A company has hundreds of AWS accounts. The company recently implemented a centralized in…

Question

A company has hundreds of AWS accounts. The company recently implemented a centralized internal process for purchasing new Reserved Instances and modifying existing Reserved Instances. This process requires all business units that want to purchase or modify Reserved Instances to submit requests to a dedicated team for procurement. Previously, business units directly purchased or modified Reserved Instances in their own respective AWS accounts autonomously. A solutions architect needs to enforce the new process in the most secure way possible. Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

Accepted Answer

Correct answer: A, D. A. Ensure that all AWS accounts are part of an organization in AWS Organizations with all features enabled. — D. Create an SCP that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action. Attach the SCP to each OU of the organization. — The correct approach is to ensure all AWS accounts are part of an organization in AWS Organizations with all features enabled (A) and to create a Service Control Policy (SCP) that denies the actions (D). This setup centralizes control over Reserved Instances and enhances security by preventing unauthorized purchases or modifications. Options B and C are less effective because they either monitor compliance without enforcement (B) or apply restrictions per account rather than centrally (C), which does not support the new centralized process.

AWS Certified Solutions Architect – Professional (SAP-C02) — Question 122

Answer options

Correct answer: A, D

Explanation