AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A financial-services company uses AWS Organizations. Developers in several member accounts create and update application secrets in AWS Secrets Manager only in the us-east-1 Region. Because of regulatory restrictions, no secret may be replicated to any other AWS Region, either when the secret is first created or later in its lifecycle. The security team wants a preventive control that:
still lets developers perform all other Secrets Manager operations in us-east-1, and
imposes the least ongoing operational overhead across the organization.
Which solution meets these requirements?
Attach an organization-wide service control policy that denies Secrets Manager actions whenever the request includes the AddReplicaRegions parameter, using a condition such as "Null":{"secretsmanager:AddReplicaRegions":"false"}. All other Secrets Manager actions are allowed.
Remove the secretsmanager:ReplicateSecretToRegions permission from every developer IAM role in each member account but leave all other Secrets Manager permissions intact.
Configure customer-managed AWS KMS keys that are usable only in us-east-1 and require Secrets Manager to encrypt every secret with those keys so that attempts to replicate the secret in other Regions fail.
Create an AWS Config custom rule that detects calls to ReplicateSecretToRegions or CreateSecret with AddReplicaRegions, and trigger an AWS Lambda function to delete any replica secret that is found.
A service control policy (SCP) that denies any Secrets Manager request containing the AddReplicaRegions parameter prevents developers from creating multi-Region secrets (which use the AddReplicaRegions field in CreateSecret) and from later calling ReplicateSecretToRegions. Because the SCP is attached at the organization or OU level, the restriction applies to every existing and future account without further administration. All other Secrets Manager permissions remain unaffected, so developers can continue to create, rotate, and retrieve secrets in us-east-1.
Removing only secretsmanager:ReplicateSecretToRegions from developer IAM roles is insufficient: developers could still pass AddReplicaRegions during CreateSecret. A CloudTrail or Config rule with an EventBridge/Lambda remediation workflow is reactive, not preventive, adds latency, and requires continuous maintenance. Restricting KMS key policies in other Regions does not stop the creation of replica secrets and complicates encryption management. Therefore, an SCP with the condition "Null": {"secretsmanager:AddReplicaRegions": "false"} is the most effective, least-effort solution.
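The SCP described in the correct option, written out as an added example (it is not part of the original question or of any AWS-published policy); the Sid is a placeholder name, and the policy is assumed to be attached at the organization root or the relevant OU.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySecretsManagerReplicationPlaceholder",
      "Effect": "Deny",
      "Action": "secretsmanager:*",
      "Resource": "*",
      "Condition": {
        "Null": {
          "secretsmanager:AddReplicaRegions": "false"
        }
      }
    }
  ]
}
```

"Null": "false" evaluates to true only when the request actually carries the AddReplicaRegions key, which happens for CreateSecret and ReplicateSecretToRegions calls that specify replica Regions, so the Deny fires on exactly those requests. Every other Secrets Manager call never populates that key, so the statement does not match and the developers' existing allow permissions in us-east-1 continue to apply.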
Continuous Improvement for Existing Solutions