Q21 — AWS DOP-C02 Ch.1
A company has an organization in AWS Organizations. A developer engineer maintains multiple AWS accounts belonging to different OUs within the organization. Resources—including IAM policies and Amazon S3 bucket policies—are deployed via AWS CloudFormation. All templates and code are stored in an AWS CodeCommit repository. Recently, some developers were unable to access S3 buckets in certain accounts in the organization. The following policy is attached to the S3 bucket: What should the developer engineer do to resolve this access issue?
- A. Modify the S3 bucket policy. Disable S3 Block Public Access settings on the bucket. In the S3 bucket policy, add the aws:SourceAccount condition key and include the AWS account IDs of all affected developers.
- B. Verify that no IAM permissions boundary denies developer access to the S3 bucket. Make necessary changes to IAM permissions boundaries. Use AWS Config Recorder in the affected individual developer accounts to restore any changes blocking access. Commit the fix to the CodeCommit repository and deploy via CloudFormation.
- C. Configure an SCP to prevent anyone from modifying IAM resources in developer OUs. In the S3 bucket policy, add the aws:SourceAccount condition key and include the AWS account IDs of all affected developers. Commit the fix to the CodeCommit repository and deploy via CloudFormation.
- D. Ensure SCPs do not block developer access to the S3 bucket. Ensure no IAM policy or permissions boundary denies developer access to IAM users or roles. Make necessary changes to SCPs and IAM permissions boundaries in the CodeCommit repository. Deploy the changes via CloudFormation. ✓
Correct Answer: D. Ensure SCPs do not block developer access to the S3 bucket. Ensure no IAM policy or permissions boundary denies developer access to IAM users or roles. Make necessary changes to SCPs and IAM permissions boundaries in the CodeCommit repository. Deploy the changes via CloudFormation.
Explanation
Access failures to S3 buckets in multi-account environments often stem from overlapping permission controls: IAM policies, permissions boundaries, and SCPs. IAM evaluates every applicable layer, and an explicit deny or a missing allow in any one of them is enough to deny the request, so the root cause could reside in any layer restricting permissions. Since the issue affects developers across several accounts, an SCP attached to their OUs is as plausible a cause as a per-account IAM control. Option D comprehensively addresses all three layers: verifying that SCPs do not overly restrict access, confirming that IAM policies and permissions boundaries permit the required actions, and making the changes in the CloudFormation templates stored in CodeCommit so that remediation is consistent, auditable, and repeatable. The other options focus too narrowly (e.g., only the bucket policy or only permissions boundaries) and omit critical scope such as the impact of SCPs on cross-account access.