Question 40
Domain 6: Security and Compliance
A company is divided into teams. Each team has an AWS account, and all the accounts are in an organization in AWS Organizations. Each team must retain full administrative rights to its AWS account. Each team also must be allowed to access only AWS services that the company approves for use. AWS services must gain approval through a request and approval process. How should a DevOps engineer configure the accounts to meet these requirements?
Correct answer: D
Explanation
Service control policies set the maximum permissions for accounts in an organization, and an SCP can "allow access to only approved AWS services" while still letting each team manage its own account. Attaching the SCP to the root OU applies it to all member accounts, and removing "FullAWSAccess" prevents unrestricted service use so only approved services are available.
Why each option is right or wrong
A. Use AWS CloudFormation StackSets to provision IAM policies in each account to deny access to restricted AWS services. In each account, configure AWS Config rules that ensure that the policies are attached to IAM principals in the account.
IAM policies inside accounts can be changed by account admins and do not create organization-wide permission boundaries.
B. Use AWS Control Tower to provision the accounts into OUs within the organization. Configure AWS Control Tower to enable AWS IAM Identity Center (AWS Single Sign-On). Configure IAM Identity Center to provide administrative access. Include deny policies on user roles for restricted AWS services.
Identity Center manages sign-in and role access, not the organization-wide service allow-list requirement.
C. Place all the accounts under a new top-level OU within the organization. Create an SCP that denies access to restricted AWS services. Attach the SCP to the OU.
A deny list blocks known restricted services, but the requirement is to permit only approved services.
D. Create an SCP that allows access to only approved AWS services. Attach the SCP to the root OU of the organization. Remove the FullAWSAccess SCP from the root OU of the organization.
Under AWS Organizations, service control policies are the mechanism that sets the maximum available permissions for member accounts; they do not grant permissions by themselves but only constrain what IAM principals in the account can do. Attaching the restrictive SCP at the root OU applies it to every account in the organization, and removing the default FullAWSAccess SCP is necessary because that policy otherwise allows all AWS services and would defeat the service allow list. The request-and-approval process is satisfied by updating the SCP to include only newly approved services, while each team still retains full administrative rights within its account for anything not blocked by the SCP.
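The following added example (not AWS code or part of the original question) models the option D pattern: it builds the allow-list SCP from a constructed list of approved services and uses a simplified evaluator to show that the allow list has no effect while FullAWSAccess is still attached at the root. The evaluator covers only Action matching at one level of the hierarchy; real SCP evaluation also walks the OU tree and intersects with IAM policies.

```python
"""Simplified model of SCP allow-list evaluation (added example, not AWS code).

An action is available to an account only if some attached SCP has an Allow
statement matching it and no attached SCP has a Deny matching it.
"""
from fnmatch import fnmatchcase

# Default SCP that AWS attaches to the root: it allows every service.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def build_allow_list_scp(approved_services):
    """Build the allow-list SCP for the approved services (constructed list).

    SCP Allow statements must use Resource "*" and cannot carry conditions,
    so the document is a flat list of service-wide actions; the approval
    process amounts to adding a service to this list and re-deploying.
    """
    actions = sorted(f"{svc}:*" for svc in approved_services)
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}],
    }


def _matches(statement, action):
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    # IAM action names are matched case-insensitively.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_allows(action, attached_scps):
    """Return True if the attached SCPs leave `action` available to the account."""
    explicitly_allowed = False
    for scp in attached_scps:
        for stmt in scp["Statement"]:
            if not _matches(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny always wins
            explicitly_allowed = True
    return explicitly_allowed  # no matching Allow means implicit deny


if __name__ == "__main__":
    approved = build_allow_list_scp(["ec2", "s3", "cloudwatch", "logs"])
    # With FullAWSAccess still attached, the allow list changes nothing.
    print(scp_allows("lambda:InvokeFunction", [FULL_AWS_ACCESS, approved]))  # True
    # After detaching FullAWSAccess, only approved services remain usable.
    print(scp_allows("lambda:InvokeFunction", [approved]))  # False
    print(scp_allows("s3:GetObject", [approved]))  # True
```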