
Explanation:
In AWS Organizations, Service Control Policies (SCPs) define the maximum permissions available to the IAM users and roles in member accounts; they never grant permissions on their own. To require a tag on EC2 launches in every account of one Organizational Unit (OU), an SCP attached to that OU is the right tool: a Deny statement on ec2:RunInstances, conditioned on the aws:RequestTag/CostCenter-Project tag key being absent, applies to every principal in the OU's accounts and cannot be overridden by IAM policies inside those accounts. This is Option B. Attaching the same SCP to the root (Option D) would apply it to every account in the organization, not just the application OU. Options A and C rely on IAM identity policies, which only bind the specific users or roles they are attached to and can be edited within each account, so they cannot enforce the restriction OU-wide. Note that SCPs do not apply to the organization's management account, so an account-level guardrail of this kind only works for member accounts.
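The SCP described above, written out as an added example (this is not part of the original question page). It follows the documented AWS pattern for requiring a tag at launch: the Deny is scoped to the instance resource ARN because ec2:RunInstances is authorized against several resources (AMI, subnet, security group, volume, and so on), and the aws:RequestTag key is only present when the instance resource itself is evaluated. Without that Resource scoping the Null condition would be true for the other resources and every launch would be denied, tagged or not. The Sid is an arbitrary label chosen here.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutCostCenterProjectTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter-Project": "true"
        }
      }
    }
  ]
}
```

The policy is created with `aws organizations create-policy --type SERVICE_CONTROL_POLICY` and attached to the application OU (not the root) with `aws organizations attach-policy --policy-id <policy-id> --target-id <ou-id>`, where the IDs are placeholders for the values in your organization. Because an SCP only filters permissions, principals still need an IAM allow for ec2:RunInstances and ec2:CreateTags to launch a tagged instance; the SCP simply guarantees that a launch missing the CostCenter-Project tag is refused regardless of what the account's own IAM policies allow.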
Question #10 A company uses AWS Organizations to manage a set of AWS accounts. The company has set up organizational units (OUs) in the organization. An application OU supports various applications. A CloudOps engineer must prevent users from launching Amazon EC2 instances that do not have a CostCenter-Project tag into any account in the application OU. The restriction must apply only to accounts in the application OU.
Which solution will meet these requirements?
A
Create an IAM group that has a policy that allows the ec2:RunInstances action when the CostCenter-Project tag is present. Place all IAM users who need access to the application accounts in the IAM group.
B
Create a service control policy (SCP) that denies the ec2:RunInstances action when the CostCenter-Project tag is missing. Attach the SCP to the application OU.
C
Create an IAM role that has a policy that allows the ec2:RunInstances action when the CostCenter-Project tag is present. Attach the IAM role to the IAM users that are in the application OU accounts.
D
Create a service control policy (SCP) that denies the ec2:RunInstances action when the CostCenter-Project tag is missing. Attach the SCP to the root OU.