ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A company uses AWS Organizations and must meet GDPR by ensuring that all customer PII stored in Amazon S3 remains in eu-central-1 and that every new object is encrypted with a customer-managed KMS key controlled by the security team in that Region. The control must be preventive, apply to every present and future account, and incur minimal ongoing effort. Which solution meets these needs?
Enable S3 Block Public Access and default SSE-S3 encryption in every account, and configure CloudTrail to send an alert whenever a bucket is created outside eu-central-1.
Publish an S3 bucket policy template that enforces server-side encryption with the required CMK and make it available through AWS Service Catalog for developers to apply when creating buckets.
Attach an AWS Organizations service control policy that denies s3:CreateBucket and s3:PutObject if the aws:RequestedRegion is not eu-central-1 or if the s3:x-amz-server-side-encryption-aws-kms-key-id does not match the ARN of the customer-managed CMK in eu-central-1.
Create an AWS Config organization rule that detects S3 buckets outside eu-central-1 or without the correct KMS key and invokes a Lambda function to copy data to the correct Region and re-encrypt it.
A service control policy (SCP) attached at the root of the organization provides a preventive guardrail that no principal in any member account can bypass. By denying s3:CreateBucket and s3:PutObject when the request's aws:RequestedRegion is not eu-central-1, or when the s3:x-amz-server-side-encryption-aws-kms-key-id value in the request does not equal the required CMK ARN, the policy blocks any bucket or object that would violate the data-residency or encryption rules before it is created. Because an SCP attached at the root applies automatically to existing and future accounts, it delivers the required controls with minimal ongoing maintenance. The other choices rely on detective controls (CloudTrail alerts, AWS Config remediation), manual application of bucket policies, or settings such as SSE-S3 that neither constrain the Region nor mandate the specific CMK, so they cannot guarantee preventive, organization-wide enforcement.
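The SCP described in the correct answer, written out as an added example (this is not policy text from the question or from AWS). The account ID 111122223333 and the key ID suffix are placeholders to be replaced with the security team's real CMK ARN in eu-central-1. The first two statements implement exactly what the explanation describes; the third goes one step further than the page's wording and denies uploads that omit the SSE-KMS key header entirely, so enforcement does not depend on how a missing condition key evaluates against StringNotEquals.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3BucketAndObjectWritesOutsideEuCentral1",
      "Effect": "Deny",
      "Action": ["s3:CreateBucket", "s3:PutObject"],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {"aws:RequestedRegion": "eu-central-1"}
      }
    },
    {
      "Sid": "DenyPutObjectWithWrongKmsKey",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:eu-central-1:111122223333:key/REPLACE-WITH-KEY-ID"
        }
      }
    },
    {
      "Sid": "DenyPutObjectWithoutKmsKeyHeader",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "Null": {"s3:x-amz-server-side-encryption-aws-kms-key-id": "true"}
      }
    }
  ]
}
```

Create it with `aws organizations create-policy --type SERVICE_CONTROL_POLICY` and attach it to the organization root with `aws organizations attach-policy`, which is what makes it reach every present and future member account. Two caveats when testing: SCPs never restrict the management account, so validate from a member account; and a deny-by-region statement should be checked against any legitimate S3 writes outside eu-central-1 (for example, non-PII buckets in other Regions) before rollout, since this policy applies to all S3 buckets, not only those holding PII.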
ISC2 Systems Security Certified Practitioner (SSCP)
Systems and Application Security