Amazon Exam DOP-C02 Topic 3 Question 16 Discussion

Actual exam question for Amazon's DOP-C02 exam

Question #: 16
Topic #: 3

A DevOps engineer is implementing governance controls for a company that requires its infrastructure to be housed within the United States. The engineer must restrict which AWS Regions can be used, and ensure an alert is sent as soon as possible if any activity outside the governance policy takes place. The controls should be automatically enabled on any new Region outside the United States (US).

Which combination of actions will meet these requirements? (Select TWO.)

ACreate an AWS Organizations SCP that denies access to all non-global services in non-US Regions. Attach the policy to the root of the organization.

BConfigure AWS CloudTrail to send logs to Amazon CloudWatch Logs and enable it for all Regions. Use a CloudWatch Logs metric filter to send an alert on any service activity in non-US Regions.

CUse an AWS Lambda function that checks for AWS service activity and deploy it to all Regions. Write an Amazon EventBridge rule that runs the Lambda function every hour, sending an alert if activity is found in a non-US Region.

DUse an AWS Lambda function to query Amazon Inspector to look for service activity in non-US Regions and send alerts if any activity is found.

EWrite an SCP using the aws: RequestedRegion condition key limiting access to US Regions. Apply the policy to all users, groups, and roles

Show Suggested Answer

Suggested Answer: A, B

To implement governance controls that restrict AWS service usage to within the United States and ensure alerts for any activity outside the governance policy, the following actions will meet the requirements:

A) Create an AWS Organizations SCP that denies access to all non-global services in non-US Regions. Attach the policy to the root of the organization.This action will effectively prevent users and roles in all accounts within the organization from accessing services in non-US Regions12.

B) Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs and enable it for all Regions. Use a CloudWatch Logs metric filter to send an alert on any service activity in non-US Regions.This action will allow monitoring of all AWS Regions and will trigger alerts if any activity is detected in non-US Regions, ensuring that the governance team is notified as soon as possible3.

AWS Documentation on Service Control Policies (SCPs) and how they can be used to manage permissions and restrict access based on Regions12.

AWS Documentation on monitoring CloudTrail log files with Amazon CloudWatch Logs to set up alerts for specific activities3.

by Ammie at Dec 26, 2023, 10:47 AM

Limited Time Offer

25%

Off

Get Premium DOP-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

7 months ago

Hmm, this is an interesting one. Let's see, I think the key here is to restrict access to non-US regions and set up some kind of alert mechanism. The SCP option in A sounds promising, but I'm not sure if it covers all the non-global services. And B seems like a good way to monitor activity, but we'd need to figure out how to filter for just the non-US regions.

upvoted 0 times

...