SOA-C02 Question #682: Real Exam Question with Answer & Explanation
The correct answer is A: Create a service control policy (SCP) that denies the LeaveOrganization action. Apply the SCP to.
Question
A company that uses AWS Organizations has an organization that contains several AWS accounts. A SysOps administrator needs to implement controls to prevent an account from leaving the organization. Which solution will meet these requirements?
Options
- A. Create a service control policy (SCP) that denies the LeaveOrganization action. Apply the SCP to
- B. Create a service control policy (SCP) that denies the RemoveAccountFromOrganization action.
- C. Deploy an AWS Lambda function in each member account to remove any Organizations
- D. Turn on AWS Config. Set up the account-part-of-organizations managed rule. Configure the rule to
Explanation
An SCP can block any account-level API call, including organizations:LeaveOrganization, across all member accounts. Attaching a policy that explicitly denies LeaveOrganization to the root OU ensures no account in the organization can remove itself.
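The control described in the explanation, as an added example that is not part of the original page: the SCP document plus the AWS CLI calls that create it and attach it to the organization root. The policy name, Sid and description are assumptions, and the script assumes management-account credentials with SCPs already enabled for the organization.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Assumes the AWS CLI, credentials
# for the organization's management account, and the SERVICE_CONTROL_POLICY
# policy type already enabled on the root. Names below are illustrative.

# Emit the SCP document: an explicit Deny on organizations:LeaveOrganization.
scp_document() {
  cat <<'JSON'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeaveOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    }
  ]
}
JSON
}

# Create the SCP, attach it to the organization root, then list the SCPs on the
# root so the attachment can be confirmed.
apply_scp() {
  local root_id policy_id
  root_id=$(aws organizations list-roots \
    --query 'Roots[0].Id' --output text) || return 1
  policy_id=$(aws organizations create-policy \
    --name DenyLeaveOrganization \
    --description "Prevent member accounts from leaving the organization" \
    --type SERVICE_CONTROL_POLICY \
    --content "$(scp_document)" \
    --query 'Policy.PolicySummary.Id' --output text) || return 1
  aws organizations attach-policy \
    --policy-id "$policy_id" --target-id "$root_id" || return 1
  aws organizations list-policies-for-target \
    --target-id "$root_id" --filter SERVICE_CONTROL_POLICY \
    --query 'Policies[].Name' --output text
}

# Nothing touches AWS unless the script is run with --apply.
if [ "${1:-}" = "--apply" ]; then apply_scp; fi
```

SCPs do not restrict principals in the management account itself, so the deny takes effect in member accounts only.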