Which combination of steps will meet these requirements?
(Choose two.)
Create an SCP that denies full access with a condition to exclude the management IAM role for the organization root.
Ensure that the FullAWSAccess SCP is applied at the organization root.
Create an SCP that allows IAM-related actions. Attach the SCP to the development OU.
Create an SCP that denies IAM-related actions with a condition to exclude the management IAM role. Attach the SCP to the workload OU.
Create an SCP that denies IAM-related actions with a condition to exclude the management IAM role. Attach the SCP to the production OU.
Explanations:
Applying an SCP at the root level would impact all OUs under the root, which would restrict IAM role management across all OUs, not only in the production OU.
Ensuring the FullAWSAccess SCP is applied at the root level allows accounts to have access as expected while enabling restrictions applied by additional SCPs to specific OUs.
Allowing IAM actions specifically for the development OU does not meet the requirement to restrict IAM role and policy management only to the production OU and for a specific role.
Applying a deny SCP to the workload OU would affect both the production and development OUs, contradicting the need for IAM restrictions specifically in the production OU.
Attaching a deny SCP to the production OU, with a condition to exclude the management IAM role, meets the requirement by restricting IAM management actions only in production accounts and only allowing the specified role.