Exam Context #
Exam: AWS SAP-C02
Primary Scenario Category: Governance
Architectural Decision: Organization-level preventive control (SCPs) vs decentralized IAM and reactive remediation
In SAP-C02, governance questions are rarely about how to write IAM policies.
They test whether you can contain account sprawl and enforce non-negotiable boundaries at scale.
👉🏻 Read more pillar articles at Pillars
These scenarios typically involve:
- Dozens or hundreds of AWS accounts
- Multiple business units or acquired environments
- Security or compliance requirements that must not be bypassed
The key architectural tension is always the same:
Should control be enforced centrally and preventively,
or distributed across accounts and remediated after the fact?
Service Control Policies (SCPs) sit at the organization layer and resolve this tension by defining hard permission boundaries that no IAM policy can override. Recognizing when the exam expects SCP-based governance—rather than account-level IAM, Config rules, or manual processes—is critical to selecting the correct answer.
Why SAP-C02 Loves This Topic #
Service Control Policies represent one of the few mechanisms in AWS that provide absolute preventive controls across an entire organization. This makes them a favorite testing ground for SAP-C02 scenario writers because they force candidates to think about governance at the enterprise level rather than the account level.
Typical enterprise contexts in SAP questions include:
Merger and acquisition scenarios where a parent company must rapidly enforce security baselines across newly acquired AWS accounts without disrupting existing workloads. The question tests whether you understand that SCPs can establish immediate guardrails without requiring changes to existing IAM policies.
Multi-business-unit organizations where different divisions have varying compliance requirements. These scenarios test your understanding of OU hierarchy design and SCP inheritance—specifically, whether you recognize that SCPs are multiplicative (intersection of all applicable policies) rather than additive.
Regulated industry contexts where certain actions must be prevented organization-wide regardless of individual account administrator decisions. These questions probe whether you understand that SCPs affect even the root user of member accounts, making them the only mechanism that can truly enforce organization-wide restrictions.
The exam expects you to recognize that SCPs solve a specific class of governance problems: preventing actions that should never occur, regardless of who attempts them or what permissions they hold.
Core Governance Decision #
What SCPs Control #
SCPs define the maximum available permissions for member accounts in an organization. They establish boundaries—hard limits that cannot be exceeded regardless of IAM policies, resource policies, or permission boundaries configured within the account.
The critical architectural insight is that SCPs operate at the AWS Organizations level, outside the IAM evaluation chain of any individual account. When an API call is made, AWS first checks whether the action is allowed by applicable SCPs before evaluating account-level IAM policies. If the SCP denies the action, the evaluation stops—no account-level policy can override this.
SCPs affect all principals in member accounts, including the root user. This is fundamentally different from IAM policies, which cannot restrict the root user. This distinction appears frequently in SAP scenarios involving compliance requirements that must apply universally.
What SCPs Do NOT Control #
SCPs do not grant permissions. This is the most common source of confusion and the basis for numerous exam traps. An SCP that allows an action does not enable that action—it merely permits the action to be allowed by account-level policies. The actual permission must still be granted through IAM.
SCPs do not affect the management account. The organization’s management account is immune to SCPs, which creates both a security consideration (the management account becomes a high-value target) and an architectural pattern (keep the management account minimal and delegate workloads to member accounts).
SCPs do not affect service-linked roles when those roles are used by AWS services to perform actions on your behalf. This exception exists to prevent SCPs from breaking AWS service functionality, but it also means SCPs cannot prevent all actions in all circumstances.
Boundary vs Permission Logic #
The mental model that unlocks SCP governance is understanding guardrails versus grants:
Guardrails (SCPs): Define what is impossible. Even with full administrative permissions, actions outside the SCP boundary cannot occur.
Grants (IAM): Define what is possible within the guardrail boundaries. IAM policies enable specific actions for specific principals.
This separation of concerns is architecturally powerful because it allows central governance teams to establish non-negotiable boundaries while delegating day-to-day permission management to account administrators. The exam tests whether you recognize scenarios where this separation is the correct architectural choice.
