Quick Answer
The answer is service control policies (SCPs). SCPs are the correct choice because they act as a centralized preventive guardrail within AWS Organizations, setting the maximum permissions that apply to every IAM user, role, and even the root user in all member accounts. By explicitly denying actions such as cloudtrail:StopLogging, cloudtrail:DeleteTrail, and s3:PutBucketPolicy, SCPs ensure that no one, including account administrators, can disable CloudTrail or delete S3 bucket policies, making them the only AWS feature capable of enforcing such organization-wide restrictions. On the AWS Certified Cloud Practitioner CLF-C02 exam, this question tests your understanding of preventive controls versus detective controls; a common trap is confusing SCPs with IAM permission boundaries, or with AWS Config rules, which are detective rather than preventive. Memory tip: SCPs are the "supreme court" of permissions; they can overrule even root users by setting the absolute ceiling on what is allowed across your entire organization.
CLF-C02 Practice Question: SCPs are a feature of AWS Organizations.
This CLF-C02 practice question tests your understanding of security and compliance. The scenario asks you to isolate a root cause: eliminate the options that address a different problem before choosing. A key principle to apply: SCPs are a feature of AWS Organizations. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A company uses AWS Organizations to manage multiple accounts. The security team wants a preventive control to ensure that nobody in any account, including account root users, can disable AWS CloudTrail or delete Amazon S3 bucket policies. Which AWS feature should the security team use?
Answer choices
- A. IAM roles with multi-factor authentication (MFA)
- B. AWS Config rules with automatic remediation
- C. Service control policies (SCPs)
- D. AWS Shield Advanced
Why each option matters
Correct answer & explanation
Service control policies (SCPs)
Service control policies (SCPs) are the correct choice because they provide centralized preventive controls over the maximum available permissions for all IAM users, roles, and root users in member accounts within AWS Organizations. SCPs can explicitly deny actions such as cloudtrail:StopLogging, cloudtrail:DeleteTrail, and s3:PutBucketPolicy, ensuring that even root users cannot disable CloudTrail or delete S3 bucket policies. This makes SCPs the only AWS feature that can enforce such restrictions across all accounts in an organization.
Key principle: SCPs are a feature of AWS Organizations.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗ IAM roles with multi-factor authentication (MFA)
  Why it's wrong here: IAM roles with MFA enhance authentication security but do not prevent an administrator within an account from performing destructive actions such as disabling CloudTrail or deleting bucket policies. They control who can assume a role, not what actions are allowed across accounts.
- ✗ AWS Config rules with automatic remediation
  Why it's wrong here: AWS Config rules are detective controls that evaluate resources for compliance with desired configurations. While automatic remediation can fix noncompliant resources after they are created, it does not prevent the initial action. For example, it could detect that CloudTrail was disabled and re-enable it, but does not stop the disable action from occurring.
- ✓ Service control policies (SCPs)
  Why this is correct: SCPs are a feature of AWS Organizations that allow central administrators to set permission guardrails for all accounts in the organization. SCPs can explicitly deny actions like cloudtrail:StopLogging or s3:DeleteBucketPolicy, even for the root user of member accounts. This provides a preventive control that cannot be overridden by account administrators.
  Related concept: SCPs are a feature of AWS Organizations.
- ✗ AWS Shield Advanced
  Why it's wrong here: AWS Shield Advanced is a managed DDoS protection service designed to safeguard applications from distributed denial-of-service attacks. It does not provide any capabilities for managing or restricting IAM permissions or resource configurations across multiple accounts.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often confuse detective/corrective controls (like AWS Config rules) with preventive controls (like SCPs), or they mistakenly think IAM MFA can block API actions, when in reality MFA only adds an authentication requirement and does not restrict specific service operations.
Detailed technical explanation
How to think about this question
SCPs are evaluated as an allow list or deny list at the account level before any IAM policies are evaluated, and they affect all principals including root users. For example, an SCP with a Deny effect on s3:PutBucketPolicy for all resources will prevent any user or role in the account from modifying bucket policies, even if an IAM policy explicitly allows it. This is because SCPs set a permissions boundary that cannot be overridden by any IAM policy within the account.
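As an added example, not taken from this page or from AWS documentation: a minimal SCP document that enforces the guardrail the question describes when attached at the organization root or an OU. The four denied actions are the ones named on this page; the role name OrgBucketPolicyAdmin in the second statement is a placeholder I chose to show how one break-glass role can be carved out with the aws:PrincipalArn condition key while root users and every other principal in member accounts remain denied.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyBucketPolicyChangesExceptBreakGlass",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucketPolicy",
        "s3:PutBucketPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrgBucketPolicyAdmin"
        }
      }
    }
  ]
}
```

Because an explicit Deny in an SCP wins regardless of what any IAM policy in the member account allows, an administrator who grants themselves AdministratorAccess still cannot perform these actions. Note that SCPs restrict member accounts only; principals in the management account itself are not bound by them, which is one reason to keep workloads and day-to-day users out of the management account.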
Key Concepts to Remember
- SCPs are a feature of AWS Organizations.
- SCPs define maximum permissions for accounts or OUs.
- SCPs apply to all users and roles, including the root user.
- SCPs are preventive security controls.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
SCPs are a feature of AWS Organizations.
Real-world example
How this comes up in practice
A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.
What to study next
Got this wrong? Here's your next step.
Review the key principle (SCPs are a feature of AWS Organizations), then practise related CLF-C02 questions on the same topic to reinforce the concept.
FAQ
Questions learners often ask
What does this CLF-C02 question test?
Security and Compliance. This question tests the Security and Compliance domain, specifically the principle that SCPs are a feature of AWS Organizations.
What is the correct answer to this question?
The correct answer is: Service control policies (SCPs) — Service control policies (SCPs) are the correct choice because they provide centralized preventive controls over the maximum available permissions for all IAM users, roles, and root users in member accounts within AWS Organizations. SCPs can explicitly deny actions such as cloudtrail:StopLogging, cloudtrail:DeleteTrail, and s3:PutBucketPolicy, ensuring that even root users cannot disable CloudTrail or delete S3 bucket policies. This makes SCPs the only AWS feature that can enforce such restrictions across all accounts in an organization.
What should I do if I get this CLF-C02 question wrong?
Review the key principle (SCPs are a feature of AWS Organizations), then practise related CLF-C02 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
SCPs are a feature of AWS Organizations.
Same concept, more angles
3 more ways this is tested on CLF-C02
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A company uses AWS Organizations to manage multiple accounts. The security team wants to enforce a policy that prevents any user or role in any member account from disabling AWS CloudTrail or deleting CloudTrail log files from Amazon S3. The team needs a solution that is centrally managed from the management account and applies to all current and future member accounts automatically. Which AWS feature should the security team use to meet these requirements?
Difficulty: medium
- A. AWS Config conformance packs
- ✓ B. Service Control Policies (SCPs)
- C. IAM permissions boundaries
- D. AWS CloudTrail data events
Why B: Service Control Policies (SCPs) are a feature of AWS Organizations that allow you to centrally control the maximum available permissions for all accounts within an organization. By attaching an SCP that explicitly denies the actions to disable CloudTrail or delete CloudTrail log files from S3, the security team can enforce this policy across all current and future member accounts from the management account, as SCPs automatically apply to new accounts added to the organization.
Variation 2. A company is using AWS Organizations to manage multiple AWS accounts. The security team wants to ensure that users in the development accounts cannot disable AWS CloudTrail logging or delete CloudTrail trails, even if those users have full administrator permissions within their own accounts. The team needs a central mechanism that is enforced across all development accounts regardless of individual IAM policies. Which AWS feature should the security team use to meet this requirement?
Difficulty: medium
- ✓ A. Service control policies (SCPs)
- B. IAM policies
- C. AWS Config rules
- D. Amazon CloudWatch Events
Why A: Service control policies (SCPs) are a feature of AWS Organizations that allow you to centrally control the maximum available permissions for all accounts in an organization. SCPs act as a guardrail, restricting what actions users and roles in member accounts can perform, even if they have full administrator permissions via IAM policies. By applying an SCP that denies the `cloudtrail:DeleteTrail` and `cloudtrail:StopLogging` actions, the security team can enforce that CloudTrail cannot be disabled or deleted across all development accounts, regardless of individual IAM configurations.
Variation 3. A company manages multiple AWS accounts under a single AWS Organizations organization. The security team wants to implement a preventive control that blocks any action that would disable AWS CloudTrail or delete CloudTrail log files across all accounts, including the management account. The solution must be centrally managed and must not require changes to individual account permissions. Which AWS feature should the security team use?
Difficulty: medium
- A. IAM permission boundaries
- ✓ B. AWS Service Control Policies (SCPs)
- C. AWS Identity and Access Management (IAM) roles with a trust policy
- D. AWS Config conformance packs
Why B: AWS Service Control Policies (SCPs) are the correct choice because they allow the security team to define preventive guardrails at the AWS Organizations root, OU, or account level that apply to all principals, including the management account. An SCP can explicitly deny any action that would disable CloudTrail (e.g., cloudtrail:StopLogging, cloudtrail:DeleteTrail) or delete log files (e.g., s3:DeleteObject on the CloudTrail S3 bucket), and because SCPs are inherited by all accounts in the organization, no individual account permission changes are required.
Last reviewed: Jun 11, 2026
This CLF-C02 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CLF-C02 exam.