Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer (SRE).
For SOA-C02 candidates, the confusion often lies in distinguishing between IAM-level permissions and Organizational governance controls. In production, this is about knowing exactly how to centrally enforce policies that cannot be overridden by individual IAM users or roles within accounts. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
FinSentry Solutions is a fintech company managing multiple AWS accounts via AWS Organizations. The central security team wants to ensure that none of the production AWS accounts can delete any Amazon S3 buckets, regardless of the permissions assigned within those accounts. This safeguard is critical to avoid accidental or malicious deletion of vital data buckets.
The Requirement: #
Select the simplest and most effective method to guarantee that Amazon S3 buckets in the production accounts can never be deleted, leveraging AWS Organizations governance.
The Options #
- A) Enable MFA Delete on all S3 buckets in production accounts to prevent accidental deletions.
- B) Use a Service Control Policy (SCP) attached to production accounts denying the s3:DeleteBucket action.
- C) Create an IAM group with an explicit deny policy for s3:DeleteBucket in each production account.
- D) Use AWS Shield to block s3:DeleteBucket API calls at the account level.
Google adsense #
leave a comment:
Correct Answer #
B
Quick Insight: The Site Reliability Imperative #
The key is organization-level enforcement that cannot be overridden locally. SCPs apply before IAM policies and block deletion API calls across the entire account, ensuring buckets remain intact. MFA Delete (Option A) works on bucket versioning but is operationally more complex and does NOT prevent deletion by roles with full privileges. Option C’s IAM group is locally configurable and can be overridden. AWS Shield (Option D) does not filter API actions like delete bucket.
Content Locked: The Expert Analysis #
You’ve identified the answer. But do you know the implementation details that separate a Junior from a Senior?
The Expert’s Analysis #
Correct Answer #
Option B
The Winning Logic #
Service Control Policies (SCPs) are the recommended AWS Organizations mechanism for centrally enforcing guardrails at the account level. Attaching an SCP that explicitly denies the s3:DeleteBucket permission to all production accounts enforces a hard boundary: no IAM user or role within those accounts can delete buckets, regardless of their local permissions or group memberships. SCPs are evaluated before IAM policies, making them the highest level of permission boundary within an organization.
MFA Delete (Option A) requires versioning enabled and only protects deletion of versioned objects or buckets under very specific conditions, but does not protect against principals with appropriate permissions. IAM groups (Option C) rely on internal permission management and can be circumvented if permissions are granted elsewhere. AWS Shield (Option D) protects against DDoS but does not offer API-level call filtering or permission management.
The Trap (Distractor Analysis) #
- Why not A? MFA Delete adds complexity and can be bypassed by privileged roles. Also, it only applies if versioning is enabled. It’s not a blanket preventive guardrail.
- Why not C? Local IAM groups and policies can be changed by administrators within the account or overridden by other policies, so it’s not foolproof.
- Why not D? AWS Shield focuses on network protection, not identity permission enforcement. It cannot block specific API actions like s3:DeleteBucket.
The Technical Blueprint #
# Example SCP JSON to deny S3 bucket deletion
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyS3BucketDeletion",
"Effect": "Deny",
"Action": "s3:DeleteBucket",
"Resource": "*"
}
]
}
Attach this SCP to all production OU accounts in AWS Organizations.
The Comparative Analysis #
| Option | Operational Overhead | Automation Level | Impact |
|---|---|---|---|
| A | Medium | Low | Complex MFA Delete setup; does not fully prevent privileged deletion |
| B | Low | High | Centralized enforcement; strong, non-overridable permission boundary |
| C | High | Medium | Requires manual management in each account; easy to circumvent |
| D | None | None | Not applicable for API-level permission blocking |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick Service Control Policies (SCPs) when you see non-negotiable, account-wide permission limitations in AWS Organizations context.
Real World #
In production, SCPs form your first line of defense for governance. Combining SCPs with IAM permissions and bucket policies creates layered security, but SCPs are the only method that prevents all IAM roles—even administrators—from deleting critical resources.
(CTA) Stop Guessing, Start Mastering #
Disclaimer
This is a study note based on simulated scenarios for the AWS SOA-C02 exam.