Exam AWS Certified Solutions Architect - Professional topic 1 question 572 discussion

B is correct

Answer is A - You cannot remove the FullAWSAccess SCP that is inherited from root. Test it and see.

SCP evaluation starts with an implicit Deny (soft deny). The default SCP allows full access so removing this policy causes any service to be implicitly denied unless an allow statement is used. Explicit Deny should be used for organizational rules that must be strictly enforced (hard deny). An example would be to deny a service that doesn't meet a specific compliance requirement to be used in regulated accounts.

Answer is B. "To use SCPs as an allow list, you must replace the AWS managed FullAWSAccess SCP with an SCP that explicitly permits only those services and actions that you want to allow. By removing the default FullAWSAccess SCP, all actions for all services are now implicitly denied. Your custom SCP then overrides the implicit Deny with an explicit Allow for only those actions that you want to permit. For a permission to be enabled for a specified account, every SCP from the root through each OU in the direct path to the account, and even attached to the account itself, must allow that permission."

Logical answer : C is ruining the good policy and not efficient. A is ridiculously inefficient, how many services need to be denied, thousands ? D is work because SCPs does not work like that. SCPs work like inverted Tree hierarchy.A deny list strategy makes use of the FullAWSAccess SCP that is attached by default to every OU and account. This SCP overrides the default implicit deny, and explicitly allows all permissions to flow down from the root to every account, unless you explicitly deny a permission with an additional SCP that you create and attach to the appropriate OU or account. So B should be correct https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance_auth.html

100% B

This question doesnt make sense AT ALL. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:*", "cloudwatch:*" ], "Resource": "*" } ] } An allow list policy might look like the following example, which enables account users to perform operations for Amazon Elastic Compute Cloud (Amazon EC2) and Amazon CloudWatch, ****but no other service****. + The FullAWSAccess SCP doesnt need to be deleted, the fact defining a new SCP is enough.. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_strategies.html#orgs_policies_allowlist

B To support this, AWS Organizations attaches an AWS managed SCP named FullAWSAccess to every root and OU when it's created. This policy allows all services and actions. It's always available for you to attach or detach from the entities in your organization as needed. Because the policy is an AWS managed SCP, you can't modify or delete it.

B is correct - An allow list strategy has you remove the FullAWSAccess SCP that is attached by default to every OU and account. This means that no APIs are permitted anywhere unless you explicitly allow them.

it should be B

Ans is B

B https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance_auth.html

Ignore the messages below - it looks like access has to be granted at each level : root, any intermediate OUs and ACCOUNT so removing FullAWSAccess SCP from any of the nodes in the hierarchy will do the job.

To add to the previous post - each higher OU higher in the hierarchy, including organization root will also have FullAWSAccess SCP attached and each of those SCPs will be inherited by each account below in the hierarchy. So each account inherits multiple copies of FullAWSAccess SCP. In order to get rid of it one would need to remove FullAWSAccess SCP from every OU (higher in the hierarchy) and the root as well as the ACCOUNT itself.

FullAWSAccess SCP is attached automatically by default not only to each OU but also to each account individually so removing FullAWSAccess SCP from Developers-OU will change nothing as the one attached directly to the Developers-ACCOUNT will still remain. That would only leave option A as valid although I'm not sure if the author of this question considered the behavior I described. Also in real scenarios one would rather attach SCP with DENY's and leave FullAWSAccess SCP untouched.

it should B

answ B