Reply To: Timed Diagnostic Test – AWS Organisations SCP for Development OU – Incomplete
Hello AJam,
Sorry for the confusion it may have caused. The correct answer to the question is the option below.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOtherRegions",
            "Effect": "Deny",
            "NotAction": [
                "<Global Services to Use>"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": "ap-southeast-1"
                },
                "ArnNotLike": {
                    "aws:PrincipalARN": "arn:aws:iam:::role/TDojoAdminRole"
                }
            }
        }
    ]
}

Given the context of the scenario, where AWS accounts under the “Development” Organizational Unit are used by software development teams, it’s reasonable to assume the existence and necessity of roles such as the TDojoAdminRole. These roles are essential for administrative tasks and operational flexibility within the organizational structure, particularly in environments that are strictly regulated by security policies.
The option above most accurately aligns with the needs outlined in the scenario. It restricts AWS usage to the “ap-southeast-1” region for all activities except those performed by entities assuming the TDojoAdminRole. This exemption ensures that administrative tasks, which may require access to resources or actions outside the specified region, can be performed without hindrance.
If you have further questions, please don’t hesitate to contact us.
Regards,
Nikee @ Tutorials Dojo
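The following is an added worked example, not code from the Tutorials Dojo reply above: a small Python evaluator that models only the policy semantics this SCP statement relies on (NotAction matching, StringNotEquals, and ArnNotLike with `*` and `?` wildcards) and runs a few constructed requests through it, so a reader can see which combinations of action, region and principal the Deny statement catches. The two placeholders in the post are filled with assumed values: the NotAction list uses example global-service action patterns, and the role pattern is written with a wildcard account ID (`arn:aws:iam::*:role/TDojoAdminRole`), which is an assumption made here so that the pattern can be matched against constructed role ARNs. It is a teaching model, not the AWS policy engine, and it ignores everything else that affects an SCP decision (other SCPs in the hierarchy, identity policies, the FullAWSAccess default).

```python
"""Toy evaluator for the DenyOtherRegions SCP statement (added example, assumptions noted inline)."""
import re

# Constructed SCP mirroring the statement in the post. The NotAction entries and the
# wildcard account ID in the role pattern are assumptions, not values from the post.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOtherRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": "ap-southeast-1"},
                "ArnNotLike": {"aws:PrincipalARN": "arn:aws:iam::*:role/TDojoAdminRole"},
            },
        }
    ],
}


def _glob_to_regex(pattern: str, ignore_case: bool) -> re.Pattern:
    """Translate an IAM-style pattern ('*' = any run, '?' = one char) into an anchored regex."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE if ignore_case else 0)


def _matches_any(value: str, patterns, ignore_case: bool) -> bool:
    return any(_glob_to_regex(p, ignore_case).match(value) for p in patterns)


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """True when every operator/key pair in the Condition block is satisfied.

    Both operators used here are negated forms: they are satisfied when the context
    key is absent or when its value matches none of the listed values/patterns.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            values = expected if isinstance(expected, list) else [expected]
            if operator == "StringNotEquals":
                if actual is not None and actual in values:
                    return False
            elif operator == "ArnNotLike":
                # ARN comparisons are case-sensitive; wildcards are allowed in the pattern.
                if actual is not None and _matches_any(actual, values, ignore_case=False):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled in this example")
    return True


def scp_denies(action: str, region: str, principal_arn: str, scp: dict = SCP) -> bool:
    """Return True if any Deny statement in the SCP applies to this request."""
    ctx = {"aws:RequestedRegion": region, "aws:PrincipalARN": principal_arn}
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt:
            # Actions listed under NotAction are excluded from the statement entirely,
            # which is how the global services stay usable from any region.
            if _matches_any(action, stmt["NotAction"], ignore_case=True):
                continue
        elif not _matches_any(action, stmt.get("Action", []), ignore_case=True):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample requests (account ID and role names are made up).
    developer = "arn:aws:iam::111122223333:role/Developer"
    admin = "arn:aws:iam::111122223333:role/TDojoAdminRole"
    samples = [
        ("ec2:RunInstances", "us-east-1", developer),      # wrong region, ordinary role -> denied
        ("ec2:RunInstances", "ap-southeast-1", developer), # allowed region -> not denied
        ("ec2:RunInstances", "us-east-1", admin),          # exempted admin role -> not denied
        ("iam:CreateUser", "us-east-1", developer),        # global service under NotAction -> not denied
    ]
    for action, region, arn in samples:
        verdict = "DENY" if scp_denies(action, region, arn) else "no deny from this SCP"
        print(f"{action:<18} {region:<15} {arn.rsplit('/', 1)[-1]:<15} -> {verdict}")
```

The four sample rows cover the three branches a reviewer of this SCP should check: the region condition, the principal exemption, and the NotAction carve-out for global services. Swapping in other patterns for the NotAction list or the principal ARN and re-running the script is a quick way to see how a candidate SCP behaves before attaching it to the Development OU.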