AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 335
A large company recently acquired a small company. The large company invited the small company to join the large company's existing organization in AWS Organizations as a new OU.
A DevOps engineer determines that the small company needs to launch t3.small Amazon EC2 instance types for the company's application workloads. The small company needs to deploy the instances only within US-based AWS Regions.
The DevOps engineer needs to use an SCP in the small company's new OU to ensure that the small company can launch only the required instance types.
Which solution will meet these requirements?
Answer options
- A. Configure a statement to deny the ec2:RunInstances action for all EC2 instance resources when the ec2:InstanceType condition is not equal to t3.small. Configure another statement to deny the ec2:RunInstances action for all EC2 instance resources when the aws:RequestedRegion condition is not equal to us-*.
- B. Configure a statement to allow the ec2:RunInstances action for all EC2 instance resources when the ec2:InstanceType condition is not equal to t3.small. Configure another statement to allow the ec2:RunInstances action for all EC2 instance resources when the aws:RequestedRegion condition is not equal to us-*.
- C. Configure a statement to deny the ec2:RunInstances action for all EC2 instance resources when the ec2:InstanceType condition is equal to t3.small. Configure another statement to deny the ec2:RunInstances action for all EC2 instance resources when the aws:RequestedRegion condition is equal to us-*.
- D. Configure a statement to allow the ec2:RunInstances action for all EC2 instance resources when the ec2:InstanceType condition is equal to t3.small. Configure another statement to allow the ec2:RunInstances action for all EC2 instance resources when the aws:RequestedRegion condition is equal to us-*.
Correct answer: A
Explanation
SCPs act as guardrails: they never grant permissions, only cap them, so they are most effective with explicit 'Deny' statements that block any request that does not meet specific criteria. Denying the ec2:RunInstances action when ec2:InstanceType is not t3.small, and again when aws:RequestedRegion does not match us-* (a wildcard pattern, so that statement uses the StringNotLike operator rather than StringNotEquals), restricts instance launches to exactly the allowed configurations. Option C denies precisely the allowed configurations, and options B and D use 'Allow' statements, which in an SCP cannot restrict anything while the default FullAWSAccess policy remains attached.
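As an added example (not part of the original question page and not an AWS artifact), the following Python writes out the SCP that option A describes and runs it through a deliberately simplified model of SCP evaluation: the default FullAWSAccess allow plus the OU's own policy, with an explicit Deny overriding any Allow. The Sid values, the account id and the option-D-style policy are constructed for the illustration; the condition evaluator covers only the StringEquals/StringNotEquals/StringLike/StringNotLike operators used here and follows the documented rule that a negated operator matches when its key is absent from the request context.

```python
import fnmatch

# The OU policy from option A. "us-*" is a wildcard, so the region statement
# must use StringNotLike; StringNotEquals would compare the literal string "us-*".
SCP_OPTION_A = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyNonT3SmallInstances",  # constructed name
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringNotEquals": {"ec2:InstanceType": "t3.small"}},
        },
        {
            "Sid": "DenyNonUSRegions",  # constructed name
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringNotLike": {"aws:RequestedRegion": "us-*"}},
        },
    ],
}

# An option-D-style policy: Allow statements only. Kept here to show that it
# restricts nothing while FullAWSAccess is also attached.
SCP_ALLOW_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"ec2:InstanceType": "t3.small"}},
        }
    ],
}

# FullAWSAccess, the SCP that AWS Organizations attaches by default.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _condition_matches(condition, context):
    """Evaluate String* operators. A negated operator matches when the key is missing."""
    for operator, pairs in condition.items():
        negated = "Not" in operator
        use_glob = operator.endswith("Like")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                if not negated:
                    return False
                continue
            hit = fnmatch.fnmatchcase(actual, expected) if use_glob else actual == expected
            if hit == negated:  # positive op that missed, or negated op that hit
                return False
    return True


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scp_allows(policies, action, resource_arn, context):
    """Simplified SCP evaluation: an explicit Deny wins, otherwise some Allow must match.
    Assumption: no NotAction/NotResource elements in the policies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_matches(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def run_instances_permitted(instance_type, region, policies=(FULL_AWS_ACCESS, SCP_OPTION_A)):
    """Would the SCP layer let ec2:RunInstances through for this type/region?
    (The caller's IAM identity still needs its own Allow; SCPs grant nothing.)"""
    context = {"ec2:InstanceType": instance_type, "aws:RequestedRegion": region}
    arn = f"arn:aws:ec2:{region}:123456789012:instance/*"  # constructed account id
    return scp_allows(policies, "ec2:RunInstances", arn, context)


if __name__ == "__main__":
    for itype, region in [("t3.small", "us-east-1"), ("m5.large", "us-east-1"), ("t3.small", "eu-west-1")]:
        print(itype, region, "->", "allowed" if run_instances_permitted(itype, region) else "denied")
    print("allow-only SCP, m5.large in eu-west-1 ->",
          run_instances_permitted("m5.large", "eu-west-1", (FULL_AWS_ACCESS, SCP_ALLOW_ONLY)))
```

The last line is the point of options B and D: with only Allow statements in the OU policy, FullAWSAccess still matches every request, so nothing is restricted. Because an SCP only caps permissions, an identity in the acquired company's accounts also needs an IAM policy that allows ec2:RunInstances before any launch succeeds.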