ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam
Go to Exam

Exam AWS Certified Security - Specialty topic 1 question 422 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 422
Topic #: 1
[All AWS Certified Security - Specialty Questions]

A company is running its workloads in a single AWS Region and uses AWS Organizations. A security engineer must implement a solution to prevent users from launching resources in other Regions.

Which solution will meet these requirements with the LEAST operational overhead?

  • A. Create an IAM policy that has an aws:RequestedRegion condition that allows actions only in the designated Region. Attach the policy to all users.
  • B. Create an IAM policy that has an aws:RequestedRegion condition that denies actions that are not in the designated Region. Attach the policy to the AWS account in AWS Organizations.
  • C. Create an IAM policy that has an aws:RequestedRegion condition that allows the desired actions. Attach the policy only to the users who are in the designated Region.
  • D. Create an SCP that has an aws:RequestedRegion condition that denies actions that are not in the designated Region. Attach the SCP to the AWS account in AWS Organizations.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by AdamWest at Nov. 23, 2022, 3:06 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
AdamWest
Highly Voted 2 years, 9 months ago
D - Although you can use a IAM policy to prevent users launching resources in other regions. The best practice is to use SCP when using AWS organizations. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region
upvoted 14 times
AzureDP900
2 years, 5 months ago
Thank you for sharing the link
upvoted 1 times
...
...
vvsandipvv
Most Recent 1 year, 2 months ago
It's funny how all organisation questions has answer with Scp only
upvoted 1 times
...
ITGURU51
2 years, 3 months ago
Option D is the best solution to meet the requirements with the least operational overhead. By creating an SCP that denies actions that are not in the designated Region and attaching it to the AWS account in AWS Organizations, you can ensure that no user or role can launch resources in other Regions, regardless of their IAM permissions.
upvoted 2 times
...
milofficial
2 years, 6 months ago
Selected Answer: D
cross account permissions - > SCP
upvoted 1 times
...
Un1c0rn
2 years, 8 months ago
Selected Answer: D
Answer: D SCP is for less effort and most effective
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel