A large company organizes hundreds of AWS accounts in AWS Organizations in Developer, Test, and Production OUs. Developers who have full administrative privileges in their respective accounts use the accounts in the Developer OU. The company wants to allow only certain Amazon EC2 instance types to be used within the Developer OU. How can the company prevent developer accounts from launching unapproved EC2 instance types?

Admin Staff asked 7 months ago

A. Create a new launch template in each AWS account in the Developer OU to deny the ec2:RunInstances API call for instance types that are not in an approved list. Associate these templates with all IAM principals in the account.

B. Create an IAM policy to deny the ec2:RunInstances API call for instance types that are not in an approved list. Attach the policy to all IAM principals in all the AWS accounts in the Developer OU.

C. Use a managed SCP that is attached to the organization's root account to deny the ec2:RunInstances API call for instance types that are not in an approved list.

D. Create an SCP to deny the ec2:RunInstances API call for instance types that are not in an approved list. Attach the policy to the Developer OU.








 

Suggested Answer: D

Community Answer: D
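
An SCP of the kind option D describes, as an added illustration that is not part of the original question. The Sid and the two approved instance types (`t3.micro`, `t3.small`) are placeholder assumptions, since the page does not name the approved list.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnapprovedInstanceTypesExample",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": ["t3.micro", "t3.small"]
        }
      }
    }
  ]
}
```

Attached to the Developer OU, this deny applies to every IAM principal in the member accounts, including account administrators, who cannot edit or detach an SCP from inside their own account. An SCP only limits what can be allowed and grants nothing itself, so the developers' existing IAM permissions still decide what they can do within that limit.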




This question is in SCS-C01 AWS Certified Security – Specialty Exam
For getting AWS Certified Security – Specialty Certificate


Disclaimers:
The website is not related to, affiliated with, endorsed or authorized by Amazon.
Trademarks, certification & product names are used for reference only and belong to Amazon.
The website does not contain actual questions and answers from Amazon's Certification Exam.