Practice DVA-C02 Security questions with full explanations on every answer.
1. A developer has an AWS Lambda function that needs to read objects from an S3 bucket in another account. The Lambda function's execution role includes an IAM policy that allows s3:GetObject on the bucket. The bucket owner has added a bucket policy that grants s3:GetObject to the Lambda execution role. However, the Lambda function receives Access Denied errors. The S3 bucket uses SSE-KMS for encryption. What is the most likely cause?
2. A company has multiple AWS accounts managed under AWS Organizations. The security team requires that all Amazon S3 buckets with bucket names containing 'logs' must be encrypted with a specific KMS key (key ID: alias/logs-key) at rest. A developer must enforce this using an SCP (Service Control Policy). Which SCP effect and condition key should be used to deny any PutObject request that does not use the required KMS key?
3. A developer needs to grant a user in another AWS account (Account B) read-only access to objects in an Amazon S3 bucket owned by Account A. The developer has already added a bucket policy that grants s3:GetObject access to the IAM user in Account B. However, the user in Account B still gets Access Denied when trying to read objects. What additional configuration is required?
4. A developer needs to ensure that every cryptographic operation performed on an AWS KMS customer master key (CMK) used for server-side encryption in Amazon S3 is recorded in AWS CloudTrail for auditing. The developer has already enabled CloudTrail and is logging management events. However, the security team wants to see all calls to the KMS Decrypt and Encrypt APIs for this specific key. What must the developer do?
5. A developer is building a mobile application that uses Amazon Cognito for user authentication. After a user signs in, the application needs to access an Amazon DynamoDB table. The developer has set up an identity pool with an authenticated role. The IAM role attached to the authenticated identity has a policy allowing the required DynamoDB actions. However, users report that they cannot perform DynamoDB operations. What is the MOST likely cause of this issue?
6. A company uses a customer managed AWS KMS key to encrypt sensitive data stored in DynamoDB. A Lambda function reads from the DynamoDB table and needs to decrypt the data. The Lambda function's execution role has an IAM policy that allows kms:Decrypt on the key. However, access is denied. What must the developer add to the KMS key policy to resolve the issue?
7. A company has an AWS Lambda function that processes sensitive financial data. The function uses environment variables to store database connection strings. A security audit requires that all sensitive data be encrypted at rest and in transit. The developer must ensure that the environment variables are encrypted with a customer-managed key that is rotated quarterly. What should the developer do?
8. A company has an Amazon S3 bucket (Bucket-A) in Account A that contains sensitive data. A developer in Account B needs read-only access to objects in Bucket-A. The developer in Account A added a bucket policy granting s3:GetObject to the IAM user in Account B. However, the IAM user in Account B still receives Access Denied errors. What additional step is required?
9. A company uses an Amazon S3 bucket to store sensitive documents. The security team requires that all objects uploaded to the bucket must be encrypted at rest using server-side encryption with a customer-managed KMS key (SSE-KMS). A developer needs to enforce this by denying any PutObject request that does not specify the required encryption. Which bucket policy condition should be used?
10. A company stores sensitive data in Amazon S3. The security team requires that all objects are encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). The developer needs to enforce that any PutObject request that does not specify the 'x-amz-server-side-encryption' header with value 'aws:kms' is denied. Which S3 bucket policy condition should be used?
11. A developer in Account A has an Amazon S3 bucket that contains sensitive data. The developer wants to grant an IAM user in Account B read-only access to objects in the bucket. The developer has added a bucket policy in Account A that grants s3:GetObject access to the IAM user's ARN. However, the IAM user in Account B still receives Access Denied errors. What additional configuration is required?
12. A company runs an application on Amazon EC2 that needs to securely store database credentials. The security team requires that credentials be automatically rotated every 30 days to reduce the risk of compromise. The application must be able to retrieve the credentials at startup without storing them in code or configuration files. Which AWS service should the developer use?
13. A company wants to grant a third-party vendor access to an Amazon S3 bucket in the company's AWS account. The vendor has their own AWS account. The company requires the vendor to include a unique identifier in each request to verify their identity before granting access. Which policy element should the company include in the S3 bucket policy?
14. A company is developing a web application that runs on Amazon EC2 instances. The application needs to access an Amazon DynamoDB table to store and retrieve data. The security team requires that no IAM users or roles should be used; instead, the application must use temporary credentials that are automatically rotated. Which approach should the developer use to securely grant access to DynamoDB?
15. A company uses AWS Secrets Manager to store database credentials. The credentials must be automatically rotated every 30 days. The developer needs to configure rotation without exposing the secret to any IAM user directly. Which configuration steps should the developer take?
16. A developer needs to grant an IAM role in Account B read-only access to objects in an S3 bucket in Account A. The bucket is encrypted with server-side encryption using AWS KMS (SSE-KMS) with a customer managed key (CMK) in Account A. Which combination of policies is required for the cross-account access to succeed?
17. A developer is storing an API secret for a third-party service in AWS Secrets Manager. The secret needs to be accessed by an AWS Lambda function that runs in a VPC. The Lambda function must have the minimum required permissions. Which IAM policy statement should the developer attach to the Lambda execution role?
18. A developer is building an application that needs to read a secret API key from AWS Secrets Manager. The application runs on an EC2 instance that is part of an Auto Scaling group. The developer wants to ensure that only this application can retrieve the secret. Which set of steps should the developer take?
19. A developer is designing an application that will process credit card payments and store them temporarily in an Amazon DynamoDB table. The developer must ensure that the payment data is encrypted at rest and that the encryption key is managed by the company's security team using AWS KMS. Which type of encryption should the developer enable on the DynamoDB table?
20. A company uses AWS KMS customer master keys (CMKs) to encrypt sensitive data in Amazon S3. A compliance requirement mandates that the backing keys for the CMKs be automatically rotated every year. The developer must implement this with minimal operational overhead. Which solution meets the requirement?
21. A developer needs to grant read-only access to objects in an S3 bucket (in Account A) to an IAM role in Account B. The bucket uses server-side encryption with AWS KMS (SSE-KMS) using a customer managed key (CMK) in Account A. Which of the following is REQUIRED for the cross-account access to succeed?
22. A company manages multiple AWS accounts using AWS Organizations. A developer needs to allow an IAM role in the production account to read objects from an S3 bucket in the development account. The bucket is encrypted with an AWS KMS customer managed key (CMK) in the development account. Which of the following is required to enable this cross-account access?
