AWS Certified SysOps Administrator – Associate (legacy) — Question 641

A large company has multiple AWS accounts that are assigned to each department. A SysOps administrator needs to help the company reduce overhead and manage its AWS resources more easily. The SysOps administrator also must ensure that department users, including AWS account root users, have access only to AWS services that are essential for their job function.
Which solution will meet these requirements?

Answer options

• A. Enable AWS Directory Service. Enforce Group Policy Objects (GPOs) on each department to restrict access.
• B. Migrate all the accounts to a central account. Create IAM groups for each department with only the necessary permissions.
• C. Use AWS Organizations and implement service control policies (SCPs) to ensure accounts use only essential AWS services.
• D. Use AWS Single Sign-On and configure it to limit access to only essential AWS services.

Correct answer: A

Explanation

Enabling AWS Directory Service and enforcing Group Policy Objects (GPOs) allows the organization to centrally manage and restrict access permissions across departmental boundaries. This approach ensures that administrative controls, including restrictions on root-level functions, are systematically applied through directory policies. Other options like consolidation or SSO do not leverage GPOs for directory-integrated compliance.