🔥 3-day streak
AWS Certified Solutions Architect - Professional35 / 186
Question 35 of 186
A large enterprise deployed AWS Control Tower to establish its multi-account landing zone. A platform engineering team, wanting to add a custom deny policy, manually attached a new Service Control Policy directly to a Control Tower-managed Organizational Unit using the AWS Organizations console. Weeks later, the Control Tower dashboard reports the OU and its accounts as 'Not compliant' / drifted, and the team is concerned that a future landing zone update could break their custom guardrail. What is the recommended approach to maintain the custom SCP while keeping Control Tower governance intact?
Reviewed for accuracy · Report an issueNext question