AWS Certified Solutions Architect - Associate / Question #1567 of 1019

Question #1567

A company maintains separate AWS accounts for its production, staging, and development environments. To ensure compliance with security policies and optimize costs, the company needs to restrict access to specific AWS services in each environment. Which solution will fulfill these requirements with the LEAST operational overhead?

A

Use AWS Config rules to audit and enforce allowed AWS services for each environment.

B

Create organizational units (OUs) for each environment in AWS Organizations. Apply service control policies (SCPs) to the OUs.

C

Deploy AWS Lambda functions to automatically disable unauthorized services in each account.

D

Configure AWS Identity and Access Management (IAM) policies in each account to restrict access to specific services.

Explanation

Answer B is correct because:
1. SCPs in AWS Organizations enable centralized control over allowed AWS services across multiple accounts. By creating OUs for each environment (production, staging, development), SCPs can be applied at the OU level to restrict access to specific services uniformly.
2. Least Operational Overhead: SCPs require no code deployment (unlike Option C) and avoid repetitive IAM policy management in each account (unlike Option D). AWS Config (Option A) focuses on auditing rather than proactive enforcement.
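The OU-level SCP the explanation describes, written out as an added example (it is not part of the original question set): a deny-list policy attached to a development OU that blocks services the environment is not approved to use, while exempting one break-glass role. The service names, Sid values and the `OrgBreakGlassRole` name are assumptions chosen for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnapprovedServicesInDev",
      "Effect": "Deny",
      "Action": [
        "redshift:*",
        "sagemaker:*",
        "ec2:PurchaseReservedInstancesOffering"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/OrgBreakGlassRole"
        }
      }
    },
    {
      "Sid": "KeepAccountsUnderOrgGuardrails",
      "Effect": "Deny",
      "Action": [
        "organizations:LeaveOrganization"
      ],
      "Resource": "*"
    }
  ]
}
```

An SCP only bounds what IAM policies inside the member accounts can allow; it grants nothing by itself and does not apply to the management account. A Deny in an attached SCP blocks the listed actions for every principal in the account, including the account's root user, which is why the exemption above is expressed as a condition on the role ARN rather than by relying on account-local IAM.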

Why other options are incorrect:
- A: AWS Config rules audit compliance but do not enforce restrictions natively, requiring additional automation.
- C: Lambda functions introduce maintenance and operational complexity.
- D: IAM policies must be manually configured in each account, increasing overhead.

Key Points:
- SCPs are designed for account-level service restrictions in multi-account environments.
- AWS Organizations provides a scalable way to manage policies across OUs.
- Centralized policies reduce redundancy and human error.

Answer

The correct answer is: B