A company manages 40 AWS accounts in AWS Organizations, grouped into a Development OU and a Production OU. The security team requires that no user in any Development account, including account administrators who hold full IAM permissions, can stop or delete AWS CloudTrail trails. What is the MOST effective way to enforce this requirement?
Choose one.
Restrictions that must bind account administrators cannot live inside the accounts those administrators control. Service control policies are applied from AWS Organizations, above the member accounts, and set the maximum permissions available to every principal within them.
The SCP on the Development OU wins because it is enforced at a layer no Development-account principal can reach: it inherits to every account in the OU, constrains even member-account root users, and denies the CloudTrail actions at the API regardless of what IAM policies allow. The per-account IAM deny policy fails because administrators with iam:* can simply detach it. The permissions boundary fails for the same reason at a different layer: boundaries are per-identity objects managed inside the account, so an admin can strip them off. The Config rule is detective, not preventive; it tells you logging was disabled instead of stopping it, which does not satisfy a requirement that no one can perform the action.
- Identify the requirement type: a restriction that must hold against administrators, not a grant of access.
- Eliminate any control managed inside the member accounts (IAM policies, permissions boundaries), because admins with iam:* can modify or remove it.
- Eliminate detective options (Config rules) because the requirement is prevention, not notification.
- Choose an SCP attached at the OU level so it inherits to all Development accounts and binds every principal, including root.
- Confirm the SCP uses an explicit deny for the specific CloudTrail actions, which overrides any allow anywhere.
Exam tip: When a restriction must bind administrators or root in member accounts, the answer is an SCP applied from the organization, never an IAM policy inside the account.
Designing Secure Access: IAM Best Practices, Roles, and AWS Organizations — the lesson that teaches this.