Which combination of actions will meet these requirements?

By:
In: DOP-C02
Tagged:
With: 1 Comment
A DevOps engineer is implementing governance controls for a company that requires its infrastructure to be housed within the United States.The engineer must restrict which AWS Regions can be used, and ensure an alert is sent as soon as possible if any activity outside the governance policy takes place.The controls should be automatically enabled on any new Region outside the United States (US).

Which combination of actions will meet these requirements?

(Choose two.)

Create an AWS Organizations SCP that denies access to all non-global services in non-US Regions. Attach the policy to the root of the organization.

Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs and enable it for all Regions. Use a CloudWatch Logs metric filter to send an alert on any service activity in non-US Regions.

Use an AWS Lambda function that checks for AWS service activity and deploy it to all Regions. Write an Amazon EventBridge rule that runs the Lambda function every hour, sending an alert if activity is found in a non-US Region.

Use an AWS Lambda function to query Amazon Inspector to look for service activity in non-US Regions and send alerts if any activity is found.

Write an SCP using the aws:RequestedRegion condition key limiting access to US Regions. Apply the policy to all users, groups, and roles.

Explanations:

AWS Organizations SCP can be used to deny access to non-US Regions for all users in the organization. This policy will be automatically enforced when a new Region is created outside the allowed boundaries.

Configuring AWS CloudTrail to log all Regions and sending logs to CloudWatch Logs allows for monitoring of service activity across all Regions. A CloudWatch Logs metric filter can alert on any non-US Region activity.

Lambda functions can check for activity, but running a rule every hour is inefficient for real-time alerts. Immediate alerting is required, so using CloudTrail and CloudWatch Logs is a better approach.

Amazon Inspector does not track AWS service activity across Regions, making it unsuitable for this use case. It is a security assessment tool, not designed for real-time activity monitoring in all Regions.

While SCP withaws:RequestedRegionlimits access to US Regions, it only controls access to services and does not monitor or send alerts on unauthorized activities after they occur, as required in this scenario.

2025-10-11

1 Comment

  1. Jose
    Author

    It seems to me that the answer is:
    Create an AWS Organizations SCP that denies access to all non-global services in non-US Regions. Attach the policy to the root of the organization.

Leave a Reply to Jose Cancel reply

Your email address will not be published. Required fields are marked *

nine − 2 =