AWS Certified Solutions Architect Professional forum, Reply To: Explanation is there, but a better explanation would have been better for OU and

  • TutorialsDojo-Support

    Member
    October 8, 2020 at 11:46 pm

    Hello Joseph,

    Thanks for the feedback.

    I’ve updated the explanation section to include more details on why the chosen answer is correct.

    • The scenario on this question has a lot of AWS Accounts that need to be managed. AWS Organization solves this problem and provides you with control by assigning the different business units as individual Organization Units (OU). Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. However, SCPs alone are not sufficient for allowing access in the accounts in your organization. Attaching an SCP to an AWS Organizations entity just defines a guardrail for what actions the principals can perform. You still need to attach identity-based or resource-based policies to principals or resources in your organization’s accounts to actually grant permission to them.
    • Since SCPs only allow or deny the use of an AWS service, you don’t want to block OUs from completely using the EC2 service. Thus, you will need to provide cross-account access and the IAM policy to every member account of the OU.
    • Hence, the correct answer is: Use AWS Organizations to centrally manage all of your accounts. Group your accounts, which belong to a specific business unit, to individual Organization Units (OU). Create an IAM Role in the production account which has a policy that allows access to the EC2 instances including a resource-level permission to terminate the instances owned by a particular business unit. Provide the cross-account access and the IAM policy to every member accounts of the OU.

    Hope this helps.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!

    Regards,

    Kenneth Samonte @ Tutorials Dojo
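As an added illustration (not part of the original thread or of Tutorials Dojo's material), the role described in the chosen answer expressed as IAM policy documents: a trust policy that lets the OU's member accounts assume the role in the production account, and a permissions policy whose terminate statement is scoped with a resource tag condition. Account IDs, the `BusinessUnit` tag key and the `terminate_allowed` helper (a simplified stand-in for IAM's own evaluation) are constructed assumptions.

```python
import json

# Constructed placeholder IDs; substitute real account IDs when deploying.
PRODUCTION_ACCOUNT_ID = "111111111111"
FINANCE_OU_MEMBER_ACCOUNTS = ["222222222222", "333333333333"]


def trust_policy(member_account_ids):
    """Trust policy for the role in the production account: only the
    member accounts of the business unit's OU may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in member_account_ids]},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(business_unit):
    """Permissions attached to the role: describe EC2 instances broadly, but
    terminate only instances tagged as owned by this business unit."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DescribeAnyInstance", "Effect": "Allow",
             "Action": "ec2:DescribeInstances", "Resource": "*"},
            {"Sid": "TerminateOwnBusinessUnitOnly", "Effect": "Allow",
             "Action": "ec2:TerminateInstances",
             "Resource": "arn:aws:ec2:*:*:instance/*",
             "Condition": {"StringEquals": {"aws:ResourceTag/BusinessUnit": business_unit}}},
        ],
    }


def terminate_allowed(policy, instance_tags):
    """Simplified check of the tag condition above (Allow statements only,
    StringEquals on aws:ResourceTag/<key>); not IAM's full evaluation logic."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "ec2:TerminateInstances" not in actions:
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        if all(instance_tags.get(k.split("/", 1)[1]) == v for k, v in wanted.items()):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(trust_policy(FINANCE_OU_MEMBER_ACCOUNTS), indent=2))
    print(json.dumps(permissions_policy("Finance"), indent=2))
    print(terminate_allowed(permissions_policy("Finance"), {"BusinessUnit": "Finance"}))  # True
    print(terminate_allowed(permissions_policy("Finance"), {"BusinessUnit": "HR"}))       # False
```

The SCP attached to the OU is still needed as the guardrail, but as the reply notes it grants nothing by itself; the role above is what actually allows the terminate action, and only for the unit's own instances.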