AWS · SCS-C03

Multi-Account Governance — AWS Security Specialty (SCS-C03)

4% of exam questions (8 of 193)

Policy Enforcement Scope Decides the Correct Service

AWS Organizations SCPs deny actions at the account boundary — they cannot grant permissions. Control Tower adds landing zone automation and guardrails on top of Organizations. IAM Identity Center handles federated identity across accounts. AWS Config with aggregators provides cross-account compliance visibility. The SCS-C03 exam tests whether you can match the governance requirement to the correct enforcement layer. An SCP prevents an account from disabling GuardDuty (preventive control). A Config rule detects when it has already been disabled (detective control). Those are different controls solving different problems.

What This Pattern Tests

The exam describes a multi-account environment and tests governance controls. AWS Organizations groups accounts into OUs. SCPs on OUs set maximum permission boundaries — they deny, never grant. CloudTrail organization trails aggregate audit logs from every member account. An AWS Config aggregator collects compliance data across accounts. RAM (Resource Access Manager) shares resources across accounts without duplicating them. The trap is using SCPs to grant permissions (they only restrict) or creating cross-account IAM users instead of cross-account roles (roles use temporary credentials; IAM users carry long-lived keys).

Decision Axis

Governance scope determines the tool: organization-wide restriction = SCP, account-specific permission = IAM, cross-account sharing = RAM/roles, compliance visibility = Config aggregator.
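As an added example (not from the original page), this is the kind of SCP the "prevents an account from disabling GuardDuty" sentence refers to, attached to an OU; the exempted role name `SecurityToolingAdmin` is an assumed placeholder, and the `guardduty:*` actions listed are the real API actions that delete, disable, or detach a detector from the delegated administrator.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDisablingGuardDuty",
      "Effect": "Deny",
      "Action": [
        "guardduty:DeleteDetector",
        "guardduty:UpdateDetector",
        "guardduty:DisassociateFromAdministratorAccount",
        "guardduty:DisassociateFromMasterAccount",
        "guardduty:DeleteMembers",
        "guardduty:DisassociateMembers",
        "guardduty:StopMonitoringMembers"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/SecurityToolingAdmin"
        }
      }
    }
  ]
}
```

Denying `guardduty:UpdateDetector` also blocks detector tuning (for example finding-publishing frequency) for every non-exempt principal, and an SCP never applies to the management account, so the detective side still needs an organization Config rule such as the managed `guardduty-enabled-centralized` rule to surface drift.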

Associated Traps

Decision Rules

Whether the organizational compliance monitoring requirement — detecting configuration drift against a named framework across all accounts — is satisfied by a threat-detection service (GuardDuty) or by a configuration-compliance aggregation service (AWS Config feeding Security Hub standards with a delegated administrator).

AWS Security Hub · Amazon GuardDuty · AWS Config

Whether AWS Config organizational rules feeding Security Hub's PCI-DSS standard (configuration-compliance monitoring) or Amazon GuardDuty (threat detection) satisfies the requirement to alert on configuration deviations against a named compliance framework across all member accounts.

AWS Security Hub · AWS Config · Amazon GuardDuty

Domain Coverage

Detection

Difficulty Breakdown

Medium: 4 · Hard: 4