Q43 — AWS DOP-C02 Ch.2

Question 43 of 100 | ← Chapter 2

A cloud team manages a company's AWS accounts using AWS Organizations and AWS IAM Identity Center (formerly AWS Single Sign-On). The company recently formed a research team. The research team needs delegated administrative access to resources in a dedicated AWS account. The research team must not be allowed to create IAM users. The cloud team created a Research Administrator permission set in IAM Identity Center and attached the AdministratorAccess AWS managed policy. The cloud team wants to ensure no one in the research team can create IAM users.

Correct Answer: C. Create a Service Control Policy (SCP) denying iam:CreateUser and attach it to the research team’s AWS account.

Explanation

Service control policies (SCPs) are an AWS Organizations feature that sets the maximum permissions available in a member account. An SCP never grants permissions on its own: a request succeeds only if it is allowed by the SCPs in effect for the account and by the principal's identity-based IAM policies, and an explicit Deny in either layer wins. SCPs apply to every IAM user and role in the member account, including the roles that IAM Identity Center provisions in the account for each permission set, so a Deny on iam:CreateUser attached to the research account blocks the Research Administrator permission set regardless of how its users authenticate.

The reason an in-account restriction (Options A and B) is the weaker choice is not policy evaluation order; an explicit Deny in an IAM policy is honoured wherever it appears. The problem is who controls it. A principal with AdministratorAccess holds iam:* in the account and can therefore remove the Deny, or simply create a second role that carries only AdministratorAccess and assume it, so any restriction that lives inside the account lasts only as long as the administrator leaves it there. An SCP is managed from the Organizations management account, which the research team cannot reach from their member account, so the restriction can be neither edited nor sidestepped from inside. Option D is reactive: it responds to user creation after it has happened instead of preventing it, which does not satisfy the requirement.

Two caveats worth remembering before attaching the SCP: it applies to every principal in the research account, including any roles the cloud team itself uses there, and SCPs never affect the management account or service-linked roles.
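The following is an added example, not part of the original question page: a deliberately small model of how an SCP layer and an identity-policy layer combine, used to show why the in-account Deny can be escaped and the SCP cannot. The policy documents are constructed for the example (the SCP is the one the answer describes; FULL_AWS_ACCESS_SCP and ADMINISTRATOR_ACCESS reproduce the well-known Allow-all shape of those AWS defaults). The evaluator ignores Resource, Condition, permission boundaries, resource-based and session policies, so it is a teaching model of the allow/deny logic, not a reimplementation of IAM.

```python
"""Model of SCP + identity-policy evaluation for the iam:CreateUser question.

Constructed example. Real IAM evaluation also considers Resource, Condition,
permission boundaries, resource-based and session policies; this model keeps
only the two layers the question is about.
"""
import fnmatch
import json

# The SCP the correct answer calls for: explicit Deny on iam:CreateUser.
DENY_CREATE_USER_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIamUserCreation",
            "Effect": "Deny",
            "Action": "iam:CreateUser",
            "Resource": "*",
        }
    ],
}

# Default SCP every account inherits unless it is deliberately removed.
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Shape of the AdministratorAccess managed policy attached to the permission set.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# An in-account alternative: the same Deny, but placed in an identity policy.
INLINE_DENY_CREATE_USER = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"}],
}


def _statements(policy):
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _actions(stmt):
    acts = stmt.get("Action", [])
    return acts if isinstance(acts, list) else [acts]


def _matches(stmt, action):
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in _actions(stmt))


def _layer_decision(policies, action):
    """'Deny' if any statement explicitly denies, 'Allow' if one allows, else 'Implicit'."""
    allowed = False
    for policy in policies:
        for stmt in _statements(policy):
            if _matches(stmt, action):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Implicit"


def is_allowed(action, scps, identity_policies):
    """Explicit Deny in either layer wins; otherwise both layers must Allow."""
    scp = _layer_decision(scps, action)
    idp = _layer_decision(identity_policies, action)
    if scp == "Deny" or idp == "Deny":
        return False
    return scp == "Allow" and idp == "Allow"


def research_admin_can(action, scps=(FULL_AWS_ACCESS_SCP, DENY_CREATE_USER_SCP)):
    """What the Research Administrator permission set can do once the SCP is attached."""
    return is_allowed(action, list(scps), [ADMINISTRATOR_ACCESS])


def escape_possible(scps):
    """Can an admin sidestep an in-account Deny by creating a second, unrestricted role?"""
    restricted_role = [ADMINISTRATOR_ACCESS, INLINE_DENY_CREATE_USER]
    # Step 1: from the restricted role, create and assume a fresh role (needs iam:*).
    setup = ("iam:CreateRole", "iam:AttachRolePolicy", "sts:AssumeRole")
    if not all(is_allowed(a, scps, restricted_role) for a in setup):
        return False
    # Step 2: the new role carries only AdministratorAccess; the Deny is not inherited.
    unrestricted_role = [ADMINISTRATOR_ACCESS]
    return is_allowed("iam:CreateUser", scps, unrestricted_role)


def scp_document():
    """JSON to hand to: aws organizations create-policy --type SERVICE_CONTROL_POLICY
    --name DenyIamUserCreation --content file://deny-create-user.json
    then: aws organizations attach-policy --policy-id <p-id> --target-id <research-account-id>"""
    return json.dumps(DENY_CREATE_USER_SCP, indent=2)


if __name__ == "__main__":
    print("SCP attached, iam:CreateUser allowed?", research_admin_can("iam:CreateUser"))
    print("SCP attached, iam:CreateRole allowed?", research_admin_can("iam:CreateRole"))
    print("Inline Deny only, escape possible?", escape_possible([FULL_AWS_ACCESS_SCP]))
    print("SCP Deny, escape possible?", escape_possible([FULL_AWS_ACCESS_SCP, DENY_CREATE_USER_SCP]))
```

Running it prints False, True, True, False: with the SCP attached the research administrator keeps every other permission but cannot create a user from any role in the account, whereas an identity-policy Deny alone is defeated by creating a role that does not carry it. The policy-id and account-id placeholders in the CLI comments are left for the reader to fill in.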