
Exam AWS Certified Security - Specialty topic 1 question 142 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 142
Topic #: 1

A Developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:

How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?

  • A. Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.
  • B. Add an IAM policy for the Developer, which grants S3 access.
  • C. Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.
  • D. Add an allow list for the Developer account for the S3 service.
Suggested Answer: C
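The page does not show the SCP itself, so the following is an added illustration rather than anything from the exam or from AWS: a small Python model of how an inherited SCP and an identity-based IAM policy combine for the scenarios the options describe. It assumes a deny-all-S3 SCP attached to the Developer's OU, the default FullAWSAccess SCP at every level, and a hypothetical `DEVELOPER_S3_POLICY`; it models only the Action element (Resource, Condition, NotAction and resource-based policies are ignored).

```python
from fnmatch import fnmatchcase

# Constructed policies for this illustration. The page does not show the
# question's actual SCP, so a deny-everything-in-S3 SCP is assumed here.
DENY_S3_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}],
}
# FullAWSAccess is the default SCP that Organizations attaches at every level.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
# Hypothetical identity policy a Security Engineer would attach for option B.
DEVELOPER_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": "*"}],
}


def _actions(statement):
    """Normalise the Action element to a list of patterns."""
    action = statement["Action"]
    return [action] if isinstance(action, str) else list(action)


def evaluate(policies, action):
    """Evaluate a set of policies for one action name.

    Returns 'Deny' on any matching explicit deny, 'Allow' on a matching allow
    with no deny, or None for an implicit deny. Only the Action element is
    modelled; Resource, Condition and NotAction are ignored for brevity.
    """
    result = None
    for policy in policies:
        for statement in policy["Statement"]:
            if any(fnmatchcase(action.lower(), pattern.lower())
                   for pattern in _actions(statement)):
                if statement["Effect"] == "Deny":
                    return "Deny"      # an explicit deny wins immediately
                result = "Allow"
    return result


def scp_allows(ou_path, action):
    """ou_path lists (name, [scp, ...]) from the root down to the account.

    SCPs are inherited as an intersection: the action must be allowed at
    every level of the path and explicitly denied at none of them.
    """
    return all(evaluate(scps, action) == "Allow" for _, scps in ou_path)


def is_allowed(ou_path, identity_policies, action, management_account=False):
    """Combine the SCP boundary with the principal's identity policies."""
    # SCPs never restrict principals in the management account itself.
    if not management_account and not scp_allows(ou_path, action):
        return False
    return evaluate(identity_policies, action) == "Allow"


# Constructed organisation layout: Root -> Workloads OU (SCP attached) -> account.
ROOT = ("Root", [FULL_AWS_ACCESS])
WORKLOADS_OU = ("Workloads", [FULL_AWS_ACCESS, DENY_S3_SCP])
NEW_OU = ("Developer-OU", [FULL_AWS_ACCESS])
DEV_ACCOUNT = ("dev-account", [FULL_AWS_ACCESS])
OTHER_ACCOUNT = ("other-account", [FULL_AWS_ACCESS])


def option_b():
    """IAM allow inside the restricted OU: the inherited SCP deny still wins."""
    return is_allowed([ROOT, WORKLOADS_OU, DEV_ACCOUNT],
                      [DEVELOPER_S3_POLICY], "s3:GetObject")


def option_c():
    """Same IAM policy after moving the account to an OU without the SCP."""
    return is_allowed([ROOT, NEW_OU, DEV_ACCOUNT],
                      [DEVELOPER_S3_POLICY], "s3:GetObject")


def option_a_other_account():
    """SCP moved to the root: an unrelated account in another OU loses S3 too."""
    root_with_deny = ("Root", [FULL_AWS_ACCESS, DENY_S3_SCP])
    return is_allowed([root_with_deny, ("Other-OU", [FULL_AWS_ACCESS]), OTHER_ACCOUNT],
                      [FULL_AWS_ACCESS], "s3:GetObject")


if __name__ == "__main__":
    print("B (IAM allow under the deny SCP):", option_b())                      # False
    print("C (account moved to a clean OU):", option_c())                       # True
    print("A (deny SCP at the root, other account):", option_a_other_account())  # False
```

The model shows why only C satisfies both halves of the question: the identity policy in B never gets a chance, because the SCP deny inherited from the OU removes S3 from the account's permission boundary, while A widens the deny to every account under the root.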

Comments

Daniel76
Highly Voted 3 years, 7 months ago
Answer: C. A: The effect still exists because of the inheritance nature of SCPs in the OU hierarchy. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#scp-about-inheritance B: An IAM policy is unable to override the SCP at its OU. D: An S3 bucket policy is also unable to override the SCP.
upvoted 12 times
Gustava6272
3 years, 7 months ago
C is correct, but just out of curiosity: if the SCP denies S3 and the bucket policy allows it, will it still work?
upvoted 1 times
moobla
3 years, 6 months ago
It will not, since an explicit deny will always overrule.
upvoted 4 times
dcasabona
Most Recent 2 years, 10 months ago
Selected Answer: C
Option C.
upvoted 1 times
Lanka22
2 years, 10 months ago
Selected Answer: C
Answer- C
upvoted 1 times
mx677
3 years, 3 months ago
Selected Answer: C
New OU without the SCP applied.
upvoted 1 times
LaLune
3 years, 4 months ago
"A developer create a new account..." meaning that the developer is either the administrator or has been granted administrative permissions. So what that developer needs to access S3 is just an IAM policy that allows him/her to access S3. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html So option B is the easier path to the requirement! Note that actions performed by the management account are not restricted by SCPs. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
upvoted 1 times
Waniru
3 years, 4 months ago
Remember an explicit deny overrules any allow in whatever policy.
upvoted 1 times
Kdosec
3 years, 7 months ago
C is correct, but it still lacks a lot of information; moving to another OU / new OU will inherit full access from root.
upvoted 2 times
sanjaym
3 years, 7 months ago
C for sure
upvoted 1 times
AWS_Noob_007
3 years, 8 months ago
C for me. B will work, but it will also allow everyone else access to S3 as well. The question states it should not affect other users. A & D are irrelevant.
upvoted 2 times
cldy
3 years, 8 months ago
C. That is the only way!!!
upvoted 3 times
DahMac
3 years, 7 months ago
I thought SCPs worked by limiting resources to those they allow. Denies are denied by not allowing them. But I was wrong. The door goes both ways. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_strategies.html
upvoted 1 times
Bad_Mat
3 years, 8 months ago
B looks good, but not sure.
upvoted 1 times
ChinkSantana
3 years, 7 months ago
B is not close. The SCP denies everything if there is a Deny. C is the only reasonable answer.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other