Exam AWS Certified SysOps Administrator - Associate topic 1 question 373 discussion

A SysOps administrator manages policies for many AWS member accounts in an AWS Organizations structure. Administrators on other teams have access to the account root user credentials of the member accounts. The SysOps administrator must prevent all teams, including their administrators, from using Amazon DynamoDB. The solution must not affect the ability of the teams to access other AWS services.

Which solution will meet these requirements?

  • A. In all member accounts, configure IAM policies that deny access to all DynamoDB resources for all users, including the root user.
  • B. Create a service control policy (SCP) in the management account to deny all DynamoDB actions. Apply the SCP to the root of the organization.
  • C. In all member accounts, configure IAM policies that deny AmazonDynamoDBFullAccess to all users, including the root user.
  • D. Remove the default service control policy (SCP) in the management account. Create a replacement SCP that includes a single statement that denies all DynamoDB actions.
Suggested Answer: B 🗳️

Comments

eboehm
Highly Voted 1 year, 3 months ago
Selected Answer: B
The answer is B as you have no idea what other SCP policies could be in place and deleting the entire SCP would be bad practice.
upvoted 10 times
Christina666
Highly Voted 1 year, 3 months ago
Selected Answer: B
Service Control Policies (SCPs) are a feature of AWS Organizations that allow you to set permissions across all member accounts in the organization. When you apply an SCP at the root of the organization, it affects all member accounts within that organization. In this scenario, by creating an SCP that denies all DynamoDB actions and applying it to the root of the AWS organization, you effectively block access to Amazon DynamoDB for all users, including the root user, in all member accounts within the organization. This solution prevents any team, including their administrators, from using DynamoDB while still allowing access to other AWS services that are not restricted by the SCP.
upvoted 5 times
AgboolaKun
Most Recent 5 months, 3 weeks ago
Selected Answer: B
I agree with the explanation of many folks here why B is the correct answer. One thing we must understand is that AWS Organizations attaches an AWS managed SCP named FullAWSAccess to every root, OU and account when it's created. This policy allows all services and actions. Therefore, attaching a new SCP that denies all DynamoDB actions to the root of the organization makes a lot more sense. This is because we don't care what access other SCPs have granted the Management accounts and OUs, this new SCP explicitly denies DynamoDB related actions. We are good since explicit "deny" overrides explicit "allow". Please refer to this documentation - https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html for more information.
upvoted 1 times
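As an added example (not part of this discussion), the evaluation rule AgboolaKun cites, modelled in Python: a constructed deny-all-DynamoDB SCP placed beside the AWS-managed FullAWSAccess SCP and evaluated level by level, so a single explicit Deny at the root blocks DynamoDB everywhere while other services stay allowed, and removing FullAWSAccess from the root (option D) blocks everything. The hierarchy, policy names and actions are assumptions for illustration.

```python
import fnmatch

# Constructed SCP (not from the page): the deny-all-DynamoDB policy of answer B.
DENY_DYNAMODB_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyAllDynamoDB", "Effect": "Deny",
                   "Action": "dynamodb:*", "Resource": "*"}],
}

# The AWS-managed FullAWSAccess SCP that Organizations attaches to every
# root, OU and account by default; it allows every action.
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

def _actions(stmt):
    act = stmt["Action"]
    return [act] if isinstance(act, str) else list(act)

def scp_level_allows(policies, action):
    """One level (root, an OU or an account) permits the action only if some
    attached SCP allows it and none explicitly denies it: Deny beats Allow."""
    allowed = denied = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(fnmatch.fnmatchcase(action, p) for p in _actions(stmt)):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied

def scp_permits(action, hierarchy):
    """The action survives only if every level from the root down to the
    account permits it. SCPs bound every principal in a member account,
    the root user included, which an IAM policy (option A) cannot do."""
    return all(scp_level_allows(level, action) for level in hierarchy)

# Constructed hierarchy: root carrying the default SCP plus the new deny,
# then one OU and one member account that still carry FullAWSAccess.
ORG = [[FULL_AWS_ACCESS_SCP, DENY_DYNAMODB_SCP],
       [FULL_AWS_ACCESS_SCP],
       [FULL_AWS_ACCESS_SCP]]

# Option D's trap: replace FullAWSAccess at the root with the deny-only SCP
# and no Allow remains at that level, so every service is blocked.
ROOT_DENY_ONLY = [[DENY_DYNAMODB_SCP], [FULL_AWS_ACCESS_SCP], [FULL_AWS_ACCESS_SCP]]
```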
trvtrinh
1 year, 3 months ago
Answer: B
Service Control Policies (SCPs) are used to manage permissions for all members of an AWS Organization. SCPs allow you to set permissions that restrict actions across the entire organization or specific organizational units (OUs). By creating an SCP that denies all DynamoDB actions and applying it at the root level of the AWS Organization, you can prevent all member accounts, including their administrators with root user credentials, from using Amazon DynamoDB. This solution will not affect the ability of the teams to access other AWS services, as SCPs are used to control permissions for specific services or actions.
upvoted 3 times
jas26says
1 year, 3 months ago
I'm not sure, but for me it's something between B and D, but not C.
upvoted 2 times
trvtrinh
1 year, 3 months ago
I think B is true
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other