AWS Certified Solutions Architect - Professional / Question #653

Question #653

A company operates multiple AWS accounts and recently established a centralized process for managing RDS Reserved Instances. All business units must now submit requests to a central team to purchase new RDS Reserved Instances or modify existing ones. Previously, business units could autonomously manage RDS Reserved Instances in their own accounts. A solutions architect must enforce this new process securely. Which combination of steps should the architect take? (Choose two.)

A

Ensure all AWS accounts are part of an organization in AWS Organizations with all features enabled.

B

Use AWS Config to monitor compliance with IAM policies that deny the rds:PurchaseReservedDBInstances and rds:ModifyReservedDBInstances actions.

C

Create an IAM policy in each account denying the rds:PurchaseReservedDBInstances and rds:ModifyReservedDBInstances actions.

D

Create an SCP denying the rds:PurchaseReservedDBInstances and rds:ModifyReservedDBInstances actions, and attach it to all relevant OUs.

E

Enable consolidated billing for all accounts in AWS Organizations.

Explanation

A. Service control policies (SCPs) are available only in an organization that has all features enabled; an organization created for consolidated billing only cannot use them. SCPs are the mechanism for restricting actions centrally across many accounts, so this is a prerequisite.
D. An SCP is a guardrail set from the management account: it caps the permissions of every principal in the member accounts it applies to, including each account's root user and administrators, and nothing inside a member account can override an explicit Deny in it. Denying rds:PurchaseReservedDBInstances and rds:ModifyReservedDBInstances in an SCP attached to the business units' OUs therefore prevents those units from purchasing or modifying RDS Reserved Instances on their own. Note that SCPs never apply to the management account, so the central team should make its purchases from an account outside the restricted OUs (the management account or a dedicated purchasing account), and it should keep its own purchasing role outside those OUs rather than adding exceptions to the deny statement.

Why not others:
B. AWS Config is a detective control: it can report that a policy is missing or non-compliant after the fact, but it does not block the API call, and a Reserved Instance purchase commits the company to a one- or three-year term the moment it succeeds.
C. IAM policies live inside each account and can be edited, detached or replaced by that account's own administrators, so they do not enforce the process securely; they also have to be created and maintained account by account, which does not scale.
E. Consolidated billing aggregates charges (and lets Reserved Instance discounts apply across the organization's accounts), but it is a billing feature and restricts no actions.
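The following added example (not part of the original question or explanation) builds the SCP document from option D and runs it through a deliberately simplified model of the AWS authorization flow to show why an SCP deny holds where an account-local IAM deny (option C) does not. The evaluator is an assumption-laden toy: it handles only Allow/Deny statements with action wildcards, ignores resources, conditions, permissions boundaries and session policies, and treats the management account as exempt from SCPs. The policy names and the "business-unit admin" identity policy are constructed for illustration.

```python
import fnmatch
import json

# The two actions the central process reserves for itself (from the question).
RESTRICTED_ACTIONS = (
    "rds:PurchaseReservedDBInstances",
    "rds:ModifyReservedDBInstances",
)

# The default SCP that AWS Organizations attaches to every root, OU and account.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def build_scp() -> dict:
    """SCP document for option D, to be attached to the business-unit OUs.

    An explicit Deny in an SCP applies to every principal in the affected
    member accounts, root user included, and cannot be overridden from
    inside those accounts.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyRdsReservedInstanceManagement",
                "Effect": "Deny",
                "Action": list(RESTRICTED_ACTIONS),
                "Resource": "*",
            }
        ],
    }


def _matches(policy: dict, action: str, effect: str) -> bool:
    """True if a statement with the given Effect covers the action (wildcards allowed)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != effect:
            continue
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(action, p) for p in patterns):
            return True
    return False


def is_allowed(action: str, identity_policies: list, scps: list,
               in_management_account: bool = False) -> bool:
    """Simplified model (assumption) of AWS authorization for an IAM principal.

    1. SCPs are ignored for the management account.
    2. Any SCP Deny matching the action is final.
    3. Some SCP must Allow the action (FullAWSAccess normally does).
    4. Any identity-policy Deny is final; otherwise an Allow is required.
    """
    if not in_management_account:
        if any(_matches(p, action, "Deny") for p in scps):
            return False
        if not any(_matches(p, action, "Allow") for p in scps):
            return False
    if any(_matches(p, action, "Deny") for p in identity_policies):
        return False
    return any(_matches(p, action, "Allow") for p in identity_policies)


def compare_controls(action: str = "rds:PurchaseReservedDBInstances") -> dict:
    """Evaluate the same purchase attempt under option C and option D."""
    # Constructed: a business-unit administrator with full access in their account.
    bu_admin = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
    # Constructed: the account-local IAM deny from option C.
    local_deny = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Deny", "Action": list(RESTRICTED_ACTIONS),
                                 "Resource": "*"}]}
    return {
        # Option C while the local deny is in place: blocked.
        "option_c_in_place": is_allowed(action, [bu_admin, local_deny], [FULL_AWS_ACCESS]),
        # Option C after the account admin removes the local deny: allowed again.
        "option_c_removed_by_account_admin": is_allowed(action, [bu_admin], [FULL_AWS_ACCESS]),
        # Option D: the SCP deny holds no matter what the account admin does.
        "option_d_scp_attached": is_allowed(action, [bu_admin], [FULL_AWS_ACCESS, build_scp()]),
        # The central team, purchasing from the management account, is unaffected.
        "central_team_management_account": is_allowed(
            action, [bu_admin], [FULL_AWS_ACCESS, build_scp()], in_management_account=True),
    }


if __name__ == "__main__":
    print(json.dumps(build_scp(), indent=2))
    for scenario, allowed in compare_controls().items():
        print(f"{scenario}: {'ALLOWED' if allowed else 'DENIED'}")
```

The printed SCP is the document you would upload with `aws organizations create-policy --type SERVICE_CONTROL_POLICY` and then attach to each business-unit OU; the scenario table makes the security argument concrete: the account-local deny disappears as soon as an account administrator edits it, while the SCP deny survives because it is managed only from the management account.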

Answer

The correct answer is: AD