AWS Certified Security – Specialty — Question 345

A healthcare company has multiple AWS accounts in an organization in AWS Organizations. The company uses Amazon S3 buckets to store sensitive information of patients. The company needs to restrict users from deleting any S3 bucket across the organization.

What is the MOST scalable solution that meets these requirements?

Answer options

Correct answer: D

Explanation

Service control policies (SCPs) offer the most scalable way to enforce organization-wide restrictions because they can be applied centrally to prevent actions like s3:DeleteBucket across all accounts. While S3 bucket policies and IAM permissions boundaries can restrict deletions, they require configuration on individual buckets or IAM entities, which does not scale well across multiple accounts. Tag policies are designed to enforce tagging compliance and cannot be used to block bucket deletion operations.
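As an added illustration (not part of the original question or its official explanation), the following is a minimal service control policy that enforces the restriction described above. It assumes the policy is created in the management account and attached to the organization root so that it applies to every member account; the statement ID is a constructed name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3BucketDeletionOrgWide",
      "Effect": "Deny",
      "Action": "s3:DeleteBucket",
      "Resource": "*"
    }
  ]
}
```

Because an SCP is a permission boundary for the whole account, this explicit Deny overrides any Allow granted by IAM policies, permissions boundaries or S3 bucket policies in a member account, including for that account's root user, so no per-bucket or per-principal configuration is needed. Two caveats a practitioner should keep in mind: SCPs never apply to the management account itself, so buckets there are not protected by this policy, and the default FullAWSAccess SCP must remain attached (or be replaced by an equivalent Allow policy) so that the Deny above is the only thing being removed from the accounts' permissions.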