Practice DEA-C01 Data Security and Governance questions with full explanations on every answer.
Start practicing
Data Security and Governance — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A data engineer needs to ensure that an Amazon S3 bucket used for sensitive data is encrypted at rest using a customer-managed AWS KMS key. The bucket policy must enforce encryption for all PUT requests. Which policy statement should be added to the bucket policy?
2A company uses AWS Glue to process sensitive data stored in Amazon S3. The security team requires that all data in transit between AWS Glue and S3 be encrypted. Which configuration should be used to meet this requirement?
3A data engineer is troubleshooting an AWS Lake Formation permissions issue. A user is able to query an Amazon Athena table but cannot see the underlying S3 data in the AWS Glue Data Catalog. The user has been granted SELECT permission on the table in Lake Formation. What is the most likely cause?
4A company uses Amazon Redshift to store customer data. The security team requires that all queries are logged for auditing purposes. Which combination of steps should be taken to meet this requirement? (Select TWO.)
5A company is designing a data lake on Amazon S3. The security policy requires that all data be encrypted at rest using AWS KMS with automatic key rotation. Which encryption option meets these requirements? (Select THREE.)
6Refer to the exhibit. A data engineer is running an AWS Glue job that reads from an S3 bucket encrypted with a customer-managed KMS key. The job fails with the error shown. What is the most likely cause?
7Refer to the exhibit. A security analyst is reviewing CloudTrail logs and notices a PutObject event to the 'company-data-lake' bucket. The bucket policy requires all objects to be encrypted with SSE-KMS. What should the analyst conclude?
8A company is using Amazon Redshift Spectrum to query data in Amazon S3. The S3 bucket uses SSE-KMS encryption. The Redshift cluster has an IAM role that allows access to S3 and KMS. However, queries fail with an 'Access Denied' error. What is the most likely cause?
9A company is using Amazon EMR to process data stored in Amazon S3. The S3 bucket is configured with a bucket policy that denies access unless the request includes a specific tag. The EMR cluster's IAM role has s3:GetObject permission. However, the EMR job fails to read data from S3. What is the most likely cause?
10A company uses AWS Lake Formation to manage data lake permissions. The data lake contains sensitive customer data in the 'customer' database. The security team wants to ensure that only users with a specific tag 'access_level=analyst' can query the 'customer' table. Which combination of steps should the data engineer take to enforce this?
11A financial services company uses AWS KMS to encrypt data in Amazon S3. The compliance team requires that all encryption keys be rotated automatically every 365 days. The data engineer needs to implement this requirement without manual intervention. Which solution meets the requirement with the LEAST operational overhead?
12A data engineer is configuring AWS Glue jobs to access data stored in Amazon S3. The data is encrypted using server-side encryption with AWS KMS (SSE-KMS). The Glue job needs to read and write data to the S3 bucket. Which IAM policy statement should be added to the Glue job's IAM role to allow it to use the KMS key?
13Refer to the exhibit. A data engineer is troubleshooting a permissions issue. The IAM role 'DataEngineerRole' is used by an AWS Glue job that needs to read data from an S3 bucket encrypted with a customer managed KMS key. The above key policy is attached to the KMS key. The Glue job fails with an AccessDenied error when trying to read the data. What is the MOST likely cause?
14A company is building a data pipeline that ingests sensitive customer data from an on-premises database into Amazon S3 using AWS DMS. The data must be encrypted at rest in S3 and in transit. The security team requires that the encryption keys be managed by the company (not AWS). Which TWO actions should the data engineer take to meet these requirements? (Choose TWO.)
15A data engineer is designing a data lake on Amazon S3 with AWS Lake Formation. The data lake contains personally identifiable information (PII). The company has a policy that only users who have completed data privacy training can access the PII data. The training status is stored in an external identity provider (IdP) as an attribute. The data engineer needs to enforce this policy using Lake Formation. Which THREE steps should the data engineer take? (Choose THREE.)
16A healthcare company uses AWS Glue to process patient data stored in Amazon S3. The data is encrypted at rest using SSE-KMS with a customer managed key. The Glue ETL job runs on a schedule and reads from an S3 bucket, transforms the data, and writes to another S3 bucket also encrypted with the same KMS key. Recently, the security team rotated the KMS key. After the rotation, the Glue job started failing with 'AccessDenied' errors when trying to read from the source bucket. The Glue job's IAM role has permissions to use the KMS key (kms:Decrypt, kms:GenerateDataKey). The S3 bucket policies allow the role to read/write. What is the MOST likely cause of the failure?
17A data engineer is configuring a data lake on Amazon S3 that contains sensitive customer information. The company requires that all access to this data be logged and monitored, and that any data shared with external partners must be anonymized before leaving the S3 bucket. Which combination of AWS services should the engineer use to meet these requirements? (Choose THREE.)
18Refer to the exhibit. A data engineer applies this bucket policy to an S3 bucket named my-data-bucket. The bucket contains sensitive data. The company's security team reports that data was accessed from an IP address outside the allowed range. What is the MOST likely reason that the policy failed to block the unauthorized access?
19A financial services company uses AWS Glue ETL jobs to process credit card transaction data stored in Amazon S3. The data includes PII such as names and credit card numbers. The security team requires that all PII be masked before the data is written to the curated zone of the data lake. The data engineer has implemented a Glue job that reads from the raw zone, applies a custom transform to mask credit card numbers using a regular expression, and writes to the curated zone. However, during a recent audit, the security team discovered that some masked data still contained partial credit card numbers (e.g., showing the last four digits) when viewed by analysts who should only see masked data. The company's policy is that credit card numbers must be completely masked, showing only asterisks or a fixed string like "XXXX-XXXX-XXXX-XXXX". The Glue job uses a DynamicFrame and applies a Map transform with a Python function that replaces digits with 'X'. The data is stored in Parquet format. What should the data engineer do to ensure complete masking of credit card numbers?
20Order the steps to migrate an on-premises database to Amazon RDS using AWS DMS.
21Arrange the steps to implement data encryption at rest for an Amazon Redshift cluster using AWS KMS.
22Match each AWS storage class to its description.
23Match each AWS networking concept to its definition.
24A data engineer is configuring S3 bucket policies to restrict access to a specific VPC. Which condition key should be used in the bucket policy to enforce that requests originate only from the desired VPC?
25A company uses AWS KMS to encrypt sensitive data stored in S3. To meet compliance requirements, they need to ensure that the encryption keys are automatically rotated every year. Which type of KMS key should they use?
26A data engineer needs to audit data access events in Amazon S3. Which AWS service should be used to record and monitor API calls for S3 buckets?
27A team is designing a data lake on S3 and needs to enforce encryption at rest. They want to use server-side encryption with a KMS key that they manage. Which encryption option should they configure on the S3 bucket?
28A company stores sensitive data in S3 and uses VPC endpoints to access the bucket. They need to ensure that only traffic from their VPC can access the data, and that the traffic cannot leave the AWS network. Which combination of bucket policy and endpoint policy should they use?
29A data engineer needs to ensure that an S3 bucket is not publicly accessible. Which S3 block public access setting should be applied to achieve this?
30A company wants to grant cross-account access to an S3 bucket without using IAM roles. The data engineer needs to write a bucket policy that allows another AWS account to list objects. Which Principal should be specified in the bucket policy?
31A data engineer notices that an S3 bucket policy allows access to a user from another AWS account, but the access is being denied. What could be the reason?
