Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 151 discussion

agree with A and C https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_vpc.html#example_vpc_2

A. By using Control Tower, the company can enforce data residency guardrails and restrict internet access for VPCs and denies access to all Regions except the required ap-northeast-3 Region. C. With Organizations, the company can configure SCPs to prevent VPCs from gaining internet access. By denying access to all Regions except ap-northeast-3, the company ensures that VPCs can only be deployed in the specified Region. Option B is incorrect because using rules in AWS WAF alone does not address the requirement of denying access to all AWS Regions except ap-northeast-3. Option D is incorrect because configuring outbound rules in network ACLs and IAM policies for users can help restrict traffic and access, but it does not enforce the company's requirement of denying access to all Regions except ap-northeast-3. Option E is incorrect because using AWS Config and managed rules can help detect and alert for specific resources and configurations, but it does not directly enforce the restriction of internet access or deny access to specific Regions.

❌ A. Control Tower does not directly prevent internet access; it only provides guardrails, but those can be bypassed in some cases. ✅ C. SCPs (Service Control Policies) in AWS Organizations provide hard restrictions at the account level, making them more enforceable than Control Tower guardrails alone. ✅E. AWS Config ensures continuous monitoring and alerts, which Control Tower does not provide as effectively. This ensures strong security controls, compliance enforcement, and real-time monitoring while maintaining AWS best practices.

Option C provides centralized governance with SCPs, and Option E provides continuous monitoring and alerting for compliance. Together, these solutions meet the requirements of restricting internet access and ensuring usage of only the ap-northeast-3 region.

Ans A, C - Control Tower with Organisations configured. The two go together

AC for sure

B: Irrelevant WAF D: This is confusing so I'll ignore it. E: Wrong product A: Control Tower can have residency guard rails and block internet access. C: SCP is like a duplicate of A IMHO but it stops admins from circumventing A as Org policies cannot be overridden by admins unless they are org admins. Too moany assumptions

A. Use AWS Control Tower to implement data residency guardrails to deny internet access and deny access to all AWS Regions except ap-northeast-3. C. Use AWS Organizations to configure service control policies (SCPs) that prevent VPCs from gaining internet access. Deny access to all AWS Regions except ap-northeast-3.

Use Control Tower to implement data residency guardrails and Service Control Policies (SCPS) to prevent VPCs from gaining internet access.

AWS Control Tower guardrails and AWS Organizations SCPs provide centralized, automated mechanisms to enforce no internet connectivity for VPCs and restrict Region access to only ap-northeast-3.

Didn't know that SCPS (Service Control Policies) could be used to deny users internet access. Good to know. Always thought it's got controlling who can and can't access AWS Services.

Agree with Aand C https://aws.amazon.com/blogs/aws/new-for-aws-control-tower-region-deny-and-guardrails-to-help-you-meet-data-residency-requirements/

I choose C and D. For control tower, it can't be A because ap-northeast-3 doesn't support it! Also, in the case of E, it is detection and warning, so it is difficult to prevent internet connection (although the view is a little obscure).

A and C

C/D A - CANNOT BE!!! AWS Control Tower is not available in ap-northeast-3! Check your B- for sure no C - SCPS (Service Control Policies)- For sure D - Deny outbound rule to be place in prod and also IAM Policy to deny Users creating services in AP-Northeast3 E - it creates an alert, which means it happens but an alert is triggered. so I think it's not good either.

Control tower isn't available in AP-northeast-3 (only available in ap-northeast1 and 2 : https://www.aws-services.info/controltower.html) For answer E, it creates an alert, wich means it happens but an alert is triggered. so i think it's not good either. That's why i would go for C and D

AWS Control tower is not available in ap-northeast-3! https://www.aws-services.info/controltower.html