🔥 3-day streak
AWS Certified Security - Specialty122 / 157
Question 122 of 157

A security engineer must enforce that all member accounts in an AWS Organization can only operate in the eu-west-1 and eu-central-1 Regions to meet data residency requirements. However, the organization still relies on global services such as IAM, AWS Organizations, Route 53, and CloudFront, which make API calls that appear to originate from us-east-1. The engineer applies a Service Control Policy (SCP) that denies all actions when aws:RequestedRegion is not one of the two approved Regions. After deployment, users report they can no longer create IAM users or manage Route 53 hosted zones. What is the BEST way to fix the SCP while still enforcing the Regional restriction?

Reviewed for accuracy · Report an issueNext question