32A company needs to encrypt data in transit between an EC2 instance and an S3 bucket. Which method should be used?
33A data engineer is designing a data pipeline that processes PII data in AWS Glue. They need to ensure data is encrypted at rest and in transit. Which TWO actions should they take? (Choose TWO.)
34A company wants to implement least privilege access for its data lake on S3. Which THREE practices should be followed? (Choose THREE.)
35A data engineer needs to audit data access in Amazon S3 for compliance. Which TWO services can be used to capture and analyze S3 access logs? (Choose TWO.)
36Refer to the exhibit. A data engineer attached this S3 bucket policy to the bucket 'example-bucket'. What is the effect of this policy?
37Refer to the exhibit. The exhibit shows output from AWS CLI commands. Which key can be used to enable automatic annual rotation?
38Refer to the exhibit. An IAM policy includes this statement. What access does it grant?
39A data engineer needs to ensure that all data in an S3 bucket is encrypted at rest. The bucket currently contains unencrypted objects from past uploads. Which action will encrypt these existing objects without re-uploading them?
40A company uses AWS Glue to process sensitive customer data stored in S3. The data engineer must ensure that the Glue ETL jobs do not write any data to S3 buckets that lack encryption. Which approach meets this requirement?
41A company uses AWS Lake Formation to manage access to data in a data lake. The data engineer needs to grant a user the ability to query tables in the 'sales' database using Amazon Athena, but only when the user's IP address is within the corporate network (10.0.0.0/8). Which combination of actions should the data engineer take?
42A data engineer is designing a data pipeline that ingests personally identifiable information (PII) into Amazon Redshift. The engineer needs to ensure that only authorized users can view the data, and that all queries are logged for auditing. Which combination of AWS services should the engineer use?
43A company wants to enforce that all data written to an S3 bucket is encrypted with a customer-managed AWS KMS key. The data engineer has created the KMS key and attached an S3 bucket policy. However, users are still able to upload objects without specifying the KMS key. What is the most likely cause?
44A company uses Amazon RDS for PostgreSQL to store financial data. The security team requires that all database connections be encrypted in transit and that the database audit logs be stored in Amazon S3 for at least 7 years. Which steps should the data engineer take to meet these requirements?
45A data engineer is troubleshooting an issue where an AWS Glue ETL job fails when trying to read data from an S3 bucket encrypted with SSE-KMS. The job has an IAM role that includes `kms:Decrypt` permission. What is the most likely reason for the failure?
46A company uses Amazon DynamoDB to store session data. The security team requires that all data be encrypted at rest using a customer-managed KMS key. The data engineer has enabled encryption with a KMS key, but discovers that old data remains encrypted with the previous AWS-managed key. How can the engineer re-encrypt all existing data with the new key?
47A data engineer needs to grant an IAM user access to query a specific table in Amazon Athena, but the user should not be able to view other tables in the same database. Which method should the engineer use?
48A company stores sensitive data in Amazon S3. The data engineer needs to implement a solution that automatically detects and redacts PII in new objects as they are uploaded. Which TWO AWS services should be used together?
49A company uses AWS KMS to encrypt data in Amazon Redshift. The data engineer needs to rotate the customer-managed KMS key annually. Which TWO actions must be taken to successfully rotate the key without data loss?
50A data engineer is designing a data lake on Amazon S3 that must comply with GDPR. The engineer needs to ensure that individuals can request deletion of their personal data. Which THREE AWS services can be used together to automate the deletion of specific records?
51Refer to the exhibit. A data engineer attaches this bucket policy to an S3 bucket. A developer tries to upload an object to the bucket using the AWS CLI with the command: `aws s3 cp file.txt s3://my-bucket/`. The upload fails. What is the most likely reason?
52Refer to the exhibit. A data engineer reviews an Amazon S3 server access log entry for an object upload. The log shows a status of 200 and encryption status "AES256". The company policy requires that all data be encrypted with SSE-KMS. Which action should the engineer take to enforce this policy?
53Refer to the exhibit. A data engineer runs the AWS CLI command and gets the output shown. The engineer wants to grant a data analyst read-only access to the 'sales_db' database in AWS Glue Data Catalog using IAM. Which IAM policy statement is required?
54A data engineer needs to encrypt data in transit between an Amazon RDS for MySQL instance and an application. Which solution should be used?
55A company is using AWS Lake Formation to manage access to data in a data lake stored in Amazon S3. A data engineer notices that users with SELECT permissions on a table can still query the underlying S3 data directly using Athena. What is the most likely cause?
56A data engineer is designing a data pipeline that ingests data from an on-premises system into Amazon S3 using AWS Transfer Family. The data must be encrypted at rest using a customer-managed key in AWS KMS. The S3 bucket policy must allow only encrypted connections. Which policy condition should be used?
57A company is using Amazon Redshift for data warehousing. They need to ensure that all queries are logged for audit purposes. Which AWS service should be used to capture query logs?
58A data engineer needs to share a dataset stored in Amazon S3 with another AWS account. The bucket policy currently grants access only to the owning account. What is the simplest way to grant cross-account access?
59An organization is using AWS Glue to process sensitive data. The data is stored in S3 with server-side encryption using AWS KMS (SSE-KMS). The Glue job fails with an error indicating that it cannot read the data. The IAM role used by Glue has the following policy. What is missing?
60A data engineer needs to audit all changes to IAM policies in an AWS account. Which AWS service should be used?
61A company is using Amazon S3 to store sensitive data. The security team requires that all objects be encrypted using server-side encryption with AWS KMS (SSE-KMS) and that the bucket policy denies any PutObject request that does not include the required encryption header. Which bucket policy condition should be added?
62A data engineer is setting up an Amazon EMR cluster to process sensitive data. The data is stored in S3 with SSE-S3. The company policy requires that data in transit between the EMR cluster and S3 be encrypted. Which configuration should be used?
63A data engineer needs to enforce that all data in an Amazon S3 bucket is encrypted at rest. Which of the following can be used to achieve this? (Choose TWO.)
64A company is using AWS Lake Formation to manage permissions on a data lake. Which of the following are valid ways to grant access to a user or role? (Choose THREE.)
65A data engineer is troubleshooting an Amazon Redshift cluster that is unable to access an S3 bucket for COPY operations. The cluster has an IAM role attached. Which of the following could be causing the failure? (Choose TWO.)
66The IAM policy shown in the exhibit is attached to a user. The user tries to upload an object to my-bucket using the AWS CLI without specifying encryption. What will happen?
67A data engineer runs the command shown in the exhibit to check the bucket policy. A user from another AWS account is trying to download an object using HTTP (not HTTPS). What will happen?
68A data engineer receives the error shown in the exhibit when trying to upload a file to my-bucket. The engineer uses the AWS CLI with the following command: aws s3 cp file.txt s3://my-bucket/. What is the most likely cause of the error?
69A data engineer needs to ensure that an S3 bucket is encrypted at rest using AWS KMS. The bucket policy must allow only a specific IAM role to access the bucket and enforce encryption in transit. Which combination of bucket policy statements should be used?
70A company uses AWS Lake Formation to manage permissions on a data lake in S3. A data analyst reports that queries using Amazon Athena return zero rows for a table that the analyst has been granted SELECT permission on. The table is registered in Lake Formation and uses a partition projection. What is the most likely cause?
71A data engineer needs to audit all AWS KMS key usage in the account. Which AWS service should be used to record KMS API calls?
72A company wants to enable automatic encryption for all new objects written to an S3 bucket. The bucket has existing objects that are unencrypted. Which solution meets these requirements with the least operational overhead?
73A data engineer is designing a system to handle sensitive customer data in Amazon RDS for PostgreSQL. The compliance team requires that the data be encrypted at rest and that encryption keys be rotated every 90 days. Which solution meets these requirements?
74A company uses AWS Glue to process data. The security team requires that all data in transit between AWS Glue and Amazon S3 be encrypted using TLS. Which configuration should be used?
75A data engineer is troubleshooting an Amazon Redshift cluster that is not responding to queries. The engineer suspects that the cluster may have been accidentally deleted. Which AWS service should be used to investigate the deletion?
76A company needs to share a dataset stored in an S3 bucket with a partner account. The dataset contains sensitive information, so the company wants to ensure that the partner account can only access the data using a specific VPC endpoint in the partner's account. Which S3 bucket policy condition key should be used?
77A data engineer needs to grant an IAM user the ability to view Amazon CloudWatch Logs log groups and stream log events from a specific log group. Which IAM policy action should be used?
78A company uses S3 to store sensitive data. Which TWO S3 features can be used to protect data at rest?
79A company needs to implement a data encryption strategy for data in transit between an Amazon EC2 instance and an Amazon RDS for MySQL database. Which THREE actions should be taken?
80A data engineer is designing a data lake on S3 with fine-grained access control using AWS Lake Formation. Which THREE permissions can be managed by Lake Formation?
81Refer to the exhibit. The S3 bucket policy above is applied to the bucket "example-bucket". An IAM user attempts to upload an object to the bucket without specifying any encryption header. What is the outcome?
82Refer to the exhibit. A data engineer runs the command above. The DataAdminRole is used by an application to decrypt data. The security team wants to ensure that a SecurityAdminRole can revoke the grant. What must be done to allow the SecurityAdminRole to retire the grant?
83Refer to the exhibit. An IAM policy includes the above statement to allow decryption of a KMS key under specific conditions. What does this policy allow?
84A company uses S3 to store sensitive customer data. To prevent accidental public access, a data engineer needs to ensure that all S3 buckets block public access at the account level. Which AWS service should be used to enforce this policy?
85A data engineer is designing a data lake on S3 and needs to ensure that data is encrypted at rest using customer-managed KMS keys. The engineer also needs to audit all access to the KMS keys. Which combination of services should be used?
86A company uses AWS Glue to process sensitive data. The security team requires that all data in transit between Glue and Amazon S3 be encrypted using TLS 1.2 or higher. Which configuration ensures this requirement is met?
87A data engineer needs to share a dataset from an S3 bucket in Account A with another AWS account (Account B). The data must remain encrypted at rest with KMS. Which steps are required?
88A company uses AWS Lake Formation to manage permissions on a data lake stored in S3. A data engineer notices that a new IAM user can query data via Athena but cannot see the tables in the Lake Formation console. What is the most likely cause?
89A company has a requirement to store audit logs for 7 years for compliance. The logs are stored in S3 and must be immutable. Which S3 feature should be used?
90A data engineer needs to grant an IAM user read-only access to a specific KMS key for decrypting S3 objects. Which policy element should be used?
91A company uses Amazon Redshift for data warehousing. The security team requires that all data stored in Redshift be encrypted at rest using a customer-managed KMS key. How should the data engineer configure this?
92A data engineer is troubleshooting an issue where an IAM role used by AWS Glue cannot read data from an S3 bucket encrypted with SSE-KMS. The bucket policy allows the role to perform s3:GetObject. What additional permission is needed?
93A company uses AWS CloudTrail to log all API calls. The security team wants to ensure that log files are tamper-proof and cannot be deleted. Which TWO actions should the data engineer take? (Choose TWO.)
94A company uses Amazon EMR to process sensitive data. The data engineer needs to ensure that data in transit between EMR and S3 is encrypted. Which THREE configurations achieve this? (Choose THREE.)
95A data engineer is setting up a data pipeline using AWS DMS to migrate data from an on-premises database to Amazon RDS for MySQL. The data must be encrypted in transit. Which TWO options can the engineer use? (Choose TWO.)
96Refer to the exhibit. A data engineer applies the following S3 bucket policy to an S3 bucket. What does this policy enforce?
97Refer to the exhibit. A data engineer configured CloudTrail to log data events for an S3 bucket. However, the engineer notices that no data events are being logged for objects in the 'logs/' prefix. What is the most likely reason?
98Refer to the exhibit. A data engineer creates an IAM policy for a service role used by AWS Glue. What does the condition in the policy enforce?
99A company wants to encrypt data at rest in Amazon S3 using server-side encryption. They need to manage the encryption keys themselves and rotate them annually. Which S3 encryption option should they use?
100A data engineer needs to audit all access to an S3 bucket for compliance. They want to capture object-level operations such as GetObject and PutObject, as well as bucket-level operations like ListBucket. Which AWS service should be used?
101A company uses AWS KMS to encrypt data in Amazon S3 and RDS. They need to ensure that encryption keys are automatically rotated every year. Which KMS key type supports automatic annual rotation?
102A data engineer needs to share an S3 bucket with another AWS account. They want to ensure that the objects in the bucket remain encrypted with SSE-KMS using a customer managed key. What additional step is required for cross-account access?
103A company wants to enforce that all data in Amazon S3 is encrypted at rest. They want to automatically reject any PUT request that does not include encryption headers. What S3 feature should they use?
104A company uses AWS Lake Formation to manage data lake permissions. A data engineer notices that a user can query tables in Athena even though the user does not have SELECT permission on the table in Lake Formation. What could be the cause?
105A company needs to monitor and record all changes to IAM policies in their AWS account. Which AWS service should be used?
106A data engineer wants to ensure that only users with a specific tag (e.g., "Department": "DataEngineering") can access an S3 bucket. How can this be enforced?
107A company stores sensitive data in S3 and uses VPC Endpoints to restrict access. They want to ensure that data can only be accessed from their VPC. What configuration is required?
108A data engineer needs to protect sensitive data in an S3 bucket. Which TWO AWS services can be used to detect and prevent accidental public access?
109A company uses AWS KMS to encrypt data in multiple services. They want to ensure that only specific IAM roles can decrypt data using a particular KMS key. Which THREE steps are necessary?
110A data engineer needs to securely store database credentials for an RDS instance. Which TWO AWS services can be used?
111Refer to the exhibit. A data engineer applied this bucket policy to an S3 bucket. What is the effect of this policy?
112Refer to the exhibit. A data engineer runs this CLI command to investigate a recent change to an S3 bucket policy. What information does the command return?
113Refer to the exhibit. This KMS key policy is attached to a customer managed key. A data engineer finds that the DataEngineer role can encrypt but cannot decrypt data. What is the most likely cause?
114A data engineer is configuring an S3 bucket for storing sensitive customer data. The bucket must be encrypted at rest using an AWS Key Management Service (KMS) key that is managed by the data engineering team. The team wants to ensure that only users with explicit permission can decrypt the data. Which S3 encryption option should be used?
115A company is using AWS Glue to process data stored in an S3 bucket that is encrypted with SSE-KMS. The Glue job fails with an 'Access Denied' error when trying to read the data. The IAM role used by the Glue job has permissions to read from the S3 bucket and to use the KMS key. What is the most likely cause of the failure?
