AWS Certified Solutions Architect - Professional / Question #902 of 529

Question #902

A large enterprise has consolidated multiple AWS accounts under AWS Organizations to manage their production and development environments. They aim to enforce service control policies (SCPs) that permit only the AWS services currently utilized by their application teams while blocking several others. The solution must allow managing accounts collectively and ensure minimal disruption to existing operations.

Which combination of actions should the solutions architect implement to meet these requirements? (Select three.)

A. Implement a Deny list approach in the SCPs.

B. Analyze AWS IAM Access Advisor data to identify active services.

C. Utilize AWS CloudTrail logs to determine service usage patterns.

D. Detach the default FullAWSAccess policy from the root.

E. Organize accounts into organizational units (OUs) based on function.

F. Create a new SCP that uses an Allow list strategy.

Explanation

The solution requires enforcing SCPs that allow only the services in use and block the others.

- A (Deny list approach): While counterintuitive, a Deny list is used here to block specific unwanted services. However, this approach alone does not fully restrict to only used services unless combined with other policies. This might be a point of confusion, as an Allow list (F) would be more precise for strict restrictions.
- B (IAM Access Advisor): Identifies services actively used by IAM entities, ensuring SCPs permit necessary services.
- E (Organize OUs): Grouping accounts by function (e.g., production/dev) allows applying SCPs collectively to OUs, simplifying management.

Why not the other options:
- C (CloudTrail): While useful for auditing, it is less direct than Access Advisor for identifying active services.
- D (Detach FullAWSAccess): Required for SCPs to take effect but not explicitly mentioned as part of the solution.
- F (Allow list): Theoretically correct for strict allow-only policies but not selected in the provided answer. The Deny list (A) might be chosen under the assumption that only specific services are blocked, though this does not fully meet the requirement.

Key Points: Use Access Advisor to identify services, organize accounts into OUs for SCP application, and implement SCPs (Deny list here, though Allow list is more precise).
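To make the Deny list versus Allow list trade-off concrete, here is an added example (not part of the exam material) that models how SCPs are evaluated: at each level of the organization an action passes only if some attached SCP explicitly allows it and none denies it, and it must pass at every level from the root down to the account. The three policy documents and the action names are constructed for illustration; the evaluator is simplified and ignores conditions and resource ARNs.

```python
import fnmatch

# Constructed SCP documents (illustrative, not from the page).
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Deny list strategy (option A): everything stays allowed except named services.
DENY_LIST_SCP = {"Statement": [
    {"Effect": "Deny", "Action": ["sagemaker:*", "lightsail:*"], "Resource": "*"},
]}

# Allow list strategy (option F): only the services found in use are allowed.
ALLOW_LIST_SCP = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "cloudtrail:*"], "Resource": "*"},
]}


def _actions(stmt):
    action = stmt["Action"]
    return [action] if isinstance(action, str) else action


def _matches(stmt, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _actions(stmt))


def level_allows(scps, action):
    """One OU/root/account level: needs a matching Allow and no matching Deny."""
    allowed = denied = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if _matches(stmt, action):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def org_allows(levels, action):
    """Every level from the root down to the account must allow the action."""
    return all(level_allows(scps, action) for scps in levels)


if __name__ == "__main__":
    action = "sagemaker:CreateNotebookInstance"
    print("deny list + FullAWSAccess :", org_allows([[FULL_AWS_ACCESS, DENY_LIST_SCP]], action))
    print("allow list + FullAWSAccess:", org_allows([[FULL_AWS_ACCESS, ALLOW_LIST_SCP]], action))
    print("allow list alone          :", org_allows([[ALLOW_LIST_SCP]], action))
```

The second line of output is why option D matters: an Allow list attached beside the default FullAWSAccess policy changes nothing, because FullAWSAccess still supplies the Allow at that level.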

Answer

The correct answer is: ABE