Topic: AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 174

A company uses AWS Organizations to manage its AWS accounts. The company has a root OU that has a child OU. The root OU has an SCP that allows all actions on all resources. The child OU has an SCP that allows all actions for Amazon DynamoDB and AWS Lambda, and denies all other actions.

The company has an AWS account that is named vendor-data in the child OU. A DevOps engineer has an IAM user that is attached to the Administrator Access IAM policy in the vendor-data account. The DevOps engineer attempts to launch an Amazon EC2 instance in the vendor-data account but receives an access denied error.

Which change should the DevOps engineer make to launch the EC2 instance in the vendor-data account?

A. Attach the AmazonEC2FullAccess IAM policy to the IAM user.
B. Create a new SCP that allows all actions for Amazon EC2. Attach the SCP to the vendor-data account.
C. Update the SCP in the child OU to allow all actions for Amazon EC2.
D. Create a new SCP that allows all actions for Amazon EC2. Attach the SCP to the root OU.

Re: AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 174

By updating the SCP in the child OU to allow all actions for Amazon EC2, the DevOps engineer can grant the necessary permissions to launch EC2 instances in the vendor-data account while maintaining the desired restrictions for other services and accounts within the child OU.

Re: AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 174

answer is C

Re: AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 174

C, details are everything during an investigation

Re: AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 174

B is the correct answer!!!!

Re: AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 174

Edit: C is correct

Re: AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 174

C is correct

Re: AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 174

C is correct:
A: We need to modify SCP not IAM policy
B: SCP is attached to OUs, not account
D: This option changes nothing, as the root OU has already allowed all actions

Re: AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 174

SCP can be attached to account: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html

Re: AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 174

update policy to include EC2

Re: AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 174

The only correct option

Re: AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 174

C is correct

Re: AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 174

It's C - Allow must be explicit from root all the way down to the account level. Since it's not specified in the OU the only way to make it available to vendor-account is to change the OU policy.
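Added example (not from any reply above): a small Python model of how SCPs are evaluated along the path from the root OU through the child OU to the vendor-data account, run against the question's four options. It assumes the default FullAWSAccess SCP stays attached at the root and at the account itself, and it ignores conditions, permission boundaries and resource policies.

```python
from fnmatch import fnmatchcase

def _matches(patterns, action):
    # IAM-style wildcard match, e.g. "ec2:*" covers "ec2:RunInstances"
    return any(fnmatchcase(action, p) for p in patterns)

def _statement_covers(stmt, action):
    # A statement written with NotAction covers every action it does not list
    if "Action" in stmt:
        return _matches(stmt["Action"], action)
    return not _matches(stmt["NotAction"], action)

def level_permits(scps, action):
    """One hierarchy level (root, OU or account) permits an action only if
    at least one SCP attached there allows it and none denies it."""
    allowed = denied = False
    for scp in scps:
        for stmt in scp:
            if _statement_covers(stmt, action):
                allowed |= stmt["Effect"] == "Allow"
                denied |= stmt["Effect"] == "Deny"
    return allowed and not denied

def scp_permits(path, action):
    """SCPs filter the whole path root -> OU -> account: every level must permit."""
    return all(level_permits(scps, action) for scps in path)

def is_authorized(path, identity_policy, action):
    # SCPs never grant anything; the identity policy must still allow the action
    return scp_permits(path, action) and _matches(identity_policy, action)

# Constructed policies mirroring the question (assumption: the default
# FullAWSAccess SCP remains attached at the root and at the account)
FULL_ACCESS = [{"Effect": "Allow", "Action": ["*"]}]
CHILD_OU = [{"Effect": "Allow", "Action": ["dynamodb:*", "lambda:*"]},
            {"Effect": "Deny", "NotAction": ["dynamodb:*", "lambda:*"]}]
CHILD_OU_WITH_EC2 = [{"Effect": "Allow", "Action": ["dynamodb:*", "lambda:*", "ec2:*"]},
                     {"Effect": "Deny", "NotAction": ["dynamodb:*", "lambda:*", "ec2:*"]}]
EC2_SCP = [{"Effect": "Allow", "Action": ["ec2:*"]}]
ADMIN_ACCESS = ["*"]  # AdministratorAccess identity policy on the IAM user

def evaluate_options(action="ec2:RunInstances"):
    """Outcome of each answer option for the engineer's IAM user in vendor-data."""
    current = [[FULL_ACCESS], [CHILD_OU], [FULL_ACCESS]]  # root, child OU, account
    return {
        "current": is_authorized(current, ADMIN_ACCESS, action),
        "A": is_authorized(current, ADMIN_ACCESS + ["ec2:*"], action),
        "B": is_authorized([[FULL_ACCESS], [CHILD_OU], [FULL_ACCESS, EC2_SCP]], ADMIN_ACCESS, action),
        "C": is_authorized([[FULL_ACCESS], [CHILD_OU_WITH_EC2], [FULL_ACCESS]], ADMIN_ACCESS, action),
        "D": is_authorized([[FULL_ACCESS, EC2_SCP], [CHILD_OU], [FULL_ACCESS]], ADMIN_ACCESS, action),
    }
```

Only option C flips the result to allowed; A, B and D leave the child OU's deny in place, which is why the engineer's AdministratorAccess policy alone never helps.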