ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A fintech company based in Frankfurt is migrating its web application to AWS. Regulations mandate that all production data and compute resources stay in Germany; any copy outside eu-central-1 is non-compliant. The team will run EC2 instances behind an Application Load Balancer and store user uploads in Amazon S3. Which solution best enforces this jurisdictional requirement while letting the application operate normally?
Create an AWS WAF geographic match rule that only allows web requests originating from German IP address ranges.
Enable Amazon S3 Cross-Region Replication to eu-west-1 with Replication Time Control so that all object copies are closely synchronized.
Encrypt the S3 bucket with a customer-managed AWS KMS key stored in eu-central-1 to prevent decryption outside Germany.
Attach an AWS Organizations service control policy that denies all EC2 and S3 API calls when the aws:RequestedRegion is not "eu-central-1".
A service control policy (SCP) applied to the organization or account can use the global condition key aws:RequestedRegion to deny every EC2 and S3 API action when the request targets any Region other than eu-central-1. Because SCPs are evaluated before IAM permissions, they provide a mandatory guardrail that prevents resources from being created or data from being stored in disallowed Regions, fully enforcing German data-sovereignty rules.
Enabling S3 Cross-Region Replication deliberately copies data to another Region, violating the requirement. An AWS WAF geographic match rule only restricts where traffic originates; it does not stop administrators or services from provisioning resources or storing data in other Regions. Encrypting S3 objects with a customer-managed KMS key in eu-central-1 controls access to the data but does not prevent the physical storage of encrypted objects in other Regions, so it cannot on its own guarantee jurisdictional confinement.
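The guardrail described in the explanation, written out as an added example (not part of the original question): the SCP document itself, plus a deliberately simplified evaluator showing that an explicit SCP deny overrides an IAM allow. The `Sid`, the helper names, and the sample requests are constructed for illustration, and the model assumes the default `FullAWSAccess` SCP is still attached so that the only restriction comes from this Deny statement.

```python
import json
from fnmatch import fnmatchcase

# SCP matching the correct answer: deny EC2 and S3 actions outside eu-central-1.
# The Sid is a constructed label.
REGION_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyEc2S3OutsideFrankfurt",
        "Effect": "Deny",
        "Action": ["ec2:*", "s3:*"],
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": "eu-central-1"}
        },
    }],
}


def scp_denies(scp, action, region):
    """Return True if any Deny statement in the SCP matches the request.

    Simplified model: only handles Action lists and a StringNotEquals
    condition on aws:RequestedRegion, which is all this policy uses.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action.lower(), p.lower()) for p in stmt["Action"]):
            continue
        allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        allowed = [allowed] if isinstance(allowed, str) else allowed
        if region not in allowed:
            return True
    return False


def is_authorized(scp, iam_allows, action, region):
    """An explicit SCP deny wins even when the IAM policy allows the action."""
    return iam_allows and not scp_denies(scp, action, region)


if __name__ == "__main__":
    print(json.dumps(REGION_GUARDRAIL_SCP, indent=2))
    # Constructed sample requests; the caller has full IAM permissions.
    for action, region in [("ec2:RunInstances", "eu-central-1"),
                           ("s3:CreateBucket", "eu-west-1"),
                           ("ec2:RunInstances", "us-east-1")]:
        print(action, region, is_authorized(REGION_GUARDRAIL_SCP, True, action, region))
```

SCPs only restrict; they never grant permissions, and they do not apply to the organization's management account, so production workloads belong in member accounts for this guardrail to bind.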