Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location PL
Mob_nav_barsMENU

Amazon Exam DOP-C02 Topic 5 Question 46 Discussion

Actual exam question for Amazon's DOP-C02 exam
Question #: 46
Topic #: 5
[All DOP-C02 Questions]

A company uses AWS Organizations to manage its AWS accounts. The organization root has a child OU that is named Department. The Department OU has a child OU that is named Engineering. The default FullAWSAccess policy is attached to the root, the Department OU. and the Engineering OU.

The company has many AWS accounts in the Engineering OU. Each account has an administrative 1AM role with the AdmmistratorAccess 1AM policy attached. The default FullAWSAccessPolicy is also attached to each account.

A DevOps engineer plans to remove the FullAWSAccess policy from the Department OU The DevOps engineer will replace the policy with a policy that contains an Allow statement for all Amazon EC2 API operations.

What will happen to the permissions of the administrative 1AM roles as a result of this change'?

Show Suggested Answer Hide Answer
Suggested Answer: B

* Impact of Removing FullAWSAccess and Adding Policy for EC2 Actions:

The FullAWSAccess policy allows all actions on all resources by default. Removing this policy from the Department OU will limit the permissions that accounts within this OU inherit from the parent OU.

Adding a policy that allows only Amazon EC2 API operations will restrict the permissions to EC2 actions only.

* Permissions of Administrative IAM Roles:

The administrative IAM roles in the Engineering OU have the AdministratorAccess policy attached, which grants full access to all AWS services and resources.

Since SCPs are restrictions that apply at the organizational level, removing FullAWSAccess and replacing it with a policy allowing only EC2 actions means that for all accounts in the Engineering OU:

They will have full access to EC2 actions due to the new SCP.

They will be restricted in other actions that are not covered by the SCP, hence, non-EC2 API actions will be denied.

* Conclusion:

All API actions on EC2 resources will be allowed.

All other API actions will be denied due to the absence of a broader allow policy.


by France at Mar 21, 2025, 09:51 AM

Limited Time Offer

25%

Off

Get Premium DOP-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Reynalda
12 days ago
I agree with Lera, option B seems like the correct answer based on the scenario described.
upvoted 0 times
...
Aliza
16 days ago
That makes sense, since the new policy will only contain an Allow statement for EC2 API operations.
upvoted 0 times
...
Lera
17 days ago
I believe that only API actions on EC2 resources will be allowed.
upvoted 0 times
...
Aliza
20 days ago
I think the permissions of the administrative 1AM roles will change.
upvoted 0 times
...
Ulysses
22 days ago
This is a tricky one, but I think option B is the safest bet. Gotta love these AWS Organization questions, they always keep you on your toes!
upvoted 0 times
...
Jamika
24 days ago
Haha, I bet the DevOps engineer who came up with this change is feeling pretty confident in their AWS knowledge. Option B seems like the way to go though.
upvoted 0 times
...
Ciara
1 months ago
I'm not so sure, I'm leaning towards option D. If the new policy only allows EC2 actions, then all other API actions will be denied for the administrative roles.
upvoted 0 times
...
Lamar
1 months ago
Hmm, I think option B is the correct answer here. The new policy will only allow EC2 API operations, so the administrative IAM roles will only have access to those specific actions.
upvoted 0 times
Anglea
8 days ago
That makes sense. The administrative IAM roles will have limited permissions after the change.
upvoted 0 times
...
Ronnie
25 days ago
I agree, option B seems to be the correct choice. The new policy will restrict access to only EC2 API operations.
upvoted 0 times
...
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77