Practice Test 1 | AWS Certified Cloud Practitioner | CLF-C01 | Dumps | Mock Test

Answers: A, D

• Option A is CORRECT.  An Organizational Unit(OU) can have a single branch going up, e.g. It can either inherit a root or another OU but not both as shown in the figure below.

• Option B is incorrect since an Account can belong to only one OU.
• Option C is incorrect. A Policy applied at the Root is applied throughout the Organization i.e. to all its OU’s and its Accounts. A Policy applied to the OU level applies to all OU’s and Accounts under those OU’s. A Policy applied at the Account level is applied to only that Account. Referring to the figure above, when a Policy is applied to the OU under the Root, it will also be applied to the OU below it & Accounts B, C, D. When a policy is applied to Account C, it will apply to only that account.
• Option D is CORRECT. AWS Organizations automate creation of AWS Accounts, OUs and their hierarchy. They use Service Control Policies (SCP) at OUs. SCPs are different from IAM in the sense that they can be applied to the Organization level. They override any IAM policies that are defined at an Account level & may also restrict the IAM policy defined. AWS Organizations do not cancel the need for IAM. It compliments what IAM can do by consolidating and centrally managing a lot of things that happen. AWS Organizations is not an authority for granting permissions, but it is an authority to approve/disapprove permissions given by IAM.
• Option E is incorrect. SCPs can be configured to allow or deny services and actions.

References:  

AWS Organizations user guide

• https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html

Service Control Policies

• https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html