
Exam AWS Certified Solutions Architect - Professional topic 1 question 673 discussion

A company uses AWS Organizations with a single OU named Production to manage multiple accounts. All accounts are members of the Production OU.
Administrators use deny list SCPs in the root of the organization to manage access to restricted services.
The company recently acquired a new business unit and invited the new unit's existing AWS account to the organization. Once onboarded, the administrators of the new business unit discovered that they are not able to update existing AWS Config rules to meet the company's policies.
Which option will allow administrators to make changes and continue to enforce the current policies without introducing additional long-term maintenance?

  • A. Remove the organization's root SCPs that limit access to AWS Config. Create AWS Service Catalog products for the company's standard AWS Config rules and deploy them throughout the organization, including the new account.
  • B. Create a temporary OU named Onboarding for the new account. Apply an SCP to the Onboarding OU to allow AWS Config actions. Move the new account to the Production OU when adjustments to AWS Config are complete.
  • C. Convert the organization's root SCPs from deny list SCPs to allow list SCPs to allow the required services only. Temporarily apply an SCP to the organization's root that allows AWS Config actions for principals only in the new account.
  • D. Create a temporary OU named Onboarding for the new account. Apply an SCP to the Onboarding OU to allow AWS Config actions. Move the organization's root SCP to the Production OU. Move the new account to the Production OU when adjustments to AWS Config are complete.
Suggested Answer: D

Comments

avland
Highly Voted 3 years, 6 months ago
D. The problem with B is that the new OU will be created within the root of the organization, and so the Deny on changes to Config rules (from the root of the organization) will then apply to the new OU as well. The new OU must not have a parent that denies changes to Config rules. That would be the case for D.
upvoted 29 times
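The inheritance rule that the comments above rely on, as an added example that is not part of the original thread: a small model of how AWS Organizations evaluates SCPs along the path from the root through each OU to the account, applied to the layouts from options B and D. The SCP documents and the OU/account names are constructed for the example; `config:PutConfigRule` stands in for the kind of change the new unit's administrators need to make.

```python
from fnmatch import fnmatchcase

# Simplified SCP documents (Effect/Action only), constructed for this example.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
DENY_CONFIG = {"Statement": [{"Effect": "Deny", "Action": "config:Put*"}]}
ALLOW_CONFIG = {"Statement": [{"Effect": "Allow", "Action": "config:*"}]}
ACTION = "config:PutConfigRule"  # the kind of change the new unit's admins need

def node_permits(scps, action):
    """SCPs attached at one node permit the action only if some statement
    allows it and no statement explicitly denies it."""
    allowed = denied = False
    for scp in scps:
        for stmt in scp["Statement"]:
            patterns = stmt["Action"]
            if isinstance(patterns, str):
                patterns = [patterns]
            if any(fnmatchcase(action, p) for p in patterns):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied

def action_permitted(attachments, path, action):
    """attachments: node -> SCPs attached there; path: root, OUs, account.
    Every node on the path must permit the action, so a Deny at any ancestor
    cannot be overridden by an Allow further down the tree."""
    return all(node_permits(attachments[node], action) for node in path)

def option_b():
    """Onboarding OU created under a root that still carries the deny-list SCP."""
    attachments = {"root": [FULL_AWS_ACCESS, DENY_CONFIG],
                   "Onboarding": [FULL_AWS_ACCESS, ALLOW_CONFIG],
                   "new-account": [FULL_AWS_ACCESS]}
    return action_permitted(attachments, ["root", "Onboarding", "new-account"], ACTION)

def option_d():
    """Deny-list SCP moved from the root to the Production OU. Returns (new
    account while in Onboarding, new account after its move to Production)."""
    attachments = {"root": [FULL_AWS_ACCESS],
                   "Production": [FULL_AWS_ACCESS, DENY_CONFIG],
                   "Onboarding": [FULL_AWS_ACCESS, ALLOW_CONFIG],
                   "new-account": [FULL_AWS_ACCESS]}
    return (action_permitted(attachments, ["root", "Onboarding", "new-account"], ACTION),
            action_permitted(attachments, ["root", "Production", "new-account"], ACTION))
```

With the deny still on the root, the Onboarding OU's Allow changes nothing (option B); once the deny lives on the Production OU, the account can edit Config rules while in Onboarding and loses that ability again as soon as it is moved into Production (option D).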
smartassX
Highly Voted 3 years, 6 months ago
D --> "Administrators use deny list SCPs in the root of the organization to manage access to restricted services." In Option D "Move the organization's root SCP to the Production OU. Move the new account to the Production OU when adjustments to AWS Config are complete."
upvoted 10 times
SkyZeroZx
Most Recent 1 year, 9 months ago
Selected Answer: D
D. The problem with B is that the new OU will be created within the root of the organization, and so the Deny on changes to Config rules (from the root of the organization) will then apply to the new OU as well. The new OU must not have a parent that denies changes to Config rules. That would be the case for D.
upvoted 1 times
cldy
3 years, 4 months ago
D. Create a temporary OU named Onboarding for the new account. Apply an SCP to the Onboarding OU to allow AWS Config actions. Move the organization's root SCP to the Production OU. Move the new account to the Production OU when adjustments to AWS Config are complete.
upvoted 1 times
AzureDP900
3 years, 4 months ago
D Is right
upvoted 1 times
andylogan
3 years, 5 months ago
It's D - create temporary OU
upvoted 2 times
tgv
3 years, 5 months ago
DDD ---
upvoted 2 times
WhyIronMan
3 years, 5 months ago
I'll go with D
upvoted 1 times
Waiweng
3 years, 5 months ago
it's D
upvoted 2 times
ExtHo
3 years, 6 months ago
D is correct. As for B: if the SCP applied on the organization's root has a "deny" permission, all OUs under the organization will inherit that rule. You cannot override an explicit "deny" permission with an explicit "allow" applied to the temporary Onboarding OU.
upvoted 5 times
awsnoob
3 years, 6 months ago
B is not correct.... Deny takes precedence... it should be D
upvoted 1 times
kiev
3 years, 6 months ago
OK review again. The answer is B. Don't forget the SCP was already applicable to root, so no need to apply it again, and that is why D isn't correct
upvoted 2 times
kiev
3 years, 6 months ago
Guys anyone here having problems accessing exam topics from laptop? I just can't get access for over two days now. My answer is D
upvoted 1 times
Ebi
3 years, 6 months ago
B does not work; deny at root does not allow member account even with an allow. D for sure
upvoted 4 times
njthomas
3 years, 6 months ago
Going with D, due to the "allow administrators to make changes and continue to enforce the current policies" part.
upvoted 1 times
njthomas
3 years, 6 months ago
If an SCP is applied via deny policy at the root, we cannot enable it at a lower level. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance_auth.html I suggest C
upvoted 2 times
Bulti
3 years, 6 months ago
I think the correct answer is D. The best practice is to not assign an SCP to the root of the organization. So B is incorrect. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html - Search for "Testing effects of SCPs".
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other