AWS Certified SysOps Administrator – Associate (legacy) — Question 678

A company has multiple AWS accounts. The company uses AWS Organizations with an organizational unit (OU) for the production account and another OU for the development account. Corporate policies state that developers may use only approved AWS services in the production account.
What is the MOST operationally efficient solution to control the production account?

Answer options

• A. Create a customer managed policy in AWS Identity and Access Management (IAM). Apply the policy to all users within the production account.
• B. Create a job function policy in AWS Identity and Access Management (IAM). Apply the policy to all users within the production OU.
• C. Create a service control policy (SCP). Apply the SCP to the production OU.
• D. Create an IAM policy. Apply the policy in Amazon API Gateway to restrict the production account.

Correct answer: A

Explanation

Creating a customer managed policy in AWS Identity and Access Management (IAM) and applying it to all users in the production account allows the organization to precisely define and enforce which AWS services developers are permitted to use. While Service Control Policies (SCPs) can restrict services at an organizational unit level, applying a targeted customer managed IAM policy directly to the users within the production account ensures exact compliance with corporate developer policies. Other methods, such as applying IAM policies directly to an OU or utilizing Amazon API Gateway for account-wide service restrictions, are either not supported or architecturally incorrect.