Q9 — AWS SCS-C02 Ch.1
Question 9 of 100
A company is designing a multi-account structure for its development teams. The company is using AWS Organizations and AWS IAM Identity Center (AWS Single Sign-On). The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services. Which solution will meet these requirements with the LEAST operational overhead?
- A. Use IAM Identity Center to set up service-linked roles with IAM policy statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
- B. Deactivate AWS Security Token Service (AWS STS) in Regions that the developers are not allowed to use.
- C. Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed. ✓
- D. For each AWS account, create tailored identity-based policies for IAM Identity Center. Use statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
Correct Answer: C. Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
Explanation
In an AWS multi-account architecture, restricting development teams to specific AWS Regions and services is done with service control policies (SCPs). According to the AWS Organizations documentation, SCPs manage permissions centrally at the organizational unit (OU) or organization level, so there is no need to configure each account individually. Option C uses the Condition, Resource, and NotAction elements of an SCP, which take effect across the organization; a single policy affects multiple accounts. Option D requires tailored identity-based policies for each account, which is operationally complex. The service-linked roles in option A are used for interactions between AWS services and are not intended for managing user permissions. Option B, deactivating STS per Region, is not feasible because STS is a global service. The correct answer follows AWS SCP best practices.