How can the Administrator restrict usage of member root user accounts across the organization?
A. Disable the use of the root user account at the organizational root. Enable multi-factor authentication of the root user account for each organizational member account.
B. Configure IAM user policies to restrict root account capabilities for each Organizations member account.
C. Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.
D. Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.
Explanations:
A. Disabling the root user account at the organizational root is not a valid action in AWS Organizations. Multi-factor authentication (MFA) can be enforced for individual root users, but this does not restrict their overall usage across the organization.
B. IAM user policies cannot restrict the capabilities of the root user. Root user restrictions need to be managed through AWS Organizations service control policies (SCPs), not IAM policies.
C. This is the correct approach. Service control policies (SCPs) can be used in AWS Organizations to restrict the usage of root user accounts. By creating an OU and applying an SCP to it, the Administrator can control and limit the root user capabilities for all operational accounts placed in that OU.
D. CloudTrail and CloudWatch Logs can monitor and alert on root user usage, but they do not restrict or prevent the usage of root accounts. This is a monitoring solution, not a restriction mechanism.
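As an added illustration (not part of the original question), here is an SCP of the kind option C describes: it denies every action when the calling principal is a member account's root user, and is attached to the OU that holds the operational accounts. The statement ID is an assumed name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUserActions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
```

SCPs never apply to the organization's management account, so that account's root user still needs separate controls such as MFA and CloudTrail alerting.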