Which solution will meet these requirements?
Configure all instances in each account in the OU to use AWS Systems Manager. Use a Systems Manager Automation runbook to prevent public IP addresses from being attached to the instances.
Implement the AWS Control Tower proactive control to check whether instances in the OU’s accounts have a public IP address. Set the AssociatePublicIpAddress property to False. Attach the proactive control to the OU.
Create an SCP that prevents the launch of instances that have a public IP address. Additionally, configure the SCP to prevent the attachment of a public IP address to existing instances. Attach the SCP to the OU.
Create an AWS Config custom rule that detects instances that have a public IP address. Configure a remediation action that uses an AWS Lambda function to detach the public IP addresses from the instances.
Explanations:
While using AWS Systems Manager to manage instances could help automate processes, it does not inherently prevent instances from being assigned public IP addresses. This option does not provide a direct control mechanism to enforce the restriction.
AWS Control Tower proactive controls can monitor compliance but cannot directly enforce settings like disabling public IPs on instances. They are used primarily for reporting compliance rather than implementing configuration changes.
Service Control Policies (SCPs) can effectively prevent the launch of EC2 instances with public IP addresses and also restrict attaching public IPs to existing instances. This approach enforces the policy at the organizational unit (OU) level, ensuring compliance across all accounts in the OU.
While creating an AWS Config rule could help identify and remediate instances with public IPs, it operates reactively rather than proactively. This means instances could initially gain public IPs before being remediated, which does not meet the requirement to prevent public IP assignment upfront.
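As an added illustration of the SCP approach described in the correct option (this policy is not part of the original question or its explanations), the following SCP denies ec2:RunInstances whenever the request asks for a public IPv4 address and denies ec2:AssociateAddress so that an Elastic IP cannot be attached to an existing instance afterwards. It assumes the ec2:AssociatePublicIpAddress condition key evaluated against the network-interface resource of the RunInstances call; the Sid values are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLaunchWithPublicIp",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:network-interface/*",
      "Condition": {
        "Bool": {
          "ec2:AssociatePublicIpAddress": "true"
        }
      }
    },
    {
      "Sid": "DenyAttachPublicIpToExistingInstances",
      "Effect": "Deny",
      "Action": "ec2:AssociateAddress",
      "Resource": "*"
    }
  ]
}
```

Attach the policy to the OU in AWS Organizations; because SCPs never restrict the management account, the test should be run from a member account in that OU, where a launch requesting a public IP returns an explicit deny.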