What is the SIMPLEST approach the SysOps administrator can take to ensure S3 buckets in those accounts can never be deleted?
Set up MFA Delete on all the S3 buckets to prevent the buckets from being deleted.
Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts.
Create an IAM group that has an IAM policy to deny the s3:DeleteBucket action on all buckets in production accounts.
Use AWS Shield to deny the s3:DeleteBucket action on the AWS account instead of all S3 buckets.
Explanations:
MFA Delete requires an additional authentication factor (MFA) to permanently delete objects in a bucket, but it doesn’t prevent the deletion of the bucket itself. It also requires enabling versioning and MFA setup for each bucket, making it more complex.
Service control policies (SCPs) can be used to prevent specific actions in AWS Organizations. By denying thes3:DeleteBucketaction in the production accounts, SCPs enforce this policy across all users and roles in those accounts, ensuring no bucket can be deleted.
While IAM policies can deny actions, they apply only to specific users or roles. This does not provide a simple or organization-wide solution, and doesn’t prevent deletions for all users and roles across the account.
AWS Shield protects against DDoS attacks, not against preventing the deletion of S3 buckets. It doesn’t help in this case for preventing bucket deletions.
I evaluate that the answer is:
Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts.