Skip to main content

AWS SOA-C02 Drill: Service Control Policies - Efficient Multi-Account EC2 Restrictions

·715 words·4 mins·
Certification Drills AWS SOA-C02 AWS Organizations Service Control Policies
Jeff Taakey
Author
Jeff Taakey
21+ Year Enterprise Architect | AWS SAA/SAP & Multi-Cloud Expert.
Table of Contents

Jeff’s Note
#

Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer (SRE).

For SOA-C02 candidates, the confusion often lies in the scope and application of AWS Organizations’ Service Control Policies (SCPs). In production, this is about knowing exactly how to enforce permission boundaries efficiently across multiple AWS accounts for operational governance — without managing policies individually per account. Let’s drill down.

The Certification Drill (Simulated Question)
#

Scenario
#

BrightPath Media operates a centralized AWS environment using AWS Organizations to manage multiple AWS accounts. They want to enforce a strict restriction: developers are prohibited from launching any Amazon EC2 instances within a specific instance family (e.g., T3 instances) across all their developer accounts. BrightPath aims for a solution that is both operationally efficient and scalable across multiple AWS accounts.

The Requirement:
#

Identify the most operationally efficient way for BrightPath to enforce this instance family restriction in their multi-account AWS setup.

The Options
#

  • A) Add developer accounts to an Organizational Unit (OU) in AWS Organizations, then apply a Service Control Policy (SCP) to that OU restricting the instance family.
  • B) Add developer accounts to an AWS Resource Group, then apply an SCP to the Resource Group restricting the instance family.
  • C) Apply a tailored SCP to each individual developer account directly restricting the instance family.
  • D) Register developer accounts with AWS Control Tower, then apply the SCP from the AWS Control Tower management account.

Google adsense
#

leave a comment:

Correct Answer
#

A

Quick Insight: The SOA Imperative
#

  • For SREs: The key is applying SCPs at the Organizational Unit (OU) level to enable scalable, centralized policy enforcement without repetitive manual application per account. This also simplifies automation and auditing.

Content Locked: The Expert Analysis
#

You’ve identified the answer. But do you know the implementation details that separate a Junior from a Senior?

Unlock Full Access & Start Mastering

The Expert’s Analysis
#

Correct Answer
#

Option A

The Winning Logic
#

Applying an SCP to an Organizational Unit (OU) leverages AWS Organizations’ best practices by providing centralized, hierarchical policy enforcement. When developer accounts are grouped under an OU, one SCP applied to that OU automatically cascades and restricts all member accounts. This reduces operational overhead because you avoid managing per-account SCPs and can apply changes at scale with confidence.

  • AWS currently supports applying SCPs only at the root, OU, or account level.
  • SCPs cannot be applied to resource groups (invalid scope for SCPs).
  • AWS Control Tower can automate account provisioning and governance but typically relies on SCPs attached to OUs it manages; applying SCPs directly through Control Tower management account for this purpose isn’t the operational standard method and adds complexity.

The Trap (Distractor Analysis)
#

  • Why not B? AWS Resource Groups are for resource management and do not support SCP attachments. This option reflects a misunderstanding of SCP scope.
  • Why not C? Managing SCPs per account is feasible but highly inefficient and error-prone at scale—defeats the purpose of centralized management in AWS Organizations.
  • Why not D? While AWS Control Tower automates governance, it applies SCPs primarily via OUs it creates. Attaching SCPs directly at the Control Tower management account level for this scenario is not the standard operational approach and limits flexible policy application.

The Technical Blueprint
# 

# Example CLI snippet to attach SCP to an OU using AWS CLI

# List OUs under the root to find correct OU ID
aws organizations list-organizational-units-for-parent --parent-id r-examplerootid

# Attach SCP policy to the OU
aws organizations attach-policy --policy-id p-examplepolicyid --target-id ou-examplerootid-ou1234

The Comparative Analysis
#

Option Operational Overhead Automation Level Impact
A Low High Centralized, immediate effect
B N/A (Invalid) N/A SCPs cannot be applied here
C High Low Tedious per-account management
D Medium Medium Control Tower adds complexity

Real-World Application (Practitioner Insight)
#

Exam Rule
#

For the exam, always pick OU-level SCPs when you see multi-account account permissions restrictions.

Real World
#

In practice, you might augment OU-level SCPs with Service Catalog constraints or AWS Control Tower guardrails for additional guard layers, but SCPs at the OU level remain the central, scalable enforcement mechanism.

(CTA) Stop Guessing, Start Mastering
#

Unlock The Full Analysis Now

Disclaimer

This is a study note based on simulated scenarios for the SOA-C02 exam.

The DevPro Network: Mission and Founder

A 21-Year Tech Leadership Journey

Jeff Taakey has driven complex systems for over two decades, serving in pivotal roles as an Architect, Technical Director, and startup Co-founder/CTO.

He holds both an MBA degree and a Computer Science Master's degree from an English-speaking university in Hong Kong. His expertise is further backed by multiple international certifications including TOGAF, PMP, ITIL, and AWS SAA.

His experience spans diverse sectors and includes leading large, multidisciplinary teams (up to 86 people). He has also served as a Development Team Lead while cooperating with global teams spanning North America, Europe, and Asia-Pacific. He has spearheaded the design of an industry cloud platform. This work was often conducted within global Fortune 500 environments like IBM, Citi and Panasonic.

Following a recent Master’s degree from an English-speaking university in Hong Kong, he launched this platform to share advanced, practical technical knowledge with the global developer community.


About This Site: AWS.CertDevPro.com


AWS.CertDevPro.com focuses exclusively on mastering the Amazon Web Services ecosystem. We transform raw practice questions into strategic Decision Matrices. Led by Jeff Taakey (MBA & 21-year veteran of IBM/Citi), we provide the exclusive SAA and SAP Master Packs designed to move your cloud expertise from certification-ready to project-ready.