Which combination of steps should be taken to proactively enforce the new process in the MOST secure way possible?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A large company with hundreds of AWS accounts has a newly established centralized internal process for purchasing new or modifying existing ReservedInstances.This process requires all business units that want to purchase or modify Reserved Instances to submit requests to a dedicated team for procurement or execution.Previously, business units would directly purchase or modify Reserved Instances in their own respective AWS accounts autonomously.

Which combination of steps should be taken to proactively enforce the new process in the MOST secure way possible?

(Choose two.)

Ensure all AWS accounts are part of an AWS Organizations structure operating in all features mode.

Use AWS Config to report on the attachment of an IAM policy that denies access to the ec2:PurchaseReservedInstancesOffering and ec2:ModifyReservedInstances actions.

In each AWS account, create an IAM policy with a DENY rule to the ec2:PurchaseReservedInstancesOffering and ec2:ModifyReservedInstances actions.

Create an SCP that contains a deny rule to the ec2:PurchaseReservedInstancesOffering and ec2:ModifyReservedInstances actions. Attach the SCP to each organizational unit (OU) of the AWS Organizations structure.

Ensure that all AWS accounts are part of an AWS Organizations structure operating in consolidated billing features mode.

Explanations:

Ensuring all AWS accounts are part of an AWS Organizations structure operating in all features mode allows for centralized management and enforcement of policies, including Service Control Policies (SCPs). This structure is necessary to implement the governance required to enforce the new process.

Using AWS Config to report on IAM policy attachments does not proactively enforce the new process; it only provides reporting capabilities. While it’s useful for compliance monitoring, it won’t prevent users from purchasing or modifying Reserved Instances.

Creating an IAM policy with a DENY rule in each AWS account would not be a scalable solution. Each account would require manual updates to IAM policies, making it difficult to manage uniformly across hundreds of accounts. Furthermore, IAM policies are evaluated together, and if there are any Allow rules, they could override the DENY.

Creating a Service Control Policy (SCP) with a deny rule for the ec2and ec2actions is the most effective method to enforce the new process. By applying the SCP to each organizational unit (OU), the company can centrally manage permissions and ensure compliance across all accounts.

While operating in consolidated billing mode allows for cost management across multiple accounts, it does not inherently enforce compliance or governance related to the purchasing of Reserved Instances. It lacks the necessary controls to ensure that the new centralized process is followed.

2025-10-19

1 Comment

  1. Justin
    Author

    I organize that the answer is:
    Ensure all AWS accounts are part of an AWS Organizations structure operating in all features mode.

Leave a Reply

Your email address will not be published. Required fields are marked *

fourteen + 2 =