AWS SAP-C02 · Question 32 · Domain 1.2: Security Controls
An enterprise is designing a multi-account architecture. They need to ensure that developers in the 'Sandbox' accounts can experiment freely, but are strictly prohibited from provisioning resources in any region other than us-east-1 and eu-west-1. Furthermore, they must not be able to disable AWS CloudTrail. Which combination of actions will enforce these rules? (Select TWO)
Answer options:
Create an IAM boundary policy restricting regions and attach it to all developer roles.
Create a Service Control Policy (SCP) that denies all actions where the aws:RequestedRegion condition is not us-east-1 or eu-west-1.
Create an SCP that explicitly denies the cloudtrail:StopLogging and cloudtrail:DeleteTrail actions.
Use AWS Config rules to automatically terminate resources launched outside the allowed regions.
Configure AWS Control Tower to delete the Sandbox accounts if a violation occurs.
Modify the VPC route tables to block traffic to unauthorized regions.