Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsDEA-C01DomainsData Security and Governance
DEA-C01Free — No Signup

Data Security and Governance

Practice DEA-C01 Data Security and Governance questions with full explanations on every answer.

333questions

Start practicing

Data Security and Governance — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

DEA-C01 Domains

Data Ingestion and TransformationData Operations and SupportData Security and GovernanceData Store Management

Practice Data Security and Governance questions

10Q20Q30Q50Q

DEA-C01 Data Security and Governance questions (showing 300 of 333)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A data engineer needs to ensure that an Amazon S3 bucket used for sensitive data is encrypted at rest using a customer-managed AWS KMS key. The bucket policy must enforce encryption for all PUT requests. Which policy statement should be added to the bucket policy?

2

A company uses AWS Glue to process sensitive data stored in Amazon S3. The security team requires that all data in transit between AWS Glue and S3 be encrypted. Which configuration should be used to meet this requirement?

3

A data engineer is troubleshooting an AWS Lake Formation permissions issue. A user is able to query an Amazon Athena table but cannot see the underlying S3 data in the AWS Glue Data Catalog. The user has been granted SELECT permission on the table in Lake Formation. What is the most likely cause?

4

A company uses Amazon Redshift to store customer data. The security team requires that all queries are logged for auditing purposes. Which combination of steps should be taken to meet this requirement? (Select TWO.)

5

A company is designing a data lake on Amazon S3. The security policy requires that all data be encrypted at rest using AWS KMS with automatic key rotation. Which encryption option meets these requirements? (Select THREE.)

6

Refer to the exhibit. A data engineer is running an AWS Glue job that reads from an S3 bucket encrypted with a customer-managed KMS key. The job fails with the error shown. What is the most likely cause?

7

Refer to the exhibit. A security analyst is reviewing CloudTrail logs and notices a PutObject event to the 'company-data-lake' bucket. The bucket policy requires all objects to be encrypted with SSE-KMS. What should the analyst conclude?

8

A company is using Amazon Redshift Spectrum to query data in Amazon S3. The S3 bucket uses SSE-KMS encryption. The Redshift cluster has an IAM role that allows access to S3 and KMS. However, queries fail with an 'Access Denied' error. What is the most likely cause?

9

A company is using Amazon EMR to process data stored in Amazon S3. The S3 bucket is configured with a bucket policy that denies access unless the request includes a specific tag. The EMR cluster's IAM role has s3:GetObject permission. However, the EMR job fails to read data from S3. What is the most likely cause?

10

A company uses AWS Lake Formation to manage data lake permissions. The data lake contains sensitive customer data in the 'customer' database. The security team wants to ensure that only users with a specific tag 'access_level=analyst' can query the 'customer' table. Which combination of steps should the data engineer take to enforce this?

11

A financial services company uses AWS KMS to encrypt data in Amazon S3. The compliance team requires that all encryption keys be rotated automatically every 365 days. The data engineer needs to implement this requirement without manual intervention. Which solution meets the requirement with the LEAST operational overhead?

12

A data engineer is configuring AWS Glue jobs to access data stored in Amazon S3. The data is encrypted using server-side encryption with AWS KMS (SSE-KMS). The Glue job needs to read and write data to the S3 bucket. Which IAM policy statement should be added to the Glue job's IAM role to allow it to use the KMS key?

13

Refer to the exhibit. A data engineer is troubleshooting a permissions issue. The IAM role 'DataEngineerRole' is used by an AWS Glue job that needs to read data from an S3 bucket encrypted with a customer managed KMS key. The above key policy is attached to the KMS key. The Glue job fails with an AccessDenied error when trying to read the data. What is the MOST likely cause?

14

A company is building a data pipeline that ingests sensitive customer data from an on-premises database into Amazon S3 using AWS DMS. The data must be encrypted at rest in S3 and in transit. The security team requires that the encryption keys be managed by the company (not AWS). Which TWO actions should the data engineer take to meet these requirements? (Choose TWO.)

15

A data engineer is designing a data lake on Amazon S3 with AWS Lake Formation. The data lake contains personally identifiable information (PII). The company has a policy that only users who have completed data privacy training can access the PII data. The training status is stored in an external identity provider (IdP) as an attribute. The data engineer needs to enforce this policy using Lake Formation. Which THREE steps should the data engineer take? (Choose THREE.)

16

A healthcare company uses AWS Glue to process patient data stored in Amazon S3. The data is encrypted at rest using SSE-KMS with a customer managed key. The Glue ETL job runs on a schedule and reads from an S3 bucket, transforms the data, and writes to another S3 bucket also encrypted with the same KMS key. Recently, the security team rotated the KMS key. After the rotation, the Glue job started failing with 'AccessDenied' errors when trying to read from the source bucket. The Glue job's IAM role has permissions to use the KMS key (kms:Decrypt, kms:GenerateDataKey). The S3 bucket policies allow the role to read/write. What is the MOST likely cause of the failure?

17

A data engineer is configuring a data lake on Amazon S3 that contains sensitive customer information. The company requires that all access to this data be logged and monitored, and that any data shared with external partners must be anonymized before leaving the S3 bucket. Which combination of AWS services should the engineer use to meet these requirements? (Choose THREE.)

18

Refer to the exhibit. A data engineer applies this bucket policy to an S3 bucket named my-data-bucket. The bucket contains sensitive data. The company's security team reports that data was accessed from an IP address outside the allowed range. What is the MOST likely reason that the policy failed to block the unauthorized access?

19

A financial services company uses AWS Glue ETL jobs to process credit card transaction data stored in Amazon S3. The data includes PII such as names and credit card numbers. The security team requires that all PII be masked before the data is written to the curated zone of the data lake. The data engineer has implemented a Glue job that reads from the raw zone, applies a custom transform to mask credit card numbers using a regular expression, and writes to the curated zone. However, during a recent audit, the security team discovered that some masked data still contained partial credit card numbers (e.g., showing the last four digits) when viewed by analysts who should only see masked data. The company's policy is that credit card numbers must be completely masked, showing only asterisks or a fixed string like "XXXX-XXXX-XXXX-XXXX". The Glue job uses a DynamicFrame and applies a Map transform with a Python function that replaces digits with 'X'. The data is stored in Parquet format. What should the data engineer do to ensure complete masking of credit card numbers?

20

Order the steps to migrate an on-premises database to Amazon RDS using AWS DMS.

21

Arrange the steps to implement data encryption at rest for an Amazon Redshift cluster using AWS KMS.

22

Match each AWS storage class to its description.

23

Match each AWS networking concept to its definition.

24

A data engineer is configuring S3 bucket policies to restrict access to a specific VPC. Which condition key should be used in the bucket policy to enforce that requests originate only from the desired VPC?

25

A company uses AWS KMS to encrypt sensitive data stored in S3. To meet compliance requirements, they need to ensure that the encryption keys are automatically rotated every year. Which type of KMS key should they use?

26

A data engineer needs to audit data access events in Amazon S3. Which AWS service should be used to record and monitor API calls for S3 buckets?

27

A team is designing a data lake on S3 and needs to enforce encryption at rest. They want to use server-side encryption with a KMS key that they manage. Which encryption option should they configure on the S3 bucket?

28

A company stores sensitive data in S3 and uses VPC endpoints to access the bucket. They need to ensure that only traffic from their VPC can access the data, and that the traffic cannot leave the AWS network. Which combination of bucket policy and endpoint policy should they use?

29

A data engineer needs to ensure that an S3 bucket is not publicly accessible. Which S3 block public access setting should be applied to achieve this?

