Amazon Exam DOP-C02 Topic 5 Question 28 Discussion

Actual exam question for Amazon's DOP-C02 exam
Question #: 28
Topic #: 5

A company has an AWS Control Tower landing zone. The company's DevOps team creates a workload OU. A development OU and a production OU are nested under the workload OU. The company grants users full access to the company's AWS accounts to deploy applications.

The DevOps team needs to allow only a specific management IAM role to manage the IAM roles and policies of any AWS accounts in only the production OU.

Which combination of steps will meet these requirements? (Select TWO.)

Suggested Answer: B, E

You need to understand how SCP inheritance works in AWS. The way it works for Deny policies is different from the way it works for Allow policies.

Allow policies pass down to children only if the children don't have an Allow policy of their own.

Deny policies always pass down to children.

That's why there is always an SCP attached to the Root that allows everything by default. If you limit this policy, the whole organization will be limited, no matter what other policies say for the other OUs. So it's not A. It's not D because it restricts the wrong OU.
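To make the inheritance argument concrete, here is an added example (not part of the original page) that models the OU tree from the question and evaluates an IAM action against the SCPs along the path from an account's OU up to the Root. The role name "ManagementRole", the account ids and the principal ARNs are constructed assumptions; the deny statement uses the real `aws:PrincipalArn` condition key with `ArnNotLike` to exempt the management role.

```python
import fnmatch

# Constructed SCP statements modelled on the question's scenario; the role name
# "ManagementRole" is an assumption, the question does not name it.
FULL_AWS_ACCESS = {"Effect": "Allow", "Action": ["*"]}
DENY_IAM_EXCEPT_MGMT = {
    "Effect": "Deny",
    "Action": ["iam:*"],
    "Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/ManagementRole"}},
}

def build_org(deny_at):
    """OU tree as name -> (parent, SCPs attached at that node). FullAWSAccess is
    attached everywhere; the IAM deny is attached only at the OU named `deny_at`."""
    org = {
        "Root": (None, [FULL_AWS_ACCESS]),
        "Workload": ("Root", [FULL_AWS_ACCESS]),
        "Development": ("Workload", [FULL_AWS_ACCESS]),
        "Production": ("Workload", [FULL_AWS_ACCESS]),
    }
    parent, scps = org[deny_at]
    org[deny_at] = (parent, scps + [DENY_IAM_EXCEPT_MGMT])
    return org

def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _deny_applies(stmt, action, principal_arn):
    """ArnNotLike on aws:PrincipalArn: the Deny hits every principal except one
    matching the pattern, which is how the management role is exempted."""
    if not _matches(stmt["Action"], action):
        return False
    exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
    return exempt is None or not fnmatch.fnmatchcase(principal_arn, exempt)

def scp_allows(org, ou, action, principal_arn):
    """SCP evaluation as AWS documents it: from the account's OU up to the Root,
    every level must explicitly Allow the action and no level may Deny it."""
    node = ou
    while node is not None:
        parent, scps = org[node]
        allowed = any(s["Effect"] == "Allow" and _matches(s["Action"], action) for s in scps)
        denied = any(s["Effect"] == "Deny" and _deny_applies(s, action, principal_arn) for s in scps)
        if denied or not allowed:
            return False
        node = parent
    return True

DEV = "arn:aws:iam::111111111111:role/Developer"         # constructed principal ARNs
MGMT = "arn:aws:iam::111111111111:role/ManagementRole"
```

Building the tree with `build_org("Workload")` instead of `build_org("Production")` shows why attaching the deny one level too high also blocks IAM in the development OU.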


Contribute your Thoughts:

Alita
4 months ago
D and E, because I'm a DevOps wizard and I know these things. Also, did you hear about the AWS engineer who got lost in the cloud? They're still searching for him!
upvoted 0 times
Elfrieda
4 months ago
Is this a trick question? I bet the correct answer is B and D, because who needs production anyway? Just let the management IAM role rule them all!
upvoted 0 times
Alesia
3 months ago
C: Agreed. It's important to have the right permissions set up to ensure security and compliance.
upvoted 0 times
Maxima
3 months ago
B: Yeah, that makes sense. We need to control access to IAM roles carefully.
upvoted 0 times
Fernanda
4 months ago
A: I think the correct answers are B and D. Let's restrict IAM actions to the workload OU and allow the management IAM role in the production OU.
upvoted 0 times
Brock
5 months ago
D and E, but I'm a bit concerned about the 'full access' thing. Shouldn't we be more specific about the permissions?
upvoted 0 times
Shawn
4 months ago
That sounds like a good idea. Let's make sure we have everything covered.
upvoted 0 times
Norah
4 months ago
Maybe we can add additional conditions to the SCPs to restrict access further.
upvoted 0 times
Viki
4 months ago
I agree, but I also see your point about being more specific with the permissions.
upvoted 0 times
Arlene
4 months ago
I think we should go with option D and E to meet the requirements.
upvoted 0 times
Chau
5 months ago
Hmm, I think the management IAM role should be able to manage IAM in the entire organization, not just the production OU. Why complicate things?
upvoted 0 times
Chuck
3 months ago
C: Yeah, options A and E together would simplify the access control for the management IAM role in the organization.
upvoted 0 times
Sonia
3 months ago
B: I agree, option A along with option E would ensure that only the specific management IAM role has access to manage IAM in the production OU.
upvoted 0 times
Yasuko
3 months ago
A: I think option A is the right choice to allow the management IAM role to manage IAM in the production OU.
upvoted 0 times
Lindsey
3 months ago
C: It's important to restrict access to only what is necessary for security reasons.
upvoted 0 times
Brett
4 months ago
B: Maybe they have specific security requirements that need to be met.
upvoted 0 times
Olen
4 months ago
A: I agree, it does seem like a complicated setup.
upvoted 0 times
Vi
5 months ago
I'm not sure about the other options. But I think creating an SCP for the production OU is crucial to restrict access to only the specific management IAM role.
upvoted 0 times
Dominque
5 months ago
I agree with Berry. We also need to ensure that the FullAWSAccess SCP is applied at the organization root to meet the requirements.
upvoted 0 times
Berry
5 months ago
I think we should create an SCP that denies IAM-related actions with a condition to exclude the management IAM role and attach it to the production OU.
upvoted 0 times
Lilli
5 months ago
D and E, because we need to restrict IAM access in the workload OU and allow it only for the management IAM role in the production OU.
upvoted 0 times
Tarra
4 months ago
This way, IAM access will be restricted in the workload OU and allowed only for the management IAM role in the production OU.
upvoted 0 times
Vicky
4 months ago
And attach the SCP that denies IAM-related actions with a condition to exclude the management IAM role to the production OU.
upvoted 0 times
Ronnie
4 months ago
Make sure to attach the SCP that denies IAM-related actions with a condition to exclude the management IAM role to the workload OU.
upvoted 0 times
Maybelle
5 months ago
D and E are the correct steps to meet the requirements.
upvoted 0 times