A global pharma company has given external vendors access to documents stored in an Amazon S3 bucket owned by an R&D account within its AWS Organizations organization.
All access to the bucket must be removed immediately because the vendors are no longer affiliated with the company.
As a SysOps administrator, you applied an SCP at the OU level of which the R&D account is a member, denying all access to the Amazon S3 bucket.
Based on AWS CloudTrail logs, the external vendors can still access the S3 bucket. What could be the reason these users still have access to the Amazon S3 bucket?
A. SCP does not apply to users outside the AWS Organization.
B. SCP needs to be applied at the account level instead of the OU level.
C. SCP needs to be applied at the root level instead of the OU level.
D. An IAM policy needs to be created for the users to explicitly deny access to the Amazon S3 bucket, along with the SCP.

Correct Answer - A.
An SCP affects the principals of all accounts within the organization.
It does not apply to external users who have been granted permission to a resource but who are not principals in any account within the AWS Organization.
In the above case, the Amazon S3 bucket is owned by the R&D account within the AWS Organization.
But the users accessing this bucket are external users who are not part of the R&D account.
Option B is incorrect: a Deny applied at the OU level affects all accounts within that OU, and no separate policy needs to be applied at the account level.
Option C is incorrect: an SCP affects all accounts within an OU and does not need to be applied at the root level to affect user permissions.
Option D is incorrect: an IAM policy does not need to be created alongside the SCP to deny access.
If access is explicitly denied by an SCP, the organization's users will not be able to access the resource.
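The point above, that an SCP bounds only principals inside member accounts while a vendor in another account keeps whatever the bucket's own resource policy grants, can be modelled without an AWS account. The following is an added example (not code from the original page or from AWS): the SCP and bucket policy are constructed samples, the account IDs and bucket name are placeholders, and the evaluation function is deliberately simplified (it ignores identity-based policies, permission boundaries and session policies) so that it isolates the one rule in question. The remediation it shows is the one the scenario actually needs: removing the out-of-organization grant from the bucket policy itself.

```python
"""Why an OU-level SCP does not revoke a vendor's access (added example).

Constructed sample policies and placeholder account ids; the evaluation model
is simplified to one rule: SCPs are consulted only for principals that belong
to a member account, so a grant to an outside principal has to be removed from
the bucket's own resource policy.
"""
import copy
from fnmatch import fnmatchcase

# Placeholder account ids: two organization members and one external vendor.
ORG_ACCOUNTS = {"111111111111", "222222222222"}
RND_ACCOUNT = "111111111111"
VENDOR_ACCOUNT = "999999999999"
BUCKET_ARN = "arn:aws:s3:::rnd-shared-docs"  # constructed bucket name

# Constructed SCP attached to the R&D OU: deny every S3 action on the bucket.
SCP_DENY_S3 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}
    ],
}

# Constructed bucket policy: one internal grant and one grant to the vendor account.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "InternalRead", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{RND_ACCOUNT}:root"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
        {"Sid": "VendorRead", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def account_of(principal_arn):
    """Return the 12-digit account id embedded in an IAM ARN."""
    return principal_arn.split(":")[4]


def _action_resource_match(stmt, action, resource):
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))


def _principal_entries(stmt):
    """Normalise the Principal element to a list of ARNs, or ['*'] for anonymous."""
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def _principal_match(stmt, principal_arn):
    for entry in _principal_entries(stmt):
        if entry == "*" or entry == principal_arn:
            return True
        # An account root principal stands for every principal in that account.
        if entry.endswith(":root") and account_of(entry) == account_of(principal_arn):
            return True
    return False


def scp_denies(scp, action, resource):
    return any(s["Effect"] == "Deny" and _action_resource_match(s, action, resource)
               for s in scp["Statement"])


def bucket_policy_allows(policy, principal_arn, action, resource):
    return any(s["Effect"] == "Allow" and _principal_match(s, principal_arn)
               and _action_resource_match(s, action, resource)
               for s in policy["Statement"])


def is_allowed(principal_arn, action, resource, scp, bucket_policy, org_accounts):
    """Simplified decision: the SCP is consulted only for member-account principals."""
    if account_of(principal_arn) in org_accounts and scp_denies(scp, action, resource):
        return False
    return bucket_policy_allows(bucket_policy, principal_arn, action, resource)


def external_grants(policy, org_accounts):
    """Indexes of Allow statements that name a principal outside the organization."""
    flagged = []
    for i, s in enumerate(policy["Statement"]):
        if s["Effect"] != "Allow":
            continue
        for entry in _principal_entries(s):
            if entry == "*" or account_of(entry) not in org_accounts:
                flagged.append(i)
                break
    return flagged


def remove_external_grants(policy, org_accounts):
    """Copy of the bucket policy with every out-of-organization grant removed."""
    drop = set(external_grants(policy, org_accounts))
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = [s for i, s in enumerate(fixed["Statement"]) if i not in drop]
    return fixed


if __name__ == "__main__":
    vendor = f"arn:aws:iam::{VENDOR_ACCOUNT}:root"
    analyst = f"arn:aws:iam::{RND_ACCOUNT}:user/analyst"
    obj = BUCKET_ARN + "/report.pdf"
    print("vendor, SCP only:", is_allowed(vendor, "s3:GetObject", obj, SCP_DENY_S3, BUCKET_POLICY, ORG_ACCOUNTS))
    print("R&D analyst, SCP only:", is_allowed(analyst, "s3:GetObject", obj, SCP_DENY_S3, BUCKET_POLICY, ORG_ACCOUNTS))
    fixed_policy = remove_external_grants(BUCKET_POLICY, ORG_ACCOUNTS)
    print("vendor, after bucket policy fix:", is_allowed(vendor, "s3:GetObject", obj, SCP_DENY_S3, fixed_policy, ORG_ACCOUNTS))
```

Run stand-alone, the script shows the asymmetry the explanation describes: the R&D analyst is cut off by the SCP, the vendor is not, and only editing the bucket policy (here by dropping the `VendorRead` statement; adding an `aws:PrincipalOrgID` condition to the remaining grants is the equivalent allow-list form) closes the vendor's access. `external_grants` is also the check worth running on a real bucket policy during such a review, because it surfaces every grant that an SCP can never reach.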
For more information on Service Control Policies, refer to the following URL:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_type-auth.html

As a SysOps Administrator, you have applied an SCP (Service Control Policy) at the OU (Organizational Unit) level of which the R&D account is a member. The SCP denies all access to the Amazon S3 bucket owned by the R&D account. However, based on AWS CloudTrail logs, external vendors can still access the S3 bucket. Let's analyze the possible reasons for this issue:
Option A: SCP does not apply to users outside the AWS Organizations. This option is partially correct. SCPs only apply to entities (accounts, users, roles) within an AWS Organization. If external vendors are not part of the AWS Organization, SCPs will not apply to them. However, in this case, the scenario states that external vendors had access to the S3 bucket, which implies that they were part of the AWS Organization or had some kind of IAM (Identity and Access Management) access to it. Therefore, this option is not the cause of the issue.
Option B: SCP needs to be applied at the account level instead of OU level. This option is incorrect. SCPs can be applied at the account or OU level, depending on the scope and granularity required. In this case, applying the SCP at the OU level is correct since it targets a specific subset of accounts within the AWS Organization. Applying the SCP at the account level would affect all accounts within the organization, which may not be desirable.
Option C: SCP needs to be applied at the root level instead of OU level. This option is also incorrect. While SCPs can be applied at the root level, it is generally not recommended as it affects all accounts and resources within the organization. Applying the SCP at the OU level provides more granularity and control.
Option D: IAM Policy needs to be created for users to explicitly deny access to the Amazon S3 bucket along with SCP. This option is the most likely cause of the issue. While SCPs can be used to restrict access to resources, they do not replace IAM policies. IAM policies provide fine-grained control over who can access what resources. In this case, it is possible that external vendors had IAM access to the S3 bucket, which was not explicitly denied by the SCP. Therefore, a combination of an SCP and an IAM policy denying access to the S3 bucket should be applied to ensure that access is restricted.
In conclusion, option D is the most likely cause of the issue, and a combination of an SCP and an IAM policy denying access to the S3 bucket should be applied.