Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 15 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 15
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A company is designing a multi-account structure for its development teams. The company is using AWS Organizations and AWS IAM Identity Center (AWS Single Sign-On). The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services.
Which solution will meet these requirements with the LEAST operational overhead?

  • A. Use IAM Identity Center to set up service-linked roles with IAM policy statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
  • B. Deactivate AWS Security Token Service (AWS STS) in Regions that the developers are not allowed to use.
  • C. Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
  • D. For each AWS account, create tailored identity-based policies for IAM Identity Center. Use statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by aragon_saa at Oct. 4, 2023, 1:12 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
nischal77777
1 month, 3 weeks ago
Selected Answer: C
scp IS CORRECT
upvoted 1 times
...
komik_101
3 months ago
I would like the say A. :D Last week I did this, software team came to me, and they want to access another account S3 bucket permission.(Put, get, delete). and I went to the IAM Identity Center. created a group(put in the users group), and I did permission sets and they accessed other account s3 bucket. SCP is huge topic. SCP very critical . if you doing something, will affect all accounts
upvoted 1 times
...
awssecuritynewbie
7 months, 2 weeks ago
you cannot use "NOTACTION" with SCP though? Anyone can help?
upvoted 1 times
tester6667
7 months ago
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html You can see not action listed
upvoted 1 times
...
...
Raphaello
7 months, 4 weeks ago
Selected Answer: C
SCP to allow certain services in certain regions for specific accounts.
upvoted 1 times
Raphaello
7 months, 2 weeks ago
As explained here https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html#scp-elements-table "Condition", "Resource", and "NotAction" elements can only be used with "Deny" effect, but answer C says "to allow access to only the Regions and services that are needed" as the ultimate outcome, not by the meaning with "Allow" effect. It tries to trick you into thinking "those elements cannot be used with "Allow", then not C" ! Still believe C is the best answer here.
upvoted 1 times
...
...
NoCrapEva
7 months, 4 weeks ago
Selected Answer: C
SCP is the GOTO solution for multiple accounts in AWS Organisations.
upvoted 1 times
...
habros
8 months ago
Selected Answer: C
C. If AWS organizations is enabled, why not take advantage of region deny feature? SCP is the actual mechanism to enforce this rule!
upvoted 1 times
...
mynickc
8 months, 1 week ago
Selected Answer: A
C is wrong becoz notaction, resource & condition can support deny only. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html
upvoted 1 times
...
Sab31
9 months ago
C seems a good option but can someone share if SCPs can have "NotAction" element?
upvoted 1 times
...
Raphaello
9 months, 4 weeks ago
Correct answer is C. SCP to control which organization node can operate on which region(s).
upvoted 1 times
...
Daniel76
10 months, 3 weeks ago
Selected Answer: C
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region
upvoted 2 times
...
lalee2
11 months, 1 week ago
Selected Answer: C
Under Organization SCP is the least operational overhead.
upvoted 1 times
...
KR693
11 months, 2 weeks ago
Option C
upvoted 1 times
...
Sumi81
11 months, 2 weeks ago
C is right
upvoted 1 times
...
100fold
11 months, 3 weeks ago
Selected Answer: C
Agree answer C
upvoted 1 times
...
aragon_saa
1 year ago
https://www.examtopics.com/discussions/amazon/view/88434-exam-aws-certified-security-specialty-topic-1-question-431/
upvoted 2 times
...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel