Which solution will meet these requirements?

By:
In: DOP-C02
Tagged:
With: 1 Comment
A company is launching an application.The application must use only approved AWS services.The account that runs the application was created less than 1 year ago and is assigned to an AWS Organizations OU.The company needs to create a new Organizations account structure.The account structure must have an appropriate SCP that supports the use of only services that are currently active in the AWS account.The company will use AWS Identity and Access Management (IAM) Access Analyzer in the solution.

Which solution will meet these requirements?

Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the new OU. Detach the default FullAWSAccess SCP from the new OU.

Create an SCP that denies the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the new OU.

Create an SCP that allows the services that IAM Access Analyzer identifies. Attach the new SCP to the organization’s root.

Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the management account. Detach the default FullAWSAccess SCP from the new OU.

Explanations:

This option correctly creates a Service Control Policy (SCP) that allows only the services identified by IAM Access Analyzer. By creating a new Organizational Unit (OU) and moving the account there, the company can manage access specifically for this account. Detaching the default FullAWSAccess SCP ensures that only the allowed services can be used.

This option creates an SCP that denies the services identified by IAM Access Analyzer, which contradicts the requirement of allowing only the active services in the account. Denying services does not align with the goal of enabling the use of specific services.

Attaching the SCP to the organization’s root applies it to all accounts in the organization, which may not be suitable for a specific application. This approach lacks the granularity needed to support only the services currently active in the specific account.

While this option suggests creating a new OU and SCP, attaching the SCP to the management account instead of the new OU does not restrict the policy to the intended account. This could inadvertently allow other accounts to use services not identified as active.

2025-10-14

1 Comment

  1. Amanda
    Author

    I compute that the answer is:
    Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the new OU. Detach the default FullAWSAccess SCP from the new OU.

Leave a Reply

Your email address will not be published. Required fields are marked *

14 − fourteen =