A company must migrate its on-premises data center to AWS but, due to compliance, can use only the ap-northeast-3 Region. Company administrators are not allowed to connect VPCs to the internet. Which solutions satisfy these requirements? (Choose two.)
Choose an answer
Tap an option to check your answer.
Correct answer: Use AWS Control Tower to implement data residency guardrails that deny internet access and that block all AWS Regions except ap-northeast-3., Use AWS Organizations to create service control policies (SCPs) that prevent VPCs from gaining internet access and that deny all AWS Regions except ap-northeast-3..
Why this is the answer
AWS Control Tower and AWS Organizations with Service Control Policies (SCPs) are effective solutions. Control Tower provides a prescriptive way to set up a secure, multi-account AWS environment, including data residency guardrails that can restrict internet access and enforce specific regions. SCPs, managed through AWS Organizations, allow you to centrally manage permissions for all accounts in your organization, explicitly denying actions that would grant internet access or create resources outside the specified region. The other options are less comprehensive or effective. AWS WAF is for web application protection, not general VPC internet access control. Denying regions in account settings is not a standard AWS feature. Network ACLs are VPC-specific and don't prevent internet access across all VPCs or enforce region restrictions at an organizational level. IAM policies are user-specific and can be bypassed by other users or roles, and AWS Config detects and alerts but doesn't prevent non-compliant actions.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed