ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
An enterprise operates several AWS accounts in a single AWS Organization. To reduce its external attack surface, the security team must guarantee that no new EC2 instance can ever be launched with an automatically assigned public IPv4 address in any development account. Which AWS control provides the most effective preventative safeguard for this requirement?
Activate VPC Flow Logs and CloudWatch alarms to detect and alert on traffic from instances with public IP addresses in development VPCs.
Attach a Service Control Policy in AWS Organizations that denies ec2:RunInstances when the request's ec2:AssociatePublicIpAddress condition equals true for the development accounts.
Enable Amazon GuardDuty and configure an EventBridge rule to automatically stop any instance that acquires a public IP address.
Create an AWS Config managed rule that detects EC2 instances with public IP addresses and generates compliance alerts.
Applying a Service Control Policy (SCP) to the development accounts is the strongest preventative measure. In the SCP you would add a statement that denies the ec2:RunInstances action when the request includes the condition ec2:AssociatePublicIpAddress set to true (and optionally deny ec2:AssociateAddress to block later Elastic IP associations). Because SCPs are evaluated before any IAM or resource-based policies, a request that tries to launch an instance with an auto-assigned public IP is blocked outright.
An AWS Config rule, GuardDuty with automated response, and VPC Flow Logs with CloudWatch alarms are all detective or corrective controls: they identify or remediate the issue only after the instance has been launched or has started sending traffic. They do not prevent the initial creation of a publicly addressable instance.
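As an added illustration (not part of the original question), the SCP described above written out as a policy document, together with a small simulator of how an SCP Deny statement is matched against a request. The simulator is a constructed model of IAM's Bool condition semantics, not an AWS API; the Sid values and sample request contexts are assumed for the example. It shows the edge case a practitioner should check: a request context that does not carry the ec2:AssociatePublicIpAddress key never matches the Bool condition, so the Deny does not fire for it.

```python
import fnmatch

# Constructed SCP for the development OU/accounts: deny launching with an
# auto-assigned public IPv4, and (optionally) deny later Elastic IP association.
DEV_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPublicIpOnLaunch",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "*",
            "Condition": {"Bool": {"ec2:AssociatePublicIpAddress": "true"}},
        },
        {
            "Sid": "DenyElasticIpAssociation",
            "Effect": "Deny",
            "Action": "ec2:AssociateAddress",
            "Resource": "*",
        },
    ],
}

def _action_matches(pattern, action):
    # IAM action patterns allow '*' wildcards and are matched case-insensitively.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _condition_matches(condition, context):
    # Only the Bool operator is modelled. A key that is absent from the request
    # context does not match, per IAM condition semantics (no ...IfExists here).
    for key, expected in condition.get("Bool", {}).items():
        if key not in context or str(context[key]).lower() != expected.lower():
            return False
    return True

def scp_denies(scp, action, context):
    """Return the Sid of the first matching Deny statement, or None if allowed."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None
```

Because an explicit Deny in an SCP cannot be overridden by any IAM policy in the member account, a match from scp_denies means the launch is blocked before it happens; a None result only means the SCP does not block it, not that IAM allows it.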