20+ practice questions focused on Data Security and Governance — one of the most tested topics on the AWS Certified Data Engineer Associate DEA-C01 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A data engineer needs to ensure that an Amazon S3 bucket used for sensitive data is encrypted at rest using a customer-managed AWS KMS key. The bucket policy must enforce encryption for all PUT requests. Which policy statement should be added to the bucket policy?
Explanation: Option C is correct because it uses a Deny effect with a condition that blocks PUT requests unless the encryption header specifies 'aws:kms' (SSE-KMS) AND the KMS key ID matches the required customer-managed key. The combination of StringNotEquals on the encryption type and Null on the key ID ensures that any request not using the specified KMS key is denied, enforcing both encryption at rest and the use of the customer-managed key.
A company uses AWS Glue to process sensitive data stored in Amazon S3. The security team requires that all data in transit between AWS Glue and S3 be encrypted. Which configuration should be used to meet this requirement?
Explanation: Option A is correct because requiring HTTPS for all requests to the S3 bucket ensures that data in transit between AWS Glue and S3 is encrypted using TLS. By using an S3 bucket policy with a condition that denies requests where `aws:SecureTransport` is false, the company enforces encryption for all connections, including those from AWS Glue. This meets the security requirement without needing to modify Glue or S3 configurations beyond the bucket policy.
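The two bucket-policy explanations above (SSE-KMS with a required key, and `aws:SecureTransport`) can be checked side by side. The following is an added example, not part of the original question set: it builds one common form of such a policy and runs a simplified model of IAM condition evaluation over constructed requests. The bucket name, key ARN and helper names are assumptions.

```python
import json

# Assumed placeholders (not from the page): bucket name and KMS key ARN.
BUCKET = "example-sensitive-bucket"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
ENC = "s3:x-amz-server-side-encryption"
ENC_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"

def deny(sid, action, resource, condition):
    return {"Sid": sid, "Effect": "Deny", "Principal": "*",
            "Action": action, "Resource": resource, "Condition": condition}

POLICY = {"Version": "2012-10-17", "Statement": [
    # PUTs whose encryption header is missing or not SSE-KMS
    deny("DenyNonKmsPut", "s3:PutObject", f"arn:aws:s3:::{BUCKET}/*",
         {"StringNotEquals": {ENC: "aws:kms"}}),
    # PUTs that name no key or a key other than the required one
    deny("DenyWrongKey", "s3:PutObject", f"arn:aws:s3:::{BUCKET}/*",
         {"StringNotEquals": {ENC_KEY: KEY_ARN}}),
    # Any request that did not arrive over TLS
    deny("DenyPlainHttp", "s3:*",
         [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         {"Bool": {"aws:SecureTransport": "false"}}),
]}

def condition_matches(op, key, want, ctx):
    """Simplified model of the two condition operators used above."""
    have = ctx.get(key)
    if op == "StringNotEquals":   # negated operator: a missing key matches
        return have != want
    if op == "Bool":              # a missing key never matches
        return have is not None and str(have).lower() == want
    raise ValueError(f"operator not modelled: {op}")

def denied_by(action, ctx):
    """Sids of Deny statements hit by a request to this bucket.
    Principal and Resource matching are not modelled."""
    hits = []
    for st in POLICY["Statement"]:
        if st["Action"] not in (action, "s3:*"):
            continue
        # Every operator/key pair inside one statement is ANDed.
        if all(condition_matches(op, k, v, ctx)
               for op, kv in st["Condition"].items() for k, v in kv.items()):
            hits.append(st["Sid"])
    return hits

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))   # paste-ready policy document
```

Because `StringNotEquals` also matches when the header is absent, an upload that sends no encryption headers is denied by both PUT statements.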
A data engineer is troubleshooting an AWS Lake Formation permissions issue. A user is able to query an Amazon Athena table but cannot see the underlying S3 data in the AWS Glue Data Catalog. The user has been granted SELECT permission on the table in Lake Formation. What is the most likely cause?
Explanation: In AWS Lake Formation, the ability to query a table via Athena (which requires SELECT permission) is separate from the ability to view the table's metadata in the Glue Data Catalog. To see the underlying S3 data location or table properties in the catalog, a user needs DESCRIBE permission on the table. Without DESCRIBE, the table appears invisible in the Glue console or API, even though SELECT queries succeed.
A company uses Amazon Redshift to store customer data. The security team requires that all queries are logged for auditing purposes. Which combination of steps should be taken to meet this requirement? (Select TWO.)
Explanation: Option B is correct because AWS CloudTrail can be configured to log Redshift API calls, such as CreateCluster, DeleteCluster, and ModifyCluster, which provides an audit trail of administrative actions. Option E is correct because Amazon Redshift supports native audit logging, including connection logs, user activity logs, and query logs, which can be exported to an Amazon S3 bucket for long-term retention and analysis.
A company is designing a data lake on Amazon S3. The security policy requires that all data be encrypted at rest using AWS KMS with automatic key rotation. Which encryption option meets these requirements? (Select THREE.)
Explanation: Option A is correct because AWS KMS customer-managed keys (CMKs) support automatic key rotation, which can be enabled to rotate the key material annually. This satisfies the security policy requirement for automatic key rotation. SSE-KMS with a CMK (Option D) is also required because AWS managed keys (Option B) do not support automatic key rotation, and SSE-C (Option E) does not use KMS at all. Setting default encryption on the S3 bucket to SSE-KMS with the CMK (Option C) ensures all objects are encrypted with that key, meeting the encryption-at-rest requirement.
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Data Security and Governance. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Data Security and Governance questions on the DEA-C01 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Data Security and Governance is tested as part of the AWS Certified Data Engineer Associate DEA-C01 blueprint. Practicing with targeted Data Security and Governance questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free DEA-C01 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Data Security and Governance is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.