Difficulty: Medium · 1 mark · Multiple Choice
Tags: Domain 1.4: Multi-Account Environment · Organizations · Control Tower · Security

AWS SAP-C02 · Question 06 · Domain 1.4: Multi-Account Environment

A company is setting up a multi-account AWS environment using AWS Control Tower. They need to ensure that developers in the 'Sandbox' OU can experiment with new services, but they must not be able to create resources in regions outside of us-east-1 and eu-west-1. How should the Solutions Architect enforce this requirement?

Answer options:

A.

Apply a Service Control Policy (SCP) to the Sandbox OU that denies all actions with a condition of aws:RequestedRegion not equal to us-east-1 and eu-west-1.

B.

Configure AWS IAM permissions boundaries for all IAM roles in the Sandbox accounts to restrict regions.

C.

Use AWS Config rules to detect and automatically delete resources created in unauthorized regions.

D.

Modify the AWS Control Tower landing zone settings to disable all other regions globally.

How to approach this question

Identify the mechanism for applying preventative guardrails at the OU level.

Full Answer

A. Apply a Service Control Policy (SCP) to the Sandbox OU that denies all actions with a condition of aws:RequestedRegion not equal to us-east-1 and eu-west-1. ✓ Correct
Service Control Policies (SCPs) offer central control over the maximum available permissions for all accounts in an organization or OU, so a deny attached to the Sandbox OU acts as a preventative guardrail for every account in it regardless of the IAM permissions granted inside those accounts. Using the aws:RequestedRegion condition key in a Deny statement is the standard way to restrict the regions in which API calls are allowed.
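The policy below is an added illustration of option A, not part of the original question or the exam provider's material. It follows the shape of the region-restriction SCP documented by AWS: a Deny with a StringNotEquals condition on aws:RequestedRegion for the two approved regions. The NotAction list is an assumption about which global services the Sandbox accounts should still be able to call; those services route their API calls through a single region, so a blanket "Action": "*" deny could block them whenever that region is not in the approved list. Adjust the list to the organization's needs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "budgets:*",
        "cloudfront:*",
        "route53:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}
```

Attach this SCP to the Sandbox OU only; it does not affect the management account, and any account moved into the OU inherits it immediately. Because it is a Deny, it combines with the default FullAWSAccess SCP rather than replacing it, so developers keep whatever permissions their IAM policies grant in the two approved regions.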

Common mistakes

Choosing IAM permissions boundaries, which are harder to enforce at scale.

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 7
