Q96 — AWS ANS-C01 Ch.1
A company has AWS accounts in an organization in AWS Organizations. The company has implemented Amazon VPC IP Address Manager (IPAM) in its networking AWS account. The company is using AWS Resource Access Manager (AWS RAM) to share IPAM pools with other AWS accounts. The company has created a top-level pool with a CIDR block of 10.0.0.0/8. For each AWS account, the company has created an IPAM pool within the top-level pool. A network engineer needs to implement a solution to ensure that users in each AWS account cannot create new VPCs. The solution also must prevent users from associating a CIDR block with existing VPCs unless the CIDR block is from the IPAM pool for that account. Which solution will meet these requirements?
- A. Create a new AWS Config rule to find all VPCs that are not configured to allocate their CIDR block from an IPAM pool. Invoke an AWS Lambda function to delete these VPCs.
- B. Create a new SCP in Organizations. Add a condition that denies the CreateVpc and AssociateVpcCidrBlock Amazon EC2 actions if the Ipv4IpamPoolId context key value is not the ID of an IPAM pool. ✓
- C. Create an AWS Lambda function to check for and delete all VPCs that are not configured to allocate their CIDR block from an IPAM pool. Invoke the Lambda function at regular intervals.
- D. Create an Amazon EventBridge rule to check for AWS CloudTrail events for the CreateVpc and AssociateVpcCidrBlock Amazon EC2 actions. Use the rule to invoke an AWS Lambda function to delete all VPCs that are not configured to allocate their CIDR block from an IPAM pool.
Correct Answer: B. Create a new SCP in Organizations. Add a condition that denies the CreateVpc and AssociateVpcCidrBlock Amazon EC2 actions if the Ipv4IpamPoolId context key value is not the ID of an IPAM pool.
Explanation
AWS Service Control Policies (SCPs) are used to centrally manage permissions at the organization level, allowing or denying specific actions in member accounts. The requirement in the question is to restrict account users from creating VPCs or associating CIDR blocks that do not come from the designated IPAM pool. Option B uses an SCP with a condition on `Ipv4IpamPoolId` to restrict these operations, directly denying unauthorized EC2 API calls. The other options rely on after-the-fact detection (AWS Config, Lambda deletion) or event response (EventBridge plus Lambda) and cannot block the operation in real time. See the AWS SCP documentation on using global condition context keys to control resource creation.
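As an added illustration (not part of the original question or of AWS documentation text), the SCP that option B describes looks like the following when attached to one account's OU; the key `ec2:Ipv4IpamPoolId` is the EC2 service condition key, and `ipam-pool-PLACEHOLDER` stands in for that account's real IPAM pool ID, which this page does not give:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyVpcCidrNotFromAccountIpamPool",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateVpc",
        "ec2:AssociateVpcCidrBlock"
      ],
      "Resource": "arn:aws:ec2:*:*:vpc/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:Ipv4IpamPoolId": "ipam-pool-PLACEHOLDER"
        }
      }
    }
  ]
}
```

Because `StringNotEquals` evaluates to true when the key is absent from the request, a call that specifies a literal CIDR instead of an IPAM pool is also denied; note that SCPs never apply to the organization's management account, so users there must be constrained another way.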