Question 1 · medium · multiple choice · Objective-mapped

An AWS Organizations setup uses an SCP to enforce that developers can read only non-production secrets. A developer role in a member account is correctly configured with an identity policy that allows:

  • secretsmanager:GetSecretValue on arn:aws:secretsmanager:us-east-1:222222222222:secret:app/*

However, the developer gets AccessDenied with an error message mentioning an organization policy (SCP). The SCP includes this Deny statement: "Deny secretsmanager:GetSecretValue on * unless secretsmanager:ResourceTag/environment equals 'dev'". Which change best restores access for secrets tagged environment=dev while still blocking prod secrets?


Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A

Best answer

Update the SCP to match the correct tag key/format actually used on your Secrets Manager secret resources so the condition evaluates to true for environment=dev.

SCP conditions that rely on resource tags must use the correct tag key and the correct Secrets Manager tag condition key (for example, secretsmanager:ResourceTag/<tag-key>). If the SCP references a tag key/format that doesn’t match how the secrets are actually tagged, the 'unless' condition won’t evaluate as intended, and the Deny will still apply.

B

Distractor review

Remove the Deny statement from the SCP and rely only on the member account identity policy.

Removing the SCP removes the centralized guardrail. Identity policies can drift across member accounts, and the scenario is explicitly about an SCP enforcing the desired behavior.

C

Distractor review

Add an IAM policy statement with Effect=Allow and "Condition: aws:PrincipalOrgID" in the member account to override the SCP.

An SCP Deny cannot be overridden by IAM Allow statements. SCPs determine the maximum effective permissions at the organization level, and when the SCP Deny condition matches, access is blocked.

D

Distractor review

Use a longer STS session duration so the SCP is evaluated less frequently.

SCP evaluation is not avoided by session duration. If the SCP Deny condition matches the request, access is denied regardless of session duration.
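As an added illustration (not part of the original question page), the following Python models how the tag-conditioned Deny discussed under option A and the SCP-over-IAM precedence under option C are evaluated; the JSON rendering of the SCP and the secret tag sets are constructed assumptions.

```python
# The SCP Deny statement quoted in the question, written out as policy JSON
# (constructed for this example; the page only gives it in prose). "Deny unless
# the tag equals dev" becomes StringNotEquals on the resource-tag condition key.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyGetSecretValueUnlessDev",
        "Effect": "Deny",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"secretsmanager:ResourceTag/environment": "dev"}
        },
    }],
}


def scp_denies(policy: dict, action: str, resource_tags: dict) -> bool:
    """Return True if a Deny statement in the SCP matches the request.

    Simplified model: one action string, Resource "*", and StringNotEquals on
    ResourceTag/<key> condition keys only. As in real IAM, StringNotEquals is
    case-sensitive and evaluates to true when the tag key is absent from the
    resource, so a secret tagged under a different key is still denied.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        condition_true = True  # a statement with no Condition always matches
        for key, expected in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
            tag_key = key.split("/", 1)[1]          # "environment"
            if resource_tags.get(tag_key) == expected:
                condition_true = False              # StringNotEquals fails
        if condition_true:
            return True
    return False


def request_allowed(identity_allows: bool, resource_tags: dict) -> bool:
    """Effective result: an identity-policy Allow never overrides an SCP Deny."""
    return identity_allows and not scp_denies(
        SCP, "secretsmanager:GetSecretValue", resource_tags)


if __name__ == "__main__":
    # Constructed tag sets for four secrets; only the first is readable.
    for tags in ({"environment": "dev"}, {"environment": "prod"},
                 {"environment": "Dev"}, {"env": "dev"}):
        print(tags, "->", "allowed" if request_allowed(True, tags) else "AccessDenied")
```

The third and fourth tag sets show the mismatch the question describes: a value in the wrong case or a tag stored under a different key leaves the Deny in force even though the identity policy allows the call.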

Common exam trap

Common exam trap: ACLs stop at the first match

ACLs are processed top to bottom. The first matching entry wins, and an implicit deny usually exists at the end.

Technical deep dive

How to think about this question

ACL questions test precision: source, destination, protocol, port and direction. A generally correct ACL can still fail if it is applied on the wrong interface or in the wrong direction.

Key Concepts to Remember

  • Standard ACLs match source addresses.
  • Extended ACLs can match source, destination, protocol and ports.
  • The first matching ACL entry is used.
  • There is usually an implicit deny at the end.

Exam Day Tips

  • Check inbound versus outbound direction.
  • Read the ACL from top to bottom.
  • Look for a broader permit or deny above the intended line.


FAQ

Questions learners often ask

What does this SAA-C03 question test?

Standard ACLs match source addresses.

What is the correct answer to this question?

The correct answer is: Update the SCP to match the correct tag key/format actually used on your Secrets Manager secret resources so the condition evaluates to true for environment=dev. — The error indicates an SCP (organization policy) is denying the request. Because the SCP Deny is conditional on a resource tag (environment=dev), the access problem is most likely that the SCP condition does not match the actual tag key/format on the Secrets Manager secret resources being accessed. Updating the SCP to use the correct secretsmanager:ResourceTag/<environment-key> condition (so secrets tagged environment=dev satisfy the condition) restores access for dev secrets while continuing to deny for non-dev (for example, prod) secrets. B removes the centralized control the question is testing. C is incorrect because IAM Allow cannot override an SCP Deny. D is incorrect because SCP evaluation is enforced per request, not amortized across a session duration.

What should I do if I get this SAA-C03 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
