
A 4-year-old media company is using the AWS Organizations all features feature set to organize its AWS accounts. According to the company's finance team, the billing information on the member accounts must not be accessible to anyone, including the root user of the member accounts. Which solution will meet these requirements?
A
Add all finance team users to an IAM group. Attach an AWS managed policy named Billing to the group.
B
Attach an identity-based policy to deny access to the billing information to all users, including the root user.
C
Create a service control policy (SCP) to deny access to the billing information. Attach the SCP to the root organizational unit (OU).
D
Convert from the Organizations all features feature set to the Organizations consolidated billing feature set.
Explanation:
Correct Answer: C
Service Control Policies (SCPs) are the appropriate mechanism in AWS Organizations to control permissions across member accounts. Here's why:
Option A: This only grants billing access to finance team users but doesn't prevent others (including root users) from accessing billing information.
Option B: Identity-based policies cannot restrict the root user's permissions. No IAM policy can be attached to the root user, which has full administrative access within its own account; only an SCP applied from the organization can limit it.
Option D: Converting to consolidated billing feature set would actually reduce security controls. The "all features" feature set includes SCPs, which are needed for this requirement.
An SCP of the following shape, attached to the root OU, denies the billing actions to every principal in every member account except an exempted finance role (the exemption uses ArnNotLike rather than StringNotEquals, since a wildcard in the account-id position only matches under an ARN condition operator):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "aws-portal:*Billing",
                "aws-portal:*Usage",
                "aws-portal:*PaymentMethods"
            ],
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::*:role/FinanceTeamRole"
                    ]
                }
            }
        }
    ]
}
This solution ensures that billing information is completely inaccessible to unauthorized users, including root users of member accounts.
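To make the evaluation rules concrete, here is an added example (not part of the quiz or of any AWS code) that models how the Deny statement above is applied: it shows that the member account's root user is blocked, that the exempted finance role is not, and that the management account is never restricted by an SCP. The account ids, the role name and the ArnNotLike exemption are constructed assumptions.

```python
import re

# Constructed SCP with the same shape as the policy in the explanation above.
# ArnNotLike is used because an ARN pattern with "*" in the account-id position
# only matches under ArnLike/ArnNotLike (StringNotEquals compares literally).
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["aws-portal:*Billing", "aws-portal:*Usage", "aws-portal:*PaymentMethods"],
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": ["arn:aws:iam::*:role/FinanceTeamRole"]}},
    }],
}

MANAGEMENT_ACCOUNT = "111111111111"  # assumed (constructed) management account id

def _glob(pattern: str, value: str, fold: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' one character.
    Action names match case-insensitively (fold=True); ARNs are case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if fold else 0) is not None

def scp_denies(scp: dict, principal_arn: str, action: str) -> bool:
    """True if the SCP blocks `action` for `principal_arn`.

    Models only the Deny + ArnNotLike subset this policy uses. The account id is
    field 4 of the ARN; for an assumed-role session aws:PrincipalArn is the role
    ARN, so "role/FinanceTeamRole" is the value that gets compared.
    """
    account = principal_arn.split(":")[4]
    if account == MANAGEMENT_ACCOUNT:
        return False  # SCPs never restrict principals in the management account
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(_glob(p, action, fold=True) for p in stmt["Action"]):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn", [])
        if any(_glob(p, principal_arn) for p in exempt):
            continue  # principal matches an exempted pattern, so this Deny does not apply
        return True  # an explicit Deny wins, even for the member account's root user
    return False

if __name__ == "__main__":
    for arn in ("arn:aws:iam::222222222222:root",
                "arn:aws:iam::222222222222:role/FinanceTeamRole"):
        print(arn, "denied" if scp_denies(SCP, arn, "aws-portal:ViewBilling") else "allowed")
```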