How should a DevOps engineer configure the accounts to meet these requirements?
Use AWS CloudFormation StackSets to provision IAM policies in each account to deny access to restricted AWS services. In each account, configure AWS Config rules that ensure that the policies are attached to IAM principals in the account.
Use AWS Control Tower to provision the accounts into OUs within the organization. Configure AWS Control Tower to enable AWS IAM Identity Center (AWS Single Sign-On). Configure IAM Identity Center to provide administrative access. Include deny policies on user roles for restricted AWS services.
Place all the accounts under a new top-level OU within the organization. Create an SCP that denies access to restricted AWS services. Attach the SCP to the OU.
Create an SCP that allows access to only approved AWS services. Attach the SCP to the root OU of the organization. Remove the FullAWSAccess SCP from the root OU of the organization.
Explanations:
Using IAM policies provisioned through CloudFormation StackSets would let teams retain admin rights, but it does not provide organization-wide enforcement: the policies live inside each account, where an administrator can modify or detach them, so unauthorized service use is not reliably prevented at the account level.
AWS Control Tower and IAM Identity Center can provide admin access but do not inherently restrict service access, and using deny policies on user roles isn’t sufficient for consistent enforcement.
An SCP denying access to restricted services would block those services, but a deny list is costly to maintain when the approved list changes often: every newly approved or newly restricted service requires a policy update.
An SCP that allows only approved services ensures all accounts adhere to company policy without allowing unintended service access, while keeping teams’ full admin rights within approved services.
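The reasoning behind the last option depends on how SCPs combine: within one level of the hierarchy the allows of all attached SCPs are unioned and an explicit deny wins, while across the path from root to account the result is the intersection of every level. The Python below is an added example, not part of this question bank; it models that evaluation with a constructed OU path and a constructed approved-service list, and shows that an allow-list SCP at the root restricts nothing until FullAWSAccess is detached from the root.

```python
"""Model AWS Organizations SCP evaluation along a root -> OU -> account path.

Added example with a constructed hierarchy and service list. Caveat the model
does not cover: SCPs never apply to the management account or to service-linked
roles, and they grant nothing by themselves; IAM policies must still allow the action.
"""
from fnmatch import fnmatchcase

# AWS-managed default SCP attached to every root, OU and account.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed allow-list SCP: only these services are approved company-wide.
APPROVED_ONLY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:*", "s3:*", "iam:*", "cloudwatch:*", "logs:*"],
    "Resource": "*",
}]}


def _matches(action, patterns):
    """Case-insensitive IAM-style wildcard match; Action may be a string or a list."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(action.lower(), p.lower()) for p in pats)


def level_allows(action, scps):
    """One level (root, OU or account): allowed if any attached SCP allows the
    action and no attached SCP explicitly denies it."""
    allowed = denied = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if _matches(action, stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def scp_permits(action, path):
    """path is a list of SCP lists ordered root -> OU -> account; every level must allow."""
    return all(level_allows(action, scps) for scps in path)


def misconfigured(action):
    """Allow-list attached at root but FullAWSAccess left attached there too."""
    return scp_permits(action, [[FULL_AWS_ACCESS, APPROVED_ONLY], [FULL_AWS_ACCESS], [FULL_AWS_ACCESS]])


def corrected(action):
    """FullAWSAccess removed from the root; OU and account keep their defaults."""
    return scp_permits(action, [[APPROVED_ONLY], [FULL_AWS_ACCESS], [FULL_AWS_ACCESS]])
```

Adding a newly approved service then means appending one `service:*` entry to APPROVED_ONLY at the root, which is the maintenance advantage the explanation refers to.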