Q95 — AWS DOP-C02 Ch.3
A company operates a globally distributed organization and wants to implement a governance strategy with the following requirements:
- Access to AWS service resources must be restricted to the same Region as the requesting account.
- Access to AWS services must be limited to a specific set of approved services per account.
- Identity authentication must be provided by an on-premises Active Directory.
- Access permissions must be consistent across business functions, with identical limits applied to each account.
- A. Create an organizational unit (OU) in the management account with a service control policy (SCP) to restrict Regions and authorized services. Use AWS IAM roles for each business function, including IAM trust policies for identity provider authentication in each account.
- B. Set permission boundaries in the management account to restrict Regions and authorized services. Use AWS IAM roles for each business function, including IAM trust policies for identity provider authentication in each account.
- C. Establish service control policies (SCPs) in the management account to restrict Regions and authorized services. Use AWS Resource Access Manager (RAM) to share management account roles and grant permissions to each business function, including AWS IAM Identity Center for authentication in each account.
- D. Establish service control policies (SCPs) in the management account to restrict Regions and authorized services. Use AWS IAM roles for each business function, including IAM trust policies for identity provider authentication in each account. ✓
Correct Answer: D. Establish service control policies (SCPs) in the management account to restrict Regions and authorized services. Use AWS IAM roles for each business function, including IAM trust policies for identity provider authentication in each account.
Explanation
Service control policies (SCPs) in AWS Organizations are the only mechanism to centrally enforce Region-level and service-level access restrictions across member accounts. IAM trust policies enable federation with on-premises Active Directory via a SAML or OIDC identity provider. Consistent permissions across accounts are achieved through standardized IAM roles whose effective permissions are bounded by SCPs. Option D correctly combines SCPs for Region and service scoping, IAM roles for functional delegation, and IAM identity provider trust policies for AD integration, fully satisfying all requirements. Option A incorrectly conflates OUs with SCP enforcement (SCPs are attached to OUs but are defined separately); option B misuses permission boundaries (which apply to IAM principals, not to accounts); option C incorrectly substitutes IAM Identity Center for on-premises AD federation and misapplies RAM for role sharing.
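The following SCP is an added illustration of the Region and approved-service restrictions described above; it is not part of the original question or an AWS-published sample, and the single Region `eu-west-1` and the allowed service list are assumed placeholders. The first statement denies any request whose `aws:RequestedRegion` is outside the approved list while exempting global services that only answer in `us-east-1`; the second denies every action not in the approved set, and it must exempt the same global services or the account will lose IAM and STS access. An SCP never affects the management account itself, so it is attached to the OUs or member accounts, and because it is a Deny it caps IAM role permissions rather than granting any.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideApprovedRegion",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-west-1"]
        }
      }
    },
    {
      "Sid": "DenyUnapprovedServices",
      "Effect": "Deny",
      "NotAction": [
        "ec2:*",
        "s3:*",
        "cloudwatch:*",
        "logs:*",
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*"
      ],
      "Resource": "*"
    }
  ]
}
```

Verify the effect from a member account with a call in an unapproved Region (for example `aws ec2 describe-instances --region us-west-2`), which should fail with an explicit-deny error, and confirm the denial appears in CloudTrail with `errorCode` set to `AccessDenied`.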