
Multi-Account Governance — AWS Data Engineer (DEA-C01)

2% of exam questions (4 of 200)

Policy enforcement scope separates these four governance tools

Architecture requirement: prevent production data from leaving approved regions, enforced consistently across 40 AWS accounts. Competing choices: SCPs via AWS Organizations, guardrails via Control Tower, Config rules with aggregator, permission boundaries via IAM. The deciding constraint is enforcement versus detection. SCPs deny at the API level before actions occur; Config detects drift after the fact; Control Tower extends Organizations with opinionated landing zone defaults. The scenario word 'prevent' versus 'detect' is the selection signal.

What This Pattern Tests

The exam describes a multi-account environment and tests governance controls. AWS Organizations groups accounts into OUs. SCPs on OUs set maximum permission boundaries — they deny, never grant. CloudTrail organization trails aggregate audit logs. AWS Config aggregator collects compliance data across accounts. RAM (Resource Access Manager) shares resources across accounts without duplication. The trap is using SCPs to grant permissions (they only restrict) or creating cross-account IAM users instead of cross-account roles (roles use temporary credentials).

Decision Axis

Governance scope determines the tool: organization-wide restriction = SCP, account-specific permission = IAM, cross-account sharing = RAM/roles, compliance visibility = Config aggregator.
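As an added example (not code from the page or from AWS), the Python block below models the region guardrail the scenario calls for as an SCP and runs a simplified policy evaluator over it, showing that an explicit Deny blocks calls outside the approved regions while an SCP Allow still grants nothing without a matching IAM Allow. The approved-region list, the exempted global services and the evaluator are assumptions; aws:RequestedRegion is the real condition key.

```python
APPROVED_REGIONS = ["eu-west-1", "eu-central-1"]  # constructed sample values

# Region-restriction SCP. NotAction exempts global services whose API
# endpoints resolve to us-east-1 and would otherwise be blocked.
REGION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "organizations:*", "sts:*", "cloudfront:*",
                          "route53:*", "support:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """Match 'service:Name' or 'service:*' or '*' against an action string."""
    if pattern == "*":
        return True
    svc, _, name = pattern.partition(":")
    a_svc, _, a_name = action.partition(":")
    return svc == a_svc and name in ("*", a_name)


def scp_allows(scp, action, region):
    """True if the SCP does not block the call. Explicit Deny wins over Allow."""
    allowed = False
    for stmt in scp["Statement"]:
        if "Action" in stmt:
            applies = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        else:  # NotAction: statement applies to everything except the listed actions
            applies = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if "aws:RequestedRegion" in cond and region in cond["aws:RequestedRegion"]:
            applies = False  # StringNotEquals: approved regions fall outside the Deny
        if not applies:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def effective_permission(scp, iam_allows, action, region):
    """SCPs only restrict: the principal still needs an IAM Allow to act."""
    return scp_allows(scp, action, region) and iam_allows
```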

Associated Traps


Decision Rules

Whether the scenario requires detection-only (Macie classifies PII) or access-control enforcement (Lake Formation column-level permissions) — or both — to satisfy a cross-account least-privilege constraint on PII column visibility.

Services: AWS Lake Formation, Amazon Macie, Amazon S3

Domain Coverage

Data Security and Governance

Difficulty Breakdown

Medium: 4