A company that uses AWS Organizations has an organization that contains several AWS accounts. A SysOps administrator needs to implement controls to prevent an account from leaving the organization.
Which solution will meet these requirements?
A. Create a service control policy (SCP) that denies the LeaveOrganization action. Apply the SCP to the root organizational unit (OU).
B. Create a service control policy (SCP) that denies the RemoveAccountFromOrganization action. Apply the SCP to the root organizational unit (OU).
C. Deploy an AWS Lambda function in each member account to remove any Organizations permissions when a user is created.
D. Turn on AWS Config. Set up the account-part-of-organizations managed rule. Configure the rule to run every hour.
To prevent an account from leaving an AWS Organization, you use an SCP to deny the organizations:LeaveOrganization action.
From AWS Organizations documentation:
You can use a deny statement on organizations:LeaveOrganization to prevent accounts from leaving your AWS Organization.
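To check that an SCP actually contains the deny described above, the policy document can be audited before it is attached. The following is an added example, not from the original page or from AWS documentation: the two sample policies (options A and B written out as SCP JSON) and the function names are constructed for illustration, and the check is deliberately conservative in that it only accepts a deny with no Condition that applies to all resources.

```python
import fnmatch
import json

TARGET = "organizations:LeaveOrganization"

# Constructed sample SCPs (not from the page): options A and B as policy documents.
SCP_OPTION_A = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyLeaveOrganization",
    "Effect": "Deny",
    "Action": "organizations:LeaveOrganization",
    "Resource": "*"
  }]
}""")
SCP_OPTION_B = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "organizations:RemoveAccountFromOrganization",
    "Resource": "*"
  }]
}""")


def _as_list(value):
    """IAM JSON allows a single value or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def denies_leave(policy):
    """True if a Deny statement blocks TARGET with no Condition, on all resources."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or stmt.get("Condition"):
            continue  # a conditional deny may exempt some principals
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        if "NotAction" in stmt:
            hit = not _matches(_as_list(stmt["NotAction"]), TARGET)
        else:
            hit = _matches(_as_list(stmt.get("Action")), TARGET)
        if hit:
            return True
    return False
```

`denies_leave(SCP_OPTION_A)` returns `True`, while `denies_leave(SCP_OPTION_B)` returns `False` because that policy names a different action and never matches `organizations:LeaveOrganization`.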