Exam AWS Certified Security - Specialty topic 1 question 140 discussion

CORRECTION: D is the correct answer. Somehow I missed that the case asks to restrict S3 access "in one of the organizational units". Detaching default "FullAWSAccess" on the OU level will do that. Option D! My mistake!

Yaay..let's remove the default FullAWSAccess and paralyze everything to allow only S3 for an OU! Cannot remove default "FullAWSAccess" inherited from root. B is better answer, but it is "at the account level" on OU level!

Very Badly worded. arghh

D - You can dettach FullAWSAccess from the rest of OU

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance_auth.html

B-attach deny policy to target aws account in OU to restrict the account to use only s3 service. even if we detach FullAWSAccess SCP policy from target account, there may be a chance that it inherits the SCP policy applied at root level or OU level granting access to other services. So it is best to attach the deny policy to target account as explicit deny always overrides

Question says "adds the following SCP to the OU" which means,user would have detached default one

An allow list strategy has you remove the FullAWSAccess SCP that is attached by default to every OU and account. This means that no APIs are permitted anywhere unless you explicitly allow them. To allow a service API to operate in an AWS account, you must create your own SCPs and attach them to the account and every OU above it, up to and including the root.

https://docs.aws.amazon.com/organizations/latest/APIReference/API_DetachPolicy.html Every root, OU, and account must have at least one SCP attached. If you want to replace the default FullAWSAccess policy with an SCP that limits the permissions that can be delegated, you must attach the replacement SCP before you can remove the default SCP. This is the authorization strategy of an "allow list".