AWS Certified Solutions Architect – Associate (SAA-C03) — Question 155
A security team wants to limit access to specific services or actions in all of the team’s AWS accounts. All accounts belong to a large organization in AWS Organizations. The solution must be scalable and there must be a single point where permissions can be maintained.
What should a solutions architect do to accomplish this?
Answer options
- A. Create an ACL to provide access to the services or actions.
- B. Create a security group to allow accounts and attach it to user groups.
- C. Create cross-account roles in each account to deny access to the services or actions.
- D. Create a service control policy in the root organizational unit to deny access to the services or actions.
Correct answer: D
Explanation
The correct answer is D. A service control policy (SCP) attached at the root of the organization centrally manages permissions across all accounts in the organization, which makes it scalable and gives the team a single point where permissions are maintained. Options A and B are incorrect because ACLs and security groups are not mechanisms for managing access to services or actions across the accounts of an organization in AWS Organizations. Option C is neither scalable nor centralized, since it would require managing roles in each individual account.