Exam AWS Certified Solutions Architect - Professional topic 1 question 450 discussion

C A. It will give other people access of creating S3 bucket. B. It doesn't comply with organization's rule by removing accournt from OU. And it won't work either. C. Add required access to Developers only, not affecting others, right option. D. Provide people to change cloudtrail, which should be prohibited.

go with C

C the answer

C looks better SCP doesn't grant permissions

100pc it is C. If you don't understand why I suggest studying IAM and Orgs more.

Based on all comments

C looks ok

Answer - C - The below passage clarifies why its C. SCPs alone are not sufficient to granting permissions to the accounts in your organization. No permissions are granted by an SCP. An SCP defines a guardrail, or sets limits, on the actions that the account's administrator can delegate to the IAM users and roles in the affected accounts. The administrator must still attach identity-based or resource-based policies to IAM users or roles, or to the resources in your accounts to actually grant permissions. The effective permissions are the logical intersection between what is allowed by the SCP and what is allowed by the IAM and resource-based policies.

C seems perfect

why C ? I cannot add a permission to my user explicitly. if i do not have it then i need to ask someone to add it for like an admin. so C is ruled out here as well

It's C

B seems the best The SCP will continue to allow until it reaches and explicit Deny.

I would say answer B. See this page : https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance_auth.html -> Permissions work as the intersection from SCP of decreasing levels : root OU, child OU, account -> Explicit Deny > Explicit Allow > Implicit Deny > Implicit Allow where > means "takes precedence over". If in this (OU-level SCP) where Explicit Allow on All Resources, S3 actions cannot be performed, it means that there must be an Explicit Deny on the (Root-OU Level). Then to troubleshoot, the 2 options would be : - to remove this Explicit Deny from the Root-OU SCP we assume there is (not proposed in the answers) - or remove the OU dependency of the 1111-1111-1111 account for the Root-OU SCP not to apply anymore. This will have the impact that this Child-OU SCP will not apply anymore either, the only left will be Account-Level-IAM-Policy , assuming that she allows S3 actions Answer B

I'll go with C

C is the only one which makes sense

C is correct

"SCPs don't affect resource-based policies directly." https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html