AWS Certified Solutions Architect - Professional Exam: AWS Account Configurations for Enabling VPC Flow Logs | AWS Certification

Enable VPC Flow Logs Permissions: Configurations and User Operations


Question

An IT company owns several AWS accounts that belong to a single AWS Organization.

The root and all child accounts have Service Control Policies (SCPs) configured to help manage the organization.

An IAM user in one of the child accounts now needs permission to enable Amazon VPC Flow Logs in that account.

Under which configurations can the user operate the VPC Flow Logs successfully? (Select TWO.)

Answers

Explanations


A. B. C. D. E.

Correct Answer - B, D.

An SCP limits the permissions of every entity in the member accounts it applies to, so an SCP attached at the root affects all child accounts below it.

A child account therefore has only those permissions that every parent above it also permits.

In this case, for the user to be able to enable VPC Flow Logs, the root SCP, the child account SCP, and the user's IAM policy must all allow the action.
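The rule above (every SCP level must allow the action and an IAM identity policy must grant it, with an explicit Deny winning anywhere) can be checked with a small evaluator. The script below is an added example, not code from the exam page or from AWS; the policy documents in it are constructed for illustration, `ec2:CreateFlowLogs` is the real API action behind "enable VPC Flow Logs", and the evaluator is deliberately simplified (it ignores permissions boundaries, resource policies and session policies, and handles only `Action`, not `NotAction` or conditions).

```python
"""Simplified model of how SCPs and an IAM identity policy combine.

Added example, not from the exam page or from AWS.  It covers only the two
inputs the question is about: every SCP level (root -> OU -> account) must
allow the action, and the principal's IAM policy must grant it; an explicit
Deny at any point wins.  Permissions boundaries, resource and session
policies are omitted, and only "Action" (not "NotAction"/conditions) is read.
All policy documents below are constructed for illustration.
"""
import fnmatch

# FullAWSAccess: the AWS-managed SCP attached by default to the root,
# every OU and every account; it allows everything.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed child-account SCP written as an allow-list that never mentions
# flow logs: nothing denies ec2:CreateFlowLogs, but nothing allows it either.
CHILD_SCP_NO_FLOW_LOGS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:Describe*", "s3:*", "logs:*"],
                   "Resource": "*"}],
}

# Constructed SCP with an explicit Deny; attached at the root it blocks the
# action in every account below, whatever the account's own SCP says.
ROOT_SCP_DENY_FLOW_LOGS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "ec2:CreateFlowLogs",
                   "Resource": "*"}],
}

# Constructed IAM identity policy granting the user the flow-log actions.
IAM_FLOW_LOGS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:CreateFlowLogs", "ec2:DescribeFlowLogs",
                              "logs:CreateLogGroup", "logs:CreateLogStream"],
                   "Resource": "*"}],
}


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and uses '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_decision(policy, action):
    """Evaluate one policy document for one action.

    Returns 'Deny' (explicit), 'Allow', or 'ImplicitDeny' (nothing matched).
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # explicit Deny overrides any Allow
        decision = "Allow"
    return decision


def scp_chain_decision(scp_levels, action):
    """scp_levels: list of (level_name, [policies]) from root down to account.

    The action passes only if every level has an Allow and no Deny.
    Returns (True, None) or (False, name_of_blocking_level).
    """
    for level, policies in scp_levels:
        decisions = [policy_decision(p, action) for p in policies]
        if "Deny" in decisions or "Allow" not in decisions:
            return False, level
    return True, None


def effective_decision(scp_levels, identity_policies, action):
    """Combine the SCP chain with the principal's IAM identity policies."""
    passed, blocked_at = scp_chain_decision(scp_levels, action)
    if not passed:
        return f"Deny (SCP at {blocked_at})"
    decisions = [policy_decision(p, action) for p in identity_policies]
    if "Deny" in decisions:
        return "Deny (IAM explicit deny)"
    if "Allow" in decisions:
        return "Allow"
    return "Deny (no IAM policy grants the action)"


def flow_log_scenarios():
    """The situations the explanation walks through, for ec2:CreateFlowLogs."""
    action = "ec2:CreateFlowLogs"
    return {
        "root and child SCPs allow, IAM grants": effective_decision(
            [("root", [FULL_AWS_ACCESS]), ("account", [FULL_AWS_ACCESS])],
            [IAM_FLOW_LOGS_POLICY], action),
        "child SCP omits the action": effective_decision(
            [("root", [FULL_AWS_ACCESS]), ("account", [CHILD_SCP_NO_FLOW_LOGS])],
            [IAM_FLOW_LOGS_POLICY], action),
        "root SCP denies, child allows": effective_decision(
            [("root", [FULL_AWS_ACCESS, ROOT_SCP_DENY_FLOW_LOGS]),
             ("account", [FULL_AWS_ACCESS])],
            [IAM_FLOW_LOGS_POLICY], action),
        "SCPs allow, no IAM grant": effective_decision(
            [("root", [FULL_AWS_ACCESS]), ("account", [FULL_AWS_ACCESS])],
            [], action),
    }


if __name__ == "__main__":
    for name, result in flow_log_scenarios().items():
        print(f"{name:40s} -> {result}")
```

Running it shows the three ways the request fails: a restrictive SCP anywhere in the chain (even one that merely omits the action rather than denying it), a Deny at the root that a permissive child SCP cannot override, and a fully permissive SCP chain with no IAM policy granting the action. Only the first scenario, where every layer allows it, returns `Allow`.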

Option A is incorrect because the child account SCP blocks the action.

Option B is CORRECT because all three parties (root SCP, child SCP, and IAM policy) allow the action, as explained above.

Option C is incorrect because users or roles must still be granted permissions through IAM permission policies even when the SCPs allow the action.

Option D is CORRECT because FullAWSAccess is the default SCP that AWS attaches, and it allows all actions, including enabling VPC Flow Logs.

Option E is incorrect because the action is blocked by the root account SCP even though the child SCP allows it.

The correct answers are A and D.

Explanation: In an AWS Organization, Service Control Policies (SCPs) are used to manage and restrict access to AWS services and actions across the organization. SCPs are attached to the organization root or to individual organizational units (OUs) and apply to everything beneath the point of attachment.

In this scenario, an IAM user in a child account needs permission to enable Amazon VPC Flow Logs. Two levels must agree: the applicable SCPs must permit enabling VPC Flow Logs, and an IAM policy must grant the user that action.

Answer A is correct because the SCP for the root account permits enabling VPC Flow Logs, but the SCP for the child account does NOT permit it. Therefore, the user needs the IAM permission policy to enable VPC Flow Logs to perform this action. With these two configurations, the user will be able to operate VPC Flow Logs successfully.

Answer B is incorrect because both the SCP for the root account and the child account permit enabling VPC Flow Logs, but it doesn't mention anything about the user's IAM permission policy. Therefore, we cannot assume that the user has the required permissions to enable VPC Flow Logs.

Answer C is incorrect because the SCP for the root account permits all actions with the default FullAWSAccess policy. However, the user does NOT have the IAM permission policy to enable VPC Flow Logs, which is a required permission to perform this action.

Answer D is correct because the SCP for the root account permits all actions with the default FullAWSAccess policy, and the child account permits enabling VPC Flow Logs. Therefore, the user needs only the IAM permission policy to enable VPC Flow Logs to perform this action.

Answer E is incorrect because the SCP for the root account does NOT permit enabling VPC Flow Logs, and the user does NOT have the IAM permission policy to perform this action. Although the SCP for the child account permits enabling VPC Flow Logs, the user still needs the IAM permission policy to perform this action.