AWS Certified Solutions Architect – Professional (SAP-C02) — Question 377

A company is using AWS Control Tower to manage AWS accounts in an organization in AWS Organizations. The company has an OU that contains accounts. The company must prevent any new or existing Amazon EC2 instances in the OU's accounts from gaining a public IP address.

Which solution will meet these requirements?

Answer options

• A. Configure all instances in each account in the OU to use AWS Systems Manager. Use a Systems Manager Automation runbook to prevent public IP addresses from being attached to the instances.
• B. Implement the AWS Control Tower proactive control to check whether instances in the OU's accounts have a public IP address. Set the AssociatePublicIpAddress property to False. Attach the proactive control to the OU.
• C. Create an SCP that prevents the launch of instances that have a public IP address. Additionally, configure the SCP to prevent the attachment of a public IP address to existing instances. Attach the SCP to the OU.
• D. Create an AWS Config custom rule that detects instances that have a public IP address. Configure a remediation action that uses an AWS Lambda function to detach the public IP addresses from the instances.

Correct answer: C

Explanation

An SCP (Service Control Policy) attached to the OU is the most effective way to enforce preventative restrictions, as it can directly deny the launching of EC2 instances with public IPs and prevent the association of public IPs to existing instances. AWS Systems Manager and AWS Config options are reactive detective and remediation approaches rather than preventative controls. Proactive controls in AWS Control Tower analyze CloudFormation templates during deployment but do not prevent manual configuration changes or block public IP assignments on existing running instances.