Which solution meets these requirements with the LEAST operational overhead?
Create an SCP that applies to all the AWS accounts to allow IAM actions only for administrator roles. Apply the SCP to the root OU.
Configure AWS CloudTrail to invoke an AWS Lambda function for each event that is related to IAM actions. Configure the function to deny the action if the user who invoked the action is not an administrator.
Create an SCP that applies to all the AWS accounts to deny IAM actions for all users except for those with administrator roles. Apply the SCP to the root OU.
Set an IAM permissions boundary that allows IAM actions. Attach the permissions boundary to every administrator role across all the AWS accounts.
Explanations:
While creating an SCP to allow IAM actions only for administrator roles sounds viable, it is inherently flawed because SCPs work on a deny-by-default basis. This means that if the action is not explicitly denied for all other roles, they will still have the ability to perform IAM actions, making this option ineffective.
This option introduces significant operational overhead by requiring the continuous monitoring of IAM actions through AWS CloudTrail and invoking a Lambda function for each event. This method does not effectively prevent IAM actions from being performed by non-administrators and may lead to delayed enforcement of policies.
Creating an SCP that denies IAM actions for all users except those with administrator roles is the most effective solution. This ensures that only administrators can perform IAM actions across all accounts under the organization, aligning with the requirement while maintaining low operational overhead by managing permissions centrally through the SCP.
Setting an IAM permissions boundary requires attaching it to every administrator role across all accounts, which involves significant operational overhead. Furthermore, permissions boundaries do not inherently restrict IAM actions to only administrator roles but rather define the maximum permissions a role can have, which can lead to potential misconfigurations.
I systematize that the answer is:
Create an SCP that applies to all the AWS accounts to deny IAM actions for all users except for those with administrator roles. Apply the SCP to the root OU.