Q49 — AWS DOP-C02 Ch.2
Question 49 of 100 | Chapter 2
A company’s organization is structured under a single organizational unit (OU) governed by enterprise security policies. The company runs Amazon EC2 instances in OU accounts. It needs to restrict credential usage so that credentials assigned to a specific EC2 instance can only be used on that instance. Architects want to configure security for the EC2 instances. Which solution meets these requirements?
- A. Create a service control policy (SCP) specifying a VPC CIDR block. Configure the SCP to check whether the aws:VpcSourceIp condition key falls within the specified block. In the same SCP statement, check whether aws:EC2--------------- ----------------------------------------------------------------- If both conditions evaluate to false, deny access. Apply the SCP to the OU.
- B. Create an SCP that checks whether the values of the aws:EC2InstanceSourceVPC and aws:SourceVpc condition keys match. Deny access if they differ. In the same SCP statement, check whether the value of aws:EC2InstanceSourcePrivateIPv4 matches the aws:VpcSourceIp condition key. Deny access if they differ. Apply the SCP to the OU.
- C. Create an SCP containing an allowed list of VPC values and verify whether the aws:SourceVpc condition key value is in that list. In the same SCP statement, define an allowed list of IP address values and verify whether the aws:VpcSourceIp condition key is in that list. Deny access if both conditions evaluate to false. Apply the SCP to each account in the organization.
- D. Create an SCP that checks whether the aws:EC2InstanceSourceVPC and aws:VpcSourceIp condition keys match. Deny access if they differ. In the same SCP statement, check whether the aws:EC2 value matches itself. Deny access if they differ. Apply the SCP to each account in the organization.
Correct Answer: B. Create an SCP that checks whether the values of the aws:EC2InstanceSourceVPC and aws:SourceVpc condition keys match. Deny access if they differ. In the same SCP statement, check whether the value of aws:EC2InstanceSourcePrivateIPv4 matches the aws:VpcSourceIp condition key. Deny access if they differ. Apply the SCP to the OU.
Explanation
Service Control Policies (SCPs) enforce permission boundaries at the organization level. Per AWS documentation, condition keys such as aws:SourceVpc and aws:VpcSourceIp restrict access based on the VPC context a request originates from. The aws:EC2InstanceSourceVPC and aws:EC2InstanceSourcePrivateIPv4 keys carry the VPC and private IPv4 address of the instance the role credentials were issued to, while aws:SourceVpc and aws:VpcSourceIp carry the VPC and IP address the request actually arrives from. Option B denies any request where either pair differs: the request must come from the same VPC as the instance that holds the credentials (aws:EC2InstanceSourceVPC versus aws:SourceVpc) and from that instance's own private IP (aws:EC2InstanceSourcePrivateIPv4 versus aws:VpcSourceIp), so credentials stolen from an instance cannot be replayed from anywhere else. Applying the SCP to the OU covers every account in it with one policy. The other options reference invalid or irrelevant condition keys, compare the wrong pairs, or rely on static allow lists that never bind a credential to the specific instance it was issued to.
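The SCP that option B describes, as an added example that is not part of the original question page, together with a small simulator of the IAM condition semantics it depends on. The policy document itself is ordinary SCP JSON; the ec2:SourceInstanceARN and aws:ViaAWSService guards are additions beyond the question text (they scope the deny to direct calls made with instance-role credentials, so human roles and service-to-service calls are not blocked). The request contexts below are constructed sample values, not data from any real account.

```python
"""SCP binding EC2 instance-role credentials to the instance's own VPC and private IP,
plus a minimal evaluator for the condition operators the policy uses.

Added example: not from the original question page. The simulator models only the
three operators used here and treats an unresolvable ${...} policy variable as a
mismatch; that simplification is the simulator's own, not a statement about IAM.
"""
import json

# ec2:SourceInstanceARN / aws:ViaAWSService guards are additions beyond the question text.
_INSTANCE_CREDS_ONLY = {
    "Null": {"ec2:SourceInstanceARN": "false"},      # only instance-role credentials
    "BoolIfExists": {"aws:ViaAWSService": "false"},  # skip AWS service-to-service calls
}

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIfRequestNotFromInstanceVpc",
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:EC2InstanceSourceVPC": "${aws:SourceVpc}"},
                **_INSTANCE_CREDS_ONLY,
            },
        },
        {
            "Sid": "DenyIfRequestNotFromInstancePrivateIp",
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:EC2InstanceSourcePrivateIPv4": "${aws:VpcSourceIp}"},
                **_INSTANCE_CREDS_ONLY,
            },
        },
    ],
}


def policy_json() -> str:
    """Serialised SCP, ready to attach to the OU."""
    return json.dumps(POLICY, indent=2)


def _resolve(value, context):
    # Substitute a ${key} policy variable from the request context (None if absent).
    if value.startswith("${") and value.endswith("}"):
        return context.get(value[2:-1])
    return value


def _statement_matches(statement, context) -> bool:
    """True when every condition block in the statement matches the request context."""
    for operator, pairs in statement["Condition"].items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringNotEquals":
                # Negated operator: a key missing from the context counts as a match.
                if actual is None:
                    continue
                if actual == _resolve(expected, context):
                    return False
            elif operator == "Null":
                if (actual is None) != (expected == "true"):
                    return False
            elif operator == "BoolIfExists":
                # Only evaluated when the key is present in the context.
                if actual is not None and actual != expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(context) -> str:
    """'Deny' if any Deny statement matches, else 'NotDenied' (an SCP never grants)."""
    for statement in POLICY["Statement"]:
        if statement["Effect"] == "Deny" and _statement_matches(statement, context):
            return "Deny"
    return "NotDenied"


# Constructed sample context for credentials issued to one instance.
INSTANCE = {
    "ec2:SourceInstanceARN": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0",
    "aws:EC2InstanceSourceVPC": "vpc-0a1b2c3d",
    "aws:EC2InstanceSourcePrivateIPv4": "10.0.1.25",
}


def legitimate_call() -> str:
    """Request from the instance's own VPC and private IP."""
    return evaluate({**INSTANCE, "aws:SourceVpc": "vpc-0a1b2c3d", "aws:VpcSourceIp": "10.0.1.25"})


def replayed_from_other_vpc() -> str:
    """Same credentials, but the request arrives from a different VPC."""
    return evaluate({**INSTANCE, "aws:SourceVpc": "vpc-ffffffff", "aws:VpcSourceIp": "10.0.1.25"})


def replayed_from_other_host_same_vpc() -> str:
    """Same VPC, but a different private IP than the instance the credentials belong to."""
    return evaluate({**INSTANCE, "aws:SourceVpc": "vpc-0a1b2c3d", "aws:VpcSourceIp": "10.0.1.99"})


def human_role_not_affected() -> str:
    """No ec2:SourceInstanceARN in the context: the Null guard keeps the deny from firing."""
    return evaluate({"aws:SourceVpc": "vpc-ffffffff", "aws:VpcSourceIp": "192.0.2.10"})


def service_to_service_not_affected() -> str:
    """A call AWS makes on the instance's behalf carries aws:ViaAWSService=true."""
    return evaluate({**INSTANCE, "aws:ViaAWSService": "true"})


if __name__ == "__main__":
    print(policy_json())
    for fn in (legitimate_call, replayed_from_other_vpc, replayed_from_other_host_same_vpc,
               human_role_not_affected, service_to_service_not_affected):
        print(f"{fn.__name__}: {fn()}")
```

Two points worth checking before attaching a policy like this: aws:SourceVpc and aws:VpcSourceIp are only present for requests that traverse a VPC endpoint, so instances that reach AWS APIs over the internet will see the deny until endpoints exist; and because StringNotEquals is a negated operator, the Null guard on ec2:SourceInstanceARN is what keeps the statement from matching every non-instance principal.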