AWS Certified Solutions Architect – Associate (SAA-C03) — Question 469

A 4-year-old media company is using the AWS Organizations all features feature set to organize its AWS accounts. According to the company's finance team, the billing information on the member accounts must not be accessible to anyone, including the root user of the member accounts.

Which solution will meet these requirements?

Answer options

• A. Add all finance team users to an IAM group. Attach an AWS managed policy named Billing to the group.
• B. Attach an identity-based policy to deny access to the billing information to all users, including the root user.
• C. Create a service control policy (SCP) to deny access to the billing information. Attach the SCP to the root organizational unit (OU).
• D. Convert from the Organizations all features feature set to the Organizations consolidated billing feature set.

Correct answer: C

Explanation

Service Control Policies (SCPs) are the only policy type in AWS that can restrict permissions for the root user of a member account in an organization. By applying an SCP with a Deny effect on billing actions at the root OU level, the restriction is enforced globally across all member accounts, including for their root users. Identity-based policies cannot restrict root user actions, and consolidated billing alone does not offer this authorization control.