AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 350
A DevOps engineer is implementing governance controls for a company that requires its infrastructure to be housed within the United States. The company has many AWS accounts in an organization in AWS Organizations that has all features enabled.
The engineer must restrict which AWS Regions the company can use. The engineer must also ensure that an alert is sent as soon as possible if any activity outside the governance policy occurs. The controls must be automatically enabled on any new Region outside the United States.
Which combination of steps will meet these requirements? (Choose two.)
Answer options
- A. Create an Organizations SCP deny policy that has a condition that the aws:RequestedRegion property does not match a list of all US Regions. Include an exception in the policy for global services. Attach the policy to the root of the organization.
- B. Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs. Enable CloudTrail for all Regions. Use a CloudWatch Logs metric filter to create a metric in non-US Regions. Configure a CloudWatch alarm to send an alert if the metric is greater than 0.
- C. Use an AWS Lambda function that checks for AWS service activity. Deploy the Lambda function to all Regions. Write an Amazon EventBridge rule that runs the Lambda function every hour. Configure the rule to send an alert if the Lambda function finds any activity in a non-US Region.
- D. Use an AWS Lambda function to query Amazon Inspector to look for service activity in non-US Regions. Configure the Lambda function to send alerts if Amazon Inspector finds any activity.
- E. Create an Organizations SCP allow policy that has a condition that the aws:RequestedRegion property matches a list of all US Regions. Include an exception in the policy for global services. Attach the policy to the root of the organization.
Correct answer: A, B
Explanation
Option A is correct. An SCP with `"Effect": "Deny"` and a `StringNotEquals` condition on `aws:RequestedRegion` blocks every API call whose target Region is not in the US list. Because the policy is written as "deny anything not on the list", a Region that AWS launches later is denied without anyone editing the policy, which is exactly the "automatically enabled on any new Region" requirement. A `NotAction` element carves out the global services (IAM, AWS Organizations, STS, Route 53, CloudFront, Support, and similar) so the deny does not break them. Attaching the policy to the organization root covers every current and future account. Two caveats a practitioner should keep in mind: SCPs never restrict the management account itself, and they do not apply to service-linked roles.

Option B is correct. A multi-Region organization trail records API activity in every Region, including Regions added later, and can deliver all of it to a single CloudWatch Logs log group. A metric filter whose pattern matches records with an `awsRegion` outside the US list increments a custom metric, and an alarm that fires when the metric is greater than 0 (typically over a one-minute period) publishes to an SNS topic, which gives near-real-time notification. Because the trail is multi-Region, no per-Region setup is needed when a new Region appears.

Option C is incorrect because an hourly scheduled Lambda function is polling, not event-driven; it cannot alert "as soon as possible", and deploying the function to every Region means it must be redeployed each time a new Region is launched.

Option D is incorrect because Amazon Inspector is a vulnerability management service that scans EC2 instances, container images, and Lambda functions for software vulnerabilities and unintended network exposure. It does not record or report API activity, so it cannot detect use of a non-US Region.

Option E is incorrect because SCPs cannot be written as conditional allow lists: an `Allow` statement in an SCP does not support the `Condition` element, so the policy cannot be expressed as described. The supported pattern for Region restriction is the conditional `Deny` in option A.
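The following Python script is an added example, not part of the exam question and not an AWS-published artifact. It generates the deny SCP from option A and the CloudWatch Logs metric filter pattern from option B, then runs a few constructed CloudTrail records through a simplified local model of each so the behaviour can be checked offline. The list of US Regions, the set of exempted global-service actions, and the sample records are assumptions; the real policy and filter evaluation happen inside AWS, and the local checks only mirror their logic.

```python
"""Added example: build the Region-deny SCP (option A) and the CloudTrail
metric filter pattern (option B), then check both against sample records."""
import json

# Regions the company may use. Anything not listed, including Regions AWS
# launches later, is denied by the SCP and matched by the metric filter
# without either artifact being edited. (Assumed list.)
US_REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2"]

# Global services whose API calls must not be blocked by a Region check.
# This is the exception option A refers to; the exact set is an assumption
# and should be adjusted for the organization's needs.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "organizations:*", "sts:*", "route53:*", "cloudfront:*",
    "support:*", "budgets:*", "health:*", "trustedadvisor:*",
]


def build_region_deny_scp(allowed_regions=US_REGIONS,
                          exempt_actions=GLOBAL_SERVICE_ACTIONS) -> dict:
    """Option A: explicit Deny whenever aws:RequestedRegion is not allowed.
    Attach the resulting document to the organization root."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyRequestsOutsideUS",
            "Effect": "Deny",
            "NotAction": exempt_actions,
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": allowed_regions}
            },
        }],
    }


def build_region_metric_filter(allowed_regions=US_REGIONS) -> str:
    """Option B: CloudWatch Logs filter pattern for CloudTrail JSON records.
    All clauses are AND-ed, so only records whose awsRegion is outside the
    allowed list match (usable with `aws logs put-metric-filter`)."""
    clauses = [f'($.awsRegion != "{r}")' for r in allowed_regions]
    return "{ " + " && ".join(clauses) + " }"


def _action_exempt(event_source: str, event_name: str, exempt_actions) -> bool:
    """True when the NotAction list covers this service/action pair."""
    service = event_source.split(".")[0]  # "ec2.amazonaws.com" -> "ec2"
    for pattern in exempt_actions:
        svc, act = pattern.split(":", 1)
        if svc == service and act in ("*", event_name):
            return True
    return False


def scp_denies(record: dict, scp: dict) -> bool:
    """Simplified local model of the single Deny statement above (assumption:
    StringNotEquals on aws:RequestedRegion plus NotAction exemptions).
    AWS performs the real evaluation; this only mirrors the policy logic."""
    stmt = scp["Statement"][0]
    allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
    if _action_exempt(record["eventSource"], record["eventName"], stmt["NotAction"]):
        return False
    return record["awsRegion"] not in allowed


def metric_filter_matches(record: dict, allowed_regions=US_REGIONS) -> bool:
    """Local model of the filter pattern: true when awsRegion is not allowed."""
    return record["awsRegion"] not in allowed_regions


# Constructed CloudTrail records, trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "us-east-1"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "eu-west-1"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "awsRegion": "us-east-1"},
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket", "awsRegion": "ap-southeast-1"},
]


def non_us_activity_count(events=SAMPLE_EVENTS) -> int:
    """What the alarm sees: number of records matched by the metric filter."""
    return sum(1 for e in events if metric_filter_matches(e))


if __name__ == "__main__":
    scp = build_region_deny_scp()
    print(json.dumps(scp, indent=2))
    print(build_region_metric_filter())
    for e in SAMPLE_EVENTS:
        verdict = "denied" if scp_denies(e, scp) else "allowed"
        print(f'{e["awsRegion"]:16} {e["eventName"]:16} {verdict}')
    print("non-US events seen by the alarm metric:", non_us_activity_count())
```

Running the script prints the SCP document ready for `aws organizations create-policy --type SERVICE_CONTROL_POLICY`, the filter pattern for `aws logs put-metric-filter`, and a verdict per sample record. Note that the IAM record passes because of the `NotAction` exemption, not because of its Region, and that a record from any Region not in the list (for example one AWS launches later) is both denied and counted without any change to either artifact.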