23. A company stores sensitive documents in an Amazon S3 bucket. The security team requires that all objects uploaded must be encrypted at rest using a specific customer-managed AWS KMS key (key-id: 1234-5678). The developer must enforce this by denying any PutObject request that does not use the correct key. Which S3 bucket policy condition should be used?
24. A company uses AWS Organizations with multiple accounts. A developer needs to grant an IAM user in Account A (111111111111) read-only access to an S3 bucket in Account B (222222222222). The bucket is encrypted with SSE-S3. Which combination of policies is required for cross-account access?
25. A company has an S3 bucket that stores sensitive data. They want to ensure that any object uploaded to the bucket is automatically encrypted with server-side encryption using AWS KMS (SSE-KMS). They also want to deny any uploads that do not specify the correct encryption. Which bucket policy condition should be used to enforce this requirement?
26. A developer is deploying a containerized application on Amazon ECS with the Fargate launch type. The application needs to read data from an Amazon S3 bucket. The developer wants to follow the principle of least privilege. How should the developer grant the necessary permissions to the ECS tasks?
27. A company has an IAM policy that allows access to an S3 bucket only if the request comes from a specific VPC endpoint. The developer notices that requests from an EC2 instance in that VPC are being denied. What is the most likely cause?
28. A company uses AWS KMS to encrypt data at rest in S3. The security team requires that all objects uploaded to a specific S3 bucket must be encrypted with a specific KMS key (key ID: xyz). The developer needs to enforce this by denying any PutObject request that does not use the correct key. Which bucket policy condition should be used?
29. A company stores application logs in an Amazon S3 bucket. The security team requires that all objects uploaded to the bucket must be encrypted at rest using an AWS KMS key. The developer needs to enforce this by denying any PutObject request that does not use the required encryption. Which bucket policy condition should be used?
30. A company stores sensitive data in Amazon S3. A developer needs to implement a solution that automatically encrypts objects at rest using a key that is rotated annually. The developer must minimize operational overhead. Which solution meets these requirements?
31. A developer launches an Amazon EC2 instance that needs to read and write data to an Amazon DynamoDB table. The developer must follow the principle of least privilege and ensure that no long-term credentials are stored on the instance. Which approach should the developer use?
32. A company requires that all data in Amazon S3 be encrypted at rest using server-side encryption with a customer-managed KMS key. The developer needs to ensure that any object uploaded without the x-amz-server-side-encryption header set to aws:kms is denied. How can this be enforced?
33. A developer needs to allow users from another AWS account (account ID: 123456789012) to read objects in an S3 bucket owned by the developer's account. The developer wants to use a bucket policy and does not want to create IAM users in the other account. Which bucket policy statement achieves this securely?
34. A company wants to enforce that all uploads to an Amazon S3 bucket must be encrypted using server-side encryption. The developer needs to write an IAM policy condition that denies any s3:PutObject request that does not include the server-side encryption header. Which IAM condition key should be used?
35. A company runs an application on Amazon EC2 instances that need to read files from an Amazon S3 bucket. The developer must grant access to the S3 bucket without storing long-term credentials on the instances. Which approach should the developer use?
36. A company has an S3 bucket that stores sensitive data. The data is encrypted at rest using an AWS KMS customer managed key (CMK). The security team wants to ensure that only a specific IAM role in the same account can decrypt the objects. Which configuration should the developer implement?
37. A developer needs to grant an IAM user in the same AWS account access to a specific object in an S3 bucket. The bucket policy currently grants access only to the bucket owner (the root account). Which identity-based policy statement should the developer add to the IAM user's permissions?
38. A developer wants to enforce that all requests to an Amazon S3 bucket must use HTTPS (TLS). The bucket is used for static website hosting. Which bucket policy condition should be used to deny requests that do not use HTTPS?
39. A company wants to enforce that all uploads to an Amazon S3 bucket must be encrypted using server-side encryption with a specific AWS KMS customer managed key (CMK). The developer needs to write an IAM policy condition that denies any s3:PutObject request that does not use the specified KMS key. Which IAM condition key should be used?
40. A company has an Amazon S3 bucket that stores sensitive documents. The security team wants to ensure that all GET requests to the bucket are authenticated and that the requester does not have public access. Which combination of S3 features should the developer implement?
41. A developer needs to grant cross-account access to an Amazon S3 bucket. The developer's AWS account (Account A) owns the bucket, and a user in another account (Account B) needs to write objects to it. The developer has already added a bucket policy that grants the user in Account B permissions. What additional step is required?
42. A developer is deploying an application on Amazon EC2 instances that need to securely retrieve secrets from AWS Secrets Manager. What is the MOST secure way to provide the necessary permissions without hardcoding credentials?
43. A company requires that all objects uploaded to an Amazon S3 bucket are encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). The developer wants to enforce this with a bucket policy. Which condition key and value should be used in the policy to deny uploads that do not meet this requirement?
44. A company requires that all API calls to create an Amazon S3 bucket must include a specific tag (e.g., 'CostCenter'). Which IAM policy condition key should a developer use to enforce this requirement?
45. A company has an S3 bucket containing confidential data. The security team wants to ensure that the bucket is never publicly accessible, even if a bucket policy or ACL is incorrectly set to allow public access. Which S3 feature should the developer enable?
46. A company wants to store database credentials securely and rotate them automatically on a schedule. The credentials are used by an AWS Lambda function to access an Amazon RDS instance. Which AWS service should the developer use to meet these requirements?
47. A developer needs to grant an IAM role in the same AWS account read-only access to objects in a specific S3 bucket. The bucket is configured with a bucket policy that has an explicit Deny statement denying all principals except the root user. Which approach should the developer use to grant the required access?
48. A developer needs to grant temporary access to an Amazon S3 bucket for a user from a different AWS account. The developer wants to use the most secure method that does not require sharing long-term credentials. Which approach should the developer take?
49. A developer needs to allow an IAM user in a different AWS account to assume a role in the developer's account. The role has permissions to access an S3 bucket. Which policy is required in the developer's account to enable this cross-account access?
50. A developer runs an application on Amazon EC2 that needs to securely store database credentials (username and password). The security team requires that the credentials be automatically rotated every 30 days. Which AWS service should the developer use to store and automatically rotate the credentials?
51. A developer stores database credentials for an application running on Amazon EC2. The security team requires that the credentials be automatically rotated every 30 days to reduce the risk of compromise. Which AWS service should the developer use to store and automatically rotate the credentials?
