AWS SAP-C02 · Question 69 · Domain 1.2: Security Controls
A company is using AWS Organizations. They want to apply a Service Control Policy (SCP) to an Organizational Unit (OU) to prevent any user from deleting VPC Flow Logs. However, they want the 'NetworkAdmin' IAM role to be exempt from this restriction. How can this be achieved?
Answer options:
Create an SCP with an Allow effect for the NetworkAdmin role.
Create an SCP with a Deny effect for the 'ec2:DeleteFlowLogs' action, and add a condition using 'StringNotLike' with the 'aws:PrincipalARN' key pointing to the NetworkAdmin role.
Attach an IAM policy to the NetworkAdmin role that explicitly allows deleting flow logs.
Move the NetworkAdmin role to a different AWS account outside the OU.