Learn how to effectively manage permissions and restrict access to specific AWS services like DynamoDB across multiple accounts using Service Control Policies in AWS Organizations.
Question
A SysOps administrator manages policies for many AWS member accounts in an AWS Organizations structure. Administrators on other teams have access to the account root user credentials of the member accounts. The SysOps administrator must prevent all teams, including their administrators, from using Amazon DynamoDB. The solution must not affect the ability of the teams to access other AWS services.
Which solution will meet these requirements?
A. In all member accounts, configure IAM policies that deny access to all DynamoDB resources for all users, including the root user.
B. Create a service control policy (SCP) in the management account to deny all DynamoDB actions. Apply the SCP to the root of the organization.
C. In all member accounts, configure IAM policies that deny AmazonDynamoDBFullAccess to all users, including the root user.
D. Remove the default service control policy (SCP) in the management account. Create a replacement SCP that includes a single statement that denies all DynamoDB actions.
Answer
B. Create a service control policy (SCP) in the management account to deny all DynamoDB actions. Apply the SCP to the root of the organization.
Explanation
In an AWS Organizations structure, Service Control Policies (SCPs) are the recommended way to manage permission boundaries across multiple AWS accounts. SCPs are authored in the management account and attached to the organization root, to organizational units (OUs), or to individual member accounts. They set the maximum permissions available in the accounts they cover, including the member accounts' root users, but they never grant permissions themselves; an action still needs an IAM allow in the account to succeed.
To prevent all teams, including administrators holding root credentials, from using Amazon DynamoDB in every member account without affecting access to other AWS services, the SysOps administrator should create an SCP in the management account that explicitly denies all DynamoDB actions (dynamodb:*). Attaching this SCP to the root of the organization enforces it on all existing and future member accounts, and leaving the default FullAWSAccess SCP in place keeps every other service available.
Here’s the step-by-step process:
- Log in to the management account of the AWS Organizations structure.
- Navigate to the AWS Organizations service.
- Create a new SCP with a statement that denies all DynamoDB actions (e.g., dynamodb:*).
- Attach the SCP to the root of the organization.
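The procedure above, as an added example that is not part of the original page: a small Python script that builds the deny-DynamoDB SCP document, checks offline how the SCP layer treats a few actions (including the failure mode of detaching the default FullAWSAccess SCP and the fact that SCPs do not apply to the management account), and, when run with management-account credentials, creates the policy and attaches it to the organization root with boto3. The policy name `DenyDynamoDB`, the sample actions, and the `scp_permits` helper are assumptions made for this example; the boto3 calls are the real `organizations` API operations.

```python
"""Build, sanity-check and (optionally) deploy an SCP that denies DynamoDB org-wide.

Added example for the SCP walkthrough; not code from the original page.
deploy() assumes boto3 is installed and that the caller holds Organizations
administrator credentials in the management account. The offline checks need
only the standard library.
"""
import fnmatch
import json

SCP_NAME = "DenyDynamoDB"  # hypothetical policy name chosen for this example


def build_deny_dynamodb_scp() -> dict:
    """Return the SCP document: one explicit Deny covering every DynamoDB action."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllDynamoDB",
                "Effect": "Deny",
                "Action": "dynamodb:*",
                "Resource": "*",
            }
        ],
    }


def scp_permits(
    scp: dict,
    action: str,
    *,
    full_aws_access_attached: bool = True,
    management_account: bool = False,
) -> bool:
    """Model only the SCP layer of AWS policy evaluation for a single action.

    An action passes the SCP layer when some attached SCP statement allows it and
    no attached SCP statement denies it. The default FullAWSAccess SCP supplies
    the Allow on "*"; if it has been detached and the only SCP is a Deny, nothing
    passes. SCPs are not evaluated for the management account at all. Action
    matching uses IAM wildcard style and is case-insensitive, so "dynamodb:*"
    matches "DynamoDB:PutItem". An IAM allow in the account is still required on
    top of this; that layer is deliberately not modelled here.
    """
    if management_account:
        return True  # SCPs never restrict the management account

    def matches(pattern_or_list, act: str) -> bool:
        patterns = pattern_or_list if isinstance(pattern_or_list, list) else [pattern_or_list]
        return any(fnmatch.fnmatchcase(act.lower(), p.lower()) for p in patterns)

    statements = list(scp["Statement"])
    if full_aws_access_attached:
        statements.append({"Effect": "Allow", "Action": "*", "Resource": "*"})

    allowed = any(s["Effect"] == "Allow" and matches(s["Action"], action) for s in statements)
    denied = any(s["Effect"] == "Deny" and matches(s["Action"], action) for s in statements)
    return allowed and not denied


def deploy(scp: dict, name: str = SCP_NAME) -> str:
    """Create the SCP in the management account and attach it to the org root.

    Returns the new policy id. Imports boto3 lazily so the offline checks above
    run without it.
    """
    import boto3

    org = boto3.client("organizations")
    created = org.create_policy(
        Content=json.dumps(scp),
        Description="Deny all DynamoDB actions in every member account",
        Name=name,
        Type="SERVICE_CONTROL_POLICY",
    )
    policy_id = created["Policy"]["PolicySummary"]["Id"]
    root_id = org.list_roots()["Roots"][0]["Id"]  # a single org has exactly one root
    org.attach_policy(PolicyId=policy_id, TargetId=root_id)
    return policy_id


if __name__ == "__main__":
    scp = build_deny_dynamodb_scp()
    print(json.dumps(scp, indent=2))
    for act in ("dynamodb:PutItem", "DynamoDB:ListTables", "s3:GetObject"):
        print(f"{act:<22} member account: {scp_permits(scp, act)}")
    print("s3:GetObject with FullAWSAccess detached (option D):",
          scp_permits(scp, "s3:GetObject", full_aws_access_attached=False))
    print("dynamodb:PutItem from the management account:",
          scp_permits(scp, "dynamodb:PutItem", management_account=True))
    # Uncomment to actually create and attach the policy:
    # print("created", deploy(scp))
```

The same deployment can be done from the CLI with `aws organizations create-policy --type SERVICE_CONTROL_POLICY --name DenyDynamoDB --content file://scp.json` followed by `aws organizations attach-policy --policy-id <p-...> --target-id <r-...>`, where the root id comes from `aws organizations list-roots`. The offline checks are the part worth keeping in a CI pipeline: they make the two practical caveats explicit, namely that detaching FullAWSAccess silently turns a targeted deny into a deny-everything, and that the management account's own users and root are untouched by any SCP.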
This solution ensures that, regardless of the IAM permissions granted within individual member accounts, no principal in those accounts, including the root user, can call DynamoDB, because the SCP caps what the account may do at the organizational level. Two caveats a practitioner should keep in mind: SCPs do not apply to the management account, so its users and root user are not restricted by this policy, and the default FullAWSAccess SCP must stay attached alongside the new deny so that every other service remains usable.
The other options are either ineffective or break the second requirement:
A. Configuring IAM policies in each member account does not scale and, more importantly, cannot restrict the root user: identity-based IAM policies are never applied to a root user, and the root user is exactly who must be blocked here.
C. This has the same root-user gap as A, and "denying AmazonDynamoDBFullAccess" is not a meaningful control. IAM policies deny actions, not managed policies; a user could still reach DynamoDB through any other policy that allows dynamodb actions.
D. Removing the default FullAWSAccess SCP withdraws the only Allow statement at the root. Because SCPs only permit what they explicitly allow, a replacement SCP containing a single Deny on DynamoDB would leave no allowed actions at all and block access to every other AWS service, which violates the requirement.
This is a practice question and answer, with explanation and references, for the Amazon AWS Certified SysOps Administrator – Associate certification exam.