AWS Certified Solutions Architect – Professional — Question 292

A company has a single AWS master billing account, which is the root of the AWS Organizations hierarchy.
The company has multiple AWS accounts within this hierarchy, all organized into organization units (OUs). More OUs and AWS accounts will continue to be created as other parts of the business migrate applications to AWS. These business units may need to use different AWS services. The Security team is implementing the following requirements for all current and future AWS accounts:
✑ Control policies must be applied across all accounts to prohibit AWS servers.
✑ Exceptions to the control policies are allowed based on valid use cases.
Which solution will meet these requirements with minimal optional overhead?

Answer options

• A. Use an SCP in Organizations to implement a deny list of AWS servers. Apply this SCP at the level. For any specific exceptions for an OU, create a new SCP for that OU and add the required AWS services to the allow list.
• B. Use an SCP in Organizations to implement a deny list of AWS service. Apply this SCP at the root level and each OU. Remove the default AWS managed SCP from the root level and all OU levels. For any specific exceptions, modify the SCP attached to that OU, and add the required AWS services to the allow list.
• C. Use an SCP in Organizations to implement a deny list of AWS service. Apply this SCP at each OU level. Leave the default AWS managed SCP at the root level. For any specific executions for an OU, create a new SCP for that OU.
• D. Use an SCP in Organizations to implement an allow list of AWS services. Apply this SCP at the root level. Remove the default AWS managed SCP from the root level and all OU levels. For any specific exceptions for an OU, modify the SCP attached to that OU, and add the required AWS services to the allow list.

Correct answer: D

Explanation

Option D is correct because implementing an allow list strategy with Service Control Policies (SCPs) requires replacing the default FullAWSAccess SCP with a custom SCP that explicitly lists allowed services. By applying this custom allow list at the root and removing the default full-access SCP, all accounts are restricted by default, and exceptions can be easily managed at the OU level with minimal overhead. Deny lists (Options A, B, and C) are operationally complex and difficult to maintain when trying to restrict access to a large and growing number of unapproved AWS services.