A company uses AWS Organizations with SCPs to restrict access to services. The security team needs to ensure that no IAM role can be created without an approved custom trust policy. Which SCP should be attached to the root OU to enforce this requirement?
The correct SCP (Option A) denies iam:CreateRole unless the request carries the tag 'Approved' with the value 'true'; with the tag used as the marker of an approved custom trust policy, this enforces the requirement across the organization.
Why this answer
Option A is correct because it uses a Deny statement on iam:CreateRole with a StringNotEquals condition on aws:RequestTag/Approved = 'true'. The deny applies when the tag is missing or carries any other value: a condition key that is absent from the request satisfies a negated operator such as StringNotEquals, so simply omitting the tag does not bypass the control. Role creation succeeds only when Approved=true is supplied at creation time, and the organization treats that tag as the proxy for an approved custom trust policy (no SCP condition key exposes the contents of the trust policy document itself, so the tag is the closest enforceable signal). Attaching the SCP to the organization root applies it to every member account; keep in mind that SCPs never restrict the management account.
Exam trap
AWS often tests the distinction between tags and naming conventions as the carrier for governance metadata. Candidates pick the name-based condition (Option C) believing a role name pattern can encode approval, but a name is free text with no link to the trust policy, whereas a request tag is metadata attached at creation time that an SCP condition (aws:RequestTag/...) can evaluate directly.
How to eliminate wrong answers
Option B is wrong because it denies iam:CreateRole unconditionally, so no IAM role could be created at all, including roles with an approved trust policy; that violates the requirement to allow approved roles. Option C is wrong because it conditions on the role name pattern 'approved-*', which is a naming convention rather than an approval control: a role can be named 'approved-*' without having an approved trust policy, and a role with an approved policy but a different name would be blocked. Option D is wrong because it denies iam:PassRole, which governs handing an existing role to an AWS service (for example EC2 or Lambda), not creating a new role; it does nothing to restrict role creation based on trust policy approval.
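As an added worked example (not part of the original question or answer key), the Python below models how the SCP's StringNotEquals condition evaluates against several CreateRole requests, including the missing-tag case that the exam logic hinges on. The exact JSON of Option A is not reproduced on this page, so the SCP document here is a reconstruction of the policy the answer describes; the sample requests are constructed, and the evaluator is a deliberately simplified stand-in for IAM's policy engine, limited to aws:RequestTag condition keys and the two string operators this policy needs.

```python
import fnmatch
import json

# Reconstruction of the SCP described in the answer (Option A's exact JSON is
# not on the page). Deny iam:CreateRole unless the request carries Approved=true.
SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreateRoleWithoutApprovalTag",
      "Effect": "Deny",
      "Action": "iam:CreateRole",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {"aws:RequestTag/Approved": "true"}
      }
    }
  ]
}
""")

REQUEST_TAG_PREFIX = "aws:RequestTag/"


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' wildcards allowed."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def condition_matches(condition: dict, request_tags: dict) -> bool:
    """Simplified IAM condition evaluation for aws:RequestTag keys only.

    Every operator block must match for the statement to apply. For the
    negated operator StringNotEquals, a tag key that is absent from the
    request counts as a match (no value equals the expected one), which is
    exactly why omitting the Approved tag does not bypass the deny.
    """
    for operator, key_values in condition.items():
        for cond_key, expected in key_values.items():
            if not cond_key.startswith(REQUEST_TAG_PREFIX):
                raise NotImplementedError(f"condition key not modelled: {cond_key}")
            tag_key = cond_key[len(REQUEST_TAG_PREFIX):]
            actual = request_tags.get(tag_key)  # None when the tag is missing
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:
                    return False
            else:
                raise NotImplementedError(f"operator not modelled: {operator}")
    return True


def scp_denies(scp: dict, action: str, request_tags: dict) -> bool:
    """Return True when any Deny statement in the SCP matches the request."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(action_matches(p, action) for p in actions):
            continue
        if condition_matches(stmt.get("Condition", {}), request_tags):
            return True
    return False


# Constructed sample requests (hypothetical, for illustration only).
SAMPLE_REQUESTS = [
    ("iam:CreateRole", {"Approved": "true"}),   # tag present and correct -> allowed
    ("iam:CreateRole", {}),                     # tag missing -> denied
    ("iam:CreateRole", {"Approved": "false"}),  # tag present but wrong -> denied
    ("iam:CreateRole", {"Owner": "sec-team"}),  # unrelated tag only -> denied
    ("iam:UpdateAssumeRolePolicy", {}),         # not covered by this SCP -> allowed
]


def evaluate_samples(scp: dict = SCP) -> list:
    """Deny decision for each sample request, in order."""
    return [scp_denies(scp, action, tags) for action, tags in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (action, tags), denied in zip(SAMPLE_REQUESTS, evaluate_samples()):
        verdict = "DENY" if denied else "allowed by SCP"
        print(f"{action:28} tags={tags!s:24} -> {verdict}")
```

The last sample request is the practitioner's caveat: the SCP only gates iam:CreateRole, so a role created with the Approved tag can still have its trust policy rewritten later through iam:UpdateAssumeRolePolicy. If the approval tag is meant to stand for the trust policy for the life of the role, the organization needs a matching control on that action as well; the exam question only asks about creation, which is why Option A is sufficient there.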