Q34 — AWS DOP-C02 Ch.1


A company is divided into multiple teams. Each team has its own AWS account, and all accounts reside within a single organization in AWS Organizations. Each team must retain full administrative IAM permissions for its own AWS account. Each team must be allowed to access only approved AWS services. Access to AWS services must be granted through a formal request and approval process.

Correct Answer: D. Create an SCP that allows access only to approved AWS services. Attach the SCP to the organization’s root OU. Remove the FullAWSAccess SCP from the organization’s root OU.

Explanation

The question tests understanding of AWS Organizations Service Control Policies (SCPs). SCPs set the maximum permissions available to member accounts; they do not grant permissions themselves, so each team keeps full control over IAM within its own account. Attaching an allow-list SCP (permitting only the approved services) to the root OU enforces that ceiling across every member account. Removing the default FullAWSAccess SCP is essential: SCPs attached at the same level are combined, so as long as FullAWSAccess remains attached, every service stays allowed and the allow-list has no effect. This satisfies both requirements: centralized service governance (new services are added to the allow-list only through the request and approval process) and decentralized, account-level administrative control.