Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Free Resources

Difficulty IndexLearn — Free ChaptersIT GlossaryFree Tools & LabsStudy GuidesCareer RoadmapsBrowse by VendorCisco Command ReferenceCCNA Scenarios

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsSCS-C02DomainsData Protection
SCS-C02Free — No Signup

Data Protection

Data Protection questions on this certification test your ability to deploy and manage data protection concepts in scenario-based situations.

303questions

Start practicing

Data Protection — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

SCS-C02 Domains

Threat Detection and Incident ResponseSecurity Logging and MonitoringIdentity and Access ManagementManagement and Security GovernanceInfrastructure SecurityData Protection

Domain overview

About the Data Protection domain

Use this page to practise Data Protection questions for this certification. Focus on how the exam tests data protection in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Exam objectives

What Data Protection tests on SCS-C02

  1. 1

    Core Data Protection concepts and how they apply in real-world cloud scenarios.

  2. 2

    How to deploy data protection correctly and verify the outcome.

  3. 3

    Troubleshooting data protection issues by interpreting error output and system state.

  4. 4

    Cloud best practices and Data Protection design trade-offs tested by this certification.

Watch out — common Data Protection traps

  • !

    Selecting the most expensive service when a simpler managed option meets the requirement.

  • !

    Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.

  • !

    Choosing a global service fix when the issue is region-specific.

  • !

    Overlooking cost implications of cross-region data transfer in architecture questions.

Practice Data Protection questions

10Q20Q30Q50Q

SCS-C02 Data Protection questions (showing 300 of 303)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A company stores sensitive data in Amazon S3 and wants to ensure that all objects are encrypted at rest. The security team has enabled default encryption on the S3 bucket using SSE-S3. However, an audit reveals that some objects are stored with SSE-KMS. How can the company enforce that only SSE-S3 is used for all future uploads, while still allowing existing SSE-KMS objects to be read?

2

A financial services company uses AWS KMS to encrypt sensitive data. The security team has a requirement to rotate the CMK every 90 days and to maintain a record of all previous key versions for decryption of historical data. The team creates a new CMK every 90 days and manually updates applications to use the new key. This process is error-prone and causes downtime. What is the MOST operationally efficient solution that meets the requirements?

3

A startup is building a web application on AWS and needs to protect sensitive customer data at rest in an Amazon RDS for MySQL database. The compliance team requires that the encryption keys be managed by the company's on-premises hardware security module (HSM) and be rotated every 6 months. Which solution should the startup use?

4

A company is designing a data protection strategy for its Amazon S3 bucket that stores sensitive documents. The security team requires that all data be encrypted in transit and at rest, and that any accidental deletion of objects can be reversed within 30 days. Additionally, the company must be able to audit all access attempts to the bucket, including failed attempts. Which TWO actions should the company take to meet these requirements? (Choose two.)

5

A healthcare company runs a HIPAA-compliant application on AWS. The application uses Amazon S3 to store Protected Health Information (PHI). The company has implemented the following controls: (1) All S3 buckets are configured with default encryption using SSE-S3. (2) Bucket policies restrict access to only authorized IAM roles. (3) S3 access logs are enabled and sent to a centralized logging account. (4) MFA Delete is enabled on all buckets. (5) Object lock is not enabled. Recently, an internal auditor discovered that when an authorized user deletes an object, the object is permanently deleted and cannot be recovered. The company's data retention policy requires that deleted PHI be recoverable for at least 30 days after deletion. A review of the IAM policies shows that users have s3:DeleteObject permission. The auditor also notes that the bucket versioning is not enabled. The security team needs to implement a solution that allows authorized users to delete objects but ensures that deleted objects can be recovered within 30 days. Which of the following is the MOST effective course of action?

6

A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which solution meets this requirement?

7

A company wants to enforce encryption in transit for all data transferred between its Amazon EC2 instances and an Application Load Balancer (ALB). The company uses AWS Certificate Manager (ACM) to provision TLS certificates. Which TWO actions should the company take? (Choose TWO.)

8

Refer to the exhibit. An AWS KMS key policy includes the statement shown. The AdminRole tries to decrypt a ciphertext that was encrypted using the same KMS key with encryption context 'department=engineering'. What will happen?

9

Drag and drop the steps to configure a VPC with private subnets and NAT gateway for outbound internet access in the correct order.

10

Match each AWS security-related acronym to its definition.

11

A company uses S3 to store sensitive customer data. The security team requires that all objects uploaded to S3 be encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). A developer reports that some objects are being stored unencrypted. What is the MOST effective way to enforce this requirement?

12

A company wants to protect data at rest for an Amazon RDS for PostgreSQL database. Which AWS service should be used to manage the encryption keys?

13

A company has a requirement to automatically rotate encryption keys for S3 objects every 90 days. They are using SSE-KMS with a customer managed key. Which combination of actions will meet the requirement without breaking access to existing objects? (Choose two.)

14

A company uses AWS KMS to encrypt EBS volumes. The security team wants to ensure that when an EC2 instance is launched, the attached EBS volumes are always encrypted using a specific customer managed key. Which action will enforce this?

15

A company stores sensitive data in an S3 bucket with versioning enabled. They want to ensure that objects are encrypted at rest using SSE-KMS. A security audit reveals that some older object versions are encrypted with SSE-S3. What is the MOST efficient way to re-encrypt those older versions with SSE-KMS?

16

A company needs to ensure that data in transit between an on-premises data center and Amazon S3 is encrypted. Which AWS service should be used to establish a dedicated encrypted connection?

17

A company is designing a data protection strategy for an Amazon RDS for MySQL database. The database is 2 TB in size and stores financial data. The compliance team requires that database snapshots be encrypted at rest and that encryption keys be rotated every year. Which solution meets these requirements with the LEAST operational overhead?

18

A company wants to protect data at rest for an Amazon S3 bucket that contains sensitive data. Which combination of actions provides the MOST comprehensive protection? (Choose two.)

19

A company uses AWS KMS to encrypt data in Amazon S3. The security team receives an alert that an IAM user is attempting to decrypt data using a key that they do not have access to. Which AWS service can be used to monitor and alert on such unauthorized KMS API calls?

20

A company needs to encrypt data in transit between an EC2 instance and an RDS database. Which option should be used?

21

A company uses S3 to store confidential documents. They want to ensure that objects are encrypted at rest using customer-provided encryption keys (SSE-C). Which header must be included in every PUT request?

22

A company has a compliance requirement to encrypt all data in Amazon S3 using keys that are managed by the company's internal security team. The keys must be stored in a hardware security module (HSM) that is FIPS 140-2 Level 3 certified. Which AWS service should be used?

23

A company is using AWS KMS to encrypt S3 objects. The security team wants to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. Which KMS key policy configuration should be used?

24

A financial services company must ensure that all data at rest in Amazon RDS for PostgreSQL is encrypted. The current database is unencrypted. What is the MOST operationally efficient way to enable encryption?

25

A company needs to securely store database credentials for a legacy application running on Amazon EC2. The credentials are currently hardcoded in the application code. Which service should be used to rotate and retrieve secrets automatically?

26

A company wants to use client-side encryption for data uploaded to Amazon S3. The encryption keys must be managed by the company and never sent to AWS. Which S3 encryption option supports this requirement?

27

A company uses Amazon S3 to store sensitive documents. They must ensure that all objects are encrypted at rest and that any attempt to upload an unencrypted object is denied. Which S3 bucket policy statement achieves this?

28

A company needs to encrypt data in transit between an on-premises data center and Amazon S3. Which solution should they use?

