Domain 1.1: Secure Access — AWS SAA-C03 Practice Question 01

How to approach this question

Identify the requirement for cross-account, centralized permission boundaries. SCPs are the standard AWS Well-Architected way to enforce organization-wide guardrails.

Full Answer

B.Create a Service Control Policy (SCP) that denies the cloudtrail:StopLogging action and attach it to the organization root.✓ Correct

Service Control Policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. By attaching an SCP to the root, it cascades down to all OUs and member accounts.

Common mistakes

Confusing IAM policies (which must be applied per account/user) with SCPs (which apply organization-wide guardrails).

A company has multiple AWS accounts in an AWS Organizations organization. The security team wants to ensure that no user or role in any member account can disable AWS CloudTrail. What is the MOST efficient way to enforce this requirement?

How to approach this question

Full Answer

Common mistakes

Practice the full AWS SAA-C03 Practice Exam 1

More questions from this exam