By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
(AWS Organizations, SCPs, Control Tower for AWS SAA & Real-World Deployments)
You’re a cloud engineer at a mid-sized company. Your CISO just handed you a mandate:
"We need to isolate dev, staging, and prod environments. Finance wants cost visibility per team. And by the way, no one should accidentally delete the production database."
This is where multi-account strategies come in.AWS Organizations, Service Control Policies (SCPs), and Control Tower are the tools that let you: - Enforce security guardrails (e.g., "No public S3 buckets in prod").- Isolate workloads (e.g., "Dev team can’t touch prod resources").- Track costs per team/department (e.g., "Marketing’s ad spend is $X this month").- Automate compliance (e.g., "All accounts must enable AWS Config").
What breaks if you ignore this?- A rogue IAM user deletes a critical S3 bucket (no SCPs to block s3:DeleteBucket).- Finance can’t allocate costs—your CFO sees one giant AWS bill.- A misconfigured Lambda in dev accidentally triggers a prod API (no account isolation).- Auditors fail your SOC 2 audit because you can’t prove least-privilege access.
s3:DeleteBucket
Superpower you gain:You can scale securely without micromanaging every account. Think of it like a corporate credit card system: - AWS Organizations = The corporate card program (centralized billing, rules).- SCPs = Spending limits ("No alcohol purchases; max $10K/month").- Control Tower = The automated expense report tool (pre-approved templates, alerts).
Prod
Dev
Sandbox
Security
Root ├── Prod (OU) │ ├── Prod-App1 (Account) │ └── Prod-DB (Account) ├── Dev (OU) │ ├── Dev-App1 (Account) │ └── Dev-DB (Account) └── Security (OU) └── Audit (Account)
json { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "s3:PutBucketPublicAccessBlock", "Resource": "*", "Condition": { "Bool": { "s3:BlockPublicAcls": false } } } ] }
ReadOnly
us-east-1
eu-west-1
Dev-App1
[email protected]
Deny-Public-S3-Prod
Prod-App1
bash aws s3api create-bucket --bucket prod-app1-test-bucket --region us-east-1 aws s3api put-public-access-block --bucket prod-app1-test-bucket \ --public-access-block-configuration "BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false"
An error occurred (AccessDenied) when calling the PutPublicAccessBlock operation: Access denied
DevTeam-ReadOnly
json { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "*", "Resource": "*" } ] }
Environment=Prod
Team=Marketing
Dev-DB
Log Archive
ec2:RunInstances
Trap: SCPs override IAM policies (deny > allow).
Control Tower vs. Manual Setup:
Trap: "Use AWS Organizations alone" is wrong—Control Tower adds automation.
Cost Allocation:
Trap: "Use AWS Budgets" is wrong—Budgets cap spending, but don’t allocate costs.
Guardrails:
"You’re a cloud engineer. Your CISO demands that no one can disable AWS CloudTrail in any account. How do you enforce this?"
Deny-Disable-CloudTrail
json { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*" } ] }
# Create an organization aws organizations create-organization --feature-set ALL # Create an OU aws organizations create-organizational-unit --parent-id r-xxxx --name Prod # Create an account aws organizations create-account --email [email protected] --account-name Prod-App1 # Attach an SCP to an OU aws organizations attach-policy --policy-id p-xxxx --target-id ou-xxxx-xxxxxxxx
{"Effect": "Deny", "Action": "s3:PutBucketPublicAccessBlock", "Resource": "*", "Condition": {"Bool": {"s3:BlockPublicAcls": false}}}
{"Effect": "Deny", "Action": "*", "Resource": "*", "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}}}
{"Effect": "Deny", "Action": "*", "Resource": "*", "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}
s3:PutBucketPublicAccessBlock
BlockPublicAcls=false
kms:ScheduleKeyDeletion
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.