You are working in the cloud security team in a big company. In order to meet security compliance, you are in charge of applying AWS Config rules to AWS accounts in other organizational units (OUs). However, it has been found that the Config rules may be deleted by IAM users accidentally in these AWS accounts. You need to prevent such actions from happening again. How should you implement this?

Answer options:

A.Create a Service Control Policy (SCP) that contains a deny to DeleteConfigRule. Apply the SCP to the root account in the AWS Organization.
B.Implement an SCP that contains a deny to DeleteConfigRule action and apply the SCP to organizational units in the AWS Organization.
C.Create a permission boundary in an SCP that denies the DeleteConfigRule action. Apply the new SCP to organizational units in the AWS Organization.
D.Create a default IAM policy that denies DeleteConfigRule action. Apply the IAM policy to IAM users or roles in other AWS accounts.

Answer: B
Option A is incorrect because the SCP should not be added to the root account. The root account should contain a default SCP that allows everything and applies to all the OUs (Organization Units). An Organization Unit is where you group multiple accounts in your organization.
Option B is CORRECT because the SCP in the Organization Unit (OU) prevents relevant users from deleting Config rules even if they are permitted in their IAM policies. You can either apply this SCP to a single OU or multiple OUs under your organization.
Option C is incorrect because there is no permission boundary in SCP.
Option D is incorrect because it is inefficient to maintain each IAM user or role. Besides, the IAM policy may be modified to allow the DeleteConfigRule action at a later stage. Instead of IAM policy or role, using SCP will allow controlling multiple permissions on multiple accounts under a single OU or multiple OUs.
For more information on AWS Organization and managing OU using SCP, kindly refer to the below URL:
https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-to-set-permission-guardrails-across-accounts-in-your-aws-organization/#:~:text=You%20can%20attach%20SCPs%20to,they%20do%20not%20grant%20permissions.
For more information on the SCP example for AWS Config, kindly refer to the below URL:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html#example_scp_4