Exam AWS Certified Solutions Architect - Professional topic 1 question 661 discussion

Answer is A B is INCORRECT because this doesn't satisfy the requirement for future accounts possibility in OTHER OU's that might be created. The SCP in this answer would only affect the OU the SCP is applied too. C is INCORRECT because this allows accounts to continue to purchase RIs and the requirement is to BLOCK from purchasing D is INCORRECT because the "master account (a.k.a management account) is the root account of the org and should not and can not be in an OU. See the following diagram here (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) A is CORRECT because applying the explicit deny on the API and attaching it to the root org allows for current and future account in ANY OU to not be able to purchase RI's.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html SCPs don't affect users or roles in the management (master) account. They affect only the member accounts in your organization. So correct answer is A.

A looks better because of the requirement for future accounts, so the explicit deny must be attached to the root.

A. Create an SCP with the Deny effect on the ec2:PurchaseReservedInstancesOffering action. Attach the SCP to the root of the organization.

A is right

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

It's A - The master account of the organization is not affected by any SCPs that are attached either to it or to any root or OU the master account might be in.

AAA ---

go with A

The answer should be D - Rights work as intersection between Root, OU SCP and IAM Policy - Explicit Deny > Explicit Allow > Implicit Deny > Implicit Allow A : Explicit Deny. Blocks everybody, none can purchase instances B : Same C : As XRiddlerX states, ruled out D : Explicit Allow in OU1 SCP for master account, and Implicit Deny in OU2 SCP - as long as no Explicit Allow on OU2 SCP, works fine.

I'll go with A

A Correct

If you assign SCP to root, how does the master account buy reserved instances? It will be blocked as well. Has to be B.

SCPs affect only member accounts in the organization hence applying it on root will not impact master account. Answer is 𝗔.

I don't think it's A! AWS strongly recommends that you don't attach SCPs to the root of your organization without thoroughly testing the impact that the policy has on accounts. Instead, create an OU that you can move your accounts into one at a time, or at least in small numbers, to ensure that you don't inadvertently lock users out of key services. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

it's A

AWS strongly recommends that you don't attach SCPs to the root of your organization without thoroughly testing the impact that the policy has on accounts. Instead, create an OU that you can move your accounts into one at a time, or at least in small numbers, to ensure that you don't inadvertently lock users out of key services. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html However we dont know how many OU currently exist whether all current belongs to one OU , or what are existing SCP applied old OU's. So I will go with A