AWS Certified SysOps Administrator – Associate — Question 423

A company wants to prohibit its developers from using a particular family of Amazon EC2 instances. The company uses AWS Organizations and wants to apply the restriction across multiple accounts.
What is the MOST operationally efficient way for the company to apply service control policies (SCPs) to meet these requirements?

Answer options

• A. Add the accounts to an organizational unit (OU). Apply the SCPs to the OU.
• B. Add the accounts to resource groups in AWS Resource Groups. Apply the SCPs to the resource groups.
• C. Apply the SCPs to each developer account
• D. Enroll the accounts with AWS Control Tower. Apply the SCPs to the AWS Control Tower management account.

Correct answer: A

Explanation

Applying SCPs to an Organizational Unit (OU) is the most operationally efficient method because all member accounts within the OU automatically inherit the policy, minimizing management overhead. Attaching SCPs to individual accounts requires repetitive manual effort, while AWS Resource Groups cannot have SCPs applied to them. Applying the SCP to the management account would restrict the management account rather than targeting only the developer accounts.