What will happen to the permissions of the administrative IAM roles as a result of this change?
All API actions on all resources will be allowed.
All API actions on EC2 resources will be allowed. All other API actions will be denied.
All API actions on all resources will be denied.
All API actions on EC2 resources will be denied. All other API actions will be allowed.
Explanations:
Removing the FullAWSAccess policy from the Department OU means that accounts in that OU will no longer inherit broad permissions for all actions. Therefore, the administrative IAM roles will not automatically retain permissions for all API actions.
The new policy will allow all Amazon EC2 API operations. Even though the FullAWSAccess policy is being removed, the IAM roles still hold the permissions granted by the AdministratorAccess policy, which include EC2 actions. However, without the FullAWSAccess policy, the accounts no longer inherit permissions for any other service, so the roles are left able to perform all EC2 operations but no other actions.
The administrative IAM roles will still retain permissions from the AdministratorAccess policy, which allows all actions on all resources. Therefore, they will not have all actions denied.
The new policy allows EC2 API actions, and the AdministratorAccess policy also allows all actions on all resources. Hence, the administrative IAM roles will not have all EC2 actions denied; they will retain access to all resources.