AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 343

A company is using AWS Organizations and wants to implement a governance strategy with the following requirements:

• AWS resource access is restricted to the same two Regions for all accounts.
• AWS services are limited to a specific group of authorized services for all accounts.
• Authentication is provided by Active Directory.
• Access permissions are organized by job function and are identical in each account.

Which solution will meet these requirements?

Answer options

• A. Establish an organizational unit (OU) with group policies in the management account to restrict Regions and authorized services. Use AWS CloudFormation StackSets to provision roles with permissions for each job function, including an IAM trust policy for IAM identity provider authentication in each account.
• B. Establish a permission boundary in the management account to restrict Regions and authorized services. Use AWS CloudFormation StackSets to provision roles with permissions for each job function, including an IAM trust policy for IAM identity provider authentication in each account.
• C. Establish a service control policy in the management account to restrict Regions and authorized services. Use AWS Resource Access Manager (AWS RAM) to share management account roles with permissions for each job function, including AWS IAM Identity Center for authentication in each account.
• D. Establish a service control policy in the management account to restrict Regions and authorized services. Use AWS CloudFormation StackSets to provision roles with permissions for each job function, including an IAM trust policy for IAM identity provider authentication in each account.

Correct answer: D

Explanation

Service Control Policies (SCPs) managed in the AWS Organizations management account are the correct mechanism to globally restrict AWS Regions and services across all member accounts. Deploying consistent IAM roles across multiple accounts is best achieved using AWS CloudFormation StackSets, which can include trust policies pointing to an Active Directory-linked IAM identity provider for authentication. Other options are incorrect because group policies and permission boundaries cannot be applied globally from the management account to restrict member accounts, and AWS RAM cannot be used to share IAM roles.