ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 15 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 15
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A company is designing a multi-account structure for its development teams. The company is using AWS Organizations and AWS IAM Identity Center (AWS Single Sign-On). The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services.
Which solution will meet these requirements with the LEAST operational overhead?

  • A. Use IAM Identity Center to set up service-linked roles with IAM policy statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
  • B. Deactivate AWS Security Token Service (AWS STS) in Regions that the developers are not allowed to use.
  • C. Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
  • D. For each AWS account, create tailored identity-based policies for IAM Identity Center. Use statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by aragon_saa at Oct. 4, 2023, 1:12 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
kkravets
5 months, 1 week ago
Selected Answer: A
SCP is going to affect all, not only dev team
upvoted 1 times
...
nischal77777
7 months, 3 weeks ago
Selected Answer: C
scp IS CORRECT
upvoted 1 times
...
komik_101
9 months ago
I would like the say A. :D Last week I did this, software team came to me, and they want to access another account S3 bucket permission.(Put, get, delete). and I went to the IAM Identity Center. created a group(put in the users group), and I did permission sets and they accessed other account s3 bucket. SCP is huge topic. SCP very critical . if you doing something, will affect all accounts
upvoted 1 times
...
awssecuritynewbie
1 year, 1 month ago
you cannot use "NOTACTION" with SCP though? Anyone can help?
upvoted 1 times
tester6667
1 year, 1 month ago
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html You can see not action listed
upvoted 1 times
...
...
Raphaello
1 year, 1 month ago
Selected Answer: C
SCP to allow certain services in certain regions for specific accounts.
upvoted 1 times
Raphaello
1 year, 1 month ago
As explained here https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html#scp-elements-table "Condition", "Resource", and "NotAction" elements can only be used with "Deny" effect, but answer C says "to allow access to only the Regions and services that are needed" as the ultimate outcome, not by the meaning with "Allow" effect. It tries to trick you into thinking "those elements cannot be used with "Allow", then not C" ! Still believe C is the best answer here.
upvoted 1 times
...
...
NoCrapEva
1 year, 1 month ago
Selected Answer: C
SCP is the GOTO solution for multiple accounts in AWS Organisations.
upvoted 1 times
...
habros
1 year, 2 months ago
Selected Answer: C
C. If AWS organizations is enabled, why not take advantage of region deny feature? SCP is the actual mechanism to enforce this rule!
upvoted 1 times
...
mynickc
1 year, 2 months ago
Selected Answer: A
C is wrong becoz notaction, resource & condition can support deny only. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html
upvoted 1 times
...
Sab31
1 year, 2 months ago
C seems a good option but can someone share if SCPs can have "NotAction" element?
upvoted 1 times
...
Raphaello
1 year, 3 months ago
Correct answer is C. SCP to control which organization node can operate on which region(s).
upvoted 1 times
...
Daniel76
1 year, 4 months ago
Selected Answer: C
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region
upvoted 2 times
...
lalee2
1 year, 5 months ago
Selected Answer: C
Under Organization SCP is the least operational overhead.
upvoted 1 times
...
KR693
1 year, 5 months ago
Option C
upvoted 1 times
...
Sumi81
1 year, 5 months ago
C is right
upvoted 1 times
...
100fold
1 year, 5 months ago
Selected Answer: C
Agree answer C
upvoted 1 times
...
aragon_saa
1 year, 6 months ago
https://www.examtopics.com/discussions/amazon/view/88434-exam-aws-certified-security-specialty-topic-1-question-431/
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago