AWS Certified SysOps Administrator – Associate — Question 314
A company has several member accounts that are in an organization in AWS Organizations. The company recently discovered that administrators have been using account root user credentials. The company must prevent the administrators from using root user credentials to perform any actions on Amazon EC2 instances.
What should a SysOps administrator do to meet this requirement?
Answer options
- A. Create an identity-based IAM policy in each member account to deny actions on EC2 instances by the root user.
- B. In the organization's management account, create a service control policy (SCP) to deny actions on EC2 instances by the root user in all member accounts.
- C. Use AWS Config to prevent any actions on EC2 instances by the root user.
- D. Use Amazon Inspector in each member account to scan for root user logins and to prevent any actions on EC2 instances by the root user.
Correct answer: B
Explanation
Service control policies (SCPs) in AWS Organizations can be used to restrict permissions for all accounts in an organization, including the root user of member accounts. IAM policies cannot be used to restrict the actions of the root user within its own account, making option A incorrect. AWS Config and Amazon Inspector are monitoring and assessment services, respectively, and cannot natively prevent actions from being executed in real time.
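An SCP that implements option B, added here as an illustration and not part of the original question: attached in the management account to the organization root or to the OUs that contain the member accounts, it denies every EC2 API action whenever the calling principal is an account's root user (the `aws:PrincipalArn` condition with a wildcard account ID is the documented way to match root in an SCP; the `Sid` is a name chosen for this example).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUserEC2Actions",
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
```

SCPs never apply to the management account itself, so its root user is not covered by this policy, and a deny SCP only limits what root can do; it does not remove the need to secure root credentials with MFA and to alert on root sign-ins through CloudTrail.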