
Answer-first summary for fast verification
Answer: Develop a Service Control Policy (SCP) that permits access only to approved AWS services, attach this SCP to the root OU of the organization, and remove the FullAWSAccess SCP from the root OU to enforce the restriction.
The correct answer is D. Creating a Service Control Policy (SCP) that allows access only to approved AWS services and attaching it to the root OU restricts every account in the organization to those services, while each team keeps full administrative control inside its own account, because SCPs bound what IAM principals may do without granting permissions themselves. Removing the FullAWSAccess SCP from the root OU is what makes the restriction effective and prevents bypass: Allow statements from all SCPs attached at the same level are combined, so as long as FullAWSAccess remains attached, every service is still permitted and the allow-list SCP has no practical effect. Options A, B, and C do not provide the same level of comprehensive restriction and control over service access across the organization.
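As an added example (not from the original page or from AWS), a small Python model of SCP evaluation that shows why FullAWSAccess must be detached from the root: at each level of the path root, OU, account, Allow statements from all attached SCPs are combined and an explicit Deny wins, and every level must allow the action. The policy documents, the approved-service list and the action names are constructed assumptions.

```python
import fnmatch

# Constructed policy documents. AWS attaches FullAWSAccess to every root, OU
# and account by default; the approved-service list here is a placeholder
# for whatever the company's request-and-approval process has signed off.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
APPROVED_SERVICES_ONLY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:*", "s3:*", "cloudwatch:*", "logs:*", "iam:*", "sts:*"],
        "Resource": "*",
    }]
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(pattern: str, action: str) -> bool:
    # IAM action patterns are case-insensitive and use '*' / '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def scp_level_allows(policies, action: str) -> bool:
    """One level (root, OU or account): allowed only if some attached SCP has
    a matching Allow and no attached SCP has a matching Deny."""
    allowed = denied = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied

def action_permitted_by_scps(levels, action: str) -> bool:
    """Every level on the path from the root to the account must allow the
    action. SCPs only bound permissions; IAM policies still apply afterwards."""
    return all(scp_level_allows(level, action) for level in levels)

def evaluate(root_policies, action: str) -> bool:
    # Scenario from the question: custom SCPs live at the root; the team OU and
    # the account keep the default FullAWSAccess, so they never tighten anything.
    return action_permitted_by_scps([root_policies, [FULL_AWS_ACCESS], [FULL_AWS_ACCESS]], action)

if __name__ == "__main__":
    # Allow-list attached but FullAWSAccess left in place: still unrestricted.
    print(evaluate([FULL_AWS_ACCESS, APPROVED_SERVICES_ONLY], "sagemaker:CreateNotebookInstance"))
    # FullAWSAccess removed from the root: only approved services remain reachable.
    print(evaluate([APPROVED_SERVICES_ONLY], "sagemaker:CreateNotebookInstance"))
    print(evaluate([APPROVED_SERVICES_ONLY], "s3:PutObject"))
```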
Author: LeetQuiz Editorial Team
A company has organized its teams into separate AWS accounts within an AWS Organizations structure. Each team needs to maintain full administrative control over their respective AWS account while being restricted to only use AWS services that have been formally approved by the company through a specific request and approval process. What is the appropriate configuration strategy for a DevOps engineer to implement these access controls across the accounts?
A
Use AWS CloudFormation StackSets to deploy IAM policies in each account that deny access to non-approved AWS services, and set up AWS Config rules in each account to ensure these policies are consistently applied to IAM principals.
B
Utilize AWS Control Tower to organize the accounts into Organizational Units (OUs) and enable AWS IAM Identity Center (formerly AWS Single Sign-On) for administrative access. Configure IAM Identity Center to include deny policies on user roles for non-approved AWS services.
C
Group all accounts under a new top-level Organizational Unit (OU) within the organization. Establish a Service Control Policy (SCP) that denies access to non-approved AWS services and attach this SCP to the new OU.
D
Develop a Service Control Policy (SCP) that permits access only to approved AWS services, attach this SCP to the root OU of the organization, and remove the FullAWSAccess SCP from the root OU to enforce the restriction.