Which combination of steps should the solutions architect take to meet these requirements?

By:
In: SAP-C02
Tagged:
With: 2 Comments
A company has hundreds of AWS accounts.The company recently implemented a centralized internal process for purchasing new Reserved Instances and modifying existing Reserved Instances.This process requires all business units that want to purchase or modify Reserved Instances to submit requests to a dedicated team for procurement.Previously, business units directly purchased or modified Reserved Instances in their own respective AWS accounts autonomously.A solutions architect needs to enforce the new process in the most secure way possible.

Which combination of steps should the solutions architect take to meet these requirements?

(Choose two.)

Ensure that all AWS accounts are part of an organization in AWS Organizations with all features enabled.

Use AWS Config to report on the attachment of an IAM policy that denies access to the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.

In each AWS account, create an IAM policy that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.

Create an SCP that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action. Attach the SCP to each OU of the organization.

Ensure that all AWS accounts are part of an organization in AWS Organizations that uses the consolidated billing feature.

Explanations:

Ensuring all AWS accounts are part of an organization in AWS Organizations with all features enabled allows for the management of policies and service control policies (SCPs) across accounts, which is essential for enforcing centralized control.

AWS Config is primarily used for compliance auditing and monitoring of resource configurations. It cannot enforce actions; it can only report on configurations. Therefore, it does not effectively enforce the new purchasing process.

Creating an IAM policy in each account can provide denial of actions but does not enforce the centralized procurement process effectively, especially when managing multiple accounts. This can lead to inconsistencies and potential circumvention.

Creating an SCP that denies the actions at the organizational level ensures that no account within the organization can perform those actions, thus enforcing the centralized purchasing process across all accounts effectively.

While consolidated billing is beneficial for cost management, it does not provide the necessary controls or enforcement mechanisms to manage Reserved Instances purchasing pro

2026-03-20

2 Comments

  1. Jason
    Author

    I organize that the answer is:
    Ensure that all AWS accounts are part of an organization in AWS Organizations with all features enabled.

  2. Noah
    Author

    If I’m not mistaken, the answer is:
    Ensure that all AWS accounts are part of an organization in AWS Organizations with all features enabled.

Leave a Reply

Your email address will not be published. Required fields are marked *

one × four =