A Security Engineer manages AWS Organizations for a company. The Engineer would like to restrict AWS usage to allow Amazon S3 only in one of the organizational units (OUs).
The Engineer adds the following SCP to the OU:
The next day. API calls to AWS IAM appear in AWS CloudTrail logs In an account under that OU.
How should the Security Engineer resolve this issue?
A . Move the account to a new OU and deny IAM:* permissions.
B . Add a Deny policy for all non-S3 services at the account level.
C . Change the policy to:
D . Detach the default FullAWSAccess SCP
Answer: C