29

A company has a requirement to automatically rotate encryption keys for Amazon EBS volumes every 90 days. The EBS volumes are encrypted using AWS KMS. What is the simplest way to meet this requirement?

30

A company uses AWS CloudTrail to log API activity. The security team wants to ensure that log files are encrypted at rest and that any tampering with logs is detectable. Which combination of services should be used?

31

A company wants to ensure that data stored in Amazon S3 is encrypted at rest using keys managed by AWS. Which encryption option should they choose?

32

A company is designing a data protection strategy for sensitive customer data stored in Amazon S3. Which TWO actions should be taken to protect the data from accidental deletion?

33

A company is using AWS KMS to encrypt data in Amazon S3 and Amazon RDS. Which THREE practices should be followed to ensure the security of the KMS keys?

34

A company needs to enforce encryption in transit for all traffic between an Amazon EC2 instance and an Amazon RDS database. Which TWO steps should be taken?

35

A security engineer applies the above S3 bucket policy. An application tries to upload an object with the header "x-amz-server-side-encryption: AES256". What will happen?

36

A security engineer inspects two KMS keys. Which key can be used for envelope encryption with automatic key rotation?

37

A company has an S3 bucket with versioning and MFA Delete enabled. A user attempts to delete an object version using the AWS CLI without MFA. What will happen?

38

A company is designing a data protection strategy for sensitive data stored in Amazon S3. Compliance requirements mandate that all data be encrypted at rest using customer-provided keys (SSE-C). Which solution meets the requirements with minimal operational overhead?

39

A security engineer needs to ensure that data at rest in an Amazon RDS for PostgreSQL DB instance is encrypted. Which action should the engineer take?

40

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to enforce that all S3 PUT requests include an encryption context that matches a specific key-value pair. Which S3 bucket policy condition key should be used?

41

A company is implementing a data loss prevention (DLP) solution for data stored in Amazon S3. The data includes personally identifiable information (PII). The company wants to automatically identify and classify PII objects, then apply encryption using AWS KMS with a customer-managed key. Which AWS service should be used to identify PII?

42

A security engineer needs to protect data in transit between an EC2 instance and an RDS database. The RDS database uses SSL/TLS certificates. What is the MOST secure way to ensure that the connection is encrypted?

43

A company needs to securely store database credentials that are used by an application running on Amazon EC2. The credentials must be automatically rotated every 90 days. Which AWS service should be used?

44

A company stores sensitive data in an S3 bucket. The security team wants to ensure that all objects are encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). An application writes objects to the bucket but sometimes fails because the encryption key is not found. What is the MOST likely cause?

45

A company uses Amazon S3 to store sensitive documents. The security policy requires that all objects be encrypted using server-side encryption with customer-provided keys (SSE-C). An application fails when trying to read an object with the error 'The request includes an invalid header.' What is the MOST likely cause?

46

A company wants to encrypt data in transit between an Application Load Balancer (ALB) and its targets. Which configuration should be used?

47

Which TWO actions can help protect data at rest in Amazon EBS volumes? (Choose 2.)

48

Which THREE practices are recommended for managing encryption keys in AWS KMS? (Choose 3.)

49

Which TWO methods can be used to encrypt data at rest in Amazon S3? (Choose 2.)

50

Refer to the exhibit. A security engineer reviews the key policy of an AWS KMS customer managed key. The AppRole role is used by an application to encrypt and decrypt data. However, the application is unable to decrypt data. What is the MOST likely cause?

51

A company uses S3 to store sensitive customer data. They want to ensure that all S3 buckets have encryption enabled at rest. Which S3 feature should be used to automatically enforce encryption on all newly created objects?

52

A company is migrating on-premises data to AWS using AWS Snowball Edge. The data must be encrypted in transit and at rest. Which combination of steps should be taken?

53

A security engineer needs to ensure that an Amazon RDS for MySQL database is encrypted at rest. Which action should be taken?

54

A company uses AWS KMS to manage encryption keys for sensitive data stored in S3. The security team wants to ensure that keys are rotated automatically every year. What should they do?

55

A company wants to share an encrypted Amazon Machine Image (AMI) with another AWS account. The AMI uses an EBS snapshot encrypted with a customer managed key in KMS. What is the correct procedure to allow the other account to launch an EC2 instance from this AMI?

56

A company needs to protect data stored in S3 from accidental deletion by users. Which S3 feature should be used?

57

A security team wants to audit who accessed an S3 object that contains sensitive data. Which AWS service provides this capability?

58

A company is using AWS DMS to migrate data from an on-premises Oracle database to Amazon RDS for PostgreSQL. The data must be encrypted in transit. What should the company do?

59

A company wants to ensure that data at rest in Amazon EBS volumes is encrypted. What is the simplest way to achieve this?

60

A company wants to protect sensitive data stored in S3 from being accessed by unauthorized users. Which TWO actions should be taken? (Choose two.)

61

A company is using AWS KMS to encrypt data at rest. The security team needs to ensure that keys cannot be deleted before a retention period. Which THREE steps should be taken? (Choose three.)

62

A company needs to encrypt data at rest in Amazon RDS for SQL Server. Which TWO methods can be used? (Choose two.)

63

A security engineer created the above IAM policy for an S3 bucket. What does this policy accomplish?

64

A security engineer examines the above output. The company requires automatic yearly key rotation. What should the engineer do?

65

The above CLI output shows the encryption configuration for an S3 bucket. What type of encryption is enabled by default?

66

A company stores sensitive customer data in an S3 bucket. The security team wants to ensure that all data is encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). Which bucket policy statement should be added to deny uploads that do not use SSE-KMS?

67

A company is using AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that KMS keys are rotated automatically every year. Which action should be taken?

68

A company uses AWS CloudHSM to generate and store encryption keys for a custom database. The security team needs to back up the keys to another AWS Region for disaster recovery. What is the most secure and efficient way to achieve this?

69

An application running on Amazon EC2 needs to access an S3 bucket containing sensitive data. The security team wants to avoid storing long-term AWS credentials on the instance. How should the EC2 instance be configured to access S3 securely?

70

A company is designing a data encryption solution for its Amazon RDS for PostgreSQL database. The database must be encrypted at rest. What is the simplest way to achieve this?

71

A company uses AWS Secrets Manager to rotate secrets for its RDS database. The rotation fails periodically, and the security team needs to troubleshoot. Which CloudWatch metric should be monitored to detect rotation failures?

72

A company wants to protect data in transit between its on-premises network and Amazon VPC using IPsec VPN. Which AWS service should be used to establish this VPN connection?

73

A company stores sensitive documents in an S3 bucket. The security team wants to ensure that any object uploaded to the bucket is automatically encrypted using server-side encryption with AWS KMS. Which S3 bucket feature should be configured?

74

A company is using AWS KMS with a customer managed key for encrypting EBS volumes. The security team wants to ensure that only specific IAM roles can use the key for encryption and decryption. What is the best way to achieve this?

75

A company is designing a data protection strategy for its Amazon S3 buckets. Which TWO actions can help protect data from accidental deletion or overwrite?

76

A company is using AWS Key Management Service (KMS) with a customer managed key. The security team needs to ensure that the key can be rotated automatically every year. Which TWO steps are required?

77

A company needs to protect data in transit between an on-premises data center and AWS. Which THREE services can be used to encrypt data in transit?

78

A company is storing sensitive customer data in Amazon S3. The security team requires that all data be encrypted at rest using a key that is rotated automatically every year. Which solution meets these requirements with the LEAST operational overhead?

