AWS Certified Solutions Architect – Professional — Question 11

A company has implemented AWS Organizations. It has recently set up a number of new accounts and wants to deny access to a specific set of AWS services in these new accounts.
How can this be controlled MOST efficiently?

Answer options

• A. Create an IAM policy in each account that denies access to the services. Associate the policy with an IAM group, and add all IAM users to the group.
• B. Create a service control policy that denies access to the services. Add all of the new accounts to a single organizational unit (OU), and apply the policy to that OU.
• C. Create an IAM policy in each account that denies access to the services. Associate the policy with an IAM role, and instruct users to log in using their corporate credentials and assume the IAM role.
• D. Create a service control policy that denies access to the services, and apply the policy to the root of the organization.

Correct answer: B

Explanation

The correct answer is B because using a service control policy (SCP) at the organizational unit (OU) level allows for centralized management and efficient enforcement of access restrictions across multiple accounts. Options A and C involve creating individual IAM policies for each account, which is less efficient, while option D, applying the policy to the root, could unintentionally affect other accounts not intended for restriction.