Which solution will meet these requirements?
In all member accounts, configure IAM policies that deny access to all DynamoDB resources for all users, including the root user.
Create a service control policy (SCP) in the management account to deny all DynamoDB actions. Apply the SCP to the root of the organization
In all member accounts, configure IAM policies that deny AmazonDynamoDBFullAccess to all users, including the root user.
Remove the default service control policy (SCP) in the management account. Create a replacement SCP that includes a single statement that denies all DynamoDB actions.
Explanations:
IAM policies apply at the account level and do not affect the root user in the context of denying access to services across accounts within AWS Organizations. Thus, this option does not effectively prevent all teams from using DynamoDB, especially since root user credentials are used.
Service Control Policies (SCPs) are used to manage permissions across AWS Organizations and can prevent all actions for DynamoDB across all member accounts, including those with root user credentials. This ensures that all teams, including the administrators, are restricted from using DynamoDB while allowing access to other services.
While denying AmazonDynamoDBFullAccess in IAM policies may limit access for IAM users, it does not apply to the root user, which other teams have access to. Thus, this option fails to prevent access to DynamoDB effectively.
Removing the default SCP and creating a new one to deny DynamoDB actions would not be effective if there are existing permissions that allow access. Additionally, simply denying actions without proper application to all members could result in unintended access. SCPs must be properly configured to ensure they apply across all accounts in the organization.
I estimate that the answer is:
Create a service control policy (SCP) in the management account to deny all DynamoDB actions. Apply the SCP to the root of the organization