AWS Certified Solutions Architect – Professional — Question 905
A company has hundreds of AWS accounts. The company recently implemented a centralized internal process for purchasing new Reserved Instances and modifying existing Reserved Instances. This process requires all business units that want to purchase or modify Reserved Instances to submit requests to a dedicated team for procurement. Previously, business units directly purchased or modified Reserved Instances in their own respective AWS accounts autonomously.
A solutions architect needs to enforce the new process in the most secure way possible.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)
Answer options
- A. Ensure that all AWS accounts are part of an organization in AWS Organizations with all features enabled.
- B. Use AWS Config to report on the attachment of an IAM policy that denies access to the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.
- C. In each AWS account, create an IAM policy that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.
- D. Create an SCP that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action. Attach the SCP to each OU of the organization.
- E. Ensure that all AWS accounts are part of an organization in AWS Organizations that uses the consolidated billing feature.
Correct answer: A, D
Explanation
To enforce restrictions across hundreds of AWS accounts, the accounts must belong to an organization in AWS Organizations with all features enabled, because Service Control Policies (SCPs) are only available in that mode (consolidated-billing-only organizations cannot use SCPs). Attaching an SCP that denies ec2:PurchaseReservedInstancesOffering and ec2:ModifyReservedInstances to every OU centrally prevents principals in the member accounts from bypassing the restriction, even when those principals hold administrator permissions, since an SCP caps the maximum permissions available in a member account regardless of its local IAM policies. Per-account IAM policies (option C) can be edited or removed by account administrators, and AWS Config (option B) only reports on whether a policy is attached after the fact; neither provides the same preventative enforcement, and both are harder to manage at scale. Note that SCPs do not apply to the management account, so procurement activity should be performed from a member account that the SCP explicitly exempts rather than from the management account.
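A policy document of the kind the correct answer describes, added here as an illustration and not taken from the exam page or from AWS documentation. It denies the two Reserved Instance actions for every principal in the OU except the procurement team's role; the role ARN, account ID and statement name are placeholders, and the condition key aws:PrincipalArn is used so the central team can still act on behalf of business units.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyReservedInstancePurchaseAndModify",
      "Effect": "Deny",
      "Action": [
        "ec2:PurchaseReservedInstancesOffering",
        "ec2:ModifyReservedInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/RIProcurementTeamRole"
        }
      }
    }
  ]
}
```

Attach the SCP to each OU (or to the root, which covers every OU beneath it); an explicit Deny in an SCP cannot be overridden by any IAM policy inside a member account, and the exemption only affects the named role, so verify that role is assumable solely by the procurement team.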