AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A security team wants to limit access to specific services or actions in all of the team's AWS accounts. All accounts belong to a large organization in AWS Organizations. The solution must be scalable and there must be a single point where permissions can be maintained.
What should a solutions architect do to accomplish this?
Other
Community
UAnonymous
A
Create an ACL to provide access to the services or actions.
B
Create a security group to allow accounts and attach it to user groups.
C
Create cross-account roles in each account to deny access to the services or actions.
D
Create a service control policy in the root organizational unit to deny access to the services or actions.
Explanation:
Explanation
Correct Answer: D - Create a service control policy in the root organizational unit to deny access to the services or actions.
Why Option D is Correct:
- Service Control Policies (SCPs) are specifically designed for AWS Organizations to centrally manage permissions across multiple AWS accounts.
- SCPs offer a single point of control - By attaching an SCP to the root organizational unit (OU), you can enforce permissions across all accounts in the organization.
- Scalability - SCPs automatically apply to all current and future accounts in the organization, making them highly scalable.
- Deny access to specific services/actions - SCPs can be configured to explicitly deny access to certain AWS services or specific API actions.
- Organizational-level control - This approach aligns perfectly with the requirement that all accounts belong to a large AWS Organizations setup.
Why Other Options are Incorrect:
A. Create an ACL to provide access to the services or actions.
- ACLs (Access Control Lists) are typically used for network-level permissions (like VPC security) or S3 bucket permissions, not for managing access to AWS services across multiple accounts.
- ACLs don't provide centralized management across an organization.
B. Create a security group to allow accounts and attach it to user groups.
- Security groups are for controlling network traffic to AWS resources (EC2 instances, RDS databases, etc.), not for managing AWS service permissions.
- Security groups cannot be used to control access to AWS services or API actions.
C. Create cross-account roles in each account to deny access to the services or actions.
- While cross-account roles are useful for allowing access between accounts, they are not efficient for denying access across all accounts.
- This approach would require creating and maintaining roles in every account, which violates the requirement for a "single point where permissions can be maintained."
- It's not scalable as you'd need to update each account individually.
Key AWS Concepts:
- Service Control Policies (SCPs): A type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization.
- AWS Organizations: A service for centrally managing multiple AWS accounts. It enables you to create groups of accounts, apply policies to those groups, and automate account creation.
- Root Organizational Unit: The top-level container in AWS Organizations where you can attach SCPs that apply to all accounts in the organization.
Best Practice:
When managing security across multiple AWS accounts in an organization, SCPs provide the most effective, scalable, and centralized solution for enforcing guardrails and permissions boundaries.
Comments
Loading comments...