In an AWS Organizations setup, the management account needs to ensure that no member account can launch EC2 instances outside of the us-east-1 and eu-west-1 regions. How should this be enforced?

Answer options:

Use AWS IAM policies attached to all users in the member accounts.

Create a Service Control Policy (SCP) denying the ec2:RunInstances action with a condition restricting the aws:RequestedRegion.

Use AWS Config rules to terminate instances launched in unauthorized regions.

Configure VPC endpoints to only allow traffic to authorized regions.

How to approach this question

Look for the preventative control mechanism in AWS Organizations.

Full Answer

B.Create a Service Control Policy (SCP) denying the ec2:RunInstances action with a condition restricting the aws:RequestedRegion.✓ Correct

Service Control Policies (SCPs) are used in AWS Organizations to enforce preventative guardrails, such as restricting the regions where resources can be deployed.

Common mistakes

Using IAM policies, which do not provide organizational-level enforcement.

Question 16 All questions Question 18

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 6

75 questions · hints · full answers · grading

More questions from this exam

Q01A global enterprise requires highly available hybrid connectivity between its on-premises data ce...Hard Q02An organization has 50 VPCs across two AWS Regions connected via Transit Gateways (TGW). The TGWs...Hard Q03A company uses AWS Organizations. The network team wants to share a central Transit Gateway (TGW)...Medium Q04An enterprise has on-premises data centers in the US and Europe. They want to use the AWS global ...Hard Q05A company requires that all API calls to Amazon S3 from their VPC must not traverse the public in...Medium

View all 75 questions →