Question #1638
A solutions architect is designing a security solution for a company that provides developers with individual AWS accounts through AWS Organizations. The developers have root user access to their accounts, and the architect must ensure that a mandatory AWS Config rule deployed to all developer accounts cannot be disabled or modified. Which action meets these requirements?
A. Create an IAM policy that prohibits changes to AWS Config rules and attach it to the root user.
B. Use AWS Organizations to automatically enable AWS Config rules in all developer accounts.
C. Create a service control policy (SCP) that prohibits changes to AWS Config rules, and attach it to the developer accounts.
D. Configure a service-linked role for AWS Config with a policy condition that allows modifications only from the management account.
Explanation
Answer C is correct because service control policies (SCPs) define the maximum permissions available to member accounts in AWS Organizations. An SCP that denies actions such as config:DeleteConfigRule or config:PutConfigRule prevents the developer accounts, even with root access, from disabling or modifying the AWS Config rules. An SCP deny takes effect regardless of any IAM policy and applies to every principal in the account, including the root user, making SCPs the only effective method here.
Option A is incorrect because IAM policies do not apply to the root user, which retains full access regardless of IAM policies. Option B is incorrect because enabling AWS Config rules through Organizations does not prevent developers from disabling or modifying them later. Option D is insufficient because service-linked roles do not restrict root users from altering AWS Config settings. Key takeaway: SCPs are the proper tool for enforcing account-wide restrictions in AWS Organizations.
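An SCP of the kind the explanation describes, written here as an added example and not taken from the question or from AWS documentation. It denies the two actions named above and, going beyond the page, the recorder and delivery-channel actions that would also switch the rules off, for every principal in the account except an assumed central deployment role named OrgConfigDeployRole (a placeholder name).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectMandatoryConfigRules",
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigRule",
        "config:PutConfigRule",
        "config:DeleteEvaluationResults",
        "config:StopConfigurationRecorder",
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrgConfigDeployRole"
        }
      }
    }
  ]
}
```

Attach the policy to the organizational unit that holds the developer accounts; the root user of each member account is subject to the deny, while the management account, to which SCPs never apply, can still deploy and update the rules.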
Answer
The correct answer is: C