30

A company wants to grant cross-account access to an S3 bucket without using IAM roles. The data engineer needs to write a bucket policy that allows another AWS account to list objects. Which Principal should be specified in the bucket policy?

31

A data engineer notices that an S3 bucket policy allows access to a user from another AWS account, but the access is being denied. What could be the reason?

32

A company needs to encrypt data in transit between an EC2 instance and an S3 bucket. Which method should be used?

33

A data engineer is designing a data pipeline that processes PII data in AWS Glue. They need to ensure data is encrypted at rest and in transit. Which TWO actions should they take? (Choose TWO.)

34

A company wants to implement least privilege access for its data lake on S3. Which THREE practices should be followed? (Choose THREE.)

35

A data engineer needs to audit data access in Amazon S3 for compliance. Which TWO services can be used to capture and analyze S3 access logs? (Choose TWO.)

36

Refer to the exhibit. A data engineer attached this S3 bucket policy to the bucket 'example-bucket'. What is the effect of this policy?

37

Refer to the exhibit. The exhibit shows output from AWS CLI commands. Which key can be used to enable automatic annual rotation?

38

Refer to the exhibit. An IAM policy includes this statement. What access does it grant?

39

A data engineer needs to ensure that all data in an S3 bucket is encrypted at rest. The bucket currently contains unencrypted objects from past uploads. Which action will encrypt these existing objects without re-uploading them?

40

A company uses AWS Glue to process sensitive customer data stored in S3. The data engineer must ensure that the Glue ETL jobs do not write any data to S3 buckets that lack encryption. Which approach meets this requirement?

41

A company uses AWS Lake Formation to manage access to data in a data lake. The data engineer needs to grant a user the ability to query tables in the 'sales' database using Amazon Athena, but only when the user's IP address is within the corporate network (10.0.0.0/8). Which combination of actions should the data engineer take?

42

A data engineer is designing a data pipeline that ingests personally identifiable information (PII) into Amazon Redshift. The engineer needs to ensure that only authorized users can view the data, and that all queries are logged for auditing. Which combination of AWS services should the engineer use?

43

A company wants to enforce that all data written to an S3 bucket is encrypted with a customer-managed AWS KMS key. The data engineer has created the KMS key and attached an S3 bucket policy. However, users are still able to upload objects without specifying the KMS key. What is the most likely cause?

44

A company uses Amazon RDS for PostgreSQL to store financial data. The security team requires that all database connections be encrypted in transit and that the database audit logs be stored in Amazon S3 for at least 7 years. Which steps should the data engineer take to meet these requirements?

45

A data engineer is troubleshooting an issue where an AWS Glue ETL job fails when trying to read data from an S3 bucket encrypted with SSE-KMS. The job has an IAM role that includes `kms:Decrypt` permission. What is the most likely reason for the failure?

46

A company uses Amazon DynamoDB to store session data. The security team requires that all data be encrypted at rest using a customer-managed KMS key. The data engineer has enabled encryption with a KMS key, but discovers that old data remains encrypted with the previous AWS-managed key. How can the engineer re-encrypt all existing data with the new key?

47

A data engineer needs to grant an IAM user access to query a specific table in Amazon Athena, but the user should not be able to view other tables in the same database. Which method should the engineer use?

48

A company stores sensitive data in Amazon S3. The data engineer needs to implement a solution that automatically detects and redacts PII in new objects as they are uploaded. Which TWO AWS services should be used together?

49

A company uses AWS KMS to encrypt data in Amazon Redshift. The data engineer needs to rotate the customer-managed KMS key annually. Which TWO actions must be taken to successfully rotate the key without data loss?

50

A data engineer is designing a data lake on Amazon S3 that must comply with GDPR. The engineer needs to ensure that individuals can request deletion of their personal data. Which THREE AWS services can be used together to automate the deletion of specific records?

51

Refer to the exhibit. A data engineer attaches this bucket policy to an S3 bucket. A developer tries to upload an object to the bucket using the AWS CLI with the command: `aws s3 cp file.txt s3://my-bucket/`. The upload fails. What is the most likely reason?

52

Refer to the exhibit. A data engineer reviews an Amazon S3 server access log entry for an object upload. The log shows a status of 200 and encryption status "AES256". The company policy requires that all data be encrypted with SSE-KMS. Which action should the engineer take to enforce this policy?

53

Refer to the exhibit. A data engineer runs the AWS CLI command and gets the output shown. The engineer wants to grant a data analyst read-only access to the 'sales_db' database in AWS Glue Data Catalog using IAM. Which IAM policy statement is required?

54

A data engineer needs to encrypt data in transit between an Amazon RDS for MySQL instance and an application. Which solution should be used?

55

A company is using AWS Lake Formation to manage access to data in a data lake stored in Amazon S3. A data engineer notices that users with SELECT permissions on a table can still query the underlying S3 data directly using Athena. What is the most likely cause?

56

A data engineer is designing a data pipeline that ingests data from an on-premises system into Amazon S3 using AWS Transfer Family. The data must be encrypted at rest using a customer-managed key in AWS KMS. The S3 bucket policy must allow only encrypted connections. Which policy condition should be used?

57

A company is using Amazon Redshift for data warehousing. They need to ensure that all queries are logged for audit purposes. Which AWS service should be used to capture query logs?

58

A data engineer needs to share a dataset stored in Amazon S3 with another AWS account. The bucket policy currently grants access only to the owning account. What is the simplest way to grant cross-account access?

59

An organization is using AWS Glue to process sensitive data. The data is stored in S3 with server-side encryption using AWS KMS (SSE-KMS). The Glue job fails with an error indicating that it cannot read the data. The IAM role used by Glue has the following policy. What is missing?

60

A data engineer needs to audit all changes to IAM policies in an AWS account. Which AWS service should be used?

61

A company is using Amazon S3 to store sensitive data. The security team requires that all objects be encrypted using server-side encryption with AWS KMS (SSE-KMS) and that the bucket policy denies any PutObject request that does not include the required encryption header. Which bucket policy condition should be added?

62

A data engineer is setting up an Amazon EMR cluster to process sensitive data. The data is stored in S3 with SSE-S3. The company policy requires that data in transit between the EMR cluster and S3 be encrypted. Which configuration should be used?

63

A data engineer needs to enforce that all data in an Amazon S3 bucket is encrypted at rest. Which of the following can be used to achieve this? (Choose TWO.)

64

A company is using AWS Lake Formation to manage permissions on a data lake. Which of the following are valid ways to grant access to a user or role? (Choose THREE.)

65

A data engineer is troubleshooting an Amazon Redshift cluster that is unable to access an S3 bucket for COPY operations. The cluster has an IAM role attached. Which of the following could be causing the failure? (Choose TWO.)

66

The IAM policy shown in the exhibit is attached to a user. The user tries to upload an object to my-bucket using the AWS CLI without specifying encryption. What will happen?

67

A data engineer runs the command shown in the exhibit to check the bucket policy. A user from another AWS account is trying to download an object using HTTP (not HTTPS). What will happen?

68

A data engineer receives the error shown in the exhibit when trying to upload a file to my-bucket. The engineer uses the AWS CLI with the following command: aws s3 cp file.txt s3://my-bucket/. What is the most likely cause of the error?

69

A data engineer needs to ensure that an S3 bucket is encrypted at rest using AWS KMS. The bucket policy must allow only a specific IAM role to access the bucket and enforce encryption in transit. Which combination of bucket policy statements should be used?

70

A company uses AWS Lake Formation to manage permissions on a data lake in S3. A data analyst reports that queries using Amazon Athena return zero rows for a table that the analyst has been granted SELECT permission on. The table is registered in Lake Formation and uses a partition projection. What is the most likely cause?

71

A data engineer needs to audit all AWS KMS key usage in the account. Which AWS service should be used to record KMS API calls?

72

A company wants to enable automatic encryption for all new objects written to an S3 bucket. The bucket has existing objects that are unencrypted. Which solution meets these requirements with the least operational overhead?

73

A data engineer is designing a system to handle sensitive customer data in Amazon RDS for PostgreSQL. The compliance team requires that the data be encrypted at rest and that encryption keys be rotated every 90 days. Which solution meets these requirements?

74

A company uses AWS Glue to process data. The security team requires that all data in transit between AWS Glue and Amazon S3 be encrypted using TLS. Which configuration should be used?

75

A data engineer is troubleshooting an Amazon Redshift cluster that is not responding to queries. The engineer suspects that the cluster may have been accidentally deleted. Which AWS service should be used to investigate the deletion?

76

A company needs to share a dataset stored in an S3 bucket with a partner account. The dataset contains sensitive information, so the company wants to ensure that the partner account can only access the data using a specific VPC endpoint in the partner's account. Which S3 bucket policy condition key should be used?

77

A data engineer needs to grant an IAM user the ability to view Amazon CloudWatch Logs log groups and stream log events from a specific log group. Which IAM policy action should be used?

78

A company uses S3 to store sensitive data. Which TWO S3 features can be used to protect data at rest?

79

A company needs to implement a data encryption strategy for data in transit between an Amazon EC2 instance and an Amazon RDS for MySQL database. Which THREE actions should be taken?

80

A data engineer is designing a data lake on S3 with fine-grained access control using AWS Lake Formation. Which THREE permissions can be managed by Lake Formation?

81

Refer to the exhibit. The S3 bucket policy above is applied to the bucket "example-bucket". An IAM user attempts to upload an object to the bucket without specifying any encryption header. What is the outcome?

82

Refer to the exhibit. A data engineer runs the command above. The DataAdminRole is used by an application to decrypt data. The security team wants to ensure that a SecurityAdminRole can revoke the grant. What must be done to allow the SecurityAdminRole to retire the grant?

83

Refer to the exhibit. An IAM policy includes the above statement to allow decryption of a KMS key under specific conditions. What does this policy allow?

84

A company uses S3 to store sensitive customer data. To prevent accidental public access, a data engineer needs to ensure that all S3 buckets block public access at the account level. Which AWS service should be used to enforce this policy?

85

A data engineer is designing a data lake on S3 and needs to ensure that data is encrypted at rest using customer-managed KMS keys. The engineer also needs to audit all access to the KMS keys. Which combination of services should be used?

86

A company uses AWS Glue to process sensitive data. The security team requires that all data in transit between Glue and Amazon S3 be encrypted using TLS 1.2 or higher. Which configuration ensures this requirement is met?

87

A data engineer needs to share a dataset from an S3 bucket in Account A with another AWS account (Account B). The data must remain encrypted at rest with KMS. Which steps are required?

88

A company uses AWS Lake Formation to manage permissions on a data lake stored in S3. A data engineer notices that a new IAM user can query data via Athena but cannot see the tables in the Lake Formation console. What is the most likely cause?

89

A company has a requirement to store audit logs for 7 years for compliance. The logs are stored in S3 and must be immutable. Which S3 feature should be used?

90

A data engineer needs to grant an IAM user read-only access to a specific KMS key for decrypting S3 objects. Which policy element should be used?

91

A company uses Amazon Redshift for data warehousing. The security team requires that all data stored in Redshift be encrypted at rest using a customer-managed KMS key. How should the data engineer configure this?

92

A data engineer is troubleshooting an issue where an IAM role used by AWS Glue cannot read data from an S3 bucket encrypted with SSE-KMS. The bucket policy allows the role to perform s3:GetObject. What additional permission is needed?

93

A company uses AWS CloudTrail to log all API calls. The security team wants to ensure that log files are tamper-proof and cannot be deleted. Which TWO actions should the data engineer take? (Choose TWO.)

94

A company uses Amazon EMR to process sensitive data. The data engineer needs to ensure that data in transit between EMR and S3 is encrypted. Which THREE configurations achieve this? (Choose THREE.)

95

A data engineer is setting up a data pipeline using AWS DMS to migrate data from an on-premises database to Amazon RDS for MySQL. The data must be encrypted in transit. Which TWO options can the engineer use? (Choose TWO.)

96

Refer to the exhibit. A data engineer applies the following S3 bucket policy to an S3 bucket. What does this policy enforce?

97

Refer to the exhibit. A data engineer configured CloudTrail to log data events for an S3 bucket. However, the engineer notices that no data events are being logged for objects in the 'logs/' prefix. What is the most likely reason?

98

Refer to the exhibit. A data engineer creates an IAM policy for a service role used by AWS Glue. What does the condition in the policy enforce?

99

A company wants to encrypt data at rest in Amazon S3 using server-side encryption. They need to manage the encryption keys themselves and rotate them annually. Which S3 encryption option should they use?

100

A data engineer needs to audit all access to an S3 bucket for compliance. They want to capture object-level operations such as GetObject and PutObject, as well as bucket-level operations like ListBucket. Which AWS service should be used?

101

A company uses AWS KMS to encrypt data in Amazon S3 and RDS. They need to ensure that encryption keys are automatically rotated every year. Which KMS key type supports automatic annual rotation?

102

A data engineer needs to share an S3 bucket with another AWS account. They want to ensure that the objects in the bucket remain encrypted with SSE-KMS using a customer managed key. What additional step is required for cross-account access?

103

A company wants to enforce that all data in Amazon S3 is encrypted at rest. They want to automatically reject any PUT request that does not include encryption headers. What S3 feature should they use?

104

A company uses AWS Lake Formation to manage data lake permissions. A data engineer notices that a user can query tables in Athena even though the user does not have SELECT permission on the table in Lake Formation. What could be the cause?

105

A company needs to monitor and record all changes to IAM policies in their AWS account. Which AWS service should be used?

106

A data engineer wants to ensure that only users with a specific tag (e.g., "Department": "DataEngineering") can access an S3 bucket. How can this be enforced?

107

A company stores sensitive data in S3 and uses VPC Endpoints to restrict access. They want to ensure that data can only be accessed from their VPC. What configuration is required?

108

A data engineer needs to protect sensitive data in an S3 bucket. Which TWO AWS services can be used to detect and prevent accidental public access?

109

A company uses AWS KMS to encrypt data in multiple services. They want to ensure that only specific IAM roles can decrypt data using a particular KMS key. Which THREE steps are necessary?

110

A data engineer needs to securely store database credentials for an RDS instance. Which TWO AWS services can be used?

111

Refer to the exhibit. A data engineer applied this bucket policy to an S3 bucket. What is the effect of this policy?

112

Refer to the exhibit. A data engineer runs this CLI command to investigate a recent change to an S3 bucket policy. What information does the command return?

113

Refer to the exhibit. This KMS key policy is attached to a customer managed key. A data engineer finds that the DataEngineer role can encrypt but cannot decrypt data. What is the most likely cause?

114

A data engineer is configuring an S3 bucket for storing sensitive customer data. The bucket must be encrypted at rest using an AWS Key Management Service (KMS) key that is managed by the data engineering team. The team wants to ensure that only users with explicit permission can decrypt the data. Which S3 encryption option should be used?

115

A company is using AWS Glue to process data stored in an S3 bucket that is encrypted with SSE-KMS. The Glue job fails with an 'Access Denied' error when trying to read the data. The IAM role used by the Glue job has permissions to read from the S3 bucket and to use the KMS key. What is the most likely cause of the failure?

