A company is managing multiple AWS accounts using AWS Organizations. One of these accounts is used only for retaining logs in an Amazon S3 bucket. The company wants to make sure that compute resources cannot be used in the account. How can this be accomplished with the LEAST administrative effort?
A) Apply an IAM policy to all IAM entities in the account with a statement to explicitly deny NotAction: s3:*.
B) Configure AWS Config to terminate compute resources that have been created in the accounts.
C) Configure AWS CloudTrail to block any action where the event source is not s3:amazonaws.com.
D) Update the service control policy on the account to deny the unapproved services.

Question

Quizplus · Accepted Answer

Service control policies (SCPs) in AWS Organizations can be used to centrally control the use of AWS services across multiple AWS accounts. By updating the SCP to deny unapproved services, the company can ensure that compute resources cannot be used in the account with minimal administrative effort.

A Company Is Managing Multiple AWS Accounts Using AWS Organizations