Exam AWS-SysOps topic 1 question 639 discussion

Agree with A, as they have separate AWS account for development, AWS Organization with SCP is better choice

A it is a tricky question, in the scenario the question said that the developers have permissions to manipulate with IAM (therefore, answer "B" cant be correct, as they can edit the permissions and add what they want, with no restrictions). However, answer "A", using SCP, will BLOCK them from accessing certain services, but it will not grant them actions. I would go with "A", because even they are limited from accessing certain services through SCP, they can GRANT THEMSELVES the required actions using IAM policies. So this will resolve the "What is the best way to grant the developer.....blah blah".

By creating a service control policy at the organizational level and applying it to the development account, you can restrict the developers' access to specific services based on corporate policies. This ensures that they have the necessary privileges in the development account while still complying with the defined restrictions.

A is the answer, you want to limit developers access to certain services in the organization. SCP is the way to go https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

A - SCPs cannot be changed in the managed account even with full admin access

A. Create a service control policy in AWS Organizations and apply it to the development account. Seem correct

I go with whatever jackdryan goes with :))) answer is A

Service control policy for sure

I'll go with A

A. Create a service control policy in AWS Organizations and apply it to the development account.

The Answer is A. Although B would work if you created an IAM policy to Deny developer access to specific services, the question states that the developers have IAM access, so they could go back and change the policy. The question asks for the BEST option, which is to use SCPs.

Answer is B - note :Corporate policies require that "developers" are blocked from accessing some services. So in this case SCP will block all user even admin. B is better.

I cannot find the practice exams for AWS. Keep getting a 404 error.

Answer is B SCPs alone are not sufficient for allowing access in the accounts in your organization. Attaching an SCP to an AWS Organizations entity (root, organizational unit (OU), or account) defines a guardrail for what actions the principals can perform. You still need to attach identity-based or resource-based policies to principals or resources in your organization's accounts to actually grant permissions to them. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_type-auth.html

A, is the best way to apply corporate policy to limit production account access in aws organization.

A - as it would be the best way. If you do what option B says, it will get the job done, but because it must be attached to multiple users it is a lengthy task. A SCP will blanket policy the entire Dev account. If B mentioned anything about applying the policy to a group of users where all the developers accounts reside, then it would have been correct

B, is my answer. Since there is no mention in the question that an Organization exists in the customers setup, A, does not apply. However, if the question did mention an Organization setup, A, would absolutely be the correct answer.