Q36 — AWS SAP-C02 Ch.3
Q261. A company is using AWS Organizations to manage multiple accounts. Due to regulatory requirements, the company wants to restrict specific member accounts to certain AWS Regions, where they are permitted to deploy resources. The resources in the accounts must be tagged, enforced based on a group standard, and centrally managed with minimal configuration. What should a solutions architect do to meet these requirements?
- A. Create an AWS Config rule in the specific member accounts to limit Regions and apply a tag policy.
- B. From the AWS Billing and Cost Management console, in the master account, disable Regions for the specific member accounts and apply a tag policy on the root.
- C. Associate the specific member accounts with the root. Apply a tag policy and an SCP using conditions to limit Regions.
- D. Associate the specific member accounts with a new OU. Apply a tag policy and an SCP using conditions to limit Regions. ✓
Correct Answer: D. Associate the specific member accounts with a new OU. Apply a tag policy and an SCP using conditions to limit Regions.
Explanation
To meet the requirements of restricting specific member accounts to certain AWS Regions, enforcing a group standard for resource tagging, and managing everything centrally with minimal configuration, a solutions architect should associate the specific member accounts with a new organizational unit (OU) and then apply a tag policy and a service control policy (SCP) to that OU, with the SCP using conditions to limit the allowed Regions. An SCP lets you specify the services and actions that users and roles can use in each account or OU within your organization, so a condition on the requested Region restricts where those accounts can deploy resources. Placing the accounts in a new OU, rather than attaching the policies to the root, scopes the restriction to only the accounts that need it instead of to every account in the organization. Applying a tag policy ensures that any resources deployed in those accounts are tagged consistently according to the defined group standard; the tags also enable easier management of those resources as well as cost allocation and chargeback. This approach enforces the required restrictions while providing centralized management, which minimizes the need for additional configuration in each individual account.