Which solutions to deploy the SCP will meet these requirements?

A company has an organization in AWS Organizations.The company runs Amazon EC2 instances across four AWS accounts in the root organizational unit (OU).There are three nonproduction accounts and one production account.The company wants to prohibit users from launching EC2 instances of a certain size in the nonproduction accounts.The company has created a service control policy (SCP) to deny access to launch instances that use the prohibited types.

Which solutions to deploy the SCP will meet these requirements?

(Choose two.)

Attach the SCP to the root OU for the organization.

Attach the SCP to the three nonproduction Organizations member accounts.

Attach the SCP to the Organizations management account.

Create an OU for the production account. Attach the SCP to the OU. Move the production member account into the new OU.

Create an OU for the required accounts. Attach the SCP to the OU. Move the nonproduction member accounts into the new OU.

Explanations:

Attaching the SCP to the root OU would apply the policy organization-wide, affecting both production and nonproduction accounts, which is not the desired outcome.

Attaching the SCP directly to the three nonproduction accounts would effectively enforce the restriction on only those accounts.

Attaching the SCP to the management account has no effect on the accounts under management. SCPs must be applied to OUs or member accounts, not the management account.

Creating an OU for the production account and attaching the SCP would inadvertently apply restrictions to the production account, which should be exempt from the restriction.

Creating an OU for the nonproduction accounts and attaching the SCP would limit the policy’s scope to just the nonproduction accounts, fulfilling the requirement.

Learn & move to cloud

Which solutions to deploy the SCP will meet these requirements?

Explanations:

Leave a Reply Cancel reply