agree with A and C https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_vpc.html#example_vpc_2

A. By using Control Tower, the company can enforce data residency guardrails and restrict internet access for VPCs and denies access to all Regions except the required ap-northeast-3 Region. C. With Organizations, the company can configure SCPs to prevent VPCs from gaining internet access. By denying access to all Regions except ap-northeast-3, the company ensures that VPCs can only be deployed in the specified Region. Option B is incorrect because using rules in AWS WAF alone does not address the requirement of denying access to all AWS Regions except ap-northeast-3. Option D is incorrect because configuring outbound rules in network ACLs and IAM policies for users can help restrict traffic and access, but it does not enforce the company's requirement of denying access to all Regions except ap-northeast-3. Option E is incorrect because using AWS Config and managed rules can help detect and alert for specific resources and configurations, but it does not directly enforce the restriction of internet access or deny access to specific Regions.

AC for sure

B: Irrelevant WAF D: This is confusing so I'll ignore it. E: Wrong product A: Control Tower can have residency guard rails and block internet access. C: SCP is like a duplicate of A IMHO but it stops admins from circumventing A as Org policies cannot be overridden by admins unless they are org admins. Too moany assumptions

A. Use AWS Control Tower to implement data residency guardrails to deny internet access and deny access to all AWS Regions except ap-northeast-3. C. Use AWS Organizations to configure service control policies (SCPs) that prevent VPCs from gaining internet access. Deny access to all AWS Regions except ap-northeast-3.

Use Control Tower to implement data residency guardrails and Service Control Policies (SCPS) to prevent VPCs from gaining internet access.

AWS Control Tower guardrails and AWS Organizations SCPs provide centralized, automated mechanisms to enforce no internet connectivity for VPCs and restrict Region access to only ap-northeast-3.

Didn't know that SCPS (Service Control Policies) could be used to deny users internet access. Good to know. Always thought it's got controlling who can and can't access AWS Services.

Agree with Aand C https://aws.amazon.com/blogs/aws/new-for-aws-control-tower-region-deny-and-guardrails-to-help-you-meet-data-residency-requirements/

I choose C and D. For control tower, it can't be A because ap-northeast-3 doesn't support it! Also, in the case of E, it is detection and warning, so it is difficult to prevent internet connection (although the view is a little obscure).

A and C

C/D A - CANNOT BE!!! AWS Control Tower is not available in ap-northeast-3! Check your B- for sure no C - SCPS (Service Control Policies)- For sure D - Deny outbound rule to be place in prod and also IAM Policy to deny Users creating services in AP-Northeast3 E - it creates an alert, which means it happens but an alert is triggered. so I think it's not good either.

Control tower isn't available in AP-northeast-3 (only available in ap-northeast1 and 2 : https://www.aws-services.info/controltower.html) For answer E, it creates an alert, wich means it happens but an alert is triggered. so i think it's not good either. That's why i would go for C and D

AWS Control tower is not available in ap-northeast-3! https://www.aws-services.info/controltower.html

What's wrong with B?

A - CANNOT BE!!! AWS Control Tower is not available in ap-northeast-3! Check your consolle.

From ChatGPT :) Control Tower: Can Yes, AWS Control Tower can implement data residency guardrails to deny internet access and restrict access to AWS Regions except for one. To restrict access to AWS regions, you can create a guardrail using AWS Organizations to deny access to all AWS regions except for the one that you want to allow. This can be done by creating an organizational policy that restricts access to specific AWS services and resources based on region. Config: Can(not). Yes, AWS Config can help you enforce restrictions on internet access and control access to specific AWS Regions using AWS Config Rules. It's worth noting that AWS Config is a monitoring service that provides continuous assessment of your AWS resources against desired configurations. While AWS Config can alert you when a configuration change occurs, it cannot directly restrict access to resources or enforce specific policies. For that, you may need to use other AWS services such as AWS Identity and Access Management (IAM), AWS Firewall Manager, or AWS Organizations.