
Answer-first summary for fast verification
Answer: Use AWS Control Tower for account governance. Configure Region deny controls. Use service control policies (SCPs) to restrict root user access.
AWS Control Tower provides an automated, centralized framework for setting up and governing a multi-account environment. It lets you define Region deny controls directly and uses service control policies (SCPs) from AWS Organizations to enforce preventive security boundaries across every member account, for example blocking root user actions and denying deletion of CloudTrail logs. Because SCPs and controls are attached at the organization or OU level, they apply automatically to existing and future accounts. The other options are either detective and reactive (AWS Config rules, Security Hub findings) or do not enforce prevention at the organization level across all accounts.
Author: Ritesh Yadav
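To make the SCP part of the answer concrete, here is an added example (not from the question page or from AWS documentation) of one SCP covering the three requirements, plus a small evaluator that models only explicit Deny matching for the StringEquals and ArnLike operators used; the Sid values, account IDs and principal ARNs are constructed, and real evaluation is done by AWS, which also requires an allow-listing SCP such as FullAWSAccess to remain attached.

```python
import fnmatch

# Constructed SCP for the three requirements in Question #69.
# Sid names are illustrative; aws:RequestedRegion and aws:PrincipalArn are real global condition keys.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Requirement 1: no EC2 instances may be launched in ap-southeast-2
            "Sid": "DenyEC2InSydney",
            "Effect": "Deny",
            "Action": ["ec2:RunInstances"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-southeast-2"}},
        },
        {   # Requirement 2: block every action taken by a member-account root user
            "Sid": "DenyRootUser",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
        },
        {   # Requirement 3: nobody, administrators included, may delete trails or stop logging
            "Sid": "ProtectCloudTrail",
            "Effect": "Deny",
            "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging"],
            "Resource": "*",
        },
    ],
}


def _condition_matches(cond, ctx):
    """Evaluate the StringEquals / ArnLike operators used above against a request context."""
    for key, value in cond.get("StringEquals", {}).items():
        if ctx.get(key) != value:
            return False
    for key, pattern in cond.get("ArnLike", {}).items():
        if not fnmatch.fnmatchcase(ctx.get(key, ""), pattern):
            return False
    return True


def denied_by_scp(policy, principal_arn, action, region):
    """Return the Sid of the first matching Deny statement, or None if no Deny applies."""
    ctx = {"aws:PrincipalArn": principal_arn, "aws:RequestedRegion": region}
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None
```

Note that an SCP attached to the organization root does not restrict the management account, so root-user protection there must be handled separately.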
Question #69

A multinational company uses an organization in AWS Organizations to manage over 200 member accounts across multiple AWS Regions. The company must ensure that all AWS resources meet specific security requirements. The company must not deploy any EC2 instances in the ap-southeast-2 Region. The company must completely block root user actions in all member accounts. The company must prevent any user from deleting AWS CloudTrail logs, including administrators. The company requires a centrally managed solution that the company can automatically apply to all existing and future accounts.

Which solution will meet these requirements?

A. Create AWS Config rules with remediation actions in each account to detect policy violations. Implement IAM permissions boundaries for the account root users.

B. Enable AWS Security Hub across the organization. Create custom security standards to enforce the security requirements. Use AWS CloudFormation StackSets to deploy the standards to all the accounts in the organization. Set up Security Hub automated remediation actions.

C. Use AWS Control Tower for account governance. Configure Region deny controls. Use service control policies (SCPs) to restrict root user access.

D. Configure AWS Firewall Manager with security policies to meet the security requirements. Use an AWS Config aggregator with organization-wide conformance packs to detect security policy violations.