  • If SCPs already deny, is an explicit IAM role in each account required to deny?

  • tera.4012

    Member
    March 15, 2022 at 8:27 pm

    Hi, there is a question in the diagnostic test:

    A company has a designated AWS account for each project of its development team. All of these AWS accounts are linked to the main AWS account under the same AWS Organizations. The CFO allocates a budget for each project owner. Each project owner is allowed to provision any cloud resources that they need but all resources should have the Project tag which is used for cost allocation. After a recent audit, several team members are not adding the Project tag on their Amazon EC2 instances which results in inaccurate cost reports.

    The answer explanations say that SCP can be used to deny creation of EC2 via runInstances API if the project tag is not added at a central place for all accounts in an organization. However the other answer choice is also marked correct where an IAM role for each account is added with the same condition to deny. Are both really required?

    1] Apply an SCP to the AWS Organization that will deny the ec2:RunInstances action if the Project tag is not applied.

    2] Create an IAM policy on each project account that will deny the ec2:RunInstances action if the Project tag is not applied.

  • tera.4012

    Member
    March 15, 2022 at 8:30 pm

    Maybe the 2nd answer choice should be to add IAM role in each account that explicitly allow creation of EC2 instances provided the project tags are included.

  • Kenneth-Samonte-Tutorials-Dojo

    Member
    March 20, 2022 at 11:25 pm

    Hello tera.4012,

    It’s not required to use both the SCP and IAM deny rules.
    The given choices are simply options (that are correct) in which you can satisfy the requirements of the question.

    Using an SCP and using the IAM policy are both correct. Since we need to select 3 correct answers, we can select them both.

    Hope this helps.
    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!

    Regards,
    Kenneth Samonte @ Tutorials Dojo

  • sergioarield

    Member
    July 11, 2024 at 11:02 pm

    I also think this question shows the wrong answers. You don’t need both SCP and IAM to enforce tagging. On the other hand, you do need an AWS Config aggregator and also the rules in each account to effectively control compliance. In other words, the correct answers should be SCP + Config rules in each account + Config aggregator.

  • m-agent

    Member
    November 18, 2024 at 10:56 pm

    Was similarly confused by this Q and chose the two Config and SCP answers. It specifically states the AWS accounts are all under the same org, so the deny on ec2:RunInstances in the SCP at the Org level should be sufficient and not require the IAM policy.

    • JR-TutorialsDojo

      Administrator
      November 19, 2024 at 12:39 pm

      Hello m-agent,

      Thank you for bringing this up to our attention.

      Using SCPs at the organization level is indeed more effective for enforcing such rules across multiple accounts. IAM policies would need to be individually managed in each account, which is less efficient.

      We will make the necessary updates, which should be reflected on the portal soon.

      If you need further assistance or have additional suggestions, please share them with us. We are dedicated to improving our practice tests based on user feedback.

      Cheers,
      JR @ Tutorials Dojo
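To make the point of this thread concrete, here is an added example that is not part of the forum discussion and not Tutorials Dojo's or AWS's own code. The SCP document follows the pattern AWS documents for requiring a tag on resources created by ec2:RunInstances (a Deny with a `Null` condition on `aws:RequestTag/Project`, scoped to the instance and volume resource types that can be tagged at launch). The small evaluator underneath is an assumption-laden simplification of AWS policy evaluation: it handles only the `Null` operator, ignores resource ARN matching and the management-account exemption, and models the one rule that matters here, namely that an explicit Deny in an SCP is final no matter what the member account's IAM policies allow. Running it shows why a second Deny in each account's IAM policy adds nothing once the SCP is attached.

```python
"""Added example: an SCP requiring a Project tag on ec2:RunInstances, plus a
simplified model of how AWS combines the SCP with a member account's IAM policy.
Not code from the thread, Tutorials Dojo, or AWS."""
import json

# SCP in the shape AWS Organizations accepts. The Null condition evaluates to
# true when the request context has no aws:RequestTag/Project key, i.e. the
# caller passed no Project tag in the RunInstances TagSpecifications.
REQUIRE_PROJECT_TAG_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyRunInstancesWithoutProjectTag",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*",
            ],
            "Condition": {"Null": {"aws:RequestTag/Project": "true"}},
        }
    ],
}


def scp_json() -> str:
    """Serialise the SCP for `aws organizations create-policy --content file://...`."""
    return json.dumps(REQUIRE_PROJECT_TAG_SCP, indent=2)


def null_condition_matches(condition: dict, request_context: dict) -> bool:
    """Evaluate only the Null operator (the one operator this SCP uses).
    "true" matches when the key is absent; "false" matches when it is present."""
    for key, expected in condition.get("Null", {}).items():
        want_absent = str(expected).lower() == "true"
        if want_absent != (key not in request_context):
            return False
    return True


def scp_denies(policy: dict, action: str, request_tags: dict) -> bool:
    """True if any Deny statement of the SCP matches the action and condition.
    Simplification (assumption): no wildcard or resource ARN matching."""
    context = {f"aws:RequestTag/{k}": v for k, v in request_tags.items()}
    for statement in policy["Statement"]:
        actions = statement["Action"]
        if not isinstance(actions, list):
            actions = [actions]
        if (
            statement["Effect"] == "Deny"
            and action in actions
            and null_condition_matches(statement.get("Condition", {}), context)
        ):
            return True
    return False


def effective_decision(action: str, request_tags: dict, iam_allows: bool) -> str:
    """Simplified evaluation order: an SCP Deny wins regardless of IAM; otherwise
    the account's IAM policy decides, with implicit deny as the default."""
    if scp_denies(REQUIRE_PROJECT_TAG_SCP, action, request_tags):
        return "DENY (SCP)"
    return "ALLOW" if iam_allows else "DENY (IAM default)"


if __name__ == "__main__":
    print(scp_json())
    # Constructed requests: a launch without the tag, one with it, and an
    # unrelated read-only call the SCP should leave alone.
    print(effective_decision("ec2:RunInstances", {}, iam_allows=True))
    print(effective_decision("ec2:RunInstances", {"Project": "alpha"}, iam_allows=True))
    print(effective_decision("ec2:DescribeInstances", {}, iam_allows=True))
```

The first launch is denied by the SCP even though the account's IAM policy allows it, which is exactly why the per-account IAM Deny in choice 2 is redundant once choice 1 is in place; the account-level IAM policy still has to grant ec2:RunInstances for a tagged launch to succeed, so the SCP is a guardrail, not a grant. Two caveats worth remembering when you apply this pattern for real: SCPs never restrict the organization's management account, and a tag required at launch can still be removed afterwards unless a further statement restricts ec2:DeleteTags on the Project key.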
