A team writes an SCP and assumes that it will grant the permissions users need as long as the SCP allows those actions. Why is this assumption incorrect?

ASCPs grant permissions only to root users

BSCPs never grant permissions; they only define the maximum available permissions and IAM or resource policies must still grant access

CSCPs are evaluated only after AWS Config rules

DSCPs can grant permissions only when FullAWSAccess is detached

More Security Foundations and Governance Questions

28 questions

Full AWS Certified Security - Specialty Practice Test

All topics covered

All AWS Certified Security - Specialty Questions

Browse by topic

Related Questions

A company is scaling its AWS environment and wants the recommended boundary for permission, security...

easy

An auditor asks for AWS compliance reports and agreements that can be downloaded at no additional co...

easy

A management account administrator attaches a restrictive service control policy at the organization...

medium

A platform team wants a configurable account template that standardizes the provisioning of new AWS ...

medium

A compliance team wants a service that uses prebuilt frameworks, automatically collects evidence for...

medium

View all Security Foundations and Governance questions

Educational Content — CertQnA practice questions are written against official exam objectives, covering the same domains tested on the real exam. All content is original and independent — not actual exam questions, not affiliated with any certification vendor. Learn more about our content policy

Discussion

Be the first to share your understanding of this concept

⚠️ Discussion is for concept clarification only. Do not share or request actual exam questions or answers.