C: Correct – The root user is not affected by SCPs by default, but if the condition incorrectly references the root user, it may block all principals, including SecurityAdminRole. The more common issue, however, is that the SCP was applied without an explicit allow for SecurityAdminRole, or that its condition was not properly scoped. In this scenario, the most likely cause is that the condition in the SCP is not correctly scoped to allow SecurityAdminRole.
The SCP should use a condition such as "StringNotEquals": {"aws:PrincipalArn": "arn:aws:iam::*:role/SecurityAdminRole"} so that the deny applies only when the principal is not that role. If the condition is written incorrectly, it may deny all principals. Alternatively, the SCP might be applied to the management account, where the root user cannot be denied, but the issue here is that SecurityAdminRole is being denied.
The typical mistake is using "Deny" without a proper condition that excludes the allowed role.
A: Incorrect – If the SCP is applied to the root OU, it applies to all accounts, including the security team's account.
B: Incorrect – S3 bucket policies can grant access, but if the SCP denies, the deny overrides.
D: Incorrect – The correct answer is that the SCP is too restrictive because its condition is flawed.
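The scoping mistake described above, as an added illustration that is not part of the original explanation: a small Python evaluator for the subset of IAM condition operators involved, run over two constructed principal ARNs. It also shows a caveat the explanation does not spell out: String operators such as StringNotEquals compare literally, so the "*" in the account position is not a wildcard and that condition denies every principal, SecurityAdminRole included; ArnNotLike (or StringNotLike) is needed for wildcard matching. The account ID and DeveloperRole are made-up sample values.

```python
import fnmatch

# Constructed sample SCP statements (not from the original page). The first uses a
# String operator, which treats "*" as a literal character; the second uses an
# ARN operator, which treats "*" as a wildcard.
FLAWED_SCP = {
    "Effect": "Deny",
    "Action": "s3:*",
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:PrincipalArn": "arn:aws:iam::*:role/SecurityAdminRole"}},
}
FIXED_SCP = {
    "Effect": "Deny",
    "Action": "s3:*",
    "Resource": "*",
    "Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/SecurityAdminRole"}},
}

# Constructed principals: a sample account ID and a hypothetical developer role.
SECURITY_ADMIN = "arn:aws:iam::111122223333:role/SecurityAdminRole"
DEVELOPER = "arn:aws:iam::111122223333:role/DeveloperRole"


def _condition_matches(operator, expected, actual):
    """Minimal approximation of the IAM operators used here (glob-style matching)."""
    if operator == "StringEquals":
        return actual == expected           # exact comparison, '*' is literal
    if operator == "StringNotEquals":
        return actual != expected           # exact comparison, '*' is literal
    if operator in ("StringLike", "ArnLike"):
        return fnmatch.fnmatchcase(actual, expected)        # '*' and '?' are wildcards
    if operator in ("StringNotLike", "ArnNotLike"):
        return not fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"unsupported operator: {operator}")


def statement_denies(statement, principal_arn, action):
    """Return True if this Deny statement applies to the given principal and action."""
    if statement["Effect"] != "Deny":
        return False
    if not fnmatch.fnmatchcase(action, statement["Action"]):
        return False
    # Every condition in the block must evaluate true for the statement to apply.
    for operator, keys in statement.get("Condition", {}).items():
        for key, expected in keys.items():
            if key != "aws:PrincipalArn":
                raise ValueError(f"unsupported condition key: {key}")
            if not _condition_matches(operator, expected, principal_arn):
                return False
    return True
```

Running statement_denies(FLAWED_SCP, SECURITY_ADMIN, "s3:GetObject") returns True, which is the symptom in the question, while the ArnNotLike version exempts only SecurityAdminRole.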