AWS Certified Solutions Architect – Professional (SAP-C02) — Question 387

A company is using multiple AWS accounts and has multiple DevOps teams running production and non-production workloads in these accounts. The company would like to centrally-restrict access to some of the AWS services that the DevOps teams do not use. The company decided to use AWS Organizations and successfully invited all AWS accounts into the Organization. They would like to allow access to services that are currently in-use and deny a few specific services. Also they would like to administer multiple accounts together as a single unit.

What combination of steps should the solutions architect take to satisfy these requirements? (Choose three.)

Answer options

• A. Use a Deny list strategy.
• B. Review the Access Advisor in AWS IAM to determine services recently used
• C. Review the AWS Trusted Advisor report to determine services recently used.
• D. Remove the default FullAWSAccess SCP.
• E. Define organizational units (OUs) and place the member accounts in the OUs.
• F. Remove the default DenyAWSAccess SCP.

Correct answer: A, B, E

Explanation

To manage multiple accounts collectively as a single unit, the solutions architect must group them into Organizational Units (OUs). A Deny list strategy is the most efficient way to allow all services by default (keeping the FullAWSAccess SCP) while explicitly denying specific unused services. Using IAM Access Advisor allows the architect to inspect service-last-accessed data to determine which services are actually in use, whereas Trusted Advisor does not provide this specific service usage history.