A company has an AWS Control Tower landing zone. The company's DevOps team creates a workload OU. A development OU and a production OU are nested under the workload OU. The company grants users full access to the company's AWS accounts to deploy applications.
The DevOps team needs to allow only a specific management 1AM role to manage the 1AM roles and policies of any AWS accounts In only the production OU.
Which combination of steps will meet these requirements? {Select TWO.)
You need to understand how SCP inheritance works in AWS. The way it works for Deny policies is different that allow policies.
Allow polices are passing down to children ONLY if they don't have an allow policy.
Deny policies always pass down to children.
That's why there is always an SCP set to the Root to allow everything by default. If you limit this policy, the whole organization will be limited, not matter what other policies are saying for the other OUs. So it's not A. It's not D because it restricts the wrong OU.
Alita
23 days agoElfrieda
24 days agoFernanda
3 days agoBrock
1 months agoShawn
5 days agoNorah
6 days agoViki
9 days agoArlene
12 days agoChau
1 months agoBrett
14 days agoOlen
24 days agoVi
1 months agoDominque
1 months agoBerry
1 months agoLilli
2 months agoTarra
15 days agoVicky
25 days agoRonnie
1 months agoMaybelle
1 months ago