AWS Certified SysOps Administrator – Associate (legacy) — Question 688
A company is managing multiple AWS accounts using AWS Organizations. One of these accounts is used only for retaining logs in an Amazon S3 bucket. The company wants to make sure that compute resources cannot be used in the account.
How can this be accomplished with the LEAST administrative effort?
Answer options
- A. Apply an IAM policy to all IAM entities in the account with a statement to explicitly deny NotAction: s3:*.
- B. Configure AWS Config to terminate compute resources that have been created in the accounts.
- C. Configure AWS CloudTrail to block any action where the event source is not s3:amazonaws.com.
- D. Update the service control policy on the account to deny the unapproved services.
Correct answer: D
Explanation
Applying a Service Control Policy (SCP) at the AWS Organizations level is the most efficient and centralized method to restrict services, preventing any compute resources from being launched even by the root user of the member account. Managing individual IAM policies across all entities requires high administrative effort and does not affect the root user, while AWS Config can only reactively remediate resources after they are already created. AWS CloudTrail is a logging and auditing service and does not have the capability to block API requests.
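As an added illustration (not part of the original question or its explanation), the block below builds the kind of deny-list SCP that answer D describes and runs a simplified policy evaluation over a few API actions, so the difference between "approved" and "unapproved" services is visible. The list of approved service prefixes, the statement identifier and the sample actions are assumptions chosen for a log-archive account; the evaluator mirrors SCP semantics only as far as Action/NotAction and wildcards, ignoring Resource and Condition keys.

```python
"""Added example: a minimal deny-list SCP for a log-only member account plus a
simplified evaluator that shows which API actions the SCP would block.
The approved-service list and sample actions are assumptions for illustration."""
import fnmatch
import json

# Namespaces the log-archive account still needs (assumed list; adjust to taste).
# Everything outside these namespaces, including ec2:*, lambda:*, ecs:*, is denied.
APPROVED_SERVICE_PREFIXES = [
    "s3:*", "cloudtrail:*", "cloudwatch:*", "logs:*",
    "iam:*", "organizations:*", "sts:*", "kms:*",
]


def build_log_archive_scp(approved):
    """Return an SCP document that denies every action not in the approved namespaces.
    NotAction keeps the list short: new AWS services are denied by default."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllButApprovedServices",  # assumed Sid
                "Effect": "Deny",
                "NotAction": list(approved),
                "Resource": "*",
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action matching is case-insensitive and '*' is the only wildcard needed here.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_permits(scp, action):
    """Simplified SCP evaluation for a member account that keeps the default
    FullAWSAccess SCP attached: the action passes the SCP layer unless some Deny
    statement applies to it. An explicit Deny always wins. Resource and Condition
    elements are ignored for brevity; the real evaluator checks them as well."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            applies = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        elif "NotAction" in stmt:
            applies = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
        else:
            applies = False
        if applies:
            return False
    return True


def effective_decisions(scp, actions):
    """Map each action to True (passes the SCP) or False (denied by the SCP)."""
    return {a: scp_permits(scp, a) for a in actions}


if __name__ == "__main__":
    scp = build_log_archive_scp(APPROVED_SERVICE_PREFIXES)
    print(json.dumps(scp, indent=2))
    sample_actions = [  # constructed sample calls
        "s3:PutObject", "cloudtrail:StartLogging",
        "ec2:RunInstances", "lambda:CreateFunction", "ecs:RunTask",
    ]
    for action, ok in effective_decisions(scp, sample_actions).items():
        print(f"{action:26} {'passes SCP' if ok else 'DENIED by SCP'}")
```

Passing the SCP layer is necessary but not sufficient: the caller still needs an identity or resource policy that grants the action. Attaching the document in practice is done from the management account with `aws organizations create-policy --type SERVICE_CONTROL_POLICY` followed by `aws organizations attach-policy` on the log-archive account, and SCPs never constrain the management account itself, which is one reason the log bucket belongs in a dedicated member account.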