AWS Certified Security – Specialty (SCS-C02) — Question 169
A company uses an organization in AWS Organizations to manage its AWS accounts. The company has implemented an SCP in the root account to prevent resources from being shared with external accounts.
The company now needs to allow applications in its marketing team's AWS account to share resources with external accounts. The company must continue to prevent all the other accounts in the organization from sharing resources with external accounts. All the accounts in the organization are members of the same OU.
Which solution will meet these requirements?
Answer options
- A. Create a new SCP in the marketing team's account. Configure the SCP to explicitly allow resource sharing.
- B. Edit the existing SCP to add a Condition statement that excludes the marketing team's account.
- C. Edit the existing SCP to include an Allow statement that specifies the marketing team's account.
- D. Create an IAM permissions boundary policy to explicitly allow resource sharing. Attach the policy to IAM users in the marketing team's account.
Correct answer: B
Explanation
The correct answer is B because adding a Condition statement to the existing SCP that excludes the marketing team's account lets that account share resources while the restriction continues to apply to every other account in the organization. Option A is incorrect because a new SCP cannot override the SCP applied at the root. Option C fails to maintain the restriction for the other accounts, since an Allow statement in an SCP does not narrow an existing Deny. Option D is not relevant because IAM permissions boundaries limit what IAM principals may do and cannot grant an action that an SCP denies.
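One way to express option B in policy form, as an added example that is not part of the original question or explanation. It assumes the existing SCP is a Deny on the AWS RAM actions that create or update a resource share (the question does not name the service), uses a placeholder marketing account ID, and excludes that account with the aws:PrincipalAccount global condition key so the Deny no longer matches requests from it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyExternalSharingExceptMarketing",
      "Effect": "Deny",
      "Action": [
        "ram:CreateResourceShare",
        "ram:UpdateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ram:RequestedAllowsExternalPrincipals": "true"
        },
        "StringNotEquals": {
          "aws:PrincipalAccount": "111122223333"
        }
      }
    }
  ]
}
```

The account ID 111122223333 is a placeholder for the marketing team's account; because the SCP stays attached to the shared OU, no per-account SCP or IAM change is needed, and CloudTrail events for these RAM actions from any other account will show the SCP denial.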