Which solution should a solutions architect recommend to meet these requirements?
Create an SCP that denies access to all requests that do not target eu-west-2. Use the NotAction element to exempt global services from the restriction. In AWS Organizations, apply the SCP to the root of the organization.
Create an SCP that denies access to all requests that do not target eu-west-2. Use the NotAction element to exempt global services from the restriction. For each AWS account, use the AmNotLike condition key to add the ARN of the IAM role that is associated with the Session Manager instance profile to the condition element of the SCP. In AWS Organizations apply, the SCP to the root of the organization.
Create an SCP that denies access to all requests that do not target eu-west-2. Use the NotAction element to exempt global services from the restriction. In AWS Organizations, apply the SCP to the root of the organization. In each AWS account, create an IAM permissions boundary that allows access to the IAM role that is associated with the Session Manager instance profile.
For each AWS account, create an IAM permissions boundary that denies access to all requests that do not target eu-west-2. For each AWS account, apply the permissions boundary to the IAM role that is associated with the Session Manager instance profile.
Explanations:
This option correctly creates a Service Control Policy (SCP) that denies all requests not targeting the eu-west-2 region, which satisfies the legal compliance requirements. By applying the SCP to the root of the organization, it ensures that all accounts are subject to the restriction while exempting global services.
While this option proposes using an SCP to deny access to regions outside of eu-west-2, it incorrectly adds complexity by introducing the AmNotLike condition key specific to IAM roles for Session Manager. This is unnecessary since SCPs operate at the organizational level, not at the individual IAM role level, making it less efficient.
This option suggests using an SCP with a permissions boundary at the IAM level. However, permissions boundaries are not necessary to enforce the region restriction at the organizational level with an SCP, leading to unnecessary complexity and potential misconfigurations.
This option relies solely on IAM permissions boundaries to enforce the regional restriction, which is not the intended use of permissions boundaries. Permissions boundaries limit the maximum permissions an IAM role can have, but do not inherently restrict AWS resource access to specific regions, thus failing to meet the compliance requirement effectively.
I conclude that the answer is:
Create an SCP that denies access to all requests that do not target eu-west-2. Use the NotAction element to exempt global services from the restriction. In AWS Organizations, apply the SCP to the root of the organization.