SAP-C02: Managing AWS Accounts Across Multiple Regions

Explore how AWS Control Tower and Service Control Policies can be used to manage hundreds of AWS accounts across multiple regions. Learn how to deny operations outside of designated regions effectively.

Question

A company is expanding. The company plans to separate its resources into hundreds of different AWS accounts in multiple AWS Regions. A solutions architect must recommend a solution that denies access to any operations outside of specifically designated Regions.

Which solution will meet these requirements?

A. Create IAM roles for each account. Create IAM policies with conditional allow permissions that include only approved Regions for the accounts.
B. Create an organization in AWS Organizations. Create IAM users for each account. Attach a policy to each user to block access to Regions where an account cannot deploy infrastructure.
C. Launch an AWS Control Tower landing zone. Create OUs and attach SCPs that deny access to run services outside of the approved Regions.
D. Enable AWS Security Hub in each account. Create controls to specify the Regions where an account can deploy infrastructure.

Answer

C. Launch an AWS Control Tower landing zone. Create OUs and attach SCPs that deny access to run services outside of the approved Regions.

Explanation

AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment. It establishes a landing zone based on best-practice blueprints and enables governance through guardrails that you choose from a pre-packaged list. Organizational Units (OUs) group accounts with similar requirements, and Service Control Policies (SCPs) attached to an OU permit or deny actions across every account in it, so a single Region-deny SCP enforces the restriction centrally instead of relying on IAM policies maintained in each account.
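The sketch below is an added example, not part of the original question or of AWS's own tooling: it builds a Region-deny SCP of the kind described in answer C and checks constructed requests against it. The approved Regions, the exempted global-service list, and the helper names `build_region_deny_scp` and `scp_denies` are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Assumed for illustration: approved Regions and exempted global services.
# Global services such as IAM are served from us-east-1, so without the
# NotAction exemption the deny would also block them.
APPROVED_REGIONS = ["eu-west-1", "eu-central-1"]
GLOBAL_SERVICE_ACTIONS = ["iam:*", "organizations:*", "route53:*",
                          "cloudfront:*", "sts:*", "support:*"]

def build_region_deny_scp(approved_regions, exempt_actions):
    """Return an SCP document that denies requests outside approved Regions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": exempt_actions,
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": approved_regions}
            },
        }],
    }

def scp_denies(scp, action, requested_region):
    """Simplified check that models only the statement shape built above."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        exempt = any(fnmatchcase(action.lower(), p.lower())
                     for p in stmt["NotAction"])
        allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if not exempt and requested_region not in allowed:
            return True
    return False

SCP = build_region_deny_scp(APPROVED_REGIONS, GLOBAL_SERVICE_ACTIONS)

if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))  # document to attach to the OU
    # Constructed sample requests: (action, requested Region)
    for action, region in [("ec2:RunInstances", "eu-west-1"),
                           ("ec2:RunInstances", "us-east-1"),
                           ("iam:CreateRole", "us-east-1")]:
        verdict = "DENY" if scp_denies(SCP, action, region) else "not denied by SCP"
        print(f"{action:20} {region:12} {verdict}")
```

An SCP only sets the outer limit on permissions: a request it does not deny still needs an allow from an IAM policy in the account.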
