
SAP-C02: Restricting AWS Regions for Member Accounts in AWS Organizations

Learn how to restrict specific member accounts to certain AWS Regions in AWS Organizations and centrally manage resources with minimal configuration using tag policies and SCPs.


Question

A company is using AWS Organizations to manage multiple accounts. Due to regulatory requirements, the company wants to restrict specific member accounts to certain AWS Regions, where they are permitted to deploy resources. The resources in the accounts must be tagged, enforced based on a group standard, and centrally managed with minimal configuration.

What should a solutions architect do to meet these requirements?

A. Create an AWS Config rule in the specific member accounts to limit Regions and apply a tag policy.
B. From the AWS Billing and Cost Management console, in the management account, disable Regions for the specific member accounts and apply a tag policy on the root.
C. Associate the specific member accounts with the root. Apply a tag policy and an SCP using conditions to limit Regions.
D. Associate the specific member accounts with a new OU. Apply a tag policy and an SCP using conditions to limit Regions.

Answer

D. Associate the specific member accounts with a new OU. Apply a tag policy and an SCP using conditions to limit Regions.

Explanation

To meet the requirements of restricting specific member accounts to certain AWS Regions and centrally managing resources with minimal configuration, a solutions architect should create a new OU (Organizational Unit) in AWS Organizations and move the specific member accounts to this OU. Then, the architect can apply a tag policy and an SCP with conditions to limit the allowed Regions for resource deployment.

Here are the steps to achieve this:

  1. Create a new OU in AWS Organizations.
  2. Move the specific member accounts to the new OU.
  3. Create a tag policy that requires resources to be tagged with a specific key-value pair.
  4. Create an SCP that allows API calls only from the permitted Regions. Use conditions to check for the tag policy.
  5. Attach the SCP to the new OU.

This solution ensures that the specific member accounts can only deploy resources in the permitted Regions and that all resources are tagged according to the company’s tagging policy.
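As an added example (not part of the original page), the five steps above as a single POSIX shell script: it defines the tag policy and the Region-restricting SCP as JSON, then uses the AWS Organizations CLI to create the OU, move the accounts into it, and attach both policies. The OU name, account IDs, allowed Regions, tag key/values, the exempted global services and the break-glass role name are constructed placeholders, and the script assumes the accounts currently sit directly under the organization root.

```shell
#!/bin/sh
# Added example (not from the original page): tag policy, Region SCP, and the
# Organizations CLI calls that create the OU, move accounts and attach policies.
# OU name, account IDs, Regions, tag values and role name are placeholders.
set -eu

OU_NAME="RegulatedWorkloads"
MEMBER_ACCOUNTS="111111111111 222222222222"   # placeholder account IDs
ALLOWED_REGIONS='["eu-west-1", "eu-central-1"]'

# Step 3: tag policy. enforced_for makes the listed resource types reject
# tagging operations that use a non-compliant CostCenter key or value.
tag_policy_json() {
  cat <<'EOF'
{
  "tags": {
    "costcenter": {
      "tag_key": { "@@assign": "CostCenter" },
      "tag_value": { "@@assign": ["CC-100", "CC-200"] },
      "enforced_for": { "@@assign": ["ec2:instance", "ec2:volume", "s3:bucket"] }
    }
  }
}
EOF
}

# Step 4: SCP denying every action whose target Region is not in the allowed
# list. Global services are exempted with NotAction (their endpoints live in
# us-east-1 and would otherwise be blocked); a break-glass admin role is
# exempted through aws:PrincipalARN so operators are not locked out.
region_scp_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideAllowedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*", "organizations:*", "sts:*", "support:*",
        "budgets:*", "cloudfront:*", "route53:*", "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "aws:RequestedRegion": $ALLOWED_REGIONS },
        "ArnNotLike": { "aws:PrincipalARN": ["arn:aws:iam::*:role/OrgBreakGlass"] }
      }
    }
  ]
}
EOF
}

# Steps 1, 2 and 5: run from the management account with Organizations rights.
apply_region_and_tag_controls() {
  root_id=$(aws organizations list-roots --query 'Roots[0].Id' --output text)

  # Each policy type must be enabled on the root once; ignore "already enabled".
  for t in SERVICE_CONTROL_POLICY TAG_POLICY; do
    aws organizations enable-policy-type --root-id "$root_id" \
      --policy-type "$t" >/dev/null 2>&1 || true
  done

  ou_id=$(aws organizations create-organizational-unit \
            --parent-id "$root_id" --name "$OU_NAME" \
            --query 'OrganizationalUnit.Id' --output text)

  for acct in $MEMBER_ACCOUNTS; do
    aws organizations move-account --account-id "$acct" \
      --source-parent-id "$root_id" --destination-parent-id "$ou_id"
  done

  tag_policy_id=$(aws organizations create-policy --name "${OU_NAME}-Tags" \
      --description "Group tagging standard" --type TAG_POLICY \
      --content "$(tag_policy_json)" --query 'Policy.PolicySummary.Id' --output text)
  scp_id=$(aws organizations create-policy --name "${OU_NAME}-Regions" \
      --description "Allowed Regions only" --type SERVICE_CONTROL_POLICY \
      --content "$(region_scp_json)" --query 'Policy.PolicySummary.Id' --output text)

  aws organizations attach-policy --policy-id "$tag_policy_id" --target-id "$ou_id"
  aws organizations attach-policy --policy-id "$scp_id" --target-id "$ou_id"
  echo "Attached $tag_policy_id and $scp_id to OU $ou_id"
}

# Print the policy documents by default; pass "apply" to make the changes.
if [ "${1:-}" = "apply" ]; then
  apply_region_and_tag_controls
else
  tag_policy_json
  region_scp_json
fi
```

Two caveats worth checking before attaching the policies: an SCP never applies to the management account itself, so the regulated workloads must live in member accounts, and a tag policy standardizes the keys and values of tags that are applied but does not by itself require that a tag be present at creation time; if that is also needed, the SCP can deny resource creation when the expected tag is absent (for example with an `aws:RequestTag` or `Null` condition). Review the denied-Region list against the services each account actually uses, and keep CloudTrail in an allowed Region so denied calls remain visible.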

Amazon AWS Certified Solutions Architect – Professional SAP-C02 certification exam practice questions and answers (Q&A) with detailed explanations and references, available free, to help you pass the Amazon AWS Certified Solutions Architect – Professional SAP-C02 exam and earn the Amazon AWS Certified Solutions Architect – Professional SAP-C02 certification.