116

A data engineer needs to ensure that data in transit between an Amazon RDS for PostgreSQL database and an application is encrypted. Which configuration should be used?

117

An organization needs to audit all access to their S3 buckets for compliance purposes. They want to log both successful and failed API calls. Which AWS service should be used?

118

A company has multiple AWS accounts and wants to centrally manage permissions and access to data lakes. They have enabled AWS Organizations and want to use a single set of policies that apply to all accounts. Which policy type should be used at the organization level?

119

A data engineer needs to ensure that data stored in Amazon S3 is automatically deleted after 30 days. Which S3 feature should be used?

120

A company is using AWS Lake Formation to manage access to a data lake in S3. They want to grant a data analyst access to specific columns in a table, but not to the entire table. Which Lake Formation feature should be used?

121

A data engineer is designing a solution to securely store and rotate database credentials used by an application. The credentials should be automatically rotated every 90 days. Which AWS service should be used?

122

A data engineer needs to ensure that data in an S3 bucket is encrypted at rest. The bucket policy includes a condition that denies PutObject requests if the object is not encrypted. Which S3 encryption feature does this enforce?

123

Which TWO actions should a data engineer take to protect sensitive data in an Amazon S3 bucket from being accessed by unauthorized users? (Select TWO.)

124

A company must encrypt all data at rest in their Amazon RDS for MySQL instance. Which THREE steps are required to achieve this? (Select THREE.)

125

Which THREE AWS services can be used to centrally manage and govern data across multiple AWS accounts? (Select THREE.)

126

The IAM policy shown is attached to an IAM role. When a user assumes this role and tries to read an object in example-bucket that has no tags, what will happen?

127

A data engineer uses the AWS CLI to list KMS keys and describe one. The output shows two keys. The described key has KeyState 'Enabled' and Origin 'AWS_KMS'. Which statement is true about this key?

128

A data engineer runs the command shown to check the encryption configuration of an S3 bucket. The output shows SSEAlgorithm: AES256. What does this mean?

129

A company uses AWS KMS to encrypt data in Amazon S3. The security team requires that all encryption keys be rotated automatically every year. Which key type should the company use?

130

A data engineer needs to restrict access to an Amazon S3 bucket so that only objects encrypted with a specific AWS KMS key can be uploaded. Which S3 bucket policy condition should be used?

131

A company wants to audit all changes to IAM policies in their AWS account. Which combination of services should be used to achieve this?

132

A data engineer needs to allow an IAM user to rotate the secret in AWS Secrets Manager for an RDS database. Which IAM action should be included in the policy?

133

A company stores sensitive data in Amazon S3. The security team requires that all data be encrypted at rest and that the encryption keys be stored in AWS CloudHSM. Which S3 encryption option should be used?

134

A company wants to ensure that all S3 buckets are encrypted using server-side encryption. Which AWS service can be used to automatically remediate non-compliant buckets?

135

A data engineer needs to grant cross-account access to an S3 bucket. The engineer wants to use a role in the source account and assume that role from the target account. Which permissions are required?

136

A company uses Amazon Redshift for data warehousing. The security team requires that all data be encrypted at rest using a key managed by the company. Which Redshift encryption option should be used?

137

A company needs to centralize audit logs from multiple AWS accounts into a single S3 bucket. Which service should be used to aggregate these logs?

138

Which TWO actions are required to enforce encryption in transit for data being loaded into Amazon Redshift from Amazon S3? (Choose two.)

139

A company wants to monitor and alert on any IAM user creation in their AWS account. Which THREE services should be used together to achieve this? (Choose three.)

140

Which TWO AWS services can be used to protect sensitive data stored in Amazon S3 by preventing accidental public access? (Choose two.)

141

A company uses AWS Glue to process sensitive customer data stored in S3. The security team requires that all data be encrypted at rest using a customer-managed KMS key and that access to the key be auditable. Which solution meets these requirements?

142

A data engineer needs to share a dataset from an S3 bucket in Account A with users in Account B. The dataset must remain encrypted at rest with an S3-managed key. What is the MOST secure way to grant cross-account access?

143

A company uses Redshift for analytics. The security team requires that all queries be logged and that any access to sensitive columns be blocked for non-admin users. Which combination of features should the data engineer implement?

144

A data engineer is designing a data lake on S3 with sensitive data. The security policy mandates that data must be encrypted at rest and in transit, and that an inventory of all objects must be maintained for compliance. Which actions should be taken?

145

A company wants to use AWS Lake Formation to manage permissions on a data lake. What is the primary benefit of using Lake Formation for data security?

146

A company has an AWS Glue ETL job that reads from an RDS MySQL instance and writes to S3. The security team requires that the connection to RDS be encrypted and that credentials be rotated automatically. Which configuration should be used?

147

A data engineer needs to ensure that an S3 bucket can only be accessed from a specific VPC. Which policy element should be used?

148

A company uses Amazon Athena to query data in S3. The security team wants to ensure that users can only query tables they have permissions to in the AWS Glue Data Catalog. Which service should be used to manage these permissions centrally?

149

A company has an S3 bucket with versioning enabled and a bucket policy that denies access if the request does not include encryption. A data engineer notices that some objects are not encrypted. What is the most likely cause?

150

A data engineer is designing a data pipeline that processes PII data using AWS Glue and stores results in S3. Which TWO actions should be taken to protect the data? (Choose 2)

151

A company uses Amazon Redshift for data warehousing. The security team requires that all queries be logged for audit and that sensitive columns be masked for non-privileged users. Which THREE steps should the data engineer take? (Choose 3)

152

A company wants to enforce encryption in transit for data moving between an EC2 instance and an S3 bucket. Which TWO methods can achieve this? (Choose 2)

153

A company runs a data lake on AWS using S3 for storage and AWS Glue for ETL. The security team discovers that a contractor who left the company two months ago still has access to an S3 bucket containing sensitive data. The access was granted via an IAM user that was not deleted. The data engineer is asked to implement a solution to prevent future occurrences. The company uses AWS Organizations and has multiple accounts. The requirement is to automatically detect and remediate IAM users that have not been used for 90 days by disabling their access keys and notifying the security team. The solution must be least privilege and use AWS-native services. Which approach should the data engineer take?

154

A financial services company uses Amazon Redshift for its data warehouse. The compliance team requires that all access to the database be logged, including the SQL queries executed, and that the logs be stored in a separate S3 bucket that is encrypted with a customer-managed KMS key. Additionally, the logs must be retained for 7 years. The data engineer has enabled audit logging on the Redshift cluster and configured it to deliver logs to an S3 bucket. However, the compliance team reports that the logs are not being delivered. The S3 bucket policy allows the Redshift service to write logs. What is the most likely reason for the failure?

155

A company uses Amazon S3 to store sensitive customer data. The security policy requires that all objects in the bucket be encrypted at rest using server-side encryption with a customer-managed KMS key. The data engineer has enabled default encryption on the bucket using SSE-KMS with the required KMS key. However, a security scan reveals that some objects in the bucket are not encrypted with the KMS key. The objects were uploaded before the default encryption was enabled. The data engineer needs to ensure that all objects are encrypted with the KMS key without disrupting ongoing data access. What should the data engineer do?

156

A company uses AWS Glue to catalog data in Amazon S3. The security team requires that all sensitive data be identified and encrypted at rest using customer-managed KMS keys. Which combination of steps should a data engineer take to meet these requirements?

157

A data engineer is setting up cross-account access to an encrypted S3 bucket. The bucket uses a customer-managed KMS key. The engineer has configured the bucket policy and the IAM role in the source account. The target account still gets access denied errors when trying to read objects. What is the most likely cause?

