Q: 7
A multinational company uses an organization in AWS Organizations to manage over 200 member
accounts across multiple AWS Regions. The company must ensure that all AWS resources meet
specific security requirements.
The company must not deploy any EC2 instances in the ap-southeast-2 Region. The company must
completely block root user actions in all member accounts. The company must prevent any user from
deleting AWS CloudTrail logs, including administrators. The company requires a centrally managed
solution that the company can automatically apply to all existing and future accounts. Which solution
will meet these requirements?
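What the three controls in the stem look like as a single service control policy, shown here as an added example that is not part of the question or of the discussion below. The action names and condition keys (`ec2:RunInstances`, `aws:RequestedRegion`, `aws:PrincipalArn`, the `cloudtrail:*` actions) are real IAM identifiers; the statement Sids, the account id and the small offline evaluator are constructed for illustration and are not an AWS component.

```python
"""Added example (not from the exam page): an SCP that encodes the three
controls in the question stem, plus a minimal evaluator so the deny logic
can be checked offline against constructed requests.

Evaluator semantics are deliberately narrow: it reports which Deny
statements match a request. It ignores Allow statements, Resource
matching and NotAction, which are not needed for these three controls.
"""
import fnmatch
import json

# Hypothetical SCP. Sids are invented; everything else uses real IAM
# action names and condition keys.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Requirement 1: no EC2 instances in ap-southeast-2
            "Sid": "DenyEC2InApSoutheast2",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-southeast-2"}},
        },
        {
            # Requirement 2: block every action taken by a member account's root user
            "Sid": "DenyRootUser",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
        },
        {
            # Requirement 3: nobody, administrators included, can remove or stop trails
            "Sid": "ProtectCloudTrail",
            "Effect": "Deny",
            "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging", "cloudtrail:UpdateTrail"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(action, patterns):
    # IAM action names are case-insensitive; "*" and "svc:*" wildcards are common
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_matches(condition, context):
    # Every operator/key pair in the Condition block must hold (AND semantics)
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringLike":
                if not any(fnmatch.fnmatchcase(actual, p) for p in _as_list(expected)):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def denying_statements(policy, action, context):
    """Return the Sids of the Deny statements that match this request.

    context carries the request's condition keys, e.g.
    {"aws:RequestedRegion": "us-east-1", "aws:PrincipalArn": "arn:aws:iam::111122223333:user/alice"}
    An empty list means the SCP does not block the call (the account's own
    IAM policies still decide whether it is allowed).
    """
    hits = []
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        if not _action_matches(action, statement["Action"]):
            continue
        if not _condition_matches(statement.get("Condition", {}), context):
            continue
        hits.append(statement["Sid"])
    return hits


if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    # Constructed sample request: an administrator role trying to delete a trail
    admin = {"aws:RequestedRegion": "us-east-1",
             "aws:PrincipalArn": "arn:aws:iam::111122223333:role/AdminRole"}
    print(denying_statements(SCP, "cloudtrail:DeleteTrail", admin))
```

Attached at the organization root, a policy like this is inherited by every current and future member account, which is the "centrally managed, automatically applied" property the stem asks for. Two caveats a practitioner would check: SCPs never apply to the management account, so that account's root user is not restricted by this policy, and the `ProtectCloudTrail` statement guards the trail configuration, not the delivered log objects, which need their own protection at the S3 bucket (bucket policy or Object Lock).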
Options
Discussion
Option C is right for this setup. Control Tower plus SCPs can enforce region deny and block root everywhere, not just regular users. D won't lock down root user actions the same way. Pretty sure on this but open to corrections.
C or D? Pretty sure D handles the security policies fine, don't see why root actions are a blocker.
D, I had something like this in a mock and picked D.
Guessing D, since Firewall Manager and Config packs feel like they'd handle these org-wide controls even though root restrictions might be tricky.
C
If the requirements didn't say to block all root user actions, would D actually cover everything else? Or is there another trap in the region control part too?
C, not D. Firewall Manager can't block root user actions everywhere, that's the trick here. Saw similar on a practice test.
Nice catch, that's why it's C. Only SCPs with Control Tower can block root actions org-wide and do region-deny in one shot.
Maybe D since Firewall Manager and Config aggregator can check org-wide compliance, and policies can cover new accounts too. I thought D could block stuff at org level, even root. Let me know if I missed a trap here.
Yeah, C is the way to go here. Only Control Tower with SCPs can block root user actions org-wide and restrict regions at the org level. D can't prevent root from acting, so I think C is safest.