52. A company wants to enforce multi-factor authentication (MFA) for all users accessing the AWS Management Console. The company has an existing IAM setup with users and groups. Which approach should the developer recommend to enforce MFA?
53. A company needs to grant another AWS account read-only access to an S3 bucket. The developer wants to use a bucket policy without requiring IAM users in the trusted account. Which resource-based policy statement should the developer add to the bucket?
54. A company runs an application on Amazon EC2 instances that need to read data from an Amazon DynamoDB table. The developer must grant access to DynamoDB without storing any long-term credentials on the instance. Which approach should the developer use?
55. A company wants to restrict access to an Amazon S3 bucket so that only requests originating from a specific Amazon VPC are allowed. The bucket is in the same AWS account as the VPC. Which configuration should the developer implement?
56. A developer is creating a web application that uses Amazon Cognito for user authentication. The application needs to verify the identity of users before allowing access to the API. Which Cognito feature should the developer use?
57. A developer is building a REST API with Amazon API Gateway and needs to authorize requests based on a custom JSON Web Token (JWT) that includes claims for user roles. Which authorization mechanism should the developer use?
58. A developer wants to grant a user in a different AWS account access to an S3 bucket. The developer has written a bucket policy that allows the user's IAM user ARN. However, the access is still denied. What is the most likely reason?
59. A company wants to ensure that no Amazon S3 buckets in the AWS account can be made publicly accessible, even if a bucket policy or ACL is later configured to allow public access. Which AWS feature should the developer enable to enforce this at the account level?
60. A developer is building a REST API using API Gateway and AWS Lambda. The API must only be accessible by authenticated users who belong to a specific group within an Amazon Cognito user pool. Which API Gateway authorization mechanism should the developer use?
61. A developer needs to grant cross-account access to an S3 bucket for an IAM user from another AWS account. The developer has added a bucket policy that allows the user's ARN. However, the user still cannot access the bucket. What additional step is required?
62. A company wants to enforce that all IAM users use multi-factor authentication (MFA) when accessing the AWS Management Console. Which IAM policy condition key should be used in a policy attached to each user or group to deny access if MFA is not present?
63. A developer is deploying a web application on EC2 instances behind an Application Load Balancer (ALB). The application needs to encrypt data in transit between the client and the ALB. Which AWS service should be used to manage the SSL/TLS certificate?
64. A company stores sensitive customer data in Amazon S3. The security policy requires that all data be encrypted at rest using server-side encryption with a customer-managed AWS KMS key. Which S3 server-side encryption option should the developer use?
65. A developer needs to store a database password for an AWS Lambda function. The password must be encrypted at rest with a customer-managed key that can be rotated manually. Which solution meets these requirements with minimal operational overhead?
66. An API Gateway HTTP API should allow access only to users authenticated by an external OIDC provider. Which authorizer type is most appropriate?
67. A Lambda function needs to decrypt data encrypted with a customer managed KMS key. Which two permissions are commonly required?
68. A developer stores database credentials in Secrets Manager. The application sometimes receives AccessDeniedException from Lambda after secret rotation. What should be checked first?
69. A mobile application must let authenticated users upload only to their own S3 prefix. Which approach best follows least privilege?
70. An application receives webhooks from a partner. The developer must verify that each request was signed by the partner and not modified in transit. What should the application validate?
71. A developer needs to call AWS APIs from application code running on EC2. Which credential source should the AWS SDK use by default?
72. An S3 bucket policy allows GetObject from another account, but objects encrypted with SSE-KMS still return AccessDenied. Which additional authorization is required?
73. A developer needs to prevent accidental public access to all S3 buckets in an account. Which account-level control should be enabled?
74. A Lambda function in a VPC must retrieve secrets from Secrets Manager without traversing the public internet. Which configuration should be used?
75. A developer uses API Gateway with Cognito. Which two token validations are important when authorizing API access?
76. An application in ECS Fargate needs to read a secret and decrypt it with KMS. Which two permissions/configurations are needed?
77. A developer needs to securely distribute temporary AWS credentials to authenticated mobile users. Which two components are commonly involved?
78. A team wants to prevent secrets from being committed to source control and reduce blast radius if a secret is exposed. Which two practices help?
79. Drag and drop the steps to deploy a containerized application using AWS ECS with Fargate in the correct order.
80. Drag and drop the steps to implement a disaster recovery plan using cross-region replication for S3 in the correct order.
81. Drag and drop the steps to set up a DynamoDB table with auto scaling in the correct order.
82. Match each AWS tool or feature to its description.
83. Match each AWS CLI command to its function.
84. Match each DynamoDB concept to its description.
85. A company wants to securely store secrets for a Lambda function. Which AWS service should they use?
86. A developer needs to allow an EC2 instance to read items from a DynamoDB table. Which is the best practice for granting permissions?
87. A company uses AWS KMS with customer managed keys to encrypt S3 objects. The security team requires automatic key rotation. What must the developer do to enable rotation?
88. A developer is writing a Lambda function that needs to access an RDS database. The function currently fails with a timeout. What is the most likely cause?
89. An application running on EC2 needs to access an S3 bucket. What is the most secure way to grant access?
90. A company wants to audit all API calls made to AWS. Which service should be used to collect and store these logs?
91. A developer receives an AccessDenied error when trying to upload a file to an S3 bucket that has a bucket policy requiring encryption in transit. What is the most likely cause?
92. A developer needs to securely store database credentials for a serverless application. Which service should be used?
93. A company has an S3 bucket with versioning enabled. A developer accidentally deleted an object. What must be done to recover it?
94. Which TWO are best practices for securing an AWS account? (Choose 2)
95. Which THREE are valid methods to encrypt data at rest in Amazon S3? (Choose 3)
96. Which TWO actions are required to enable server-side encryption for an Amazon RDS instance? (Choose 2)
97. A developer attached the above IAM policy to an IAM user. The user tries to download an object from example-bucket using the AWS CLI without specifying server-side encryption. What will happen?
98. A developer runs the commands above. The key is disabled. An application that uses this key to encrypt S3 objects starts failing. What should the developer do to fix the issue?
99. A developer receives the above error when trying to launch an EC2 instance. What is the most likely cause?
100. A developer is building a serverless application using AWS Lambda. The application needs to access a DynamoDB table and an S3 bucket. What is the MOST secure way to provide the necessary permissions?
101. A company wants to encrypt data at rest in Amazon S3. Which AWS service can be used to manage the encryption keys?
102. A developer is tasked with rotating database credentials stored in AWS Secrets Manager for an RDS MySQL instance. The rotation must occur automatically every 30 days. What is the BEST approach?
