AWS Certified Security – Specialty — Question 465

A company has many member accounts in an organization in AWS Organizations. The company is concerned about the potential for misuse of the AWS account root user credentials for member accounts in the organization. To address this potential misuse, the company wants to ensure that even if the account root user credentials are compromised, the account is still protected.

Which solution will meet this requirement?

Answer options

• A. Block service access by using SCPs for the root user.
• B. Remove the password for the root user.
• C. Delete access keys for the root user.
• D. Create an Amazon CloudWatch Events rule to detect any AWS account root user API events.

Correct answer: A

Explanation

Service Control Policies (SCPs) in AWS Organizations can restrict permissions for all users in member accounts, including the root user, which ensures that even compromised root credentials cannot perform restricted actions. While deleting access keys or removing passwords are good security practices, they do not prevent a compromised root account from being accessed if credentials are leaked, nor do they provide centralized policy enforcement. Monitoring with Amazon CloudWatch Events only detects unauthorized activity after it occurs rather than actively blocking the access.