nerdexam


SOA-C02 Question #249: Real Exam Question with Answer & Explanation

The correct answer is D: Create a service control policy (SCP) in AWS Organizations to deny the ec2:RunInstances action. An SCP attached at the organization level is a single, centrally managed guardrail that enforces the Region restriction in every member account at once, with no per-account policy to create or maintain.

Submitted by jaden.t · Mar 30, 2026 · Security and Compliance

Question

A company uses AWS Organizations to manage multiple AWS accounts. Corporate policy mandates that only specific AWS Regions can be used to store and process customer data. A SysOps administrator must prevent the provisioning of Amazon EC2 instances in unauthorized Regions by anyone in the company. What is the MOST operationally efficient solution that meets these requirements?

Options

  • A. Configure AWS CloudTrail in all Regions to record all API activity.
  • B. In each AWS account, create a managed IAM policy that uses a Region condition to deny the
  • C. In each AWS account, create an IAM permissions boundary policy that uses a Region condition
  • D. Create a service control policy (SCP) in AWS Organizations to deny the ec2:RunInstances action

Explanation

Option D is correct because a service control policy (SCP) attached at the AWS Organizations level (to the root or to an organizational unit) acts as a centralized guardrail: a single Deny statement on ec2:RunInstances, conditioned on the aws:RequestedRegion global condition key, is enforced in every member account simultaneously. One policy, organization-wide enforcement, no per-account management required. A practical caveat: SCPs never grant permissions, and they do not apply to the organization's management account, so that account should not be used for workload provisioning.

Why the distractors fail:

  • A (CloudTrail) only records API activity after the fact; it does nothing to prevent provisioning in unauthorized Regions.
  • B (Managed IAM policy per account) would work technically, but requires manually creating and maintaining the policy in every account - operationally expensive and error-prone at scale.
  • C (IAM permissions boundary per account) has the same scalability problem as B; permissions boundaries must be applied to individual IAM principals per account, making them impractical for organization-wide enforcement.

Memory tip: Think of SCPs as the "org-level bouncer" - they set the maximum permissions ceiling for every account in the organization regardless of what IAM policies say. Whenever a question asks for a single, centralized control that applies across all accounts in AWS Organizations, SCPs are almost always the answer.
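As an added example (not part of the exam page, and not AWS's own documentation or tooling), the following Python builds the Deny-on-Region SCP that option D describes and runs a small local check of which requests it would block. The approved Regions are an assumption, and `scp_denies` is a deliberately simplified evaluator covering only the Deny/StringNotEquals shape this policy uses, not the full IAM evaluation logic.

```python
"""Build a Region-restriction SCP and sanity-check what it denies.

Added example for illustration; not code from the exam page or from AWS.
The approved Regions and the evaluator below are assumptions/simplifications.
"""
import fnmatch
import json

# Assumption: the corporate-approved Regions for customer data.
ALLOWED_REGIONS = ["us-east-1", "eu-west-1"]


def build_region_scp(allowed_regions):
    """Return an SCP document denying ec2:RunInstances outside allowed_regions.

    StringNotEquals on aws:RequestedRegion makes the Deny fire for any request
    whose target Region is not in the list. SCPs only ever restrict; an account
    still needs an IAM Allow for RunInstances to succeed in approved Regions.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyRunInstancesOutsideApprovedRegions",
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}
                },
            }
        ],
    }


def scp_json(policy):
    """Serialize the SCP for `aws organizations create-policy --content`."""
    return json.dumps(policy, indent=2)


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(policy, action, region):
    """Simplified evaluator: does any Deny statement in this SCP match?

    Handles only the shape used above (Action list or string, optional
    StringNotEquals on aws:RequestedRegion). Real IAM evaluation also
    considers Resource, other condition operators and the Allow side.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if not isinstance(actions, list):
            actions = [actions]
        if not any(_action_matches(a, action) for a in actions):
            continue
        cond = stmt.get("Condition", {})
        if "StringNotEquals" not in cond:
            return True  # unconditional Deny
        allowed = cond["StringNotEquals"].get("aws:RequestedRegion", [])
        if not isinstance(allowed, list):
            allowed = [allowed]
        if region not in allowed:
            return True
    return False


if __name__ == "__main__":
    policy = build_region_scp(ALLOWED_REGIONS)
    print(scp_json(policy))
    # Constructed sample requests: (action, Region) pairs an engineer might try.
    for action, region in [
        ("ec2:RunInstances", "eu-west-1"),
        ("ec2:RunInstances", "ap-southeast-2"),
        ("ec2:DescribeInstances", "ap-southeast-2"),
    ]:
        verdict = "DENIED by SCP" if scp_denies(policy, action, region) else "not denied by SCP"
        print(f"{action} in {region}: {verdict}")
```

Attach the generated document to the organization root or the relevant OU, remembering that it has no effect on the management account. Because the statement names only ec2:RunInstances, it does not need the exemptions for global services (IAM, STS, Route 53, and so on) that a broad "deny everything outside these Regions" SCP would require.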

Topics

#AWS Organizations · #Service Control Policies (SCPs) · #Region restriction · #Resource governance