116A data engineer needs to ensure that data in transit between an Amazon RDS for PostgreSQL database and an application is encrypted. Which configuration should be used?
117An organization needs to audit all access to their S3 buckets for compliance purposes. They want to log both successful and failed API calls. Which AWS service should be used?
118A company has multiple AWS accounts and wants to centrally manage permissions and access to data lakes. They have enabled AWS Organizations and want to use a single set of policies that apply to all accounts. Which policy type should be used at the organization level?
119A data engineer needs to ensure that data stored in Amazon S3 is automatically deleted after 30 days. Which S3 feature should be used?
120A company is using AWS Lake Formation to manage access to a data lake in S3. They want to grant a data analyst access to specific columns in a table, but not to the entire table. Which Lake Formation feature should be used?
121A data engineer is designing a solution to securely store and rotate database credentials used by an application. The credentials should be automatically rotated every 90 days. Which AWS service should be used?
122A data engineer needs to ensure that data in an S3 bucket is encrypted at rest. The bucket policy includes a condition that denies PutObject requests if the object is not encrypted. Which S3 encryption feature does this enforce?
123Which TWO actions should a data engineer take to protect sensitive data in an Amazon S3 bucket from being accessed by unauthorized users? (Select TWO.)
124A company must encrypt all data at rest in their Amazon RDS for MySQL instance. Which THREE steps are required to achieve this? (Select THREE.)
125Which THREE AWS services can be used to centrally manage and govern data across multiple AWS accounts? (Select THREE.)
126The IAM policy shown is attached to an IAM role. When a user assumes this role and tries to read an object in example-bucket that has no tags, what will happen?
127A data engineer uses the AWS CLI to list KMS keys and describe one. The output shows two keys. The described key has KeyState 'Enabled' and Origin 'AWS_KMS'. Which statement is true about this key?
128A data engineer runs the command shown to check the encryption configuration of an S3 bucket. The output shows SSEAlgorithm: AES256. What does this mean?
129A company uses AWS KMS to encrypt data in Amazon S3. The security team requires that all encryption keys be rotated automatically every year. Which key type should the company use?
130A data engineer needs to restrict access to an Amazon S3 bucket so that only objects encrypted with a specific AWS KMS key can be uploaded. Which S3 bucket policy condition should be used?
131A company wants to audit all changes to IAM policies in their AWS account. Which combination of services should be used to achieve this?
132A data engineer needs to allow an IAM user to rotate the secret in AWS Secrets Manager for an RDS database. Which IAM action should be included in the policy?
133A company stores sensitive data in Amazon S3. The security team requires that all data be encrypted at rest and that the encryption keys be stored in AWS CloudHSM. Which S3 encryption option should be used?
134A company wants to ensure that all S3 buckets are encrypted using server-side encryption. Which AWS service can be used to automatically remediate non-compliant buckets?
135A data engineer needs to grant cross-account access to an S3 bucket. The engineer wants to use a role in the source account and assume that role from the target account. Which permissions are required?
136A company uses Amazon Redshift for data warehousing. The security team requires that all data be encrypted at rest using a key managed by the company. Which Redshift encryption option should be used?
137A company needs to centralize audit logs from multiple AWS accounts into a single S3 bucket. Which service should be used to aggregate these logs?
138Which TWO actions are required to enforce encryption in transit for data being loaded into Amazon Redshift from Amazon S3? (Choose two.)
139A company wants to monitor and alert on any IAM user creation in their AWS account. Which THREE services should be used together to achieve this? (Choose three.)
140Which TWO AWS services can be used to protect sensitive data stored in Amazon S3 by preventing accidental public access? (Choose two.)
141A company uses AWS Glue to process sensitive customer data stored in S3. The security team requires that all data be encrypted at rest using a customer-managed KMS key and that access to the key be auditable. Which solution meets these requirements?
142A data engineer needs to share a dataset from an S3 bucket in Account A with users in Account B. The dataset must remain encrypted at rest with an S3-managed key. What is the MOST secure way to grant cross-account access?
143A company uses Redshift for analytics. The security team requires that all queries be logged and that any access to sensitive columns be blocked for non-admin users. Which combination of features should the data engineer implement?
144A data engineer is designing a data lake on S3 with sensitive data. The security policy mandates that data must be encrypted at rest and in transit, and that an inventory of all objects must be maintained for compliance. Which actions should be taken?
145A company wants to use AWS Lake Formation to manage permissions on a data lake. What is the primary benefit of using Lake Formation for data security?
146A company has an AWS Glue ETL job that reads from an RDS MySQL instance and writes to S3. The security team requires that the connection to RDS be encrypted and that credentials be rotated automatically. Which configuration should be used?
147A data engineer needs to ensure that an S3 bucket can only be accessed from a specific VPC. Which policy element should be used?
148A company uses Amazon Athena to query data in S3. The security team wants to ensure that users can only query tables they have permissions to in the AWS Glue Data Catalog. Which service should be used to manage these permissions centrally?
149A company has an S3 bucket with versioning enabled and a bucket policy that denies access if the request does not include encryption. A data engineer notices that some objects are not encrypted. What is the most likely cause?
150A data engineer is designing a data pipeline that processes PII data using AWS Glue and stores results in S3. Which TWO actions should be taken to protect the data? (Choose 2)
151A company uses Amazon Redshift for data warehousing. The security team requires that all queries be logged for audit and that sensitive columns be masked for non-privileged users. Which THREE steps should the data engineer take? (Choose 3)
152A company wants to enforce encryption in transit for data moving between an EC2 instance and an S3 bucket. Which TWO methods can achieve this? (Choose 2)
153A company runs a data lake on AWS using S3 for storage and AWS Glue for ETL. The security team discovers that a contractor who left the company two months ago still has access to an S3 bucket containing sensitive data. The access was granted via an IAM user that was not deleted. The data engineer is asked to implement a solution to prevent future occurrences. The company uses AWS Organizations and has multiple accounts. The requirement is to automatically detect and remediate IAM users that have not been used for 90 days by disabling their access keys and notifying the security team. The solution must be least privilege and use AWS-native services. Which approach should the data engineer take?
154A financial services company uses Amazon Redshift for its data warehouse. The compliance team requires that all access to the database be logged, including the SQL queries executed, and that the logs be stored in a separate S3 bucket that is encrypted with a customer-managed KMS key. Additionally, the logs must be retained for 7 years. The data engineer has enabled audit logging on the Redshift cluster and configured it to deliver logs to an S3 bucket. However, the compliance team reports that the logs are not being delivered. The S3 bucket policy allows the Redshift service to write logs. What is the most likely reason for the failure?
155A company uses Amazon S3 to store sensitive customer data. The security policy requires that all objects in the bucket be encrypted at rest using server-side encryption with a customer-managed KMS key. The data engineer has enabled default encryption on the bucket using SSE-KMS with the required KMS key. However, a security scan reveals that some objects in the bucket are not encrypted with the KMS key. The objects were uploaded before the default encryption was enabled. The data engineer needs to ensure that all objects are encrypted with the KMS key without disrupting ongoing data access. What should the data engineer do?
156A company uses AWS Glue to catalog data in Amazon S3. The security team requires that all sensitive data be identified and encrypted at rest using customer-managed KMS keys. Which combination of steps should a data engineer take to meet these requirements?
