
Answer-first summary for fast verification
Answer: Create a service control policy (SCP) that denies the ec2:RunInstances action when the CostCenter-Project tag is missing. Attach the SCP to the application OU.
**Service Control Policies (SCPs)** in AWS Organizations centrally limit the permissions available across the AWS accounts in an organization. To prevent users from launching EC2 instances without a specific tag (such as `CostCenter-Project`), you create an SCP with a `Deny` effect on the `ec2:RunInstances` action whose condition matches only when that tag is absent from the request. Attaching the SCP directly to the **application OU** confines the restriction to the accounts inside that OU, which is exactly what the requirement asks for; attaching it to the root would apply it to every account in the organization.
Author: Ritesh Yadav
Question #10
A company uses AWS Organizations to manage a set of AWS accounts. The company has set up organizational units (OUs) in the organization. An application OU supports various applications. A CloudOps engineer must prevent users from launching Amazon EC2 instances that do not have a CostCenter-Project tag into any account in the application OU. The restriction must apply only to accounts in the application OU.
Which solution will meet these requirements?
A
Create an IAM group that has a policy that allows the ec2:RunInstances action when the CostCenter-Project tag is present. Place all IAM users who need access to the application accounts in the IAM group.
B
Create a service control policy (SCP) that denies the ec2:RunInstances action when the CostCenter-Project tag is missing. Attach the SCP to the application OU.
C
Create an IAM role that has a policy that allows the ec2:RunInstances action when the CostCenter-Project tag is present. Attach the IAM role to the IAM users that are in the application OU accounts.
D
Create a service control policy (SCP) that denies the ec2:RunInstances action when the CostCenter-Project tag is missing. Attach the SCP to the root OU.
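To make answer B concrete, the following is an added example (not from the original question or from AWS documentation) that builds the SCP document and mirrors how its `Null` condition behaves against the tags a `RunInstances` call supplies. The resource ARN, statement `Sid` and the evaluation helper are assumptions chosen for illustration.

```python
import json

# Constructed SCP (added example): deny ec2:RunInstances on EC2 instance
# resources whenever the request carries no CostCenter-Project tag.
# "Null": "true" matches when the condition key is absent from the request.
# Scoping the Resource to instance/* (an assumption here) avoids also denying
# the untagged volume and network-interface resources RunInstances creates.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyRunInstancesWithoutCostCenterProjectTag",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "Null": {"aws:RequestTag/CostCenter-Project": "true"}
            },
        }
    ],
}


def scp_document() -> str:
    """Serialize the SCP as the JSON passed to aws organizations create-policy."""
    return json.dumps(SCP, indent=2)


def run_instances_denied(request_tags: dict[str, str]) -> bool:
    """Simplified evaluation (assumption: only this Deny statement matters).

    request_tags are the instance tags supplied via TagSpecifications; each
    becomes an aws:RequestTag/<Key> condition key. An explicit Deny from an
    SCP wins regardless of any IAM Allow in the member account, and an SCP
    never grants access by itself, so principals still need an IAM Allow.
    """
    for stmt in SCP["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "ec2:RunInstances":
            continue
        for key, want_absent in stmt["Condition"].get("Null", {}).items():
            tag_name = key.removeprefix("aws:RequestTag/")
            absent = tag_name not in request_tags
            if absent == (want_absent == "true"):
                return True
    return False


if __name__ == "__main__":
    print(scp_document())
    print("untagged denied:", run_instances_denied({}))
    print("tagged denied:", run_instances_denied({"CostCenter-Project": "CC123"}))
```

Attach the resulting policy only to the application OU; the management account is never affected by SCPs, and a principal in a member account still needs an IAM policy that allows `ec2:RunInstances`.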