Which solution will meet these requirements?
Create an SCP with the Deny effect on the ec2:PurchaseReservedInstancesOffering action. Attach the SCP to the root of the organization.
Create a new organizational unit (OU) Move all current member accounts to the new OU. Create an SCP with the Deny effect on the ec2:PurchaseReservedInstancesOffering action. Attach the SCP to the new OU.
Create an AWS Config rule event that triggers automation that will terminate any Reserved Instances launched by member accounts.
Create two new organizational units (OUs): OU1 and OU2. Move all member accounts to OU2 and the master account to OU1. Create an SCP with the Allow effect on the ec2:PurchaseReservedInstancesOffering action. Attach the SCP to OU1.
Explanations:
This option correctly creates a Service Control Policy (SCP) with a Deny effect on theec2:PurchaseReservedInstancesOfferingaction, applied to the root of the organization. This ensures that all member accounts are restricted from purchasing Reserved Instances, allowing only the master account to make such purchases.
Although this option creates an SCP with a Deny effect on theec2:PurchaseReservedInstancesOfferingaction, applying it to a newly created organizational unit (OU) means it will not affect accounts outside this OU. Future accounts might not fall under this OU, so they would not be restricted.
An AWS Config rule event to terminate Reserved Instances launched by member accounts is reactive and does not prevent the purchase of Reserved Instances; it only acts after the fact, thus not meeting the requirement.
This option applies an Allow policy to the ec2action on OU1, but SCPs are Deny by default, so only explicitly denied actions are prevented. This configuration does not block Reserved Instance purchases by member accounts in OU2, thus failing the requirements.