Exam AWS Certified Security - Specialty topic 1 question 23 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 23
Topic #: 1
A Security Engineer must enforce the use of only Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, and AWS STS in specific accounts.
What is a scalable and efficient approach to meet this requirement?

  • A. Set up an AWS Organizations hierarchy, and replace the FullAWSAccess policy with the following Service Control Policy for the governed organization units:
  • B. Create multiple IAM users for the regulated accounts, and attach the following policy statement to restrict services as required:
  • C. Set up an Organizations hierarchy, replace the global FullAWSAccess with the following Service Control Policy at the top level:
  • D. Set up all users in the Active Directory for federated access to all accounts in the company. Associate Active Directory groups with IAM groups, and attach the following policy statement to restrict services as required:
Suggested Answer: A

Comments

MungKey
Highly Voted 2 years, 7 months ago
A - Correct. B - Not correct; this does not restrict all users in specific accounts. C - Not correct; this would apply to all accounts, and the ask here is for specific accounts. D - Not correct; the ask here is for specific accounts.
upvoted 5 times
Raphaello
Most Recent 1 year, 1 month ago
Selected Answer: A
A is the right answer.
upvoted 1 times
AwsSat
2 years ago
My understanding is that SCPs can only Deny, not Allow? The question specifically states "accounts", so that relates to the OU level, and by process of elimination that only leaves A as the answer, but can someone explain why an Allow statement is being used at the SCP level?
upvoted 2 times
Pankaj24hrs
1 year, 10 months ago
The default configuration of AWS Organizations supports using SCPs as deny lists. This means that by default FullAWSAccess (access to all services allowed) is enabled and you need to use a Deny SCP to restrict access to services. However, SCPs can also be used as an allow list. For this, FullAWSAccess needs to be detached (by default, deny everything) and only the services mentioned in the SCP are allowed. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_strategies.html#orgs_policies_allowlist
upvoted 2 times
gvramana
2 years, 1 month ago
The keyword is "in specific accounts", which means the OU level: replace the default FullAWSAccess with the given policy. Hence the answer is A.
upvoted 2 times
gg12345
2 years, 5 months ago
Selected Answer: A
A makes the most sense to me.
upvoted 2 times
Mr__
2 years, 7 months ago
Selected Answer: A
A is correct because OU
upvoted 2 times
vbal
2 years, 7 months ago
A at OU level.
upvoted 3 times
vbal
2 years, 7 months ago
C is something needed as per "you must create your own SCPs and attach them to the account and every OU above it, up to and including the root. Every SCP in the hierarchy, starting at the root, must explicitly allow the APIs that you want to be usable in the OUs and accounts below it."
upvoted 1 times
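The two points raised in the thread, that an allow-list SCP only works once FullAWSAccess is detached from the governed OU, and that every SCP from the root down to the account must allow an API for it to be usable, can be checked with a small model of how SCPs combine. The following is an added example and is not part of the question, the exam options or any commenter's post. The SCP documents are constructed for illustration (they use the real SCP JSON shape, but are not the policies shown in the exam options), the evaluation covers only Action matching and ignores Resource and Condition elements, and, as with real SCPs, a matching Allow here does not grant anything by itself: the principal still needs an IAM policy that allows the action.

```python
"""Toy model of SCP evaluation along an AWS Organizations hierarchy.

Constructed example; mirrors the documented rules that an explicit Deny wins,
that allows at one level are combined, and that an action must be allowed at
every level from the root to the account. Not a substitute for the IAM policy
simulator or for the Organizations documentation.
"""
from fnmatch import fnmatchcase

# Constructed SCP documents. FULL_AWS_ACCESS has the same shape as the default
# AWS-managed FullAWSAccess policy; RESTRICTED_SERVICES_SCP is an allow-list
# limited to the five services named in the question.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

RESTRICTED_SERVICES_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:*", "s3:*", "rds:*", "dynamodb:*", "sts:*"],
        "Resource": "*",
    }],
}


def _patterns(statement):
    """Normalise the Action element, which may be a string or a list."""
    action = statement["Action"]
    return [action] if isinstance(action, str) else list(action)


def scp_effect(scp, action):
    """Effect of one SCP document on `action`: 'Deny' if any Deny statement
    matches, 'Allow' if a matching Allow exists and no Deny does, None if no
    statement matches (implicit deny). Matching is wildcard-based and
    case-insensitive, as IAM action matching is."""
    effect = None
    for statement in scp["Statement"]:
        if any(fnmatchcase(action.lower(), p.lower()) for p in _patterns(statement)):
            if statement["Effect"] == "Deny":
                return "Deny"
            effect = "Allow"
    return effect


def level_allows(scps_at_level, action):
    """Several SCPs attached to the same root, OU or account: an explicit Deny
    in any of them blocks the action; otherwise at least one must Allow it."""
    effects = [scp_effect(scp, action) for scp in scps_at_level]
    return "Deny" not in effects and "Allow" in effects


def effective_allow(chain, action):
    """`chain` lists the SCPs attached at each level from the root down to the
    account. The action is usable only if every level allows it, so a single
    level without a matching Allow blocks it regardless of the others."""
    return all(level_allows(level, action) for level in chain)


def demo():
    """Compare the correct allow-list attachment with the common mistake."""
    # Allow-list done right: FullAWSAccess replaced on the regulated OU by the
    # restricted policy; root and account keep the default attachment.
    allowlisted = [[FULL_AWS_ACCESS], [RESTRICTED_SERVICES_SCP], [FULL_AWS_ACCESS]]
    # Mistake: restricted SCP attached alongside FullAWSAccess on the same OU,
    # so the OU level still allows everything and nothing is restricted.
    forgot_detach = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, RESTRICTED_SERVICES_SCP], [FULL_AWS_ACCESS]]
    return {
        "ec2_allowlisted": effective_allow(allowlisted, "ec2:RunInstances"),
        "lambda_allowlisted": effective_allow(allowlisted, "lambda:InvokeFunction"),
        "lambda_forgot_detach": effective_allow(forgot_detach, "lambda:InvokeFunction"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
```

Running the block shows the EC2 call allowed and the Lambda call blocked under the correct attachment, while leaving FullAWSAccess attached next to the restricted SCP lets the Lambda call through. Auditing which policies are attached at each level is therefore the practical check for option A; attaching the restricted SCP is not enough on its own.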
Community vote distribution
A (35%)
C (25%)
B (20%)
Other