Q88 — AWS DOP-C02 Ch.1
A company hosts a security audit application in an AWS account. The audit application uses IAM roles to access other AWS accounts. All audited accounts belong to the same organization in AWS Organizations. A recent security audit revealed that users in audited AWS accounts can modify or delete the IAM roles used by the audit application. The company needs to prevent any entity—except trusted administrator IAM roles—from modifying the audit application’s IAM roles.
- A. Create a Service Control Policy (SCP) containing a Deny statement for modifications to the audit application’s IAM roles. Include a condition allowing changes by trusted administrator IAM roles. Attach the SCP to the organization root. ✓
- B. Create an SCP containing an Allow statement permitting trusted administrator IAM roles to modify the audit application’s IAM roles. Include Deny statements blocking all other IAM principals from making such changes. Attach the SCP to the IAM service in each AWS account where the audit application has IAM roles.
- C. Create an IAM permissions boundary containing a Deny statement for modifications to the audit application’s IAM roles. Include a condition allowing changes by trusted administrator IAM roles. Attach the permissions boundary to the audited AWS account.
- D. Create an IAM permissions boundary containing a Deny statement for modifications to the audit application’s IAM roles. Include a condition allowing changes by trusted administrator IAM roles. Attach the permissions boundary to the IAM role used by the audit application in the AWS account.
Correct Answer: A. Create a Service Control Policy (SCP) containing a Deny statement for modifications to the audit application’s IAM roles. Include a condition allowing changes by trusted administrator IAM roles. Attach the SCP to the organization root.
Explanation
Service Control Policies (SCPs) are an AWS Organizations feature that sets the maximum permissions available to member accounts at the organization root, organizational unit (OU), or account level, restricting what actions principals in those accounts can perform. A Deny statement in an SCP overrides any permission granted by identity or resource policies in the member account, unless the statement's own condition excludes the request. Attaching an SCP to the organization root applies it to every account in the organization. Option A correctly implements this by creating an SCP with a Deny statement targeting IAM role modifications, conditioned so that only trusted administrator roles are exempt, and attaching it to the root, which enforces the protection organization-wide. Option B is invalid because SCPs attach to the root, OUs, or accounts, not to individual services such as IAM. Options C and D use IAM permissions boundaries, which only cap the permissions of the *principal they are attached to* (a role or user) and cannot stop other principals (the account root user or other IAM users, for example) from modifying the target role. Only SCPs provide an organization-wide, enforceable guardrail against unauthorized IAM role modification.
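The policy below is an added illustration of the SCP that option A describes; it is not part of the original question or the exam explanation. The role name pattern `audit-app-*` and the administrator role name `AuditRoleAdmin` are placeholders chosen for the example. The Deny covers the IAM actions that alter a role's trust policy, attached permissions, permissions boundary, or existence; the `ArnNotLike` condition on `aws:PrincipalArn` exempts only the trusted administrator role in any account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectAuditApplicationRoles",
      "Effect": "Deny",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:DeleteRolePermissionsBoundary",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription",
        "iam:UpdateAssumeRolePolicy",
        "iam:DeleteRole",
        "iam:TagRole",
        "iam:UntagRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/audit-app-*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/AuditRoleAdmin"
          ]
        }
      }
    }
  ]
}
```

Attach the policy to the root with `aws organizations attach-policy --policy-id <policy-id> --target-id <root-id>` (both IDs are values from your own organization). Two caveats worth checking before relying on it: SCPs never apply to the management account, so the audit application's roles should live in member accounts, and the Deny also binds each member account's root user, which is the behaviour the question asks for. Because `aws:PrincipalArn` resolves to the role ARN for assumed-role sessions, the exemption matches sessions of `AuditRoleAdmin` without needing to list session names.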