AWS Certified Solutions Architect – Professional — Question 987
A company is using AWS Organizations to manage multiple accounts. Due to regulatory requirements, the company wants to restrict specific member accounts to certain AWS Regions, where they are permitted to deploy resources. The resources in the accounts must be tagged, enforced based on a group standard, and centrally managed with minimal configuration.
What should a solutions architect do to meet these requirements?
Answer options
- A. Create an AWS Config rule in the specific member accounts to limit Regions and apply a tag policy.
- B. From the AWS Billing and Cost Management console, in the management account, disable Regions for the specific member accounts and apply a tag policy on the root.
- C. Associate the specific member accounts with the root. Apply a tag policy and an SCP using conditions to limit Regions.
- D. Associate the specific member accounts with a new OU. Apply a tag policy and an SCP using conditions to limit Regions.
Correct answer: D
Explanation
Grouping the specific member accounts under a new Organizational Unit (OU) allows Service Control Policies (SCPs) and tag policies to be applied centrally to just those accounts without affecting the rest of the organization. An SCP with conditions is the standard way to restrict resource deployment to approved AWS Regions, while a tag policy enforces the group's tagging standard. Applying these at the root (Option C) would affect every account in the organization, while AWS Config rules (Option A) and the Billing and Cost Management console (Option B) do not provide the required central enforcement and governance capabilities.
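As an added illustration (not part of the question or its explanation), the following Python builds the kind of region-restricting SCP that Option D attaches to the OU and checks sample requests against its single Deny statement locally. The approved Regions, the exempt OrgAdminRole and the list of global-service carve-outs are assumptions made for this example.

```python
"""Build a region-restriction SCP and check sample requests against it offline."""
import fnmatch
import json

# Assumptions for this example (not from the question): the approved Regions
# and a break-glass role that must keep working from anywhere.
APPROVED_REGIONS = ["eu-central-1", "eu-west-1"]
EXEMPT_PRINCIPALS = ["arn:aws:iam::*:role/OrgAdminRole"]
# Global services are evaluated in us-east-1, so they are carved out of the
# deny; otherwise IAM, STS and Organizations calls themselves would be blocked.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "organizations:*", "sts:*", "support:*",
                          "cloudfront:*", "route53:*", "budgets:*", "health:*"]


def build_region_scp(regions=APPROVED_REGIONS, exempt=EXEMPT_PRINCIPALS):
    """Return the SCP document: deny everything outside the approved Regions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": regions},
                "ArnNotLike": {"aws:PrincipalARN": exempt},
            },
        }],
    }


def is_denied(action, region, principal_arn, scp=None):
    """Local check of the single Deny statement: True if the SCP blocks the call.
    Mirrors only this statement's logic; SCPs never grant, they only restrict."""
    stmt = (scp or build_region_scp())["Statement"][0]
    cond = stmt["Condition"]
    if any(fnmatch.fnmatch(action, pat) for pat in stmt["NotAction"]):
        return False  # global-service action, carved out of the deny
    in_region = region in cond["StringNotEquals"]["aws:RequestedRegion"]
    exempt = any(fnmatch.fnmatch(principal_arn, p)
                 for p in cond["ArnNotLike"]["aws:PrincipalARN"])
    return not in_region and not exempt


if __name__ == "__main__":
    # Print the document in the form you would paste into Organizations > Policies.
    print(json.dumps(build_region_scp(), indent=2))
```

Attach the resulting policy to the OU, not the root, so only the regulated accounts are constrained; the tag policy is a separate policy type applied to the same OU.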