AWS Certified Security – Specialty — Question 143
A company has multiple AWS accounts that are part of AWS Organizations. The company's Security team wants to ensure that even those Administrators with full access to the company's AWS accounts are unable to access the company's Amazon S3 buckets.
How should this be accomplished?
Answer options
- A. Use SCPs.
- B. Add a permissions boundary to deny access to Amazon S3 and attach it to all roles.
- C. Use an S3 bucket policy.
- D. Create a VPC endpoint for Amazon S3 and deny statements for access to Amazon S3.
Correct answer: A
Explanation
The correct answer is A: Service Control Policies (SCPs) set permission guardrails across every account in an AWS Organizations organization, so they can prevent even administrators with full access from using Amazon S3. Options B and C could restrict access, but neither can override the full access of administrators in all accounts. Option D does not address account-level access control.
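The following is an added example, not part of the exam page or any AWS-provided code. It models, in plain Python, how the IAM evaluation chain combines an SCP with a principal's identity policy and (for option B) a permissions boundary, using constructed policy documents. The model is deliberately simplified: it ignores resource ARNs and condition keys and treats the SCP set as a single evaluation level. Two points it makes concrete: a deny-only SCP such as the one below only bounds what the account's own IAM policies grant (so it still needs the organization's default FullAWSAccess SCP beside it), and SCPs apply only to member accounts, never to the management account, which is why the model lets the caller pass an empty SCP set for that case.

```python
import fnmatch

# Constructed example SCP: deny every S3 action for every principal in the
# member accounts it is attached to. SCPs never grant permissions on their own.
SCP_DENY_S3 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}],
}

# The default SCP AWS Organizations attaches at the root (allows everything).
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed example identity policy equivalent to AdministratorAccess.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed example permissions boundary (option B): a boundary must allow
# actions explicitly, so it allows everything and then carves out S3.
BOUNDARY_NO_S3 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*"},
    ],
}


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' wildcards."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def evaluate_policy(policy, action):
    """Return 'deny', 'allow' or 'none' for one policy document.
    An explicit deny always wins over an allow in the same document."""
    result = "none"
    for stmt in policy.get("Statement", []):
        if _matches(stmt["Action"], action):
            if stmt["Effect"] == "Deny":
                return "deny"
            result = "allow"
    return result


def combine(policies, action):
    """Combine several documents at one evaluation level:
    any explicit deny -> 'deny'; otherwise any allow -> 'allow'; else 'none'."""
    results = [evaluate_policy(p, action) for p in policies]
    if "deny" in results:
        return "deny"
    if "allow" in results:
        return "allow"
    return "none"


def is_allowed(action, identity_policies, scps=(), boundary=None):
    """Simplified IAM decision for a principal.

    scps:      SCPs in effect for the account. An empty set models the
               management account, to which SCPs do not apply.
    boundary:  an optional permissions boundary attached to this principal.
    The request is allowed only if every level allows it; an explicit deny
    at any level denies it (resources and conditions are ignored here)."""
    if scps and combine(scps, action) != "allow":
        return False
    if boundary is not None and evaluate_policy(boundary, action) != "allow":
        return False
    return combine(identity_policies, action) == "allow"


def member_admin_s3_without_scp():
    return is_allowed("s3:GetObject", [ADMIN_POLICY], scps=[FULL_AWS_ACCESS])


def member_admin_s3_with_scp():
    return is_allowed("s3:GetObject", [ADMIN_POLICY],
                      scps=[FULL_AWS_ACCESS, SCP_DENY_S3])


def member_admin_ec2_with_scp():
    # The SCP only carves out S3; everything else the admin could do still works.
    return is_allowed("ec2:RunInstances", [ADMIN_POLICY],
                      scps=[FULL_AWS_ACCESS, SCP_DENY_S3])


def management_admin_s3_with_scp():
    # SCPs never apply to the management account, so the same SCP has no effect there.
    return is_allowed("s3:GetObject", [ADMIN_POLICY], scps=())


def boundary_admin_s3(attached):
    # Option B only binds principals the boundary is actually attached to.
    return is_allowed("s3:GetObject", [ADMIN_POLICY], scps=[FULL_AWS_ACCESS],
                      boundary=BOUNDARY_NO_S3 if attached else None)


if __name__ == "__main__":
    print("member admin, no SCP      :", member_admin_s3_without_scp())
    print("member admin, SCP deny S3 :", member_admin_s3_with_scp())
    print("member admin, EC2 with SCP:", member_admin_ec2_with_scp())
    print("management admin, SCP     :", management_admin_s3_with_scp())
    print("boundary attached / not   :", boundary_admin_s3(True), boundary_admin_s3(False))
```

The boundary case shows why option B is weaker than the SCP: the deny holds only while the boundary is attached, and an administrator with full access can create or use a principal that carries no boundary, whereas the SCP applies to every principal in the member account regardless of what IAM policies it holds.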