AWS Certified Solutions Architect - Professional 2020


SCP vs IAM – exam question

An exam simulator asks the following. To me, the right answer is A, but the simulator says it’s B. What is right?

I think A is right because (1) if accounts are actually able to create untagged resources now, it means they already have the permission, and an SCP will limit this permission to tagged resources only, and (2) you cannot attach an IAM policy to accounts (only to users, roles or groups).

Question :

You have multiple AWS accounts with multiple IAM users launching many EC2 instances. As a result, your account quickly hits the service limit and you cannot create new instances. Some instances are not tagged, therefore you cannot understand who owns them. So, you want to enforce tagging of EC2 instances at creation. How do you do it?

Answer A :
Organizations with accounts grouped by OU. Add an SCP to all the member accounts of the OUs, with an aws:TagKeys condition, which requires its principals to add tags to EC2 instances at creation

Answer B :

Organizations with accounts grouped by OU. Add an IAM policy to the individual member accounts with an aws:TagKeys condition, which requires its principals to add tags to EC2 instances at creation

2 Answers

Hi there,

I’ve seen this question in the past; A is the correct answer. You can’t apply an IAM policy at the Org level, that’s an SCP.

Source: Managing AWS Organizations Policies

This has been passed on to ACG content team for review.

Lee

Thanks. I also had the same impression. What do you mean by "This has been passed on to ACG content team for review."?

Scott Pletcher

Hi Po, might I ask where you saw this question? Was it in an A Cloud Guru exam simulator or quiz, or from somewhere else?

Lee

Hi Scott… somewhere else… definitely not A Cloud Guru 🙂 … do you confirm it’s inaccurate?

Scott Pletcher

It’s debatable, but I think I agree with Wilson’s answer below.

I don’t agree with T.J’s answer. That option says: "Organizations with accounts grouped by OU. Add an SCP to all the member accounts of the OUs, with an aws:TagKeys condition, which requires its principals to add tags to EC2 instances at creation"

What you mentioned, that you can’t apply an IAM policy at the Org level, is correct, but the act of requiring the principals to "add tags" to EC2 instances at creation is a type of policy for which an IAM policy is suitable, and not an SCP. Answer B says "Add an IAM policy to the individual member accounts"; it doesn’t say "…apply IAM Policy to the OU."

I also saw this kind of question in one of the Udemy practice tests that I am using just now. This knowledge brief from AWS is my source of truth:

https://aws.amazon.com/premiumsupport/knowledge-center/iam-policy-tags-restrict/

Scott Pletcher

I think I agree with Wilson here, specifically with the link to the Knowledge Center article. Lots of times when I’m writing exam simulator questions, I will follow a similar pattern of finding an article or whitepaper scenario and build a question around it. The AWS exam writers do the same thing to reinforce the best practice concepts. This question seems like it is from this article. Now, that said, one MIGHT be able to get this to work using an SCP although I haven’t tried it. SCPs are designed to limit the maximum permissions for entire accounts but it might be possible to enforce the TagKeys condition to be required. In practice, I would much rather use a Service Catalog method for this sort of thing…it would be cleaner. This is the real challenging part of writing exam sim questions…you have to be sure there isn’t some sneaky way to get the other "incorrect" options to work.
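The two policy shapes the thread is arguing about, side by side, as an added example that is not part of the original posts and is not AWS's or A Cloud Guru's code. The IAM identity policy follows the shape of the Knowledge Center article Wilson linked (an Allow on ec2:RunInstances conditioned on aws:RequestTag/Owner and aws:TagKeys, plus the ec2:CreateTags grant that tagging-at-launch needs); the SCP is the explicit-Deny form of the same rule, which is also the shape AWS documents in its SCP examples for requiring a tag on created resources, so the SCP route Scott wonders about does work, it just forbids rather than grants. The three condition operators are re-implemented locally in Python so the behaviour can be checked offline; the user name, tag values, region and account ID are made up, and the evaluator models only the keys and operators used here, not the full IAM evaluation logic. It also shows the caveat a practitioner wants: ForAllValues:StringEquals on aws:TagKeys is vacuously true for an untagged request, so on its own it enforces nothing.

```python
"""Local model of how an IAM identity policy and an SCP gate ec2:RunInstances on the
tags supplied at launch (added example; not AWS code and not a full policy simulator)."""
import fnmatch

# IAM identity policy, modelled on the Knowledge Center article linked above: a launch
# is allowed only if the instance is tagged Owner=<caller> and uses no tag keys other
# than Owner and Name. RunInstances also needs permissions on untaggable resources, and
# tagging at launch is a CreateTags call made on behalf of RunInstances.
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowRunInstancesOnlyWhenTaggedByOwner", "Effect": "Allow",
     "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
     "Condition": {"StringEquals": {"aws:RequestTag/Owner": "${aws:username}"},
                   "ForAllValues:StringEquals": {"aws:TagKeys": ["Owner", "Name"]}}},
    {"Sid": "AllowRunInstancesOnUntaggableResources", "Effect": "Allow",
     "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:*::image/*", "arn:aws:ec2:*:*:subnet/*",
                  "arn:aws:ec2:*:*:network-interface/*",
                  "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:key-pair/*"]},
    {"Sid": "AllowCreateTagsOnlyAtLaunch", "Effect": "Allow", "Action": "ec2:CreateTags",
     "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
     "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}}},
]}

# SCP form of the same rule: an explicit Deny when the request carries no Owner tag.
# An SCP grants nothing; it only removes the untagged case from whatever the account's
# own IAM policies allow.
SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyRunInstancesWithoutOwnerTag", "Effect": "Deny",
     "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"Null": {"aws:RequestTag/Owner": "true"}}},
]}

ACTION = "ec2:RunInstances"
INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/*"  # made-up account id


def request_context(username, tags):
    """Condition keys IAM derives from a RunInstances call with TagSpecifications."""
    ctx = {"aws:username": username, "aws:TagKeys": list(tags)}
    for key, value in tags.items():
        ctx["aws:RequestTag/" + key] = value
    return ctx


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, ctx):
    """Evaluate the three operators used above; every key in the block must pass."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "StringEquals":
                wanted = [w.replace("${aws:username}", ctx.get("aws:username", ""))
                          for w in _as_list(expected)]
                if key not in ctx or ctx[key] not in wanted:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Vacuously true when the key is absent or empty: on its own this
                # operator lets an untagged launch through.
                if not all(v in _as_list(expected) for v in _as_list(ctx.get(key, []))):
                    return False
            elif operator == "Null":
                if (expected == "true") == (key in ctx):
                    return False
            else:
                raise ValueError("operator not modelled: " + operator)
    return True


def statement_matches(stmt, action, resource, ctx):
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and condition_matches(stmt.get("Condition", {}), ctx))


def evaluate(policy, action, resource, ctx):
    """'Deny', 'Allow' or None (nothing matched). An explicit Deny always wins."""
    effects = {s["Effect"] for s in policy["Statement"]
               if statement_matches(s, action, resource, ctx)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else None


def launch_allowed(username, tags, scp=SCP, iam=IAM_POLICY):
    """Decision for the instance resource of a launch. Assumes the default FullAWSAccess
    SCP is still attached, so the SCP layer only has to be free of a matching Deny;
    the IAM layer must then supply an Allow."""
    ctx = request_context(username, tags)
    if evaluate(scp, ACTION, INSTANCE_ARN, ctx) == "Deny":
        return False
    return evaluate(iam, ACTION, INSTANCE_ARN, ctx) == "Allow"
```

Running `launch_allowed("alice", {"Owner": "alice", "Name": "web"})` passes both layers; an empty tag set is stopped by the SCP's Deny before the IAM policy is even consulted, and a launch tagged `Owner=alice, Project=x` clears the SCP but is refused by the IAM policy's aws:TagKeys condition. The practical difference the thread circles around is visible in the code: the SCP can only subtract the untagged case from the account's existing permissions, while the IAM policy is what actually grants the launch, so in a real deployment the two are complementary rather than alternatives.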

Roman

Thanks for clarifying, Wilson. I agree with your answer too.

Wilson Mcintyre

Thanks Scott!
