A company uses AWS Organizations to manage multiple AWS accounts.

Objective:

Enforce corporate policy to prevent the creation of EC2 instances in unauthorized AWS Regions.

Using Service Control Policies (SCPs):

SCPs are an AWS Organizations feature that allow centralized control over permissions for all accounts in the organization.

By attaching an SCP to the root level of the organization, you can enforce the restriction across all accounts.

Solution Implementation:

Step 1: Open the AWS Organizations console.

Step 2: Create a new SCP with the following policy:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Deny",

"Action": "ec2:RunInstances",

"Resource": "*",

"Condition": {

"StringNotEquals": {

"aws:RequestedRegion": [

"us-east-1",

"us-west-2"

]

}

}

}

]

}

Replace "us-east-1" and "us-west-2" with the allowed Regions.

Step 3: Attach the SCP to the root level of the organization.

AWS References:

Service Control Policies (SCPs):SCP Best Practices

Restricting EC2 Regions with SCP:SCP Examples

Why Other Options Are Incorrect:

Option A: CloudTrail and EventBridge with Lambda are operationally less efficient and reactive rather than preventative.

Option B: IAM policies applied at the account level require manual configuration for each account, which is less efficient.

Option C: Permissions boundaries are more suited for controlling specific IAM user or role actions, not account-wide restrictions.