A company uses AWS Organizations and has deployed a multi-account strategy. The security team wants to enforce that all S3 buckets have versioning enabled. They create an SCP that denies the PutBucketVersioning action if versioning is not enabled. However, they find that the SCP is not preventing users in member accounts from disabling versioning on existing buckets. What is the most likely reason?
SCPs cannot check existing bucket configuration.
Why this answer
Option D is correct because SCPs are evaluated as part of the authorization decision before the API call runs, and they only see the request context (principal, action, resource, and the condition keys carried by the request), not the current state of the bucket. The SCP as described relies on a condition that inspects the bucket's current versioning setting, but an SCP has no way to read that configuration, so the condition never matches as intended and the PutBucketVersioning action is not blocked.
Option A is wrong because SCPs apply to all users. Option B is wrong because SCPs are not optional. Option C is wrong because SCPs do not require an explicit allow.