A company has an organization in AWS Organizations. The company runs Amazon EC2 instances across four AWS accounts in the root organizational unit (OU): three nonproduction accounts and one production account. The company wants to prohibit users from launching EC2 instances of a certain size in the nonproduction accounts. The company has created a service control policy (SCP) to deny launches of the prohibited instance types. Which solutions to deploy the SCP will meet these requirements? (Choose two.)
Choose an answer
Tap an option to check your answer.
Correct answer: Attach the SCP to the three nonproduction Organizations member accounts., Create an OU for the required accounts. Attach the SCP to the OU. Move the nonproduction member accounts into the new OU..
Why this is the answer
The correct options effectively apply the SCP to only the nonproduction accounts. Attaching the SCP directly to the three nonproduction accounts ensures that the policy applies to them without affecting the production account. Alternatively, creating a new Organizational Unit (OU) specifically for the nonproduction accounts and then attaching the SCP to that OU achieves the same result. This method is often preferred for scalability and easier management when dealing with many accounts. Attaching the SCP to the root OU would apply the policy to all accounts, including the production account, which is not desired. Attaching it to the management account would only affect the management account itself, not the nonproduction accounts. Creating an OU for the production account and moving it there, then attaching the SCP to that OU, would incorrectly apply the restriction to the production account.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed