ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company is concerned about shadow IT after several teams spun up their own AWS accounts and copied regulated customer data for testing. Security and compliance now require that any new AWS resources be provisioned only from pre-approved configurations that enforce encryption, tagging, and region restrictions, while still letting developers self-service new environments. Which AWS solution best meets these requirements and therefore most effectively reduces the risk of shadow IT in the organization?
Deploy AWS Service Catalog so developers can launch only centrally approved CloudFormation products.
Require all infrastructure to be defined in AWS CloudFormation stacks that developers manage themselves.
Use AWS IAM Identity Center to enforce single sign-on to all existing and future AWS accounts.
Enable AWS Control Tower with guardrails to create new AWS accounts for each project.
AWS Service Catalog lets central IT create and manage a portfolio of approved products, such as CloudFormation templates for VPCs, EC2 instances, or entire application stacks, with predefined configurations, tagging standards, and permissions. Users can launch these products on demand through a self-service portal, but they cannot modify the underlying templates, ensuring that every resource complies with corporate security and regulatory policies and preventing teams from bypassing governance with unapproved accounts or configurations.
AWS Control Tower simplifies setting up and governing multiple accounts, but it does not by itself give developers a constrained, self-service provisioning experience; they would still need a service such as Service Catalog. AWS CloudFormation alone allows infrastructure as code but does not stop users from creating their own arbitrary templates, so it does not effectively curb shadow IT. AWS IAM Identity Center (formerly AWS SSO) centralizes authentication and authorization but does not provide catalog-based controls over which resources can be deployed. Therefore, AWS Service Catalog is the most appropriate choice for mitigating shadow IT in this scenario.
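The portfolio setup described in the explanation, as an added CloudFormation example that is not part of the original question: central IT publishes one approved product, forces provisioning through a launch role, attaches a tag, and grants a developer role access. The three parameters, the display names and the tag key/value are assumptions chosen for illustration.

```yaml
Parameters:
  ApprovedTemplateUrl: {Type: String}  # assumption: S3 URL of the reviewed template
  LaunchRoleArn: {Type: String}        # assumption: role Service Catalog assumes
  DeveloperRoleArn: {Type: String}     # assumption: IAM role used by developers
Resources:
  Portfolio:
    Type: AWS::ServiceCatalog::Portfolio
    Properties:
      DisplayName: Approved Test Environments
      ProviderName: Central IT
  Product:
    Type: AWS::ServiceCatalog::CloudFormationProduct
    Properties:
      Name: Encrypted Test Environment
      Owner: Central IT
      ProvisioningArtifactParameters:
        - Name: v1
          Info:
            LoadTemplateFromURL: !Ref ApprovedTemplateUrl
  ProductInPortfolio:
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
    Properties:
      PortfolioId: !Ref Portfolio
      ProductId: !Ref Product
  # Provisioning runs as the launch role, so developers need no direct service permissions.
  LaunchConstraint:
    Type: AWS::ServiceCatalog::LaunchRoleConstraint
    DependsOn: ProductInPortfolio
    Properties:
      PortfolioId: !Ref Portfolio
      ProductId: !Ref Product
      RoleArn: !Ref LaunchRoleArn
  # TagOption on the portfolio: products launched from it carry this tag.
  DataClassTag:
    Type: AWS::ServiceCatalog::TagOption
    Properties:
      Key: data-classification
      Value: regulated
  DataClassTagOnPortfolio:
    Type: AWS::ServiceCatalog::TagOptionAssociation
    Properties:
      ResourceId: !Ref Portfolio
      TagOptionId: !Ref DataClassTag
  # Only principals associated here see the portfolio in the self-service console.
  DeveloperAccess:
    Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation
    Properties:
      PortfolioId: !Ref Portfolio
      PrincipalARN: !Ref DeveloperRoleArn
      PrincipalType: IAM
```

The encryption and region settings the question mentions would live inside the approved template that `ApprovedTemplateUrl` points to, which developers can launch but not edit.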
Systems and Application Security