Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions


Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 32 discussion

A company is in the process of implementing AWS Organizations to constrain its developers to use only Amazon EC2, Amazon S3, and Amazon DynamoDB. The developers account resides in a dedicated organizational unit (OU). The solutions architect has implemented the following SCP on the developers account:

When this policy is deployed, IAM users in the developers account are still able to use AWS services that are not listed in the policy.
What should the solutions architect do to eliminate the developers’ ability to use services outside the scope of this policy?

  • A. Create an explicit deny statement for each AWS service that should be constrained.
  • B. Remove the FullAWSAccess SCP from the developers account’s OU.
  • C. Modify the FullAWSAccess SCP to explicitly deny all services.
  • D. Add an explicit deny statement using a wildcard to the end of the SCP.
Suggested Answer: B

Comments

zhangyu20000
Highly Voted 2 years, 3 months ago
B is correct because the default FullAWSAccess SCP is applied.
upvoted 18 times
Six_Fingered_Jose
Highly Voted 1 year, 6 months ago
Selected Answer: B
If you go to the AWS Management Console and look up how SCPs work, you will find that the FullAWSAccess policy is attached to all OUs by default if you have SCPs enabled.
upvoted 11 times
jainparag1
1 year, 4 months ago
That's correct. You can detach the FullAWSAccess SCP from member accounts as long as you are replacing it with another policy with the specific permissions required.
upvoted 3 times
GabrielShiao
Most Recent 1 week ago
Selected Answer: A
I have to choose A although A is impractical. While most vote B, it is actually impossible, since removing the FullAWSAccess SCP from the OU will deny all services on the OUs and accounts under that OU. The correct action is to remove the FullAWSAccess SCP from the developer account.
upvoted 1 times
GabrielShiao
1 week, 4 days ago
Selected Answer: A
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html If you remove the default SCP from the OU, you will be denied these permissions even if you allowed them in the SCP on the account in that OU.
upvoted 1 times
GabrielShiao
1 week, 4 days ago
Selected Answer: A
If you removed FullAWSAccess from the developer accounts, I would vote B; however, B is removing it from the OU. Keep in mind that every level of the organization hierarchy must have at least one SCP attached.
upvoted 1 times
konieczny69
5 months, 1 week ago
It can be handled with A or D as well, like { "Effect": "Deny", "NotAction": [ "ec2:*", "s3:*", "dynamodb:*" ], "Resource": "*" }
upvoted 2 times
amministrazione
7 months ago
B. Remove the FullAWSAccess SCP from the developers account’s OU.
upvoted 1 times
MAZIADI
7 months, 3 weeks ago
Selected Answer: B
B. Remove the FullAWSAccess SCP from the developers account’s OU.

Explanation:

FullAWSAccess SCP: By default, AWS Organizations attaches a FullAWSAccess SCP to all OUs and accounts, allowing access to all AWS services unless restricted by another SCP. If this SCP is still attached to the developers' OU, it will allow access to all services, regardless of the more restrictive SCP you have applied.

SCP Behavior: SCPs are evaluated in an "implicit deny" model. If an action is not explicitly allowed by the SCPs, it is implicitly denied. However, if multiple SCPs are attached and one allows an action (like FullAWSAccess), that action is permitted unless explicitly denied in another SCP.
upvoted 2 times
felon124
7 months, 3 weeks ago
Selected Answer: B
AWS Organizations attaches an AWS managed SCP named FullAWSAccess to every root, OU and account when it's created. This policy allows all services and actions. You can replace FullAWSAccess with a policy allowing only a set of services so that new AWS services are not allowed unless they are explicitly allowed by updating SCPs. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html
upvoted 1 times
8693a49
8 months ago
Selected Answer: D
Best practice would be to create an explicit deny statement. The reason is that other SCPs could be in effect, aside from FullAWSAccess, that could grant access to other services. If the goal is to deny access to any other service, then this must be made explicit.
upvoted 1 times
vip2
8 months ago
Selected Answer: B
B is correct. Remove it from the developer account's OU --> implicitly deny all services --> add explicit 'Allow' statements to the SCP to permit only the related services.
upvoted 1 times
Moghite
8 months, 1 week ago
Selected Answer: D
{ "Sid": "ExplicitDeny", "Effect": "Deny", "NotAction": [ "ec2:*", "dynamodb:*", "s3:*" ], "Resource": "*" }
upvoted 2 times
Helpnosense
9 months, 2 weeks ago
Selected Answer: D
FullAWSAccess SCP is inherited from root. Can't be removed from OU. D is correct answer.
upvoted 2 times
sam2ng
7 months, 2 weeks ago
It can be. Read "How SCPs work with Allow" here; it shows an example: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html
upvoted 1 times
qaz12wsx
11 months, 2 weeks ago
Selected Answer: D
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowEC2", "Effect": "Allow", "Action": "ec2:*", "Resource": "*" }, { "Sid": "AllowDynamoDB", "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*" }, { "Sid": "AllowS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*" }, { "Sid": "ExplicitDeny", "Effect": "Deny", "NotAction": [ "ec2:*", "dynamodb:*", "s3:*" ], "Resource": "*" } ] }
upvoted 4 times
Dgix
1 year ago
Selected Answer: D
D - the alternative doesn't mention an ASG which must be taken as implied. The other solutions are simply absurd: A: The operational overhead is ENORMOUS. To those who think that "operational overhead" is only day-to-day maintenance: it is not. It encompasses ALL CHANGES to the infrastructure. B: Kubernetes is the very definition of operational overhead. Always avoid unless there is an absolutely compelling reason to use it. C: And what do you people think the function of the Lambda is? None. D: This works and is the most straightforward as soon as you realise that the ASG is implied. In the final analysis, this is another example of how AWS exam questions leave out information in order to trip you up.
upvoted 2 times
Dafukubai
1 year, 1 month ago
Selected Answer: D
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html FullAWSAccess is NOT inherited. It must be set at every OU layer. B is the most inadvisable choice because the target account will get an explicit DENY for all AWS services, including EC2 etc., if you delete FullAWSAccess at its OU.
upvoted 2 times
8608f25
1 year, 1 month ago
Selected Answer: D
To eliminate the developers’ ability to use AWS services outside the scope of Amazon EC2, Amazon S3, and Amazon DynamoDB, the solutions architect should: * D. Add an explicit deny statement using a wildcard to the end of the SCP. This action effectively restricts access to only the specified services by explicitly denying access to all other AWS services. The corrected Service Control Policy (SCP) would look something like this: { "Sid": "ExplicitDenyAllOtherServices", "Effect": "Deny", "NotAction": [ "ec2:*", "dynamodb:*", "s3:*" ], "Resource": "*" }
upvoted 4 times
8608f25
1 year, 1 month ago
Full SCP: { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowEC2", "Effect": "Allow", "Action": "ec2:*", "Resource": "*" }, { "Sid": "AllowDynamoDB", "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*" }, { "Sid": "AllowS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*" }, { "Sid": "ExplicitDenyAllOtherServices", "Effect": "Deny", "NotAction": [ "ec2:*", "dynamodb:*", "s3:*" ], "Resource": "*" } ] }
upvoted 2 times
8608f25
1 year, 1 month ago
Explanation:
  • Option A is less efficient because creating an explicit deny statement for each AWS service except EC2, S3, and DynamoDB would be impractical given the large number of services AWS offers.
  • Option B suggests removing the FullAWSAccess SCP from the developers account’s OU. While removing FullAWSAccess could potentially restrict access, it’s not as direct or effective as implementing an explicit deny. The FullAWSAccess SCP allows all actions on all resources within the account or OU it’s applied to, and simply removing it doesn’t automatically restrict access to only the specified services.
  • Option C suggests modifying the FullAWSAccess SCP to explicitly deny all services. However, the FullAWSAccess SCP is a default SCP applied by AWS Organizations and should generally be left as is. Custom SCPs should be created to enforce specific policies.
  • Option D is the most direct and effective approach.
upvoted 3 times
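A small model of the SCP evaluation rules this thread argues about (MAZIADI's FullAWSAccess explanation and the point GabrielShiao and Dafukubai make that every hierarchy level must allow an action), added here as an example; it is not AWS code, the account layouts are constructed, and it models only Allow/Deny statements with Action/NotAction on Resource "*".

```python
from fnmatch import fnmatch

# Constructed policies (statement lists). FullAWSAccess is the AWS managed
# default; the other two are the allow-list from the question and, for
# option D, the Deny/NotAction statement several commenters posted.
FULL_AWS_ACCESS = [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
DEV_ALLOW_LIST = [{"Effect": "Allow", "Action": ["ec2:*", "s3:*", "dynamodb:*"], "Resource": "*"}]
DEV_EXPLICIT_DENY = DEV_ALLOW_LIST + [
    {"Effect": "Deny", "NotAction": ["ec2:*", "s3:*", "dynamodb:*"], "Resource": "*"}]

def _matches(stmt, action):
    """Does the statement cover this action? NotAction covers the complement."""
    pats = stmt["Action"] if "Action" in stmt else stmt["NotAction"]
    pats = pats if isinstance(pats, list) else [pats]
    hit = any(fnmatch(action, p) for p in pats)
    return hit if "Action" in stmt else not hit

def level_allows(scps, action):
    """One root/OU/account level: an explicit Deny in any attached SCP wins;
    otherwise some attached SCP must Allow the action (implicit deny if none)."""
    stmts = [s for scp in scps for s in scp]
    if any(s["Effect"] == "Deny" and _matches(s, action) for s in stmts):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action) for s in stmts)

def action_permitted(hierarchy, action):
    """hierarchy = [root_scps, ou_scps, account_scps]; every level must allow."""
    return all(level_allows(level, action) for level in hierarchy)

def scenarios():
    """For each layout debated in the thread: (EC2 allowed?, Lambda allowed?)."""
    probe = ("ec2:RunInstances", "lambda:InvokeFunction")
    layouts = {
        # Question as posed: allow-list added, FullAWSAccess left attached.
        "fullaccess_kept": [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DEV_ALLOW_LIST]],
        # Option B as intended: FullAWSAccess swapped for the allow-list at the account.
        "fullaccess_replaced": [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS], [DEV_ALLOW_LIST]],
        # The trap GabrielShiao and Dafukubai describe: if the OU level allows
        # nothing, an Allow at the account cannot rescue EC2. Organizations will
        # not let the last SCP be detached, so [] stands in for OU SCPs that grant nothing.
        "ou_allows_nothing": [[FULL_AWS_ACCESS], [], [DEV_ALLOW_LIST]],
        # Option D: explicit Deny/NotAction beside FullAWSAccess.
        "explicit_deny": [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DEV_EXPLICIT_DENY]],
    }
    return {name: tuple(action_permitted(h, a) for a in probe) for name, h in layouts.items()}

if __name__ == "__main__":
    for name, (ec2_ok, lambda_ok) in scenarios().items():
        print(f"{name:20} ec2={ec2_ok!s:5} lambda={lambda_ok}")
```

The first layout reproduces the symptom in the question (Lambda still allowed), the second and fourth are the two working fixes, and the third shows why detaching at the OU without a replacement Allow blocks EC2 too.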
Community vote distribution: A (35%), C (25%), B (20%)