158

A company uses Amazon RDS for MySQL with encryption at rest enabled. The security team requires that all database audit logs be stored in Amazon S3 for at least 7 years. Which AWS service should the data engineer use to collect and store the logs?

159

A company has a data lake in Amazon S3 with millions of objects. The security team wants to enforce that all objects are encrypted with a specific customer-managed KMS key. The data engineer configures an S3 bucket policy to deny PutObject if the encryption is not set to that key. However, some existing objects are not encrypted with that key. What is the most efficient way to remediate the existing objects?

160

A company uses AWS Lake Formation to manage permissions on a data lake. A data engineer creates a table in the Data Catalog and grants SELECT permission to a group of analysts. The analysts report they can see the table but get an AccessDenied error when querying it with Amazon Athena. What is the most likely cause?

161

A data engineer needs to encrypt data at rest in Amazon S3 using server-side encryption with a customer-managed KMS key. Which TWO steps are required to ensure that the KMS key can be used for S3 object encryption?

162

A company is using AWS Lake Formation to manage a data lake. The data engineer needs to set up fine-grained access control so that users can only see specific columns in a table based on their IAM role. Which THREE steps should the data engineer take?

163

A company wants to audit all API calls made to Amazon S3 and Amazon RDS resources. Which TWO AWS services can be used together to achieve this?

164

A data engineer needs to securely store database credentials used by an AWS Glue ETL job. Which THREE steps should the engineer take?

165

A company uses Amazon Redshift for its data warehouse and needs to enforce column-level security on sensitive columns. Which TWO approaches can achieve this?

166

A data engineer is designing a data pipeline that ingests customer data from an on-premises database into Amazon S3. The data contains personally identifiable information (PII). The company policy requires that all PII be masked before it is stored in S3. The pipeline uses AWS DMS for migration and AWS Glue for transformation. The engineer needs to ensure that the masking is applied consistently and that no unmasked data is written to S3. The engineer has set up DMS to replicate data to an S3 bucket, and then a Glue job reads from S3, applies masking, and writes to another S3 bucket. However, there is a risk that unmasked data in the first S3 bucket could be accessed before the Glue job runs. What should the engineer do to mitigate this risk?

167

A company has a multi-account AWS environment with a centralized data lake in the Security account. Data producers in other accounts use AWS Glue to write data to S3 buckets in the Security account. The Security account uses AWS Lake Formation to manage permissions. The data engineer is setting up cross-account access so that users in the Producer account can query the data using Athena in their own account. The engineer has registered the S3 buckets and Data Catalog tables in Lake Formation. The IAM roles in the Producer account have the necessary permissions. However, when a user in the Producer account tries to query the table, they get an AccessDenied error. The error message indicates that the principal is not authorized to perform lakeformation:GetTable on the resource. What is the most likely cause?

168

A company uses Amazon EMR to process large datasets stored in Amazon S3. The data is encrypted at rest using SSE-S3. The security team now requires that all data at rest be encrypted with customer-managed KMS keys (SSE-KMS). The data engineer needs to migrate existing data to use SSE-KMS without downtime. The engineer plans to use S3 Batch Operations to copy objects in place. However, the Batch Operations job fails with a KMS access denied error. The engineer has confirmed that the Batch Operations service role has the necessary KMS permissions. What is the most likely cause?

169

A company uses Amazon QuickSight for data visualization. The data engineer needs to ensure that users can only see data relevant to their department. The data is stored in Amazon S3 and is accessed via SPICE. The engineer has created datasets in QuickSight and wants to implement row-level security (RLS). The dataset contains a column 'Department' that indicates which department a row belongs to. The engineer has configured RLS rules using a separate permissions dataset. However, users report that they can see all rows, not just their department's rows. What is the most likely reason?

170

A company uses Amazon DynamoDB to store session data. The security team requires that all data be encrypted at rest using a customer-managed KMS key. The data engineer has enabled DynamoDB encryption with a customer-managed key. However, the security team notices that the key is not being used for all tables; some tables still use the default AWS-managed key. The engineer needs to ensure that all new tables are automatically encrypted with the customer-managed key. The company has hundreds of developers who create tables using various methods (console, CLI, SDK, CloudFormation). What is the most efficient way to enforce this policy?

171

A financial services company uses AWS Glue ETL jobs to process sensitive customer data stored in Amazon S3. The data is encrypted at rest with SSE-KMS using a customer-managed key. Recently, the security team discovered that the Glue job's IAM role has an overly permissive policy that allows the 'kms:Decrypt' action for all KMS keys in the account. The company wants to follow the principle of least privilege. The Glue job runs on a schedule and reads from a specific S3 bucket. The security team needs to update the IAM policy to restrict KMS decryption to only the specific key used for that bucket. What should they do?

172

A healthcare organization uses AWS Lake Formation to manage a data lake in Amazon S3. The data lake contains sensitive patient information that must be encrypted at rest. The organization uses AWS KMS with a customer-managed key (CMK) for encryption. Recently, the security team noticed that a new IAM user was able to query the data lake using Amazon Athena without explicit permissions in Lake Formation. The data lake administrator suspects that the IAM user might have been granted access through an IAM policy that allows 'lakeformation:GetDataAccess' without proper resource restrictions. The organization wants to enforce that only Lake Formation permissions control access to the data lake, and IAM policies should not grant access directly. What should they do?

173

A gaming company uses Amazon Redshift for analytics. The Redshift cluster stores user data that must be encrypted at rest using a customer-managed KMS key. The company has enabled audit logging using AWS CloudTrail. The security team wants to ensure that any attempt to disable or delete the KMS key is immediately detected and triggers an automated response. They have set up a CloudWatch Events rule that triggers an SNS notification when the KMS key is scheduled for deletion. However, they also want to prevent the key from being deleted accidentally. What should they do?

174

A media company stores video files in an Amazon S3 bucket. The bucket policy allows access only from a specific VPC. The company has enabled S3 Server Access Logs to monitor access. Recently, the security team found that some requests were coming from an IP address outside the allowed VPC. They suspect that the bucket policy may have an incorrect condition. What should they check first?

175

A data engineering team uses AWS Glue Data Catalog to manage metadata for datasets in Amazon S3. The datasets contain personally identifiable information (PII). The team needs to implement column-level security so that only authorized users can access columns with PII. They use Amazon Athena for querying. The team has enabled AWS Lake Formation and defined data lake locations. They have created a Lake Formation tag called 'PII' and assigned it to the columns containing PII. They have also granted 'SELECT' permission on those columns to a specific IAM role. However, when a user assumes that role and queries the table using Athena, they can still see all columns, including the PII columns. What is the most likely cause?

176

A company uses Amazon RDS for MySQL to store transactional data. The database contains sensitive financial information. The company's security policy requires that all data at rest be encrypted using a customer-managed KMS key. The database was originally launched without encryption at rest. The security team now needs to enable encryption without significant downtime. What should they do?

177

A data engineer needs to audit all access to an S3 bucket containing sensitive customer data. The engineer must record the requester, timestamp, action, and whether the access was denied. Which AWS solution meets these requirements?

178

A company uses AWS Lake Formation to manage access to data in a data lake. A new data engineer has been granted SELECT permission on a table but receives an 'AccessDeniedException' when querying via Amazon Athena. The table is registered in Lake Formation and the data is encrypted with SSE-KMS. Which of the following is the MOST likely cause?

179

A data engineer needs to securely store database credentials used by a Lambda function. The solution must automatically rotate the credentials every 90 days. Which AWS service should the engineer use?

