

  • If deny ec2:RunInstances action with SCP, do not need IAM policy to

  • seth_e

    Member
    January 24, 2023 at 12:45 pm

    Here are your answers

    The option that says: Apply an SCP to the AWS Organization that will deny the ec2:RunInstances action if the Project tag is not applied is correct. The SCP applied to the organization will deny members from spawning EC2 instances without the Project tag.

    The option that says: Create an IAM policy on each project account that will deny the ec2:RunInstances action if the Project tag is not applied is correct. This is needed to deny individual IAM accounts from spawning EC2 instances without the Project tag.

    The “Create an IAM policy” should be wrong (you have it as right).

    1. If the SCP already does the deny, then IAM does not need to.

    2. Even if you assume the SCP does not exist, using IAM is not efficient in an organization; you should use an SCP instead.

  • Kenneth-Samonte-Tutorials-Dojo

    Member
    January 24, 2023 at 11:31 pm

    Hi seth_e,

    Thanks for the feedback on this question.

    I agree with your statements.

    This is a multiple-select question. As with some other questions on AWS, the answers can be independent of each other.

    In this case, you don’t have to implement both SCP and/or IAM rules to deny the launching of EC2 instances. The choices provided are correct in the sense that they can achieve the requirements using different approaches.

    SCP is more efficient for the Organization while IAM is for individual users. But they both accomplish the requirement of the question.

    The options are not necessarily to be implemented at the same time.

    Hope this helps.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!

    Regards,

    Kenneth Samonte @ Tutorials Dojo
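    The policy both options describe, as an added example that is not part of any post in this thread: the same document serves as an SCP on the organization or as an IAM identity policy in a member account, and the small evaluator (an assumption, modelling only this Deny/Null statement shape rather than the full IAM evaluation logic) shows that an explicit deny at either layer blocks an untagged launch.

```python
"""Deny ec2:RunInstances when the request carries no Project tag."""
import json

# The same document works as an SCP on the organization and as an IAM
# identity policy in a member account. Null with "true" matches when the
# Project tag is absent from the request. Resource ARNs are limited to
# instance and volume because RunInstances is evaluated against several
# resource types and the tags are only applied to those two.
DENY_UNTAGGED_RUN_INSTANCES = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyRunInstancesWithoutProjectTag",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
            "Condition": {"Null": {"aws:RequestTag/Project": "true"}},
        }
    ],
}


def statement_denies(stmt, action, request_tags):
    """Simplified evaluator (assumption): only the Deny/Null shape above."""
    if stmt["Effect"] != "Deny" or stmt["Action"] != action:
        return False
    for key, expected in stmt.get("Condition", {}).get("Null", {}).items():
        tag_absent = key.removeprefix("aws:RequestTag/") not in request_tags
        if tag_absent != (expected == "true"):
            return False
    return True


def run_instances_allowed(request_tags, scp=DENY_UNTAGGED_RUN_INSTANCES, iam=None):
    """An explicit Deny in the SCP or the IAM policy wins; otherwise the call
    is allowed (assumes the identity already has an Allow for RunInstances)."""
    for doc in (scp, iam):
        if doc is None:
            continue
        for stmt in doc["Statement"]:
            if statement_denies(stmt, "ec2:RunInstances", request_tags):
                return False
    return True


if __name__ == "__main__":
    print(json.dumps(DENY_UNTAGGED_RUN_INSTANCES, indent=2))
    print(run_instances_allowed({"Project": "td-labs"}))  # True: tagged launch
    print(run_instances_allowed({"Name": "web-01"}))      # False: no Project tag
```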

  • mobious

    Member
    May 22, 2024 at 3:43 am

    I just got through this question and it says both IAM and the SCP. I would only use an SCP and then use AWS Config with a rule and an aggregator to catch the instances.

    If you agree with this, Kenneth, why is the question still the same?