79

A company uses AWS KMS to encrypt data in Amazon RDS. The security team discovers that a developer accidentally deleted a customer master key (CMK) used for RDS encryption. What is the impact on the RDS instances that were encrypted with that key?

80

A company wants to ensure that all data transferred between its on-premises data center and AWS is encrypted in transit. Which AWS service should be used to meet this requirement?

81

A company uses AWS KMS to encrypt data in Amazon S3. The security team needs to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. What is the most secure way to enforce this restriction?

82

A company needs to share an encrypted Amazon Machine Image (AMI) with another AWS account. The AMI was encrypted using a customer managed key (CMK) in AWS KMS. What steps are required to allow the target account to launch an EC2 instance from the shared AMI?

83

A company stores data in Amazon S3 and wants to ensure that objects are encrypted at rest. The security team decides to use server-side encryption with AWS KMS (SSE-KMS). Which additional benefit does SSE-KMS provide over SSE-S3?

84

A company uses Amazon RDS for MySQL with encryption at rest enabled. The security team needs to ensure that automated backups are also encrypted. How can this be achieved?

85

A company uses AWS CloudHSM to generate and store encryption keys for a custom application. The security team needs to ensure high availability and durability of the keys. Which architecture should be recommended?

86

A company is designing a data lake on Amazon S3 and needs to encrypt data at rest. The compliance team requires that the encryption keys be managed by the company and not by AWS. Which encryption option should be used?

87

A company is implementing a data protection strategy for Amazon S3. Which TWO actions should be taken to protect data from accidental deletion or overwrite?

88

A company is designing a disaster recovery plan for encrypted Amazon EBS volumes. Which THREE steps are required to ensure that encrypted EBS snapshots can be restored in a different AWS Region?

89

A company wants to protect sensitive data in Amazon S3 from unauthorized access. Which TWO AWS services can be used to detect and alert on suspicious access patterns?

90

A security engineer is reviewing a KMS key policy. What does this policy accomplish?

91

A security engineer is reviewing the configuration of an S3 bucket. What is a security concern with the current configuration?

92

A security engineer is investigating a potential data breach and finds this CloudTrail log entry. What does this entry indicate?

93

A company uses S3 to store sensitive customer data. Which AWS service can automatically discover and classify this data to help meet compliance requirements?

94

A security engineer needs to ensure that all data in an S3 bucket is encrypted at rest using AWS KMS. The bucket policy must deny any PutObject request that does not include the x-amz-server-side-encryption header with value aws:kms. Which bucket policy element should be used?

95

A company is using AWS CloudHSM to store encryption keys for a custom application. The application needs high availability across two AWS Regions. What is the MOST secure and cost-effective approach to synchronize key material between the HSMs in each Region?

96

A security engineer is designing a data protection strategy for an S3 bucket that contains sensitive documents. The bucket is accessed by multiple IAM users and roles. Which TWO actions will help protect the data at rest and in transit?

97

A company is migrating a legacy application to AWS. The application stores sensitive data and must comply with PCI DSS. The security team needs to ensure that data is encrypted at rest using keys that are rotated every 12 months. Which THREE steps should the team take?

98

A security engineer is designing a data protection strategy for an S3 bucket that contains sensitive data. The data must be encrypted at rest and the key material must be stored in a hardware security module (HSM) that is FIPS 140-2 Level 3 validated. Which TWO services can be used to meet these requirements?

99

A company wants to protect data in transit between an EC2 instance and an S3 bucket. Which method should be used?

100

A security engineer needs to audit all access to a KMS customer managed key. Which AWS service should be used?

101

A company has a requirement to encrypt all data in an S3 bucket using keys that are stored in an on-premises HSM. Which S3 encryption option should be used?

102

A company wants to automate the detection of sensitive data in an S3 bucket. Which AWS service should be used?

103

A security engineer is tasked with ensuring that all data stored in an RDS DB instance is encrypted at rest. The database is already running and contains data. What should the engineer do?

104

A company uses AWS KMS to encrypt data in S3. The security policy requires that keys be rotated every 12 months. Which type of KMS key supports automatic rotation?

105

A company stores sensitive data in an S3 bucket with default encryption (SSE-S3) enabled. A security audit reveals that objects are being accessed by users from unexpected IP addresses. The company wants to enforce that only objects encrypted with a specific KMS key (managed by the security team) can be accessed. Which combination of actions should be taken?

106

A company uses AWS KMS to encrypt data at rest in Amazon RDS for MySQL. The security team needs to ensure that the RDS instance can only be decrypted by a specific IAM role used by the production application, and not by any other IAM user or role. What is the most secure way to achieve this?

107

A company is using Amazon S3 to store sensitive customer data. They need to ensure that data is encrypted at rest and that the encryption keys are managed by the company, not AWS. Which S3 encryption option should they use?

108

A company is designing a data lake on Amazon S3. The data contains personally identifiable information (PII). The security team requires that all data be encrypted at rest and that access to the data is logged for auditing. Additionally, the team wants to ensure that if an object is accidentally deleted, it can be recovered within 30 days. Which combination of S3 features should be enabled?

109

A company uses AWS KMS to encrypt EBS volumes attached to EC2 instances. The security team wants to ensure that when an EC2 instance is terminated, the associated EBS volume is automatically deleted and the data is unrecoverable. However, the team also needs to retain the volume's data for 90 days for compliance purposes. What is the most secure and cost-effective approach?

110

A company is using Amazon S3 to store sensitive data. They want to ensure that all objects uploaded to a specific bucket are encrypted using server-side encryption with AWS KMS. Which bucket policy condition should be used to enforce this?

111

A company uses AWS KMS with a custom key store backed by AWS CloudHSM. The security team wants to ensure that the key material never leaves the HSM and that all cryptographic operations are performed within the HSM. Which of the following actions should the team take?

112

A company uses Amazon RDS for PostgreSQL with encryption at rest enabled using AWS KMS. The security team wants to ensure that database backups (automated snapshots) are also encrypted and that the encryption key can be rotated on demand without re-encrypting the data. Which approach should be taken?

113

A company is using Amazon S3 to store confidential documents. They want to ensure that all data is encrypted in transit between the S3 bucket and their on-premises application. Which of the following should be enforced?

114

A company is designing a secure data sharing solution with a third party. The company needs to share sensitive files stored in an S3 bucket with the third party, ensuring that the files are encrypted at rest and in transit, and that the third party can only access specific files. The company also wants to rotate the access credentials every 30 days. Which TWO actions should the company take? (Select TWO.)

115

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to detect any attempts to use a KMS key that has been disabled. Which THREE steps should the team take to achieve this? (Select THREE.)

116

A company is storing sensitive data in Amazon S3. They want to ensure that all data is encrypted at rest using server-side encryption. Which THREE options are available for server-side encryption in S3? (Select THREE.)

117

A company is migrating its on-premises data warehouse to AWS. The data includes highly sensitive customer financial information. The company has the following requirements: 1) All data must be encrypted at rest using a key that is managed by the company's internal security team. 2) The encryption keys must be rotated every 90 days. 3) The data warehouse must support SQL queries and be highly available across multiple Availability Zones. 4) The solution must minimize the administrative overhead of managing keys. The security team has chosen Amazon Redshift as the data warehouse. They have enabled encryption using AWS KMS with a customer-managed key (CMK). They have set the key rotation period to 90 days using automatic key rotation. However, during a security review, an auditor points out that the key material is still stored in AWS KMS, and the company wants the key material to be stored in a hardware security module (HSM) that they control. Which of the following is the BEST course of action to meet the auditor's requirement while maintaining the other requirements?

