
Explanation:
Service Control Policies (SCPs) in AWS Organizations centrally manage the maximum permissions available across the AWS accounts in an organization. To prevent users from launching EC2 instances that lack a specific tag (such as CostCenter-Project), create an SCP with a Deny statement on the ec2:RunInstances action that is conditioned on the tag being absent from the request. Attaching this SCP directly to the application OU ensures that the restriction applies only to the accounts inside that OU, which is exactly what the requirements ask for.
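As an added illustration (not part of the original explanation), this is the shape such an SCP takes; the statement ID and the instance-scoped resource ARN are choices made here, and the condition key `aws:RequestTag/CostCenter-Project` with a `Null` test is how the "tag is missing" check is expressed in IAM policy language:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutCostCenterProjectTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter-Project": "true"
        }
      }
    }
  ]
}
```

Scoping `Resource` to the instance ARN matters: ec2:RunInstances also creates volumes and network interfaces, and with `"Resource": "*"` the Deny would fire for those resources too unless every one of them carried the tag in its TagSpecifications.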
Question #10
A company uses AWS Organizations to manage a set of AWS accounts. The company has set up organizational units (OUs) in the organization. An application OU supports various applications. A CloudOps engineer must prevent users from launching Amazon EC2 instances that do not have a CostCenter-Project tag into any account in the application OU. The restriction must apply only to accounts in the application OU.
Which solution will meet these requirements?
A. Create an IAM group that has a policy that allows the ec2:RunInstances action when the CostCenter-Project tag is present. Place all IAM users who need access to the application accounts in the IAM group.
B. Create a service control policy (SCP) that denies the ec2:RunInstances action when the CostCenter-Project tag is missing. Attach the SCP to the application OU.
C. Create an IAM role that has a policy that allows the ec2:RunInstances action when the CostCenter-Project tag is present. Attach the IAM role to the IAM users that are in the application OU accounts.
D. Create a service control policy (SCP) that denies the ec2:RunInstances action when the CostCenter-Project tag is missing. Attach the SCP to the root OU.