157A data engineer is setting up cross-account access to an encrypted S3 bucket. The bucket uses a customer-managed KMS key. The engineer has configured the bucket policy and the IAM role in the source account. The target account still gets access denied errors when trying to read objects. What is the most likely cause?
158A company uses Amazon RDS for MySQL with encryption at rest enabled. The security team requires that all database audit logs be stored in Amazon S3 for at least 7 years. Which AWS service should the data engineer use to collect and store the logs?
159A company has a data lake in Amazon S3 with millions of objects. The security team wants to enforce that all objects are encrypted with a specific customer-managed KMS key. The data engineer configures an S3 bucket policy to deny PutObject if the encryption is not set to that key. However, some existing objects are not encrypted with that key. What is the most efficient way to remediate the existing objects?
160A company uses AWS Lake Formation to manage permissions on a data lake. A data engineer creates a table in the Data Catalog and grants SELECT permission to a group of analysts. The analysts report they can see the table but get an AccessDenied error when querying it with Amazon Athena. What is the most likely cause?
161A data engineer needs to encrypt data at rest in Amazon S3 using server-side encryption with a customer-managed KMS key. Which TWO steps are required to ensure that the KMS key can be used for S3 object encryption?
162A company is using AWS Lake Formation to manage a data lake. The data engineer needs to set up fine-grained access control so that users can only see specific columns in a table based on their IAM role. Which THREE steps should the data engineer take?
163A company wants to audit all API calls made to Amazon S3 and Amazon RDS resources. Which TWO AWS services can be used together to achieve this?
164A data engineer needs to securely store database credentials used by an AWS Glue ETL job. Which THREE steps should the engineer take?
165A company uses Amazon Redshift for its data warehouse and needs to enforce column-level security on sensitive columns. Which TWO approaches can achieve this?
166A data engineer is designing a data pipeline that ingests customer data from an on-premises database into Amazon S3. The data contains personally identifiable information (PII). The company policy requires that all PII be masked before it is stored in S3. The pipeline uses AWS DMS for migration and AWS Glue for transformation. The engineer needs to ensure that the masking is applied consistently and that no unmasked data is written to S3. The engineer has set up DMS to replicate data to an S3 bucket, and then a Glue job reads from S3, applies masking, and writes to another S3 bucket. However, there is a risk that unmasked data in the first S3 bucket could be accessed before the Glue job runs. What should the engineer do to mitigate this risk?
167A company has a multi-account AWS environment with a centralized data lake in the Security account. Data producers in other accounts use AWS Glue to write data to S3 buckets in the Security account. The Security account uses AWS Lake Formation to manage permissions. The data engineer is setting up cross-account access so that users in the Producer account can query the data using Athena in their own account. The engineer has registered the S3 buckets and Data Catalog tables in Lake Formation. The IAM roles in the Producer account have the necessary permissions. However, when a user in the Producer account tries to query the table, they get an AccessDenied error. The error message indicates that the principal is not authorized to perform lakeformation:GetTable on the resource. What is the most likely cause?
168A company uses Amazon EMR to process large datasets stored in Amazon S3. The data is encrypted at rest using SSE-S3. The security team now requires that all data at rest be encrypted with customer-managed KMS keys (SSE-KMS). The data engineer needs to migrate existing data to use SSE-KMS without downtime. The engineer plans to use S3 Batch Operations to copy objects in place. However, the Batch Operations job fails with a KMS access denied error. The engineer has confirmed that the Batch Operations service role has the necessary KMS permissions. What is the most likely cause?
169A company uses Amazon QuickSight for data visualization. The data engineer needs to ensure that users can only see data relevant to their department. The data is stored in Amazon S3 and is accessed via SPICE. The engineer has created datasets in QuickSight and wants to implement row-level security (RLS). The dataset contains a column 'Department' that indicates which department a row belongs to. The engineer has configured RLS rules using a separate permissions dataset. However, users report that they can see all rows, not just their department's rows. What is the most likely reason?
170A company uses Amazon DynamoDB to store session data. The security team requires that all data be encrypted at rest using a customer-managed KMS key. The data engineer has enabled DynamoDB encryption with a customer-managed key. However, the security team notices that the key is not being used for all tables; some tables still use the default AWS-managed key. The engineer needs to ensure that all new tables are automatically encrypted with the customer-managed key. The company has hundreds of developers who create tables using various methods (console, CLI, SDK, CloudFormation). What is the most efficient way to enforce this policy?
171A financial services company uses AWS Glue ETL jobs to process sensitive customer data stored in Amazon S3. The data is encrypted at rest with SSE-KMS using a customer-managed key. Recently, the security team discovered that the Glue job's IAM role has an overly permissive policy that allows the 'kms:Decrypt' action for all KMS keys in the account. The company wants to follow the principle of least privilege. The Glue job runs on a schedule and reads from a specific S3 bucket. The security team needs to update the IAM policy to restrict KMS decryption to only the specific key used for that bucket. What should they do?
172A healthcare organization uses AWS Lake Formation to manage a data lake in Amazon S3. The data lake contains sensitive patient information that must be encrypted at rest. The organization uses AWS KMS with a customer-managed key (CMK) for encryption. Recently, the security team noticed that a new IAM user was able to query the data lake using Amazon Athena without explicit permissions in Lake Formation. The data lake administrator suspects that the IAM user might have been granted access through an IAM policy that allows 'lakeformation:GetDataAccess' without proper resource restrictions. The organization wants to enforce that only Lake Formation permissions control access to the data lake, and IAM policies should not grant access directly. What should they do?
173A gaming company uses Amazon Redshift for analytics. The Redshift cluster stores user data that must be encrypted at rest using a customer-managed KMS key. The company has enabled audit logging using AWS CloudTrail. The security team wants to ensure that any attempt to disable or delete the KMS key is immediately detected and triggers an automated response. They have set up a CloudWatch Events rule that triggers an SNS notification when the KMS key is scheduled for deletion. However, they also want to prevent the key from being deleted accidentally. What should they do?
174A media company stores video files in an Amazon S3 bucket. The bucket policy allows access only from a specific VPC. The company has enabled S3 Server Access Logs to monitor access. Recently, the security team found that some requests were coming from an IP address outside the allowed VPC. They suspect that the bucket policy may have an incorrect condition. What should they check first?
175A data engineering team uses AWS Glue Data Catalog to manage metadata for datasets in Amazon S3. The datasets contain personally identifiable information (PII). The team needs to implement column-level security so that only authorized users can access columns with PII. They use Amazon Athena for querying. The team has enabled AWS Lake Formation and defined data lake locations. They have created a Lake Formation tag called 'PII' and assigned it to the columns containing PII. They have also granted 'SELECT' permission on those columns to a specific IAM role. However, when a user assumes that role and queries the table using Athena, they can still see all columns, including the PII columns. What is the most likely cause?
176A company uses Amazon RDS for MySQL to store transactional data. The database contains sensitive financial information. The company's security policy requires that all data at rest be encrypted using a customer-managed KMS key. The database was originally launched without encryption at rest. The security team now needs to enable encryption without significant downtime. What should they do?
177A data engineer needs to audit all access to an S3 bucket containing sensitive customer data. The engineer must record the requester, timestamp, action, and whether the access was denied. Which AWS solution meets these requirements?
178A company uses AWS Lake Formation to manage access to data in a data lake. A new data engineer has been granted SELECT permission on a table but receives an 'AccessDeniedException' when querying via Amazon Athena. The table is registered in Lake Formation and the data is encrypted with SSE-KMS. Which of the following is the MOST likely cause?
