Question 40
Domain 6: Management and Security Governance
A company is running its workloads in a single AWS Region and uses AWS Organizations. A security engineer must implement a solution to prevent users from launching resources in other Regions. Which solution will meet these requirements with the LEAST operational overhead?
Correct answer: D
Explanation
AWS Organizations supports service control policies, and the exam guide says to use “SCPs as a technical solution to enforce a policy.” An SCP with an `aws:RequestedRegion` condition can deny API calls outside the approved Region, preventing resource launches elsewhere with centralized, low-overhead control.
Why each option is right or wrong
A. Create an IAM policy that has an `aws:RequestedRegion` condition that allows actions only in the designated Region. Attach the policy to all users.
An IAM identity policy attached to each user governs only that user's permissions; it is not a centralized, organization-wide Region guardrail, and it has to be attached to every user and kept in sync.
B. Create an IAM policy that has an `aws:RequestedRegion` condition that denies actions that are not in the designated Region. Attach the policy to the AWS account in AWS Organizations.
An IAM policy cannot be attached to an account in AWS Organizations; what Organizations attaches to accounts, OUs, or the root is an SCP, so this option mixes up the two policy types.
C. Create an IAM policy that has an `aws:RequestedRegion` condition that allows the desired actions. Attach the policy only to the users who are in the designated Region.
Allow policies on selected users leave other principals ungoverned and require per-user maintenance.
D. Create an SCP that has an `aws:RequestedRegion` condition that denies actions that are not in the designated Region. Attach the SCP to the AWS account in AWS Organizations.
AWS Organizations service control policies are the only centralized guardrail here that can deny API calls across an entire account with minimal per-resource administration; the exam blueprint explicitly calls out SCPs as a technical control for policy enforcement in Organizations. The `aws:RequestedRegion` global condition key lets the deny statement block any action requested outside the approved Region, so users cannot launch new resources in other Regions while the SCP is attached at the account level.
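The following SCP is an added illustration of the answer in option D; it is not part of the original question and is not an official AWS document. It denies every action whose `aws:RequestedRegion` is not the approved Region (`us-east-1` is a constructed placeholder; substitute the company's Region). Global AWS services such as IAM, STS, Organizations, CloudFront, Route 53 and Support are not tied to a Region, so their API calls carry a different `aws:RequestedRegion` value; the `NotAction` list exempts them so the SCP does not break console sign-in, role assumption or Organizations management. The `ArnNotLike` condition on `aws:PrincipalARN` is an optional, assumed break-glass exemption for one administrative role (`OrganizationAccountAccessRole` is a placeholder name):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllActionsOutsideApprovedRegion",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "support:*",
        "cloudfront:*",
        "route53:*",
        "budgets:*",
        "health:*",
        "trustedadvisor:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": [
            "arn:aws:iam::*:role/OrganizationAccountAccessRole"
          ]
        }
      }
    }
  ]
}
```

Three points a practitioner checks before relying on this. First, an SCP never grants permissions; it only caps what IAM policies in the member account can allow, so users still need their normal IAM permissions in the approved Region. Second, SCPs do not apply to the management account's principals, so the guardrail only protects member accounts; attaching it to an OU (or the root) rather than a single account extends the same control to every account placed there. Third, the policy is created once and attached once (for example with `aws organizations create-policy --type SERVICE_CONTROL_POLICY` followed by `aws organizations attach-policy`), which is the "least operational overhead" the question is testing: new users and roles in the account are covered automatically, whereas options A and C require touching every principal.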