Exam SCS-C02
Question 165

A company uses an organization in AWS Organizations to manage its AWS accounts. The company has implemented an SCP in the root account to prevent resources from being shared with external accounts.

The company now needs to allow applications in its marketing team's AWS account to share resources with external accounts. The company must continue to prevent all the other accounts in the organization from sharing resources with external accounts. All the accounts in the organization are members of the same OU.

Which solution will meet these requirements?

Correct Answer: B

To meet the stated requirements, the appropriate solution is to edit the existing Service Control Policy (SCP) and add a Condition that excludes the marketing team's account from the restriction. This lets the marketing team's account share resources with external accounts while the SCP continues to prevent every other account in the organization from doing so. Because the condition identifies the marketing team's account directly, there is no need to create new SCPs, move accounts between OUs, or make error-prone changes in other accounts or policies. The marketing team is exempted from the restriction without weakening the security posture of the other accounts.
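An added illustration (not part of the exam page or the discussion): a small Python evaluator for the deny-with-exemption pattern described above. The SCP's exact shape is not given on the page, so the policy below is an assumed one that denies RAM resource shares allowing external principals unless the caller's account is the marketing account; the account IDs are constructed placeholders.

```python
import fnmatch

MARKETING_ACCOUNT = "111111111111"  # constructed placeholder, not a real account ID

# Assumed shape of the root SCP (not given on the page); StringNotEquals is the exemption.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyExternalSharingExceptMarketing",
        "Effect": "Deny",
        "Action": ["ram:CreateResourceShare", "ram:UpdateResourceShare"],
        "Resource": "*",
        "Condition": {
            "Bool": {"ram:RequestedAllowsExternalPrincipals": "true"},
            "StringNotEquals": {"aws:PrincipalAccount": MARKETING_ACCOUNT},
        },
    }],
}

def condition_matches(condition, context):
    """Evaluate the condition operators used above; every block must match."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
            if operator == "Bool" and str(actual).lower() != expected:
                return False
    return True

def scp_denies(scp, action, context):
    """True when any Deny statement matches the action and its condition."""
    for stmt in scp["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Deny" and any(fnmatch.fnmatchcase(action, a) for a in actions):
            if condition_matches(stmt.get("Condition", {}), context):
                return True
    return False

def external_share_denied(account_id, allows_external=True):
    """Would this account's CreateResourceShare call be blocked by the SCP?"""
    context = {"aws:PrincipalAccount": account_id,
               "ram:RequestedAllowsExternalPrincipals": str(allows_external).lower()}
    return scp_denies(SCP, "ram:CreateResourceShare", context)

if __name__ == "__main__":
    for acct in (MARKETING_ACCOUNT, "222222222222"):
        print(acct, "external share denied:", external_share_denied(acct))
```

Swapping StringNotEquals for StringEquals in the policy inverts the result, denying only the marketing account, which is the mistake to check for when reviewing such an SCP.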

Discussion
aescudero51 (Option: B)

Answer is B. The SCP continues to prevent resource sharing with external accounts for all other accounts in the organization. The marketing team's account is specifically exempted from this restriction, allowing them to share resources as needed. Here's an example of a Condition statement that could be used:

```json
{
  "Condition": {
    "StringNotEquals": {
      "aws:PrincipalAccount": "<marketing-team-account-id>"
    }
  }
}
```

7c84836

I went with B too, but there still needs to be an explicit allow statement somewhere in the SCP