Q74 — AWS DOP-C02 Ch.3
A company performs sensitive workloads in accounts belonging to an AWS Organization. The company uses a single IP address range to scope the Amazon VPC CIDR block and assign IP addresses to on-premises hardware. The company needs a solution to prevent principals outside the company's IP address range from performing AWS operations in the organization's accounts. Which solution meets these requirements?
- A. Configure AWS Firewall Manager for the organization. Create an AWS Network Firewall policy that allows only source traffic from the company's IP address range. Apply the policy scope to all accounts within the organization.
- B. Create a Service Control Policy (SCP) in the organization that denies API requests from source IP addresses outside the company's IP address range. Attach the SCP to the organization's root. ✓
- C. Configure Amazon GuardDuty for the organization. Create a trusted IP address list for the company's IP range. Enable the trusted IP list for the organization.
- D. Create a Service Control Policy (SCP) in the organization that allows API requests only from source IP addresses within the company's IP address range. Attach the SCP to the organization's root.
Correct Answer: B. Create a Service Control Policy (SCP) in the organization that denies API requests from source IP addresses outside the company's IP address range. Attach the SCP to the organization's root.
Explanation
AWS Service Control Policies (SCPs) centrally set the maximum permissions available to accounts at the organization root or organizational unit (OU) level. According to the AWS Organizations documentation, SCPs can allow or deny AWS API actions based on conditions such as the request's source IP address, and an SCP attached to the organization root applies to every member account. The requirement is to block operations that originate outside the company's IP range, and a deny-based SCP enforces exactly that restriction across the organization.

Option A filters network traffic with AWS Network Firewall; it is not API-level access control. Option C's trusted IP list belongs to Amazon GuardDuty, which is a threat detection service, not an access control mechanism. Option D uses an allow policy but does not explicitly deny requests from other sources by default, which violates least-privilege principles. Option B's explicit deny policy correctly blocks API requests from unauthorized source IP addresses.