Q49 — AWS DOP-C02 Ch.2


A company’s organization is structured under a single organizational unit (OU) governed by enterprise security policies. The company runs Amazon EC2 instances in OU accounts. It needs to restrict credential usage so that credentials assigned to a specific EC2 instance can only be used on that instance. Architects want to configure security for the EC2 instances. Which solution meets these requirements?

Correct Answer: B. Create an SCP that checks whether the values of the aws:ec2InstanceSourceVPC and aws:SourceVpc condition keys match. Deny access if they differ. In the same SCP statement, check whether the value of aws:ec2InstanceSourcePrivateIPv4 matches the aws:VpcSourceIp condition key. Deny access if they differ. Apply the SCP to the OU.

Explanation

Service Control Policies (SCPs) enforce permission boundaries at the organization level. Per AWS documentation, the aws:SourceVpc and aws:VpcSourceIp condition keys describe where a request actually arrives from (the VPC and private IP seen at the VPC endpoint), while aws:ec2InstanceSourceVPC and aws:ec2InstanceSourcePrivateIPv4 are stamped into the credentials that the instance metadata service issues to an instance and describe where those credentials were issued. Option B denies any request in which the issuing VPC differs from the requesting VPC (aws:ec2InstanceSourceVPC vs. aws:SourceVpc) or the issuing private IP differs from the requesting IP (aws:ec2InstanceSourcePrivateIPv4 vs. aws:VpcSourceIp), so credentials copied off an instance and replayed from anywhere else fail, which binds each credential set to its instance. Other options reference invalid or irrelevant condition keys or fail to establish precise instance-VPC binding.
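The SCP described above, written out as an added example (not code from the original question page), following the pattern AWS documents for these condition keys; the Sid names are assumptions. The two comparisons sit in separate Deny statements so that a mismatch in either one is denied (condition keys inside one statement are ANDed), the Null check on ec2:SourceInstanceARN scopes each deny to requests made with instance-role credentials, and aws:ViaAWSService excludes calls a service makes on the role's behalf.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInstanceCredsFromOtherVpc",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ec2InstanceSourceVPC": "${aws:SourceVpc}"
        },
        "Null": {
          "ec2:SourceInstanceARN": "false"
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        }
      }
    },
    {
      "Sid": "DenyInstanceCredsFromOtherIp",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ec2InstanceSourcePrivateIPv4": "${aws:VpcSourceIp}"
        },
        "Null": {
          "ec2:SourceInstanceARN": "false"
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}
```

aws:SourceVpc and aws:VpcSourceIp are populated only for requests that reach the service through a VPC endpoint, so confirm endpoint coverage and test in a single account before attaching the SCP to the OU.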