AWS Certified Solutions Architect - Associate SAA-C03 Exam Questions

AWS Certified Solutions Architect - Associate SAA-C03 Exam - Question 151


A company wants to migrate its on-premises data center to AWS. According to the company's compliance requirements, the company can use only the ap-northeast-3 Region. Company administrators are not permitted to connect VPCs to the internet.

Which solutions will meet these requirements? (Choose two.)

Correct Answer: AC

To migrate its on-premises data center to AWS while meeting compliance requirements of using only the ap-northeast-3 Region and not connecting VPCs to the internet, a company can use AWS Control Tower and AWS Organizations. AWS Control Tower can enforce data residency guardrails to deny internet access and restrict access to the required region only. Additionally, AWS Organizations can configure service control policies (SCPs) which prevent VPCs from gaining internet access and ensure that resources are only deployed in ap-northeast-3.
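The two SCPs the explanation above describes, written out as an added example (not from the exam, the page, or AWS): a Region-deny policy built on the `aws:RequestedRegion` condition key and a policy that denies the EC2 calls that give a VPC a path to the internet. The policy documents are constructed for this page; the evaluator below is a deliberately reduced model of SCP Deny semantics (real evaluation also involves the account's IAM policies), and the exempted global services are an assumption.

```python
"""Constructed SCPs plus a simplified Deny-only evaluator (hypothetical, not AWS code)."""
import fnmatch

# Deny every action outside ap-northeast-3, except a few global (non-regional)
# services whose API calls carry a different aws:RequestedRegion; list is assumed.
REGION_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideOsaka",
        "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["ap-northeast-3"]}},
    }],
}

# Deny the calls that would attach an internet path to any VPC in the account.
NO_INTERNET_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInternetGateways",
        "Effect": "Deny",
        "Action": ["ec2:CreateInternetGateway", "ec2:AttachInternetGateway",
                   "ec2:CreateEgressOnlyInternetGateway"],
        "Resource": "*",
    }],
}

def _action_matches(patterns, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _statement_applies(stmt, action, region):
    if "Action" in stmt and not _action_matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _action_matches(stmt["NotAction"], action):
        return False
    allowed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
    if allowed is not None and region in allowed:
        return False  # StringNotEquals not satisfied, so the Deny does not fire
    return True

def is_denied(action, region, scps=(REGION_DENY_SCP, NO_INTERNET_SCP)):
    """True if any Deny statement in the attached SCPs matches the request.
    SCPs never grant permissions, so only Deny statements matter here."""
    return any(s["Effect"] == "Deny" and _statement_applies(s, action, region)
               for scp in scps for s in scp["Statement"])
```

Because an SCP applies to every principal in the member accounts it is attached to, including account administrators, it closes the gap an account-level setting or a network ACL alone would leave.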

Discussion

27 comments
Six_Fingered_Jose (Options: AC)
Oct 26, 2022

agree with A and C https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_vpc.html#example_vpc_2

cookieMr (Options: AC)
Jun 24, 2023

A. By using Control Tower, the company can enforce data residency guardrails and restrict internet access for VPCs and denies access to all Regions except the required ap-northeast-3 Region. C. With Organizations, the company can configure SCPs to prevent VPCs from gaining internet access. By denying access to all Regions except ap-northeast-3, the company ensures that VPCs can only be deployed in the specified Region. Option B is incorrect because using rules in AWS WAF alone does not address the requirement of denying access to all AWS Regions except ap-northeast-3. Option D is incorrect because configuring outbound rules in network ACLs and IAM policies for users can help restrict traffic and access, but it does not enforce the company's requirement of denying access to all Regions except ap-northeast-3. Option E is incorrect because using AWS Config and managed rules can help detect and alert for specific resources and configurations, but it does not directly enforce the restriction of internet access or deny access to specific Regions.

rjam
Nov 15, 2022

https://aws.amazon.com/blogs/aws/new-for-aws-control-tower-region-deny-and-guardrails-to-help-you-meet-data-residency-requirements/ *Disallow internet access for an Amazon VPC instance managed by a customer

rjam
Nov 15, 2022

Option A and C

rjam
Nov 15, 2022

*You can use data-residency guardrails to control resources in any AWS Region.

Abrar2022
Jun 10, 2023

Didn't know that SCPs (Service Control Policies) could be used to deny users internet access. Good to know. Always thought it was about controlling who can and can't access AWS services.

moaaz86
Feb 24, 2023

From ChatGPT :) Control Tower: Can Yes, AWS Control Tower can implement data residency guardrails to deny internet access and restrict access to AWS Regions except for one. To restrict access to AWS regions, you can create a guardrail using AWS Organizations to deny access to all AWS regions except for the one that you want to allow. This can be done by creating an organizational policy that restricts access to specific AWS services and resources based on region. Config: Can(not). Yes, AWS Config can help you enforce restrictions on internet access and control access to specific AWS Regions using AWS Config Rules. It's worth noting that AWS Config is a monitoring service that provides continuous assessment of your AWS resources against desired configurations. While AWS Config can alert you when a configuration change occurs, it cannot directly restrict access to resources or enforce specific policies. For that, you may need to use other AWS services such as AWS Identity and Access Management (IAM), AWS Firewall Manager, or AWS Organizations.

ACloud_Guru15
Oct 28, 2023

If we say AWS won't support Control Tower & Config, it will simply agree by asking a few more questions. Don't trust ChatGPT blindly

AlessandraSAA (Options: CE)
Mar 15, 2023

A - CANNOT BE!!! AWS Control Tower is not available in ap-northeast-3! Check your console.

Guru4Cloud (Options: AC)
Aug 17, 2023

AWS Control Tower guardrails and AWS Organizations SCPs provide centralized, automated mechanisms to enforce no internet connectivity for VPCs and restrict Region access to only ap-northeast-3.

aba2s (Options: AD)
Jan 4, 2023

You can now use AWS Control Tower guardrails to deny services and operations for AWS Region(s) of your choice in your AWS Control Tower environments. The Region deny capabilities complement existing AWS Control Tower Region selection and Region deselection features, providing you with the capabilities to address compliance and regulatory requirements while improving cost efficiency of expanding into additional Regions. Along with the Region Deny feature, a set of data residency guardrails are released to help customers with data residency requirements. You can use these guardrails to choose the AWS Region that is in your desired location and have complete control and ownership over the region in which your data is physically located, making it easy to meet regional compliance and data residency requirements. https://controltower.aws-management.tools/security/restrict_regions/

aba2s
Jan 4, 2023

I mean A and C, not D. Please allow editing posts after they are submitted

warioverde
Mar 24, 2023

What's wrong with B?

NSA_Poker
May 16, 2024

Denying access to all AWS Regions except ap-northeast-3 in the AWS account settings cannot be enforced. Each individual account owner would have to configure this on trust. They could easily change it to allow themselves access beyond the Asia Pacific Region. So, instead you configure access controls across ALL accounts by using service control policies (SCPs). Apply to the root & it will apply to all OUs and accounts in the organization.

BrijMohan08 (Options: AC)
Sep 17, 2023

A. Use AWS Control Tower to implement data residency guardrails to deny internet access and deny access to all AWS Regions except ap-northeast-3. C. Use AWS Organizations to configure service control policies (SCPs) that prevent VPCs from gaining internet access. Deny access to all AWS Regions except ap-northeast-3.

awsgeek75 (Options: AC)
Jan 16, 2024

B: Irrelevant WAF. D: This is confusing so I'll ignore it. E: Wrong product. A: Control Tower can have residency guardrails and block internet access. C: SCP is like a duplicate of A IMHO but it stops admins from circumventing A as Org policies cannot be overridden by admins unless they are org admins. Too many assumptions

KZM
Feb 10, 2023

Option A uses AWS Control Tower to implement data residency guardrails, but it does not prevent internet access by itself. It only denies access to all AWS Regions except ap-northeast-3. The requirement states that administrators are not permitted to connect VPCs to the internet, so Option A does not meet this requirement.

pentium75
Dec 26, 2023

"AWS Control Tower also offers guardrails to further control data residency in underlying AWS service options, for example, blocking Amazon Simple Storage Service (Amazon S3) cross-region replication or BLOCKING THE CREATION OF INTERNET GATEWAYS." https://aws.amazon.com/de/blogs/aws/new-for-aws-control-tower-region-deny-and-guardrails-to-help-you-meet-data-residency-requirements/

WherecanIstart (Options: CE)
Mar 24, 2023

AWS Control tower is not available in ap-northeast-3! https://www.aws-services.info/controltower.html

Kaireny54 (Options: CD)
Apr 2, 2023

Control Tower isn't available in ap-northeast-3 (only available in ap-northeast-1 and 2: https://www.aws-services.info/controltower.html). For answer E, it creates an alert, which means it happens but an alert is triggered, so I think it's not good either. That's why I would go for C and D

darn
Apr 21, 2023

False, Control Tower is in Osaka NorthEast 3 https://docs.aws.amazon.com/controltower/latest/userguide/region-how.html

darn
Apr 21, 2023

same page you posted: ap-northeast-3 Asia Pacific (Osaka) 2023-04-20 https://aws.amazon.com/controltower

Bmarodi
May 23, 2023

It's available now on the same link you pasted in earlier: ap-northeast-3 Asia Pacific (Osaka) 2023-04-20.

datz (Options: CD)
Apr 8, 2023

C/D. A - CANNOT BE!!! AWS Control Tower is not available in ap-northeast-3! Check your B - for sure no. C - SCPs (Service Control Policies) - for sure. D - Deny outbound rule to be placed in prod and also IAM policy to deny users creating services outside ap-northeast-3. E - it creates an alert, which means it happens but an alert is triggered, so I think it's not good either.

darn
Apr 21, 2023

False, Control Tower is in Osaka NorthEast 3 https://docs.aws.amazon.com/controltower/latest/userguide/region-how.html

jerryl
Mar 24, 2025

I don't think region availability should be a consideration in the exam; I think it would be crazy if AWS intended to test your "knowledge" of the regional availability of different services...

hicham0101
Apr 25, 2023

Agree with A and C https://aws.amazon.com/blogs/aws/new-for-aws-control-tower-region-deny-and-guardrails-to-help-you-meet-data-residency-requirements/

TariqKipkemei (Options: AC)
Sep 8, 2023

Use Control Tower to implement data residency guardrails and Service Control Policies (SCPs) to prevent VPCs from gaining internet access.

PaulGa (Options: AC)
Oct 17, 2024

Ans A, C - Control Tower with Organisations configured. The two go together

iamroyalty_k (Options: CE)
Feb 13, 2025

❌ A. Control Tower does not directly prevent internet access; it only provides guardrails, but those can be bypassed in some cases. ✅ C. SCPs (Service Control Policies) in AWS Organizations provide hard restrictions at the account level, making them more enforceable than Control Tower guardrails alone. ✅E. AWS Config ensures continuous monitoring and alerts, which Control Tower does not provide as effectively. This ensures strong security controls, compliance enforcement, and real-time monitoring while maintaining AWS best practices.

Wpcorgan
Nov 22, 2022

A and C

career360guru (Options: AC)
Dec 18, 2022

A and C

mhmt4438
Jan 5, 2023

C and E To meet the requirements of not allowing VPCs to connect to the internet and limiting the AWS Region to ap-northeast-3, you can use the following solutions: C: Use AWS Organizations to configure service control policies (SCPs) that prevent VPCs from gaining internet access. Deny access to all AWS Regions except ap-northeast-3. This will ensure that VPCs cannot access the internet and can only be created in the ap-northeast-3 Region. E: Use AWS Config to activate managed rules to detect and alert for internet gateways and to detect and alert for new resources deployed outside of ap-northeast-3. This will allow you to monitor for any attempts to connect VPCs to the internet or to deploy resources outside of the ap-northeast-3 Region, and alert you if any such attempts are detected.

egmiranda
Jan 19, 2023

Not E. "Company administrators are not permitted...": an alert detects a connection and sends an alert, it does not prevent the connection

bullrem (Options: CE)
Jan 22, 2023

Option A is not a valid solution because AWS Control Tower is a service that helps customers set up and govern a new, secure, multi-account AWS environment based on best practices. It does not provide specific guardrails that would prevent internet access or restrict access to a specific region. Option C is a valid solution because AWS Organizations can be used to configure service control policies (SCPs) that can prevent VPCs from gaining internet access, and this can be done by denying access to all AWS Regions except ap-northeast-3. Option E is also a valid solution because AWS Config can be used to activate managed rules to detect and alert for internet gateways and to detect and alert for new resources deployed outside of ap-northeast-3. This can help to ensure compliance with the company's requirements to prevent internet access and to limit access to a specific region.

LuckyAro
Feb 2, 2023

The most interesting guardrail is probably the one denying access to AWS based on the requested AWS Region. I choose it from the list and find that it is different from the other guardrails because it affects all Organizational Units (OUs) and cannot be activated here but must be activated in the landing zone settings. https://aws.amazon.com/blogs/aws/new-for-aws-control-tower-region-deny-and-guardrails-to-help-you-meet-data-residency-requirements/#:~:text=AWS%20Control%20Tower%20also%20offers,the%20creation%20of%20internet%20gateway

pentium75
Dec 26, 2023

"AWS Control Tower also offers guardrails to further control data residency in underlying AWS service options, for example, blocking Amazon Simple Storage Service (Amazon S3) cross-region replication or BLOCKING THE CREATION OF INTERNET GATEWAYS." https://aws.amazon.com/de/blogs/aws/new-for-aws-control-tower-region-deny-and-guardrails-to-help-you-meet-data-residency-requirements/

notacert (Options: AC)
Apr 9, 2023

A and C

yallahool
Apr 10, 2023

I choose C and D. For control tower, it can't be A because ap-northeast-3 doesn't support it! Also, in the case of E, it is detection and warning, so it is difficult to prevent internet connection (although the view is a little obscure).

michellemeloc
May 4, 2023

I just checked, now it's supported!!!

ChymKuBoy (Options: AC)
Jun 20, 2024

AC for sure

Skyskilo (Options: CE)
Jan 17, 2025

Option C provides centralized governance with SCPs, and Option E provides continuous monitoring and alerting for compliance. Together, these solutions meet the requirements of restricting internet access and ensuring usage of only the ap-northeast-3 region.