Question 35
Domain 6: Management and Security Governance
A security architect at a large enterprise wants to ensure that even if an account's root user credentials are compromised, the attacker cannot create new IAM users or disable CloudTrail in any member account. The accounts already have CloudTrail trails defined by the management account. Which control most directly enforces this guardrail?
Correct answer: C
Explanation
An AWS Organizations service control policy (SCP) sets the maximum permissions for accounts in the organization, so an SCP attached at the root or top-level OU can block actions even if root credentials are compromised. Denying "iam:CreateUser" and "cloudtrail:StopLogging" organization-wide prevents creating new IAM users and disabling CloudTrail in member accounts.
Why each option is right or wrong
A. An IAM permissions boundary on every IAM user in the organization.
Permissions boundaries limit delegated IAM principals, not the account root user across the organization.
B. Resource-based policies on every CloudTrail trail.
Resource policies govern access to specific resources, not broad account-level guardrails against root actions.
C. An SCP attached at the root or top-level OU denying iam:CreateUser and cloudtrail:StopLogging organization-wide.
Under AWS Organizations, a service control policy (SCP) attached at the root or a top-level OU defines the maximum permissions available in every member account, including actions attempted with the account root user. The relevant API actions are `iam:CreateUser` and `cloudtrail:StopLogging`; denying them at the organization level prevents new IAM users from being created and prevents CloudTrail logging from being stopped in any member account, even if the account’s root credentials are compromised.
D. A custom IAM session policy applied during console login.
Session policies constrain a particular session, not all access paths or compromised root credentials.
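The SCP described in option C, written out as an added example (it is not part of the original question or taken from AWS documentation); the statement Sid is an arbitrary label chosen here:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIamUserCreationAndCloudTrailStop",
      "Effect": "Deny",
      "Action": [
        "iam:CreateUser",
        "cloudtrail:StopLogging"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach it to the organization root or top-level OU alongside the default FullAWSAccess SCP, since a deny-list SCP only narrows permissions that another SCP still allows. SCPs do not apply to the management account itself, so its root credentials still need separate protection.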