Which combination of steps will meet these requirements?
(Choose two.)
Create an IAM role in one account under the DataOps OU. Use the ec2:InstanceType condition key in an inline policy on the role to restrict access to specific instance types.
Create an IAM user in all accounts under the root OU. Use the aws:RequestedRegion condition key in an inline policy on each user to restrict access to all AWS Regions except ap-northeast-1.
Create an SCP. Use the aws:RequestedRegion condition key to restrict access to all AWS Regions except ap-northeast-1. Apply the SCP to the root OU.
Create an SCP. Use the ec2:Region condition key to restrict access to all AWS Regions except ap-northeast-1. Apply the SCP to the root OU, the DataOps OU, and the Research OU.
Create an SCP. Use the ec2:InstanceType condition key to restrict access to specific instance types. Apply the SCP to the DataOps OU.
Explanations:
Creating an IAM role with an inline policy for a specific account does not enforce the restriction across all accounts in the DataOps OU. It would only apply to that particular role and not to all users or services in the OU.
Creating IAM users with inline policies in each account does not provide a centralized management approach. It requires ongoing maintenance as every account needs an individual user and policy configuration, which is not efficient or scalable.
Creating a Service Control Policy (SCP) using the aws:RequestedRegion condition key effectively restricts access to all AWS Regions except ap-northeast-1. Applying this SCP to the root OU ensures that all accounts inherit this restriction, thereby meeting the regulatory requirement efficiently.
The ec2:Region condition key is not a valid condition key for SCPs. SCPs use aws:RequestedRegion instead, which means this option would not correctly apply the region restriction as intended.
An SCP that uses the ec2:InstanceType condition key to restrict access to specific instance types can effectively limit instance types in the DataOps OU. Applying the SCP specifically to the DataOps OU ensures that only those accounts are affected by this restriction, meeting operational efficiency and regulatory requirements.
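As an added illustration (not part of the original question), the two SCPs from the correct options written out as policy documents, plus a simplified evaluator that shows why attaching the region SCP at the root OU reaches every account while the instance-type SCP attached at the DataOps OU leaves the Research OU untouched. OU names, account ids and the approved instance types are constructed placeholders, and the evaluator only models Deny statements with StringNotEquals conditions.

```python
from fnmatch import fnmatch

# Added example, not from the original question. The two SCPs below are built from
# the two correct options; OU names, account ids and instance types are constructed.

SCP_REGION = {  # deny every action outside ap-northeast-1; attached at the root OU
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                   "Condition": {"StringNotEquals": {"aws:RequestedRegion": "ap-northeast-1"}}}],
}
# Real deployments usually also exempt global services (IAM, STS, ...) via NotAction.

SCP_INSTANCE_TYPE = {  # deny launching anything but approved types; attached at DataOps OU
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "ec2:RunInstances",
                   "Resource": "arn:aws:ec2:*:*:instance/*",
                   "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t3.micro", "t3.small"]}}}],
}

# Constructed organisation: SCPs attached per OU, and each account's path from the root.
ATTACHMENTS = {"Root": [SCP_REGION], "DataOps": [SCP_INSTANCE_TYPE], "Research": []}
ACCOUNT_PATH = {"111111111111": ["Root", "DataOps"], "222222222222": ["Root", "Research"]}


def _statement_denies(stmt, action, ctx):
    """Simplified IAM matching: a Deny applies when the action matches and every
    StringNotEquals condition holds (a missing key counts as 'not equal', as in IAM)."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch(action, pattern) for pattern in actions):
        return False
    for key, allowed in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        allowed = allowed if isinstance(allowed, list) else [allowed]
        if ctx.get(key) in allowed:
            return False  # condition not met, so this Deny does not apply
    return True


def scp_allows(account, action, ctx):
    """SCPs are inherited down the OU tree: a Deny at any level on the account's
    path blocks the request. Assumes the default FullAWSAccess SCP is attached everywhere."""
    for ou in ACCOUNT_PATH[account]:
        for scp in ATTACHMENTS[ou]:
            if any(_statement_denies(s, action, ctx)
                   for s in scp["Statement"] if s["Effect"] == "Deny"):
                return False
    return True
```

Calling `scp_allows` with the constructed DataOps account, `ec2:RunInstances` and an unapproved instance type returns False, while the same request from the Research account returns True; any action outside ap-northeast-1 returns False for both.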