
Amazon DOP-C02 Exam - Topic 5 Question 46 Discussion

Actual exam question for Amazon's DOP-C02 exam
Question #: 46
Topic #: 5

A company uses AWS Organizations to manage its AWS accounts. The organization root has a child OU that is named Department. The Department OU has a child OU that is named Engineering. The default FullAWSAccess policy is attached to the root, the Department OU, and the Engineering OU.

The company has many AWS accounts in the Engineering OU. Each account has an administrative IAM role with the AdministratorAccess IAM policy attached. The default FullAWSAccess policy is also attached to each account.

A DevOps engineer plans to remove the FullAWSAccess policy from the Department OU. The DevOps engineer will replace the policy with a policy that contains an Allow statement for all Amazon EC2 API operations.

What will happen to the permissions of the administrative IAM roles as a result of this change?

Suggested Answer: B

* Impact of Removing FullAWSAccess and Adding Policy for EC2 Actions:

The default FullAWSAccess policy is a service control policy (SCP) that allows all actions on all resources. Removing it from the Department OU narrows the permissions that every OU and account beneath Department can inherit, even though FullAWSAccess remains attached to the Engineering OU and to the accounts themselves.

The replacement policy allows only Amazon EC2 API operations, so everything below the Department OU is restricted to EC2 actions.

* Permissions of Administrative IAM Roles:

The administrative IAM roles in the Engineering OU have the AdministratorAccess policy attached, which grants full access to all AWS services and resources.

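SCPs do not grant permissions themselves; they set the maximum permissions available to the IAM principals in the accounts beneath them. An action is permitted only when an SCP allows it at every level from the root down to the account and an IAM policy also grants it. Removing FullAWSAccess from the Department OU and replacing it with a policy that allows only EC2 actions therefore means that, for the administrative roles in all accounts in the Engineering OU:

EC2 API actions remain allowed, because the new SCP allows them and AdministratorAccess grants them.

Non-EC2 API actions are denied, because the Department OU no longer has an SCP that allows them, regardless of what AdministratorAccess grants.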

* Conclusion:

All API actions on EC2 resources will be allowed.

All other API actions will be denied due to the absence of a broader allow policy.
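
The evaluation described above, as an added Python sketch that is not part of the original page or of any AWS tooling: an action must be allowed by an SCP at every level from the root to the account and also be granted by the IAM policy. The account name `eng-account` and all function names are hypothetical, and the model ignores `Resource`, `Condition` and `NotAction` elements.

```python
from fnmatch import fnmatchcase

# Constructed policies modelling the scenario (Action element only).
FULL_AWS_ACCESS = [{"Effect": "Allow", "Action": "*"}]        # default SCP
EC2_ONLY = [{"Effect": "Allow", "Action": "ec2:*"}]           # replacement SCP
ADMINISTRATOR_ACCESS = [{"Effect": "Allow", "Action": "*"}]   # IAM identity policy

def _matches(statements, effect, action):
    """True if any statement with this effect covers the action (case-insensitive)."""
    for st in statements:
        patterns = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] == effect and any(
            fnmatchcase(action.lower(), p.lower()) for p in patterns
        ):
            return True
    return False

def scp_permits(path, action):
    """path: [(name, [scp, ...]), ...] ordered root -> account.
    Each level needs an Allow; an explicit Deny at any level wins."""
    for _name, policies in path:
        stmts = [s for policy in policies for s in policy]
        if _matches(stmts, "Deny", action) or not _matches(stmts, "Allow", action):
            return False
    return True

def effective(path, identity_policy, action):
    """SCPs only filter: the IAM policy must still grant the action."""
    return _matches(identity_policy, "Allow", action) and scp_permits(path, action)

def build_path(department_scps):
    # "eng-account" is a placeholder for any account in the Engineering OU.
    return [
        ("Root", [FULL_AWS_ACCESS]),
        ("Department", department_scps),
        ("Engineering", [FULL_AWS_ACCESS]),
        ("eng-account", [FULL_AWS_ACCESS]),
    ]

BEFORE = build_path([FULL_AWS_ACCESS])
AFTER = build_path([EC2_ONLY])

if __name__ == "__main__":
    for action in ("ec2:RunInstances", "s3:GetObject", "iam:CreateUser"):
        print(action,
              effective(BEFORE, ADMINISTRATOR_ACCESS, action),
              effective(AFTER, ADMINISTRATOR_ACCESS, action))
```

The FullAWSAccess policies still attached to the Engineering OU and to the account do not restore the non-EC2 actions, because the Department level has already filtered them out.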


Elouise
2 months ago
I’m leaning towards option B, but I’m a bit confused about how the AdministratorAccess policy plays into this. It seems like it should still allow everything.
upvoted 0 times
...
Lizette
2 months ago
If they replace it with an EC2-only policy, wouldn't that mean only EC2 actions are allowed? I feel like the other actions would be denied.
upvoted 0 times
...
Gracie
2 months ago
I remember a practice question where changing a policy affected permissions, but I can't recall if it was similar to this scenario.
upvoted 0 times
...
Tomoko
2 months ago
I'm surprised they would change it like that!
upvoted 0 times
...
Linn
3 months ago
Definitely not C, that doesn't make sense.
upvoted 0 times
...
Sarah
3 months ago
I think B is the right answer!
upvoted 0 times
...
Shelba
3 months ago
Wait, so all other actions get denied? That seems harsh.
upvoted 0 times
...
Cordelia
3 months ago
The FullAWSAccess policy removal will limit permissions.
upvoted 0 times
...
Jacquelyne
3 months ago
I think if the FullAWSAccess policy is removed, the roles might lose some permissions, but I'm not sure how it interacts with the AdministratorAccess policy.
upvoted 0 times
...
Marilynn
4 months ago
Wait, I'm a bit confused. If the default FullAWSAccess policy is attached to the accounts, wouldn't that override the more restrictive policy at the OU level?
upvoted 0 times
...
Cecil
4 months ago
I'm pretty confident I know the answer here. Removing the FullAWSAccess policy and replacing it with a policy that only allows EC2 actions should limit the permissions of the administrative IAM roles to just EC2.
upvoted 0 times
...
Tanesha
4 months ago
Okay, let's think this through step-by-step. The key is understanding how the policies are applied at the different levels of the organization.
upvoted 0 times
...
Lai
4 months ago
This question seems straightforward, but I want to make sure I understand the details correctly before answering.
upvoted 0 times
...
Elise
5 months ago
I've got a good feeling about this one. The policy change at the Department OU level should impact the permissions of the administrative IAM roles in the Engineering OU accounts.
upvoted 0 times
...
Alona
5 months ago
I'm a bit confused about how the different policies interact. I'll need to review the AWS Organizations documentation to make sure I have the right understanding before answering.
upvoted 0 times
...
James
5 months ago
Okay, let's think this through step-by-step. The key is understanding how the policies are applied at the different levels of the organization.
upvoted 0 times
...
Cornell
5 months ago
This question seems straightforward, but I want to make sure I understand the implications of the policy change. I'll need to carefully consider how the permissions will be affected.
upvoted 0 times
...
Reynalda
11 months ago
I agree with Lera, option B seems like the correct answer based on the scenario described.
upvoted 0 times
...
Aliza
11 months ago
That makes sense, since the new policy will only contain an Allow statement for EC2 API operations.
upvoted 0 times
...
Lera
11 months ago
I believe that only API actions on EC2 resources will be allowed.
upvoted 0 times
...
Aliza
11 months ago
I think the permissions of the administrative IAM roles will change.
upvoted 0 times
...
Ulysses
11 months ago
This is a tricky one, but I think option B is the safest bet. Gotta love these AWS Organization questions, they always keep you on your toes!
upvoted 0 times
...
Jamika
11 months ago
Haha, I bet the DevOps engineer who came up with this change is feeling pretty confident in their AWS knowledge. Option B seems like the way to go though.
upvoted 0 times
Lindsey
10 months ago
The administrative IAM roles will only have permissions for EC2 resources after this change.
upvoted 0 times
...
Curtis
10 months ago
Yeah, removing the FullAWSAccess policy and allowing only EC2 API operations makes sense.
upvoted 0 times
...
Norah
10 months ago
I agree, option B seems like the most logical choice.
upvoted 0 times
...
...
Ciara
12 months ago
I'm not so sure, I'm leaning towards option D. If the new policy only allows EC2 actions, then all other API actions will be denied for the administrative roles.
upvoted 0 times
...
Lamar
12 months ago
Hmm, I think option B is the correct answer here. The new policy will only allow EC2 API operations, so the administrative IAM roles will only have access to those specific actions.
upvoted 0 times
Effie
10 months ago
Yes, it's important to carefully manage permissions to ensure security and compliance.
upvoted 0 times
...
Anglea
11 months ago
That makes sense. The administrative IAM roles will have limited permissions after the change.
upvoted 0 times
...
Ronnie
11 months ago
I agree, option B seems to be the correct choice. The new policy will restrict access to only EC2 API operations.
upvoted 0 times
...
...