Courseiva
Knowledge + Practice
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


DEA-C01 Data Security and Governance • Complete Question Bank

DEA-C01 Data Security and Governance — All Questions With Answers

Complete DEA-C01 Data Security and Governance question bank: all 333 questions with answers and detailed explanations.

333 questions · Free · No signup
Question 1 (medium, multiple choice)

A data engineer needs to ensure that an Amazon S3 bucket used for sensitive data is encrypted at rest using a customer-managed AWS KMS key. The bucket policy must enforce encryption for all PUT requests. Which policy statement should be added to the bucket policy?

Question 2 (easy, multiple choice)

A company uses AWS Glue to process sensitive data stored in Amazon S3. The security team requires that all data in transit between AWS Glue and S3 be encrypted. Which configuration should be used to meet this requirement?

Question 3 (hard, multiple choice)

A data engineer is troubleshooting an AWS Lake Formation permissions issue. A user is able to query an Amazon Athena table but cannot see the underlying S3 data in the AWS Glue Data Catalog. The user has been granted SELECT permission on the table in Lake Formation. What is the most likely cause?

Question 4 (medium, multi select)

A company uses Amazon Redshift to store customer data. The security team requires that all queries are logged for auditing purposes. Which combination of steps should be taken to meet this requirement? (Select TWO.)

Question 5 (medium, multi select)

A company is designing a data lake on Amazon S3. The security policy requires that all data be encrypted at rest using AWS KMS with automatic key rotation. Which encryption options meet these requirements? (Select THREE.)

Question 6 (hard, multiple choice)

Refer to the exhibit. A data engineer is running an AWS Glue job that reads from an S3 bucket encrypted with a customer-managed KMS key. The job fails with the error shown. What is the most likely cause?

Exhibit

Error from AWS Glue job:
```
ERROR: An error occurred while calling o75.pyWriteDynamicFrame.
Access Denied. User: arn:aws:sts::123456789012:assumed-role/GlueServiceRole/i-abc123 is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:us-east-1:123456789012:key/mrk-1234567890 because no identity-based policy allows the kms:Decrypt action
```
Question 7 (easy, multiple choice)

Refer to the exhibit. A security analyst is reviewing CloudTrail logs and notices a PutObject event to the 'company-data-lake' bucket. The bucket policy requires all objects to be encrypted with SSE-KMS. What should the analyst conclude?

Exhibit

AWS CloudTrail log entry:
```
{
  "eventVersion": "1.08",
  "userIdentity": {
    "arn": "arn:aws:iam::123456789012:user/DataEngineer",
    "principalId": "AIDACKCEVSQ6C2EXAMPLE"
  },
  "eventTime": "2023-09-15T14:30:00Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "PutObject",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.5",
  "userAgent": "[S3Console]",
  "requestParameters": {
    "bucketName": "company-data-lake",
    "key": "sensitive/customer-data.csv",
    "x-amz-server-side-encryption": "AES256"
  },
  "responseElements": null,
  "additionalEventData": {
    "AuthenticationMethod": "AuthHeader"
  }
}
```
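Question 7's exhibit is a single CloudTrail record; in practice the same check is run over a whole trail. The following is an added example, not code from the page or from AWS: it loads a small constructed batch of S3 data-event records (the first is the exhibit, the others are made up for illustration) and reports every object write whose requested server-side encryption is missing or is not the required algorithm. The record shapes follow CloudTrail's S3 data-event format; the sample principals and object keys are assumptions.

```python
"""Flag S3 object writes in CloudTrail that did not request the required SSE.

Added example for the page's CloudTrail exhibit (question 7). The trail below
is constructed: record 1 is the exhibit, records 2-4 are made up so that a
compliant write, a write with no encryption header and a read are all present.
"""
import json

REQUIRED_SSE = "aws:kms"
SSE_KEY = "x-amz-server-side-encryption"
# S3 data-event names that create or replace object content.
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload"}

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "eventTime": "2023-09-15T14:30:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/DataEngineer"},
     "requestParameters": {"bucketName": "company-data-lake",
                           "key": "sensitive/customer-data.csv",
                           SSE_KEY: "AES256"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "eventTime": "2023-09-15T14:31:00Z",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/GlueServiceRole/job"},
     "requestParameters": {"bucketName": "company-data-lake",
                           "key": "curated/part-0000.parquet",
                           SSE_KEY: "aws:kms",
                           "x-amz-server-side-encryption-aws-kms-key-id":
                               "arn:aws:kms:us-east-1:123456789012:key/mrk-1234567890"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "eventTime": "2023-09-15T14:32:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/DataEngineer"},
     "requestParameters": {"bucketName": "company-data-lake", "key": "raw/upload.csv"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "eventTime": "2023-09-15T14:33:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/Analyst"},
     "requestParameters": {"bucketName": "company-data-lake", "key": "raw/upload.csv"}},
]})


def find_noncompliant_writes(trail_json, required=REQUIRED_SSE, bucket=None):
    """Return one finding per S3 object write whose SSE header is missing or
    differs from `required`. Reads and non-S3 events are ignored; `bucket`
    optionally restricts the scan to one bucket."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in WRITE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        if bucket and params.get("bucketName") != bucket:
            continue
        sse = params.get(SSE_KEY)
        if sse == required:
            continue
        findings.append({
            "time": rec["eventTime"],
            "principal": rec["userIdentity"]["arn"],
            "object": f"s3://{params.get('bucketName')}/{params.get('key')}",
            "encryption": sse or "none requested",
        })
    return findings


if __name__ == "__main__":
    for f in find_noncompliant_writes(SAMPLE_TRAIL):
        print(f"{f['time']} {f['principal']} wrote {f['object']} with {f['encryption']}")
```

The header records what the caller asked for, not what S3 stored: with bucket default encryption enabled, an upload that omitted the header is still encrypted at rest, so confirm the stored state with `aws s3api head-object` before treating a finding as an incident. Object-level S3 calls appear in CloudTrail only when data events are enabled for the bucket or trail.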
Question 8 (medium, multiple choice)

A company is using Amazon Redshift Spectrum to query data in Amazon S3. The S3 bucket uses SSE-KMS encryption. The Redshift cluster has an IAM role that allows access to S3 and KMS. However, queries fail with an 'Access Denied' error. What is the most likely cause?

Question 9 (hard, multiple choice)

A company is using Amazon EMR to process data stored in Amazon S3. The S3 bucket is configured with a bucket policy that denies access unless the request includes a specific tag. The EMR cluster's IAM role has s3:GetObject permission. However, the EMR job fails to read data from S3. What is the most likely cause?

Question 10 (medium, multiple choice)

A company uses AWS Lake Formation to manage data lake permissions. The data lake contains sensitive customer data in the 'customer' database. The security team wants to ensure that only users with a specific tag 'access_level=analyst' can query the 'customer' table. Which combination of steps should the data engineer take to enforce this?

Question 11 (hard, multiple choice)

A financial services company uses AWS KMS to encrypt data in Amazon S3. The compliance team requires that all encryption keys be rotated automatically every 365 days. The data engineer needs to implement this requirement without manual intervention. Which solution meets the requirement with the LEAST operational overhead?

Question 12 (easy, multiple choice)

A data engineer is configuring AWS Glue jobs to access data stored in Amazon S3. The data is encrypted using server-side encryption with AWS KMS (SSE-KMS). The Glue job needs to read and write data to the S3 bucket. Which IAM policy statement should be added to the Glue job's IAM role to allow it to use the KMS key?

Question 13 (hard, multiple choice)

Refer to the exhibit. A data engineer is troubleshooting a permissions issue. The IAM role 'DataEngineerRole' is used by an AWS Glue job that needs to read data from an S3 bucket encrypted with a customer managed KMS key. The above key policy is attached to the KMS key. The Glue job fails with an AccessDenied error when trying to read the data. What is the MOST likely cause?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/DataEngineerRole"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "kms:*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Question 14 (medium, multi select)

A company is building a data pipeline that ingests sensitive customer data from an on-premises database into Amazon S3 using AWS DMS. The data must be encrypted at rest in S3 and in transit. The security team requires that the encryption keys be managed by the company (not AWS). Which TWO actions should the data engineer take to meet these requirements? (Choose TWO.)

Question 15 (hard, multi select)

A data engineer is designing a data lake on Amazon S3 with AWS Lake Formation. The data lake contains personally identifiable information (PII). The company has a policy that only users who have completed data privacy training can access the PII data. The training status is stored in an external identity provider (IdP) as an attribute. The data engineer needs to enforce this policy using Lake Formation. Which THREE steps should the data engineer take? (Choose THREE.)

Question 16 (medium, multiple choice)

A healthcare company uses AWS Glue to process patient data stored in Amazon S3. The data is encrypted at rest using SSE-KMS with a customer managed key. The Glue ETL job runs on a schedule and reads from an S3 bucket, transforms the data, and writes to another S3 bucket also encrypted with the same KMS key. Recently, the security team rotated the KMS key. After the rotation, the Glue job started failing with 'AccessDenied' errors when trying to read from the source bucket. The Glue job's IAM role has permissions to use the KMS key (kms:Decrypt, kms:GenerateDataKey). The S3 bucket policies allow the role to read/write. What is the MOST likely cause of the failure?

Question 17 (medium, multi select)

A data engineer is configuring a data lake on Amazon S3 that contains sensitive customer information. The company requires that all access to this data be logged and monitored, and that any data shared with external partners must be anonymized before leaving the S3 bucket. Which combination of AWS services should the engineer use to meet these requirements? (Choose THREE.)

Question 18 (hard, multiple choice)

Refer to the exhibit. A data engineer applies this bucket policy to an S3 bucket named my-data-bucket. The bucket contains sensitive data. The company's security team reports that data was accessed from an IP address outside the allowed range. What is the MOST likely reason that the policy failed to block the unauthorized access?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-data-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-data-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Question 19 (easy, multiple choice)

A financial services company uses AWS Glue ETL jobs to process credit card transaction data stored in Amazon S3. The data includes PII such as names and credit card numbers. The security team requires that all PII be masked before the data is written to the curated zone of the data lake. The data engineer has implemented a Glue job that reads from the raw zone, applies a custom transform to mask credit card numbers using a regular expression, and writes to the curated zone. However, during a recent audit, the security team discovered that some masked data still contained partial credit card numbers (e.g., showing the last four digits) when viewed by analysts who should only see masked data. The company's policy is that credit card numbers must be completely masked, showing only asterisks or a fixed string like "XXXX-XXXX-XXXX-XXXX". The Glue job uses a DynamicFrame and applies a Map transform with a Python function that replaces digits with 'X'. The data is stored in Parquet format. What should the data engineer do to ensure complete masking of credit card numbers?
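The masking defect in question 19 is the classic one: a transform that keeps the last four digits, or that only recognises an unbroken 16-digit run, leaves partial card numbers in the curated zone. The following is an added example, not code from the page or from the Glue job it describes; it is the plain Python that a Glue Map transform would call per record. It puts the weak "keep the last four" masker beside one that replaces the whole Luhn-valid number with a fixed token, and adds the audit check the security team could run over the curated output. The separator handling, the Luhn filter and the sample rows are this example's own assumptions.

```python
"""Credit-card (PAN) masking for a Glue Map transform, as plain Python.

Added example for question 19. It contrasts the common "keep the last four"
masker (the behaviour the audit flagged) with a masker that replaces the whole
number with a fixed token, and includes the check an auditor would run.
"""
import re

FIXED_TOKEN = "XXXX-XXXX-XXXX-XXXX"

# 13 to 19 digits, each pair optionally split by one space or hyphen, and not
# embedded in a longer digit run (so a 20-digit identifier is never clipped).
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_keep_last4(text: str) -> str:
    """The weak masker: leaves the last four digits visible and only handles an
    unbroken 16-digit run, so '4111 1111 1111 1111' passes through untouched."""
    return re.sub(r"(?<!\d)\d{12}(\d{4})(?!\d)", r"XXXX-XXXX-XXXX-\1", text)


def mask_pans(text: str, token: str = FIXED_TOKEN) -> str:
    """Replace every Luhn-valid PAN, with or without separators, by `token`."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return token if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


def leaks_pan_digits(original: str, masked: str) -> bool:
    """Audit check: does any PAN in `original` leave four or more of its own
    consecutive digits visible in `masked`? Conservative: it flags for review
    and may also trip on unrelated digits that happen to coincide."""
    visible = re.sub(r"[ -]", "", masked)
    for m in PAN_RE.finditer(original):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            continue
        for i in range(len(digits) - 3):
            if digits[i:i + 4] in visible:
                return True
    return False


# Constructed rows: 4111111111111111 and 5500000000000004 are the usual test
# numbers; 1234567890123456 is a 16-digit non-card value that must survive.
SAMPLE_ROWS = [
    "txn 1001 card 4111111111111111 amount 42.10",
    "txn 1002 card 4111-1111-1111-1111 amount 9.99",
    "txn 1003 card 5500 0000 0000 0004 amount 120.00",
    "txn 1004 ref 1234567890123456 amount 3.50",
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        weak, strong = mask_keep_last4(row), mask_pans(row)
        print(f"weak:   {weak}  leaks={leaks_pan_digits(row, weak)}")
        print(f"strong: {strong}  leaks={leaks_pan_digits(row, strong)}")
```

Because Parquet stores the masked string, nothing downstream can recover the digits once the whole match is replaced; the Luhn filter keeps legitimate long identifiers readable, at the cost of leaving a mistyped card number unmasked, which is the trade-off to decide on before deploying.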

Question 20 (medium, drag order)

Order the steps to migrate an on-premises database to Amazon RDS using AWS DMS.

Question 21 (medium, drag order)

Arrange the steps to implement data encryption at rest for an Amazon Redshift cluster using AWS KMS.

Question 22 (medium, matching)

Match each AWS storage class to its description.

Descriptions:

Frequent access, low latency

Auto-moves data between tiers

Archive retrieval in minutes to hours

Lowest cost, 12-hour retrieval

Infrequent access, single AZ

Question 23 (medium, matching)

Match each AWS networking concept to its definition.

Definitions:

Virtual private cloud isolated network

Segment of VPC IP address range

Stateful firewall for instances

Stateless firewall for subnets

Enables VPC to internet communication

Question 24 (medium, multiple choice)

A data engineer is configuring S3 bucket policies to restrict access to a specific VPC. Which condition key should be used in the bucket policy to enforce that requests originate only from the desired VPC?

Question 25 (hard, multiple choice)

A company uses AWS KMS to encrypt sensitive data stored in S3. To meet compliance requirements, they need to ensure that the encryption keys are automatically rotated every year. Which type of KMS key should they use?

Question 26 (easy, multiple choice)

A data engineer needs to audit data access events in Amazon S3. Which AWS service should be used to record and monitor API calls for S3 buckets?

Question 27 (medium, multiple choice)

A team is designing a data lake on S3 and needs to enforce encryption at rest. They want to use server-side encryption with a KMS key that they manage. Which encryption option should they configure on the S3 bucket?

Question 28 (hard, multiple choice)

A company stores sensitive data in S3 and uses VPC endpoints to access the bucket. They need to ensure that only traffic from their VPC can access the data, and that the traffic cannot leave the AWS network. Which combination of bucket policy and endpoint policy should they use?

Question 29 (easy, multiple choice)

A data engineer needs to ensure that an S3 bucket is not publicly accessible. Which S3 block public access setting should be applied to achieve this?

Question 30 (medium, multiple choice)

A company wants to grant cross-account access to an S3 bucket without using IAM roles. The data engineer needs to write a bucket policy that allows another AWS account to list objects. Which Principal should be specified in the bucket policy?

Question 31 (hard, multiple choice)

A data engineer notices that an S3 bucket policy allows access to a user from another AWS account, but the access is being denied. What could be the reason?

Question 32 (easy, multiple choice)

A company needs to encrypt data in transit between an EC2 instance and an S3 bucket. Which method should be used?

Question 33 (medium, multi select)

A data engineer is designing a data pipeline that processes PII data in AWS Glue. They need to ensure data is encrypted at rest and in transit. Which TWO actions should they take? (Choose TWO.)

Question 34 (hard, multi select)

A company wants to implement least privilege access for its data lake on S3. Which THREE practices should be followed? (Choose THREE.)

Question 35 (easy, multi select)

A data engineer needs to audit data access in Amazon S3 for compliance. Which TWO services can be used to capture and analyze S3 access logs? (Choose TWO.)

Question 36 (hard, multiple choice)

Refer to the exhibit. A data engineer attached this S3 bucket policy to the bucket 'example-bucket'. What is the effect of this policy?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
```
Question 37 (medium, multiple choice)

Refer to the exhibit. The exhibit shows output from AWS CLI commands. Which key can be used to enable automatic annual rotation?

Exhibit

```
$ aws kms list-keys
{
  "Keys": [
    {
      "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
      "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    {
      "KeyId": "5678efgh-34ij-56kl-78mn-9012345678op",
      "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/5678efgh-34ij-56kl-78mn-9012345678op"
    }
  ]
}
$ aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --query 'KeyMetadata.KeyManager'
"CUSTOMER"
$ aws kms describe-key --key-id 5678efgh-34ij-56kl-78mn-9012345678op --query 'KeyMetadata.KeyManager'
"AWS"
```
Question 38 (easy, multiple choice)

Refer to the exhibit. An IAM policy includes this statement. What access does it grant?

Exhibit

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
```
Question 39 (easy, multiple choice)

A data engineer needs to ensure that all data in an S3 bucket is encrypted at rest. The bucket currently contains unencrypted objects from past uploads. Which action will encrypt these existing objects without re-uploading them?

Question 40 (medium, multiple choice)

A company uses AWS Glue to process sensitive customer data stored in S3. The data engineer must ensure that the Glue ETL jobs do not write any data to S3 buckets that lack encryption. Which approach meets this requirement?

Question 41 (hard, multiple choice)

A company uses AWS Lake Formation to manage access to data in a data lake. The data engineer needs to grant a user the ability to query tables in the 'sales' database using Amazon Athena, but only when the user's IP address is within the corporate network (10.0.0.0/8). Which combination of actions should the data engineer take?

Question 42 (medium, multiple choice)

A data engineer is designing a data pipeline that ingests personally identifiable information (PII) into Amazon Redshift. The engineer needs to ensure that only authorized users can view the data, and that all queries are logged for auditing. Which combination of AWS services should the engineer use?

Question 43 (easy, multiple choice)

A company wants to enforce that all data written to an S3 bucket is encrypted with a customer-managed AWS KMS key. The data engineer has created the KMS key and attached an S3 bucket policy. However, users are still able to upload objects without specifying the KMS key. What is the most likely cause?

Question 44 (hard, multiple choice)

A company uses Amazon RDS for PostgreSQL to store financial data. The security team requires that all database connections be encrypted in transit and that the database audit logs be stored in Amazon S3 for at least 7 years. Which steps should the data engineer take to meet these requirements?

Question 45 (medium, multiple choice)

A data engineer is troubleshooting an issue where an AWS Glue ETL job fails when trying to read data from an S3 bucket encrypted with SSE-KMS. The job has an IAM role that includes `kms:Decrypt` permission. What is the most likely reason for the failure?

Question 46 (hard, multiple choice)

A company uses Amazon DynamoDB to store session data. The security team requires that all data be encrypted at rest using a customer-managed KMS key. The data engineer has enabled encryption with a KMS key, but discovers that old data remains encrypted with the previous AWS-managed key. How can the engineer re-encrypt all existing data with the new key?

Question 47 (easy, multiple choice)

A data engineer needs to grant an IAM user access to query a specific table in Amazon Athena, but the user should not be able to view other tables in the same database. Which method should the engineer use?

Question 48 (medium, multi select)

A company stores sensitive data in Amazon S3. The data engineer needs to implement a solution that automatically detects and redacts PII in new objects as they are uploaded. Which TWO AWS services should be used together?

Question 49 (hard, multi select)

A company uses AWS KMS to encrypt data in Amazon Redshift. The data engineer needs to rotate the customer-managed KMS key annually. Which TWO actions must be taken to successfully rotate the key without data loss?

Question 50 (easy, multi select)

A data engineer is designing a data lake on Amazon S3 that must comply with GDPR. The engineer needs to ensure that individuals can request deletion of their personal data. Which THREE AWS services can be used together to automate the deletion of specific records?

Question 51 (medium, multiple choice)

Refer to the exhibit. A data engineer attaches this bucket policy to an S3 bucket. A developer tries to upload an object to the bucket using the AWS CLI with the command: `aws s3 cp file.txt s3://my-bucket/`. The upload fails. What is the most likely reason?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```
Question 52 (hard, multiple choice)

Refer to the exhibit. A data engineer reviews an Amazon S3 server access log entry for an object upload. The log shows a status of 200 and encryption status "AES256". The company policy requires that all data be encrypted with SSE-KMS. Which action should the engineer take to enforce this policy?

Exhibit

```
2023-03-15T10:00:00Z  my-bucket  [13.48.75.23]  arn:aws:sts::123456789012:assumed-role/DataAccessRole/JohnDoe  6F8C7A2B  REST.PUT.OBJECT  report.pdf  "200"  256  "-"  "-"  "AES256"  "-"
```
Question 53 (medium, multiple choice)

Refer to the exhibit. A data engineer runs the AWS CLI command and gets the output shown. The engineer wants to grant a data analyst read-only access to the 'sales_db' database in AWS Glue Data Catalog using IAM. Which IAM policy statement is required?

Exhibit

```
$ aws glue get-databases --region us-east-1
{
  "DatabaseList": [
    {
      "Name": "sales_db",
      "Description": "Sales data",
      "LocationUri": "s3://data-lake-sales/"
    }
  ]
}
```
Question 54 (easy, multiple choice)

A data engineer needs to encrypt data in transit between an Amazon RDS for MySQL instance and an application. Which solution should be used?

Question 55 (medium, multiple choice)

A company is using AWS Lake Formation to manage access to data in a data lake stored in Amazon S3. A data engineer notices that users with SELECT permissions on a table can still query the underlying S3 data directly using Athena. What is the most likely cause?

Question 56 (hard, multiple choice)

A data engineer is designing a data pipeline that ingests data from an on-premises system into Amazon S3 using AWS Transfer Family. The data must be encrypted at rest using a customer-managed key in AWS KMS. The S3 bucket policy must allow only encrypted connections. Which policy condition should be used?

Question 57 (easy, multiple choice)

A company is using Amazon Redshift for data warehousing. They need to ensure that all queries are logged for audit purposes. Which AWS service should be used to capture query logs?

Question 58 (medium, multiple choice)

A data engineer needs to share a dataset stored in Amazon S3 with another AWS account. The bucket policy currently grants access only to the owning account. What is the simplest way to grant cross-account access?

Question 59 (hard, multiple choice)

An organization is using AWS Glue to process sensitive data. The data is stored in S3 with server-side encryption using AWS KMS (SSE-KMS). The Glue job fails with an error indicating that it cannot read the data. The IAM role used by Glue has the following policy. What is missing?

Question 60 (easy, multiple choice)

A data engineer needs to audit all changes to IAM policies in an AWS account. Which AWS service should be used?

Question 61 (medium, multiple choice)

A company is using Amazon S3 to store sensitive data. The security team requires that all objects be encrypted using server-side encryption with AWS KMS (SSE-KMS) and that the bucket policy denies any PutObject request that does not include the required encryption header. Which bucket policy condition should be added?

Question 62 (hard, multiple choice)

A data engineer is setting up an Amazon EMR cluster to process sensitive data. The data is stored in S3 with SSE-S3. The company policy requires that data in transit between the EMR cluster and S3 be encrypted. Which configuration should be used?

Question 63 (easy, multi select)

A data engineer needs to enforce that all data in an Amazon S3 bucket is encrypted at rest. Which of the following can be used to achieve this? (Choose TWO.)

Question 64 (medium, multi select)

A company is using AWS Lake Formation to manage permissions on a data lake. Which of the following are valid ways to grant access to a user or role? (Choose THREE.)

Question 65 (hard, multi select)

A data engineer is troubleshooting an Amazon Redshift cluster that is unable to access an S3 bucket for COPY operations. The cluster has an IAM role attached. Which of the following could be causing the failure? (Choose TWO.)

Question 66 (medium, multiple choice)

The IAM policy shown in the exhibit is attached to a user. The user tries to upload an object to my-bucket using the AWS CLI without specifying encryption. What will happen?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
```
Question 67 (hard, multiple choice)

A data engineer runs the command shown in the exhibit to check the bucket policy. A user from another AWS account is trying to download an object using HTTP (not HTTPS). What will happen?

Exhibit

```
$ aws s3api get-bucket-policy --bucket my-bucket
{
  "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::my-bucket/*\"],\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}}]}"
}
```
Question 68 (medium, multiple choice)

A data engineer receives the error shown in the exhibit when trying to upload a file to my-bucket. The engineer uses the AWS CLI with the following command: aws s3 cp file.txt s3://my-bucket/. What is the most likely cause of the error?

Exhibit

```
ERROR: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
```

Bucket policy snippet:

```json
{
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::my-bucket/*",
  "Condition": {
    "StringNotEquals": {
      "s3:x-amz-server-side-encryption": "aws:kms"
    }
  }
}
```
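The bucket and IAM policy exhibits in questions 18, 36, 38, 51, 66, 67 and 68 all turn on the same evaluation rules: an explicit Deny wins over everything, a StringEquals or Bool condition whose key is absent from the request does not match, the Null operator tests presence, and an Allow with an IP condition grants nothing to other addresses but also denies nothing. The following is an added example, not code from the page or from AWS: a deliberately small evaluator for just those operators, run against three of the exhibits transcribed as Python dicts. The request contexts and the `allowed_elsewhere` switch, which stands in for an identity policy that is not shown in the exhibit, are this example's own assumptions; Principal matching is not modelled.

```python
"""Tiny evaluator for the S3 bucket-policy and IAM-policy exhibits on this page.

Added example (not from the page or AWS). It implements only the condition
operators the exhibits use and IAM's decision order for them: an explicit Deny
always wins, then any matching Allow, otherwise the request is implicitly
denied. Every request is assumed to come from a principal the statements cover.
"""
import ipaddress
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob(value, pattern):
    # IAM action names are case-insensitive; ARNs use the same * and ? wildcards.
    return fnmatchcase(value.lower(), pattern.lower())


def condition_matches(operator, key, expected, ctx):
    """Evaluate one condition key against the request-context dict `ctx`."""
    present = key in ctx
    actual = str(ctx.get(key, ""))
    exp = [str(e) for e in _as_list(expected)]
    if operator == "Null":
        # "true" matches when the key is ABSENT from the request, "false" when present.
        return present != (exp[0].lower() == "true")
    if operator.endswith("IfExists"):
        if not present:
            return True                     # missing key: condition is satisfied
        operator = operator[: -len("IfExists")]
    if operator == "StringEquals":
        return present and actual in exp
    if operator == "StringNotEquals":
        # Negated operator: treated as matching when the key is absent (the
        # exhibits' Null statements make the missing-header case explicit anyway).
        return (not present) or actual not in exp
    if operator == "Bool":
        return present and actual.lower() == exp[0].lower()
    if operator in ("IpAddress", "NotIpAddress"):
        in_range = present and any(
            ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in exp)
        return in_range if operator == "IpAddress" else not in_range
    raise ValueError(f"unsupported operator: {operator}")


def evaluate(policies, action, resource, ctx, allowed_elsewhere=False):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    allowed_elsewhere models an Allow granted by a policy not shown here, e.g.
    the caller's identity policy in the same account (an assumption of this
    example, not something in the exhibits)."""
    allowed = allowed_elsewhere
    for policy in policies:
        for st in policy["Statement"]:
            if not any(_glob(action, a) for a in _as_list(st["Action"])):
                continue
            if not any(_glob(resource, r) for r in _as_list(st["Resource"])):
                continue
            conds = st.get("Condition", {})
            if not all(condition_matches(op, k, v, ctx)
                       for op, kv in conds.items() for k, v in kv.items()):
                continue
            if st["Effect"] == "Deny":
                return "Deny"               # explicit deny ends evaluation
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# The page's exhibits, transcribed as dicts.
ENC_HDR = "s3:x-amz-server-side-encryption"
REQUIRE_KMS_BUCKET_POLICY = {"Statement": [                      # question 51
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"StringNotEquals": {ENC_HDR: "aws:kms"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"Null": {ENC_HDR: "true"}}}]}
IP_ALLOW_BUCKET_POLICY = {"Statement": [                         # question 18
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-data-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/24"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::my-data-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
SSE_S3_ONLY_IDENTITY_POLICY = {"Statement": [                    # question 66
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
     "Condition": {"StringEquals": {ENC_HDR: "AES256"}}}]}

PUT = ("s3:PutObject", "arn:aws:s3:::my-bucket/file.txt")
GET = ("s3:GetObject", "arn:aws:s3:::my-data-bucket/report.csv")

if __name__ == "__main__":
    # `aws s3 cp` without --sse sends no encryption header: question 51 denies it.
    print(evaluate([REQUIRE_KMS_BUCKET_POLICY], *PUT, {}, allowed_elsewhere=True))
    # Question 18: an out-of-range address over TLS is not denied, merely not granted here.
    print(evaluate([IP_ALLOW_BUCKET_POLICY], *GET,
                   {"aws:SourceIp": "198.51.100.7", "aws:SecureTransport": "true"},
                   allowed_elsewhere=True))
```

Running it shows why question 51 carries a second statement: with the header absent, the Null condition matches explicitly and does not depend on how the negated operator treats a missing key. It also shows why question 18's policy could never have blocked the out-of-range address: the policy only adds an Allow, so any Allow elsewhere (`allowed_elsewhere=True`) still wins, whereas the aws:SecureTransport Deny does block plain HTTP from every address. Principal matching and the remaining IAM operators are out of scope; the IAM policy simulator remains the authority.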
Question 69 (medium, multiple choice)

A data engineer needs to ensure that an S3 bucket is encrypted at rest using AWS KMS. The bucket policy must allow only a specific IAM role to access the bucket and enforce encryption in transit. Which combination of bucket policy statements should be used?

Question 70 (hard, multiple choice)

A company uses AWS Lake Formation to manage permissions on a data lake in S3. A data analyst reports that queries using Amazon Athena return zero rows for a table that the analyst has been granted SELECT permission on. The table is registered in Lake Formation and uses a partition projection. What is the most likely cause?

Question 71 (easy, multiple choice)

A data engineer needs to audit all AWS KMS key usage in the account. Which AWS service should be used to record KMS API calls?

Question 72 (medium, multiple choice)

A company wants to enable automatic encryption for all new objects written to an S3 bucket. The bucket has existing objects that are unencrypted. Which solution meets these requirements with the least operational overhead?

Question 73 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer is designing a system to handle sensitive customer data in Amazon RDS for PostgreSQL. The compliance team requires that the data be encrypted at rest and that encryption keys be rotated every 90 days. Which solution meets these requirements?

Question 74 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A company uses AWS Glue to process data. The security team requires that all data in transit between AWS Glue and Amazon S3 be encrypted using TLS. Which configuration should be used?

Question 75 (medium, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer is troubleshooting an Amazon Redshift cluster that is not responding to queries. The engineer suspects that the cluster may have been accidentally deleted. Which AWS service should be used to investigate the deletion?

Question 76 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A company needs to share a dataset stored in an S3 bucket with a partner account. The dataset contains sensitive information, so the company wants to ensure that the partner account can only access the data using a specific VPC endpoint in the partner's account. Which S3 bucket policy condition key should be used?

Question 77 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer needs to grant an IAM user the ability to view Amazon CloudWatch Logs log groups and stream log events from a specific log group. Which IAM policy action should be used?

Question 78 (medium, multi select)
Read the full Data Security and Governance explanation →

A company uses S3 to store sensitive data. Which TWO S3 features can be used to protect data at rest?

Question 79 (hard, multi select)
Read the full Data Security and Governance explanation →

A company needs to implement a data encryption strategy for data in transit between an Amazon EC2 instance and an Amazon RDS for MySQL database. Which THREE actions should be taken?

Question 80 (medium, multi select)
Read the full Data Security and Governance explanation →

A data engineer is designing a data lake on S3 with fine-grained access control using AWS Lake Formation. Which THREE permissions can be managed by Lake Formation?

Question 81 (medium, multiple choice)
Read the full Data Security and Governance explanation →

Refer to the exhibit. The S3 bucket policy shown in the exhibit is applied to the bucket "example-bucket". An IAM user attempts to upload an object to the bucket without specifying any encryption header. What is the outcome?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
Question 82 (hard, multiple choice)
Read the full Data Security and Governance explanation →

Refer to the exhibit. A data engineer runs the command shown in the exhibit. The DataAdminRole is used by an application to decrypt data. The security team wants to ensure that a SecurityAdminRole can revoke the grant. What must be done to allow the SecurityAdminRole to retire the grant?

Exhibit

$ aws kms list-grants --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
  "Grants": [
    {
      "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
      "GrantId": "abc123",
      "GranteePrincipal": "arn:aws:iam::111122223333:role/DataAdminRole",
      "Operations": ["Decrypt", "Encrypt"],
      "RetiringPrincipal": "arn:aws:iam::111122223333:role/SecurityAdminRole"
    }
  ]
}
Question 83 (easy, multiple choice)
Read the full Data Security and Governance explanation →

Refer to the exhibit. An IAM policy includes the above statement to allow decryption of a KMS key under specific conditions. What does this policy allow?

Exhibit

{
  "Effect": "Allow",
  "Action": ["kms:Decrypt"],
  "Resource": "*",
  "Condition": {
    "ForAnyValue:StringEquals": {
      "kms:EncryptionContextKeys": ["service", "aws:pi"]
    },
    "StringEquals": {
      "kms:EncryptionContext:aws:pi": "db-123"
    }
  }
}
Question 84 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A company uses S3 to store sensitive customer data. To prevent accidental public access, a data engineer needs to ensure that all S3 buckets block public access at the account level. Which AWS service should be used to enforce this policy?

Question 85 (medium, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer is designing a data lake on S3 and needs to ensure that data is encrypted at rest using customer-managed KMS keys. The engineer also needs to audit all access to the KMS keys. Which combination of services should be used?

Question 86 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A company uses AWS Glue to process sensitive data. The security team requires that all data in transit between Glue and Amazon S3 be encrypted using TLS 1.2 or higher. Which configuration ensures this requirement is met?

Question 87 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer needs to share a dataset from an S3 bucket in Account A with another AWS account (Account B). The data must remain encrypted at rest with KMS. Which steps are required?

Question 88 (medium, multiple choice)
Read the full Data Security and Governance explanation →

A company uses AWS Lake Formation to manage permissions on a data lake stored in S3. A data engineer notices that a new IAM user can query data via Athena but cannot see the tables in the Lake Formation console. What is the most likely cause?

Question 89 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A company has a requirement to store audit logs for 7 years for compliance. The logs are stored in S3 and must be immutable. Which S3 feature should be used?

Question 90 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer needs to grant an IAM user read-only access to a specific KMS key for decrypting S3 objects. Which policy element should be used?

Question 91 (medium, multiple choice)
Read the full Data Security and Governance explanation →

A company uses Amazon Redshift for data warehousing. The security team requires that all data stored in Redshift be encrypted at rest using a customer-managed KMS key. How should the data engineer configure this?

Question 92 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer is troubleshooting an issue where an IAM role used by AWS Glue cannot read data from an S3 bucket encrypted with SSE-KMS. The bucket policy allows the role to perform s3:GetObject. What additional permission is needed?

Question 93 (medium, multi select)
Read the full Data Security and Governance explanation →

A company uses AWS CloudTrail to log all API calls. The security team wants to ensure that log files are tamper-proof and cannot be deleted. Which TWO actions should the data engineer take? (Choose TWO.)

Question 94 (hard, multi select)
Read the full Data Security and Governance explanation →

A company uses Amazon EMR to process sensitive data. The data engineer needs to ensure that data in transit between EMR and S3 is encrypted. Which THREE configurations achieve this? (Choose THREE.)

Question 95 (easy, multi select)
Read the full Data Security and Governance explanation →

A data engineer is setting up a data pipeline using AWS DMS to migrate data from an on-premises database to Amazon RDS for MySQL. The data must be encrypted in transit. Which TWO options can the engineer use? (Choose TWO.)

Question 96 (medium, multiple choice)
Read the full Data Security and Governance explanation →

Refer to the exhibit. A data engineer applies the following S3 bucket policy to an S3 bucket. What does this policy enforce?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
Question 97 (hard, multiple choice)
Read the full Data Security and Governance explanation →

Refer to the exhibit. A data engineer configured CloudTrail to log data events for an S3 bucket. However, the engineer notices that no data events are being logged for objects in the 'logs/' prefix. What is the most likely reason?

Exhibit

$ aws cloudtrail get-event-selectors --trail-name my-trail
{
  "EventSelectors": [
    {
      "ReadWriteType": "All",
      "IncludeManagementEvents": true,
      "DataResources": [
        {
          "Type": "AWS::S3::Object",
          "Values": ["arn:aws:s3:::my-bucket/logs/"]
        }
      ]
    }
  ]
}
Question 98 (easy, multiple choice)
Read the full Data Security and Governance explanation →

Refer to the exhibit. A data engineer creates an IAM policy for a service role used by AWS Glue. What does the condition in the policy enforce?

Exhibit

{
  "Effect": "Allow",
  "Action": [
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*",
  "Condition": {
    "ForAnyValue:StringLike": {
      "kms:ViaService": [
        "s3.*.amazonaws.com"
      ]
    }
  }
}
Question 99 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A company wants to encrypt data at rest in Amazon S3 using server-side encryption. They need to manage the encryption keys themselves and rotate them annually. Which S3 encryption option should they use?

Question 100 (medium, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer needs to audit all access to an S3 bucket for compliance. They want to capture object-level operations such as GetObject and PutObject, as well as bucket-level operations like ListBucket. Which AWS service should be used?

Question 101 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A company uses AWS KMS to encrypt data in Amazon S3 and RDS. They need to ensure that encryption keys are automatically rotated every year. Which KMS key type supports automatic annual rotation?

Question 102 (medium, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer needs to share an S3 bucket with another AWS account. They want to ensure that the objects in the bucket remain encrypted with SSE-KMS using a customer managed key. What additional step is required for cross-account access?

Question 103 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A company wants to enforce that all data in Amazon S3 is encrypted at rest. They want to automatically reject any PUT request that does not include encryption headers. What S3 feature should they use?

Question 104 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A company uses AWS Lake Formation to manage data lake permissions. A data engineer notices that a user can query tables in Athena even though the user does not have SELECT permission on the table in Lake Formation. What could be the cause?

Question 105 (medium, multiple choice)
Read the full Data Security and Governance explanation →

A company needs to monitor and record all changes to IAM policies in their AWS account. Which AWS service should be used?

Question 106 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer wants to ensure that only users with a specific tag (e.g., "Department": "DataEngineering") can access an S3 bucket. How can this be enforced?

Question 107 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A company stores sensitive data in S3 and uses VPC Endpoints to restrict access. They want to ensure that data can only be accessed from their VPC. What configuration is required?

Question 108 (medium, multi select)
Read the full Data Security and Governance explanation →

A data engineer needs to protect sensitive data in an S3 bucket. Which TWO AWS services can be used to detect and prevent accidental public access?

Question 109 (hard, multi select)
Read the full Data Security and Governance explanation →

A company uses AWS KMS to encrypt data in multiple services. They want to ensure that only specific IAM roles can decrypt data using a particular KMS key. Which THREE steps are necessary?

Question 110 (easy, multi select)
Read the full Data Security and Governance explanation →

A data engineer needs to securely store database credentials for an RDS instance. Which TWO AWS services can be used?

Question 111 (medium, multiple choice)
Read the full Data Security and Governance explanation →

Refer to the exhibit. A data engineer applied this bucket policy to an S3 bucket. What is the effect of this policy?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
Question 112 (hard, multiple choice)
Read the full Data Security and Governance explanation →

Refer to the exhibit. A data engineer runs this CLI command to investigate a recent change to an S3 bucket policy. What information does the command return?

Exhibit

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --start-time 2025-03-01T00:00:00Z --end-time 2025-03-02T00:00:00Z --output json
Question 113 (medium, multiple choice)
Read the full Data Security and Governance explanation →

Refer to the exhibit. This KMS key policy is attached to a customer managed key. A data engineer finds that the DataEngineer role can encrypt but cannot decrypt data. What is the most likely cause?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/DataEngineer"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*"
    }
  ]
}
Question 114 (medium, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer is configuring an S3 bucket for storing sensitive customer data. The bucket must be encrypted at rest using an AWS Key Management Service (KMS) key that is managed by the data engineering team. The team wants to ensure that only users with explicit permission can decrypt the data. Which S3 encryption option should be used?

Question 115 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A company is using AWS Glue to process data stored in an S3 bucket that is encrypted with SSE-KMS. The Glue job fails with an 'Access Denied' error when trying to read the data. The IAM role used by the Glue job has permissions to read from the S3 bucket and to use the KMS key. What is the most likely cause of the failure?

Question 116 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer needs to ensure that data in transit between an Amazon RDS for PostgreSQL database and an application is encrypted. Which configuration should be used?

Question 117 (medium, multiple choice)
Read the full Data Security and Governance explanation →

An organization needs to audit all access to their S3 buckets for compliance purposes. They want to log both successful and failed API calls. Which AWS service should be used?

Question 118 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A company has multiple AWS accounts and wants to centrally manage permissions and access to data lakes. They have enabled AWS Organizations and want to use a single set of policies that apply to all accounts. Which policy type should be used at the organization level?

Question 119 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer needs to ensure that data stored in Amazon S3 is automatically deleted after 30 days. Which S3 feature should be used?

Question 120 (medium, multiple choice)
Read the full Data Security and Governance explanation →

A company is using AWS Lake Formation to manage access to a data lake in S3. They want to grant a data analyst access to specific columns in a table, but not to the entire table. Which Lake Formation feature should be used?

Question 121 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer is designing a solution to securely store and rotate database credentials used by an application. The credentials should be automatically rotated every 90 days. Which AWS service should be used?

Question 122 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer needs to ensure that data in an S3 bucket is encrypted at rest. The bucket policy includes a condition that denies PutObject requests if the object is not encrypted. Which S3 encryption feature does this enforce?

Question 123 (medium, multi select)
Read the full Data Security and Governance explanation →

Which TWO actions should a data engineer take to protect sensitive data in an Amazon S3 bucket from being accessed by unauthorized users? (Select TWO.)

Question 124 (hard, multi select)
Read the full Data Security and Governance explanation →

A company must encrypt all data at rest in their Amazon RDS for MySQL instance. Which THREE steps are required to achieve this? (Select THREE.)

Question 125 (easy, multi select)
Read the full Data Security and Governance explanation →

Which THREE AWS services can be used to centrally manage and govern data across multiple AWS accounts? (Select THREE.)

Question 126 (medium, multiple choice)
Read the full Data Security and Governance explanation →

The IAM policy shown is attached to an IAM role. When a user assumes this role and tries to read an object in example-bucket that has no tags, what will happen?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/classification": "public"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Null": {
          "s3:ExistingObjectTag/classification": "true"
        }
      }
    }
  ]
}
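The exhibits for Questions 68, 81, 111 and 126 all turn on the same few rules: an explicit Deny beats any Allow, and each condition operator has a defined answer when the condition key is missing from the request (no x-amz-server-side-encryption header, no object tag, no TLS flag). The following is an added example, not code from Courseiva or AWS: a small Python evaluator that models only what those four exhibits need (Action/Resource wildcards, Deny-wins, and the String*, Bool and Null operators with their missing-key behaviour). Principal matching is deliberately not modelled, and the policies are the exhibits' own, rewritten against a single assumed bucket named example-bucket so that one request helper serves all of them.

```python
"""Added example: minimal evaluator for the bucket-policy condition logic in the
Question 68/81/111/126 exhibits. Assumptions: requests come from a principal the
statement's Principal covers (Principal is ignored), bucket name is example-bucket.
"""
import fnmatch

BUCKET = "arn:aws:s3:::example-bucket/*"

# Question 68 (and 96): reject PutObject unless the SSE header is aws:kms
REQUIRE_KMS = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": BUCKET,
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]}

# Question 81: allow GetObject when the header is AES256, deny PutObject otherwise
ALLOW_GET_DENY_UNENCRYPTED_PUT = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"], "Resource": BUCKET,
     "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": BUCKET,
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}}]}

# Question 111: deny reads over plaintext HTTP
TLS_ONLY = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

# Question 126 (identity policy, same condition semantics): only classification=public objects
TAG_GATED = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET,
     "Condition": {"StringEquals": {"s3:ExistingObjectTag/classification": "public"}}},
    {"Effect": "Deny", "Action": "s3:GetObject", "Resource": BUCKET,
     "Condition": {"Null": {"s3:ExistingObjectTag/classification": "true"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(operator, expected, actual):
    """One (operator, key) pair. `actual` is None when the key is absent from the request."""
    expected = [str(e) for e in _as_list(expected)]
    base = operator.split(":")[-1]              # strip a ForAnyValue:/ForAllValues: prefix
    if_exists = base.endswith("IfExists")
    if if_exists:
        base = base[: -len("IfExists")]
    if base == "Null":                           # "true" means "the key must be absent"
        return (actual is None) == (expected[0].lower() == "true")
    if actual is None:
        # Missing key: positive operators fail; negated (...Not...) and ...IfExists operators
        # succeed. This is why an upload that sends no SSE header trips a StringNotEquals deny.
        return if_exists or "Not" in base
    actual = str(actual)
    if base == "Bool":
        return actual.lower() in [e.lower() for e in expected]
    if base == "StringEquals":
        return actual in expected
    if base == "StringNotEquals":
        return actual not in expected
    if base == "StringLike":
        return _matches_any(expected, actual)
    if base == "StringNotLike":
        return not _matches_any(expected, actual)
    raise NotImplementedError(f"operator {operator} is not modelled")


def _statement_matches(stmt, request):
    if not _matches_any(stmt["Action"], request["action"]):
        return False
    if not _matches_any(stmt["Resource"], request["resource"]):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_holds(operator, expected, request["context"].get(key)):
                return False
    return True


def evaluate(policy, request):
    """'Deny' if any Deny statement matches (explicit deny always wins), else 'Allow' if an Allow
    matches, else 'ImplicitDeny': this policy is silent and some other policy must grant access."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_matches(s, request)}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "ImplicitDeny"


def request(action, key="file.txt", **context):
    """Build a request. Condition keys use the IAM spelling, passed as **{"aws:SecureTransport": "false"}."""
    return {"action": action, "resource": f"arn:aws:s3:::example-bucket/{key}", "context": context}


if __name__ == "__main__":
    sse = "s3:x-amz-server-side-encryption"
    # Question 68: `aws s3 cp` without --sse sends no header, so the StringNotEquals deny fires
    print(evaluate(REQUIRE_KMS, request("s3:PutObject")))                       # Deny
    print(evaluate(REQUIRE_KMS, request("s3:PutObject", **{sse: "aws:kms"})))  # ImplicitDeny
    print(evaluate(TAG_GATED, request("s3:GetObject")))                         # Deny
```

Two outcomes are worth noticing. A compliant upload against the Question 68 policy returns ImplicitDeny, not Allow: a Deny-only bucket policy never grants anything, so the caller's identity policy must still allow s3:PutObject. And bucket default encryption (Questions 72, 103, 149) does not help an upload that omits the header, because the condition key is read from the request, not from the bucket configuration.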
Question 127 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer uses the AWS CLI to list KMS keys and describe one. The output shows two keys. The described key has KeyState 'Enabled' and Origin 'AWS_KMS'. Which statement is true about this key?

Exhibit

$ aws kms list-keys --region us-east-1
{
  "Keys": [
    {
      "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
      "KeyArn": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    {
      "KeyId": "0987zyxw-98zy-76xw-54vu-0987654321cd",
      "KeyArn": "arn:aws:kms:us-east-1:111122223333:key/0987zyxw-98zy-76xw-54vu-0987654321cd"
    }
  ]
}

$ aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
  "KeyMetadata": {
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "Origin": "AWS_KMS"
  }
}
Question 128 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer runs the command shown to check the encryption configuration of an S3 bucket. The output shows SSEAlgorithm: AES256. What does this mean?

Exhibit

$ aws s3api get-bucket-encryption --bucket example-bucket
{
  "ServerSideEncryptionConfiguration": {
    "Rules": [
      {
        "ApplyServerSideEncryptionByDefault": {
          "SSEAlgorithm": "AES256"
        }
      }
    ]
  }
}
Question 129 (medium, multiple choice)
Read the full Data Security and Governance explanation →

A company uses AWS KMS to encrypt data in Amazon S3. The security team requires that all encryption keys be rotated automatically every year. Which key type should the company use?

Question 130 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer needs to restrict access to an Amazon S3 bucket so that only objects encrypted with a specific AWS KMS key can be uploaded. Which S3 bucket policy condition should be used?

Question 131 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A company wants to audit all changes to IAM policies in their AWS account. Which combination of services should be used to achieve this?

Question 132 (medium, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer needs to allow an IAM user to rotate the secret in AWS Secrets Manager for an RDS database. Which IAM action should be included in the policy?

Question 133 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A company stores sensitive data in Amazon S3. The security team requires that all data be encrypted at rest and that the encryption keys be stored in AWS CloudHSM. Which S3 encryption option should be used?

Question 134 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A company wants to ensure that all S3 buckets are encrypted using server-side encryption. Which AWS service can be used to automatically remediate non-compliant buckets?

Question 135 (medium, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer needs to grant cross-account access to an S3 bucket. The engineer wants to use a role in the source account and assume that role from the target account. Which permissions are required?

Question 136 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A company uses Amazon Redshift for data warehousing. The security team requires that all data be encrypted at rest using a key managed by the company. Which Redshift encryption option should be used?

Question 137 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A company needs to centralize audit logs from multiple AWS accounts into a single S3 bucket. Which service should be used to aggregate these logs?

Question 138 (medium, multi select)
Read the full Data Security and Governance explanation →

Which TWO actions are required to enforce encryption in transit for data being loaded into Amazon Redshift from Amazon S3? (Choose two.)

Question 139 (hard, multi select)
Read the full Data Security and Governance explanation →

A company wants to monitor and alert on any IAM user creation in their AWS account. Which THREE services should be used together to achieve this? (Choose three.)

Question 140 (easy, multi select)
Read the full Data Security and Governance explanation →

Which TWO AWS services can be used to protect sensitive data stored in Amazon S3 by preventing accidental public access? (Choose two.)

Question 141 (medium, multiple choice)
Read the full Data Security and Governance explanation →

A company uses AWS Glue to process sensitive customer data stored in S3. The security team requires that all data be encrypted at rest using a customer-managed KMS key and that access to the key be auditable. Which solution meets these requirements?

Question 142 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer needs to share a dataset from an S3 bucket in Account A with users in Account B. The dataset must remain encrypted at rest with an S3-managed key. What is the MOST secure way to grant cross-account access?

Question 143 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A company uses Redshift for analytics. The security team requires that all queries be logged and that any access to sensitive columns be blocked for non-admin users. Which combination of features should the data engineer implement?

Question 144 (medium, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer is designing a data lake on S3 with sensitive data. The security policy mandates that data must be encrypted at rest and in transit, and that an inventory of all objects must be maintained for compliance. Which actions should be taken?

Question 145 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A company wants to use AWS Lake Formation to manage permissions on a data lake. What is the primary benefit of using Lake Formation for data security?

Question 146 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A company has an AWS Glue ETL job that reads from an RDS MySQL instance and writes to S3. The security team requires that the connection to RDS be encrypted and that credentials be rotated automatically. Which configuration should be used?

Question 147 (medium, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer needs to ensure that an S3 bucket can only be accessed from a specific VPC. Which policy element should be used?

Question 148 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A company uses Amazon Athena to query data in S3. The security team wants to ensure that users can only query tables they have permissions to in the AWS Glue Data Catalog. Which service should be used to manage these permissions centrally?

Question 149 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A company has an S3 bucket with versioning enabled and a bucket policy that denies access if the request does not include encryption. A data engineer notices that some objects are not encrypted. What is the most likely cause?

Question 150 (medium, multi select)
Read the full Data Security and Governance explanation →

A data engineer is designing a data pipeline that processes PII data using AWS Glue and stores results in S3. Which TWO actions should be taken to protect the data? (Choose 2)

Question 151 (hard, multi select)
Read the full Data Security and Governance explanation →

A company uses Amazon Redshift for data warehousing. The security team requires that all queries be logged for audit and that sensitive columns be masked for non-privileged users. Which THREE steps should the data engineer take? (Choose 3)

Question 152 (easy, multi select)
Read the full Data Security and Governance explanation →

A company wants to enforce encryption in transit for data moving between an EC2 instance and an S3 bucket. Which TWO methods can achieve this? (Choose 2)

Question 153 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A company runs a data lake on AWS using S3 for storage and AWS Glue for ETL. The security team discovers that a contractor who left the company two months ago still has access to an S3 bucket containing sensitive data. The access was granted via an IAM user that was not deleted. The data engineer is asked to implement a solution to prevent future occurrences. The company uses AWS Organizations and has multiple accounts. The requirement is to automatically detect and remediate IAM users that have not been used for 90 days by disabling their access keys and notifying the security team. The solution must be least privilege and use AWS-native services. Which approach should the data engineer take?

Question 154 (medium, multiple choice)
Read the full Data Security and Governance explanation →

A financial services company uses Amazon Redshift for its data warehouse. The compliance team requires that all access to the database be logged, including the SQL queries executed, and that the logs be stored in a separate S3 bucket that is encrypted with a customer-managed KMS key. Additionally, the logs must be retained for 7 years. The data engineer has enabled audit logging on the Redshift cluster and configured it to deliver logs to an S3 bucket. However, the compliance team reports that the logs are not being delivered. The S3 bucket policy allows the Redshift service to write logs. What is the most likely reason for the failure?

Question 155 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A company uses Amazon S3 to store sensitive customer data. The security policy requires that all objects in the bucket be encrypted at rest using server-side encryption with a customer-managed KMS key. The data engineer has enabled default encryption on the bucket using SSE-KMS with the required KMS key. However, a security scan reveals that some objects in the bucket are not encrypted with the KMS key. The objects were uploaded before the default encryption was enabled. The data engineer needs to ensure that all objects are encrypted with the KMS key without disrupting ongoing data access. What should the data engineer do?

Question 156 (medium, multiple choice)
Read the full Data Security and Governance explanation →

A company uses AWS Glue to catalog data in Amazon S3. The security team requires that all sensitive data be identified and encrypted at rest using customer-managed KMS keys. Which combination of steps should a data engineer take to meet these requirements?

Question 157 (medium, multiple choice)
Read the full Data Security and Governance explanation →

A data engineer is setting up cross-account access to an encrypted S3 bucket. The bucket uses a customer-managed KMS key. The engineer has configured the bucket policy and the IAM role in the source account. The target account still gets access denied errors when trying to read objects. What is the most likely cause?

Question 158 (easy, multiple choice)
Read the full Data Security and Governance explanation →

A company uses Amazon RDS for MySQL with encryption at rest enabled. The security team requires that all database audit logs be stored in Amazon S3 for at least 7 years. Which AWS service should the data engineer use to collect and store the logs?

Question 159 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A company has a data lake in Amazon S3 with millions of objects. The security team wants to enforce that all objects are encrypted with a specific customer-managed KMS key. The data engineer configures an S3 bucket policy to deny PutObject if the encryption is not set to that key. However, some existing objects are not encrypted with that key. What is the most efficient way to remediate the existing objects?

Question 160 (hard, multiple choice)
Read the full Data Security and Governance explanation →

A company uses AWS Lake Formation to manage permissions on a data lake. A data engineer creates a table in the Data Catalog and grants SELECT permission to a group of analysts. The analysts report they can see the table but get an AccessDenied error when querying it with Amazon Athena. What is the most likely cause?

Question 161 (medium, multi select)
Read the full Data Security and Governance explanation →

A data engineer needs to encrypt data at rest in Amazon S3 using server-side encryption with a customer-managed KMS key. Which TWO steps are required to ensure that the KMS key can be used for S3 object encryption?

Question 162 (hard, multi select)
Read the full Data Security and Governance explanation →

A company is using AWS Lake Formation to manage a data lake. The data engineer needs to set up fine-grained access control so that users can only see specific columns in a table based on their IAM role. Which THREE steps should the data engineer take?

Question 163 (easy, multi select)
Read the full Data Security and Governance explanation →

A company wants to audit all API calls made to Amazon S3 and Amazon RDS resources. Which TWO AWS services can be used together to achieve this?

Question 164 (medium, multi select)

A data engineer needs to securely store database credentials used by an AWS Glue ETL job. Which THREE steps should the engineer take?

Question 165 (hard, multi select)

A company uses Amazon Redshift for its data warehouse and needs to enforce column-level security on sensitive columns. Which TWO approaches can achieve this?

Question 166 (medium, multiple choice)

A data engineer is designing a data pipeline that ingests customer data from an on-premises database into Amazon S3. The data contains personally identifiable information (PII). The company policy requires that all PII be masked before it is stored in S3. The pipeline uses AWS DMS for migration and AWS Glue for transformation. The engineer needs to ensure that the masking is applied consistently and that no unmasked data is written to S3. The engineer has set up DMS to replicate data to an S3 bucket, and then a Glue job reads from S3, applies masking, and writes to another S3 bucket. However, there is a risk that unmasked data in the first S3 bucket could be accessed before the Glue job runs. What should the engineer do to mitigate this risk?

Question 167 (hard, multiple choice)

A company has a multi-account AWS environment with a centralized data lake in the Security account. Data producers in other accounts use AWS Glue to write data to S3 buckets in the Security account. The Security account uses AWS Lake Formation to manage permissions. The data engineer is setting up cross-account access so that users in the Producer account can query the data using Athena in their own account. The engineer has registered the S3 buckets and Data Catalog tables in Lake Formation. The IAM roles in the Producer account have the necessary permissions. However, when a user in the Producer account tries to query the table, they get an AccessDenied error. The error message indicates that the principal is not authorized to perform lakeformation:GetTable on the resource. What is the most likely cause?

Question 168 (medium, multiple choice)

A company uses Amazon EMR to process large datasets stored in Amazon S3. The data is encrypted at rest using SSE-S3. The security team now requires that all data at rest be encrypted with customer-managed KMS keys (SSE-KMS). The data engineer needs to migrate existing data to use SSE-KMS without downtime. The engineer plans to use S3 Batch Operations to copy objects in place. However, the Batch Operations job fails with a KMS access denied error. The engineer has confirmed that the Batch Operations service role has the necessary KMS permissions. What is the most likely cause?

Question 169 (easy, multiple choice)

A company uses Amazon QuickSight for data visualization. The data engineer needs to ensure that users can only see data relevant to their department. The data is stored in Amazon S3 and is accessed via SPICE. The engineer has created datasets in QuickSight and wants to implement row-level security (RLS). The dataset contains a column 'Department' that indicates which department a row belongs to. The engineer has configured RLS rules using a separate permissions dataset. However, users report that they can see all rows, not just their department's rows. What is the most likely reason?

Question 170 (hard, multiple choice)

A company uses Amazon DynamoDB to store session data. The security team requires that all data be encrypted at rest using a customer-managed KMS key. The data engineer has enabled DynamoDB encryption with a customer-managed key. However, the security team notices that the key is not being used for all tables; some tables still use the default AWS-managed key. The engineer needs to ensure that all new tables are automatically encrypted with the customer-managed key. The company has hundreds of developers who create tables using various methods (console, CLI, SDK, CloudFormation). What is the most efficient way to enforce this policy?

Question 171 (medium, multiple choice)

A financial services company uses AWS Glue ETL jobs to process sensitive customer data stored in Amazon S3. The data is encrypted at rest with SSE-KMS using a customer-managed key. Recently, the security team discovered that the Glue job's IAM role has an overly permissive policy that allows the 'kms:Decrypt' action for all KMS keys in the account. The company wants to follow the principle of least privilege. The Glue job runs on a schedule and reads from a specific S3 bucket. The security team needs to update the IAM policy to restrict KMS decryption to only the specific key used for that bucket. What should they do?

Question 172 (hard, multiple choice)

A healthcare organization uses AWS Lake Formation to manage a data lake in Amazon S3. The data lake contains sensitive patient information that must be encrypted at rest. The organization uses AWS KMS with a customer-managed key (CMK) for encryption. Recently, the security team noticed that a new IAM user was able to query the data lake using Amazon Athena without explicit permissions in Lake Formation. The data lake administrator suspects that the IAM user might have been granted access through an IAM policy that allows 'lakeformation:GetDataAccess' without proper resource restrictions. The organization wants to enforce that only Lake Formation permissions control access to the data lake, and IAM policies should not grant access directly. What should they do?

Question 173 (medium, multiple choice)

A gaming company uses Amazon Redshift for analytics. The Redshift cluster stores user data that must be encrypted at rest using a customer-managed KMS key. The company has enabled audit logging using AWS CloudTrail. The security team wants to ensure that any attempt to disable or delete the KMS key is immediately detected and triggers an automated response. They have set up a CloudWatch Events rule that triggers an SNS notification when the KMS key is scheduled for deletion. However, they also want to prevent the key from being deleted accidentally. What should they do?

Question 174 (easy, multiple choice)

A media company stores video files in an Amazon S3 bucket. The bucket policy allows access only from a specific VPC. The company has enabled S3 Server Access Logs to monitor access. Recently, the security team found that some requests were coming from an IP address outside the allowed VPC. They suspect that the bucket policy may have an incorrect condition. What should they check first?

Question 175 (hard, multiple choice)

A data engineering team uses AWS Glue Data Catalog to manage metadata for datasets in Amazon S3. The datasets contain personally identifiable information (PII). The team needs to implement column-level security so that only authorized users can access columns with PII. They use Amazon Athena for querying. The team has enabled AWS Lake Formation and defined data lake locations. They have created a Lake Formation tag called 'PII' and assigned it to the columns containing PII. They have also granted 'SELECT' permission on those columns to a specific IAM role. However, when a user assumes that role and queries the table using Athena, they can still see all columns, including the PII columns. What is the most likely cause?

Question 176 (medium, multiple choice)

A company uses Amazon RDS for MySQL to store transactional data. The database contains sensitive financial information. The company's security policy requires that all data at rest be encrypted using a customer-managed KMS key. The database was originally launched without encryption at rest. The security team now needs to enable encryption without significant downtime. What should they do?

Question 177 (medium, multiple choice)

A data engineer needs to audit all access to an S3 bucket containing sensitive customer data. The engineer must record the requester, timestamp, action, and whether the access was denied. Which AWS solution meets these requirements?

Question 178 (hard, multiple choice)

A company uses AWS Lake Formation to manage access to data in a data lake. A new data engineer has been granted SELECT permission on a table but receives an 'AccessDeniedException' when querying via Amazon Athena. The table is registered in Lake Formation and the data is encrypted with SSE-KMS. Which of the following is the MOST likely cause?

Question 179 (easy, multiple choice)

A data engineer needs to securely store database credentials used by a Lambda function. The solution must automatically rotate the credentials every 90 days. Which AWS service should the engineer use?

Question 180 (hard, multiple choice)

A company has an S3 bucket policy that allows access to a specific IAM role. However, an administrator notices that requests from that role are being denied. The bucket is encrypted with AES-256. What is the MOST likely reason for the denial?

Question 181 (medium, multiple choice)

A data engineer is designing a data pipeline that processes sensitive financial data. The data must be encrypted at rest and in transit. The pipeline uses Amazon Kinesis Data Streams to ingest data and AWS Lambda to process it. Which combination of actions ensures the data is encrypted in transit? (Select TWO.)

Question 182 (medium, multiple choice)

A company wants to monitor and alert on unauthorized API calls in their AWS account. Which AWS service should be used to detect and notify on such events?

Question 183 (hard, multiple choice)

A data engineer is troubleshooting an Amazon Redshift cluster that is not allowing connections from a specific IP range. The engineer verified that the cluster's security group allows inbound traffic from the IP range. What is the next step to resolve the issue?

Question 184 (easy, multiple choice)

A company needs to enforce that all objects uploaded to an S3 bucket are encrypted at rest. Which bucket setting should be used?

Question 185 (medium, multiple choice)

A company uses AWS Glue to run ETL jobs on data stored in S3. The data is encrypted with SSE-KMS. The Glue job fails with an 'AccessDenied' error when trying to read the data. What is the MOST likely cause?

Question 186 (hard, multiple choice)

Refer to the exhibit. An S3 bucket policy allows the DataEngineerRole to get objects only if the request uses HTTPS. However, requests from this role are being denied even when using HTTPS. What is the MOST likely reason?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/DataEngineerRole"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}

Question 187 (easy, multiple choice)

A data engineer needs to grant an IAM user read-only access to an S3 bucket named 'data-lake'. Which IAM policy statement should be used?

Question 188 (hard, multiple choice)

Refer to the exhibit. A data engineer runs the AWS CLI command to look up GetObject events. The output shows an event from the DataEngineer role. However, the engineer suspects that some GetObject requests are not being logged. What is the MOST likely reason?

Exhibit

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --start-time 2023-01-01 --end-time 2023-01-31 --region us-east-1
{
  "Events": [
    {
      "EventId": "example1",
      "EventName": "GetObject",
      "ReadOnly": "True",
      "Username": "arn:aws:iam::123456789012:role/DataEngineer",
      "EventTime": "2023-01-15T10:00:00Z",
      "Resources": [
        {"ResourceName": "my-bucket/my-object", "ResourceType": "AWS::S3::Object"}
      ]
    }
  ]
}

Question 189 (medium, multiple choice)

Refer to the exhibit. An IAM policy allows kms:Decrypt and kms:GenerateDataKey on a specific KMS key. A data engineer is unable to upload an object to an S3 bucket that uses SSE-KMS with that key. What is the MOST likely missing permission?

Exhibit

Refer to the exhibit.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ]
}

Question 190 (easy, multiple choice)

A company needs to ensure that data stored in Amazon RDS is encrypted at rest. Which action should the data engineer take?

Question 191 (hard, multiple choice)

A company uses Amazon Redshift for data warehousing. The security team requires that all data stored in Redshift be encrypted at rest. The current cluster is unencrypted. Which approach should the data engineer take to meet this requirement with minimal downtime?

Question 192 (easy, multiple choice)

A data engineer needs to ensure that all data stored in an S3 bucket is encrypted at rest. Which S3 bucket policy condition key should be used to enforce encryption using AWS KMS?

Question 193 (medium, multiple choice)

A company uses AWS Lake Formation to manage data lake permissions. A data analyst is unable to query a table in the data lake using Amazon Athena. The table is registered in Lake Formation, and the analyst has SELECT permission granted via Lake Formation. What is the most likely reason for the failure?

Question 194 (hard, multi select)

A financial services company needs to share sensitive customer data with a third-party analytics firm. The data resides in an S3 bucket encrypted with an AWS KMS customer managed key. The third party has their own AWS account. Which combination of steps is required to securely share the data? (Choose TWO.)

Question 195 (medium, multiple choice)

A company is designing a data lake on AWS and must comply with GDPR requirements. The company needs to implement data masking for personally identifiable information (PII) columns in Amazon Redshift. Which feature should be used?

Question 196 (easy, multiple choice)

A data engineer needs to audit who accessed specific objects in an S3 bucket over the past 30 days. Which AWS service should be used?

Question 197 (hard, multiple choice)

A company has an AWS Glue ETL job that reads data from an S3 bucket encrypted with SSE-S3. The job runs successfully, but the output written to another S3 bucket with SSE-KMS fails. The IAM role for the Glue job has s3:PutObject and kms:GenerateDataKey permissions. What is the most likely cause?

Question 198 (medium, multiple choice)

A company wants to centrally manage encryption keys for multiple AWS services and automatically rotate them every year. Which AWS service should be used?

Question 199 (easy, multiple choice)

A data engineer needs to ensure that an Amazon Redshift cluster encrypts all data at rest. Which setting must be enabled when creating the cluster?

Question 200 (hard, multiple choice)

A company uses Amazon RDS for PostgreSQL with encryption at rest using AWS KMS. The company needs to share a database snapshot with a different AWS account. What must be done to allow the target account to restore the snapshot?

Question 201 (medium, multiple choice)

Refer to the exhibit.

Exhibit:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/DataEngineer"
      },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncrypt*"
      ],
      "Resource": "*"
    }
  ]
}

A data engineer tries to encrypt data using the KMS key associated with this key policy and receives an access denied error. What is the cause?

Question 202 (hard, multiple choice)

A data engineer runs an AWS Glue ETL job that reads from a table in the AWS Glue Data Catalog. The job fails with the error shown. The IAM role used by the Glue job has the following policy attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "glue:GetTable",
                "glue:GetDatabase"
            ],
            "Resource": "*"
        }
    ]
}

What should be added to the IAM role's policy to resolve the error?

Exhibit

[GlueJobRun] ERROR: Insufficient Lake Formation permissions: User is not authorized to perform: lakeformation:GetDataAccess on resource: arn:aws:glue:us-east-1:123456789012:table/sales_db/customers

Question 203 (medium, multiple choice)

A data engineer applies the bucket policy shown in the exhibit to an S3 bucket containing sensitive data. The goal is to allow only encrypted (HTTPS) requests. However, a user reports being able to access an object using an HTTP (non-HTTPS) request. What is the most likely reason?

Exhibit

aws s3api put-bucket-policy --bucket my-data-lake --policy file://policy.json

Contents of policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-data-lake/*",
      "Condition": {
        "BoolIfExists": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}

Question 204 (hard, multiple choice)

A company uses Amazon DynamoDB with encryption at rest using an AWS managed KMS key. The security team requires that the encryption key be rotated every 90 days. What should the data engineer do to meet this requirement?

Question 205 (easy, multiple choice)

A data engineer needs to restrict access to an S3 bucket so that only users from a specific AWS account can read objects. Which S3 bucket policy element should be used?

Question 206 (medium, multiple choice)

A company uses Amazon Kinesis Data Streams to ingest real-time data. The compliance team requires that all data in the stream be encrypted at rest. Which configuration should be enabled?

Question 207 (hard, multiple choice)

A company has a multi-account strategy using AWS Organizations. The data engineering team needs to share a central S3 bucket across multiple accounts while maintaining fine-grained access control. Which solution should be used?

Question 208 (medium, multiple choice)

A company needs to automate the detection of sensitive data in Amazon S3 and generate reports. Which AWS service should be used?

Question 209 (easy, multiple choice)

A data engineer needs to ensure that an Amazon Redshift cluster only accepts encrypted connections. Which parameter should be modified?

Question 210 (hard, multiple choice)

A company uses Amazon EMR to process data stored in S3 with server-side encryption using AWS KMS. The EMR cluster fails with a "403 Access Denied" error when reading data from S3. The IAM role for the EMR cluster has s3:GetObject and kms:Decrypt permissions. What is the most likely issue?

Question 211 (medium, multiple choice)

A company needs to tag all resources created in a specific AWS account to enforce data governance policies. Which AWS service can automatically enforce tagging rules?

Question 212 (easy, multiple choice)

A data engineer needs to store encryption keys used for protecting data in Amazon S3 and automatically rotate them every year. Which service should be used?

Question 213 (easy, multiple choice)

A data engineer needs to ensure that an Amazon S3 bucket containing sensitive customer data is encrypted at rest. Which AWS service can be used to manage the encryption keys?

Question 214 (medium, multiple choice)

A company stores sensitive data in an Amazon S3 bucket. To comply with regulations, all data must be encrypted at rest using server-side encryption. The security team wants to ensure that any attempt to upload an unencrypted object is automatically denied. Which S3 bucket policy condition should be used?

Question 215 (hard, multiple choice)

A company uses AWS Glue to process data from Amazon S3. The data contains personally identifiable information (PII). The data engineer needs to automatically detect and mask PII fields before the data is loaded into Amazon Redshift. Which combination of AWS services should be used?

Question 216 (easy, multiple choice)

A data engineer is setting up an Amazon RDS for MySQL database. The compliance team requires that all data at rest be encrypted. What must the engineer do to enable encryption for this database?

Question 217 (medium, multiple choice)

A company uses Amazon S3 to store log files. The security team notices that some objects are being accessed from an unexpected AWS account. The data engineer needs to identify which specific IAM user or role is accessing the objects. Which AWS service should be used to get this information?

Question 218 (hard, multiple choice)

A data engineer needs to share a dataset stored in an Amazon S3 bucket with another AWS account. The dataset must remain encrypted at rest using AWS KMS. The data engineer creates a bucket policy that grants the other account access to the bucket. However, the other account reports that objects appear encrypted and they cannot decrypt them. What is the most likely cause?

Question 219 (easy, multiple choice)

A company wants to audit all changes to IAM policies in their AWS account. Which AWS service should be used to record these changes?

Question 220 (medium, multiple choice)

A company uses Amazon Redshift for data warehousing. The security team requires that all data loading into Redshift be encrypted in transit. Which configuration ensures this requirement is met?

Question 221 (hard, multiple choice)

A data engineer is tasked with implementing data masking for a non-production environment. The source data contains credit card numbers stored in an Amazon RDS for PostgreSQL database. The engineer wants to automatically mask the credit card numbers when copying data to the non-production database. Which AWS service can be used to achieve this?

Question 222 (medium, multi select)

A company is designing a data lake on Amazon S3. The security team requires granular access control based on data classifications. Which TWO AWS services can be used together to implement attribute-based access control (ABAC) for objects in S3?

Question 223 (hard, multi select)

A company needs to enforce encryption at rest for all data stored in Amazon S3. The security team wants to ensure that no objects can be uploaded without encryption. Which THREE steps should be taken to meet this requirement?

Question 224 (easy, multi select)

A data engineer is setting up an Amazon Redshift cluster. Which TWO measures can be taken to secure the data at rest?

Question 225 (easy, multiple choice)

Refer to the exhibit. A data engineer applies this S3 bucket policy to the bucket 'example-bucket'. What is the effect of this policy?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}

Question 226 (medium, multiple choice)

Refer to the exhibit. A data engineer runs this AWS CLI command to execute an Athena query. What is the purpose of the EncryptionConfiguration parameter?

Exhibit

aws athena start-query-execution --query-string "SELECT * FROM my_table" --result-configuration EncryptionConfiguration={EncryptionOption=SSE_S3}

Question 227 (hard, multiple choice)

Refer to the exhibit. A data engineer creates this KMS key policy. An IAM role in account 123456789012 is granted decrypt access to the key. However, when the DataAnalystRole tries to decrypt an S3 object encrypted with this key, the operation fails. What is the most likely reason?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/DataAnalystRole"
      },
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}

Question 228 (medium, multiple choice)

A company uses AWS Glue to catalog data in Amazon S3. The data includes personally identifiable information (PII). The security team requires that PII be masked when queried by users who are not data owners. Which AWS service should be used to enforce this requirement?

Question 229 (easy, multiple choice)

A data engineer needs to ensure that an Amazon Redshift cluster encrypts data at rest using a customer-managed AWS KMS key. Which configuration step is required?

Question 230 (hard, multiple choice)

A company runs an Amazon EMR cluster that processes sensitive data stored in Amazon S3. The security team requires that all data in transit between the EMR cluster and S3 be encrypted. Which configuration ensures this requirement is met?

Question 231 (medium, multiple choice)

A data engineer needs to audit all access to an Amazon S3 bucket containing sensitive data. The audit must capture who accessed the bucket, from which IP address, and what actions were performed. Which AWS service should be enabled?

Question 232 (easy, multiple choice)

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that the KMS key can only be used from within the company's VPC. Which policy element should be added to the KMS key policy?

Question 233 (hard, multiple choice)

A data engineer is designing a data lake on Amazon S3. The compliance team requires that objects be automatically deleted after 7 years. Additionally, objects must be transitioned to Amazon S3 Glacier Instant Retrieval after 30 days to reduce costs. Which S3 lifecycle policy configuration meets these requirements?

Question 234 (medium, multiple choice)

A company uses AWS Glue DataBrew to clean and normalize data. The data contains sensitive columns that must be masked before being written to the output. Which DataBrew action should be applied?

Question 235 (easy, multiple choice)

A data engineer receives an alert that an AWS KMS key has been scheduled for deletion by mistake. What is the immediate action to prevent the key from being deleted?

Question 236 (hard, multiple choice)

A company stores data in Amazon S3 with server-side encryption using AWS KMS (SSE-KMS). The data engineer needs to give a third-party auditor read-only access to the encrypted objects. The auditor has an AWS account. Which strategy should be used?

Question 237 (medium, multi select)

A company is building a data lake on AWS and must encrypt data at rest. Which services can provide server-side encryption for data stored in Amazon S3? (Choose TWO.)

Question 238 (hard, multi select)

A data engineer is configuring an Amazon Redshift cluster for compliance. The cluster must encrypt data at rest and automatically rotate the encryption key every year. Which steps should the engineer take? (Choose THREE.)

Question 239 (easy, multi select)

A company wants to audit API calls made to its Amazon S3 buckets. Which AWS services can be used to achieve this? (Choose TWO.)

Question 240 (medium, multiple choice)

Refer to the exhibit. A data engineer applies this S3 bucket policy to an S3 bucket. What is the effect of this policy?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Question 241 (hard, multiple choice)

Refer to the exhibit. A data engineer runs the commands shown. What can be determined about the key with ID 1234abcd-12ab-34cd-56ef-1234567890ab?

Exhibit

aws kms list-keys
{
  "Keys": [
    {"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    {"KeyId": "0987zyxw-21ba-43dc-65fe-0987654321ba", "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/0987zyxw-21ba-43dc-65fe-0987654321ba"}
  ]
}

aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
  "KeyMetadata": {
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyManager": "AWS",
    "KeyState": "Enabled",
    "Origin": "AWS_KMS",
    "CreationDate": 1625097600.0,
    "Enabled": true
  }
}

Question 242 (medium, multiple choice)

Refer to the exhibit. A data engineer queries AWS CloudTrail to investigate a PutObject event. What does the exhibit reveal about the object sensitive.csv?

Exhibit

```
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --max-results 1
{
  "Events": [
    {
      "EventId": "example-event-id",
      "EventName": "PutObject",
      "EventTime": 1633046400.0,
      "Username": "data-scientist-1",
      "Resources": [
        {
          "ResourceType": "AWS::S3::Object",
          "ResourceName": "arn:aws:s3:::data-bucket/sensitive.csv"
        }
      ],
      "CloudTrailEvent": "{\"eventSource\":\"s3.amazonaws.com\",\"requestParameters\":{\"bucketName\":\"data-bucket\",\"key\":\"sensitive.csv\",\"x-amz-server-side-encryption\":\"aws:kms\"}}"
    }
  ]
}
```

Question 243 (easy, multiple choice)

A data engineer needs to ensure that all data in an S3 bucket is encrypted at rest. The bucket contains objects uploaded by various applications. What is the simplest method to enforce encryption for all new objects?

Question 244 (medium, multiple choice)

A company uses AWS KMS to encrypt sensitive data in S3. The security team requires that the KMS key must be rotated automatically every year. Which key type should be used?

Question 245 (hard, multiple choice)

A data engineer is troubleshooting an AWS Glue ETL job that fails with an access denied error when writing to an S3 bucket. The Glue job uses an IAM role that has an S3 bucket policy attached. The bucket policy denies access to any principal that does not use server-side encryption. What is the most likely cause of the failure?

Question 246 (easy, multiple choice)

A company wants to audit all data access events in their S3 buckets, including who accessed objects and from which IP address. Which AWS service should be used to capture these events?

Question 247 (medium, multiple choice)

A data engineer needs to allow a Lambda function to read data from an S3 bucket in the same account. The Lambda function's execution role has the required permissions, but access is denied. The S3 bucket has a bucket policy that explicitly denies access to any principal that is not from the organization. What is the most likely issue?

Question 248 (hard, multiple choice)

A data engineer is designing a data lake on S3 that must be encrypted at rest using customer-managed keys in AWS KMS. The security team requires that the key be used only for S3 operations and that the key be rotated every 180 days. Which solution meets these requirements?

Question 249 (easy, multiple choice)

A company wants to ensure that only encrypted connections are used when data is transferred to S3. Which policy condition should be used in an S3 bucket policy?

Question 250 (medium, multiple choice)

A data engineer is configuring an S3 bucket to host sensitive data. The security policy requires that all objects be encrypted with a key that is generated and managed by the customer, and that the key be stored in AWS KMS. Which encryption option should be used?

Question 251 (hard, multiple choice)

A data engineer is troubleshooting an ETL job that reads from an S3 bucket encrypted with SSE-KMS. The job is failing with an error indicating that the IAM role does not have permission to decrypt the data. What is the most likely missing permission?

Question 252 (medium, multiple choice)

A data engineering team needs to encrypt data at rest in an Amazon S3 bucket that stores sensitive customer information. The team must use an AWS Key Management Service (AWS KMS) customer managed key with automatic rotation enabled. Which configuration meets these requirements?

Question 253 (hard, multiple choice)

A company is using AWS Glue to process data stored in Amazon S3. The data includes personally identifiable information (PII) that must be masked before being written to a separate output bucket. Which AWS service or feature can be used to automatically detect and mask sensitive data in the Glue ETL job?

Question 254 (easy, multiple choice)

A data engineer needs to audit all AWS KMS key usage events for the past 90 days to verify compliance. Which AWS service should be used?

Question 255 (medium, multiple choice)

A company needs to enforce encryption in transit for all data moving between its Amazon S3 bucket and a fleet of Amazon EC2 instances. The data is accessed via S3 API calls over the internet. Which configuration ensures encryption in transit?

Question 256 (hard, multiple choice)

A data engineer is designing a data lake on Amazon S3 that must comply with a regulatory requirement to prevent any data from being overwritten or deleted for 7 years after creation. Which S3 feature should be used?

Question 257 (easy, multiple choice)

A company wants to centrally manage access to multiple AWS accounts for its data engineers. The company already uses AWS Organizations. Which AWS service should be used to define fine-grained permissions across accounts?

Question 258 (medium, multiple choice)

A company uses Amazon RDS for MySQL to store financial data. A compliance requirement mandates that all database connections must be encrypted. Which configuration step is necessary?

Question 259 (hard, multiple choice)

A data engineer needs to share a dataset stored in an S3 bucket with a partner AWS account. The partner should be able to read the data without needing to authenticate with the engineer's account. The engineer must not share any secret keys. Which approach should be used?

Question 260 (easy, multiple choice)

A company uses Amazon Redshift for data warehousing. The security team requires that all data in transit between the Redshift cluster and clients be encrypted. Which feature should be enabled?

Question 261 (medium, multi select)

A company needs to securely store and manage database credentials used by a data pipeline. Which AWS services can be used to store and rotate secrets automatically? (Choose TWO.)

Question 262 (hard, multi select)

A data engineer needs to ensure that an S3 bucket policy follows the principle of least privilege. Which of the following are valid conditions to restrict access based on the requester's identity? (Choose THREE.)

Question 263 (easy, multi select)

A company must comply with a regulation that requires logging all access to sensitive data stored in Amazon S3. Which AWS services can be used to capture and store access logs? (Choose TWO.)

Question 264 (medium, multiple choice)

Refer to the exhibit. An S3 bucket policy is shown. A data engineer using the DataEngineerRole tries to upload an object to s3://example-bucket/data/report.csv with SSE-S3 encryption. The upload fails. What is the most likely cause?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/DataEngineerRole"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/data/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
```

Question 265 (hard, multiple choice)

Refer to the exhibit. A data engineer runs the AWS CLI command shown to encrypt a file using AWS KMS. The command succeeds. Later, the engineer tries to decrypt the file using the same key but without providing an encryption context. The decryption fails. What is the most likely reason?

Exhibit

```
aws kms encrypt --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --plaintext fileb://secret.txt --encryption-context department=finance
```

Question 266 (easy, multiple choice)

Refer to the exhibit. An IAM policy is attached to a user. What is the security implication of this policy?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
```

Question 267 (medium, multiple choice)

A data engineer needs to ensure that an S3 bucket containing sensitive customer data is encrypted at rest. The company requires that all encryption keys be managed by AWS and rotated annually. Which encryption option meets these requirements?

Question 268 (hard, multiple choice)

A company is using an Amazon RDS for PostgreSQL database to store personally identifiable information (PII). The security team wants to ensure that database administrators cannot view the plaintext PII data. Which solution should a data engineer implement?

Question 269 (easy, multiple choice)

A company wants to audit all changes to IAM policies in their AWS account. Which AWS service should be used to record these changes for compliance purposes?

Question 270 (medium, multiple choice)

A data engineer is configuring an S3 bucket policy to allow cross-account access for a partner account to read objects. The bucket is encrypted with SSE-KMS using a customer-managed key. What additional configuration is needed to allow the partner account to decrypt the objects?

Question 271 (hard, multiple choice)

A company uses AWS Lake Formation to manage data lake permissions. The data engineer notices that a user with SELECT permission on a table can also query the underlying data in Amazon S3 directly. How can the engineer enforce that access to the S3 data is only through Lake Formation?

Question 272 (easy, multiple choice)

A company wants to securely store database credentials used by a Lambda function. Which AWS service should be used to store and rotate the credentials automatically?

Question 273 (medium, multiple choice)

A company is using Amazon Redshift for analytics and needs to ensure that all data is encrypted at rest. The current cluster does not have encryption enabled. What is the most efficient way to enable encryption?

Question 274 (hard, multiple choice)

A data engineer needs to grant a data scientist access to query a Glue Data Catalog database but must prevent the data scientist from seeing the underlying S3 data locations. Which approach should be used?

Question 275 (easy, multiple choice)

A company has an S3 bucket that stores logs for compliance. The compliance team requires that objects are retained for 7 years and cannot be deleted or overwritten. Which S3 feature should be used?

Question 276 (medium, multi select)

A company needs to protect sensitive data stored in Amazon S3 from unauthorized access. Which TWO actions should the data engineer take? (Choose two.)

Question 277 (hard, multi select)

A company is using AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that only specific IAM roles can decrypt the data. Which THREE steps should the data engineer take? (Choose three.)

Question 278 (easy, multi select)

A company needs to audit access to their Amazon S3 buckets. Which TWO services can be used together to achieve this? (Choose two.)

Question 279 (medium, multiple choice)

Refer to the exhibit. A data engineer has attached this KMS key policy to a customer-managed key. The policy is intended to allow the DataEngineer role to decrypt objects in S3 only when the request comes through S3. However, the role is unable to decrypt objects stored in an S3 bucket in the us-west-2 region. What is the most likely cause?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/DataEngineer"
      },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

Question 280 (hard, multiple choice)

Refer to the exhibit. A data engineer runs the above command and sees that the DataLakeAdmin role has the AmazonS3FullAccess and AWSLakeFormationDataAdmin policies attached. The engineer wants to ensure that the role can only access S3 data through Lake Formation. What should the engineer do?

Exhibit

```
aws iam list-attached-role-policies --role-name DataLakeAdmin
{
  "AttachedPolicies": [
    {
      "PolicyName": "S3FullAccess",
      "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"
    },
    {
      "PolicyName": "LakeFormationAdmin",
      "PolicyArn": "arn:aws:iam::aws:policy/AWSLakeFormationDataAdmin"
    }
  ]
}
```

Question 281 (easy, multiple choice)

Refer to the exhibit. A data engineer checks the versioning status of an S3 bucket and sees the above output. The bucket contains critical logs that must not be permanently deleted. What should the engineer do to enhance protection against accidental or malicious deletion?

Exhibit

```
aws s3api get-bucket-versioning --bucket my-company-logs
{
  "Status": "Enabled",
  "MFADelete": "Disabled"
}
```

Question 282 (medium, multiple choice)

A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which key type should be used to meet this requirement without manual intervention?

Question 283 (easy, multiple choice)

A data engineer needs to grant an IAM role read-only access to Amazon DynamoDB tables in a specific AWS account. Which IAM policy element should be used to restrict access to only the 'GetItem' and 'Query' actions?

Question 284 (hard, multiple choice)

A company stores sensitive customer data in an Amazon S3 bucket with versioning enabled. A data engineer accidentally deleted the current version of an object. What is the quickest way to restore the object to its previous state without additional data transfer costs?

Question 285 (medium, multiple choice)

A data engineer is configuring an Amazon Redshift cluster to encrypt data at rest. The company policy requires that encryption keys be stored in AWS CloudHSM. Which integration should the engineer use to meet this requirement?

Question 286 (hard, multiple choice)

A company uses AWS Lake Formation to manage data lakes on Amazon S3. The data engineer needs to grant a data analyst access to query specific columns in a table using Amazon Athena, but deny access to columns containing personally identifiable information (PII). Which Lake Formation feature should be used?

Question 287 (easy, multiple choice)

A company is using Amazon S3 to store log files. The security team requires that all data be encrypted in transit. Which of the following ensures encryption in transit for S3?

Question 288 (medium, multiple choice)

An organization wants to audit all API calls made to AWS services for compliance. Which AWS service should be used to capture and store these API calls?

Question 289 (hard, multiple choice)

A data engineer is troubleshooting an issue where an Amazon Redshift query returns an error: 'ERROR: permission denied for relation table_name'. The user has been granted SELECT on the table. What is the most likely cause?

Question 290 (easy, multiple choice)

A company is designing a data pipeline that ingests data from an on-premises database to Amazon S3. The data contains personally identifiable information (PII) that must be masked before storage. Which AWS service can be used to mask the data in transit?

Question 291 (medium, multi select)

A company needs to enforce encryption at rest for all data stored in Amazon S3. Which of the following are valid methods to achieve this? (Choose TWO.)

Question 292 (hard, multi select)

A data engineer is configuring a VPC for an Amazon Redshift cluster. The cluster must be accessible only from a specific on-premises network via a Direct Connect connection. Which TWO actions should the engineer take to meet this requirement? (Choose TWO.)

Question 293 (easy, multi select)

A company wants to ensure that an IAM user can only launch Amazon EC2 instances of a specific instance type. Which THREE IAM policy elements are required to define this permission? (Choose THREE.)

Question 294 (medium, multiple choice)

Refer to the exhibit. An IAM policy is attached to an IAM user. The user is trying to download an object from the S3 bucket 'example-bucket' from an IP address 10.1.1.1, but the request is denied. What is the most likely reason?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}
```

Question 295 (hard, multiple choice)

Refer to the exhibit. A data engineer runs a CLI command to decrypt a file and receives an access denied error. The IAM user 'DataEngineer' has the following policy attached:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "*"
    }
  ]
}
```

What is the most likely cause of the error?

Exhibit

```
$ aws kms decrypt --ciphertext-blob fileb://encrypted.txt --key-id arn:aws:kms:us-east-1:123456789012:key/abc123
```

Question 296 (easy, multiple choice)

Refer to the exhibit. A data engineer creates an external table in AWS Glue Data Catalog pointing to an S3 bucket that contains encrypted objects (SSE-S3). The CREATE TABLE statement fails with an error. What change should be made to fix the error?

Exhibit

```sql
CREATE EXTERNAL TABLE IF NOT EXISTS mydb.sales (
  id INT,
  product STRING,
  price DOUBLE
)
ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.OpenCSVSerde'
LOCATION 's3://my-bucket/sales-data/'
TBLPROPERTIES ('has_encrypted_data'='false');
```

Question 297 (medium, multiple choice)

A company uses AWS Glue to process sensitive data stored in S3. The security team requires that all data be encrypted at rest using customer-managed KMS keys. The data engineers are encountering 'Access Denied' errors when running Glue ETL jobs. What is the most likely cause?

Question 298 (hard, multiple choice)

A company stores PII in an S3 bucket. The security team wants to use Amazon Macie to discover sensitive data. After enabling Macie, they notice that no sensitive data findings are generated. The S3 bucket is in the same account. What is the most likely reason?

Question 299 (easy, multiple choice)

A company needs to audit all API calls made in their AWS account, including actions performed by the root user. Which AWS service should be used?

Question 300 (medium, multiple choice)

A data engineer needs to encrypt data at rest in an Amazon Redshift cluster. The company requires that the encryption key be managed by the customer and rotated annually. Which solution meets these requirements?

Question 301 (easy, multiple choice)

A company wants to grant read-only access to an S3 bucket for a data analyst. The analyst should be able to list objects and read object content. Which IAM policy effect and action combination is correct?

Question 302 (hard, multiple choice)

A company is using Amazon EMR with Kerberos authentication. They want to ensure that data in transit between EMR cluster nodes is encrypted. Which configuration should be applied?

Question 303 (medium, multiple choice)

A data engineer needs to store sensitive data in Amazon S3 and automatically classify the data using a managed service. The data is uploaded via an S3 bucket. Which AWS service can automatically detect and classify sensitive data?

Question 304 (easy, multiple choice)

A company is using AWS Lake Formation to manage permissions on a data lake. They want to grant a data scientist the ability to query tables in the 'analytics' database using Amazon Athena, but prevent them from accessing the underlying S3 data directly. What is the best way to achieve this?

Question 305 (hard, multiple choice)

A company is designing a data pipeline using Amazon Kinesis Data Streams. The data includes personally identifiable information (PII). The security team requires that data be encrypted at rest using a customer-managed KMS key. How should the data engineer configure the Kinesis stream?

Question 306 (medium, multi select)

A company wants to use AWS CloudTrail to monitor data events for an S3 bucket. Which TWO configurations are required to capture object-level API operations?

Question 307 (hard, multi select)

A company is using AWS KMS with customer-managed keys to encrypt data in Amazon RDS. The security team wants to ensure that the key can be rotated automatically every year. Which THREE steps are required to achieve automatic key rotation?

Question 308 (easy, multi select)

A data engineer needs to monitor and log changes to IAM policies in an AWS account. Which TWO AWS services can be used together to achieve this?

Question 309 (hard, multi select)

A company stores sensitive customer data in an Amazon S3 bucket. The security team requires that all data be encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). Additionally, they want to ensure that the encryption context is enforced for all PutObject requests. Which THREE steps should be taken to meet these requirements?

Question 310 (medium, multi select)

A company is using Amazon Redshift for data warehousing. They need to ensure that data is encrypted at rest and in transit. Which TWO configurations are required to meet these requirements?

Question 311 (hard, multiple choice)

A company runs a data lake on Amazon S3 with AWS Glue and Amazon Athena. The security team recently ran a report using Amazon Macie and found that multiple S3 objects containing PII are publicly accessible. The data engineer is tasked with remediating this issue immediately. The S3 bucket is configured with a bucket policy that grants public read access to all objects. The data engineer needs to ensure that no objects are publicly accessible while maintaining the ability for authorized IAM users and roles to access the data via Athena. The bucket must also remain accessible to the Glue crawler. What is the MOST effective course of action?

Question 312 (medium, multiple choice)

A company uses Amazon RDS for MySQL to store application data. The security team requires that all database credentials be rotated automatically every 90 days. The data engineer needs to implement a solution that minimizes operational overhead. The database credentials are stored in AWS Secrets Manager. The application retrieves the credentials at startup and caches them for the duration of the session. The application is deployed on Amazon ECS with Fargate. Which solution should the data engineer implement to meet the rotation requirement with minimal overhead?

Question 313 (easy, multiple choice)

A company is using Amazon S3 to store log files. The security team wants to ensure that any object uploaded to the S3 bucket is automatically scanned for malware before being processed by downstream applications. The data engineer needs to implement a solution that integrates with AWS services and minimizes latency. The bucket receives thousands of objects per day. Which solution should the data engineer use?

Question 314 (medium, multiple choice)

A company stores sensitive customer data in an S3 bucket. The security team requires that all data be encrypted at rest using a customer-managed AWS KMS key. However, when a data engineer attempts to upload an object using the AWS CLI, the upload fails with an access denied error. The engineer has s3:PutObject permission on the bucket. Which additional permission is most likely missing?

Question 315 (hard, multiple choice)

A data engineering team uses AWS Glue ETL jobs to process data from an S3 data lake and load it into an Amazon Redshift cluster. The security policy mandates that all data in transit between AWS Glue and Redshift must be encrypted using TLS. The team uses a JDBC connection. Currently, the connection is failing with an SSL-related error. Which configuration change should the team make to ensure encrypted connectivity?

Question 316 (easy, multi select)

A data analytics company uses Amazon Athena to query data stored in an S3 bucket. The data contains personally identifiable information (PII). The security team wants to ensure that only authorized users can access the data through Athena, and that the data is encrypted at rest in S3. Which combination of actions should the company take? (Choose two.)

Question 317 (medium, multiple choice)

A company uses AWS Lake Formation to manage permissions on a data lake stored in S3. A data scientist is unable to query a table in Amazon Athena, receiving an 'Access Denied' error. The data scientist has IAM permissions to call Athena and has been granted SELECT permission on the table in Lake Formation. What is the most likely cause?

Question 318 (hard, multiple choice)

A company has an AWS Glue ETL job that reads data from an S3 bucket, transforms it, and writes to another S3 bucket. The security team requires that data in transit between the Glue job and S3 be encrypted using TLS. The Glue job runs in a VPC with a VPC endpoint for S3. Which configuration ensures TLS encryption for all data transfer?

Question 319 (medium, multiple choice)

A data engineer needs to grant an IAM user read-only access to a specific prefix (folder) in an S3 bucket. The bucket contains sensitive data. Which S3 bucket policy statement achieves this?

Question 320 (easy, multi select)

A company is designing a data lake on AWS using S3. The security team requires that all data be encrypted at rest and that encryption keys be rotated annually. Which services can be used to meet these requirements? (Choose TWO.)

Question 321 (medium, multi select)

A data engineer needs to audit all access to an S3 bucket containing sensitive data. The engineer must capture who accessed the bucket, from which IP address, and what actions were performed. Which AWS services should be used together to meet this requirement? (Choose THREE.)

Question 322 (hard, multi select)

A company uses Amazon Redshift for data warehousing. The security team requires that data be encrypted at rest using a customer-managed key (CMK) in AWS KMS, and that the key be rotated automatically every year. Additionally, the team wants to restrict access to the key to only the Redshift cluster and a security admin IAM role. Which steps should the company take? (Choose THREE.)

Question 323 (easy, multi select)

A company is using AWS Glue to catalog data in S3. The security team wants to ensure that only authorized users can access the Glue Data Catalog and that data lineage is tracked. Which AWS services can be used together to meet these requirements? (Choose TWO.)

Question 324 (medium, multi select)

A data engineer is configuring an S3 bucket policy to allow cross-account access for a partner organization to write data to a specific prefix. The partner's AWS account ID is 111111111111. The engineer wants to ensure that only the partner can write, and that the partner cannot read or delete objects. Which policy statements should be included? (Choose TWO.)

Question 325 (hard, multiple choice)

A healthcare company stores patient records in an S3 bucket encrypted with SSE-S3. The data engineering team uses AWS Glue ETL jobs to process this data and load it into an Amazon Redshift cluster for analytics. Recently, the security team mandated that all sensitive data must be encrypted at rest using customer-managed keys (CMK) in AWS KMS, and that the keys must be rotated automatically every year. The team updated the S3 bucket to use SSE-KMS with a CMK and enabled automatic key rotation. However, after the change, the Glue ETL jobs that read from the S3 bucket started failing with 'Access Denied' errors. The Glue job uses an IAM role named 'GlueETLRole' that has the following permissions: s3:GetObject on the bucket, kms:Decrypt and kms:GenerateDataKey on the CMK, and all necessary Glue permissions. The Redshift cluster is also encrypted with a different CMK, and the Glue role has kms:Decrypt on that key as well. What is the most likely cause of the failure?

Question 326 (medium, multiple choice)

A financial services company uses Amazon Athena to query a data lake in S3. The data lake contains sensitive financial transactions. The security team has implemented row-level security using views in AWS Glue Data Catalog. Each view is defined with a WHERE clause that filters rows based on the user's IAM role using a custom tag. However, when a data analyst runs a SELECT * FROM view_name in Athena, the query returns all rows, ignoring the row-level filter. The analyst's IAM role has the tag 'department=analytics'. The view was created with a filter condition 'department = current_user_department()', where current_user_department() is a user-defined function that extracts the department tag from the caller's IAM role. The function is defined in the Glue Data Catalog. What is the most likely reason the filter is not applied?

Question 327 (easy, multiple choice)

A company uses Amazon RDS for MySQL to store application data. The database contains personally identifiable information (PII). The security team requires that all data be encrypted at rest using AWS KMS. The database is currently unencrypted. The data engineer needs to enable encryption without significant downtime. Which approach should the data engineer take?

Question 328 (medium, multiple choice)

A data engineering team uses AWS Lambda functions to process streaming data from Amazon Kinesis Data Streams and write the results to an S3 bucket. The S3 bucket is encrypted with SSE-KMS using a customer-managed key (CMK). The Lambda function's IAM role has permissions for kms:Decrypt and kms:GenerateDataKey on the CMK. However, the Lambda function fails with an 'Access Denied' error when writing to S3. The S3 bucket policy allows s3:PutObject from the Lambda function's IAM role. What is the most likely cause?

Question 329 (hard, multiple choice)

A multinational corporation uses AWS Organizations to manage multiple accounts. The data engineering team has a central data lake account that stores all data in S3. The security team requires that all cross-account access to the data lake be logged and that any access from outside the organization be blocked. The team has enabled S3 server access logs and AWS CloudTrail. However, they notice that some requests from an external AWS account are still able to read data from the data lake. The bucket policy currently allows cross-account access to a specific partner account for data exchange. What additional step should the team take to block access from all other external accounts?

Question 330 (hard, multiple choice)

A financial services company uses a multi-account AWS Organization with hundreds of accounts. The data engineering team needs to enable cross-account access to an encrypted S3 bucket in the data lake account (account ID 111111111111) for a Glue ETL job running in the analytics account (account ID 222222222222). The S3 bucket uses AWS KMS customer managed key (CMK) for server-side encryption (SSE-KMS). The Glue job fails with an AccessDenied error when trying to read data from the bucket. The IAM roles in both accounts have the necessary S3 permissions and the bucket policy allows access from the analytics account. What is the most likely cause of the failure?

Question 331 (medium, multi select)

A healthcare company stores sensitive patient data in an S3 bucket (bucket name: patient-data-prod). The security team requires that all data be encrypted in transit and at rest, and that access be logged for auditing. The company currently uses S3 default encryption with SSE-S3. An external auditor finds that some objects have been uploaded without encryption because the default encryption setting was not applied to objects uploaded before the setting was enabled. The company wants to prevent any future unencrypted uploads and ensure all existing objects are encrypted. Which combination of actions should the data engineer take? (Choose TWO.)

Question 332 (hard, multiple choice)

A data team uses AWS Glue ETL jobs to process data from an S3 bucket (s3://data-lake-raw) and write results to another S3 bucket (s3://data-lake-processed). Both buckets are encrypted with SSE-KMS using the same KMS key (alias 'data-key'). The Glue job runs in the same account. The team recently enabled S3 Server Access Logging for the raw bucket, sending logs to a separate logging account. After enabling logging, the Glue job starts failing with 'AccessDenied' when reading from the raw bucket. The Glue job's IAM role has s3:GetObject permission on the raw bucket. Which additional permission is most likely missing?

Question 333 (medium, multiple choice)

A data engineer is setting up a data pipeline that ingests streaming data from Amazon Kinesis Data Streams into an S3 data lake using Amazon Kinesis Data Firehose. The data contains personally identifiable information (PII). The security team requires that all data be encrypted at rest in S3 using an AWS KMS customer managed key (CMK) that is specific to the application. Additionally, the data must be encrypted in transit between all services. The engineer creates the KMS key and configures Firehose to use server-side encryption with the key for the S3 destination. However, Firehose delivery fails with an error indicating that the KMS key is not accessible. What is the most likely cause?
