
SAA-C03 Question #740: Real Exam Question with Answer & Explanation

The correct answer is A: Configure a service control policy (SCP) to deny the ec2:RunInstances action in non-compliant.

Submitted by hassan_iq · Mar 4, 2026 · Design Secure Architectures

Question

A global company operates in multiple AWS Regions to meet data residency requirements. The company uses AWS Organizations to manage its accounts. The company wants to restrict IAM roles and access to specific Regions to prevent accidental data operations across geographic boundaries. Which solution will meet these requirements?

Options

  • A. Configure a service control policy (SCP) to deny the ec2:RunInstances action in non-compliant
  • B. Configure IAM policies by using the aws:RequestedRegion condition.
  • C. Configure IAM role trust policies that use the aws:SourceIp condition.
  • D. Configure AWS Config to detect unwanted access across Regions.

Explanation

Service control policies (SCPs) in AWS Organizations can restrict actions across all accounts in the organization. By denying specific actions, such as ec2:RunInstances, in non-compliant Regions, the company enforces region-specific access and prevents accidental cross-Region operations at the account level.
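The SCP described above, as an added example that is not part of the original page: it builds the policy document and checks constructed sample requests against it. The allowed Region list and the function names are assumptions, and `scp_denies` is a simplified model of Deny matching, not AWS's evaluation engine.

```python
import json
from fnmatch import fnmatchcase

# Assumption: the Regions the company treats as compliant (constructed values).
ALLOWED_REGIONS = ["eu-central-1", "eu-west-1"]

def build_region_scp(allowed_regions):
    """Return an SCP document that denies ec2:RunInstances outside allowed_regions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyRunInstancesOutsideAllowedRegions",
            "Effect": "Deny",
            "Action": ["ec2:RunInstances"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}
            },
        }],
    }

def scp_denies(policy, action, region):
    """Simplified model of SCP Deny matching (hypothetical helper).

    Handles only Deny statements with an Action list and a StringNotEquals
    condition on aws:RequestedRegion, which is all this policy uses.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # IAM action names are case-insensitive and may contain wildcards.
        if not any(fnmatchcase(action.lower(), a.lower()) for a in stmt["Action"]):
            continue
        allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        # StringNotEquals with several values holds only if the key matches none.
        if region not in allowed:
            return True
    return False

SCP = build_region_scp(ALLOWED_REGIONS)

if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    # Constructed sample requests: (action, requested Region)
    for action, region in [("ec2:RunInstances", "eu-west-1"),
                           ("ec2:RunInstances", "us-east-1"),
                           ("s3:PutObject", "us-east-1")]:
        verdict = "DENY" if scp_denies(SCP, action, region) else "not denied by this SCP"
        print(f"{action:18} {region:12} {verdict}")
```

An SCP only limits what identities in the affected accounts can do; it grants no permissions itself and does not apply to the organization's management account.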
