Question 4
Domain 1: Design Secure Architectures
Which of the following statements about Service Control Policies (SCPs) is TRUE?
Correct answer: C
Explanation
SCPs are used in AWS Organizations to set guardrails, and they “define the maximum permissions for member accounts.” They do not grant access by themselves; instead, they limit what IAM users and roles in those accounts can do, consistent with least privilege.
Why each option is right or wrong
A. SCPs grant permissions to users and roles
Incorrect. An SCP never grants access. Even an SCP that allows "*" gives a principal nothing until an IAM identity policy in the account also allows the action; the SCP only sets the ceiling.
B. SCPs affect the management account in an AWS Organization
Incorrect. SCPs restrict principals in member accounts only. IAM users and roles in the management account are not limited by any SCP, which is one reason to keep workloads and day-to-day identities out of that account.
C. SCPs define maximum permissions for member accounts
Correct. An SCP is a guardrail on the account rather than a grant: it can only restrict what principals in a member account are allowed to do. The effective permissions of an IAM user or role in a member account are the intersection of what the SCPs in effect for that account allow (those attached at the organization root, at each enclosing OU, and at the account itself) and what the IAM policies in the account allow. An explicit Deny in any SCP along that path wins, so the SCP establishes the maximum set of allowed actions and the IAM policy then has to grant a subset of it. SCPs also do not restrict service-linked roles.
D. SCPs can only be applied to individual accounts, not OUs
Incorrect. An SCP can be attached to the organization root, to an OU, or to an individual account, and it is inherited down the tree. An action is permitted only if the SCPs at every level between the root and the account allow it, which is what makes an OU-level SCP an effective guardrail for all accounts beneath it.
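The evaluation rule behind options A through D, worked through in code. This is an added toy model written for this explanation; it is not AWS's policy evaluation engine and not part of the exam material. It assumes a simplified policy format (only the Action element is matched, case-insensitively and with "*" wildcards; Resource, Condition, NotAction, resource-based policies, permission boundaries and session policies are ignored), and the OU names, policy documents and function names are illustrative.

```python
"""Toy model of how AWS Organizations SCPs combine with IAM identity policies.

Added illustration, not AWS's evaluation engine. Simplifications (assumptions):
only the Action element is matched (case-insensitive, '*' wildcards); Resource,
Condition, NotAction, resource-based policies, permission boundaries and
session policies are ignored.
"""
import fnmatch
import json

# Constructed sample policy documents for the example (not real account policies).
FULL_ACCESS_SCP = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}""")

# Deny-list guardrail attached to an illustrative "Workloads" OU.
GUARDRAIL_SCP = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Deny",
                "Action": ["s3:DeleteBucket", "organizations:LeaveOrganization"],
                "Resource": "*"}]}""")

# Allow-list SCP attached to one sandbox account in place of FullAWSAccess.
S3_ONLY_SCP = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}""")

ADMIN_IAM_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}""")

READONLY_S3_IAM_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                "Resource": "*"}]}""")


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and support '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_policy(policy, action):
    """Return 'Deny', 'Allow' or None (implicit deny) for one policy document."""
    decision = None
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_action_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit Deny always wins
            decision = "Allow"
    return decision


def policies_allow(policies, action):
    """Combine documents evaluated together: explicit Deny beats Allow, and
    Allow beats the implicit deny that applies when nothing matches."""
    decisions = [evaluate_policy(p, action) for p in policies]
    if "Deny" in decisions:
        return False
    return "Allow" in decisions


def scps_allow(scp_levels, action):
    """scp_levels lists the SCPs attached at each level from the organization
    root down to the account. Inheritance means the action must be allowed at
    every level: the SCPs in effect form an intersection, not a union."""
    return all(policies_allow(level, action) for level in scp_levels)


def effective_allow(scp_levels, identity_policies, action, management_account=False):
    """Final decision for an IAM user or role. SCPs are a guardrail on member
    accounts only; inside that guardrail an identity policy must still allow."""
    if not management_account and not scps_allow(scp_levels, action):
        return False
    return policies_allow(identity_policies, action)


# Root -> "Workloads" OU -> member account. FullAWSAccess stays attached at every
# level next to the guardrail, which is the usual deny-list pattern.
WORKLOAD_ACCOUNT_SCPS = [[FULL_ACCESS_SCP], [FULL_ACCESS_SCP, GUARDRAIL_SCP], [FULL_ACCESS_SCP]]
# Root -> "Sandbox" OU -> sandbox account where an allow-list SCP replaces FullAWSAccess.
SANDBOX_ACCOUNT_SCPS = [[FULL_ACCESS_SCP], [FULL_ACCESS_SCP], [S3_ONLY_SCP]]

if __name__ == "__main__":
    cases = [
        ("admin, workload account, s3:PutObject", WORKLOAD_ACCOUNT_SCPS, [ADMIN_IAM_POLICY], "s3:PutObject", False),
        ("admin, workload account, s3:DeleteBucket", WORKLOAD_ACCOUNT_SCPS, [ADMIN_IAM_POLICY], "s3:DeleteBucket", False),
        ("admin, management account, s3:DeleteBucket", WORKLOAD_ACCOUNT_SCPS, [ADMIN_IAM_POLICY], "s3:DeleteBucket", True),
        ("no IAM policy, workload account, s3:PutObject", WORKLOAD_ACCOUNT_SCPS, [], "s3:PutObject", False),
        ("admin, sandbox account, ec2:RunInstances", SANDBOX_ACCOUNT_SCPS, [ADMIN_IAM_POLICY], "ec2:RunInstances", False),
    ]
    for label, scps, iam, action, mgmt in cases:
        print(f"{label}: {effective_allow(scps, iam, action, management_account=mgmt)}")
```

The two cases worth staring at are the ones that separate the options: with no identity policy at all, the permissive FullAWSAccess SCP still yields a deny (option A), and the same s3:DeleteBucket call that the OU guardrail blocks in the member account succeeds when the principal sits in the management account (option B).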