Q34 — AWS DOP-C02 Ch.1
A company is divided into multiple teams. Each team has its own AWS account, and all accounts reside within a single organization in AWS Organizations. Each team must retain full administrative IAM permissions for its own AWS account. Each team must be allowed to access only approved AWS services. Access to AWS services must be granted through a formal request and approval process.
- A. Use AWS CloudFormation StackSets to deploy IAM policies in each account that deny access to restricted AWS services. In each account, configure AWS Config rules to ensure those policies are attached to IAM principals.
- B. Use AWS Control Tower to configure accounts into organizational units (OUs) within the organization. Configure AWS Control Tower to enable AWS IAM Identity Center (AWS SSO). Configure IAM Identity Center to provide administrative access, including deny policies for restricted AWS services on user roles.
- C. Place all accounts under a new top-level OU within the organization. Create a Service Control Policy (SCP) that denies access to restricted AWS services and attach it to the OU.
- D. Create an SCP that allows access only to approved AWS services. Attach the SCP to the organization’s root OU. Remove the FullAWSAccess SCP from the organization’s root OU. ✓
Correct Answer: D. Create an SCP that allows access only to approved AWS services. Attach the SCP to the organization’s root OU. Remove the FullAWSAccess SCP from the organization’s root OU.
Explanation
The question tests understanding of AWS Organizations Service Control Policies (SCPs). An SCP sets the maximum permissions available to IAM principals in the member accounts it applies to; it grants nothing by itself, so each team keeps full IAM autonomy inside its own account while the SCP caps what that IAM can reach. Attaching an allow-list SCP (one that permits only the approved services) to the root OU enforces that cap across all member accounts, and adding a newly approved service to that SCP is the step that follows the formal request and approval process. Removing the default FullAWSAccess SCP is essential: under SCP evaluation an action is available when any attached SCP allows it and none denies it, so as long as FullAWSAccess (which allows every action) stays attached, the allow-list SCP restricts nothing. This satisfies both requirements: centralized service governance and decentralized account-level administrative control.
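The SCP evaluation rule the explanation relies on, modelled as an added example that is not part of the exam page; the list of approved services and the policy documents are constructed for the demonstration, and only one attachment level with `*` wildcards is handled.

```python
# Added example (not from the exam page): a minimal model of how AWS Organizations
# evaluates SCPs attached at a single level. Policies below are constructed to
# mirror the question; real SCPs are JSON documents with the same shape.
import fnmatch

# The default SCP every organization starts with: allows every action.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed allow-list SCP; the approved services are an assumption here.
APPROVED_SERVICES_ONLY = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:*", "s3:*", "cloudwatch:*", "iam:*"],
         "Resource": "*"}
    ]
}


def _matches(patterns, action):
    """IAM action matching: case-insensitive with '*' wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_permits(scps, action):
    """Return True if the attached SCPs leave `action` available.

    An action survives SCP evaluation only if at least one attached SCP has an
    Allow statement matching it and no attached SCP has a matching Deny.
    SCPs grant nothing themselves: IAM in the member account must still allow it.
    """
    allowed = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if _matches(stmt["Action"], action):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def effective(action, full_access_removed):
    """Evaluate `action` against the root OU with or without FullAWSAccess attached."""
    attached = [APPROVED_SERVICES_ONLY]
    if not full_access_removed:
        attached.insert(0, FULL_AWS_ACCESS)  # default policy left in place
    return scp_permits(attached, action)
```

With FullAWSAccess still attached, `effective("sagemaker:CreateNotebookInstance", False)` is True, showing why option D's removal step matters; after removal the same call with `True` returns False.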