Q27 — AWS SCS-C02 Ch.1


A company has an organization with SCPs in AWS Organizations. The root SCP for the organization is as follows: The company's developers are members of a group that has an IAM policy that allows access to Amazon Simple Email Service (Amazon SES) by allowing ses:* actions. The account is a child to an OU that has an SCP that allows Amazon SES. The developers are receiving a not authorized error when they try to access Amazon SES through the AWS Management Console. Which change must a security engineer implement so that the developers can access Amazon SES?

Correct Answer: D. Remove Amazon SES from the root SCP.

Explanation

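According to the question, the organization's root SCP contains a Deny rule for access to Amazon SES. Although the developers' IAM policy allows access to SES, the Deny rule in the root SCP still prevents them from accessing it. To resolve this, the Deny rule for Amazon SES must be removed from the root SCP, after which the developers can access SES. The other options either do not fit the scenario or are not effective ways to solve the problem.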