Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 15 discussion

A company is designing a multi-account structure for its development teams. The company is using AWS Organizations and AWS IAM Identity Center (AWS Single Sign-On). The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services.
Which solution will meet these requirements with the LEAST operational overhead?

  • A. Use IAM Identity Center to set up service-linked roles with IAM policy statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
  • B. Deactivate AWS Security Token Service (AWS STS) in Regions that the developers are not allowed to use.
  • C. Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
  • D. For each AWS account, create tailored identity-based policies for IAM Identity Center. Use statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
Suggested Answer: C
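To make the suggested answer concrete, here is an added example (not part of the exam question, the ExamTopics page, or any AWS documentation) that builds the two Deny-based SCPs answer C describes and evaluates sample requests against them offline. In SCP syntax the Condition element, the NotAction element and a Resource other than "*" are only supported in statements with Effect Deny, so "allow only these Regions and services" is expressed as "deny everything outside them". The SCP would be attached to the OU holding the development accounts (SCPs never affect the management account). The Region and service lists are constructed for illustration, the global-service exemption list is an assumption that a real deployment must tailor, and the evaluator is a deliberately small model: it checks only whether a Deny statement applies and does not model OU inheritance or the identity-based Allow (for example from an IAM Identity Center permission set) that every request still needs.

```python
import fnmatch
import json

# Assumption: global services whose API calls carry a Region the developer never
# chose (IAM, STS, Organizations and others sign requests against us-east-1).
# Leaving these out of the exemption locks developers out of console sign-in,
# role assumption and account-level housekeeping. Tailor this list per deployment.
GLOBAL_SERVICE_EXEMPTIONS = [
    "iam:*", "sts:*", "organizations:*", "support:*",
    "cloudfront:*", "route53:*", "access-analyzer:*",
]


def build_dev_scp(allowed_regions, allowed_services):
    """Return an SCP (as a dict) that confines the attached OU or account to the
    given Regions and services. Both statements use Effect Deny because SCPs
    support Condition, NotAction and non-"*" Resource only with Deny."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideAllowedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICE_EXEMPTIONS,
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}
                },
            },
            {
                "Sid": "DenyUnapprovedServices",
                "Effect": "Deny",
                "NotAction": [f"{svc}:*" for svc in allowed_services]
                + GLOBAL_SERVICE_EXEMPTIONS,
                "Resource": "*",
            },
        ],
    }


def check_scp_syntax(policy):
    """List the element/effect combinations that Organizations rejects in an SCP:
    NotAction or Condition on an Allow statement, or an Allow whose Resource
    is not exactly "*". An empty list means the policy passes these checks."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            problems.append(f"{sid}: NotAction is only supported with Effect Deny")
        if "Condition" in stmt:
            problems.append(f"{sid}: Condition is only supported with Effect Deny")
        if stmt.get("Resource") != "*":
            problems.append(f'{sid}: Allow statements must use Resource "*"')
    return problems


def _action_matches(stmt, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    def hit(patterns):
        if isinstance(patterns, str):
            patterns = [patterns]
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

    if "NotAction" in stmt:
        # NotAction: the statement applies to every action NOT in the list.
        return not hit(stmt["NotAction"])
    return hit(stmt.get("Action", []))


def _condition_matches(stmt, region):
    """Model only the aws:RequestedRegion operators used in build_dev_scp."""
    cond = stmt.get("Condition")
    if not cond:
        return True
    for operator, kv in cond.items():
        values = kv.get("aws:RequestedRegion", [])
        if isinstance(values, str):
            values = [values]
        if operator == "StringNotEquals" and region in values:
            return False
        if operator == "StringEquals" and region not in values:
            return False
    return True


def scp_denies(policy, action, region):
    """True if any Deny statement in the SCP applies to (action, region).
    A False result only means the SCP does not block the call; the principal
    still needs an identity-based Allow for the call to succeed."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if _action_matches(stmt, action) and _condition_matches(stmt, region):
            return True
    return False


if __name__ == "__main__":
    scp = build_dev_scp(["eu-west-1", "eu-central-1"], ["ec2", "s3", "lambda"])
    print(json.dumps(scp, indent=2))
    print("syntax problems:", check_scp_syntax(scp))
    # Constructed sample requests: (action, aws:RequestedRegion)
    for action, region in [
        ("ec2:RunInstances", "eu-west-1"),   # allowed service, allowed Region
        ("ec2:RunInstances", "ap-south-1"),  # allowed service, forbidden Region
        ("dynamodb:PutItem", "eu-west-1"),   # unapproved service
        ("iam:ListUsers", "us-east-1"),      # global service, exempted
    ]:
        print(f"{action:18} {region:12} denied={scp_denies(scp, action, region)}")
```

The check_scp_syntax helper is what a practitioner should run over any candidate SCP before attaching it: an Allow statement that carries NotAction or Condition is rejected at attach time, which is the trap several commenters below are circling. Watch the order of operations in the main block as well: attach the SCP to a test OU first, because a forgotten global-service exemption is a fast way to lock an entire OU out of STS and IAM.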

Comments

kkravets
1 month, 1 week ago
Selected Answer: A
SCPs are going to affect all, not only the dev team.
upvoted 1 times
nischal77777
3 months, 3 weeks ago
Selected Answer: C
SCP is correct.
upvoted 1 times
komik_101
5 months ago
I would like to say A. :D Last week I did this: the software team came to me, and they wanted to access another account's S3 bucket (Put, Get, Delete permissions). I went to IAM Identity Center, created a group (put the users in the group), created permission sets, and they accessed the other account's S3 bucket. SCP is a huge topic. SCPs are very critical; if you do something, it will affect all accounts.
upvoted 1 times
awssecuritynewbie
9 months, 3 weeks ago
You cannot use "NotAction" with SCPs though? Can anyone help?
upvoted 1 times
tester6667
9 months ago
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html You can see NotAction listed.
upvoted 1 times
Raphaello
9 months, 4 weeks ago
Selected Answer: C
SCP to allow certain services in certain regions for specific accounts.
upvoted 1 times
Raphaello
9 months, 2 weeks ago
As explained here https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html#scp-elements-table the "Condition", "Resource", and "NotAction" elements can only be used with the "Deny" effect, but answer C says "to allow access to only the Regions and services that are needed" as the ultimate outcome, not in the sense of an "Allow" effect. It tries to trick you into thinking "those elements cannot be used with "Allow", so not C"! I still believe C is the best answer here.
upvoted 1 times
NoCrapEva
10 months ago
Selected Answer: C
SCPs are the go-to solution for multiple accounts in AWS Organisations.
upvoted 1 times
habros
10 months ago
Selected Answer: C
C. If AWS Organizations is enabled, why not take advantage of the region deny feature? SCPs are the actual mechanism to enforce this rule!
upvoted 1 times
mynickc
10 months, 1 week ago
Selected Answer: A
C is wrong because NotAction, Resource & Condition support Deny only. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html
upvoted 1 times
Sab31
11 months ago
C seems a good option, but can someone share whether SCPs can have a "NotAction" element?
upvoted 1 times
Raphaello
11 months, 4 weeks ago
The correct answer is C. Use an SCP to control which organization node can operate in which Region(s).
upvoted 1 times
Daniel76
1 year ago
Selected Answer: C
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region
upvoted 2 times
lalee2
1 year, 1 month ago
Selected Answer: C
Under Organizations, SCPs are the least operational overhead.
upvoted 1 times
KR693
1 year, 1 month ago
Option C
upvoted 1 times
Sumi81
1 year, 1 month ago
C is right
upvoted 1 times
100fold
1 year, 1 month ago
Selected Answer: C
Agree, answer C.
upvoted 1 times
aragon_saa
1 year, 2 months ago
https://www.examtopics.com/discussions/amazon/view/88434-exam-aws-certified-security-specialty-topic-1-question-431/
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other