Amazon Web Services SCS-C03 Dumps Questions Answers

AWS Key Management Service (KMS) customer managed keys are regional resources. According to the AWS Certified Security – Specialty Official Study Guide and KMS documentation, a KMS key created in one AWS Region cannot be used directly in another Region. When copying an encrypted Amazon Aurora DB snapshot across Regions, the destination Region must have access to a KMS key that exists in that Region.

Because the original KMS key resides in us-east-1, it cannot be accessed or referenced in us-west-1. The correct and supported approach is to create a new customer managed KMS key in us-west-1 and specify that key when performing the cross-Region snapshot copy. Amazon RDS automatically decrypts the snapshot using the source Region key and re-encrypts it using the destination Region key during the copy process.

Option A is invalid because KMS keys cannot be stored or transferred through AWS Secrets Manager. Options C and D are incorrect because IAM policies cannot grant cross-Region usage of a KMS key; KMS enforces strict regional boundaries regardless of IAM permissions.

AWS documentation clearly states that cross-Region encrypted snapshot copies require a KMS key in the destination Region, making this approach mandatory for compliance and encryption continuity.

AWS Certified Security – Specialty Official Study Guide

AWS Key Management Service Developer Guide

Amazon Aurora Security Documentation

When an internet-facing ALB is used as a CloudFront origin, it remains directly accessible unless additional access controls are enforced. According to AWS Certified Security – Specialty guidance, CloudFront IP allow lists alone are insufficient, because CloudFront IP ranges change and are not guaranteed to be exclusive.

The recommended and most secure approach is to configure CloudFront to send a custom origin header (such as X-Shared-Secret) with a secret value on every request to the origin. The ALB listener rules are then configured to forward traffic only when the header exists and matches the expected value. Requests that attempt to bypass CloudFront will not include this header and will be denied.

Option A is invalid because CloudFront does not support PrivateLink origins. Option B introduces unnecessary architectural changes and is not required. Option C is brittle and operationally risky due to changing IP ranges.

AWS documentation explicitly recommends custom origin headers as the best practice to ensure that only CloudFront can access an internet-facing ALB when AWS WAF is attached at the CloudFront layer.

AWS Certified Security – Specialty Official Study Guide

Amazon CloudFront Origin Security Documentation

AWS WAF and ALB Integration Guidance

Amazon S3 Object Lock in compliance mode provides write-once-read-many (WORM) protection, which prevents objects from being modified or deleted for a specified retention period. According to the AWS Certified Security – Specialty Study Guide, compliance mode enforces immutability even for the root user and cannot be overridden.

Enabling S3 Object Lock requires S3 bucket versioning and ensures that once an object is written, it cannot be changed or removed until the retention period expires. This is the strongest protection against data modification and is commonly used for regulatory and legal retention requirements.

Option A can be bypassed by administrators. Option D only protects against deletions, not overwrites. Option C changes encryption but does not prevent modification.

AWS documentation explicitly identifies S3 Object Lock in compliance mode as the correct solution for immutable data storage.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Object Lock

Amazon S3 Data Protection and Compliance