The key point is that "SCP inheritance works differently for Allow and Deny policies". Allowed policies are only inherited if the children don't have any Allow policy. Once they have an allow policy, only actions defined in that policy will be allowed and no "Allow" policy will be inherited from the parent(s) OUs. What inherits is the implicit Deny policy which is a hidden policy sitting above all. Check the tables in this link: https://aws.amazon.com/blogs/security/get-more-out-of-service-control-policies-in-a-multi-account-environment/

I've just tested in my AWS account with the same scenario. I removed the SCP from the dev env and kept the EC2 policy, which by that I was denied access to all other operations except EC2.

Note: Adding an SCP with full AWS access doesn’t give all the principals in an account access to everything. SCPs don’t grant permissions; they are used to filter permissions. Principals still need a policy within the account that grants them access.

A - Inherited SCPs cannot be removed so FullAWSAccess will still apply

B is correct: SCP have allow statement and this matchs

a is the answer

should be B, see example in here: https://aws.amazon.com/blogs/security/get-more-out-of-service-control-policies-in-a-multi-account-environment/

Answer is A: You can't remove heritage policy from child OU

B is the right answer. For a permission to be allowed for a specific account, there must be an explicit Allow statement at every level from the root through each OU in the direct path to the account (including the target account itself). This is why when you enable SCPs, AWS Organizations attaches an AWS managed SCP policy named FullAWSAccess which allows all services and actions. If this policy is removed and not replaced at any level of the organization, all OUs and accounts under that level would be blocked from taking any actions. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html

"SCP evaluation follows a deny-by-default model, meaning that any permissions not explicitly allowed in the SCPs are denied. If an allow statement is not present in the SCPs at any of the levels such as Root, Production OU or Account B, the access is denied." https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html#:~:text=SCP%20evaluation%20follows%20a%20deny%2Dby%2Ddefault%20model%2C%20meaning%20that%20any%20permissions%20not%20explicitly%20allowed%20in%20the%20SCPs%20are%20denied.%20If%20an%20allow%20statement%20is%20not%20present%20in%20the%20SCPs%20at%20any%20of%20the%20levels%20such%20as%20Root%2C%20Production%20OU%20or%20Account%20B%2C%20the%20access%20is%20denied.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance_mgmt.html

Even the default policy is removed, Child OU will inherit the SCP from the Environment OU, which is AWSFullAccess. So the Child OU will still have full access.

Its A, the new policy is an allow policy not deny, thus all permissions are gratned to Dev OU.

SCP can define An allow list – actions are prohibited by default, and you specify what services and actions are allowed.

A is correct. Development OU will inherit FullAccess from the Environments OU no explicit DENY in the new AllowAllEc2 Policy

B is the correct option.

All users in the Development OU will be allowed all API actions on EC2 resources. All other API actions will be denied.