What is the MOST operationally efficient solution that meets these requirements?
Configure AWS CloudTrail in all Regions to record all API activity. Create an Amazon EventBridge (Amazon CloudWatch Events) rule in all unauthorized Regions for ec2:RunInstances events. Use AWS Lambda to terminate the launched EC2 instances.
In each AWS account, create a managed IAM policy that uses a Region condition to deny the ec2:RunInstances action in all unauthorized Regions. Attach this policy to all IAM groups in each AWS account.
In each AWS account, create an IAM permissions boundary policy that uses a Region condition to deny the ec2:RunInstances action in all unauthorized Regions. Attach the permissions boundary policy to all IAM users in each AWS account.
Create a service control policy (SCP) in AWS Organizations to deny the ec2:RunInstances action in all unauthorized Regions. Attach this policy to the root level of the organization.
Explanations:
While CloudTrail and EventBridge could detect and react to EC2 launches, this approach would require complex setup and ongoing maintenance in every Region. Additionally, it is reactive: the instance is still launched and must be terminated afterwards, which introduces operational overhead and delay.
An IAM policy with a Region condition would be enforced at the IAM level. However, it would apply only to the principals it is attached to in each account and would have to be created and maintained account by account, so it would not be as centralized or efficient as using SCPs.
A permissions boundary limits what actions IAM users can perform, but it would not be a comprehensive solution across an entire organization. It also requires configuring a boundary for every user in every account and would be less scalable.
Service control policies (SCPs) in AWS Organizations are the most efficient way to manage permissions across multiple AWS accounts. SCPs can be applied centrally, ensuring uniform enforcement of Region restrictions across all accounts.
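As an added illustration (not part of the original question), an SCP of the kind the correct option describes: it denies ec2:RunInstances whenever the request targets a Region outside an allow list, using the aws:RequestedRegion condition key. The Region list (us-east-1 and eu-west-1) is a placeholder for the organization's authorized Regions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesOutsideAuthorizedRegionsPlaceholderList",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}
```

Attached at the organization root, the deny applies to every member account regardless of what IAM permissions are granted inside them; note that SCPs do not affect the management account itself, so its principals must be restricted separately.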