Medium · 1 mark · Multiple Choice

AWS SAP-C02 · Question 07 · Domain 1.2: Security Controls

An organization uses AWS IAM Identity Center (AWS SSO) integrated with an on-premises Active Directory. Users are complaining about access denied errors when trying to assume a specific IAM role in a member account, even though they are in the correct AD group. The Solutions Architect verifies the Permission Set is attached. What is the MOST likely cause of the issue?

Answer options:

A. The IAM Identity Center session duration has expired.
B. An AWS Organizations Service Control Policy (SCP) is explicitly denying the action.
C. The AD connector has lost connectivity to the on-premises directory.
D. The IAM role trust policy does not trust the AD group directly.

How to approach this question

Remember the IAM policy evaluation logic: explicit denies in SCPs trump all allows.

Full Answer

B. An AWS Organizations Service Control Policy (SCP) is explicitly denying the action. ✓ Correct

In AWS, an explicit DENY in a Service Control Policy (SCP) overrides any ALLOW in an IAM policy or Permission Set. This is a common cause of unexpected Access Denied errors in multi-account environments.
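An added example (not part of the exam page) that models the evaluation rule the answer relies on: an explicit Deny in any SCP wins over the permission set's Allow, and an SCP that simply fails to allow the action also blocks it. The policy documents, account number and role ARN below are constructed placeholders.

```python
import fnmatch

# Constructed sample documents (not from the page): a placeholder role ARN, a
# permission set that allows assuming it, a permissive SCP, and an SCP with an
# explicit Deny of the same action.
ROLE_ARN = "arn:aws:iam::111122223333:role/PlaceholderRole"  # placeholder account/role
PERMISSION_SET_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}
SCP_FULL_ACCESS = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCP_DENY_ASSUME_ROLE = {"Statement": [
    {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": "*"}]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request."""
    return any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and \
        any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))

def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one document; an explicit Deny is final."""
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def effective_decision(scps, permission_set_policy, action, resource):
    """Combine the SCPs in force on the account with the permission set's policy; return (decision, reason)."""
    # Mirrors the evaluation order: an explicit Deny anywhere wins, then every
    # SCP must allow the action, then the permission set must allow it too.
    scp_results = [evaluate_policy(p, action, resource) for p in scps]
    identity_result = evaluate_policy(permission_set_policy, action, resource)
    if "Deny" in scp_results:
        return "Deny", "explicit Deny in an SCP overrides the permission set's Allow"
    if identity_result == "Deny":
        return "Deny", "explicit Deny in the permission set"
    if any(r != "Allow" for r in scp_results):
        return "Deny", "an SCP does not allow the action (implicit deny)"
    if identity_result == "Allow":
        return "Allow", "allowed by every SCP and by the permission set"
    return "Deny", "no Allow in the permission set (implicit deny)"
```

Running the AssumeRole request through `effective_decision` with only `SCP_FULL_ACCESS` attached returns Allow; adding `SCP_DENY_ASSUME_ROLE` flips it to Deny even though the permission set is unchanged, which is the symptom in the question.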

Common mistakes

Misunderstanding how IAM Identity Center maps AD groups.