Common SAP Exam Traps #
SCP vs IAM Policy Confusion #
Scenarios often present a requirement to “ensure developers cannot delete production databases” and offer both SCP-based and IAM-based solutions. The trap is selecting the IAM solution when the requirement implies organization-wide enforcement or when the scenario mentions that account administrators should not be able to override the restriction.
The decision logic: If the restriction must be absolute and immune to account-level changes, SCPs are required. If the restriction should be manageable by account administrators, IAM policies are appropriate.
OU Inheritance Misunderstandings #
SCPs are inherited through the OU hierarchy, and the effective permissions are the intersection of all applicable SCPs from the root to the account. A common trap presents a scenario where an account needs broader permissions than its parent OU allows, and the incorrect answer suggests adding a more permissive SCP to the account.
The correct understanding: You cannot grant permissions through SCPs that exceed what parent OUs allow. The solution is either restructuring the OU hierarchy or moving the account to a different OU with appropriate boundaries.
Misuse of Deny-All SCPs #
Some scenarios present deny-all SCPs as a security best practice, but this approach creates operational problems. The trap is selecting a deny-all SCP with explicit allows when the scenario involves dynamic or evolving permission requirements.
The architectural insight: Deny-all SCPs work well for stable, well-defined boundaries but create maintenance burden when requirements change frequently. The exam tests whether you recognize when this approach is appropriate versus when it creates unnecessary operational friction.
Over-Scoping SCPs Instead of OU Design #
A frequent trap presents a complex SCP with multiple conditions to handle different account types, when the correct solution is restructuring OUs so that simpler SCPs can be applied to appropriate organizational units.
The principle: SCPs should be simple and applied to well-designed OUs. Complexity in SCPs often indicates poor OU design. The exam rewards candidates who recognize that OU restructuring is sometimes the better governance solution.
Decision Framework (Architect View) #
| Capability | SCP | AWS Config | Control Tower |
|---|---|---|---|
| Prevent actions | ✅ | ❌ | ⚠️ |
| Detect violations | ❌ | ✅ | ⚠️ |
| Auto remediation | ❌ | ⚠️ | ⚠️ |
| Account-level guardrail | ✅ | ❌ | ✅ |
| Exam intent | Governance logic | Compliance | Landing zone |
When to Use SCPs #
Use SCPs when you need preventive controls that cannot be overridden by account administrators. This includes preventing use of non-approved regions, blocking specific high-risk services, enforcing tagging requirements for resource creation, and preventing disabling of security services like CloudTrail or GuardDuty.
Use SCPs when compliance requirements mandate that certain actions be impossible regardless of IAM configurations. Auditors often require evidence that controls cannot be bypassed, and SCPs provide this assurance.
Use SCPs when you need to establish boundaries during organizational transitions such as mergers or acquisitions, where you cannot immediately audit and modify all existing IAM policies.
When NOT to Use SCPs #
Do not use SCPs for fine-grained access control that should be managed at the account level. SCPs are blunt instruments—they affect all principals in all affected accounts.
Do not use SCPs when the requirement is detective rather than preventive. SCPs prevent actions; they do not detect or remediate policy violations. AWS Config rules are appropriate for detective controls.
Do not use SCPs when the management account needs to be restricted. SCPs do not affect the management account, so alternative controls are required.
Relationship with Other Governance Mechanisms #
IAM Permission Boundaries: Operate within accounts to limit maximum permissions for IAM entities. Use when you need to delegate IAM administration while maintaining boundaries. SCPs and permission boundaries are complementary—SCPs set organization-wide limits, permission boundaries set account-level limits for delegated administration.
AWS Config: Provides detective controls and remediation. Use Config rules to detect non-compliant configurations and trigger remediation. SCPs prevent; Config detects and remediates.
AWS Control Tower: Provides pre-built governance frameworks including SCPs (guardrails). Use Control Tower when you want managed governance rather than building custom SCP architectures. Control Tower distinguishes between preventive guardrails (implemented via SCPs) and detective guardrails (implemented via Config rules).
Resource Control Policies (RCPs): A newer addition to AWS Organizations that controls access to resources rather than principals. While SCPs limit what principals can do, RCPs limit what can be done to resources. SAP-C02 scenarios may test understanding of when each is appropriate.
Real-World Mapping #
In enterprise environments, SCPs typically emerge from security and compliance requirements that must be enforced consistently across all accounts. A financial services company might use SCPs to prevent any account from disabling CloudTrail logging, ensuring audit trails exist regardless of individual account configurations.
SAP questions abstract this into scenarios like “ensure no account can disable centralized logging” or “prevent use of non-approved regions across all business units.” The underlying decision logic is identical: identify whether the requirement demands preventive, organization-wide control that cannot be overridden.
The exam also tests understanding of organizational change scenarios. When a company acquires another organization’s AWS accounts, SCPs provide immediate governance without requiring changes to existing account configurations. This “day one governance” capability is a common SAP scenario pattern.
notes: Security accounts often govern, but are not governed by the same SCP set.
Real enterprises often struggle with the balance between security and agility. Overly restrictive SCPs create friction for development teams and lead to shadow IT or workarounds. The exam tests whether you can identify solutions that provide necessary controls without creating operational bottlenecks—this often means combining SCPs for hard boundaries with Config rules for softer compliance requirements.
SAP-C02 Takeaway Rules #
IF the requirement states that account administrators must not be able to override a restriction, THEN SCPs are required—IAM policies alone are insufficient.
IF a scenario requires restricting the management account, THEN SCPs are not the solution—alternative controls such as IAM policies within the management account or organizational design changes are needed.
IF an SCP appears complex with many conditional statements for different account types, THEN consider whether OU restructuring would allow simpler SCPs applied to appropriate organizational units.
IF the requirement is to detect and remediate non-compliant configurations, THEN AWS Config is appropriate—SCPs only prevent, they do not detect or remediate.
IF a scenario mentions needing to restrict actions for service-linked roles, THEN recognize that SCPs have limited effectiveness—service-linked roles used by AWS services are exempt from SCP restrictions.
IF the scenario involves rapid governance enforcement across newly acquired accounts, THEN SCPs provide immediate boundaries without requiring changes to existing account-level IAM configurations.
IF the requirement involves both preventing certain actions AND allowing flexibility for account teams to manage their own permissions, THEN the architecture should combine SCPs for hard boundaries with delegated IAM administration within those boundaries.
Advanced SCP Patterns for SAP-C02 #
Region Restriction Pattern #
One of the most frequently tested SCP patterns involves restricting AWS usage to approved regions. This pattern appears in scenarios involving data sovereignty, compliance with regional regulations, or cost control. The architectural decision is whether to use an allow-list approach (explicitly permit approved regions) or a deny-list approach (explicitly block unapproved regions).
The allow-list approach is more secure but requires careful consideration of global services. Services like IAM, Route 53, CloudFront, and AWS Organizations operate globally and must be exempted from region restrictions. Failing to account for global services is a common exam trap—the scenario presents a region-restriction SCP that inadvertently breaks core AWS functionality.
Protecting Security Services Pattern #
Enterprise scenarios frequently require preventing the disabling of security services such as CloudTrail, GuardDuty, Security Hub, or AWS Config. The SCP pattern denies specific actions like StopLogging, DeleteTrail, or DisableOrganizationAdminAccount.
The exam tests whether you understand that this pattern should be applied broadly (at the root or high-level OU) and that exceptions should be handled through OU design rather than SCP conditions. A security team account might need to manage these services, which is handled by placing that account in an OU without the restrictive SCP rather than adding complex conditions to the SCP itself.
