Which combination of steps will meet these requirements?
(Choose two.)
Create an IAM role in one account under the DataOps OU. Use the ec2:InstanceType condition key in an inline policy on the role to restrict access to specific instance types.
Create an IAM user in all accounts under the root OU. Use the aws:RequestedRegion condition key in an inline policy on each user to restrict access to all AWS Regions except ap-northeast-1.
Create an SCP. Use the aws:RequestedRegion condition key to restrict access to all AWS Regions except ap-northeast-1. Apply the SCP to the root OU.
Create an SCP. Use the ec2:Region condition key to restrict access to all AWS Regions except ap-northeast-1. Apply the SCP to the root OU, the DataOps OU, and the Research OU.
Create an SCP. Use the ec2:InstanceType condition key to restrict access to specific instance types. Apply the SCP to the DataOps OU.
Explanations:
IAM roles and inline policies can be used to restrict actions, but this would require creating and maintaining a policy in each individual account. It does not scale well.
While the aws:RequestedRegion condition key can restrict Regions for IAM users, applying it individually to every user in every account is not efficient for large environments.
SCPs enforce restrictions at the organizational level. The aws:RequestedRegion condition key will restrict access to all Regions except ap-northeast-1, and applying the SCP to the root OU covers every account in the organization.
The ec2:Region condition key does not exist. The correct condition key for restricting Regions in an SCP is aws:RequestedRegion.
SCPs can restrict instance types using the ec2:InstanceType condition key, and applying the SCP to the DataOps OU ensures that only the approved instance types can be launched in those accounts.
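The two SCPs the correct answers describe, written out as an added example that is not part of the original question set. The policy documents use real SCP JSON syntax; the small `is_denied` evaluator around them is a deliberately simplified illustration of how the `StringNotEquals` conditions behave and does not reproduce AWS's full policy-evaluation logic. The global-service exemption list and the approved instance types are constructed values for the example.

```python
"""Added example: the region SCP (root OU) and instance-type SCP (DataOps OU),
plus a simplified evaluator to check the effect of each condition key offline."""
import json
from fnmatch import fnmatchcase

# SCP for the root OU: deny every action outside ap-northeast-1.
# Global services (IAM, Organizations, STS, Support) are exempted via NotAction
# because their API endpoints are served from us-east-1; this list is an
# illustrative subset, not AWS's complete set of global services.
REGION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideTokyo",
        "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["ap-northeast-1"]}},
    }],
}

# SCP for the DataOps OU: only allow RunInstances for the approved types.
# The instance types are constructed for this example.
INSTANCE_TYPE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnapprovedInstanceTypes",
        "Effect": "Deny",
        "Action": ["ec2:RunInstances"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t3.micro", "t3.small"]}},
    }],
}


def to_json(policy):
    """Render a policy dict as the JSON document you would attach in Organizations."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    """Action: statement applies to listed actions. NotAction: to every other action."""
    if "Action" in statement:
        return any(fnmatchcase(action, p) for p in _as_list(statement["Action"]))
    return not any(fnmatchcase(action, p) for p in _as_list(statement["NotAction"]))


def _condition_holds(condition, context):
    """Simplified StringEquals / StringNotEquals evaluation.
    As in IAM, a negated operator is true when the key is absent from the request."""
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(allowed):
                    return False
            elif operator == "StringNotEquals":
                if actual in _as_list(allowed):
                    return False
            else:
                raise ValueError(f"operator not supported by this example: {operator}")
    return True


def is_denied(policy, action, context):
    """True if any Deny statement in the SCP matches the action and request context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if _action_matches(stmt, action) and _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    print(to_json(REGION_SCP))
    print(is_denied(REGION_SCP, "ec2:RunInstances", {"aws:RequestedRegion": "us-east-1"}))
    print(is_denied(INSTANCE_TYPE_SCP, "ec2:RunInstances", {"ec2:InstanceType": "m5.24xlarge"}))
```

Note the `NotAction` exemption in the region SCP: without it, a root-OU SCP keyed on aws:RequestedRegion would also block IAM and Organizations calls, which is a common way to lock an organization out of its own management account.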