nerdexam

DOP-C02 Question #199: Real Exam Question with Answer & Explanation

Correct answers: A and B.

Submitted by anna_se · Mar 6, 2026 · Security & Compliance

Question

A DevOps engineer is implementing governance controls for a company that requires its infrastructure to be housed within the United States. The engineer must restrict which AWS Regions can be used, and ensure an alert is sent as soon as possible if any activity outside the governance policy takes place. The controls should be automatically enabled on any new Region outside the United States (US). Which combination of actions will meet these requirements? (Choose two.)

Options

  • A. Create an AWS Organizations SCP that denies access to all non-global services in non-US
  • B. Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs and enable it for all
  • C. Use an AWS Lambda function that checks for AWS service activity and deploy it to all Regions.
  • D. Use an AWS Lambda function to query Amazon Inspector to look for service activity in non-US
  • E. Write an SCP using the aws:RequestedRegion condition key limiting access to US Regions.

Explanation

Why A and B are correct: an AWS Organizations SCP that denies non-global services outside the US Regions is a preventive control. It is evaluated on every API call in every member account it is attached to, so it covers a newly enabled Region with no per-Region deployment: an SCP is policy, not something installed in a Region. A CloudTrail trail that applies to all Regions and delivers to a CloudWatch Logs log group is the matching detective control (in a multi-account setup an organization trail does this for every member account). CloudTrail extends an all-Region trail to new Regions automatically, and a metric filter on the event's awsRegion plus a CloudWatch alarm gives a near-real-time alert, typically within minutes, on any activity outside the policy. Calls the SCP has already denied still appear in the trail with an AccessDenied error, so attempted violations alert as well.

Why the distractors are wrong:

  • C is incorrect because a Lambda function is a Regional resource: it has to be deployed into each Region, and nothing in the option extends it to a Region enabled after deployment. It is also a check that runs on a schedule rather than on the event itself, so it is not the "as soon as possible" alert the question asks for.
  • D is incorrect because Amazon Inspector assesses workloads (EC2, ECR, Lambda) for vulnerabilities; it is not a source of API-activity data and cannot tell you which Regions are being used.
  • E is the close distractor. aws:RequestedRegion is a valid global condition key, and it is exactly how the Deny statement in A is written in practice (StringNotEquals on aws:RequestedRegion against the list of US Regions). As stated here, though, E limits all access to US Regions with no exemption for global services, while A explicitly denies only non-global services; A is the answer the key accepts, and only A carries that carve-out.

⚠️ Exam Note: A and E both describe a Region-restricting SCP, and E names the condition key you would use to build A. The difference the question rewards is that A explicitly exempts global services (IAM, STS, Organizations, Route 53, CloudFront and similar). AWS's own documented Region-deny SCP carves these out in a NotAction element because a blanket deny keyed only on aws:RequestedRegion can block legitimate calls to them; that exemption is what makes A the complete governance control here.

Memory Tip: think "Prevent + Detect". The SCP prevents unauthorized Regional usage; CloudTrail plus CloudWatch detects and alerts on it. A governance solution needs both layers, because a preventive control alone tells you nothing about who tried.
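The two controls above, as an added example that is not part of the original page and not AWS's own code: it builds the Region-restricting SCP of answer A using the aws:RequestedRegion key named in answer E, evaluates it against a few requests with a deliberately simplified IAM action matcher, and builds the CloudWatch Logs metric-filter pattern that answer B's alarm would use, run over constructed CloudTrail records. The Region allow-list, the global-service list (a subset of the services AWS exempts in its documented Region-deny SCP; extend it from the AWS docs before deploying), the sample events and every function name are assumptions of this example.

```python
"""Added example (not from nerdexam or AWS): local model of answers A and B."""
import json
import re

# Assumed allow-list: the commercial US Regions.
US_REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2"]

# Subset of the global / single-endpoint services that must stay reachable.
# Answer A's "non-global services" wording is what this NotAction list implements.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "route53:*", "cloudfront:*",
    "support:*", "budgets:*", "ce:*", "health:*", "kms:*", "cloudtrail:*",
    "s3:ListAllMyBuckets", "ec2:DescribeRegions",
]


def build_region_scp(allowed_regions=US_REGIONS, global_actions=GLOBAL_SERVICE_ACTIONS):
    """SCP for answer A: deny everything except global services when the
    requested Region is not in the allow-list (attach to the org root or an OU)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNonUSRegionsExceptGlobalServices",
            "Effect": "Deny",
            "NotAction": list(global_actions),
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}
            },
        }],
    }


def _action_matches(pattern, action):
    """IAM-style action match: case-insensitive, '*' is a wildcard."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def scp_denies(scp, action, requested_region):
    """Simplified evaluator: True if a Deny statement in the SCP matches this
    call. Real IAM evaluation also needs an Allow from identity policies;
    an SCP only caps what a principal may do, it never grants anything."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if any(_action_matches(p, action) for p in stmt.get("NotAction", [])):
            continue  # exempt global service, Region is irrelevant
        allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if requested_region not in allowed:
            return True
    return False


def build_metric_filter_pattern(allowed_regions=US_REGIONS):
    """CloudWatch Logs JSON filter pattern for answer B: match any CloudTrail
    event whose awsRegion is outside the allow-list."""
    clauses = " && ".join(f'($.awsRegion != "{r}")' for r in allowed_regions)
    return "{ " + clauses + " }"


def alerting_events(events, allowed_regions=US_REGIONS):
    """Local stand-in for the metric filter: the events that would increment
    the alarm metric. Denied calls are still logged (errorCode AccessDenied),
    so attempted violations alert too."""
    return [e for e in events if e.get("awsRegion") not in allowed_regions]


# Constructed CloudTrail records (not real captures). CloudTrail records
# global IAM calls with awsRegion us-east-1, so they do not trip the filter.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "eu-west-1", "errorCode": "AccessDenied"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "us-east-2"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1"},
]


if __name__ == "__main__":
    print(json.dumps(build_region_scp(), indent=2))
    print(build_metric_filter_pattern())
    for ev in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", ev["eventSource"], ev["eventName"], ev["awsRegion"])
```

The SCP document is what you would pass to `aws organizations create-policy --type SERVICE_CONTROL_POLICY`, and the filter pattern is what you would pass to `aws logs put-metric-filter` on the trail's log group, with `aws cloudwatch put-metric-alarm` on the resulting metric feeding an SNS topic. The evaluator shows the point behind the A-versus-E distinction: an EC2 call in eu-west-1 is denied, the same call in a US Region is not, and a Route 53 or IAM call is never denied regardless of Region because it falls under NotAction.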

Topics

#AWS Organizations #Service Control Policies #Region Restriction #Real-time Monitoring & Alerting
