AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 128
A company uses AWS Organizations to manage its AWS accounts. The organization root has an OU that is named Environments. The Environments OU has two child OUs that are named Development and Production, respectively.
The Environments OU and the child OUs have the default FullAWSAccess policy in place. A DevOps engineer plans to remove the FullAWSAccess policy from the Development OU and replace the policy with a policy that allows all actions on Amazon EC2 resources.
What will be the outcome of this policy replacement?
Answer options
- A. All users in the Development OU will be allowed all API actions on all resources.
- B. All users in the Development OU will be allowed all API actions on EC2 resources. All other API actions will be denied.
- C. All users in the Development OU will be denied all API actions on all resources.
- D. All users in the Development OU will be denied all API actions on EC2 resources. All other API actions will be allowed.
Correct answer: B
Explanation
The correct answer is B. Once the FullAWSAccess policy is replaced with a policy that allows only actions on EC2 resources, users in the Development OU have access to all EC2-related API actions, and actions on other resources are denied by default because no policy allows them. Options A, C, and D misread how the policy change affects access to EC2 and to other resources.