118

A company is migrating sensitive data to Amazon S3. They need to ensure that data is encrypted at rest using an AWS KMS customer managed key (CMK). The security team wants to enforce encryption for all new objects uploaded to an S3 bucket. Which policy should be attached to the bucket?

119

A security engineer is troubleshooting an issue where an Amazon RDS for MySQL DB instance encrypted at rest with AWS KMS is failing to launch. The error message indicates a KMS access issue. Which IAM role or policy is most likely missing?

120

A company uses AWS CloudHSM to store encryption keys for a custom database encryption application. The application runs on Amazon EC2 instances and uses the PKCS#11 library to communicate with the HSM. Recently, the application started failing with 'CKR_SESSION_HANDLE_INVALID' errors. Which of the following is the most likely cause?

121

A company uses S3 Server Access Logs to audit access to their S3 buckets. The security team wants to ensure that the log files themselves are encrypted at rest using SSE-KMS. Which configuration step is necessary?

122

A company is designing a data protection strategy for Amazon EBS volumes. They want to automate the creation of point-in-time snapshots for all production volumes and retain them for 90 days. Which solution meets these requirements with the least operational overhead?

123

Refer to the exhibit. A security engineer is troubleshooting why an IAM user (Alice) cannot encrypt data using a KMS key. Alice has full S3 and KMS permissions via an IAM policy. The key policy is shown. Which statement explains the issue?

124

A company wants to protect data in transit between an on-premises data center and Amazon S3. Which AWS service should be used to establish a dedicated, encrypted connection?

125

A company uses Amazon S3 to store sensitive documents. The security policy requires that all objects be encrypted with server-side encryption using customer-provided encryption keys (SSE-C). A developer uploads objects using the AWS SDK but forgets to include the encryption key in the request. What happens to the upload?

126

A company is using AWS KMS to encrypt data in Amazon Redshift. They need to rotate the KMS key annually. Which approach meets the requirement with minimal operational impact?

127

Refer to the exhibit. A security engineer applies the bucket policy to an S3 bucket. A user uploads an object without specifying any encryption header. What happens?

128

A company uses Amazon DynamoDB with client-side encryption using AWS KMS. The application is experiencing high latency on write operations. Which change is most likely to reduce latency?

129

A company is designing a data protection strategy for Amazon S3. Which TWO of the following are valid methods to protect data at rest in S3?

130

A security engineer is configuring a new AWS KMS customer managed key. Which THREE of the following are required components of a KMS key policy?

131

A company uses AWS CloudTrail to log API calls. They want to ensure that log files are encrypted at rest and that integrity is verified. Which TWO services can be used together to achieve this?

132

A financial services company runs a web application on Amazon EC2 instances behind an Application Load Balancer. The application processes credit card numbers and stores them in an Amazon RDS for PostgreSQL database. The database is encrypted at rest using AWS KMS. The security team is concerned about data in transit between the ALB and EC2 instances, and between EC2 and RDS. They also want to ensure that the application never logs the full credit card number. The current setup: ALB terminates SSL using a certificate from AWS Certificate Manager (ACM). EC2 instances are in a private subnet. RDS is in a private subnet. The application logs to CloudWatch Logs. The security team reviews the logs and finds full credit card numbers in the logs. Which of the following actions should the security engineer take to address the data protection issues?

133

A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team wants to ensure that only users with a specific IAM role can decrypt objects. What is the MOST secure way to achieve this?

134

A company is designing a data protection strategy for its Amazon RDS for PostgreSQL database. The database contains sensitive customer data. Compliance requirements mandate that all backups be encrypted at rest and that the encryption keys be rotated annually. Which solution meets these requirements?

135

A company uses AWS CloudHSM to generate and store encryption keys for a custom application. The application runs on Amazon EC2 instances and uses the PKCS#11 interface to interact with the HSM. The security team recently discovered that a former employee may have obtained a copy of the cryptographic materials from the HSM. What should the security team do to minimize the impact?

136

A company wants to encrypt data stored in Amazon S3 using server-side encryption with customer-provided keys (SSE-C). Which statement is correct regarding SSE-C?

137

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that if a KMS key is disabled, all subsequent attempts to decrypt data encrypted with that key fail. What is the BEST way to achieve this?

138

Which TWO of the following are valid methods to protect data in transit between an on-premises data center and AWS? (Choose two.)

139

Which THREE of the following are required to use client-side encryption with Amazon S3 using AWS KMS? (Choose three.)

140

Which TWO of the following are valid options for encrypting data at rest in Amazon EBS? (Choose two.)

141

Refer to the exhibit. An IAM policy allows kms:Decrypt on a specific KMS key only when the encryption context includes department=finance. A user attempts to decrypt an S3 object that was encrypted with the same KMS key but with encryption context department=hr. Will the decryption succeed?

142

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application processes credit card numbers and must comply with PCI DSS. The security team requires that all credit card numbers be encrypted at rest and in transit. The application stores the encrypted credit card numbers in Amazon RDS for MySQL. The RDS instance is encrypted at rest using AWS KMS. The application decrypts the credit card numbers after retrieval using a KMS key. The security team has noticed that some credit card numbers are being logged in plaintext in Amazon CloudWatch Logs by the application. The developers claim they are not logging the decrypted values. What is the MOST likely cause and solution?

143

A company is using Amazon S3 to store sensitive documents. The security team has implemented a bucket policy that denies access unless the request uses HTTPS. However, a security audit reveals that some objects were accessed over HTTP. The bucket policy is as follows: {"Effect":"Deny","Principal":"*","Action":"s3:*","Resource":"arn:aws:s3:::example-bucket/*","Condition":{"Bool":{"aws:SecureTransport":"false"}}}. The team also enabled S3 Block Public Access at the account level. What is the MOST likely reason that HTTP access was still possible?

144

A company uses Amazon SQS to decouple its microservices. The messages contain personally identifiable information (PII). The security team requires that all messages be encrypted at rest. Currently, SQS is configured with SSE enabled using a customer managed KMS key. However, the team discovers that some messages are still being stored in plaintext in the dead-letter queue (DLQ) after the maximum receives are exceeded. The DLQ is also an SQS queue. What is the MOST likely reason?

145

A company is migrating its on-premises file server to Amazon EFS. The data includes sensitive financial records. The security team requires encryption at rest and in transit. The team plans to mount the EFS file system on EC2 instances using the NFS client. They have enabled encryption at rest on the EFS file system. However, they are unsure how to enforce encryption in transit. What should they do to ensure all data transferred between the EC2 instance and EFS is encrypted?

146

A company runs a workload on Amazon EC2 that needs to access an Amazon S3 bucket to store sensitive data. The security team wants to ensure that the data is encrypted at rest in S3 without requiring any changes to the application. The application currently uses the AWS SDK to upload objects. Which solution meets the requirement with the LEAST operational overhead?

147

A company uses AWS KMS to encrypt data in Amazon DynamoDB. The table has a TTL attribute that triggers automatic deletion of expired items. The security team is concerned that deleted items may still be recoverable. What should the team do to ensure that deleted items are cryptographically erased and cannot be recovered?

148

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. However, the current KMS key policy does not allow rotation. Which action should the security team take to meet the requirement?

149

A financial services company stores sensitive customer data in Amazon RDS for MySQL. The compliance team mandates that all database backups must be encrypted at rest. The current configuration uses a customer managed KMS key for encryption. However, during a recent audit, it was discovered that some automated backups are not encrypted. What is the MOST likely cause?

