Question #561
A company is using AWS Organizations to restrict its developers to only use Amazon RDS, AWS Lambda, and AWS CloudFormation. The developers' account is placed in a separate organizational unit (OU). The solutions architect has applied the following SCP to the developers' OU:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRDS",
      "Effect": "Allow",
      "Action": "rds:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowLambda",
      "Effect": "Allow",
      "Action": "lambda:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowCloudFormation",
      "Effect": "Allow",
      "Action": "cloudformation:*",
      "Resource": "*"
    }
  ]
}
```
Despite this policy, IAM users in the developers' account can still access AWS services not listed in the SCP. What should the solutions architect do to enforce the restriction?
A. Add explicit deny statements for all AWS services except RDS, Lambda, and CloudFormation.
B. Detach the FullAWSAccess SCP from the developers' OU.
C. Update the FullAWSAccess SCP to explicitly deny all services not listed.
D. Include a wildcard deny statement at the end of the existing SCP.
Explanation
AWS Organizations applies Service Control Policies (SCPs) as a whitelist by default. The developers' OU had both the custom SCP (allowing RDS, Lambda, CloudFormation) and the default FullAWSAccess SCP (allowing all services). SCPs use an intersection logic: actions must be allowed by all attached SCPs. Since FullAWSAccess allows everything, the intersection with the custom SCP still allowed all services. Detaching FullAWSAccess leaves only the custom SCP, which restricts access to the specified services. Other options are incorrect: adding explicit denies (A) is redundant since SCPs deny by default; modifying FullAWSAccess (C) isn't possible as it's a managed policy; a wildcard deny (D) isn't needed if FullAWSAccess is removed.
Answer
The correct answer is: B