Which solutions will meet these requirements?
(Choose two.)
Use AWS Control Tower to implement data residency guardrails to deny internet access and deny access to all AWS Regions except ap-northeast-3.
Use rules in AWS WAF to prevent internet access. Deny access to all AWS Regions except ap-northeast-3 in the AWS account settings.
Use AWS Organizations to configure service control policies (SCPs) that prevent VPCs from gaining internet access. Deny access to all AWS Regions except ap-northeast-3.
Create an outbound rule for the network ACL in each VPC to deny all traffic from 0.0.0.0/0. Create an IAM policy for each user to prevent the use of any AWS Region other than ap-northeast-3.
Use AWS Config to activate managed rules to detect and alert for internet gateways and to detect and alert for new resources deployed outside of ap-northeast-3.
Explanations:
AWS Control Tower can enforce governance and compliance guardrails, including restrictions on internet access and limiting resources to specific Regions, such as ap-northeast-3.
AWS WAF is primarily for web application security and does not control access to AWS Regions or internet connectivity at the VPC level.
AWS Organizations can use service control policies (SCPs) to enforce restrictions on VPC internet access and limit resource creation to the ap-northeast-3 Region, ensuring compliance.
While network ACLs can restrict outbound traffic, they do not prevent users from creating VPCs with internet access. An IAM policy restricting regions alone does not prevent the underlying VPC configurations.
AWS Config managed rules can detect configurations but do not prevent internet gateway creation or resource deployment outside of a Region; they are mainly for monitoring compliance after the fact.