Reply To: Timed Diagnostic Test – AWS Organisations SCP for Development OU – Incomplete

  • AJam

    Member
    March 18, 2024 at 3:19 pm

    Hello Nikee.

    Thank you for your response.

    The numbering of the answer options always changes each time you do the test.
    Just wanted to confirm. Are you saying that below is the correct answer? This is what the test is telling me is correct.

    {
       "Version":"2012-10-17",
       "Statement":[
          {
             "Sid":"DenyOtherRegions",
             "Effect":"Deny",
             "NotAction":[
                "<global services to use>"
             ],
             "Resource":"*",
             "Condition":{
                "StringNotEquals":{
                   "aws:RequestedRegion":"ap-southeast-1"
                },
                "ArnNotLike":{
                   "aws:PrincipalARN":"arn:aws:iam:::role/TDojoAdminRole"
                }
             }
          }
       ]
    }

    I do not agree with the above because it says that the TDojoAdminRole is exempt from that restriction. However, this information is not mentioned in the question.

    Instead, I think below is the correct answer.

    {
       "Version":"2012-10-17",
       "Statement":[
          {
             "Sid":"DenyOtherRegions",
             "Effect":"Deny",
             "NotAction":[
                "<global services to use>"
             ],
             "Resource":"*",
             "Condition":{
                "StringNotEquals":{
                   "aws:RequestedRegion":"ap-southeast-1"
                }
             }
          }
       ]
    }

    Please confirm.

    Thank you
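
Added example, not part of the original post or the practice test: a simplified Python model of how the Deny statement in the two policies quoted above is evaluated, showing that the operators inside one Condition block are ANDed, so the extra ArnNotLike key is what separates the two variants. The global-service action list, the sample account ID and role names, and the `*` account field in the admin-role ARN pattern are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed stand-ins for the "<global services to use>" placeholder.
GLOBAL_ACTIONS = ["iam:*", "sts:*", "organizations:*"]
# Assumption: "*" in the account field (the post shows that field empty).
ADMIN_ARN = "arn:aws:iam::*:role/TDojoAdminRole"

def deny_statement(exempt_admin):
    """Build the DenyOtherRegions statement, with or without the role exemption."""
    cond = {"StringNotEquals": {"aws:RequestedRegion": "ap-southeast-1"}}
    if exempt_admin:
        cond["ArnNotLike"] = {"aws:PrincipalARN": ADMIN_ARN}
    return {"Sid": "DenyOtherRegions", "Effect": "Deny",
            "NotAction": GLOBAL_ACTIONS, "Resource": "*", "Condition": cond}

def condition_holds(operator, pattern, actual):
    if operator == "StringNotEquals":
        return actual != pattern
    if operator == "ArnNotLike":  # glob match approximates ARN wildcard matching
        return not fnmatchcase(actual, pattern)
    raise ValueError(f"operator not modelled: {operator}")

def scp_denies(stmt, req):
    """True when the Deny statement applies to the request."""
    # NotAction: the statement covers every action except the listed ones.
    action = req["action"].lower()
    if any(fnmatchcase(action, p.lower()) for p in stmt["NotAction"]):
        return False
    # All operator/key pairs in the Condition block must hold (logical AND).
    return all(condition_holds(op, pattern, req["context"][key])
               for op, keys in stmt["Condition"].items()
               for key, pattern in keys.items())

def make_request(action, region, principal_arn):
    return {"action": action, "context": {"aws:RequestedRegion": region,
                                          "aws:PrincipalARN": principal_arn}}

if __name__ == "__main__":
    # Constructed sample principals and requests.
    admin = "arn:aws:iam::111122223333:role/TDojoAdminRole"
    dev = "arn:aws:iam::111122223333:role/DevRole"
    for who, region, action in [(admin, "us-east-1", "ec2:RunInstances"),
                                (dev, "us-east-1", "ec2:RunInstances"),
                                (dev, "ap-southeast-1", "ec2:RunInstances"),
                                (dev, "us-east-1", "iam:CreateRole")]:
        req = make_request(action, region, who)
        print(who.rsplit("/", 1)[1], region, action,
              "| with exemption:", scp_denies(deny_statement(True), req),
              "| without:", scp_denies(deny_statement(False), req))
```

The model covers only this one statement; real SCP evaluation also involves every other policy attached along the OU path and the account's identity-based policies.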