🔥 3-day streak
AWS Certified Solutions Architect - Professional115 / 186
Question 115 of 186

A financial services company uses AWS Organizations with a hierarchy of nested OUs. The security team attaches an SCP at the root that explicitly allows all EC2 actions. A separate SCP at the 'Production' OU explicitly denies ec2:TerminateInstances. Developers in a production account also have an IAM policy that explicitly allows ec2:TerminateInstances. A developer attempts to terminate an EC2 instance in a production account and is denied. The team wants to understand the governing behavior to design future guardrails correctly. Which statement accurately describes why the action was blocked and how SCPs interact with IAM permissions?

Reviewed for accuracy · Report an issueNext question