Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Amazon SCS-C02 Exam - Topic 2 Question 61 Discussion

[Identity and Access Management]A security administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has all features enabled. The management account is used for billing and administrative purposes, but it is not used for operational AWS resource purposes.How can the security administrator restrict usage of member root user accounts across the organization?
C) Create an OU in Organizations, and attach an SCP that controls usage of the root user. Add all member accounts to the new OU.
A) Disable the use of the root user account at the organizational root. Enable multi-factor authentication (MFA) of the root user account for each organization member account.
B) Configure 1AM user policies to restrict root account capabilities for each organization member account.
D) Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs Create a metric filter for RootAccountUsage.

Amazon SCS-C02 Exam - Topic 2 Question 61 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 61
Topic #: 2
[All SCS-C02 Questions]

[Identity and Access Management]

A security administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has all features enabled. The management account is used for billing and administrative purposes, but it is not used for operational AWS resource purposes.

How can the security administrator restrict usage of member root user accounts across the organization?

Show Suggested Answer Hide Answer
Suggested Answer: C

Restrict Root User Capabilities Using Service Control Policies (SCPs):

SCPs in AWS Organizations provide the ability to control permissions for AWS accounts in the organization.

Create a new organizational unit (OU) and move all member accounts into this OU.

Create SCP for Root User Restrictions:

Define an SCP that denies critical actions likeiam:CreateUser,iam:DeleteUser, or other high-risk actions for the root user. Example SCP:

{

'Version': '2012-10-17',

'Statement':

[

{

'Effect': 'Deny',

'Action': '*',

'Resource': '*',

'Condition': {

'StringEquals': {

'aws:PrincipalAccountRoot': 'true'

}

}

}

]

}

Enforce Multi-Factor Authentication (MFA):

Enable MFA on root accounts for additional security.

Monitor Root User Activity:

Use AWS CloudTrail to monitor and log root user actions. Configure alerts with CloudWatch for any unauthorized root usage.

AWS Organizations SCP Documentation

Best Practices for Root User Account


Contribute your Thoughts:

0/2000 characters
Verona
2 days ago
We practiced a question similar to this where we had to restrict permissions. I think option B is more about IAM policies rather than directly addressing root user accounts.
upvoted 0 times
...
Buffy
7 days ago
I'm not entirely sure, but I think disabling the root user account isn't really an option. I feel like option A could be misleading.
upvoted 0 times
...
Tamekia
12 days ago
I remember we discussed the importance of using Service Control Policies (SCPs) in AWS Organizations, so I think option C might be the right choice.
upvoted 0 times
...

Save Cancel