Home › AWS Solutions Architect Professional › cloudcomputing › sapcomplexity › An enterprise wants to enforce 'no resources in …
An enterprise wants to enforce 'no resources in eu-central-1' and 'no IAM users with admin policy' across every account under an OU. Which AWS feature applies these guardrails?
ACloudTrail-only auditing without prevention
BPer-account IAM policies copied manually
CAsking developers nicely
DService Control Policies (SCPs) in AWS Organizations
Answer & Solution
Correct answer: D. Service Control Policies (SCPs) in AWS Organizations
SCPs at OU/account scope are preventive guardrails in Organizations. Per-account IAM policies don't enforce org-wide; CloudTrail is reactive; trust is not a control.
Related questions
An architect must give a third-party identity provider (e.g. Okta, Azure AD) federated accWhich AWS rightsizing visibility tool analyses Amazon EC2 + EBS + Lambda + Auto Scaling grAn architect needs centralised security findings (GuardDuty + Inspector + IAM Access AnalyWhich AWS purchasing option offers the deepest discount for steady-state compute usage witAn enterprise on SAP-C02 RTO/RPO design must recover a critical workload within 4 hours anWhich AWS service provides hybrid DNS by forwarding DNS queries between an on-prem resolveWhich AWS service lets one account share specific resources (e.g. Transit Gateway, subnetsAn enterprise needs a turnkey multi-account landing-zone with guardrails, account factory,