A large steel company is using AWS Organization to manage multiple accounts across various regions.
OU's are created based upon verticals as Production, Sales, HR & IT.
Using SCPs, you have assigned the following permissions:
Production OU: EC2
Sales OU: EC2
HR OU: S3, EC2
IT OU: all
IAM policies are applied as follows:
User A, belonging to the Production OU, has full access to EC2 and is denied access to other services.
User B, belonging to the Sales OU, has full access to EC2 and is denied access to other services.
User C, belonging to the HR OU, has full access to EC2 and S3 and is denied access to other services.
User D, belonging to the IT OU, has full access to S3, DynamoDB and RDS and is denied access to other services.
Which of the following will be the effective access permissions for users A, B, C and D respectively?
Correct Answer: B.
While accessing an AWS resource, a combination of SCP & IAM policies can be used.
For the user to access any service, it should have permission granted in IAM policy at the user level.
In addition, the SCP applied to the account (through its OU) that the user belongs to must allow that service; the effective permission is the intersection of the two.
SCPs are similar to IAM permission policies and use almost the same syntax.
However, an SCP never grants permissions.
Instead, SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU).
Users and roles must still be granted permissions with appropriate IAM permission policies.
A user without any IAM permission policies has no access at all, even if the applicable SCPs allow all services and all actions.
If a user or role has an IAM permission policy that grants access to an action that is also allowed by the applicable SCPs, the user or role can perform that action.
Option A is incorrect because User D will be able to access only S3, DynamoDB and RDS, as allowed by the IAM policy, rather than having full access.
Option C is incorrect because User A belongs to the Production OU, whose SCP allows only EC2 and not S3.
Also, User C belongs to the HR OU, which can access EC2 and S3 but not ELB.
User D will be able to access only S3, DynamoDB and RDS services as granted by IAM policy.
Option D is incorrect as User D will be able to access only S3, DynamoDB and RDS services as granted by IAM policy even though he is part of OU with SCP allowing full access to all AWS resources.
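To make the "SCP ceiling intersected with IAM grant" rule concrete, here is an added example (not from the original page or from AWS) that models the scenario's policies as constructed data and computes each user's effective services. It is a simplified evaluator for identity-based policies only: no resource policies, permissions boundaries or session policies, and the OU's SCP is taken as the only SCP in effect (root assumed to be FullAWSAccess).

```python
from fnmatch import fnmatchcase

# Constructed data mirroring the question: one SCP per OU (the ceiling)
# and one IAM identity policy per user (the grant). Services not listed
# are implicitly denied, which is what "denying access to other services"
# amounts to in a policy with only Allow statements.
SCP_BY_OU = {
    "Production": [{"Effect": "Allow", "Action": ["ec2:*"]}],
    "Sales":      [{"Effect": "Allow", "Action": ["ec2:*"]}],
    "HR":         [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"]}],
    "IT":         [{"Effect": "Allow", "Action": ["*"]}],
}
USERS = {  # user -> (OU, IAM policy statements)
    "A": ("Production", [{"Effect": "Allow", "Action": ["ec2:*"]}]),
    "B": ("Sales",      [{"Effect": "Allow", "Action": ["ec2:*"]}]),
    "C": ("HR",         [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"]}]),
    "D": ("IT",         [{"Effect": "Allow", "Action": ["s3:*", "dynamodb:*", "rds:*"]}]),
}
# One representative API action per service, used to probe each service.
PROBE_ACTION = {
    "ec2": "ec2:DescribeInstances",
    "s3": "s3:ListBucket",
    "dynamodb": "dynamodb:Scan",
    "rds": "rds:DescribeDBInstances",
    "elb": "elasticloadbalancing:DescribeLoadBalancers",
}

def evaluate(statements, action):
    """Decision of one policy document for an action: an explicit Deny
    always wins, a matching Allow gives Allow, otherwise implicit deny."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if any(fnmatchcase(action, pattern) for pattern in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def is_allowed(user, action):
    """Allowed only when BOTH the OU's SCP and the user's IAM policy allow it.
    An SCP that allows everything grants nothing on its own (User D, EC2)."""
    ou, iam_statements = USERS[user]
    return (evaluate(SCP_BY_OU[ou], action) == "Allow"
            and evaluate(iam_statements, action) == "Allow")

def effective_services(user):
    """Sorted list of services the user can actually reach."""
    return sorted(s for s, act in PROBE_ACTION.items() if is_allowed(user, act))

if __name__ == "__main__":
    for u in USERS:
        print(u, effective_services(u))
```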
For more information on applying SCPs and IAM policies, refer to the following URLs:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
https://aws.amazon.com/premiumsupport/knowledge-center/iam-policy-service-control-policy/
The scenario describes an AWS Organization that manages multiple accounts across various regions. The organization uses Service Control Policies (SCPs) to assign permissions based on the organizational unit (OU) structure, which is based on verticals such as Production, Sales, HR, and IT. Additionally, IAM policies are applied to users based on their OU membership.
User A belongs to the Production OU and has full access to EC2, while denying access to other services. User B belongs to the Sales OU and has full access to EC2, while denying access to other services. User C belongs to the HR OU and has full access to EC2 and S3 services, while denying access to other services. User D belongs to the IT OU and has full access to S3, DynamoDB, and RDS services, while denying access to other services.
The question asks which of the following will be effective access permissions to users A, B, C, and D, respectively.
Option A: User A and User B will only be able to access EC2. User C will be able to access EC2 and S3. User D will be able to access all AWS resources.
This option is incorrect because it states that User D will have access to all AWS resources, which contradicts the scenario, where User D is only granted access to S3, DynamoDB, and RDS services.
Option B: User A and User B will only be able to access EC2. User C will be able to access EC2, S3, and not any other services. User D will be able to access only S3, DynamoDB, and RDS and not any other services.
This option is correct. Users A and B are only granted access to EC2, while User C is granted access to EC2 and S3. User D is granted access to S3, DynamoDB, and RDS services, but denied access to other services.
Option C: User A will be able to access S3. User B will be able to access EC2 only. User C will be able to access EC2, S3, and ELB.
This option is incorrect because it states that User A will have access to S3, which contradicts the scenario where User A is only granted access to EC2.
Option D: User D will be able to access all services.
This option is incorrect because it contradicts the scenario, where User D is only granted access to S3, DynamoDB, and RDS services.
Option E: User A will be able to access EC2. User B will be able to access EC2 only. User C will be able to access EC2 and S3. User D will be able to access all services.
This option is incorrect because it states that User D will have access to all services, which contradicts the scenario where User D is only granted access to S3, DynamoDB, and RDS services.
In conclusion, the correct answer is option B.