Which statement about service control policies (SCPs) is true?

Prepare for the Amazon Web Services (CISN 74A) Security Test with our interactive quizzes. Use multiple choice questions with detailed hints and explanations to ace your exam.

Service Control Policies (SCPs) are a feature of AWS Organizations that allows you to manage permissions and access across multiple AWS accounts within an organization. The correct statement highlights that SCPs can restrict access to services, resources, or API actions. This capability is crucial for organizations that need to enforce governance and compliance by ensuring that only certain actions are permitted, regardless of the permissions granted to IAM users or roles.

By using SCPs, administrators can create policies that specify which AWS services can be accessed or specific API actions that can be performed by the accounts in the organization. For example, an SCP might be created to prevent the use of certain services, thereby providing a layer of security that helps to enforce organizational policies at a broader level than IAM alone.
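A simplified model of how an SCP and an IAM identity policy combine, added here as an illustration and not part of the original page. Both policies are constructed samples, and the evaluator is an assumption-laden sketch: it handles one SCP and one identity policy and ignores Resource, Condition, permission boundaries and resource-based policies.

```python
import fnmatch

# Constructed SCP: a full-access baseline plus a deny on two services.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["redshift:*", "sagemaker:*"], "Resource": "*"},
    ],
}

# Constructed identity policy attached to a role in a member account.
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "redshift:*"], "Resource": "*"},
    ],
}


def _matches(stmt, action):
    # Action names are case-insensitive and may contain "*" or "?" wildcards.
    actions = stmt["Action"]
    patterns = [actions] if isinstance(actions, str) else actions
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def verdict(policy, action):
    """Return 'deny', 'allow' or 'none' (implicit deny) for a single policy."""
    hits = {s["Effect"] for s in policy["Statement"] if _matches(s, action)}
    if "Deny" in hits:
        return "deny"  # an explicit deny always wins
    return "allow" if "Allow" in hits else "none"


def is_permitted(action, scp=SCP, identity_policy=IAM_POLICY):
    """A request succeeds only if BOTH the SCP and the identity policy allow it."""
    return verdict(scp, action) == "allow" and verdict(identity_policy, action) == "allow"
```

The role's own policy allows `redshift:*`, yet the request is refused because the SCP denies it; the SCP's `Allow *` grants nothing by itself, so `ec2:RunInstances` is also refused for lack of an IAM allow.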

The other options do not accurately describe the functionality of SCPs. SCPs are not mandatory for all AWS accounts; they are applied at the organizational level and can be selectively applied to individual accounts. They apply not just to IAM users but also to all entities in the accounts managed under the organization's umbrella, including roles and federated users. Additionally, SCPs are not restricted by AWS Regions; they are applicable across the entire organization regardless of geographic location. Thus, the ability of SCPs to restrict access