A company is using AWS Organizations with multiple accounts. The security team requires that all S3 buckets across all accounts must have server-side encryption enabled and block public access. Which TWO actions should be taken to enforce these requirements centrally?
SCPs can centrally deny actions across all accounts.
Why this answer
Option A is correct because SCPs can deny actions that do not meet the encryption or public access requirements, and they apply to every account in the organization. Option D is correct because AWS Config rules can detect non-compliant buckets and trigger remediation. Option B is wrong because IAM permissions are scoped to a single account and are not enforced centrally.
Option C is wrong because tagging does not enforce security requirements. Option E is wrong because it does not enforce the requirement across all accounts; it only sets defaults for new buckets.