A DevOps engineer is implementing governance controls for a company that requires its infrastructure to be housed within the United States. The engineer must restrict which Regions can be used, and ensure an alert is sent as soon as possible if any activity outside the governance policy takes place. The controls should be automatically enabled on any new Region outside the United States. Which combination of actions will meet these requirements? (Choose two.)
A) Create an AWS Organizations SCP that denies access to all non-global services in non-US Regions. Attach the policy to the root of the organization.
B) Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs and enable it for all Regions. Use a CloudWatch Logs metric filter to send an alert on any service activity in non-US Regions.
C) Use an AWS Lambda function that checks for AWS service activity and deploy it to all Regions. Write an Amazon CloudWatch Events rule that runs the Lambda function every hour, sending an alert if activity is found in a non-US Region.
D) Use an AWS Lambda function to query Amazon Inspector to look for service activity in non-US Regions and send alerts if any activity is found.
E) Write an SCP using the aws:RequestedRegion condition key limiting access to US Regions. Apply the policy to all users, groups, and roles.
Correct Answer:
Verified