
Answer-first summary for fast verification
Answer: Develop an SCP that targets all AWS accounts, denying IAM actions for all users except those with administrator roles, and apply this SCP to the root organizational unit (OU).
The correct answer is C: 'Develop an SCP that targets all AWS accounts, denying IAM actions for all users except those with administrator roles, and apply this SCP to the root organizational unit (OU)'. This approach restricts IAM actions to administrator roles across every AWS account managed by AWS Organizations. A service control policy (SCP) attached to the root OU is inherited by all accounts beneath it, so one policy enforces the rule organization-wide with minimal operational overhead. By denying IAM actions for all principals except administrators through the SCP, you achieve the security goal without needing direct access to individual accounts or manually configuring a permissions boundary in each one.
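The policy that answer C describes, written out as an added example (this is not code from the page or from LeetQuiz): a Deny statement on all `iam:*` actions with a condition that exempts the administrator role. The role name `OrganizationAdminRole` is an assumed placeholder; the account ID in the ARN is wildcarded so the same SCP matches that role in every member account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIamActionsExceptAdminRole",
      "Effect": "Deny",
      "Action": "iam:*",
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrganizationAdminRole"
        }
      }
    }
  ]
}
```

Attach this SCP to the root OU from the management account. Two points to keep in mind when verifying it: SCPs never apply to the management account itself, and they only filter permissions, so the administrator role still needs its own IAM policy granting `iam:*`. That second point is also why option A does not work: an Allow statement in an SCP does not grant anything by itself, so it cannot by itself restrict IAM actions to administrators.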
Author: LeetQuiz Editorial Team
A company utilizes AWS Organizations for managing its AWS accounts. A solutions architect is tasked with designing a solution that restricts IAM actions exclusively to administrator roles. However, the solutions architect lacks access to all company-wide AWS accounts. What is the most efficient solution with minimal operational overhead to achieve this requirement?
A
Implement an SCP that targets all AWS accounts, permitting IAM actions solely for administrator roles, and apply this SCP to the root organizational unit (OU).
B
Set up AWS CloudTrail to trigger an AWS Lambda function for every IAM action event. Configure the Lambda function to block the action if the initiating user is not an administrator.
C
Develop an SCP that targets all AWS accounts, denying IAM actions for all users except those with administrator roles, and apply this SCP to the root organizational unit (OU).
D
Establish an IAM permissions boundary that authorizes IAM actions and attach this boundary to every administrator role across all AWS accounts.