SAA-C03

Question 1

A company uses AWS Organizations with multiple member accounts. A solutions architect needs to ensure that EC2 instances in member accounts can only be launched in approved AWS Regions and cannot be launched with instance types larger than t3.large. The restriction must apply to all member accounts without requiring changes in each individual account. Which solution meets these requirements?
Create a Service Control Policy (SCP) that denies ec2:RunInstances for unapproved regions and disallowed instance types, and attach it to the root OU in AWS Organizations.
Create an IAM permission boundary in each member account that restricts EC2 instance types and regions.
Use AWS Config rules in each member account to detect and remediate non-compliant EC2 launches.
Create an IAM policy in the management account and use cross-account roles to enforce it across member accounts.