What should a solutions architect do to accomplish this?

By:
In: SAA-C02
Tagged:
With: 1 Comment
A security team to limit access to specific services or actions in all of the team’s AWS accounts.All accounts belong to a large organization in AWS Organizations.The solution must be scalable and there must be a single point where permissions can be maintained.

What should a solutions architect do to accomplish this?

Create an ACL to provide access to the services or actions.

Create a security group to allow accounts and attach it to user groups.

Create cross-account roles in each account to deny access to the services or actions.

Create a service control policy in the root organizational unit to deny access to the services or actions.

Explanations:

ACLs (Access Control Lists) are not suitable for managing permissions across multiple AWS accounts and do not provide centralized management in an organizational context.

Security groups are primarily used for controlling inbound and outbound traffic to resources (like EC2 instances) and do not manage permissions at the account level across an organization.

While cross-account roles can be used to manage permissions, creating roles in each account does not provide a centralized solution for scalable management.

Service Control Policies (SCPs) allow for centralized management of permissions across all accounts in an AWS Organization, making it scalable and efficient for limiting access to specific services or actions.

2025-09-29

1 Comment

  1. Edward
    Author

    In my opinion, the answer is:
    Create a service control policy in the root organizational unit to deny access to the services or actions.

Leave a Reply to Edward Cancel reply

Your email address will not be published. Required fields are marked *

six + 14 =