AWS Certified Solutions Architect – Associate (SAA-C03) — Question 550
A company has separate AWS accounts for its finance, data analytics, and development departments. Because of costs and security concerns, the company wants to control which services each AWS account can use.
Which solution will meet these requirements with the LEAST operational overhead?
Answer options
- A. Use AWS Systems Manager templates to control which AWS services each department can use.
- B. Create organizational units (OUs) for each department in AWS Organizations. Attach service control policies (SCPs) to the OUs.
- C. Use AWS CloudFormation to automatically provision only the AWS services that each department can use.
- D. Set up a list of products in AWS Service Catalog in the AWS accounts to manage and control the usage of specific AWS services.
Correct answer: B
Explanation
Attaching service control policies (SCPs) to organizational units (OUs) in AWS Organizations is the most efficient, centralized method to restrict service access across multiple AWS accounts. AWS Systems Manager and AWS CloudFormation are not designed for enforcing account-level service restrictions. AWS Service Catalog can control product deployment, but configuring and maintaining portfolios across separate accounts requires significant operational overhead compared to SCPs.