AWS Certified Solutions Architect – Professional (SAP-C02) — Question 239

A company is expanding. The company plans to separate its resources into hundreds of different AWS accounts in multiple AWS Regions. A solutions architect must recommend a solution that denies access to any operations outside of specifically designated Regions.

Which solution will meet these requirements?

Answer options

• A. Create IAM roles for each account. Create IAM policies with conditional allow permissions that include only approved Regions for the accounts.
• B. Create an organization in AWS Organizations. Create IAM users for each account. Attach a policy to each user to block access to Regions where an account cannot deploy infrastructure.
• C. Launch an AWS Control Tower landing zone. Create OUs and attach SCPs that deny access to run services outside of the approved Regions.
• D. Enable AWS Security Hub in each account. Create controls to specify the Regions where an account can deploy infrastructure.

Correct answer: C

Explanation

The correct answer is C because launching an AWS Control Tower landing zone allows for the creation of Organizational Units (OUs) and the application of Service Control Policies (SCPs) that can effectively deny access to services outside of approved Regions. Option A does not enforce a broad account-wide restriction, while option B focuses on individual IAM users without utilizing organizational policies. Option D involves AWS Security Hub, which is not designed for managing Region access restrictions.