Forum Replies Created

Viewing 1 - 4 of 4 posts
  • Vinod4b9

    Member
    May 25, 2021 at 1:16 pm

    Hi Carlos,


“In the exam, there are questions like this where full details are not explicitly stated.” If you feel that this type of question can be expected in the exam, I am good with the explanation, and maybe you can close this ticket regarding this. Thanks for taking the time to help me here.

  • Vinod4b9

    Member
    May 21, 2021 at 2:09 pm

    Hi Carlos,

“The account has the following SCP attached”, which alludes to the fact that the presented SCP is the only SCP granting permission for the account. Even without having to explicitly say that full access was removed, the statement should clearly translate to not having full access.

I mean I don’t agree with that statement. Here we are not adding a full access policy; by default it will be there, and if you could at least have mentioned “The account has only the following SCP attached”, that would make some sense. I am not saying what you said is wrong, but to be more precise it would be better to add “only” as above.

As you said, if the statement should clearly translate to not having full access, you shouldn’t have had to mention it specifically in the explanation. So I feel that at least adding this line will be better: “The account has only the following SCP attached”.

Any comments on this are welcome.

  • Vinod4b9

    Member
    May 20, 2021 at 12:47 am

    Hi Carlos,

I do agree that, as you said, the policy is correct. But actually, if you look at SCPs in AWS Organizations, by default you will have full access enabled and you need to remove that; that is what is mentioned in the explanation. Once that is removed and the new SCP is added, which does not give access to S3 buckets, then it is correct. If you don’t delete that policy, you can still create an S3 bucket with the policies mentioned in the question.

Attaching the screenshot regarding the same, because in the question you haven’t mentioned that you have removed it, but in the explanation you said it is removed, which is why I raised this concern.

  • Vinod4b9

    Member
    May 18, 2021 at 6:04 pm

Hi Carlos,

Thanks for the details here. Actually, now I get the solution after looking at the explanation below:

    The option that says: The SCP does not explicitly allow the required action that would enable the account to create an S3 bucket is correct because the default service policy was changed which means that you would need to explicitly allow your account access to S3 to be able to create buckets. By removing the default FullAWSAccess SCP, all actions for all services are now implicitly denied. To use SCPs as a whitelist, you must replace the AWS-managed FullAWSAccess SCP with an SCP that explicitly permits only those services and actions that you want to allow. Your custom SCP then overrides the implicit Deny with an explicit Allow for only those actions that you want to permit.

If you look at the highlighted line, now that we remove the default full access, I guess this makes sense. But I feel that is something which you need to update in the question also, right? Because how can the user know that you have removed the default FullAWSAccess SCP here?

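The point argued across the thread above (an SCP only grants what it explicitly allows once the AWS-managed FullAWSAccess SCP is gone) can be checked mechanically. The following evaluator is an added example written for this page; it is not code from the original posts or from the course the thread discusses. FullAWSAccess is reproduced with its real content (Allow * on *). ALLOW_LIST_SCP is a hypothetical custom SCP standing in for the one in the question: it allows some EC2 and IAM actions and says nothing about S3. The evaluator models only Action/NotAction matching and Allow/Deny precedence, ignoring Resource and Condition, and additionally shows the multi-level case (root, OU, account) where an action must be allowed at every level of the OU path.

```python
"""Toy evaluator for AWS Organizations service control policies (SCPs).

SCP semantics modelled here:
  * an explicit Deny in any attached SCP wins;
  * otherwise at least one attached SCP must explicitly Allow the action;
  * no matching statement at all is an implicit deny;
  * across the OU path, the action must be allowed at every level.
Resource, Condition and Principal elements are deliberately not modelled.
"""
from fnmatch import fnmatchcase

# Real content of the AWS-managed FullAWSAccess SCP that is attached to the
# root, every OU and every account by default.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Hypothetical custom SCP (an assumption for this example) in the spirit of
# the one in the question: permits EC2 and read-only IAM, is silent on S3,
# and explicitly denies deleting VPCs.
ALLOW_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:*", "iam:Get*", "iam:List*"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:DeleteVpc", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, action):
    """True if the statement's Action/NotAction element covers `action`.
    IAM action matching is case-insensitive and supports * and ? wildcards."""
    action = action.lower()
    if "NotAction" in statement:
        patterns = [p.lower() for p in _as_list(statement["NotAction"])]
        return not any(fnmatchcase(action, p) for p in patterns)
    patterns = [p.lower() for p in _as_list(statement.get("Action", []))]
    return any(fnmatchcase(action, p) for p in patterns)


def scp_allows(scps, action):
    """Evaluate the SCPs attached at ONE level (root, OU or account)."""
    explicitly_allowed = False
    for scp in scps:
        for statement in scp["Statement"]:
            if not _statement_matches(statement, action):
                continue
            if statement["Effect"] == "Deny":
                return False            # explicit Deny always wins
            explicitly_allowed = True   # remember the Allow, keep scanning
    return explicitly_allowed           # no Allow at all -> implicit deny


def effective_allows(levels, action):
    """`levels` is the list of SCP lists from root down to the account.
    The action is permitted only if every level permits it."""
    return all(scp_allows(level, action) for level in levels)


def compare_scenarios(action="s3:CreateBucket"):
    """The two readings argued in the thread, for one action at one level."""
    return {
        "FullAWSAccess still attached": scp_allows(
            [FULL_AWS_ACCESS, ALLOW_LIST_SCP], action),
        "FullAWSAccess removed": scp_allows([ALLOW_LIST_SCP], action),
    }


if __name__ == "__main__":
    for label, result in compare_scenarios().items():
        print(f"{label}: s3:CreateBucket allowed = {result}")
```

Running the block prints True for the first scenario and False for the second, which is exactly the disagreement in the posts: with FullAWSAccess still attached, the custom SCP adds nothing and S3 bucket creation is allowed; with it removed, the same SCP becomes an allow list and S3 is implicitly denied. The multi-level function also shows why removing FullAWSAccess from the OU but not the account (or vice versa) still blocks the action: every level in the path must allow it.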