An enterprise wants to enforce strict data perimeter controls. They must ensure that IAM principals in their organization can only access AWS resources from within their corporate network or their VPCs. Which TWO mechanisms should be used together? (Select TWO)

Answer options:

AWS Organizations Service Control Policies (SCPs) with aws:SourceIp conditions.

VPC Endpoints with resource policies restricting access to the Organization ID.

AWS WAF attached to all S3 buckets.

Security Groups allowing only corporate IPs.

AWS Network Firewall blocking outbound internet access.

IAM Identity Center permission sets with MFA enabled.

How to approach this question

Combine identity-based and network-based controls.

Full Answer

AWS Organizations Service Control Policies (SCPs) with aws:SourceIp conditions., VPC Endpoints with resource policies restricting access to the Organization ID.

Data perimeters are built using SCPs to restrict network origin (aws:SourceIp/aws:SourceVpc) and VPC endpoint policies to restrict resource access to specific organizations.

Common mistakes

Thinking Security Groups can protect AWS API endpoints.

Question 50 All questions Question 52

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 3

75 questions · hints · full answers · grading

More questions from this exam

Q01An enterprise has 100 VPCs across 5 AWS Regions. They need to establish a highly available, trans...Hard Q02A company uses AWS Organizations. The CISO requires that no EC2 instances can be launched outside...Medium Q03An application uses Amazon Aurora PostgreSQL. To meet disaster recovery requirements, the databas...Hard Q04A company is setting up a new multi-account AWS environment. They want to automate the creation o...Medium Q05An organization wants to allocate AWS costs to specific departments. They use multiple AWS accoun...Medium

View all 75 questions →