Exam DOP-C02
Question 261

A company has an organization in AWS Organizations. A DevOps engineer needs to maintain multiple AWS accounts that belong to different OUs in the organization. All resources, including IAM policies and Amazon S3 policies within an account, are deployed through AWS CloudFormation. All templates and code are maintained in an AWS CodeCommit repository. Recently, some developers have not been able to access an S3 bucket from some accounts in the organization.

The following policy is attached to the S3 bucket:

What should the DevOps engineer do to resolve this access issue?

    Correct Answer: D

    To resolve the access issue, the DevOps engineer should ensure that no Service Control Policy (SCP) is blocking access for developers to the S3 bucket and that no IAM policy permissions boundaries are denying access to developer IAM users. This includes making the necessary changes to the SCP and IAM policy permissions boundaries in the CodeCommit repository. Following this, the engineer should invoke deployment through CloudFormation to apply the changes. This approach comprehensively addresses the potential access issues at both the SCP and IAM policy levels within the organization's governance structure.
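The layered check described in the answer can be sketched as a small evaluator. This is an added example, not part of the original question or of any AWS tooling. It is a simplified model of a cross-account request: it ignores `Condition`, `Principal`, `NotAction` and session policies, and every policy, OU label and bucket name in it is a constructed placeholder (the bucket policy from the question is not shown on this page).

```python
from fnmatch import fnmatchcase

def _listify(value):
    return value if isinstance(value, list) else [value]

def _effects(policy, action, resource):
    """Effects of the statements in one policy that match the request."""
    hits = set()
    for stmt in policy["Statement"]:
        act = any(fnmatchcase(action.lower(), a.lower()) for a in _listify(stmt["Action"]))
        res = any(fnmatchcase(resource, r) for r in _listify(stmt["Resource"]))
        if act and res:
            hits.add(stmt["Effect"])
    return hits

def blocking_layer(layers, action, resource):
    """Return which layer blocks a cross-account request, or None if every layer allows it."""
    for name, policy in layers.items():          # an explicit Deny in any layer wins
        if "Deny" in _effects(policy, action, resource):
            return f"explicit deny: {name}"
    for name, policy in layers.items():          # otherwise every layer must Allow
        if "Allow" not in _effects(policy, action, resource):
            return f"implicit deny: {name}"
    return None

def policy(*stmts):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": e, "Action": a, "Resource": r} for e, a, r in stmts]}

# Constructed sample policies; the bucket name and every statement are placeholders.
OBJ = "arn:aws:s3:::example-bucket/*"
SCP_OPEN = policy(("Allow", "*", "*"))
SCP_RESTRICTED = policy(("Allow", "*", "*"), ("Deny", "s3:*", OBJ))
BOUNDARY_OPEN = policy(("Allow", ["s3:*", "ec2:*"], "*"))
BOUNDARY_NARROW = policy(("Allow", "ec2:*", "*"))
IDENTITY = policy(("Allow", "s3:GetObject", OBJ))
BUCKET = policy(("Allow", "s3:GetObject", OBJ))

def diagnose(scp, boundary):
    layers = {"scp": scp, "permissions_boundary": boundary,
              "identity_policy": IDENTITY, "bucket_policy": BUCKET}
    return blocking_layer(layers, "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv")

if __name__ == "__main__":
    for label, scp, pb in [("ou-a", SCP_OPEN, BOUNDARY_OPEN),
                           ("ou-b", SCP_RESTRICTED, BOUNDARY_OPEN),
                           ("ou-c", SCP_OPEN, BOUNDARY_NARROW)]:
        print(label, diagnose(scp, pb) or "allowed")
```

The same bucket policy and identity policy yield three different outcomes, which is why access can fail from only some accounts even though the bucket policy itself is unchanged.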

Discussion
tgv
Option: D

---> D

trungtd
Option: D

Option D is the most comprehensive and aligns with the requirements:
- It ensures that both SCPs and IAM policies are correctly configured.
- It adheres to the use of CloudFormation for all changes.
- It addresses the immediate issue while providing a scalable and manageable approach.