150

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that only users from a specific AWS account can decrypt objects. Which TWO steps should be taken to achieve this?

151

A company needs to protect data at rest in Amazon S3. Which THREE mechanisms can be used to encrypt objects stored in S3?

152

A healthcare company stores sensitive patient data in Amazon S3. The security team has implemented a data protection strategy that includes S3 default encryption using SSE-KMS with a customer managed key. They also use S3 Object Lock to prevent deletion. Recently, an administrator accidentally deleted the KMS key used for encryption. As a result, all objects in the bucket are now inaccessible. The company has a backup of the key material but does not have the original key ID. Which action should the team take to restore access to the data?

153

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that when an object is retrieved, it is automatically decrypted. They have configured the S3 bucket to use SSE-KMS with a customer managed key. However, when a user downloads an object using the AWS CLI, the object is still encrypted. The IAM policy for the user includes kms:Decrypt permission. What is the MOST likely reason for this issue?

154

A company is storing sensitive data in Amazon S3 buckets. They want to ensure that all uploaded objects are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). Which bucket policy statement will enforce this?

155

A company uses AWS KMS to encrypt data in Amazon RDS. They need to ensure that the key material is automatically rotated every year. Which key type should they use?

156

A security engineer is designing a data encryption solution for a multi-region application that uses Amazon S3. The solution must use envelope encryption with a key hierarchy that allows the application to encrypt data locally using a data key, while the data key is protected by a master key stored in AWS KMS. The application should be able to decrypt data even if connectivity to AWS KMS is temporarily lost. Which approach meets these requirements?

157

A company uses AWS CloudTrail to log data events for S3 buckets. They notice that some S3 object-level API calls are not being logged. Which configuration could be the cause?

158

A company needs to encrypt data at rest in Amazon Redshift. They want to use an AWS KMS customer managed key. What is the correct procedure to enable encryption for an existing Redshift cluster?

159

A company has an Amazon S3 bucket with versioning enabled. They want to ensure that all objects in the bucket are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). They also want to prevent any future uploads that are not encrypted with SSE-KMS. Which combination of actions should they take?

160

A company uses AWS Secrets Manager to store database credentials. They need to rotate the secrets automatically every 30 days. Which rotation strategy should they use?

161

A company stores sensitive data in an Amazon S3 bucket. They want to ensure that data is encrypted in transit when accessed from the internet. Which policy should they attach to the bucket?

162

A company uses AWS KMS to encrypt EBS volumes. They want to ensure that the key used for EBS encryption is not shared across different AWS accounts. Which feature should they use?

163

Which TWO AWS services can be used to monitor and audit data access patterns to Amazon S3 buckets? (Choose 2.)

164

Which THREE actions are required to enforce encryption in transit for an Amazon S3 bucket? (Choose 3.)

165

Which TWO AWS services provide key management for encryption at rest? (Choose 2.)

166

A security engineer runs the command shown in the exhibit. What is the primary purpose of this command?

167

A security engineer applies the bucket policy shown in the exhibit to an S3 bucket. What is the effect of this policy?

168

A security engineer runs the command shown in the exhibit. What is the outcome?

169

A company needs to encrypt data at rest in Amazon S3 using customer-provided encryption keys. The keys must be stored securely and rotated automatically every 90 days. Which solution meets these requirements?

170

A security engineer is designing a solution to protect sensitive data in an Amazon RDS for MySQL database. The data must be encrypted at rest using a key stored in AWS KMS. Additionally, the database must support automated backups and cross-region disaster recovery. Which architecture meets these requirements?

171

A company uses Amazon S3 to store sensitive documents. The security team wants to ensure that all objects are encrypted at rest using server-side encryption. Additionally, any attempt to upload an unencrypted object must be denied. What should the security team do?

172

A company wants to securely share an Amazon S3 object with an external partner. The partner needs to download the object using an HTTP GET request. The object must be accessible for only 24 hours. What is the most secure way to grant access?

173

A company runs a web application on Amazon EC2 instances that processes credit card data. The application must store the data in an encrypted format. The security team wants to minimize the performance impact of encryption and offload the encryption operations to a dedicated hardware security module (HSM). Which solution should the architect choose?

174

A company stores sensitive data in an Amazon S3 bucket. The security team requires that all data in transit between the company's on-premises data center and S3 be encrypted. Which solution meets this requirement?

175

A company uses AWS KMS to encrypt data in Amazon S3. The security team notices that a KMS key has been deleted accidentally, causing data loss. The company wants to implement a solution to prevent accidental key deletion and enable recovery. What should the security team do?

176

A company is migrating sensitive data to Amazon S3. The data must be encrypted at rest using keys managed by the company. The company also requires an audit trail of key usage. Which solution meets these requirements?

177

A company's security policy requires that all data stored in Amazon S3 be encrypted using envelope encryption with a key hierarchy. The master key must be stored in a hardware security module (HSM) that is FIPS 140-2 Level 3 validated. Which solution should the company implement?

178

A company needs to encrypt data at rest for an Amazon RDS for Oracle database. The database is deployed in a Multi-AZ configuration. The company also wants to encrypt automated backups and snapshots. Which TWO steps should the security team take?

179

A company is designing a data protection strategy for Amazon EFS file systems. The security team requires encryption at rest and in transit. Additionally, the team needs to control which KMS keys can be used to encrypt the file system. Which THREE steps should the team take?

180

A company wants to protect data stored in Amazon S3 Glacier. The data must be encrypted at rest and the encryption keys must be rotated annually. Which TWO options meet these requirements?

181

Refer to the exhibit. A security engineer applies the bucket policy shown to an S3 bucket. The engineer attempts to upload a file using the AWS CLI without specifying any encryption. What is the outcome?

182

Refer to the exhibit. A user named John encrypts a file using the AWS CLI. John then tries to decrypt the file but receives an AccessDenied error. John has full administrator permissions in IAM. What is the most likely cause?

183

Refer to the exhibit. A security engineer reviews the bucket policy for an S3 bucket. The engineer attempts to upload an object to the bucket using the AWS CLI without the --ssl flag (HTTP). What is the outcome?

184

A company wants to encrypt data at rest in Amazon S3 using server-side encryption. They must manage the encryption keys themselves and rotate them annually. Which S3 encryption option should they use?

185

A security engineer needs to ensure that all data in transit between an Application Load Balancer and EC2 instances is encrypted using TLS. Which configuration is required?

186

A company uses AWS KMS to encrypt data in Amazon S3. They need to audit all KMS key usage for an S3 bucket. Which AWS service should be used to capture KMS Decrypt API calls?

187

A company stores sensitive data in Amazon S3 and requires that objects are automatically encrypted using server-side encryption with AWS KMS. The bucket policy must deny any PUT request that does not include the x-amz-server-side-encryption header with value aws:kms. Which bucket policy condition key should be used?

188

A company wants to protect data in transit between an on-premises data center and AWS over the internet. Which AWS service should they use to create a dedicated, encrypted connection?

189

A security engineer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket via a VPC endpoint. The bucket policy allows access only from the VPC endpoint. The instance has an IAM role that grants s3:GetObject on the bucket. The EC2 instance receives an AccessDenied error. What is the most likely cause?

190

A company uses AWS KMS to encrypt data in Amazon RDS. The security team needs to ensure that the KMS key cannot be deleted accidentally. Which action should be taken?

191

A company has an S3 bucket with versioning enabled. They want to ensure that all deleted objects are retained for 90 days before permanent deletion. Which S3 feature should be used?

