ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 263 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 263
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A company needs to prevent Amazon S3 objects from being shared with IAM identities outside of the company’s organization in AWS Organizations. A security engineer is creating and deploying an SCP to accomplish this goal. The company has enabled the S3 Block Public Access feature on all of its S3 buckets.

What should the SCP do to meet these requirements?

  • A. Deny the S3:* action with a Condition element that comprises an operator of StringNotEquals, a key of aws:ResourceOrgID, and a value of S{aws PrincipalOrgID}.
  • B. Deny the S3:PutAccountPublicAccessBlock action with a Condition element that comprises an operator of StringLike, a key of aws:PrincipalArn, and the values of the external IAM principals.
  • C. Allow the S3:* action with a Condition element that comprises an operator of StringNotEquals, a key of aws:PrincipalOrgID, and a value of S{aws:PrincipalOrgID}.
  • D. Deny the S3:* action with a Condition element that comprises an operator of StringLike, a key of aws:PrincipalArn, and the values of the external IAM principals
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by Pmktechno at Jan. 6, 2025, 1:20 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
AWSLoverLoverLoverLoverLover
2 months ago
Selected Answer: A
Use an SCP (Service Control Policy) – SCPs define what actions are allowed or denied across all accounts in an AWS Organization. Block access to resources for IAM principals outside of the organization – This ensures that only identities within the company’s AWS Organization can access the S3 objects. Use the correct condition key: aws:PrincipalOrgID refers to the organization ID of the AWS principal making the request. aws:ResourceOrgID refers to the organization ID of the AWS account that owns the resource. StringNotEquals ensures that the action is denied unless the resource belongs to the company’s organization.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago