Hello Jayid,
As mentioned, by default, when SCPs are enabled in AWS Organizations, AWS attaches the managed FullAWSAccess policy to the root, OUs, and accounts, ensuring no restrictions unless explicitly modified. Since there is no indication in the given scenario that an SCP was modified at the account level, the account simply inherits the OU policy and the default FullAWSAccess policy.
We don’t need to specify in the question that the SCP at the account level has not been modified because, since the question only mentions modifications at the OU level, we can assume that no modifications have been made at the account level. Therefore, we can reasonably conclude that the default FullAWSAccess policy remains attached.
For this one: Regarding “The key point is that SCP evaluation works as an intersection across all levels. Even if FullAWSAccess exists at the account level by default, the OU-level SCP still defines the maximum allowed actions.” – to that I’d say that the SCP I configured at the account level was more restrictive than what’s configured at the OU level. In my explanation above, both Root and Sandbox had FullAWSAccess and the account had a custom SCP attached that only allowed ec2:*; the account-level SCP is the most restrictive of all the SCPs and that would dictate the final permission. – I’m referring to this structure:
- Root – FullAWSAccess
- Sandbox OU – Allow ec2:*, s3:*
- Account A – No SCP explicitly mentioned (inherits from OU)
Take note that there are questions in the actual AWS exam that are difficult, tricky, and ambiguous. You have to be prepared to look for specific keywords or key phrases in order to find the most suitable answer. This is the style that we are trying to mimic in our practice tests. Some of the questions do not explicitly show the obvious keywords or phrases that will easily point to the answer.
We will improve the explanation to avoid confusion, and the changes should be reflected on the portal soon.
Regards,
JR @ Tutorials Dojo
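To make the intersection rule discussed above concrete, here is an added example (not code from the thread or from AWS) that models the Root → Sandbox OU → Account path from the post, treating a level with no custom SCP as keeping the default FullAWSAccess policy; the level names, action names and the `ACCOUNT_B` variant with an `ec2:*`-only SCP are constructed for illustration.

```python
import fnmatch

# Constructed model of how AWS Organizations SCPs combine: an action is
# allowed for an account only if EVERY level on the path Root -> OU -> Account
# allows it (intersection). A level with no customised SCP keeps the default
# FullAWSAccess policy, represented here as the wildcard "*".
# Note: SCPs only bound permissions; an IAM identity policy is still needed
# to actually grant the action to a principal.
FULL_AWS_ACCESS = {"*"}

def level_allows(scp_allow: set, action: str) -> bool:
    """True if any Allow pattern at this level matches the action."""
    return any(fnmatch.fnmatchcase(action, pattern) for pattern in scp_allow)

def effective_allow(path: list, action: str) -> bool:
    """path is an ordered list of (level_name, allow_set_or_None), root first.
    None means no SCP was customised at that level, so FullAWSAccess applies."""
    return all(level_allows(FULL_AWS_ACCESS if scp is None else scp, action)
               for _, scp in path)

def allowed_actions(path: list, actions: list) -> set:
    """Subset of `actions` that survives the SCP intersection along `path`."""
    return {a for a in actions if effective_allow(path, a)}

# Structure from the thread: Root keeps FullAWSAccess, the Sandbox OU allows
# ec2:* and s3:*, and Account A has no explicit SCP (inherits via intersection).
ACCOUNT_A = [("Root", FULL_AWS_ACCESS),
             ("Sandbox OU", {"ec2:*", "s3:*"}),
             ("Account A", None)]

# Constructed variant from the reply's argument: a custom account-level SCP
# that only allows ec2:* narrows the result below what the OU permits.
ACCOUNT_B = [("Root", FULL_AWS_ACCESS),
             ("Sandbox OU", {"ec2:*", "s3:*"}),
             ("Account B", {"ec2:*"})]

if __name__ == "__main__":
    sample = ["ec2:RunInstances", "s3:GetObject", "iam:CreateUser"]
    print("Account A:", sorted(allowed_actions(ACCOUNT_A, sample)))  # ec2 + s3
    print("Account B:", sorted(allowed_actions(ACCOUNT_B, sample)))  # ec2 only
```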