Easy · 1 mark · Multiple Choice
Tags: Domain 1.2: Security Controls · AWS Organizations · SCP · Security

AWS SAP-C02 · Question 01 · Domain 1.2: Security Controls

A company is setting up a multi-account AWS environment using AWS Organizations. They need to ensure that no account can deploy resources in the ap-northeast-1 region, except for a specific 'Global-Security' account. What is the MOST operationally efficient way to achieve this?

Answer options:

A.

Create an IAM policy denying access to ap-northeast-1 and attach it to all IAM users and roles in every account.

B.

Apply a Service Control Policy (SCP) at the root level denying access to ap-northeast-1 with a condition excluding the Global-Security account ID.

C.

Use AWS Config rules to detect and automatically terminate any resources launched in ap-northeast-1.

D.

Remove the ap-northeast-1 region from the AWS console for all accounts using AWS SSO.

How to approach this question

Identify the requirement for organization-wide preventive controls.

Full Answer

B. Apply a Service Control Policy (SCP) at the root level denying access to ap-northeast-1 with a condition excluding the Global-Security account ID. (✓ Correct)
Service Control Policies (SCPs) set the maximum available permissions for every account in the organization, so a single policy attached at the root enforces the region restriction centrally instead of being maintained in each account's IAM policies. Because SCPs are evaluated before IAM, an explicit Deny in the SCP overrides any Allow an account administrator could grant locally.
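An SCP that implements the correct answer, as an added example that is not part of the original question or its answer key. It uses the documented condition keys aws:RequestedRegion and aws:PrincipalAccount; the account ID 111122223333 is a placeholder standing in for the Global-Security account's real ID.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyApNortheast1ExceptGlobalSecurity",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ap-northeast-1"
        },
        "StringNotEquals": {
          "aws:PrincipalAccount": "111122223333"
        }
      }
    }
  ]
}
```

Attach it to the organization root so it inherits to every OU and member account; note that SCPs never apply to the management account, so that account remains unrestricted regardless of this policy.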

Common mistakes

Confusing IAM policies with SCPs for multi-account governance.
