A 4-year-old media company uses the AWS Organizations all features feature set. The finance team requires that billing information for member accounts must not be accessible to anyone, including the root user of the member accounts. Which solution meets this requirement?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a service control policy (SCP) to deny access to the billing information. Attach the SCP to the root organizational unit (OU)..
Why this is the answer
A Service Control Policy (SCP) is the only mechanism within AWS Organizations that can restrict permissions for all IAM users and roles, including the root user of member accounts. By attaching an SCP that denies access to billing information at the root OU level, this policy will apply to all accounts within the organization, ensuring no one, not even the root user, can access that sensitive data. Adding finance users to an IAM group with a Billing policy only grants them access, it doesn't restrict others. An identity-based policy attached to individual users or roles can deny access, but it cannot restrict the root user of a member account. Converting to consolidated billing would not restrict access; it's a billing feature, not a security control for access permissions.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed