
Answer-first summary for fast verification
Answer: Create a service control policy in the root organizational unit to deny access to the services or actions.
## Explanation

**Correct Answer: D** - Create a service control policy in the root organizational unit to deny access to the services or actions.

### Why Option D is Correct

1. **Service Control Policies (SCPs)** are specifically designed for AWS Organizations to centrally manage permissions across multiple AWS accounts.
2. **SCPs offer a single point of control** - By attaching an SCP to the root organizational unit (OU), you enforce permissions across all accounts in the organization.
3. **Scalability** - SCPs automatically apply to all current and future accounts in the organization, making them highly scalable.
4. **Deny access to specific services/actions** - SCPs can be configured to explicitly deny access to certain AWS services or specific API actions.
5. **Organizational-level control** - This approach aligns with the requirement that all accounts belong to a large AWS Organizations setup.

### Why Other Options are Incorrect

**A. Create an ACL to provide access to the services or actions.**
- ACLs (Access Control Lists) are used for network-level permissions (such as VPC network ACLs) or S3 bucket permissions, not for managing access to AWS services across multiple accounts.
- ACLs don't provide centralized management across an organization.

**B. Create a security group to allow accounts and attach it to user groups.**
- Security groups control network traffic to AWS resources (EC2 instances, RDS databases, etc.), not AWS service permissions.
- Security groups cannot be used to control access to AWS services or API actions, and they cannot be attached to user groups.

**C. Create cross-account roles in each account to deny access to the services or actions.**
- While cross-account roles are useful for allowing access between accounts, they are not an efficient way to deny access across all accounts.
- This approach would require creating and maintaining roles in every account, which violates the requirement for a "single point where permissions can be maintained."
- It's not scalable, as you'd need to update each account individually.

### Key AWS Concepts

- **Service Control Policies (SCPs):** A type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization.
- **AWS Organizations:** A service for centrally managing multiple AWS accounts. It enables you to create groups of accounts, apply policies to those groups, and automate account creation.
- **Root Organizational Unit:** The top-level container in AWS Organizations where you can attach SCPs that apply to all accounts in the organization.

### Best Practice

When managing security across multiple AWS accounts in an organization, SCPs provide the most effective, scalable, and centralized solution for enforcing guardrails and permissions boundaries.
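The following is an added example, not part of the LeetQuiz explanation: a deny-only SCP document in the real SCP JSON grammar, alongside a deliberately simplified Python model of how an SCP deny interacts with an IAM allow. The service and action names in the policy (`lightsail:*`, `organizations:LeaveOrganization`) are illustrative choices, and the evaluator is an assumption-laden teaching model (it ignores `Condition`, `Resource` and `NotAction`), not AWS's evaluation engine.

```python
"""Deny-only SCP guardrail plus a simplified SCP/IAM evaluation model.

Added example; the SCP document is a constructed illustration attached at the
root OU. The evaluator models two facts that matter to the quiz question:
  * an SCP never grants permissions, it only bounds what IAM can grant;
  * an explicit SCP Deny overrides any IAM Allow in a member account.
"""
import fnmatch
import json

# AWS attaches this default SCP ("FullAWSAccess") to the root; it keeps all
# actions available so that deny-only SCPs act purely as guardrails.
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed guardrail SCP. Attached to the root OU, it applies to every
# current and future member account, giving one place to maintain the rule.
DENY_SERVICES_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnapprovedServicesOrgWide",
            "Effect": "Deny",
            # Illustrative targets: a whole service and one sensitive action.
            "Action": ["lightsail:*", "organizations:LeaveOrganization"],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM lets Action be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _action_matches(patterns, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_permits(scps, action):
    """Return True if the attached SCPs leave `action` available.

    Simplified model (assumption): an action passes when at least one Allow
    statement matches it and no Deny statement matches it. Condition blocks,
    Resource ARNs and NotAction statements are not modelled.
    """
    allowed = denied = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if "Action" not in stmt:  # NotAction statements are skipped
                continue
            if _action_matches(_as_list(stmt["Action"]), action):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def effective_allow(action, iam_allows, scps, is_management_account=False):
    """Combine the account's IAM decision with the organization's SCPs.

    SCPs do not restrict the management account, so only IAM applies there;
    in a member account the request needs both an IAM allow and SCP headroom.
    """
    if is_management_account:
        return iam_allows
    return iam_allows and scp_permits(scps, action)


def scp_document(scp=DENY_SERVICES_SCP):
    """Serialise the SCP as the JSON you would paste into Organizations."""
    return json.dumps(scp, indent=2)


if __name__ == "__main__":
    print(scp_document())
    org_scps = [FULL_AWS_ACCESS_SCP, DENY_SERVICES_SCP]
    for act in ("lightsail:CreateInstances", "s3:GetObject"):
        print(act, "->", effective_allow(act, True, org_scps))
```

Attaching the deny SCP at the root is what makes this a single point of maintenance: a member account administrator can grant `lightsail:*` in IAM all day and the model still returns a deny, while removing the SCP statement re-enables the service everywhere at once. Keep in mind that the management account is exempt, so guardrails that must cover it need a different control.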
Author: LeetQuiz Editorial Team
A security team wants to limit access to specific services or actions in all of the team's AWS accounts. All accounts belong to a large organization in AWS Organizations. The solution must be scalable and there must be a single point where permissions can be maintained.
What should a solutions architect do to accomplish this?
A. Create an ACL to provide access to the services or actions.
B. Create a security group to allow accounts and attach it to user groups.
C. Create cross-account roles in each account to deny access to the services or actions.
D. Create a service control policy in the root organizational unit to deny access to the services or actions.