-
If deny ec2:RunInstances action with SCP, do not need IAM policy to
mobious updated 5 months, 3 weeks ago 3 Members · 3 Posts -
Here are your answers
The option that says: Apply an SCP to the AWS Organization that will deny the ec2:RunInstances action if the Project tag is not applied is correct. The SCP applied to the organization will deny members from spawning EC2 instances without the Project tag.
The option that says: Create an IAM policy on each project account that will deny the ec2:RunInstances action if the Project tag is not applied is correct. This is needed to deny individual IAM accounts from spawning EC2 instances without the Project tag.
The "Create an IAM policy" option should be wrong (you have it as right).
1. If the SCP already does the deny, then IAM does not need to.
2. Even if you assume the SCP does not exist, using IAM is not efficient in an organization; you should use an SCP instead.
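The SCP the answer explanation describes, written out as an added example (it is not from the exam question or the post above); the Sid and the instance/volume resource ARNs are my assumptions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutProjectTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Project": "true"
        }
      }
    }
  ]
}
```

Attached to the organization root or an OU, this denies the launch call whenever the request carries no Project tag, for every principal in the member accounts, while an IAM identity still needs its own Allow for ec2:RunInstances because an SCP only filters permissions. It does not stop the tag from being removed after launch, which is why a detective control such as the AWS Config rule mentioned later in the thread complements it.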
-
Hi seth_e,
Thanks for the feedback on this question.
I agree with your statements.
This is a multiple-select question. As with some other questions on AWS, the answers can be independent of each other.
In this case, you don’t have to implement both SCP and/or IAM rules to deny the launching of EC2 instances. The choices provided are correct in the sense that they can achieve the requirements using different approaches.
SCP is more efficient for the Organization while IAM is for individual users. But they both accomplish the requirement of the question.
The options are not necessarily to be implemented at the same time.
Hope this helps.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!
Regards,
Kenneth Samonte @ Tutorials Dojo
-
I just got through this question and it says both IAM and the SCP. I would only use an SCP and then use AWS Config with a rule and an aggregator to catch the instances.
If you agree with this, Kenneth, why is the question still the same?