Q6 — AWS SAP-C02 Ch.1
Q81. A company has hundreds of AWS accounts. The company recently implemented a centralized internal process for purchasing new Reserved Instances and modifying existing Reserved Instances. This process requires all business units that want to purchase or modify Reserved Instances to submit requests to a dedicated team for procurement. Previously, business units directly purchased or modified Reserved Instances in their own respective AWS accounts autonomously. A solutions architect needs to enforce the new process in the most secure way possible. Which combination of steps should the solutions architect take to meet these requirements? (Select TWO.)
- A. Ensure that all AWS accounts are part of an organization in AWS Organizations with all features enabled. ✓
- B. Use AWS Config to report on the attachment of an IAM policy that denies access to the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.
- C. In each AWS account, create an IAM policy that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.
- D. Create an SCP that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action. Attach the SCP to each OU of the organization. ✓
- E. Ensure that all AWS accounts are part of an organization in AWS Organizations that uses the consolidated billing feature.
Correct Answer: A. Ensure that all AWS accounts are part of an organization in AWS Organizations with all features enabled. D. Create an SCP that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action. Attach the SCP to each OU of the organization.
Explanation
To enforce the new centralized procurement process for Reserved Instances securely across hundreds of AWS accounts, the recommended steps are A and D.

Step A: Ensure that all AWS accounts are part of an organization in AWS Organizations with all features enabled. Organizing the accounts under AWS Organizations lets you manage and enforce policies centrally across every account. "All features" mode is what enables service control policies (SCPs); consolidated billing alone does not.

Step D: Create an SCP that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action, and attach it to each organizational unit (OU) of the organization. An SCP is applied at the root, OU, or account level and sets the maximum permissions available to the principals in the affected accounts; it restricts what IAM policies in those accounts can grant. An SCP that denies purchasing and modifying Reserved Instances therefore enforces the new procurement process and prevents individual business units from making these changes autonomously, regardless of how permissive their own IAM policies are.

Together, these steps enforce the new process across all AWS accounts by removing the ability to purchase or modify Reserved Instances outside the dedicated procurement team, with the restriction managed and controlled centrally through AWS Organizations and SCPs.

Option B is incorrect because using AWS Config to report on IAM policies that deny the required actions would provide visibility only; it would not enforce the new process or restrict the actions.

Option C is incorrect because creating an IAM policy in each AWS account to deny the required actions would require manual configuration per account, making it harder to enforce and centralize the process, and an account administrator could simply detach or edit the policy.

Option E is incorrect because, while consolidated billing in AWS Organizations provides cost-management benefits, it does not enable SCPs and so does not address the requirement of enforcing the new procurement process or securing the actions.

Therefore, the recommended steps are A and D to enforce the new process in the most secure way possible.
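The SCP described in step D, written out as an added example (not part of the original question or an AWS-supplied policy). It assumes the central procurement team operates through a role named ReservedInstanceProcurementRole, which is a placeholder; the condition exempts that role so the dedicated team can still act while everyone else in the attached OUs is denied.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyReservedInstancePurchaseAndModifyExceptProcurementTeam",
      "Effect": "Deny",
      "Action": [
        "ec2:PurchaseReservedInstancesOffering",
        "ec2:ModifyReservedInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/ReservedInstanceProcurementRole"
        }
      }
    }
  ]
}
```

An SCP never applies to the organization's management account, so the procurement team's account should be a member account placed in an OU where this policy is attached, or the exemption above should be used, rather than relying on the management account. Denying the actions in an SCP does not remove them from IAM policies in the member accounts; it simply makes those grants ineffective, which is why step D is sufficient on its own.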