What is the SIMPLEST approach the SysOps Administrator can take to ensure S3 buckets in those accounts can never be deleted?
Set up MFA Delete on all the S3 buckets to prevent the buckets from being deleted.
Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts.
Create an IAM group that has an IAM policy to deny the s3:DeleteBucket action on all buckets in production accounts.
Use AWS Shield to deny the s3:DeleteBucket action on the AWS account instead of all S3 buckets.
Explanations:
MFA Delete is designed to prevent the permanent deletion of objects within a bucket, not the deletion of the bucket itself. It requires MFA authentication for deleting objects, but it does not stop the deletion of the S3 bucket.
Using service control policies (SCPs) to deny thes3:DeleteBucketaction is the simplest and most effective approach in AWS Organizations. SCPs can apply restrictions at the account level, ensuring that no user or role in production accounts can delete S3 buckets.
An IAM policy can be used to deny thes3:DeleteBucketaction, but this requires additional management at the IAM level, which is more complex and less centralized than using SCPs for controlling actions at the account level in AWS Organizations.
AWS Shield is a DDoS protection service and is not designed to manage access control for S3 bucket actions. It cannot be used to deny thes3:DeleteBucketaction on the AWS account or any S3 buckets.
If memory serves me right, the answer is:
Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts.