AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct answer provides the most effective and scalable solution by using a combination of AWS Organizations features. A Service Control Policy (SCP) acts as a preventative guardrail, denying any s3:PutObject API call that does not meet the specified encryption requirements before it can be processed. This is more effective than reactive methods and more scalable than managing IAM policies in each account. The KMS key policy in the central SharedServices account must explicitly grant cross-account permissions to the IAM principals (roles) in the member accounts that need to use the key for encryption and decryption. Finally, creating a single organization-wide CloudTrail trail is the standard, most efficient method for centralizing audit logs from all accounts into a designated S3 bucket in the Security account.

The option to use IAM policies in each member account is incorrect because it is not scalable. It requires manual configuration and ongoing management in every account within the organization, increasing operational overhead and the risk of misconfiguration. SCPs provide a centralized enforcement mechanism.

The option to use AWS Config rules and Lambda for remediation is incorrect because it is a reactive, not preventative, approach. Non-compliant objects would be created before being detected and deleted, which may not meet the strict security requirement to deny the action outright. SCPs prevent the creation from happening in the first place.

The option to grant access only to the S3 service principal and use EventBridge is incorrect for two reasons. First, for cross-account SSE-KMS, the calling IAM principal requires permissions in the KMS key policy, not just the S3 service principal. Second, while EventBridge can be used for eventing, AWS CloudTrail is the purpose-built service for comprehensive, centralized API call auditing and logging for security and compliance purposes.