103. A developer is creating a new IAM policy to allow an application to read objects from a specific S3 bucket and write logs to a CloudWatch log group. Which policy statement is correct?
104. A developer needs to securely pass a secret API key to an AWS Lambda function. What is the MOST secure and recommended approach?
105. A company is using AWS CodeCommit for source control. Developers need to access the repository from their local machines. Which authentication method is recommended for secure access?
106. A developer notices that an IAM user has permissions to terminate EC2 instances, but the user should only be allowed to stop instances. The developer needs to update the policy to prevent termination while allowing stop. Which IAM policy statement should be added?
107. A developer wants to encrypt data in transit between an application and an S3 bucket. Which option achieves this?
108. A company has an S3 bucket with a policy that denies access to all users. The bucket owner wants to grant read access to a specific IAM user. What must be done?
109. A developer is designing a system that must meet the following security requirements: (1) Encrypt data at rest in S3, (2) Automatically rotate encryption keys annually, (3) Use an encryption key that is managed by AWS. Which services or features should the developer use? (Choose TWO.)
110. A developer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket despite having an IAM role with the correct permissions attached. Which THREE steps should the developer take to diagnose the issue?
111. Which TWO of the following are best practices for securing the AWS account root user?
112. A developer is using AWS Lambda and needs to ensure that the function can access an RDS database securely. Which THREE steps should be taken?
113. Refer to the exhibit. An IAM policy is attached to a user. The user attempts to download an object from my-bucket that was uploaded without server-side encryption. What happens?
114. Refer to the exhibit. A developer in account 111111111111 tries to assume a role in account 123456789012. The error occurs. What is the MOST likely cause?
115. A company is using an Application Load Balancer (ALB) to route traffic to a set of EC2 instances. The security team wants to ensure that only traffic from the ALB can reach the instances. Which security group configuration should be used?
116. A developer needs to grant an IAM user access to an S3 bucket for read-only operations. Which IAM policy action should be used?
117. A company has an S3 bucket configured with server-side encryption using AWS KMS (SSE-KMS). An application running on EC2 with an appropriate IAM role is unable to write objects to the bucket. The error message indicates an access denied error. Which additional permission is most likely required?
118. A developer is building a serverless application using AWS Lambda and needs to securely store database credentials. Which AWS service should be used to store and retrieve the credentials?
119. A company wants to encrypt data at rest in an Amazon RDS for PostgreSQL database. The database is already running, and the company wants to enable encryption without significant downtime. Which approach should be taken?
120. A developer needs to allow an IAM user to stop and start EC2 instances but not terminate them. Which IAM policy effect and action combination should be used?
121. A company is using Amazon Cognito for user authentication. The developers need to add multi-factor authentication (MFA) for security. Which Cognito feature should be enabled?
122. A developer is troubleshooting an issue where an S3 bucket policy is not granting cross-account access to a user in another AWS account. The bucket policy uses a Principal element with the AWS account ID. What is the most likely reason for the failure?
123. A company wants to ensure that all data in transit between a web application and its users is encrypted. Which AWS service can provide SSL/TLS termination?
124. Which TWO actions can help protect an S3 bucket from data leaks? (Choose two.)
125. Which THREE are best practices for managing IAM users and roles? (Choose three.)
126. Which TWO services can be used to encrypt data at rest in Amazon S3? (Choose two.)
127. A company is using an S3 bucket to store sensitive data. They want to ensure that all objects uploaded to the bucket are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). What is the most secure way to enforce this?
128. A developer is troubleshooting access to an S3 bucket from an EC2 instance. The instance has an IAM role with an attached policy that allows s3:GetObject on the bucket. However, the application is receiving Access Denied errors. What is a likely cause?
129. A developer needs to securely store database credentials for an application running on AWS Lambda. Which AWS service should they use?
130. A company is using AWS KMS to encrypt data in S3. They want to ensure that only specific IAM roles can decrypt the data, even if the IAM role has full S3 access. What should they do?
131. A developer is building an application that uploads files to S3. The application uses an IAM user with access keys. The developer wants to rotate the access keys regularly. Which approach is the most secure?
132. A company wants to give a third-party auditor read-only access to their AWS account for compliance purposes. What is the most appropriate way to grant this access?
133. A developer is using AWS Lambda to process sensitive data. The Lambda function needs to access a DynamoDB table that is encrypted with a customer-managed CMK. The developer is using the default Lambda execution role. What must be done to allow Lambda to decrypt the DynamoDB table?
134. A developer is configuring a load balancer in front of an EC2 instance running a web application. The application needs to authenticate users via an identity provider. Which AWS service should the developer use to handle authentication and authorization?
135. A company wants to encrypt data in transit between an EC2 instance and an S3 bucket. What should they do?
136. A developer is designing a microservices architecture where each service communicates over HTTPS. They need to ensure that only authorized services can invoke each other. Which TWO services can be used to manage authentication and authorization between services?
137. A developer is storing secrets such as database passwords. Which TWO AWS services can be used to securely store and retrieve secrets?
138. A company wants to ensure that only encrypted connections are used to access their S3 bucket. Which THREE methods can be used to enforce this?
139. Refer to the exhibit. An IAM policy is attached to a user. The user reports that they can access objects in the S3 bucket from their office IP address (192.0.2.15) but cannot access from home (203.0.113.5). What is the most likely reason?
140. Refer to the exhibit. An IAM role has the attached policy. A developer is writing an application that will upload objects to the S3 bucket using server-side encryption with AWS KMS (SSE-KMS). The application is failing with an Access Denied error when trying to upload. What is the missing permission?
141. Refer to the exhibit. A developer is trying to query a DynamoDB table from a Lambda function that uses an execution role named MyRole. The Lambda function is failing with the error shown. Which step should the developer take to resolve this?
142. A developer is creating an IAM policy to allow an EC2 instance to access an S3 bucket. Which AWS service should the developer use to securely provide credentials to the EC2 instance?
143. A company uses AWS KMS to encrypt data at rest in S3. The security team wants to audit all use of the KMS key, including decryption operations. What should the developer enable?
144. A developer is building a serverless application with AWS Lambda that needs to read from an Amazon DynamoDB table. The Lambda function is in a VPC. What is the MOST secure way to grant the Lambda function access to DynamoDB?
145. A developer needs to allow an IAM user to temporarily access an AWS account for 12 hours. The developer must not create long-term credentials. What should the developer use?
