ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 104 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 104
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A company has an organization with SCPs in AWS Organizations. The root SCP for the organization is as follows:



The company's developers are members of a group that has an IAM policy that allows access to Amazon Simple Email Service (Amazon SES) by allowing ses:* actions. The account is a child to an OU that has an SCP that allows Amazon SES. The developers are receiving a not-authorized error when they try to access Amazon SES through the AWS Management Console.

Which change must a security engineer implement so that the developers can access Amazon SES?

  • A. Add a resource policy that allows each member of the group to access Amazon SES.
  • B. Add a resource policy that allows "Principal": {"AWS": "arn:aws:iam::account-number:group/Dev"}.
  • C. Remove the AWS Control Tower control (guardrail) that restricts access to Amazon SES.
  • D. Remove Amazon SES from the root SCP.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by [deleted] at Nov. 25, 2023, 11:42 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
navid1365
7 months, 1 week ago
Selected Answer: D
D is correct. A SCP identifies the maximum level of access that IAM entity within that OU can have. Since SES is denied in the SCP, it does not matter if you allow it in other policies. It will simply not be allowed because the SCP does not allow it.
upvoted 2 times
...
awssecuritynewbie
10 months, 2 weeks ago
Selected Answer: D
pay attention to the question... it states it wants to allow the dev to use SES... it does not ask to "only" allow them. so it would make sure to remove the SCP because SCP is never overwritten.
upvoted 2 times
...
rahav
1 year ago
D is the correct one
upvoted 1 times
...
ykhan321
1 year ago
Selected Answer: D
Why most of the answers are incorrect here.
upvoted 2 times
...
azure4life
1 year ago
Selected Answer: D
Option D is the correct solution. The root SCP is denying access to Amazon SES across the organization. Even though the OU SCP and IAM policy allow SES access, the root SCP takes precedence and blocks it. Removing Amazon SES from the root SCP whitelist will resolve the issue and allow the developers to access SES based on the permissions granted in their IAM policy. Option A is incorrect because resource policies apply at the service level, not for IAM users/groups. Option B is also related to resource policies, not the issue with the SCP whitelist. Option C mentions AWS Control Tower which is not referenced in the question. The SCP is set through AWS Organizations. So the root cause is the root SCP denying access to SES, and it needs to be removed from that SCP to allow access that is permitted in the lower levels of permissions.
upvoted 2 times
...
Oralinux
1 year ago
Answer D: a resource policy attached directly to an AWS resource (such as Amazon SES) cannot override an SCP (Service Control Policy) set at the root level in AWS Organizations. Service Control Policies (SCPs) at the root level act as "guardrails" and define the maximum permissions that accounts within the organization can have. They are evaluated before resource policies. If an SCP denies access to a particular service, even a resource policy allowing access on the specific resource won't take effect. The SCP at the root level will override any resource policy attached to individual resources. So, while a resource policy can be useful for granting permissions on a specific resource, it cannot be used to override the restrictions imposed by an SCP at a higher level in the organization's hierarchy. In this scenario, removing the restriction for Amazon SES from the root SCP would be the effective solution.
upvoted 1 times
...
Aamee
1 year ago
Selected Answer: D
Leads me towards option D only cuz it seems like the denial of ses* actions explicitly defined under the SCP is probably blocking their authorization requests... not sure if Control Tower here makes any big difference..
upvoted 1 times
...
[Removed]
1 year, 1 month ago
Selected Answer: D
The answer is D
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel