Q35 — AWS DOP-C02 Ch.3
A company uses AWS Organizations to manage its AWS accounts. The organization root contains an organizational unit (OU) named Environments. The Environments OU contains two child OUs: Development and Production. Both the Environments OU and its child OUs have the default FullAWSAccess service control policy (SCP) attached. A DevOps engineer plans to remove the FullAWSAccess SCP from the Development OU and replace it with a new SCP that allows only actions on Amazon EC2 resources. What is the outcome of this policy replacement?
- A. All users in the Development OU will be allowed to perform all API operations on all resources.
- B. All users in the Development OU will be allowed to perform all API operations on EC2 resources. All other API operations will be denied. ✓
- C. All users in the Development OU will be denied all API operations on all resources.
- D. All users in the Development OU will be denied all API operations on EC2 resources. All other API operations will be allowed.
Correct Answer: B. All users in the Development OU will be allowed to perform all API operations on EC2 resources. All other API operations will be denied.
Explanation
AWS Organizations service control policies (SCPs) define the maximum permissions available to the accounts in an organizational unit (OU); they do not grant permissions on their own, so an IAM identity still needs an identity-based policy that allows an action. SCPs are evaluated at every level of the hierarchy, from the root down through each OU to the account, and an action is permitted only if an SCP at every level allows it. After the replacement, the root and the Environments OU still allow everything through FullAWSAccess, but the Development OU's new SCP allows only Amazon EC2 actions, so the effective permissions for the Development OU are the intersection of the two: EC2 actions only. Because SCPs follow an implicit 'deny by default' model, every API operation not explicitly allowed in the Development OU's SCP is denied. Option B correctly describes this result, consistent with the AWS Organizations documentation on SCP inheritance and evaluation rules.