Q4 — AWS SAA-C03 Ch.1
Question 4 of 65
Q4. A security team wants to limit access to specific services or actions in all of the team's AWS accounts. All accounts belong to a large organization in AWS Organizations. The solution must be scalable and there must be a single point where permissions can be maintained. What should a solutions architect do to accomplish this?
- A. Create an ACL to provide access to the services or actions.
- B. Create a security group to allow accounts and attach it to user groups.
- C. Create cross-account roles in each account to deny access to the services or actions.
- D. Create a service control policy in the root organizational unit to deny access to the services or actions ✓
Correct Answer: D. Create a service control policy in the root organizational unit to deny access to the services or actions
Explanation
To limit access to specific services or actions across every account in the organization, with a scalable solution and a single place where the permissions are maintained, the solutions architect should weigh the options as follows.

A. ACLs in this context means network ACLs, which act at the subnet level of a VPC to filter IP traffic entering and leaving subnets. They filter packets, not calls to AWS APIs, so they cannot restrict which AWS services or actions an account may use, and they have no cross-account scope.

B. Security groups are stateful firewalls for elastic network interfaces in a VPC. They control inbound and outbound traffic at the instance level; they do not govern access to AWS services or actions, cannot be attached to IAM user groups, and cannot be applied across multiple accounts.

C. Cross-account roles can allow or deny access to resources in another account, but they only govern principals that assume them, not the identities that already exist in each account. Creating and maintaining a role in every account is neither scalable nor a single point of management.

D. The correct approach is a service control policy (SCP) attached to the root of the organization. SCPs are a feature of AWS Organizations (the organization must have all features enabled) that let an administrator centrally define the maximum permissions available to IAM users and roles in member accounts, including each member account's root user. A policy attached to the organization root is inherited by every OU and account beneath it, so a single Deny statement enforces the restriction consistently across all accounts and is maintained in exactly one place.

Two caveats matter in practice. An SCP never grants permissions: a request succeeds only if an SCP allows it at every level from the root down to the account and an IAM policy in the account also allows it, and an explicit Deny in any SCP always wins. SCPs also do not apply to the management account itself, so the management account should hold no workloads and should be used only to administer the organization.

Conclusion: the correct answer is D.
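As an added example that is not part of the original question page or its answer key, the following Python shows a deny-list SCP of the kind answer D describes and a small simulation of the evaluation rules that matter here: an SCP never grants, every level from the root to the account must allow the action, an explicit Deny wins, and the management account is exempt. The deny policy, the two IAM policies and the `scp_json` helper are constructed for illustration; the evaluator ignores conditions, resource ARNs and NotAction, so it is a teaching model of the documented rules, not the AWS policy engine.

```python
"""Added example: a root-level deny SCP and a simplified SCP + IAM evaluator.
Constructed for illustration; not AWS code and not the real policy engine."""
import fnmatch
import json

# Constructed SCP for the security team's requirement: deny a few actions in
# every member account. The action names are real AWS actions.
DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOrgExitAndTrailTampering",  # hypothetical Sid
            "Effect": "Deny",
            "Action": [
                "organizations:LeaveOrganization",
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
            ],
            "Resource": "*",
        }
    ],
}

# The FullAWSAccess SCP that Organizations attaches to the root by default.
# It must stay attached at every level, or nothing is allowed at that level.
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed IAM identity policies inside a member account.
ADMIN_IAM = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_READ_ONLY_IAM = {"Statement": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}


def scp_json():
    """Serialised document suitable for `aws organizations create-policy --content`."""
    return json.dumps(DENY_SCP, indent=2)


def _actions(stmt):
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def _policy_verdict(policy, action):
    """'deny', 'allow' or 'none' for one policy document (wildcards via fnmatch)."""
    verdict = "none"
    for stmt in policy["Statement"]:
        if any(fnmatch.fnmatchcase(action, pat) for pat in _actions(stmt)):
            if stmt["Effect"] == "Deny":
                return "deny"  # an explicit Deny is final
            verdict = "allow"
    return verdict


def scp_permits(action, scps_by_level):
    """Organizations rule: at each level (root, every OU on the path, the
    account) some attached SCP must allow the action and none may deny it."""
    for level_policies in scps_by_level:
        verdicts = [_policy_verdict(p, action) for p in level_policies]
        if "deny" in verdicts or "allow" not in verdicts:
            return False
    return True


def is_allowed(action, iam_policy, scps_by_level, is_management_account=False):
    """Final decision: SCP chain must permit (unless this is the management
    account, which SCPs never restrict) AND the identity's IAM policy must allow."""
    if not is_management_account and not scp_permits(action, scps_by_level):
        return False
    return _policy_verdict(iam_policy, action) == "allow"


if __name__ == "__main__":
    root = [FULL_AWS_ACCESS_SCP, DENY_SCP]
    print(scp_json())
    for action, iam, levels, mgmt in [
        ("cloudtrail:StopLogging", ADMIN_IAM, [root], False),   # denied by SCP
        ("cloudtrail:StopLogging", ADMIN_IAM, [root], True),    # management account exempt
        ("ec2:DescribeInstances", ADMIN_IAM, [root], False),    # allowed by both
        ("ec2:DescribeInstances", S3_READ_ONLY_IAM, [root], False),  # SCP does not grant
        ("ec2:DescribeInstances", ADMIN_IAM, [root, [DENY_SCP]], False),  # OU lacks an Allow
    ]:
        print(f"{action:28s} mgmt={mgmt!s:5s} -> {is_allowed(action, iam, levels, mgmt)}")
```

The last case is the operational trap: an OU that has only the deny policy attached, with FullAWSAccess removed, blocks every action for the accounts beneath it, because each level needs an explicit Allow as well as the absence of a Deny.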