Question 8
Domain 1: Design Solutions for Organizational Complexity
A company is implementing AWS Organizations to constrain its developers to using only Amazon EC2, Amazon S3, and Amazon DynamoDB. The developers' account resides in a dedicated organizational unit (OU). The solutions architect has implemented the following SCP on the developers' account: When this policy is deployed, IAM users in the developers' account are still able to use AWS services that are not listed in the policy. What should the solutions architect do to eliminate the developers' ability to use services outside the scope of this policy?
Correct answer: D
Explanation
The permissions an account actually has under AWS Organizations are determined by the combined effect of the SCPs attached to the account and to the OU above it. If the OU still has the default "FullAWSAccess" SCP attached, that policy allows every service unless one is explicitly denied, so the restrictive SCP on its own does not limit the developers. Removing FullAWSAccess leaves only the restrictive SCP in effect, which enforces least privilege.
Why each option is right or wrong
A. Add an explicit deny statement using a wildcard to the end of the SCP
A wildcard deny is not the standard SCP pattern for allowing only selected services.
B. Modify the Full AWS Access SCP to explicitly deny all services
FullAWSAccess is the AWS-managed allow-all SCP; the fix is to stop applying it to the developers' OU, not to rewrite it into a deny-all control.
C. Create an explicit deny statement for each AWS service that should be constrained
Restricting developers to a handful of services is achieved through the effective set of SCPs, not by writing a separate explicit deny for every other AWS service.
D. Remove the Full AWS Access SCP from the developer account's OU
Under the AWS Organizations policy evaluation model, service control policies are evaluated as the intersection of all applicable SCPs on the account and its parent OU. The default "FullAWSAccess" SCP attached to the OU is an allow-all policy. If it remains in place alongside the restrictive SCP, the account still retains permission to use other services unless they are explicitly denied. Removing that default SCP leaves only the restrictive policy in effect and blocks all unlisted services.