Q17 — AWS DOP-C02 Ch.1

Question 17 of 100

A company uses AWS Organizations to centrally manage AWS accounts. The organization root has one child organizational unit (OU) named "Production." The "Production" OU has one child OU named "Engineering." Default service control policies (SCPs) are attached to the root, "Production," and "Engineering" OUs. The company has many AWS accounts in the "Engineering" OU. Each account has a management information system (MIS) and an IAM role with a policy granting permissions to access the MIS. Each account also has the default SCP attached. An engineer at Acme plans to replace the default SCP in the "Production" OU with a new SCP that contains only an Allow statement for Amazon EC2 API operations. After this change, what will happen to the permissions of the MIS IAM role in the Engineering accounts?

Correct Answer: B. All API operations on EC2 resources are allowed. All other API operations are denied.

Explanation

IAM authorization follows the 'explicit allow, implicit deny' principle: an action is permitted only if some policy explicitly allows it, and an explicit Deny overrides any Allow. SCPs are evaluated at every level of the organization hierarchy (the root, each OU on the path, and the account itself), and the effective SCP is the intersection of all of them, so a restriction placed on the "Production" OU applies to every account in the child "Engineering" OU even though the root, the "Engineering" OU, and the accounts still carry the default SCP that allows everything. After the default SCP on "Production" is replaced with one that allows only EC2 API operations, that intersection narrows to EC2: EC2 actions remain explicitly permitted, while every other service's actions receive no Allow at that level and are therefore implicitly denied. SCPs never grant permissions on their own; they only cap what the IAM policies inside an account can grant. The MIS role is therefore left with the intersection of its own IAM policy and the effective SCP, that is, EC2 permissions only, which enforces least privilege across the OU.
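The following script is an added illustration, not part of the original question or of any AWS tooling. It models the SCP evaluation described above: every SCP on the path from the root to the account must allow an action, an explicit Deny at any level wins, and the identity policy is intersected with that result. The policy documents (a default allow-all SCP shaped like AWS's FullAWSAccess, the EC2-only replacement, and a hypothetical MIS role policy covering DynamoDB, S3 and one EC2 action) are constructed for the example. The evaluator deliberately ignores Resource, Condition and NotAction so the hierarchy logic stays visible.

```python
import fnmatch
import json

# Constructed sample policies (not taken from the page or from AWS).
# Default SCP: same shape as the AWS-managed FullAWSAccess policy.
FULL_ACCESS_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Replacement SCP for the "Production" OU: only EC2 API operations.
EC2_ONLY_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
})

# Extra constructed SCP used only to show that an explicit Deny beats an Allow.
DENY_TERMINATE_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
})

# Hypothetical IAM policy attached to the MIS role inside each Engineering account.
MIS_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "s3:GetObject", "ec2:DescribeInstances"],
        "Resource": "*",
    }],
})

# Path root -> Production OU -> Engineering OU -> account, before and after the change.
CHAIN_BEFORE = [FULL_ACCESS_SCP, FULL_ACCESS_SCP, FULL_ACCESS_SCP, FULL_ACCESS_SCP]
CHAIN_AFTER = [FULL_ACCESS_SCP, EC2_ONLY_SCP, FULL_ACCESS_SCP, FULL_ACCESS_SCP]


def _statements(policy_json):
    """Return the Statement element as a list (IAM allows a single object too)."""
    stmts = json.loads(policy_json)["Statement"]
    return stmts if isinstance(stmts, list) else [stmts]


def _actions(stmt):
    """Return the Action element as a list (IAM allows a single string too)."""
    acts = stmt.get("Action", [])
    return acts if isinstance(acts, list) else [acts]


def policy_allows(policy_json, action):
    """Evaluate one policy document for one action string.

    Explicit Deny wins over everything; otherwise at least one Allow must match;
    if nothing matches the result is an implicit deny. Action matching is
    case-insensitive with '*' wildcards, as in IAM.
    """
    allowed = False
    for stmt in _statements(policy_json):
        matched = any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                      for pat in _actions(stmt))
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def scp_allows(chain, action):
    """Effective SCP = intersection of the SCPs at every level of the path."""
    return all(policy_allows(scp, action) for scp in chain)


def effective_allow(chain, identity_policy, action):
    """Final decision: the SCP ceiling AND the identity policy must both allow."""
    return scp_allows(chain, action) and policy_allows(identity_policy, action)


def report(chain, identity_policy, actions):
    """Map each action to its final allow/deny decision for a given path."""
    return {a: effective_allow(chain, identity_policy, a) for a in actions}


if __name__ == "__main__":
    probes = ["dynamodb:GetItem", "s3:GetObject",
              "ec2:DescribeInstances", "ec2:RunInstances"]
    for label, chain in (("before", CHAIN_BEFORE), ("after", CHAIN_AFTER)):
        for action, ok in report(chain, MIS_ROLE_POLICY, probes).items():
            print(f"{label:6} {action:24} {'ALLOW' if ok else 'DENY'}")
```

Note that `ec2:RunInstances` is denied after the change even though the SCP permits all of EC2: the SCP only sets the ceiling, and the MIS role's own policy never granted that action. Conversely, `dynamodb:GetItem` is granted by the role's policy but denied because the "Production" SCP no longer allows it, which is the outcome in answer B.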