Which combination of actions will meet these requirements?
(Choose two.)
Create an AWS Organizations SCP that denies access to all non-global services in non-US Regions. Attach the policy to the root of the organization.
Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs and enable it for all Regions. Use a CloudWatch Logs metric filter to send an alert on any service activity in non-US Regions.
Use an AWS Lambda function that checks for AWS service activity and deploy it to all Regions. Write an Amazon EventBridge rule that runs the Lambda function every hour, sending an alert if activity is found in a non-US Region.
Use an AWS Lambda function to query Amazon Inspector to look for service activity in non-US Regions and send alerts if any activity is found.
Write an SCP using the aws:RequestedRegion condition key limiting access to US Regions. Apply the policy to all users, groups and roles.
Explanations:
An AWS Organizations Service Control Policy (SCP) can be used to restrict access to services in non-US Regions. By denying access to all non-global services in non-US Regions, this policy ensures that any new Region outside the US is automatically restricted. Attaching it to the root of the organization ensures enforcement across all accounts.
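As an added illustration (not part of the original question or its answer key), the following is the shape of an SCP that implements this control. It is a single Deny statement keyed on the aws:RequestedRegion condition key: any request whose Region is not in the allowed list is denied, except for actions belonging to global services, which are carved out with NotAction. The list of global-service prefixes and the set of allowed US Regions are assumptions for this example and would need to be reviewed against the organization's actual requirements.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideAllowedUSRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "budgets:*",
        "route53:*",
        "cloudfront:*",
        "health:*",
        "account:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-east-2",
            "us-west-1",
            "us-west-2"
          ]
        }
      }
    }
  ]
}
```

Two points a practitioner checks before attaching this at the organization root: SCPs never grant permissions and do not apply to the management account, so the management account still needs its own guardrails; and the NotAction list is an allow-list of global services that must be kept current, because a global service missing from it would be blocked when its requests are not attributed to a US Region.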
Configuring AWS CloudTrail to log activity across all Regions and setting up CloudWatch Logs with a metric filter will allow for real-time monitoring and alerting on any activity in non-US Regions. This solution helps enforce the governance control and alerts the engineer to non-compliant activity.
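For the detection side, here is an added example of the CloudWatch Logs metric filter pattern that the alert would be built on; it is not from the original page and assumes a multi-Region trail that delivers to a single CloudWatch Logs log group, with the same four US Regions used as the allowed set. CloudTrail records carry the Region of each API call in the awsRegion field, so the filter matches every event whose Region is outside the allowed list:

```text
{ ($.awsRegion != "us-east-1") && ($.awsRegion != "us-east-2") && ($.awsRegion != "us-west-1") && ($.awsRegion != "us-west-2") }
```

The filter is attached to the log group with a metric value of 1 per matching event, and a CloudWatch alarm on that metric with a threshold of at least 1 in a one-minute period publishes to an SNS topic for notification. Events for global services are typically recorded with awsRegion set to us-east-1, so they do not trigger the alarm; any matching event that does appear indicates either a gap in the SCP or a principal the SCP does not cover, which is exactly what the monitoring is meant to surface.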
Using a Lambda function to check for service activity and running it every hour is inefficient for real-time alerting. It introduces a delay in detecting non-compliant activity, and the Lambda function is not a preferred mechanism for continuous governance monitoring.
Amazon Inspector is a security service that scans for vulnerabilities and configurations. It does not track general service activity in specific Regions, making it unsuitable for this use case. It cannot monitor and send alerts based on activity in non-US Regions.
While the aws:RequestedRegion condition key in an SCP can restrict users from accessing services in non-US Regions, this does not automatically apply to new Regions, as AWS services and Regions evolve. This solution also requires additional configuration for future Regions to ensure compliance, which may not be sufficient for dynamic governance needs.