192

A company needs to encrypt data at rest in Amazon EBS volumes. They want to use an AWS managed key that is automatically rotated. Which encryption option should they choose?

193

A security engineer is designing a data protection strategy for Amazon RDS for PostgreSQL. The database contains sensitive personal information. Which TWO actions should the engineer take to protect the data at rest? (Choose TWO.)

194

A company uses AWS KMS to encrypt sensitive data. The security team wants to ensure that KMS keys are not used by unauthorized principals. Which TWO measures should be implemented? (Choose TWO.)

195

A company is designing a data protection solution for Amazon S3. They need to ensure that all objects are encrypted at rest and that any attempt to upload an unencrypted object is denied. Which THREE steps should they take? (Choose THREE.)

196

Refer to the exhibit. A security engineer applies the bucket policy shown to an S3 bucket. A developer attempts to upload an object with the header x-amz-server-side-encryption: AES256. What will happen?

197

Refer to the exhibit. A security engineer runs the AWS CLI command shown and receives an AccessDenied error. The IAM user Alice has a policy that grants kms:Decrypt on all resources. What is the most likely cause of the error?

198

Refer to the exhibit. A security engineer runs the command shown and gets the output. What does this output indicate about the bucket's encryption configuration?

199

A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which key type meets this requirement?

200

A financial services company is designing a data protection strategy for its DynamoDB table containing sensitive customer data. The table has a global secondary index (GSI). The company needs to encrypt the data at rest using a customer managed key (CMK) that is rotated annually. Which solution meets these requirements?

201

A company uses Amazon S3 to store confidential documents. The security team wants to ensure that all objects are encrypted at rest using server-side encryption with AES-256. Which S3 encryption option should be used?

202

A company uses AWS KMS to encrypt its RDS database. The security team needs to ensure that the key can be used only from within the company's VPC and not from the internet. Which action should be taken?

203

A company is using Amazon S3 to store backup files that must be retained for 7 years. The files are accessed infrequently but must be available within minutes when needed. The company wants to minimize storage costs while ensuring data is encrypted at rest. Which storage class and encryption combination is most cost-effective?

204

A company needs to encrypt data at rest in its Amazon EBS volumes. The company wants to use an encryption key that is automatically rotated every year without any manual intervention. Which key type should be used?

205

A company uses AWS KMS to encrypt data in Amazon S3. The security team needs to audit all KMS key usage, including who used the key, when, and what operation was performed. Which AWS service should be used to meet this requirement?

206

A company is designing a data protection strategy for its Amazon RDS for MySQL database. The database contains sensitive data that must be encrypted at rest. The company also needs to manage the encryption keys using its own HSM. Which solution should be used?

207

A company is using Amazon S3 to store sensitive data. The security team wants to ensure that all data is encrypted in transit between the company's on-premises data center and AWS. Which solution should be used?

208

A company is designing a data protection strategy for its Amazon S3 bucket that stores sensitive customer data. The bucket must be encrypted at rest using a customer managed key (CMK) that is stored in AWS KMS. The company also needs to ensure that only authorized users can decrypt objects. Which TWO actions should the company take?

209

A company uses AWS KMS to encrypt data in Amazon RDS. The security team wants to ensure that the KMS key can be used only by specific IAM roles and that all usage of the key is logged. Which TWO actions should the team take?

210

A company is implementing a data protection strategy for its Amazon S3 bucket that contains sensitive data. The company requires that all objects be encrypted at rest using server-side encryption with a customer managed key (SSE-KMS). Additionally, the company wants to ensure that only a specific IAM role can decrypt objects. Which THREE actions should the company take?

211

Refer to the exhibit. A security engineer is reviewing the key policy for a customer managed key. The engineer notices that a user with the IAM role 'Admin' can encrypt and decrypt data using this key. However, the engineer wants to ensure that only requests coming from the company's VPC (vpc-12345678) can use the key. What should be added to the key policy?

212

Refer to the exhibit. A security engineer is reviewing the bucket encryption configuration. The bucket is used to store sensitive data. The company policy requires that all objects be encrypted using AWS KMS with a customer managed key. What should the engineer do to meet the policy?

213

Refer to the exhibit. A security engineer is reviewing the CloudWatch Logs configuration for a Lambda function. The log group is encrypted with a customer managed key. The engineer needs to ensure that only the Lambda service can write logs to this log group and that only a specific IAM role can read logs. Which additional configuration is required?

214

A company stores sensitive customer data in Amazon S3. To comply with data protection regulations, they need to automatically prevent any new objects from being made publicly accessible. Which S3 feature should they configure?

215

A company uses AWS KMS to encrypt data in Amazon S3. Security team wants to ensure that only specific IAM roles can decrypt objects. Which KMS key policy configuration should be used?

216

A company needs to protect data at rest on Amazon EBS volumes attached to EC2 instances. Which solution provides the most control over the encryption keys?

217

A company uses Amazon RDS for MySQL with encryption at rest enabled using AWS KMS. They need to ensure that automated backups and snapshots are also encrypted. Which configuration is required?

218

A company uses AWS Secrets Manager to rotate database credentials automatically. The security team wants to ensure that while the secret is being rotated, applications can always retrieve a valid credential. Which rotation strategy should be used?

219

A company needs to share an encrypted Amazon S3 object with another AWS account. The object is encrypted with an AWS KMS customer managed key. Which steps are required?

220

A company is designing a data protection solution for Amazon S3 that must prevent any user from accidentally deleting objects. Which combination of S3 features should be used?

221

A company stores sensitive data in Amazon DynamoDB and uses AWS KMS with a customer managed key for encryption. The security team wants to ensure that only specific applications can access the table data. Which policy configuration should be used?

222

A company wants to protect data in transit between an on-premises application and Amazon S3. Which solution provides the highest security?

223

A company is using AWS KMS to encrypt data in Amazon S3. They need to ensure that the KMS key can only be used from within a specific VPC. Which TWO actions should be taken?

224

A company uses Amazon Redshift with encryption at rest using AWS KMS. They want to ensure that automated snapshots are encrypted with the same key and that cross-account snapshot sharing is secured. Which THREE steps should be taken?

225

A company needs to implement data protection for Amazon EFS file systems. Which TWO features should be configured?

226

A company stores sensitive customer data in an S3 bucket. The security team requires that all data be encrypted at rest using a customer-managed KMS key. What should the team configure to enforce this requirement?

227

A company is migrating on-premises databases to Amazon RDS for MySQL. The security team requires that data be encrypted at rest and in transit. Which combination of steps should the team take to meet these requirements?

228

A company uses AWS KMS to encrypt secrets stored in AWS Secrets Manager. The security team wants to audit all KMS key usage, including attempts to use the key without proper authorization. Which AWS service should the team use to meet this requirement?

229

A company has an S3 bucket that stores financial records. The security team wants to ensure that any object uploaded to the bucket is automatically encrypted with a specific AWS KMS key. The team creates a bucket policy that denies s3:PutObject unless the request includes the correct encryption header. However, some users who upload objects using the AWS Management Console report that their uploads fail. What is the most likely cause?

230

A company uses AWS KMS to encrypt data in Amazon S3. The security team notices that some KMS key usage is not being logged in AWS CloudTrail. What is the most likely reason for this?

231

A company uses Amazon EBS volumes for EC2 instances. The security team requires that all EBS volumes be encrypted at rest. The team creates an AWS Config rule to check whether EBS volumes are encrypted. However, some volumes are non-compliant even though they have encryption enabled. What is the most likely reason?

