Quick Answer
The correct approach is to create a Service Control Policy (SCP) with a Deny effect on all actions for any region outside us-east-1 and eu-west-1, attached to the Organization root. This works because SCPs act as a central guardrail that sets the maximum allowable permissions for every principal in every member account, including the account root user, and cannot be overridden by any IAM policy—even one granting full administrator access. On the SAA-C03 exam, this scenario tests your understanding that SCPs are the only mechanism to enforce region restrictions across an entire AWS Organization, and a common trap is to mistakenly suggest IAM policies or a Deny on specific services instead of all actions. Remember the key distinction: IAM policies grant or deny within an account, but SCPs set the boundary for all accounts. A useful memory tip is “SCP sets the fence, IAM works inside the fence.”
SAA-C03 Practice Question: SCPs set the maximum permissions for all…
This SAA-C03 practice question tests your understanding of design secure architectures. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. A key principle to apply: SCPs set the maximum permissions for all principals in member accounts. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A company uses AWS Organizations and wants to prevent any account in the organization from launching resources in regions other than us-east-1 and eu-west-1. This restriction must apply even if an administrator in a member account grants full IAM permissions. Which approach should a solutions architect use?
Answer choices
- A. Create IAM policies with Deny for disallowed regions and attach them to all IAM users and roles in each account
- B. Enable AWS Config rules to detect resources launched in disallowed regions and trigger auto-remediation to delete them
- C. Use AWS Control Tower guardrails to enforce region restriction for all accounts
- D. Create an SCP with a Deny on all actions for regions outside us-east-1 and eu-west-1, attached to the Organization root
Why each option matters
Correct answer & explanation
Create an SCP with a Deny on all actions for regions outside us-east-1 and eu-west-1, attached to the Organization root
Service Control Policies (SCPs) in AWS Organizations provide a guardrail that applies to all principals in member accounts — including IAM users, roles, and even the account root. SCPs restrict the maximum permissions that can be granted within an account. An SCP with Deny on all actions for all regions except us-east-1 and eu-west-1, attached to the organization root, prevents any account from launching resources in other regions regardless of account-level IAM permissions. IAM policies in member accounts cannot override SCPs.
Key principle: SCPs set the maximum permissions for all principals in member accounts
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
Create IAM policies with Deny for disallowed regions and attach them to all IAM users and roles in each account
Why it's wrong here
IAM policies are account-scoped and can be modified by account administrators. This is unscalable and bypassable — not an organization-wide immutable control.
- ✗
Enable AWS Config rules to detect resources launched in disallowed regions and trigger auto-remediation to delete them
Why it's wrong here
Config rules are detective controls that identify violations after resources are created. This does not prevent resource creation — it is reactive, not preventive.
- ✗
Use AWS Control Tower guardrails to enforce region restriction for all accounts
Why it's wrong here
Control Tower implements guardrails using SCPs. The direct mechanism is an SCP. Specifying Control Tower is less precise than the correct answer of directly applying an SCP to the Organization root.
- ✓
Create an SCP with a Deny on all actions for regions outside us-east-1 and eu-west-1, attached to the Organization root
Why this is correct
SCPs apply to all principals in all member accounts and cannot be overridden by account-level IAM. Attached to the Organization root, this SCP covers every member account. The Deny with StringNotEquals condition on aws:RequestedRegion blocks all other regions.
Related concept
SCPs set the maximum permissions for all principals in member accounts
Common exam traps
Common exam trap: answer the scenario, not the keyword
A common misconception is that an IAM Administrator or root user in a member account can override organization-level controls. SCPs define the permission ceiling — even AdministratorAccess (Action: *, Resource: *) cannot exceed what the SCP allows. SCPs are evaluated BEFORE account-level IAM policies.
Detailed technical explanation
How to think about this question
AWS permission evaluation order for member accounts in an Organization:
1. AWS Organizations SCP (evaluated first — sets the ceiling)
2. IAM identity-based policy
3. Resource-based policy
4. Permission boundaries
5. Session policies

Region restriction SCP pattern:
    Effect: Deny
    Action: *
    Resource: *
    Condition: StringNotEquals aws:RequestedRegion [us-east-1, eu-west-1]

Note: SCPs do NOT apply to the management (master) account. Global services (IAM, Route 53) use 'us-east-1' as their region — use NotAction to exclude them from region restriction SCPs.
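The following is an added, illustrative example and not code from Courseiva or from AWS. It builds the region restriction SCP in the pattern above (using NotAction to carve out global services) and runs a simplified model of the evaluation order: the SCP ceiling is checked first for member accounts, then the identity-based policy. The model assumes the default FullAWSAccess SCP is still attached (so only the Deny statement matters), only understands the aws:RequestedRegion condition key, and uses a global-service list (GLOBAL_SERVICE_ACTIONS) chosen for the example; it is not the AWS policy engine.

```python
"""Region restriction SCP plus a simplified model of SCP-before-IAM evaluation.
Illustrative example only; not the AWS policy engine."""
import fnmatch
import json

# Global services whose API calls carry us-east-1 as aws:RequestedRegion. Listing them
# under NotAction keeps the Deny from breaking IAM, STS, Organizations and Route 53.
# (Example list, not an exhaustive catalogue of AWS global services.)
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "route53:*", "support:*"]


def build_region_scp(allowed_regions):
    """Return an SCP that denies every non-global action outside allowed_regions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideAllowedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, action):
    # IAM action patterns use '*' wildcards, e.g. "iam:*" matches "iam:CreateUser"
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def statement_applies(stmt, action, region):
    """True when the statement's action selector and region condition both match."""
    if "Action" in stmt:
        action_hit = _matches_any(_as_list(stmt["Action"]), action)
    else:  # NotAction: the statement applies to everything except the listed actions
        action_hit = not _matches_any(_as_list(stmt["NotAction"]), action)
    if not action_hit:
        return False
    not_equals = stmt.get("Condition", {}).get("StringNotEquals", {})
    expected = _as_list(not_equals.get("aws:RequestedRegion", []))
    if expected and region in expected:
        return False  # StringNotEquals holds only when the region is NOT in the list
    return True


def is_allowed(account_kind, action, region, scp, identity_policy):
    """Simplified decision: an explicit Deny anywhere wins, the SCP is skipped for the
    management account, and otherwise an Allow in the identity policy is required."""
    if account_kind == "member":  # SCPs never apply to the management account
        for stmt in scp["Statement"]:
            if stmt["Effect"] == "Deny" and statement_applies(stmt, action, region):
                return False
    for stmt in identity_policy["Statement"]:
        if stmt["Effect"] == "Deny" and statement_applies(stmt, action, region):
            return False
    return any(stmt["Effect"] == "Allow" and statement_applies(stmt, action, region)
               for stmt in identity_policy["Statement"])


# Same shape as the AdministratorAccess managed policy: Allow * on *.
ADMINISTRATOR_ACCESS = {"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

SCP_TWO_REGIONS = build_region_scp(["us-east-1", "eu-west-1"])  # the question's answer
SCP_EU_ONLY = build_region_scp(["eu-west-1"])                    # shows why NotAction matters


def demo():
    """Constructed sample requests evaluated against the two SCPs."""
    admin = ADMINISTRATOR_ACCESS
    return {
        # Full admin in a member account still cannot launch outside the fence
        "member ec2 eu-west-1": is_allowed("member", "ec2:RunInstances", "eu-west-1", SCP_TWO_REGIONS, admin),
        "member ec2 ap-south-1": is_allowed("member", "ec2:RunInstances", "ap-south-1", SCP_TWO_REGIONS, admin),
        # The management account is outside SCP scope
        "management ec2 ap-south-1": is_allowed("management", "ec2:RunInstances", "ap-south-1", SCP_TWO_REGIONS, admin),
        # With eu-west-1 only, an IAM call (signed against us-east-1) survives because of
        # NotAction, while a regional service call in us-east-1 is denied
        "member iam us-east-1 (eu-only)": is_allowed("member", "iam:CreateUser", "us-east-1", SCP_EU_ONLY, admin),
        "member ec2 us-east-1 (eu-only)": is_allowed("member", "ec2:RunInstances", "us-east-1", SCP_EU_ONLY, admin),
    }


if __name__ == "__main__":
    print(json.dumps(SCP_TWO_REGIONS, indent=2))
    for request, allowed in demo().items():
        print(f"{request}: {'ALLOW' if allowed else 'DENY'}")
```

To deploy the generated document for real, save the JSON and use `aws organizations create-policy --type SERVICE_CONTROL_POLICY` followed by `aws organizations attach-policy` with the root id (`r-xxxx`, placeholder) as the target; test it first on a sandbox OU, because a Deny on `*` with a mistyped region list locks every member account out of regional services at once.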
Key Concepts to Remember
- SCPs set the maximum permissions for all principals in member accounts
- SCPs cannot be overridden by account-level IAM policies, even AdministratorAccess
- SCPs do NOT apply to the AWS Organizations management account
- Region restriction SCPs use Condition StringNotEquals on aws:RequestedRegion
- SCPs are evaluated before IAM policies in the request evaluation chain
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
SCPs set the maximum permissions for all principals in member accounts
Real-world example
How this comes up in practice
A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.
What to study next
Got this wrong? Here's your next step.
Review "SCPs set the maximum permissions for all principals in member accounts", then practise related SAA-C03 questions on the same topic to reinforce the concept.
Last reviewed: May 17, 2026
This SAA-C03 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SAA-C03 exam.