[Identity and Access Management]
A security administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has all features enabled. The management account is used for billing and administrative purposes, but it is not used for operational AWS resource purposes.
How can the security administrator restrict usage of member root user accounts across the organization?
Restrict Root User Capabilities Using Service Control Policies (SCPs):
SCPs in AWS Organizations set the maximum permissions available to member accounts, including each member account's root user. They do not restrict the management account, which is why the management account should stay limited to billing and administration as described in the question.
Create a new organizational unit (OU) and move all member accounts into this OU.
Create an SCP for Root User Restrictions:
Define an SCP that denies high-risk actions such as iam:CreateUser and iam:DeleteUser, or, as in the example below, all actions, whenever the caller is an account's root user. The condition matches the root principal of any member account the SCP is attached to. Example SCP:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "*",
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "aws:PrincipalArn": "arn:aws:iam::*:root"
            }
          }
        }
      ]
    }
Enforce Multi-Factor Authentication (MFA):
Enable MFA on root accounts for additional security.
Monitor Root User Activity:
Use AWS CloudTrail to monitor and log root user actions. Configure alerts with CloudWatch for any unauthorized root usage.
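The following added example (not part of the original answer) models how the root-deny SCP above applies to different principals, including the management-account exemption, and filters constructed CloudTrail records for member-account root activity as input to the alerting step. The account ids, events, and the simplified policy-matching logic are assumptions for illustration, not the AWS SDK.

```python
"""Model of how the root-restricting SCP applies across an organization.
Constructed example: account ids and events are made up, and the matching
logic is a simplified model of IAM policy evaluation, not the AWS SDK."""
import fnmatch
import json

MANAGEMENT_ACCOUNT = "111111111111"  # hypothetical id; SCPs never apply to it

# The SCP attached to the OU that holds every member account.
ROOT_DENY_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}
  }]
}""")

def _like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' and '?' wildcards, case-sensitive."""
    return fnmatch.fnmatchcase(value, pattern)

def scp_denies(policy: dict, principal_arn: str, account_id: str, action: str) -> bool:
    """True if the SCP blocks `action` for the principal in `account_id`."""
    if account_id == MANAGEMENT_ACCOUNT:
        return False  # the management account is outside SCP enforcement
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or not any(_like(a, action) for a in actions):
            continue
        pattern = stmt.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalArn")
        if pattern is None or _like(pattern, principal_arn):
            return True
    return False

# Constructed CloudTrail records: one root call in a member account, one IAM user call.
SAMPLE_EVENTS = [
    {"eventName": "CreateUser", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::222222222222:root"}},
    {"eventName": "ListBuckets", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/alice"}},
]

def member_root_events(events: list) -> list:
    """Event names issued by a root user outside the management account."""
    return [e["eventName"] for e in events
            if e["userIdentity"]["type"] == "Root"
            and e["recipientAccountId"] != MANAGEMENT_ACCOUNT]
```

Feeding real CloudTrail records into member_root_events gives the list an alarm should fire on; an empty list means no member-account root activity was seen.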