Which option will allow administrators to make changes and continue to enforce the current policies without introducing additional long-term maintenance?
Remove the organization’s root SCPs that limit access to AWS Config. Create AWS Service Catalog products for the company’s standard AWS Config rules and deploy them throughout the organization, including the new account.
Create a temporary OU named Onboarding for the new account. Apply an SCP to the Onboarding OU to allow AWS Config actions. Move the new account to the Production OU when adjustments to AWS Config are complete.
Convert the organization’s root SCPs from deny list SCPs to allow list SCPs to allow the required services only. Temporarily apply an SCP to the organization’s root that allows AWS Config actions for principals only in the new account.
Create a temporary OU named Onboarding for the new account. Apply an SCP to the Onboarding OU to allow AWS Config actions. Move the organization’s root SCP to the Production OU. Move the new account to the Production OU when adjustments to AWS Config are complete.
Explanations:
Removing the organization’s root SCPs that limit AWS Config lifts the restriction for every account in the organization, not just the new one, which contradicts the goal of continuing to enforce the current policies. AWS Service Catalog products can distribute the company’s standard AWS Config rules, but they do not restore the guardrail that stopped accounts from changing those rules, and each product is one more artifact to version and maintain over time.
A temporary Onboarding OU is the right idea, but this option leaves the restrictive SCP attached to the organization’s root. SCPs are evaluated at every level from the root down to the account, and an explicit Deny at any level cannot be overridden by an Allow lower in the tree, so the Allow SCP on the Onboarding OU would have no effect and the new account would still be blocked from adjusting AWS Config.
Converting the root SCPs from a deny list to an allow list means every service the company permits must be enumerated, and the list must be updated whenever the organization adopts a new service, which is exactly the ongoing maintenance the question rules out. The temporary root SCP also has to be tracked and removed later, and because it sits at the root it touches every account in the organization for the sake of one.
Moving the organization’s root SCP to the Production OU is what makes this option work. With the Deny no longer on the path from the root to the Onboarding OU, the new account can make its AWS Config changes, while every account already in the Production OU keeps exactly the restriction it had before. Once the adjustments are complete, moving the new account into the Production OU places it back under the existing SCP, the Onboarding OU can be removed, and no new policies or products have to be maintained long term.
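The difference between the two Onboarding OU options comes down to how SCPs inherit. The evaluator below is an added example, not code from the original page or from AWS: it models the rule that an action is permitted in an account only when every level on the path from the organization root to the account allows it and no level explicitly denies it. The OU layout, the account IDs, and the shape of the company’s AWS Config deny SCP (assumed here to deny config:Put*, config:Delete* and config:Stop*) are constructed for the example.

```python
"""Added example: SCP inheritance evaluator (not the page's or AWS's code).

Models the AWS Organizations rule: an action is allowed for an account only
if every level from the root down to the account allows it (at least one
attached SCP has a matching Allow) and no level has a matching explicit Deny.
All policies, OU names and account IDs below are constructed for the example.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import Optional

# The default SCP that AWS attaches to every root, OU and account.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Assumed shape of the company's root SCP that "limits access to AWS Config".
DENY_CONFIG_CHANGES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["config:Put*", "config:Delete*", "config:Stop*"],
        "Resource": "*",
    }],
}

# The SCP the options attach to the temporary Onboarding OU.
ALLOW_CONFIG = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "config:*", "Resource": "*"}],
}


@dataclass
class Node:
    """A root, OU or account together with the SCPs attached directly to it."""
    name: str
    policies: list = field(default_factory=lambda: [FULL_AWS_ACCESS])
    children: list = field(default_factory=list)


def action_matches(pattern: str, action: str) -> bool:
    """IAM-style action matching: case-insensitive, '*' matches any run of characters."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_decision(policy: dict, action: str) -> Optional[str]:
    """'Deny' if any statement denies the action, 'Allow' if one allows it, else None."""
    decision = None
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(action_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def level_allows(node: Node, action: str) -> bool:
    """One level passes only with at least one Allow across its SCPs and no Deny."""
    decisions = [policy_decision(p, action) for p in node.policies]
    return "Deny" not in decisions and "Allow" in decisions


def path_to(node: Node, target: str) -> Optional[list]:
    """Nodes from `node` down to the node named `target`, or None if absent."""
    if node.name == target:
        return [node]
    for child in node.children:
        sub = path_to(child, target)
        if sub:
            return [node] + sub
    return None


def action_allowed(root: Node, account: str, action: str) -> bool:
    """Effective SCP result: every level on the root -> account path must allow it."""
    path = path_to(root, account)
    if path is None:
        raise KeyError(f"unknown account {account}")
    return all(level_allows(n, action) for n in path)


def move_account(root: Node, account: str, dest_ou: str) -> None:
    """Re-parent an account under another OU (what MoveAccount does in Organizations)."""
    path, dest = path_to(root, account), path_to(root, dest_ou)
    if not path or not dest:
        raise KeyError(f"unknown account or OU: {account}, {dest_ou}")
    path[-2].children.remove(path[-1])
    dest[-1].children.append(path[-1])


def option_b_layout() -> Node:
    """Deny SCP left on the root; Onboarding OU gets an Allow SCP (constructed IDs)."""
    onboarding = Node("Onboarding", [FULL_AWS_ACCESS, ALLOW_CONFIG], [Node("111111111111")])
    production = Node("Production", children=[Node("222222222222")])
    return Node("Root", [FULL_AWS_ACCESS, DENY_CONFIG_CHANGES], [onboarding, production])


def option_d_layout() -> Node:
    """Deny SCP moved from the root to the Production OU (constructed IDs)."""
    onboarding = Node("Onboarding", [FULL_AWS_ACCESS, ALLOW_CONFIG], [Node("111111111111")])
    production = Node("Production", [FULL_AWS_ACCESS, DENY_CONFIG_CHANGES], [Node("222222222222")])
    return Node("Root", children=[onboarding, production])


if __name__ == "__main__":
    for label, layout in (("deny left on root", option_b_layout()), ("deny moved to Production", option_d_layout())):
        new_ok = action_allowed(layout, "111111111111", "config:PutConfigRule")
        prod_ok = action_allowed(layout, "222222222222", "config:PutConfigRule")
        print(f"{label}: new account may PutConfigRule={new_ok}, production account={prod_ok}")
```

Running it shows the new account blocked in the first layout even though its OU carries an Allow SCP, and permitted only in the second layout, where the Deny is no longer on its path; moving the account into Production afterwards puts it back under the Deny. Note that the Allow SCP on the Onboarding OU adds nothing the default FullAWSAccess policy does not already allow: what unblocks the account is removing the Deny from its path, which is why SCPs are a ceiling on permissions rather than a grant.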