Q43 — AWS DOP-C02 Ch.2
Question 43 of 100
A cloud team manages a company’s AWS accounts using AWS Organizations and AWS Identity Center (formerly AWS Single Sign-On). The company recently formed a research team. The research team needs delegated administrative access to resources in a dedicated AWS account. The research team must not be allowed to create IAM users. The cloud team created a Research Administrator permission set in IAM Identity Center and attached the AdministratorAccess AWS managed policy. The cloud team wants to ensure no one in the research team can create IAM users.
- A. Create an IAM policy denying the iam:CreateUser action and attach it to the Research Administrator permission set.
- B. Create an IAM policy allowing all actions except iam:CreateUser and use it as a permissions boundary for the Research Administrator permission set.
- C. Create a Service Control Policy (SCP) denying iam:CreateUser and attach it to the research team’s AWS account. ✓
- D. Develop an AWS Lambda function that deletes IAM users. Create an Amazon EventBridge rule to detect iam:CreateUser events and configure it to invoke the Lambda function.
Correct Answer: C. Create a Service Control Policy (SCP) denying iam:CreateUser and attach it to the research team’s AWS account.
Explanation
AWS Service Control Policies (SCPs) are a feature of AWS Organizations that set the maximum permissions available in a member account. An SCP applies to every principal in the account, including the roles that IAM Identity Center provisions for permission-set users, and an explicit deny in an SCP cannot be overridden by any IAM policy. Because the research team holds AdministratorAccess, IAM-level restrictions (Options A and B) may be overridden or bypassed as a consequence of how policies are evaluated. An SCP (Option C) enforces the restriction at the account boundary, so iam:CreateUser is denied regardless of which identity source the caller used. Option D only reacts after a user has already been created, so it is insecure and violates least-privilege principles.
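To make the evaluation logic behind the answer concrete, the following is an added illustration, not code from this exam page or from AWS. It models, in a deliberately simplified way, how an explicit deny in an SCP combines with identity-based policies: it evaluates a single SCP level, ignores the Resource and Condition elements, and leaves out permissions boundaries and resource-based policies. The policy documents are constructed to have the shape of the AdministratorAccess managed policy, the default FullAWSAccess SCP, and the iam:CreateUser deny from Option C; the function and scenario names are the example's own.

```python
from fnmatch import fnmatchcase

# Constructed SCP document in the shape Option C describes: an explicit Deny on
# iam:CreateUser that applies to every principal in the account it is attached to.
RESEARCH_ACCOUNT_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"}],
}

# Shape of the AWS managed AdministratorAccess policy: Allow everything.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Shape of FullAWSAccess, the default SCP in an organization, which allows
# everything so that more specific SCPs can carve permissions away.
FULL_AWS_ACCESS_SCP = ADMINISTRATOR_ACCESS

# Option A: the same deny statement, but attached to the permission set as an
# identity-based policy instead of to the account as an SCP.
DENY_CREATE_USER_INLINE = RESEARCH_ACCOUNT_SCP


def _statement_actions(statement):
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def _classify(policy, action):
    """Return (explicit_deny, allow) for one policy document against one action.
    IAM action names are matched case-insensitively, with * and ? wildcards."""
    explicit_deny = allow = False
    for statement in policy["Statement"]:
        patterns = [p.lower() for p in _statement_actions(statement)]
        if any(fnmatchcase(action.lower(), p) for p in patterns):
            if statement["Effect"] == "Deny":
                explicit_deny = True
            else:
                allow = True
    return explicit_deny, allow


def evaluate(action, identity_policies, scps):
    """Simplified evaluation for a principal in a member account (illustration only):
    1. any explicit Deny in an SCP or identity policy denies the request;
    2. otherwise the action needs an Allow from an SCP and from an identity policy;
    3. anything else is an implicit deny."""
    scp_results = [_classify(p, action) for p in scps]
    identity_results = [_classify(p, action) for p in identity_policies]
    if any(denied for denied, _ in scp_results + identity_results):
        return "DENY"
    if any(ok for _, ok in scp_results) and any(ok for _, ok in identity_results):
        return "ALLOW"
    return "DENY"


def compare_options():
    """Evaluate iam:CreateUser under Options A and C. The second Option A case is a
    role provisioned inside the account by an administrator; it carries only
    AdministratorAccess, so the permission set's inline deny does not reach it."""
    action = "iam:CreateUser"
    with_scp = [FULL_AWS_ACCESS_SCP, RESEARCH_ACCOUNT_SCP]
    return {
        "A_permission_set_role": evaluate(action, [ADMINISTRATOR_ACCESS, DENY_CREATE_USER_INLINE], [FULL_AWS_ACCESS_SCP]),
        "A_other_admin_role": evaluate(action, [ADMINISTRATOR_ACCESS], [FULL_AWS_ACCESS_SCP]),
        "C_any_principal": evaluate(action, [ADMINISTRATOR_ACCESS], with_scp),
        # The SCP leaves unrelated administrative actions intact.
        "C_unrelated_action": evaluate("s3:ListAllMyBuckets", [ADMINISTRATOR_ACCESS], with_scp),
    }


if __name__ == "__main__":
    for scenario, decision in compare_options().items():
        print(f"{scenario:24s} {decision}")
```

The deny statement is the same in both attachment points; what differs is scope. Attached to the permission set it blocks only the role that the permission set provisions, whereas attached to the account as an SCP it is evaluated for every principal the account contains, which is why Option C is the control that satisfies the requirement.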