AWS Certified SysOps Administrator – Associate (legacy) — Question 910

A company has created a separate AWS account for all development work to protect the production environment. In this development account, developers have permission to manipulate IAM policies and roles. Corporate policies require that developers are blocked from accessing some services.
What is the BEST way to grant the developers privileges in the development account while still complying with corporate policies?

Answer options

• A. Create a service control policy in AWS Organizations and apply it to the development account.
• B. Create a customer managed policy in IAM and apply it to all users within the development account.
• C. Create a job function policy in IAM and apply it to all users within the development account.
• D. Create an IAM policy and apply it in API Gateway to restrict the development account.

Correct answer: A

Explanation

Service Control Policies (SCPs) in AWS Organizations allow organizations to set permission guardrails that even administrators or users with full IAM access within the member account cannot bypass. Since developers in this account have the ability to manipulate IAM policies, any local IAM-based restrictions (Options B and C) could easily be altered or removed by the developers themselves. Option D is incorrect because API Gateway resource policies cannot restrict general AWS service access across the entire account.