A company has deployed AWS Security Hub and AWS Config in a newly implemented organization in AWS Organizations. A SysOps administrator must implement a solution to restrict all member accounts in the organization from deploying Amazon EC2 resources in the ap-southeast-2 Region. The solution must be implemented from a single point and must govern all current and future accounts. The use of root credentials also must be restricted in member accounts.
Which AWS feature should the SysOps administrator use to meet these requirements?
A . AWS Config aggregator
B . IAM user permissions boundaries
C . AWS Organizations service control policies (SCPs)
D . AWS Security Hub conformance packs
Answer: C
Explanation:
To restrict EC2 resource deployment in a specific Region and restrict root credentials usage:
1. Create service control policies (SCPs):
   - Use AWS Organizations to create SCPs that restrict actions for all member accounts.
   - Create an SCP to deny the creation of EC2 instances in the ap-southeast-2 Region.
   - Create an SCP to deny the use of root credentials in member accounts.
   Reference: Service Control Policies
2. Attach SCPs:
   - Attach the SCPs to the organizational units (OUs) or directly to the accounts as needed.
   Reference: Attaching SCPs
This approach provides centralized control over account policies, ensuring compliance across current and future accounts.
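As an added illustration (not part of the original explanation and not AWS's own code), the Python below holds one possible SCP with the two deny statements described above and checks constructed sample requests against it. The evaluator is a simplified model that understands only the two condition operators used here; the function name denied_by and the account ID 111122223333 in the sample requests are assumptions.

```python
import json
from fnmatch import fnmatchcase

# One possible SCP for the two requirements in the question (added example).
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Block every EC2 API call that targets ap-southeast-2.
            "Sid": "DenyEc2InApSoutheast2",
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-southeast-2"}},
        },
        {   # Block every action performed by a member account's root user.
            "Sid": "DenyRootUser",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
        },
    ],
}

def _condition_matches(condition, context):
    """Simplified model: StringEquals and StringLike with single values only."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key, "")
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringLike" and not fnmatchcase(actual, expected):
                return False
    return True

def denied_by(action, context, policy=SCP):
    """Return the Sid of the first Deny statement matching the request, else None."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Deny"
                # IAM action names are case-insensitive, so compare lowercased.
                and fnmatchcase(action.lower(), stmt["Action"].lower())
                and _condition_matches(stmt.get("Condition", {}), context)):
            return stmt["Sid"]
    return None

if __name__ == "__main__":
    # Print the policy document in the JSON form that AWS Organizations accepts.
    print(json.dumps(SCP, indent=2))
```

A None result means only that this SCP does not deny the request; SCPs never grant permissions, so the call still needs an allow from the account's IAM policies.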