🔥 3-day streak
AWS Certified Security - Specialty101 / 157
Question 101 of 157

A company uses AWS Organizations with SCPs. The root has an SCP attached that allows all actions (the default FullAWSAccess plus a custom policy allowing only ec2:*, s3:*, and cloudwatch:*). The 'Production' OU has an SCP attached that allows only ec2:* and s3:*. The 'Databases' OU is nested inside 'Production' and has an SCP allowing only s3:* and rds:*. An account resides in the 'Databases' OU. Ignoring IAM permissions, which actions are permitted for principals in that account by the SCP hierarchy?

Reviewed for accuracy · Report an issueNext question