AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 162
A company is launching an application. The application must use only approved AWS services. The account that runs the application was created less than 1 year ago and is assigned to an AWS Organizations OU.
The company needs to create a new Organizations account structure. The account structure must have an appropriate SCP that supports the use of only services that are currently active in the AWS account. The company will use AWS Identity and Access Management (IAM) Access Analyzer in the solution.
Which solution will meet these requirements?
Answer options
- A. Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the new OU. Detach the default FullAWSAccess SCP from the new OU.
- B. Create an SCP that denies the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the new OU.
- C. Create an SCP that allows the services that IAM Access Analyzer identifies. Attach the new SCP to the organization's root.
- D. Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the management account. Detach the default FullAWSAccess SCP from the new OU.
Correct answer: A
Explanation
Answer A is correct because the SCP allows only the services that IAM Access Analyzer identifies as active, and the account is placed in its own OU with that SCP attached. Detaching the default FullAWSAccess SCP from the new OU is essential: SCPs attached at the same level are evaluated together, so leaving FullAWSAccess in place would still permit every service and the allow list would have no effect. The other options either deny the services that are actually in use (B) or attach the SCP to the organization's root or the management account (C, D), which does not meet the requirement of restricting this specific account to its active services.
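As an added illustration of why option A works and why the FullAWSAccess detach step matters (example code written for this page, not AWS documentation or tooling), the script below builds an allow-list SCP from a constructed list of services and simulates SCP evaluation across the root and the new OU. The service list and the action-matching rules are simplified assumptions: real SCP evaluation also handles NotAction, Resource and Condition elements.

```python
# Services that IAM Access Analyzer identified as active in the account.
# Constructed sample values for this example, not real findings.
ACTIVE_SERVICES = ["ec2", "s3", "cloudwatch", "logs"]

# The default SCP that AWS Organizations attaches to the root and to every OU.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def build_allow_list_scp(services):
    """Allow-list SCP: only actions of the listed services may be used.
    SCPs set a ceiling; an identity still needs an IAM policy that grants the action."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": sorted(f"{svc}:*" for svc in services),
                           "Resource": "*"}]}

def _matches(pattern, action):
    """Simplified matching: '*', 'service:*' or an exact 'service:Action'."""
    if pattern == "*":
        return True
    p_svc, _, p_act = pattern.partition(":")
    a_svc, _, a_act = action.partition(":")
    return p_svc == a_svc and p_act in ("*", a_act)

def _stmt_matches(stmt, action):
    acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    return any(_matches(p, action) for p in acts)

def effective_allow(levels, action):
    """SCP evaluation: an explicit Deny in any SCP at any level wins; otherwise at
    least one SCP at every level (root, each OU, account) must Allow the action."""
    for scps in levels:
        for scp in scps:
            if any(s["Effect"] == "Deny" and _stmt_matches(s, action) for s in scp["Statement"]):
                return False
    return all(any(s["Effect"] == "Allow" and _stmt_matches(s, action)
                   for scp in scps for s in scp["Statement"]) for scps in levels)

def check(action, full_access_detached_from_ou):
    """Root keeps FullAWSAccess; the new OU carries the allow-list SCP (option A)."""
    ou_scps = [build_allow_list_scp(ACTIVE_SERVICES)]
    if not full_access_detached_from_ou:
        ou_scps.append(FULL_AWS_ACCESS)  # the detach step of option A skipped
    return effective_allow([[FULL_AWS_ACCESS], ou_scps], action)

if __name__ == "__main__":
    for detached in (False, True):
        print(f"FullAWSAccess detached from OU={detached}:",
              "lambda:InvokeFunction allowed =", check("lambda:InvokeFunction", detached))
```

With FullAWSAccess still attached to the OU, an unapproved service such as Lambda remains allowed; once it is detached, only the listed services pass the SCP check.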