Medium · 1 mark · Multiple Choice
Domain 1.2: Security Controls · Tags: Security, Organizations, SCP

AWS SAP-C02 · Question 54 · Domain 1.2: Security Controls

A company is using AWS Organizations with all features enabled. The security team wants to ensure that no IAM user or role in any member account can access AWS services in regions other than us-east-1 and eu-west-1. However, they need to ensure that global services like AWS IAM and Amazon CloudFront continue to function normally. How can this be achieved?

Answer options:

A.

Create a Service Control Policy (SCP) that denies all actions with a condition 'aws:RequestedRegion' not equal to us-east-1 or eu-west-1. Add exceptions in the NotAction element for global services.

B.

Use AWS Config rules to detect resources created outside the allowed regions and trigger an SSM Automation document to delete them.

C.

Disable the unauthorized regions in the AWS Management Console for each member account.

D.

Create an IAM permissions boundary that denies access to unauthorized regions and attach it to the root user of the management account.

How to approach this question

Identify the standard SCP pattern for region restriction.

Full Answer

A. Create a Service Control Policy (SCP) that denies all actions with a condition 'aws:RequestedRegion' not equal to us-east-1 or eu-west-1. Add exceptions in the NotAction element for global services. ✓ Correct
To restrict regions across an organization, use a Service Control Policy (SCP) attached to the organization root or to the OUs that hold the member accounts. The statement uses `"Effect": "Deny"` with a `StringNotEquals` condition on the `aws:RequestedRegion` key listing the permitted regions (us-east-1 and eu-west-1), so any request whose region is outside that list is denied. Global services such as IAM, AWS STS, Route 53 and CloudFront are served from endpoints that are not tied to a region you choose (IAM calls, for example, always evaluate `aws:RequestedRegion` as us-east-1), so their actions go in a `NotAction` element: combined with `Deny`, `NotAction` applies the denial to every action except the ones listed, which keeps the global services working while everything else is confined to the allowed regions. Two points worth checking before deploying such a policy: SCPs never apply to the management account, only to member accounts, and it is standard practice to exempt a break-glass administrator role through an `ArnNotLike` condition on `aws:PrincipalARN` so that a mistaken policy can still be repaired.
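The policy described above, written out as a document you could hand to `aws organizations create-policy`, together with a small evaluator for this one statement shape so the deny logic can be checked offline. This is an added example, not code from the original page or from AWS; the list of global-service actions is an assumed subset of the one AWS ships in its example region-restriction SCP, the exempted role name (OrganizationAccountAccessRole) and the account IDs in the sample requests are constructed, and the evaluator only models the Deny/NotAction/Condition combination used here, not the full IAM evaluation logic.

```python
"""Region-restriction SCP with global-service and break-glass exemptions.

Added example. ALLOWED_REGIONS come from the question; GLOBAL_SERVICE_ACTIONS
and EXEMPT_PRINCIPAL_PATTERN are assumptions to be adjusted per organization.
"""
import fnmatch
import json

ALLOWED_REGIONS = ["us-east-1", "eu-west-1"]

# Assumed subset of the global services AWS lists in its example SCP.
# These APIs are not bound to a region the caller picks, so they must be
# excluded from the deny or core functionality (IAM, STS, ...) breaks.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*",
    "sts:*",
    "organizations:*",
    "cloudfront:*",
    "route53:*",
    "route53domains:*",
    "support:*",
    "budgets:*",
    "ce:*",
    "health:*",
    "waf:*",
    "shield:*",
    "access-analyzer:*",
    "aws-marketplace:*",
]

# Assumed break-glass role. ArnNotLike with a wildcard account ID lets one
# pattern cover every member account.
EXEMPT_PRINCIPAL_PATTERN = "arn:aws:iam::*:role/OrganizationAccountAccessRole"


def build_region_restriction_scp():
    """Return the SCP as a dict in the shape AWS Organizations expects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllOutsideAllowedRegions",
                "Effect": "Deny",
                # With Deny, NotAction means: deny everything EXCEPT these.
                "NotAction": GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {
                    # True (deny applies) when the region is not in the list.
                    "StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS},
                    # True (deny applies) when the caller is not the exempt role.
                    "ArnNotLike": {"aws:PrincipalARN": [EXEMPT_PRINCIPAL_PATTERN]},
                },
            }
        ],
    }


def render_policy():
    """JSON text suitable for --content file://policy.json."""
    return json.dumps(build_region_restriction_scp(), indent=2)


def _matches_any(value, patterns):
    # IAM action and ARN matching is case-insensitive; '*' spans any characters.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def scp_denies(policy, action, region, principal_arn):
    """Return True if this SCP blocks the request.

    Models only the Deny + NotAction + StringNotEquals/ArnNotLike shape above.
    A False result means the SCP does not stand in the way; SCPs never grant
    permissions, so the identity policy must still allow the call.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # NotAction: listed actions are outside the statement's scope.
        if _matches_any(action, stmt.get("NotAction", [])):
            continue
        cond = stmt.get("Condition", {})
        allowed = cond.get("StringNotEquals", {}).get("aws:RequestedRegion", [])
        # StringNotEquals is false (deny does not apply) inside an allowed region.
        if region in allowed:
            continue
        exempt = cond.get("ArnNotLike", {}).get("aws:PrincipalARN", [])
        # ArnNotLike is false (deny does not apply) for the break-glass role.
        if _matches_any(principal_arn, exempt):
            continue
        return True
    return False


if __name__ == "__main__":
    print(render_policy())
    policy = build_region_restriction_scp()
    dev = "arn:aws:iam::111122223333:role/Developer"  # constructed account ID
    print("ec2 in us-west-2 denied:", scp_denies(policy, "ec2:RunInstances", "us-west-2", dev))
    print("iam anywhere denied:   ", scp_denies(policy, "iam:CreateUser", "us-west-2", dev))
```

Attach the rendered document to the root or an OU with `aws organizations create-policy --type SERVICE_CONTROL_POLICY` followed by `aws organizations attach-policy`, and test it first against a sandbox OU: a missing global service in the `NotAction` list surfaces immediately as broken IAM, STS or Organizations calls in every account under that OU.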

Common mistakes

Forgetting to exempt global services when writing region-restriction SCPs, which breaks IAM, STS and other account-level operations. Relying on Region opt-in settings instead (option C): only the newer opt-in Regions can be disabled, the default-enabled Regions cannot, and a detective control such as AWS Config (option B) deletes resources after the fact rather than preventing the call. Permissions boundaries (option D) apply to IAM users and roles, not to the root user, and a boundary in the management account has no effect on member accounts.

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 5
