Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 186 discussion

A company is launching an application. The application must use only approved AWS services. The account that runs the application was created less than 1 year ago and is assigned to an AWS Organizations OU.

The company needs to create a new Organizations account structure. The account structure must have an appropriate SCP that supports the use of only services that are currently active in the AWS account. The company will use AWS Identity and Access Management (IAM) Access Analyzer in the solution.

Which solution will meet these requirements?

  • A. Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the new OU. Detach the default FullAWSAccess SCP from the new OU.
  • B. Create an SCP that denies the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the new OU.
  • C. Create an SCP that allows the services that IAM Access Analyzer identifies. Attach the new SCP to the organization's root.
  • D. Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the management account. Detach the default FullAWSAccess SCP from the new OU.
Suggested Answer: A
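
An added example (not part of the original question or of any commenter's post): a small Python model of how AWS Organizations evaluates SCPs across the root, OU and account levels, showing why an allow-list SCP only takes effect once FullAWSAccess is detached from the same OU. The service prefixes are constructed sample values and the function names are hypothetical.

```python
import fnmatch

# AWS-managed default SCP: allows every action.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def allow_list_scp(services):
    """Build an allow-list SCP from service prefixes such as 's3'."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowApprovedServices", "Effect": "Allow",
        "Action": sorted(f"{s}:*" for s in services), "Resource": "*"}]}

def _matches(policy, action, effect):
    """True if any statement with this effect covers the action."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if stmt["Effect"] == effect and any(
                fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            return True
    return False

def scp_permits(action, levels):
    """levels = SCPs attached at [root, OU, account], in that order.
    An action passes only if every level has an Allow for it and no
    level has a Deny. SCPs only cap permissions; IAM must still grant."""
    for scps in levels:
        if any(_matches(p, action, "Deny") for p in scps):
            return False
        if not any(_matches(p, action, "Allow") for p in scps):
            return False
    return True

# Constructed sample: services reported as in use by the account.
APPROVED = ["s3", "dynamodb", "logs"]
SCP = allow_list_scp(APPROVED)

# Option A: allow-list on the new OU, FullAWSAccess detached from that OU.
OPTION_A = [[FULL_AWS_ACCESS], [SCP], [FULL_AWS_ACCESS]]
# Allow-list attached to the OU but FullAWSAccess left in place.
NOT_DETACHED = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, SCP], [FULL_AWS_ACCESS]]
# Option C: allow-list added at the root next to FullAWSAccess.
OPTION_C = [[FULL_AWS_ACCESS, SCP], [FULL_AWS_ACCESS], [FULL_AWS_ACCESS]]

if __name__ == "__main__":
    for name, lv in [("A", OPTION_A), ("not detached", NOT_DETACHED), ("C", OPTION_C)]:
        print(name, {a: scp_permits(a, lv) for a in ("s3:GetObject", "ec2:RunInstances")})
```
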

Comments

jamesf
9 months, 1 week ago
Selected Answer: A
This question and answers are confusing but I think "Management Account" in option D and "the account" are different accounts. Hence, A is correct.
upvoted 1 times
...
dkp
1 year ago
Selected Answer: A
Answer A
upvoted 2 times
...
DanShone
1 year, 1 month ago
Selected Answer: A
A is correct
upvoted 3 times
...
thanhnv142
1 year, 2 months ago
Selected Answer: A
A is correct: <AWS Identity and Access Management (IAM) Access Analyzer> is a solution for least privilege, which is allow some, deny all. So we need to define allowed permissions and then remove the <default FullAWSAccess>.
B: Least privilege is allow some, deny all, not allow all, deny some.
C: The step mentioned would have no effect. The root already had the default FullAWSAccess SCP. Allowing some more services does not change anything.
D: <Attach the new SCP to the management account>: Cannot attach an SCP to an account.
upvoted 3 times
thanhnv142
1 year, 2 months ago
Correct: D - We can attach an SCP to an account. But it only affects an account. We need to impose the SCP rule on all the accounts in the new OU.
upvoted 3 times
...
...
denccc
1 year, 3 months ago
A is correct
upvoted 1 times
...
kabary
1 year, 4 months ago
Selected Answer: A
I agree with @d262e67.
upvoted 1 times
...
d262e67
1 year, 4 months ago
Selected Answer: A
It's A. To those who selected D, why would you assign the SCP to the management account??? The application account goes into an OU, and the SCP must be associated with that OU, period!
upvoted 3 times
...
csG13
1 year, 4 months ago
Selected Answer: D
D is the right answer
upvoted 1 times
GokSK
1 year, 4 months ago
Could you please explain more?
upvoted 1 times
...
...
examaws
1 year, 4 months ago
Selected Answer: A
A is correct. Option D: Attaching the SCP to the management account and detaching FullAWSAccess from the new OU may lead to unintended access restrictions for other accounts and services under the management account.
upvoted 1 times
...
PrasannaBalaji
1 year, 4 months ago
Selected Answer: D
D is correct
upvoted 1 times
...