Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 114 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 114
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts.

All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts.

Which SCP should the security engineer attach to the root of the organization to meet these requirements?

  • A.
  • B.
  • C.
  • D.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by [deleted] at Nov. 25, 2023, 12:39 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
ale_brd_111
6 months, 1 week ago
Selected Answer: A
gotta be A
upvoted 2 times
...
ahrentom
10 months, 1 week ago
Selected Answer: A
A is correct, key word in SCP is to Deny, because it overwrites the FullAccessSCP Alow statement.
upvoted 3 times
...
AgboolaKun
10 months, 1 week ago
Selected Answer: A
A is correct. The NotAction element cannot be used in this case. You only need an explicit DENY here since all accounts and OUs already have a default FullAWSAccess SCP but you don't want them to be able to disable Amazon GuardDuty and AWS Security Hub.
upvoted 3 times
Sab31
9 months ago
Kindly correct me if I am wrong. When we attach a new SCP the default FullAWSAccess SCP is detached from the OU. isn't that right?
upvoted 1 times
...
...
Aamee
10 months, 1 week ago
Selected Answer: D
Probably going with D but still not 100% sure how is it going to work that way... would appreciate if someone could help in understanding this question..
upvoted 2 times
LeoD
10 months, 1 week ago
SCPs do not support NotAction with effect Allow.
upvoted 2 times
Zek
4 months, 3 weeks ago
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html#scp-elements-table
upvoted 1 times
...
Aamee
10 months, 1 week ago
Ah ok, got it...thnx so much... in this way, probably looks like all other options are invalid except option A since on all others they've used 'NotAction' attribute with Allow directly and indirectly which won't work..
upvoted 2 times
...
...
...
[Removed]
10 months, 2 weeks ago
A. OU level will still have access to other services outside of Guardduty and Security Hub due to the OU level policy. D could work but is not necessary
upvoted 1 times
...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel