What is the MOST scalable solution that meets these requirements?

By:
In: SCS-C01
Tagged:
With: 2 Comments
A healthcare company has multiple AWS accounts in an organization in AWS Organizations.The company uses Amazon S3 buckets to store sensitive information of patients.The company needs to restrict users from deleting any S3 bucket across the organization.

What is the MOST scalable solution that meets these requirements?

Permissions boundaries in AWS Identity and Access Management (IAM)

S3 bucket policies

Tag policies

SCPs

Explanations:

Permissions boundaries in IAM define the maximum permissions a user or role can have but do not prevent actions like deleting S3 buckets across an organization. They are not a suitable solution for organization-wide restrictions on specific actions like deletions.

S3 bucket policies can restrict actions on a specific bucket, but managing policies for multiple buckets across an organization can become complex and cumbersome, making it less scalable for the requirement to restrict deletions across all S3 buckets.

Tag policies in AWS Organizations are used to enforce tagging rules for resources but do not directly control access to actions like deleting S3 buckets. They are not intended for permission management.

Service Control Policies (SCPs) in AWS Organizations allow for centralized control over permissions across accounts. SCPs can be applied to organizational units to restrict actions, such as preventing the deletion of S3 buckets across all accounts, making this the most scalable solution for the requirement.

2026-03-30

2 Comments

  1. Zachary
    Author

    I conclude that the answer is:
    SCPs

  2. Bruce
    Author

    I opine that the answer is:
    SCPs

Leave a Reply

Your email address will not be published. Required fields are marked *

10 − eight =