Home › AWS Security › cloudcomputing › scsdatagov › Which AWS Organization feature lets a security e…
Which AWS Organization feature lets a security engineer enforce 'deny all use of root user except for break-glass procedures' as a preventive control across every account in an OU?
AService Control Policies (SCPs) attached at the OU level
BAsking developers nicely
CCloudTrail-only auditing without preventive control
DPer-account IAM policies copied manually
Answer & Solution
Correct answer: A. Service Control Policies (SCPs) attached at the OU level
SCPs are the preventive guardrail in Organizations (per SCS-C02 §6.1). Per-account IAM doesn't enforce org-wide; CloudTrail is reactive; trust is not a control.
Related questions
Which AWS service helps a security engineer collect evidence for compliance audits — assesWhich AWS service provides a turnkey multi-account landing-zone with guardrails, account fWhich AWS service centrally manages multiple AWS accounts with consolidated billing, SCPs,Which AWS service automatically discovers and classifies sensitive data (PII, financial daWhich AWS feature lets a security engineer enforce 'no S3 bucket can be made public' acrosWhich Amazon S3 feature enforces WORM (write-once-read-many) data retention to protect logWhich AWS service lightweight-stores parameters + SecureString secrets, integrated with KMWhich AWS service centrally stores application secrets (DB passwords, API keys, OAuth toke