146. A company is using AWS CodePipeline to deploy a web application. The pipeline must securely store and use database credentials. Which AWS service should the developer use to store the credentials and retrieve them during deployment?
147. A developer is deploying an application on EC2 that must access an S3 bucket. The developer wants to avoid hard-coding credentials. What is the MOST secure way to grant access?
148. A developer needs to encrypt data in an S3 bucket. The company requires that the encryption key be managed by AWS but with the ability to audit key usage. Which S3 encryption option should the developer use?
149. A developer is using Amazon API Gateway with a Lambda authorizer to secure a REST API. The developer wants to pass user context from the authorizer to the backend Lambda function. How should the developer accomplish this?
150. A company has a multi-account architecture using AWS Organizations. The security team wants to centrally manage IAM policies that apply to all accounts. Which AWS feature should the developer use?
151A developer is implementing a solution to encrypt data in transit for a web application running on an Application Load Balancer (ALB). Which TWO actions should the developer take?
152A developer wants to ensure that an S3 bucket is not publicly accessible. Which TWO measures should the developer implement?
153A developer is designing a CI/CD pipeline using AWS CodePipeline. The pipeline must deploy to multiple AWS accounts. Which THREE components are required to securely deploy across accounts?
154The exhibit shows an S3 bucket policy. If an IAM user in the same AWS account attempts to download an object from the bucket from IP address 203.0.113.5, what will happen?
155A developer ran the AWS CLI command shown in the exhibit. What is the most likely cause of the error?
156. The exhibit shows an IAM policy attached to a Lambda function's execution role. When the Lambda function tries to decrypt data using the KMS key, it receives an access denied error. What is the most likely cause?
157. A developer needs to allow an EC2 instance to read objects from a specific S3 bucket. Which is the MOST secure way to grant permissions?
158. A company wants to allow cross-account access to a DynamoDB table. They set up an IAM role in Account A (table owner) and allow Account B's users to assume the role. Which additional step is required?
159. A developer is encrypting an S3 bucket using server-side encryption with AWS KMS (SSE-KMS). What is a benefit of using SSE-KMS over SSE-S3?
160. A developer set up a Lambda function that reads from an SQS queue and processes messages. The function sometimes times out. How can the developer improve security while minimizing execution time?
161. An application uses a custom KMS key to encrypt data. The application runs on an EC2 instance. To decrypt data, the application must call KMS. What is the BEST practice to securely provide the KMS key ID to the application?
162. A developer wants to ensure that an S3 bucket only allows HTTPS requests. What S3 bucket policy condition should be used?
163. A developer is deploying an application with AWS CodeDeploy. The application needs to access a database password. Which service should be used to securely store and retrieve the password?
164. A company uses AWS KMS with imported key material. The key material is expired. What must the developer do to continue using the KMS key?
165. A developer needs to grant least-privilege access to a Lambda function to write logs to CloudWatch Logs. Which IAM policy effect should be used?
166. Which TWO actions are recommended to secure an S3 bucket? (Choose 2)
167. Which THREE are valid methods to authenticate to AWS APIs? (Choose 3)
168. Which TWO are features of AWS Identity and Access Management (IAM)? (Choose 2)
169. A developer attached the above IAM policy to an IAM user. The user is trying to get an object from the bucket 'example-bucket' from an on-premises machine with public IP 203.0.113.5. What will happen?
170. A developer runs the above command and gets the output shown. What is the developer verifying?
171. A developer attaches the above S3 bucket policy to my-bucket. A user tries to upload an object using HTTP (not HTTPS). What will happen?
172. A developer is troubleshooting an S3 bucket policy that is denying all access. The policy has an explicit Deny for s3:PutObject. What is the most likely reason for the denial even though an Allow exists?
173. A company wants to securely store database credentials for a Lambda function. Which AWS service should be used?
174. A developer is designing a multi-tier application. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier. Which security group configuration meets these requirements?
175. A developer needs to grant an IAM user access to an S3 bucket owned by another AWS account. Which method should be used?
176. A company uses AWS KMS to encrypt data at rest. A developer wants to allow a Lambda function to decrypt data using a KMS key. What are the minimum permissions required?
177. A developer is using an S3 bucket to store sensitive files. The bucket policy includes a condition that requires TLS for all requests. A user reports that they can access the bucket via the AWS Management Console but not via an application using HTTP. What is the likely issue?
178. A developer needs to allow an EC2 instance to access an S3 bucket without storing credentials on the instance. Which approach is the most secure?
179. A company is using AWS CloudTrail to monitor API activity. A developer notices that some actions are not logged. What is a possible reason?
180. A developer is building a serverless application using API Gateway and Lambda. The API must be accessed only by authenticated users from a specific AWS Cognito User Pool. Which method should be used?
181. A developer wants to encrypt data in an S3 bucket using server-side encryption with AWS KMS (SSE-KMS). Which TWO steps are required?
182. A company has an IAM policy that allows s3:GetObject for all users in the account. However, a specific user is receiving access denied errors. Which TWO possible causes should the developer investigate?
183. A developer is tasked with securing a legacy application that stores secrets in environment variables. Which THREE AWS services can be used to improve the security posture?
184. A developer attaches this IAM policy to an IAM user. The user is trying to access an object in example-bucket from the IP address 203.0.113.5. What will happen?
185. A developer runs the AWS CLI command to decrypt a file using a KMS key. What is the most likely cause of the error?
186. A developer attaches this IAM policy. What happens when the developer attempts to launch a t2.micro instance?
187. A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be rotated automatically every 12 months. Which type of KMS key should be used?
188. A developer is creating an IAM policy for an Amazon S3 bucket that must allow read access to a specific object only. Which policy element should be used to restrict access to the object?
189. A developer is troubleshooting access to an Amazon S3 bucket. The bucket policy allows access to the developer's IAM role, but the developer receives an Access Denied error when trying to upload objects. The developer is using an IAM user with access keys for API calls. What is the most likely cause?
190. A company uses AWS Secrets Manager to store database credentials. The application runs on Amazon EC2 instances with an IAM role attached. How should the application retrieve the secret securely?
191. A developer needs to allow an Amazon EC2 instance to send messages to an Amazon SQS queue. What is the most secure way to grant this access?
192. A developer is using AWS Lambda to process files uploaded to an S3 bucket. The Lambda function needs to write logs to CloudWatch Logs. Which of the following is required to allow this?
193. A company wants to encrypt data in transit between an on-premises application and an Amazon RDS instance. Which of the following should be implemented?
