AWS Certified Solutions Architect - Associate / Question #1507 of 1019

Question #1507

A healthcare organization uses AWS Organizations with all features enabled to manage multiple accounts. Their compliance team mandates that billing details for member accounts must remain inaccessible to all users, including the root users of those accounts. Which approach ensures compliance with this mandate?

A

Assign all compliance team members to an IAM role with the AWS managed policy 'ViewBilling' attached.

B

Apply a resource-based policy to the billing console to deny access to all principals except the management account.

C

Implement a service control policy (SCP) that restricts access to billing information and attach it to the root organizational unit (OU).

D

Migrate from the all features feature set to the consolidated billing feature set.

Explanation

Answer C is correct because Service Control Policies (SCPs) set the maximum permissions available to accounts across an AWS Organization. Attaching an SCP that explicitly denies access to billing information (e.g., a 'Deny' effect on actions such as 'aws-portal:*Billing') to the root OU makes the policy apply to every member account. This ensures that even the root users of those accounts cannot access billing details, meeting the compliance mandate.

Other options are incorrect:
- A: IAM roles/policies do not affect root users, who bypass IAM permissions.
- B: Resource-based policies cannot be applied to the billing console, as AWS does not support this.
- D: Migrating to consolidated billing removes SCP functionality, which is required to enforce the restriction.

Key Points:
1. SCPs override all IAM permissions, including root user access.
2. AWS Organizations' 'all features' mode enables SCPs.
3. Root OU SCPs propagate to all child OUs/accounts.
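The SCP that option C describes, written out as an added example (this is not policy text from the exam page; the Sid and the exact list of aws-portal actions are my choices, covering the ViewBilling/ModifyBilling pair the explanation names plus the related account, payment and usage pages):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyBillingAccessInMemberAccounts",
      "Effect": "Deny",
      "Action": [
        "aws-portal:ViewBilling",
        "aws-portal:ModifyBilling",
        "aws-portal:ViewAccount",
        "aws-portal:ModifyAccount",
        "aws-portal:ViewPaymentMethods",
        "aws-portal:ModifyPaymentMethods",
        "aws-portal:ViewUsage"
      ],
      "Resource": "*"
    }
  ]
}
```

Attached to the root OU, the Deny reaches every member account including its root user, while the management account (which SCPs never apply to) keeps its billing access; accounts that have moved to the fine-grained billing actions (for example billing:ViewBilling) need those actions denied as well.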

Answer

The correct answer is: C