180

A company has an S3 bucket policy that allows access to a specific IAM role. However, an administrator notices that requests from that role are being denied. The bucket is encrypted with AES-256. What is the MOST likely reason for the denial?

181

A data engineer is designing a data pipeline that processes sensitive financial data. The data must be encrypted at rest and in transit. The pipeline uses Amazon Kinesis Data Streams to ingest data and AWS Lambda to process it. Which combination of actions ensures the data is encrypted in transit? (Select TWO.)

182

A company wants to monitor and alert on unauthorized API calls in their AWS account. Which AWS service should be used to detect and notify on such events?

183

A data engineer is troubleshooting an Amazon Redshift cluster that is not allowing connections from a specific IP range. The engineer verified that the cluster's security group allows inbound traffic from the IP range. What is the next step to resolve the issue?

184

A company needs to enforce that all objects uploaded to an S3 bucket are encrypted at rest. Which bucket setting should be used?

185

A company uses AWS Glue to run ETL jobs on data stored in S3. The data is encrypted with SSE-KMS. The Glue job fails with an 'AccessDenied' error when trying to read the data. What is the MOST likely cause?

186

Refer to the exhibit. An S3 bucket policy allows the DataEngineerRole to get objects only if the request uses HTTPS. However, requests from this role are being denied even when using HTTPS. What is the MOST likely reason?

187

A data engineer needs to grant an IAM user read-only access to an S3 bucket named 'data-lake'. Which IAM policy statement should be used?

188

Refer to the exhibit. A data engineer runs the AWS CLI command to look up GetObject events. The output shows an event from the DataEngineer role. However, the engineer suspects that some GetObject requests are not being logged. What is the MOST likely reason?

189

Refer to the exhibit. An IAM policy allows kms:Decrypt and kms:GenerateDataKey on a specific KMS key. A data engineer is unable to upload an object to an S3 bucket that uses SSE-KMS with that key. What is the MOST likely missing permission?

190

A company needs to ensure that data stored in Amazon RDS is encrypted at rest. Which action should the data engineer take?

191

A company uses Amazon Redshift for data warehousing. The security team requires that all data stored in Redshift be encrypted at rest. The current cluster is unencrypted. Which approach should the data engineer take to meet this requirement with minimal downtime?

192

A data engineer needs to ensure that all data stored in an S3 bucket is encrypted at rest. Which S3 bucket policy condition key should be used to enforce encryption using AWS KMS?

193

A company uses AWS Lake Formation to manage data lake permissions. A data analyst is unable to query a table in the data lake using Amazon Athena. The table is registered in Lake Formation, and the analyst has SELECT permission granted via Lake Formation. What is the most likely reason for the failure?

194

A financial services company needs to share sensitive customer data with a third-party analytics firm. The data resides in an S3 bucket encrypted with an AWS KMS customer managed key. The third party has their own AWS account. Which combination of steps is required to securely share the data? (Choose TWO.)

195

A company is designing a data lake on AWS and must comply with GDPR requirements. The company needs to implement data masking for personally identifiable information (PII) columns in Amazon Redshift. Which feature should be used?

196

A data engineer needs to audit who accessed specific objects in an S3 bucket over the past 30 days. Which AWS service should be used?

197

A company has an AWS Glue ETL job that reads data from an S3 bucket encrypted with SSE-S3. The job runs successfully, but the output written to another S3 bucket with SSE-KMS fails. The IAM role for the Glue job has s3:PutObject and kms:GenerateDataKey permissions. What is the most likely cause?

198

A company wants to centrally manage encryption keys for multiple AWS services and automatically rotate them every year. Which AWS service should be used?

199

A data engineer needs to ensure that an Amazon Redshift cluster encrypts all data at rest. Which setting must be enabled when creating the cluster?

200

A company uses Amazon RDS for PostgreSQL with encryption at rest using AWS KMS. The company needs to share a database snapshot with a different AWS account. What must be done to allow the target account to restore the snapshot?

201

Refer to the exhibit. Exhibit: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/DataEngineer" }, "Action": [ "kms:Decrypt", "kms:ReEncrypt*" ], "Resource": "*" } ] } A data engineer tries to encrypt data using the KMS key associated with this key policy and receives an access denied error. What is the cause?

202

A data engineer runs an AWS Glue ETL job that reads from a table in the AWS Glue Data Catalog. The job fails with the error shown. The IAM role used by the Glue job has the following policy attached: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "glue:GetTable", "glue:GetDatabase" ], "Resource": "*" } ] } What should be added to the IAM role's policy to resolve the error?

203

A data engineer applies the above bucket policy to an S3 bucket containing sensitive data. The goal is to allow only encrypted (HTTPS) requests. However, a user reports being able to access an object using an HTTP (non-HTTPS) request. What is the most likely reason?

204

A company uses Amazon DynamoDB with encryption at rest using an AWS managed KMS key. The security team requires that the encryption key be rotated every 90 days. What should the data engineer do to meet this requirement?

205

A data engineer needs to restrict access to an S3 bucket so that only users from a specific AWS account can read objects. Which S3 bucket policy element should be used?

206

A company uses Amazon Kinesis Data Streams to ingest real-time data. The compliance team requires that all data in the stream be encrypted at rest. Which configuration should be enabled?

207

A company has a multi-account strategy using AWS Organizations. The data engineering team needs to share a central S3 bucket across multiple accounts while maintaining fine-grained access control. Which solution should be used?

208

A company needs to automate the detection of sensitive data in Amazon S3 and generate reports. Which AWS service should be used?

209

A data engineer needs to ensure that an Amazon Redshift cluster only accepts encrypted connections. Which parameter should be modified?

210

A company uses Amazon EMR to process data stored in S3 with server-side encryption using AWS KMS. The EMR cluster fails with a "403 Access Denied" error when reading data from S3. The IAM role for the EMR cluster has s3:GetObject and kms:Decrypt permissions. What is the most likely issue?

211

A company needs to tag all resources created in a specific AWS account to enforce data governance policies. Which AWS service can automatically enforce tagging rules?

212

A data engineer needs to store encryption keys used for protecting data in Amazon S3 and automatically rotate them every year. Which service should be used?

213

A data engineer needs to ensure that an Amazon S3 bucket containing sensitive customer data is encrypted at rest. Which AWS service can be used to manage the encryption keys?

214

A company stores sensitive data in an Amazon S3 bucket. To comply with regulations, all data must be encrypted at rest using server-side encryption. The security team wants to ensure that any attempt to upload an unencrypted object is automatically denied. Which S3 bucket policy condition should be used?

215

A company uses AWS Glue to process data from Amazon S3. The data contains personally identifiable information (PII). The data engineer needs to automatically detect and mask PII fields before the data is loaded into Amazon Redshift. Which combination of AWS services should be used?

216

A data engineer is setting up an Amazon RDS for MySQL database. The compliance team requires that all data at rest be encrypted. What must the engineer do to enable encryption for this database?

217

A company uses Amazon S3 to store log files. The security team notices that some objects are being accessed from an unexpected AWS account. The data engineer needs to identify which specific IAM user or role is accessing the objects. Which AWS service should be used to get this information?

218

A data engineer needs to share a dataset stored in an Amazon S3 bucket with another AWS account. The dataset must remain encrypted at rest using AWS KMS. The data engineer creates a bucket policy that grants the other account access to the bucket. However, the other account reports that objects appear encrypted and they cannot decrypt them. What is the most likely cause?

219

A company wants to audit all changes to IAM policies in their AWS account. Which AWS service should be used to record these changes?

220

A company uses Amazon Redshift for data warehousing. The security team requires that all data loading into Redshift be encrypted in transit. Which configuration ensures this requirement is met?

221

A data engineer is tasked with implementing data masking for a non-production environment. The source data contains credit card numbers stored in an Amazon RDS for PostgreSQL database. The engineer wants to automatically mask the credit card numbers when copying data to the non-production database. Which AWS service can be used to achieve this?

222

A company is designing a data lake on Amazon S3. The security team requires granular access control based on data classifications. Which TWO AWS services can be used together to implement attribute-based access control (ABAC) for objects in S3?

223

A company needs to enforce encryption at rest for all data stored in Amazon S3. The security team wants to ensure that no objects can be uploaded without encryption. Which THREE steps should be taken to meet this requirement?

224

A data engineer is setting up an Amazon Redshift cluster. Which TWO measures can be taken to secure the data at rest?

225

Refer to the exhibit. A data engineer applies this S3 bucket policy to the bucket 'example-bucket'. What is the effect of this policy?

226

Refer to the exhibit. A data engineer runs this AWS CLI command to execute an Athena query. What is the purpose of the EncryptionConfiguration parameter?

227

Refer to the exhibit. A data engineer creates this KMS key policy. An IAM role in account 123456789012 is granted decrypt access to the key. However, when the DataAnalystRole tries to decrypt an S3 object encrypted with this key, the operation fails. What is the most likely reason?

228

A company uses AWS Glue to catalog data in Amazon S3. The data includes personally identifiable information (PII). The security team requires that PII be masked when queried by users who are not data owners. Which AWS service should be used to enforce this requirement?

229

A data engineer needs to ensure that an Amazon Redshift cluster encrypts data at rest using a customer-managed AWS KMS key. Which configuration step is required?

230

A company runs an Amazon EMR cluster that processes sensitive data stored in Amazon S3. The security team requires that all data in transit between the EMR cluster and S3 be encrypted. Which configuration ensures this requirement is met?

231

A data engineer needs to audit all access to an Amazon S3 bucket containing sensitive data. The audit must capture who accessed the bucket, from which IP address, and what actions were performed. Which AWS service should be enabled?

232

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that the KMS key can only be used from within the company's VPC. Which policy element should be added to the KMS key policy?

233

A data engineer is designing a data lake on Amazon S3. The compliance team requires that objects be automatically deleted after 7 years. Additionally, objects must be transitioned to Amazon S3 Glacier Instant Retrieval after 30 days to reduce costs. Which S3 lifecycle policy configuration meets these requirements?

234

A company uses AWS Glue DataBrew to clean and normalize data. The data contains sensitive columns that must be masked before being written to the output. Which DataBrew action should be applied?

235

A data engineer receives an alert that an AWS KMS key has been scheduled for deletion by mistake. What is the immediate action to prevent the key from being deleted?

236

A company stores data in Amazon S3 with server-side encryption using AWS KMS (SSE-KMS). The data engineer needs to give a third-party auditor read-only access to the encrypted objects. The auditor has an AWS account. Which strategy should be used?

237

A company is building a data lake on AWS and must encrypt data at rest. Which services can provide server-side encryption for data stored in Amazon S3? (Choose TWO.)

238

A data engineer is configuring an Amazon Redshift cluster for compliance. The cluster must encrypt data at rest and automatically rotate the encryption key every year. Which steps should the engineer take? (Choose THREE.)

239

A company wants to audit API calls made to its Amazon S3 buckets. Which AWS services can be used to achieve this? (Choose TWO.)

240

Refer to the exhibit. A data engineer applies this S3 bucket policy to an S3 bucket. What is the effect of this policy?

241

Refer to the exhibit. A data engineer runs the commands shown. What can be determined about the key with ID 1234abcd-12ab-34cd-56ef-1234567890ab?

242

Refer to the exhibit. A data engineer queries AWS CloudTrail to investigate a PutObject event. What does the exhibit reveal about the object sensitive.csv?

243

A data engineer needs to ensure that all data in an S3 bucket is encrypted at rest. The bucket contains objects uploaded by various applications. What is the simplest method to enforce encryption for all new objects?

244

A company uses AWS KMS to encrypt sensitive data in S3. The security team requires that the KMS key must be rotated automatically every year. Which key type should be used?

245

A data engineer is troubleshooting an AWS Glue ETL job that fails with an access denied error when writing to an S3 bucket. The Glue job uses an IAM role that has an S3 bucket policy attached. The bucket policy denies access to any principal that does not use server-side encryption. What is the most likely cause of the failure?

246

A company wants to audit all data access events in their S3 buckets, including who accessed objects and from which IP address. Which AWS service should be used to capture these events?

247

A data engineer needs to allow a Lambda function to read data from an S3 bucket in the same account. The Lambda function's execution role has the required permissions, but access is denied. The S3 bucket has a bucket policy that explicitly denies access to any principal that is not from the organization. What is the most likely issue?

248

A data engineer is designing a data lake on S3 that must be encrypted at rest using customer-managed keys in AWS KMS. The security team requires that the key be used only for S3 operations and that the key be rotated every 180 days. Which solution meets these requirements?

249

A company wants to ensure that only encrypted connections are used when data is transferred to S3. Which policy condition should be used in an S3 bucket policy?

250

A data engineer is configuring an S3 bucket to host sensitive data. The security policy requires that all objects be encrypted with a key that is generated and managed by the customer, and that the key be stored in AWS KMS. Which encryption option should be used?

251

A data engineer is troubleshooting an ETL job that reads from an S3 bucket encrypted with SSE-KMS. The job is failing with an error indicating that the IAM role does not have permission to decrypt the data. What is the most likely missing permission?

252

A data engineering team needs to encrypt data at rest in an Amazon S3 bucket that stores sensitive customer information. The team must use an AWS Key Management Service (AWS KMS) customer managed key with automatic rotation enabled. Which configuration meets these requirements?

253

A company is using AWS Glue to process data stored in Amazon S3. The data includes personally identifiable information (PII) that must be masked before being written to a separate output bucket. Which AWS service or feature can be used to automatically detect and mask sensitive data in the Glue ETL job?

254

A data engineer needs to audit all AWS KMS key usage events for the past 90 days to verify compliance. Which AWS service should be used?

255

A company needs to enforce encryption in transit for all data moving between its Amazon S3 bucket and a fleet of Amazon EC2 instances. The data is accessed via S3 API calls over the internet. Which configuration ensures encryption in transit?

256

A data engineer is designing a data lake on Amazon S3 that must comply with a regulatory requirement to prevent any data from being overwritten or deleted for 7 years after creation. Which S3 feature should be used?

257

A company wants to centrally manage access to multiple AWS accounts for its data engineers. The company already uses AWS Organizations. Which AWS service should be used to define fine-grained permissions across accounts?

258

A company uses Amazon RDS for MySQL to store financial data. A compliance requirement mandates that all database connections must be encrypted. Which configuration step is necessary?

259

A data engineer needs to share a dataset stored in an S3 bucket with a partner AWS account. The partner should be able to read the data without needing to authenticate with the engineer's account. The engineer must not share any secret keys. Which approach should be used?

260

A company uses Amazon Redshift for data warehousing. The security team requires that all data in transit between the Redshift cluster and clients be encrypted. Which feature should be enabled?

261

A company needs to securely store and manage database credentials used by a data pipeline. Which AWS services can be used to store and rotate secrets automatically? (Choose TWO.)

262

A data engineer needs to ensure that an S3 bucket policy follows the principle of least privilege. Which of the following are valid conditions to restrict access based on the requester's identity? (Choose THREE.)

