SCP for Data Residency Compliance in AWS S3 Buckets | Bank Case Study

Enforce Data Residency Compliance with SCP for S3 Buckets in eu-west-2 Region

Question

In order to meet data residency compliance requirements for a large bank, you must ensure that all S3 buckets are created in the eu-west-2 region.

You plan to use SCP to enforce this rule.

Which SCP will accomplish this?

Answers

Explanations


Answer: A.

Option A is CORRECT because it explicitly denies s3:CreateBucket whenever the request's s3:LocationConstraint is anything other than eu-west-2. An explicit Deny in an SCP cannot be overridden by any IAM policy in the member accounts, so no principal in those accounts can create a bucket in another region.

Option B is incorrect because an Allow statement in an SCP does not restrict anything on its own. SCPs only define the maximum permissions available to an account; if another attached SCP (for example the default FullAWSAccess policy) allows s3:CreateBucket, buckets can still be created in other regions. Only an explicit Deny guarantees the restriction.

Option C is incorrect because s3:x-amz-region is not a valid condition key, so the condition never compares against the region actually requested and the policy does not express the intended rule.

Option D is incorrect because s3:x-amz-region is not a valid condition key, and in addition an Allow statement in an SCP restricts nothing by itself.

Reference:

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html

The following is a more detailed explanation of the correct SCP for enforcing the bank's data residency requirement that all S3 buckets are created in the eu-west-2 region.

First, what an SCP is and how it works. Service Control Policies (SCPs) are a feature of AWS Organizations that let you centrally manage the permissions available to all accounts in an organization or organizational unit. An SCP never grants permissions; it defines the maximum permissions that IAM policies in the member accounts can make use of, so it is used to restrict actions regardless of what the identity policies inside those accounts allow. Two practical caveats: SCPs do not apply to the organization's management account, and an explicit Deny in an SCP takes precedence over every Allow, which is why restrictions like the one in this question are written as Deny statements.

Now, let's look at the SCP options provided in the exam question.

Option A:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DataGovernancePolicy",
      "Effect": "Deny",
      "Action": [
        "s3:CreateBucket"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringNotLike": {
          "s3:LocationConstraint": "eu-west-2"
        }
      }
    }
  ]
}

This SCP denies s3:CreateBucket whenever the request's s3:LocationConstraint does not match eu-west-2, so no bucket can be created in any other region. It meets the requirement. Note that it only governs bucket creation: buckets that already exist outside eu-west-2 are not affected by the policy and must be found and handled separately.

Option B:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DataGovernancePolicy",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringLike": {
          "s3:LocationConstraint": "eu-west-2"
        }
      }
    }
  ]
}

This SCP allows s3:CreateBucket when the location constraint is eu-west-2, but an Allow in an SCP does not deny anything. If another attached SCP (such as the default FullAWSAccess policy) allows s3:CreateBucket, buckets can still be created in other regions, so the requirement is not met.

Option C:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DataGovernancePolicy",
      "Effect": "Deny",
      "Action": [
        "s3:CreateBucket"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringNotLike": {
          "s3:x-amz-region": "eu-west-2"
        }
      }
    }
  ]
}

This SCP is meant to deny creating a bucket outside eu-west-2, but s3:x-amz-region is not a valid condition key, so the condition never compares against the region actually requested. The policy does not express the intended rule and does not meet the requirement.

Option D:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DataGovernancePolicy",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringLike": {
          "s3:x-amz-region": "eu-west-2"
        }
      }
    }
  ]
}

This SCP is meant to allow bucket creation in eu-west-2, but s3:x-amz-region is not a valid condition key, and an Allow in an SCP restricts nothing on its own. Buckets could still be created in other regions, so the requirement is not met.

Therefore, the correct SCP to enforce the bank's data residency requirement that all S3 buckets are created in eu-west-2 is Option A: an explicit Deny on s3:CreateBucket conditioned on s3:LocationConstraint.
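To make the difference between the four options concrete, the following is an added example (not code from the page or from AWS) that simulates how the SCP statements above decide an s3:CreateBucket request. It implements the IAM semantics for StringLike and StringNotLike, including the documented rule that a negated operator evaluates true when the condition key is absent from the request context, and it models the default FullAWSAccess policy that AWS Organizations attaches alongside any custom SCP. One modelling assumption: a CreateBucket request for us-east-1 carries no LocationConstraint, so s3:LocationConstraint is treated as absent for that region.

```python
"""Simulate how each SCP option on this page decides an s3:CreateBucket request.

Added example, not code from the page or from AWS. It implements the IAM
condition semantics for StringLike / StringNotLike, including the documented
rule that a negated operator evaluates TRUE when the key is absent from the
request context. Assumption: a CreateBucket request for us-east-1 carries no
LocationConstraint, so s3:LocationConstraint is modeled as absent there.
"""
import fnmatch

# The default SCP that AWS Organizations attaches to every root, OU and account.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _scp(effect, operator, key):
    """Build one of the page's four single-statement options."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DataGovernancePolicy",
            "Effect": effect,
            "Action": ["s3:CreateBucket"],
            "Resource": ["arn:aws:s3:::*"],
            "Condition": {operator: {key: "eu-west-2"}},
        }],
    }


OPTION_A = _scp("Deny", "StringNotLike", "s3:LocationConstraint")
OPTION_B = _scp("Allow", "StringLike", "s3:LocationConstraint")
OPTION_C = _scp("Deny", "StringNotLike", "s3:x-amz-region")  # key S3 never populates
OPTION_D = _scp("Allow", "StringLike", "s3:x-amz-region")    # key S3 never populates


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_true(condition, context):
    """All operator/key pairs are ANDed; the values under one key are ORed."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            value = context.get(key)
            matched = value is not None and any(
                fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))
            if operator == "StringLike":
                ok = matched
            elif operator == "StringNotLike":
                # Negated operator: TRUE when the key is missing or no pattern matches.
                ok = not matched
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def _statement_matches(stmt, action, context):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    return _condition_true(stmt.get("Condition", {}), context)


def evaluate_scps(policies, action, context):
    """Decision for one action under the SCPs attached at one level of the org.

    A matching Deny statement in any policy wins. Otherwise at least one Allow
    statement must match, or the action is implicitly denied: an SCP Allow
    only sets the ceiling, it never restricts anything by itself.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def create_bucket_context(region):
    """Request context for s3:CreateBucket (assumption: key absent for us-east-1)."""
    return {} if region == "us-east-1" else {"s3:LocationConstraint": region}


def decide(option, region, with_default=True):
    """Decision when `option` is attached alongside (or instead of) FullAWSAccess."""
    policies = [option] + ([FULL_AWS_ACCESS] if with_default else [])
    return evaluate_scps(policies, "s3:CreateBucket", create_bucket_context(region))


if __name__ == "__main__":
    for name, scp in (("A", OPTION_A), ("B", OPTION_B), ("C", OPTION_C), ("D", OPTION_D)):
        for region in ("eu-west-2", "us-west-2", "us-east-1"):
            print(f"Option {name}  {region:<10}  {decide(scp, region)}")
```

Running it shows the four behaviours side by side: Option A allows eu-west-2 and denies every other region, including us-east-1 where the key is absent; Option B changes nothing while FullAWSAccess is attached and, on its own, only produces implicit denies rather than an enforced rule; Option C denies even eu-west-2, because the invalid key is never present and the negated condition is therefore always true; Option D never matches and so restricts nothing. The simulator covers the SCPs attached at a single level of the organization; in a real hierarchy an action must be allowed by the SCPs at every level from the root down to the account, and the management account is not subject to SCPs at all.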