AWS Certified SysOps Administrator – Associate (legacy) — Question 874
A company is using AWS Organizations to manage all their accounts. The Chief Technology Officer wants to prevent certain services from being used within production accounts until the services have been internally certified. They are willing to allow developers to experiment with these uncertified services in development accounts but need a way to ensure that these services are not used within production accounts.
Which option ensures that services are not allowed within the production accounts, yet are allowed in separate development accounts within the LEAST administrative overhead?
Answer options
- A. Use AWS Config to shut down non-compliant services found within the production accounts on a periodic basis, while allowing these same services to run in the development accounts.
- B. Apply service control policies to the AWS Organizational Unit (OU) containing the production accounts to whitelist certified services. Apply a less restrictive policy to the OUs containing the development accounts.
- C. Use IAM policies applied to the combination of user and account to prevent developers from using these services within the production accounts. Allow the services to run in development accounts.
- D. Use Amazon CloudWatch to report on the use of non-certified services within any account, triggering an AWS Lambda function to terminate only those non- certified services when found in a production account.
Correct answer: B
Explanation
Service Control Policies (SCPs) managed via AWS Organizations offer the most efficient, centralized, and secure method to restrict access to AWS services at the Organizational Unit (OU) level. Applying a restrictive SCP to the production OU prevents anyone—including administrators—from deploying uncertified services, while keeping development OUs flexible. Alternative approaches using AWS Config, IAM, or Lambda-based remediation introduce significant administrative overhead and do not proactively block service creation.