Questions 31 to 33

Explanations for questions 31 to 33

Question 31

An AWS Organization has an OU with multiple member accounts in it. The company needs to restrict launches to specific Amazon EC2 instance types only. How can this policy be applied across accounts with the least effort?

  1. Create an SCP with an allow rule that allows launching the specific instance types.
  2. Create an SCP with a deny rule that denies all except the specific instance types.
  3. Create an IAM policy to deny launching all except the specific instance types.
  4. Use AWS Resource Access Manager to control which launch types can be used.

Correct Answer: 2

Explanation: To apply the restrictions across multiple member accounts, you must use a Service Control Policy (SCP) in the AWS Organization. You do this by creating a deny rule that applies to any launch whose instance type does not equal the specific instance type you want to allow.
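As an added example (not part of the original course material), the deny rule described above can be written as the SCP below, with a small model of how its condition treats a launch request. The instance types, the `Sid`, and the `scp_denies` helper are assumptions made for illustration; the helper models only this one condition and is not AWS's policy engine.

```python
import json

# Constructed allow-list (assumption): substitute the types your organization permits.
ALLOWED_INSTANCE_TYPES = ["t3.micro", "t3.small"]

# SCP: deny ec2:RunInstances on instance resources unless the requested type
# is in the allow-list. Attached to the OU, it applies to every member account in it.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnapprovedInstanceTypes",  # hypothetical name
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringNotEquals": {"ec2:InstanceType": ALLOWED_INSTANCE_TYPES}
            },
        }
    ],
}


def scp_denies(policy, action, instance_type):
    """Simplified model of the single condition used above.

    StringNotEquals with several values is true only when the request value
    matches none of them, so the Deny fires for every type outside the list.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        allowed = stmt["Condition"]["StringNotEquals"]["ec2:InstanceType"]
        if instance_type not in allowed:
            return True
    return False


def policy_json(policy=SCP):
    """Return the policy document as JSON, ready to paste into an SCP."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_json())
    for itype in ("t3.micro", "m5.24xlarge"):  # constructed sample requests
        denied = scp_denies(SCP, "ec2:RunInstances", itype)
        print(itype, "->", "denied" if denied else "not denied by SCP")
```

An SCP only limits what member accounts can do; IAM policies in each account must still allow `ec2:RunInstances` for the permitted types.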

The following architecture can be used to achieve this goal:
