Every application in a company's portfolio has a separate AWS account for development and production.
The security team wants to prevent the root user and all IAM users in the production accounts from accessing a specific set of unneeded services. How can they control this functionality?
Click on the arrows to vote for the correct answer
A. B. C. D.Answer: A.
Option A is CORRECT because SCP can be used to deny access to the services.
We can add all production accounts under the organization unit (OU) and apply SCP to the OU.
Option B is incorrect because when SCP is attached to the AWS root account, it will influence all accounts in the organization.
Option C is incorrect because IAM policies alone at the account level would not be able to suffice the requirement.
Option D is incorrect because IAM policies alone at the account level would not be able to suffice the requirement.
The change is required at the AWS Organization.
When an AWS Organization blocks access to a service or API action for a member account, a user or role in that account can't access any prohibited service or API action, even if an administrator of a member account explicitly grants such permissions in an IAM policy.
Organization permissions overrule account permissions.
For more information, please visit the below URLs.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html?icmpid=docs_orgs_console, https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-to-set-permission-guardrails-across-accounts-in-your-aws-organization/#:~:text=You%20can%20attach%20SCPs%20to,they%20do%20not%20grant%20permissions.The correct answer is A: Create a Service Control Policy that denies access to the services. Assemble all production accounts in an organizational unit. Apply the policy to that organizational unit.
Explanation: In this scenario, the security team wants to prevent the root user and all IAM users in the production accounts from accessing a specific set of unneeded services. The best way to achieve this is by creating a Service Control Policy (SCP) in AWS. An SCP is a type of policy that allows organizations to control which AWS services their accounts and users can access.
To create an SCP that denies access to the specific set of unneeded services, the following steps should be taken:
By applying the SCP to the OU that contains all production accounts, the security team can effectively prevent the root user and all IAM users in the production accounts from accessing the specified set of unneeded services.
Option B, creating an SCP and applying it to the root account, is not the best approach since it will deny access to the specified set of unneeded services for all accounts, including development accounts.
Option C, creating an IAM policy and associating it with an IAM group, is not recommended since the root user cannot be added to an IAM group.
Option D, creating an IAM policy and checking that all users have the policy assigned using AWS Config and Lambda, is not the best approach since it is a more complex and error-prone solution compared to creating an SCP.