What is the BEST way to grant the developers privileges in the development account while still complying with corporate policies?
Create a service control policy in AWS Organizations and apply it to the development account.
Create a customer managed policy in IAM and apply it to all users within the development account.
Create a job function policy in IAM and apply it to all users within the development account.
Create an IAM policy and apply it in API Gateway to restrict the development account.
Explanations:
A service control policy (SCP) in AWS Organizations is the best way to centrally restrict which AWS services the accounts in an organization can use. An SCP sets the maximum permissions available to an account, so developers in the development account cannot access restricted services even if an IAM role or policy in that account grants them access. Because SCPs are enforced at the account level, they are the most appropriate solution.
A customer managed policy in IAM is used to define permissions for IAM users, groups, or roles. However, this would not address the corporate policy to block specific services at the account level. It’s not as effective as using SCPs for cross-account service restrictions.
A job function policy in IAM is a managed policy provided by AWS for common job functions, such as admin or developer. However, it does not provide the fine-grained control needed to block access to certain AWS services as per corporate policy.
Restricting services in API Gateway using an IAM policy is not the correct approach to prevent access to services at the account level. API Gateway is a service-specific solution and would not globally prevent developers from accessing restricted services across the entire account.