AWS Certified Solutions Architect – Professional — Question 326

A company uses AWS Organizations with a single OU named Production to manage multiple accounts. All accounts are members of the Production OU.
Administrators use deny list SCPs in the root of the organization to manage access to restricted services.
The company recently acquired a new business unit and invited the new unit's existing AWS account to the organization. Once onboarded, the administrators of the new business unit discovered that they are not able to update existing AWS Config rules to meet the company's policies.
Which option will allow administrators to make changes and continue to enforce the current policies without introducing additional long-term maintenance?

Answer options

• A. Remove the organization's root SCPs that limit access to AWS Config. Create AWS Service Catalog products for the company's standard AWS Config rules and deploy them throughout the organization, including the new account.
• B. Create a temporary OU named Onboarding for the new account. Apply an SCP to the Onboarding OU to allow AWS Config actions. Move the new account to the Production OU when adjustments to AWS Config are complete.
• C. Convert the organization's root SCPs from deny list SCPs to allow list SCPs to allow the required services only. Temporally apply an SCP to the organization's root that allows AWS Config actions for principals only in the new account.
• D. Create a temporary OU named Onboarding for the new account. Apply an SCP to the Onboarding OU to allow AWS Config actions. Move the organization's root SCP to the Production OU. Move the new account to the Production OU when adjustments to AWS Config are complete.

Correct answer: D

Explanation

Option D is correct because SCPs applied at the root level affect all accounts in the organization, meaning a root deny-list SCP would override any permissions granted in a sub-OU. Moving the root SCPs to the Production OU allows the new account to be placed in a temporary 'Onboarding' OU without being blocked by the deny-list policies. Once the administrators finish updating the AWS Config rules, moving the account into the Production OU restores the standard policy enforcement automatically without long-term maintenance.