Q74 — AWS DOP-C02 Ch.3


A company performs sensitive workloads in accounts belonging to an AWS Organization. The company uses a single IP address range to scope the Amazon VPC CIDR block and assign IP addresses to on-premises hardware. The company needs a solution to prevent principals outside the company's IP address range from performing AWS operations in the organization's accounts. Which solution meets these requirements?

Correct Answer: B. Create a Service Control Policy (SCP) in the organization that denies API requests from source IP addresses outside the company's IP address range. Attach the SCP to the organization's root.

Explanation

Service Control Policies (SCPs) set the maximum permissions available to IAM principals in the member accounts of an AWS Organization. They are attached at the organization root, to an organizational unit (OU) or to an individual account; an SCP attached to the root applies to every member account (it does not restrict the management account, and it does not affect service-linked roles). An SCP is an IAM-style policy document, so its statements can use condition keys such as aws:SourceIp to match the public IP address the request came from. The requirement is to block any operation that does not originate inside the company's range, and a Deny statement with a NotIpAddress condition on aws:SourceIp expresses exactly that; because an explicit Deny in an SCP overrides any Allow in the accounts' own IAM policies, no per-account policy can opt out of it. Two caveats apply when writing such a policy: calls that AWS services make on a principal's behalf (for example CloudFormation provisioning resources) arrive from the service's IP rather than the company's, so AWS's documented source-IP deny policy additionally requires aws:ViaAWSService to be false; and requests made through a VPC endpoint carry aws:VpcSourceIp instead of aws:SourceIp, so a VPC-endpoint path needs its own condition.

Option A filters network traffic (security groups and network ACLs act on packets reaching VPC resources), which says nothing about which principals may call the AWS APIs. Option C's trusted IP list belongs to Amazon GuardDuty, a threat-detection service: it suppresses findings for the listed addresses and enforces no access control. Option D relies on an Allow statement, but an SCP Allow grants nothing on its own and, with the default FullAWSAccess SCP still attached to the root, restricts nothing either; requests from other addresses are not blocked unless something explicitly denies them, which runs against least privilege. Option B's explicit Deny is the construct that actually blocks requests from outside the company's range.
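As an added example (not part of the exam page and not AWS's own code), the following Python builds the deny-based SCP described above and runs it, together with the default FullAWSAccess SCP and an Allow-only variant in the shape of option D, through a small model of SCP evaluation over constructed request contexts. The CIDR, the IP addresses and the request labels are hypothetical; the model covers only the IpAddress, NotIpAddress and Bool operators these policies use, treats a negated operator on a missing key as matching (the behaviour that makes the deny catch VPC-endpoint requests), and counts a request as allowed when no Deny matches and some attached SCP's Allow does.

```python
"""Added example: build the source-IP deny SCP and evaluate it against
constructed request contexts with a minimal model of SCP evaluation.
CIDRs, IPs and request labels are hypothetical (RFC 5737 documentation space)."""
import ipaddress
import json

# Hypothetical corporate range; it covers the VPC CIDR and on-premises hosts alike.
COMPANY_CIDRS = ["203.0.113.0/24"]

# The default SCP AWS Organizations attaches to the root: an unconditional Allow.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def build_deny_scp(cidrs, exempt_service_calls=True):
    """Deny every API action whose aws:SourceIp falls outside `cidrs`.

    With exempt_service_calls=True the deny also requires aws:ViaAWSService to be
    false, so calls an AWS service makes on the principal's behalf (which arrive
    from the service's IP, not the caller's) are left alone. AWS's documented
    source-IP deny policy carries the same exclusion.
    """
    condition = {"NotIpAddress": {"aws:SourceIp": list(cidrs)}}
    if exempt_service_calls:
        condition["Bool"] = {"aws:ViaAWSService": "false"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyRequestsOutsideCorporateRange",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": condition,
        }],
    }


def build_allow_scp(cidrs):
    """Option-D shape: an Allow scoped to the corporate range. An SCP Allow grants
    nothing by itself and, next to FULL_AWS_ACCESS, restricts nothing either."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {"IpAddress": {"aws:SourceIp": list(cidrs)}},
        }],
    }


def _ip_in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def _condition_matches(condition, ctx):
    """Evaluate the three operators used above against a request context.
    Positive operators (IpAddress, Bool) are false when the key is absent;
    the negated NotIpAddress is true when the key is absent, which is why a
    request through a VPC endpoint (aws:VpcSourceIp, no aws:SourceIp) is denied."""
    for key, cidrs in condition.get("IpAddress", {}).items():
        if key not in ctx or not _ip_in_any(ctx[key], cidrs):
            return False
    for key, cidrs in condition.get("NotIpAddress", {}).items():
        if key in ctx and _ip_in_any(ctx[key], cidrs):
            return False
    for key, expected in condition.get("Bool", {}).items():
        if key not in ctx or str(ctx[key]).lower() != expected.lower():
            return False
    return True


def evaluate(scps, ctx):
    """SCP decision for one request: any matching Deny wins; otherwise the
    request needs a matching Allow from at least one attached SCP."""
    allowed = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if _condition_matches(stmt.get("Condition", {}), ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"


# Constructed request contexts (the values the condition keys would carry).
REQUESTS = {
    "admin_in_office":  {"aws:SourceIp": "203.0.113.25", "aws:ViaAWSService": "false"},
    "admin_from_hotel": {"aws:SourceIp": "198.51.100.7", "aws:ViaAWSService": "false"},
    # CloudFormation acting for that admin: service IP, on-behalf flag set.
    "cfn_on_behalf":    {"aws:SourceIp": "192.0.2.10", "aws:ViaAWSService": "true"},
    # Same admin through an interface VPC endpoint: aws:SourceIp is absent.
    "admin_via_vpce":   {"aws:VpcSourceIp": "203.0.113.40", "aws:ViaAWSService": "false"},
}


def decisions(scps):
    return {name: evaluate(scps, ctx) for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(build_deny_scp(COMPANY_CIDRS), indent=2))
    print("deny + FullAWSAccess:", decisions([FULL_AWS_ACCESS, build_deny_scp(COMPANY_CIDRS)]))
    print("deny, no ViaAWSService exemption:",
          decisions([FULL_AWS_ACCESS, build_deny_scp(COMPANY_CIDRS, exempt_service_calls=False)]))
    print("allow-only + FullAWSAccess:", decisions([FULL_AWS_ACCESS, build_allow_scp(COMPANY_CIDRS)]))
```

Running it shows the three outcomes the explanation argues: the deny SCP lets the in-office request and the CloudFormation on-behalf call through and blocks the hotel request; dropping the aws:ViaAWSService exemption also blocks the on-behalf call; and the Allow-only SCP beside FullAWSAccess blocks nothing at all. The VPC-endpoint request is denied in both deny variants, which is the aws:VpcSourceIp caveat in practice.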