Forum: AWS Certified Solutions Architect Professional › Inheritance of SCPs (reply)
Hi Nikee,
Thanks for your reply, and I’m sorry for my late answer. Too busy with preparation for the exam :-/
To be honest I don’t agree with you.
As stated in the linked documentation, AWS writes:
“AWS Organizations attaches an AWS managed SCP named FullAWSAccess to every root, OU and account when it’s created”
The FullAWSAccess is really attached to each OU/Account. It’s not just a matter of showing it in the console, in my opinion. In my AWS Organizations I can see that the SCP is attached, not just inherited, to my OUs/Accounts.
Besides on the webpage you can see some examples.
The last line in the very last table confuses me.
On root level there is a “Deny S3 access”.
So whatever is defined below this level doesn’t matter anymore because S3 is denied and nothing else has been explicitly allowed on root level.
So below root no OU/Account should be able to do anything.
But the very last line in this example states that “Resultant policies at Production OU, Account E and Account F” have “no S3 access” (the very last line in the last table). In my opinion it should be “No service access”.
(I’m assuming: “no S3 access” means: every service can be accessed except S3, the wording is not good at the example from AWS)
What do you think about this example?
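As an added example (not part of the original post or of AWS's documentation), a small Python model of the SCP inheritance rules AWS documents: an action is effectively allowed at an account only if an Allow covers it at every level from the root down to the account, and an explicit Deny at any level wins. The hierarchy (Production OU, Account E) and the statements are constructed to mirror the case discussed above; the statement shape is simplified from real SCP JSON.

```python
"""Effective-permission model for AWS Organizations SCP inheritance.

Added example, not code from the forum post or from AWS. Rules modelled:
  * a level allows an action only if some Allow statement covers it and
    no Deny statement at that level covers it;
  * an action reaches an account only if EVERY level from root to account
    allows it (permissions intersect; a lower level cannot re-grant).
Statements are simplified to {"Effect": "Allow"|"Deny", "Action": [...]},
with IAM-style wildcards such as "*" or "s3:*".
"""
from fnmatch import fnmatch

# AWS attaches this managed SCP to every root, OU and account by default.
FULL_AWS_ACCESS = {"Effect": "Allow", "Action": ["*"]}


def _matches(action: str, patterns) -> bool:
    return any(fnmatch(action, p) for p in patterns)


def level_allows(statements, action: str) -> bool:
    """One level: explicit Deny beats Allow; no matching Allow means denied."""
    allowed = any(s["Effect"] == "Allow" and _matches(action, s["Action"]) for s in statements)
    denied = any(s["Effect"] == "Deny" and _matches(action, s["Action"]) for s in statements)
    return allowed and not denied


def effective_allow(path, action: str) -> bool:
    """path: SCP statement lists ordered from the root down to the account."""
    return all(level_allows(level, action) for level in path)


def summarize(path, actions):
    return {a: effective_allow(path, a) for a in actions}


# Constructed hierarchy mirroring the discussed table: FullAWSAccess is
# attached at every level, and a Deny on S3 is attached at the root only.
DENY_S3 = {"Effect": "Deny", "Action": ["s3:*"]}
ROOT = [FULL_AWS_ACCESS, DENY_S3]
PRODUCTION_OU = [FULL_AWS_ACCESS]
ACCOUNT_E = [FULL_AWS_ACCESS]
PATH_E = [ROOT, PRODUCTION_OU, ACCOUNT_E]

# Variant: FullAWSAccess detached from the root, leaving only the Deny.
PATH_E_ROOT_DENY_ONLY = [[DENY_S3], PRODUCTION_OU, ACCOUNT_E]

if __name__ == "__main__":
    for action, ok in summarize(PATH_E, ["s3:GetObject", "ec2:DescribeInstances"]).items():
        print(f"{action}: {'allowed' if ok else 'denied'}")
```

With FullAWSAccess still attached at the root, the model yields access to everything except S3; with FullAWSAccess detached from the root, nothing below the root is allowed regardless of what the OU or account attaches.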