Exam AWS Certified Security - Specialty topic 1 question 344 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 344
Topic #: 1

A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts.

All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts.

Which SCP should the security engineer attach to the root of the organization to meet these requirements?

  • A.
  • B.
  • C.
  • D.
Suggested Answer: A

Comments

Toptip
1 year, 11 months ago
Selected Answer: A
A is correct
upvoted 1 times
...
ITGURU51
2 years ago
The NotAction element cannot be used in this case. The NotAction element is used to specify an exception to a list of actions. For example, you could use a NotAction element to allow all actions except for a specific set of actions. However, in this case, you want to explicitly deny access to specific actions that would disable Amazon GuardDuty and AWS Security Hub. A
upvoted 2 times
...
G4Exams
2 years ago
Selected Answer: A
Definitely A. The "NotAction" in the other options is not correct here.
upvoted 2 times
...
milofficial
2 years, 3 months ago
Selected Answer: A
Answer is A
upvoted 2 times
...
Isaias
2 years, 5 months ago
Selected Answer: A
A for sure
upvoted 2 times
...
landsamboni
2 years, 5 months ago
A. SCP cannot Allow, only Deny
upvoted 1 times
Isaias
2 years, 5 months ago
It can, but it does not need it because it already has a DefaultFullAccess, so what we need is to attach an explicit deny.
upvoted 10 times
...
...
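The Action versus NotAction point debated in the comments can be checked with a small policy-evaluation model. This is an added example, not part of the original question or any commenter's post; the answer options are not reproduced on this page, so the SCP statements, the list of protected actions and the role below are constructed, and the model is simplified (one organization level, Resource "*", no conditions).

```python
from fnmatch import fnmatchcase

# Constructed list of "disable" actions; extend it to whatever your organization must protect.
PROTECTED = [
    "guardduty:DeleteDetector",
    "guardduty:DisassociateFromMasterAccount",
    "securityhub:DisableSecurityHub",
    "securityhub:DisassociateFromMasterAccount",
]

FULL_AWS_ACCESS = {"Effect": "Allow", "Action": ["*"]}       # default SCP from the question
DENY_LISTED = {"Effect": "Deny", "Action": PROTECTED}        # explicit deny of the listed actions
DENY_NOTACTION = {"Effect": "Deny", "NotAction": PROTECTED}  # denies everything EXCEPT the list


def _hit(patterns, action):
    # IAM action names are case-insensitive and may contain * wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def statement_matches(stmt, action):
    if "NotAction" in stmt:
        return not _hit(stmt["NotAction"], action)
    return _hit(stmt["Action"], action)


def scp_permits(scps, action):
    """SCPs are a filter: an Allow must match and no Deny may match."""
    allowed = any(s["Effect"] == "Allow" and statement_matches(s, action) for s in scps)
    denied = any(s["Effect"] == "Deny" and statement_matches(s, action) for s in scps)
    return allowed and not denied


def effective(scps, iam_allowed, action):
    """A call succeeds only if the SCPs permit it AND the role's IAM policy grants it."""
    return scp_permits(scps, action) and _hit(iam_allowed, action)


# Hypothetical job-function role defined in a member account.
ROLE = ["guardduty:*", "securityhub:*", "s3:GetObject"]

if __name__ == "__main__":
    for name, scps in [("Deny+Action", [FULL_AWS_ACCESS, DENY_LISTED]),
                       ("Deny+NotAction", [FULL_AWS_ACCESS, DENY_NOTACTION])]:
        for action in ["guardduty:DeleteDetector", "guardduty:ListDetectors", "s3:GetObject"]:
            print(f"{name:15} {action:28} {effective(scps, ROLE, action)}")
```

With the explicit Deny on listed actions, only the disable calls are blocked and everything else the role's IAM policy grants still works; with Deny plus NotAction the result inverts, blocking the role's other permissions while leaving the disable calls available.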
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted