SCS-C03 Exam Cram: Centralized Account Deployment and Management
Develop a strategy to centrally deploy and manage AWS accounts
This guide covers Domain 6: Security Foundations and Governance, specifically focusing on the strategy to centrally deploy and manage AWS accounts using AWS Organizations and AWS Control Tower.
Topic Weighting
| Domain | Percentage of Exam | Relevance to this Sheet |
|---|---|---|
| Domain 6: Security Foundations and Governance | 14% | High (Covers Task 6.1 and 6.2) |
> [!IMPORTANT]
> Expect approximately 8-10 questions on the exam to touch on Organizations, SCPs, and Control Tower integration.
Key Concepts Summary
AWS Organizations
- Organizational Units (OUs): Logical groupings for accounts. Policies (SCPs) attached to an OU apply to all child OUs and accounts.
- Service Control Policies (SCPs): JSON policies that specify the maximum permissions for an organization or OU. They act as filters and do not grant permissions.
- Delegated Administrator: Allows a designated member account to manage AWS services (e.g., GuardDuty, Macie) across the organization, adhering to the principle of least privilege for the Management account.
AWS Control Tower
- Landing Zone: A well-architected, multi-account environment based on best practices.
- Guardrails (Controls): High-level rules for ongoing governance. Categorized as Preventive (implemented via SCPs) or Detective (implemented via AWS Config rules).
- Account Factory: A standardized "vending machine" for provisioning new accounts with pre-approved configurations.
Root User Management
- Break-glass Procedures: Secured, documented process for emergency access to the management account root user.
- MFA: Mandatory for all root users. Root credentials for member accounts should be centralized or inaccessible for daily tasks.
Common Pitfalls
- Production in Management Account: Never run production workloads in the management account. Use it only for billing and organization-wide management.
- SCP Misconception: Believing an SCP grants access. Remember: Identity-based policy + SCP = Effective Permission. An action must be allowed by both; if either denies it, access is denied.
- Root Credential Exposure: Creating Access Keys for the root user. Don't. Use IAM roles for daily administration.
- Ignoring Inherited Deny: An explicit `Deny` at a parent OU level cannot be overridden by an `Allow` at a child OU/account level.
Mnemonics / Memory Triggers
- C.O.R.E. (Control Tower Components):
- Controls (Guardrails)
- Organizational Units
- Resources (Account Factory)
- Environment (Landing Zone)
- S.C.P. Filter: Think of an SCP as a Sieve for Command Permissions. It filters what goes through but doesn't provide the water (permissions).
Formula / Equation Sheet
Permission Evaluation Logic
| Policy Type | Purpose | Affects Root? |
|---|---|---|
| SCP | Sets permission ceiling for account | Yes (except for management account) |
| IAM Policy | Grants specific permissions | No |
| Resource Policy | Grants cross-account access | No |
Practice Set
- Scenario: You need to prevent all accounts in the `Dev` OU from deleting CloudTrail logs. What is the most efficient solution?
- Answer: Apply an SCP with a `Deny` effect on `cloudtrail:DeleteTrail` to the `Dev` OU.
- Scenario: A Security Engineer needs to manage GuardDuty for the entire organization without using the Management account. What should you do?
- Answer: Designate a Security member account as the Delegated Administrator for GuardDuty.
- Scenario: Which Control Tower component automates the creation of new accounts with a default VPC and IAM roles?
- Answer: Account Factory.
- Scenario: Can an SCP attached to a member account limit the actions of the Root user in that account?
- Answer: Yes. SCPs are one of the few things that can restrict the Root user of a member account.
- Scenario: You want to detect (not prevent) whenever an S3 bucket is created without encryption. What Control Tower tool should you use?
- Answer: A Detective Guardrail (AWS Config rule).
Worked Examples
Example 1: Restricting Regions via SCP
Goal: Ensure accounts in a specific OU can only operate in us-east-1.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideUSEast1",
      "Effect": "Deny",
      "NotAction": "iam:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1"]
        }
      }
    }
  ]
}
```
- Explanation: The `NotAction` for IAM is critical because IAM is a global service. Without it, you might lock yourself out of IAM management from that region.
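The following is an added example, not part of the original cram sheet and not AWS code: a simplified model of the permission evaluation logic described under "Permission Evaluation Logic" and "Common Pitfalls", run against the region SCP from Example 1 and the `Dev` OU CloudTrail SCP from the Practice Set. It assumes the constructed policy documents below, models only `Action`/`NotAction` and the `StringNotEquals` condition (no `Resource` matching, permission boundaries or resource policies), and treats each level on the root -> OU -> account path as a list of attached SCPs that must all combine to an Allow.

```python
import fnmatch

# Constructed policy documents; the region SCP is the one from Example 1 of this sheet.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
REGION_SCP = {"Statement": [{
    "Sid": "DenyAllOutsideUSEast1", "Effect": "Deny", "NotAction": "iam:*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1"]}}}]}
DEV_OU_SCP = {"Statement": [{"Effect": "Deny", "Action": "cloudtrail:DeleteTrail", "Resource": "*"}]}
ADMIN_IDENTITY_POLICY = FULL_AWS_ACCESS   # caller with an AdministratorAccess-style identity policy
EMPTY_IDENTITY_POLICY = {"Statement": []}  # caller with no identity-based permissions at all

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _action_matches(stmt, action):
    # Action lists what the statement covers; NotAction covers everything except the listed patterns
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    return not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))

def _condition_holds(stmt, ctx):
    # Only StringNotEquals is modelled, which is all the sheet's region SCP uses
    for key, values in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if ctx.get(key) in _as_list(values):
            return False
    return True

def evaluate(policies, action, ctx):
    """Combine the documents attached at one level: explicit Deny wins, then Allow, else implicit deny."""
    outcome = "ImplicitDeny"
    for stmt in (s for doc in policies for s in doc["Statement"]):
        if _action_matches(stmt, action) and _condition_holds(stmt, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            outcome = "Allow"
    return outcome

def effective_permission(scp_levels, identity_policy, action, ctx):
    """Identity-based policy + SCP = effective permission. scp_levels holds the SCPs attached at
    each level on the path root -> OU -> account; every level must Allow, so a Deny inherited
    from a parent OU cannot be overridden further down the tree, and an SCP alone never grants."""
    if any(evaluate(level, action, ctx) != "Allow" for level in scp_levels):
        return False
    return evaluate([identity_policy], action, ctx) == "Allow"

if __name__ == "__main__":
    dev_path = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DEV_OU_SCP], [FULL_AWS_ACCESS]]
    ctx = {"aws:RequestedRegion": "us-east-1"}
    print(effective_permission(dev_path, ADMIN_IDENTITY_POLICY, "cloudtrail:DeleteTrail", ctx))
```

Detaching `FULL_AWS_ACCESS` from a level leaves only the Deny statement there, and `evaluate` then returns an implicit deny for everything, which is the "SCPs do not grant permissions" pitfall made concrete.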
Example 2: Landing Zone Architecture
```latex
\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, fill=white, minimum width=3cm, minimum height=1cm, align=center}]
  \node (root) [fill=orange!20] {Management Account\\(Billing/Org Management)};
  \node (secou) [below left of=root, xshift=-1cm] {Security OU};
  \node (sandbox) [below right of=root, xshift=1cm] {Sandbox OU};
  \node (audit) [below of=secou, yshift=0.5cm] {Audit Account\\(ReadOnly Access)};
  \node (logs) [below of=audit, yshift=0.5cm] {Log Archive\\(Centralized S3)};
  \draw[->, thick] (root) -- (secou);
  \draw[->, thick] (root) -- (sandbox);
  \draw[->] (secou) -- (audit);
  \draw[->] (audit) -- (logs);
  \node[draw=none, fill=none, right of=logs, xshift=2cm] (note) {\small \textit{Control Tower}\\ \small \textit{Orchestrated Environment}};
\end{tikzpicture}
```
Fact Recall Blanks
- AWS ________ ________ provides a "vending machine" for automated account provisioning.
- The standard multi-account framework created by AWS Control Tower is called a ________ ________.
- SCPs are attached to the ________, ________, or individual accounts.
- Control Tower ________ guardrails are implemented using AWS Config.
- To manage security services from a member account, you must configure a ________ ________ account.
Answers: 1. Account Factory, 2. Landing Zone, 3. Root (Org Root), OUs, 4. Detective, 5. Delegated Administrator