Questions 16 to 18

Explanations for questions 16 to 18

Question 16

A solutions architect has created an AWS Organization with several AWS accounts. Security policy requires that the use of specific API actions is limited across all accounts. The solutions architect requires a method of centrally controlling these actions.

What is the simplest method of achieving the requirements?

  1. Create a Network ACL that limits access to the services or actions, and attach it to all relevant subnets.
  2. Create an IAM policy in the root account and attach it to users and groups in each account.
  3. Create cross-account roles in each account to limit access to the services and actions that are allowed.
  4. Create a service control policy in the root organizational unit to deny access to the services or actions.

Correct Answer: 4

Explanation: Service control policies (SCPs) offer central control over the maximum available permissions for all accounts in your organization, allowing you to ensure your accounts stay within your organization’s access control guidelines.

In the example below, a policy in OU1 restricts all users from launching EC2 instance types other than a t2.micro:
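An SCP that implements the restriction described above, written out as an added example (it is not taken from the original page). The `Sid` value is an arbitrary label chosen here, and the policy is assumed to be attached to OU1:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMicroInstanceType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}
```

The explicit `Deny` applies to every IAM user and role in the accounts under OU1, including each account's root user, and no IAM policy inside those accounts can override it. The SCP grants nothing by itself: an identity still needs an IAM policy that allows `ec2:RunInstances` before it can launch a t2.micro.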
