Courseiva
Knowledge + Practice

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Free · No Signup Required · Amazon Web Services · DVA-C02

DVA-C02 Security Practice Questions

20+ practice questions focused on Security — one of the most tested topics on the AWS Certified Developer Associate DVA-C02 exam. Each question includes a detailed explanation so you learn why the right answer is correct.

Sample Security Questions

1.

A developer has an AWS Lambda function that needs to read objects from an S3 bucket in another account. The Lambda function's execution role includes an IAM policy that allows s3:GetObject on the bucket. The bucket owner has added a bucket policy that grants s3:GetObject to the Lambda execution role. However, the Lambda function receives Access Denied errors. The S3 bucket uses SSE-KMS for encryption. What is the most likely cause?

A. The S3 bucket does not have versioning enabled.
B. The Lambda function's execution role does not have an explicit allow for s3:GetObject.
C. The Lambda function is not in the same AWS region as the S3 bucket.
D. The Lambda function does not have kms:Decrypt permission on the KMS key used by the bucket.

Explanation: When an S3 bucket uses SSE-KMS, the Lambda function must have explicit kms:Decrypt permission on the KMS key to decrypt the object after s3:GetObject retrieves the encrypted data. Even though the bucket policy and execution role allow s3:GetObject, the missing KMS permission causes an Access Denied error because S3 returns the encrypted object and the Lambda runtime cannot decrypt it without the key.

2.

A company has multiple AWS accounts managed under AWS Organizations. The security team requires that all Amazon S3 buckets with bucket names containing 'logs' must be encrypted with a specific KMS key (key ID: alias/logs-key) at rest. A developer must enforce this using an SCP (Service Control Policy). Which SCP effect and condition key should be used to deny any PutObject request that does not use the required KMS key?

A. Deny effect with a Condition: StringNotEquals on s3:x-amz-server-side-encryption-aws-kms-key-id
B. Deny effect with a Condition: StringEquals on s3:x-amz-server-side-encryption
C. Allow effect with a Condition: StringEquals on kms:RequestTag/key-id
D. Deny effect with a Condition: IpAddress on aws:SourceIp

Explanation: Option A is correct because SCPs use a Deny effect to block non-compliant requests. The condition key `s3:x-amz-server-side-encryption-aws-kms-key-id` with `StringNotEquals` ensures that any PutObject request that does not specify the exact KMS key alias/logs-key is denied. This enforces encryption with the required key for all S3 buckets containing 'logs' in their name.

3.

A developer needs to grant a user in another AWS account (Account B) read-only access to objects in an Amazon S3 bucket owned by Account A. The developer has already added a bucket policy that grants s3:GetObject access to the IAM user in Account B. However, the user in Account B still gets Access Denied when trying to read objects. What additional configuration is required?

A. The user in Account B must have an IAM policy that allows s3:GetObject on the bucket ARN
B. The bucket must be made public by unchecking 'Block all public access'
C. The developer must create a new IAM role in Account A and have the user in Account B assume that role
D. The user in Account B must use the S3 console instead of the AWS CLI

Explanation: The bucket policy in Account A grants s3:GetObject access to the IAM user in Account B, but this alone is insufficient. For cross-account access, the IAM user in Account B must also have an IAM policy attached that explicitly allows s3:GetObject on the bucket ARN. Without this, the user’s own account denies the request before it reaches Account A’s bucket policy, resulting in Access Denied.

4.

A developer needs to ensure that every cryptographic operation performed on an AWS KMS customer master key (CMK) used for server-side encryption in Amazon S3 is recorded in AWS CloudTrail for auditing. The developer has already enabled CloudTrail and is logging management events. However, the security team wants to see all calls to the KMS Decrypt and Encrypt APIs for this specific key. What must the developer do?

A. Enable CloudTrail data events for the S3 bucket containing the encrypted objects.
B. Create an additional CloudTrail trail that logs all management events for the KMS key.
C. Enable CloudTrail data events for the specific KMS key ARN.
D. Enable CloudTrail Insights events on the existing trail.

Explanation: Option C is correct because CloudTrail data events can be configured to log individual API operations (such as Decrypt and Encrypt) on specific KMS keys. By default, CloudTrail management events do not include these data-plane operations; enabling data events for the specific KMS key ARN ensures every cryptographic call is recorded for auditing.

5.

A developer is building a mobile application that uses Amazon Cognito for user authentication. After a user signs in, the application needs to access an Amazon DynamoDB table. The developer has set up an identity pool with an authenticated role. The IAM role attached to the authenticated identity has a policy allowing the required DynamoDB actions. However, users report that they cannot perform DynamoDB operations. What is the MOST likely cause of this issue?

A. The identity pool is not configured to use the authenticated role.
B. The app is not passing the correct identity ID.
C. The IAM role's trust policy does not allow Cognito to assume it.
D. The DynamoDB table is encrypted with a different KMS key.

Explanation: The most likely cause is that the IAM role's trust policy does not include a statement allowing Amazon Cognito (specifically the `cognito-identity.amazonaws.com` service principal) to assume the role. Even if the identity pool is configured to use the authenticated role and the role's permissions policy grants DynamoDB actions, Cognito must be able to assume the role via AWS Security Token Service (STS) `AssumeRoleWithWebIdentity`. Without the correct trust relationship, Cognito cannot obtain temporary credentials for the user, so all DynamoDB operations fail.

How to master Security for DVA-C02

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Security. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Security questions on the DVA-C02 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many DVA-C02 Security questions are on the real exam?

The exact number varies per candidate. Security is tested as part of the AWS Certified Developer Associate DVA-C02 blueprint. Practicing with targeted Security questions ensures you can handle any format or difficulty that appears.

Are these DVA-C02 Security practice questions free?

Yes. Courseiva provides free DVA-C02 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Security one of the harder DVA-C02 topics?

Difficulty is subjective, but Security is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.

Topic Info

Topic: Security
Exam: DVA-C02
Questions available: 20+