
Exam AWS Certified Security - Specialty topic 1 question 187 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 187
Topic #: 1

A company has multiple AWS accounts that are part of AWS Organizations. The company's Security team wants to ensure that even those Administrators with full access to the company's AWS accounts are unable to access the company's Amazon S3 buckets.
How should this be accomplished?

  • A. Use SCPs.
  • B. Add a permissions boundary to deny access to Amazon S3 and attach it to all roles.
  • C. Use an S3 bucket policy.
  • D. Create a VPC endpoint for Amazon S3 and deny statements for access to Amazon S3.
Suggested Answer: A 🗳️
Reference:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
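The SCP the suggested answer calls for, together with a small model of why it works where the other options do not, as an added example that is not part of the exam page or of AWS's own tooling. The policy document itself is a real SCP shape; the account roles, the principals under test and the `is_allowed` simulator are assumptions made for this illustration and deliberately simplify the documented evaluation logic (only `Action`/`Effect` are modelled, no `Resource` or `Condition` matching):

```python
"""Added example: an SCP denying all S3 access in member accounts, plus a
simplified model of how SCPs combine with identity-based policies.

Principal names and the simulator are assumptions for this illustration,
not code from the exam page or from AWS."""
import json

# The SCP the question asks for. Attached to the organization root (or to the
# OUs that hold the accounts) it applies to every IAM user and role in those
# member accounts, including the member account's root user.
DENY_S3_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyAllS3", "Effect": "Deny", "Action": "s3:*", "Resource": "*"}
    ],
}

# Organizations attaches the default FullAWSAccess SCP to every root and OU.
# SCPs are an allow-list plus denies: without an Allow in the chain nothing
# in the account would work at all, so the deny above is layered on top.
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed identity policy: the managed AdministratorAccess shape. The
# root user has no identity policy but behaves as if it carried this one.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _action_matches(pattern, action):
    """Case-insensitive IAM action match supporting a trailing '*' wildcard."""
    pattern, action = pattern.lower(), action.lower()
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _evaluate(policies, action):
    """Return 'deny', 'allow' or 'implicit_deny' for a list of policy documents.

    An explicit Deny in any matching statement wins over every Allow."""
    result = "implicit_deny"
    for doc in policies:
        for stmt in doc["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if not any(_action_matches(p, action) for p in actions):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"
            result = "allow"
    return result


def is_allowed(action, identity_policies, scps, is_management_account=False):
    """Simplified model (an assumption, not AWS's evaluator): in a member
    account a request succeeds only if the SCPs allow it AND the identity
    policies allow it. SCPs never apply to principals in the management
    account, which is why the guardrail has to live there."""
    if not is_management_account and _evaluate(scps, action) != "allow":
        return False
    return _evaluate(identity_policies, action) == "allow"


def demo():
    """Evaluate a few constructed principals against the two SCPs above."""
    scps = [FULL_AWS_ACCESS_SCP, DENY_S3_SCP]
    admin = [ADMINISTRATOR_ACCESS]
    return {
        # Member-account admin role: S3 is blocked even with Action "*" allowed.
        "member-admin s3:GetObject": is_allowed("s3:GetObject", admin, scps),
        # ...but unrelated services keep working.
        "member-admin ec2:DescribeInstances": is_allowed("ec2:DescribeInstances", admin, scps),
        # Member-account root user: implicit full access, still subject to SCPs.
        "member-root s3:ListAllMyBuckets": is_allowed("s3:ListAllMyBuckets", admin, scps),
        # Management-account admin: SCPs do not apply, so S3 stays reachable.
        "mgmt-admin s3:GetObject": is_allowed("s3:GetObject", admin, scps, is_management_account=True),
    }


def scp_json():
    """The SCP serialized for `aws organizations create-policy --content file://...`."""
    return json.dumps(DENY_S3_SCP, indent=2)


if __name__ == "__main__":
    print(scp_json())
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'DENIED'}")
```

To deploy it from the management account, save `scp_json()` to a file and run `aws organizations create-policy --type SERVICE_CONTROL_POLICY --name DenyAllS3 --content file://deny-s3.json`, then `aws organizations attach-policy --policy-id <id from create-policy> --target-id <root or OU id>`. Two caveats worth checking before attaching: SCPs do not affect the management account or service-linked roles, so anything that must keep writing to S3 through those paths is unaffected, while every other principal in the targeted accounts loses S3 entirely; try it on a sandbox OU first. The contrast with options B and C is that a permissions boundary or bucket policy lives inside the member account, where an administrator with full access can simply edit or detach it, whereas the SCP can only be changed from the management account.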

Comments

DayQuil
Highly Voted 3 years, 9 months ago
A. Use service control policies to deny or permit access at the account level. This will precede IAM policies that permit access.
upvoted 21 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: A
SCPs control/restrict even the root user in member AWS accounts.
upvoted 1 times
G4Exams
2 years, 2 months ago
Selected Answer: A
A. This is a typical SCP use case.
upvoted 1 times
ITGURU51
2 years, 2 months ago
Service control policies can be used to limit the scope of permissions granted to admin accounts within AWS. A
upvoted 1 times
acloudguru
3 years, 7 months ago
Such an easy one, SCP for root. Hope I can have such easy ones in my exam.
upvoted 4 times
skipbaylessfor3
3 years, 8 months ago
One problem with B is that they are only attaching it to roles (which is also inefficient if you have to attach it to potentially hundreds of roles). But what if there's a user who has access to S3 from their access key/secret access key and doesn't even use a role? Then what? It wouldn't stop them, but an SCP would. Did that make sense, or am I tripping?
upvoted 3 times
EricR17
3 years, 8 months ago
Admins in those accounts with "full permissions" could change the permission boundaries. They can't do so with an SCP.
upvoted 2 times
Daniel76
3 years, 8 months ago
B - a permissions boundary is only effective within the account, whereas the scenario requires multiple AWS accounts in the AWS Organization.
upvoted 1 times
skipbaylessfor3
3 years, 8 months ago
So that means A is correct, right? That's what I'm leaning towards.
upvoted 1 times
rainit2006
3 years, 8 months ago
I know A works, but why is B incorrect?
upvoted 2 times
rhinozD
3 years, 8 months ago
How many roles do you have? What if the number is 100? Or 1000?
upvoted 2 times
EricR17
3 years, 8 months ago
Because Admins in those accounts with "full permissions" could change the permission boundaries. They can't do so with an SCP.
upvoted 1 times
sanjaym
3 years, 8 months ago
"A" without doubt.
upvoted 4 times
Hungdv
3 years, 8 months ago
A and C will work. But should use SCP here.
upvoted 1 times
rhinozD
3 years, 8 months ago
C should work, but you have to put in a lot of effort if the number of S3 buckets is large.
upvoted 1 times
Edgecrusher77
3 years, 9 months ago
A. Of course an SCP is not enough, you will need a specific policy, but the SCP is the key point here.
upvoted 2 times
aawwss
3 years, 9 months ago
I don't think it's A as it does not block cross account access. C definitely works. Not sure about B.
upvoted 1 times
ChinkSantana
3 years, 9 months ago
A is the only correct answer here. Use service control policies to deny or permit access at the account level. This will precede IAM policies that permit access.
upvoted 5 times
Community vote distribution: A (35%), C (25%), B (20%), Other