What will be the outcome of this policy replacement?

By:
In: DOP-C02
Tagged:
With: 1 Comment
A company uses AWS Organizations to manage its AWS accounts.The organization root has an OU that is named Environments.The Environments OU has two child OUs that are named Development and Production, respectively.The Environments OU and the child OUs have the default FullAWSAccess policy in place.A DevOps engineer plans to remove the FullAWSAccess policy from the Development OU and replace the policy with a policy that allows all actions on Amazon EC2 resources.

What will be the outcome of this policy replacement?

All users in the Development OU will be allowed all API actions on all resources.

All users in the Development OU will be allowed all API actions on EC2 resources. All other API actions will be denied.

All users in the Development OU will be denied all API actions on all resources.

All users in the Development OU will be denied all API actions on EC2 resources. All other API actions will be allowed.

Explanations:

Removing the FullAWSAccess policy and applying a policy that grants only EC2 permissions means that users can only perform actions on EC2 resources, not all resources.

Replacing the FullAWSAccess policy with a policy that grants all actions on EC2 resources means users can perform any EC2-related action, while all other actions are implicitly denied.

The policy allows all actions on EC2 resources, so users will not be denied all actions on all resources. They can still interact with EC2 resources.

The new policy grants all actions on EC2 resources, meaning users will not be denied EC2 actions. Additionally, other actions will implicitly be denied.

2025-10-13

1 Comment

  1. Anna
    Author

    I reckon the answer is:
    All users in the Development OU will be allowed all API actions on EC2 resources. All other API actions will be denied.

Leave a Reply

Your email address will not be published. Required fields are marked *

1 × two =