AWS Certified Solutions Architect – Associate (SAA-C03) — Question 669

A company has an organization in AWS Organizations. The company runs Amazon EC2 instances across four AWS accounts in the root organizational unit (OU). There are three nonproduction accounts and one production account. The company wants to prohibit users from launching EC2 instances of a certain size in the nonproduction accounts. The company has created a service control policy (SCP) to deny access to launch instances that use the prohibited types.

Which solutions to deploy the SCP will meet these requirements? (Choose two.)

Answer options

• A. Attach the SCP to the root OU for the organization.
• B. Attach the SCP to the three nonproduction Organizations member accounts.
• C. Attach the SCP to the Organizations management account.
• D. Create an OU for the production account. Attach the SCP to the OU. Move the production member account into the new OU.
• E. Create an OU for the required accounts. Attach the SCP to the OU. Move the nonproduction member accounts into the new OU.

Correct answer: B, E

Explanation

To restrict EC2 instance sizes only in the nonproduction accounts, the SCP must be targeted specifically to those accounts. Option B accomplishes this by attaching the SCP directly to the three nonproduction member accounts. Option E achieves this by grouping the nonproduction accounts into a new OU and applying the SCP at the OU level. Attaching the SCP to the root OU (Option A) would incorrectly impact the production account, while applying it to a production OU (Option D) or the management account (Option C) would not target the correct accounts.