Multi-Account Governance — AWS Solutions Architect (SAA-C03)
Organizations enforce policy; Control Tower builds guardrails
The scenario describes enforcing a security baseline or restricting services across dozens of accounts. Candidates reach for IAM because they understand its permissions model. The exam is testing org-level controls: SCPs via AWS Organizations apply non-overridable permission guardrails; Control Tower automates landing zone setup and governance at scale across OUs. IAM cannot restrict an account's administrator or prevent service enablement at the account boundary. When scope is the account itself, the answer lives in Organizations or Control Tower.
What This Pattern Tests
The exam describes a multi-account environment and tests governance controls. AWS Organizations groups accounts into OUs. SCPs on OUs set maximum permission boundaries — they deny, never grant. CloudTrail organization trails aggregate audit logs. AWS Config aggregator collects compliance data across accounts. RAM (Resource Access Manager) shares resources across accounts without duplication. The trap is using SCPs to grant permissions (they only restrict) or creating cross-account IAM users instead of cross-account roles (roles use temporary credentials).
Decision Axis
Governance scope determines the tool: organization-wide restriction = SCP, account-specific permission = IAM, cross-account sharing = RAM/roles, compliance visibility = Config aggregator.
Associated Traps
Decision Rules
Decide between enforcing an organization-level preventive SCP via AWS Organizations that blocks public-access actions on S3 across all member accounts, and deploying Amazon Macie per account to detect and alert on PII exposure, a detective approach that requires per-account provisioning and can be disabled by member account admins.
Select preventive org-level guardrail (SCP via AWS Organizations) over detective or aggregation controls (Macie, Security Hub) when the stated requirement explicitly demands member accounts cannot override or disable the enforcement mechanism.
Decide between applying a minimum-sufficient org-level preventive guardrail (SCP plus S3 Block Public Access at the organization level) and deploying per-account detective controls such as Amazon Macie that exceed the stated requirement, add per-account scan costs, and cannot guarantee prevention.
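As an added illustration (not part of the original notes or of any AWS code), a small Python model of the evaluation the rules above rely on: a constructed SCP that denies the S3 Block Public Access write actions, layered under a member-account administrator's IAM policy. The policy documents and the simplified action matching are assumptions of this example.

```python
"""Constructed example (not AWS code): how an SCP Deny combines with an IAM Allow
for a member account. SCPs do not apply to the management account; resource
ARNs and condition keys are ignored to keep the model small."""
import fnmatch
import json
from typing import Optional

# Constructed SCP: member accounts cannot weaken S3 Block Public Access.
# These two actions also gate the corresponding Delete*PublicAccessBlock calls.
DENY_S3_PUBLIC_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyWeakeningS3BlockPublicAccess",
    "Effect": "Deny",
    "Action": ["s3:PutAccountPublicAccessBlock", "s3:PutBucketPublicAccessBlock"],
    "Resource": "*"
  }]
}""")

# Default SCP that Organizations attaches to every root, OU and account.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Identity policy of a member-account administrator.
ADMIN_IAM = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _matches(action: str, statement: dict) -> bool:
    patterns = statement["Action"]
    patterns = [patterns] if isinstance(patterns, str) else patterns
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _effect(policy: dict, action: str) -> Optional[str]:
    """Explicit Deny wins; else Allow if an Allow statement matches; else None."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(action, s)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None

def scp_permits(action: str, scps: list) -> bool:
    """One OU level: allowed by some attached SCP and denied by none.
    The same check repeats at every level from the root down to the account."""
    effects = [_effect(p, action) for p in scps]
    return "Deny" not in effects and "Allow" in effects

def action_allowed(action: str, iam_policy: dict, scps: list) -> bool:
    """Effective permission = SCP guardrail passes AND identity policy allows.
    An SCP Allow on its own grants nothing, which is the exam trap."""
    return scp_permits(action, scps) and _effect(iam_policy, action) == "Allow"
```

Even with full administrator rights in IAM, the member admin cannot turn Block Public Access off, while unrelated S3 calls still succeed; a read-only identity gains nothing from the permissive SCP.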
Domain Coverage
Difficulty Breakdown