nerdexam

SCS-C02 Question #447: Real Exam Question with Answer & Explanation

The correct answer is C: {"Version": "2012-10-17", "Statement": [ { "Sid": "DenyNonDefaultRegions", "Effect": "Deny", "NotAction": [ "<Desired Global Services>" ], "Resource": "*", "Condition": { "StringNotEquals": { "aws:RequestedRegion": [ "eu-west-1" ] } } } ]}

Submitted by devops_kid · Mar 6, 2026

Identity and Access Management / Security Controls: implementing organizational guardrails using SCPs to enforce region-based restrictions across AWS accounts

Question

A company is using AWS Organizations with the default SCP. The company needs to restrict AWS usage for all AWS accounts that are in a specific OU. Except for some desired global services, the AWS usage must occur only in the eu-west-1 Region for all accounts in the OU. A security engineer must create an SCP that applies the restriction to existing accounts and any new accounts in the OU. Which SCP will meet these requirements?

Options

  • A: {"Version": "2012-10-17", "Statement": [ { "Sid": "DenyNonDefaultRegions", "Effect": "Deny", "NotAction": [ "<Desired Global Services>" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestedRegion": [ "eu-west-1" ] } } } ]}
  • B: {"Version": "2012-10-17", "Statement": [ { "Sid": "DenyNonDefaultRegions", "Effect": "Allow", "Action": [ "<Desired Global Services>" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestedRegion": [ "eu-west-1" ] } } } ]}
  • C: {"Version": "2012-10-17", "Statement": [ { "Sid": "DenyNonDefaultRegions", "Effect": "Deny", "NotAction": [ "<Desired Global Services>" ], "Resource": "*", "Condition": { "StringNotEquals": { "aws:RequestedRegion": [ "eu-west-1" ] } } } ]}
  • D: {"Version": "2012-10-17", "Statement": [ { "Sid": "DenyNonDefaultRegions", "Effect": "Allow", "NotAction": [ "<Desired Global Services>" ], "Resource": "*", "Condition": { "StringNotEquals": { "aws:RequestedRegion": [ "eu-west-1" ] } } } ]}

Explanation

Option C is correct. The statement combines Effect: Deny with NotAction, so it matches every action except the listed global services, and the StringNotEquals condition on aws:RequestedRegion limits that deny to requests whose Region is anything other than eu-west-1. The net effect is that all activity outside eu-west-1 is denied, the listed global services (for example IAM, CloudFront, Route 53, STS) keep working everywhere, and activity inside eu-west-1 is untouched. Because the policy is attached to the OU rather than to individual accounts, it applies to every account already in the OU and to any account later created in or moved into it, which satisfies the "existing and new accounts" requirement.

Why the other options fail: Option A swaps the condition to StringEquals, so the deny fires only when the request is for eu-west-1, the reverse of what is wanted. Options B and D use Effect: Allow. SCPs never grant permissions, they only cap what IAM can grant; with the default FullAWSAccess SCP still attached, an Allow statement with a Region condition adds nothing and denies nothing, so usage in every other Region remains permitted.

Points to keep in mind when deploying this pattern: leave FullAWSAccess (or an equivalent Allow) attached, because SCPs are evaluated as an allow list plus explicit denies and removing it blocks everything. Calls to global services are not Region-less; an IAM call, for instance, carries aws:RequestedRegion = us-east-1, which is why those services must be listed under NotAction rather than assumed to be exempt. SCPs do not apply to the management account or to service-linked roles. AWS's published example for this pattern also adds an ArnNotLike condition on aws:PrincipalARN to exempt a break-glass administrator role, so that the deny cannot lock out the people who need to fix it.
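The reasoning above can be checked offline with a small evaluator. This is an added example, not code from the exam page or from AWS: it models only the parts of SCP evaluation that decide this question (an explicit Deny always wins, a request must also be allowed by some SCP in the account's path such as the default FullAWSAccess, Action/NotAction matching with '*' wildcards, and StringEquals/StringNotEquals on aws:RequestedRegion). The list of global services substituted for the "<Desired Global Services>" placeholder and the sample API calls are assumptions constructed for the demonstration.

```python
"""Offline check of the four candidate SCPs from the question.

Added example, not code from the exam page or from AWS. It is not a full IAM
policy engine; it covers just enough of SCP evaluation to show which option
denies out-of-Region calls while leaving in-Region and global-service calls
allowed.
"""
import fnmatch

# The exam leaves the global services as the placeholder
# "<Desired Global Services>"; this list is an assumption for the demo.
GLOBAL_SERVICES = ["iam:*", "sts:*", "organizations:*", "route53:*",
                   "cloudfront:*", "support:*"]

# The default SCP that AWS Organizations attaches to every root, OU and account.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def candidate(effect, action_key, operator):
    """Build one of the four exam options; they differ only in these three fields."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyNonDefaultRegions",
        "Effect": effect,
        action_key: GLOBAL_SERVICES,
        "Resource": "*",
        "Condition": {operator: {"aws:RequestedRegion": ["eu-west-1"]}},
    }]}


CANDIDATES = {
    "A": candidate("Deny", "NotAction", "StringEquals"),
    "B": candidate("Allow", "Action", "StringEquals"),
    "C": candidate("Deny", "NotAction", "StringNotEquals"),
    "D": candidate("Allow", "NotAction", "StringNotEquals"),
}

# Constructed sample calls. Global services are not Region-less: an IAM call
# carries aws:RequestedRegion = us-east-1, so it must be excluded via NotAction.
REQUESTS = [
    ("ec2:RunInstances", "eu-west-1"),   # in-Region work, must stay allowed
    ("ec2:RunInstances", "us-east-1"),   # out-of-Region work, must be denied
    ("iam:CreateRole", "us-east-1"),     # global service, must stay allowed
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_hit(statement, action):
    """IAM action matching is case-insensitive and '*' is the only wildcard."""
    def matches(patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))
    if "Action" in statement:
        return matches(statement["Action"])
    return not matches(statement["NotAction"])   # NotAction: everything except the list


def _conditions_hit(statement, context):
    for operator, keys in statement.get("Condition", {}).items():
        for key, wanted in keys.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(wanted):
                    return False
            elif operator == "StringNotEquals":
                if actual in _as_list(wanted):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def evaluate(scps, action, region):
    """'Allow' or 'Deny' for one API call under the SCPs on the account's path."""
    context = {"aws:RequestedRegion": region}
    allowed = False
    for policy in scps:
        for statement in policy["Statement"]:
            if not (_action_hit(statement, action) and _conditions_hit(statement, context)):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"                 # explicit deny wins regardless of order
            allowed = True
    return "Allow" if allowed else "Deny"     # SCPs are an allow list: no match, no access


def decisions(option):
    """Outcome of each sample call with FullAWSAccess plus one candidate attached."""
    scps = [FULL_AWS_ACCESS, CANDIDATES[option]]
    return {(a, r): evaluate(scps, a, r) for a, r in REQUESTS}


def meets_requirement(option):
    """True only if in-Region and global calls are allowed and out-of-Region calls are denied."""
    d = decisions(option)
    return (d[("ec2:RunInstances", "eu-west-1")] == "Allow"
            and d[("ec2:RunInstances", "us-east-1")] == "Deny"
            and d[("iam:CreateRole", "us-east-1")] == "Allow")


if __name__ == "__main__":
    for option in "ABCD":
        print(option, "meets requirement" if meets_requirement(option) else "fails", decisions(option))
```

Running it shows only option C passing: A denies the in-Region EC2 call instead of the out-of-Region one, and B and D change nothing because an Allow cannot narrow what FullAWSAccess already permits. Evaluating option C on its own, without FullAWSAccess, denies everything, which is the "leave the default SCP attached" caveat from the explanation.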

Topics

#AWS Organizations #Service Control Policies (SCPs) #IAM Policy Conditions #Region Restriction
