A company uses AWS Organizations to manage multiple accounts. The security team mandates that no Amazon S3 buckets can be made public, and all EBS volumes must be encrypted. Developers need the ability to manage their own IAM roles, but must not be able to bypass these security controls. Which combination of actions should the Solutions Architect take? (Select TWO)

Look for preventive controls that apply organization-wide and cannot be bypassed by local account administrators.

What mistakes do candidates make on this AWS SAP-C02 question?

Choosing IAM policies or boundaries, which can be bypassed if developers have IAM creation permissions.

A.

Create a Service Control Policy (SCP) that denies the s3:PutBucketPublicAccessBlock action and attach it to the root of the organization.

B.

Create an SCP that denies the ec2:CreateVolume action if the encrypted flag is false and attach it to the root.

C.

Use AWS IAM permissions boundaries on all developer roles to deny S3 public access and enforce EBS encryption.

D.

Enable AWS Config rules in the management account to automatically terminate unencrypted EBS volumes.

E.

Create an IAM policy denying S3 public access and attach it to the AWS Organizations management account.

F.

Use AWS CloudTrail to monitor for unencrypted volumes and trigger a Lambda function to encrypt them.