AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 212

A company operates sensitive workloads across the AWS accounts that are in the company's organization in AWS Organizations. The company uses an IP address range to delegate IP addresses for Amazon VPC CIDR blocks and all non-cloud hardware.

The company needs a solution that prevents principals that are outside the company’s IP address range from performing AWS actions in the organization's accounts.

Which solution will meet these requirements?

Answer options

• A. Configure AWS Firewall Manager for the organization. Create an AWS Network Firewall policy that allows only source traffic from the company's IP address range. Set the policy scope to all accounts in the organization.
• B. In Organizations, create an SCP that denies source IP addresses that are outside of the company’s IP address range. Attach the SCP to the organization's root.
• C. Configure Amazon GuardDuty for the organization. Create a GuardDuty trusted IP address list for the company's IP range. Activate the trusted IP list for the organization.
• D. In Organizations, create an SCP that allows source IP addresses that are inside of the company’s IP address range. Attach the SCP to the organization's root.

Correct answer: B

Explanation

The correct answer is B because Service Control Policies (SCPs) in AWS Organizations can explicitly deny actions based on source IP addresses, ensuring that any requests from outside the company's IP range are blocked. Options A and C focus on different services that do not directly restrict AWS actions based on IP addresses, while D allows actions from within the IP range but does not prevent outside access.