Implementation of control behavior
The preventive controls are implemented using Service Control Policies (SCPs), which are part of AWS Organizations.
The detective controls are implemented using AWS Config rules.
The proactive controls are implemented using AWS CloudFormation hooks.
AWS Config is used to assess, audit, and evaluate the configurations of AWS resources, ensuring compliance with desired configurations.
Service control policies (SCPs) help to enforce preventive guardrails by specifying the maximum permissions for accounts in an organization, ensuring users cannot perform unauthorized actions.
For those who are familiar with AWS: In AWS Control Tower, preventive controls are implemented with Service Control Policies (SCPs). Detective controls are implemented with AWS Config rules. Proactive controls are implemented with AWS CloudFormation hooks.
Reference: https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html#how-controls-work
B. Service control policies (SCPs): Service control policies are used to define fine-grained permissions for AWS accounts within an organization. With SCPs, you can establish guardrails by setting restrictions on the actions that IAM entities (users, groups, roles) can perform on AWS services and resources.
D. AWS Identity and Access Management (IAM): IAM is a service that enables you to manage user access and permissions to AWS services and resources. Within an AWS Control Tower landing zone, you can use IAM to create and manage IAM roles, policies, and permissions.
The correct answers are (SCPs and AWS Config).
For those who are familiar with AWS: In AWS Control Tower, preventive controls are implemented with Service Control Policies (SCPs). Detective controls are implemented with AWS Config rules. Proactive controls are implemented with AWS CloudFormation hooks.
Ref: https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html#how-controls-work
When creating a new AWS Control Tower landing zone, you can define policies to enforce permissions boundaries and ensure compliance across your AWS environment. AWS provides several services and features to help create and define these policies, and two of the primary tools are Service Control Policies (SCPs) and AWS Identity and Access Management (IAM) policies.
Service Control Policies (SCPs) are used to define permission guardrails across accounts in a Control Tower landing zone. With SCPs, you can limit permissions for IAM entities (users, groups, and roles) and the resources they can access. SCPs work as a whitelist, explicitly allowing access to only the specified resources and services, and denying access to all other resources and services. This helps to enforce compliance policies across all accounts and resources within the AWS Control Tower environment.
Commenters:
oskarq (Highly Voted): 1 year, 9 months ago
Santosh4u (Most Recent): 4 months, 2 weeks ago
Pranava_GCP: 1 year, 9 months ago
[Removed]: 1 year, 10 months ago
beastdabest: 1 year, 10 months ago
Zonci: 1 year, 10 months ago
AngloSoliman: 1 year, 11 months ago
Guru4Cloud: 2 years ago
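
Added example, not part of any comment above: a small Python model of how SCPs act as a permission ceiling on top of IAM, covering both a deny-list and an allow-list setup. The function names `decision` and `is_permitted` and all sample policies are constructed for illustration; the model evaluates only `Effect` and `Action` and ignores `Resource`, `Condition`, `NotAction` and the management-account exemption.

```python
from fnmatch import fnmatchcase

def decision(policy, action):
    """'Deny', 'Allow' or None for one policy; only Effect/Action are modelled."""
    result = None
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        # Action names are case-insensitive and may contain * wildcards.
        if any(fnmatchcase(action.lower(), a.lower()) for a in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny always wins
            result = "Allow"
    return result

def is_permitted(action, scp_levels, iam_policy):
    """scp_levels: SCPs attached at root, each OU on the path, then the account."""
    for level in scp_levels:
        results = [decision(scp, action) for scp in level]
        # Every level must allow the action and none may deny it.
        if "Deny" in results or "Allow" not in results:
            return False
    # SCPs only filter; the grant itself must come from an IAM policy.
    return decision(iam_policy, action) == "Allow"

# Constructed sample policies (not taken from the page).
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
PROTECT_TRAIL = {"Statement": [{"Effect": "Deny", "Resource": "*",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}]}
S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Deny-list style: keep full access everywhere, deny specific actions at the OU.
DENY_LIST = [[ALLOW_ALL], [ALLOW_ALL, PROTECT_TRAIL], [ALLOW_ALL]]
# Allow-list style: the OU permits only S3.
ALLOW_LIST = [[ALLOW_ALL], [S3_ONLY], [ALLOW_ALL]]

if __name__ == "__main__":
    for name, levels in (("deny-list", DENY_LIST), ("allow-list", ALLOW_LIST)):
        for act in ("s3:GetObject", "ec2:RunInstances", "cloudtrail:StopLogging"):
            print(name, act, is_permitted(act, levels, ALLOW_ALL))
```

In both setups an administrator-level IAM policy in the member account still cannot stop CloudTrail logging, which is the preventive-guardrail effect the comments describe.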