A company uses AWS Organizations to manage multiple AWS accounts. The security team needs to enforce a policy that prevents any employee from deploying resources in AWS Regions outside of the United States. The company’s legal department requires a preventive control that automatically blocks all resource creation in non-approved Regions for every account, including any new accounts added in the future. The team wants a solution that requires minimal ongoing administration. Which AWS feature should the security team use?
The correct choice is a Service Control Policy (SCP). An SCP is a centralized, preventive control that applies to all principals (users and roles) in member accounts. The `aws:RequestedRegion` condition key is supported by most AWS services, so the policy can deny resource creation in any non-approved Region. It automatically applies to new accounts added to the organization.
Why this answer
Option C is correct because a Service Control Policy (SCP) attached to the root or an OU in AWS Organizations can deny all AWS API actions when the `aws:RequestedRegion` condition key does not match an approved Region (e.g., `us-east-1` or `us-west-2`). This provides a preventive, account-wide guard that automatically applies to all existing and future accounts in the organization, requiring no per-user or per-role configuration and minimal ongoing administration.
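An SCP of the kind described, written here as an added example rather than taken from the original explanation. The break-glass role name is a placeholder, and the `NotAction` list is a representative subset of global services whose API calls are routed through one Region; it is not exhaustive.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideApprovedUSRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "route53:*",
        "cloudfront:*",
        "support:*",
        "budgets:*",
        "ce:*",
        "health:*",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "us-west-2"]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/BreakGlassAdmin-PLACEHOLDER"
        }
      }
    }
  ]
}
```

Attach it to the organization root so it is inherited by every OU and account, including accounts added later; validate it in a sandbox OU first, because an SCP also binds the root user of each member account (though never the management account itself).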
Exam trap
The trap is confusing detective controls (AWS Config) with preventive controls (SCPs), or assuming that IAM policies can enforce organization-wide restrictions. SCPs are the only mechanism that applies to all accounts and principals in AWS Organizations without ongoing maintenance.
How to eliminate wrong answers
Option A is wrong because an IAM policy attached to users and roles is not a preventive control that applies to all accounts in the organization; it does not cover service-linked roles, root users, or new accounts, and it requires manual attachment to every principal.
Option B is wrong because AWS Config rules are detective, not preventive: they detect non-compliant resources after creation and rely on a Lambda function for remediation, which does not block the initial resource creation and introduces latency and potential race conditions.
Option D is wrong because VPC endpoint policies control traffic to AWS services through VPC endpoints but do not restrict resource creation in non-approved Regions; they are scoped to network-level access, not account-wide API actions.