A company has an AWS Control Tower landing zone. The company's DevOps team creates a workload OU. A development OU and a production OU are nested under the workload OU. The company grants users full access to the company's AWS accounts to deploy applications.
The DevOps team needs to allow only a specific management 1AM role to manage the 1AM roles and policies of any AWS accounts In only the production OU.
Which combination of steps will meet these requirements? {Select TWO.)
You need to understand how SCP inheritance works in AWS. The way it works for Deny policies is different that allow policies.
Allow polices are passing down to children ONLY if they don't have an allow policy.
Deny policies always pass down to children.
That's why there is always an SCP set to the Root to allow everything by default. If you limit this policy, the whole organization will be limited, not matter what other policies are saying for the other OUs. So it's not A. It's not D because it restricts the wrong OU.
Bette
16 days agoFrank
1 days agoMyra
4 days agoRonny
18 days agoHuey
19 days agoChanel
20 days agoAja
22 days agoMammie
1 days agoBettye
11 days agoSalina
15 days agoRosalind
27 days agoClaribel
1 days agoJeanice
7 days agoShawn
8 days agoWeldon
1 months agoHuey
1 months ago