AWS Certified Solutions Architect Professional Exam Questions

Question 432:

In an AWS Organization, the root has a default SCP attached that allows all actions on all resources, and other OUs or AWS accounts have SCPs attached that contain Deny lists. For example, an SCP that denies cloudtrail:StopLogging is attached to an OU. However, you think the Deny lists could be improved to cover more services, such as those that are not used. How would you find the AWS services that are allowed by the SCP but are never used?

Answer options:

A. In the AWS Organization console, identify allowed services that are never used by AWS accounts.
B. In the IAM credential report of AWS accounts, examine those services that are not required to be allowed by SCPs.
C. In AWS Config Resources, list the AWS services that are not used by IAM users.
D. In the IAM console, click the Service Control Policies and check the last accessed data to identify services that are never used.