Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 57 discussion

To meet regulatory requirements, a security engineer needs to implement an IAM policy that restricts the use of AWS services to the us-east-1 Region.
What policy should the engineer implement?

  • A.
  • B.
  • C.
  • D.
Suggested Answer: C

Comments

100fold
Highly Voted 1 year, 1 month ago
Selected Answer: C
Answer C https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-requested-region.html
upvoted 8 times
zzyy
Most Recent 7 months, 1 week ago
Not sure even if C is correct... On the condition it says StringNotEquals to us-east-1, which means the Deny all the aws resources except us-east-1, which is not what we want, right..? I am confused..
upvoted 1 times
zzyy
7 months, 1 week ago
Never mind.. I got the actual picture now.. ChatGPT helped. When you use "StringEquals": { "aws:RequestedRegion": "us-east-1" }, it means that the condition will only be satisfied if the requested region is exactly "us-east-1". So, with this condition in place, any AWS service request made from a region other than us-east-1 will be denied. It's a strict policy that allows access only if the requested region matches "us-east-1". If the request comes from any other region, it will be denied, ensuring that all operations occur exclusively within the specified region. This policy denies all actions ("Action": "*") on all resources ("Resource": "*"), but only if the requested region is not "us-east-1". This effectively restricts the use of AWS services to the us-east-1 Region.
upvoted 1 times
frankzeng
8 months, 2 weeks ago
C is wrong. C is deny, no allow.
upvoted 1 times
helloworldabc
2 months, 2 weeks ago
just C
upvoted 1 times
Raphaello
9 months, 2 weeks ago
Selected Answer: C
The request is to restrict (deny) use of services outside a specific region, therefore an "allow" policy for that specific region is not enough. Option C does just that, it denies all services if the "requested region" is not the specific one.
upvoted 2 times
jakie22332
4 weeks, 1 day ago
this - exactly
upvoted 1 times
rahav
11 months, 2 weeks ago
Selected Answer: C
Answer is C
upvoted 1 times
lmimi
1 year ago
Why not A? C is just not denied, but not explicit allow.
upvoted 1 times
Aamee
1 year ago
A can't be correct since the 'Deny' always takes precedence over 'Allow' if any similar SID policy statement is defined. The option C looks correct since it denies the access of the aws resources explicitly through the condition that 'IF' the region is not equal to 'us-east-1'. Since the question states that the access restriction should be limited to just us-east-1 region only.
upvoted 2 times
kk2000
1 year, 2 months ago
C is Correct
upvoted 2 times
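
Added example, not part of the original thread and not the exam's option text: a simplified evaluator showing why the thread settles on a Deny with StringNotEquals on aws:RequestedRegion rather than a region-scoped Allow. The three policies are constructed from the comments' description, and `condition_matches` and `evaluate` are hypothetical helpers that model only identity policies with `"Action": "*"` and `"Resource": "*"`.

```python
# Constructed policies. DENY_OUTSIDE has the shape the comments describe for
# option C; ALLOW_REGION and ALLOW_ALL are assumptions added for comparison.
DENY_OUTSIDE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}}]}
ALLOW_REGION = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "*", "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}}]}
ALLOW_ALL = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "*", "Resource": "*"}]}


def condition_matches(condition, context):
    """Handle only StringEquals / StringNotEquals; every key must match."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if operator == "StringEquals":
                matched = actual in values
            elif operator == "StringNotEquals":
                matched = actual not in values
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not matched:
                return False
    return True


def evaluate(policies, region):
    """Simplified evaluation: explicit Deny wins, then any Allow, else implicit deny."""
    context = {"aws:RequestedRegion": region}
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not condition_matches(statement.get("Condition", {}), context):
                continue
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    for name, attached in [("allow-all + region allow", [ALLOW_ALL, ALLOW_REGION]),
                           ("allow-all + region deny", [ALLOW_ALL, DENY_OUTSIDE]),
                           ("region deny only", [DENY_OUTSIDE])]:
        for region in ("us-east-1", "eu-west-1"):
            print(f"{name:26} {region:10} {evaluate(attached, region)}")
```

The "region deny only" rows show that the Deny statement grants nothing by itself: it restricts whatever other attached policies allow.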