Amazon Exam SOA-C02 Topic 1 Question 109 Discussion

Actual exam question for Amazon's SOA-C02 exam

Question #: 109
Topic #: 1

A company uses AWS Organizations to manage multiple AWS accounts. Corporate policy mandates that only specific AWS Regions can be used to store and process customer dat

a. A SysOps administrator must prevent the provisioning of Amazon EC2 instances in unauthorized Regions by anyone in the company.

What is the MOST operationally efficient solution that meets these requirements?

AConfigure AWS CloudTrail in all Regions to record all API activity Create an Amazon EventBridge rule in all unauthorized Regions for ec2:Runlnstances events. Use AWS Lambda to terminate the launched EC2 instances.

BIn each AWS account, create a managed 1AM policy that uses a Region condition to deny the ec2:Runlnstances action in all unauthorized Regions. Attach this policy to all 1AM groups in each AWS account.

CIn each AWS account, create an 1AM permissions boundary policy that uses a Region condition to deny the ec2:Runlnstances action in all unauthorized Regions. Attach the permissions boundary policy to all 1AM users in each AWS account.

DCreate a service control policy (SCP) in AWS Organizations to deny the ec2:Runlnstances action in all unauthorized Regions. Attach this policy to the root level of the organization.

Show Suggested Answer

Suggested Answer: D

Objective:

Enforce corporate policy to prevent the creation of EC2 instances in unauthorized AWS Regions.

Using Service Control Policies (SCPs):

SCPs are an AWS Organizations feature that allow centralized control over permissions for all accounts in the organization.

By attaching an SCP to the root level of the organization, you can enforce the restriction across all accounts.

Solution Implementation:

Step 1: Open the AWS Organizations console.

Step 2: Create a new SCP with the following policy:

{

'Version': '2012-10-17',

'Statement': [

{

'Effect': 'Deny',

'Action': 'ec2:RunInstances',

'Resource': '*',

'Condition': {

'StringNotEquals': {

'aws:RequestedRegion': [

'us-east-1',

'us-west-2'

]

}

]

}

Replace 'us-east-1' and 'us-west-2' with the allowed Regions.

Step 3: Attach the SCP to the root level of the organization.

AWS Reference:

Service Control Policies (SCPs): SCP Best Practices

Restricting EC2 Regions with SCP: SCP Examples

Why Other Options Are Incorrect:

Option A: CloudTrail and EventBridge with Lambda are operationally less efficient and reactive rather than preventative.

Option B: IAM policies applied at the account level require manual configuration for each account, which is less efficient.

Option C: Permissions boundaries are more suited for controlling specific IAM user or role actions, not account-wide restrictions.

Topic 2, Simulation

by Tijuana at Jan 11, 2025, 04:03 AM

Limited Time Offer

25%

Off

Get Premium SOA-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Lavonne

2 months ago

Option D is the clear winner here. Although, I can't help but wonder if the SCP will also prevent me from launching EC2 instances in my favorite Regions - the Mos Eisley cantina and the Death Star.

upvoted 0 times

Jules

23 days ago

The SCP will only deny the ec2:RunInstances action in unauthorized Regions. Your favorite unique Regions should not be affected.

upvoted 0 times

...

Sheron

25 days ago

But what about launching EC2 instances in unique Regions like the Mos Eisley cantina and the Death Star?

upvoted 0 times

...

Virgie

1 months ago

I agree, Option D is the most operationally efficient solution. It will ensure compliance with corporate policy.

upvoted 0 times

...

Mindy

2 months ago

Option D is the best choice to meet the requirements. The SCP will prevent unauthorized Regions.

upvoted 0 times

...

Annamae

3 months ago

I'd go with Option D and then add a little AWS-flavored humor - 'Make AWS Regions Great Again!'

upvoted 0 times

Helaine

2 months ago

I agree, Option D with the SCP in AWS Organizations seems like the most efficient solution.

upvoted 0 times

...

Charlette

2 months ago

Option D sounds like the best choice. 'Make AWS Regions Great Again!'

upvoted 0 times

...

Yesenia

3 months ago

I'm not sure, I think option A could also work well. Configuring CloudTrail and using EventBridge rules seems like a good approach to monitor and prevent unauthorized EC2 instances.

upvoted 0 times

...

Paola

3 months ago

I agree with Billi. Option D with SCP in AWS Organizations seems like the most efficient way to control access to unauthorized Regions.

upvoted 0 times

...

Billi

3 months ago

I think option D is the best solution. It allows us to centrally manage the permissions for all AWS accounts.

upvoted 0 times

...

Mary

3 months ago

Hmm, I'm not convinced. What if someone accidentally creates a new account outside the organization? Option D might not catch that. Maybe a combination of Options B and D would be better?

upvoted 0 times

Heike

2 months ago

It's always good to have multiple safeguards in place to prevent any accidental breaches of the policy.

upvoted 0 times

...

Crista

2 months ago

Combining both options could provide a more comprehensive solution to ensure compliance with the corporate policy on AWS Regions.

upvoted 0 times

...

Nan

2 months ago

Option B could help prevent unauthorized EC2 instances in each account, but Option D with the SCP at the organization level adds an extra layer of security.

upvoted 0 times

...

Ceola

3 months ago

I agree, Option D is the way to go. Centralized control over the allowed Regions is key to meeting the company's policy requirements.

upvoted 0 times

Fannie

2 months ago

Absolutely. It's all about ensuring compliance with corporate policies when managing multiple AWS accounts.

upvoted 0 times

...

Brigette

2 months ago

Agreed. Having a service control policy in AWS Organizations provides the necessary restrictions to prevent unauthorized usage of Regions.

upvoted 0 times

...

Bronwyn

3 months ago

I think so too. It's important to have a solution that aligns with the company's policy requirements.

upvoted 0 times

...

Paz

3 months ago

Option D is definitely the best choice. It allows for centralized control over the allowed Regions.

upvoted 0 times

...

Salina

3 months ago

Option D definitely seems like the most efficient solution. Applying the SCP at the root level of the organization ensures consistent enforcement across all accounts.

upvoted 0 times

Coletta

2 months ago

It's important to have a centralized control for security measures.

upvoted 0 times

...

Franklyn

3 months ago

Agreed, applying the SCP at the root level ensures consistency.

upvoted 0 times

...

Winfred

3 months ago

Option D definitely seems like the most efficient solution.

upvoted 0 times

...