Question #1452
A company is managing its development and production workloads across multiple AWS accounts within an AWS Organizations structure. The organization needs to ensure that encryption settings for critical resources cannot be disabled or altered without authorization.
Which solution will meet these requirements?
A. Create a custom AWS Config rule to block changes to encryption settings except by authorized principals.
B. Configure an AWS CloudTrail trail with event logging to prevent encryption setting modifications.
C. Implement a service control policy (SCP) to deny encryption setting changes except by authorized principals.
D. Use Amazon CloudWatch alarms to trigger alerts when encryption settings are modified.
Explanation
Option C is correct because Service Control Policies (SCPs) are designed to centrally manage permissions across multiple AWS accounts in an AWS Organizations setup. SCPs act as guardrails to restrict actions, even if IAM policies allow them. By creating an SCP that explicitly denies modifications to encryption settings (e.g., disabling KMS keys or altering S3 bucket encryption) unless performed by specific authorized principals (e.g., a secure admin role), the organization ensures that encryption cannot be disabled or altered without approval.
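As an added illustration (not part of the original question and not an official AWS sample), here is an SCP of the kind option C describes: it denies the KMS and S3 actions that would disable a key or change bucket encryption unless the caller is an assumed authorized role. The role name EncryptionAdminRole and the exact action list are assumptions chosen for this example; a real policy would list whichever encryption-affecting actions the organization cares about.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEncryptionChangesExceptAuthorizedRole",
      "Effect": "Deny",
      "Action": [
        "kms:DisableKey",
        "kms:DisableKeyRotation",
        "kms:ScheduleKeyDeletion",
        "s3:PutEncryptionConfiguration"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/EncryptionAdminRole"
        }
      }
    }
  ]
}
```

Attach the policy to the organizational units that hold the development and production accounts; because an SCP's Deny overrides any IAM Allow in those accounts, the listed actions fail for every principal other than the named role. SCPs do not apply to the organization's management account, so encryption administration should be done from a member account.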
Other options are incorrect because:
- A: AWS Config rules only assess compliance and cannot block actions; they reactively flag violations.
- B: CloudTrail logs events but does not prevent actions; it is used for auditing, not enforcement.
- D: CloudWatch alarms trigger alerts post-modification but do not block changes.
Key Takeaway: SCPs are the only solution that proactively enforces organization-wide restrictions on AWS account actions, aligning with the requirement to prevent unauthorized encryption changes.
Answer
The correct answer is: C