hard · Application · Q8 of 15
AWS - Account and Billing
You want to apply a policy that restricts all accounts in your AWS Organization from launching EC2 instances in a specific region. How should you implement this?
A. Modify each account's IAM user policies to deny EC2 launch
B. Create a billing alert for EC2 usage in that region
C. Disable EC2 service in each account manually
D. Use a Service Control Policy (SCP) attached to the root or OU denying ec2:RunInstances in that region
Step-by-Step Solution
Solution:
  1. Step 1: Identify the best policy type for organization-wide restrictions

    Service Control Policies (SCPs) apply restrictions across accounts in an AWS Organization.
  2. Step 2: Apply SCP to root or organizational unit (OU)

    Attaching an SCP denying ec2:RunInstances in the target region blocks instance launches in all accounts under it.
  3. Final Answer:

    Use a Service Control Policy (SCP) attached to the root or OU denying ec2:RunInstances in that region -> Option D
  4. Quick Check:

    SCPs enforce org-wide restrictions [OK]
Quick Trick: Use SCPs for organization-wide permission control [OK]
Common Mistakes:
  • Relying on individual IAM policies
  • Manually disabling services per account
  • Using billing alerts for permission control
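
An SCP of the kind the solution describes, shown as an added example that is not part of the original quiz. The region `ap-southeast-2` and the `Sid` are placeholder values chosen here; `aws:RequestedRegion` is the global condition key that scopes the deny to a single region.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEc2LaunchInExampleRegion",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ap-southeast-2"
        }
      }
    }
  ]
}
```

Attached to the root or an OU, this explicit deny overrides any IAM allow in the member accounts beneath it, including for each member account's root user. SCPs do not restrict principals in the organization's management account, so that account needs its own controls.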
