AWS Certified Solutions Architect - Professional / Question #993 of 529

Question #993

A company uses AWS Organizations to manage multiple AWS accounts. A solutions architect needs to ensure that only authorized administrator roles can perform IAM operations. The architect does not have access to all accounts. Which solution meets these requirements with the LEAST operational overhead?

A

Create an SCP that allows IAM actions only for administrator roles and apply it to the root organizational unit (OU).

B

Configure AWS CloudTrail to trigger an AWS Lambda function for IAM-related events. Design the function to revoke permissions if the user is not an administrator.

C

Create an SCP that denies IAM actions for all users except administrator roles and apply it to the root organizational unit (OU).

D

Deploy an IAM permissions boundary permitting IAM actions and attach it to every administrator role in all AWS accounts.

Explanation

Option C is correct because Service Control Policies (SCPs) allow centralized enforcement of permissions across all accounts in an AWS Organization. By creating an SCP that denies IAM actions unless the principal is an administrator role, the solution ensures that only authorized roles can perform IAM operations. Applying this SCP to the root Organizational Unit (OU) propagates the policy to all child OUs and accounts, eliminating the need to configure each account individually. This approach minimizes operational overhead and ensures compliance without requiring access to every account.

Option A is incorrect because an SCP built only from 'Allow' statements acts as an allowlist: anything not explicitly listed is implicitly denied once the default FullAWSAccess policy is removed, so such an SCP could unintentionally block non-IAM actions if it is not scoped carefully. Option B introduces complexity with CloudTrail and Lambda, is reactive rather than preventive, and requires ongoing maintenance. Option D is impractical because IAM permissions boundaries are account-level resources, so deploying them across all accounts would require access to each account, which the architect lacks.
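The following SCP is an added illustration of the approach described for option C; it is not part of the original question or explanation, and the role name OrgAdminRole and the policy Sid are placeholders chosen for this example. It denies every iam: action unless the calling principal is the named administrator role in whichever account it lives, and it is intended to sit alongside the default FullAWSAccess policy on the root OU.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIamUnlessAdminRole",
      "Effect": "Deny",
      "Action": "iam:*",
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/OrgAdminRole"
        }
      }
    }
  ]
}
```

Two caveats a practitioner should check before relying on this: SCPs never restrict the organization's management account, so IAM activity there must be controlled separately (for example by keeping it free of day-to-day workloads), and the condition matches on the role ARN rather than on any IAM user, so a user who can assume OrgAdminRole inherits the exception. Because the statement is an explicit Deny, it cannot be overridden by any identity policy in the member accounts, which is what makes a single attachment at the root OU sufficient.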

Answer

The correct answer is: C