A large company organizes hundreds of AWS accounts in AWS Organizations in Developer, Test, and Production OUs. Developers who have full administrative privileges in their respective accounts use the accounts in the Developer OU. The company wants to allow only certain Amazon EC2 instance types to be used within the Developer OU. How can the company prevent developer accounts from launching unapproved EC2 instance types?

Topic #: - All AWS Certified Security - Specialty Questions

A. Create a now launch template in each AWS account in the Developer OU to deny the ec2:RunInstances API call for instance types that are not in an approved list Associate these templates with all IAM principals in the account.
B. Create an IAM policy to deny the ec2:RunInstances API call for instance types that are not in an approved list. Attach the policy to all IAM principals in all the AWS accounts in the Developer OU.
C. Use a managed SCP that is attached to the organization’s root account to deny the ec2:RunInstances API call for instance types that are not in an approved list
D. Create an SCP to deny the ec2:RunInstances API call for instance types that are not in an approved list. Attach the policy to the Developer OU.

- Awsexamhub website is not related to, affiliated with, endorsed or authorized by Amazon.
- Trademarks, certification & product names are used for reference only and belong to Amazon.

Suggested Answer:

Share this post

Join the Discussion