AWS Certified Security – Specialty (SCS-C02) — Question 9

A company is designing a multi-account structure for its development teams. The company is using AWS Organizations and AWS IAM Identity Center (AWS Single Sign-On). The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services.
Which solution will meet these requirements with the LEAST operational overhead?

Answer options

Correct answer: C

Explanation

The correct answer is C because service control policies (SCPs) provide a centralized way to manage permissions across organizational units in AWS Organizations, ensuring that teams can access only specific services and Regions with minimal overhead. Option A is incorrect because IAM Identity Center does not use service-linked roles for this purpose. Option B is not a viable solution because deactivating AWS STS does not restrict access at the service level. Option D, while functional, requires more management effort to create and maintain individual policies for each account.
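As an added illustration (not part of the exam question or its official explanation), the following SCP shows how one policy attached to an organizational unit enforces both requirements at once. The Region list, the allowed-service list, and the global-service exemptions are assumptions chosen for this example; a real deployment would substitute its own. The first statement denies any action whose `aws:RequestedRegion` is not an approved Region, while exempting global services (IAM, STS, Organizations, CloudFront, Route 53, Support) that are not Region-scoped and would otherwise be blocked. The second statement denies every service that is not on the allow-list, which is the service-level restriction the question asks for.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyActionsOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "cloudfront:*",
        "route53:*",
        "support:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "eu-west-1"
          ]
        }
      }
    },
    {
      "Sid": "DenyServicesNotOnAllowList",
      "Effect": "Deny",
      "NotAction": [
        "ec2:*",
        "s3:*",
        "lambda:*",
        "logs:*",
        "cloudwatch:*",
        "iam:*",
        "sts:*",
        "organizations:*"
      ],
      "Resource": "*"
    }
  ]
}
```

Because SCPs only set the maximum permissions boundary, the IAM Identity Center permission sets still grant the actual access; an identity that is allowed `ec2:*` by its permission set but calls EC2 in `ap-southeast-2` is denied by the first statement. Attaching the policy once to the development OU (for example with `aws organizations attach-policy --policy-id <POLICY_ID> --target-id <OU_ID>`) covers every current and future account in that OU, which is why this approach carries less operational overhead than per-account policies. Note that SCPs do not apply to the organization's management account, and that any service omitted from the second `NotAction` list, including new services a team later needs, is blocked until the SCP is updated.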