If deny ec2:RunInstances action with SCP, do not need IAM policy to

[seth_e]

Here are your answers

The option that says: Apply an SCP to the AWS Organization that will deny the ec2:RunInstances action if the Project tag is not applied is correct. The SCP applied to the organization will deny members from spawning EC2 instances without the Project tag.

The option that says: Create an IAM policy on each project account that will deny the ec2:RunInstances action if the Project tag is not applied is correct. This is needed to deny individual IAM accounts from spawning EC2 instances without the Project tag.

The “<strong style=”font-family: inherit; font-size: inherit;”>Create an IAM policy” should be wrong (you have it as right).

1. If SCP already does the deny, then IAM does not need to

2. Even if you assume SCP does not exist, then using IAM is not efficient in an organization, should use SCP instead

[Kenneth-Samonte-Tutorials-Dojo]

Hi seth_e,

Thanks for the feedback on this question.

I agree with your statements.

This is a multiple-select question. As with some other questions on AWS, the answers can be independent of each other.

In this case, you don’t have to implement both SCP and/or IAM rules to deny the launching of EC2 instances. The choices provided are correct in the sense that they can achieve the requirements using different approaches.

SCP is more efficient for the Organization while IAM is for individual users. But they both accomplish the requirement of the question.

The options are not necessarily to be implemented at the same time.

Hope this helps.

Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!

Regards,

Kenneth Samonte @ Tutorials Dojo