AWS Certified Security – Specialty (SCS-C02) — Question 200
A healthcare company has multiple AWS accounts in an organization in AWS Organizations. The company uses Amazon S3 buckets to store sensitive information of patients. The company needs to restrict users from deleting any S3 bucket across the organization.
What is the MOST scalable solution that meets these requirements?
Answer options
- A. Permissions boundaries in AWS Identity and Access Management (IAM)
- B. S3 bucket policies
- C. Tag policies
- D. SCPs
Correct answer: D
Explanation
The most scalable way to prevent users from deleting S3 buckets across every account in an AWS Organization is a Service Control Policy (SCP). An SCP is attached once, at the organization root or at an organizational unit, and then caps the permissions of every principal in the affected member accounts regardless of what IAM policies grant them. The other options are narrower in scope: IAM permissions boundaries must be attached to each IAM user or role in each account, S3 bucket policies must be written on each bucket, and tag policies only standardize tag keys and values and do not restrict API actions at all, so none of them gives the same organization-wide control.
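The policy below is an added example, not part of the original question or its explanation: an SCP that denies the s3:DeleteBucket action for every principal in the accounts it is attached to. The statement ID "DenyS3BucketDeletion" is an arbitrary name chosen for this example; "s3:DeleteBucket" is the real IAM action for deleting a bucket.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3BucketDeletion",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucket"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach the policy to the organization root (or to the OUs holding the relevant accounts) with the AWS Organizations console or the `aws organizations create-policy` and `aws organizations attach-policy` CLI commands. Two properties are worth checking before relying on it: an explicit Deny in an SCP cannot be overridden by any identity-based or resource-based policy inside a member account, including by the account's root user, but SCPs do not apply to the organization's management account, so buckets there are not protected by this policy. If an operational break-glass role must keep the ability to delete buckets, add a Condition using the aws:PrincipalArn key (for example with StringNotLike) rather than loosening the Deny itself, and verify the effect with CloudTrail, where blocked attempts appear as AccessDenied errors on DeleteBucket.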