Home › AWS DevOps Pro › cloudcomputing › dopsecurity › Which AWS feature lets a DevOps engineer apply p…
Which AWS feature lets a DevOps engineer apply preventive guardrails across an entire AWS Organization — e.g. 'no IAM users can create access keys without MFA'?
AService Control Policies (SCPs) attached at the OU level
BPer-account IAM policies copied manually
CCloudTrail-only auditing without preventive control
DAsking developers nicely
Answer & Solution
Correct answer: A. Service Control Policies (SCPs) attached at the OU level
SCPs are the preventive org-wide guardrail (per DOP-C02 §6.1). Per-account IAM doesn't enforce org-wide; CloudTrail is reactive; trust is not a control.
Related questions
Which AWS feature provides graph-based investigation of security findings to determine theWhich AWS service automatically discovers and classifies sensitive data (PII, credentials,Which AWS service aggregates findings from GuardDuty + Inspector + IAM Access Analyzer + MWhich AWS service continuously analyses CloudTrail + VPC Flow + DNS logs with ML and threaWhich AWS service issues and rotates public TLS certificates for AWS load balancers, CloudWhich AWS service provides dedicated FIPS 140-2 Level 3 hardware HSMs for tenants with strWhich AWS service creates and rotates customer-managed encryption keys with IAM-controlledWhich AWS service inspects IAM policies and resource policies to identify resources shared