AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company has separate AWS accounts for its finance, data analytics, and development departments. Because of costs and security concerns, the company wants to control which services each AWS account can use.

Which solution will meet these requirements with the LEAST operational overhead?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Use AWS Systems Manager templates to control which AWS services each department can use.

Create organization units (OUs) for each department in AWS Organizations. Attach service control policies (SCPs) to the OUs.

Use AWS CloudFormation to automatically provision only the AWS services that each department can use.

Set up a list of products in AWS Service Catalog in the AWS accounts to manage and control the usage of specific AWS services.

Explanation:

Explanation

Correct Answer: B - Create organization units (OUs) for each department in AWS Organizations. Attach service control policies (SCPs) to the OUs.

Why Option B is Correct:

SCPs (Service Control Policies) are specifically designed for this purpose - they allow you to control which AWS services and actions can be used by member accounts in an AWS Organization.
Least Operational Overhead: Once SCPs are attached to OUs, they automatically apply to all accounts within those OUs without requiring ongoing manual intervention.
Centralized Management: AWS Organizations provides a centralized way to manage multiple AWS accounts, and SCPs offer guardrails at the organization level.
Security and Cost Control: SCPs can deny access to specific AWS services, preventing departments from using services they shouldn't, thereby controlling both security risks and costs.

Why Other Options are Incorrect:

A. AWS Systems Manager templates:

Systems Manager is primarily for operational management, patching, and automation, not for controlling which AWS services can be used.
Templates in Systems Manager don't provide service-level access control.

C. AWS CloudFormation:

While CloudFormation can provision resources, it doesn't prevent users from using services outside of CloudFormation templates.
Users could still use the AWS Console, CLI, or SDK to access services not included in templates.
Requires ongoing template management and doesn't provide enforcement.

D. AWS Service Catalog:

Service Catalog provides a curated list of approved products, but users could still access AWS services directly through the console or APIs.
Doesn't prevent unauthorized service usage; it only provides a catalog of approved configurations.
Requires more operational overhead to maintain and update the catalog.

Key AWS Concepts:

AWS Organizations: Service for centrally managing multiple AWS accounts.
Service Control Policies (SCPs): Policies that specify the maximum permissions for accounts in an organization.
Organization Units (OUs): Containers for grouping accounts within an organization.

SCPs provide the most effective and least operationally intensive way to control which AWS services each department can use across multiple accounts.

Powered ByGPT-5.2

Comments

Loading comments...