A company uses AWS Organizations to manage multiple AWS accounts. The security team wants to restrict access to a specific AWS service (Amazon EC2) in all accounts except for the 'production' account. The SysOps administrator needs to implement this restriction centrally. Which approach should the administrator use?
SCPs are a centralized way to set permission boundaries for all accounts in the organization. By denying EC2 actions via SCP on non-production OUs, the restriction is enforced even for the root user of those accounts, and it applies to all IAM principals.
Why this answer
Service control policies (SCPs) are the correct mechanism for centrally restricting permissions across accounts in AWS Organizations. By attaching an SCP that denies EC2 actions to the OUs that contain the non-production accounts (an SCP attached to the organization root would apply to the production account as well), the security team enforces the restriction at the account level, overriding any IAM policies within those accounts. Even if a user or role in a non-production account has an IAM policy granting EC2 access, the SCP blocks it, because an explicit SCP deny takes precedence over any identity-based allow.
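An SCP of the shape this explanation describes, written here as an added example (it is not part of the original question and is not copied from AWS documentation); the Sid is a constructed name:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllEC2InNonProduction",
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*"
    }
  ]
}
```

Attach it to the OU(s) that hold the non-production accounts rather than to the organization root, and keep the default FullAWSAccess SCP attached, since a deny-list SCP only narrows what that allow list grants. SCPs never restrict the organization's management account, so the accounts to be restricted must be member accounts.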
Exam trap
The trap here is that candidates often confuse IAM policies (which are identity-based and account-specific) with SCPs (which are account-wide and centrally managed). That confusion leads them to choose Option A, assuming that attaching a deny policy to users is sufficient, while overlooking that SCPs are the only centralized, preventive control that spans multiple accounts in AWS Organizations.
How to eliminate wrong answers
Option A is wrong because IAM policies attached to users and roles are not centrally managed across multiple accounts; they must be applied individually in each account, which is not a centralized solution and can be bypassed by local administrators. Option C is wrong because AWS Config is a detective service that can detect and react to EC2 usage (e.g., via auto-remediation), but it does not prevent the initial creation or use of EC2 resources; it only responds after the fact, which is not a preventive restriction. Option D is wrong because resource-based policies on EC2 instances control access to the instance itself (e.g., who can start/stop it), not the ability to launch or manage EC2 services in an account; they are also not centrally managed across accounts.