Exam AWS Certified Security - Specialty topic 1 question 280 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 280
Topic #: 1
[All AWS Certified Security - Specialty Questions]

A company uses AWS Config and AWS Organizations. One of the company's account administrators recently turned off AWS Config recording, and a critical security incident was not logged properly.
The company's security engineer must create an SCP that will deny all users the ability to stop AWS Config. The SCP also must allow the ApprovedAdministrator role to edit AWS Config settings.
Which SCP meets these requirements?
A.

B.

C.

D.

Suggested Answer: A

Comments

dumma
Highly Voted 3 years, 9 months ago
D is right
upvoted 23 times
dumma
3 years, 8 months ago
Sorry, I take it back, A is correct.
upvoted 8 times
ExtHo
3 years, 8 months ago
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html
C & D are out of the race. Unsupported elements: the following elements aren't supported in SCPs: Principal, NotPrincipal, NotResource.
upvoted 18 times
SHMEHUL
Highly Voted 3 years, 8 months ago
Answer: A. Reason: Unsupported elements. The following elements aren't supported in SCPs: Principal, NotPrincipal, NotResource.
upvoted 9 times
Raphaello
Most Recent 1 year, 4 months ago
Principal/NotPrincipal elements are NOT used in SCPs. Correct answer is A.
upvoted 1 times
Jay_12
2 years ago
A
A - "Effect": "Allow" and "ArnEquals" (ArnEquals/ArnLike: restrict access based on comparing a key to ARNs. String operators like StringEquals don't work!)
B - "Effect": "Deny" and "ArnEquals" (This will deny the user in the Principal ARN. This is not what we want.)
C - This is out. (You cannot use Principal in an SCP.) https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html
D - Same as C. (You cannot use Principal in an SCP.)
upvoted 1 times
6_8ftwin
2 years ago
A. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_strategies.html#orgs_policies_allowlist (implicit deny)
upvoted 1 times
Toptip
2 years, 1 month ago
D 100%. Whoever says A is either an AWS troll or doesn't know anything about SCPs.
upvoted 2 times
sakibmas
2 years, 6 months ago
Answer: A. Reason: Supported elements: Version, Statement, Statement ID, Effect, Action, NotAction, Resource, Condition. Reference: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html
upvoted 2 times
maddyr
2 years, 7 months ago
A is correct
upvoted 1 times
sapien45
2 years, 10 months ago
A is the "most correct" answer. Would have been better with a StringNotLike: "Condition": { "StringNotLike": { "aws:PrincipalArn": "arn:aws:iam::*:role/
upvoted 3 times
vbal
2 years, 10 months ago
SCP that will deny all users the ability to stop AWS Config... none of the answers achieves this requirement correctly.
upvoted 4 times
vbal
2 years, 10 months ago
How to Deny All except one principal in SCPs:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessToRI",
      "Effect": "Deny",
      "Action": [
        "ec2:PurchaseReservedInstancesOffering",
        "ec2:AcceptReservedInstancesExchangeQuote",
        "ec2:CancelCapacityReservation",
        "ec2:CancelReservedInstancesListing",
        "ec2:CreateCapacityReservation",
        "ec2:CreateReservedInstancesListing"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/AWS-CentralCostTeam"
        }
      }
    }
  ]
}
upvoted 3 times
CuLeBrO
2 years, 10 months ago
Something is wrong in ALL the answers:
A - Should be the right answer, but it has a Condition element, and those can only be used in a Deny SCP.
B - It has a Deny and a Condition, great, BUT if we apply this one it will end up blocking the ApprovedAdministrator group, and this is the opposite of the requirement.
C - It has a Principal element, which is not allowed in an SCP.
D - It has a NotPrincipal element, which is not allowed in an SCP.
Please confirm here: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html#scp-syntax-condition
Look for "Condition element" and "Unsupported elements".
upvoted 5 times
kujin
2 years, 4 months ago
better doc https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html
upvoted 1 times
dcasabona
2 years, 11 months ago
It's option B. SCP does not support Principal, NotPrincipal and NotResource conditions, AND to use a condition it must be with a Deny statement: "You can specify a Condition element in deny statements in an SCP." https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html#scp-syntax-condition
upvoted 2 times
dcasabona
2 years, 10 months ago
Oops... Sorry, option A. B will block the ApprovedAdministrators role.
upvoted 1 times
Andres123456
3 years ago
Answer A is correct. Elements Principal and NotPrincipal are not supported for SCPs. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html
upvoted 2 times
sam_live
3 years, 6 months ago
Answer is A. You can only call principals in an SCP through a Condition.
upvoted 2 times
Smartf0x
3 years, 6 months ago
D is the correct answer. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html
upvoted 1 times
TollaMS
3 years, 8 months ago
A is the answer. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html Focus on the example Action element: by default everything is blocked, so you have to allow the things you need.
upvoted 2 times
hk436
3 years, 8 months ago
A is my answer. B - This says Deny if the ARN equals ApprovedAdministrator. C & D - NotPrincipal is not applicable for SCPs.
upvoted 2 times
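The deny-everyone-except-one-principal pattern that vbal and sapien45 describe, applied to the question's AWS Config scenario, together with a check for the SCP syntax restrictions the thread cites (no Principal/NotPrincipal/NotResource, Condition only in Deny statements). This is an added example, not code from the page or from AWS; the policy, the use of the config:StopConfigurationRecorder and config:DeleteConfigurationRecorder actions, the role ARN pattern and the simplified evaluator are assumptions made here.

```python
import fnmatch

# Statement elements the thread's cited AWS docs list as supported in SCPs.
STATEMENT_KEYS = {"Sid", "Effect", "Action", "NotAction", "Resource", "Condition"}

# Constructed SCP for the question's scenario: nobody may stop or delete the
# Config recorder unless they act as the ApprovedAdministrator role (assumed ARN).
PROTECT_CONFIG_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyStoppingConfigExceptApprovedAdmin",
        "Effect": "Deny",
        "Action": ["config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder"],
        "Resource": "*",
        "Condition": {"StringNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/ApprovedAdministrator"}},
    }],
}

def scp_violations(policy):
    """List syntax problems per the restrictions cited in the thread (empty = clean)."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        for key in stmt:
            if key not in STATEMENT_KEYS:  # catches Principal, NotPrincipal, NotResource
                problems.append(f"statement {i}: unsupported element {key}")
        if stmt.get("Effect") == "Allow" and "Condition" in stmt:
            problems.append(f"statement {i}: Condition is only allowed in Deny statements")
    return problems

def _matches(value, patterns):
    """IAM-style wildcard match ('*' and '?') against one pattern or a list of patterns."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def denied_by_scp(policy, principal_arn, action):
    """True if a Deny statement matches the action and its StringNotLike condition on
    aws:PrincipalArn holds. Simplified evaluator: only this condition operator is modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not _matches(action, actions):
            continue
        cond = stmt.get("Condition", {})
        if "StringNotLike" in cond and _matches(principal_arn, cond["StringNotLike"]["aws:PrincipalArn"]):
            continue  # approved principal: StringNotLike is false, so this Deny does not apply
        return True
    return False
```

Because the statement is a Deny with a condition, the ApprovedAdministrator role keeps its ability to change Config settings while everyone else in the affected accounts is blocked from stopping the recorder, regardless of their IAM permissions.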
Community vote distribution
A (35%)
C (25%)
B (20%)
Other