Amazon Exam DOP-C02 Topic 4 Question 30 Discussion

Actual exam question for Amazon's DOP-C02 exam

Question #: 30
Topic #: 4

A company has an AWS Control Tower landing zone. The company's DevOps team creates a workload OU. A development OU and a production OU are nested under the workload OU. The company grants users full access to the company's AWS accounts to deploy applications.

The DevOps team needs to allow only a specific management 1AM role to manage the 1AM roles and policies of any AWS accounts In only the production OU.

Which combination of steps will meet these requirements? {Select TWO.)

ACreate an SCP that denies full access with a condition to exclude the management 1AM role for the organization root.

BEnsure that the FullAWSAccess SCP is applied at the organization root

CCreate an SCP that allows IAM related actions Attach the SCP to the development OU

DCreate an SCP that denies IAM related actions with a condition to exclude the management I AM role Attach the SCP to the workload OU

ECreate an SCP that denies IAM related actions with a condition to exclude the management 1AM role Attach the SCP to the production OU

Show Suggested Answer

Suggested Answer: B, E

You need to understand how SCP inheritance works in AWS. The way it works for Deny policies is different that allow policies.

Allow polices are passing down to children ONLY if they don't have an allow policy.

Deny policies always pass down to children.

That's why there is always an SCP set to the Root to allow everything by default. If you limit this policy, the whole organization will be limited, not matter what other policies are saying for the other OUs. So it's not A. It's not D because it restricts the wrong OU.

by Charlene at Jul 17, 2024, 02:02 PM

Limited Time Offer

25%

Off

Get Premium DOP-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Bette

4 months ago

Alright, time to put on my AWS hat and figure this out. I'm thinking D and E are the way to go, but I might need to double-check the AWS docs to make sure I'm not missing anything.

upvoted 0 times

Frank

3 months ago

Yeah, I agree. Let's double-check the AWS docs just to be sure.

upvoted 0 times

...

Myra

4 months ago

I think D and E are the right choices for this scenario.

upvoted 0 times

...

Ronny

4 months ago

I don't know, this seems like a lot of work just to manage IAM roles. Why not just give everyone the management IAM role and call it a day? Kidding, kidding, I'm just joking around.

upvoted 0 times

...

Huey

4 months ago

That's a good point, Chanel. So, the combination of creating the SCP for production OU and applying FullAWSAccess at the organization root should meet the requirements.

upvoted 0 times

...

Chanel

4 months ago

But shouldn't we also ensure that the FullAWSAccess SCP is applied at the organization root?

upvoted 0 times

...

Aja

4 months ago

Hmm, I think options D and E are the way to go here. Gotta love those SCP conditions to exclude the management IAM role. Keeps things nice and secure.

upvoted 0 times

Mammie

3 months ago

It's important to set up the right permissions to maintain security in the AWS environment.

upvoted 0 times

...

Bettye

4 months ago

Definitely, it helps ensure that only the specific management IAM role has the necessary permissions.

upvoted 0 times

...

Salina

4 months ago

I agree, using SCPs with conditions is a great way to control access.

upvoted 0 times

...

Rosalind

4 months ago

Wait, so they want to restrict access to the production OU, but give full access to the entire AWS account? Sounds like a recipe for disaster if you ask me.

upvoted 0 times

Hubert

3 months ago

D: It's all about setting up the right permissions and restrictions to maintain security.

upvoted 0 times

...

Claribel

3 months ago

C: That way, they can restrict access to the production OU while still allowing full access to the entire AWS account.

upvoted 0 times

...

Jeanice

4 months ago

B: They also need to ensure that the FullAWSAccess SCP is applied at the organization root.

upvoted 0 times

...

Shawn

4 months ago

A: They should create an SCP that denies IAM related actions with a condition to exclude the management IAM role and attach it to the production OU.

upvoted 0 times

...

Weldon

5 months ago

I agree with Huey. That seems like the right approach to meet the requirements.

upvoted 0 times

...

Huey

5 months ago

I think we should create an SCP that denies IAM related actions with a condition to exclude the management IAM role and attach it to the production OU.

upvoted 0 times

...