Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

DVA-C02 · Free, no signup required

Security

Practice DVA-C02 Security questions with full explanations on every answer.

429 questions

Security practice sessions: 10 questions (~10 min), 20 questions (~20 min), 30 questions (~30 min), or 50 questions (~50 min). Free, no account required.

DVA-C02 domains: Development with AWS Services, Security, Deployment, Troubleshooting and Optimization.

DVA-C02 Security questions (showing 300 of 429)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A developer has an AWS Lambda function that needs to read objects from an S3 bucket in another account. The Lambda function's execution role includes an IAM policy that allows s3:GetObject on the bucket. The bucket owner has added a bucket policy that grants s3:GetObject to the Lambda execution role. However, the Lambda function receives Access Denied errors. The S3 bucket uses SSE-KMS for encryption. What is the most likely cause?

2

A company has multiple AWS accounts managed under AWS Organizations. The security team requires that all Amazon S3 buckets with bucket names containing 'logs' must be encrypted with a specific KMS key (key ID: alias/logs-key) at rest. A developer must enforce this using an SCP (Service Control Policy). Which SCP effect and condition key should be used to deny any PutObject request that does not use the required KMS key?

3

A developer needs to grant a user in another AWS account (Account B) read-only access to objects in an Amazon S3 bucket owned by Account A. The developer has already added a bucket policy that grants s3:GetObject access to the IAM user in Account B. However, the user in Account B still gets Access Denied when trying to read objects. What additional configuration is required?

4

A developer needs to ensure that every cryptographic operation performed on an AWS KMS customer master key (CMK) used for server-side encryption in Amazon S3 is recorded in AWS CloudTrail for auditing. The developer has already enabled CloudTrail and is logging management events. However, the security team wants to see all calls to the KMS Decrypt and Encrypt APIs for this specific key. What must the developer do?

5

A developer is building a mobile application that uses Amazon Cognito for user authentication. After a user signs in, the application needs to access an Amazon DynamoDB table. The developer has set up an identity pool with an authenticated role. The IAM role attached to the authenticated identity has a policy allowing the required DynamoDB actions. However, users report that they cannot perform DynamoDB operations. What is the MOST likely cause of this issue?

6

A company uses a customer managed AWS KMS key to encrypt sensitive data stored in DynamoDB. A Lambda function reads from the DynamoDB table and needs to decrypt the data. The Lambda function's execution role has an IAM policy that allows kms:Decrypt on the key. However, access is denied. What must the developer add to the KMS key policy to resolve the issue?

7

A company has an AWS Lambda function that processes sensitive financial data. The function uses environment variables to store database connection strings. A security audit requires that all sensitive data be encrypted at rest and in transit. The developer must ensure that the environment variables are encrypted with a customer-managed key that is rotated quarterly. What should the developer do?

8

A company has an Amazon S3 bucket (Bucket-A) in Account A that contains sensitive data. A developer in Account B needs read-only access to objects in Bucket-A. The developer in Account A added a bucket policy granting s3:GetObject to the IAM user in Account B. However, the IAM user in Account B still receives Access Denied errors. What additional step is required?

9

A company uses an Amazon S3 bucket to store sensitive documents. The security team requires that all objects uploaded to the bucket must be encrypted at rest using server-side encryption with a customer-managed KMS key (SSE-KMS). A developer needs to enforce this by denying any PutObject request that does not specify the required encryption. Which bucket policy condition should be used?

10

A company stores sensitive data in Amazon S3. The security team requires that all objects are encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). The developer needs to enforce that any PutObject request that does not specify the 'x-amz-server-side-encryption' header with value 'aws:kms' is denied. Which S3 bucket policy condition should be used?

11

A developer in Account A has an Amazon S3 bucket that contains sensitive data. The developer wants to grant an IAM user in Account B read-only access to objects in the bucket. The developer has added a bucket policy in Account A that grants s3:GetObject access to the IAM user's ARN. However, the IAM user in Account B still receives Access Denied errors. What additional configuration is required?

12

A company runs an application on Amazon EC2 that needs to securely store database credentials. The security team requires that credentials be automatically rotated every 30 days to reduce the risk of compromise. The application must be able to retrieve the credentials at startup without storing them in code or configuration files. Which AWS service should the developer use?

13

A company wants to grant a third-party vendor access to an Amazon S3 bucket in the company's AWS account. The vendor has their own AWS account. The company requires the vendor to include a unique identifier in each request to verify their identity before granting access. Which policy element should the company include in the S3 bucket policy?

14

A company is developing a web application that runs on Amazon EC2 instances. The application needs to access an Amazon DynamoDB table to store and retrieve data. The security team requires that no IAM users or roles should be used; instead, the application must use temporary credentials that are automatically rotated. Which approach should the developer use to securely grant access to DynamoDB?

15

A company uses AWS Secrets Manager to store database credentials. The credentials must be automatically rotated every 30 days. The developer needs to configure rotation without exposing the secret to any IAM user directly. Which configuration steps should the developer take?

16

A developer needs to grant an IAM role in Account B read-only access to objects in an S3 bucket in Account A. The bucket is encrypted with server-side encryption using AWS KMS (SSE-KMS) with a customer managed key (CMK) in Account A. Which combination of policies is required for the cross-account access to succeed?

17

A developer is storing an API secret for a third-party service in AWS Secrets Manager. The secret needs to be accessed by an AWS Lambda function that runs in a VPC. The Lambda function must have the minimum required permissions. Which IAM policy statement should the developer attach to the Lambda execution role?

18

A developer is building an application that needs to read a secret API key from AWS Secrets Manager. The application runs on an EC2 instance that is part of an Auto Scaling group. The developer wants to ensure that only this application can retrieve the secret. Which set of steps should the developer take?

19

A developer is designing an application that will process credit card payments and store them temporarily in an Amazon DynamoDB table. The developer must ensure that the payment data is encrypted at rest and that the encryption key is managed by the company's security team using AWS KMS. Which type of encryption should the developer enable on the DynamoDB table?

20

A company uses AWS KMS customer master keys (CMKs) to encrypt sensitive data in Amazon S3. A compliance requirement mandates that the backing keys for the CMKs be automatically rotated every year. The developer must implement this with minimal operational overhead. Which solution meets the requirement?

21

A developer needs to grant read-only access to objects in an S3 bucket (in Account A) to an IAM role in Account B. The bucket uses server-side encryption with AWS KMS (SSE-KMS) using a customer managed key (CMK) in Account A. Which of the following is REQUIRED for the cross-account access to succeed?

22

A company manages multiple AWS accounts using AWS Organizations. A developer needs to allow an IAM role in the production account to read objects from an S3 bucket in the development account. The bucket is encrypted with an AWS KMS customer managed key (CMK) in the development account. Which of the following is required to enable this cross-account access?

23

A company stores sensitive documents in an Amazon S3 bucket. The security team requires that all objects uploaded must be encrypted at rest using a specific customer-managed AWS KMS key (key-id: 1234-5678). The developer must enforce this by denying any PutObject request that does not use the correct key. Which S3 bucket policy condition should be used?

24

A company uses AWS Organizations with multiple accounts. A developer needs to grant an IAM user in Account A (111111111111) read-only access to an S3 bucket in Account B (222222222222). The bucket is encrypted with SSE-S3. Which combination of policies is required for cross-account access?

25

A company has an S3 bucket that stores sensitive data. They want to ensure that any object uploaded to the bucket is automatically encrypted with server-side encryption using AWS KMS (SSE-KMS). They also want to deny any uploads that do not specify the correct encryption. Which bucket policy condition should be used to enforce this requirement?

26

A developer is deploying a containerized application on Amazon ECS with the Fargate launch type. The application needs to read data from an Amazon S3 bucket. The developer wants to follow the principle of least privilege. How should the developer grant the necessary permissions to the ECS tasks?

27

A company has an IAM policy that allows access to an S3 bucket only if the request comes from a specific VPC endpoint. The developer notices that requests from an EC2 instance in that VPC are being denied. What is the most likely cause?

28

A company uses AWS KMS to encrypt data at rest in S3. The security team requires that all objects uploaded to a specific S3 bucket must be encrypted with a specific KMS key (key ID: xyz). The developer needs to enforce this by denying any PutObject request that does not use the correct key. Which bucket policy condition should be used?

29

A company stores application logs in an Amazon S3 bucket. The security team requires that all objects uploaded to the bucket must be encrypted at rest using an AWS KMS key. The developer needs to enforce this by denying any PutObject request that does not use the required encryption. Which bucket policy condition should be used?

30

A company stores sensitive data in Amazon S3. A developer needs to implement a solution that automatically encrypts objects at rest using a key that is rotated annually. The developer must minimize operational overhead. Which solution meets these requirements?

31

A developer launches an Amazon EC2 instance that needs to read and write data to an Amazon DynamoDB table. The developer must follow the principle of least privilege and ensure that no long-term credentials are stored on the instance. Which approach should the developer use?

32

A company requires that all data in Amazon S3 be encrypted at rest using server-side encryption with a customer-managed KMS key. The developer needs to ensure that any object uploaded without the x-amz-server-side-encryption header set to aws:kms is denied. How can this be enforced?

33

A developer needs to allow users from another AWS account (account ID: 123456789012) to read objects in an S3 bucket owned by the developer's account. The developer wants to use a bucket policy and does not want to create IAM users in the other account. Which bucket policy statement achieves this securely?

34

A company wants to enforce that all uploads to an Amazon S3 bucket must be encrypted using server-side encryption. The developer needs to write an IAM policy condition that denies any s3:PutObject request that does not include the server-side encryption header. Which IAM condition key should be used?

35

A company runs an application on Amazon EC2 instances that need to read files from an Amazon S3 bucket. The developer must grant access to the S3 bucket without storing long-term credentials on the instances. Which approach should the developer use?

36

A company has an S3 bucket that stores sensitive data. The data is encrypted at rest using an AWS KMS customer managed key (CMK). The security team wants to ensure that only a specific IAM role in the same account can decrypt the objects. Which configuration should the developer implement?

37

A developer needs to grant an IAM user in the same AWS account access to a specific object in an S3 bucket. The bucket policy currently grants access only to the bucket owner (the root account). Which identity-based policy statement should the developer add to the IAM user's permissions?

38

A developer wants to enforce that all requests to an Amazon S3 bucket must use HTTPS (TLS). The bucket is used for static website hosting. Which bucket policy condition should be used to deny requests that do not use HTTPS?

39

A company wants to enforce that all uploads to an Amazon S3 bucket must be encrypted using server-side encryption with a specific AWS KMS customer managed key (CMK). The developer needs to write an IAM policy condition that denies any s3:PutObject request that does not use the specified KMS key. Which IAM condition key should be used?

40

A company has an Amazon S3 bucket that stores sensitive documents. The security team wants to ensure that all GET requests to the bucket are authenticated and that the requester does not have public access. Which combination of S3 features should the developer implement?

41

A developer needs to grant cross-account access to an Amazon S3 bucket. The developer's AWS account (Account A) owns the bucket, and a user in another account (Account B) needs to write objects to it. The developer has already added a bucket policy that grants the user in Account B permissions. What additional step is required?

42

A developer is deploying an application on Amazon EC2 instances that need to securely retrieve secrets from AWS Secrets Manager. What is the MOST secure way to provide the necessary permissions without hardcoding credentials?

43

A company requires that all objects uploaded to an Amazon S3 bucket are encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). The developer wants to enforce this with a bucket policy. Which condition key and value should be used in the policy to deny uploads that do not meet this requirement?

44

A company requires that all API calls to create an Amazon S3 bucket must include a specific tag (e.g., 'CostCenter'). Which IAM policy condition key should a developer use to enforce this requirement?

45

A company has an S3 bucket containing confidential data. The security team wants to ensure that the bucket is never publicly accessible, even if a bucket policy or ACL is incorrectly set to allow public access. Which S3 feature should the developer enable?

46

A company wants to store database credentials securely and rotate them automatically on a schedule. The credentials are used by an AWS Lambda function to access an Amazon RDS instance. Which AWS service should the developer use to meet these requirements?

47

A developer needs to grant an IAM role in the same AWS account read-only access to objects in a specific S3 bucket. The bucket is configured with a bucket policy that has an explicit Deny statement denying all principals except the root user. Which approach should the developer use to grant the required access?

48

A developer needs to grant temporary access to an Amazon S3 bucket for a user from a different AWS account. The developer wants to use the most secure method that does not require sharing long-term credentials. Which approach should the developer take?

49

A developer needs to allow an IAM user in a different AWS account to assume a role in the developer's account. The role has permissions to access an S3 bucket. Which policy is required in the developer's account to enable this cross-account access?

50

A developer runs an application on Amazon EC2 that needs to securely store database credentials (username and password). The security team requires that the credentials be automatically rotated every 30 days. Which AWS service should the developer use to store and automatically rotate the credentials?

51

A developer stores database credentials for an application running on Amazon EC2. The security team requires that the credentials be automatically rotated every 30 days to reduce the risk of compromise. Which AWS service should the developer use to store and automatically rotate the credentials?

52

A company wants to enforce multi-factor authentication (MFA) for all users accessing the AWS Management Console. The company has an existing IAM setup with users and groups. Which approach should the developer recommend to enforce MFA?

53

A company needs to grant another AWS account read-only access to an S3 bucket. The developer wants to use a bucket policy without requiring IAM users in the trusted account. Which resource-based policy statement should the developer add to the bucket?

54

A company runs an application on Amazon EC2 instances that need to read data from an Amazon DynamoDB table. The developer must grant access to DynamoDB without storing any long-term credentials on the instance. Which approach should the developer use?

55

A company wants to restrict access to an Amazon S3 bucket so that only requests originating from a specific Amazon VPC are allowed. The bucket is in the same AWS account as the VPC. Which configuration should the developer implement?

56

A developer is creating a web application that uses Amazon Cognito for user authentication. The application needs to verify the identity of users before allowing access to the API. Which Cognito feature should the developer use?

57

A developer is building a REST API with Amazon API Gateway and needs to authorize requests based on a custom JSON Web Token (JWT) that includes claims for user roles. Which authorization mechanism should the developer use?

58

A developer wants to grant a user in a different AWS account access to an S3 bucket. The developer has written a bucket policy that allows the user's IAM user ARN. However, the access is still denied. What is the most likely reason?

59

A company wants to ensure that no Amazon S3 buckets in the AWS account can be made publicly accessible, even if a bucket policy or ACL is later configured to allow public access. Which AWS feature should the developer enable to enforce this at the account level?

60

A developer is building a REST API using API Gateway and AWS Lambda. The API must only be accessible by authenticated users who belong to a specific group within an Amazon Cognito user pool. Which API Gateway authorization mechanism should the developer use?

61

A developer needs to grant cross-account access to an S3 bucket for an IAM user from another AWS account. The developer has added a bucket policy that allows the user's ARN. However, the user still cannot access the bucket. What additional step is required?

62

A company wants to enforce that all IAM users use multi-factor authentication (MFA) when accessing the AWS Management Console. Which IAM policy condition key should be used in a policy attached to each user or group to deny access if MFA is not present?

63

A developer is deploying a web application on EC2 instances behind an Application Load Balancer (ALB). The application needs to encrypt data in transit between the client and the ALB. Which AWS service should be used to manage the SSL/TLS certificate?

64

A company stores sensitive customer data in Amazon S3. The security policy requires that all data be encrypted at rest using server-side encryption with a customer-managed AWS KMS key. Which S3 server-side encryption option should the developer use?

65

A developer needs to store a database password for an AWS Lambda function. The password must be encrypted at rest with a customer-managed key that can be rotated manually. Which solution meets these requirements with minimal operational overhead?

66

An API Gateway HTTP API should allow access only to users authenticated by an external OIDC provider. Which authorizer type is most appropriate?

67

A Lambda function needs to decrypt data encrypted with a customer managed KMS key. Which two permissions are commonly required?

68

A developer stores database credentials in Secrets Manager. The application sometimes receives AccessDeniedException from Lambda after secret rotation. What should be checked first?

69

A mobile application must let authenticated users upload only to their own S3 prefix. Which approach best follows least privilege?

70

An application receives webhooks from a partner. The developer must verify that each request was signed by the partner and not modified in transit. What should the application validate?

71

A developer needs to call AWS APIs from application code running on EC2. Which credential source should the AWS SDK use by default?

72

An S3 bucket policy allows GetObject from another account, but objects encrypted with SSE-KMS still return AccessDenied. Which additional authorization is required?

73

A developer needs to prevent accidental public access to all S3 buckets in an account. Which account-level control should be enabled?

74

A Lambda function in a VPC must retrieve secrets from Secrets Manager without traversing the public internet. Which configuration should be used?

75

A developer uses API Gateway with Cognito. Which two token validations are important when authorizing API access?

76

An application in ECS Fargate needs to read a secret and decrypt it with KMS. Which two permissions/configurations are needed?

77

A developer needs to securely distribute temporary AWS credentials to authenticated mobile users. Which two components are commonly involved?

78

A team wants to prevent secrets from being committed to source control and reduce blast radius if a secret is exposed. Which two practices help?

79

Drag and drop the steps to deploy a containerized application using AWS ECS with Fargate in the correct order.

80

Drag and drop the steps to implement a disaster recovery plan using cross-region replication for S3 in the correct order.

81

Drag and drop the steps to set up a DynamoDB table with auto scaling in the correct order.

82

Match each AWS tool or feature to its description.

83

Match each AWS CLI command to its function.

84

Match each DynamoDB concept to its description.

85

A company wants to securely store secrets for a Lambda function. Which AWS service should they use?

86

A developer needs to allow an EC2 instance to read items from a DynamoDB table. Which is the best practice for granting permissions?

87

A company uses AWS KMS with customer managed keys to encrypt S3 objects. The security team requires automatic key rotation. What must the developer do to enable rotation?

88

A developer is writing a Lambda function that needs to access an RDS database. The function currently fails with a timeout. What is the most likely cause?

89

An application running on EC2 needs to access an S3 bucket. What is the most secure way to grant access?

90

A company wants to audit all API calls made to AWS. Which service should be used to collect and store these logs?

91

A developer receives an AccessDenied error when trying to upload a file to an S3 bucket that has a bucket policy requiring encryption in transit. What is the most likely cause?

92

A developer needs to securely store database credentials for a serverless application. Which service should be used?

93

A company has an S3 bucket with versioning enabled. A developer accidentally deleted an object. What must be done to recover it?

94

Which TWO are best practices for securing an AWS account? (Choose 2)

95

Which THREE are valid methods to encrypt data at rest in Amazon S3? (Choose 3)

96

Which TWO actions are required to enable server-side encryption for an Amazon RDS instance? (Choose 2)

97

A developer attached the above IAM policy to an IAM user. The user tries to download an object from example-bucket using the AWS CLI without specifying server-side encryption. What will happen?

98

A developer runs the commands above. The key is disabled. An application that uses this key to encrypt S3 objects starts failing. What should the developer do to fix the issue?

99

A developer receives the above error when trying to launch an EC2 instance. What is the most likely cause?

100

A developer is building a serverless application using AWS Lambda. The application needs to access a DynamoDB table and an S3 bucket. What is the MOST secure way to provide the necessary permissions?

101

A company wants to encrypt data at rest in Amazon S3. Which AWS service can be used to manage the encryption keys?

102

A developer is tasked with rotating database credentials stored in AWS Secrets Manager for an RDS MySQL instance. The rotation must occur automatically every 30 days. What is the BEST approach?

103

A developer is creating a new IAM policy to allow an application to read objects from a specific S3 bucket and write logs to a CloudWatch log group. Which policy statement is correct?

104

A developer needs to securely pass a secret API key to an AWS Lambda function. What is the MOST secure and recommended approach?

105

A company is using AWS CodeCommit for source control. Developers need to access the repository from their local machines. Which authentication method is recommended for secure access?

106

A developer notices that an IAM user has permissions to terminate EC2 instances, but the user should only be allowed to stop instances. The developer needs to update the policy to prevent termination while allowing stop. Which IAM policy statement should be added?

107

A developer wants to encrypt data in transit between an application and an S3 bucket. Which option achieves this?

108

A company has an S3 bucket with a policy that denies access to all users. The bucket owner wants to grant read access to a specific IAM user. What must be done?

109

A developer is designing a system that must meet the following security requirements: (1) Encrypt data at rest in S3, (2) Automatically rotate encryption keys annually, (3) Use an encryption key that is managed by AWS. Which services or features should the developer use? (Choose TWO.)

110

A developer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket despite having an IAM role with the correct permissions attached. Which THREE steps should the developer take to diagnose the issue?

111

Which TWO of the following are best practices for securing the AWS account root user?

112

A developer is using AWS Lambda and needs to ensure that the function can access an RDS database securely. Which THREE steps should be taken?

113

Refer to the exhibit. An IAM policy is attached to a user. The user attempts to download an object from my-bucket that was uploaded without server-side encryption. What happens?

114

Refer to the exhibit. A developer in account 111111111111 tries to assume a role in account 123456789012. The error occurs. What is the MOST likely cause?

115

A company is using an Application Load Balancer (ALB) to route traffic to a set of EC2 instances. The security team wants to ensure that only traffic from the ALB can reach the instances. Which security group configuration should be used?

116

A developer needs to grant an IAM user access to an S3 bucket for read-only operations. Which IAM policy action should be used?

117

A company has an S3 bucket configured with server-side encryption using AWS KMS (SSE-KMS). An application running on EC2 with an appropriate IAM role is unable to write objects to the bucket. The error message indicates an access denied error. Which additional permission is most likely required?

118

A developer is building a serverless application using AWS Lambda and needs to securely store database credentials. Which AWS service should be used to store and retrieve the credentials?

119

A company wants to encrypt data at rest in an Amazon RDS for PostgreSQL database. The database is already running, and the company wants to enable encryption without significant downtime. Which approach should be taken?

120

A developer needs to allow an IAM user to stop and start EC2 instances but not terminate them. Which IAM policy effect and action combination should be used?

121

A company is using Amazon Cognito for user authentication. The developers need to add multi-factor authentication (MFA) for security. Which Cognito feature should be enabled?

122

A developer is troubleshooting an issue where an S3 bucket policy is not granting cross-account access to a user in another AWS account. The bucket policy uses a Principal element with the AWS account ID. What is the most likely reason for the failure?

123

A company wants to ensure that all data in transit between a web application and its users is encrypted. Which AWS service can provide SSL/TLS termination?

124

Which TWO actions can help protect an S3 bucket from data leaks? (Choose two.)

125

Which THREE are best practices for managing IAM users and roles? (Choose three.)

126

Which TWO services can be used to encrypt data at rest in Amazon S3? (Choose two.)

127

A company is using an S3 bucket to store sensitive data. They want to ensure that all objects uploaded to the bucket are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). What is the most secure way to enforce this?

128

A developer is troubleshooting access to an S3 bucket from an EC2 instance. The instance has an IAM role with an attached policy that allows s3:GetObject on the bucket. However, the application is receiving Access Denied errors. What is a likely cause?

129

A developer needs to securely store database credentials for an application running on AWS Lambda. Which AWS service should they use?

130

A company is using AWS KMS to encrypt data in S3. They want to ensure that only specific IAM roles can decrypt the data, even if the IAM role has full S3 access. What should they do?

131

A developer is building an application that uploads files to S3. The application uses an IAM user with access keys. The developer wants to rotate the access keys regularly. Which approach is the most secure?

132

A company wants to give a third-party auditor read-only access to their AWS account for compliance purposes. What is the most appropriate way to grant this access?

133

A developer is using AWS Lambda to process sensitive data. The Lambda function needs to access a DynamoDB table that is encrypted with a customer-managed CMK. The developer is using the default Lambda execution role. What must be done to allow Lambda to decrypt the DynamoDB table?

134

A developer is configuring a load balancer in front of an EC2 instance running a web application. The application needs to authenticate users via an identity provider. Which AWS service should the developer use to handle authentication and authorization?

135

A company wants to encrypt data in transit between an EC2 instance and an S3 bucket. What should they do?

136

A developer is designing a microservices architecture where each service communicates over HTTPS. They need to ensure that only authorized services can invoke each other. Which TWO services can be used to manage authentication and authorization between services?

137

A developer is storing secrets such as database passwords. Which TWO AWS services can be used to securely store and retrieve secrets?

138

A company wants to ensure that only encrypted connections are used to access their S3 bucket. Which THREE methods can be used to enforce this?

139

Refer to the exhibit. An IAM policy is attached to a user. The user reports that they can access objects in the S3 bucket from their office IP address (192.0.2.15) but cannot access from home (203.0.113.5). What is the most likely reason?

140

Refer to the exhibit. An IAM role has the attached policy. A developer is writing an application that will upload objects to the S3 bucket using server-side encryption with AWS KMS (SSE-KMS). The application is failing with an Access Denied error when trying to upload. What is the missing permission?

141

Refer to the exhibit. A developer is trying to query a DynamoDB table from a Lambda function that uses an execution role named MyRole. The Lambda function is failing with the error shown. Which step should the developer take to resolve this?

142

A developer is creating an IAM policy to allow an EC2 instance to access an S3 bucket. Which AWS service should the developer use to securely provide credentials to the EC2 instance?

143

A company uses AWS KMS to encrypt data at rest in S3. The security team wants to audit all use of the KMS key, including decryption operations. What should the developer enable?

144

A developer is building a serverless application with AWS Lambda that needs to read from an Amazon DynamoDB table. The Lambda function is in a VPC. What is the MOST secure way to grant the Lambda function access to DynamoDB?

145

A developer needs to allow an IAM user to temporarily access an AWS account for 12 hours. The developer must not create long-term credentials. What should the developer use?

146

A company is using AWS CodePipeline to deploy a web application. The pipeline must securely store and use database credentials. Which AWS service should the developer use to store the credentials and retrieve them during deployment?

147

A developer is deploying an application on EC2 that must access an S3 bucket. The developer wants to avoid hard-coding credentials. What is the MOST secure way to grant access?

148

A developer needs to encrypt data in an S3 bucket. The company requires that the encryption key be managed by AWS but with the ability to audit key usage. Which S3 encryption option should the developer use?

149

A developer is using Amazon API Gateway with a Lambda authorizer to secure a REST API. The developer wants to pass user context from the authorizer to the backend Lambda function. How should the developer accomplish this?

150

A company has a multi-account architecture using AWS Organizations. The security team wants to centrally manage IAM policies that apply to all accounts. Which AWS feature should the developer use?

151

A developer is implementing a solution to encrypt data in transit for a web application running on an Application Load Balancer (ALB). Which TWO actions should the developer take?

152

A developer wants to ensure that an S3 bucket is not publicly accessible. Which TWO measures should the developer implement?

153

A developer is designing a CI/CD pipeline using AWS CodePipeline. The pipeline must deploy to multiple AWS accounts. Which THREE components are required to securely deploy across accounts?

154

The exhibit shows an S3 bucket policy. If an IAM user in the same AWS account attempts to download an object from the bucket from IP address 203.0.113.5, what will happen?

155

A developer ran the AWS CLI command shown in the exhibit. What is the most likely cause of the error?

156

The exhibit shows an IAM policy attached to a Lambda function's execution role. When the Lambda function tries to decrypt data using the KMS key, it receives an access denied error. What is the most likely cause?

157

A developer needs to allow an EC2 instance to read objects from a specific S3 bucket. Which is the MOST secure way to grant permissions?

158

A company wants to allow cross-account access to a DynamoDB table. They set up an IAM role in Account A (table owner) and allow Account B's users to assume the role. Which additional step is required?

159

A developer is encrypting an S3 bucket using server-side encryption with AWS KMS (SSE-KMS). What is a benefit of using SSE-KMS over SSE-S3?

160

A developer set up a Lambda function that reads from an SQS queue and processes messages. The function sometimes times out. How can the developer improve security while minimizing execution time?

161

An application uses a custom KMS key to encrypt data. The application runs on an EC2 instance. To decrypt data, the application must call KMS. What is the BEST practice to securely provide the KMS key ID to the application?

162

A developer wants to ensure that an S3 bucket only allows HTTPS requests. What S3 bucket policy condition should be used?

163

A developer is deploying an application with AWS CodeDeploy. The application needs to access a database password. Which service should be used to securely store and retrieve the password?

164

A company uses AWS KMS with imported key material. The key material is expired. What must the developer do to continue using the KMS key?

165

A developer needs to grant least-privilege access to a Lambda function to write logs to CloudWatch Logs. Which IAM policy effect should be used?

166

Which TWO actions are recommended to secure an S3 bucket? (Choose 2)

167

Which THREE are valid methods to authenticate to AWS APIs? (Choose 3)

168

Which TWO are features of AWS Identity and Access Management (IAM)? (Choose 2)

169

A developer attached the above IAM policy to an IAM user. The user is trying to get an object from the bucket 'example-bucket' from an on-premises machine with public IP 203.0.113.5. What will happen?

170

A developer runs the above command and gets the output shown. What is the developer verifying?

171

A developer attaches the above S3 bucket policy to my-bucket. A user tries to upload an object using HTTP (not HTTPS). What will happen?

172

A developer is troubleshooting an S3 bucket policy that is denying all access. The policy has an explicit Deny for s3:PutObject. What is the most likely reason for the denial even though an Allow exists?

173

A company wants to securely store database credentials for a Lambda function. Which AWS service should be used?

174

A developer is designing a multi-tier application. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier. Which security group configuration meets these requirements?

175

A developer needs to grant an IAM user access to an S3 bucket owned by another AWS account. Which method should be used?

176

A company uses AWS KMS to encrypt data at rest. A developer wants to allow a Lambda function to decrypt data using a KMS key. What are the minimum permissions required?

177

A developer is using an S3 bucket to store sensitive files. The bucket policy includes a condition that requires TLS for all requests. A user reports that they can access the bucket via the AWS Management Console but not via an application using HTTP. What is the likely issue?

178

A developer needs to allow an EC2 instance to access an S3 bucket without storing credentials on the instance. Which approach is the most secure?

179

A company is using AWS CloudTrail to monitor API activity. A developer notices that some actions are not logged. What is a possible reason?

180

A developer is building a serverless application using API Gateway and Lambda. The API must be accessed only by authenticated users from a specific AWS Cognito User Pool. Which method should be used?

181

A developer wants to encrypt data in an S3 bucket using server-side encryption with AWS KMS (SSE-KMS). Which TWO steps are required?

182

A company has an IAM policy that allows s3:GetObject for all users in the account. However, a specific user is receiving access denied errors. Which TWO possible causes should the developer investigate?

183

A developer is tasked with securing a legacy application that stores secrets in environment variables. Which THREE AWS services can be used to improve the security posture?

184

A developer attaches this IAM policy to an IAM user. The user is trying to access an object in example-bucket from an IP address 203.0.113.5. What will happen?

185

A developer runs the AWS CLI command to decrypt a file using a KMS key. What is the most likely cause of the error?

186

A developer attaches this IAM policy. What happens when the developer attempts to launch a t2.micro instance?

187

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be rotated automatically every 12 months. Which type of KMS key should be used?

188

A developer is creating an IAM policy for an Amazon S3 bucket that must allow read access to a specific object only. Which policy element should be used to restrict access to the object?

189

A developer is troubleshooting access to an Amazon S3 bucket. The bucket policy allows access to the developer's IAM role, but the developer receives an Access Denied error when trying to upload objects. The developer is using an IAM user with access keys for API calls. What is the most likely cause?

190

A company uses AWS Secrets Manager to store database credentials. The application runs on Amazon EC2 instances with an IAM role attached. How should the application retrieve the secret securely?

191

A developer needs to allow an Amazon EC2 instance to send messages to an Amazon SQS queue. What is the most secure way to grant this access?

192

A developer is using AWS Lambda to process files uploaded to an S3 bucket. The Lambda function needs to write logs to CloudWatch Logs. Which of the following is required to allow this?

193

A company wants to encrypt data in transit between an on-premises application and an Amazon RDS instance. Which of the following should be implemented?

194

A developer is building a serverless application using AWS Lambda and Amazon API Gateway. The developer wants to restrict access to the API so that only authenticated users can invoke it. Which API Gateway feature should be used?

195

A developer is deploying a web application on Amazon ECS with a Fargate launch type. The application needs to securely access an Amazon DynamoDB table. How should the developer grant permissions?

196

A company is designing a secure CI/CD pipeline using AWS CodePipeline and AWS CodeBuild. The pipeline must securely store and access sensitive parameters (e.g., API keys) used during the build. Which TWO services can be used to securely store and retrieve these parameters?

197

A developer is creating an IAM policy to allow access to an Amazon DynamoDB table. The policy must allow the user to read and write items, but not to delete the table or modify its schema. Which TWO DynamoDB actions should be included in the policy?

198

A developer needs to encrypt data at rest in an Amazon S3 bucket. Which THREE options are available for server-side encryption?

199

A developer attached the IAM policy above to an IAM user. What is the effect when the user tries to download an object from the 'confidential' folder in 'example-bucket'?

200

A developer attached the managed policy above to an IAM role used by an application. The application tries to decrypt data using a KMS key that has an encryption context of {"department": "finance"}. However, the request fails with access denied. What is the most likely reason?

201

The above resource-based policy is attached to an SQS queue. An application running on an EC2 instance with the IAM role 'AppRole' tries to send a message to the queue but receives an access denied error. What is the most likely cause?

202

A company is using AWS Secrets Manager to rotate database credentials automatically. The rotation Lambda function fails with a timeout error after 30 seconds. The developer checked the Lambda logs and saw that the function is making network calls to the database but never receives a response. What is the MOST likely cause?

203

A developer wants to grant an IAM user permissions to list all S3 buckets in the account, but deny access to a specific bucket named 'confidential-data'. Which IAM policy should be attached?

204

A company uses AWS KMS to encrypt data at rest in S3. The security team requires that all encryption keys be rotated automatically every year. Which solution meets this requirement with the LEAST operational overhead?

205

A developer is deploying a web application on EC2 instances behind an Application Load Balancer. The application needs to authenticate users via a third-party identity provider (IdP) that supports OpenID Connect (OIDC). The developer wants to offload authentication to the ALB. Which configuration is required?

206

A company wants to store sensitive data in S3. The data must be encrypted at rest using server-side encryption with a key that is automatically rotated annually. Which S3 encryption option should be used?

207

A developer is building a serverless application using API Gateway and Lambda. The API must be accessible only from a specific VPC. How can the developer achieve this?

208

A company uses IAM roles to grant permissions to EC2 instances. The security team notices that an instance is using a role that has administrator privileges, which is a security risk. What is the BEST way to restrict the instance's permissions without disrupting the application?

209

A developer needs to grant an IAM user the ability to create and manage CloudFormation stacks. Which IAM policy action should be allowed?

210

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all S3 buckets across all accounts are encrypted with SSE-S3. What is the MOST effective way to enforce this?

211

A developer is using AWS KMS to encrypt data. Which of the following are true about customer master keys (CMKs)? (Choose TWO.)

212

A company is deploying a web application on EC2 instances behind an ALB. The application needs to authenticate users using a corporate identity provider that supports SAML 2.0. Which of the following are required to configure this? (Choose THREE.)

213

A developer needs to securely store database credentials and retrieve them programmatically from a Lambda function. Which AWS services can be used for this purpose? (Choose TWO.)

214

Refer to the exhibit. A developer attached this bucket policy to an S3 bucket named 'my-bucket'. The IAM role 'AppRole' is used by an application running on EC2 instances with an IP address of 192.0.2.10. The application tries to upload an object to 'my-bucket/confidential/report.pdf'. Will the upload succeed?

215

Refer to the exhibit. A developer ran the above commands to inspect a KMS key. What can be determined about this key?

216

Refer to the exhibit. An IAM policy is attached to an IAM user. The user tries to download an object from 'example-bucket' from an IP address of 10.0.1.5. Will the download succeed?

217

A company is using AWS Lambda to process sensitive data. The Lambda function needs to access an S3 bucket in the same account. What is the BEST practice for granting permissions?

218

A developer is troubleshooting an application that uses an IAM role to access DynamoDB. The application is running on an EC2 instance and intermittently fails with an AccessDenied error. The IAM role has the following policy attached. What is the MOST likely cause?

219

A developer needs to securely store database credentials for a serverless application. Which service should be used?

220

A company's S3 bucket contains sensitive data. The security team requires that all data be encrypted at rest. Which combination of actions will enforce encryption for all objects written to the bucket?

221

A developer is deploying an application on EC2 instances behind an Application Load Balancer (ALB). The application must authenticate users using an identity provider (IdP) that supports OpenID Connect (OIDC). What is the MOST secure way to offload authentication to the ALB?

222

A developer needs to grant an IAM user the ability to create and manage EC2 instances, but only in the us-east-1 region. Which IAM policy statement should be used?

223

A company is using AWS Key Management Service (KMS) to encrypt data in S3. The security team wants to ensure that only the company's AWS account can access the KMS key. What should be done?

224

A developer is building a serverless application using AWS Lambda and API Gateway. The API should be accessible only from a specific VPC. What is the MOST secure way to achieve this?

225

A developer wants to allow an IAM user to rotate their own access keys. Which IAM policy action should be included?

226

A company is using AWS CloudTrail to monitor API activity. Which TWO actions are required to ensure the integrity and security of the log files?

227

A developer is designing a system that stores sensitive user data in DynamoDB. The data must be encrypted at rest and in transit. Which THREE actions should the developer take?

228

A developer is using IAM roles to grant permissions to an EC2 instance. Which TWO statements are true about IAM roles for EC2?

229

A company runs a web application on EC2 instances in an Auto Scaling group. The application uses an IAM role to access an S3 bucket that stores user uploads. Recently, the security team discovered that some uploaded files contain malicious content. The team wants to implement a solution that automatically scans new objects for malware and blocks access if threats are detected. The solution must be cost-effective and minimize latency for legitimate uploads. The developer is tasked with designing this solution. Which approach should the developer take?

230

A developer is building a mobile application that uses Amazon Cognito User Pools for authentication. The app needs to access a REST API hosted on AWS. The developer wants to use Cognito to authorize API requests. The API Gateway is configured with a Cognito User Pool authorizer. However, when testing, the API returns a 401 Unauthorized error even though the user is authenticated. The developer verified that the user exists in the user pool and the ID token is valid. What is the MOST likely cause and solution?

231

A company has an S3 bucket that contains sensitive financial data. The security team requires that all access to the bucket be logged for audit purposes. The developer needs to enable logging that captures who accessed the bucket, the actions performed, and the source IP addresses. The logs must be stored in a separate bucket for security. Which solution meets these requirements?

232

A company stores sensitive data in an S3 bucket that must be encrypted at rest. The security team requires that all objects uploaded to the bucket are automatically encrypted using server-side encryption with AWS KMS (SSE-KMS). A developer uploads an object without specifying any encryption header. The upload succeeds, but the object is not encrypted. What is the most likely cause?

233

A developer is configuring cross-account access to an S3 bucket. The bucket in Account A has a bucket policy granting access to an IAM role in Account B. The IAM role's trust policy allows the developer's IAM user in Account B to assume the role. When the developer tries to access the bucket from Account B using the assumed role, they receive an Access Denied error. Which additional step is required to resolve this?

234

A developer needs to allow an EC2 instance to access an S3 bucket securely without storing long-term credentials on the instance. Which AWS service should be used to provide temporary credentials?

235

A company's security policy requires that all data in transit between an Application Load Balancer (ALB) and its backend EC2 instances be encrypted. The ALB currently uses HTTPS listeners. What configuration ensures encryption between the ALB and targets?

236

Refer to the exhibit. An IAM policy attached to a user includes the above statement. The user uploads an object to the S3 bucket without specifying any encryption header. What is the outcome?

237

A developer is using AWS Lambda to process files uploaded to an S3 bucket. The Lambda function needs to read the files and write results to a DynamoDB table. What is the MOST secure way to grant the necessary permissions?

238

A developer needs to encrypt secrets (database passwords) that are used by an application running on EC2. The application retrieves the secrets at startup. Which combination of services provides the MOST secure and manageable solution?

239

A company has a VPC with public and private subnets. The private subnets contain Amazon RDS databases. Which TWO actions are required to secure the database instances?

240

A developer is designing a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application requires that only authenticated users can invoke the API, and the data must be encrypted at rest. Which THREE steps should the developer take?

241

A developer is using AWS KMS to encrypt data. Which TWO are valid operations that can be performed using KMS?

242

A company wants to audit access to their S3 buckets. Which TWO services can be used to log and monitor S3 API calls?

243

A developer is deploying an application on EC2 that must access an S3 bucket and an SQS queue. The developer wants to follow the principle of least privilege. Which THREE steps should be taken?

244

A company runs a web application on EC2 instances behind an Application Load Balancer. The security team discovers that the application is vulnerable to SQL injection attacks. The team wants to implement a web application firewall (WAF) to block these attacks. The architecture includes an ALB, EC2 instances in an Auto Scaling group, and an RDS database. The ALB currently has a listener on port 443 with an SSL certificate. The developer must integrate AWS WAF with minimal changes to the existing infrastructure. Which action should the developer take?

245

A developer is managing an application that uses Amazon S3 to store user-uploaded images. The application generates thumbnails using AWS Lambda and stores them in a separate S3 bucket. The security team requires that all objects in both buckets be encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). The developer has configured the Lambda function to use an IAM role with permissions to call KMS Encrypt and Decrypt. However, when a user uploads an image, the Lambda function fails to write the thumbnail with an 'Access Denied' error. The upload bucket has default encryption set to SSE-KMS. What is the MOST likely cause of the failure?

246

A developer needs to share an S3 bucket with a third-party AWS account. The third party will upload files to the bucket using their own IAM users. The developer creates a bucket policy that grants s3:PutObject to the third-party account's root user. However, the third party reports that their IAM users cannot upload files. What is the MOST likely reason?

247

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets across all accounts have server-side encryption enabled. They have created an SCP that denies the s3:PutBucketAcl action unless the request includes the x-amz-server-side-encryption header. However, some application teams report that they cannot create buckets even when they include the required header. What is the MOST likely cause of this issue?

248

A developer is deploying a serverless application using AWS Lambda and API Gateway. The application needs to authenticate users via a third-party OIDC provider. The developer wants to minimize latency and avoid managing sessions. What is the BEST approach to achieve this?

249

A company stores sensitive data in an S3 bucket that must be encrypted at rest. The security team requires that the encryption keys be rotated every 90 days and that access to the keys be auditable. Which solution meets these requirements with the LEAST operational overhead?

250

A developer is building a web application that stores user session data in an ElastiCache Redis cluster. The cluster is in a VPC and is not publicly accessible. The developer needs to ensure that data in transit is encrypted. What should the developer do?

251

A company has a DynamoDB table that stores personally identifiable information (PII). A developer needs to allow a Lambda function to read and write to this table. What is the MOST secure way to grant the Lambda function access?

252

A developer is creating a new IAM policy to allow users to list objects in a specific S3 bucket. The policy must follow the principle of least privilege. Which policy statement should the developer use?

253

A company uses AWS Secrets Manager to rotate database credentials. The rotation process uses a Lambda function that updates the secret. The developer notices that the rotation sometimes fails because the Lambda function does not have permission to update the secret. What is the MOST likely cause?

254

A developer is deploying an application on Amazon ECS with Fargate. The application needs to access an S3 bucket that contains sensitive data. The developer wants to avoid storing AWS credentials in the container image. What is the MOST secure way to grant the application access to the S3 bucket?

255

A developer needs to allow a user to deploy AWS CloudFormation stacks but restrict the user from creating or modifying IAM resources. Which IAM policy should the developer attach to the user?

256

A company has an S3 bucket that stores log files. The bucket policy grants the AWSServiceRoleForSSO service role write access. However, the logs are not being written. What is the MOST likely reason?

257

A developer is designing a system that uses AWS KMS to encrypt data. Which of the following are valid ways to grant a user permission to decrypt data using a KMS key? (Select TWO.)

258

A company wants to encrypt data at rest in an Amazon RDS for MySQL DB instance. Which of the following are true about RDS encryption? (Select THREE.)

259

A company hosts a web application on EC2 instances behind an Application Load Balancer. The application stores sensitive user data in an S3 bucket. A security audit reveals that the S3 bucket policy allows access from any AWS account. Which combination of actions should be taken to secure the bucket?

260

A developer is configuring cross-account access for an S3 bucket. The source account (111111111111) wants to allow the target account (222222222222) to write objects to the bucket. The developer attaches the following bucket policy. However, the write operation fails with AccessDenied. What is the most likely cause?

261

A developer wants to securely store database credentials used by a Lambda function. The credentials should be automatically rotated every 90 days. Which service should be used?

262

A company has an S3 bucket that stores sensitive customer data. The security team requires that all data be encrypted at rest using server-side encryption with AWS KMS. Additionally, they want to enforce that objects are not uploaded without encryption. Which bucket policy should be used?

263

A Lambda function needs to read from a DynamoDB table and send messages to an SQS queue. The function's IAM role should follow the principle of least privilege. Which policy statement should be attached to the role?

264

A developer is using the AWS CLI to upload a file to an S3 bucket with server-side encryption. The bucket is configured with default encryption (SSE-S3). The developer wants to ensure the object is encrypted with SSE-KMS instead. What should the developer do?

265

An application running on an EC2 instance needs to access a DynamoDB table. The instance is in a private subnet without internet access. Which method should be used to grant the instance access to DynamoDB securely?

266

A company uses AWS KMS to encrypt data in S3. The security team wants to ensure that all KMS keys are rotated every year. Which action should be taken?

267

A developer needs to allow an IAM user to perform only specific actions on an S3 bucket. Which type of policy should be attached to the IAM user?

268

A company wants to audit all API calls made in their AWS account for security analysis. Which TWO services should be used together to achieve this?

269

A developer is designing a serverless application using AWS Lambda and API Gateway. The application needs to authenticate users via a third-party identity provider (IdP). Which TWO services can be used to manage user authentication?

270

A company stores sensitive data in an S3 bucket. The security team requires that all data be encrypted at rest and in transit. Which THREE measures should be implemented?

271

A developer is troubleshooting an AccessDenied error when a Lambda function tries to write to CloudWatch Logs. The function's IAM role includes the following policy. Which TWO missing permissions are causing the error? (Choose TWO.)

272

A company wants to enforce multi-factor authentication (MFA) for all IAM users accessing the AWS Management Console. Which THREE actions are required?

273

A company runs a containerized application on Amazon ECS using Fargate. The application needs to access an S3 bucket to read configuration files and a DynamoDB table to store session state. The ECS task role is configured with the following IAM policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "dynamodb:PutItem", "dynamodb:GetItem" ], "Resource": "*" } ] } The application fails to read from the S3 bucket and write to DynamoDB. The error messages indicate AccessDenied. The S3 bucket has a bucket policy that denies all access unless the request includes a specific aws:SourceIp condition. The DynamoDB table has a resource-based policy that allows access only from the VPC endpoint. The ECS tasks are running in a private subnet with a VPC endpoint for DynamoDB but no VPC endpoint for S3. Which action should be taken to resolve the errors?

274

A company is using AWS Secrets Manager to rotate database credentials automatically. The rotation Lambda function fails with a timeout. Which action should be taken to resolve this issue?

275

A developer needs to grant an IAM user read-only access to an S3 bucket named 'my-bucket'. Which IAM policy statement should be attached?

276

A developer is using AWS KMS to encrypt data in an S3 bucket. The developer wants to ensure that the S3 bucket uses server-side encryption with AWS KMS managed keys (SSE-KMS) by default. Which configuration should be applied?

277

A company uses AWS IAM roles to grant permissions to EC2 instances. An application running on an instance fails to access an S3 bucket. The IAM role has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}. What is the likely cause?

278

A developer wants to securely store database credentials for a Lambda function. Which AWS service should be used?

279

A company uses AWS CloudTrail to log all API calls. The security team wants to be notified immediately when an IAM user creates a new access key. Which solution is most efficient?

280

A developer needs to allow an EC2 instance to read from a DynamoDB table. Which is the best practice to grant permissions?

281

A developer is building a web application that must encrypt data in transit between the client and the server. Which AWS service should be used to offload SSL/TLS termination?

282

A company has an S3 bucket that contains sensitive data. The security team requires that all objects uploaded to the bucket must be encrypted at rest using AWS KMS. Which combination of actions will enforce this?

283

A developer is configuring a Lambda function to access a DynamoDB table in a VPC. Which TWO steps are required to ensure the Lambda function can securely access DynamoDB? (Select TWO.)

284

A security audit reveals that an S3 bucket is publicly accessible. The bucket policy is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}. Which TWO actions should be taken to remediate this issue? (Select TWO.)
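Worked check for the audit stem above, added here as an illustration and not code from Courseiva or AWS: a small Python audit that flags bucket-policy statements granting access to a wildcard principal, produces a remediated copy scoped to a single role, and lists the S3 Block Public Access settings that should accompany the policy fix. The role ARN, account ID and VPC endpoint ID are made up, and NON_PUBLIC_KEYS is a subset of the condition keys S3 recognises when deciding whether a grant counts as public.

```python
"""Audit a bucket policy for public grants; added illustration, not AWS code.
Applies the rule S3 Block Public Access uses: an Allow to a wildcard principal
is public unless a condition pins the caller down with one of a documented set
of keys (a subset of that set is listed below)."""
import copy

# Subset of the condition keys S3 treats as making a wildcard grant non-public.
# Simplification: any aws:SourceIp range is accepted here; S3 itself still
# counts an overly broad CIDR as public.
NON_PUBLIC_KEYS = {"aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:PrincipalArn",
                   "aws:SourceVpc", "aws:SourceVpce", "aws:SourceIp"}

# Block Public Access settings to apply alongside the policy fix (API field names).
BLOCK_PUBLIC_ACCESS = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                       "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public(statement):
    principal = statement.get("Principal")
    wildcard = principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
    condition_keys = {k for pairs in statement.get("Condition", {}).values() for k in pairs}
    return statement["Effect"] == "Allow" and wildcard and not (condition_keys & NON_PUBLIC_KEYS)


def public_statements(policy):
    """Return the Sid (or index, when there is no Sid) of every public grant."""
    return [st.get("Sid", i) for i, st in enumerate(_as_list(policy["Statement"])) if _is_public(st)]


def harden(policy, principal_arn):
    """Return a copy of `policy` with each public grant re-scoped to `principal_arn`."""
    fixed = copy.deepcopy(policy)
    for st in _as_list(fixed["Statement"]):
        if _is_public(st):
            st["Principal"] = {"AWS": principal_arn}
    return fixed


# The bucket policy quoted in the audit stem above.
FLAGGED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-bucket/*"}]}

# Constructed variant: the same grant, reachable only through one VPC endpoint,
# which S3 does not count as public. The endpoint ID is made up.
VPCE_POLICY = copy.deepcopy(FLAGGED_POLICY)
VPCE_POLICY["Statement"][0]["Condition"] = {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}

# Remediated copy scoped to a single (made-up) application role.
HARDENED_POLICY = harden(FLAGGED_POLICY, "arn:aws:iam::123456789012:role/app-reader")
```

Fixing the policy on its own leaves the bucket one careless PutBucketPolicy or PutObjectAcl away from being public again. Turning on all four Block Public Access settings closes that gap: BlockPublicPolicy rejects a public policy at write time, and RestrictPublicBuckets cuts anonymous and cross-account callers off from a public policy that is already in place.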

285

A developer is creating an IAM policy for a Lambda function that needs to read from an SQS queue and write to a DynamoDB table. Which THREE permissions are required? (Select THREE.)

286

Given the IAM policy above, what is the effective permission for an IAM user?

287

Based on the CloudTrail log entry, which security concern should be investigated?

288

What is required for the Lambda function to access the code in the S3 bucket?

289

A developer is configuring an S3 bucket to host a static website. The bucket policy allows public read access. However, users receive a 403 Forbidden error when accessing the website. What is the most likely cause?

290

A developer needs to grant a Lambda function read-only access to an S3 bucket. Which IAM entity should be used to attach the permissions?

291

An application running on an EC2 instance needs to access a DynamoDB table. The instance is in a private subnet. What is the most secure way to grant access without using long-lived credentials?

292

A company uses AWS KMS to encrypt S3 objects. A developer needs to allow an IAM user to decrypt objects but not encrypt them. Which IAM policy action should be allowed?

293

A developer is using AWS Secrets Manager to rotate database credentials automatically. The rotation fails with the error 'The secret value is not valid JSON.' What is the most likely cause?
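The rotation error in the stem above usually points at the shape of the stored secret rather than at the database. The check below, added here as an illustration and not code from Courseiva or AWS, validates a SecretString against the key layout the AWS-provided RDS rotation templates read: engine, host, username and password are required, dbname and port optional (assumption: the single-user MySQL/PostgreSQL templates). The sample secret strings are constructed and the host name and password are made up.

```python
"""Check that a Secrets Manager SecretString has the layout the AWS-provided
RDS rotation templates read; added illustration, not AWS code.
A bare password or other non-JSON text fails rotation with "The secret value
is not valid JSON"; a JSON object that lacks the keys the template
dereferences fails one step later, inside the rotation function."""
import json

# Required keys of the single-user RDS rotation templates (assumption stated in
# the lead-in); dbname and port are optional and default inside the template.
REQUIRED_KEYS = {"engine", "host", "username", "password"}


def check_secret(secret_string):
    """Return the problems found; an empty list means the secret is rotation-ready."""
    try:
        secret = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON ({exc.msg}); store key/value pairs, not a bare password"]
    if not isinstance(secret, dict):
        return ["JSON must be an object of key/value pairs, not a bare value"]
    problems = [f"missing key: {key}" for key in sorted(REQUIRED_KEYS - secret.keys())]
    if "port" in secret and not str(secret["port"]).isdigit():
        problems.append("port must be an integer or numeric string")
    return problems


# Constructed sample secret strings (not real credentials).
SAMPLES = {
    "bare_password": "P@ssw0rd!",                 # a hand-pasted plaintext secret
    "quoted_password": json.dumps("P@ssw0rd!"),   # valid JSON, but not an object
    "missing_engine": json.dumps({"host": "db.internal", "username": "app",
                                  "password": "P@ssw0rd!"}),
    "bad_port": json.dumps({"engine": "mysql", "host": "db.internal", "username": "app",
                            "password": "P@ssw0rd!", "port": "3306/tcp"}),
    "good": json.dumps({"engine": "mysql", "host": "db.internal", "username": "app",
                        "password": "P@ssw0rd!", "dbname": "orders", "port": "3306"}),
}


def check_samples():
    """Run every constructed sample through check_secret."""
    return {name: check_secret(value) for name, value in SAMPLES.items()}
```

Run this against the output of GetSecretValue before enabling rotation on a secret that was created by hand; the console's "Other type of secret" path stores whatever text it is given, so a pasted password is the common way to end up with a non-JSON SecretString.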

294

A developer needs to enforce encryption in transit for all traffic between an application and an RDS database. Which configuration should be used?

295

A developer has an IAM policy that allows 's3:GetObject' for a specific S3 bucket. However, when the developer tries to download an object using the AWS CLI, access is denied. What could be the issue?

296

A developer wants to securely store API keys for a third-party service and retrieve them at runtime in a Lambda function. Which AWS service should be used?

297

A company's S3 bucket policy includes a condition that uses 'aws:SourceIp' to restrict access to a specific IP range. However, requests from that IP range are still denied. What is a possible reason?
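Several stems above turn on the same evaluation rules: the EC2 role whose s3:GetObject grant on my-bucket/* still yields AccessDenied, the bucket that must refuse uploads not encrypted with SSE-KMS, the CLI download that is denied despite an s3:GetObject allow, and the aws:SourceIp restriction that denies requests from the permitted range. The evaluator below, written for this page as an illustration (not Courseiva or AWS code, and far short of the real IAM engine), applies the documented same-account ordering and condition-key rules to those cases. The application-role policy, both bucket policies, the object keys, IP ranges and VPC endpoint ID are constructed; the instance-role policy is the one quoted in the EC2 stem.

```python
"""Minimal same-account IAM/S3 policy evaluator; added illustration, not AWS code.
A matching Deny wins, otherwise a matching Allow is required, otherwise the
request is implicitly denied. Principal is ignored (same-account caller), and
only the condition operators used below are implemented."""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, ignore_case=False):
    # IAM '*' matches any run of characters (including '/'), '?' one character.
    if ignore_case:  # action names are case-insensitive, ARNs are not
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_matches(condition, ctx):
    """IAM rule: a positive operator is false when its key is absent from the
    request context, a negated (...Not...) operator is true, and Null tests presence."""
    for operator, pairs in condition.items():
        negated = "Not" in operator
        for key, expected in pairs.items():
            expected = [str(v) for v in _as_list(expected)]
            actual = ctx.get(key)
            if operator == "Null":
                if (actual is None) != (expected[0].lower() == "true"):
                    return False
            elif actual is None:
                if not negated:
                    return False
            else:
                if operator in ("StringEquals", "StringNotEquals"):
                    hit = actual in expected
                elif operator in ("IpAddress", "NotIpAddress"):
                    ip = ipaddress.ip_address(actual)
                    hit = any(ip in ipaddress.ip_network(c, strict=False) for c in expected)
                else:
                    raise NotImplementedError(operator)
                if hit == negated:  # a positive operator needs a hit, a negated one a miss
                    return False
    return True


def evaluate(policies, action, resource, ctx=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request, given
    every document that applies to it (identity policy plus bucket policy)."""
    ctx, allowed = ctx or {}, False
    for statement in (s for doc in policies for s in _as_list(doc["Statement"])):
        if (any(_match(a, action, True) for a in _as_list(statement["Action"]))
                and any(_match(r, resource) for r in _as_list(statement["Resource"]))
                and _condition_matches(statement.get("Condition", {}), ctx)):
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


OBJECTS = "arn:aws:s3:::my-bucket/*"
# "Version" is omitted from the documents below; the evaluator never reads it.
# Instance-role policy quoted in the EC2 stem above.
INSTANCE_ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": OBJECTS}]}
# Constructed application-role policy (not from the page).
APP_ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": OBJECTS}]}
# Constructed bucket policy refusing non-SSE-KMS uploads; the Null statement is the
# belt-and-braces form for a request that omits the encryption header entirely.
REQUIRE_KMS_BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": OBJECTS,
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": OBJECTS,
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}
# Constructed bucket policy of the "deny unless aws:SourceIp matches" shape.
SOURCE_IP_BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": ["arn:aws:s3:::my-bucket", OBJECTS],
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}


def ec2_role_results():
    """Object reads pass; s3:ListBucket targets the bucket ARN, which 'my-bucket/*' never matches."""
    return {"get_object": evaluate([INSTANCE_ROLE_POLICY], "s3:GetObject", "arn:aws:s3:::my-bucket/app.conf"),
            "list_bucket": evaluate([INSTANCE_ROLE_POLICY], "s3:ListBucket", "arn:aws:s3:::my-bucket")}


def encryption_results():
    """Only an upload carrying x-amz-server-side-encryption: aws:kms gets through."""
    policies, obj = [APP_ROLE_POLICY, REQUIRE_KMS_BUCKET_POLICY], "arn:aws:s3:::my-bucket/report.csv"
    return {name: evaluate(policies, "s3:PutObject", obj, ctx) for name, ctx in (
        ("kms", {"s3:x-amz-server-side-encryption": "aws:kms"}),
        ("aes256", {"s3:x-amz-server-side-encryption": "AES256"}),
        ("no_header", {}))}


def source_ip_results():
    """A request via a gateway endpoint carries aws:SourceVpce but no aws:SourceIp, so
    the negated condition matches and the deny fires even from inside the VPC."""
    policies, obj = [APP_ROLE_POLICY, SOURCE_IP_BUCKET_POLICY], "arn:aws:s3:::my-bucket/app.conf"
    return {name: evaluate(policies, "s3:GetObject", obj, ctx) for name, ctx in (
        ("office", {"aws:SourceIp": "203.0.113.25"}),
        ("elsewhere", {"aws:SourceIp": "198.51.100.9"}),
        ("vpc_endpoint", {"aws:SourceVpce": "vpce-0123456789abcdef0"}))}  # constructed endpoint id
```

Two things the run makes concrete. A grant on the object ARN pattern does not cover s3:ListBucket, which IAM evaluates against the bucket ARN, so an SDK or CLI call that lists before it downloads fails even though GetObject is allowed. And a request that reaches S3 through a gateway endpoint has no aws:SourceIp in its context, so a NotIpAddress deny matches it regardless of the caller's address; aws:SourceVpce (or aws:VpcSourceIp) is the condition key that fits endpoint traffic.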

298

A developer is designing a system that must meet PCI DSS compliance. Which THREE AWS services can help with logging and monitoring security events?

299

Which TWO actions should a developer take to securely manage database credentials in a serverless application?

300

Which THREE practices help protect data at rest in Amazon S3?


Frequently asked questions

What does the Security domain cover on the DVA-C02 exam?

The Security domain covers the key concepts tested in this area of the DVA-C02 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all DVA-C02 domains — no account required.

How many Security questions are in the DVA-C02 question bank?

The Courseiva DVA-C02 question bank contains 429 questions in the Security domain; this page lists 300 of them. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security for DVA-C02?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security questions for DVA-C02?

Yes — the session launcher on this page draws questions exclusively from the Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