232

A company wants to encrypt data at rest in Amazon S3 using server-side encryption with Amazon S3-managed keys (SSE-S3). What is the minimum permission required for an IAM user to upload an object that will be encrypted with SSE-S3?

233

A company stores sensitive data in an S3 bucket and uses AWS KMS to encrypt the data. The security team wants to ensure that only specific IAM roles can decrypt the data. What should the team do?

234

A company stores data in Amazon S3 and uses AWS KMS with Customer Master Keys (CMKs) for encryption. The security team wants to audit when the CMK is used to decrypt data. Which of the following will provide this information?

235

A company wants to protect sensitive data stored in Amazon S3. Which TWO actions should the company take to meet this goal? (Choose TWO.)

236

A company uses AWS KMS to encrypt data. The security team wants to ensure that KMS keys are not used outside of the company's AWS account. Which TWO measures would help achieve this? (Choose TWO.)

237

A company is designing a data protection strategy for Amazon S3. The compliance team requires that all objects be encrypted at rest and that any attempt to upload an unencrypted object be blocked. Which THREE steps should the company take? (Choose THREE.)

238

Refer to the exhibit. An administrator applies this bucket policy to an S3 bucket. Which of the following statements describes the effect of this policy?

239

Refer to the exhibit. A security engineer configures the above KMS key policy. The DataAccess role is used by an application that runs on EC2 instances in the us-east-1 region. The application needs to read encrypted objects from an S3 bucket in the same region. Which of the following is true about this configuration?

240

Refer to the exhibit. A security engineer runs the above AWS CLI command to encrypt a secret file. The command succeeds and returns a base64-encoded ciphertext. Which of the following statements is correct?

241

A company wants to protect sensitive data stored in Amazon S3 by encrypting it at rest. Which AWS service can be used to manage the encryption keys?

242

A company needs to ensure that data in transit between an EC2 instance and an RDS database is encrypted. Which solution meets this requirement?

243

A company is using AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt the data. What is the MOST secure way to enforce this?

244

A company wants to protect sensitive data stored in Amazon S3 by enforcing encryption in transit. Which policy should be used to deny requests that do not use HTTPS?

245

A company uses AWS KMS with a customer managed key to encrypt an S3 bucket. The security team notices that the KMS key is being used by an unintended IAM role. What is the MOST effective way to restrict the key usage to only the intended role?

246

A company needs to ensure that data in Amazon S3 is encrypted at rest using envelope encryption. The company wants to rotate the encryption key every 90 days. Which solution meets these requirements with minimal operational overhead?

247

A company wants to ensure that data stored in Amazon EBS volumes is encrypted at rest. What is the easiest way to achieve this?

248

A company uses AWS KMS to encrypt data in Amazon Redshift. The security team needs to ensure that the KMS key cannot be deleted accidentally. What should be done?

249

A company is using AWS KMS to encrypt data in Amazon S3. The security team discovers that an S3 bucket has a bucket policy that allows s3:PutObject without requiring encryption. What is the risk?

250

Which TWO of the following are valid ways to enforce encryption at rest for data in Amazon S3? (Choose TWO.)

251

Which TWO of the following are best practices for protecting data in transit? (Choose TWO.)

252

Which THREE of the following are valid key management features of AWS KMS? (Choose THREE.)

253

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. Which policy should be attached to the KMS key to enforce this restriction?

254

A company wants to protect data stored in Amazon S3 by encrypting it at rest using keys managed by the company. Which encryption option should be used?

255

A security engineer is troubleshooting an issue where an Amazon RDS for MySQL DB instance is not encrypting data at rest. The DB instance was created without encryption. The engineer needs to enable encryption without significant downtime. What is the MOST effective approach?

256

A company uses AWS CloudHSM to store encryption keys. The security team wants to ensure that keys stored in CloudHSM are backed up and can be restored in another AWS Region. What is the BEST approach?

257

A company needs to ensure that data in transit between an on-premises data center and Amazon S3 is encrypted. The data will be transferred using HTTPS. What additional step should be taken to ensure the encryption is enforced?

258

A company has a critical application that stores sensitive data in Amazon DynamoDB. The security team requires that all data stored in DynamoDB is encrypted at rest using a customer-managed KMS key. Additionally, they want to ensure that the key can be rotated automatically every year. Which combination of actions should be taken?

259

A company uses Amazon S3 to store sensitive documents. The security policy requires that all objects in the bucket are encrypted at rest. The bucket currently has default encryption configured with SSE-S3. A new requirement mandates that all objects must be encrypted with SSE-KMS using a specific customer-managed key. What is the MOST efficient way to enforce this without re-uploading existing objects?

260

A company wants to protect sensitive data stored in an Amazon EBS volume. The volume is attached to an EC2 instance. Which action should be taken to ensure data at rest is encrypted?

261

A company uses AWS Secrets Manager to store database credentials. The security team needs to ensure that secrets are automatically rotated every 30 days. The rotation function must be implemented with minimal operational overhead. Which approach should be used?

262

Which TWO of the following are valid options for encrypting data at rest in Amazon S3? (Choose 2.)

263

Which THREE of the following are best practices for protecting data in transit within AWS? (Choose 3.)

264

Which TWO of the following are valid methods to enforce encryption at rest for an Amazon RDS for PostgreSQL DB instance? (Choose 2.)

265

Refer to the exhibit. A security engineer applies the above bucket policy to an S3 bucket. What is the effect of this policy?

266

Refer to the exhibit. A user receives the above error when trying to decrypt a file using AWS KMS. The key policy is shown below: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/AdminRole" }, "Action": "kms:Decrypt", "Resource": "*" } ] } What is the likely cause of the error?

267

A company runs a critical application on Amazon EC2 instances that store sensitive data on EBS volumes. The security team has enabled EBS encryption by default for the region. However, after a recent security audit, it was discovered that some EBS volumes are not encrypted. The team finds that these volumes were created before the default encryption setting was enabled. The company's security policy mandates that all EBS volumes must be encrypted at rest, and the process must minimize downtime. The application cannot tolerate more than 5 minutes of downtime. The EC2 instances are running production workloads. What should the security engineer do to remediate the unencrypted volumes?

268

A company stores sensitive customer data in Amazon S3. They want to ensure that all objects are encrypted at rest using server-side encryption with AWS KMS. Which S3 bucket policy statement should be added to deny uploads that do not request SSE-KMS?

269

A security engineer is configuring a new Amazon RDS for MySQL database. The compliance team requires that all database connections be encrypted in transit. Which configuration ensures this requirement is met?

270

A financial company uses AWS KMS to encrypt sensitive data. The security team notices that a KMS key has been deleted, but the encrypted data is still needed for a short period. What is the fastest way to make the data decryptable again?

271

A company uses AWS Secrets Manager to rotate secrets for an RDS database. The rotation fails with an error indicating that the secret cannot be accessed. What is the most likely cause?

272

A company wants to protect data at rest in Amazon S3 using client-side encryption. The application will run on Amazon EC2 instances. Which approach meets these requirements?

273

A company uses AWS CloudHSM to generate and store encryption keys for a custom application. The security team is concerned about key durability and wants to ensure that keys are not lost if the HSM fails. Which action should be taken?

274

A company wants to encrypt data in transit between an on-premises data center and AWS over a VPN connection. Which AWS service or feature should be used?

275

A company needs to protect sensitive data in Amazon S3 from accidental deletion or overwriting. The data must be retained for at least 7 years after creation. Which combination of S3 features should be used?

