Easy · 1 mark · Multiple Choice
Domain 1.1: Secure Access · Domain 1 · Security · AWS Organizations

AWS SAA-C03 · Question 01 · Domain 1.1: Secure Access

A company wants to ensure that no AWS resources can be created in the ap-northeast-1 region across all of its AWS accounts. What is the MOST efficient way to enforce this?

Answer options:

A. Create an IAM policy denying access to the region and attach it to all users.

B. Use AWS Organizations and attach a Service Control Policy (SCP) denying access to the ap-northeast-1 region.

C. Configure AWS CloudTrail to alert when resources are created in the region.

D. Use AWS Config rules to automatically delete resources in the region.

How to approach this question

Identify the multi-account control mechanism.

Full Answer

B. Use AWS Organizations and attach a Service Control Policy (SCP) denying access to the ap-northeast-1 region. ✓ Correct
SCPs offer central control over the maximum available permissions for all accounts in an organization.

Common mistakes

Confusing IAM policies with SCPs for multi-account management.
