AWS Certified Solutions Architect - Professional (#131)

A company with several AWS accounts is using AWS Organizations and service control policies (SCPs). An Administrator created the following SCP and has attached it to an organizational unit (OU) that contains AWS account 1111-1111-1111:

Developers working in account 1111-1111-1111 complain that they cannot create Amazon S3 buckets. How should the Administrator address this problem?

Add s3:CreateBucket with “Allow” effect to the SCP.
Remove the account from the OU, and attach the SCP directly to account 1111-1111-1111.
Instruct the Developers to add Amazon S3 permissions to their IAM entities.
Remove the SCP from account 1111-1111-1111.