194. A developer is building a serverless application using AWS Lambda and Amazon API Gateway. The developer wants to restrict access to the API so that only authenticated users can invoke it. Which API Gateway feature should be used?
195. A developer is deploying a web application on Amazon ECS with a Fargate launch type. The application needs to securely access an Amazon DynamoDB table. How should the developer grant permissions?
196. A company is designing a secure CI/CD pipeline using AWS CodePipeline and AWS CodeBuild. The pipeline must securely store and access sensitive parameters (e.g., API keys) used during the build. Which TWO services can be used to securely store and retrieve these parameters?
197. A developer is creating an IAM policy to allow access to an Amazon DynamoDB table. The policy must allow the user to read and write items, but not to delete the table or modify its schema. Which TWO DynamoDB actions should be included in the policy?
198. A developer needs to encrypt data at rest in an Amazon S3 bucket. Which THREE options are available for server-side encryption?
199. A developer attached the IAM policy above to an IAM user. What is the effect when the user tries to download an object from the 'confidential' folder in 'example-bucket'?
200. A developer attached the managed policy above to an IAM role used by an application. The application tries to decrypt data using a KMS key that has an encryption context of {"department": "finance"}. However, the request fails with access denied. What is the most likely reason?
201. The above resource-based policy is attached to an SQS queue. An application running on an EC2 instance with the IAM role 'AppRole' tries to send a message to the queue but receives an access denied error. What is the most likely cause?
202. A company is using AWS Secrets Manager to rotate database credentials automatically. The rotation Lambda function fails with a timeout error after 30 seconds. The developer checked the Lambda logs and saw that the function is making network calls to the database but never receives a response. What is the MOST likely cause?
203. A developer wants to grant an IAM user permissions to list all S3 buckets in the account, but deny access to a specific bucket named 'confidential-data'. Which IAM policy should be attached?
204. A company uses AWS KMS to encrypt data at rest in S3. The security team requires that all encryption keys be rotated automatically every year. Which solution meets this requirement with the LEAST operational overhead?
205. A developer is deploying a web application on EC2 instances behind an Application Load Balancer. The application needs to authenticate users via a third-party identity provider (IdP) that supports OpenID Connect (OIDC). The developer wants to offload authentication to the ALB. Which configuration is required?
206. A company wants to store sensitive data in S3. The data must be encrypted at rest using server-side encryption with a key that is automatically rotated annually. Which S3 encryption option should be used?
207. A developer is building a serverless application using API Gateway and Lambda. The API must be accessible only from a specific VPC. How can the developer achieve this?
208. A company uses IAM roles to grant permissions to EC2 instances. The security team notices that an instance is using a role that has administrator privileges, which is a security risk. What is the BEST way to restrict the instance's permissions without disrupting the application?
209. A developer needs to grant an IAM user the ability to create and manage CloudFormation stacks. Which IAM policy action should be allowed?
210. A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all S3 buckets across all accounts are encrypted with SSE-S3. What is the MOST effective way to enforce this?
211. A developer is using AWS KMS to encrypt data. Which of the following are true about customer master keys (CMKs)? (Choose TWO.)
212. A company is deploying a web application on EC2 instances behind an ALB. The application needs to authenticate users using a corporate identity provider that supports SAML 2.0. Which of the following are required to configure this? (Choose THREE.)
213. A developer needs to securely store database credentials and retrieve them programmatically from a Lambda function. Which AWS services can be used for this purpose? (Choose TWO.)
214. Refer to the exhibit. A developer attached this bucket policy to an S3 bucket named 'my-bucket'. The IAM role 'AppRole' is used by an application running on EC2 instances with an IP address of 192.0.2.10. The application tries to upload an object to 'my-bucket/confidential/report.pdf'. Will the upload succeed?
215. Refer to the exhibit. A developer ran the above commands to inspect a KMS key. What can be determined about this key?
216. Refer to the exhibit. An IAM policy is attached to an IAM user. The user tries to download an object from 'example-bucket' from an IP address of 10.0.1.5. Will the download succeed?
217. A company is using AWS Lambda to process sensitive data. The Lambda function needs to access an S3 bucket in the same account. What is the BEST practice for granting permissions?
218. A developer is troubleshooting an application that uses an IAM role to access DynamoDB. The application is running on an EC2 instance and intermittently fails with an AccessDenied error. The IAM role has the following policy attached. What is the MOST likely cause?
219. A developer needs to securely store database credentials for a serverless application. Which service should be used?
220. A company's S3 bucket contains sensitive data. The security team requires that all data be encrypted at rest. Which combination of actions will enforce encryption for all objects written to the bucket?
221. A developer is deploying an application on EC2 instances behind an Application Load Balancer (ALB). The application must authenticate users using an identity provider (IdP) that supports OpenID Connect (OIDC). What is the MOST secure way to offload authentication to the ALB?
222. A developer needs to grant an IAM user the ability to create and manage EC2 instances, but only in the us-east-1 region. Which IAM policy statement should be used?
223. A company is using AWS Key Management Service (KMS) to encrypt data in S3. The security team wants to ensure that only the company's AWS account can access the KMS key. What should be done?
224. A developer is building a serverless application using AWS Lambda and API Gateway. The API should be accessible only from a specific VPC. What is the MOST secure way to achieve this?
225. A developer wants to allow an IAM user to rotate their own access keys. Which IAM policy action should be included?
226. A company is using AWS CloudTrail to monitor API activity. Which TWO actions are required to ensure the integrity and security of the log files?
227. A developer is designing a system that stores sensitive user data in DynamoDB. The data must be encrypted at rest and in transit. Which THREE actions should the developer take?
228. A developer is using IAM roles to grant permissions to an EC2 instance. Which TWO statements are true about IAM roles for EC2?
229. A company runs a web application on EC2 instances in an Auto Scaling group. The application uses an IAM role to access an S3 bucket that stores user uploads. Recently, the security team discovered that some uploaded files contain malicious content. The team wants to implement a solution that automatically scans new objects for malware and blocks access if threats are detected. The solution must be cost-effective and minimize latency for legitimate uploads. The developer is tasked with designing this solution. Which approach should the developer take?
230. A developer is building a mobile application that uses Amazon Cognito User Pools for authentication. The app needs to access a REST API hosted on AWS. The developer wants to use Cognito to authorize API requests. The API Gateway is configured with a Cognito User Pool authorizer. However, when testing, the API returns a 401 Unauthorized error even though the user is authenticated. The developer verified that the user exists in the user pool and the ID token is valid. What is the MOST likely cause and solution?
