AWS Certified SysOps Administrator – Associate (SOA-C03) — Question 60
A company uses AWS Organizations to manage a set of AWS accounts. The company has set up organizational units (OUs) in the organization. An application OU supports various applications.
A CloudOps engineer must prevent users from launching Amazon EC2 instances that do not have a CostCenter-Project tag into any account in the application OU. The restriction must apply only to accounts in the application OU.
Which solution will meet these requirements?
Answer options
- A. Create an IAM group that has a policy that allows the ec2:RunInstances action when the CostCenter-Project tag is present. Place all IAM users who need access to the application accounts in the IAM group.
- B. Create a service control policy (SCP) that denies the ec2:RunInstances action when the CostCenter-Project tag is missing. Attach the SCP to the application OU.
- C. Create an IAM role that has a policy that allows the ec2:RunInstances action when the CostCenter-Project tag is present. Attach the IAM role to the IAM users that are in the application OU accounts.
- D. Create a service control policy (SCP) that denies the ec2:RunInstances action when the CostCenter-Project tag is missing. Attach the SCP to the root OU.
Correct answer: B
Explanation
The correct answer is B because a service control policy (SCP) can be attached directly to an organizational unit (OU) to enforce a guardrail, such as denying EC2 instance launches that lack a required tag, across every account in that OU and nowhere else. Options A and C rely on IAM policies, which apply only to the principals they are attached to and do not restrict actions at the account level across the OU. Option D would apply the restriction to all accounts under the root, not just those in the application OU.
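As an added illustration (not part of the original question or answer key), the SCP described in option B can be written as follows. The statement ID, the choice to scope the Resource to EC2 instance ARNs, and the use of the `Null` condition operator on `aws:RequestTag/CostCenter-Project` are assumptions about how a practitioner would typically implement the guardrail; the requirement itself (deny `ec2:RunInstances` when the `CostCenter-Project` tag is absent, attached to the application OU) comes from the question.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutCostCenterProjectTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter-Project": "true"
        }
      }
    }
  ]
}
```

The `Null` operator evaluates to `true` when the request carries no `CostCenter-Project` tag key for the instance being created, so the explicit deny fires only for untagged launches; launches that supply the tag fall through to whatever the account's IAM policies allow. Because an SCP is a boundary rather than a grant, it must be attached to the application OU (and the accounts still need an IAM policy that permits `ec2:RunInstances` for tagged launches to succeed). Two checks a practitioner would make after attaching it: confirm that the OU has the `FullAWSAccess` or an equivalent allow-list SCP so other actions are not unintentionally blocked, and remember that SCPs never apply to the organization's management account, so the guardrail protects member accounts only.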