Which solution will meet these requirements?

By:
In: SOA-C02
Tagged:
With: 2 Comments
A SysOps administrator manages policies for many AWS member accounts in an AWS Organizations structure.Administrators on other teams have access to the account root user credentials of the member accounts.The SysOps administrator must prevent all teams, including their administrators, from using Amazon DynamoDB.The solution must not affect the ability of the teams to access other AWS services.

Which solution will meet these requirements?

In all member accounts, configure IAM policies that deny access to all DynamoDB resources for all users, including the root user.

Create a service control policy (SCP) in the management account to deny all DynamoDB actions. Apply the SCP to the root of the organization

In all member accounts, configure IAM policies that deny AmazonDynamoDBFullAccess to all users, including the root user.

Remove the default service control policy (SCP) in the management account. Create a replacement SCP that includes a single statement that denies all DynamoDB actions.

Explanations:

IAM policies apply at the account level and do not affect the root user in the context of denying access to services across accounts within AWS Organizations. Thus, this option does not effectively prevent all teams from using DynamoDB, especially since root user credentials are used.

Service Control Policies (SCPs) are used to manage permissions across AWS Organizations and can prevent all actions for DynamoDB across all member accounts, including those with root user credentials. This ensures that all teams, including the administrators, are restricted from using DynamoDB while allowing access to other services.

While denying AmazonDynamoDBFullAccess in IAM policies may limit access for IAM users, it does not apply to the root user, which other teams have access to. Thus, this option fails to prevent access to DynamoDB effectively.

Removing the default SCP and creating a new one to deny DynamoDB actions would not be effective if there are existing permissions that allow access. Additionally, simply denying actions without proper application to all members could result in unintended access. SCPs must be properly configured to ensure they apply across all accounts in the organization.

2026-03-25

2 Comments

  1. Emma
    Author

    I estimate that the answer is:
    Create a service control policy (SCP) in the management account to deny all DynamoDB actions. Apply the SCP to the root of the organization

  2. Bobby
    Author

    I scheme that the answer is:
    Create a service control policy (SCP) in the management account to deny all DynamoDB actions. Apply the SCP to the root of the organization

Leave a Reply to Bobby Cancel reply

Your email address will not be published. Required fields are marked *

eleven + twelve =