Billing, Pricing, and Support · medium · Multiple Choice · Objective-mapped

Quick Answer

The answer is to apply a Service Control Policy (SCP) that denies billing-related actions for all member accounts. This is correct because SCPs in AWS Organizations act as a central permission guardrail, allowing the management account to restrict which AWS services and actions member accounts can use, including billing. By attaching an SCP that explicitly denies actions like `aws-portal:*` or `awsbilling:*`, the finance team ensures member accounts cannot view payment methods or invoices, while the management account remains unaffected since SCPs do not apply to it. On the AWS Certified Cloud Practitioner CLF-C02 exam, this question tests your understanding of how to restrict billing access to member accounts using SCPs, a common scenario for consolidated billing environments. A frequent trap is confusing SCPs with IAM policies—remember that SCPs set boundaries for all users in an account, while IAM policies grant permissions within those boundaries. Memory tip: think of SCPs as the "bouncer" at the door—they deny entry to billing actions for every member account, leaving the management account as the only VIP with access.

CLF-C02 Billing, Pricing, and Support Practice Question

This CLF-C02 practice question tests your understanding of billing, pricing, and support. After answering, compare your reasoning against the explanation and wrong-answer breakdown below.

A company uses AWS Organizations with consolidated billing across multiple member accounts. The finance team requires that only the management account (payer account) can view and modify payment methods and receive invoices. Member accounts must be prevented from accessing billing and payment information in the AWS Billing and Cost Management console. Which AWS feature should be configured to enforce this restriction?

Correct answer & explanation

Apply a Service Control Policy (SCP) to deny billing-related actions for all member accounts.

Service Control Policies (SCPs) in AWS Organizations allow you to centrally restrict the AWS services and actions that member accounts can use. By applying an SCP that denies billing-related actions (e.g., `aws-portal:*` or `awsbilling:*`) to all member accounts, the management account can enforce that only the payer account can view and modify payment methods and receive invoices. This directly meets the requirement without affecting the management account, which is not subject to SCPs.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Enable all features in AWS Organizations, including consolidated billing.

    Why it's wrong here

    Enabling all features is a prerequisite for using Service Control Policies, but this step alone does not restrict member account access to billing pages. Additional SCP configuration is required.

  • Apply a Service Control Policy (SCP) to deny billing-related actions for all member accounts.

    Why this is correct

    An SCP can explicitly deny actions like `aws-portal:ViewBilling` and `aws-portal:ModifyBilling` for member accounts. This prevents users in those accounts from accessing billing information, leaving full control to the management account.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Enable AWS CloudTrail to log billing events for all accounts.

    Why it's wrong here

    AWS CloudTrail records API calls for auditing purposes, including billing events, but it does not prevent member accounts from accessing billing pages. It provides visibility, not restriction.

  • Configure AWS Cost Explorer to grant cross-account access only to the management account.

    Why it's wrong here

    AWS Cost Explorer allows viewing of cost and usage data, but it does not restrict access to the billing console or payment methods. It is not a mechanism to prevent member accounts from modifying billing settings.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse enabling consolidated billing (Option A) with actually restricting access, not realizing that consolidated billing alone does not enforce any access controls on member accounts.

Detailed technical explanation

How to think about this question

SCPs are evaluated as a deny-override policy at the account level, meaning any action explicitly denied by an SCP is blocked even if an IAM policy grants it. The relevant billing actions to deny include `aws-portal:ModifyBilling`, `aws-portal:ViewBilling`, and `awsbilling:*`; these must be specified in the `Action` element of the SCP. In a real-world scenario, if a member account has an IAM user with full admin privileges, an SCP denying billing actions ensures that user still cannot access billing data, demonstrating the power of SCPs as a guardrail.
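The deny-override behaviour described above, as an added example that is not part of the original page: a simplified evaluator showing that an admin user in a member account is still blocked from billing actions while the management account is unaffected. The account IDs, policy names and the flat (non-hierarchical) SCP list are assumptions made for illustration; the action names are the ones quoted in the text.

```python
from fnmatch import fnmatchcase

# Constructed sample data: account IDs are placeholders, action names are the
# ones listed in the explanation above.
MANAGEMENT_ACCOUNT = "111111111111"
MEMBER_ACCOUNT = "222222222222"

BILLING_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyBillingForMembers",
        "Effect": "Deny",
        "Action": ["aws-portal:ViewBilling", "aws-portal:ModifyBilling", "awsbilling:*"],
        "Resource": "*",
    }],
}
# Allow-everything document, used here both as the default full-access SCP
# and as the admin user's IAM policy.
FULL_ACCESS = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _matches(action, statement, effect):
    """True if the statement has this effect and one of its Action patterns matches."""
    if statement["Effect"] != effect:
        return False
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    # Action names are case-insensitive and may contain '*' wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _any(action, policies, effect):
    return any(_matches(action, s, effect) for p in policies for s in p["Statement"])


def is_allowed(account_id, action, iam_policies, scps):
    """Simplified decision: IAM must allow, and SCPs must allow without denying."""
    if _any(action, iam_policies, "Deny") or not _any(action, iam_policies, "Allow"):
        return False
    if account_id == MANAGEMENT_ACCOUNT:
        return True  # SCPs do not apply to the management account
    if _any(action, scps, "Deny"):
        return False  # an explicit SCP deny overrides any IAM allow
    return _any(action, scps, "Allow")  # SCPs only bound permissions, never grant
```

Real evaluation also requires an SCP allow at every level between the organization root and the account; the flat list here models a single level only.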

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A startup's cloud architect reviews their monthly bill and notices costs are higher than expected for a long-running batch job. Switching from on-demand instances to Reserved Instances — or using Spot/Preemptible VMs — can reduce compute costs by up to 72 %. Questions like this test whether you understand the tradeoffs between commitment, flexibility, and cost across cloud pricing models.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 11, 2026
