
Answer-first summary for fast verification
Answer: A and C.
- A. Use AWS Control Tower to implement data residency guardrails to deny internet access and deny access to all AWS Regions except ap-northeast-3.
- C. Use AWS Organizations to configure service control policies (SCPs) that prevent VPCs from gaining internet access. Deny access to all AWS Regions except ap-northeast-3.
## Explanation

**Correct Answers: A and C**

**A. AWS Control Tower with data residency guardrails** - AWS Control Tower provides a comprehensive way to set up and govern a secure, multi-account AWS environment. Data residency guardrails in Control Tower can:
- Deny internet access by preventing the creation of internet gateways or VPC endpoints that could provide internet access
- Restrict resource deployment to specific AWS Regions (in this case, only ap-northeast-3)

**C. AWS Organizations with Service Control Policies (SCPs)** - SCPs are the primary mechanism in AWS Organizations to enforce guardrails across multiple accounts:
- SCPs can deny actions that create internet gateways, NAT gateways, or other internet-facing resources
- SCPs can restrict resource creation to specific AWS Regions using condition keys like `aws:RequestedRegion`

**Why other options are incorrect:**

**B. AWS WAF** - AWS WAF is a web application firewall that protects web applications from common exploits, but it cannot prevent VPCs from connecting to the internet at the infrastructure level. AWS account settings don't provide granular control over VPC internet access.

**D. Network ACLs and IAM policies** - While network ACLs can block outbound traffic, they are not a preventative control (they can be modified). IAM policies can restrict users from using other Regions, but they don't prevent VPC internet connectivity at the infrastructure level.

**E. AWS Config** - AWS Config is a monitoring and compliance service that can detect and alert on configuration changes, but it doesn't prevent actions from happening. It's reactive rather than preventative.
**Key AWS Services for Compliance:**
- **AWS Control Tower**: Provides automated guardrails and account governance
- **AWS Organizations SCPs**: Enforce organization-wide policies
- **AWS Config**: Monitor compliance (detective control)
- **AWS Security Hub**: Centralized security view

**Best Practice**: For strict compliance requirements, use preventative controls (like SCPs and Control Tower guardrails) rather than detective controls or manual configurations.
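As an added worked example (not from the quiz page or from AWS), here is the SCP that option C describes, written in Python so it can be checked offline: the policy document uses real SCP syntax (`aws:RequestedRegion` plus a Deny on the EC2 calls that give a VPC an internet path), while the small evaluator that simulates how its two Deny statements apply is an assumption for illustration, not the IAM engine. The global-service exemption list is a short illustrative subset.

```python
import fnmatch
import json

REGION = "ap-northeast-3"

# Global services carry no Region, so a blanket region deny would break
# IAM, STS and Organizations. AWS's documented pattern exempts them with
# NotAction; this list is a short illustration, extend it from that example.
GLOBAL_SERVICES = ["iam:*", "sts:*", "organizations:*", "support:*",
                   "cloudfront:*", "route53:*", "budgets:*", "health:*"]

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyOutsideApNortheast3", "Effect": "Deny",
         "NotAction": GLOBAL_SERVICES, "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": REGION}}},
        {"Sid": "DenyInternetPath", "Effect": "Deny",
         "Action": ["ec2:CreateInternetGateway", "ec2:AttachInternetGateway",
                    "ec2:CreateEgressOnlyInternetGateway",
                    "ec2:CreateNatGateway"],
         "Resource": "*"},
    ],
}

def scp_json():
    """The policy as the JSON document you would attach in Organizations."""
    return json.dumps(SCP, indent=2)

def _matches(patterns, action):
    # IAM action names match case-insensitively; '*' is the only wildcard used.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _denies(stmt, action, region):
    """True when this Deny statement's action filter and its condition both hit."""
    if "Action" in stmt:
        hit = _matches(stmt["Action"], action)
    else:
        hit = not _matches(stmt["NotAction"], action)
    want = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
    if want is not None and region == want:
        hit = False  # request is in the permitted Region: condition not met
    return hit

def scp_allows(action, region):
    """True if no Deny statement blocks the call. SCPs only restrict: the
    principal's IAM policy must still grant the action for it to succeed."""
    return not any(_denies(s, action, region) for s in SCP["Statement"])
```

Simulated evaluation (hypothetical, not the real IAM engine): `scp_allows("ec2:RunInstances", "ap-northeast-3")` is True, while the same call in us-east-1 and `ec2:CreateInternetGateway` in any Region are denied.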
Author: LeetQuiz Editorial Team
A company wants to migrate its on-premises data center to AWS. According to the company's compliance requirements, the company can use only the ap-northeast-3 Region. Company administrators are not permitted to connect VPCs to the internet. Which solutions will meet these requirements? (Choose two.)
A. Use AWS Control Tower to implement data residency guardrails to deny internet access and deny access to all AWS Regions except ap-northeast-3.
B. Use rules in AWS WAF to prevent internet access. Deny access to all AWS Regions except ap-northeast-3 in the AWS account settings.
C. Use AWS Organizations to configure service control policies (SCPs) that prevent VPCs from gaining internet access. Deny access to all AWS Regions except ap-northeast-3.
D. Create an outbound rule for the network ACL in each VPC to deny all traffic from 0.0.0.0/0. Create an IAM policy for each user to prevent the use of any AWS Region other than ap-northeast-3.
E. Use AWS Config to activate managed rules to detect and alert for internet gateways and to detect and alert for new resources deployed outside of ap-northeast-3.