A company operates sensitive workloads across the AWS accounts that are in the company’s organization in AWS Organizations.The company uses an IP address range to delegate IP addresses for Amazon VPC CIDR blocks and all non-cloud hardware.The company needs a solution that prevents principals that are outside the company’s IP address range from performing AWS actions in the organization’s accounts.
Which solution will meet these requirements?
Configure AWS Firewall Manager for the organization. Create an AWS Network Firewall policy that allows only source traffic from the company’s IP address range. Set the policy scope to all accounts in the organization.
In Organizations, create an SCP that denies source IP addresses that are outside of the company’s IP address range. Attach the SCP to the organization’s root.
Configure Amazon GuardDuty for the organization. Create a GuardDuty trusted IP address list for the company’s IP range. Activate the trusted IP list for the organization.
In Organizations, create an SCP that allows source IP addresses that are inside of the company’s IP address range. Attach the SCP to the organization’s root.
I arrange that the answer is:
In Organizations, create an SCP that denies source IP addresses that are outside of the company’s IP address range. Attach the SCP to the organization’s root.