20+ practice questions focused on Security — one of the most tested topics on the AWS Certified Developer Associate DVA-C02 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A developer has an AWS Lambda function that needs to read objects from an S3 bucket in another account. The Lambda function's execution role includes an IAM policy that allows s3:GetObject on the bucket. The bucket owner has added a bucket policy that grants s3:GetObject to the Lambda execution role. However, the Lambda function receives Access Denied errors. The S3 bucket uses SSE-KMS for encryption. What is the most likely cause?
Explanation: When an object is stored with SSE-KMS, Amazon S3 decrypts it server-side before returning it: on each GetObject, S3 calls the KMS Decrypt API on the requester's behalf, using the requester's credentials. If the Lambda execution role is not allowed to call kms:Decrypt on the key that protects the object, that KMS call fails and S3 returns Access Denied to the Lambda function, even though both the bucket policy and the execution role allow s3:GetObject. Because the key lives in the bucket owner's account, two grants are required: the execution role's identity-based policy must allow kms:Decrypt on the key ARN, and the key policy in the owning account must allow the Lambda execution role to call kms:Decrypt. The object is never handed to the Lambda runtime in encrypted form; the failure happens inside S3.
A company has multiple AWS accounts managed under AWS Organizations. The security team requires that all Amazon S3 buckets with bucket names containing 'logs' must be encrypted with a specific KMS key (key ID: alias/logs-key) at rest. A developer must enforce this using an SCP (Service Control Policy). Which SCP effect and condition key should be used to deny any PutObject request that does not use the required KMS key?
Explanation: The correct choice is a Deny statement with a `StringNotEquals` condition on `s3:x-amz-server-side-encryption-aws-kms-key-id`. SCPs set the maximum permissions for member accounts and cannot grant anything, so enforcement is always expressed as a Deny. The condition compares the KMS key named in the PutObject request with the required key and denies the upload if they differ; an upload that does not request SSE-KMS at all also fails the comparison and is denied. Scope the statement with a Resource pattern such as `arn:aws:s3:::*logs*/*` so that it applies only to buckets whose names contain 'logs'. Practical caveat: in a real policy the condition value is the key ARN (`arn:aws:kms:region:account-id:key/key-id`); an alias such as alias/logs-key is how the question identifies the key, not the value the condition key is compared against.
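The SCP described above, written out as an added example (this is not policy text from the original page). The account ID, region, key ID and the `*logs*` bucket-name pattern are assumptions; replace them with your own. The first statement denies uploads that do not request SSE-KMS at all, the second denies SSE-KMS uploads that name any key other than the required one.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLogsUploadsWithoutSSEKMS",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::*logs*/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyLogsUploadsWithWrongKmsKey",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::*logs*/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
      }
    }
  ]
}
```

Both conditions are evaluated against the headers the client actually sends, so uploading clients must set `x-amz-server-side-encryption: aws:kms` and `x-amz-server-side-encryption-aws-kms-key-id` explicitly. Remember also that SCPs do not apply to the management account of the organization, so test the policy from a member account.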
A developer needs to grant a user in another AWS account (Account B) read-only access to objects in an Amazon S3 bucket owned by Account A. The developer has already added a bucket policy that grants s3:GetObject access to the IAM user in Account B. However, the user in Account B still gets Access Denied when trying to read objects. What additional configuration is required?
Explanation: The bucket policy in Account A grants s3:GetObject to the IAM user in Account B, but that alone is not enough. For cross-account access, the request must be allowed by both the resource-based policy in the resource owner's account (the bucket policy) and an identity-based policy in the principal's account: the IAM user in Account B needs a policy attached that explicitly allows s3:GetObject on the bucket's object ARN (for example `arn:aws:s3:::bucket-name/*`). An implicit deny on either side results in Access Denied. If the objects are encrypted with SSE-KMS using a key in Account A, the same rule applies to the key: the user's policy must allow kms:Decrypt on the key ARN and the key policy must allow the Account B user.
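The three policy documents that the two cross-account questions above turn on (the Lambda role reading an SSE-KMS bucket in another account, and the Account B user reading Account A's bucket), collected as an added example that is not part of the original page. Account IDs (111122223333 is the bucket and key owner, 444455556666 is the reading account), the bucket name, the key ID, the user and role names and the region are assumptions. Each top-level entry is deployed separately: `BucketPolicy` on the bucket in the owning account, `IdentityPolicy` on the user or Lambda execution role in the reading account, and `KeyPolicyStatement` added to the Statement array of the KMS key policy in the owning account.

```json
{
  "BucketPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowCrossAccountRead",
        "Effect": "Allow",
        "Principal": {
          "AWS": [
            "arn:aws:iam::444455556666:user/reader",
            "arn:aws:iam::444455556666:role/reader-lambda-role"
          ]
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-logs-bucket/*"
      }
    ]
  },
  "IdentityPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ReadObjects",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-logs-bucket/*"
      },
      {
        "Sid": "DecryptSseKmsObjects",
        "Effect": "Allow",
        "Action": "kms:Decrypt",
        "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
      }
    ]
  },
  "KeyPolicyStatement": {
    "Sid": "AllowCrossAccountDecryptViaS3",
    "Effect": "Allow",
    "Principal": {
      "AWS": [
        "arn:aws:iam::444455556666:user/reader",
        "arn:aws:iam::444455556666:role/reader-lambda-role"
      ]
    },
    "Action": "kms:Decrypt",
    "Resource": "*",
    "Condition": {
      "StringEquals": {
        "kms:ViaService": "s3.us-east-1.amazonaws.com"
      }
    }
  }
}
```

Removing any one of the three grants reproduces the Access Denied in the questions. The `kms:ViaService` condition is optional least-privilege hardening: it lets the reading principals use the key only through S3 in that region, not for direct Decrypt calls.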
A developer needs to ensure that every cryptographic operation performed on an AWS KMS customer master key (CMK) used for server-side encryption in Amazon S3 is recorded in AWS CloudTrail for auditing. The developer has already enabled CloudTrail and is logging management events. However, the security team wants to see all calls to the KMS Decrypt and Encrypt APIs for this specific key. What must the developer do?
Explanation: AWS KMS API calls, including Encrypt, Decrypt and GenerateDataKey, are recorded by CloudTrail as management events; KMS is not one of the resource types for which CloudTrail data events exist, so there is no data-event selector to enable for a KMS key. A trail that logs management events therefore already records every cryptographic operation on the key, unless the trail was created with the "Exclude AWS KMS events" option (offered because KMS events are high volume). The developer must confirm that KMS events are not excluded on the trail, then filter the log for events whose eventSource is kms.amazonaws.com and whose resources list contains the key ARN. Two caveats for S3 server-side encryption: the KMS calls are made by Amazon S3 on the requester's behalf and carry an encryption context naming the object or bucket, and when S3 Bucket Keys are enabled most GetObject and PutObject requests do not call KMS at all, because S3 derives per-object keys from a cached bucket-level key.
A developer is building a mobile application that uses Amazon Cognito for user authentication. After a user signs in, the application needs to access an Amazon DynamoDB table. The developer has set up an identity pool with an authenticated role. The IAM role attached to the authenticated identity has a policy allowing the required DynamoDB actions. However, users report that they cannot perform DynamoDB operations. What is the MOST likely cause of this issue?
Explanation: The most likely cause is that the IAM role's trust policy does not allow Amazon Cognito (the `cognito-identity.amazonaws.com` federated principal) to assume the role. Even if the identity pool is configured to use the authenticated role and the role's permissions policy grants the DynamoDB actions, Cognito must obtain temporary credentials for the user by calling AWS Security Token Service (STS) `AssumeRoleWithWebIdentity`. Without the correct trust relationship that call is refused, the app's GetCredentialsForIdentity request fails (typically with an InvalidIdentityPoolConfigurationException asking you to check the roles assigned to the pool), and every DynamoDB operation fails because the client never receives credentials. The trust policy should also restrict the `cognito-identity.amazonaws.com:aud` condition key to this identity pool's ID and the `cognito-identity.amazonaws.com:amr` key to "authenticated", so that only authenticated identities from this pool can assume the role.
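The trust policy that the authenticated role needs, as an added example that is not from the original page. The identity pool ID is an assumption; it must match the ID of your pool. The permissions policy granting the DynamoDB actions is attached to the role separately and is unchanged by this fix.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCognitoAuthenticatedIdentitiesToAssume",
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:11111111-2222-3333-4444-555555555555"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
```

A role for the unauthenticated (guest) identity gets the same shape with `"unauthenticated"` in the `amr` condition. Leaving out the `aud` condition would let any identity pool that names this role ARN assume it, which is why the Cognito console adds both conditions when it creates the roles for you.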
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Security. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Security questions on the DVA-C02 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Security is tested as part of the AWS Certified Developer Associate DVA-C02 blueprint. Practicing with targeted Security questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free DVA-C02 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Security is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.