Company ABC has started to use AWS Service Catalog to manage its CloudFormation stacks within the company. In Service Catalog, several portfolios have been created with relevant products configured. It is supposed to assign access to different users or teams for these different products. For example, for one important payment service, only DevOps team can create, modify or delete the product. In Service Catalog, how should you manage the user access?

Answer options:

A.Make sure AWS Organization is created. Manage Organization Service Control Policies in Service Catalog to control the access. 
B.Assign AWS Cognito User Pools to manage the access to different products.
C.In Service Catalog, use AWS CLI or console to configure ACL policies to manage user access.
D.Assign permissions to IAM users, groups, and roles.

Correct Answer – D
For Service Catalog, it can grant user access to a portfolio which means that the user can browse the portfolio or launch the products in it. Check details in
https://docs.aws.amazon.com/servicecatalog/latest/adminguide/what-is_concepts.html
and
https://ap-southeast-2.console.aws.amazon.com/servicecatalog/home?region=ap-southeast-2#/home.
Option A is incorrect: Because Service Control Policies (SCPs) are used in AWS Organizations instead of Service Catalog.
Option B is incorrect: Because AWS Cognito User Pools are user directories. Users can sign in to web or mobile apps through Amazon Cognito User pools.
Option C is incorrect: Because Service Catalog does not have ACL policies.
Option D is CORRECT: Because Service Catalog assigns IAM permissions to manage access. In the below screenshot, IAM users, groups and roles can be assigned to the portfolio.