AWS Certified Solutions Architect – Associate (SAA-C02) — Question 20
A security team wants to limit access to specific services or actions in all of the team's AWS accounts. All accounts belong to a large organization in AWS Organizations.
The solution must be scalable and there must be a single point where permissions can be maintained.
What should a solutions architect do to accomplish this?
Answer options
- A. Create an ACL to provide access to the services or actions.
- B. Create a security group to allow accounts and attach it to user groups.
- C. Create cross-account roles in each account to deny access to the services or actions.
- D. Create a service control policy in the root organizational unit to deny access to the services or actions.
Correct answer: D
Explanation
The correct answer is D because a service control policy (SCP) in AWS Organizations allows centralized control over permissions across accounts and can effectively deny access to specific services or actions. Options A and B do not provide the necessary scalability and centralized management, while option C involves creating roles that would not be as efficient for managing permissions across multiple accounts.