179A data engineer needs to securely store database credentials used by a Lambda function. The solution must automatically rotate the credentials every 90 days. Which AWS service should the engineer use?
180A company has an S3 bucket policy that allows access to a specific IAM role. However, an administrator notices that requests from that role are being denied. The bucket is encrypted with AES-256. What is the MOST likely reason for the denial?
181A data engineer is designing a data pipeline that processes sensitive financial data. The data must be encrypted at rest and in transit. The pipeline uses Amazon Kinesis Data Streams to ingest data and AWS Lambda to process it. Which combination of actions ensures the data is encrypted in transit? (Select TWO.)
182A company wants to monitor and alert on unauthorized API calls in their AWS account. Which AWS service should be used to detect and notify on such events?
183A data engineer is troubleshooting an Amazon Redshift cluster that is not allowing connections from a specific IP range. The engineer verified that the cluster's security group allows inbound traffic from the IP range. What is the next step to resolve the issue?
184A company needs to enforce that all objects uploaded to an S3 bucket are encrypted at rest. Which bucket setting should be used?
185A company uses AWS Glue to run ETL jobs on data stored in S3. The data is encrypted with SSE-KMS. The Glue job fails with an 'AccessDenied' error when trying to read the data. What is the MOST likely cause?
186Refer to the exhibit. An S3 bucket policy allows the DataEngineerRole to get objects only if the request uses HTTPS. However, requests from this role are being denied even when using HTTPS. What is the MOST likely reason?
187A data engineer needs to grant an IAM user read-only access to an S3 bucket named 'data-lake'. Which IAM policy statement should be used?
188Refer to the exhibit. A data engineer runs the AWS CLI command to look up GetObject events. The output shows an event from the DataEngineer role. However, the engineer suspects that some GetObject requests are not being logged. What is the MOST likely reason?
189Refer to the exhibit. An IAM policy allows kms:Decrypt and kms:GenerateDataKey on a specific KMS key. A data engineer is unable to upload an object to an S3 bucket that uses SSE-KMS with that key. What is the MOST likely missing permission?
190A company needs to ensure that data stored in Amazon RDS is encrypted at rest. Which action should the data engineer take?
191A company uses Amazon Redshift for data warehousing. The security team requires that all data stored in Redshift be encrypted at rest. The current cluster is unencrypted. Which approach should the data engineer take to meet this requirement with minimal downtime?
192A data engineer needs to ensure that all data stored in an S3 bucket is encrypted at rest. Which S3 bucket policy condition key should be used to enforce encryption using AWS KMS?
193A company uses AWS Lake Formation to manage data lake permissions. A data analyst is unable to query a table in the data lake using Amazon Athena. The table is registered in Lake Formation, and the analyst has SELECT permission granted via Lake Formation. What is the most likely reason for the failure?
194A financial services company needs to share sensitive customer data with a third-party analytics firm. The data resides in an S3 bucket encrypted with an AWS KMS customer managed key. The third party has their own AWS account. Which combination of steps is required to securely share the data? (Choose TWO.)
195A company is designing a data lake on AWS and must comply with GDPR requirements. The company needs to implement data masking for personally identifiable information (PII) columns in Amazon Redshift. Which feature should be used?
196A data engineer needs to audit who accessed specific objects in an S3 bucket over the past 30 days. Which AWS service should be used?
197A company has an AWS Glue ETL job that reads data from an S3 bucket encrypted with SSE-S3. The job runs successfully, but the output written to another S3 bucket with SSE-KMS fails. The IAM role for the Glue job has s3:PutObject and kms:GenerateDataKey permissions. What is the most likely cause?
198A company wants to centrally manage encryption keys for multiple AWS services and automatically rotate them every year. Which AWS service should be used?
199A data engineer needs to ensure that an Amazon Redshift cluster encrypts all data at rest. Which setting must be enabled when creating the cluster?
200A company uses Amazon RDS for PostgreSQL with encryption at rest using AWS KMS. The company needs to share a database snapshot with a different AWS account. What must be done to allow the target account to restore the snapshot?
201Refer to the exhibit. Exhibit: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/DataEngineer" }, "Action": [ "kms:Decrypt", "kms:ReEncrypt*" ], "Resource": "*" } ] } A data engineer tries to encrypt data using the KMS key associated with this key policy and receives an access denied error. What is the cause?
202A data engineer runs an AWS Glue ETL job that reads from a table in the AWS Glue Data Catalog. The job fails with the error shown. The IAM role used by the Glue job has the following policy attached: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "glue:GetTable", "glue:GetDatabase" ], "Resource": "*" } ] } What should be added to the IAM role's policy to resolve the error?
203A data engineer applies the above bucket policy to an S3 bucket containing sensitive data. The goal is to allow only encrypted (HTTPS) requests. However, a user reports being able to access an object using an HTTP (non-HTTPS) request. What is the most likely reason?
204A company uses Amazon DynamoDB with encryption at rest using an AWS managed KMS key. The security team requires that the encryption key be rotated every 90 days. What should the data engineer do to meet this requirement?
205A data engineer needs to restrict access to an S3 bucket so that only users from a specific AWS account can read objects. Which S3 bucket policy element should be used?
206A company uses Amazon Kinesis Data Streams to ingest real-time data. The compliance team requires that all data in the stream be encrypted at rest. Which configuration should be enabled?
207A company has a multi-account strategy using AWS Organizations. The data engineering team needs to share a central S3 bucket across multiple accounts while maintaining fine-grained access control. Which solution should be used?
208A company needs to automate the detection of sensitive data in Amazon S3 and generate reports. Which AWS service should be used?
209A data engineer needs to ensure that an Amazon Redshift cluster only accepts encrypted connections. Which parameter should be modified?
210A company uses Amazon EMR to process data stored in S3 with server-side encryption using AWS KMS. The EMR cluster fails with a "403 Access Denied" error when reading data from S3. The IAM role for the EMR cluster has s3:GetObject and kms:Decrypt permissions. What is the most likely issue?
211A company needs to tag all resources created in a specific AWS account to enforce data governance policies. Which AWS service can automatically enforce tagging rules?
212A data engineer needs to store encryption keys used for protecting data in Amazon S3 and automatically rotate them every year. Which service should be used?
213A data engineer needs to ensure that an Amazon S3 bucket containing sensitive customer data is encrypted at rest. Which AWS service can be used to manage the encryption keys?
214A company stores sensitive data in an Amazon S3 bucket. To comply with regulations, all data must be encrypted at rest using server-side encryption. The security team wants to ensure that any attempt to upload an unencrypted object is automatically denied. Which S3 bucket policy condition should be used?
215A company uses AWS Glue to process data from Amazon S3. The data contains personally identifiable information (PII). The data engineer needs to automatically detect and mask PII fields before the data is loaded into Amazon Redshift. Which combination of AWS services should be used?
216A data engineer is setting up an Amazon RDS for MySQL database. The compliance team requires that all data at rest be encrypted. What must the engineer do to enable encryption for this database?
217A company uses Amazon S3 to store log files. The security team notices that some objects are being accessed from an unexpected AWS account. The data engineer needs to identify which specific IAM user or role is accessing the objects. Which AWS service should be used to get this information?
218A data engineer needs to share a dataset stored in an Amazon S3 bucket with another AWS account. The dataset must remain encrypted at rest using AWS KMS. The data engineer creates a bucket policy that grants the other account access to the bucket. However, the other account reports that objects appear encrypted and they cannot decrypt them. What is the most likely cause?
219A company wants to audit all changes to IAM policies in their AWS account. Which AWS service should be used to record these changes?
220A company uses Amazon Redshift for data warehousing. The security team requires that all data loading into Redshift be encrypted in transit. Which configuration ensures this requirement is met?
221A data engineer is tasked with implementing data masking for a non-production environment. The source data contains credit card numbers stored in an Amazon RDS for PostgreSQL database. The engineer wants to automatically mask the credit card numbers when copying data to the non-production database. Which AWS service can be used to achieve this?
222A company is designing a data lake on Amazon S3. The security team requires granular access control based on data classifications. Which TWO AWS services can be used together to implement attribute-based access control (ABAC) for objects in S3?
223A company needs to enforce encryption at rest for all data stored in Amazon S3. The security team wants to ensure that no objects can be uploaded without encryption. Which THREE steps should be taken to meet this requirement?
224A data engineer is setting up an Amazon Redshift cluster. Which TWO measures can be taken to secure the data at rest?
225Refer to the exhibit. A data engineer applies this S3 bucket policy to the bucket 'example-bucket'. What is the effect of this policy?
226Refer to the exhibit. A data engineer runs this AWS CLI command to execute an Athena query. What is the purpose of the EncryptionConfiguration parameter?
227Refer to the exhibit. A data engineer creates this KMS key policy. An IAM role in account 123456789012 is granted decrypt access to the key. However, when the DataAnalystRole tries to decrypt an S3 object encrypted with this key, the operation fails. What is the most likely reason?
228A company uses AWS Glue to catalog data in Amazon S3. The data includes personally identifiable information (PII). The security team requires that PII be masked when queried by users who are not data owners. Which AWS service should be used to enforce this requirement?
229A data engineer needs to ensure that an Amazon Redshift cluster encrypts data at rest using a customer-managed AWS KMS key. Which configuration step is required?
230A company runs an Amazon EMR cluster that processes sensitive data stored in Amazon S3. The security team requires that all data in transit between the EMR cluster and S3 be encrypted. Which configuration ensures this requirement is met?
231A data engineer needs to audit all access to an Amazon S3 bucket containing sensitive data. The audit must capture who accessed the bucket, from which IP address, and what actions were performed. Which AWS service should be enabled?
232A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that the KMS key can only be used from within the company's VPC. Which policy element should be added to the KMS key policy?
233A data engineer is designing a data lake on Amazon S3. The compliance team requires that objects be automatically deleted after 7 years. Additionally, objects must be transitioned to Amazon S3 Glacier Instant Retrieval after 30 days to reduce costs. Which S3 lifecycle policy configuration meets these requirements?
234A company uses AWS Glue DataBrew to clean and normalize data. The data contains sensitive columns that must be masked before being written to the output. Which DataBrew action should be applied?
235A data engineer receives an alert that an AWS KMS key has been scheduled for deletion by mistake. What is the immediate action to prevent the key from being deleted?
236A company stores data in Amazon S3 with server-side encryption using AWS KMS (SSE-KMS). The data engineer needs to give a third-party auditor read-only access to the encrypted objects. The auditor has an AWS account. Which strategy should be used?
237A company is building a data lake on AWS and must encrypt data at rest. Which services can provide server-side encryption for data stored in Amazon S3? (Choose TWO.)
238A data engineer is configuring an Amazon Redshift cluster for compliance. The cluster must encrypt data at rest and automatically rotate the encryption key every year. Which steps should the engineer take? (Choose THREE.)
239A company wants to audit API calls made to its Amazon S3 buckets. Which AWS services can be used to achieve this? (Choose TWO.)
240Refer to the exhibit. A data engineer applies this S3 bucket policy to an S3 bucket. What is the effect of this policy?
241Refer to the exhibit. A data engineer runs the commands shown. What can be determined about the key with ID 1234abcd-12ab-34cd-56ef-1234567890ab?
242Refer to the exhibit. A data engineer queries AWS CloudTrail to investigate a PutObject event. What does the exhibit reveal about the object sensitive.csv?
243A data engineer needs to ensure that all data in an S3 bucket is encrypted at rest. The bucket contains objects uploaded by various applications. What is the simplest method to enforce encryption for all new objects?
244A company uses AWS KMS to encrypt sensitive data in S3. The security team requires that the KMS key must be rotated automatically every year. Which key type should be used?
245A data engineer is troubleshooting an AWS Glue ETL job that fails with an access denied error when writing to an S3 bucket. The Glue job uses an IAM role that has an S3 bucket policy attached. The bucket policy denies access to any principal that does not use server-side encryption. What is the most likely cause of the failure?
246A company wants to audit all data access events in their S3 buckets, including who accessed objects and from which IP address. Which AWS service should be used to capture these events?
247A data engineer needs to allow a Lambda function to read data from an S3 bucket in the same account. The Lambda function's execution role has the required permissions, but access is denied. The S3 bucket has a bucket policy that explicitly denies access to any principal that is not from the organization. What is the most likely issue?
248A data engineer is designing a data lake on S3 that must be encrypted at rest using customer-managed keys in AWS KMS. The security team requires that the key be used only for S3 operations and that the key be rotated every 180 days. Which solution meets these requirements?
249A company wants to ensure that only encrypted connections are used when data is transferred to S3. Which policy condition should be used in an S3 bucket policy?
250A data engineer is configuring an S3 bucket to host sensitive data. The security policy requires that all objects be encrypted with a key that is generated and managed by the customer, and that the key be stored in AWS KMS. Which encryption option should be used?
251A data engineer is troubleshooting an ETL job that reads from an S3 bucket encrypted with SSE-KMS. The job is failing with an error indicating that the IAM role does not have permission to decrypt the data. What is the most likely missing permission?
252A data engineering team needs to encrypt data at rest in an Amazon S3 bucket that stores sensitive customer information. The team must use an AWS Key Management Service (AWS KMS) customer managed key with automatic rotation enabled. Which configuration meets these requirements?
253A company is using AWS Glue to process data stored in Amazon S3. The data includes personally identifiable information (PII) that must be masked before being written to a separate output bucket. Which AWS service or feature can be used to automatically detect and mask sensitive data in the Glue ETL job?
254A data engineer needs to audit all AWS KMS key usage events for the past 90 days to verify compliance. Which AWS service should be used?
255A company needs to enforce encryption in transit for all data moving between its Amazon S3 bucket and a fleet of Amazon EC2 instances. The data is accessed via S3 API calls over the internet. Which configuration ensures encryption in transit?
256A data engineer is designing a data lake on Amazon S3 that must comply with a regulatory requirement to prevent any data from being overwritten or deleted for 7 years after creation. Which S3 feature should be used?
257A company wants to centrally manage access to multiple AWS accounts for its data engineers. The company already uses AWS Organizations. Which AWS service should be used to define fine-grained permissions across accounts?
258A company uses Amazon RDS for MySQL to store financial data. A compliance requirement mandates that all database connections must be encrypted. Which configuration step is necessary?
259A data engineer needs to share a dataset stored in an S3 bucket with a partner AWS account. The partner should be able to read the data without needing to authenticate with the engineer's account. The engineer must not share any secret keys. Which approach should be used?
