
  • Timed Diagnostic Test – AWS Organisations SCP for Development OU – Incomplete

  • AJam

    Member
    March 17, 2024 at 7:40 pm

    Hi.

    The below question in the Timed Diagnostic Test appears to have an incorrect answer and there is no explanation provided. Can you please provide explanation for why the supplied answer is correct? Thank you.

    Here is the question.

    A company is utilizing the AWS Organizations service to streamline its account management across various departments. Within AWS Organizations, they have a dedicated Organizational Unit (OU) named “Development,” housing multiple AWS accounts used by their software development teams.

    The security team wants to enforce a strict policy to restrict AWS usage to the “ap-southeast-1” region for all existing and future AWS accounts under the “Development” OU. This policy should persistently apply to the existing and newly created AWS accounts within the “Development” OU.

    Which solution will satisfy these requirements?

  • Nikee-TutorialsDojo

    Administrator
    March 18, 2024 at 8:53 am

    Hello AJam,

    Thank you for bringing this to our attention. We will do the necessary updates, and this should be reflected in our practice exam as soon as possible.

    Regarding the correct answer, Option 1 is the correct solution primarily because it leverages Service Control Policies (SCPs) to apply restrictions at the organizational unit (OU) level within AWS Organizations. Attaching the SCP to the “Development” OU ensures that the policy automatically applies to all existing and newly created AWS accounts within that OU. This approach effectively restricts AWS usage to the “ap-southeast-1” region for all accounts under the Development OU, aligning with the security team’s requirements to enforce strict regional access control while also providing the flexibility to exempt certain roles from these restrictions, ensuring both security and operational flexibility.

    I hope this clarifies any confusion you have. If you have any further questions, please don’t hesitate to contact us.

    Regards,

    Nikee @ Tutorials Dojo

  • AJam

    Member
    March 18, 2024 at 3:19 pm

    Hello Nikee.

    Thank you for your response.

    The numbering of the answer options always changes each time you do the test.
    Just wanted to confirm. Are you saying that below is the correct answer? This is what the test is telling me is correct.

    {
       "Version":"2012-10-17",
       "Statement":[
          {
             "Sid":"DenyOtherRegions",
             "Effect":"Deny",
             "NotAction":[
                " <Global Services to Use> "
             ],
             "Resource":"*",
             "Condition":{
                "StringNotEquals":{
                   "aws:RequestedRegion":"ap-southeast-1"
                },
                "ArnNotLike":{
                   "aws:PrincipalARN":"arn:aws:iam:::role/TDojoAdminRole"
                }
             }
          }
       ]
    }

    I do not agree with the above because it says that the TDojoAdminRole is exempt from that restriction. However, this information is not mentioned in the question.

    Instead, I think below is the correct answer.

    {
       "Version":"2012-10-17",
       "Statement":[
          {
             "Sid":"DenyOtherRegions",
             "Effect":"Deny",
             "NotAction":[
                " <Global Services to Use> "
             ],
             "Resource":"*",
             "Condition":{
                "StringNotEquals":{
                   "aws:RequestedRegion":"ap-southeast-1"
                }
             }
          }
       ]
    }

    Please confirm.

    Thank you


  • Nikee-TutorialsDojo

    Administrator
    March 19, 2024 at 10:49 am

    Hello AJam,

    Sorry for the confusion it may have caused. The correct answer to the question is the option below.

    {
       "Version":"2012-10-17",
       "Statement":[
          {
             "Sid":"DenyOtherRegions",
             "Effect":"Deny",
             "NotAction":[
                " <Global Services to Use> "
             ],
             "Resource":"*",
             "Condition":{
                "StringNotEquals":{
                   "aws:RequestedRegion":"ap-southeast-1"
                },
                "ArnNotLike":{
                   "aws:PrincipalARN":"arn:aws:iam:::role/TDojoAdminRole"
                }
             }
          }
       ]
    }

    Given the context of the scenario, where AWS accounts under the “Development” Organizational Unit are used by software development teams, it’s reasonable to assume the existence and necessity of roles such as the TDojoAdminRole. These roles are essential for administrative tasks and operational flexibility within the organizational structure, particularly in environments that are strictly regulated by security policies.

    The option above most accurately aligns with the needs outlined in the scenario. It restricts AWS usage to the “ap-southeast-1” region for all activities except those performed by entities assuming the TDojoAdminRole. This exemption ensures that administrative tasks, which may require access to resources or actions outside the specified region, can be performed without hindrance.

    If you have further questions, please don’t hesitate to contact us.

    Regards,

    Nikee @ Tutorials Dojo

  • AJam

    Member
    March 24, 2024 at 7:34 pm

    Hello. I do not agree with your explanation. We should not be assuming; instead, we should use the information that is provided in the question. So, we should not be excluding any roles in the SCP.

    • Nikee-TutorialsDojo

      Administrator
      March 28, 2024 at 11:16 am

      Hello AJam,

      Thank you for posting, and apologies for any confusion. We will provide the necessary update, which should be reflected in our practice exam as soon as possible.

      Regards,

      Nikee @ Tutorials Dojo
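
The two SCP variants debated in this thread, compared in an added Python example that is not part of the original posts or of the practice exam. It is a simplified model of how one Deny statement is evaluated, not AWS's policy engine; the `iam:*`, `sts:*` and `organizations:*` entries stand in for the `<Global Services to Use>` placeholder, and the `*` account field in the role ARN, the account ID and `DeveloperRole` are assumptions.

```python
from fnmatch import fnmatchcase

# Assumption: stand-ins for the "<Global Services to Use>" placeholder.
GLOBAL_ACTIONS = ["iam:*", "sts:*", "organizations:*"]
REGION = "ap-southeast-1"
# Assumption: "*" in the account field; the thread's ARN leaves it empty.
EXEMPT_ROLE = "arn:aws:iam::*:role/TDojoAdminRole"
DEV = "arn:aws:iam::111122223333:role/DeveloperRole"      # constructed
ADMIN = "arn:aws:iam::111122223333:role/TDojoAdminRole"   # constructed

def build_scp(exempt_role=None):
    """Return the region-lock SCP, optionally with the role exemption."""
    condition = {"StringNotEquals": {"aws:RequestedRegion": REGION}}
    if exempt_role:
        condition["ArnNotLike"] = {"aws:PrincipalARN": exempt_role}
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOtherRegions", "Effect": "Deny",
        "NotAction": GLOBAL_ACTIONS, "Resource": "*",
        "Condition": condition}]}

def scp_denies(policy, action, region, principal_arn):
    """Simplified model of one Deny statement: the deny applies only when
    the action is outside NotAction AND every condition operator matches."""
    stmt = policy["Statement"][0]
    if any(fnmatchcase(action.lower(), p.lower()) for p in stmt["NotAction"]):
        return False  # listed global service: the statement does not apply
    ctx = {"aws:RequestedRegion": region, "aws:PrincipalARN": principal_arn}
    for op, pairs in stmt["Condition"].items():
        for key, value in pairs.items():
            if op == "StringNotEquals":
                matched = ctx[key] != value
            elif op == "ArnNotLike":
                matched = not fnmatchcase(ctx[key], value)
            else:
                raise ValueError(f"operator not modelled: {op}")
            if not matched:
                return False  # operators are ANDed; one miss lifts the deny
    return True

def compare(action, region, principal):
    """Return (denied by SCP with exemption, denied by SCP without it)."""
    return (scp_denies(build_scp(EXEMPT_ROLE), action, region, principal),
            scp_denies(build_scp(), action, region, principal))

if __name__ == "__main__":
    for req in [("ec2:RunInstances", "us-east-1", DEV),
                ("ec2:RunInstances", "us-east-1", ADMIN),
                ("ec2:RunInstances", REGION, DEV),
                ("iam:CreateRole", "us-east-1", DEV)]:
        print(req, compare(*req))
```

The only request on which the two policies differ is the out-of-region call made as `TDojoAdminRole`: the `ArnNotLike` condition lifts the deny for that role, while the policy without it blocks every principal outside `ap-southeast-1`.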
