Which solution will meet these requirements?

By:
In: DOP-C02
Tagged:
With: 1 Comment
A company manages multiple AWS accounts by using AWS Organizations with OUs for the different business divisions.The company is updating their corporate network to use new IP address ranges.The company has 10 Amazon S3 buckets in different AWS accounts.The S3 buckets store reports for the different divisions.The S3 bucket configurations allow only private corporate network IP addresses to access the S3 buckets.A DevOps engineer needs to change the range of IP addresses that have permission to access the contents of the S3 buckets.The DevOps engineer also needs to revoke the permissions of two OUs in the company.

Which solution will meet these requirements?

Create a new SCP that has two statements, one that allows access to the new range of IP addresses for all the S3 buckets and one that denies access to the old range of IP addresses for all the S3 buckets. Set a permissions boundary for the OrganizationAccountAccessRole role in the two OUs to deny access to the S3 buckets.

Create a new SCP that has a statement that allows only the new range of IP addresses to access the S3 buckets. Create another SCP that denies access to the S3 buckets. Attach the second SCP to the two OUs.

On all the S3 buckets, configure resource-based policies that allow only the new range of IP addresses to access the S3 buckets. Create a new SCP that denies access to the S3 buckets. Attach the SCP to the two OUs.

On all the S3 buckets, configure resource-based policies that allow only the new range of IP addresses to access the S3 buckets. Set a permissions boundary for the OrganizationAccountAccessRole role in the two OUs to deny access to the S3 buckets.

Explanations:

While this option introduces a Service Control Policy (SCP) to manage IP address access, it does not effectively revoke permissions for the specified OUs since it relies on permissions boundaries for a specific role, which does not affect the overall access. Additionally, using SCPs to manage access at the bucket level may not be effective since SCPs apply to all actions and resources in the account, not just S3 buckets.

This option suggests using SCPs to allow only the new IP range while denying access to all S3 buckets. However, SCPs are not intended for IP address restrictions at the resource level and cannot be used effectively to manage access based solely on IP addresses for S3 buckets. The second SCP would block all access to S3 buckets, which is not the intended requirement.

This option correctly configures resource-based policies on each S3 bucket to allow access only from the new range of IP addresses. Additionally, it implements a second SCP to deny access to the S3 buckets for the two OUs, thus effectively revoking their permissions while allowing the new IP range access. This meets both requirements effectively.

Although this option correctly allows access to the new IP range via resource-based policies, setting a permissions boundary does not revoke access for the OUs but rather defines limits on the permissions for specific IAM roles. This approach would not effectively meet the requirement of revoking access for the specified OUs.

2025-10-17

1 Comment

  1. Jacob
    Author

    I compute that the answer is:
    On all the S3 buckets, configure resource-based policies that allow only the new range of IP addresses to access the S3 buckets. Create a new SCP that denies access to the S3 buckets. Attach the SCP to the two OUs.

Leave a Reply

Your email address will not be published. Required fields are marked *

17 − 11 =