276

Refer to the exhibit. An administrator is investigating why an application that uses KMS for encryption is failing. The IAM role used by the application has the following policy attached: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ] }. What is the most likely cause of the failure?

277

A company wants to protect sensitive data in Amazon S3 by ensuring that all objects are encrypted at rest. Which TWO options meet this requirement? (Choose TWO.)

278

A company is designing a data protection strategy for Amazon EBS volumes. Which THREE practices should be implemented? (Choose THREE.)

279

A company needs to protect data in Amazon S3 by ensuring that only authorized users can access objects, and all access is logged. Which TWO services should be used together? (Choose TWO.)

280

A company runs a web application on Amazon EC2 behind an Application Load Balancer (ALB). The application handles payment card information (PCI) and must comply with PCI DSS. The security team wants to ensure that all data in transit between the client and the ALB is encrypted using TLS 1.2 or higher. The ALB currently uses a default certificate from AWS Certificate Manager (ACM) that was issued by Amazon. The compliance team has flagged that the certificate must be issued by a public Certificate Authority (CA) that is trusted by major browsers. The company wants to minimize operational overhead. What should the security team do?

281

A company uses Amazon S3 to store sensitive documents. The security engineer notices that an S3 bucket named 'documents-prod' has been configured with a bucket policy that allows s3:PutObject from any principal, but only if the request includes the x-amz-server-side-encryption header set to 'AES256'. The company's security policy requires that all objects be encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). The engineer needs to ensure that any new objects uploaded to the bucket are encrypted with SSE-KMS, and that existing objects remain accessible. What should the engineer do?

282

A company uses Amazon RDS for MySQL to store customer data. The security team wants to ensure that the database is encrypted at rest. The database is already running and contains production data. The team needs to enable encryption at rest with minimal downtime. What should they do?

283

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. Which policy configuration should be used?

284

A financial services company must ensure that all data written to Amazon S3 is encrypted at rest and that the encryption keys are rotated every 90 days. The company also needs to maintain an audit trail of when keys were used. Which solution meets these requirements with the least operational overhead?

285

A company is designing a disaster recovery plan for its Amazon RDS for MySQL database. The database must be encrypted at rest. Which approach ensures that the database is encrypted and can be restored in another AWS Region?

286

A company uses AWS Organizations and wants to enforce that all S3 buckets created in any account within the organization have default encryption enabled. Which policy should be used?

287

A company uses Amazon EBS volumes for EC2 instances. Security policy requires that all EBS volumes be encrypted at rest. The company already has a default KMS key for EBS encryption. However, some new volumes are created without encryption. What is the most efficient way to enforce encryption for all new EBS volumes?

288

A company stores sensitive data in Amazon S3. The security team needs to ensure that data is encrypted at rest and that access is logged. Which TWO actions meet these requirements?

289

A company is using Amazon RDS for PostgreSQL with encryption at rest using AWS KMS. The security team wants to ensure that only a specific set of IAM roles can manage the KMS key used for encryption. Which TWO steps should the team take?

290

A company is migrating on-premises file servers to Amazon EFS. The data must be encrypted at rest and in transit. Which THREE steps should the company take to meet these requirements?

291

A company has an AWS Lambda function that processes sensitive data and writes the results to an Amazon S3 bucket. The security team requires that the data is encrypted at rest in S3 and that the Lambda function has the minimum permissions necessary. Which THREE actions should the team take?

292

Refer to the exhibit. An S3 bucket policy is shown. An administrator uploads an object to 'example-bucket' without specifying any encryption header. What is the outcome?

293

Refer to the exhibit. A security engineer is troubleshooting a decryption failure. The command uses the AWS CLI to decrypt a file. The decryption fails with an 'AccessDeniedException' error. The IAM user has the following policy attached: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*" } ] } What is the most likely cause of the failure?

294

Refer to the exhibit. A KMS key policy is shown. An IAM role named 'DataProcessor' in account 123456789012 is trying to encrypt data using this key. The role also has an IAM policy that allows kms:Encrypt on the key. Will the encryption succeed?

295

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer. The application uses an Amazon RDS for MySQL database. The security team requires that all data in transit between the EC2 instances and the database be encrypted. The database is in a private subnet. The EC2 instances are in a public subnet. The security team also wants to minimize latency. What should be done to meet these requirements?

296

A company stores sensitive customer data in Amazon S3. The security team has enabled default encryption with SSE-S3 on the bucket. The compliance team requires that all access to the bucket be logged and that any unauthorized access attempts be detected in real time. The company has AWS CloudTrail enabled. Which additional steps should the security team take to meet the compliance requirements?

297

A company is using AWS KMS to encrypt sensitive data in Amazon DynamoDB. The security team wants to ensure that the KMS key can only be used from within the company's VPC and not from the internet. The VPC has an interface VPC endpoint for KMS. What should the security team do to enforce this restriction?

298

A security engineer is designing a data protection strategy for a healthcare application that stores Protected Health Information (PHI) in an S3 bucket. The bucket is accessed by multiple AWS services, including Athena and SageMaker. Which TWO actions should the engineer take to ensure encryption at rest and in transit? (Choose two.)

299

A financial services company uses AWS KMS to encrypt sensitive data in S3 and RDS. The security team requires a centralized audit trail of all KMS key usage, including key creation, deletion, and cryptographic operations. The audit logs must be stored in a separate AWS account for compliance. The team has enabled CloudTrail in the management account and configured a trail that logs to an S3 bucket in the audit account. However, they notice that KMS events such as Decrypt and GenerateDataKey are not appearing in the CloudTrail logs. The KMS key policy includes the following statement: {"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::management-account:root"},"Action":"kms:*","Resource":"*"}. What is the MOST likely reason for the missing KMS events?

300

A startup is building a serverless application using AWS Lambda to process user-uploaded images. The images are stored in an S3 bucket with server-side encryption (SSE-S3) enabled. The Lambda function reads the images, performs transformations, and writes the results to a different S3 bucket. The security engineer wants to ensure that data is encrypted at rest and in transit throughout the pipeline. The Lambda function is configured with an IAM role that has permissions to read from the source bucket and write to the destination bucket. Which additional configuration is REQUIRED to ensure end-to-end encryption?

Practice all 300 Data Protection questions

Deep-dive questions

Must-know Data Protection questions

The most-searched questions in this domain — detailed explanations, worked examples, full answer breakdowns.

  • AWS KMS Key Management Best Practices→
  • AWS KMS Key Management Best Practices→
  • Encrypt an Existing Unencrypted RDS for PostgreSQL→
  • S3 Server-Side Encryption — Options Overview→
  • Three Server-Side Encryption Options in Amazon S3→
  • Achieve High Availability with CloudHSM Cluster Across AZs→
  • CloudHSM High Availability with Multi-AZ Cluster→
  • How to Encrypt Data in Transit from EC2 to S3 Using HTTPS→

Other SCS-C02 exam domains

Threat Detection and Incident ResponseSecurity Logging and MonitoringIdentity and Access ManagementManagement and Security GovernanceInfrastructure Security

Frequently asked questions

What does the Data Protection domain cover on the SCS-C02 exam?

Data Protection questions on this certification test your ability to deploy and manage data protection concepts in scenario-based situations.

How many Data Protection questions are in the SCS-C02 question bank?

The Courseiva SCS-C02 question bank contains 300 questions in the Data Protection domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Data Protection for SCS-C02?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Data Protection questions for SCS-C02?

Yes — the session launcher on this page draws questions exclusively from the Data Protection domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your SCS-C02 domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide

Related Exams

SAA-C03SY0-701CISSP