An AWS Organization has below the hierarchy of Organizational Units (OUs):
Root -> Project_OU -> Dev_OU
The Root is attached to the default Service Control Policy (SCP).
Project_OU is attached to an SCP that prevents users from deleting VPC Flow Logs.
Dev_OU has an SCP that allows the action of "ec2: DeleteFlowLogs".
Are the IAM users/roles in Dev_OU AWS accounts allowed to delete VPC Flow Logs?

Answer options:

A.It is permitted because the SCP in Dev_OU allows it.
B.It is allowed because the Root has the default SCP that allows all actions.
C.It is not allowed as the SCP in Project_OU restricts the action.
D.It is not allowed as the default SCP in Root denies the action.

Correct Answer – C
Check the AWS documentation https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_about-scps.html for how SCPs work in an AWS Organization.
Option A is incorrect: Because if any parent OU has an SCP to deny the action, the final result is Deny.
Option B is incorrect: Although the default SCP allows the action, the parent OU (Project_OU) denies it.
Option C is CORRECT: Because an explicit Deny statement in Project_OU overrides any Allow.
Option D is incorrect: Because the default SCP is FullAWSAccess which allows all actions and all services.