Security Speciality Timed mode Diagnostic test – 45
-
A multinational corporation has recently acquired a smaller startup as part of its business expansion plans. A Security Administrator was instructed to consolidate the multiple AWS accounts of both entities using AWS Organizations. The Administrator prepared the required service control policies (SCPs) to simplify controlling access permissions for each individual account and organizational unit (OU). However, one account is having trouble creating a new S3 bucket, and the Administrator was tasked with investigating the cause of this issue. The account has the following SCP attached:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "cloudtrail:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:*",
            "Resource": "*"
        }
    ]
}
Each IAM user of the account has the following IAM policy attached:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Effect": "Deny",
            "NotAction": "s3:*",
            "NotResource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}
Which of the following is the MOST likely cause of this problem?
A. Both the IAM policy and the SCP caused the issue. The SCP should explicitly allow S3 bucket creation, and the IAM policy should exactly match the permissions of the SCP.
B. The SCP does not support whitelisting actions of the AWS resources.
C. The SCP does not explicitly allow the required action that would enable the account to create an S3 bucket.
D. The IAM policy doesn't have the required user permissions to execute any S3-related actions.
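The following is an added example, not part of the original question or of any AWS tool: a small Python simulator of how AWS combines SCPs with an IAM identity policy, run against the two policies quoted above plus the AWS-managed FullAWSAccess SCP. It assumes a request with a single action and a single resource ARN, no resource-based policies, permission boundaries or session policies, that SCPs attached at the same level are evaluated together (an Allow in any of them counts, an explicit Deny in any of them wins), and that every level from the root down to the account must allow the action. The bucket and trail ARNs are constructed sample inputs.

```python
# Added example (not from the forum post or from AWS): simulate how AWS
# combines SCPs and IAM identity policies for one request.
# Assumptions: single action + single resource ARN per request; no
# resource-based policies, permission boundaries or session policies;
# SCPs at the same level are evaluated together (union of Allows, any
# Deny wins); every level root..account must allow.
from fnmatch import fnmatchcase

# The two policies quoted in the question.
QUESTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
}
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": ["arn:aws:s3:::*"]},
        {"Effect": "Deny", "NotAction": "s3:*", "NotResource": ["arn:aws:s3:::*"]},
    ],
}
# The AWS-managed FullAWSAccess SCP that Organizations attaches by default.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ignore_case):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    if ignore_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatchcase(value, p) for p in patterns)


def statement_applies(stmt, action, resource):
    """Does the statement's (Not)Action and (Not)Resource cover this request?"""
    if "Action" in stmt:
        action_ok = _matches(_as_list(stmt["Action"]), action, True)
    else:
        action_ok = not _matches(_as_list(stmt.get("NotAction")), action, True)
    if "Resource" in stmt:
        resource_ok = _matches(_as_list(stmt["Resource"]), resource, False)
    else:
        resource_ok = not _matches(_as_list(stmt.get("NotResource")), resource, False)
    return action_ok and resource_ok


def evaluate(policies, action, resource):
    """Evaluate policies that apply together: an explicit Deny wins, then any
    Allow counts, otherwise the result is the implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if statement_applies(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def is_allowed(scp_levels, identity_policies, action, resource):
    """scp_levels: one list of SCPs per level, root first, account last.
    Every level must produce Allow, and so must the identity policies."""
    if any(evaluate(level, action, resource) != "Allow" for level in scp_levels):
        return False
    return evaluate(identity_policies, action, resource) == "Allow"


def diagnose():
    """The situations argued about in the thread, as one dict of booleans."""
    bucket = "arn:aws:s3:::example-bucket"  # constructed request target
    trail = "arn:aws:cloudtrail:us-east-1:123456789012:trail/audit"  # constructed
    return {
        # Only the question's SCP in the path to the account: S3 never allowed.
        "only_question_scp": is_allowed(
            [[QUESTION_SCP]], [USER_POLICY], "s3:CreateBucket", bucket),
        # FullAWSAccess left attached at the same level as the custom SCP:
        # the union of the two allows S3, so the bucket can be created.
        "fullaccess_still_attached": is_allowed(
            [[FULL_AWS_ACCESS, QUESTION_SCP]], [USER_POLICY], "s3:CreateBucket", bucket),
        # The SCP allows CloudTrail, but the IAM Deny with NotAction/NotResource
        # blocks every non-S3 action on a non-S3 resource.
        "cloudtrail_blocked_by_iam": is_allowed(
            [[FULL_AWS_ACCESS]], [USER_POLICY], "cloudtrail:CreateTrail", trail),
    }


if __name__ == "__main__":
    for case, allowed in diagnose().items():
        print(f"{case}: {'Allow' if allowed else 'Deny'}")
```

The three cases are the whole disagreement in the replies that follow: with the quoted SCP as the only SCP in the account's path, s3:CreateBucket is implicitly denied before the IAM policy is even consulted; with FullAWSAccess still attached beside it, the union of the two SCPs allows everything and the IAM policy decides. The third case shows that the IAM policy's Deny with NotAction and NotResource is a blanket deny of every non-S3 action on non-S3 resources, so option D is wrong about S3 but the user cannot use CloudTrail or IAM even though the SCP would permit them.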
Team,
Regarding this question, I guess this needs to be revised, because either the policy in the question is incorrect or the options are. I have attached the above SCP to my root account and have even created an IAM user with the above IAM policy, and when I logged in via that user account I was able to create an S3 bucket, because the user's IAM policy allows creation of S3 buckets. Maybe if the SCP had a deny on creation of S3 buckets it wouldn't work, but in this case that is not so; it is working perfectly.
Can you please review this accordingly and let me know why option C is correct here?
-
Hello Vinod,
Thanks for your feedback.
A few questions before I answer your question:
Are you sure that you’ve attached the SCP at your organization root, and not on an organization unit?
Did you use a child account under your organization root?
Regards,
Carlo @ Tutorials Dojo
Hi Carlo,
Thanks for the details here. Actually, I now get the solution after looking at the explanation below:
The option that says: The SCP does not explicitly allow the required action that would enable the account to create an S3 bucket is correct because the default service control policy was changed, which means that you would need to explicitly allow your account access to S3 to be able to create buckets. By removing the default FullAWSAccess SCP, all actions for all services are now implicitly denied. To use SCPs as a whitelist, you must replace the AWS-managed FullAWSAccess SCP with an SCP that explicitly permits only those services and actions that you want to allow. Your custom SCP then overrides the implicit Deny with an explicit Allow for only those actions that you want to permit.
If you look at the highlighted line, I guess now that we remove the default full access, this makes sense. But I feel that is something you need to update in the question as well, because how can the user know that you have removed the default FullAWSAccess SCP here?
-
Hello Vinod4b9,
“how can the user know that you have removed default full access AWS scp here ?”
>> The permissions for the SCP were given in the question (Only CloudTrail and IAM were given full permissions). An SCP that grants full access would look like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
Let me know if this answers your question.
Regards,
Carlo @ Tutorials Dojo
-
Hi Carlos,
I do agree that, as you said, the policy is correct. But actually, if you look at SCPs in AWS Organizations, by default you will have full access enabled and you need to remove that; that is what is mentioned in the explanation. Once that is removed and the new SCP is added, which does not give access to S3 buckets, then it is correct. If you don't delete that policy you can still create an S3 bucket with the policies mentioned in the question.
Attaching a screenshot regarding the same, because in the question you haven't mentioned that you have removed that, but in the explanation you said it is removed, which is why I raised this concern.
-
Hello Vinod4b9,
I understand that you can attach SCPs other than the default (FullAWSAccess). The question states "The account has the following SCP attached", which alludes to the fact that the presented SCP is the only SCP granting permissions to the account. Even without having to explicitly say that full access was removed, the statement should clearly translate to not having full access.
-
Hi Carlos,
“The account has the following SCP attached” which alludes to the fact that the presented SCP is the only SCP granting permission for the account. Even without having to explicitly say that full access was removed, the statement should clearly translates to not having full access.
I don't agree with that statement. Here we are not adding the full access policy; by default it will be there, and if you had at least mentioned "The account has only the following SCP attached" it would make more sense. I am not saying what you said is wrong, but to be more precise it would be better to add "only" as above.
As you said, if the statement should clearly translate to not having full access, you shouldn't have mentioned it specifically in the explanation. So I feel at least adding this line would be better: "The account has only the following SCP attached".
Any comments on this is welcome
-
Hello Vinod,
Okay, I understand what you mean. One of our objectives in writing a question is to pattern its structure on the actual AWS exam. There is actually some level of ambiguity in their questions, which is what we're going for. In the exam, there are questions like this where full details are not explicitly stated.
Regards and Thanks,
Carlo @ Tutorials Dojo
-
Hi Carlos,
"In the exam, there are questions like this where full details are not explicitly stated": if you feel that you can expect this type of question in the exam, I am good with the explanation then, and maybe you can close this ticket. Thanks for taking the time to help me here.