Study SAP-C02 Security Controls: key concepts, common traps, and exam decision cues.
Organizational security questions in SAP-C02 usually test whether you can keep four things apart: who can act (the identity), what that identity can use (the permission, and the guardrail that caps it), which account owns the control, and where events are aggregated. Collapse those into one answer and you usually miss the boundary the question is really about.

| Need | Strongest first fit | Why |
|---|---|---|
| workforce access across many accounts | IAM Identity Center | one central human access model, federated and short-lived |
| workload access across accounts | cross-account IAM role with a trust policy | short-lived STS credentials instead of stored secrets |
| org-wide restriction | SCP | guardrail that caps maximum permissions; it never grants |
| cross-account encryption and key use | KMS key policy, then IAM policies or grants | the key policy is the primary control; IAM applies only where the key policy delegates to the account |
| centralized security events and audit | organization CloudTrail trail, Security Hub and GuardDuty aggregated in a delegated administrator account | cross-account visibility and response from one place |
| certificates for TLS | ACM | managed certificate issuance and renewal |


| Pair | Better rule |
|---|---|
| SCP vs IAM policy | SCP restricts; IAM grants within the boundary the SCP leaves |
| IAM allow vs KMS access | an IAM allow works only if the key policy delegates to that account; otherwise the key policy alone decides use and admin actions |
| human access vs workload access | humans should usually federate through IAM Identity Center; workloads should usually assume roles |
| centralized audit vs local logging only | enterprise questions usually want one central audit and event model |


| Trap | Better rule |
|---|---|
| assuming IAM allow is enough for cross-account KMS use | the key policy must allow the caller's account or principal first; IAM alone never opens a key |
| using long-lived IAM users for workforce access | IAM Identity Center is the cleaner org-scale answer |
| treating SCPs like permission grants | SCPs never grant; they cap what IAM can grant, and they do not apply to the management account |
| leaving security findings inside each workload account | enterprise patterns usually centralize visibility and response |

Multi-account security questions usually reward choosing the right control plane. If the requirement is organization-wide guardrails, think SCP. If the requirement is central human access across accounts, think IAM Identity Center. If the requirement is cross-account key usage, remember the KMS key policy still matters. SAP-C02 often mixes these layers together to see whether you can separate org governance from account-level access.
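The pair rules and traps above (SCP vs IAM, IAM allow vs KMS key policy, cross-account key use) are easier to keep straight with a model you can run. What follows is an added example, not part of this study page and not AWS's own evaluation code: a deliberately simplified Python model of the evaluation order (explicit deny, SCP cap, identity policy, then resource or key policy). Every account ID, ARN, role name and policy document in it is a constructed placeholder, and conditions, NotAction, permission boundaries and session policies are left out, so treat it as a mental model rather than the authoritative AWS logic.

```python
# Added example, not from the study page: a simplified model of AWS policy
# evaluation covering the layers SAP-C02 mixes together. Conditions, NotAction,
# permission boundaries and session policies are omitted. Every account ID,
# ARN and policy document below is a constructed placeholder.
from fnmatch import fnmatchcase

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _account_of(arn):
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""

def _principal_match(statement, caller_arn):
    """'direct' if the statement names the caller or '*', 'root' if it names the caller's account root, else None."""
    principal = statement.get("Principal")
    if principal == "*":
        return "direct"
    if not isinstance(principal, dict):
        return None
    names = _as_list(principal.get("AWS", []))
    if "*" in names or caller_arn in names:
        return "direct"
    if f"arn:aws:iam::{_account_of(caller_arn)}:root" in names:
        return "root"
    return None

def _evaluate(policy, action, resource, caller_arn=None):
    """One policy document -> ('Deny', how), ('Allow', how) or (None, None)."""
    verdict = (None, None)
    for st in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", "*"))):
            continue
        how = "direct"
        if "Principal" in st:  # resource-based policy: statement must cover the caller
            how = _principal_match(st, caller_arn)
            if how is None:
                continue
        if st["Effect"] == "Deny":
            return ("Deny", how)
        verdict = ("Allow", how)  # keep scanning, a later Deny still wins
    return verdict

def is_allowed(caller_arn, action, resource, scps, identity_policies,
               resource_policy=None, is_kms_key_policy=False, management_account=False):
    if management_account:  # the management account is not subject to SCPs
        scps = []
    layers = list(scps) + list(identity_policies) + ([resource_policy] if resource_policy else [])
    # 1. An explicit Deny in any layer ends the evaluation.
    if any(_evaluate(p, action, resource, caller_arn)[0] == "Deny" for p in layers):
        return False
    # 2. SCPs cap member-account principals; they never grant anything.
    if not management_account and not any(_evaluate(p, action, resource)[0] == "Allow" for p in scps):
        return False
    # 3. Identity policies grant within that cap.
    identity_allow = any(_evaluate(p, action, resource)[0] == "Allow" for p in identity_policies)
    if resource_policy is None:
        return identity_allow
    # 4. Resource policy: a same-account direct grant is enough by itself, a
    #    root-principal grant delegates to IAM, cross-account needs both sides.
    _, how = _evaluate(resource_policy, action, resource, caller_arn)
    cross_account = _account_of(resource) not in ("", _account_of(caller_arn))
    if how == "direct" and not cross_account:
        return True
    if how is None:  # nothing in the resource policy covers this caller
        # A KMS key policy always gates key use and cross-account access always
        # needs the resource side; other same-account resources fall back to IAM.
        return identity_allow and not cross_account and not is_kms_key_policy
    return identity_allow

# Constructed sample policies and principals.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
TRAIL_GUARDRAIL = {"Statement": [{"Effect": "Deny", "Resource": "*",
                                  "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}]}
APP_ROLE = "arn:aws:iam::111111111111:role/app"  # workload role in member account 1111...
KEY_ARN = "arn:aws:kms:us-east-1:222222222222:key/00000000-0000-0000-0000-000000000000"
APP_IAM = {"Statement": [{"Effect": "Allow", "Action": ["kms:Decrypt", "cloudtrail:*"], "Resource": "*"}]}
KEY_POLICY_OWNER_ONLY = {"Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*",
                                        "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}]}
KEY_POLICY_SHARED = {"Statement": KEY_POLICY_OWNER_ONLY["Statement"] + [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]}

def run_scenarios():
    """One entry per exam trap; the value is the access decision."""
    scps = [FULL_AWS_ACCESS, TRAIL_GUARDRAIL]
    kms = dict(is_kms_key_policy=True)
    return {
        "kms_iam_only": is_allowed(APP_ROLE, "kms:Decrypt", KEY_ARN, scps, [APP_IAM], KEY_POLICY_OWNER_ONLY, **kms),
        "kms_key_policy_and_iam": is_allowed(APP_ROLE, "kms:Decrypt", KEY_ARN, scps, [APP_IAM], KEY_POLICY_SHARED, **kms),
        "kms_key_policy_no_iam": is_allowed(APP_ROLE, "kms:Decrypt", KEY_ARN, scps, [], KEY_POLICY_SHARED, **kms),
        "scp_blocks_stop_logging": is_allowed(APP_ROLE, "cloudtrail:StopLogging", "*", scps, [APP_IAM]),
        "mgmt_account_stop_logging": is_allowed("arn:aws:iam::999999999999:role/admin", "cloudtrail:StopLogging",
                                                "*", scps, [APP_IAM], management_account=True),
        "scp_is_not_a_grant": is_allowed(APP_ROLE, "cloudtrail:DescribeTrails", "*", scps, []),
    }
```

Calling `run_scenarios()` walks the traps in order: `kms_iam_only` is False because the owner-only key policy never covers account 1111..., however generous the role's IAM policy is; `kms_key_policy_and_iam` is True only once the key policy delegates to that account's root and the role's own IAM policy also allows `kms:Decrypt`, and `kms_key_policy_no_iam` shows the delegation alone is not enough. `scp_blocks_stop_logging` is False even though the identity policy allows `cloudtrail:*`, `mgmt_account_stop_logging` is True because the management account is exempt from SCPs (one reason to keep workloads out of it), and `scp_is_not_a_grant` is False because the FullAWSAccess SCP grants nothing without an identity policy.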