🔥 3-day streak
AWS Certified Solutions Architect - Professional159 / 186
Question 159 of 186
A financial services company uses AWS Organizations with all features enabled. The security team wants to enforce that member accounts in the 'Production' OU can only use AWS services that have been formally approved through the company's internal risk assessment (currently 12 services). New services must never be usable until they pass review. Meanwhile, a separate 'Sandbox' OU should allow developers to experiment with any service except a small set of expensive or high-risk ones (e.g., specific EC2 instance families and certain database services). Which SCP strategy best meets both requirements with the least ongoing maintenance risk?
Reviewed for accuracy · Report an issueNext question