
A company has organized its teams into separate AWS accounts within an AWS Organizations structure. Each team needs to maintain full administrative control over their respective AWS account while being restricted to only use AWS services that have been formally approved by the company through a specific request and approval process. What is the appropriate configuration strategy for a DevOps engineer to implement these access controls across the accounts?
A
Use AWS CloudFormation StackSets to deploy IAM policies in each account that deny access to non-approved AWS services, and set up AWS Config rules in each account to ensure these policies are consistently applied to IAM principals.
B
Utilize AWS Control Tower to organize the accounts into Organizational Units (OUs) and enable AWS IAM Identity Center (formerly AWS Single Sign-On) for administrative access. Configure IAM Identity Center to include deny policies on user roles for non-approved AWS services.
C
Group all accounts under a new top-level Organizational Unit (OU) within the organization. Establish a Service Control Policy (SCP) that denies access to non-approved AWS services and attach this SCP to the new OU.
D
Develop a Service Control Policy (SCP) that permits access only to approved AWS services, attach this SCP to the root OU of the organization, and remove the FullAWSAccess SCP from the root OU to enforce the restriction.