AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A global enterprise operates 300 production accounts in an AWS Organizations OU called Workloads. Four custom service control policies (SCPs) are attached directly to that OU. The cloud center of excellence has deployed an AWS Control Tower landing zone and wants to register the Workloads OU while immediately enabling two preventive guardrails: Disallow creation of access keys for the root user and Disallow public read access to Amazon S3 buckets.
During a dry-run in a test organization, the Register OU operation fails with the message "Exceeds maximum number of SCPs".
As the lead solutions architect, what is the MOST effective way to ensure that the Workloads OU can be successfully registered in AWS Control Tower without losing the intent of the existing custom policies?
Temporarily disable one custom SCP, register the OU, re-enable Control Tower guardrails, and then attach the disabled policy to every account in the OU instead of the OU itself.
Open a support ticket to raise the maximum number of SCPs that can be attached to an OU above five, then register the OU and enable the guardrails.
Consolidate the four custom SCPs into a single SCP, detach the original policies, attach the consolidated SCP to the Workloads OU, and then register the OU and enable the guardrails.
Create a new parent OU, move Workloads under the parent, register the parent OU with Control Tower, and rely on the child OU to inherit the existing SCPs.
AWS Organizations enforces a hard quota of five SCPs attached directly to a single root, OU, or account, and that quota cannot be raised. Only direct attachments count; SCPs inherited from the root or a parent OU do not. When an OU is registered, AWS Control Tower attaches the SCPs that implement its preventive controls directly to that OU, and those attachments count against the same five. Four custom SCPs plus the two guardrail SCPs in this scenario would bring the Workloads OU to six, so the Register OU operation fails with the quota error.
Consolidating the statements of the four custom SCPs into one policy, attaching that single SCP to the Workloads OU and detaching the originals leaves the OU with one custom SCP. The two Control Tower guardrail SCPs bring the total to three, under the quota of five, so Register OU completes. Nothing is lost in enforcement, because Organizations combines the SCPs attached at one level (a permission is allowed at that level if any attached SCP allows it and no attached SCP denies it), so one policy that carries every statement of the four originals behaves as the four did. Two practical checks before doing this in production: the merged document must stay within the 5,120-character size quota for a single SCP, and Sids must be unique within a policy, so a repeated Allow "*" statement should be kept once and colliding Sids renamed. Attach the consolidated SCP before detaching the originals so there is no window with the controls unenforced; if the OU already has five attachments (FullAWSAccess counts as one), detach a single original first to free a slot.
A quota increase cannot be requested because this quota is not adjustable. Moving Workloads under a new parent OU changes nothing: the four custom SCPs remain attached directly to Workloads, so its direct-attachment count is unchanged, and inheritance from the parent does not reduce it. Detaching one SCP and attaching it to each of the 300 accounts instead does keep the OU under the quota, but it replaces one enforcement point with 300 account-level attachments that must be kept in sync, and any account later moved into the OU is not covered until someone attaches the policy to it; that is operational overhead and drift risk rather than a solution.
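As an added example (not code from the exam page or from AWS), the consolidation step in Python with boto3: it merges the statements of the SCPs attached directly to an OU into one document, drops repeated statements, keeps Sids unique, checks the 5,120-byte size quota, and only when apply=True creates the new policy, attaches it and detaches the originals. The OU id, the policy name and the four sample SCP documents are constructed for illustration; the IAM permissions named in the module docstring are what the Organizations calls require.

```python
"""Merge the custom SCPs attached to one OU into a single policy.

Added example for this question; not code from the exam page or from AWS.
Assumes boto3 is installed and the caller holds organizations:ListPoliciesForTarget,
DescribePolicy, CreatePolicy, AttachPolicy and DetachPolicy in the management
account. The OU id, policy name and the four sample SCPs below are constructed.
"""
import copy
import json

SCP_MAX_PER_TARGET = 5   # hard quota: SCPs attached directly to one root, OU or account
SCP_MAX_BYTES = 5120     # hard quota: size of one SCP document, whitespace included


def _canon(stmt):
    """Canonical JSON of a statement with its Sid removed, used to drop duplicates
    such as the Allow "*" that every deny-list SCP repeats."""
    return json.dumps({k: v for k, v in stmt.items() if k != "Sid"},
                      sort_keys=True, separators=(",", ":"))


def merge_scps(documents):
    """Return one SCP document holding every distinct statement of `documents`.

    Organizations combines the SCPs attached at one level (allowed if any allows
    it and none denies it), so one policy carrying all the statements enforces
    the same thing. Sids must be unique in a policy, so collisions get a suffix.
    """
    merged, seen, sids = [], set(), set()
    for doc in documents:
        stmts = doc.get("Statement", [])
        if isinstance(stmts, dict):        # a lone statement may be written bare
            stmts = [stmts]
        for stmt in stmts:
            key = _canon(stmt)
            if key in seen:
                continue
            seen.add(key)
            s = copy.deepcopy(stmt)
            sid = s.get("Sid")
            if sid:
                base, n = sid, 1
                while sid in sids:
                    n += 1
                    sid = f"{base}{n}"
                s["Sid"] = sid
                sids.add(sid)
            merged.append(s)
    return {"Version": "2012-10-17", "Statement": merged}


def policy_size(doc):
    """Size of the document as it would be submitted (compact JSON)."""
    return len(json.dumps(doc, separators=(",", ":")))


def consolidate_ou_scps(ou_id, new_name, apply=False):
    """Merge the non-AWS-managed SCPs on `ou_id` into one policy.

    apply=False changes nothing: the merged document and its size come back for
    review and for a trial run against a sandbox OU. apply=True creates the
    policy, attaches it, then detaches the originals.
    """
    import boto3  # imported here so merge_scps() works without boto3 installed

    org = boto3.client("organizations")
    attached = org.list_policies_for_target(
        TargetId=ou_id, Filter="SERVICE_CONTROL_POLICY")["Policies"]
    # FullAWSAccess (AwsManaged) stays; only customer-authored SCPs are merged.
    custom = [p for p in attached if not p["AwsManaged"]]
    docs = [json.loads(org.describe_policy(PolicyId=p["Id"])["Policy"]["Content"])
            for p in custom]
    merged = merge_scps(docs)
    size = policy_size(merged)
    if size > SCP_MAX_BYTES:
        raise ValueError(f"merged SCP is {size} bytes, over the {SCP_MAX_BYTES} quota; "
                         "split it by concern or shorten statements")
    if not apply:
        return merged, size

    new_id = org.create_policy(
        Name=new_name, Description=f"Consolidated custom SCPs for {ou_id}",
        Type="SERVICE_CONTROL_POLICY",
        Content=json.dumps(merged, separators=(",", ":")))["Policy"]["PolicySummary"]["Id"]
    to_detach = list(custom)
    if len(attached) >= SCP_MAX_PER_TARGET:
        # No free slot: detach one original first; its statements are unenforced
        # only until the merged policy is attached on the next call.
        org.detach_policy(PolicyId=to_detach.pop(0)["Id"], TargetId=ou_id)
    org.attach_policy(PolicyId=new_id, TargetId=ou_id)
    for p in to_detach:
        org.detach_policy(PolicyId=p["Id"], TargetId=ou_id)
    return new_id, size


# Constructed sample: four deny-list SCPs of the kind attached to a workloads OU.
# Each repeats the Allow "*" statement, which merge_scps() keeps only once.
ALLOW_ALL = {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}
SAMPLE_SCPS = [
    {"Version": "2012-10-17", "Statement": [ALLOW_ALL, {
        "Sid": "DenyLeaveOrg", "Effect": "Deny",
        "Action": "organizations:LeaveOrganization", "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement": [ALLOW_ALL, {
        "Sid": "DenyCloudTrailChanges", "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement": [ALLOW_ALL, {
        "Sid": "DenyOutsideRegions", "Effect": "Deny", "Resource": "*",
        "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}]},
    {"Version": "2012-10-17", "Statement": [ALLOW_ALL, {
        "Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}}]},
]
```

Run consolidate_ou_scps with a real OU id and the default apply=False first, review the returned document, attach it to a sandbox OU holding one test account and confirm the denies still fire, then rerun with apply=True. On the constructed sample, merge_scps(SAMPLE_SCPS) yields five statements: the single Allow and the four Denies, well inside the size quota.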
Exam domain: Design Solutions for Organizational Complexity