Domain 1.2: Security Controls — AWS SAP-C02 Practice Question 69

How to approach this question

Use SCP conditions to create exceptions.

Full Answer

B.Create an SCP with a Deny effect for the 'ec2:DeleteFlowLogs' action, and add a condition using 'StringNotLike' with the 'aws:PrincipalARN' key pointing to the NetworkAdmin role.✓ Correct

To create an exception in an SCP, you use a Deny statement combined with a condition. The 'StringNotLike' or 'ArnNotEquals' condition on 'aws:PrincipalARN' ensures the Deny applies to everyone except the specified role.

Common mistakes

Thinking an IAM Allow can override an SCP Deny.

A company is using AWS Organizations. They want to apply a Service Control Policy (SCP) to an Organizational Unit (OU) to prevent any user from deleting VPC Flow Logs. However, they want the 'NetworkAdmin' IAM role to be exempt from this restriction. How can this be achieved?

How to approach this question

Full Answer

Common mistakes

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 2

More questions from this exam