AWS Certified Data Engineer Associate DEA-C01 Practice Question
The analytics team stores PII in an Amazon S3 data lake in us-east-2 and protects it with AWS Backup. Company policy mandates that no backups or object replicas may ever leave us-east-2. You need an organization-wide control that prevents any engineer from configuring cross-Region replication or AWS Backup copy jobs to other Regions while still allowing normal operations in us-east-2. Which approach meets the requirement with minimal ongoing maintenance?
Create VPC interface endpoints for Amazon S3 and AWS Backup only in us-east-2 and delete the endpoints in all other AWS Regions.
Attach an AWS Organizations SCP that denies s3:PutBucketReplication, s3:CreateBucket, and backup:StartCopyJob whenever aws:RequestedRegion or s3:LocationConstraint is not "us-east-2", and apply the policy to the OU that contains all data accounts.
Encrypt all recovery points with a customer-managed AWS KMS key that exists solely in us-east-2 and rotate the key quarterly.
Enable Amazon S3 Same-Region Replication on every bucket and remove all cross-Region copy rules from existing AWS Backup plans.
An AWS Organizations service control policy (SCP) is evaluated before IAM policies in every member account, so an explicit Deny cannot be overridden. A Deny statement that fires when aws:RequestedRegion is not "us-east-2" blocks any API call aimed at another Region. Adding conditions such as s3:LocationConstraint and denying critical calls like s3:PutBucketReplication, s3:CreateBucket, and backup:StartCopyJob ensures engineers cannot create resources or start copy jobs that would place data outside the permitted Region. Because the SCP is attached to the organizational unit, it automatically applies to new accounts, buckets, and backup plans with no further action.
The Same-Region Replication answer relies on every bucket and backup plan being configured correctly and could be changed by developers. Restricting VPC interface endpoints only limits private network access; S3 replication and AWS Backup can use public endpoints that would still succeed. A Region-specific KMS key controls access to existing backups but does not stop a copy job from storing data in a vault in another Region, even if that data is encrypted.
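The SCP described in the correct answer and the explanation, written out as an added example rather than text from the original page. The Sid values are my own; it uses two statements because multiple keys inside one Condition block are ANDed, while the requirement is a deny when either aws:RequestedRegion or s3:LocationConstraint is not us-east-2:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3AndBackupCallsOutsideUsEast2",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketReplication",
        "s3:CreateBucket",
        "backup:StartCopyJob"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": "us-east-2"
        }
      }
    },
    {
      "Sid": "DenyBucketCreationWithOtherLocationConstraint",
      "Effect": "Deny",
      "Action": "s3:CreateBucket",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:LocationConstraint": "us-east-2"
        }
      }
    }
  ]
}
```

StringNotEquals also matches when the key is absent from the request, so a CreateBucket call that omits LocationConstraint (which would land in us-east-1) is denied as well. Keep in mind that PutBucketReplication and StartCopyJob are issued against the source bucket or vault in us-east-2, so the second statement, which stops destination buckets from being created in other Regions of the organization's accounts, does much of the real work.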
Data Security and Governance