Q21 — AWS DOP-C02 Ch.1

Question 21 of 100

A company has an organization in AWS Organizations. A developer engineer maintains multiple AWS accounts belonging to different OUs within the organization. Resources—including IAM policies and Amazon S3 bucket policies—are deployed via AWS CloudFormation. All templates and code are stored in an AWS CodeCommit repository. Recently, some developers were unable to access S3 buckets in certain accounts in the organization. The following policy is attached to the S3 bucket:

What should the developer engineer do to resolve this access issue?

Correct Answer: D. Ensure SCPs do not block developer access to the S3 bucket. Ensure no IAM policy or permissions boundary denies developer access to IAM users or roles. Make necessary changes to SCPs and IAM permissions boundaries in the CodeCommit repository. Deploy the changes via CloudFormation.

Explanation

Access failures to S3 buckets in multi-account environments often stem from overlapping permission controls: IAM identity policies, permissions boundaries, and SCPs. An explicit deny in any of these layers overrides an allow in the bucket policy, and a missing allow in the SCP or permissions boundary has the same effect. Since the issue affects developers across accounts and involves S3 access, the root cause could reside in any layer restricting permissions. Option D comprehensively addresses all three layers: verifying that SCPs do not overly restrict, confirming that IAM policies and boundaries permit the required actions, and updating the infrastructure-as-code (CloudFormation templates in CodeCommit) so the remediation is consistent, auditable, and repeatable. The other options focus narrowly (e.g., only the bucket policy or only the permissions boundaries) and omit critical scope such as the impact of SCPs on cross-account access.