AWS Certified Solutions Architect – Professional (SAP-C02) — Question 455

A company uses AWS Organizations to manage its AWS accounts. A solutions architect must design a solution in which only administrator roles are allowed to use IAM actions. However, the solutions architect does not have access to all the AWS accounts throughout the company.

Which solution meets these requirements with the LEAST operational overhead?

Answer options

Correct answer: C

Explanation

Attaching a service control policy (SCP) to the organization root applies it to every OU and member account in the organization, so the solutions architect can enforce the restriction centrally without logging in to, or even having access to, the individual accounts. The SCP is written as an explicit Deny on `iam:*` with a `StringNotLike` condition on `aws:PrincipalARN` that exempts the administrator role ARN(s); every other principal in a member account is then denied IAM actions regardless of the identity-based permissions it holds, because an SCP deny cannot be overridden by any IAM policy inside the account. One policy, attached once at the root, with nothing to maintain per account, is the least operational overhead. Two caveats a practitioner should keep in mind: SCPs require the organization to have all features enabled, and they never apply to the management account, so the management account must be protected by other means.

The other options fall short: permissions boundaries must be attached to each user and role in each account, which requires exactly the account access the architect does not have; a reactive design built on Lambda (detecting IAM changes after the fact and reverting them) is complex and does not prevent the action from succeeding; and an allow-list SCP that simply omits IAM actions blocks them for the administrator roles as well, so it cannot express "only administrator roles may use IAM".
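The following is an added example, not part of the original question or of any AWS-provided sample. It builds the deny-with-exception SCP described above and includes a small evaluator that applies the SCP's own matching rules (IAM-style `*`/`?` wildcards, case-insensitive action names, `StringNotLike` on `aws:PrincipalARN`) so the policy can be checked offline before it is attached. The role name `OrganizationAdminRole` and the account ID `111122223333` are assumptions chosen for illustration.

```python
import fnmatch
import json

# Assumed administrator role name; substitute the organization's real role name(s).
ADMIN_ROLE_NAMES = ["OrganizationAdminRole"]


def build_scp(admin_role_names):
    """Return an SCP that denies every IAM action except to the named roles.

    The Deny carries a StringNotLike condition on aws:PrincipalARN, so a caller
    whose principal ARN matches one of the exempt patterns is untouched and
    everyone else is denied. For a role session, aws:PrincipalARN is the ROLE
    ARN (arn:aws:iam::ACCOUNT:role/NAME), not the STS assumed-role ARN, so the
    pattern must target role/<name>. The account ID is wildcarded because the
    same SCP, attached at the organization root, applies to every member account.
    """
    exempt = [f"arn:aws:iam::*:role/{name}" for name in admin_role_names]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyIAMExceptAdminRoles",
                "Effect": "Deny",
                "Action": "iam:*",
                "Resource": "*",
                "Condition": {"StringNotLike": {"aws:PrincipalARN": exempt}},
            }
        ],
    }


def _matches_any(value, patterns, case_sensitive=True):
    """IAM-style wildcard match: '*' and '?' behave as in StringLike."""
    if case_sensitive:
        return any(fnmatch.fnmatchcase(value, p) for p in patterns)
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def scp_denies(policy, principal_arn, action):
    """True if a Deny statement in the SCP blocks `action` for `principal_arn`.

    Simplified evaluator covering only what this SCP uses: Action wildcards and
    a StringNotLike condition on aws:PrincipalARN. A matching SCP Deny is final;
    no identity-based Allow in the member account can override it.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # IAM action names are matched case-insensitively.
        if not _matches_any(action, actions, case_sensitive=False):
            continue
        not_like = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalARN", [])
        if isinstance(not_like, str):
            not_like = [not_like]
        # StringNotLike is satisfied (and the Deny applies) only when NO pattern matches.
        if not_like and _matches_any(principal_arn, not_like):
            continue
        return True
    return False


if __name__ == "__main__":
    policy = build_scp(ADMIN_ROLE_NAMES)
    print(json.dumps(policy, indent=2))
    # Constructed principals in a hypothetical member account 111122223333.
    checks = [
        ("arn:aws:iam::111122223333:role/OrganizationAdminRole", "iam:CreateUser"),
        ("arn:aws:iam::111122223333:role/Developer", "iam:CreateUser"),
        ("arn:aws:iam::111122223333:user/alice", "iam:AttachUserPolicy"),
        ("arn:aws:iam::111122223333:role/Developer", "s3:GetObject"),
    ]
    for arn, act in checks:
        print(f"{arn:55} {act:22} denied={scp_denies(policy, arn, act)}")
```

Once the document looks right, it is created and attached with the real CLI commands `aws organizations create-policy --type SERVICE_CONTROL_POLICY` and `aws organizations attach-policy --target-id <root-id>`; verify from a non-administrator principal in one member account that an IAM call such as `iam:CreateUser` is refused before relying on it organization-wide.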