
Exam AWS-SysOps topic 1 question 794 discussion

Exam question from Amazon's AWS-SysOps
Question #: 794
Topic #: 1

A company is operating a multi-account environment under a single organization using AWS Organizations. The Security team discovers that some employees are using AWS services in ways that violate company policies. A SysOps Administrator needs to prevent all users of an account, including the root user, from performing certain restricted actions.
What should be done to accomplish this?

  • A. Apply service control policies (SCPs) to allow approved actions only
  • B. Apply service control policies (SCPs) to prevent restricted actions
  • C. Define permissions boundaries to allow approved actions only
  • D. Define permissions boundaries to prevent restricted actions
Suggested Answer: B
Reference:
https://aws.amazon.com/blogs/security/announcing-aws-organizations-centrally-manage-multiple-aws-accounts/

Comments

jaribu
Highly Voted 2 years, 7 months ago
AWS offers about 220 services. It would be easier to Allow a few than to Deny many in a policy. Imagine how many "Deny" you will be required to list if all you want to do is allow access to just one or two services. I will pick A as the best answer.
upvoted 9 times
hdbs
2 years, 6 months ago
B is correct. A deny list – actions are allowed by default, and you specify what services and actions are prohibited. An allow list – actions are prohibited by default, and you specify what services and actions are allowed. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_strategies.html
upvoted 2 times
NivNZ
2 years, 6 months ago
But by default ALL services are ALLOWED so you need to deny the services that should not be used.
upvoted 3 times
wahlbergusa
2 years, 6 months ago
By default all services are DENIED -> https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_strategies.html , "The default configuration of AWS Organizations supports using SCPs as deny lists."
upvoted 1 times
angelsrp
2 years, 7 months ago
...from performing "certain" restricted actions... I think it is B.
upvoted 9 times
ImranR
2 years, 6 months ago
Point...
upvoted 1 times
NorthStar2010
Highly Voted 2 years, 7 months ago
B. Apply service control policies (SCPs) to prevent restricted actions.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps-about.html
By default, an SCP named FullAWSAccess is attached to every organization root, OU, and account. This default SCP allows all actions and all services. So in a new organization, until you start creating or manipulating the SCPs, all of your existing IAM permissions continue to operate as they did. As soon as you apply a new or modified SCP to the organization root or an OU that contains an account, the permissions that your users have in that account become filtered by the SCP. Permissions that used to work might now be denied if they're not allowed by the SCP at every level of the hierarchy down to the specified account.
upvoted 8 times
proxyolism
2 years, 7 months ago
Actually I thought the answer was A, as it minimizes authority, but I am so confused that the answer is B after checking this comment. I wish not to see this question when I take the exam..
upvoted 3 times
Kimle
2 years, 6 months ago
B is wrong. In SCP everything is denied by default and you need to configure approved actions... You may not notice that, as when you enable SCPs the organization has the FullAWSAccess policy assigned to it..
upvoted 2 times
albert_kuo
Most Recent 9 months, 2 weeks ago
Selected Answer: B
Service Control Policies (SCPs) are a feature of AWS Organizations that allow you to control what actions AWS IAM users and roles can perform within an AWS account or a group of accounts. SCPs are applied at the organization, organizational unit (OU), or account level and act as a permissions boundary, effectively limiting the actions that IAM entities (users and roles) can take. By applying SCPs that explicitly deny certain actions, you can effectively prevent all users of an account, including the root user, from performing those restricted actions. SCPs are applied at the root level, meaning they apply to all entities within the account.
upvoted 1 times
Finger41
1 year, 10 months ago
Selected Answer: A
Both A and B are two sides of the same coin. AWS by default comes with the "FullAWSAccess" policy when creating an Org, allowing full access: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_strategies.html Best practice is to go for an Allow approach, by removing the default policy. There is no information provided in the question that the default configuration has been maintained for AWS Organizations.
upvoted 1 times
rb39
2 years, 6 months ago
B - SCP allows by default. The default configuration for working with SCPs is to use a "block list" strategy where all actions are implicitly allowed except for those actions you want to block by creating statements that deny access.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_create.html?icmpid=docs_orgs_console
upvoted 1 times
Cyril_the_Squirl
2 years, 6 months ago
B. The scenario expects us to prevent activity, i.e. a deny list, therefore B is correct.
upvoted 1 times
Huy
2 years, 6 months ago
Answer is B. Please see the SCP blacklist and whitelist concept.
upvoted 1 times
Kimle
2 years, 6 months ago
Answer is A... It's true that in SCP everything is denied by default and you need to configure approved actions, and at the same time by default FullAWSAccess is granted to the organization.. But we can't depend on predicting what's configured in the mentioned account, whether it's the default or not!! So there's a probability that B is wrong if the account runs a non-default configuration. But A can't be wrong in any way, "although it needs more work!"
upvoted 1 times
abhishek_m_86
2 years, 6 months ago
B. Apply service control policies (SCPs) to prevent restricted actions: seems correct here.
upvoted 2 times
Rhittab
2 years, 6 months ago
B. SCPs are used to deny/prevent actions
upvoted 1 times
jackdryan
2 years, 6 months ago
I'll go with B
upvoted 1 times
weril
2 years, 6 months ago
"Policies to centralize control over the AWS services and API actions that each account can access." As an administrator of the management account of an organization, you can use service control policies (SCPs) to specify the maximum permissions for member accounts in the organization. In SCPs, you can restrict which AWS services, resources, and individual API actions the users and roles in each member account can access. You can also define conditions for when to restrict access to AWS services, resources, and API actions. These restrictions even override the administrators of member accounts in the organization. When AWS Organizations blocks access to a service, resource, or API action for a member account, a user or role in that account can't access it. This block remains in effect even if an administrator of a member account explicitly grants such permissions in an IAM policy.
I want to add this: In other words, the user can access only what is allowed by both the AWS Organizations policies and IAM policies. If either blocks an operation, the user can't access that operation.
Link: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html
upvoted 1 times
weril
2 years, 6 months ago
Ans is B for me
upvoted 1 times
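The evaluation rule quoted by NorthStar2010 (an action must be allowed by the SCP at every level of the hierarchy) and by weril (the SCP and IAM decisions are intersected) is illustrated below with a small Python model. This is an added example, not code from the thread or from AWS; the policy documents and the hypothetical `ADMIN_IAM` policy are constructed samples, and the model covers only Action matching, not resources or conditions.

```python
from fnmatch import fnmatchcase

# Constructed sample policies in the shape of real SCP / IAM documents.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
# Deny-list strategy: keep FullAWSAccess, add explicit Deny guardrails.
DENY_GUARDRAILS = {"Statement": [
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "ec2:RunInstances"]}]}
# Allow-list strategy: FullAWSAccess removed, only listed services allowed.
ALLOW_LIST = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "cloudwatch:*"]}]}
ADMIN_IAM = FULL_AWS_ACCESS  # hypothetical member-account admin's IAM policy

def _matches(spec, action):
    """Action element may be a string or a list; '*' wildcards are allowed."""
    patterns = spec if isinstance(spec, list) else [spec]
    return any(fnmatchcase(action, p) for p in patterns)

def policy_decision(policy, action):
    """One policy document: explicit Deny wins, then Allow, else implicit deny."""
    decision = None
    for st in policy["Statement"]:
        if _matches(st["Action"], action):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def level_allows(policies, action):
    """All policies attached at one level: any Deny blocks, else an Allow is needed."""
    decisions = [policy_decision(p, action) for p in policies]
    return "Deny" not in decisions and "Allow" in decisions

def is_allowed(scp_levels, iam_policies, action, root_user=False):
    """scp_levels: the SCP sets attached at the org root, each OU, and the account.
    The action must pass every SCP level. SCPs apply even to the member
    account's root user; IAM identity policies do not limit the root user,
    so they are only checked for ordinary IAM users and roles."""
    if not all(level_allows(level, action) for level in scp_levels):
        return False
    if root_user:
        return True
    return level_allows(iam_policies, action)

# Deny-list hierarchy: FullAWSAccess everywhere plus guardrails on the OU.
DENY_LIST_ORG = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_GUARDRAILS], [FULL_AWS_ACCESS]]
# Allow-list hierarchy: FullAWSAccess removed from the OU and replaced.
ALLOW_LIST_ORG = [[FULL_AWS_ACCESS], [ALLOW_LIST], [FULL_AWS_ACCESS]]
```

In the deny-list organization the root user is still blocked from `cloudtrail:StopLogging`, while in the allow-list organization anything outside S3 and CloudWatch is implicitly denied at the OU level regardless of the IAM policy.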
MFDOOM
2 years, 6 months ago
B. Only Deny statements can include resources and conditions.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_create.html?icmpid=docs_orgs_console
upvoted 1 times
Polu
2 years, 6 months ago
It's B as per the Steven Marek course.
upvoted 3 times
asim1982
2 years, 7 months ago
The right answer is C because you need to restrict the root user as well for actions; permission boundaries will restrict actions, whereas SCP will completely deny the use of a service in the account. Hence answer C is 100% correct. Any comments on this are welcome.
upvoted 1 times
DannyExamination
2 years, 7 months ago
C only applies to IAM identities, users and roles, so it will not have an effect on the root account. I will go with A.
upvoted 1 times
lgh9527
2 years, 7 months ago
I will vote for A as well. It's always easier to know what kind of operations can be allowed in the environment, compared with its opposite.
upvoted 3 times
rewiga
2 years, 7 months ago
I want to say it's A due to the least-privilege security principle.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other