Question 185:
You have found that a team member uses AWS Resource Access Manager (RAM) in his AWS account to share resources with IAM users outside of the AWS Organization. You want to apply an SCP in the AWS Organization to prevent users from creating such resource shares in RAM. Which of the following SCPs would you use?
Answer options:
A.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateResourceShare",
        "ram:UpdateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ram:RequestedAllowsInternalPrincipals": "true"
        }
      }
    }
  ]
}
B.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:*"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ram:AllowsInternalPrincipalsOnly": "true"
        }
      }
    }
  ]
}
C.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ram:CreateResourceShare",
        "ram:UpdateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ram:RequestedAllowsExternalPrincipals": "true"
        }
      }
    }
  ]
}
D.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ram:*"
      ],
      "Resource": "AWS:Organization",
      "Condition": {
        "Bool": {
          "ram:RequestedAllowsExternalPrincipals": "false"
        }
      }
    }
  ]
}