A company manages multiple AWS accounts by using AWS Organizations. Under the root OU, th…

Question

A company manages multiple AWS accounts by using AWS Organizations. Under the root OU, the company has two OUs: Research and DataOps. Because of regulatory requirements, all resources that the company deploys in the organization must reside in the ap-northeast-1 Region. Additionally, EC2 instances that the company deploys in the DataOps OU must use a predefined list of instance types. A solutions architect must implement a solution that applies these restrictions. The solution must maximize operational efficiency and must minimize ongoing maintenance. Which combination of steps will meet these requirements? (Choose two.)

Accepted Answer

Correct answer: C, E. C. Create an SCP. Use the aws:RequestedRegion condition key to restrict access to all AWS Regions except ap-northeast-1. Apply the SCP to the root OU. — E. Create an SCP. Use the ec2:InstanceType condition key to restrict access to specific instance types. Apply the SCP to the DataOps OU. — The correct answers are C and E. Option C ensures that all resources across the organization are restricted to the ap-northeast-1 Region by applying a service control policy (SCP) at the root level, while option E limits the instance types in the DataOps OU using a separate SCP, ensuring compliance with regulatory requirements. Options A and B do not provide a comprehensive solution across all accounts, and option D incorrectly uses the ec2:Region condition key instead of the aws:RequestedRegion key.

AWS Certified Solutions Architect – Professional (SAP-C02) — Question 130

Answer options

Correct answer: C, E

Explanation