Q31 — AWS DOP-C02 Ch.2

Question 31 of 100

A company is divided into teams. Each team has its own AWS account, and all accounts reside within an organization in AWS Organizations. Each team requires full security administrative privileges over its AWS account. Additionally, each team must be restricted to only approved AWS services. AWS services are granted access through a formal request and approval process. How should a DevOps engineer configure the accounts to meet these requirements?

Correct Answer: C. Place all accounts under a new top-level OU within the organization. Create a Service Control Policy (SCP) denying access to restricted AWS services and attach it to the OU.

Explanation

The correct approach is to enforce service restrictions at the organization level using Service Control Policies (SCPs), which are applied hierarchically in AWS Organizations and inherited by every account beneath the OU they are attached to. Option C places all accounts under a new top-level OU and attaches an SCP denying access to the restricted services; this satisfies the requirement for centralized, mandatory governance without per-account configuration and without relying on identity-based policies that account administrators can change. Because an SCP is a permission filter rather than a grant, each team keeps full administrative privileges inside its own account while remaining unable to override the organization-level deny. Option A relies on IAM policies, which are not organization-wide and can be modified by account administrators, violating the requirement for strict enforcement. Option B introduces unnecessary complexity with IAM Identity Center and does not by itself restrict service usage across accounts. Option D attempts to allow only approved services via an SCP, but AWS recommends explicit deny SCPs over allow-only approaches because of the maintenance overhead and the risk of unintended access when new services launch. Therefore, option C is the most secure and scalable solution.