PdfPrep.com

How should the Security Engineer resolve this issue?

A Security Engineer manages AWS Organizations for a company. The Engineer would like to restrict AWS usage to allow Amazon S3 only in one of the organizational units (OUs).

The Engineer adds the following SCP to the OU:

The next day, API calls to AWS IAM appear in AWS CloudTrail logs in an account under that OU.

How should the Security Engineer resolve this issue?
A. Move the account to a new OU and deny IAM:* permissions.
B. Add a Deny policy for all non-S3 services at the account level.
C. Change the policy to:
D. Detach the default FullAWSAccess SCP.

Answer: C
