ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company processes EU residents' personal data in AWS. Compliance requires that no related AWS resources be created outside the European Economic Area. Development teams operate in multiple AWS Organizations member accounts and must keep the ability to create resources on demand. Which approach best enforces this residency requirement across all accounts while still letting teams self-provision in approved EU regions?
Deploy AWS Config rules to detect resources outside approved Regions and invoke a Lambda function that deletes them immediately after creation.
Require developers to tag all resources with Region=EU and use an IAM permissions boundary that allows operations only when the aws:TagKeys condition includes that value.
Enable AWS CloudTrail in all accounts and create an Amazon EventBridge rule that triggers an alert whenever a resource is launched in a non-EU Region.
Attach a Service Control Policy to the AWS Organizations root that denies any Create*, Run*, or Put* API calls when aws:RequestedRegion is not one of eu-central-1, eu-west-1, or eu-north-1.
Service control policies (SCPs) operate at the AWS Organizations level and apply to every user and role in all attached accounts. By adding a deny statement that checks the aws:RequestedRegion condition key, the organization can automatically block any API call that attempts to create resources outside the specified EU Regions (for example eu-central-1, eu-west-1, and eu-north-1). Because the request is denied before the resource is created, data never leaves the EEA and developers can continue to launch services in the permitted Regions without additional manual steps.
The CloudTrail/EventBridge solution and the AWS Config + Lambda remediation option are reactive; resources could exist, and data could be transferred, before detection or deletion occurs, violating the residency mandate. Relying on resource tags with IAM conditions requires every resource to be correctly tagged and does not prevent someone from omitting or mistyping them, so it is less reliable than an organization-wide preventative control.
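The deny statement described above, as an added example that is not part of the original question: it builds the SCP document and runs a simplified model of the deny match over constructed requests. The three Regions come from the question; the service list, the Sid, and the function names are assumptions made for illustration.

```python
import fnmatch
import json

# Regions taken from the question. The service prefixes are an assumed sample,
# because SCP actions are written as "service:Pattern".
EU_REGIONS = ["eu-central-1", "eu-west-1", "eu-north-1"]
SERVICES = ["ec2", "rds", "s3", "lambda", "dynamodb"]  # assumption: extend per estate

def build_scp(regions=EU_REGIONS, services=SERVICES):
    """Return the deny-by-Region SCP as a dict ready for json.dumps()."""
    actions = [f"{s}:{verb}*" for s in services for verb in ("Create", "Run", "Put")]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCreateOutsideApprovedRegions",  # hypothetical Sid
            "Effect": "Deny",
            "Action": actions,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(regions)}},
        }],
    }

def scp_denies(policy, action, requested_region):
    """Simplified model of the explicit deny: action pattern AND Region condition."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # Action names are matched case-insensitively; '*' is the only wildcard used.
        action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                         for p in stmt["Action"])
        allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        # StringNotEquals with several values is true only if the key matches none.
        region_hit = requested_region not in allowed
        if action_hit and region_hit:
            return True
    return False

if __name__ == "__main__":
    scp = build_scp()
    print(json.dumps(scp, indent=2))
    # Constructed sample requests: (action, aws:RequestedRegion)
    for action, region in [("ec2:RunInstances", "eu-west-1"),
                           ("ec2:RunInstances", "us-east-1"),
                           ("s3:CreateBucket", "ap-southeast-2"),
                           ("ec2:DescribeInstances", "us-east-1")]:
        verdict = "DENY" if scp_denies(scp, action, region) else "not denied by SCP"
        print(f"{action:24} {region:16} {verdict}")
```

An SCP only filters what member accounts may do, so "not denied" still requires an IAM allow in the account. Global services such as IAM use a single endpoint in us-east-1, so an action list that reaches them needs an exemption for those calls.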
ISC2 Systems Security Certified Practitioner (SSCP)
Systems and Application Security