
Amazon Exam SOA-C02 Topic 1 Question 109 Discussion

Actual exam question for Amazon's SOA-C02 exam
Question #: 109
Topic #: 1
[All SOA-C02 Questions]

A company uses AWS Organizations to manage multiple AWS accounts. Corporate policy mandates that only specific AWS Regions can be used to store and process customer data. A SysOps administrator must prevent the provisioning of Amazon EC2 instances in unauthorized Regions by anyone in the company.

What is the MOST operationally efficient solution that meets these requirements?

Suggested Answer: D

Objective:

Enforce corporate policy to prevent the creation of EC2 instances in unauthorized AWS Regions.

Using Service Control Policies (SCPs):

SCPs are an AWS Organizations feature that allows centralized control over the maximum permissions available to every account in the organization; an SCP never grants access by itself, it only limits what the accounts' own IAM policies can allow.

By attaching an SCP to the root level of the organization, you can enforce the restriction across all accounts.

Solution Implementation:

Step 1: Open the AWS Organizations console.

Step 2: Create a new SCP with the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-2"
          ]
        }
      }
    }
  ]
}

Replace "us-east-1" and "us-west-2" with the allowed Regions. (IAM policy documents are JSON, so the keys and values must use double quotes.)

Step 3: Attach the SCP to the root level of the organization.
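To make the policy above concrete, here is an added Python example (not from the exam answer, the site, or AWS) that builds the same SCP document from a list of allowed Regions and then checks a few constructed requests against it, so you can see which calls the Deny statement actually catches before attaching it. The allowed-Region list, the policy file name and the root ID in the trailing CLI comment are assumptions; the evaluator models only the StringNotEquals / aws:RequestedRegion construct used here and is an illustration of the decision logic, not AWS's policy evaluator.

```python
import fnmatch
import json
from typing import Dict, List

# Constructed sample value for this example; substitute the Regions your policy permits.
ALLOWED_REGIONS = ["us-east-1", "us-west-2"]


def build_region_scp(allowed_regions: List[str]) -> Dict:
    """Return the SCP document from the suggested answer: an explicit Deny on
    ec2:RunInstances whenever aws:RequestedRegion is not an allowed Region."""
    if not allowed_regions:
        # With an empty list, StringNotEquals matches every Region and every launch is denied.
        raise ValueError("allowed_regions must contain at least one Region")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyEC2LaunchOutsideAllowedRegions",
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}
                },
            }
        ],
    }


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are matched case-insensitively and may contain '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(policy: Dict, action: str, requested_region: str) -> bool:
    """Simplified, offline evaluation of one request against the SCP's Deny statements.

    Only the construct used above (StringNotEquals on aws:RequestedRegion) is modelled.
    An SCP never grants access: False means "not blocked by the SCP", and the caller's
    IAM policy must still allow the action.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_action_matches(p, action) for p in actions):
            continue  # this statement does not cover the requested action
        not_equals = stmt.get("Condition", {}).get("StringNotEquals", {})
        if "aws:RequestedRegion" in not_equals:
            allowed = not_equals["aws:RequestedRegion"]
            allowed = allowed if isinstance(allowed, list) else [allowed]
            if requested_region in allowed:
                continue  # condition not satisfied, so this Deny does not apply
        return True
    return False


def evaluate_requests(policy: Dict, requests: List[tuple]) -> Dict[str, bool]:
    """Map "action@region" to whether the SCP denies it, for a quick policy review."""
    return {f"{a}@{r}": scp_denies(policy, a, r) for a, r in requests}


def policy_json(policy: Dict) -> str:
    """Render the document as it would be saved to a file for the CLI."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    scp = build_region_scp(ALLOWED_REGIONS)
    print(policy_json(scp))
    # Constructed requests: the first is permitted by the SCP, the second is blocked,
    # and the last two show the SCP's scope: it covers nothing but ec2:RunInstances.
    for key, denied in evaluate_requests(scp, [
        ("ec2:RunInstances", "us-east-1"),
        ("ec2:RunInstances", "eu-west-1"),
        ("ec2:DescribeInstances", "eu-west-1"),
        ("s3:CreateBucket", "eu-west-1"),
    ]).items():
        print(f"{key:40} denied_by_scp={denied}")
    # Steps 2 and 3 from the AWS CLI instead of the console (assumed file name and a
    # placeholder root ID; create-policy returns the policy ID to pass to attach-policy):
    #   aws organizations create-policy --name RestrictEC2Regions \
    #       --description "Deny EC2 launches outside allowed Regions" \
    #       --type SERVICE_CONTROL_POLICY --content file://region-scp.json
    #   aws organizations attach-policy --policy-id <policy-id> --target-id <root-id>
```

Two caveats the check makes visible: the statement denies only ec2:RunInstances, so other EC2 actions and other services in a disallowed Region are untouched (AWS's own Region-restriction example SCP uses NotAction with exemptions for global services to cover everything else), and SCPs do not apply to the organization's management account, which still needs its own controls.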

AWS Reference:

Service Control Policies (SCPs): SCP Best Practices

Restricting EC2 Regions with SCP: SCP Examples

Why Other Options Are Incorrect:

Option A: CloudTrail, EventBridge and Lambda are reactive rather than preventative: they act on a RunInstances event after the instance has already been launched, and the extra moving parts make them operationally less efficient.

Option B: IAM policies applied at the account level require manual configuration for each account, which is less efficient.

Option C: Permissions boundaries are more suited for controlling specific IAM user or role actions, not account-wide restrictions.


Contribute your Thoughts:

Lavonne
12 days ago
Option D is the clear winner here. Although, I can't help but wonder if the SCP will also prevent me from launching EC2 instances in my favorite Regions - the Mos Eisley cantina and the Death Star.
upvoted 0 times
Annamae
25 days ago
I'd go with Option D and then add a little AWS-flavored humor - 'Make AWS Regions Great Again!'
upvoted 0 times
Helaine
2 days ago
I agree, Option D with the SCP in AWS Organizations seems like the most efficient solution.
upvoted 0 times
Charlette
6 days ago
Option D sounds like the best choice. 'Make AWS Regions Great Again!'
upvoted 0 times
Yesenia
26 days ago
I'm not sure, I think option A could also work well. Configuring CloudTrail and using EventBridge rules seems like a good approach to monitor and prevent unauthorized EC2 instances.
upvoted 0 times
Paola
28 days ago
I agree with Billi. Option D with SCP in AWS Organizations seems like the most efficient way to control access to unauthorized Regions.
upvoted 0 times
Billi
1 month ago
I think option D is the best solution. It allows us to centrally manage the permissions for all AWS accounts.
upvoted 0 times
Mary
1 month ago
Hmm, I'm not convinced. What if someone accidentally creates a new account outside the organization? Option D might not catch that. Maybe a combination of Options B and D would be better?
upvoted 0 times
Heike
5 days ago
It's always good to have multiple safeguards in place to prevent any accidental breaches of the policy.
upvoted 0 times
Crista
12 days ago
Combining both options could provide a more comprehensive solution to ensure compliance with the corporate policy on AWS Regions.
upvoted 0 times
Nan
18 days ago
Option B could help prevent unauthorized EC2 instances in each account, but Option D with the SCP at the organization level adds an extra layer of security.
upvoted 0 times
Ceola
1 month ago
I agree, Option D is the way to go. Centralized control over the allowed Regions is key to meeting the company's policy requirements.
upvoted 0 times
Fannie
15 days ago
Absolutely. It's all about ensuring compliance with corporate policies when managing multiple AWS accounts.
upvoted 0 times
Brigette
15 days ago
Agreed. Having a service control policy in AWS Organizations provides the necessary restrictions to prevent unauthorized usage of Regions.
upvoted 0 times
Bronwyn
25 days ago
I think so too. It's important to have a solution that aligns with the company's policy requirements.
upvoted 0 times
Paz
1 month ago
Option D is definitely the best choice. It allows for centralized control over the allowed Regions.
upvoted 0 times
Salina
2 months ago
Option D definitely seems like the most efficient solution. Applying the SCP at the root level of the organization ensures consistent enforcement across all accounts.
upvoted 0 times
Coletta
19 days ago
It's important to have a centralized control for security measures.
upvoted 0 times
Franklyn
24 days ago
Agreed, applying the SCP at the root level ensures consistency.
upvoted 0 times
Winfred
1 month ago
Option D definitely seems like the most efficient solution.
upvoted 0 times