Q19 — AWS DOP-C02 Ch.1

Question 19 of 100

A company recently acquired another company. The acquiring company invited the acquired company to join its existing AWS Organization as a new organizational unit (OU). A DevOps engineer determined that the acquired company needs to launch only t3 instance types for its application workloads. The acquired company requires launching these instances only in the US West (Oregon) Region.

Correct Answer: A. Configure a statement to deny ec2:RunInstances on all EC2 instance resources when the ec2:InstanceType condition key does not equal t3*. Configure another statement to deny ec2:RunInstances on all EC2 instance resources when the aws:RequestedRegion condition key does not equal us-west-2.

Explanation

Service Control Policies (SCPs) act as permission boundaries: they only restrict permissions and never grant them. To limit launches to t3 instance types in us-west-2, the correct approach is to explicitly deny every ec2:RunInstances request that violates either condition. Option A denies non-t3 instance types and denies launches outside us-west-2. Because SCPs are deny-based and the actual permissions are granted by IAM policies downstream, this deny-only strategy ensures that only compliant launches succeed. Options B and D incorrectly attempt to use 'allow' statements (invalid in SCPs); Option C denies the *allowed* values, which would block all intended usage.
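The policy from the correct answer, written out as an SCP document. This is an added illustration, not part of the exam page: the Sid values are chosen for this example, and the instance-type pattern is narrowed to "t3.*" because the looser "t3*" wildcard would also match the separate t3a instance family.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonT3InstanceTypes",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotLike": {
          "ec2:InstanceType": "t3.*"
        }
      }
    },
    {
      "Sid": "DenyRunInstancesOutsideOregon",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": "us-west-2"
        }
      }
    }
  ]
}
```

Attach it to the acquired company's OU; the two explicit denies combine with whatever IAM policies grant in the member accounts, and an SCP never applies to the organization's management account.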