What combination of steps should the solutions architect take to satisfy these requirements?
(Choose three.)
Use a Deny list strategy.
Review the Access Advisor in AWS IAM to determine services recently used.
Review the AWS Trusted Advisor report to determine services recently used.
Remove the default FullAWSAccess SCP.
Define organizational units (OUs) and place the member accounts in the OUs.
Remove the default DenyAWSAccess SCP.
Explanations:
Using a Deny list strategy in Service Control Policies (SCPs) allows the organization to restrict specific services that are not in use across multiple accounts.
Reviewing the Access Advisor in AWS IAM helps determine which services are actively used, allowing the organization to make informed decisions about which services to restrict.
AWS Trusted Advisor does not provide insights into services used within accounts; it is mainly for cost optimization, security, and compliance checks.
Removing the default FullAWSAccess SCP is not recommended because it would block all service access, overriding other permissions granted in the accounts.
Organizing accounts into Organizational Units (OUs) allows for structured and centralized management of accounts as single units, facilitating SCP application by group.
There is no default SCP called DenyAWSAccess, so removing it does not contribute to the solution requirements.