Q27 — AWS SOA-C02 Ch.1
A company has several member accounts that are in an organization in AWS Organizations. The company recently discovered that administrators have been using account root user credentials. The company must prevent the administrators from using root user credentials to perform any actions on Amazon EC2 instances. What should a SysOps administrator do to meet this requirement?
- A. Create an identity-based IAM policy in each member account to deny actions on EC2 instances by the root user.
- B. In the organization's management account, create a service control policy (SCP) to deny actions on EC2 instances by the root user in all member accounts. ✓
- C. Use AWS Config to prevent any actions on EC2 instances by the root user.
- D. Use Amazon Inspector in each member account to scan for root user logins and to prevent any actions on EC2 instances by the root user.
Correct Answer: B. In the organization's management account, create a service control policy (SCP) to deny actions on EC2 instances by the root user in all member accounts.
Explanation
Service control policies (SCPs) in AWS Organizations let you define permission boundaries in the management account that apply to all member accounts. IAM policies are identity-based and cannot be attached to the root user, whereas an SCP, as an organization-level policy, can restrict root user actions across the whole organization. Option B uses an SCP to uniformly restrict root user EC2 actions in all member accounts, which meets the requirement. Option A would have to be configured separately in each account and does not fit the efficient-management expectation implied by "several member accounts" in the question. Option C's AWS Config is for compliance evaluation rather than real-time prevention, and option D's Amazon Inspector is for security assessment rather than access control. The correct answer is B. (Source: AWS SCP documentation)
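As an added illustration of option B (this policy is not part of the original question page), the following SCP denies every EC2 action when the calling principal is an account's root user. It uses the `aws:PrincipalArn` global condition key with the wildcard `arn:aws:iam::*:root`, which matches the root user of any account the policy is attached to; the `Sid` value is an arbitrary label chosen here.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUserEC2Actions",
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
```

Attach the SCP to the organization root or to the OUs that contain the member accounts; SCPs require the organization to have all features enabled, and they never apply to the management account itself, so root user activity there still needs to be controlled by other means. Because it is an explicit Deny, it overrides any permission the root user would otherwise have, and it leaves IAM users and roles in those accounts unaffected.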