Q88 — AWS DOP-C02 Ch.1

Question 88 of 100

A company hosts a security audit application in an AWS account. The audit application uses IAM roles to access other AWS accounts. All audited accounts belong to the same organization in AWS Organizations. A recent security audit revealed that users in audited AWS accounts can modify or delete the IAM roles used by the audit application. The company needs to prevent any entity—except trusted administrator IAM roles—from modifying the audit application’s IAM roles.

Correct Answer: A. Create a Service Control Policy (SCP) containing a Deny statement for modifications to the audit application’s IAM roles. Include a condition allowing changes by trusted administrator IAM roles. Attach the SCP to the organization root.

Explanation

Service Control Policies (SCPs) are an AWS Organizations feature that sets the maximum permissions available to principals in member accounts. An SCP can be attached at the organization root, to an organizational unit (OU), or to an individual account; attached to the root, it applies to every account in the organization.

An explicit Deny in an SCP cannot be overridden by any identity-based or resource-based policy inside the member account. The only way to carve out an exception is a condition on the Deny statement itself that excludes the intended principals. Option A uses exactly this pattern: a Deny on the IAM actions that modify the audit application's roles, conditioned so that it does not apply to the trusted administrator roles, and attached at the root so that it is enforced in every audited account.

Option B is invalid because SCPs attach to the root, OUs, or accounts, not to individual services such as IAM. Options C and D rely on permissions boundaries, which only cap the maximum permissions of the principal they are attached to (a role or user); they cannot stop other principals in the account (other IAM users or roles, or the account's root user) from modifying the target role. Only SCPs provide organization-wide, enforceable guardrails against unauthorized IAM role modification.
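An SCP that implements Option A, added here as an illustration and not part of the original question; the role name AuditAppRole, the trusted administrator role OrgAdminRole, and the account ID 111122223333 are placeholders to replace with real values:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAuditRoleChangesExceptTrustedAdmins",
      "Effect": "Deny",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:DeleteRole",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription"
      ],
      "Resource": "arn:aws:iam::*:role/AuditAppRole",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/OrgAdminRole"
        }
      }
    }
  ]
}
```

The `aws:PrincipalArn` key resolves to the role ARN even when the caller is an assumed-role session, so the administrator role is exempt regardless of session name. SCPs never apply to the organization's management account, so roles living there are not protected by this policy.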