Exactprep SCS-C02 Questions

For a company using AWS Organizations that requires centralized management and automatic activation of Amazon GuardDuty across all current and future AWS accounts, setting up a delegated administrator account for GuardDuty is the optimal solution. By enabling GuardDuty in a new account and designating it as the delegated administrator, the company can centrally manage GuardDuty findings and automatically enroll new AWS accounts into GuardDuty as they are created within the organization. This approach ensures consistent threat detection and continuous monitoring across all accounts, aligning with best security practices.

The correct answer is A and B. The principal’s identity-based policy grants access to put objects into the S3 bucket with no conditions, and the principal’s identity-based policy overrides the condition because the identity-based policy contains an explicit allow.

The reason is that when evaluating access requests, AWS uses a combination of resource-based policies (such as bucket policies) and identity-based policies (such as IAM user policies) to determine whether to allow or deny the action. According to the AWS documentation1, “If an explicit allow exists in either the resource-based policy or the identity-based policy, then AWS allows access to the resource.” Therefore, even if the bucket policy has a condition that checks the tag values, it will not be effective if the principal’s identity-based policy has an explicit allow for the PutObject action without any conditions. The explicit allow in the identity-based policy will override the condition in the bucket policy and grant access to the principal.

The other options are incorrect because:

• C. The S3 bucket’s resource policy does not deny access to put objects. This is not a factor that causes the PutObject operation to succeed when the tag values are different. The bucket policy can either allow or deny access based on conditions, but it cannot prevent an explicit allow in the identity-based policy from taking effect.
• D. The S3 bucket’s resource policy cannot allow actions to the principal. This is not true. The bucket policy can allow actions to specific principals by using the Principal element in the policy statement. According to the AWS documentation2, “The Principal element specifies the user (IAM user, federated user, or assumed-role user), AWS account, AWS service, or other principal entity that is allowed or denied access to a resource.”
• E. The bucket policy does not apply to principals in the same zone of trust. This is not true. The bucket policy applies to any principal that is specified in the Principal element, regardless of whether they are in the same zone of trust or not. A zone of trust is a logical boundary that defines who can access a resource and under what conditions. According to the AWS documentation3, “A zone of trust can be as small as a single resource (for example, an Amazon S3 object) or as large as an entire AWS account.”

To support answer B, use the reference IAMstatic.com/whitepapers/IAM-security-whitepaper.pdf

"For example, IAM Config provides a managed IAM Config Rules to ensure that encryption is turned on for all EBS volumes in your account."