
Answer-first summary for fast verification
Answer: Deploy an AWS Control Tower landing zone and create organizational units (OUs), attaching service control policies (SCPs) that prohibit access to services outside of the approved Regions.
Option C is the correct answer. Launching an AWS Control Tower landing zone lets you create organizational units (OUs) and attach service control policies (SCPs) that deny access to services outside the approved Regions for every account in the OU. Because an SCP is applied once at the OU level and inherited by each member account, this approach scales and is easier to manage than the alternatives. Creating IAM roles and policies in each account (Option A) or creating IAM users with attached policies (Option B) could also work, but both are per-account, identity-based controls that become cumbersome and hard to maintain as the number of accounts grows, and an administrator in one account could simply modify them. Option D, enabling AWS Security Hub, does not enforce regional restrictions; it monitors and reports on the security posture of accounts.
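The following SCP is an added example written for this page; it is not part of the original question or its explanation. It is the Region-restriction pattern the explanation refers to: a Deny that applies to every action except those of global services, conditioned on the `aws:RequestedRegion` key. The two approved Regions (`us-east-1` and `eu-west-1`) and the policy Sid are assumed values chosen for illustration; substitute the Regions approved for your OU.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*",
        "budgets:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "eu-west-1"]
        }
      }
    }
  ]
}
```

Two points a practitioner should check before attaching this to an OU. First, the `NotAction` list exists because global services such as IAM, AWS Organizations and STS are served from `us-east-1`; a plain `Action: "*"` Deny would lock accounts out of those services whenever `us-east-1` is not approved. Second, SCPs never apply to the organization's management account, so verify the policy from a member account: a call such as `aws ec2 describe-instances --region ap-southeast-2` should fail with an AccessDenied error, while the same call in an approved Region should succeed.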
Author: LeetQuiz Editorial Team
A company is expanding and plans to segregate its resources into numerous AWS accounts across various AWS Regions. A solutions architect needs to devise a strategy that restricts access to operations in non-approved Regions. What solution should the architect propose to achieve this?
A. Develop IAM roles for each account and formulate IAM policies with conditional allow permissions that exclusively include the approved Regions for those accounts.
B. Establish an organization within AWS Organizations and create IAM users for each account, attaching a policy to each user to prevent access to Regions where the account is not permitted to deploy infrastructure.
C. Deploy an AWS Control Tower landing zone and create organizational units (OUs), attaching service control policies (SCPs) that prohibit access to services outside of the approved Regions.
D. Activate AWS Security Hub across all accounts and implement controls to define the Regions in which the accounts are authorized to deploy infrastructure.