Requiring Tags Pattern #
Tag enforcement through SCPs prevents resource creation when required tags are missing. This pattern supports cost allocation, ownership tracking, and compliance requirements. However, the exam tests understanding of limitations—not all AWS services support tag-on-create, and SCP-based tag enforcement only works at creation time, not for existing resources.
The architectural insight: SCP-based tag enforcement is preventive but incomplete. A comprehensive tagging strategy combines SCPs for enforcement at creation with Config rules for detecting untagged existing resources and remediation workflows for addressing gaps.
Organizational Unit Design Principles #
Hierarchy Depth Considerations #
SAP scenarios often present OU hierarchies and ask about SCP inheritance implications. The key principle is that deeper hierarchies provide more granular control but increase complexity. Each level in the hierarchy represents an intersection point for SCPs—permissions must be allowed at every level from root to account.
A common exam pattern presents a scenario where an account needs permissions that conflict with its OU placement. The correct solution is usually OU restructuring rather than SCP modification. Moving an account to a different OU with appropriate boundaries is cleaner than creating complex conditional SCPs.
Workload-Based vs Entity-Based OUs #
The exam tests understanding of OU design philosophies. Workload-based OUs group accounts by function (production, development, sandbox), while entity-based OUs group accounts by business unit or team. The choice affects how SCPs are applied and inherited.
Workload-based OUs work well when security requirements vary by environment type. Entity-based OUs work well when different business units have different compliance requirements. Hybrid approaches are common in real enterprises and may appear in exam scenarios requiring you to identify the appropriate OU placement for a new account.
Integration with AWS Control Tower #
Guardrail Categories #
AWS Control Tower implements governance through guardrails, which are categorized as preventive (implemented via SCPs) or detective (implemented via Config rules). SAP scenarios may present Control Tower as an option and test whether you understand when managed guardrails are appropriate versus custom SCP development.
Control Tower is appropriate when standard governance patterns meet requirements and when rapid deployment of a governed multi-account environment is needed. Custom SCP development is appropriate when requirements exceed Control Tower’s built-in guardrails or when existing organizational structures cannot accommodate Control Tower’s landing zone design.
Account Factory Considerations #
Control Tower’s Account Factory provisions new accounts with baseline governance automatically applied. Exam scenarios may test understanding of how Account Factory interacts with existing SCPs and whether additional customization is needed for specific account types.
Troubleshooting SCP Issues #
Effective Policy Analysis #
When SCPs produce unexpected results, the effective policy must be analyzed by considering all SCPs from root to account. SAP scenarios may present troubleshooting situations where an action is unexpectedly denied, and you must identify which SCP in the hierarchy is responsible.
The diagnostic approach: Start at the root and trace through each OU to the account, identifying the intersection of all applicable SCPs. The most restrictive policy at any level determines the effective boundary.
Common Misconfigurations #
Exam scenarios may present SCP misconfigurations and ask you to identify the issue. Common problems include:
- Forgetting to allow necessary actions for AWS services to function
- Applying deny statements that are too broad and affect unintended services
- Misunderstanding the difference between not allowing an action and explicitly denying it
- Failing to account for SCP size limits when policies become complex
Exam Strategy Summary #
When approaching SCP-related SAP questions, apply this decision sequence:
First, identify whether the requirement is preventive or detective. SCPs are exclusively preventive—if the scenario requires detection or remediation, look for Config-based solutions.
Second, determine whether the restriction must be absolute or manageable. SCPs provide absolute restrictions that account administrators cannot override. If flexibility is needed, IAM-based solutions may be more appropriate.
Third, evaluate the scope of the requirement. SCPs affect entire accounts and all principals within them. If the requirement is principal-specific or resource-specific, other mechanisms may be more appropriate.
Fourth, consider the operational impact. Overly restrictive SCPs create friction and workarounds. The best architectural solutions balance security requirements with operational flexibility.
Finally, remember that SCPs are one component of a comprehensive governance architecture. The exam rewards candidates who understand how SCPs integrate with IAM policies, permission boundaries, Config rules, and Control Tower guardrails to create layered, defense-in-depth governance.