AWS Certified Security – Specialty (SCS-C02) — Question 126
A company has many member accounts in an organization in AWS Organizations. The company is concerned about the potential for misuse of the AWS account root user credentials for member accounts in the organization. To address this potential misuse, the company wants to ensure that even if the account root user credentials are compromised, the account is still protected.
Which solution will meet this requirement?
Answer options
- A. Block service access by using SCPs for the root user
- B. Remove the password for the root user
- C. Delete access keys for the root user
- D. Create an Amazon EventBridge rule to detect any AWS account root user API events
Correct answer: A
Explanation
The correct answer is A: using service control policies (SCPs) to block service access for the root user effectively prevents any actions from being taken, even if the root credentials are compromised. Options B and C do not provide sufficient protection, because removing the password or the access keys alone does not prevent other forms of access. Option D is useful for monitoring but does not prevent misuse of the credentials.