Q14 — AWS SAA-C03 Ch.4
Q209. A company wants to migrate its on-premises data center to AWS. According to the company's compliance requirements, the company can use only the ap-northeast-3 Region. Company administrators are not permitted to connect VPCs to the internet. Which solutions will meet these requirements? (Select TWO.)
- A. Use AWS Control Tower to implement data residency guardrails to deny internet access and deny access to all AWS Regions except ap-northeast-3 ✓
- B. Use rules in AWS WAF to prevent internet access. Deny access to all AWS Regions except ap-northeast-3 in the AWS account settings.
- C. Use AWS Organizations to configure service control policies (SCPs) that prevent VPCs from gaining internet access. Deny access to all AWS Regions except ap-northeast-3. ✓
- D. Create an outbound rule for the network ACL in each VPC to deny all traffic from 0.0.0.0/0. Create an IAM policy for each user to prevent the use of any AWS Region other than ap-northeast-3.
- E. Use AWS Config to activate managed rules to detect and alert for internet gateways and to detect and alert for new resources deployed outside of ap-northeast-3.
Correct Answer: A. Use AWS Control Tower to implement data residency guardrails to deny internet access and deny access to all AWS Regions except ap-northeast-3, C. Use AWS Organizations to configure service control policies (SCPs) that prevent VPCs from gaining internet access. Deny access to all AWS Regions except ap-northeast-3.
Explanation
To migrate an on-premises data center to AWS in the ap-northeast-3 Region while meeting compliance requirements that prohibit connecting VPCs to the internet, the company should use AWS Control Tower to implement data residency guardrails that deny internet access and deny access to all AWS Regions except ap-northeast-3, and use AWS Organizations to configure service control policies (SCPs) that prevent VPCs from gaining internet access and deny access to all AWS Regions except ap-northeast-3. Both controls are preventive and are applied centrally across the organization rather than per resource or per user. Therefore, options A and C are the correct answers.

Option B suggests using rules in AWS WAF to prevent internet access and denying access to all AWS Regions except ap-northeast-3 in the AWS account settings. While this approach can work for preventing internet access, it may not be sufficient to ensure compliance requirements are met with respect to restricting AWS Region access.

Option D suggests creating an outbound rule for the network ACL in each VPC to deny all traffic from 0.0.0.0/0 and creating an IAM policy for each user to prevent the use of any AWS Region other than ap-northeast-3. While this approach can work, it requires more manual setup and management compared to using AWS Control Tower and AWS Organizations to enforce SCPs, and every new VPC or user must be configured correctly for the control to hold.

Option E suggests using AWS Config to activate managed rules to detect and alert for internet gateways and to detect and alert for new resources deployed outside of ap-northeast-3. While this approach can help detect potential non-compliance issues, it is a detective control: it does not provide a mechanism for enforcing the compliance requirements.
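As an added illustration of option C (this policy is not part of the original question or explanation), the following SCP combines the two requirements in one document: the first statement denies any API call whose requested Region is not ap-northeast-3, while exempting a set of global services whose calls are signed against us-east-1 regardless of where the workload runs; the second statement denies the EC2 actions that create or attach internet gateways and egress-only internet gateways, which is what "prevent VPCs from gaining internet access" comes down to at the API level. The list of exempted global services is an assumption chosen for this example and should be tailored to the services the organization actually uses; JSON permits no comments, so the assumptions are stated here rather than inline.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllRegionsExceptApNortheast3",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": "ap-northeast-3"
        }
      }
    },
    {
      "Sid": "DenyInternetGatewayCreationAndAttachment",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:CreateEgressOnlyInternetGateway"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach the policy to the organizational unit that holds the workload accounts. Two caveats matter when checking that it meets the requirement: SCPs do not apply to the management account, so the migrated workloads should live in member accounts, and an SCP only limits what the accounts' principals may do, so the AWS Config rules from option E remain useful as a detective layer that alerts on any internet gateway or out-of-Region resource that existed before the SCP was attached.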