AWS Certified SysOps Administrator – Associate — Question 272

A company has multiple AWS accounts. The company uses AWS Organizations with an organizational unit (OU) for the production account and another OU for the development account. Corporate policies state that developers may use only approved AWS services in the production account.

What is the MOST operationally efficient solution to control the production account?

Answer options

• A. Create a customer managed policy in AWS Identity and Access Management (IAM). Apply the policy to all users within the production account.
• B. Create a job function policy in AWS Identity and Access Management (IAM). Apply the policy to all users within the production OU.
• C. Create a service control policy (SCP). Apply the SCP to the production OU.
• D. Create an IAM policy. Apply the policy in Amazon API Gateway to restrict the production account.

Correct answer: C

Explanation

Service control policies (SCPs) are designed to centrally manage permissions across multiple AWS accounts within an OU, making them the most operationally efficient solution for restricting AWS service usage. Managing IAM policies at the user level (Options A and B) is operationally inefficient and difficult to scale. Option D is incorrect because Amazon API Gateway is not a service used for account-wide AWS resource and service restrictions.