Which solution will meet these requirements?
Create an SCP that includes a Deny statement for changes to the auditing application’s IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the SCP to the root of the organization.
Create an SCP that includes an Allow statement for changes to the auditing application’s IAM role by the trusted administrator IAM role. Include a Deny statement for changes by all other IAM principals. Attach the SCP to the IAM service in each AWS account where the auditing application has an IAM role.
Create an IAM permissions boundary that includes a Deny statement for changes to the auditing application’s IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the permissions boundary to the audited AWS accounts.
Create an IAM permissions boundary that includes a Deny statement for changes to the auditing application’s IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the permissions boundary to the auditing application’s IAM role in the AWS accounts.
Explanations:
An SCP with a Deny statement applied to the organization root can effectively restrict all entities except the trusted administrator IAM role from modifying the auditing application’s IAM role across all accounts.
SCPs cannot be attached to an individual AWS service; they are attached only to the organization root, an OU, or an account, so this option is not possible.
Permissions boundaries control actions an IAM role or user can perform but do not restrict other principals from modifying the auditing role itself. SCPs are necessary for this organization-wide restriction.
Permissions boundaries limit what a role can do but do not prevent other principals from modifying or deleting the role itself; only an SCP can enforce an organization-wide restriction on modifying a specific role.
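The first option written out as an SCP document, added here as an example and not part of the original question. The role names AuditAppRole and TrustedAdminRole are placeholders, and the Deny covers the IAM actions that change or delete a role while exempting any session of the trusted administrator role via aws:PrincipalArn:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectAuditAppRole",
      "Effect": "Deny",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:DeleteRole",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription"
      ],
      "Resource": "arn:aws:iam::*:role/AuditAppRole",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/TrustedAdminRole"
        }
      }
    }
  ]
}
```

Because SCPs never restrict the organization's management account, the auditing role in that account is not protected by this policy and needs a separate control.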