Which SCP is attached by default to every organization root, OU, and account in AWS Organizations, allowing all actions?


Study for the AWS Certified Security Specialty Exam. Utilize flashcards and multiple-choice questions with detailed explanations. Thoroughly prepare and boost your confidence for the exam!

The correct answer is that the Service Control Policy (SCP) attached by default to every organization root, organizational unit (OU), and account in AWS Organizations is designed to allow all actions. This means it permits the full range of API actions available in AWS unless explicitly restricted by another SCP.

When a new organization is created, the default SCP is applied. This default policy does not impose any restrictions on the actions that the accounts or OUs can perform. Instead, it serves as a baseline that sets no limits, allowing maximum flexibility for administrators to manage permissions at a more granular level later through additional SCPs if desired.

The other options listed do not accurately represent the default policy provided by AWS Organizations. FullAWSAccess is not a recognized SCP name within AWS Organizations, while DefaultAccessPolicy does not exist as a specific SCP in AWS terminology. ReadOnlyAccess restricts permissions to read-only actions, which contradicts the purpose of the default SCP, since the default SCP allows all actions.

Therefore, the SCP associated by default with every root, OU, and account facilitates unrestricted access—enabling organizations to manage their resources without immediate limitations.
