What should a SysOps administrator do to meet this requirement?
Create an identity-based IAM policy in each member account to deny actions on EC2 instances by the root user.
In the organization’s management account, create a service control policy (SCP) to deny actions on EC2 instances by the root user in all member accounts.
Use AWS Config to prevent any actions on EC2 instances by the root user.
Use Amazon Inspector in each member account to scan for root user logins and to prevent any actions on EC2 instances by the root user.
Explanations:
IAM policies cannot target the root user specifically. IAM policies apply to identities like IAM users, roles, and groups, but they cannot directly control or restrict actions for the root user.
A service control policy (SCP) in AWS Organizations can be used to deny actions for the root user across all accounts in the organization, including EC2 actions. SCPs can control what actions are allowed or denied for all IAM identities, including the root user.
AWS Config tracks configuration changes and compliance but does not control or prevent specific user actions, such as preventing the root user from performing EC2 actions. AWS Config is not designed for access control.
Amazon Inspector is a security assessment service, but it is not designed to block user actions. It helps with vulnerability scanning and assessments, not with preventing root user logins or actions on EC2 instances.
I evaluate that the answer is:
In the organization’s management account, create a service control policy (SCP) to deny actions on EC2 instances by the root user in all member accounts.