231. A company has an S3 bucket that contains sensitive financial data. The security team requires that all access to the bucket be logged for audit purposes. The developer needs to enable logging that captures who accessed the bucket, the actions performed, and the source IP addresses. The logs must be stored in a separate bucket for security. Which solution meets these requirements?
232. A company stores sensitive data in an S3 bucket that must be encrypted at rest. The security team requires that all objects uploaded to the bucket are automatically encrypted using server-side encryption with AWS KMS (SSE-KMS). A developer uploads an object without specifying any encryption header. The upload succeeds, but the object is not encrypted. What is the most likely cause?
233. A developer is configuring cross-account access to an S3 bucket. The bucket in Account A has a bucket policy granting access to an IAM role in Account B. The IAM role's trust policy allows the developer's IAM user in Account B to assume the role. When the developer tries to access the bucket from Account B using the assumed role, they receive an Access Denied error. Which additional step is required to resolve this?
234. A developer needs to allow an EC2 instance to access an S3 bucket securely without storing long-term credentials on the instance. Which AWS service should be used to provide temporary credentials?
235. A company's security policy requires that all data in transit between an Application Load Balancer (ALB) and its backend EC2 instances be encrypted. The ALB currently uses HTTPS listeners. What configuration ensures encryption between the ALB and targets?
236. Refer to the exhibit. An IAM policy attached to a user includes the above statement. The user uploads an object to the S3 bucket without specifying any encryption header. What is the outcome?
237. A developer is using AWS Lambda to process files uploaded to an S3 bucket. The Lambda function needs to read the files and write results to a DynamoDB table. What is the MOST secure way to grant the necessary permissions?
238. A developer needs to encrypt secrets (database passwords) that are used by an application running on EC2. The application retrieves the secrets at startup. Which combination of services provides the MOST secure and manageable solution?
239. A company has a VPC with public and private subnets. The private subnets contain Amazon RDS databases. Which TWO actions are required to secure the database instances?
240. A developer is designing a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application requires that only authenticated users can invoke the API, and the data must be encrypted at rest. Which THREE steps should the developer take?
241. A developer is using AWS KMS to encrypt data. Which TWO are valid operations that can be performed using KMS?
242. A company wants to audit access to their S3 buckets. Which TWO services can be used to log and monitor S3 API calls?
243. A developer is deploying an application on EC2 that must access an S3 bucket and an SQS queue. The developer wants to follow the principle of least privilege. Which THREE steps should be taken?
244. A company runs a web application on EC2 instances behind an Application Load Balancer. The security team discovers that the application is vulnerable to SQL injection attacks. The team wants to implement a web application firewall (WAF) to block these attacks. The architecture includes an ALB, EC2 instances in an Auto Scaling group, and an RDS database. The ALB currently has a listener on port 443 with an SSL certificate. The developer must integrate AWS WAF with minimal changes to the existing infrastructure. Which action should the developer take?
245. A developer is managing an application that uses Amazon S3 to store user-uploaded images. The application generates thumbnails using AWS Lambda and stores them in a separate S3 bucket. The security team requires that all objects in both buckets be encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). The developer has configured the Lambda function to use an IAM role with permissions to call KMS Encrypt and Decrypt. However, when a user uploads an image, the Lambda function fails to write the thumbnail with an 'Access Denied' error. The upload bucket has default encryption set to SSE-KMS. What is the MOST likely cause of the failure?
246. A developer needs to share an S3 bucket with a third-party AWS account. The third party will upload files to the bucket using their own IAM users. The developer creates a bucket policy that grants s3:PutObject to the third-party account's root user. However, the third party reports that their IAM users cannot upload files. What is the MOST likely reason?
247. A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets across all accounts have server-side encryption enabled. They have created an SCP that denies the s3:PutBucketAcl action unless the request includes the x-amz-server-side-encryption header. However, some application teams report that they cannot create buckets even when they include the required header. What is the MOST likely cause of this issue?
248. A developer is deploying a serverless application using AWS Lambda and API Gateway. The application needs to authenticate users via a third-party OIDC provider. The developer wants to minimize latency and avoid managing sessions. What is the BEST approach to achieve this?
249. A company stores sensitive data in an S3 bucket that must be encrypted at rest. The security team requires that the encryption keys be rotated every 90 days and that access to the keys be auditable. Which solution meets these requirements with the LEAST operational overhead?
250. A developer is building a web application that stores user session data in an ElastiCache Redis cluster. The cluster is in a VPC and is not publicly accessible. The developer needs to ensure that data in transit is encrypted. What should the developer do?
251. A company has a DynamoDB table that stores personally identifiable information (PII). A developer needs to allow a Lambda function to read and write to this table. What is the MOST secure way to grant the Lambda function access?
252. A developer is creating a new IAM policy to allow users to list objects in a specific S3 bucket. The policy must follow the principle of least privilege. Which policy statement should the developer use?
253. A company uses AWS Secrets Manager to rotate database credentials. The rotation process uses a Lambda function that updates the secret. The developer notices that the rotation sometimes fails because the Lambda function does not have permission to update the secret. What is the MOST likely cause?
254. A developer is deploying an application on Amazon ECS with Fargate. The application needs to access an S3 bucket that contains sensitive data. The developer wants to avoid storing AWS credentials in the container image. What is the MOST secure way to grant the application access to the S3 bucket?
255. A developer needs to allow a user to deploy AWS CloudFormation stacks but restrict the user from creating or modifying IAM resources. Which IAM policy should the developer attach to the user?
256. A company has an S3 bucket that stores log files. The bucket policy grants the AWSServiceRoleForSSO service role write access. However, the logs are not being written. What is the MOST likely reason?
257. A developer is designing a system that uses AWS KMS to encrypt data. Which of the following are valid ways to grant a user permission to decrypt data using a KMS key? (Select TWO.)
258. A company wants to encrypt data at rest in an Amazon RDS for MySQL DB instance. Which of the following are true about RDS encryption? (Select THREE.)
259. A company hosts a web application on EC2 instances behind an Application Load Balancer. The application stores sensitive user data in an S3 bucket. A security audit reveals that the S3 bucket policy allows access from any AWS account. Which combination of actions should be taken to secure the bucket?
260. A developer is configuring cross-account access for an S3 bucket. The source account (111111111111) wants to allow the target account (222222222222) to write objects to the bucket. The developer attaches the following bucket policy. However, the write operation fails with AccessDenied. What is the most likely cause?
