🔥 3-day streak
AWS Certified Security - Specialty141 / 184
Question 141 of 184
A security team manages a 60-account AWS Organization using SCPs. To enforce a strict governance model, they replaced the default FullAWSAccess policy on the root and all OUs with a custom allow-list SCP that explicitly permits only the services currently approved (e.g., ec2, s3, rds, lambda, cloudwatch). A development team now reports that they cannot use Amazon Bedrock in their sandbox account, even though their IAM roles grant full Bedrock permissions and there is no explicit deny anywhere. What is the most likely cause and the correct remediation?
Reviewed for accuracy · Report an issueNext question