Which solution meets these requirements with the LEAST operational overhead?
Create an SCP that applies to all the AWS accounts to allow IAM actions only for administrator roles. Apply the SCP to the root OU.
Configure AWS CloudTrail to invoke an AWS Lambda function for each event that is related to IAM actions. Configure the function to deny the action if the user who invoked the action is not an administrator.
Create an SCP that applies to all the AWS accounts to deny IAM actions for all users except for those with administrator roles. Apply the SCP to the root OU.
Set an IAM permissions boundary that allows IAM actions. Attach the permissions boundary to every administrator role across all the AWS accounts.
Explanations:
This option suggests allowing IAM actions only for administrator roles but does not explicitly deny IAM actions for non-administrator roles, potentially allowing access to others inadvertently.
While this option attempts to deny IAM actions for non-administrator users via a Lambda function triggered by CloudTrail events, it introduces high operational overhead and complexity, requiring constant monitoring and maintenance of the Lambda function.
This option correctly creates a Service Control Policy (SCP) that denies IAM actions for all users except those with administrator roles. By applying it to the root Organizational Unit (OU), it ensures a consistent enforcement across all accounts with minimal operational overhead.
Setting IAM permissions boundaries requires the permissions boundary to be attached to each administrator role across all accounts, which can be cumbersome and complex to manage, especially when dealing with multiple accounts.
I think the answer is:
Create an SCP that applies to all the AWS accounts to deny IAM actions for all users except for those with administrator roles. Apply the SCP to the root OU.