Question 557 of 1,000
Hard · Multiple choice · Objective-mapped

SAA-C03 Practice Question: SCPs set the maximum permissions for all…

This SAA-C03 practice question tests your understanding of the principle that SCPs set the maximum permissions for all…. The scenario asks you to isolate a root cause, so eliminate the options that address a different problem before choosing. The key principle to apply: SCPs set the maximum permissions for all principals in member accounts. Once you have made your selection, read the full explanation to reinforce the concept and to understand why each distractor is designed to mislead on exam day.

A company uses AWS Organizations and wants to prevent any account in the organization from launching resources in regions other than us-east-1 and eu-west-1. This restriction must apply even if an administrator in a member account grants full IAM permissions. Which approach should a solutions architect use?


Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A

Distractor review

Use AWS Control Tower guardrails to enforce region restriction for all accounts

Control Tower implements guardrails using SCPs. The direct mechanism is an SCP. Specifying Control Tower is less precise than the correct answer of directly applying an SCP to the Organization root.

B

Best answer

Create an SCP with a Deny on all actions for regions outside us-east-1 and eu-west-1, attached to the Organization root

SCPs apply to all principals in all member accounts and cannot be overridden by account-level IAM. Attached to the Organization root, this SCP covers every member account. The Deny with StringNotEquals condition on aws:RequestedRegion blocks all other regions.

C

Distractor review

Create IAM policies with Deny for disallowed regions and attach them to all IAM users and roles in each account

IAM policies are account-scoped and can be modified by account administrators. This is unscalable and bypassable — not an organization-wide immutable control.

D

Distractor review

Enable AWS Config rules to detect resources launched in disallowed regions and trigger auto-remediation to delete them

Config rules are detective controls that identify violations after resources are created. This does not prevent resource creation — it is reactive, not preventive.

Common exam trap: answer the scenario, not the keyword

A common misconception is that an IAM Administrator or root user in a member account can override organization-level controls. SCPs define the permission ceiling — even AdministratorAccess (Action: *, Resource: *) cannot exceed what the SCP allows. SCPs are evaluated BEFORE account-level IAM policies.

Technical deep dive

How to think about this question

AWS permission evaluation order for member accounts in an Organization:

1. AWS Organizations SCP (evaluated first; sets the ceiling)
2. IAM identity-based policy
3. Resource-based policy
4. Permission boundaries
5. Session policies

Region restriction SCP pattern:

  • Effect: Deny
  • Action: *
  • Resource: *
  • Condition: StringNotEquals aws:RequestedRegion [us-east-1, eu-west-1]

Note: SCPs do NOT apply to the management (master) account. Global services (IAM, Route 53) use 'us-east-1' as their region; use NotAction to exclude them from region restriction SCPs.
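The pattern above, written out as a policy document together with a small evaluator that models only the Deny / NotAction / StringNotEquals logic of this SCP. This is an added example, not code from the page or from AWS; the list of global-service actions carved out with NotAction is an illustrative assumption, and the evaluator is a simplified model of the real AWS evaluation chain.

```python
import json

# Added example (not from the original page): the region-restriction SCP
# pattern, as a policy document plus a simplified evaluator that models only
# the Deny / NotAction / StringNotEquals logic of that one statement.

ALLOWED_REGIONS = ["us-east-1", "eu-west-1"]

# Global services carved out with NotAction so the SCP does not break them.
# Illustrative list (an assumption), not an exhaustive AWS reference.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "organizations:*", "route53:*", "sts:*", "support:*"]

REGION_RESTRICTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideAllowedRegions",
        "Effect": "Deny",
        "NotAction": GLOBAL_SERVICE_ACTIONS,
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
    }],
}


def _action_matches(pattern: str, action: str) -> bool:
    """Match an action pattern such as 'iam:*' or '*' against 'iam:CreateUser'."""
    if pattern == "*":
        return True
    p_service, _, p_name = pattern.partition(":")
    a_service, _, a_name = action.partition(":")
    return p_service.lower() == a_service.lower() and (p_name == "*" or p_name.lower() == a_name.lower())


def scp_denies(scp: dict, action: str, region: str) -> bool:
    """True when a Deny statement covers the action and its region condition holds."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        patterns = stmt.get("Action", stmt.get("NotAction", []))
        patterns = [patterns] if isinstance(patterns, str) else patterns
        hit = any(_action_matches(p, action) for p in patterns)
        covered = (not hit) if "NotAction" in stmt else hit  # NotAction inverts the match
        allowed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        allowed = [allowed] if isinstance(allowed, str) else allowed
        condition_holds = allowed is None or region not in allowed
        if covered and condition_holds:
            return True
    return False


def effective_allow(scp: dict, iam_allows: bool, action: str, region: str) -> bool:
    """Model of the permission ceiling: IAM can only allow within what the SCP permits."""
    return iam_allows and not scp_denies(scp, action, region)


if __name__ == "__main__":
    print(json.dumps(REGION_RESTRICTION_SCP, indent=2))
    # An AdministratorAccess principal (iam_allows=True) still cannot launch in ap-northeast-1.
    print(effective_allow(REGION_RESTRICTION_SCP, True, "ec2:RunInstances", "ap-northeast-1"))
```

Running the module prints the policy JSON and `False` for the EC2 launch outside the allowed regions, while `iam:CreateUser` stays permitted in every region because of the NotAction carve-out.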

Key Concepts to Remember

  • SCPs set the maximum permissions for all principals in member accounts
  • SCPs cannot be overridden by account-level IAM policies, even AdministratorAccess
  • SCPs do NOT apply to the AWS Organizations management account
  • Region restriction SCPs use Condition StringNotEquals on aws:RequestedRegion
  • SCPs are evaluated before IAM policies in the request evaluation chain

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

SCPs set the maximum permissions for all principals in member accounts


FAQ

Questions learners often ask

What does this SAA-C03 question test?

SCPs set the maximum permissions for all principals in member accounts

What is the correct answer to this question?

The correct answer is: Create an SCP with a Deny on all actions for regions outside us-east-1 and eu-west-1, attached to the Organization root — Service Control Policies (SCPs) in AWS Organizations provide a guardrail that applies to all principals in member accounts — including IAM users, roles, and even the account root. SCPs restrict the maximum permissions that can be granted within an account. An SCP with Deny on all actions for all regions except us-east-1 and eu-west-1, attached to the organization root, prevents any account from launching resources in other regions regardless of account-level IAM permissions. IAM policies in member accounts cannot override SCPs.

What should I do if I get this SAA-C03 question wrong?

Review the principle that SCPs set the maximum permissions for all principals in member accounts, then practise related SAA-C03 questions on the same topic to reinforce the concept.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.


This SAA-C03 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SAA-C03 exam.