AWS Certified Solutions Architect - Professional / Question #661 of 529

Question #661

A company manages multiple AWS accounts using AWS Organizations. The root OU contains two OUs: Development and Production.

Due to compliance requirements, all resources in the organization must be deployed in the us-west-2 Region. Additionally, RDS instances in the Production OU must use a predefined set of database instance classes.

A solutions architect must implement a solution that enforces these restrictions while maximizing operational efficiency and minimizing ongoing maintenance.

Which combination of steps will meet these requirements? (Choose two.)

A

Create an IAM role in one account under the Production OU. Use the rds:DBInstanceClass condition key in an inline policy on the role to restrict access to specific instance classes.

B

Create an IAM user in all accounts under the root OU. Use the aws:RequestedRegion condition key in an inline policy on each user to restrict access to all AWS Regions except us-west-2.

C

Create an SCP. Use the aws:RequestedRegion condition key to deny access to all AWS Regions except us-west-2. Apply the SCP to the root OU.

D

Create an SCP. Use the rds:Region condition key to restrict access to all AWS Regions except us-west-2. Apply the SCP to the root OU, Development OU, and Production OU.

E

Create an SCP. Use the rds:DBInstanceClass condition key to restrict access to specific database instance classes. Apply the SCP to the Production OU.

Explanation

Answer C uses an SCP with the aws:RequestedRegion condition key to deny requests to every Region except us-west-2. Attached to the root OU, the SCP is inherited by the Development and Production OUs and by every account beneath them, so the restriction is enforced once rather than per account. In practice the Deny statement must exempt global services (IAM, STS, Organizations, CloudFront, Route 53 and similar), whose API calls carry a different Region in aws:RequestedRegion and would otherwise be blocked. Answer E uses an SCP conditioned on the RDS instance-class key to deny any database instance class outside the approved set; attaching it only to the Production OU leaves Development unaffected. Two practical checks apply: the Service Authorization Reference lists the instance-class key as rds:DatabaseClass (the option writes it as rds:DBInstanceClass), so confirm the exact name before deploying, and scope the Deny to the RDS actions that actually carry the key, because a negated operator such as StringNotEquals matches when the key is absent from the request and a Deny on rds:* would also block read-only calls. SCPs are preferred over IAM roles and users (A, B) because they are guardrails managed centrally from the management account, apply to every principal in the affected accounts, and need no per-account maintenance; note that an SCP never grants permissions, it only bounds what IAM policies inside the account can allow. Option A covers a single role in a single account, and Option B requires creating and maintaining an IAM user in every account. Option D uses rds:Region, which is not the condition key for the Region of a request, and attaching the same SCP to the root OU and to both child OUs is redundant because child OUs inherit it. Key points: use SCPs for organization-wide guardrails, aws:RequestedRegion for Region restrictions, exempt global services from a Region deny, and attach each policy at the highest OU that should be subject to it.
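The two policies from answers C and E written out, together with a small simulator of the explicit-Deny logic an SCP adds, as an added example that is not part of the original question or of any AWS documentation. The global-service exemption list, the approved instance classes, the request contexts and the OU-to-SCP mapping are assumptions for illustration; the instance-class key follows the Service Authorization Reference name (rds:DatabaseClass), which the exam option writes as rds:DBInstanceClass.

```python
"""Simplified SCP evaluator: models only whether an explicit Deny in an SCP
matches a request. SCPs never grant access; an allowed action still needs an
IAM allow inside the member account. Service and action names below are
assumptions for illustration; confirm them against the AWS Service
Authorization Reference before deploying."""
import fnmatch

# Answer C: one SCP attached to the root OU, inherited by Development and
# Production. Global services are exempted: their API calls carry a Region
# such as us-east-1 in aws:RequestedRegion and would otherwise be denied.
REGION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideUsWest2",
        "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "organizations:*", "cloudfront:*",
                      "route53:*", "support:*", "budgets:*", "health:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-west-2"}},
    }],
}

# Answer E: attached to the Production OU only. The Deny is scoped to RDS
# actions that carry the instance-class key. A negated operator matches when
# its key is absent, so a Deny on rds:* would also block reads such as
# rds:DescribeDBInstances.
ALLOWED_CLASSES = ["db.r6g.large", "db.r6g.xlarge", "db.r6g.2xlarge"]  # assumed set
PROD_RDS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnapprovedInstanceClass",
        "Effect": "Deny",
        "Action": ["rds:CreateDBInstance", "rds:ModifyDBInstance"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"rds:DatabaseClass": ALLOWED_CLASSES}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_selected(stmt, action):
    """Action/NotAction matching with the usual '*' wildcards."""
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    return not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))


def _condition_holds(cond, ctx):
    """Supports the two string operators used above. StringNotEquals follows
    the negated-operator rule: a key missing from the request context counts
    as 'not equal', so the condition is satisfied."""
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            wanted = _as_list(wanted)
            if op == "StringEquals":
                if key not in ctx or ctx[key] not in wanted:
                    return False
            elif op == "StringNotEquals":
                if key in ctx and ctx[key] in wanted:
                    return False
            else:
                raise ValueError(f"operator {op} not modelled")
    return True


def scp_denies(scp, action, ctx):
    """True if any Deny statement in the SCP matches the request."""
    return any(stmt["Effect"] == "Deny"
               and _action_selected(stmt, action)
               and _condition_holds(stmt.get("Condition", {}), ctx)
               for stmt in scp["Statement"])


def denied_in_ou(ou, action, ctx):
    """Effective guardrails: the root SCP applies everywhere, the RDS SCP
    only to accounts under the Production OU (assumed OU names)."""
    scps = [REGION_SCP] + ([PROD_RDS_SCP] if ou == "Production" else [])
    return any(scp_denies(s, action, ctx) for s in scps)


if __name__ == "__main__":
    # Constructed request contexts, not captured from CloudTrail.
    print(denied_in_ou("Development", "ec2:RunInstances",
                       {"aws:RequestedRegion": "us-east-1"}))               # True
    print(denied_in_ou("Development", "iam:CreateRole",
                       {"aws:RequestedRegion": "us-east-1"}))               # False
    print(denied_in_ou("Production", "rds:CreateDBInstance",
                       {"aws:RequestedRegion": "us-west-2",
                        "rds:DatabaseClass": "db.m5.large"}))               # True
    print(denied_in_ou("Production", "rds:DescribeDBInstances",
                       {"aws:RequestedRegion": "us-west-2"}))               # False
```

The evaluator deliberately models only explicit Deny: that is all an SCP contributes to the final decision. The last call shows why the RDS Deny is scoped to specific actions; widening it to rds:* would make the same request come back denied.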

Answer

The correct answer is: CE