AWS Certified SysOps Administrator – Associate (legacy) — Question 526

A company is operating a multi-account environment under a single organization using AWS Organizations. The Security team discovers that some employees are using AWS services in ways that violate company policies. A SysOps Administrator needs to prevent all users of an account, including the root user, from performing certain restricted actions.
What should be done to accomplish this?

Answer options

• A. Apply service control policies (SCPs) to allow approved actions only
• B. Apply service control policies (SCPs) to prevent restricted actions
• C. Define permissions boundaries to allow approved actions only
• D. Define permissions boundaries to prevent restricted actions

Correct answer: B

Explanation

Service control policies (SCPs) in AWS Organizations can restrict actions for all IAM users and roles in an account, including the root user. To block specific prohibited behaviors, an SCP with explicit deny statements should be applied to the target account or organizational unit. Permissions boundaries do not apply to the root user, making options C and D incorrect, while option A is less optimal than B because explicitly denying restricted actions is a more direct way to prevent specific violations without disrupting other allowed services.