260A company uses Amazon Redshift for data warehousing. The security team requires that all data in transit between the Redshift cluster and clients be encrypted. Which feature should be enabled?
261A company needs to securely store and manage database credentials used by a data pipeline. Which AWS services can be used to store and rotate secrets automatically? (Choose TWO.)
262A data engineer needs to ensure that an S3 bucket policy follows the principle of least privilege. Which of the following are valid conditions to restrict access based on the requester's identity? (Choose THREE.)
263A company must comply with a regulation that requires logging all access to sensitive data stored in Amazon S3. Which AWS services can be used to capture and store access logs? (Choose TWO.)
264Refer to the exhibit. An S3 bucket policy is shown. A data engineer using the DataEngineerRole tries to upload an object to s3://example-bucket/data/report.csv with SSE-S3 encryption. The upload fails. What is the most likely cause?
265Refer to the exhibit. A data engineer runs the AWS CLI command shown to encrypt a file using AWS KMS. The command succeeds. Later, the engineer tries to decrypt the file using the same key but without providing an encryption context. The decryption fails. What is the most likely reason?
266Refer to the exhibit. An IAM policy is attached to a user. What is the security implication of this policy?
267A data engineer needs to ensure that an S3 bucket containing sensitive customer data is encrypted at rest. The company requires that all encryption keys be managed by AWS and rotated annually. Which encryption option meets these requirements?
268A company is using an Amazon RDS for PostgreSQL database to store personally identifiable information (PII). The security team wants to ensure that database administrators cannot view the plaintext PII data. Which solution should a data engineer implement?
269A company wants to audit all changes to IAM policies in their AWS account. Which AWS service should be used to record these changes for compliance purposes?
270A data engineer is configuring an S3 bucket policy to allow cross-account access for a partner account to read objects. The bucket is encrypted with SSE-KMS using a customer-managed key. What additional configuration is needed to allow the partner account to decrypt the objects?
271A company uses AWS Lake Formation to manage data lake permissions. The data engineer notices that a user with SELECT permission on a table can also query the underlying data in Amazon S3 directly. How can the engineer enforce that access to the S3 data is only through Lake Formation?
272A company wants to securely store database credentials used by a Lambda function. Which AWS service should be used to store and rotate the credentials automatically?
273A company is using Amazon Redshift for analytics and needs to ensure that all data is encrypted at rest. The current cluster does not have encryption enabled. What is the most efficient way to enable encryption?
274A data engineer needs to grant a data scientist access to query a Glue Data Catalog database but must prevent the data scientist from seeing the underlying S3 data locations. Which approach should be used?
275A company has an S3 bucket that stores logs for compliance. The compliance team requires that objects are retained for 7 years and cannot be deleted or overwritten. Which S3 feature should be used?
276A company needs to protect sensitive data stored in Amazon S3 from unauthorized access. Which TWO actions should the data engineer take? (Choose two.)
277A company is using AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that only specific IAM roles can decrypt the data. Which THREE steps should the data engineer take? (Choose three.)
278A company needs to audit access to their Amazon S3 buckets. Which TWO services can be used together to achieve this? (Choose two.)
279Refer to the exhibit. A data engineer has attached this KMS key policy to a customer-managed key. The policy is intended to allow the DataEngineer role to decrypt objects in S3 only when the request comes through S3. However, the role is unable to decrypt objects stored in an S3 bucket in the us-west-2 region. What is the most likely cause?
280Refer to the exhibit. A data engineer runs the above command and sees that the DataLakeAdmin role has the AmazonS3FullAccess and AWSLakeFormationDataAdmin policies attached. The engineer wants to ensure that the role can only access S3 data through Lake Formation. What should the engineer do?
281Refer to the exhibit. A data engineer checks the versioning status of an S3 bucket and sees the above output. The bucket contains critical logs that must not be permanently deleted. What should the engineer do to enhance protection against accidental or malicious deletion?
282A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which key type should be used to meet this requirement without manual intervention?
283A data engineer needs to grant an IAM role read-only access to Amazon DynamoDB tables in a specific AWS account. Which IAM policy element should be used to restrict access to only the 'GetItem' and 'Query' actions?
284A company stores sensitive customer data in an Amazon S3 bucket with versioning enabled. A data engineer accidentally deleted the current version of an object. What is the quickest way to restore the object to its previous state without additional data transfer costs?
285A data engineer is configuring an Amazon Redshift cluster to encrypt data at rest. The company policy requires that encryption keys be stored in AWS CloudHSM. Which integration should the engineer use to meet this requirement?
286A company uses AWS Lake Formation to manage data lakes on Amazon S3. The data engineer needs to grant a data analyst access to query specific columns in a table using Amazon Athena, but deny access to columns containing personally identifiable information (PII). Which Lake Formation feature should be used?
287A company is using Amazon S3 to store log files. The security team requires that all data be encrypted in transit. Which of the following ensures encryption in transit for S3?
288An organization wants to audit all API calls made to AWS services for compliance. Which AWS service should be used to capture and store these API calls?
289A data engineer is troubleshooting an issue where an Amazon Redshift query returns an error: 'ERROR: permission denied for relation table_name'. The user has been granted SELECT on the table. What is the most likely cause?
290A company is designing a data pipeline that ingests data from an on-premises database to Amazon S3. The data contains personally identifiable information (PII) that must be masked before storage. Which AWS service can be used to mask the data in transit?
291A company needs to enforce encryption at rest for all data stored in Amazon S3. Which of the following are valid methods to achieve this? (Choose TWO.)
292A data engineer is configuring a VPC for an Amazon Redshift cluster. The cluster must be accessible only from a specific on-premises network via a Direct Connect connection. Which TWO actions should the engineer take to meet this requirement? (Choose TWO.)
293A company wants to ensure that an IAM user can only launch Amazon EC2 instances of a specific instance type. Which THREE IAM policy elements are required to define this permission? (Choose THREE.)
294Refer to the exhibit. An IAM policy is attached to an IAM user. The user is trying to download an object from the S3 bucket 'example-bucket' from an IP address 10.1.1.1, but the request is denied. What is the most likely reason?
295Refer to the exhibit. A data engineer runs a CLI command to decrypt a file and receives an access denied error. The IAM user 'DataEngineer' has the following policy attached: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*" } ] } What is the most likely cause of the error?
296Refer to the exhibit. A data engineer creates an external table in AWS Glue Data Catalog pointing to an S3 bucket that contains encrypted objects (SSE-S3). The CREATE TABLE statement fails with an error. What change should be made to fix the error?
297A company uses AWS Glue to process sensitive data stored in S3. The security team requires that all data be encrypted at rest using customer-managed KMS keys. The data engineers are encountering 'Access Denied' errors when running Glue ETL jobs. What is the most likely cause?
298A company stores PII in an S3 bucket. The security team wants to use Amazon Macie to discover sensitive data. After enabling Macie, they notice that no sensitive data findings are generated. The S3 bucket is in the same account. What is the most likely reason?
299A company needs to audit all API calls made in their AWS account, including actions performed by the root user. Which AWS service should be used?
300A data engineer needs to encrypt data at rest in an Amazon Redshift cluster. The company requires that the encryption key be managed by the customer and rotated annually. Which solution meets these requirements?
The Data Security and Governance domain covers the key concepts tested in this area of the DEA-C01 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all DEA-C01 domains — no account required.
The Courseiva DEA-C01 question bank contains 300 questions in the Data Security and Governance domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Data Security and Governance domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included