
Amazon Exam DOP-C02 Topic 5 Question 28 Discussion

Actual exam question for Amazon's DOP-C02 exam
Question #: 28
Topic #: 5

A company has an AWS Control Tower landing zone. The company's DevOps team creates a workload OU. A development OU and a production OU are nested under the workload OU. The company grants users full access to the company's AWS accounts to deploy applications.

The DevOps team needs to allow only a specific management IAM role to manage the IAM roles and policies of any AWS accounts in only the production OU.

Which combination of steps will meet these requirements? (Select TWO.)

Suggested Answer: B, E

You need to understand how SCP inheritance works in AWS. Deny policies are inherited differently from Allow policies.

Allow policies are passed down to children only if the children do not have an Allow policy of their own.

Deny policies always pass down to children.

That is why there is always an SCP attached to the root that allows everything by default. If you restrict this policy, the whole organization is restricted, no matter what the other policies say for the other OUs. So it's not A. It's not D because it restricts the wrong OU.
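The following is an added example, not part of the original page or of AWS's own tooling: a small Python simulation of how SCPs are evaluated down an OU tree, using the layout from the question (Root, Workload, Development, Production) and the SCP design the explanation and the thread comments describe, a Deny on `iam:*` with a condition that excludes the management role, attached to the production OU. The policy documents use real SCP syntax and the real `aws:PrincipalARN` condition key; the role name `IAMManagementRole`, the account names and the `build_org`/`scp_allows` helpers are assumptions made for the example. The example goes beyond the page in one respect: `build_org` lets you attach the same Deny SCP to a different OU, or swap the root policy, so you can see why placing the Deny one level too high also locks out the development OU, and why restricting the root SCP restricts everyone.

```python
"""Simulated SCP evaluation for an AWS Organizations OU tree (added example).

Models the evaluation rule the explanation relies on: an API call from an
account is allowed only if, at every level from the organization root down to
the account, some attached SCP allows it and none explicitly denies it. An
explicit Deny at any level therefore wins, and a missing Allow at any level is
an implicit deny. OU, account and role names are constructed for the example.
"""
from fnmatch import fnmatchcase

# Hypothetical management role; the role name is an assumption, not from the page.
MANAGEMENT_ROLE_ARN = "arn:aws:iam::*:role/IAMManagementRole"

# AWS Organizations attaches this managed SCP to the root, OUs and accounts by default.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# The SCP the thread describes: deny IAM actions unless the caller is the management role.
DENY_IAM_EXCEPT_MANAGEMENT_ROLE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyIamExceptManagementRole",
    "Effect": "Deny",
    "Action": "iam:*",
    "Resource": "*",
    "Condition": {"ArnNotLike": {"aws:PrincipalARN": MANAGEMENT_ROLE_ARN}},
}]}


def build_org(deny_ou="Production", root_policies=(FULL_AWS_ACCESS,)):
    """Node name -> (parent, attached SCPs). The Deny SCP is attached to `deny_ou`."""
    org = {
        "Root": (None, list(root_policies)),
        "Workload": ("Root", [FULL_AWS_ACCESS]),
        "Development": ("Workload", [FULL_AWS_ACCESS]),
        "Production": ("Workload", [FULL_AWS_ACCESS]),
        "DevAccount": ("Development", [FULL_AWS_ACCESS]),   # constructed account names
        "ProdAccount": ("Production", [FULL_AWS_ACCESS]),
    }
    org[deny_ou][1].append(DENY_IAM_EXCEPT_MANAGEMENT_ROLE)
    return org


def _matches(pattern, value):
    """Case-sensitive glob match; IAM patterns may be a string or a list of strings."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, ctx):
    """Supports the *Like / *NotLike string and ARN operators; anything else fails closed."""
    for operator, pairs in condition.items():
        for key, pattern in pairs.items():
            hit = _matches(pattern, ctx.get(key, ""))
            if operator in ("StringLike", "ArnLike"):
                if not hit:
                    return False
            elif operator in ("StringNotLike", "ArnNotLike"):
                if hit:
                    return False
            else:
                return False
    return True


def _level_allows(policies, action, ctx):
    """One level allows the action only if some statement allows it and none denies it."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def path_from_root(org, node):
    """Ordered list of nodes from the organization root down to `node`."""
    path = []
    while node is not None:
        path.append(node)
        node = org[node][0]
    return path[::-1]


def scp_allows(org, account, principal_arn, action):
    """True only if every level from the root down to the account allows the action."""
    ctx = {"aws:PrincipalARN": principal_arn}
    return all(_level_allows(org[level][1], action, ctx)
               for level in path_from_root(org, account))


if __name__ == "__main__":
    mgmt = "arn:aws:iam::111122223333:role/IAMManagementRole"   # constructed account id
    dev = "arn:aws:iam::111122223333:role/Developer"
    org = build_org()
    for account in ("ProdAccount", "DevAccount"):
        for who, label in ((mgmt, "management role"), (dev, "developer")):
            print(f"{account:12} {label:16} iam:CreateRole ->",
                  scp_allows(org, account, who, "iam:CreateRole"))
```

Running the block shows the intended result: in `ProdAccount` only the management role can call `iam:CreateRole`, while in `DevAccount` both principals still can, because the Deny lives on the production OU and only flows down from there. Rebuilding with `build_org(deny_ou="Workload")` makes the Deny reach the development OU as well, and rebuilding with a root policy that allows less than `*` takes that access away from every account underneath, which is the point the explanation makes about the root SCP.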


Contribute your Thoughts:

Alita
21 days ago
D and E, because I'm a DevOps wizard and I know these things. Also, did you hear about the AWS engineer who got lost in the cloud? They're still searching for him!
upvoted 0 times
Elfrieda
22 days ago
Is this a trick question? I bet the correct answer is B and D, because who needs production anyway? Just let the management IAM role rule them all!
upvoted 0 times
Fernanda
20 hours ago
A: I think the correct answers are B and D. Let's restrict IAM actions to the workload OU and allow the management IAM role in the production OU.
upvoted 0 times
Brock
30 days ago
D and E, but I'm a bit concerned about the 'full access' thing. Shouldn't we be more specific about the permissions?
upvoted 0 times
Shawn
3 days ago
That sounds like a good idea. Let's make sure we have everything covered.
upvoted 0 times
Norah
4 days ago
Maybe we can add additional conditions to the SCPs to restrict access further.
upvoted 0 times
Viki
7 days ago
I agree, but I also see your point about being more specific with the permissions.
upvoted 0 times
Arlene
10 days ago
I think we should go with option D and E to meet the requirements.
upvoted 0 times
Chau
1 month ago
Hmm, I think the management IAM role should be able to manage IAM in the entire organization, not just the production OU. Why complicate things?
upvoted 0 times
Brett
12 days ago
B: Maybe they have specific security requirements that need to be met.
upvoted 0 times
Olen
22 days ago
A: I agree, it does seem like a complicated setup.
upvoted 0 times
Vi
1 month ago
I'm not sure about the other options. But I think creating an SCP for the production OU is crucial to restrict access to only the specific management IAM role.
upvoted 0 times
Dominque
1 month ago
I agree with Berry. We also need to ensure that the FullAWSAccess SCP is applied at the organization root to meet the requirements.
upvoted 0 times
Berry
1 month ago
I think we should create an SCP that denies IAM related actions with a condition to exclude the management IAM role and attach it to the production OU.
upvoted 0 times
Lilli
2 months ago
D and E, because we need to restrict IAM access in the workload OU and allow it only for the management IAM role in the production OU.
upvoted 0 times
Tarra
13 days ago
This way, IAM access will be restricted in the workload OU and allowed only for the management IAM role in the production OU.
upvoted 0 times
Vicky
23 days ago
And attach the SCP that denies IAM related actions with a condition to exclude the management IAM role to the production OU.
upvoted 0 times
Ronnie
28 days ago
Make sure to attach the SCP that denies IAM related actions with a condition to exclude the management IAM role to the workload OU.
upvoted 0 times
Maybelle
1 month ago
D and E are the correct steps to meet the requirements.
upvoted 0 times