Amazon DOP-C02 Exam - Topic 5 Question 28 Discussion

Actual exam question for Amazon's DOP-C02 exam

Question #: 28
Topic #: 5

A company has an AWS Control Tower landing zone. The company's DevOps team creates a workload OU. A development OU and a production OU are nested under the workload OU. The company grants users full access to the company's AWS accounts to deploy applications.

The DevOps team needs to allow only a specific management 1AM role to manage the 1AM roles and policies of any AWS accounts In only the production OU.

Which combination of steps will meet these requirements? {Select TWO.)

ACreate an SCP that denies full access with a condition to exclude the management 1AM role for the organization root.

BEnsure that the FullAWSAccess SCP is applied at the organization root

CCreate an SCP that allows IAM related actions Attach the SCP to the development OU

DCreate an SCP that denies IAM related actions with a condition to exclude the management I AM role Attach the SCP to the workload OU

ECreate an SCP that denies IAM related actions with a condition to exclude the management 1AM role Attach the SCP to the production OU

Show Suggested Answer

Suggested Answer: B, E

You need to understand how SCP inheritance works in AWS. The way it works for Deny policies is different that allow policies.

Allow polices are passing down to children ONLY if they don't have an allow policy.

Deny policies always pass down to children.

That's why there is always an SCP set to the Root to allow everything by default. If you limit this policy, the whole organization will be limited, not matter what other policies are saying for the other OUs. So it's not A. It's not D because it restricts the wrong OU.

by Emily at Jul 03, 2024, 11:28 AM

Limited Time Offer

25%

Off

Get Premium DOP-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Catina

3 months ago

Not sure if this setup is secure enough for production...

upvoted 0 times

...

Berry

3 months ago

B is definitely needed for full access at the root level.

upvoted 0 times

...

Ben

3 months ago

Wait, why would you deny IAM actions? That seems counterproductive.

upvoted 0 times

...

Gaynell

4 months ago

Totally agree, E makes sense!

upvoted 0 times

...

Earnestine

4 months ago

I think E is the right choice for the production OU.

upvoted 0 times

...

Sommer

4 months ago

I recall that creating an SCP that denies IAM actions and attaching it to the workload OU could be a good approach, but I’m not certain if it’s the best option here.

upvoted 0 times

...

Delmy

4 months ago

I'm a bit confused about the conditions in the SCPs. Does denying IAM actions with an exclusion for the management role really work as intended?

upvoted 0 times

...

Elli

4 months ago

I think we practiced a similar question where we had to restrict IAM actions. I feel like option E might be the right choice since it specifically targets the production OU.

upvoted 0 times

...

Patria

5 months ago

I remember we discussed how SCPs can control access at different levels, but I'm not sure if we should apply the SCP to the production OU or the workload OU.

upvoted 0 times

...

Layla

5 months ago

This seems straightforward enough. I'll just need to make sure I select the right combination of steps to restrict access while still allowing the management IAM role to do its job.

upvoted 0 times

...

Peggie

5 months ago

Okay, I think I've got a plan. I'll create an SCP that denies IAM-related actions, but with a condition to exclude the management IAM role. Then I'll attach that SCP to the production OU to meet the requirements.

upvoted 0 times

...

Billy

5 months ago

Hmm, I'm a bit confused on the difference between the SCPs and how to apply them at the different organizational levels. I'll need to review the SCP documentation to make sure I understand the options.

upvoted 0 times

...

Gracia

5 months ago

This looks like a tricky one. I'll need to carefully read through the requirements and think about the best way to restrict access while still allowing the management IAM role to manage the IAM roles and policies.

upvoted 0 times

...

Markus

5 months ago

Okay, let me think this through step-by-step. The question is asking about the fasting blood glucose level that indicates type 2 diabetes. I believe the diagnostic criteria is a fasting level of 7 mmol/L or higher. So I'll go with option C.

upvoted 0 times

...

Levi

5 months ago

This seems like a straightforward question about automating notifications for open cases. I think the key is to identify the Salesforce feature that can monitor case activity and trigger an action when a case hasn't been touched in 24 hours.

upvoted 0 times

...

Alita

2 years ago

D and E, because I'm a DevOps wizard and I know these things. Also, did you hear about the AWS engineer who got lost in the cloud? They're still searching for him!

upvoted 0 times

...

Elfrieda

2 years ago

Is this a trick question? I bet the correct answer is B and D, because who needs production anyway? Just let the management IAM role rule them all!

upvoted 0 times

Alesia

1 year ago

C: Agreed. It's important to have the right permissions set up to ensure security and compliance.

upvoted 0 times

...

Maxima

1 year ago

B: Yeah, that makes sense. We need to control access to IAM roles carefully.

upvoted 0 times

...

Fernanda

2 years ago

A: I think the correct answers are B and D. Let's restrict IAM actions to the workload OU and allow the management IAM role in the production OU.

upvoted 0 times

...

Brock

2 years ago

D and E, but I'm a bit concerned about the 'full access' thing. Shouldn't we be more specific about the permissions?

upvoted 0 times

Shawn

2 years ago

That sounds like a good idea. Let's make sure we have everything covered.

upvoted 0 times

...

Norah

2 years ago

Maybe we can add additional conditions to the SCPs to restrict access further.

upvoted 0 times

...

Viki

2 years ago

I agree, but I also see your point about being more specific with the permissions.

upvoted 0 times

...

Arlene

2 years ago

I think we should go with option D and E to meet the requirements.

upvoted 0 times

...

Chau

2 years ago

Hmm, I think the management IAM role should be able to manage IAM in the entire organization, not just the production OU. Why complicate things?

upvoted 0 times

Chuck

1 year ago

C: Yeah, options A and E together would simplify the access control for the management IAM role in the organization.

upvoted 0 times

...

Sonia

2 years ago

B: I agree, option A along with option E would ensure that only the specific management IAM role has access to manage IAM in the production OU.

upvoted 0 times

...

Yasuko

2 years ago

A: I think option A is the right choice to allow the management IAM role to manage IAM in the production OU.

upvoted 0 times

...

Lindsey

2 years ago

C: It's important to restrict access to only what is necessary for security reasons.

upvoted 0 times

...

Brett

2 years ago

B: Maybe they have specific security requirements that need to be met.

upvoted 0 times

...

Olen

2 years ago

A: I agree, it does seem like a complicated setup.

upvoted 0 times

...

Vi

2 years ago

I'm not sure about the other options. But I think creating an SCP for the production OU is crucial to restrict access to only the specific management IAM role.

upvoted 0 times

...

Dominque

2 years ago

I agree with Berry. We also need to ensure that the FullAWSAccess SCP is applied at the organization root to meet the requirements.

upvoted 0 times

...

Berry

2 years ago

I think we should create an SCP that denies IAM related actions with a condition to exclude the management IAM role and attach it to the production OU.

upvoted 0 times

...