263

A company must comply with a regulation that requires logging all access to sensitive data stored in Amazon S3. Which AWS services can be used to capture and store access logs? (Choose TWO.)

264

Refer to the exhibit. An S3 bucket policy is shown. A data engineer using the DataEngineerRole tries to upload an object to s3://example-bucket/data/report.csv with SSE-S3 encryption. The upload fails. What is the most likely cause?

265

Refer to the exhibit. A data engineer runs the AWS CLI command shown to encrypt a file using AWS KMS. The command succeeds. Later, the engineer tries to decrypt the file using the same key but without providing an encryption context. The decryption fails. What is the most likely reason?

266

Refer to the exhibit. An IAM policy is attached to a user. What is the security implication of this policy?

267

A data engineer needs to ensure that an S3 bucket containing sensitive customer data is encrypted at rest. The company requires that all encryption keys be managed by AWS and rotated annually. Which encryption option meets these requirements?

268

A company is using an Amazon RDS for PostgreSQL database to store personally identifiable information (PII). The security team wants to ensure that database administrators cannot view the plaintext PII data. Which solution should a data engineer implement?

269

A company wants to audit all changes to IAM policies in their AWS account. Which AWS service should be used to record these changes for compliance purposes?

270

A data engineer is configuring an S3 bucket policy to allow cross-account access for a partner account to read objects. The bucket is encrypted with SSE-KMS using a customer-managed key. What additional configuration is needed to allow the partner account to decrypt the objects?

271

A company uses AWS Lake Formation to manage data lake permissions. The data engineer notices that a user with SELECT permission on a table can also query the underlying data in Amazon S3 directly. How can the engineer enforce that access to the S3 data is only through Lake Formation?

272

A company wants to securely store database credentials used by a Lambda function. Which AWS service should be used to store and rotate the credentials automatically?

273

A company is using Amazon Redshift for analytics and needs to ensure that all data is encrypted at rest. The current cluster does not have encryption enabled. What is the most efficient way to enable encryption?

274

A data engineer needs to grant a data scientist access to query a Glue Data Catalog database but must prevent the data scientist from seeing the underlying S3 data locations. Which approach should be used?

275

A company has an S3 bucket that stores logs for compliance. The compliance team requires that objects are retained for 7 years and cannot be deleted or overwritten. Which S3 feature should be used?

276

A company needs to protect sensitive data stored in Amazon S3 from unauthorized access. Which TWO actions should the data engineer take? (Choose two.)

277

A company is using AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that only specific IAM roles can decrypt the data. Which THREE steps should the data engineer take? (Choose three.)

278

A company needs to audit access to their Amazon S3 buckets. Which TWO services can be used together to achieve this? (Choose two.)

279

Refer to the exhibit. A data engineer has attached this KMS key policy to a customer-managed key. The policy is intended to allow the DataEngineer role to decrypt objects in S3 only when the request comes through S3. However, the role is unable to decrypt objects stored in an S3 bucket in the us-west-2 region. What is the most likely cause?

280

Refer to the exhibit. A data engineer runs the above command and sees that the DataLakeAdmin role has the AmazonS3FullAccess and AWSLakeFormationDataAdmin policies attached. The engineer wants to ensure that the role can only access S3 data through Lake Formation. What should the engineer do?

281

Refer to the exhibit. A data engineer checks the versioning status of an S3 bucket and sees the above output. The bucket contains critical logs that must not be permanently deleted. What should the engineer do to enhance protection against accidental or malicious deletion?

282

A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which key type should be used to meet this requirement without manual intervention?

283

A data engineer needs to grant an IAM role read-only access to Amazon DynamoDB tables in a specific AWS account. Which IAM policy element should be used to restrict access to only the 'GetItem' and 'Query' actions?

284

A company stores sensitive customer data in an Amazon S3 bucket with versioning enabled. A data engineer accidentally deleted the current version of an object. What is the quickest way to restore the object to its previous state without additional data transfer costs?

285

A data engineer is configuring an Amazon Redshift cluster to encrypt data at rest. The company policy requires that encryption keys be stored in AWS CloudHSM. Which integration should the engineer use to meet this requirement?

286

A company uses AWS Lake Formation to manage data lakes on Amazon S3. The data engineer needs to grant a data analyst access to query specific columns in a table using Amazon Athena, but deny access to columns containing personally identifiable information (PII). Which Lake Formation feature should be used?

287

A company is using Amazon S3 to store log files. The security team requires that all data be encrypted in transit. Which of the following ensures encryption in transit for S3?

288

An organization wants to audit all API calls made to AWS services for compliance. Which AWS service should be used to capture and store these API calls?

289

A data engineer is troubleshooting an issue where an Amazon Redshift query returns an error: 'ERROR: permission denied for relation table_name'. The user has been granted SELECT on the table. What is the most likely cause?

290

A company is designing a data pipeline that ingests data from an on-premises database to Amazon S3. The data contains personally identifiable information (PII) that must be masked before storage. Which AWS service can be used to mask the data in transit?

291

A company needs to enforce encryption at rest for all data stored in Amazon S3. Which of the following are valid methods to achieve this? (Choose TWO.)

292

A data engineer is configuring a VPC for an Amazon Redshift cluster. The cluster must be accessible only from a specific on-premises network via a Direct Connect connection. Which TWO actions should the engineer take to meet this requirement? (Choose TWO.)

293

A company wants to ensure that an IAM user can only launch Amazon EC2 instances of a specific instance type. Which THREE IAM policy elements are required to define this permission? (Choose THREE.)

294

Refer to the exhibit. An IAM policy is attached to an IAM user. The user is trying to download an object from the S3 bucket 'example-bucket' from an IP address 10.1.1.1, but the request is denied. What is the most likely reason?

295

Refer to the exhibit. A data engineer runs a CLI command to decrypt a file and receives an access denied error. The IAM user 'DataEngineer' has the following policy attached: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*" } ] } What is the most likely cause of the error?

296

Refer to the exhibit. A data engineer creates an external table in AWS Glue Data Catalog pointing to an S3 bucket that contains encrypted objects (SSE-S3). The CREATE TABLE statement fails with an error. What change should be made to fix the error?

297

A company uses AWS Glue to process sensitive data stored in S3. The security team requires that all data be encrypted at rest using customer-managed KMS keys. The data engineers are encountering 'Access Denied' errors when running Glue ETL jobs. What is the most likely cause?

298

A company stores PII in an S3 bucket. The security team wants to use Amazon Macie to discover sensitive data. After enabling Macie, they notice that no sensitive data findings are generated. The S3 bucket is in the same account. What is the most likely reason?

299

A company needs to audit all API calls made in their AWS account, including actions performed by the root user. Which AWS service should be used?

300

A data engineer needs to encrypt data at rest in an Amazon Redshift cluster. The company requires that the encryption key be managed by the customer and rotated annually. Which solution meets these requirements?

Practice all 300 Data Security and Governance questions

Other DEA-C01 exam domains

Data Ingestion and TransformationData Operations and SupportData Store Management

Frequently asked questions

What does the Data Security and Governance domain cover on the DEA-C01 exam?

The Data Security and Governance domain covers the key concepts tested in this area of the DEA-C01 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all DEA-C01 domains — no account required.

How many Data Security and Governance questions are in the DEA-C01 question bank?

The Courseiva DEA-C01 question bank contains 300 questions in the Data Security and Governance domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Data Security and Governance for DEA-C01?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Data Security and Governance questions for DEA-C01?

Yes — the session launcher on this page draws questions exclusively from the Data Security and Governance domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your DEA-C01 domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide

Related Exams

SAA-C03MLS-C01DBS-C01