Correct Answers: Option 1 and Option 2

Option 1: AWS Organizations with SCPs can enforce governance rules across accounts. You can block all Regions except ap-northeast-3 and prevent VPCs from creating internet gateways, thereby enforcing data residency and network isolation policies at scale.

Option 2: AWS Config provides visibility into noncompliant resources through managed rules that monitor VPC internet gateway usage and deployment in unauthorized Regions. Though it doesn't prevent violations, it ensures real-time alerts and auditability.

Why other options are incorrect:

Option 3: AWS Control Tower is not available in ap-northeast-3.
Option 4: AWS WAF is not designed for outbound traffic control and cannot enforce Region restrictions.
Option 5: Network ACLs are limited in scope and IAM policies cannot restrict Region usage.

Why this question is challenging: It tests your understanding of both proactive (SCP) and reactive (Config) compliance strategies, and requires awareness of service availability by Region.

Full AWS Practitioner Certification Question