AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 182
A company has an AWS Control Tower landing zone. The company's DevOps team creates a workload OU. A development OU and a production OU are nested under the workload OU. The company grants users full access to the company's AWS accounts to deploy applications.
The DevOps team needs to allow only a specific management IAM role to manage the IAM roles and policies of any AWS accounts in only the production OU.
Which combination of steps will meet these requirements? (Choose two.)
Answer options
- A. Create an SCP that denies full access with a condition to exclude the management IAM role for the organization root.
- B. Ensure that the FullAWSAccess SCP is applied at the organization root.
- C. Create an SCP that allows IAM related actions. Attach the SCP to the development OU.
- D. Create an SCP that denies IAM related actions with a condition to exclude the management IAM role. Attach the SCP to the workload OU.
- E. Create an SCP that denies IAM related actions with a condition to exclude the management IAM role. Attach the SCP to the production OU.
Correct answer: B, E
Explanation
Answer B is correct because keeping the FullAWSAccess SCP attached at the organization root means every OU and account continues to inherit an allow for all actions; an SCP deny attached lower in the hierarchy then removes only what it explicitly denies. Answer E is also correct because an explicit deny of IAM actions attached to the production OU overrides that inherited allow for every account in that OU, while the condition excluding the management IAM role leaves that role free to manage roles and policies. The other options either do not meet the requirements or apply the restriction at the wrong level: a deny at the organization root (A) or at the workload OU (D) would also affect accounts outside the production OU, and an allow attached to the development OU (C) grants nothing beyond what FullAWSAccess already allows and restricts nothing in production.
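The following is an added example, not part of the original question: an SCP shaped like option E next to FullAWSAccess, plus a small evaluator that models how SCPs inherit down the OU path in the question (deny overrides, and every node from the account's OU up to the root must allow). The role name `ManagementRole`, the account IDs and the single modelled condition key are assumptions for illustration; real SCP evaluation has more operators than this model covers.

```python
import fnmatch

# Assumed role name; the page does not name the management role.
MANAGEMENT_ROLE_ARN = "arn:aws:iam::*:role/ManagementRole"
# Option B: the AWS managed FullAWSAccess SCP stays attached at every level.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Option E: explicit Deny of IAM actions unless the caller is the management role.
DENY_IAM_EXCEPT_MGMT = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyIAMExceptManagementRole", "Effect": "Deny",
    "Action": "iam:*", "Resource": "*",
    "Condition": {"ArnNotLike": {"aws:PrincipalArn": MANAGEMENT_ROLE_ARN}}}]}
# The OU tree from the question, with the SCPs attached at each node.
OU_TREE = {
    "root":        {"parent": None,       "scps": [FULL_AWS_ACCESS]},
    "workload":    {"parent": "root",     "scps": [FULL_AWS_ACCESS]},
    "development": {"parent": "workload", "scps": [FULL_AWS_ACCESS]},
    "production":  {"parent": "workload", "scps": [FULL_AWS_ACCESS, DENY_IAM_EXCEPT_MGMT]},
}

def _statement_applies(stmt, action, principal_arn):
    """True if the statement matches the action and its condition (if any) holds."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(action, a) for a in actions):
        return False
    # Only the ArnNotLike / aws:PrincipalArn condition used above is modelled here.
    pattern = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
    if pattern and fnmatch.fnmatchcase(principal_arn, pattern):
        return False  # caller is the excluded role, so this Deny does not apply
    return True

def _level_allows(scps, action, principal_arn):
    """SCPs attached at one node are evaluated together: any Deny wins, else an Allow is needed."""
    allowed = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if _statement_applies(stmt, action, principal_arn):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed  # no matching Allow means an implicit deny

def is_allowed(ou, action, principal_arn):
    """An account under `ou` may perform `action` only if every node up to the root allows it."""
    node = ou
    while node is not None:
        if not _level_allows(OU_TREE[node]["scps"], action, principal_arn):
            return False
        node = OU_TREE[node]["parent"]
    return True
```

Evaluating `is_allowed` for a developer role and for the management role in the production and development OUs shows why the deny belongs on the production OU only: attaching it to the workload OU instead would also block developers in the development OU.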