Which solution will meet these requirements?
Add all finance team users to an IAM group. Attach an AWS managed policy named Billing to the group.
Attach an identity-based policy to deny access to the billing information to all users, including the root user.
Create a service control policy (SCP) to deny access to the billing information. Attach the SCP to the root organizational unit (OU).
Convert from the Organizations all features feature set to the Organizations consolidated billing feature set.
Explanations:
The AWS managed policy “Billing” grants users the ability to access billing information, which directly contradicts the requirement to restrict access to the billing information for all users, including the root user.
While attaching an identity-based policy to deny access to billing information could work for IAM users, it will not work for the root user of the member accounts, as root users cannot be restricted by IAM policies.
A service control policy (SCP) can be used to enforce restrictions across AWS Organizations accounts, including denying access to billing information. SCPs apply to all users and roles in the member accounts, including the root users, so this would meet the requirement.
The Organizations consolidated billing feature set does not provide the fine-grained control over access to billing information that the “all features” feature set does, and it doesn’t restrict access to the billing information for member accounts in the way required.