Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 134 discussion

A company uses AWS Organizations to manage its AWS accounts. The organization root has an OU that is named Environments. The Environments OU has two child OUs that are named Development and Production, respectively.

The Environments OU and the child OUs have the default FullAWSAccess policy in place. A DevOps engineer plans to remove the FullAWSAccess policy from the Development OU and replace the policy with a policy that allows all actions on Amazon EC2 resources.

What will be the outcome of this policy replacement?

  • A. All users in the Development OU will be allowed all API actions on all resources.
  • B. All users in the Development OU will be allowed all API actions on EC2 resources. All other API actions will be denied.
  • C. All users in the Development OU will be denied all API actions on all resources.
  • D. All users in the Development OU will be denied all API actions on EC2 resources. All other API actions will be allowed.
Suggested Answer: B
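As an added illustration that is not part of the question or of any comment on this page, the following Python model implements the SCP evaluation rule the question tests: an action passes the SCP filter only if some Allow statement matches it at every level of the path from the root through each OU to the account, and no Deny statement matches it at any level; anything not matched is implicitly denied. The FullAWSAccess document mirrors the AWS managed policy's published content; the EC2 policy document, the OU path and the account name are constructed for this scenario, and the model deliberately ignores resource ARNs and conditions, which real SCPs also evaluate.

```python
"""Model of AWS Organizations SCP evaluation along an OU path (constructed
example, not AWS code). SCPs never grant anything by themselves: an IAM
policy in the account must still allow the action. This model only answers
"does the SCP filter let the action through?"."""
from fnmatch import fnmatch

# Content of the AWS managed FullAWSAccess SCP.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Replacement policy from the question: all actions on EC2 only.
# Constructed document; the name is hypothetical.
ALLOW_ALL_EC2 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, action):
    # IAM action names match case-insensitively with '*' and '?' wildcards.
    patterns = _as_list(statement.get("Action", []))
    return any(fnmatch(action.lower(), p.lower()) for p in patterns)


def level_effect(scps, action):
    """Outcome of one level (root, an OU, or the account) for `action`.
    All SCPs attached at that level are evaluated together: an explicit
    Deny wins, otherwise any matching Allow allows, otherwise implicit deny."""
    allowed = False
    for scp in scps:
        for statement in scp["Statement"]:
            if _matches(statement, action):
                if statement["Effect"] == "Deny":
                    return "deny"
                allowed = True
    return "allow" if allowed else "implicit_deny"


def scp_allows(path, action):
    """`path` is an ordered list of (level_name, [scp, ...]) from the
    organization root down to the account. Returns (bool, explanation)."""
    for name, scps in path:
        effect = level_effect(scps, action)
        if effect != "allow":
            return False, f"{action}: {effect} at level '{name}'"
    return True, f"{action}: allowed at every level"


def effective_actions(path, actions):
    """Map each probed action to whether the SCP filter lets it through."""
    return {action: scp_allows(path, action)[0] for action in actions}


# Scenario from the question. 'dev-account' is a constructed placeholder;
# the account itself keeps the default FullAWSAccess attachment.
BEFORE = [
    ("Root", [FULL_AWS_ACCESS]),
    ("Environments", [FULL_AWS_ACCESS]),
    ("Development", [FULL_AWS_ACCESS]),
    ("dev-account", [FULL_AWS_ACCESS]),
]
AFTER = [
    ("Root", [FULL_AWS_ACCESS]),
    ("Environments", [FULL_AWS_ACCESS]),
    ("Development", [ALLOW_ALL_EC2]),  # FullAWSAccess detached, EC2-only policy attached
    ("dev-account", [FULL_AWS_ACCESS]),
]

if __name__ == "__main__":
    probe = ["ec2:RunInstances", "s3:GetObject", "iam:CreateUser"]
    for label, path in (("before", BEFORE), ("after", AFTER)):
        for action in probe:
            print(label, scp_allows(path, action)[1])
```

Running it shows the effect of the replacement: before the change every probed action passes at all four levels; afterwards only `ec2:*` actions pass, because the Development level no longer carries an Allow that matches `s3:GetObject` or `iam:CreateUser`, and the FullAWSAccess attachments still present on Root and Environments cannot compensate for a missing Allow at a lower level. Whether an EC2 action actually succeeds then depends on the IAM policies inside the account.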

Comments

d262e67
Highly Voted 5 months, 2 weeks ago
Selected Answer: B
The key point is that "SCP inheritance works differently for Allow and Deny policies". Allow policies are only inherited if the children don't have any Allow policy. Once they have an Allow policy, only actions defined in that policy will be allowed, and no "Allow" policy will be inherited from the parent OU(s). What is inherited is the implicit Deny policy, which is a hidden policy sitting above all. Check the tables in this link: https://aws.amazon.com/blogs/security/get-more-out-of-service-control-policies-in-a-multi-account-environment/
upvoted 7 times
MalonJay
1 month, 1 week ago
Very good link about SCPs.
upvoted 1 times
devakram
Most Recent 2 months ago
Selected Answer: B
I've just tested this in my AWS account with the same scenario. I removed the SCP from the dev environment and kept the EC2 policy, after which I was denied access to all other operations except EC2.
upvoted 3 times
HayLLlHuK
2 months, 1 week ago
Selected Answer: B
Note: Adding an SCP with full AWS access doesn’t give all the principals in an account access to everything. SCPs don’t grant permissions; they are used to filter permissions. Principals still need a policy within the account that grants them access.
upvoted 2 times
DanShone
3 months ago
Selected Answer: A
A - Inherited SCPs cannot be removed so FullAWSAccess will still apply
upvoted 1 times
devakram
2 months ago
no, I've just tested it in my account now, and B is the true answer. Although there were inherited SCPs coming from root and env which still showed in the SCP page for that OU, after detaching the allow all SCP, I was denied access on any other API except EC2.
upvoted 1 times
thanhnv142
4 months, 1 week ago
B is correct: SCPs have an allow statement and this matches.
upvoted 2 times
sarlos
4 months, 3 weeks ago
A is the answer.
upvoted 1 times
1123lluu
6 months, 2 weeks ago
should be B, see example in here: https://aws.amazon.com/blogs/security/get-more-out-of-service-control-policies-in-a-multi-account-environment/
upvoted 1 times
zolthar_z
6 months, 2 weeks ago
Selected Answer: A
Answer is A: you can't remove an inherited policy from a child OU.
upvoted 2 times
learnwithaniket
7 months ago
Selected Answer: B
B is the right answer. For a permission to be allowed for a specific account, there must be an explicit Allow statement at every level from the root through each OU in the direct path to the account (including the target account itself). This is why when you enable SCPs, AWS Organizations attaches an AWS managed SCP policy named FullAWSAccess which allows all services and actions. If this policy is removed and not replaced at any level of the organization, all OUs and accounts under that level would be blocked from taking any actions. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html
upvoted 2 times
tatarai1964
7 months, 4 weeks ago
Selected Answer: B
"SCP evaluation follows a deny-by-default model, meaning that any permissions not explicitly allowed in the SCPs are denied. If an allow statement is not present in the SCPs at any of the levels such as Root, Production OU or Account B, the access is denied." https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html#:~:text=SCP%20evaluation%20follows%20a%20deny%2Dby%2Ddefault%20model%2C%20meaning%20that%20any%20permissions%20not%20explicitly%20allowed%20in%20the%20SCPs%20are%20denied.%20If%20an%20allow%20statement%20is%20not%20present%20in%20the%20SCPs%20at%20any%20of%20the%20levels%20such%20as%20Root%2C%20Production%20OU%20or%20Account%20B%2C%20the%20access%20is%20denied.
upvoted 4 times
jdx000
8 months, 1 week ago
Selected Answer: A
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance_mgmt.html
upvoted 1 times
zain1258
7 months ago
This URL does not explain the SCP.
upvoted 1 times
Radeeka
9 months, 4 weeks ago
Selected Answer: A
Even if the default policy is removed, the child OU will inherit the SCP from the Environments OU, which is FullAWSAccess. So the child OU will still have full access.
upvoted 3 times
Gathix444
10 months ago
It's A, the new policy is an allow policy, not deny, thus all permissions are granted to the Dev OU.
upvoted 2 times
ixdb
10 months ago
Selected Answer: B
SCPs can define an allow list: actions are prohibited by default, and you specify which services and actions are allowed.
upvoted 3 times
vherman
10 months, 2 weeks ago
Selected Answer: A
A is correct. The Development OU will inherit FullAccess from the Environments OU; there is no explicit DENY in the new AllowAllEc2 policy.
upvoted 4 times
Aja1
10 months, 1 week ago
The answer is B. When a policy is removed from an OU, the default policy for the parent OU is inherited. In this case, the default policy for the Environments OU is FullAWSAccess, which allows all API actions on all resources. When the DevOps engineer replaces the FullAWSAccess policy with a policy that allows all actions on Amazon EC2 resources, the new policy will take precedence over the default policy. This means that all users in the Development OU will be allowed all API actions on EC2 resources. All other API actions will be denied.
upvoted 3 times
Gathix444
10 months ago
The last part is wrong. SCPs don't deny anything unless you explicitly define it.
upvoted 1 times
yorkicurke
6 months, 3 weeks ago
Because SCPs define the maximum permissions for an organization or organizational unit (OU) in AWS Organizations. If an SCP doesn't explicitly grant permissions for an action, then that action is implicitly denied.
upvoted 1 times
yorkicurke
6 months, 3 weeks ago
Link: https://repost.aws/questions/QUSHz1PpiJTOqWRuguGn_Trw/resource-and-iam-policy-with-scp
upvoted 1 times
FunkyFresco
11 months, 3 weeks ago
Selected Answer: B
B is the correct option.
upvoted 4 times
ds50421
12 months ago
Selected Answer: B
All users in the Development OU will be allowed all API actions on EC2 resources. All other API actions will be denied.
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other