AWS Certified SysOps Administrator SOA-C01 – Question 882

A company is managing multiple AWS accounts using AWS Organizations. One of these accounts is used only for retaining logs in an Amazon S3 bucket. The company wants to make sure that compute resources cannot be used in the account.
How can this be accomplished with the LEAST administrative effort?

A. Apply an IAM policy to all IAM entities in the account with a statement to explicitly deny NotAction: s3:*.
B. Configure AWS Config to terminate compute resources that have been created in the accounts.
C. Configure AWS CloudTrail to block any action where the event source is not s3:amazonaws.com.
D. Update the service control policy on the account to deny the unapproved services.

Correct Answer: D