If SCPs already deny, is an explicit IAM role in each account required to deny?

[tera.4012]

Hi, there is a question in the diagnostic test:

A company has a designated AWS account for each project of its development team. All of these AWS accounts are linked to the main AWS account under the same AWS Organizations. The CFO allocates a budget for each project owner. Each project owner is allowed to provision any cloud resources that they need but all resources should have the Project tag which is used for cost allocation. After a recent audit, several team members are not adding the Project tag on their Amazon EC2 instances which results in inaccurate cost reports.

The answer explanations say that SCP can be used to deny creation of EC2 via runInstances API if the project tag is not added at a central place for all accounts in an organization. However the other answer choice is also marked correct where an IAM role for each account is added with the same condition to deny. Are both really required?

1] Apply an SCP to the AWS Organization that will deny the ec2:RunInstances action if the Project tag is not applied.

2]Create an IAM policy on each project account that will deny the

ec2:RunInstances action if the Project tag is not applied.

• This discussion was modified 2 years, 1 month ago by  tera.4012. Reason: spelling errors

[tera.4012]

Maybe the 2nd answer choice should be to add IAM role in each account that explicitly allow creation of EC2 instances provided the project tags are included.

[Kenneth-Samonte-Tutorials-Dojo]

Hello tera.40.12

It’s not required to use both the SCP and IAM deny rules.
The given choices are simply options (that are correct) in which you can satisfy the requirements of the question.

Using SCP, and the IAM policy are correct. Since we need to select 3 correct answers, we can select them both.

Hope this helps.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!

Regards,
Kenneth Samonte @ Tutorials Dojo