A company is expanding its AWS environment from a single account to multiple accounts using AWS Organizations. The security team wants to enforce a baseline set of permissions across all accounts, ensuring that users in any account cannot disable AWS CloudTrail or modify Amazon S3 bucket policies that prevent public access. Which feature of AWS Organizations should the security team use to achieve this control?
SCPs allow you to define and enforce maximum permissions for all accounts in your AWS Organization. They act as a guardrail, ensuring that even if an account has permissive IAM policies, the effective permissions are limited by the SCP. This enables central enforcement of security baselines such as preventing the disabling of CloudTrail or modification of S3 bucket policies that block public access.
Why this answer
Service Control Policies (SCPs) are the correct choice because they allow you to centrally define and enforce baseline permissions across all accounts in an AWS Organization. SCPs act as a guardrail, restricting what actions users and roles in member accounts can perform, even if they have full administrative privileges within their own account. By creating an SCP that explicitly denies the `cloudtrail:StopLogging`, `cloudtrail:DeleteTrail`, and `s3:PutBucketPolicy` actions (or similar), the security team can prevent disabling CloudTrail and modifying S3 bucket policies that block public access across the entire organization.
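The following Python block is an added example, not part of the original explanation. It writes out a baseline SCP built from the deny actions named above and runs a deliberately simplified model of how AWS combines an SCP with a principal's identity policy in a member account, so you can see that an in-account administrator with `Action: "*"` still cannot stop CloudTrail logging or change a bucket policy. The policy names, the `FullAWSAccess` allow statement merged into the same document (in a real organization it is the separately attached default SCP), and the evaluator itself are constructed for this example; the evaluator only considers `Action` and `Effect`, ignoring `Resource` and `Condition`, and does not model the management account, which SCPs never restrict.

```python
import fnmatch
import json

# Constructed baseline SCP: explicit denies for the guardrailed actions. The
# allow-all statement stands in for the default FullAWSAccess SCP so that the
# evaluation below has an SCP-level allow to start from.
BASELINE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "ProtectCloudTrail",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
            "Resource": "*",
        },
        {
            "Sid": "ProtectS3BucketPolicies",
            "Effect": "Deny",
            "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy"],
            "Resource": "*",
        },
    ],
}

# Constructed in-account IAM policies: a full administrator and a read-only user.
ADMIN_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
READONLY_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"], "Resource": "*"}
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(action, patterns):
    # IAM action names match case-insensitively and support the * wildcard.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def policy_decision(policy, action):
    """Verdict of a single policy document for an action: 'deny', 'allow' or
    'implicit_deny'. Simplified: only Action and Effect are considered."""
    verdict = "implicit_deny"
    for stmt in policy["Statement"]:
        if not _action_matches(action, stmt.get("Action", [])):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit deny always wins
        verdict = "allow"
    return verdict


def effective_decision(iam_policy, scp, action):
    """Simplified model of SCP + identity-policy evaluation in a member account:
    the SCP must allow the action (and not explicitly deny it); only then does
    the principal's own IAM policy decide."""
    if policy_decision(scp, action) != "allow":
        return "denied_by_scp"
    if policy_decision(iam_policy, action) != "allow":
        return "denied_by_iam"
    return "allowed"


def scp_document():
    """JSON text of the baseline SCP, as it would be submitted to AWS Organizations."""
    return json.dumps(BASELINE_SCP, indent=2)


if __name__ == "__main__":
    print(scp_document())
    for action in ["cloudtrail:StopLogging", "s3:PutBucketPolicy",
                   "ec2:DescribeInstances", "ec2:RunInstances"]:
        admin = effective_decision(ADMIN_IAM_POLICY, BASELINE_SCP, action)
        ro = effective_decision(READONLY_IAM_POLICY, BASELINE_SCP, action)
        print(f"{action:24} admin={admin:14} readonly={ro}")
```

Two things the model makes visible: the administrator is denied only the guardrailed actions and keeps everything else, which is the "maximum permissions" behaviour of an SCP rather than a grant; and the read-only user is still limited by its own IAM policy, because an SCP never adds permissions. Note that the bucket-level public access block is governed by a separate action, `s3:PutBucketPublicAccessBlock`, which a production guardrail would deny in the same statement.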
Exam trap
The trap here is that candidates often confuse AWS Config rules (detective) with SCPs (preventive), thinking that Config rules can block actions when they only alert on non-compliance after the fact.
How to eliminate wrong answers
Option A is wrong because Consolidated Billing is a feature that aggregates usage costs across accounts for a single invoice and volume discounts; it does not enforce any permissions or security controls. Option C is wrong because AWS Config rules are used for evaluating resource configurations against desired policies (e.g., detecting non-compliant S3 bucket policies), but they cannot prevent actions from being taken; they only provide detective, not preventive, controls.