A company has organized its teams into separate AWS accounts within an AWS Organizations structure. Each team needs to maintain full administrative control over their respective AWS account while being restricted to only use AWS services that have been formally approved by the company through a specific request and approval process. What is the appropriate configuration strategy for a DevOps engineer to implement these access controls across the accounts?
Explanation:
The correct answer is D. Creating a Service Control Policy (SCP) that allows access only to approved AWS services and attaching it to the root OU restricts every account in the organization from using non-approved services. Removing the FullAWSAccess SCP from the root OU reinforces this restriction and prevents any bypass, since that AWS-managed policy allows every service. Options A, B, and C do not provide the same level of comprehensive restriction and control over service access across the organization.