Which solution will meet these requirements?
Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the new OU. Detach the default FullAWSAccess SCP from the new OU.
Create an SCP that denies the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the new OU.
Create an SCP that allows the services that IAM Access Analyzer identifies. Attach the new SCP to the organization’s root.
Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the management account. Detach the default FullAWSAccess SCP from the new OU.
Explanations:
This option is correct. SCPs are an allow list: an action is permitted in a member account only if, at every level of the hierarchy on the path to the account (the root, each OU, and the account itself), at least one attached SCP allows it, and no SCP at any level explicitly denies it. Creating an OU that contains only this account, attaching an SCP whose Allow statements cover exactly the services IAM Access Analyzer reported as in use, and then detaching the default FullAWSAccess SCP from that OU makes the OU level allow only those services while leaving every other account in the organization untouched. The order of the last two steps matters: AWS Organizations requires every root, OU and account to keep at least one SCP attached, so the replacement SCP must be attached before FullAWSAccess can be detached. Note also that an SCP only caps what the account can do; principals in the account still need IAM policies that actually grant the actions.
This option inverts the requirement. A Deny SCP for the services IAM Access Analyzer identified blocks exactly the services the application is using, while the FullAWSAccess SCP that remains attached to the OU continues to allow everything else, so the account could use every service except the ones it needs. A deny-list SCP is the right tool only when the goal is to block a few specific services and leave the rest open.
Attaching the SCP to the organization's root fails in two ways. First, this option leaves the default FullAWSAccess SCP attached to the root, and SCPs attached at the same level are combined, so an additional Allow SCP there adds nothing: the root still allows every action and the new policy has no restricting effect. Second, if FullAWSAccess were removed from the root instead, the restriction would apply to every account in the organization, limiting all of them to the services active in this one account. An SCP at the root cannot target a single account.
This option creates the OU but attaches the new SCP to the wrong place. SCPs never apply to the management account, so an SCP attached to it has no effect at all, and it does nothing for the member account in the new OU either. Detaching FullAWSAccess from the new OU without first attaching a replacement SCP is then refused by AWS Organizations, which requires every OU to keep at least one SCP attached; and if the OU were somehow left with no SCP allowing anything, every action in the member account would be implicitly denied. Either way the application loses access rather than being restricted to its active services.
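To make the reasoning in these explanations concrete, here is an added model of SCP evaluation (my own illustration, not AWS code or anything from the original page). It simplifies the real policy language: no Condition, NotAction or Resource handling, wildcards matched with fnmatch, and the management-account exemption reduced to a flag. The allow-list SCP stands in for one generated from IAM Access Analyzer findings; its three services, the probe actions, and the entity names are assumptions chosen for illustration. It builds the root, OU and account hierarchy each answer option would produce and shows which actions survive.

```python
import fnmatch

# Added model of SCP evaluation; not AWS code. Simplifications: no Condition,
# NotAction or Resource handling, and wildcard matching via fnmatch (* and ?).

# Default SCP that Organizations attaches to every root, OU and account.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}

# Constructed allow-list SCP standing in for one generated from the services
# IAM Access Analyzer reports as in use (services chosen for illustration).
ACTIVE_SERVICES_ALLOW = {
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "dynamodb:*", "lambda:*"]}]
}
# The inverted SCP from the second answer option.
ACTIVE_SERVICES_DENY = {
    "Statement": [{"Effect": "Deny", "Action": ["s3:*", "dynamodb:*", "lambda:*"]}]
}

# Constructed probe actions: two inside the allow list, two outside it.
PROBE_ACTIONS = ["s3:GetObject", "lambda:InvokeFunction", "ec2:RunInstances", "iam:CreateUser"]


class Entity:
    """A root, OU or account with its directly attached SCPs."""

    def __init__(self, name):
        self.name = name
        self.scps = [FULL_AWS_ACCESS]  # attached by default when SCPs are enabled

    def attach(self, scp):
        self.scps.append(scp)

    def detach(self, scp):
        # Organizations requires at least one SCP on every entity: the replacement
        # must be attached before the default FullAWSAccess policy is removed.
        if len(self.scps) == 1:
            raise ValueError(f"cannot detach the last SCP from {self.name}")
        self.scps.remove(scp)


def _actions(stmt):
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else a


def level_verdict(action, scps):
    """Combine the SCPs attached at one level: an explicit Deny wins, otherwise
    the level allows the action if any attached SCP allows it."""
    allowed = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if any(fnmatch.fnmatchcase(action, pat) for pat in _actions(stmt)):
                if stmt["Effect"] == "Deny":
                    return "deny"
                allowed = True
    return "allow" if allowed else "none"


def scp_permits(action, path, is_management_account=False):
    """path lists the SCPs at each level from the root down to the account.
    The action passes only if every level allows it; a level with no matching
    Allow (including a level with no SCP at all) blocks it. SCPs never apply
    to the management account."""
    if is_management_account:
        return True
    return all(level_verdict(action, scps) == "allow" for scps in path)


def build(option):
    """Return the root -> OU -> account SCP path produced by each answer option."""
    root, ou, account, mgmt = (Entity(n) for n in ("root", "new-ou", "member", "management"))
    if option == "A":
        ou.attach(ACTIVE_SERVICES_ALLOW)    # attach the replacement first...
        ou.detach(FULL_AWS_ACCESS)          # ...then drop the default from the OU
    elif option == "B":
        ou.attach(ACTIVE_SERVICES_DENY)     # FullAWSAccess stays; active services now blocked
    elif option == "C":
        root.attach(ACTIVE_SERVICES_ALLOW)  # same level as FullAWSAccess, so no restriction
        return [root.scps, account.scps]    # this option creates no OU
    elif option == "D":
        mgmt.attach(ACTIVE_SERVICES_ALLOW)  # no effect: the management account is exempt
        ou.detach(FULL_AWS_ACCESS)          # raises: the OU would be left with no SCP
    return [root.scps, ou.scps, account.scps]


def permitted_actions(option):
    return [a for a in PROBE_ACTIONS if scp_permits(a, build(option))]


if __name__ == "__main__":
    for opt in "ABC":
        print(opt, permitted_actions(opt))
    try:
        build("D")
    except ValueError as e:
        print("D", e)
```

Running it shows option A leaving only the S3 and Lambda probe actions, option B leaving only the EC2 and IAM ones (the inverse), option C leaving all four because the Allow SCP sits beside FullAWSAccess at the root, and option D failing at the detach step; the account in option A still carries its own default FullAWSAccess, which is fine because the OU level above it already narrows the result. Whether a principal can then actually call s3:GetObject still depends on its IAM policies.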