AWS Certified SysOps Administrator – Associate — Question 288

A SysOps administrator manages policies for many AWS member accounts in an AWS Organizations structure. Administrators on other teams have access to the account root user credentials of the member accounts. The SysOps administrator must prevent all teams, including their administrators, from using Amazon DynamoDB. The solution must not affect the ability of the teams to access other AWS services.

Which solution will meet these requirements?

Answer options

• A. In all member accounts, configure IAM policies that deny access to all DynamoDB resources for all users, including the root user.
• B. Create a service control policy (SCP) in the management account to deny all DynamoDB actions. Apply the SCP to the root of the organization
• C. In all member accounts, configure IAM policies that deny AmazonDynamoDBFullAccess to all users, including the root user.
• D. Remove the default service control policy (SCP) in the management account. Create a replacement SCP that includes a single statement that denies all DynamoDB actions.

Correct answer: B

Explanation

Service Control Policies (SCPs) are the only mechanism in AWS that can restrict actions for the root user of a member account within AWS Organizations. Applying a deny SCP at the organization root successfully blocks Amazon DynamoDB access for all accounts and users, including root. Removing the default FullAWSAccess SCP, as suggested in Option D, would block access to all other AWS services, which violates the requirement to leave other services unaffected.