AWS Certified Data Engineer Associate DEA-C01 Practice Question
Your data engineering team uses AWS Glue to transform data that lands in Amazon S3. To comply with EU data-sovereignty rules, every analytic object must remain in either eu-west-1 or eu-central-1. Across dozens of AWS accounts, you must prevent any resource creation or data replication in other Regions. Which solution BEST enforces this requirement?
Require SSE-KMS with customer-managed keys created in the EU Regions and mandate bucket policies that enforce encryption on all uploads.
Attach a service control policy (SCP) to the organization that denies all actions in Regions other than eu-west-1 and eu-central-1 by using the aws:RequestedRegion global condition key.
Turn on Amazon Macie automatic sensitive-data discovery and configure Security Hub to raise findings when objects are stored in non-EU Regions.
Enable S3 Object Lock on all buckets and configure default retention settings so that objects cannot be deleted or overwritten outside the EU.
A service control policy (SCP) applied at the AWS Organizations level can evaluate every API request before it is allowed. By using the aws:RequestedRegion global condition key, the SCP can explicitly Deny any action requested in Regions other than eu-west-1 or eu-central-1. This prevents engineers, and even automated services, from creating S3 buckets, enabling cross-Region replication, or launching resources outside the approved EU Regions, fully satisfying data-sovereignty requirements.
Enabling S3 Object Lock only stops object deletion or modification; it does not stop data being stored in other Regions. Requiring SSE-KMS with EU-based keys encrypts data but does not restrict its geographic location. Amazon Macie with Security Hub can detect non-compliant storage locations, but it is reactive and cannot block operations. Therefore, the SCP with a Region deny condition is the most effective preventive control.
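An SCP of the kind the correct answer describes, shown as an added example that is not part of the original question. The Sid and the NotAction list are assumptions: the list exempts a few global services whose requests are not made in eu-west-1 or eu-central-1, and it should be adjusted to the services your organization actually uses.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleDenyOutsideApprovedEuRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "cloudfront:*",
        "route53:*",
        "support:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-west-1",
            "eu-central-1"
          ]
        }
      }
    }
  ]
}
```

Attached at the organization root or an OU, this applies to every member account beneath it; SCPs do not restrict the management account, so analytic workloads should not run there.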