If SCPs already deny, is an explicit IAM role in each account required to deny?
JR-TutorialsDojo updated 2 weeks, 4 days ago · 5 Members · 6 Posts
Hi, there is a question in the diagnostic test:
A company has a designated AWS account for each project of its development team. All of these AWS accounts are linked to the main AWS account under the same AWS Organizations. The CFO allocates a budget for each project owner. Each project owner is allowed to provision any cloud resources that they need but all resources should have the Project tag which is used for cost allocation. After a recent audit, several team members are not adding the Project tag on their Amazon EC2 instances which results in inaccurate cost reports.
The answer explanations say that an SCP can be used to deny creation of EC2 instances via the RunInstances API if the Project tag is not added, at a central place for all accounts in an organization. However, the other answer choice is also marked correct, where an IAM policy for each account is added with the same condition to deny. Are both really required?
1] Apply an SCP to the AWS Organization that will deny the ec2:RunInstances action if the Project tag is not applied.
2] Create an IAM policy on each project account that will deny the ec2:RunInstances action if the Project tag is not applied.
-
Maybe the 2nd answer choice should be to add an IAM role in each account that explicitly allows creation of EC2 instances provided the Project tags are included.
-
Hello tera.4012,
It’s not required to use both the SCP and IAM deny rules.
The given choices are simply options (that are correct) in which you can satisfy the requirements of the question. Using the SCP and the IAM policy are both correct. Since we need to select 3 correct answers, we can select them both.
Hope this helps.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!
Regards,
Kenneth Samonte @ Tutorials Dojo
-
I also think this question shows the wrong answers. You don't need both an SCP and IAM to enforce tagging. On the other hand, you do need an AWS Config aggregator and also the rules in each account to effectively control compliance. In other words, the correct answers should be SCP + Config rules in each account + Config aggregator.
-
Was similarly confused by this Q and chose the two Config answers and the SCP answer. It specifically states the AWS accounts are all under the same org, so the deny on ec2:RunInstances in the SCP at the Org level should be sufficient and not require the IAM policy.
-
Hello m-agent,
Thank you for bringing this up to our attention.
Using SCPs at the organization level is indeed more effective for enforcing such rules across multiple accounts. IAM policies would need to be individually managed in each account, which is less efficient.
We will make the necessary updates, which should be reflected on the portal soon.
If you need further assistance or have additional suggestions, please share them with us. We are dedicated to improving our practice tests based on user feedback.
Cheers,
JR @ Tutorials Dojo
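For reference, here is what the SCP from answer choice 1 looks like in practice. This is an added example, not a policy posted by anyone in the thread or supplied by Tutorials Dojo; the statement IDs are made up, and the second statement (blocking removal of the tag after launch) is an extra hardening step that the exam question does not ask for.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutProjectTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Project": "true"
        }
      }
    },
    {
      "Sid": "DenyRemovingProjectTag",
      "Effect": "Deny",
      "Action": "ec2:DeleteTags",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["Project"]
        }
      }
    }
  ]
}
```

Two caveats a practitioner would want. First, the Resource element is deliberately scoped to the instance and volume ARNs rather than "*": RunInstances is authorized against several resource types (AMI, subnet, security group, network interface, key pair) that carry no aws:RequestTag, so a deny on "*" with this Null condition would block every launch, tagged or not. Second, an SCP only sets the permission boundary for member accounts (it never applies to the management account, and it grants nothing by itself), so the project owners still need an IAM policy in their own account that allows ec2:RunInstances; that allow is what makes the IAM-deny answer choice redundant rather than required.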
-