AWS Certified Solutions Architect - Professional / Question #799 of 529

Question #799

A company needs to enforce strict regional compliance across hundreds of AWS accounts. The solution must prevent any resource deployment outside of approved AWS Regions and apply uniformly to all existing and future accounts. Which approach satisfies these requirements?

A

Create IAM policies with explicit Allow conditions for approved Regions and attach them to all IAM roles and users in each account.

B

Use AWS Organizations to create IAM groups with Deny policies for non-approved Regions and assign users to these groups across accounts.

C

Establish an AWS Organizations structure, create a Service Control Policy (SCP) that denies actions in non-approved Regions, and attach it to the organization's root Organizational Unit (OU).

D

Deploy AWS Config aggregators in a central account and define rules to flag resources in unapproved Regions, triggering automated remediation.

Explanation

Answer C is correct because:
- SCPs in AWS Organizations provide centralized governance across all accounts in an organization. By attaching an SCP to the root OU, the policy automatically applies to all current and future accounts, ensuring uniform compliance.
- The SCP can explicitly deny actions in non-approved Regions, preventing resource deployment outside the allowed Regions at the organizational level.

Other options are incorrect because:
- A: IAM policies require manual attachment to every user/role in each account, which is error-prone and unscalable for hundreds of accounts.
- B: IAM groups are account-specific and cannot be managed centrally via AWS Organizations. Creating groups in each account is inefficient and does not guarantee future account compliance.
- D: AWS Config aggregators detect non-compliant resources post-deployment but do not prevent deployment. This approach is reactive, not proactive.

Key Points:
- Use SCPs in AWS Organizations for account-wide, preventative controls.
- SCPs attached to the root OU apply to all accounts automatically.
- Regional restrictions via SCPs block non-compliant resource creation at the source.
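The following is an added example, not part of the original question page or of AWS's own tooling: a region-restricting SCP in the shape the explanation describes (a Deny on everything whose requested Region is not approved, with global services exempted), plus a small evaluator that shows which requests the SCP blocks. The approved-Region list, the exempted-service list and the sample requests are constructed values; `aws:RequestedRegion` is the real condition key AWS evaluates for this pattern.

```python
"""Added example (not from the original page): a minimal evaluator for the
SCP deny semantics used to keep resources inside approved AWS Regions."""
import fnmatch

# Assumption: sample approved Regions. Chosen so that us-east-1 is NOT
# approved, which is exactly the case where the global-service exemption
# below matters (IAM, Organizations, Route 53, CloudFront and similar
# services report aws:RequestedRegion as us-east-1).
APPROVED_REGIONS = ["eu-west-1", "eu-central-1"]

# SCP of the form the explanation describes. Attached to the organization
# root, it caps the permissions of every member account, present and future.
REGION_RESTRICTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideApprovedRegions",
            "Effect": "Deny",
            # NotAction: the Deny applies to every action EXCEPT these
            # global-service prefixes (constructed sample list).
            "NotAction": [
                "iam:*", "organizations:*", "sts:*", "route53:*",
                "cloudfront:*", "support:*", "budgets:*", "health:*",
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}
            },
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action wildcards ("ec2:*") behave like shell globs here.
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate the StringEquals / StringNotEquals operators used above."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            values = _as_list(expected)
            actual = context.get(key)
            if operator == "StringEquals" and actual not in values:
                return False
            if operator == "StringNotEquals" and actual in values:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported operator {operator}")
    return True


def scp_permits(scp, action, context):
    """Return True when no Deny statement in the SCP matches the request.

    An SCP only sets the ceiling: an action that survives it still needs an
    IAM Allow in the member account, which this check does not model.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt:
            applies = _action_matches(_as_list(stmt["Action"]), action)
        else:
            applies = not _action_matches(_as_list(stmt["NotAction"]), action)
        if applies and _condition_holds(stmt.get("Condition", {}), context):
            return False
    return True


def evaluate_requests(scp, requests):
    """Map (action, region) pairs to whether the SCP lets them through."""
    return {
        (action, region): scp_permits(scp, action, {"aws:RequestedRegion": region})
        for action, region in requests
    }


if __name__ == "__main__":
    # Constructed sample requests from a member account.
    sample = [
        ("ec2:RunInstances", "eu-west-1"),      # approved Region: allowed
        ("ec2:RunInstances", "us-east-1"),      # not approved: denied
        ("s3:CreateBucket", "ap-southeast-1"),  # not approved: denied
        ("iam:CreateRole", "us-east-1"),        # global service: exempt
    ]
    for (action, region), ok in evaluate_requests(REGION_RESTRICTION_SCP, sample).items():
        print(f"{action:20s} {region:15s} {'ALLOWED' if ok else 'DENIED by SCP'}")
```

Two caveats worth keeping in mind when applying this in a real organization: SCPs never affect the management account, so it should hold no workloads, and SCPs grant nothing on their own, so a Deny like this blocks deployment outside the approved Regions while IAM in each account still decides what is allowed inside them.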

Answer

The correct answer is: C