
Answer-first summary for fast verification
Answer: Create a new SCP in Organizations. Add a condition that denies the CreateVpc and AssociateVpcCidrBlock Amazon EC2 actions if the Ipv4IpamPoolId context key value is not the ID of an IPAM pool.
The correct solution must prevent users from creating new VPCs and from associating a CIDR block with existing VPCs unless the CIDR block is from the IPAM pool for that account. Option B is the correct choice because it uses a Service Control Policy (SCP) in AWS Organizations to deny the CreateVpc and AssociateVpcCidrBlock actions unless the Ipv4IpamPoolId context key matches the ID of an IPAM pool. This approach directly enforces the requirement at the policy level, ensuring compliance across all accounts in the organization. Options A, C, and D involve reactive measures that delete non-compliant VPCs after they are created, which does not prevent the creation or association of VPCs with non-IPAM CIDR blocks in the first place. Therefore, these options do not fully meet the requirements.
Author: LeetQuiz Editorial Team
A company has multiple AWS accounts within an organization in AWS Organizations. They have deployed Amazon VPC IP Address Manager (IPAM) in their networking AWS account and are using AWS Resource Access Manager (AWS RAM) to share IPAM pools with other accounts. A top-level IPAM pool with a CIDR block of 10.0.0.0/8 has been created, and each AWS account has its own IPAM pool within this top-level pool.
A network engineer must implement a solution to ensure that users in each AWS account are unable to create new VPCs and cannot associate CIDR blocks with existing VPCs unless the CIDR block is from the account's assigned IPAM pool.
What solution will meet these requirements?
A
Create a new AWS Config rule to find all VPCs that are not configured to allocate their CIDR block from an IPAM pool. Invoke an AWS Lambda function to delete these VPCs.
B
Create a new SCP in Organizations. Add a condition that denies the CreateVpc and AssociateVpcCidrBlock Amazon EC2 actions if the Ipv4IpamPoolId context key value is not the ID of an IPAM pool.
C
Create an AWS Lambda function to check for and delete all VPCs that are not configured to allocate their CIDR block from an IPAM pool. Invoke the Lambda function at regular intervals.
D
Create an Amazon EventBridge rule to check for AWS CloudTrail events for the CreateVpc and AssociateVpcCidrBlock Amazon EC2 actions. Use the rule to invoke an AWS Lambda function to delete all VPCs that are not configured to allocate their CIDR block from an IPAM pool.
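The SCP that option B describes, written out as an added example (not part of the original LeetQuiz page), together with a small, simplified model of how IAM evaluates its Deny statement. The pool ID is a constructed placeholder, and the evaluator only models the StringEquals/StringNotEquals operators; the point it demonstrates is that a negated operator matches when the context key is absent, so a CreateVpc call with a manually specified CIDR (no pool ID in the request) is denied along with a call naming a different pool.

```python
import re

# Constructed placeholder; each account's SCP would carry its own IPAM pool ID.
ACCOUNT_IPAM_POOL_ID = "ipam-pool-0123456789abcdefg"

# SCP in the shape option B describes: deny CreateVpc and AssociateVpcCidrBlock
# unless the request's ec2:Ipv4IpamPoolId context key names the account's pool.
IPAM_ENFORCEMENT_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["ec2:CreateVpc", "ec2:AssociateVpcCidrBlock"],
        "Resource": "arn:aws:ec2:*:*:vpc/*",
        "Condition": {
            "StringNotEquals": {"ec2:Ipv4IpamPoolId": ACCOUNT_IPAM_POOL_ID}
        },
    }],
}


def _action_matches(pattern: str, action: str) -> bool:
    """IAM-style action match: '*' wildcard, case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def _condition_matches(condition: dict, context: dict) -> bool:
    """Simplified IAM condition semantics for the two String operators.

    StringNotEquals matches when the key is absent from the request context,
    which is why a CreateVpc call supplying a manual CIDR (hence no pool ID)
    falls under the Deny, not only a call that names the wrong pool.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)  # None when the key is absent
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(operator)
    return True


def is_denied(policy: dict, action: str, context: dict) -> bool:
    """Return True if any Deny statement in the SCP applies to the request."""
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Deny" and any(_action_matches(p, action) for p in acts):
            if _condition_matches(stmt.get("Condition", {}), context):
                return True
    return False
```

Options A, C and D would instead run after the VPC exists; this model shows the deny happening at request evaluation time, before any resource is created.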