Explanation
Correct Answer: D - Create a service control policy in the root organizational unit to deny access to the services or actions.
Why Option D is Correct:
- Service Control Policies (SCPs) are the AWS Organizations mechanism for centrally restricting what IAM principals in member accounts can do, so one policy governs many accounts.
- SCPs offer a single point of control - An SCP attached to the organization root is inherited by every OU and every account beneath it, so the deny list lives in one policy document instead of being duplicated in each account.
- Scalability - Accounts created or invited later inherit the root SCP automatically, with no per-account work.
- Deny access to specific services/actions - A statement with "Effect": "Deny" can name whole services (for example "ce:*") or individual API actions. An explicit deny in an SCP cannot be overridden by any IAM policy inside the account, so even an account administrator cannot grant the blocked actions back.
- Organizational-level control - This aligns with the requirement that all accounts belong to a large AWS Organizations setup and that permissions be maintained from a single point.
- Caveat - SCPs do not apply to the management account, to service-linked roles, or to the few actions AWS exempts, so the management account must be protected separately (tight IAM, MFA, minimal day-to-day use).
Why Other Options are Incorrect:
A. Create an ACL to provide access to the services or actions.
- ACLs (Access Control Lists) in AWS are either network ACLs, which filter traffic at the subnet boundary, or S3 bucket/object ACLs, which grant storage access to specific AWS accounts. Neither can allow or deny IAM API actions.
- ACLs are configured per VPC or per bucket, so they offer no centralized management across an organization. The option also proposes providing access, while the requirement is to deny it.
B. Create a security group to allow accounts and attach it to user groups.
- Security groups are stateful virtual firewalls attached to elastic network interfaces (EC2 instances, RDS databases, load balancers, etc.); they filter IP traffic, not AWS service permissions.
- Security groups cannot be attached to IAM user groups and have no concept of AWS API actions, so they cannot restrict which services an account may use.
C. Create cross-account roles in each account to deny access to the services or actions.
- Cross-account roles grant access to principals in other accounts that assume them. A deny policy on such a role constrains only sessions using that role; every other user, role and the root user in the account are unaffected, so it is not a guardrail.
- This approach would require creating and maintaining roles in every account, which violates the requirement for a "single point where permissions can be maintained."
- It is not scalable: each new account and each policy change means updating every account individually.
Key AWS Concepts:
- Service Control Policies (SCPs): A type of organization policy used to manage permissions across an organization. SCPs set the maximum permissions available to accounts; they never grant permissions themselves. A principal's effective permissions are the intersection of what the applicable SCPs allow and what its IAM policies grant. New organizations start with the AWS-managed FullAWSAccess SCP attached to the root, which is why adding a targeted Deny SCP alongside it is the usual pattern.
- AWS Organizations: A service for centrally managing multiple AWS accounts. It enables you to group accounts into OUs, attach policies to the root, OUs or individual accounts, and automate account creation.
- Root Organizational Unit: The top-level container in AWS Organizations (the organization root). Policies attached there are inherited by every OU and every member account, which is what makes it the right attachment point for an organization-wide deny.
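The following is an added example, not part of the original question or answer, that models the evaluation logic described in the "Why Option D is Correct" and "Key AWS Concepts" sections: an SCP attached to the root denies named services and actions, IAM policies inside an account can only grant within what the SCPs allow, and the management account is outside the SCP's reach. The policy documents, account IDs and blocked actions are constructed for illustration; the evaluator is a simplified model of the real AWS policy engine (it flattens all attached SCPs and ignores resources and conditions).

```python
"""Model of how a root-attached Deny SCP bounds what IAM can grant in member accounts.

Added example, not from the original page. All policy documents, account IDs and
blocked actions below are constructed for illustration.
"""
import fnmatch

# Constructed SCP: attach it to the organization root so every member account inherits it.
# It blocks one whole service and two individual API actions.
DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyBlockedServicesAndActions",
            "Effect": "Deny",
            "Action": [
                "ce:*",                   # hypothetical: block all of Cost Explorer
                "ec2:DeleteVpc",          # hypothetical: block two specific actions
                "cloudtrail:StopLogging",
            ],
            "Resource": "*",
        }
    ],
}

# AWS attaches this managed SCP to the root by default. Without at least one Allow,
# an SCP set denies everything, so the Deny SCP is used alongside it, not instead of it.
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed IAM identity policies for two principals inside a member account.
ADMIN_IAM = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
EC2_READONLY_IAM = {"Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}

MANAGEMENT_ACCOUNT = "111111111111"   # constructed account IDs
MEMBER_ACCOUNT = "222222222222"


def _matches(pattern, action):
    """IAM action names are case-insensitive and support '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _evaluate(policy, action):
    """Return (has_allow, has_deny) for one policy document against one action."""
    has_allow = has_deny = False
    for stmt in policy["Statement"]:
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(_matches(p, action) for p in patterns):
            if stmt["Effect"] == "Allow":
                has_allow = True
            elif stmt["Effect"] == "Deny":
                has_deny = True
    return has_allow, has_deny


def scp_permits(scps, action):
    """An explicit Deny in any attached SCP wins; otherwise some SCP must Allow the action."""
    allowed = False
    for scp in scps:
        has_allow, has_deny = _evaluate(scp, action)
        if has_deny:
            return False
        allowed = allowed or has_allow
    return allowed


def effective_permission(account, action, scps, identity_policy):
    """Combine the SCP guardrail with the principal's IAM policy.

    Returns "ALLOW", "DENY_SCP" or "DENY_IAM". SCPs never grant anything: an action the
    SCPs allow is still denied unless IAM grants it. The management account is not
    subject to SCPs at all, so only its IAM policy is consulted.
    """
    if account != MANAGEMENT_ACCOUNT and not scp_permits(scps, action):
        return "DENY_SCP"
    has_allow, has_deny = _evaluate(identity_policy, action)
    return "ALLOW" if has_allow and not has_deny else "DENY_IAM"


if __name__ == "__main__":
    root_scps = [FULL_AWS_ACCESS_SCP, DENY_SCP]
    checks = [
        (MEMBER_ACCOUNT, "ec2:DeleteVpc", ADMIN_IAM),        # admin in member account: blocked by SCP
        (MEMBER_ACCOUNT, "ec2:DescribeInstances", ADMIN_IAM),
        (MEMBER_ACCOUNT, "s3:GetObject", EC2_READONLY_IAM),  # SCP allows, IAM does not grant
        (MANAGEMENT_ACCOUNT, "ec2:DeleteVpc", ADMIN_IAM),    # management account ignores SCPs
    ]
    for account, action, iam in checks:
        print(f"{account} {action:24} -> {effective_permission(account, action, root_scps, iam)}")
```

In a real organization the same policy document is uploaded once with `aws organizations create-policy --type SERVICE_CONTROL_POLICY` and attached to the root with `aws organizations attach-policy` (the root ID starts with `r-`); nothing is changed inside the member accounts. The last check in the demo is the practical caveat: the management account is not covered, so it should be locked down separately and not used for everyday work.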
Best Practice:
When managing security across multiple AWS accounts in an organization, SCPs provide the most effective, scalable and centralized way to enforce guardrails: they cap the maximum permissions any principal in a member account can have, while IAM policies inside each account continue to grant the permissions actually needed. Keep the management account out of daily use and protect it separately, since SCPs do not constrain it.