Q27 — AWS SCS-C02 Ch.1
A company has an organization with SCPs in AWS Organizations. The root SCP for the organization is as follows: The company's developers are members of a group that has an IAM policy that allows access to Amazon Simple Email Service (Amazon SES) by allowing ses:* actions. The account is a child to an OU that has an SCP that allows Amazon SES. The developers are receiving a not authorized error when they try to access Amazon SES through the AWS Management Console. Which change must a security engineer implement so that the developers can access Amazon SES?
- A. Add a resource policy that allows each member of the group to access Amazon SES.
- B. Add a resource policy that allows "Principal": {"AWS": "arn:aws:iam::account-number:group/Dev"}.
- C. Remove the AWS Control Tower control (guardrail) that restricts access to Amazon SES.
- D. Remove Amazon SES from the root SCP. ✓
Correct Answer: D. Remove Amazon SES from the root SCP.
Explanation
According to the question, the organization's root SCP contains a rule that denies access to Amazon SES. Although the developers' IAM policy allows access to SES, the deny rule in the root SCP still prevents them from accessing it, because an SCP sets the maximum permissions for every account beneath it and an explicit deny at the root cannot be overridden by an allow in a child OU's SCP or in an IAM policy. To resolve the issue, the deny rule for Amazon SES must be removed from the root SCP; the developers will then be able to access SES. The other options either do not match the scenario or are not effective ways to solve the problem: resource policies (A and B) cannot override an SCP deny, and a Control Tower guardrail (C) is not what the question describes.