Exam SCS-C02
Question 15

A company is designing a multi-account structure for its development teams. The company is using AWS Organizations and AWS IAM Identity Center (AWS Single Sign-On). The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services.

Which solution will meet these requirements with the LEAST operational overhead?

    Correct Answer: C

    To meet the requirement of allowing access to only specific AWS Regions and services with the least operational overhead in a multi-account structure using AWS Organizations and AWS IAM Identity Center, the best solution is to use Service Control Policies (SCPs). SCPs can centrally control the maximum available permissions for accounts in an organization. By configuring SCPs with the appropriate Condition, Resource, and NotAction elements, you can restrict access to specific AWS Regions and services. This approach significantly reduces operational overhead as it allows for centralized management and enforcement of policies across all accounts in the organization.

Discussion
Daniel76 (Option: C)

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region

aragon_saa

https://www.examtopics.com/discussions/amazon/view/88434-exam-aws-certified-security-specialty-topic-1-question-431/

komik_101

I would like to say A. :D Last week I did this: the software team came to me, and they wanted to access another account's S3 bucket permissions (put, get, delete). I went to IAM Identity Center, created a group (put the users in the group), created permission sets, and they accessed the other account's S3 bucket. SCP is a huge topic. SCP is very critical; if you do something, it will affect all accounts.

awssecuritynewbie

You cannot use "NotAction" with SCP though? Can anyone help?

tester6667

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html You can see NotAction listed.

Raphaello (Option: C)

SCP to allow certain services in certain regions for specific accounts.

Raphaello

As explained here https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html#scp-elements-table, the "Condition", "Resource", and "NotAction" elements can only be used with the "Deny" effect, but answer C says "to allow access to only the Regions and services that are needed" as the ultimate outcome, not in the sense of an "Allow" effect. It tries to trick you into thinking "those elements cannot be used with Allow, so not C"! I still believe C is the best answer here.
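To make the two points above concrete (the explanation of how SCPs restrict Regions and services, and Raphaello's note that Condition, Resource and NotAction are Deny-only elements), here is an added example that is not part of the original page or of AWS's own tooling. It builds a constructed SCP that reaches the "allow only these Regions and services" outcome with Deny statements, runs a deliberately simplified evaluator over sample requests, and checks that no Allow statement uses a Deny-only element. The evaluator only models Action/NotAction matching and the StringEquals/StringNotEquals operators on aws:RequestedRegion; it ignores Resource because every statement here uses "*", and it is not the real IAM policy engine. The Region and service lists are assumptions chosen for illustration.

```python
"""Simplified SCP evaluation and syntax check (constructed example)."""
from fnmatch import fnmatchcase

# Constructed SCP. The allow-list outcome is reached with two Deny statements:
#  1. deny every action outside the approved Regions, exempting global services
#     via NotAction (so IAM, STS, Organizations, Support keep working);
#  2. deny every service not on the approved list, again via NotAction.
# The FullAWSAccess statement is the default AWS-managed SCP content.
APPROVED_REGIONS = ["eu-west-1", "eu-central-1"]          # assumption
GLOBAL_SERVICES = ["iam:*", "sts:*", "organizations:*", "support:*"]
APPROVED_SERVICES = ["ec2:*", "s3:*", "lambda:*", "cloudwatch:*"] + GLOBAL_SERVICES

SCP_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICES,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}},
        },
        {
            "Sid": "DenyUnapprovedServices",
            "Effect": "Deny",
            "NotAction": APPROVED_SERVICES,
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(action, patterns):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _statement_applies(stmt, action, context):
    """True if the statement's Action/NotAction and Condition match the request."""
    if "Action" in stmt and not _matches_any(action, stmt["Action"]):
        return False
    if "NotAction" in stmt and _matches_any(action, stmt["NotAction"]):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, expected in keys.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def evaluate(policy, action, context):
    """Explicit Deny wins; otherwise Allow if any Allow applies; otherwise implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def validate_scp(policy):
    """Report Allow statements that use elements SCP syntax reserves for Deny."""
    errors = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt["Effect"] != "Allow":
            continue
        for element in ("Condition", "NotAction", "NotResource"):
            if element in stmt:
                errors.append(f"{sid}: '{element}' is only valid with Effect Deny")
        if stmt.get("Resource") != "*":
            errors.append(f"{sid}: Allow statements must use Resource '*'")
    return errors


if __name__ == "__main__":
    print("syntax errors:", validate_scp(SCP_DOCUMENT) or "none")
    for action, region in [("s3:GetObject", "eu-west-1"), ("s3:GetObject", "us-east-1"),
                           ("iam:CreateUser", "us-east-1"), ("dynamodb:PutItem", "eu-west-1")]:
        print(f"{action:22} {region:14} -> "
              f"{evaluate(SCP_DOCUMENT, action, {'aws:RequestedRegion': region})}")
```

The SCP only sets the ceiling: a principal still needs a matching Allow in its own permissions (for example an IAM Identity Center permission set) to actually call an API, which is why the SCP and the permission sets complement rather than replace each other.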

NoCrapEva (Option: C)

SCP is the go-to solution for multiple accounts in AWS Organizations.

habros (Option: C)

C. If AWS Organizations is enabled, why not take advantage of the Region deny feature? SCP is the actual mechanism to enforce this rule!

mynickc (Option: A)

C is wrong because NotAction, Resource & Condition can support Deny only. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html

Sab31

C seems a good option but can someone share if SCPs can have "NotAction" element?

Raphaello

Correct answer is C. SCP to control which organization node can operate on which region(s).

lalee2 (Option: C)

Under Organizations, SCP is the least operational overhead.

KR693

Option C

Sumi81

C is right

100fold (Option: C)

Agree, answer C.