A security team wants to limit access to specific services or actions across all AWS accounts in a large AWS Organizations organization. The solution must be scalable and provide a single place to maintain permissions. What should a solutions architect do?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a service control policy in the root organizational unit to deny access to the services or actions..
Why this is the answer
Service Control Policies (SCPs) are the correct choice because they offer a centralized, scalable way to manage permissions across all accounts in an AWS Organization. By attaching an SCP to the root organizational unit (OU), you can effectively deny access to specific services or actions for all accounts within that OU, including nested OUs and individual accounts. This meets the requirement for a single place to maintain permissions and ensures scalability. ACLs (Access Control Lists) are used for network traffic filtering, not for service-level access control within an AWS account. Security groups control inbound and outbound traffic for EC2 instances and other resources, not broad service access across accounts. Cross-account roles grant permissions to external accounts but would require individual creation and management in each account, which is not scalable for a large organization.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed