Data Protection questions on this certification test your ability to deploy and manage data protection concepts in scenario-based situations.
Start practicing
Data Protection — choose a session length
Free · No account required
Domain overview
Use this page to practise Data Protection questions for this certification. Focus on how the exam tests data protection in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.
Exam objectives
Core Data Protection concepts and how they apply in real-world cloud scenarios.
How to deploy data protection correctly and verify the outcome.
Troubleshooting data protection issues by interpreting error output and system state.
Cloud best practices and Data Protection design trade-offs tested by this certification.
Selecting the most expensive service when a simpler managed option meets the requirement.
Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
Choosing a global service fix when the issue is region-specific.
Overlooking cost implications of cross-region data transfer in architecture questions.
Click any question to see the full explanation and answer options, or start a focused practice session above.
A company stores sensitive data in Amazon S3 and wants to ensure that all objects are encrypted at rest. The security team has enabled default encryption on the S3 bucket using SSE-S3. However, an audit reveals that some objects are stored with SSE-KMS. How can the company enforce that only SSE-S3 is used for all future uploads, while still allowing existing SSE-KMS objects to be read?
2A financial services company uses AWS KMS to encrypt sensitive data. The security team has a requirement to rotate the CMK every 90 days and to maintain a record of all previous key versions for decryption of historical data. The team creates a new CMK every 90 days and manually updates applications to use the new key. This process is error-prone and causes downtime. What is the MOST operationally efficient solution that meets the requirements?
3A startup is building a web application on AWS and needs to protect sensitive customer data at rest in an Amazon RDS for MySQL database. The compliance team requires that the encryption keys be managed by the company's on-premises hardware security module (HSM) and be rotated every 6 months. Which solution should the startup use?
4A company is designing a data protection strategy for its Amazon S3 bucket that stores sensitive documents. The security team requires that all data be encrypted in transit and at rest, and that any accidental deletion of objects can be reversed within 30 days. Additionally, the company must be able to audit all access attempts to the bucket, including failed attempts. Which TWO actions should the company take to meet these requirements? (Choose two.)
5A healthcare company runs a HIPAA-compliant application on AWS. The application uses Amazon S3 to store Protected Health Information (PHI). The company has implemented the following controls: (1) All S3 buckets are configured with default encryption using SSE-S3. (2) Bucket policies restrict access to only authorized IAM roles. (3) S3 access logs are enabled and sent to a centralized logging account. (4) MFA Delete is enabled on all buckets. (5) Object lock is not enabled. Recently, an internal auditor discovered that when an authorized user deletes an object, the object is permanently deleted and cannot be recovered. The company's data retention policy requires that deleted PHI be recoverable for at least 30 days after deletion. A review of the IAM policies shows that users have s3:DeleteObject permission. The auditor also notes that the bucket versioning is not enabled. The security team needs to implement a solution that allows authorized users to delete objects but ensures that deleted objects can be recovered within 30 days. Which of the following is the MOST effective course of action?
6A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which solution meets this requirement?
7A company wants to enforce encryption in transit for all data transferred between its Amazon EC2 instances and an Application Load Balancer (ALB). The company uses AWS Certificate Manager (ACM) to provision TLS certificates. Which TWO actions should the company take? (Choose TWO.)
8Refer to the exhibit. An AWS KMS key policy includes the statement shown. The AdminRole tries to decrypt a ciphertext that was encrypted using the same KMS key with encryption context 'department=engineering'. What will happen?
9Drag and drop the steps to configure a VPC with private subnets and NAT gateway for outbound internet access in the correct order.
10Match each AWS security-related acronym to its definition.
11A company uses S3 to store sensitive customer data. The security team requires that all objects uploaded to S3 be encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). A developer reports that some objects are being stored unencrypted. What is the MOST effective way to enforce this requirement?
12A company wants to protect data at rest for an Amazon RDS for PostgreSQL database. Which AWS service should be used to manage the encryption keys?
13A company has a requirement to automatically rotate encryption keys for S3 objects every 90 days. They are using SSE-KMS with a customer managed key. Which combination of actions will meet the requirement without breaking access to existing objects? (Choose two.)
14A company uses AWS KMS to encrypt EBS volumes. The security team wants to ensure that when an EC2 instance is launched, the attached EBS volumes are always encrypted using a specific customer managed key. Which action will enforce this?
15A company stores sensitive data in an S3 bucket with versioning enabled. They want to ensure that objects are encrypted at rest using SSE-KMS. A security audit reveals that some older object versions are encrypted with SSE-S3. What is the MOST efficient way to re-encrypt those older versions with SSE-KMS?
16A company needs to ensure that data in transit between an on-premises data center and Amazon S3 is encrypted. Which AWS service should be used to establish a dedicated encrypted connection?
17A company is designing a data protection strategy for an Amazon RDS for MySQL database. The database is 2 TB in size and stores financial data. The compliance team requires that database snapshots be encrypted at rest and that encryption keys be rotated every year. Which solution meets these requirements with the LEAST operational overhead?
18A company wants to protect data at rest for an Amazon S3 bucket that contains sensitive data. Which combination of actions provides the MOST comprehensive protection? (Choose two.)
19A company uses AWS KMS to encrypt data in Amazon S3. The security team receives an alert that an IAM user is attempting to decrypt data using a key that they do not have access to. Which AWS service can be used to monitor and alert on such unauthorized KMS API calls?
20A company needs to encrypt data in transit between an EC2 instance and an RDS database. Which option should be used?
21A company uses S3 to store confidential documents. They want to ensure that objects are encrypted at rest using customer-provided encryption keys (SSE-C). Which header must be included in every PUT request?
22A company has a compliance requirement to encrypt all data in Amazon S3 using keys that are managed by the company's internal security team. The keys must be stored in a hardware security module (HSM) that is FIPS 140-2 Level 3 certified. Which AWS service should be used?
23A company is using AWS KMS to encrypt S3 objects. The security team wants to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. Which KMS key policy configuration should be used?
24A financial services company must ensure that all data at rest in Amazon RDS for PostgreSQL is encrypted. The current database is unencrypted. What is the MOST operationally efficient way to enable encryption?
25A company needs to securely store database credentials for a legacy application running on Amazon EC2. The credentials are currently hardcoded in the application code. Which service should be used to rotate and retrieve secrets automatically?
26A company wants to use client-side encryption for data uploaded to Amazon S3. The encryption keys must be managed by the company and never sent to AWS. Which S3 encryption option supports this requirement?
27A company uses Amazon S3 to store sensitive documents. They must ensure that all objects are encrypted at rest and that any attempt to upload an unencrypted object is denied. Which S3 bucket policy statement achieves this?
28A company needs to encrypt data in transit between an on-premises data center and Amazon S3. Which solution should they use?
29A company has a requirement to automatically rotate encryption keys for Amazon EBS volumes every 90 days. The EBS volumes are encrypted using AWS KMS. What is the simplest way to meet this requirement?
30A company uses AWS CloudTrail to log API activity. The security team wants to ensure that log files are encrypted at rest and that any tampering with logs is detectable. Which combination of services should be used?
31A company wants to ensure that data stored in Amazon S3 is encrypted at rest using keys managed by AWS. Which encryption option should they choose?
32A company is designing a data protection strategy for sensitive customer data stored in Amazon S3. Which TWO actions should be taken to protect the data from accidental deletion?
33A company is using AWS KMS to encrypt data in Amazon S3 and Amazon RDS. Which THREE practices should be followed to ensure the security of the KMS keys?
34A company needs to enforce encryption in transit for all traffic between an Amazon EC2 instance and an Amazon RDS database. Which TWO steps should be taken?
35A security engineer applies the above S3 bucket policy. An application tries to upload an object with the header "x-amz-server-side-encryption: AES256". What will happen?
36A security engineer inspects two KMS keys. Which key can be used for envelope encryption with automatic key rotation?
37A company has an S3 bucket with versioning and MFA Delete enabled. A user attempts to delete an object version using the AWS CLI without MFA. What will happen?
38A company is designing a data protection strategy for sensitive data stored in Amazon S3. Compliance requirements mandate that all data be encrypted at rest using customer-provided keys (SSE-C). Which solution meets the requirements with minimal operational overhead?
39A security engineer needs to ensure that data at rest in an Amazon RDS for PostgreSQL DB instance is encrypted. Which action should the engineer take?
40A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to enforce that all S3 PUT requests include an encryption context that matches a specific key-value pair. Which S3 bucket policy condition key should be used?
41A company is implementing a data loss prevention (DLP) solution for data stored in Amazon S3. The data includes personally identifiable information (PII). The company wants to automatically identify and classify PII objects, then apply encryption using AWS KMS with a customer-managed key. Which AWS service should be used to identify PII?
42A security engineer needs to protect data in transit between an EC2 instance and an RDS database. The RDS database uses SSL/TLS certificates. What is the MOST secure way to ensure that the connection is encrypted?
43A company needs to securely store database credentials that are used by an application running on Amazon EC2. The credentials must be automatically rotated every 90 days. Which AWS service should be used?
44A company stores sensitive data in an S3 bucket. The security team wants to ensure that all objects are encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). An application writes objects to the bucket but sometimes fails because the encryption key is not found. What is the MOST likely cause?
45A company uses Amazon S3 to store sensitive documents. The security policy requires that all objects be encrypted using server-side encryption with customer-provided keys (SSE-C). An application fails when trying to read an object with the error 'The request includes an invalid header.' What is the MOST likely cause?
46A company wants to encrypt data in transit between an Application Load Balancer (ALB) and its targets. Which configuration should be used?
47Which TWO actions can help protect data at rest in Amazon EBS volumes? (Choose 2.)
48Which THREE practices are recommended for managing encryption keys in AWS KMS? (Choose 3.)
49Which TWO methods can be used to encrypt data at rest in Amazon S3? (Choose 2.)
50Refer to the exhibit. A security engineer reviews the key policy of an AWS KMS customer managed key. The AppRole role is used by an application to encrypt and decrypt data. However, the application is unable to decrypt data. What is the MOST likely cause?
51A company uses S3 to store sensitive customer data. They want to ensure that all S3 buckets have encryption enabled at rest. Which S3 feature should be used to automatically enforce encryption on all newly created objects?
52A company is migrating on-premises data to AWS using AWS Snowball Edge. The data must be encrypted in transit and at rest. Which combination of steps should be taken?
53A security engineer needs to ensure that an Amazon RDS for MySQL database is encrypted at rest. Which action should be taken?
54A company uses AWS KMS to manage encryption keys for sensitive data stored in S3. The security team wants to ensure that keys are rotated automatically every year. What should they do?
55A company wants to share an encrypted Amazon Machine Image (AMI) with another AWS account. The AMI uses an EBS snapshot encrypted with a customer managed key in KMS. What is the correct procedure to allow the other account to launch an EC2 instance from this AMI?
56A company needs to protect data stored in S3 from accidental deletion by users. Which S3 feature should be used?
57A security team wants to audit who accessed an S3 object that contains sensitive data. Which AWS service provides this capability?
58A company is using AWS DMS to migrate data from an on-premises Oracle database to Amazon RDS for PostgreSQL. The data must be encrypted in transit. What should the company do?
59A company wants to ensure that data at rest in Amazon EBS volumes is encrypted. What is the simplest way to achieve this?
60A company wants to protect sensitive data stored in S3 from being accessed by unauthorized users. Which TWO actions should be taken? (Choose two.)
61A company is using AWS KMS to encrypt data at rest. The security team needs to ensure that keys cannot be deleted before a retention period. Which THREE steps should be taken? (Choose three.)
62A company needs to encrypt data at rest in Amazon RDS for SQL Server. Which TWO methods can be used? (Choose two.)
63A security engineer created the above IAM policy for an S3 bucket. What does this policy accomplish?
64A security engineer examines the above output. The company requires automatic yearly key rotation. What should the engineer do?
65The above CLI output shows the encryption configuration for an S3 bucket. What type of encryption is enabled by default?
66A company stores sensitive customer data in an S3 bucket. The security team wants to ensure that all data is encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). Which bucket policy statement should be added to deny uploads that do not use SSE-KMS?
67A company is using AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that KMS keys are rotated automatically every year. Which action should be taken?
68A company uses AWS CloudHSM to generate and store encryption keys for a custom database. The security team needs to back up the keys to another AWS Region for disaster recovery. What is the most secure and efficient way to achieve this?
69An application running on Amazon EC2 needs to access an S3 bucket containing sensitive data. The security team wants to avoid storing long-term AWS credentials on the instance. How should the EC2 instance be configured to access S3 securely?
70A company is designing a data encryption solution for its Amazon RDS for PostgreSQL database. The database must be encrypted at rest. What is the simplest way to achieve this?
71A company uses AWS Secrets Manager to rotate secrets for its RDS database. The rotation fails periodically, and the security team needs to troubleshoot. Which CloudWatch metric should be monitored to detect rotation failures?
72A company wants to protect data in transit between its on-premises network and Amazon VPC using IPsec VPN. Which AWS service should be used to establish this VPN connection?
73A company stores sensitive documents in an S3 bucket. The security team wants to ensure that any object uploaded to the bucket is automatically encrypted using server-side encryption with AWS KMS. Which S3 bucket feature should be configured?
74A company is using AWS KMS with a customer managed key for encrypting EBS volumes. The security team wants to ensure that only specific IAM roles can use the key for encryption and decryption. What is the best way to achieve this?
75A company is designing a data protection strategy for its Amazon S3 buckets. Which TWO actions can help protect data from accidental deletion or overwrite?
76A company is using AWS Key Management Service (KMS) with a customer managed key. The security team needs to ensure that the key can be rotated automatically every year. Which TWO steps are required?
77A company needs to protect data in transit between an on-premises data center and AWS. Which THREE services can be used to encrypt data in transit?
78A company is storing sensitive customer data in Amazon S3. The security team requires that all data be encrypted at rest using a key that is rotated automatically every year. Which solution meets these requirements with the LEAST operational overhead?
79A company uses AWS KMS to encrypt data in Amazon RDS. The security team discovers that a developer accidentally deleted a customer master key (CMK) used for RDS encryption. What is the impact on the RDS instances that were encrypted with that key?
80A company wants to ensure that all data transferred between its on-premises data center and AWS is encrypted in transit. Which AWS service should be used to meet this requirement?
81A company uses AWS KMS to encrypt data in Amazon S3. The security team needs to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. What is the most secure way to enforce this restriction?
82A company needs to share an encrypted Amazon Machine Image (AMI) with another AWS account. The AMI was encrypted using a customer managed key (CMK) in AWS KMS. What steps are required to allow the target account to launch an EC2 instance from the shared AMI?
83A company stores data in Amazon S3 and wants to ensure that objects are encrypted at rest. The security team decides to use server-side encryption with AWS KMS (SSE-KMS). Which additional benefit does SSE-KMS provide over SSE-S3?
84A company uses Amazon RDS for MySQL with encryption at rest enabled. The security team needs to ensure that automated backups are also encrypted. How can this be achieved?
85A company uses AWS CloudHSM to generate and store encryption keys for a custom application. The security team needs to ensure high availability and durability of the keys. Which architecture should be recommended?
86A company is designing a data lake on Amazon S3 and needs to encrypt data at rest. The compliance team requires that the encryption keys be managed by the company and not by AWS. Which encryption option should be used?
87A company is implementing a data protection strategy for Amazon S3. Which TWO actions should be taken to protect data from accidental deletion or overwrite?
88A company is designing a disaster recovery plan for encrypted Amazon EBS volumes. Which THREE steps are required to ensure that encrypted EBS snapshots can be restored in a different AWS Region?
89A company wants to protect sensitive data in Amazon S3 from unauthorized access. Which TWO AWS services can be used to detect and alert on suspicious access patterns?
90A security engineer is reviewing a KMS key policy. What does this policy accomplish?
91A security engineer is reviewing the configuration of an S3 bucket. What is a security concern with the current configuration?
92A security engineer is investigating a potential data breach and finds this CloudTrail log entry. What does this entry indicate?
93A company uses S3 to store sensitive customer data. Which AWS service can automatically discover and classify this data to help meet compliance requirements?
94A security engineer needs to ensure that all data in an S3 bucket is encrypted at rest using AWS KMS. The bucket policy must deny any PutObject request that does not include the x-amz-server-side-encryption header with value aws:kms. Which bucket policy element should be used?
95A company is using AWS CloudHSM to store encryption keys for a custom application. The application needs high availability across two AWS Regions. What is the MOST secure and cost-effective approach to synchronize key material between the HSMs in each Region?
96A security engineer is designing a data protection strategy for an S3 bucket that contains sensitive documents. The bucket is accessed by multiple IAM users and roles. Which TWO actions will help protect the data at rest and in transit?
97A company is migrating a legacy application to AWS. The application stores sensitive data and must comply with PCI DSS. The security team needs to ensure that data is encrypted at rest using keys that are rotated every 12 months. Which THREE steps should the team take?
98A security engineer is designing a data protection strategy for an S3 bucket that contains sensitive data. The data must be encrypted at rest and the key material must be stored in a hardware security module (HSM) that is FIPS 140-2 Level 3 validated. Which TWO services can be used to meet these requirements?
99A company wants to protect data in transit between an EC2 instance and an S3 bucket. Which method should be used?
100A security engineer needs to audit all access to a KMS customer managed key. Which AWS service should be used?
101A company has a requirement to encrypt all data in an S3 bucket using keys that are stored in an on-premises HSM. Which S3 encryption option should be used?
102A company wants to automate the detection of sensitive data in an S3 bucket. Which AWS service should be used?
103A security engineer is tasked with ensuring that all data stored in an RDS DB instance is encrypted at rest. The database is already running and contains data. What should the engineer do?
104A company uses AWS KMS to encrypt data in S3. The security policy requires that keys be rotated every 12 months. Which type of KMS key supports automatic rotation?
105A company stores sensitive data in an S3 bucket with default encryption (SSE-S3) enabled. A security audit reveals that objects are being accessed by users from unexpected IP addresses. The company wants to enforce that only objects encrypted with a specific KMS key (managed by the security team) can be accessed. Which combination of actions should be taken?
106A company uses AWS KMS to encrypt data at rest in Amazon RDS for MySQL. The security team needs to ensure that the RDS instance can only be decrypted by a specific IAM role used by the production application, and not by any other IAM user or role. What is the most secure way to achieve this?
107A company is using Amazon S3 to store sensitive customer data. They need to ensure that data is encrypted at rest and that the encryption keys are managed by the company, not AWS. Which S3 encryption option should they use?
108A company is designing a data lake on Amazon S3. The data contains personally identifiable information (PII). The security team requires that all data be encrypted at rest and that access to the data is logged for auditing. Additionally, the team wants to ensure that if an object is accidentally deleted, it can be recovered within 30 days. Which combination of S3 features should be enabled?
109A company uses AWS KMS to encrypt EBS volumes attached to EC2 instances. The security team wants to ensure that when an EC2 instance is terminated, the associated EBS volume is automatically deleted and the data is unrecoverable. However, the team also needs to retain the volume's data for 90 days for compliance purposes. What is the most secure and cost-effective approach?
110A company is using Amazon S3 to store sensitive data. They want to ensure that all objects uploaded to a specific bucket are encrypted using server-side encryption with AWS KMS. Which bucket policy condition should be used to enforce this?
111A company uses AWS KMS with a custom key store backed by AWS CloudHSM. The security team wants to ensure that the key material never leaves the HSM and that all cryptographic operations are performed within the HSM. Which of the following actions should the team take?
112A company uses Amazon RDS for PostgreSQL with encryption at rest enabled using AWS KMS. The security team wants to ensure that database backups (automated snapshots) are also encrypted and that the encryption key can be rotated on demand without re-encrypting the data. Which approach should be taken?
113A company is using Amazon S3 to store confidential documents. They want to ensure that all data is encrypted in transit between the S3 bucket and their on-premises application. Which of the following should be enforced?
114A company is designing a secure data sharing solution with a third party. The company needs to share sensitive files stored in an S3 bucket with the third party, ensuring that the files are encrypted at rest and in transit, and that the third party can only access specific files. The company also wants to rotate the access credentials every 30 days. Which TWO actions should the company take? (Select TWO.)
115A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to detect any attempts to use a KMS key that has been disabled. Which THREE steps should the team take to achieve this? (Select THREE.)
116A company is storing sensitive data in Amazon S3. They want to ensure that all data is encrypted at rest using server-side encryption. Which THREE options are available for server-side encryption in S3? (Select THREE.)
117A company is migrating its on-premises data warehouse to AWS. The data includes highly sensitive customer financial information. The company has the following requirements: 1) All data must be encrypted at rest using a key that is managed by the company's internal security team. 2) The encryption keys must be rotated every 90 days. 3) The data warehouse must support SQL queries and be highly available across multiple Availability Zones. 4) The solution must minimize the administrative overhead of managing keys. The security team has chosen Amazon Redshift as the data warehouse. They have enabled encryption using AWS KMS with a customer-managed key (CMK). They have set the key rotation period to 90 days using automatic key rotation. However, during a security review, an auditor points out that the key material is still stored in AWS KMS, and the company wants the key material to be stored in a hardware security module (HSM) that they control. Which of the following is the BEST course of action to meet the auditor's requirement while maintaining the other requirements?
118A company is migrating sensitive data to Amazon S3. They need to ensure that data is encrypted at rest using an AWS KMS customer managed key (CMK). The security team wants to enforce encryption for all new objects uploaded to an S3 bucket. Which policy should be attached to the bucket?
119A security engineer is troubleshooting an issue where an Amazon RDS for MySQL DB instance encrypted at rest with AWS KMS is failing to launch. The error message indicates a KMS access issue. Which IAM role or policy is most likely missing?
120A company uses AWS CloudHSM to store encryption keys for a custom database encryption application. The application runs on Amazon EC2 instances and uses the PKCS#11 library to communicate with the HSM. Recently, the application started failing with 'CKR_SESSION_HANDLE_INVALID' errors. Which of the following is the most likely cause?
121A company uses S3 Server Access Logs to audit access to their S3 buckets. The security team wants to ensure that the log files themselves are encrypted at rest using SSE-KMS. Which configuration step is necessary?
122A company is designing a data protection strategy for Amazon EBS volumes. They want to automate the creation of point-in-time snapshots for all production volumes and retain them for 90 days. Which solution meets these requirements with the least operational overhead?
123Refer to the exhibit. A security engineer is troubleshooting why an IAM user (Alice) cannot encrypt data using a KMS key. Alice has full S3 and KMS permissions via an IAM policy. The key policy is shown. Which statement explains the issue?
124A company wants to protect data in transit between an on-premises data center and Amazon S3. Which AWS service should be used to establish a dedicated, encrypted connection?
125A company uses Amazon S3 to store sensitive documents. The security policy requires that all objects be encrypted with server-side encryption using customer-provided encryption keys (SSE-C). A developer uploads objects using the AWS SDK but forgets to include the encryption key in the request. What happens to the upload?
126A company is using AWS KMS to encrypt data in Amazon Redshift. They need to rotate the KMS key annually. Which approach meets the requirement with minimal operational impact?
127Refer to the exhibit. A security engineer applies the bucket policy to an S3 bucket. A user uploads an object without specifying any encryption header. What happens?
128A company uses Amazon DynamoDB with client-side encryption using AWS KMS. The application is experiencing high latency on write operations. Which change is most likely to reduce latency?
129A company is designing a data protection strategy for Amazon S3. Which TWO of the following are valid methods to protect data at rest in S3?
130A security engineer is configuring a new AWS KMS customer managed key. Which THREE of the following are required components of a KMS key policy?
131A company uses AWS CloudTrail to log API calls. They want to ensure that log files are encrypted at rest and that integrity is verified. Which TWO services can be used together to achieve this?
132A financial services company runs a web application on Amazon EC2 instances behind an Application Load Balancer. The application processes credit card numbers and stores them in an Amazon RDS for PostgreSQL database. The database is encrypted at rest using AWS KMS. The security team is concerned about data in transit between the ALB and EC2 instances, and between EC2 and RDS. They also want to ensure that the application never logs the full credit card number. The current setup: ALB terminates SSL using a certificate from AWS Certificate Manager (ACM). EC2 instances are in a private subnet. RDS is in a private subnet. The application logs to CloudWatch Logs. The security team reviews the logs and finds full credit card numbers in the logs. Which of the following actions should the security engineer take to address the data protection issues?
133A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team wants to ensure that only users with a specific IAM role can decrypt objects. What is the MOST secure way to achieve this?
134A company is designing a data protection strategy for its Amazon RDS for PostgreSQL database. The database contains sensitive customer data. Compliance requirements mandate that all backups be encrypted at rest and that the encryption keys be rotated annually. Which solution meets these requirements?
135A company uses AWS CloudHSM to generate and store encryption keys for a custom application. The application runs on Amazon EC2 instances and uses the PKCS#11 interface to interact with the HSM. The security team recently discovered that a former employee may have obtained a copy of the cryptographic materials from the HSM. What should the security team do to minimize the impact?
136A company wants to encrypt data stored in Amazon S3 using server-side encryption with customer-provided keys (SSE-C). Which statement is correct regarding SSE-C?
137A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that if a KMS key is disabled, all subsequent attempts to decrypt data encrypted with that key fail. What is the BEST way to achieve this?
138Which TWO of the following are valid methods to protect data in transit between an on-premises data center and AWS? (Choose two.)
139Which THREE of the following are required to use client-side encryption with Amazon S3 using AWS KMS? (Choose three.)
140Which TWO of the following are valid options for encrypting data at rest in Amazon EBS? (Choose two.)
141Refer to the exhibit. An IAM policy allows kms:Decrypt on a specific KMS key only when the encryption context includes department=finance. A user attempts to decrypt an S3 object that was encrypted with the same KMS key but with encryption context department=hr. Will the decryption succeed?
142A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application processes credit card numbers and must comply with PCI DSS. The security team requires that all credit card numbers be encrypted at rest and in transit. The application stores the encrypted credit card numbers in Amazon RDS for MySQL. The RDS instance is encrypted at rest using AWS KMS. The application decrypts the credit card numbers after retrieval using a KMS key. The security team has noticed that some credit card numbers are being logged in plaintext in Amazon CloudWatch Logs by the application. The developers claim they are not logging the decrypted values. What is the MOST likely cause and solution?
143A company is using Amazon S3 to store sensitive documents. The security team has implemented a bucket policy that denies access unless the request uses HTTPS. However, a security audit reveals that some objects were accessed over HTTP. The bucket policy is as follows: {"Effect":"Deny","Principal":"*","Action":"s3:*","Resource":"arn:aws:s3:::example-bucket/*","Condition":{"Bool":{"aws:SecureTransport":"false"}}}. The team also enabled S3 Block Public Access at the account level. What is the MOST likely reason that HTTP access was still possible?
144A company uses Amazon SQS to decouple its microservices. The messages contain personally identifiable information (PII). The security team requires that all messages be encrypted at rest. Currently, SQS is configured with SSE enabled using a customer managed KMS key. However, the team discovers that some messages are still being stored in plaintext in the dead-letter queue (DLQ) after the maximum receives are exceeded. The DLQ is also an SQS queue. What is the MOST likely reason?
145A company is migrating its on-premises file server to Amazon EFS. The data includes sensitive financial records. The security team requires encryption at rest and in transit. The team plans to mount the EFS file system on EC2 instances using the NFS client. They have enabled encryption at rest on the EFS file system. However, they are unsure how to enforce encryption in transit. What should they do to ensure all data transferred between the EC2 instance and EFS is encrypted?
146A company runs a workload on Amazon EC2 that needs to access an Amazon S3 bucket to store sensitive data. The security team wants to ensure that the data is encrypted at rest in S3 without requiring any changes to the application. The application currently uses the AWS SDK to upload objects. Which solution meets the requirement with the LEAST operational overhead?
147A company uses AWS KMS to encrypt data in Amazon DynamoDB. The table has a TTL attribute that triggers automatic deletion of expired items. The security team is concerned that deleted items may still be recoverable. What should the team do to ensure that deleted items are cryptographically erased and cannot be recovered?
148A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. However, the current KMS key policy does not allow rotation. Which action should the security team take to meet the requirement?
149A financial services company stores sensitive customer data in Amazon RDS for MySQL. The compliance team mandates that all database backups must be encrypted at rest. The current configuration uses a customer managed KMS key for encryption. However, during a recent audit, it was discovered that some automated backups are not encrypted. What is the MOST likely cause?
150A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that only users from a specific AWS account can decrypt objects. Which TWO steps should be taken to achieve this?
151A company needs to protect data at rest in Amazon S3. Which THREE mechanisms can be used to encrypt objects stored in S3?
152A healthcare company stores sensitive patient data in Amazon S3. The security team has implemented a data protection strategy that includes S3 default encryption using SSE-KMS with a customer managed key. They also use S3 Object Lock to prevent deletion. Recently, an administrator accidentally deleted the KMS key used for encryption. As a result, all objects in the bucket are now inaccessible. The company has a backup of the key material but does not have the original key ID. Which action should the team take to restore access to the data?
153A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that when an object is retrieved, it is automatically decrypted. They have configured the S3 bucket to use SSE-KMS with a customer managed key. However, when a user downloads an object using the AWS CLI, the object is still encrypted. The IAM policy for the user includes kms:Decrypt permission. What is the MOST likely reason for this issue?
154A company is storing sensitive data in Amazon S3 buckets. They want to ensure that all uploaded objects are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). Which bucket policy statement will enforce this?
155A company uses AWS KMS to encrypt data in Amazon RDS. They need to ensure that the key material is automatically rotated every year. Which key type should they use?
156A security engineer is designing a data encryption solution for a multi-region application that uses Amazon S3. The solution must use envelope encryption with a key hierarchy that allows the application to encrypt data locally using a data key, while the data key is protected by a master key stored in AWS KMS. The application should be able to decrypt data even if connectivity to AWS KMS is temporarily lost. Which approach meets these requirements?
157A company uses AWS CloudTrail to log data events for S3 buckets. They notice that some S3 object-level API calls are not being logged. Which configuration could be the cause?
158A company needs to encrypt data at rest in Amazon Redshift. They want to use an AWS KMS customer managed key. What is the correct procedure to enable encryption for an existing Redshift cluster?
159A company has an Amazon S3 bucket with versioning enabled. They want to ensure that all objects in the bucket are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). They also want to prevent any future uploads that are not encrypted with SSE-KMS. Which combination of actions should they take?
160A company uses AWS Secrets Manager to store database credentials. They need to rotate the secrets automatically every 30 days. Which rotation strategy should they use?
161A company stores sensitive data in an Amazon S3 bucket. They want to ensure that data is encrypted in transit when accessed from the internet. Which policy should they attach to the bucket?
162A company uses AWS KMS to encrypt EBS volumes. They want to ensure that the key used for EBS encryption is not shared across different AWS accounts. Which feature should they use?
163Which TWO AWS services can be used to monitor and audit data access patterns to Amazon S3 buckets? (Choose 2.)
164Which THREE actions are required to enforce encryption in transit for an Amazon S3 bucket? (Choose 3.)
165Which TWO AWS services provide key management for encryption at rest? (Choose 2.)
166A security engineer runs the command shown in the exhibit. What is the primary purpose of this command?
167A security engineer applies the bucket policy shown in the exhibit to an S3 bucket. What is the effect of this policy?
168A security engineer runs the command shown in the exhibit. What is the outcome?
169A company needs to encrypt data at rest in Amazon S3 using customer-provided encryption keys. The keys must be stored securely and rotated automatically every 90 days. Which solution meets these requirements?
170A security engineer is designing a solution to protect sensitive data in an Amazon RDS for MySQL database. The data must be encrypted at rest using a key stored in AWS KMS. Additionally, the database must support automated backups and cross-region disaster recovery. Which architecture meets these requirements?
171A company uses Amazon S3 to store sensitive documents. The security team wants to ensure that all objects are encrypted at rest using server-side encryption. Additionally, any attempt to upload an unencrypted object must be denied. What should the security team do?
172A company wants to securely share an Amazon S3 object with an external partner. The partner needs to download the object using an HTTP GET request. The object must be accessible for only 24 hours. What is the most secure way to grant access?
173A company runs a web application on Amazon EC2 instances that processes credit card data. The application must store the data in an encrypted format. The security team wants to minimize the performance impact of encryption and offload the encryption operations to a dedicated hardware security module (HSM). Which solution should the architect choose?
174A company stores sensitive data in an Amazon S3 bucket. The security team requires that all data in transit between the company's on-premises data center and S3 be encrypted. Which solution meets this requirement?
175A company uses AWS KMS to encrypt data in Amazon S3. The security team notices that a KMS key has been deleted accidentally, causing data loss. The company wants to implement a solution to prevent accidental key deletion and enable recovery. What should the security team do?
176A company is migrating sensitive data to Amazon S3. The data must be encrypted at rest using keys managed by the company. The company also requires an audit trail of key usage. Which solution meets these requirements?
177A company's security policy requires that all data stored in Amazon S3 be encrypted using envelope encryption with a key hierarchy. The master key must be stored in a hardware security module (HSM) that is FIPS 140-2 Level 3 validated. Which solution should the company implement?
178A company needs to encrypt data at rest for an Amazon RDS for Oracle database. The database is deployed in a Multi-AZ configuration. The company also wants to encrypt automated backups and snapshots. Which TWO steps should the security team take?
179A company is designing a data protection strategy for Amazon EFS file systems. The security team requires encryption at rest and in transit. Additionally, the team needs to control which KMS keys can be used to encrypt the file system. Which THREE steps should the team take?
180A company wants to protect data stored in Amazon S3 Glacier. The data must be encrypted at rest and the encryption keys must be rotated annually. Which TWO options meet these requirements?
181Refer to the exhibit. A security engineer applies the bucket policy shown to an S3 bucket. The engineer attempts to upload a file using the AWS CLI without specifying any encryption. What is the outcome?
182Refer to the exhibit. A user named John encrypts a file using the AWS CLI. John then tries to decrypt the file but receives an AccessDenied error. John has full administrator permissions in IAM. What is the most likely cause?
183Refer to the exhibit. A security engineer reviews the bucket policy for an S3 bucket. The engineer attempts to upload an object to the bucket using the AWS CLI without the --ssl flag (HTTP). What is the outcome?
184A company wants to encrypt data at rest in Amazon S3 using server-side encryption. They must manage the encryption keys themselves and rotate them annually. Which S3 encryption option should they use?
185A security engineer needs to ensure that all data in transit between an Application Load Balancer and EC2 instances is encrypted using TLS. Which configuration is required?
186A company uses AWS KMS to encrypt data in Amazon S3. They need to audit all KMS key usage for an S3 bucket. Which AWS service should be used to capture KMS Decrypt API calls?
187A company stores sensitive data in Amazon S3 and requires that objects are automatically encrypted using server-side encryption with AWS KMS. The bucket policy must deny any PUT request that does not include the x-amz-server-side-encryption header with value aws:kms. Which bucket policy condition key should be used?
188A company wants to protect data in transit between an on-premises data center and AWS over the internet. Which AWS service should they use to create a dedicated, encrypted connection?
189A security engineer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket via a VPC endpoint. The bucket policy allows access only from the VPC endpoint. The instance has an IAM role that grants s3:GetObject on the bucket. The EC2 instance receives an AccessDenied error. What is the most likely cause?
190A company uses AWS KMS to encrypt data in Amazon RDS. The security team needs to ensure that the KMS key cannot be deleted accidentally. Which action should be taken?
191A company has an S3 bucket with versioning enabled. They want to ensure that all deleted objects are retained for 90 days before permanent deletion. Which S3 feature should be used?
192A company needs to encrypt data at rest in Amazon EBS volumes. They want to use an AWS managed key that is automatically rotated. Which encryption option should they choose?
193A security engineer is designing a data protection strategy for Amazon RDS for PostgreSQL. The database contains sensitive personal information. Which TWO actions should the engineer take to protect the data at rest? (Choose TWO.)
194A company uses AWS KMS to encrypt sensitive data. The security team wants to ensure that KMS keys are not used by unauthorized principals. Which TWO measures should be implemented? (Choose TWO.)
195A company is designing a data protection solution for Amazon S3. They need to ensure that all objects are encrypted at rest and that any attempt to upload an unencrypted object is denied. Which THREE steps should they take? (Choose THREE.)
196Refer to the exhibit. A security engineer applies the bucket policy shown to an S3 bucket. A developer attempts to upload an object with the header x-amz-server-side-encryption: AES256. What will happen?
197Refer to the exhibit. A security engineer runs the AWS CLI command shown and receives an AccessDenied error. The IAM user Alice has a policy that grants kms:Decrypt on all resources. What is the most likely cause of the error?
198Refer to the exhibit. A security engineer runs the command shown and gets the output. What does this output indicate about the bucket's encryption configuration?
199A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which key type meets this requirement?
200A financial services company is designing a data protection strategy for its DynamoDB table containing sensitive customer data. The table has a global secondary index (GSI). The company needs to encrypt the data at rest using a customer managed key (CMK) that is rotated annually. Which solution meets these requirements?
201A company uses Amazon S3 to store confidential documents. The security team wants to ensure that all objects are encrypted at rest using server-side encryption with AES-256. Which S3 encryption option should be used?
202A company uses AWS KMS to encrypt its RDS database. The security team needs to ensure that the key can be used only from within the company's VPC and not from the internet. Which action should be taken?
203A company is using Amazon S3 to store backup files that must be retained for 7 years. The files are accessed infrequently but must be available within minutes when needed. The company wants to minimize storage costs while ensuring data is encrypted at rest. Which storage class and encryption combination is most cost-effective?
204A company needs to encrypt data at rest in its Amazon EBS volumes. The company wants to use an encryption key that is automatically rotated every year without any manual intervention. Which key type should be used?
205A company uses AWS KMS to encrypt data in Amazon S3. The security team needs to audit all KMS key usage, including who used the key, when, and what operation was performed. Which AWS service should be used to meet this requirement?
206A company is designing a data protection strategy for its Amazon RDS for MySQL database. The database contains sensitive data that must be encrypted at rest. The company also needs to manage the encryption keys using its own HSM. Which solution should be used?
207A company is using Amazon S3 to store sensitive data. The security team wants to ensure that all data is encrypted in transit between the company's on-premises data center and AWS. Which solution should be used?
208A company is designing a data protection strategy for its Amazon S3 bucket that stores sensitive customer data. The bucket must be encrypted at rest using a customer managed key (CMK) that is stored in AWS KMS. The company also needs to ensure that only authorized users can decrypt objects. Which TWO actions should the company take?
209A company uses AWS KMS to encrypt data in Amazon RDS. The security team wants to ensure that the KMS key can be used only by specific IAM roles and that all usage of the key is logged. Which TWO actions should the team take?
210A company is implementing a data protection strategy for its Amazon S3 bucket that contains sensitive data. The company requires that all objects be encrypted at rest using server-side encryption with a customer managed key (SSE-KMS). Additionally, the company wants to ensure that only a specific IAM role can decrypt objects. Which THREE actions should the company take?
211Refer to the exhibit. A security engineer is reviewing the key policy for a customer managed key. The engineer notices that a user with the IAM role 'Admin' can encrypt and decrypt data using this key. However, the engineer wants to ensure that only requests coming from the company's VPC (vpc-12345678) can use the key. What should be added to the key policy?
212Refer to the exhibit. A security engineer is reviewing the bucket encryption configuration. The bucket is used to store sensitive data. The company policy requires that all objects be encrypted using AWS KMS with a customer managed key. What should the engineer do to meet the policy?
213Refer to the exhibit. A security engineer is reviewing the CloudWatch Logs configuration for a Lambda function. The log group is encrypted with a customer managed key. The engineer needs to ensure that only the Lambda service can write logs to this log group and that only a specific IAM role can read logs. Which additional configuration is required?
214A company stores sensitive customer data in Amazon S3. To comply with data protection regulations, they need to automatically prevent any new objects from being made publicly accessible. Which S3 feature should they configure?
215A company uses AWS KMS to encrypt data in Amazon S3. Security team wants to ensure that only specific IAM roles can decrypt objects. Which KMS key policy configuration should be used?
216A company needs to protect data at rest on Amazon EBS volumes attached to EC2 instances. Which solution provides the most control over the encryption keys?
217A company uses Amazon RDS for MySQL with encryption at rest enabled using AWS KMS. They need to ensure that automated backups and snapshots are also encrypted. Which configuration is required?
218A company uses AWS Secrets Manager to rotate database credentials automatically. The security team wants to ensure that while the secret is being rotated, applications can always retrieve a valid credential. Which rotation strategy should be used?
219A company needs to share an encrypted Amazon S3 object with another AWS account. The object is encrypted with an AWS KMS customer managed key. Which steps are required?
220A company is designing a data protection solution for Amazon S3 that must prevent any user from accidentally deleting objects. Which combination of S3 features should be used?
221A company stores sensitive data in Amazon DynamoDB and uses AWS KMS with a customer managed key for encryption. The security team wants to ensure that only specific applications can access the table data. Which policy configuration should be used?
222A company wants to protect data in transit between an on-premises application and Amazon S3. Which solution provides the highest security?
223A company is using AWS KMS to encrypt data in Amazon S3. They need to ensure that the KMS key can only be used from within a specific VPC. Which TWO actions should be taken?
224A company uses Amazon Redshift with encryption at rest using AWS KMS. They want to ensure that automated snapshots are encrypted with the same key and that cross-account snapshot sharing is secured. Which THREE steps should be taken?
225A company needs to implement data protection for Amazon EFS file systems. Which TWO features should be configured?
226A company stores sensitive customer data in an S3 bucket. The security team requires that all data be encrypted at rest using a customer-managed KMS key. What should the team configure to enforce this requirement?
227A company is migrating on-premises databases to Amazon RDS for MySQL. The security team requires that data be encrypted at rest and in transit. Which combination of steps should the team take to meet these requirements?
228A company uses AWS KMS to encrypt secrets stored in AWS Secrets Manager. The security team wants to audit all KMS key usage, including attempts to use the key without proper authorization. Which AWS service should the team use to meet this requirement?
229A company has an S3 bucket that stores financial records. The security team wants to ensure that any object uploaded to the bucket is automatically encrypted with a specific AWS KMS key. The team creates a bucket policy that denies s3:PutObject unless the request includes the correct encryption header. However, some users who upload objects using the AWS Management Console report that their uploads fail. What is the most likely cause?
230A company uses AWS KMS to encrypt data in Amazon S3. The security team notices that some KMS key usage is not being logged in AWS CloudTrail. What is the most likely reason for this?
231A company uses Amazon EBS volumes for EC2 instances. The security team requires that all EBS volumes be encrypted at rest. The team creates an AWS Config rule to check whether EBS volumes are encrypted. However, some volumes are non-compliant even though they have encryption enabled. What is the most likely reason?
232A company wants to encrypt data at rest in Amazon S3 using server-side encryption with Amazon S3-managed keys (SSE-S3). What is the minimum permission required for an IAM user to upload an object that will be encrypted with SSE-S3?
233A company stores sensitive data in an S3 bucket and uses AWS KMS to encrypt the data. The security team wants to ensure that only specific IAM roles can decrypt the data. What should the team do?
234A company stores data in Amazon S3 and uses AWS KMS with Customer Master Keys (CMKs) for encryption. The security team wants to audit when the CMK is used to decrypt data. Which of the following will provide this information?
235A company wants to protect sensitive data stored in Amazon S3. Which TWO actions should the company take to meet this goal? (Choose TWO.)
236A company uses AWS KMS to encrypt data. The security team wants to ensure that KMS keys are not used outside of the company's AWS account. Which TWO measures would help achieve this? (Choose TWO.)
237A company is designing a data protection strategy for Amazon S3. The compliance team requires that all objects be encrypted at rest and that any attempt to upload an unencrypted object be blocked. Which THREE steps should the company take? (Choose THREE.)
238Refer to the exhibit. An administrator applies this bucket policy to an S3 bucket. Which of the following statements describes the effect of this policy?
239Refer to the exhibit. A security engineer configures the above KMS key policy. The DataAccess role is used by an application that runs on EC2 instances in the us-east-1 region. The application needs to read encrypted objects from an S3 bucket in the same region. Which of the following is true about this configuration?
240Refer to the exhibit. A security engineer runs the above AWS CLI command to encrypt a secret file. The command succeeds and returns a base64-encoded ciphertext. Which of the following statements is correct?
241A company wants to protect sensitive data stored in Amazon S3 by encrypting it at rest. Which AWS service can be used to manage the encryption keys?
242A company needs to ensure that data in transit between an EC2 instance and an RDS database is encrypted. Which solution meets this requirement?
243A company is using AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt the data. What is the MOST secure way to enforce this?
244A company wants to protect sensitive data stored in Amazon S3 by enforcing encryption in transit. Which policy should be used to deny requests that do not use HTTPS?
245A company uses AWS KMS with a customer managed key to encrypt an S3 bucket. The security team notices that the KMS key is being used by an unintended IAM role. What is the MOST effective way to restrict the key usage to only the intended role?
246A company needs to ensure that data in Amazon S3 is encrypted at rest using envelope encryption. The company wants to rotate the encryption key every 90 days. Which solution meets these requirements with minimal operational overhead?
247A company wants to ensure that data stored in Amazon EBS volumes is encrypted at rest. What is the easiest way to achieve this?
248A company uses AWS KMS to encrypt data in Amazon Redshift. The security team needs to ensure that the KMS key cannot be deleted accidentally. What should be done?
249A company is using AWS KMS to encrypt data in Amazon S3. The security team discovers that an S3 bucket has a bucket policy that allows s3:PutObject without requiring encryption. What is the risk?
250Which TWO of the following are valid ways to enforce encryption at rest for data in Amazon S3? (Choose TWO.)
251Which TWO of the following are best practices for protecting data in transit? (Choose TWO.)
252Which THREE of the following are valid key management features of AWS KMS? (Choose THREE.)
253A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. Which policy should be attached to the KMS key to enforce this restriction?
254A company wants to protect data stored in Amazon S3 by encrypting it at rest using keys managed by the company. Which encryption option should be used?
255A security engineer is troubleshooting an issue where an Amazon RDS for MySQL DB instance is not encrypting data at rest. The DB instance was created without encryption. The engineer needs to enable encryption without significant downtime. What is the MOST effective approach?
256A company uses AWS CloudHSM to store encryption keys. The security team wants to ensure that keys stored in CloudHSM are backed up and can be restored in another AWS Region. What is the BEST approach?
257A company needs to ensure that data in transit between an on-premises data center and Amazon S3 is encrypted. The data will be transferred using HTTPS. What additional step should be taken to ensure the encryption is enforced?
258A company has a critical application that stores sensitive data in Amazon DynamoDB. The security team requires that all data stored in DynamoDB is encrypted at rest using a customer-managed KMS key. Additionally, they want to ensure that the key can be rotated automatically every year. Which combination of actions should be taken?
259A company uses Amazon S3 to store sensitive documents. The security policy requires that all objects in the bucket are encrypted at rest. The bucket currently has default encryption configured with SSE-S3. A new requirement mandates that all objects must be encrypted with SSE-KMS using a specific customer-managed key. What is the MOST efficient way to enforce this without re-uploading existing objects?
260A company wants to protect sensitive data stored in an Amazon EBS volume. The volume is attached to an EC2 instance. Which action should be taken to ensure data at rest is encrypted?
261A company uses AWS Secrets Manager to store database credentials. The security team needs to ensure that secrets are automatically rotated every 30 days. The rotation function must be implemented with minimal operational overhead. Which approach should be used?
262Which TWO of the following are valid options for encrypting data at rest in Amazon S3? (Choose 2.)
263Which THREE of the following are best practices for protecting data in transit within AWS? (Choose 3.)
264Which TWO of the following are valid methods to enforce encryption at rest for an Amazon RDS for PostgreSQL DB instance? (Choose 2.)
265Refer to the exhibit. A security engineer applies the above bucket policy to an S3 bucket. What is the effect of this policy?
266Refer to the exhibit. A user receives the above error when trying to decrypt a file using AWS KMS. The key policy is shown below: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/AdminRole" }, "Action": "kms:Decrypt", "Resource": "*" } ] } What is the likely cause of the error?
267A company runs a critical application on Amazon EC2 instances that store sensitive data on EBS volumes. The security team has enabled EBS encryption by default for the region. However, after a recent security audit, it was discovered that some EBS volumes are not encrypted. The team finds that these volumes were created before the default encryption setting was enabled. The company's security policy mandates that all EBS volumes must be encrypted at rest, and the process must minimize downtime. The application cannot tolerate more than 5 minutes of downtime. The EC2 instances are running production workloads. What should the security engineer do to remediate the unencrypted volumes?
268A company stores sensitive customer data in Amazon S3. They want to ensure that all objects are encrypted at rest using server-side encryption with AWS KMS. Which S3 bucket policy statement should be added to deny uploads that do not request SSE-KMS?
269A security engineer is configuring a new Amazon RDS for MySQL database. The compliance team requires that all database connections be encrypted in transit. Which configuration ensures this requirement is met?
270A financial company uses AWS KMS to encrypt sensitive data. The security team notices that a KMS key has been deleted, but the encrypted data is still needed for a short period. What is the fastest way to make the data decryptable again?
271A company uses AWS Secrets Manager to rotate secrets for an RDS database. The rotation fails with an error indicating that the secret cannot be accessed. What is the most likely cause?
272A company wants to protect data at rest in Amazon S3 using client-side encryption. The application will run on Amazon EC2 instances. Which approach meets these requirements?
273A company uses AWS CloudHSM to generate and store encryption keys for a custom application. The security team is concerned about key durability and wants to ensure that keys are not lost if the HSM fails. Which action should be taken?
274A company wants to encrypt data in transit between an on-premises data center and AWS over a VPN connection. Which AWS service or feature should be used?
275A company needs to protect sensitive data in Amazon S3 from accidental deletion or overwriting. The data must be retained for at least 7 years after creation. Which combination of S3 features should be used?
276Refer to the exhibit. An administrator is investigating why an application that uses KMS for encryption is failing. The IAM role used by the application has the following policy attached: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ] }. What is the most likely cause of the failure?
277A company wants to protect sensitive data in Amazon S3 by ensuring that all objects are encrypted at rest. Which TWO options meet this requirement? (Choose TWO.)
278A company is designing a data protection strategy for Amazon EBS volumes. Which THREE practices should be implemented? (Choose THREE.)
279A company needs to protect data in Amazon S3 by ensuring that only authorized users can access objects, and all access is logged. Which TWO services should be used together? (Choose TWO.)
280A company runs a web application on Amazon EC2 behind an Application Load Balancer (ALB). The application handles payment card information (PCI) and must comply with PCI DSS. The security team wants to ensure that all data in transit between the client and the ALB is encrypted using TLS 1.2 or higher. The ALB currently uses a default certificate from AWS Certificate Manager (ACM) that was issued by Amazon. The compliance team has flagged that the certificate must be issued by a public Certificate Authority (CA) that is trusted by major browsers. The company wants to minimize operational overhead. What should the security team do?
281A company uses Amazon S3 to store sensitive documents. The security engineer notices that an S3 bucket named 'documents-prod' has been configured with a bucket policy that allows s3:PutObject from any principal, but only if the request includes the x-amz-server-side-encryption header set to 'AES256'. The company's security policy requires that all objects be encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). The engineer needs to ensure that any new objects uploaded to the bucket are encrypted with SSE-KMS, and that existing objects remain accessible. What should the engineer do?
282A company uses Amazon RDS for MySQL to store customer data. The security team wants to ensure that the database is encrypted at rest. The database is already running and contains production data. The team needs to enable encryption at rest with minimal downtime. What should they do?
283A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. Which policy configuration should be used?
284A financial services company must ensure that all data written to Amazon S3 is encrypted at rest and that the encryption keys are rotated every 90 days. The company also needs to maintain an audit trail of when keys were used. Which solution meets these requirements with the least operational overhead?
285A company is designing a disaster recovery plan for its Amazon RDS for MySQL database. The database must be encrypted at rest. Which approach ensures that the database is encrypted and can be restored in another AWS Region?
286A company uses AWS Organizations and wants to enforce that all S3 buckets created in any account within the organization have default encryption enabled. Which policy should be used?
287A company uses Amazon EBS volumes for EC2 instances. Security policy requires that all EBS volumes be encrypted at rest. The company already has a default KMS key for EBS encryption. However, some new volumes are created without encryption. What is the most efficient way to enforce encryption for all new EBS volumes?
288A company stores sensitive data in Amazon S3. The security team needs to ensure that data is encrypted at rest and that access is logged. Which TWO actions meet these requirements?
289A company is using Amazon RDS for PostgreSQL with encryption at rest using AWS KMS. The security team wants to ensure that only a specific set of IAM roles can manage the KMS key used for encryption. Which TWO steps should the team take?
290A company is migrating on-premises file servers to Amazon EFS. The data must be encrypted at rest and in transit. Which THREE steps should the company take to meet these requirements?
291A company has an AWS Lambda function that processes sensitive data and writes the results to an Amazon S3 bucket. The security team requires that the data is encrypted at rest in S3 and that the Lambda function has the minimum permissions necessary. Which THREE actions should the team take?
292Refer to the exhibit. An S3 bucket policy is shown. An administrator uploads an object to 'example-bucket' without specifying any encryption header. What is the outcome?
293Refer to the exhibit. A security engineer is troubleshooting a decryption failure. The command uses the AWS CLI to decrypt a file. The decryption fails with an 'AccessDeniedException' error. The IAM user has the following policy attached: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*" } ] } What is the most likely cause of the failure?
294Refer to the exhibit. A KMS key policy is shown. An IAM role named 'DataProcessor' in account 123456789012 is trying to encrypt data using this key. The role also has an IAM policy that allows kms:Encrypt on the key. Will the encryption succeed?
295A company runs a web application on Amazon EC2 instances behind an Application Load Balancer. The application uses an Amazon RDS for MySQL database. The security team requires that all data in transit between the EC2 instances and the database be encrypted. The database is in a private subnet. The EC2 instances are in a public subnet. The security team also wants to minimize latency. What should be done to meet these requirements?
296A company stores sensitive customer data in Amazon S3. The security team has enabled default encryption with SSE-S3 on the bucket. The compliance team requires that all access to the bucket be logged and that any unauthorized access attempts be detected in real time. The company has AWS CloudTrail enabled. Which additional steps should the security team take to meet the compliance requirements?
297A company is using AWS KMS to encrypt sensitive data in Amazon DynamoDB. The security team wants to ensure that the KMS key can only be used from within the company's VPC and not from the internet. The VPC has an interface VPC endpoint for KMS. What should the security team do to enforce this restriction?
298A security engineer is designing a data protection strategy for a healthcare application that stores Protected Health Information (PHI) in an S3 bucket. The bucket is accessed by multiple AWS services, including Athena and SageMaker. Which TWO actions should the engineer take to ensure encryption at rest and in transit? (Choose two.)
299A financial services company uses AWS KMS to encrypt sensitive data in S3 and RDS. The security team requires a centralized audit trail of all KMS key usage, including key creation, deletion, and cryptographic operations. The audit logs must be stored in a separate AWS account for compliance. The team has enabled CloudTrail in the management account and configured a trail that logs to an S3 bucket in the audit account. However, they notice that KMS events such as Decrypt and GenerateDataKey are not appearing in the CloudTrail logs. The KMS key policy includes the following statement: {"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::management-account:root"},"Action":"kms:*","Resource":"*"}. What is the MOST likely reason for the missing KMS events?
300A startup is building a serverless application using AWS Lambda to process user-uploaded images. The images are stored in an S3 bucket with server-side encryption (SSE-S3) enabled. The Lambda function reads the images, performs transformations, and writes the results to a different S3 bucket. The security engineer wants to ensure that data is encrypted at rest and in transit throughout the pipeline. The Lambda function is configured with an IAM role that has permissions to read from the source bucket and write to the destination bucket. Which additional configuration is REQUIRED to ensure end-to-end encryption?
Deep-dive questions
The most-searched questions in this domain — detailed explanations, worked examples, full answer breakdowns.
Data Protection questions on this certification test your ability to deploy and manage data protection concepts in scenario-based situations.
The Courseiva SCS-C02 question bank contains 300 questions in the Data Protection domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Data Protection domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included