Difficulty: Medium · 1 mark · Multiple Choice
Domain 1.2: Security Controls · Tags: Security, Organizations, SCP

AWS SAP-C02 · Question 42 · Domain 1.2: Security Controls

An enterprise uses AWS Organizations. They want to ensure that developers in the 'Sandbox' Organizational Unit (OU) can only use a specific set of approved AWS services (e.g., EC2, S3, RDS), and are explicitly denied access to all other services. How can this be achieved?

Answer options:

A. Create an IAM policy with the approved services and attach it to all users in the Sandbox accounts.

B. Attach an SCP to the Sandbox OU that uses an 'Allow' list for the approved services.

C. Use AWS Service Catalog to provision only the approved services.

D. Configure AWS Config rules to terminate resources created from unapproved services.

How to approach this question

Identify the mechanism for setting maximum permissions at the OU level.

Full Answer

B. Attach an SCP to the Sandbox OU that uses an 'Allow' list for the approved services. ✓ Correct
Service Control Policies (SCPs) can be used as an 'allow list' to explicitly define which services are permitted within an OU. Any service not on the list is implicitly denied, regardless of IAM permissions.
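An allow-list SCP for the Sandbox OU, as an added example (not from the original page or the exam); the service list is the one the question gives, and the OU and account identifiers are not part of the policy. In an SCP, `Allow` statements must use `"Resource": "*"` and cannot carry a `Condition`, and the allow list only takes effect once the default `FullAWSAccess` SCP is detached from the OU, since that policy would otherwise still permit every service.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SandboxApprovedServicesOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "s3:*",
        "rds:*"
      ],
      "Resource": "*"
    }
  ]
}
```

Any service not listed (Lambda, for example) is implicitly denied for every principal in the OU's accounts, including the account root user, but an SCP never grants access by itself; developers still need matching IAM permissions in their own accounts.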

Common mistakes

Relying on IAM policies, which don't provide centralized, unbreakable guardrails across accounts.

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 1
