
Answer-first summary for fast verification
Answer: Create a service control policy (SCP) to deny access to the billing information. Attach the SCP to the root organizational unit (OU).
## Explanation

**Correct Answer: C**

Service Control Policies (SCPs) are the appropriate mechanism in AWS Organizations to control permissions across member accounts. Here's why:

### Why Option C is Correct:

1. **SCPs work at the organization level**: SCPs are specifically designed to set permission boundaries for member accounts in AWS Organizations.
2. **They can restrict root user access**: Unlike IAM policies, SCPs can restrict what even the root user of member accounts can do.
3. **Attaching to the root OU**: By attaching the SCP to the root organizational unit (OU), it applies to all member accounts in the organization.
4. **Billing information protection**: The SCP can explicitly deny access to billing information for all users, including root users.

### Why Other Options are Incorrect:

**Option A**: This only grants billing access to finance team users but doesn't prevent others (including root users) from accessing billing information.

**Option B**: Identity-based policies cannot restrict the root user's permissions. The root user has full administrative access and bypasses IAM policies.

**Option D**: Converting to the consolidated billing feature set would actually reduce security controls. The "all features" feature set includes SCPs, which are needed for this requirement.
### Key AWS Concepts:

- **Service Control Policies (SCPs)**: Central policies that define maximum permissions for accounts in AWS Organizations
- **Root OU**: The top-level organizational unit that contains all other OUs and accounts
- **All Features vs Consolidated Billing**: Only the "all features" feature set supports SCPs

### Implementation Example:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "aws-portal:*Billing",
        "aws-portal:*Usage",
        "aws-portal:*PaymentMethods"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/FinanceTeamRole"
          ]
        }
      }
    }
  ]
}
```

The condition uses `StringNotLike` rather than `StringNotEquals`: only the `...Like` operators treat the `*` standing in for the account ID as a wildcard, whereas `StringNotEquals` compares the ARN literally and would deny the finance role as well. This solution ensures that billing information is completely inaccessible to unauthorized users, including root users of member accounts.
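As an added example (not part of the original explanation), the following Python mimics how the SCP's Deny statement is evaluated against a principal's ARN, so the effect on a member account's root user and on the finance role can be checked without an AWS account. The policy dict, the account ID 111122223333 and the `make_scp` / `scp_denies` helpers are constructed here; the operator parameter also shows that the wildcard account ID in the principal ARN only matches under `StringNotLike`, not `StringNotEquals`.

```python
import re

FINANCE_ROLE = "arn:aws:iam::*:role/FinanceTeamRole"

def make_scp(operator="StringNotLike"):
    """The SCP from the explanation (constructed for this example). Only the ...Like
    operators treat the '*' standing in for the account ID as a wildcard."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["aws-portal:*Billing", "aws-portal:*Usage", "aws-portal:*PaymentMethods"],
            "Resource": "*",
            "Condition": {operator: {"aws:PrincipalArn": [FINANCE_ROLE]}},
        }],
    }

def iam_match(pattern, value):
    """IAM wildcard matching: '*' is any run of characters, '?' a single one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def condition_holds(condition, ctx):
    """True when every operator/key pair of a Condition block is satisfied by ctx."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key, "")
            if operator == "StringNotEquals":   # literal comparison: '*' is not a wildcard
                ok = actual not in expected
            elif operator == "StringNotLike":
                ok = not any(iam_match(p, actual) for p in expected)
            else:
                raise ValueError(f"operator not modelled here: {operator}")
            if not ok:
                return False
    return True

def scp_denies(policy, action, principal_arn):
    """Does a Deny statement in the SCP match this action for this principal? SCPs only
    remove permissions: False means 'not restricted by the SCP', not 'allowed'."""
    ctx = {"aws:PrincipalArn": principal_arn}
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # Action names are case-insensitive in IAM, so compare them lowercased.
        if stmt["Effect"] == "Deny" and any(iam_match(a.lower(), action.lower()) for a in actions) \
                and condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False
```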
Author: LeetQuiz Editorial Team
A 4-year-old media company is using the AWS Organizations all features feature set to organize its AWS accounts. According to the company's finance team, the billing information on the member accounts must not be accessible to anyone, including the root user of the member accounts. Which solution will meet these requirements?
A
Add all finance team users to an IAM group. Attach an AWS managed policy named Billing to the group.
B
Attach an identity-based policy to deny access to the billing information to all users, including the root user.
C
Create a service control policy (SCP) to deny access to the billing information. Attach the SCP to the root organizational unit (OU).
D
Convert from the Organizations all features feature set to the Organizations consolidated billing feature set.