ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified DevOps Engineer - Professional DOP-C02 All Questions

View all questions & answers for the AWS Certified DevOps Engineer - Professional DOP-C02 exam
Go to Exam

Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 280 discussion

Exam question from Amazon's AWS Certified DevOps Engineer - Professional DOP-C02
Question #: 280
Topic #: 1
[All AWS Certified DevOps Engineer - Professional DOP-C02 Questions]

A company uses AWS Organizations to manage its AWS accounts. The organization root has a child OU that is named Department. The Department OU has a child OU that is named Engineering. The default FullAWSAccess policy is attached to the root, the Department OU, and the Engineering OU.

The company has many AWS accounts in the Engineering OU. Each account has an administrative IAM role with the AdministratorAccess IAM policy attached. The default FullAWSAccessPolicy is also attached to each account.

A DevOps engineer plans to remove the FullAWSAccess policy from the Department OU. The DevOps engineer will replace the policy with a policy that contains an Allow statement for all Amazon EC2 API operations.

What will happen to the permissions of the administrative 1AM roles as a result of this change?

  • A. All API actions on all resources will be allowed.
  • B. All API actions on EC2 resources will be allowed. All other API actions will be denied.
  • C. All API actions on all resources will be denied.
  • D. All API actions on EC2 resources will be denied. All other API actions will be allowed.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by hzaki at Aug. 21, 2024, 4:03 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
teo2157
4 months, 1 week ago
Selected Answer: B
It's B based on this url https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html
upvoted 2 times
...
aws_god
7 months, 1 week ago
Selected Answer: A
The default FullAWSAccess policy is attached to the root, the Department OU, and the Engineering OU. So even if it is removed from the Department OU, it is still attached on the Engineering OU.
upvoted 2 times
...
ApacheKafkaAWS
7 months, 4 weeks ago
Selected Answer: B
I'ts B
upvoted 2 times
...
siheom
8 months ago
Selected Answer: B
vote B..
upvoted 2 times
...
hzaki
8 months ago
Selected Answer: B
When the FullAWSAccess policy is replaced with a policy that allows only EC2 actions, this new SCP will act as a boundary. Even if an IAM role or user within the account has a broader permission set (like AdministratorAccess), the SCP limits what can be done.
upvoted 4 times
...
hzaki
8 months, 1 week ago
Selected Answer: A
The answer is A Still, the root has attached a full access policy.
upvoted 1 times
hzaki
8 months ago
Sorry the Answer: B When the FullAWSAccess policy is replaced with a policy that allows only EC2 actions, this new SCP will act as a boundary. Even if an IAM role or user within the account has a broader permission set (like AdministratorAccess), the SCP limits what can be done.
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago