Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 32 discussion

A company is in the process of implementing AWS Organizations to constrain its developers to use only Amazon EC2, Amazon S3, and Amazon DynamoDB. The developers account resides in a dedicated organizational unit (OU). The solutions architect has implemented the following SCP on the developers account:

When this policy is deployed, IAM users in the developers account are still able to use AWS services that are not listed in the policy.
What should the solutions architect do to eliminate the developers’ ability to use services outside the scope of this policy?

  • A. Create an explicit deny statement for each AWS service that should be constrained.
  • B. Remove the FullAWSAccess SCP from the developers account’s OU.
  • C. Modify the FullAWSAccess SCP to explicitly deny all services.
  • D. Add an explicit deny statement using a wildcard to the end of the SCP.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
zhangyu20000
Highly Voted 1 year, 11 months ago
B is correct because default FullAWSAccess SCP is applied
upvoted 17 times
...
Six_Fingered_Jose
Highly Voted 1 year, 1 month ago
Selected Answer: B
If you go to AWS management console and look up how SCP works, you will find that by default FullAWSAccess policy is attached to all OUs by default if you have SCP enabled.
upvoted 9 times
jainparag1
11 months, 2 weeks ago
That's correct. You can disable AWSFullAccess SCP from member accounts as long as you are replacing it with another policy with specific permissions required.
upvoted 2 times
...
...
konieczny69
Most Recent 2 weeks, 1 day ago
It can be as well handled with a or d, like { "Effect": "Deny", "NotAction": [ "ec2:*", "s3:*", "dynamodb:*" ], "Resource": "*" }
upvoted 1 times
...
amministrazione
2 months, 1 week ago
B. Remove the FullAWSAccess SCP from the developers account’s OU.
upvoted 1 times
...
MAZIADI
2 months, 3 weeks ago
Selected Answer: B
B. Remove the FullAWSAccess SCP from the developers account’s OU. Explanation: FullAWSAccess SCP: By default, AWS Organizations attaches a FullAWSAccess SCP to all OUs and accounts, allowing access to all AWS services unless restricted by another SCP. If this SCP is still attached to the developers' OU, it will allow access to all services, regardless of the more restrictive SCP you have applied. SCP Behavior: SCPs are evaluated in an "implicit deny" model. If an action is not explicitly allowed by the SCPs, it is implicitly denied. However, if multiple SCPs are attached and one allows an action (like FullAWSAccess), that action is permitted unless explicitly denied in another SCP.
upvoted 1 times
...
felon124
3 months ago
Selected Answer: B
AWS Organizations attaches an AWS managed SCP named FullAWSAccess to every root, OU and account when it's created. This policy allows all services and actions. You can replace FullAWSAccess with a policy allowing only a set of services so that new AWS services are not allowed unless they are explicitly allowed by updating SCPs. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html
upvoted 1 times
...
8693a49
3 months, 1 week ago
Selected Answer: D
Best practice would be to create an explicit deny statement. The reason is that other SCPs could be in effect, aside from AWSFullAccess, that could grant access to other services. If the goal is to deny access to any other service, then this must be made explicit.
upvoted 1 times
...
vip2
3 months, 1 week ago
Selected Answer: B
B is correct Remove from develop account OU --> implicitly deny all service -->add explicity 'allow' to restirct only allow related services in SCP.
upvoted 1 times
...
Moghite
3 months, 2 weeks ago
Selected Answer: D
{ "Sid": "ExplicitDeny", "Effect": "Deny", "NotAction": [ "ec2:*", "dynamodb:*", "s3:*" ], "Resource": "*" }
upvoted 2 times
...
Helpnosense
4 months, 3 weeks ago
Selected Answer: D
FullAWSAccess SCP is inherited from root. Can't be removed from OU. D is correct answer.
upvoted 2 times
sam2ng
2 months, 3 weeks ago
It can be, read "How SCPs work with Allow" in here it shows example: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html
upvoted 1 times
...
...
qaz12wsx
6 months, 3 weeks ago
Selected Answer: D
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowEC2", "Effect": "Allow", "Action": "ec2:*", "Resource": "*" }, { "Sid": "AllowDynamoDB", "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*" }, { "Sid": "AllowS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*" }, { "Sid": "ExplicitDeny", "Effect": "Deny", "NotAction": [ "ec2:*", "dynamodb:*", "s3:*" ], "Resource": "*" } ] }
