AWS Certified Security – Specialty — Question 384

A company is designing a multi-account structure for its development teams. The company is using AWS Organizations and AWS Single Sign-On (AWS SSO). The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services.

Which solution will meet these requirements with the LEAST operational overhead?

Answer options

• A. Use AWS SSO to set up service-linked roles with IAM policy statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
• B. Deactivate AWS Security Token Service (AWS STS) in Regions that the developers are not allowed to use.
• C. Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
• D. For each AWS account, create tailored identity-based policies for AWS SSO. Use statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.

Correct answer: C

Explanation

Service Control Policies (SCPs) in AWS Organizations allow administrators to centrally manage permission guardrails across multiple accounts, which minimizes operational overhead compared to configuring individual policies per account. Creating tailored identity-based policies or service-linked roles for each account (Options A and D) is highly inefficient and difficult to maintain. Disabling AWS STS (Option B) is insufficient because it does not restrict access to specific services within the allowed Regions.