A company has multiple AWS accounts managed through AWS Organizations. The security team wants to enforce that all S3 buckets across all accounts are encrypted with a specific KMS key. What is the MOST efficient way to achieve this?
SCPs can enforce policies across all accounts in an OU, including preventing non-compliant actions.
Why this answer
Using an SCP under the root OU prevents any account from creating unencrypted buckets or using a different KMS key. Option A is wrong because individual account IAM policies are harder to manage at scale. Option C is wrong because AWS Config can detect but not enforce.
Option D is wrong because CloudFormation StackSets require manual deployment to each account.