Reply To: Security Speciality Timed mode Diagnostic test – 45
Hi Carlo,
Thanks for the details here. Actually, now I got the solution after looking at the solution below:
The option that says: The SCP does not explicitly allow the required action that would enable the account to create an S3 bucket is correct because the default service policy was changed which means that you would need to explicitly allow your account access to S3 to be able to create buckets. By removing the default FullAWSAccess SCP, all actions for all services are now implicitly denied. To use SCPs as a whitelist, you must replace the AWS-managed FullAWSAccess SCP with an SCP that explicitly permits only those services and actions that you want to allow. Your custom SCP then overrides the implicit Deny with an explicit Allow for only those actions that you want to permit.
If you look at the highlighted line, I guess now, as we remove the default full access, this makes sense. But I feel that is something which you need to update in the question also, right? Because how can the user know that you have removed the default FullAWSAccess SCP here?
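The behaviour the quoted solution describes (removing FullAWSAccess leaves every action implicitly denied until a custom SCP explicitly allows it, while an explicit Deny always wins) can be checked with a small evaluator. The following is an added example, not code from the forum or the course; it models a single level of SCPs attached to one account, supports only the `Effect`/`Action` fields with `*` wildcards (no `NotAction`, conditions, or OU inheritance), and remembers that an SCP only sets the ceiling, so an identity-based IAM policy is still required for the principal to actually act.

```python
import fnmatch

# The AWS-managed SCP that every organization starts with.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed replacement SCP: an allow list that permits only the S3
# actions needed to create and list buckets.
S3_BUCKET_ALLOWLIST = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:CreateBucket", "s3:ListAllMyBuckets"],
            "Resource": "*",
        }
    ],
}

# Constructed guardrail SCP: an explicit Deny that overrides any Allow.
DENY_BUCKET_CREATION = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:CreateBucket", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Action."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_permits(attached_scps, action):
    """Return True if the attached SCPs allow `action` at this level.

    Evaluation mirrors the documented SCP logic for one level of the
    hierarchy (assumption: no OU inheritance is modelled):
      1. an explicit Deny matching the action wins immediately;
      2. otherwise at least one explicit Allow must match;
      3. with no matching Allow the action is implicitly denied.
    """
    explicit_allow = False
    for policy in attached_scps:
        for statement in policy["Statement"]:
            patterns = _as_list(statement.get("Action", []))
            if not any(_action_matches(p, action) for p in patterns):
                continue
            if statement["Effect"] == "Deny":
                return False  # explicit Deny overrides everything
            explicit_allow = True
    return explicit_allow  # False here is the implicit Deny


def explain(attached_scps, action):
    """Human-readable verdict, useful when reviewing a proposed SCP change."""
    verdict = "allowed" if scp_permits(attached_scps, action) else "denied"
    return f"{action}: {verdict} by SCPs"


if __name__ == "__main__":
    # Scenario from the question: FullAWSAccess removed, nothing put in its place.
    print(explain([], "s3:CreateBucket"))
    # Fix: attach an allow-list SCP that explicitly permits the action.
    print(explain([S3_BUCKET_ALLOWLIST], "s3:CreateBucket"))
    print(explain([S3_BUCKET_ALLOWLIST], "ec2:RunInstances"))
    # Explicit Deny beats the default Allow.
    print(explain([FULL_AWS_ACCESS, DENY_BUCKET_CREATION], "s3:CreateBucket"))
```

Run with the default FullAWSAccess attached, `s3:CreateBucket` is allowed; with nothing attached it is denied even though no statement mentions S3, which is exactly the implicit Deny the question hinges on. Attaching the allow-list SCP restores only the listed S3 actions and leaves everything else (for example `ec2:RunInstances`) denied, and adding an explicit Deny overrides any Allow, including the one in FullAWSAccess.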