Free AWS SOA-C03 Actual Exam Questions - Question 9 Discussion

Question No. 9
A multinational company uses an organization in AWS Organizations to manage over 200 member accounts across multiple AWS Regions. The company must ensure that all AWS resources meet specific security requirements.

The company must not deploy any EC2 instances in the ap-southeast-2 Region. The company must completely block root user actions in all member accounts. The company must prevent any user from deleting AWS CloudTrail logs, including administrators. The company requires a centrally managed solution that the company can automatically apply to all existing and future accounts.

Which solution will meet these requirements?
Osama D.
2026-02-21

Maybe C makes sense too since Control Tower automates governance at the org level and SCPs can effectively limit root user actions and region usage. It's a neat all-in-one solution for these requirements.

0
Osama D.
2026-02-20

C/D? Control Tower is great for governance with SCPs that can block root user actions and restrict regions, so it covers two big requirements well. But I'm unsure if SCPs can fully stop root users from deleting CloudTrail logs since root can sometimes bypass permissions. Firewall Manager combined with Config conformance packs (D) seems to offer a more complete enforcement and detection approach, catching violations org-wide and protecting logs better. So if the CloudTrail deletion prevention is critical, D might edge out C here.

0
Kevin K.
2026-02-20

I’m thinking D is the better choice here. Firewall Manager works well for centralized security policy enforcement and combined with Config aggregator and conformance packs, you get org-wide visibility and enforcement, including CloudTrail log protection. Control Tower (C) is great for governance but might not cover the CloudTrail deletion prevention fully. The other options don’t seem as complete for all three needs—blocking root, region restrictions, and CloudTrail protection—automatically across all accounts. D’s mix of Firewall Manager plus Config org-wide packs covers all bases more thorou

0
Yasir V.
2026-02-19

B imo, Security Hub with custom standards and StackSets can enforce and remediate org-wide.

0
Yasir V.
2026-02-19

C. Control Tower’s region deny controls and SCPs can centrally enforce no EC2 in ap-southeast-2 and block root actions. It’s a simpler, built-in way to govern accounts without needing extra services like Firewall Manager.

0
Sarah S.
2026-02-17

D – Firewall Manager combined with Config aggregator and conformance packs can enforce policies and detect violations across the org. It goes beyond just SCPs by actively monitoring CloudTrail log integrity too.

0
Carlos E.
2026-02-17

I’m thinking option D fits better here. Firewall Manager with organization-wide conformance packs can enforce security policies across all accounts and regions centrally. It’s more aligned with a full block on root user actions and preventing CloudTrail log deletion, since you can set detailed policies and continuously monitor compliance. Unlike Control Tower, Firewall Manager focuses more on security posture management rather than just governance. So I’d go with D for the complete automated enforcement across existing and future accounts.

0
Irfan W.
2026-02-14

Makes sense to go with C since Control Tower automates guardrails like SCPs that block root actions and restrict regions, covering the core requirements centrally. C feels like the most straightforward fit here.

0
Irfan W.
2026-02-13

C imo. Control Tower lets you set guardrails including SCPs that block root user actions and restrict regions like ap-southeast-2. It also automatically applies these controls to new accounts, which fits the centralized management need. The other options either don’t fully block root user actions or are more about detection than enforcement. CloudTrail log deletion can be restricted through SCPs too, so this covers all bases without needing extra layers.

0
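The SCP that Irfan W.'s post above describes (region deny, root block, CloudTrail protection), written out as an added example that is not part of the original page or of any AWS documentation, together with a small evaluator of my own (not the IAM policy engine, and modelling only the `*` wildcard and the StringEquals/StringLike operators this policy uses) that shows which statement catches which request. It goes one step beyond the post by also denying deletion of the delivered log objects in S3, since a trail's logs are S3 objects. The bucket name `example-cloudtrail-logs`, the account ID `111122223333` and the sample requests are assumptions constructed for this example.

```python
"""Added example, not from the original page: an SCP covering the thread's three
requirements plus a deliberately simplified evaluator for the constructs it uses.
The evaluator only illustrates how Deny statements match; it is not AWS's engine.
Assumed: the bucket name example-cloudtrail-logs and all account IDs are made up."""
import fnmatch

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # 1. No EC2 instances may be launched in ap-southeast-2.
            "Sid": "DenyEC2InApSoutheast2", "Effect": "Deny",
            "Action": "ec2:RunInstances", "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-southeast-2"}},
        },
        {   # 2. Block the member-account root user entirely.  SCPs do apply to
            #    root users of member accounts; IAM policies cannot restrict root.
            "Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
        },
        {   # 3a. Nobody, administrators included, may stop or remove a trail.
            "Sid": "ProtectCloudTrail", "Effect": "Deny", "Resource": "*",
            "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging",
                       "cloudtrail:UpdateTrail"],
        },
        {   # 3b. Delivered log files are S3 objects; deny deleting them too.
            "Sid": "ProtectTrailBucket", "Effect": "Deny",
            "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
            "Resource": ["arn:aws:s3:::example-cloudtrail-logs",      # assumed name
                         "arn:aws:s3:::example-cloudtrail-logs/*"],
        },
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value):
    # IAM-style '*' and '?' wildcards ('*' also spans '/').  Real IAM compares
    # action names case-insensitively; this illustration is case-sensitive.
    return fnmatch.fnmatchcase(value, pattern)

def _condition_holds(condition, ctx):
    """Every operator/key pair must hold.  A key absent from the request context
    makes the test false, so the region-conditioned Deny does not fire for a
    request that carries no aws:RequestedRegion."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringLike" and not any(
                    _wild(p, actual) for p in _as_list(expected)):
                return False
            if operator not in ("StringEquals", "StringLike"):
                raise ValueError(f"operator {operator} is not modelled here")
    return True

def denied_by(scp, action, resource, ctx):
    """Sid of the first Deny statement matching the request, else None.  None means
    'not blocked by this SCP', not 'allowed': an SCP only caps what the identity
    policies inside the account may grant."""
    for stmt in scp["Statement"]:
        if (stmt["Effect"] == "Deny"
                and any(_wild(a, action) for a in _as_list(stmt["Action"]))
                and any(_wild(r, resource) for r in _as_list(stmt["Resource"]))
                and _condition_holds(stmt.get("Condition", {}), ctx)):
            return stmt["Sid"]
    return None

ADMIN = "arn:aws:iam::111122223333:role/Admin"   # constructed principal
ROOT = "arn:aws:iam::111122223333:root"          # constructed principal
LOGS = "arn:aws:s3:::example-cloudtrail-logs"    # assumed bucket

def _ctx(principal, region):
    return {"aws:PrincipalArn": principal, "aws:RequestedRegion": region}

# Constructed sample requests: label -> (action, resource, request context).
SAMPLE_REQUESTS = {
    "admin RunInstances ap-southeast-2": ("ec2:RunInstances", "*", _ctx(ADMIN, "ap-southeast-2")),
    "admin RunInstances eu-west-1": ("ec2:RunInstances", "*", _ctx(ADMIN, "eu-west-1")),
    "root DescribeInstances eu-west-1": ("ec2:DescribeInstances", "*", _ctx(ROOT, "eu-west-1")),
    "admin DeleteTrail": ("cloudtrail:DeleteTrail",
                          "arn:aws:cloudtrail:eu-west-1:111122223333:trail/org-trail",
                          _ctx(ADMIN, "eu-west-1")),
    "admin deletes a log object": ("s3:DeleteObject", LOGS + "/AWSLogs/111122223333/x.json.gz",
                                   _ctx(ADMIN, "eu-west-1")),
    "admin deletes elsewhere": ("s3:DeleteObject", "arn:aws:s3:::other-bucket/f.txt",
                                _ctx(ADMIN, "eu-west-1")),
}

def evaluate_samples():
    """Map each sample label to the Sid that denies it (or None)."""
    return {label: denied_by(SCP, *req) for label, req in SAMPLE_REQUESTS.items()}

if __name__ == "__main__":
    for label, sid in evaluate_samples().items():
        print(f"{label:36s} -> {sid or 'not denied by this SCP'}")
```

Attached at the organization root (or at the OUs that hold the member accounts), a policy like this reaches every existing and future account without per-account setup. Two caveats the thread circles around: SCPs never apply to the management account, so an organization trail owned there, and the bucket it writes to, sit outside this policy's reach; and an SCP is preventive only, so noticing that someone tried (and was denied) is still a job for CloudTrail itself, Config or Security Hub rather than for the policy.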
Usman I.
2026-02-12

C, because SCPs can explicitly block root user actions and restrict regions directly.

0
Ali F.
2026-02-10

I’m not convinced A fits because Config rules detect violations but don’t fully block root actions or region usage. Also, permissions boundaries can’t restrict the root user itself, right? Maybe not enough control here.

0
Ali F.
2026-02-03

This one’s tricky but I’d go with C. Service Control Policies are perfect for blocking root user actions and denying regions like ap-southeast-2 across all accounts automatically. Control Tower manages accounts at scale and applies guardrails consistently, which fits the need for a centrally managed solution. While Firewall Manager in D can help with security policies, it’s not designed to block root user actions or enforce region restrictions as effectively as SCPs. Plus, Control Tower simplifies governance without extra manual setup for each account. So, option C seems like the best fit over

0
Ali S.
2026-02-02

The question focuses on blocking root user actions and region restrictions, which SCPs in option C can handle well. Also, Control Tower automates applying policies to all accounts, making C a strong choice.

0
Sohail P.
2026-02-01

Maybe D fits better since Firewall Manager with Config aggregator can enforce policies org-wide and detect if CloudTrail logs get deleted, which Control Tower alone might miss.

0
Karan Y.
2026-01-31

C vs D? Control Tower (C) is great for region restrictions and using SCPs to block root, but it doesn’t inherently stop CloudTrail log deletions across all accounts. Firewall Manager with Config aggregator and conformance packs (D) can detect violations org-wide and enforce policies, plus it’s designed for centralized security management. Since the company wants an automatic, organization-wide setup that covers blocking EC2 in a region, root user actions, and preventing log deletions, D seems to offer a more comprehensive and scalable approach.

0
Farhan M.
2026-01-28

B/D? B’s use of Security Hub and automated remediation could give a strong centralized way to enforce log protection and security standards, which might cover the CloudTrail deletion issue better than C. D sounds good for monitoring and policy enforcement via Firewall Manager and Config packs, but I’m not sure it can fully block root user actions without SCPs like in C. So B or D might offer a more complete coverage for preventing log deletions alongside other controls, while C handles region and root restrictions well but maybe misses full log protection.

0
Arjun A.
2026-01-27

Option C seems best since Control Tower enforces region and root restrictions natively.

0
Arjun A.
2026-01-27

It’s C because Control Tower is designed for centralized governance and includes Region deny controls plus SCPs to restrict root actions, which directly fits the no EC2 in ap-southeast-2 and root blocking needs.

0
Vikas T.
2026-01-26

C - Control Tower plus SCPs can handle region and root restrictions directly.

0
Naveed Z.
2026-01-25

C/D? Control Tower’s Region deny controls can block EC2 in ap-southeast-2, and SCPs can restrict root actions, but preventing CloudTrail deletion might need extra steps. Firewall Manager with Config packs (D) offers broad policy enforcement including logs.

0