Preventing Accidental Deletion of AWS Config Rules

Answer: B.

Option A is incorrect because the SCP should not be added to the root account.

The root account should contain a default SCP that allows everything and applies to all the OUs (Organization Units)

An Organization Unit is where you group multiple accounts in your organization.

Option B is CORRECT because the SCP in the Organization Unit (OU) prevents relevant users from deleting Config rules even if they are permitted in their IAM policies.

You can either apply this SCP to a single OU or multiple OUs under your organization.

Option C is incorrect because there is no permission boundary in SCP.

Option D is incorrect because it is inefficient to maintain each IAM user or role.

Besides, the IAM policy may be modified to allow the DeleteConfigRule action at a later stage.

Instead of IAM policy or role, using SCP will allow controlling multiple permissions on multiple accounts under a single OU or multiple OUs.

For more information on AWS Organization and managing OU using SCP, kindly refer to the below URL:

https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-to-set-permission-guardrails-across-accounts-in-your-aws-organization/#:~:text=You%20can%20attach%20SCPs%20to,they%20do%20not%20grant%20permissions.

For more information on the SCP example for AWS Config, kindly refer to the below URL:

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html#example_scp_4

The correct answer to this question is option C: Create a permission boundary in an SCP that denies the DeleteConfigRule action. Apply the new SCP to organizational units in the AWS Organization.

Explanation:

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. You can use AWS Config to ensure that your resources comply with your organization's security and compliance policies. AWS Config continuously monitors and records the configuration changes made to your resources and alerts you if they violate any rules that you have defined.

In this scenario, the problem is that IAM users in other organizational units (OUs) are accidentally deleting the Config rules. To prevent this from happening, you need to restrict the IAM users' permissions to delete Config rules.

Option A: Create a Service Control Policy (SCP) that contains a deny to DeleteConfigRule. Apply the SCP to the root account in the AWS Organization.

This option is not the best choice because applying the SCP to the root account in the AWS Organization will affect all accounts in the organization, including accounts that may not use AWS Config. This may cause unnecessary restrictions that could impact other applications.

Option B: Implement an SCP that contains a deny to DeleteConfigRule action and apply the SCP to organizational units in the AWS Organization.

This option is better than option A because it applies the SCP to specific OUs in the AWS Organization instead of the root account. However, it still does not provide granular control over IAM user permissions.

Option C: Create a permission boundary in an SCP that denies the DeleteConfigRule action. Apply the new SCP to organizational units in the AWS Organization.

This is the correct option. By creating a permission boundary, you can restrict the actions that IAM users can take on AWS resources, including AWS Config. You can then apply the SCP to specific OUs in the AWS Organization to provide granular control over IAM user permissions.

Option D: Create a default IAM policy that denies DeleteConfigRule action. Apply the IAM policy to IAM users or roles in other AWS accounts.

This option is not the best choice because it only applies to specific IAM users or roles in other AWS accounts. It does not provide central control over IAM user permissions across the entire AWS Organization.