Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 464 discussion

A: SCPs don't allow, they deny B: is reactive, not preventive C: is correct D: Boundary Permissions don't allow, they set maximum permissions.

I will go with C. But between A & C it is very confusing. You can understand the question that SCP deny actions by default and hence you need to allow actions, or if you are white listing you need to deny actions explicitly.

Option C involves creating an SCP that denies IAM actions for all users except those with administrator roles. This approach ensures that only administrators can perform IAM actions, meeting one of the key requirements. The use of an SCP to deny permissions also provides a more centralized and scalable solution compared to options A or D, which focus on allowing specific permissions for administrators. Applying this SCP to the root OU will ensure it applies to all child OUs and their respective AWS accounts, meeting the requirement of enforcing the policy across multiple accounts.

If an SCP allows certain IAM actions specifically for administrator roles or groups, it implicitly denies those actions for all other roles and users in the accounts where the SCP is applied. You do not need to explicitly deny the actions for non-administrator roles and users. The implicit deny happens automatically because SCPs define the maximum permissible permissions. So it is A. With C at every new role you have to define it. And Administrators by default have in their IAM permission the capacity to do the modifications.

C using SCP deny

Applying SCP to the root OU with specified deny rule