AWS Certified SysOps Administrator – Associate (legacy) — Question 605
A company has an AWS account for each department and wants to consolidate billing and reduce overhead. The company wants to make sure that the finance team is denied access to services other than Amazon EC2, the security team is denied access to services other than AWS CloudTrail, and IT can access any resource.
Which solution meets these requirements with the LEAST amount of operational overhead?
Answer options
- A. Create a role for each department within AWS IAM and assign each role the necessary permissions.
- B. Create a user for each department within AWS IAM and assign each user the necessary permissions.
- C. Implement service control policies within AWS Organizations to determine which resources each department can access.
- D. Place each department into an organizational unit (OU) within AWS Organizations and use IAM policies to determine which resources they can access.
Correct answer: C
Explanation
Service control policies (SCPs) in AWS Organizations let administrators centrally set the maximum permissions available in member accounts, with minimal administrative overhead. By attaching an SCP to the finance account that allows only Amazon EC2 actions, and one to the security account that allows only AWS CloudTrail actions, the company enforces the restriction at the account level regardless of what IAM users or roles exist inside those accounts; the IT account keeps the default FullAWSAccess SCP, so nothing is capped there. Two caveats matter in practice: an SCP never grants permissions (principals still need IAM policies inside the account), and SCPs do not apply to the management account, so each department must live in a member account. Options A and B require creating and maintaining IAM identities and policies separately in every account. Option D places the accounts into OUs but still relies on per-account IAM policies, since IAM policies cannot be attached to an OU; it gains nothing over A and B.
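The following is an added illustration, not code from the page or from AWS: a small Python model of how an SCP caps what IAM can grant in a member account. It encodes the three policies the question implies (an allow-list SCP for finance, a deny-list SCP for security, and the default FullAWSAccess left on the IT account) and evaluates actions against them. The evaluation order follows the documented SCP behaviour (every level from the root down to the account must allow the action, an explicit Deny at any level wins, and the identity's IAM policy must also allow it), but the matcher is a simplification: it handles `Action`/`NotAction` wildcards only, with no conditions, resources or principals. The policy documents and identity policies are constructed for this example; a real allow-list SCP restricted to `ec2:*` would also block supporting services such as IAM and STS, which the question ignores.

```python
"""Simplified model of SCP plus IAM evaluation in an AWS Organizations member account.

Added example for this question; not AWS code. Policy matching is a
simplification (Action/NotAction wildcards only; no Condition, Resource
or Principal handling).
"""
import fnmatch

# Default SCP that AWS attaches to every root, OU and account.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Allow-list style SCP for the finance account: only EC2 actions are usable.
# FullAWSAccess must be detached from the account for this to take effect.
FINANCE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

# Deny-list style SCP for the security account: everything except CloudTrail is blocked.
SECURITY_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "NotAction": "cloudtrail:*", "Resource": "*"},
    ],
}

# Constructed IAM identity policies used inside the accounts.
ADMIN_IAM = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
READ_ONLY_EC2_IAM = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}],
}


def _matches(patterns, action):
    """Case-insensitive wildcard match of an action against one or more patterns."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _statement_applies(stmt, action):
    """A statement applies if Action matches, or if NotAction does not match."""
    if "Action" in stmt:
        return _matches(stmt["Action"], action)
    return not _matches(stmt["NotAction"], action)


def policy_decision(policy, action):
    """Return 'deny', 'allow' or 'implicit_deny' for a single policy document."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # explicit Deny always wins within a document
        decision = "allow"
    return decision


def scp_level_allows(policies, action):
    """One level (root, OU or account) allows the action if no attached SCP
    denies it and at least one attached SCP explicitly allows it."""
    decisions = [policy_decision(p, action) for p in policies]
    return "deny" not in decisions and "allow" in decisions


def is_allowed(scp_levels, identity_policy, action):
    """Effective permission: every SCP level on the path to the account must
    allow the action AND the principal's IAM policy must allow it."""
    scps_allow = all(scp_level_allows(level, action) for level in scp_levels)
    return scps_allow and policy_decision(identity_policy, action) == "allow"


# Path root -> account for each department (root keeps FullAWSAccess).
FINANCE_LEVELS = [[FULL_AWS_ACCESS], [FINANCE_SCP]]
SECURITY_LEVELS = [[FULL_AWS_ACCESS], [SECURITY_SCP]]
IT_LEVELS = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS]]
# Common misconfiguration: FullAWSAccess left attached next to the allow-list SCP,
# so the account level still allows everything.
FINANCE_LEVELS_MISCONFIGURED = [[FULL_AWS_ACCESS], [FINANCE_SCP, FULL_AWS_ACCESS]]


if __name__ == "__main__":
    for name, levels in [("finance", FINANCE_LEVELS), ("security", SECURITY_LEVELS), ("it", IT_LEVELS)]:
        for action in ("ec2:RunInstances", "cloudtrail:LookupEvents", "s3:GetObject"):
            print(f"{name:8} {action:24} {is_allowed(levels, ADMIN_IAM, action)}")
```

Two results worth noticing when running it: with FullAWSAccess still attached beside the finance SCP, `s3:GetObject` is allowed again, which is why allow-list SCPs only work once the default policy is detached at that level; and an IT principal holding only `ec2:Describe*` cannot run `ec2:RunInstances` even though the SCP allows it, because an SCP never grants anything on its own.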