AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question

An enterprise uses AWS Organizations with a single root and two organizational units (OUs) named Prod and Dev. The security team must guarantee that Dev accounts cannot launch Amazon EC2 instances that receive a public IPv4 address, while Prod accounts retain full functionality. The solution must be centrally enforced and impossible for Dev account administrators to bypass. Which approach meets these requirements MOST effectively?

  • Attach an SCP to the Dev OU that explicitly denies ec2:RunInstances when the request parameter AssociatePublicIpAddress is true.

  • Enable Amazon GuardDuty in the management account and configure an organization-wide detector to block Dev accounts from launching instances with public IP addresses.

  • In every Dev account, attach an IAM customer managed policy that denies launching EC2 instances with public IP addresses to all users and roles.

  • Enable AWS Config across the organization and add a rule that terminates any instance in the Dev OU that is launched with a public IP address.

Security and Compliance