AWS Private Marketplace: Restricting Access and Configuration with IAM Roles

Restricting Access and Configuration of AWS Private Marketplace to Procurement OU


Question

Your company owns an AWS Private Marketplace where third-party software is managed.

The AWS Organization includes multiple Organizational Units (OUs).

You need to ensure that only an IAM role from the procurement OU can access or configure the Private Marketplace, such as adding or removing products.

Which option is the most suitable?

Answers

A. Add the AWSPrivateMarketplaceAdminFullAccess permission to the specific IAM role.

B. Apply an SCP that allows Private Marketplace full access to the Procurement OU.

C. Configure the AWS Private Marketplace to deny incoming requests unless the user is the IAM role.

D. Apply an SCP to restrict access to the Private Marketplace for all the organizational units. Ensure that only the IAM role from the Procurement OU has access to the Private Marketplace.

Explanations

Correct Answer - D.

An SCP restricts permissions for IAM users and roles in member accounts, including the member account's root user.

Any account has only those permissions permitted by every parent above it.

If permission is blocked at any level above the account, either implicitly (by not being included in an Allow policy statement) or explicitly (by being included in a Deny policy statement), a user or role in the affected account can't use that permission, even if the account administrator attaches the AdministratorAccess IAM policy with */* permissions to the user.

If a user or role has an IAM permission policy that grants access to an action that is also allowed by the applicable SCPs, the user or role can perform that action.

Option A is incorrect: Because other IAM roles can also be granted this permission. Attaching a policy to one role places no restriction on any other IAM entity.

Option B is incorrect: Because the question states that only the "IAM role from the procurement OU can access or configure the Private Marketplace", so an SCP that allows Private Marketplace full access to the whole Procurement OU is broader than required and therefore incorrect here.

Option C is incorrect: Because AWS Private Marketplace has no such per-principal request-filtering setting; access to it is controlled through IAM policies and SCPs.

Option D is CORRECT: With an SCP you can deny all Private Marketplace access unless the calling AWS principal is the procurement IAM role.

Reference:

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_type-auth.html

The correct answer to this question is D: Apply an SCP to restrict access to the Private Marketplace for all the organizational units. Ensure that only the IAM role from the Procurement OU has access to the Private Marketplace.

Explanation: AWS Private Marketplace is a custom-branded marketplace that enables AWS customers to easily discover and purchase third-party software from a catalog of products that have been pre-approved by their organization. To restrict access to the AWS Private Marketplace, an AWS administrator needs to apply an SCP (Service Control Policy) that restricts access to the Private Marketplace for all the organizational units. Then, the administrator can ensure that only the IAM role from the Procurement OU has access to the Private Marketplace.

Option A: Add the AWSPrivateMarketplaceAdminFullAccess permission to the specific IAM role. This option is not the most suitable because it grants full administrative access to the Private Marketplace for the specified IAM role, which is not required in this case. The question only requires that the IAM role from the Procurement OU has access to the Private Marketplace, not full administrative access.

Option B: Apply an SCP that allows Private Marketplace full access to the procurement OU. This option is not the most suitable because it allows the Procurement OU to have full access to the Private Marketplace, not just the specified IAM role from the Procurement OU. This could lead to security vulnerabilities if other users within the Procurement OU can also access the Private Marketplace.

Option C: Configure the AWS Private Marketplace to deny incoming requests unless the user is the IAM role. This option is not the most suitable because it does not provide a way to restrict access to the Private Marketplace for all the organizational units. This would require individual configurations for each IAM user, which could be time-consuming and difficult to manage.

Option D: Apply an SCP to restrict access to the Private Marketplace for all the organizational units. Ensure that only the IAM role from the Procurement OU has access to the Private Marketplace. This option is the most suitable because the SCP restricts Private Marketplace access across all the organizational units while exempting only the specified IAM role from the Procurement OU. This is a secure and scalable solution that the AWS administrator can manage centrally.
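To make the evaluation rule quoted in the explanation concrete (an SCP Deny wins over an identity policy, and an SCP never grants anything on its own), here is an added illustration. It is not code from AWS or from the question's source. The account ID, role ARN and action list are constructed sample values (the action names are an assumption; check the current AWSPrivateMarketplaceAdminFullAccess managed policy for the authoritative list), and the evaluator implements only the subset of IAM policy logic the explanation relies on: wildcard action matching, explicit Deny beating Allow, and ArnEquals / ArnNotEquals conditions on the real aws:PrincipalArn condition key.

```python
"""Toy model of how an SCP Deny combines with IAM identity policies.

Added illustration for this question, not code from AWS. The sample
values below are constructed; the evaluator is deliberately minimal.
"""
import fnmatch
import json

# Constructed sample values (not real accounts or roles).
PROCUREMENT_ACCOUNT_ID = "111111111111"
PROCUREMENT_ROLE_ARN = (
    f"arn:aws:iam::{PROCUREMENT_ACCOUNT_ID}:role/PrivateMarketplaceAdmin"
)

# Private Marketplace management actions. Assumption: verify against the
# AWSPrivateMarketplaceAdminFullAccess managed policy before relying on it.
PRIVATE_MARKETPLACE_ACTIONS = [
    "aws-marketplace:AssociateProductsWithPrivateMarketplace",
    "aws-marketplace:DisassociateProductsFromPrivateMarketplace",
    "aws-marketplace:ListPrivateMarketplaceRequests",
    "aws-marketplace:DescribePrivateMarketplaceRequests",
]

# Option D as a policy document: deny Private Marketplace management to every
# principal except the procurement role. For an assumed-role session,
# aws:PrincipalArn resolves to the role ARN, so the role's sessions are exempt.
SCP_DENY_PRIVATE_MARKETPLACE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPrivateMarketplaceExceptProcurementRole",
            "Effect": "Deny",
            "Action": PRIVATE_MARKETPLACE_ACTIONS,
            "Resource": "*",
            "Condition": {
                "ArnNotEquals": {"aws:PrincipalArn": PROCUREMENT_ROLE_ARN}
            },
        }
    ],
}

# The Organizations default SCP (FullAWSAccess) and the AdministratorAccess
# identity policy both reduce to "Allow */*".
ALLOW_EVERYTHING = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, principal_arn):
    """Evaluate only ArnEquals / ArnNotEquals on aws:PrincipalArn."""
    for operator, pairs in condition.items():
        if operator not in ("ArnEquals", "ArnNotEquals"):
            raise NotImplementedError(f"unsupported operator {operator}")
        for key, expected in pairs.items():
            if key != "aws:PrincipalArn":
                raise NotImplementedError(f"unsupported condition key {key}")
            if operator == "ArnEquals" and principal_arn != expected:
                return False
            if operator == "ArnNotEquals" and principal_arn == expected:
                return False
    return True


def evaluate_policy(policy, action, principal_arn):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt["Action"])
        if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
            continue
        if not _condition_holds(stmt.get("Condition", {}), principal_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


def is_allowed(scp_levels, identity_policy, action, principal_arn):
    """The rule quoted in the explanation: the action must be allowed by the
    SCPs at every level from the root down to the account, and then by the
    identity policy. scp_levels is a list of levels, each a list of SCPs."""
    for level in scp_levels:
        merged = {"Statement": [s for p in level for s in p["Statement"]]}
        if evaluate_policy(merged, action, principal_arn) != "Allow":
            return False
    return evaluate_policy(identity_policy, action, principal_arn) == "Allow"


def scp_document():
    """The SCP as the JSON document you would attach in Organizations."""
    return json.dumps(SCP_DENY_PRIVATE_MARKETPLACE, indent=2)


if __name__ == "__main__":
    # Root keeps FullAWSAccess; the deny SCP is attached to the OUs below it.
    levels = [[ALLOW_EVERYTHING], [ALLOW_EVERYTHING, SCP_DENY_PRIVATE_MARKETPLACE]]
    other_admin = "arn:aws:iam::222222222222:role/Admin"
    action = "aws-marketplace:AssociateProductsWithPrivateMarketplace"
    print(scp_document())
    print(is_allowed(levels, ALLOW_EVERYTHING, action, PROCUREMENT_ROLE_ARN))
    print(is_allowed(levels, ALLOW_EVERYTHING, action, other_admin))
```

Running the module shows the two outcomes the explanation describes: the procurement role is allowed, while a role in another account is refused even though its identity policy is the equivalent of AdministratorAccess. The evaluator also shows the other half of the rule: if the procurement role's own identity policy does not grant the action, the SCP does not supply it, because SCPs only bound permissions and never grant them.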