AWS Certified Solutions Architect – Professional — Question 659
A company has a large number of AWS accounts in an organization in AWS Organizations. A different business group owns each account. All the AWS accounts are bound by legal compliance requirements that restrict all operations outside the eu-west-2 Region.
The company's security team has mandated the use of AWS Systems Manager Session Manager across all AWS accounts.
Which solution should a solutions architect recommend to meet these requirements?
Answer options
- A. Create an SCP that denies access to all requests that do not target eu-west-2. Use the NotAction element to exempt global services from the restriction. In AWS Organizations, apply the SCP to the root of the organization.
- B. Create an SCP that denies access to all requests that do not target eu-west-2. Use the NotAction element to exempt global services from the restriction. For each AWS account, use the ArnNotLike condition key to add the ARN of the IAM role that is associated with the Session Manager instance profile to the Condition element of the SCP. In AWS Organizations, apply the SCP to the root of the organization.
- C. Create an SCP that denies access to all requests that do not target eu-west-2. Use the NotAction element to exempt global services from the restriction. In AWS Organizations, apply the SCP to the root of the organization. In each AWS account, create an IAM permissions boundary that allows access to the IAM role that is associated with the Session Manager instance profile.
- D. For each AWS account, create an IAM permissions boundary that denies access to all requests that do not target eu-west-2. For each AWS account, apply the permissions boundary to the IAM role that is associated with the Session Manager instance profile.
Correct answer: A
Explanation
Applying a Service Control Policy (SCP) at the root of the organization in AWS Organizations is the most effective and centralized way to restrict operations to the eu-west-2 Region across every account. Because AWS Systems Manager Session Manager operates within the target Region once the instance is configured, a standard Region-blocking SCP that exempts global services (using the NotAction element) fully satisfies the requirement without any per-role exclusions. Options B, C, and D are incorrect because they add unnecessary administrative overhead and complexity by managing IAM roles or permissions boundaries individually in each account.
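To make the mechanism in option A concrete, the following added example (not part of the exam page, and not an AWS-published policy) embeds an SCP of the kind described, a Deny on every action not in a NotAction list of global services, conditioned on aws:RequestedRegion, and evaluates a few constructed requests against it. The exempted service list, the sample requests, and the evaluator are assumptions for illustration; the evaluator models only the subset of policy grammar this SCP uses. Note that for global services AWS reports aws:RequestedRegion as us-east-1, which is exactly why the NotAction carve-out is needed.

```python
"""Added example: a Region-restriction SCP and a minimal Deny evaluator.

Constructed for illustration; the policy mirrors the common pattern of
Deny + NotAction (global services) + StringNotEquals aws:RequestedRegion.
"""
import fnmatch
import json

# Constructed SCP (assumption: eu-west-2 is the only permitted Region).
# Global services carry no Region, so without the NotAction carve-out
# their requests would be denied along with everything else.
REGION_RESTRICTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideEUWest2",
            "Effect": "Deny",
            "NotAction": [  # illustrative subset of global services
                "cloudfront:*",
                "iam:*",
                "organizations:*",
                "route53:*",
                "sts:*",
                "support:*",
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": ["eu-west-2"]}
            },
        }
    ],
}


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(scp, action, requested_region):
    """Return True if a Deny statement in the SCP matches this request.

    Only Effect=Deny, NotAction and a StringNotEquals condition on
    aws:RequestedRegion are modelled. An SCP never grants permissions:
    False means the SCP does not block the call; the account's own IAM
    policies still decide whether it is allowed.
    """
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        not_actions = stmt.get("NotAction", [])
        if isinstance(not_actions, str):
            not_actions = [not_actions]
        # NotAction: the statement applies to every action NOT listed.
        if any(_action_matches(p, action) for p in not_actions):
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        allowed_regions = cond.get("aws:RequestedRegion")
        if allowed_regions is None:
            return True  # unconditional Deny
        if isinstance(allowed_regions, str):
            allowed_regions = [allowed_regions]
        if requested_region not in allowed_regions:
            return True
    return False


# Constructed sample requests: (action, aws:RequestedRegion as AWS reports it)
SAMPLE_REQUESTS = [
    ("ec2:RunInstances", "us-east-1"),   # Regional service outside eu-west-2
    ("ec2:RunInstances", "eu-west-2"),   # Regional service in eu-west-2
    ("ssm:StartSession", "eu-west-2"),   # Session Manager, in-Region
    ("ssm:StartSession", "us-east-1"),   # Session Manager, out of Region
    ("iam:CreateRole", "us-east-1"),     # global service, carved out
    ("sts:AssumeRole", "us-east-1"),     # global service, carved out
]


def evaluate_samples():
    """Map 'action@region' to True when the SCP denies the request."""
    return {
        f"{action}@{region}": scp_denies(REGION_RESTRICTION_SCP, action, region)
        for action, region in SAMPLE_REQUESTS
    }


if __name__ == "__main__":
    print(json.dumps(REGION_RESTRICTION_SCP, indent=2))
    for request, denied in evaluate_samples().items():
        print(f"{request:35s} -> {'DENIED' if denied else 'not denied by SCP'}")
```

The run shows why no Session Manager exception is needed: ssm:StartSession in eu-west-2 passes the SCP untouched, while the same call against another Region is denied just like any other Regional API, and IAM or STS calls survive only because of the NotAction carve-out.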