Reply To: If SCPs already deny, is an explicit IAM role in each account required to deny?
I also think this question shows the wrong answers. You don’t need both SCP and IAM to enforce tagging. On the other hand, you do need an AWS Config aggregator and also the rules in each account to effectively control compliance. In other words, the correct answers should be SCP + Config rules in each account + Config aggregator.
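An added example, not part of the reply above: a simplified Python model of AWS policy evaluation showing why a tag-enforcing Deny in an SCP blocks the request even when the account's IAM role has no tag statement of its own. The action `ec2:RunInstances`, the tag key `CostCenter`, and the policy contents are constructed for illustration, and the evaluator handles only the `Null` condition on `aws:RequestTag/...` keys.

```python
import fnmatch

# Constructed sample SCP attached at the organization root or OU (assumption).
SCP = [
    {"Effect": "Allow", "Action": "*"},
    {"Effect": "Deny", "Action": "ec2:RunInstances",
     "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}}},
]

# Constructed sample role policy in a member account: no tag-related Deny at all.
IAM_ROLE_POLICY = [{"Effect": "Allow", "Action": "ec2:*"}]


def _matches(stmt, action, request_tags):
    """True if the statement applies to this action and request tags."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
        return False
    # Only the Null operator on aws:RequestTag/<key> is modelled here.
    for key, want_null in stmt.get("Condition", {}).get("Null", {}).items():
        tag_key = key.split("/", 1)[1]
        is_null = tag_key not in request_tags
        if is_null != (want_null == "true"):
            return False
    return True


def _effects(policy, action, request_tags):
    return {s["Effect"] for s in policy if _matches(s, action, request_tags)}


def evaluate(action, request_tags, scp=SCP, identity=IAM_ROLE_POLICY):
    """Explicit Deny anywhere wins; otherwise SCP and identity policy must both Allow."""
    scp_eff = _effects(scp, action, request_tags)
    iam_eff = _effects(identity, action, request_tags)
    if "Deny" in scp_eff | iam_eff:
        return "ExplicitDeny"
    if "Allow" in scp_eff and "Allow" in iam_eff:
        return "Allow"
    return "ImplicitDeny"


if __name__ == "__main__":
    print(evaluate("ec2:RunInstances", {}))                      # untagged launch
    print(evaluate("ec2:RunInstances", {"CostCenter": "1234"}))  # tagged launch
```

The SCP is preventive only: it says nothing about resources that already exist without the tag, which is the gap that per-account Config rules and an aggregator report on.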