A large enterprise uses AWS Organizations to manage multiple accounts. The security team has implemented a Service Control Policy (SCP) at the root level that denies all actions unless the request originates from the corporate IP range (10.0.0.0/8). Recently, a developer in a member account tried to launch an EC2 instance from the AWS Management Console while connected via a VPN that provides an IP address within the corporate range. However, the launch failed with an 'AccessDenied' error. The developer is using an IAM user with full EC2 permissions (ec2:*). The SCP is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*","Condition":{"NotIpAddress":{"aws:SourceIp":"10.0.0.0/8"}}}]}. What is the MOST likely reason for the failure?
The console may use intermediary IPs; the source IP condition is not reliable for console access.
Why this answer
Option C is correct. The SCP keys its Deny on aws:SourceIp, which AWS populates with the address the request arrives from at the public API endpoint, not the address assigned to the developer's VPN adapter. 10.0.0.0/8 is RFC 1918 private space, so a request from a 10.x.x.x VPN client only reaches AWS after NAT at the corporate egress (or, with a split-tunnel VPN, straight out through the developer's ISP); either way the value AWS evaluates is a public address that is not in 10.0.0.0/8, the NotIpAddress condition matches, and the explicit Deny fires. Console workflows make this worse: some calls the console makes are issued by an AWS service on the user's behalf and carry no aws:SourceIp key at all, and NotIpAddress (like every negated condition operator) evaluates to true when its key is absent, so those calls are denied as well. A source-IP SCP should allowlist the corporate public egress ranges and, as AWS's own example for this pattern does, add a Bool condition on aws:ViaAWSService being false so that service-originated calls are exempted. Option A is wrong because SCPs apply to every principal in a member account, including that account's root user (only the management account is outside their reach).
Option B is wrong because the SCP denies actions rather than granting them, and an explicit Deny always wins over any Allow. Option D is wrong because an SCP is a guardrail evaluated alongside identity policies: no IAM permission, not even ec2:*, can override an SCP Deny whose condition matches.
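To make the explanation concrete, the following is an added example (not code from the original page or from AWS) that models the slice of IAM condition evaluation the question turns on: NotIpAddress matching, the rule that a negated operator matches when its key is missing from the request context, and the effect of the aws:ViaAWSService exemption. The request contexts and the 203.0.113.0/24 "corporate egress" range are constructed sample data (203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges); the hardened SCP is an assumed corrected policy, not one the page provides.

```python
"""Toy evaluator for the source-IP SCP above (added example, not AWS code).

Models only IpAddress / NotIpAddress (CIDR match) and Bool, including the IAM
rule that a negated operator such as NotIpAddress evaluates to TRUE when the
key is absent from the request context. Sample contexts are constructed.
"""
import ipaddress
import json

# The SCP exactly as quoted in the question.
ORIGINAL_SCP = json.loads(
    '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*",'
    '"Resource":"*","Condition":{"NotIpAddress":{"aws:SourceIp":"10.0.0.0/8"}}}]}'
)

# Assumed hardened variant following the pattern AWS documents for source-IP
# denies: allowlist the PUBLIC range the VPN actually egresses through (10/8 is
# RFC 1918 and never reaches a public AWS endpoint as a source address), and
# exempt calls an AWS service makes on the principal's behalf, which carry no
# aws:SourceIp key and would otherwise be swept up by NotIpAddress.
HARDENED_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},  # assumed egress range
            "Bool": {"aws:ViaAWSService": "false"},
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in_any(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def condition_matches(condition, ctx):
    """True if every (operator, key) pair in the Condition block matches ctx (ANDed)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "IpAddress":
                if not (present and _ip_in_any(ctx[key], expected)):
                    return False
            elif operator == "NotIpAddress":
                # Negated operator: a MISSING key counts as a match.
                if present and _ip_in_any(ctx[key], expected):
                    return False
            elif operator == "Bool":
                want = str(_as_list(expected)[0]).lower()
                if not (present and str(ctx[key]).lower() == want):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def scp_denies(scp, ctx):
    """True if any Deny statement in the SCP applies to the request context."""
    return any(
        stmt["Effect"] == "Deny" and condition_matches(stmt.get("Condition", {}), ctx)
        for stmt in scp["Statement"]
    )


# Constructed request contexts. aws:ViaAWSService is always present in a real
# request context, so each one sets it explicitly.
CTX_VPN_VIA_CORP_NAT = {"aws:SourceIp": "203.0.113.10", "aws:ViaAWSService": "false"}
CTX_PRIVATE_ADDR = {"aws:SourceIp": "10.0.5.7", "aws:ViaAWSService": "false"}  # never seen by AWS
CTX_SERVICE_ON_BEHALF = {"aws:ViaAWSService": "true"}  # no aws:SourceIp key at all
CTX_HOME_SPLIT_TUNNEL = {"aws:SourceIp": "198.51.100.23", "aws:ViaAWSService": "false"}

if __name__ == "__main__":
    cases = [("VPN user, corp NAT egress", CTX_VPN_VIA_CORP_NAT),
             ("hypothetical raw 10.x source", CTX_PRIVATE_ADDR),
             ("service call on user's behalf", CTX_SERVICE_ON_BEHALF),
             ("split-tunnel VPN, home egress", CTX_HOME_SPLIT_TUNNEL)]
    for name, ctx in cases:
        orig = "DENY" if scp_denies(ORIGINAL_SCP, ctx) else "pass"
        hard = "DENY" if scp_denies(HARDENED_SCP, ctx) else "pass"
        print(f"{name:32} original={orig:4} hardened={hard}")
```

Running it shows the question's scenario directly: the original SCP denies the developer whose VPN traffic egresses through the corporate NAT and also denies every service-originated call that lacks aws:SourceIp, while only the hypothetical raw 10.x source (which AWS never actually observes) passes. The hardened policy lets both the NATed developer and the on-behalf call through and still blocks a split-tunnel client whose traffic leaves via a home connection.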