
A company manages multiple AWS accounts by using AWS Organizations. Under the root OU, the company has two OUs: Research and DataOps. Because of regulatory requirements, all resources that the company deploys in the organization must reside in the ap-northeast-1 Region. Additionally, EC2 instances that the company deploys in the DataOps OU must use a predefined list of instance types. A solutions architect must implement a solution that applies these restrictions. The solution must maximize operational efficiency and must minimize ongoing maintenance. Which combination of steps will meet these requirements? (Select TWO.)
A
Create an IAM role in one account under the DataOps OU. Use the ec2:InstanceType condition key in an inline policy on the role to restrict access to specific instance types.
B
Create an IAM user in all accounts under the root OU. Use the aws:RequestedRegion condition key in an inline policy on each user to restrict access to all AWS Regions except ap-northeast-1.
C
Create an SCP. Use the aws:RequestedRegion condition key to restrict access to all AWS Regions except ap-northeast-1. Apply the SCP to the root OU.
D
Create an SCP. Use the ec2:Region condition key to restrict access to all AWS Regions except ap-northeast-1. Apply the SCP to the root OU, the DataOps OU, and the Research OU.
E
Create an SCP. Use the ec2:InstanceType condition key to restrict access to specific instance types. Apply the SCP to the DataOps OU.