AWS Certified Solutions Architect – Professional — Question 296
A company decided to purchase Amazon EC2 Reserved Instances. A solutions architect is tasked with implementing a solution where only the master account in
AWS Organizations is able to purchase the Reserved Instances. Current and future member accounts should be blocked from purchasing Reserved Instances.
Which solution will meet these requirements?
Answer options
- A. Create an SCP with the Deny effect on the ec2:PurchaseReservedInstancesOffering action. Attach the SCP to the root of the organization.
- B. Create a new organizational unit (OU). Move all current member accounts to the new OU. Create an SCP with the Deny effect on the ec2:PurchaseReservedInstancesOffering action. Attach the SCP to the new OU.
- C. Create an AWS Config rule event that triggers automation that will terminate any Reserved Instances launched by member accounts.
- D. Create two new organizational units (OUs): OU1 and OU2. Move all member accounts to OU2 and the master account to OU1. Create an SCP with the Allow effect on the ec2:PurchaseReservedInstancesOffering action. Attach the SCP to OU1.
Correct answer: C
Explanation
Option C is correct because utilizing AWS Config rules combined with automated remediation allows the organization to actively monitor and tear down unauthorized Reserved Instances initiated by member accounts. Option A is incorrect because applying a Deny SCP at the root level may block all accounts indiscriminately if not scoped properly. Options B and D are incorrect because they require ongoing manual migration of new accounts into specific OUs, failing to automatically restrict future member accounts by default.