Q471. A Developer would like to implement multi-account access for AWS Systems Manager and plans to use two member accounts within their AWS Organization. The Developer has delegated an IAM Role that allows Systems Manager (SSM) Parameter Store and Document resources to be trusted by the member accounts. While testing access from a member account, a user receives "Access Denied" errors when performing any SSM-related operations. The Solutions Architect confirms that SSM operations are not denied in any of the Organization's Service Control Policies (SCP). Both member accounts are moved into a test OU which is not associated with any deny SCPs; however, the user is still receiving an access denied error. What changes should the Solutions Architect make to provide access while maintaining least privilege?
A. Create a new SCP which allows SSM operations and specify the ARNs for each SSM Parameter Store and Document. Apply the new SCP to the test OU that the member accounts were moved into.
B. Create a new SCP that allows full access to AWS resources. Apply the new SCP to the test OU that the member accounts were moved into.
C. Remove both member accounts from the current Organization. Create a new Organization with the account holding the SSM resources as the new master account and the other account as a member to the new Organization. Create a new SCP which allows full access to AWS resources.
D. Remove both member accounts from the current Organization. Create a new Organization with the account holding the SSM resources as the new master account and the other account as a member to the new Organization. Create a new SCP which allows SSM operations and specify the ARNs for each SSM Parameter Store and Document within the new master account.
Correct answer: A