

  • Review Mode Set 1 – AWS Certified Solutions Architect Professional – Question 49

  • Mohammad Q

    Member
    May 8, 2023 at 12:28 pm

    I came across the following question and need some help to figure out the correct answer:

    A company has several AWS accounts that are managed using AWS Organizations. The company created only one organizational unit (OU) so all child accounts are members of the Production OU. The Solutions Architects control access to certain AWS services using SCPs that define the restricted services. The SCPs are attached at the root of the organization so that they will be applied to all AWS accounts under the organization. The company recently acquired a small business firm and its existing AWS account was invited to join the organization. Upon onboarding, the administrators of the small business firm cannot apply the required AWS Config rules to meet the parent company’s security policies.

    Which of the following options will allow the administrators to update the AWS Config rules on their AWS account without introducing long-term management overhead?

    My question: The answer that I selected (option A) is incorrect: “Add the new account to a temporary Onboarding organization unit (OU) that has an attached SCP allowing changes to AWS Config. Perform the needed changes while on this temporary OU before moving the new account to Production OU.”

    According to the answers guide, it says “If the SCP applied on the organization’s root has a “deny” permission, all OUs under the organization will inherit that rule. You cannot override an explicit “deny” permission with an explicit “allow” applied to the temporary Onboarding OU.”

    But the answer does NOT say anything about a DENY permission anywhere – so I don’t understand why option A is incorrect. Can you please clarify?

  • Amiel-Palacol-TutorialsDojo

    Member
    May 9, 2023 at 8:29 am

    Hi Mohammad,

    Thank you for the feedback.

    I understand that the question did not mention anything about DENY permission. However, the scenario stated that “The Solutions Architects control access to certain AWS services using SCPs that define the restricted services. The SCPs are attached at the root of the organization so that they will be applied to all AWS accounts under the organization.” This means that the SCPs were used to deny the usage of certain AWS services in all accounts under the organization.

    Since the SCPs are still attached to the root of the organization, that explains why the small business firm cannot apply the required AWS Config rules, as all OUs under the organization will inherit the SCP rule that is currently attached to the root. This will make the option “Add the new account to a temporary Onboarding organization unit (OU) that has an attached SCP allowing changes to AWS Config. Perform the needed changes while on this temporary OU before moving the new account to Production OU” incorrect as it did not mention anything about removing the SCPs attached to the root.

    In addition, AWS strongly recommends that you don’t attach SCPs to the root of your organization without thoroughly testing the impact that the policy has on accounts. Instead, create an OU that you can move your accounts into one at a time, or at least in small numbers, to ensure that you don’t inadvertently lock users out of key services. (Reference: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html)

    Please note that there are questions in the actual AWS exam that are difficult, tricky, and ambiguous. This is the style that we are trying to mimic in our practice tests. Some questions do not explicitly show the obvious keywords or phrases that will easily point to the answer.

    Hope this helps.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!

    Regards,

    Amiel Palacol @ Tutorials Dojo
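    As an added illustration (not part of this thread or of any AWS tooling), the following Python model walks the SCP evaluation path root -> OU -> account the way the reply above describes: each level is evaluated on its own, an explicit Deny at any level wins, and the effective permission is the intersection of all levels. The policy documents and the action names used as input are constructed for the example.

    ```python
    """Added example: a minimal SCP inheritance simulator (constructed policies)."""
    import fnmatch

    # Constructed SCP documents modelled on the scenario in the thread.
    FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
    RESTRICT_CONFIG = {"Statement": [{"Effect": "Deny", "Action": ["config:*"]}]}
    ONBOARDING_ALLOW = {"Statement": [{"Effect": "Allow", "Action": ["config:*"]}]}


    def _matches(stmt, action):
        """IAM action names are case-insensitive; patterns may use '*' wildcards."""
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


    def level_allows(policies, action):
        """One attachment level (root, an OU, or the account) permits an action
        only if some attached SCP allows it AND no attached SCP explicitly denies it.
        With no matching Allow (e.g. FullAWSAccess detached) the result is an
        implicit deny."""
        allowed = False
        for policy in policies:
            for stmt in policy["Statement"]:
                if not _matches(stmt, action):
                    continue
                if stmt["Effect"] == "Deny":
                    return False          # explicit Deny cannot be overridden here
                allowed = True
        return allowed


    def scp_permits(path, action):
        """path: list of policy lists, one per level from the root down to the
        account. Every level must allow; a Deny anywhere on the path is final.
        SCPs only set the ceiling, IAM policies in the account still apply."""
        return all(level_allows(level, action) for level in path)


    # Option A from the thread: Deny stays at the root, Allow added on an Onboarding OU.
    OPTION_A_PATH = [[FULL_AWS_ACCESS, RESTRICT_CONFIG],
                     [FULL_AWS_ACCESS, ONBOARDING_ALLOW],
                     [FULL_AWS_ACCESS]]
    # Alternative layout: root keeps only FullAWSAccess, the Deny sits on the
    # Production OU, so an account parked in a clean Onboarding OU is unaffected.
    PRODUCTION_OU_PATH = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, RESTRICT_CONFIG], [FULL_AWS_ACCESS]]
    ONBOARDING_OU_PATH = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS], [FULL_AWS_ACCESS]]

    if __name__ == "__main__":
        for name, path in [("option A", OPTION_A_PATH), ("production OU", PRODUCTION_OU_PATH),
                           ("onboarding OU", ONBOARDING_OU_PATH)]:
            print(f"{name}: config:PutConfigRule permitted ->", scp_permits(path, "config:PutConfigRule"))
    ```
    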

  • Mohammad Q

    Member
    May 15, 2023 at 5:08 am

    Ah that makes sense. Thank you for explaining that so clearly. Understood completely.