261. A developer wants to securely store database credentials used by a Lambda function. The credentials should be automatically rotated every 90 days. Which service should be used?
262. A company has an S3 bucket that stores sensitive customer data. The security team requires that all data be encrypted at rest using server-side encryption with AWS KMS. Additionally, they want to enforce that objects are not uploaded without encryption. Which bucket policy should be used?
263. A Lambda function needs to read from a DynamoDB table and send messages to an SQS queue. The function's IAM role should follow the principle of least privilege. Which policy statement should be attached to the role?
264. A developer is using the AWS CLI to upload a file to an S3 bucket with server-side encryption. The bucket is configured with default encryption (SSE-S3). The developer wants to ensure the object is encrypted with SSE-KMS instead. What should the developer do?
265. An application running on an EC2 instance needs to access a DynamoDB table. The instance is in a private subnet without internet access. Which method should be used to grant the instance access to DynamoDB securely?
266. A company uses AWS KMS to encrypt data in S3. The security team wants to ensure that all KMS keys are rotated every year. Which action should be taken?
267. A developer needs to allow an IAM user to perform only specific actions on an S3 bucket. Which type of policy should be attached to the IAM user?
268. A company wants to audit all API calls made in their AWS account for security analysis. Which TWO services should be used together to achieve this?
269. A developer is designing a serverless application using AWS Lambda and API Gateway. The application needs to authenticate users via a third-party identity provider (IdP). Which TWO services can be used to manage user authentication?
270. A company stores sensitive data in an S3 bucket. The security team requires that all data be encrypted at rest and in transit. Which THREE measures should be implemented?
271. A developer is troubleshooting an AccessDenied error when a Lambda function tries to write to CloudWatch Logs. The function's IAM role includes the following policy. Which TWO missing permissions are causing the error? (Choose TWO.)
272. A company wants to enforce multi-factor authentication (MFA) for all IAM users accessing the AWS Management Console. Which THREE actions are required?
273. A company runs a containerized application on Amazon ECS using Fargate. The application needs to access an S3 bucket to read configuration files and a DynamoDB table to store session state. The ECS task role is configured with the following IAM policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "dynamodb:PutItem", "dynamodb:GetItem" ], "Resource": "*" } ] } The application fails to read from the S3 bucket and write to DynamoDB. The error messages indicate AccessDenied. The S3 bucket has a bucket policy that denies all access unless the request includes a specific aws:SourceIp condition. The DynamoDB table has a resource-based policy that allows access only from the VPC endpoint. The ECS tasks are running in a private subnet with a VPC endpoint for DynamoDB but no VPC endpoint for S3. Which action should be taken to resolve the errors?
274. A company is using AWS Secrets Manager to rotate database credentials automatically. The rotation Lambda function fails with a timeout. Which action should be taken to resolve this issue?
275. A developer needs to grant an IAM user read-only access to an S3 bucket named 'my-bucket'. Which IAM policy statement should be attached?
276. A developer is using AWS KMS to encrypt data in an S3 bucket. The developer wants to ensure that the S3 bucket uses server-side encryption with AWS KMS managed keys (SSE-KMS) by default. Which configuration should be applied?
277. A company uses AWS IAM roles to grant permissions to EC2 instances. An application running on an instance fails to access an S3 bucket. The IAM role has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}. What is the likely cause?
278. A developer wants to securely store database credentials for a Lambda function. Which AWS service should be used?
279. A company uses AWS CloudTrail to log all API calls. The security team wants to be notified immediately when an IAM user creates a new access key. Which solution is most efficient?
280. A developer needs to allow an EC2 instance to read from a DynamoDB table. Which is the best practice to grant permissions?
281. A developer is building a web application that must encrypt data in transit between the client and the server. Which AWS service should be used to offload SSL/TLS termination?
282. A company has an S3 bucket that contains sensitive data. The security team requires that all objects uploaded to the bucket must be encrypted at rest using AWS KMS. Which combination of actions will enforce this?
283. A developer is configuring a Lambda function to access a DynamoDB table in a VPC. Which TWO steps are required to ensure the Lambda function can securely access DynamoDB? (Select TWO.)
284. A security audit reveals that an S3 bucket is publicly accessible. The bucket policy is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}. Which TWO actions should be taken to remediate this issue? (Select TWO.)
285. A developer is creating an IAM policy for a Lambda function that needs to read from an SQS queue and write to a DynamoDB table. Which THREE permissions are required? (Select THREE.)
286. Given the IAM policy above, what is the effective permission for an IAM user?
287. Based on the CloudTrail log entry, which security concern should be investigated?
288. What is required for the Lambda function to access the code in the S3 bucket?
289. A developer is configuring an S3 bucket to host a static website. The bucket policy allows public read access. However, users receive a 403 Forbidden error when accessing the website. What is the most likely cause?
290. A developer needs to grant a Lambda function read-only access to an S3 bucket. Which IAM entity should be used to attach the permissions?
291. An application running on an EC2 instance needs to access a DynamoDB table. The instance is in a private subnet. What is the most secure way to grant access without using long-lived credentials?
292. A company uses AWS KMS to encrypt S3 objects. A developer needs to allow an IAM user to decrypt objects but not encrypt them. Which IAM policy action should be allowed?
293. A developer is using AWS Secrets Manager to rotate database credentials automatically. The rotation fails with the error 'The secret value is not valid JSON.' What is the most likely cause?
294. A developer needs to enforce encryption in transit for all traffic between an application and an RDS database. Which configuration should be used?
295. A developer has an IAM policy that allows 's3:GetObject' for a specific S3 bucket. However, when the developer tries to download an object using the AWS CLI, access is denied. What could be the issue?
296. A developer wants to securely store API keys for a third-party service and retrieve them at runtime in a Lambda function. Which AWS service should be used?
297. A company's S3 bucket policy includes a condition that uses 'aws:SourceIp' to restrict access to a specific IP range. However, requests from that IP range are still denied. What is a possible reason?
298. A developer is designing a system that must meet PCI DSS compliance. Which THREE AWS services can help with logging and monitoring security events?
299. Which TWO actions should a developer take to securely manage database credentials in a serverless application?
300. Which THREE practices help protect data at rest in Amazon S3?
The Security domain covers the key concepts tested in this area of the DVA-C02 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all DVA-C02 domains — no account required.
The Courseiva DVA-C02 question bank contains 300 questions in the Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.