🔥 3-day streak
AWS Certified Security - Specialty124 / 157
Question 124 of 157
A financial services company uses AWS Organizations with all features enabled. Security governance requires that a specific set of member accounts in the 'Sandbox' OU be prevented from creating resources except through AWS CloudFormation. The security team drafts an SCP that denies most write actions unless the calling principal is a designated automation role. However, after attaching the SCP, developers in the Sandbox OU report they can still create EC2 instances directly through the console using their own IAM roles, which have full administrator permissions. The SCP is correctly attached to the Sandbox OU. What is the MOST likely reason the SCP is not blocking these actions?
Reviewed for accuracy · Report an issueNext question