upvoted 4 times
...
Dgix
8 months ago
Selected Answer: D
D - the alternative doesn't mention an ASG which must be taken as implied. The other solutions are simply absurd: A: The operational overhead is ENORMOUS. To those who think that "operational overhead" is only day-to-day maintenance: it is not. It encompasses ALL CHANGES to the infrastructure. B: Kubernetes is the very definition of operational overhead. Always avoid unless there is an absolutely compelling reason to use it. C: And what do you people think the function of the Lambda is? None. D: This works and is the most straightforward as soon as you realise that the ASG is implied. In the final analysis, this is another example of how AWS exam questions leave out information in order to trip you up.
upvoted 2 times
...
Dafukubai
8 months, 3 weeks ago
Selected Answer: D
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html FullAWSAccess NOT inherited. It must be set at every OU layer. B is the most inadvisable choice because target account will get a explicitly DENY for all AWS services including EC2 etc if delete FullAWSAccess at it OU.
upvoted 2 times
...
8608f25
9 months ago
Selected Answer: D
To eliminate the developers’ ability to use AWS services outside the scope of Amazon EC2, Amazon S3, and Amazon DynamoDB, the solutions architect should: * D. Add an explicit deny statement using a wildcard to the end of the SCP. This action effectively restricts access to only the specified services by explicitly denying access to all other AWS services. The corrected Service Control Policy (SCP) would look something like this: { "Sid": "ExplicitDenyAllOtherServices", "Effect": "Deny", "NotAction": [ "ec2:", "dynamodb:", "s3:" ], "Resource": "*" }
upvoted 4 times
8608f25
9 months ago
Full SCP: { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowEC2", "Effect": "Allow", "Action": "ec2:", "Resource": "*" }, { "Sid": "AllowDynamoDB", "Effect": "Allow", "Action": "dynamodb:", "Resource": "*" }, { "Sid": "AllowS3", "Effect": "Allow", "Action": "s3:", "Resource": "*" }, { "Sid": "ExplicitDenyAllOtherServices", "Effect": "Deny", "NotAction": [ "ec2:", "dynamodb:", "s3:" ], "Resource": "*" } ] }
upvoted 2 times
8608f25
9 months ago
Explanation: * Option A is less efficient because creating an explicit deny statement for each AWS service except EC2, S3, and DynamoDB would be impractical given the large number of services AWS offers. * Option B suggests removing the FullAWSAccess SCP from the developers account’s OU. While removing FullAWSAccess could potentially restrict access, it’s not as direct or effective as implementing an explicit deny. The FullAWSAccess SCP allows all actions on all resources within the account or OU it’s applied to, and simply removing it doesn’t automatically restrict access to only the specified services. * Option C suggests modifying the FullAWSAccess SCP to explicitly deny all services. However, the FullAWSAccess SCP is a default SCP applied by AWS Organizations and should generally be left as is. Custom SCPs should be created to enforce specific policies. * Option D is the most direct and effective approach.
upvoted 3 times
...
...
...
LazyAutonomy
9 months, 1 week ago
Selected Answer: B
ignore my previous comment
upvoted 2 times
...
LazyAutonomy
9 months, 1 week ago
Selected Answer: A
By default, FullAWSAccess is applied at the root, so all member accounts in all OUs will inherit this policy. Removing FullAWSAccess SCP from a specific OU isn't enough. Answer is A.
upvoted 1 times
LazyAutonomy
9 months, 1 week ago
Ahh, thanks to @gustori99 for pointing out my incorrect understanding. SCPs are not inherited. See https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html
upvoted 1 times
LazyAutonomy
9 months, 1 week ago
The answer is B.
upvoted 1 times
...
...
...
Vaibs099
9 months, 1 week ago
A is correct - Removing FullAWSAccess SCP from the developer account only is not going to help. As FullAWSAccess allowing all is also being inherited from the root and Parent OUs. When SCP is enable FullAWSAccess is enabled by default. One option is replacing FullAWSAccess on root and all Parent OUs and developer account to the SCP mentioned in question allowing only three service. If we are only removing FullAWSAccess SCP from developer's account then we will have to explicitly deny all other services not required.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...