
SOA-C02 Question #471: Real Exam Question with Answer & Explanation


Submitted by akirajp · Mar 30, 2026 · Security and Compliance

Question

A company has multiple AWS accounts. The company uses AWS Organizations with an organizational unit (OU) for the production account and another OU for the development account. Corporate policies state that developers may use only approved AWS services in the production account. What is the MOST operationally efficient solution to control the production account?

Options

  • A. Create a customer managed policy in AWS Identity and Access Management (IAM). Apply the
  • B. Create a job function policy in AWS Identity and Access Management (IAM). Apply the policy to
  • C. Create a service control policy (SCP). Apply the SCP to the production OU.
  • D. Create an IAM policy. Apply the policy in Amazon API Gateway to restrict the production account.

Explanation

Option C is correct because Service Control Policies (SCPs) are the native AWS Organizations feature designed exactly for this use case: they act as guardrails that restrict which services and actions are available across entire OUs or accounts, enforced centrally regardless of what IAM policies individual users have.

Why the distractors fail:

  • A & B (IAM policies): Customer-managed and job-function IAM policies must be attached to individual users, groups, or roles within an account - they require per-account maintenance and can be bypassed or overridden by account admins. They are not centrally enforced at the Organizations level.
  • D (API Gateway policy): API Gateway resource policies control access to API Gateway endpoints, not to AWS services broadly. This doesn't address service restriction across an account.

Memory tip: Think of SCPs as a "ceiling" - they define the maximum permissions possible in an account or OU, and no IAM policy can grant permissions above that ceiling. Whenever a question involves restricting AWS service usage across accounts or OUs centrally, SCP is almost always the answer.
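An allow-list SCP of the kind option C describes, attached to the production OU, is shown below as an added example that is not part of this question page; the set of approved services (EC2, S3, CloudWatch, CloudWatch Logs) is an assumed placeholder for the company's own approved list:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowApprovedServicesOnlyPlaceholderList",
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "s3:*",
        "cloudwatch:*",
        "logs:*"
      ],
      "Resource": "*"
    }
  ]
}
```

This only becomes a ceiling once the default FullAWSAccess SCP is detached from the production OU; an SCP Allow statement must use "Resource": "*" and cannot carry a Condition element. The SCP grants nothing on its own: principals still need matching IAM permissions, and the organization's management account is never restricted by SCPs.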

Topics

AWS Organizations · Service Control Policies (SCPs) · Security Governance · Account Management
