Which combination of steps should the solutions architect take to meet these requirements?
(Choose two.)
Ensure that all AWS accounts are part of an organization in AWS Organizations with all features enabled.
Use AWS Config to report on the attachment of an IAM policy that denies access to the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.
In each AWS account, create an IAM policy that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.
Create an SCP that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action. Attach the SCP to each OU of the organization.
Ensure that all AWS accounts are part of an organization in AWS Organizations that uses the consolidated billing feature.
Explanations:
Enabling all features in AWS Organizations allows for centralized management, including the use of Service Control Policies (SCPs) to enforce organization-wide rules.
AWS Config cannot be used to enforce IAM policies. It only reports compliance; it does not prevent actions such as PurchaseReservedInstancesOffering or ModifyReservedInstances.
An IAM policy denying these actions in each account could work, but it requires managing policies separately for every account, which is not scalable in a large organization.
SCPs at the organizational level can enforce rules across all accounts within an organization. Denying the actions through an SCP is the most centralized and secure method.
Using consolidated billing only aggregates billing data across accounts and does not help with enforcing security policies or process controls like those required here.