
Exam AWS Certified Security - Specialty topic 1 question 7 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 7
Topic #: 1

A Security Administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has enabled it for all feature sets, including consolidated billing. The top-level account is used for billing and administrative purposes, not for operational AWS resource purposes.
How can the Administrator restrict usage of member root user accounts across the organization?

  • A. Disable the use of the root user account at the organizational root. Enable multi-factor authentication of the root user account for each organizational member account.
  • B. Configure IAM user policies to restrict root account capabilities for each Organizations member account.
  • C. Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.
  • D. Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.
Suggested Answer: C
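As an added example (not from the page or any of its commenters), here is a constructed SCP of the kind answer C describes, denying all actions to the root user of any account it is attached to, plus a small Python check of how it applies; the Sid, account IDs and the simplified evaluation are assumptions for illustration, and the evaluator models only the condition this policy uses.

```python
import json
from fnmatch import fnmatchcase

# Constructed example SCP (added for illustration, not taken from the page or
# copied from AWS docs): deny every action when the calling principal is an
# account's root user, via a StringLike condition on aws:PrincipalArn.
ROOT_RESTRICTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyRootUserActions",   # Sid is our own label
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}
            },
        }
    ],
}


def scp_document() -> str:
    """Policy text in the form passed to `aws organizations create-policy --content`."""
    return json.dumps(ROOT_RESTRICTION_SCP, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scp_denies(principal_arn: str, action: str, management_account_id: str,
               policy: dict = ROOT_RESTRICTION_SCP) -> bool:
    """Simplified SCP check: True if a Deny statement matches principal and action.

    Only Action wildcards and a StringLike condition on aws:PrincipalArn are
    modelled. SCPs never apply to the management account, so its principals
    are never denied here (the AWS behaviour the comments below quote).
    """
    account_id = principal_arn.split(":")[4]      # arn:partition:iam::ACCOUNT:...
    if account_id == management_account_id:
        return False
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        arn_patterns = _as_list(
            stmt.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalArn", []))
        # A Deny with no principal condition matches every principal.
        if not arn_patterns or any(fnmatchcase(principal_arn, p) for p in arn_patterns):
            return True
    return False
```

The real policy must be attached to the OU holding the operational accounts (or to the organization root); the check here only shows why an IAM policy in the member account, which cannot bind the root user, is not the right tool.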

Comments

josellama2000
Highly Voted 3 years, 7 months ago
Correct is C.
A is incorrect. The organization root includes every user/group account in every account.
B is incorrect. Correct, may be an identity-based policy applied to the root user on each account.
D is incorrect. This will not modify a user's access or permissions.
Applying a "Control Policy" in your organization. A policy applied to:
1) root applies to all accounts in the organization
2) OU applies to all accounts in the OU and to any child OUs
3) account applies to one account only
Note: this requires the following. Requirements:
- all features are enabled for the organization in AWS Organizations
- only service control policies (SCPs) are supported
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html
upvoted 39 times
yd_h
2 years, 1 month ago
A is incorrect because there is no such "feature" offered by AWS to disable root user access from the management account. The way you could do that is by using SCPs. From the docs: "We recommend that you create a service control policy (SCP) in the organization and attach it to the organization's root so that it applies to all member accounts." (https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html) "SCPs affect only member accounts in the organization. They have no effect on users or roles in the management account." (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html)
upvoted 2 times
BillyC
Highly Voted 3 years, 7 months ago
The Correct Answer is C
upvoted 25 times
Benah
Most Recent 1 year, 7 months ago
C is correct Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.
upvoted 1 times
ITGURU51
1 year, 11 months ago
We can use OUs and service control policies to provision the appropriate amount of permissions for your accounts.
upvoted 1 times
gg12345
2 years, 5 months ago
Selected Answer: C
C - Seems like the best answer
upvoted 1 times
gondohwe
2 years, 8 months ago
SCPs can do this job in a multi-account environment... C is the way
upvoted 2 times
ideoignus
3 years, 2 months ago
Selected Answer: C
https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html#best-practices_mbr-acct_scp
upvoted 4 times
sanjaym
3 years, 6 months ago
Ans: C 100%
upvoted 2 times
akbntc
3 years, 6 months ago
My vote is also for C
upvoted 3 times
devjava
3 years, 6 months ago
Ans > C
upvoted 2 times
AfricanCloudGuru
3 years, 6 months ago
Ans (C) Because Service Control Policies are available only in an organization that has all features enabled. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
upvoted 4 times
DanMuniz
3 years, 6 months ago
Correct is C. SCPs affect all users and roles in attached accounts, including the root user. The only exceptions are those described in Tasks and entities not restricted by SCPs. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html IAM policies cannot deny a user if such is a root account.
upvoted 3 times
freddyman
3 years, 6 months ago
C is the answer IMHO. Interestingly though you can apply an SCP along the chain of the OU hierarchy and have it apply to sub-OUs, as the effective permissions are the union of all the permissions in the SCP hierarchy, plus IAM permissions.
upvoted 2 times
patelsam
3 years, 6 months ago
C is the correct answer
upvoted 2 times
IfyEze
3 years, 6 months ago
C ANSWER
upvoted 2 times
inf
3 years, 6 months ago
Answer: C (as everyone else states) https://docs.amazonaws.cn/en_us/general/latest/gr/root-vs-iam.html "You can only use an AWS Organizations service control policy (SCP) to limit permissions to an account, including the root user, that is a member of an organization or organizational unit (OU)"
upvoted 3 times
RaySmith
3 years, 6 months ago
C is correct
upvoted 2 times