Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer.
For SOA-C02 candidates, the confusion often lies in understanding the scope and enforcement order of IAM policies, permission boundaries, and Service Control Policies (SCPs) in a multi-account AWS Organization setup. In production, this is about knowing precisely how to centrally govern permissions at scale with minimal operational overhead. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
TechWave Solutions is a fast-growing SaaS provider managing multiple AWS accounts across different business units using AWS Organizations. Due to strict customer data residency policies, TechWave must ensure all Amazon EC2 instances are launched only within a predefined list of authorized AWS regions.
As a Site Reliability Engineer, your task is to enforce this policy across every AWS account, preventing any user or team from launching EC2 instances in unauthorized regions.
The Requirement: #
Identify the most operationally efficient solution to prevent EC2 instance launches in unauthorized regions across all accounts and users within the organization.
The Options #
- A) Enable AWS CloudTrail in all regions to monitor API calls. Set up an EventBridge rule in unauthorized regions to detect ec2:RunInstances events, triggering a Lambda function that terminates instances launched in those regions.
- B) Create a managed IAM policy in each AWS account that denies the ec2:RunInstances action with a condition restricting the regions. Attach this policy to all IAM groups in each account to deny EC2 instance launches outside authorized regions.
- C) Create an IAM permissions boundary policy in each AWS account that denies the ec2:RunInstances action with a condition on region. Attach this boundary to every IAM user to prevent launching instances in restricted regions.
- D) In AWS Organizations, create a Service Control Policy (SCP) that denies the ec2:RunInstances action in unauthorized regions. Attach this SCP at the root of the organization to centrally enforce the region restriction across all accounts.
Correct Answer #
D.
Quick Insight: The SysOps Operational Efficiency Imperative #
- SCPs are organization-wide guardrails that cap what any principal in a member account can do, regardless of the IAM policies inside that account, so one policy attached at the root covers every account without per-account configuration.
- Approaches A, B, and C require implementing policies or automation in every account (and, for A, in every region), which risks inconsistent coverage and adds ongoing maintenance effort.
The Expert’s Analysis #
Correct Answer #
Option D
The Winning Logic #
Service Control Policies (SCPs) are the most operationally efficient way to enforce permission guardrails across every account in an AWS Organization. An SCP does not grant permissions and does not override IAM policies; it defines the maximum permissions available to principals in the accounts it applies to. A request succeeds only if both the SCP and the principal's IAM policies allow it, and an explicit Deny in the SCP wins no matter what the IAM policy says.
- An SCP can deny ec2:RunInstances with a condition on aws:RequestedRegion, blocking instance launches in every unauthorized region with a single statement.
- Because SCPs are managed centrally and attached once at the root or an OU, every account below that point inherits them, which removes the per-account work that IAM policies or permissions boundaries would require.
- SCPs fail safe: the deny applies to every IAM user and role in a member account, including the account's root user, regardless of the permissions granted locally. Two caveats a practitioner should know: SCPs do not affect the organization's management account, and they do not affect service-linked roles.
The Trap (Distractor Analysis): #
- Why not A? Reactive: CloudTrail and EventBridge only see the ec2:RunInstances call after the instance exists, so the launch succeeds and the instance may run for minutes before termination, incurring cost and exposing data in the wrong region in the meantime. It also needs an EventBridge rule and Lambda function deployed in every unauthorized region of every account, plus ongoing maintenance of that automation.
- Why not B? IAM policies are scoped to a single account, so the deny must be created and kept in sync in every account and attached to every group. A newly created user, a user that belongs to no group, or a role the policy is not attached to can still launch instances, and human error or missing attachments lead to inconsistent enforcement.
- Why not C? A permissions boundary limits only the user or role it is attached to, cannot be attached to groups, and must be set on every new principal in every account; any user or role created without the boundary is unrestricted. It is a per-principal control, not an organization-wide guardrail.
The Technical Blueprint #
Example SCP JSON that denies EC2 instance launches outside the authorized regions, here us-east-1 and us-west-2 (JSON does not allow comments, so the description stays outside the policy document):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2LaunchInUnauthorizedRegions",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-2"
          ]
        }
      }
    }
  ]
}
```

Create the SCP and attach it to the root or a specific OU with the AWS CLI. SCP policy type must already be enabled on the root, and the default FullAWSAccess SCP should stay attached so that everything not explicitly denied remains allowed. The policy ID and root ID below are placeholders; `create-policy` returns the real policy ID in its output.

```bash
# Save the JSON above as deny-ec2-regions.json, then run from the management account:
aws organizations enable-policy-type --root-id r-examplerootid --policy-type SERVICE_CONTROL_POLICY
aws organizations create-policy \
  --name DenyEC2LaunchInUnauthorizedRegions \
  --type SERVICE_CONTROL_POLICY \
  --description "Deny ec2:RunInstances outside us-east-1 and us-west-2" \
  --content file://deny-ec2-regions.json
aws organizations attach-policy --policy-id p-examplepolicyid --target-id r-examplerootid
```
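To make the enforcement order concrete, here is an added Python example (not code from AWS or from this page's author) that simulates how one API call is evaluated against the SCP above together with an identity-based IAM policy. It models only the policy grammar the blueprint uses (Effect, a wildcarded Action, StringEquals/StringNotEquals on aws:RequestedRegion, Resource fixed to "*"); the identity policies, the OU layout passed as `scp_levels`, and the `is_management_account` flag are constructed assumptions for illustration.

```python
"""Simulate how AWS combines SCPs and an identity-based policy for one request.

Added example, not AWS code. Models only the subset of the IAM policy grammar
used by the SCP on this page and assumes Resource is always "*".
"""
import fnmatch
import json

# The SCP from the blueprint: deny ec2:RunInstances unless the request targets
# us-east-1 or us-west-2.
SCP_DENY_UNAUTHORIZED_REGIONS = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2LaunchInUnauthorizedRegions",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "us-west-2"]
        }
      }
    }
  ]
}
""")

# AWS attaches this managed SCP by default. Without an Allow at every level of
# the hierarchy, an SCP-governed account can do nothing at all.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed identity-based policies that exist inside a member account.
IDENTITY_EC2_ADMIN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}
IDENTITY_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, ctx):
    """Every operator/key pair must hold (AND); list values are OR-ed."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def evaluate_policy(policy, action, ctx):
    """Return 'Deny', 'Allow', or None when no statement matches the request."""
    decision = None
    for stmt in policy["Statement"]:
        # IAM action matching is case-insensitive and supports '*' wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                   for pat in _as_list(stmt["Action"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends the evaluation
        decision = "Allow"
    return decision


def is_allowed(action, region, identity_policy, scp_levels,
               is_management_account=False):
    """Decide a request the way AWS layers SCPs over IAM policies.

    scp_levels holds the SCPs attached at each level from the root down to the
    account, e.g. [root_scps, ou_scps]. At every level at least one SCP must
    Allow the action and none may Deny it; only then can the identity policy
    grant it. SCPs never grant on their own, and the management account is
    exempt from them.
    """
    ctx = {"aws:RequestedRegion": region}
    if not is_management_account:
        for level in scp_levels:
            verdicts = [evaluate_policy(scp, action, ctx) for scp in level]
            if "Deny" in verdicts or "Allow" not in verdicts:
                return False
    return evaluate_policy(identity_policy, action, ctx) == "Allow"


if __name__ == "__main__":
    root = [FULL_AWS_ACCESS, SCP_DENY_UNAUTHORIZED_REGIONS]
    for region in ("us-east-1", "eu-west-1"):
        ok = is_allowed("ec2:RunInstances", region, IDENTITY_EC2_ADMIN, [root])
        print(f"ec2:RunInstances in {region} as ec2:* admin -> {'ALLOW' if ok else 'DENY'}")
```

The evaluator shows the three facts the exam is probing: an ec2:* admin is still denied in eu-west-1 because the SCP Deny wins; a read-only identity is still denied in us-east-1 because the SCP only caps permissions and never grants them; and the same call from the management account succeeds because SCPs do not apply there, which is why production workloads belong in member accounts.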
The Comparative Analysis #
| Option | Operational Overhead | Enforcement Model | Impact |
|---|---|---|---|
| A | High - Lambda and EventBridge rule in every unauthorized region of every account | Reactive (post-launch remediation) | Launch succeeds before termination; cost and data-residency exposure; complex automation |
| B | High - IAM policy created and attached to groups in every account | Preventive but manually managed per account | Gaps for users outside groups, roles, and accounts where the policy is missing |
| C | High - permissions boundary attached to every user and role | Preventive but per-principal | Principals created without the boundary are unrestricted; cannot attach to groups |
| D | Low - one SCP managed at the org root or OU | Preventive, inherited and consistent | Enforced above the account level; explicit Deny cannot be overridden by account IAM |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick Service Control Policies (SCPs) when you see the keywords “multi-account”, “AWS Organizations”, “deny action across regions”.
Real World #
In production, organizations use SCPs for global permission guardrails, supplemented with tag policies and account-level IAM policies for finer-grained control. Two practical caveats: the management account is not subject to SCPs, so keep workloads out of it, and if you broaden the region restriction beyond ec2:RunInstances to a blanket deny, carve out the global services (IAM, STS, Organizations, Route 53, CloudFront and similar) whose API endpoints are served from us-east-1, or you will break them.
Disclaimer
This is a study note based on simulated scenarios for the SOA-C02 exam.