Which solution will meet these requirements?
Use AWS Control Tower proactive controls to block deployment of EC2 instances with public IP addresses and inline policies with elevated access or “*”.
Use AWS Control Tower detective controls to block deployment of EC2 instances with public IP addresses and inline policies with elevated access or “*”.
Use AWS Config to create rules for EC2 and IAM compliance. Configure the rules to run an AWS Systems Manager Session Manager automation to delete a resource when it is not compliant.
Use a service control policy (SCP) to block actions for the EC2 instances and IAM resources if the actions lead to noncompliance.
Explanations:
AWS Control Tower proactive controls can block the deployment of EC2 instances with public IPs and IAM resources with inline policies or policies containing “*” in the statements. Proactive controls are used to enforce compliance and prevent non-compliant resources from being deployed.
AWS Control Tower detective controls only detect non-compliance but do not block or prevent the deployment of non-compliant resources. This option would identify the issues after deployment, not prevent them.
AWS Config can track compliance but cannot actively block the deployment of resources. The solution described would only delete non-compliant resources post-deployment, which doesn’t align with the requirement to prevent the deployment itself.
Service Control Policies (SCPs) are designed to restrict actions across AWS Organizations but cannot be used to specifically target EC2 instances with public IPs or IAM resources with inline policies or “*” in the statements. SCPs do not operate at the level of resource configuration within accounts.
I plot that the answer is:
Use AWS Control Tower proactive controls to block deployment of EC2 instances with public IP addresses and inline policies with elevated access or “*”.