Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 104 discussion

A=local account admin can change this. B=local admin has admin permissions. Complicated. C=implicit permit on everything else = breaks requirements. D= As they want to approve each service, its got to be white-list based SCP setup. Answer is D.

Ans D: It is easier to allow approved services than deny all the other services, considering the vast amount of AWS services. it's easier to whitelist than blacklisting all the remaining services.

D. SCP that allows only approved services at the root OU: This is risky because it affects all accounts in the organization, including potentially critical shared services or management accounts. It's better to scope restrictions to a specific OU.

Not Option D, Using allow-list SCP, since: - Too restrictive - More difficult to maintain - Might block essential services - Could break account functionality - Requires constant updates

Going for C as removing the FullAWSAccess SCP from the root OU requires impacts directly in the Administrative Access and restrict necessary administrative actions required for account management and operations.

D is more straight forward

The answer is (D). The following SCP example from the AWS DOCUMENT allows accounts to create resource shares that share prefix lists https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_ram.html

I prefer C than D. As SCP more in Deny but not Allow https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

SCP - only deny not allow - So answer is C

The question is looking to use the Allow List Strategy using SCP. So the answer that best fits is D.

SCPs primary function is not grant permissions by themselves but restrict the permissions that IAM policies and other access control mechanisms can grant.

D seems better.

Option C: Place all the accounts under a new top-level OU within the organization: This allows for centralized management of the accounts. Create an SCP that denies access to restricted AWS services: This ensures that only approved services are accessible. SCPs (Service Control Policies) are the best way to control permissions at the organizational level. Attach the SCP to the OU: By attaching the SCP to the OU, all accounts within the OU will inherit the restrictions set by the SCP. D is wrong: This option allows access only to approved AWS services by creating an SCP that allows access to only approved services and attaching it to the root OU of the organization. However, this would restrict all accounts, including those of other departments or teams within the organization. It doesn't meet the requirement of allowing each team to retain full administrative rights to its AWS account.

Conclusion: Option C is the best solution to meet the requirements with operational efficiency and scalability. It allows teams to retain administrative rights while enforcing company-wide controls on service access through SCPs. This approach is straightforward to manage at scale, as adding or removing services from the SCP can adjust access permissions across all accounts within the OU. It directly aligns with the goal of allowing access only to approved AWS services and supports a governance model that can evolve with the organization's needs.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

C is correct: <all the accounts are in an organization in AWS Organizations> means we need scps A and B: no mention of scps D: SCP only denies access, not allow. Additionally, should not attack SCP to the root OU because this may inadvertently denies users' access to AWS services

C is correct; apart from SCP's only denying ... why would u want to add SCPs to the root org.