
Answer-first summary for fast verification
Answer: Create an SCP that denies access to all requests that do not target eu-west-2. Use the NotAction element to exempt global services from the restriction. In AWS Organizations, apply the SCP to the root of the organization.
1. Explanation for Answer A: A Service Control Policy (SCP) that denies every request whose aws:RequestedRegion is not eu-west-2 enforces the legal requirement at the organization boundary instead of inside each account. The NotAction element lists the global services (IAM, STS, AWS Organizations, CloudFront, Route 53, AWS Support and similar) whose API calls are served from a single region, usually us-east-1, and would otherwise be blocked even though they are not region-specific workloads. Attaching the SCP to the organization root applies it to every OU and every account, so each business group inherits the same guardrail with no per-account configuration. AWS Systems Manager Session Manager is a regional service that is available in eu-west-2, so it keeps working under this policy and needs no exemption. Two caveats a practitioner should keep in mind: SCPs never affect the management account, and an SCP only restricts; each account still needs identity-based policies that grant the permissions in eu-west-2 (for Session Manager, the instance profile role with the AmazonSSMManagedInstanceCore managed policy attached).
2. Why other answers are incorrect:
- Answer B: the condition key appears here as AmNotLike; the real IAM condition operator is ArnNotLike, which is valid, so the spelling is not why B fails. The problem is what the exemption does. Matching aws:PrincipalArn with ArnNotLike removes the Session Manager instance profile role from the region restriction, so that role could make API calls outside eu-west-2, which the compliance requirement forbids. It also requires editing the root-level SCP with every account's role ARN, which defeats the purpose of a single centrally managed policy.
- Answer C: the root-level SCP already permits Session Manager calls in eu-west-2, so the per-account permissions boundary adds nothing. A permissions boundary does not grant access; it caps the maximum permissions an identity-based policy can give a user or role, so "allows access to the IAM role" misuses the feature and creates work in every account with no compliance benefit.
- Answer D: a permissions boundary applies only to the principal it is attached to. Attaching one to the Session Manager instance profile role restricts that role alone and leaves every other user and role in the account free to operate outside eu-west-2. It also has to be created and maintained separately in each account, where an account administrator can remove it; only an SCP is enforced from outside the account.
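To make the reasoning above concrete, the following is an added example, not code from the page or from AWS: it builds the answer A SCP as a Python dictionary, applies the Deny logic of the IAM policy language (NotAction plus StringNotEquals on aws:RequestedRegion) to a few constructed requests, and contrasts it with answer B's ArnNotLike exemption to show the hole that exemption opens. The account ID 111122223333, the role names, the request list and the global-service list are assumptions; the global-service list in particular is illustrative, not exhaustive.

```python
# Added example (not the page's or AWS's code): evaluate the region-restriction
# SCP from answer A against constructed requests and compare it with answer B.
# Assumptions: hypothetical account ID 111122223333, hypothetical role names,
# an illustrative (not exhaustive) global-service list and made-up requests.
import fnmatch
import json

REGION = "eu-west-2"

# Global services whose API calls carry a region other than eu-west-2
# (most are served from us-east-1). Illustrative subset; extend as needed.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "cloudfront:*", "route53:*",
    "support:*", "budgets:*", "health:*", "shield:*",
]

# Answer A: deny everything outside eu-west-2 except the global services.
SCP_ANSWER_A = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideEuWest2",
        "Effect": "Deny",
        "NotAction": GLOBAL_SERVICE_ACTIONS,
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": REGION}},
    }],
}

# Hypothetical instance profile role used by Session Manager in one account.
SSM_ROLE_ARN = "arn:aws:iam::111122223333:role/SessionManagerInstanceRole"

# Answer B: the same SCP plus an ArnNotLike exemption for that role.
SCP_ANSWER_B = json.loads(json.dumps(SCP_ANSWER_A))  # deep copy
SCP_ANSWER_B["Statement"][0]["Condition"]["ArnNotLike"] = {
    "aws:PrincipalArn": SSM_ROLE_ARN
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names match case-insensitively, with * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _conditions_hold(condition, ctx):
    """All condition blocks must be true for the statement to apply.

    Only the two operators used by the options on this page are modelled.
    """
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            actual = ctx.get(key, "")
            if operator == "StringNotEquals":
                ok = actual not in _as_list(values)
            elif operator == "ArnNotLike":
                ok = not any(fnmatch.fnmatchcase(actual, v) for v in _as_list(values))
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def scp_denies(policy, action, requested_region, principal_arn):
    """True if a Deny statement in `policy` matches the request.

    SCPs never grant access: a request this function does not deny still
    needs an identity-based policy in the account that allows it.
    """
    ctx = {"aws:RequestedRegion": requested_region,
           "aws:PrincipalArn": principal_arn}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "NotAction" in stmt:
            # The statement applies to every action NOT listed (global services).
            if any(_action_matches(p, action) for p in _as_list(stmt["NotAction"])):
                continue
        elif not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if _conditions_hold(stmt.get("Condition", {}), ctx):
            return True
    return False


# Constructed requests: (action, aws:RequestedRegion, principal ARN).
APP_ROLE_ARN = "arn:aws:iam::111122223333:role/AppRole"
REQUESTS = [
    ("ssm:StartSession", "eu-west-2", APP_ROLE_ARN),   # in-region: not denied
    ("ec2:RunInstances", "us-east-1", APP_ROLE_ARN),   # out of region: denied
    ("iam:CreateRole", "us-east-1", APP_ROLE_ARN),     # global service: exempt
    ("ssm:SendCommand", "us-east-1", SSM_ROLE_ARN),    # the hole answer B opens
]


def compare_policies(requests=REQUESTS):
    """Return {(action, region, arn): (denied_by_A, denied_by_B)}."""
    return {req: (scp_denies(SCP_ANSWER_A, *req), scp_denies(SCP_ANSWER_B, *req))
            for req in requests}


if __name__ == "__main__":
    print(json.dumps(SCP_ANSWER_A, indent=2))
    for req, (a, b) in compare_policies().items():
        print(f"{req[0]:<18} {req[1]:<10} A denies={a!s:<5} B denies={b}")
```

The last request is the point of the comparison: under answer A the Session Manager role's out-of-region ssm:SendCommand call is denied like everything else, while under answer B the ArnNotLike exemption lets it through. Before attaching a policy like SCP_ANSWER_A to the root, attach it to an OU that holds only a sandbox account and confirm in-region Session Manager sessions still start; the management account is not covered by SCPs, so test from a member account.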
Author: LeetQuiz Editorial Team
A company has a large number of AWS accounts in an organization in AWS Organizations. A different business group owns each account. All the AWS accounts are bound by legal compliance requirements that restrict all operations outside the eu-west-2 Region. The company's security team has mandated the use of AWS Systems Manager Session Manager across all AWS accounts. Which solution should a solutions architect recommend to meet these requirements?
A
Create an SCP that denies access to all requests that do not target eu-west-2. Use the NotAction element to exempt global services from the restriction. In AWS Organizations, apply the SCP to the root of the organization.
B
Create an SCP that denies access to all requests that do not target eu-west-2. Use the NotAction element to exempt global services from the restriction. For each AWS account, use the ArnNotLike condition key to add the ARN of the IAM role that is associated with the Session Manager instance profile to the condition element of the SCP. In AWS Organizations, apply the SCP to the root of the organization.
C
Create an SCP that denies access to all requests that do not target eu-west-2. Use the NotAction element to exempt global services from the restriction. In AWS Organizations, apply the SCP to the root of the organization. In each AWS account, create an IAM permissions boundary that allows access to the IAM role that is associated with the Session Manager instance profile.
D
For each AWS account, create an IAM permissions boundary that denies access to all requests that do not target eu-west-2. For each AWS account, apply the permissions boundary to the IAM role that is associated with the Session Manager instance profile.