Q95 — AWS DOP-C02 Ch.3


A company operates a globally distributed organization and wants to implement a governance strategy with the following requirements:

• Access to AWS service resources must be restricted to the same Region as the requesting account.
• Access to AWS services must be limited to a specific set of approved services per account.
• Identity authentication must be provided by an on-premises Active Directory.
• Access permissions must be consistent across business functions, with identical limits applied to each account.

Correct Answer: D. Establish service control policies (SCPs) in the management account to restrict Regions and authorized services. Use AWS IAM roles for each business function, including IAM trust policies for identity provider authentication in each account.

Explanation

Service Control Policies (SCPs) in AWS Organizations are the only mechanism to centrally enforce Region and service-level access restrictions across member accounts. IAM trust policies enable federation with on-premises Active Directory via identity providers. Consistent permissions across accounts are achieved through standardized IAM roles governed by SCPs. Option D correctly combines SCPs for resource and service scoping, IAM roles for functional delegation, and IAM identity provider trust policies for AD integration, fully satisfying all requirements. Option A incorrectly conflates OUs with SCP enforcement (SCPs apply to OUs but are defined separately); option B misuses permission boundaries (which apply to principals, not accounts); option C incorrectly substitutes IAM Identity Center for on-premises AD federation and misapplies RAM for role sharing.
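The following SCP is an added illustration of the Region and service restrictions described above; it is not part of the original question or the answer key. The approved Region (`eu-west-1`), the approved service list and the global services exempted from the Region check are assumed placeholders that an organization would replace with its own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleDenyRequestsOutsideApprovedRegion",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "support:*",
        "cloudfront:*",
        "route53:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": "eu-west-1"
        }
      }
    },
    {
      "Sid": "ExampleDenyServicesNotOnApprovedList",
      "Effect": "Deny",
      "NotAction": [
        "ec2:*",
        "s3:*",
        "rds:*",
        "cloudwatch:*",
        "logs:*",
        "iam:*",
        "sts:*"
      ],
      "Resource": "*"
    }
  ]
}
```

Both statements are explicit denies that use `NotAction` so that everything not on the list is blocked, which is why global services that are not Region-scoped (IAM, STS, Organizations) must be named in the first statement or they would be denied too. An SCP only sets the ceiling: the per-account IAM roles still need their own permission policies, and their trust policies name the SAML identity provider backed by the on-premises Active Directory as the principal.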