Your company is planning to set up multiple accounts in AWS. The IT Security department must ensure that certain services and actions are not allowed across all accounts. How would you achieve this in the most effective way possible?

Answer options:

A.Create a common IAM policy that can be applied across all accounts.
B.Create an IAM policy per account and apply them accordingly.
C.Deny the services to be used across accounts by contacting AWS.
D.Use AWS Organizations and Service Control Policies.

Answer – D
The AWS Documentation mentions the following.
An AWS organization is an entity that you create to consolidate your AWS accounts.
A service control policy is a policy that specifies the services and actions that users and roles can use in the accounts that the SCP affects.
Option A is incorrect since you can’t have a common IAM policy.
Option B is incorrect since this is an ineffective way of managing centralized control.
Option C is incorrect since AWS should not be responsible for denying the usage of services in an account.
For more information on AWS Organizations, please refer to the below URL-
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html