Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 160 discussion

You need to understand how SCP inheritance works in AWS. The way it works for Deny policies is different that allow policies. Allow polices are passing down to children ONLY if they don't have an allow policy. Deny policies always pass down to children. That's why there is always an SCP set to the Root to allow everything by default. If you limit this policy, the whole organization will be limited, not matter what other policies are saying for the other OUs. So it's not A. It's not D because it restricts the wrong OU.

CE FullAWSAccess is applied be default, no need to check it since the question did not say it has been removed. For an Action to be permitted it has to be allowed from the Root OUs all the way to the accounts.

ANS: B&E

B & E are correct

B-E, no debate

B and E are correct because he requirement for dev ou user should still be able to do what they need to

B and E are correct: A: this does not make sense. It would mess with permissions for all OUs C: The question requires <only the production OU>: we need to target the production OU, not development OU D: <Attach the SCP to the workload OU>: we need to target only the production OU. This option affects both dev and prod OUS

B & E it is

A is wrong, we only want to limit production OU, development OU users should be able to do anything

Answer is B & E. A is not correct because it would prevent the developers team to access the Developer OU. That wouldn't make sense.

A and E