AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
A compliance mandate requires that no member account in the company's AWS Organization can provision resources outside the us-east-1 or us-west-2 Regions and that Amazon Redshift is completely blocked. The CloudOps team needs a centrally managed, preventive control that applies to existing and future accounts without modifying individual IAM roles. Which solution meets these requirements?
Deploy AWS Control Tower and enable guardrails to disable unsupported Regions and block the Redshift service across the organization.
Create an IAM permission boundary in each account that allows only approved Regions and excludes Redshift actions, then attach it to every user and role.
Attach a Service Control Policy to the organization root that denies all actions when aws:RequestedRegion is anything other than us-east-1 or us-west-2 and denies redshift:* for all principals.
Enable an AWS Config rule that detects resources created in unauthorized Regions or any Redshift cluster and invokes Systems Manager Automation to delete them.
Service Control Policies (SCPs) are organization-level guardrails that apply to every principal in every account, including the root user. An SCP attached to the organization's root can include two explicit Deny statements: one that denies all actions if the aws:RequestedRegion condition is not us-east-1 or us-west-2, and another that denies redshift: actions everywhere. Because SCPs are evaluated before IAM policies, the restrictions are preventive and automatically apply to all current and newly created accounts.
IAM permission boundaries (or account-level IAM policies) must be attached to each role or user and can be removed by administrators, making them harder to enforce consistently. AWS Config with remediation is detective; resources are created before they are deleted, which does not satisfy the preventive requirement. AWS Control Tower guardrails cannot currently disable individual services such as Redshift in every account and introduce additional overhead that is unnecessary for this narrow requirement.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are Service Control Policies (SCPs) in AWS Organizations?
Open an interactive chat with Bash
What is the difference between SCPs and IAM permission boundaries?
Open an interactive chat with Bash
Why are SCPs considered a preventive control, while AWS Config rules are detective?
Open an interactive chat with Bash
AWS Certified CloudOps Engineer Associate SOA-C03
Security and Compliance
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .