A company manages multiple AWS accounts by using AWS Organizations. Under the root OU, th…

Question

A company manages multiple AWS accounts by using AWS Organizations. Under the root OU, the company has two OUs: Research and DataOps.
Because of regulatory requirements, all resources that the company deploys in the organization must reside in the ap-northeast-1 Region. Additionally, EC2 instances that the company deploys in the DataOps OU must use a predefined list of instance types.
A solutions architect must implement a solution that applies these restrictions. The solution must maximize operational efficiency and must minimize ongoing maintenance.
Which combination of steps will meet these requirements? (Choose two.)

Accepted Answer

Correct answer: C, E. C. Create an SCP. Use the aws:RequestedRegion condition key to restrict access to all AWS Regions except ap-northeast-1. Apply the SCP to the root OU. — E. Create an SCP. Use the ec2:InstanceType condition key to restrict access to specific instance types. Apply the SCP to the DataOps OU. — To restrict AWS Regions organization-wide with minimal administrative effort, an SCP utilizing the aws:RequestedRegion global condition key should be applied to the root OU, which automatically cascades the restriction to all child OUs. To limit EC2 instance types specifically for the DataOps OU, another SCP utilizing the ec2:InstanceType condition key should be applied directly to that OU. Using SCPs at the Organization level is far more operationally efficient than managing individual IAM users or roles across multiple member accounts.

AWS Certified Solutions Architect – Professional — Question 621

Answer options

Correct answer: C, E

Explanation