Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 328 discussion

I don't think it's appropriate to make SCP changes from Organization to an OU managed by Control Tower, as it will cause drift. The recommended method is to set it as Preventive. https://docs.aws.amazon.com/controltower/latest/userguide/controls.html https://docs.aws.amazon.com/controltower/latest/userguide/governance-drift.html

Cannot be A. SCP will create drift and SCPs are used for denying any specific action, not allow as stated in option A.

All the people that have selected C have never used guardrails in control tower. There is no such guardrail to do this, plus you do not have the option to create custom guardrails.

By using a custom preventive control (guardrail) in AWS Control Tower, the company can effectively enforce the deployment of only burstable instances and disallow the use of irrelevant services in the development OU, optimizing costs and ensuring compliance. The other options are less effective or inappropriate: Option A: SCPs in AWS Organizations lack the granularity of AWS Control Tower guardrails for this specific use case. Option B: A detective control would detect non-compliant resources after deployment, not prevent it as required. Option D: Creating an AWS Config rule and deploying via CloudFormation StackSets is more complex than using purpose-built AWS Control Tower guardrails.

C is right. A preventive control (guardrail) is designed to prevent users from taking specific actions if they don't meet the defined criteria. In this case, creating a custom preventive control would allow you to: Define rules for what types of EC2 instances and RDS instances can be deployed in the development OU. Specify which services are allowed or disallowed. This approach provides real-time enforcement of desired resource usage patterns, helping the company prevent non-compliant resources from being created in the first place

C. Cannot be A as SCPs are for deny policies only but the answer specifies creating an SCP to allow and deny.

As long as you do not update the policies that Control Tower manages, this is fine: > Don't use AWS Organizations to update service control policies (SCPs) attached to an OU that is registered with AWS Control Tower. Doing so could result in the controls entering an unknown state, which will require you to reset your landing zone or re-register your OU in AWS Control Tower. Instead, you can create new SCPs and attach those to the OUs rather than editing the SCPs that AWS Control Tower has created.

Preventive guardrails deployed by AWS Control Tower are implemented via service control policies (SCPs). https://docs.aws.amazon.com/wellarchitected/latest/management-and-governance-guide/controls.html

I go with C, because of https://docs.aws.amazon.com/controltower/latest/userguide/governance-drift.html#drift-scp-attached-ou

SCP and "allow" are always incompatible

A -because SCPs are a more straightforward and integrated solution within AWS Organizations for this purpose than preventive controls in Control Tower

Applying the custom SCP to the development OU will enforce the restrictions on all the accounts within that OU, effectively limiting the developers to using only the allowed resources and services. AWS Control Tower guardrails (options B and C) are not the ideal solution in this case because they are primarily used for governance and compliance purposes, rather than granular service-level restrictions.

C - correct.

Option A - The preventive controls are implemented using Service Control Policies (SCPs), which are part of AWS Organizations Read " Implementation of control behavior" section https://docs.aws.amazon.com/controltower/latest/userguide/controls.html

Anwer is A. "Custom SCP" Drift is caused if you edit the existing SCP. Don't use AWS Organizations to update service control policies (SCPs) attached to an OU that is registered with AWS Control Tower. Doing so could result in the controls entering an unknown state, which will require you to repair your landing zone or re-register your OU in AWS Control Tower. Instead, you can create new SCPs and attach those to the OUs rather than editing the SCPs that AWS Control Tower has created. https://docs.aws.amazon.com/controltower/latest/userguide/orgs-guidance.html

Custom preventive guardrails in CT can't do this. The correct answer is A.

Answer : C because A said the SCP will apply to " AWS Organizations" not the OU.