Practice free →
HomeAWS Securitycloudcomputingscsdatagov › Which AWS Organization feature lets a security e…

Which AWS Organization feature lets a security engineer enforce 'deny all use of root user except for break-glass procedures' as a preventive control across every account in an OU?

AService Control Policies (SCPs) attached at the OU level
BAsking developers nicely
CCloudTrail-only auditing without preventive control
DPer-account IAM policies copied manually
Answer & Solution
Correct answer: A. Service Control Policies (SCPs) attached at the OU level
SCPs are the preventive guardrail in Organizations (per SCS-C02 §6.1). Per-account IAM doesn't enforce org-wide; CloudTrail is reactive; trust is not a control.
Solve this in the app — AWS Security practice & 24k+ MCQs →
Related questions