In order to meet data residency compliance requirements for a large bank, you must ensure that all S3 buckets are created in the eu-west-2 region. You plan to use SCP to enforce this rule. Which SCP will accomplish this?

Answer options:

A.{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"DataGovernancePolicy",
"Effect":"Deny",
"Action":[
"s3:CreateBucket"
],
"Resource":[
"arn:aws:s3:::*"
],
"Condition": {
"StringNotLike": {
"s3:LocationConstraint": "eu-west-2"
}
}
}
]
}
B.{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"DataGovernancePolicy",
"Effect":"Allow",
"Action":[
"s3:CreateBucket"
],
"Resource":[
"arn:aws:s3:::*"
],
"Condition": {
"StringLike": {
"s3:LocationConstraint": "eu-west-2"
}
}
}
]
}
C.{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"DataGovernancePolicy",
"Effect":"Deny",
"Action":[
"s3:CreateBucket"
],
"Resource":[
"arn:aws:s3:::*"
],
"Condition": {
"StringNotLike": {
"s3:x-amz-region": "eu-west-2"
}
}
}
]
}
D.{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"DataGovernancePolicy",
"Effect":"Allow",
"Action":[
"s3:CreateBucket"
],
"Resource":[
"arn:aws:s3:::*"
],
"Condition": {
"StringLike": {
"s3:x-amz-region": "eu-west-2"
}
}
}
]
}

Answer: A
Option A is CORRECT because it denies creating all S3 buckets that are not in region eu-west-2.
Option B is incorrect because without an explicit deny, there may be other policies applied that allow the creation of S3 buckets in other regions.
Option C is incorrect because s3:x-amz-region is not a valid condition key.
Option D is incorrect because s3:x-amz-region is not a valid condition key.
Reference:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html