An enterprise is designing a multi-account architecture. They need to ensure that developers in the 'Sandbox' accounts can experiment freely, but are strictly prohibited from provisioning resources in any region other than us-east-1 and eu-west-1. Furthermore, they must not be able to disable AWS CloudTrail. Which combination of actions will enforce these rules? (Select TWO)

Use SCPs for proactive, account-wide restrictions (region locking and service protection).

What mistakes do candidates make on this AWS SAP-C02 question?

Choosing reactive Config rules instead of proactive SCPs.

A.

Create an IAM boundary policy restricting regions and attach it to all developer roles.

B.

Create a Service Control Policy (SCP) that denies all actions where the aws:RequestedRegion condition is not us-east-1 or eu-west-1.

C.

Create an SCP that explicitly denies the cloudtrail:StopLogging and cloudtrail:DeleteTrail actions.

D.

Use AWS Config rules to automatically terminate resources launched outside the allowed regions.

E.

Configure AWS Control Tower to delete the Sandbox accounts if a violation occurs.

F.

Modify the VPC route tables to block traffic to unauthorized regions.