AWS Certified Security – Specialty — Question 395
A large company organizes hundreds of AWS accounts in AWS Organizations in Developer, Test, and Production OUs. The accounts in the Developer OU are used by developers who have full administrative privileges in their respective accounts. The company wants to allow only certain Amazon EC2 instance types to be used within the Developer OU.
How can the company prevent developer accounts from launching unapproved EC2 instance types?
Answer options
- A. Create a new launch template in each AWS account in the Developer OU to deny the ec2:RunInstances API call for instance types that are not in an approved list. Associate these templates with all IAM principals in the account.
- B. Create an IAM policy to deny the ec2:RunInstances API call for instance types that are not in an approved list. Attach the policy to all IAM principals in all the AWS accounts in the Developer OU.
- C. Use a managed SCP that is attached to the organization's root to deny the ec2:RunInstances API call for instance types that are not in an approved list.
- D. Create an SCP to deny the ec2:RunInstances API call for instance types that are not in an approved list. Attach the policy to the Developer OU.
Correct answer: D
Explanation
Service control policies (SCPs) act as permission guardrails that define the maximum permissions available to every IAM principal in a member account, including the account's root user and local administrators; an SCP never grants permissions, it only bounds what IAM policies in the account can grant. An SCP attached to the Developer OU is inherited by every account in that OU, so the restriction is scoped to exactly the developer accounts. The policy itself is a Deny on ec2:RunInstances with a StringNotLike condition on the ec2:InstanceType condition key listing the approved types, with Resource scoped to the instance ARN (arn:aws:ec2:*:*:instance/*), because that key is only populated for the instance resource of a RunInstances call. Options A and B fail because launch templates cannot deny API calls and local IAM policies can be modified or detached by developers who are administrators in their own accounts; option C fails because an SCP attached to the organization's root also applies to the Test and Production OUs.
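Worked example, added here and not part of the exam question or AWS documentation: the SCP document that answer D describes, together with a small constructed model of the IAM StringNotLike check so an approved list can be exercised offline before it is attached to the OU. The approved instance types, the sample account ID and the sample instance ID are assumptions; the evaluator models only this one Deny statement and is not AWS's policy engine.

```python
"""Model a Developer-OU SCP that denies ec2:RunInstances for unapproved instance types.

Added example. The SCP dict is the document answer D calls for; the evaluator
is a constructed model of the StringNotLike condition, not AWS's policy engine.
"""
import json
import re

# Approved instance types: assumed for the example, patterns use IAM wildcards.
APPROVED_INSTANCE_TYPES = ["t3.*", "t3a.*", "m5.large", "m5.xlarge"]

# The SCP to attach to the Developer OU. Resource is scoped to the instance ARN
# because ec2:InstanceType is populated only for the instance resource of a
# RunInstances call, not for the AMI, subnet, security group or volume ARNs.
DEVELOPER_OU_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnapprovedInstanceTypes",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringNotLike": {"ec2:InstanceType": APPROVED_INSTANCE_TYPES}
            },
        }
    ],
}

# Constructed instance ARN standing in for the instance resource of a request.
SAMPLE_INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"


def _iam_pattern_to_regex(pattern: str) -> re.Pattern:
    """IAM string patterns support only '*' (any run) and '?' (one character).

    Everything else is literal, so each character is escaped rather than using
    fnmatch, which would also honour '[...]' classes that IAM does not support.
    """
    body = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.compile(f"^{body}$")


def string_like(value: str, patterns: list[str]) -> bool:
    """StringLike semantics: true if the value matches any pattern (case-sensitive)."""
    return any(_iam_pattern_to_regex(p).match(value) for p in patterns)


def run_instances_denied(instance_type: str, scp: dict = DEVELOPER_OU_SCP) -> bool:
    """True if the SCP's Deny matches a RunInstances request for this instance type.

    An SCP Deny applies to every IAM principal in the account, root user and
    administrators included. A False result only means the SCP does not block
    the call; the caller still needs an IAM Allow in their own account.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if not string_like("ec2:RunInstances", actions):
            continue
        if not string_like(SAMPLE_INSTANCE_ARN, [stmt["Resource"]]):
            continue
        approved = stmt["Condition"]["StringNotLike"]["ec2:InstanceType"]
        # StringNotLike is satisfied, so the Deny applies, when no pattern matches.
        if not string_like(instance_type, approved):
            return True
    return False


def classify(instance_types: list[str]) -> dict[str, str]:
    """Map each requested instance type to the SCP verdict for a RunInstances call."""
    return {
        t: "DENIED" if run_instances_denied(t) else "allowed-by-scp"
        for t in instance_types
    }


if __name__ == "__main__":
    print(json.dumps(DEVELOPER_OU_SCP, indent=2))
    for itype, verdict in classify(
        ["t3.micro", "t3a.large", "m5.large", "m5.2xlarge", "p4d.24xlarge"]
    ).items():
        print(f"{itype:14} {verdict}")
```

To deploy the document, write the `DEVELOPER_OU_SCP` JSON to a file and use the AWS CLI: `aws organizations create-policy --name DenyUnapprovedInstanceTypes --type SERVICE_CONTROL_POLICY --content file://scp.json`, then `aws organizations attach-policy --policy-id <p-id> --target-id <ou-id>` with the Developer OU's ID (both IDs are placeholders here). SCPs must be enabled on the organization root first, and they have no effect on the management account, so the management account should not be where developer workloads run.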