Which change should the DevOps engineer make to launch the EC2 instance in the vendor-data account?
Attach the AmazonEC2FullAccess IAM policy to the IAM user.
Create a new SCP that allows all actions for Amazon EC2. Attach the SCP to the vendor-data account.
Update the SCP in the child OU to allow all actions for Amazon EC2.
Create a new SCP that allows all actions for Amazon EC2. Attach the SCP to the root OU.
Explanations:
Attaching the AmazonEC2FullAccess IAM policy to the IAM user does not grant permission to launch EC2 instances because the permissions granted by IAM policies are still subject to Service Control Policies (SCPs) that restrict actions in the organizational unit (OU).
Creating a new SCP to allow all actions for Amazon EC2 and attaching it to the vendor-data account would not work because SCPs are applied at the OU level, not the account level, and the existing child OU SCP already restricts actions outside of DynamoDB and AWS Lambda.
Updating the SCP in the child OU to allow all actions for Amazon EC2 would directly address the access denied error by modifying the restrictions imposed on the child OU. This change would enable the IAM user in the vendor-data account to launch EC2 instances as intended.
Creating a new SCP at the root OU to allow all actions for Amazon EC2 would not work, as it would not override the restrictive SCP already applied to the child OU. The SCPs are evaluated based on the most restrictive policy applicable to the account, which is the child OU’s SCP.
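To make the evaluation described in these explanations concrete, here is a small Python model of how an IAM identity policy and the SCPs along the path root → child OU → account combine. This is an added example, not code from the original page or from AWS: the organization layout, the policy documents, the account name `vendor-data`, the assumption that the IAM user's own policy already permits `ec2:RunInstances`, and the simplified `AmazonEC2FullAccess` stand-in are all constructed for illustration. The model applies the two documented rules: within one level, allows are unioned and an explicit deny wins; across levels, every level must allow the action (intersection), and the IAM policy must allow it too.

```python
"""Toy model of SCP + IAM policy evaluation in AWS Organizations.

Added example for illustration; the org tree, policies and account name are
assumed, not taken from the page or from AWS itself.
"""
from fnmatch import fnmatch

# --- Constructed policy documents (same shape as real SCP / IAM JSON) --------

# AWS's default SCP, attached everywhere nothing more restrictive is used.
FULL_ACCESS = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# The child OU's SCP as the page describes it: only DynamoDB and Lambda allowed.
CHILD_OU_SCP = {"Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:*", "lambda:*"], "Resource": "*"}]}

# The corrected child OU SCP: EC2 added to the allow list.
CHILD_OU_SCP_FIXED = {"Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:*", "lambda:*", "ec2:*"],
     "Resource": "*"}]}

# A new SCP that "allows all actions for Amazon EC2".
EC2_ALLOW_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

# Simplified stand-in for the AmazonEC2FullAccess IAM managed policy (assumed).
EC2_FULL_ACCESS_IAM = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}


def _matches(pattern, action):
    """Action patterns may be a string or a list; '*' wildcards as in IAM."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch(action, p) for p in patterns)


def _explicitly_denies(policy, action):
    return any(s["Effect"] == "Deny" and _matches(s["Action"], action)
               for s in policy["Statement"])


def policy_allows(policy, action):
    """One document: explicit Deny wins, then any Allow, else implicit deny."""
    if _explicitly_denies(policy, action):
        return False
    return any(s["Effect"] == "Allow" and _matches(s["Action"], action)
               for s in policy["Statement"])


def level_allows(scps, action):
    """All SCPs attached to one node: allows are unioned, any Deny wins."""
    if any(_explicitly_denies(p, action) for p in scps):
        return False
    return any(policy_allows(p, action) for p in scps)


def is_allowed(path_scps, iam_policies, action):
    """path_scps: SCP lists for each node from the root down to the account.

    Every node on the path must allow the action (intersection), and the
    principal's IAM policies must allow it as well.
    """
    scp_ok = all(level_allows(level, action) for level in path_scps)
    iam_ok = (any(policy_allows(p, action) for p in iam_policies)
              and not any(_explicitly_denies(p, action) for p in iam_policies))
    return scp_ok and iam_ok


def evaluate_options(action="ec2:RunInstances"):
    """Outcome of each proposed change for the IAM user in 'vendor-data'.

    Assumption: the user's IAM policy already permits the EC2 action, so the
    only thing blocking the launch is the SCP chain.
    """
    baseline_iam = [EC2_FULL_ACCESS_IAM]
    root, child_ou, account = [FULL_ACCESS], [CHILD_OU_SCP], [FULL_ACCESS]
    return {
        # IAM grant alone: still filtered out by the child OU SCP.
        "attach_iam_policy": is_allowed(
            [root, child_ou, account], [EC2_FULL_ACCESS_IAM], action),
        # SCP on the account node: the child OU level still does not allow EC2.
        "scp_on_account": is_allowed(
            [root, child_ou, account + [EC2_ALLOW_SCP]], baseline_iam, action),
        # Fixing the child OU SCP: every level now allows the action.
        "update_child_ou_scp": is_allowed(
            [root, [CHILD_OU_SCP_FIXED], account], baseline_iam, action),
        # SCP on the root: root already allowed '*'; the child OU still blocks.
        "scp_on_root": is_allowed(
            [root + [EC2_ALLOW_SCP], child_ou, account], baseline_iam, action),
    }


if __name__ == "__main__":
    for option, allowed in evaluate_options().items():
        print(f"{option:22s} -> {'ALLOWED' if allowed else 'denied'}")
```

Running the script shows only `update_child_ou_scp` ending in ALLOWED; the other three stay denied because an SCP never grants permissions on its own, and an action is only effective when the root, every OU on the path, and the account all permit it. The same model confirms that a DynamoDB action such as `dynamodb:PutItem` is already allowed under the unchanged child OU SCP, which is why the existing restriction only bites for EC2.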