AWS Certified SysOps Administrator – Associate (legacy) — Question 571

A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be deleted.
What is the SIMPLEST approach the SysOps Administrator can take to ensure S3 buckets in those accounts can never be deleted?

Answer options

Correct answer: B

Explanation

Service control policies (SCPs) set the maximum permissions available to every account in an organization, so a single SCP that denies s3:DeleteBucket, applied to the production accounts, is the simplest way to enforce a global deny on bucket deletion. MFA Delete only protects against object deletion, not deletion of the bucket itself. IAM groups cannot restrict the AWS account root user and must be managed separately in every account, while AWS Shield is a DDoS protection service and cannot block API actions such as s3:DeleteBucket.
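As an added illustration (not part of the original question or its answer key), this is the shape of an SCP that implements the deny described above; the policy JSON follows the standard IAM policy grammar, and the OU or account it is attached to is an assumption left as a placeholder:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3BucketDeletionInProduction",
      "Effect": "Deny",
      "Action": "s3:DeleteBucket",
      "Resource": "*"
    }
  ]
}
```

Attach the policy to the organizational unit that contains the production accounts (placeholder: the "Production" OU). Because SCP evaluation applies to every principal in a member account, including the account root user, a Deny here cannot be bypassed by an in-account IAM policy; the one caveat is that SCPs never restrict the organization's management account, so production workloads should not run there.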