Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


SCS-C02 Data Protection • Complete Question Bank

SCS-C02 Data Protection — All Questions With Answers

Complete SCS-C02 Data Protection question bank: all 303 questions with answers and detailed explanations.

303 questions. Free, no signup required.
Question 1 (medium, multiple choice)

A company stores sensitive data in Amazon S3 and wants to ensure that all objects are encrypted at rest. The security team has enabled default encryption on the S3 bucket using SSE-S3. However, an audit reveals that some objects are stored with SSE-KMS. How can the company enforce that only SSE-S3 is used for all future uploads, while still allowing existing SSE-KMS objects to be read?

Question 2 (hard, multiple choice)

A financial services company uses AWS KMS to encrypt sensitive data. The security team has a requirement to rotate the CMK every 90 days and to maintain a record of all previous key versions for decryption of historical data. The team creates a new CMK every 90 days and manually updates applications to use the new key. This process is error-prone and causes downtime. What is the MOST operationally efficient solution that meets the requirements?

Question 3 (easy, multiple choice)

A startup is building a web application on AWS and needs to protect sensitive customer data at rest in an Amazon RDS for MySQL database. The compliance team requires that the encryption keys be managed by the company's on-premises hardware security module (HSM) and be rotated every 6 months. Which solution should the startup use?

Question 4 (medium, multi-select)

A company is designing a data protection strategy for its Amazon S3 bucket that stores sensitive documents. The security team requires that all data be encrypted in transit and at rest, and that any accidental deletion of objects can be reversed within 30 days. Additionally, the company must be able to audit all access attempts to the bucket, including failed attempts. Which TWO actions should the company take to meet these requirements? (Choose two.)

Question 5 (hard, multiple choice)

A healthcare company runs a HIPAA-compliant application on AWS. The application uses Amazon S3 to store Protected Health Information (PHI). The company has implemented the following controls: (1) All S3 buckets are configured with default encryption using SSE-S3. (2) Bucket policies restrict access to only authorized IAM roles. (3) S3 access logs are enabled and sent to a centralized logging account. (4) MFA Delete is enabled on all buckets. (5) Object lock is not enabled. Recently, an internal auditor discovered that when an authorized user deletes an object, the object is permanently deleted and cannot be recovered. The company's data retention policy requires that deleted PHI be recoverable for at least 30 days after deletion. A review of the IAM policies shows that users have s3:DeleteObject permission. The auditor also notes that the bucket versioning is not enabled. The security team needs to implement a solution that allows authorized users to delete objects but ensures that deleted objects can be recovered within 30 days. Which of the following is the MOST effective course of action?

Question 6 (medium, multiple choice)

A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which solution meets this requirement?

Question 7 (hard, multi-select)

A company wants to enforce encryption in transit for all data transferred between its Amazon EC2 instances and an Application Load Balancer (ALB). The company uses AWS Certificate Manager (ACM) to provision TLS certificates. Which TWO actions should the company take? (Choose TWO.)

Question 8 (easy, multiple choice)

Refer to the exhibit. An AWS KMS key policy includes the statement shown. The AdminRole tries to decrypt a ciphertext that was encrypted using the same KMS key with encryption context 'department=engineering'. What will happen?

Exhibit:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AdminRole"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:department": "finance"
        }
      }
    }
  ]
}
```
Question 9 (medium, drag-and-drop ordering)

Drag and drop the steps to configure a VPC with private subnets and NAT gateway for outbound internet access in the correct order.

Question 10 (medium, matching)

Match each AWS security-related acronym to its definition.

Descriptions to match:

Center for Internet Security
Payment Card Industry Data Security Standard
Health Insurance Portability and Accountability Act
System and Organization Controls
International standard for information security management

Question 11 (medium, multiple choice)

A company uses S3 to store sensitive customer data. The security team requires that all objects uploaded to S3 be encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). A developer reports that some objects are being stored unencrypted. What is the MOST effective way to enforce this requirement?

Question 12 (easy, multiple choice)

A company wants to protect data at rest for an Amazon RDS for PostgreSQL database. Which AWS service should be used to manage the encryption keys?

Question 13 (hard, multi-select)

A company has a requirement to automatically rotate encryption keys for S3 objects every 90 days. They are using SSE-KMS with a customer managed key. Which combination of actions will meet the requirement without breaking access to existing objects? (Choose two.)

Question 14 (medium, multiple choice)

A company uses AWS KMS to encrypt EBS volumes. The security team wants to ensure that when an EC2 instance is launched, the attached EBS volumes are always encrypted using a specific customer managed key. Which action will enforce this?

Question 15 (hard, multiple choice)

A company stores sensitive data in an S3 bucket with versioning enabled. They want to ensure that objects are encrypted at rest using SSE-KMS. A security audit reveals that some older object versions are encrypted with SSE-S3. What is the MOST efficient way to re-encrypt those older versions with SSE-KMS?

Question 16 (easy, multiple choice)

A company needs to ensure that data in transit between an on-premises data center and Amazon S3 is encrypted. Which AWS service should be used to establish a dedicated encrypted connection?

Question 17 (hard, multiple choice)

A company is designing a data protection strategy for an Amazon RDS for MySQL database. The database is 2 TB in size and stores financial data. The compliance team requires that database snapshots be encrypted at rest and that encryption keys be rotated every year. Which solution meets these requirements with the LEAST operational overhead?

Question 18 (easy, multi-select)

A company wants to protect data at rest for an Amazon S3 bucket that contains sensitive data. Which combination of actions provides the MOST comprehensive protection? (Choose two.)

Question 19 (hard, multiple choice)

A company uses AWS KMS to encrypt data in Amazon S3. The security team receives an alert that an IAM user is attempting to decrypt data using a key that they do not have access to. Which AWS service can be used to monitor and alert on such unauthorized KMS API calls?

Question 20 (easy, multiple choice)

A company needs to encrypt data in transit between an EC2 instance and an RDS database. Which option should be used?

Question 21 (medium, multiple choice)

A company uses S3 to store confidential documents. They want to ensure that objects are encrypted at rest using customer-provided encryption keys (SSE-C). Which header must be included in every PUT request?

Question 22 (hard, multiple choice)

A company has a compliance requirement to encrypt all data in Amazon S3 using keys that are managed by the company's internal security team. The keys must be stored in a hardware security module (HSM) that is FIPS 140-2 Level 3 certified. Which AWS service should be used?

Question 23 (medium, multiple choice)

A company is using AWS KMS to encrypt S3 objects. The security team wants to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. Which KMS key policy configuration should be used?

Question 24 (hard, multiple choice)

A financial services company must ensure that all data at rest in Amazon RDS for PostgreSQL is encrypted. The current database is unencrypted. What is the MOST operationally efficient way to enable encryption?

Question 25 (easy, multiple choice)

A company needs to securely store database credentials for a legacy application running on Amazon EC2. The credentials are currently hardcoded in the application code. Which service should be used to rotate and retrieve secrets automatically?

Question 26 (medium, multiple choice)

A company wants to use client-side encryption for data uploaded to Amazon S3. The encryption keys must be managed by the company and never sent to AWS. Which S3 encryption option supports this requirement?

Question 27 (hard, multiple choice)

A company uses Amazon S3 to store sensitive documents. They must ensure that all objects are encrypted at rest and that any attempt to upload an unencrypted object is denied. Which S3 bucket policy statement achieves this?

Question 28 (easy, multiple choice)

A company needs to encrypt data in transit between an on-premises data center and Amazon S3. Which solution should they use?

Question 29 (medium, multiple choice)

A company has a requirement to automatically rotate encryption keys for Amazon EBS volumes every 90 days. The EBS volumes are encrypted using AWS KMS. What is the simplest way to meet this requirement?

Question 30 (hard, multiple choice)

A company uses AWS CloudTrail to log API activity. The security team wants to ensure that log files are encrypted at rest and that any tampering with logs is detectable. Which combination of services should be used?

Question 31 (easy, multiple choice)

A company wants to ensure that data stored in Amazon S3 is encrypted at rest using keys managed by AWS. Which encryption option should they choose?

Question 32 (medium, multi-select)

A company is designing a data protection strategy for sensitive customer data stored in Amazon S3. Which TWO actions should be taken to protect the data from accidental deletion?

Question 33 (hard, multi-select)

A company is using AWS KMS to encrypt data in Amazon S3 and Amazon RDS. Which THREE practices should be followed to ensure the security of the KMS keys?

Question 34 (medium, multi-select)

A company needs to enforce encryption in transit for all traffic between an Amazon EC2 instance and an Amazon RDS database. Which TWO steps should be taken?

Question 35 (hard, multiple choice)

A security engineer applies the S3 bucket policy shown in the exhibit. An application tries to upload an object with the header "x-amz-server-side-encryption: AES256". What will happen?

Exhibit:

```json
{
  "Version": "2012-10-17",
  "Id": "PolicyForDataProtection",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-secure-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-secure-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```
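Both the Question 8 key policy and the Question 35 bucket policy come down to how IAM condition operators evaluate against the request context. The following Python is an added example, not code from the Courseiva page or from AWS: it evaluates a single request against a resource policy with the same rule IAM uses (an explicit Deny wins over any Allow, and no matching Allow is an implicit deny), and models the documented behaviour that negated operators such as StringNotEquals match when the condition key is absent from the request, which is the same property the common aws:sourceVpce deny pattern relies on. The two policy documents are copied from the exhibits; the uploader principal, the object key and the KMS key ARN are assumed for illustration.

```python
"""Toy IAM/KMS policy evaluator (added example, not Courseiva's code)."""
import fnmatch
import json

# Copied from the Question 8 exhibit: AdminRole may decrypt only under department=finance.
KMS_KEY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/AdminRole"},
    "Action": "kms:Decrypt",
    "Resource": "*",
    "Condition": {"StringEquals": {"kms:EncryptionContext:department": "finance"}}
  }]
}""")

# Copied from the Question 35 exhibit: deny PutObject unless SSE-KMS is requested.
S3_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "PolicyForDataProtection",
  "Statement": [
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-secure-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-secure-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, arn):
    """Resource-policy Principal element: "*" or {"AWS": arn | [arns]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return arn in _as_list(principal.get("AWS", []))
    return False


def _condition_matches(operator, expected, actual):
    """Evaluate one operator for one key; `actual` is None when the key is absent."""
    expected = [str(v) for v in _as_list(expected)]
    if operator == "Null":
        want_absent = expected[0].lower() == "true"
        return (actual is None) == want_absent
    if operator not in ("StringEquals", "StringNotEquals", "StringLike", "StringNotLike"):
        raise ValueError(f"operator {operator} not modelled here")
    negated = operator.startswith("StringNot")
    if actual is None:
        # Positive operators fail on a missing key; negated operators match it.
        return negated
    if operator.endswith("Like"):
        hit = any(fnmatch.fnmatchcase(actual, pattern) for pattern in expected)
    else:
        hit = actual in expected
    return hit != negated


def evaluate(policy, principal_arn, action, resource, context):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conditions_ok = all(
            _condition_matches(op, expected, context.get(key))
            for op, keys in stmt.get("Condition", {}).items()
            for key, expected in keys.items()
        )
        if not conditions_ok:
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def check_sse_upload(sse_header):
    """Question 35 bucket policy decision for a PutObject carrying `sse_header` (None = absent)."""
    context = {} if sse_header is None else {"s3:x-amz-server-side-encryption": sse_header}
    return evaluate(S3_BUCKET_POLICY, "arn:aws:iam::123456789012:user/uploader",  # assumed caller
                    "s3:PutObject", "arn:aws:s3:::my-secure-bucket/report.pdf", context)


def check_kms_decrypt(department):
    """Question 8 key policy decision for AdminRole decrypting under department=<value>."""
    return evaluate(KMS_KEY_POLICY, "arn:aws:iam::123456789012:role/AdminRole", "kms:Decrypt",
                    "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                    {"kms:EncryptionContext:department": department})


if __name__ == "__main__":
    for header in ("AES256", "aws:kms", None):
        print(f"PutObject with x-amz-server-side-encryption={header!r}: {check_sse_upload(header)}")
    for dept in ("engineering", "finance"):
        print(f"AdminRole Decrypt with department={dept}: {check_kms_decrypt(dept)}")
```

With the AES256 header the first statement's StringNotEquals matches and the upload is explicitly denied; with no header at all both statements match. With aws:kms the result is ImplicitDeny, which only means the bucket policy grants nothing itself: the caller's identity-based policy has to supply the Allow. For the key policy, a ciphertext bound to department=engineering never satisfies the StringEquals condition, so AdminRole gets no Allow and the Decrypt call fails.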
Question 36 (medium, multiple choice)

A security engineer inspects two KMS keys. Which key can be used for envelope encryption with automatic key rotation?

Exhibit:

```
$ aws kms list-keys
{
  "Keys": [
    {"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"},
    {"KeyId": "2345bcde-23bc-45de-67fg-2345678901bc"}
  ]
}

$ aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
  "KeyMetadata": {
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyManager": "AWS",
    "KeyState": "Enabled",
    "Origin": "AWS_KMS",
    "KeyRotationEnabled": true,
    "CreationDate": "2023-01-15T10:00:00+00:00"
  }
}

$ aws kms describe-key --key-id 2345bcde-23bc-45de-67fg-2345678901bc
{
  "KeyMetadata": {
    "KeyId": "2345bcde-23bc-45de-67fg-2345678901bc",
    "KeyManager": "CUSTOMER",
    "KeyRotationEnabled": false,
    "CreationDate": "2023-06-20T10:00:00+00:00"
  }
}
```
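Question 36 asks which key supports envelope encryption with automatic rotation, and Questions 2, 6, 13, 29, 54, 67 and 76 all turn on what automatic KMS rotation actually does: new backing key material is used for new GenerateDataKey and Encrypt calls, every earlier version is retained so that existing ciphertexts still decrypt, and nothing already stored is re-encrypted. The following Python is an added example, not Courseiva's or AWS's code. It models a KMS key as an in-memory object with versioned material and shows envelope encryption on top of it. The cipher is a toy SHA-256 keystream with an HMAC tag standing in for AES-GCM and must not be used for real data; the key ID is the one from the exhibit, and the ledger contents and encryption contexts are constructed.

```python
"""Envelope encryption against a rotating key (added example with a toy cipher)."""
import hashlib
import hmac
import json
import os


def _derive(key, label):
    """Split one 32-byte secret into separate encryption and MAC keys."""
    return hashlib.sha256(label + key).digest()


def _keystream(enc_key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _seal(key, plaintext, aad):
    """Encrypt-then-MAC. Toy stand-in for AES-GCM; do not use for real data."""
    nonce = os.urandom(16)
    stream = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_derive(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def _open(key, blob, aad):
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(_derive(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise PermissionError("integrity check failed: wrong key material or encryption context")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_derive(key, b"enc"), nonce, len(ct))))


def _aad(encryption_context):
    # KMS binds the encryption context to the ciphertext as additional authenticated data.
    return json.dumps(encryption_context, sort_keys=True).encode()


class ToyKmsKey:
    """In-memory model of a KMS key with automatic rotation (not the KMS API)."""

    def __init__(self, key_id):
        self.key_id = key_id
        self.material = [os.urandom(32)]  # index = backing-key version; old versions are kept

    def rotate(self):
        self.material.append(os.urandom(32))  # only new wrap operations use the newest version

    def generate_data_key(self, encryption_context):
        """Return (plaintext data key, encrypted data key), like KMS GenerateDataKey."""
        data_key = os.urandom(32)
        version = len(self.material) - 1
        wrapped = _seal(self.material[version], data_key, _aad(encryption_context))
        wrapped.update({"key_id": self.key_id, "version": version})
        return data_key, wrapped

    def decrypt(self, wrapped, encryption_context):
        if wrapped["key_id"] != self.key_id:
            raise PermissionError("ciphertext was not produced under this key")
        # The version recorded at wrap time selects the retained backing key.
        return _open(self.material[wrapped["version"]], wrapped, _aad(encryption_context))


def encrypt_object(kms_key, body, encryption_context):
    """Envelope-encrypt one object: a fresh data key per object, wrapped by the KMS key."""
    data_key, wrapped = kms_key.generate_data_key(encryption_context)
    obj = _seal(data_key, body, _aad(encryption_context))
    obj["encrypted_data_key"] = wrapped
    return obj


def decrypt_object(kms_key, obj, encryption_context):
    data_key = kms_key.decrypt(obj["encrypted_data_key"], encryption_context)
    return _open(data_key, obj, _aad(encryption_context))


def rotation_demo():
    """Show that rotation keeps old ciphertexts readable and does not re-encrypt them."""
    key = ToyKmsKey("1234abcd-12ab-34cd-56ef-1234567890ab")  # key ID from the exhibit
    ctx = {"department": "finance"}                            # constructed context
    before = encrypt_object(key, b"Q1 ledger (constructed)", ctx)
    key.rotate()
    after = encrypt_object(key, b"Q2 ledger (constructed)", ctx)
    try:
        decrypt_object(key, before, {"department": "engineering"})
        wrong_context_rejected = False
    except PermissionError:
        wrong_context_rejected = True
    return {
        "version_before_rotation": before["encrypted_data_key"]["version"],
        "version_after_rotation": after["encrypted_data_key"]["version"],
        "old_object_still_readable": decrypt_object(key, before, ctx) == b"Q1 ledger (constructed)",
        "new_object_readable": decrypt_object(key, after, ctx) == b"Q2 ledger (constructed)",
        "wrong_context_rejected": wrong_context_rejected,
        "retained_material_versions": len(key.material),
    }


if __name__ == "__main__":
    print(json.dumps(rotation_demo(), indent=2))
```

The point the questions test is visible in the result: the object written before rotation still references material version 0 and decrypts, the object written afterwards uses version 1, and nothing was rewritten. Rotating material therefore satisfies a "rotate yearly" control, but it does not shorten how long old data stays readable under old material; only re-encrypting the data (or a new key plus re-encryption) does that.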
Question 37 (hard, multiple choice)

A company has an S3 bucket with versioning and MFA Delete enabled. A user attempts to delete an object version using the AWS CLI without MFA. What will happen?

Exhibit:

```
# aws s3api get-bucket-versioning --bucket my-versioned-bucket
{
  "Status": "Enabled",
  "MFADelete": "Enabled"
}

# aws s3api get-bucket-lifecycle-configuration
{
  "Rules": [
    {
      "ID": "ExpireOldVersions",
      "Filter": {},
      "Expiration": {
        "Days": 30
      }
    }
  ]
}
```
Question 38 (hard, multiple choice)

A company is designing a data protection strategy for sensitive data stored in Amazon S3. Compliance requirements mandate that all data be encrypted at rest using customer-provided keys (SSE-C). Which solution meets the requirements with minimal operational overhead?

Question 39 (easy, multiple choice)

A security engineer needs to ensure that data at rest in an Amazon RDS for PostgreSQL DB instance is encrypted. Which action should the engineer take?

Question 40 (medium, multiple choice)

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to enforce that all S3 PUT requests include an encryption context that matches a specific key-value pair. Which S3 bucket policy condition key should be used?

Question 41 (hard, multiple choice)

A company is implementing a data loss prevention (DLP) solution for data stored in Amazon S3. The data includes personally identifiable information (PII). The company wants to automatically identify and classify PII objects, then apply encryption using AWS KMS with a customer-managed key. Which AWS service should be used to identify PII?

Question 42 (medium, multiple choice)

A security engineer needs to protect data in transit between an EC2 instance and an RDS database. The RDS database uses SSL/TLS certificates. What is the MOST secure way to ensure that the connection is encrypted?

Question 43 (easy, multiple choice)

A company needs to securely store database credentials that are used by an application running on Amazon EC2. The credentials must be automatically rotated every 90 days. Which AWS service should be used?

Question 44 (medium, multiple choice)

A company stores sensitive data in an S3 bucket. The security team wants to ensure that all objects are encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). An application writes objects to the bucket but sometimes fails because the encryption key is not found. What is the MOST likely cause?

Question 45 (hard, multiple choice)

A company uses Amazon S3 to store sensitive documents. The security policy requires that all objects be encrypted using server-side encryption with customer-provided keys (SSE-C). An application fails when trying to read an object with the error 'The request includes an invalid header.' What is the MOST likely cause?

Question 46 (easy, multiple choice)

A company wants to encrypt data in transit between an Application Load Balancer (ALB) and its targets. Which configuration should be used?

Question 47 (medium, multi-select)

Which TWO actions can help protect data at rest in Amazon EBS volumes? (Choose 2.)

Question 48 (hard, multi-select)

Which THREE practices are recommended for managing encryption keys in AWS KMS? (Choose 3.)

Question 49 (easy, multi-select)

Which TWO methods can be used to encrypt data at rest in Amazon S3? (Choose 2.)

Question 50 (medium, multiple choice)

Refer to the exhibit. A security engineer reviews the key policy of an AWS KMS customer managed key. The AppRole role is used by an application to encrypt and decrypt data. However, the application is unable to decrypt data. What is the MOST likely cause?

Exhibit:

```
$ aws kms get-key-policy --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --policy-name default
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/Admin"},
      "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
        "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
        "kms:ScheduleKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppRole"},
      "Action": [
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```
Question 51 (medium, multiple choice)

A company uses S3 to store sensitive customer data. They want to ensure that all S3 buckets have encryption enabled at rest. Which S3 feature should be used to automatically enforce encryption on all newly created objects?

Question 52 (hard, multiple choice)

A company is migrating on-premises data to AWS using AWS Snowball Edge. The data must be encrypted in transit and at rest. Which combination of steps should be taken?

Question 53 (easy, multiple choice)

A security engineer needs to ensure that an Amazon RDS for MySQL database is encrypted at rest. Which action should be taken?

Question 54 (medium, multiple choice)

A company uses AWS KMS to manage encryption keys for sensitive data stored in S3. The security team wants to ensure that keys are rotated automatically every year. What should they do?

Question 55 (hard, multiple choice)

A company wants to share an encrypted Amazon Machine Image (AMI) with another AWS account. The AMI uses an EBS snapshot encrypted with a customer managed key in KMS. What is the correct procedure to allow the other account to launch an EC2 instance from this AMI?

Question 56 (easy, multiple choice)

A company needs to protect data stored in S3 from accidental deletion by users. Which S3 feature should be used?

Question 57 (medium, multiple choice)

A security team wants to audit who accessed an S3 object that contains sensitive data. Which AWS service provides this capability?

Question 58 (hard, multiple choice)

A company is using AWS DMS to migrate data from an on-premises Oracle database to Amazon RDS for PostgreSQL. The data must be encrypted in transit. What should the company do?

Question 59 (easy, multiple choice)

A company wants to ensure that data at rest in Amazon EBS volumes is encrypted. What is the simplest way to achieve this?

Question 60 (medium, multi-select)

A company wants to protect sensitive data stored in S3 from being accessed by unauthorized users. Which TWO actions should be taken? (Choose two.)

Question 61 (hard, multi-select)

A company is using AWS KMS to encrypt data at rest. The security team needs to ensure that keys cannot be deleted before a retention period. Which THREE steps should be taken? (Choose three.)

Question 62 (easy, multi-select)

A company needs to encrypt data at rest in Amazon RDS for SQL Server. Which TWO methods can be used? (Choose two.)

Question 63 (medium, multiple choice)

A security engineer applied the bucket policy shown in the exhibit to an S3 bucket. What does this policy accomplish?

Exhibit:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
```
Question 64 (hard, multiple choice)

A security engineer examines the output shown in the exhibit. The company requires automatic yearly key rotation. What should the engineer do?

Exhibit:

```
$ aws kms list-keys --region us-east-1
{
  "Keys": [
    {
      "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
      "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}

$ aws kms get-key-rotation-status --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
  "KeyRotationEnabled": false
}
```
Question 65 (easy, multiple choice)

The CLI output shown in the exhibit is the encryption configuration of an S3 bucket. What type of encryption is enabled by default?

Exhibit:

```
$ aws s3api get-bucket-encryption --bucket my-bucket
{
  "ServerSideEncryptionConfiguration": {
    "Rules": [
      {
        "ApplyServerSideEncryptionByDefault": {
          "SSEAlgorithm": "AES256"
        }
      }
    ]
  }
}
```
Question 66 (easy, multiple choice)

A company stores sensitive customer data in an S3 bucket. The security team wants to ensure that all data is encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). Which bucket policy statement should be added to deny uploads that do not use SSE-KMS?

Question 67 (medium, multiple choice)

A company is using AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that KMS keys are rotated automatically every year. Which action should be taken?

Question 68 (hard, multiple choice)

A company uses AWS CloudHSM to generate and store encryption keys for a custom database. The security team needs to back up the keys to another AWS Region for disaster recovery. What is the most secure and efficient way to achieve this?

Question 69 (easy, multiple choice)

An application running on Amazon EC2 needs to access an S3 bucket containing sensitive data. The security team wants to avoid storing long-term AWS credentials on the instance. How should the EC2 instance be configured to access S3 securely?

Question 70 (medium, multiple choice)

A company is designing a data encryption solution for its Amazon RDS for PostgreSQL database. The database must be encrypted at rest. What is the simplest way to achieve this?

Question 71 (hard, multiple choice)

A company uses AWS Secrets Manager to rotate secrets for its RDS database. The rotation fails periodically, and the security team needs to troubleshoot. Which CloudWatch metric should be monitored to detect rotation failures?

Question 72 (medium, multiple choice)

A company wants to protect data in transit between its on-premises network and Amazon VPC using IPsec VPN. Which AWS service should be used to establish this VPN connection?

Question 73 (easy, multiple choice)

A company stores sensitive documents in an S3 bucket. The security team wants to ensure that any object uploaded to the bucket is automatically encrypted using server-side encryption with AWS KMS. Which S3 bucket feature should be configured?

Question 74 (hard, multiple choice)

A company is using AWS KMS with a customer managed key for encrypting EBS volumes. The security team wants to ensure that only specific IAM roles can use the key for encryption and decryption. What is the best way to achieve this?

Question 75 (medium, multi-select)

A company is designing a data protection strategy for its Amazon S3 buckets. Which TWO actions can help protect data from accidental deletion or overwrite?

Question 76 (hard, multi-select)

A company is using AWS Key Management Service (KMS) with a customer managed key. The security team needs to ensure that the key can be rotated automatically every year. Which TWO steps are required?

Question 77 (easy, multi-select)

A company needs to protect data in transit between an on-premises data center and AWS. Which THREE services can be used to encrypt data in transit?

Question 78 (medium, multiple choice)

A company is storing sensitive customer data in Amazon S3. The security team requires that all data be encrypted at rest using a key that is rotated automatically every year. Which solution meets these requirements with the LEAST operational overhead?

Question 79 (hard, multiple choice)

A company uses AWS KMS to encrypt data in Amazon RDS. The security team discovers that a developer accidentally deleted a customer master key (CMK) used for RDS encryption. What is the impact on the RDS instances that were encrypted with that key?

Question 80 (easy, multiple choice)

A company wants to ensure that all data transferred between its on-premises data center and AWS is encrypted in transit. Which AWS service should be used to meet this requirement?

Question 81 (medium, multiple choice)

A company uses AWS KMS to encrypt data in Amazon S3. The security team needs to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. What is the most secure way to enforce this restriction?

Question 82 (hard, multiple choice)

A company needs to share an encrypted Amazon Machine Image (AMI) with another AWS account. The AMI was encrypted using a customer managed key (CMK) in AWS KMS. What steps are required to allow the target account to launch an EC2 instance from the shared AMI?

Question 83 (easy, multiple choice)

A company stores data in Amazon S3 and wants to ensure that objects are encrypted at rest. The security team decides to use server-side encryption with AWS KMS (SSE-KMS). Which additional benefit does SSE-KMS provide over SSE-S3?

Question 84 (medium, multiple choice)

A company uses Amazon RDS for MySQL with encryption at rest enabled. The security team needs to ensure that automated backups are also encrypted. How can this be achieved?

Question 85 (hard, multiple choice)

A company uses AWS CloudHSM to generate and store encryption keys for a custom application. The security team needs to ensure high availability and durability of the keys. Which architecture should be recommended?

Question 86 (easy, multiple choice)

A company is designing a data lake on Amazon S3 and needs to encrypt data at rest. The compliance team requires that the encryption keys be managed by the company and not by AWS. Which encryption option should be used?

Question 87 (medium, multi-select)

A company is implementing a data protection strategy for Amazon S3. Which TWO actions should be taken to protect data from accidental deletion or overwrite?

Question 88 (hard, multi-select)

A company is designing a disaster recovery plan for encrypted Amazon EBS volumes. Which THREE steps are required to ensure that encrypted EBS snapshots can be restored in a different AWS Region?

Question 89 (medium, multi-select)

A company wants to protect sensitive data in Amazon S3 from unauthorized access. Which TWO AWS services can be used to detect and alert on suspicious access patterns?

Question 90 (medium, multiple choice)

A security engineer is reviewing a KMS key policy. What does this policy accomplish?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/SecurityAudit"
      },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncrypt*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "123456789012"
        }
      }
    }
  ]
}
```
Question 91hardmultiple choice
Read the full Data Protection explanation →

A security engineer is reviewing the configuration of an S3 bucket. What is a security concern with the current configuration?

Exhibit

Refer to the exhibit.
```
$ aws s3api get-bucket-versioning --bucket my-secure-bucket
{
    "Status": "Enabled",
    "MFADelete": "Enabled"
}
$ aws s3api get-bucket-lifecycle-configuration
{
    "Rules": [
        {
            "ID": "DeleteOldVersions",
            "Filter": {},
            "NoncurrentVersionExpiration": {
                "NoncurrentDays": 30
            }
        }
    ]
}
$ aws s3api get-bucket-policy
{
    "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::my-secure-bucket/*\"}]}"
}
```
Question 92easymultiple choice
Read the full Data Protection explanation →

A security engineer is investigating a potential data breach and finds this CloudTrail log entry. What does this entry indicate?

Exhibit

Refer to the exhibit.
```
$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --max-results 1
{
    "Events": [
        {
            "EventId": "example1",
            "EventName": "Decrypt",
            "EventTime": "2023-01-15T10:30:00Z",
            "Username": "arn:aws:iam::123456789012:user/john.doe",
            "Resources": [
                {
                    "ResourceType": "AWS::KMS::Key",
                    "ResourceName": "arn:aws:kms:us-east-1:123456789012:key/abc123"
                }
            ]
        }
    ]
}
```
Question 93easymultiple choice
Read the full Data Protection explanation →

A company uses S3 to store sensitive customer data. Which AWS service can automatically discover and classify this data to help meet compliance requirements?

Question 94mediummultiple choice
Read the full Data Protection explanation →

A security engineer needs to ensure that all data in an S3 bucket is encrypted at rest using AWS KMS. The bucket policy must deny any PutObject request that does not include the x-amz-server-side-encryption header with value aws:kms. Which bucket policy element should be used?

Question 95hardmultiple choice
Read the full Data Protection explanation →

A company is using AWS CloudHSM to store encryption keys for a custom application. The application needs high availability across two AWS Regions. What is the MOST secure and cost-effective approach to synchronize key material between the HSMs in each Region?

Question 96mediummulti select
Read the full Data Protection explanation →

A security engineer is designing a data protection strategy for an S3 bucket that contains sensitive documents. The bucket is accessed by multiple IAM users and roles. Which TWO actions will help protect the data at rest and in transit?

Question 97hardmulti select
Read the full Data Protection explanation →

A company is migrating a legacy application to AWS. The application stores sensitive data and must comply with PCI DSS. The security team needs to ensure that data is encrypted at rest using keys that are rotated every 12 months. Which THREE steps should the team take?

Question 98easymulti select
Read the full Data Protection explanation →

A security engineer is designing a data protection strategy for an S3 bucket that contains sensitive data. The data must be encrypted at rest and the key material must be stored in a hardware security module (HSM) that is FIPS 140-2 Level 3 validated. Which TWO services can be used to meet these requirements?

Question 99easymultiple choice
Read the full Data Protection explanation →

A company wants to protect data in transit between an EC2 instance and an S3 bucket. Which method should be used?

Question 100mediummultiple choice
Read the full Data Protection explanation →

A security engineer needs to audit all access to a KMS customer managed key. Which AWS service should be used?

Question 101hardmultiple choice
Read the full Data Protection explanation →

A company has a requirement to encrypt all data in an S3 bucket using keys that are stored in an on-premises HSM. Which S3 encryption option should be used?

Question 102easymultiple choice
Read the full Data Protection explanation →

A company wants to automate the detection of sensitive data in an S3 bucket. Which AWS service should be used?

Question 103mediummultiple choice
Read the full Data Protection explanation →

A security engineer is tasked with ensuring that all data stored in an RDS DB instance is encrypted at rest. The database is already running and contains data. What should the engineer do?

Question 104hardmultiple choice
Read the full Data Protection explanation →

A company uses AWS KMS to encrypt data in S3. The security policy requires that keys be rotated every 12 months. Which type of KMS key supports automatic rotation?

Question 105mediummultiple choice
Read the full Data Protection explanation →

A company stores sensitive data in an S3 bucket with default encryption (SSE-S3) enabled. A security audit reveals that objects are being accessed by users from unexpected IP addresses. The company wants to enforce that only objects encrypted with a specific KMS key (managed by the security team) can be accessed. Which combination of actions should be taken?

Question 106hardmultiple choice
Read the full Data Protection explanation →

A company uses AWS KMS to encrypt data at rest in Amazon RDS for MySQL. The security team needs to ensure that the RDS instance can only be decrypted by a specific IAM role used by the production application, and not by any other IAM user or role. What is the most secure way to achieve this?

Question 107easymultiple choice
Read the full Data Protection explanation →

A company is using Amazon S3 to store sensitive customer data. They need to ensure that data is encrypted at rest and that the encryption keys are managed by the company, not AWS. Which S3 encryption option should they use?

Question 108mediummultiple choice
Read the full Data Protection explanation →

A company is designing a data lake on Amazon S3. The data contains personally identifiable information (PII). The security team requires that all data be encrypted at rest and that access to the data is logged for auditing. Additionally, the team wants to ensure that if an object is accidentally deleted, it can be recovered within 30 days. Which combination of S3 features should be enabled?

Question 109hardmultiple choice
Read the full Data Protection explanation →

A company uses AWS KMS to encrypt EBS volumes attached to EC2 instances. The security team wants to ensure that when an EC2 instance is terminated, the associated EBS volume is automatically deleted and the data is unrecoverable. However, the team also needs to retain the volume's data for 90 days for compliance purposes. What is the most secure and cost-effective approach?

Question 110easymultiple choice
Read the full Data Protection explanation →

A company is using Amazon S3 to store sensitive data. They want to ensure that all objects uploaded to a specific bucket are encrypted using server-side encryption with AWS KMS. Which bucket policy condition should be used to enforce this?

Question 111mediummultiple choice
Read the full Data Protection explanation →

A company uses AWS KMS with a custom key store backed by AWS CloudHSM. The security team wants to ensure that the key material never leaves the HSM and that all cryptographic operations are performed within the HSM. Which of the following actions should the team take?

Question 112hardmultiple choice
Read the full Data Protection explanation →

A company uses Amazon RDS for PostgreSQL with encryption at rest enabled using AWS KMS. The security team wants to ensure that database backups (automated snapshots) are also encrypted and that the encryption key can be rotated on demand without re-encrypting the data. Which approach should be taken?

Question 113easymultiple choice
Read the full Data Protection explanation →

A company is using Amazon S3 to store confidential documents. They want to ensure that all data is encrypted in transit between the S3 bucket and their on-premises application. Which of the following should be enforced?

Question 114mediummulti select
Read the full Data Protection explanation →

A company is designing a secure data sharing solution with a third party. The company needs to share sensitive files stored in an S3 bucket with the third party, ensuring that the files are encrypted at rest and in transit, and that the third party can only access specific files. The company also wants to rotate the access credentials every 30 days. Which TWO actions should the company take? (Select TWO.)

Question 115hardmulti select
Read the full Data Protection explanation →

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to detect any attempts to use a KMS key that has been disabled. Which THREE steps should the team take to achieve this? (Select THREE.)

Question 116easymulti select
Read the full Data Protection explanation →

A company is storing sensitive data in Amazon S3. They want to ensure that all data is encrypted at rest using server-side encryption. Which THREE options are available for server-side encryption in S3? (Select THREE.)

Question 117hardmultiple choice
Read the full Data Protection explanation →

A company is migrating its on-premises data warehouse to AWS. The data includes highly sensitive customer financial information. The company has the following requirements: 1) All data must be encrypted at rest using a key that is managed by the company's internal security team. 2) The encryption keys must be rotated every 90 days. 3) The data warehouse must support SQL queries and be highly available across multiple Availability Zones. 4) The solution must minimize the administrative overhead of managing keys. The security team has chosen Amazon Redshift as the data warehouse. They have enabled encryption using AWS KMS with a customer-managed key (CMK). They have set the key rotation period to 90 days using automatic key rotation. However, during a security review, an auditor points out that the key material is still stored in AWS KMS, and the company wants the key material to be stored in a hardware security module (HSM) that they control. Which of the following is the BEST course of action to meet the auditor's requirement while maintaining the other requirements?

Question 118easymultiple choice
Read the full Data Protection explanation →

A company is migrating sensitive data to Amazon S3. They need to ensure that data is encrypted at rest using an AWS KMS customer managed key (CMK). The security team wants to enforce encryption for all new objects uploaded to an S3 bucket. Which policy should be attached to the bucket?

Question 119mediummultiple choice
Read the full Data Protection explanation →

A security engineer is troubleshooting an issue where an Amazon RDS for MySQL DB instance encrypted at rest with AWS KMS is failing to launch. The error message indicates a KMS access issue. Which IAM role or policy is most likely missing?

Question 120hardmultiple choice
Read the full Data Protection explanation →

A company uses AWS CloudHSM to store encryption keys for a custom database encryption application. The application runs on Amazon EC2 instances and uses the PKCS#11 library to communicate with the HSM. Recently, the application started failing with 'CKR_SESSION_HANDLE_INVALID' errors. Which of the following is the most likely cause?

Question 121easymultiple choice
Read the full Data Protection explanation →

A company uses S3 Server Access Logs to audit access to their S3 buckets. The security team wants to ensure that the log files themselves are encrypted at rest using SSE-KMS. Which configuration step is necessary?

Question 122mediummultiple choice
Read the full Data Protection explanation →

A company is designing a data protection strategy for Amazon EBS volumes. They want to automate the creation of point-in-time snapshots for all production volumes and retain them for 90 days. Which solution meets these requirements with the least operational overhead?

Question 123hardmultiple choice
Read the full Data Protection explanation →

Refer to the exhibit. A security engineer is troubleshooting why an IAM user (Alice) cannot encrypt data using a KMS key. Alice has full S3 and KMS permissions via an IAM policy. The key policy is shown. Which statement explains the issue?

Exhibit

```
{
  "Version": "2012-10-17",
  "Id": "KMSKeyPolicy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:role/Admin"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Put*"
      ],
      "Resource": "*"
    }
  ]
}
```
Question 124easymultiple choice
Read the full Data Protection explanation →

A company wants to protect data in transit between an on-premises data center and Amazon S3. Which AWS service should be used to establish a dedicated, encrypted connection?

Question 125mediummultiple choice
Read the full Data Protection explanation →

A company uses Amazon S3 to store sensitive documents. The security policy requires that all objects be encrypted with server-side encryption using customer-provided encryption keys (SSE-C). A developer uploads objects using the AWS SDK but forgets to include the encryption key in the request. What happens to the upload?

Question 126hardmultiple choice
Read the full Data Protection explanation →

A company is using AWS KMS to encrypt data in Amazon Redshift. They need to rotate the KMS key annually. Which approach meets the requirement with minimal operational impact?

Question 127mediummultiple choice
Read the full Data Protection explanation →

Refer to the exhibit. A security engineer applies the bucket policy to an S3 bucket. A user uploads an object without specifying any encryption header. What happens?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
```
Question 128hardmultiple choice
Read the full Data Protection explanation →

A company uses Amazon DynamoDB with client-side encryption using AWS KMS. The application is experiencing high latency on write operations. Which change is most likely to reduce latency?

Question 129easymulti select
Read the full Data Protection explanation →

A company is designing a data protection strategy for Amazon S3. Which TWO of the following are valid methods to protect data at rest in S3?

Question 130mediummulti select
Read the full Data Protection explanation →

A security engineer is configuring a new AWS KMS customer managed key. Which THREE of the following are required components of a KMS key policy?

Question 131hardmulti select
Read the full Data Protection explanation →

A company uses AWS CloudTrail to log API calls. They want to ensure that log files are encrypted at rest and that integrity is verified. Which TWO services can be used together to achieve this?

Question 132mediummultiple choice
Read the full Data Protection explanation →

A financial services company runs a web application on Amazon EC2 instances behind an Application Load Balancer. The application processes credit card numbers and stores them in an Amazon RDS for PostgreSQL database. The database is encrypted at rest using AWS KMS. The security team is concerned about data in transit between the ALB and EC2 instances, and between EC2 and RDS. They also want to ensure that the application never logs the full credit card number. The current setup: ALB terminates SSL using a certificate from AWS Certificate Manager (ACM). EC2 instances are in a private subnet. RDS is in a private subnet. The application logs to CloudWatch Logs. The security team reviews the logs and finds full credit card numbers in the logs. Which of the following actions should the security engineer take to address the data protection issues?

Question 133easymultiple choice
Read the full Data Protection explanation →

A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team wants to ensure that only users with a specific IAM role can decrypt objects. What is the MOST secure way to achieve this?

Question 134mediummultiple choice
Read the full Data Protection explanation →

A company is designing a data protection strategy for its Amazon RDS for PostgreSQL database. The database contains sensitive customer data. Compliance requirements mandate that all backups be encrypted at rest and that the encryption keys be rotated annually. Which solution meets these requirements?

Question 135hardmultiple choice
Read the full Data Protection explanation →

A company uses AWS CloudHSM to generate and store encryption keys for a custom application. The application runs on Amazon EC2 instances and uses the PKCS#11 interface to interact with the HSM. The security team recently discovered that a former employee may have obtained a copy of the cryptographic materials from the HSM. What should the security team do to minimize the impact?

Question 136easymultiple choice
Read the full Data Protection explanation →

A company wants to encrypt data stored in Amazon S3 using server-side encryption with customer-provided keys (SSE-C). Which statement is correct regarding SSE-C?

Question 137mediummultiple choice
Read the full Data Protection explanation →

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that if a KMS key is disabled, all subsequent attempts to decrypt data encrypted with that key fail. What is the BEST way to achieve this?
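
Questions 92, 100, 115 and 137 all come back to the same workflow: every call against a KMS key is recorded by CloudTrail, so detecting use of a disabled key, use by an unexpected principal, or a change to the key itself is a matter of reading those records. The Go program below is an added example written for this page, not code from Courseiva or from AWS. It parses CloudTrail records (one JSON object per line, in the shape CloudTrail delivers to S3 rather than the lookup-events summary shown in the question 92 exhibit) and applies three rules to each. The events, the role names, the allow-list and the detector are all constructed for the example; the one AWS-specific assumption is that a call against a disabled key is recorded with errorCode DisabledException, which is the error KMS returns in that case.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Record carries the CloudTrail fields the rules below inspect.
type Record struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	ErrorCode    string `json:"errorCode"`
	UserIdentity struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	Resources []struct {
		ARN string `json:"ARN"`
	} `json:"resources"`
}

type Finding struct{ Rule, Principal, Event, Time string }

// Detector watches one KMS key; Allowed lists the principals expected to use it.
type Detector struct {
	KeyARN  string
	Allowed map[string]bool
}

// cryptoOps are the data-plane operations a normal workload performs.
var cryptoOps = map[string]bool{"Decrypt": true, "Encrypt": true, "GenerateDataKey": true, "ReEncrypt": true}

func (d Detector) touchesKey(r Record) bool {
	for _, res := range r.Resources {
		if res.ARN == d.KeyARN {
			return true
		}
	}
	return false
}

// Evaluate applies three rules: a call rejected because the key is disabled,
// a cryptographic operation by a principal outside the allow-list, and a
// lifecycle change to the key itself.
func (d Detector) Evaluate(r Record) []Finding {
	if r.EventSource != "kms.amazonaws.com" || !d.touchesKey(r) {
		return nil
	}
	mk := func(rule string) Finding {
		return Finding{Rule: rule, Principal: r.UserIdentity.ARN, Event: r.EventName, Time: r.EventTime}
	}
	var out []Finding
	if strings.Contains(r.ErrorCode, "DisabledException") {
		out = append(out, mk("disabled-key-use"))
	}
	if cryptoOps[r.EventName] && !d.Allowed[r.UserIdentity.ARN] {
		out = append(out, mk("unexpected-principal"))
	}
	switch r.EventName {
	case "DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy":
		out = append(out, mk("key-lifecycle-change"))
	}
	return out
}

// Scan parses one JSON record per line and collects the findings in order.
func Scan(d Detector, lines []string) ([]Finding, error) {
	var out []Finding
	for i, l := range lines {
		var r Record
		if err := json.Unmarshal([]byte(l), &r); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		out = append(out, d.Evaluate(r)...)
	}
	return out, nil
}

const keyARN = "arn:aws:kms:us-east-1:123456789012:key/abc123"

// SampleDetector and SampleEvents are constructed for this example; the events
// are shaped like the records CloudTrail delivers to S3, not real log output.
var SampleDetector = Detector{KeyARN: keyARN, Allowed: map[string]bool{"arn:aws:iam::123456789012:role/prod-app": true}}

var SampleEvents = []string{
	`{"eventTime":"2023-01-15T10:29:00Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","userIdentity":{"arn":"arn:aws:iam::123456789012:role/prod-app"},"resources":[{"ARN":"` + keyARN + `"}]}`,
	`{"eventTime":"2023-01-15T10:30:00Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","userIdentity":{"arn":"arn:aws:iam::123456789012:user/john.doe"},"resources":[{"ARN":"` + keyARN + `"}]}`,
	`{"eventTime":"2023-01-15T10:31:00Z","eventSource":"kms.amazonaws.com","eventName":"DisableKey","userIdentity":{"arn":"arn:aws:iam::123456789012:role/Admin"},"resources":[{"ARN":"` + keyARN + `"}]}`,
	`{"eventTime":"2023-01-15T10:32:00Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","errorCode":"DisabledException","userIdentity":{"arn":"arn:aws:iam::123456789012:role/prod-app"},"resources":[{"ARN":"` + keyARN + `"}]}`,
}

func main() {
	findings, err := Scan(SampleDetector, SampleEvents)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %-22s %-12s %s\n", f.Time, f.Rule, f.Event, f.Principal)
	}
}
```

Run over the four constructed records it produces three findings: the Decrypt by john.doe (unexpected-principal), the DisableKey by the Admin role (key-lifecycle-change) and the Decrypt that failed with DisabledException afterwards (disabled-key-use); the first record, a Decrypt by the allowed application role, is silent. In a real pipeline the same Evaluate function would sit behind a CloudWatch Logs subscription or an S3 delivery of the trail, with the key ARN and allow-list taken from the key policy under review; the point of matching on the resources array rather than the request parameters is that CloudTrail records the key ARN there even when the caller addressed the key by alias.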

Question 138mediummulti select
Read the full Data Protection explanation →

Which TWO of the following are valid methods to protect data in transit between an on-premises data center and AWS? (Choose two.)

Question 139hardmulti select
Read the full Data Protection explanation →

Which THREE of the following are required to use client-side encryption with Amazon S3 using AWS KMS? (Choose three.)

Question 140easymulti select
Read the full Data Protection explanation →

Which TWO of the following are valid options for encrypting data at rest in Amazon EBS? (Choose two.)

Question 141hardmultiple choice
Read the full Data Protection explanation →

Refer to the exhibit. An IAM policy allows kms:Decrypt on a specific KMS key only when the encryption context includes department=finance. A user attempts to decrypt an S3 object that was encrypted with the same KMS key but with encryption context department=hr. Will the decryption succeed?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowKMSDecrypt",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/abc12345-6789-4def-1234-56789abcdef0",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:department": "finance"
        }
      }
    }
  ]
}
```
Question 142hardmultiple choice
Read the full Data Protection explanation →

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application processes credit card numbers and must comply with PCI DSS. The security team requires that all credit card numbers be encrypted at rest and in transit. The application stores the encrypted credit card numbers in Amazon RDS for MySQL. The RDS instance is encrypted at rest using AWS KMS. The application decrypts the credit card numbers after retrieval using a KMS key. The security team has noticed that some credit card numbers are being logged in plaintext in Amazon CloudWatch Logs by the application. The developers claim they are not logging the decrypted values. What is the MOST likely cause and solution?

Question 143mediummultiple choice
Read the full Data Protection explanation →

A company is using Amazon S3 to store sensitive documents. The security team has implemented a bucket policy that denies access unless the request uses HTTPS. However, a security audit reveals that some objects were accessed over HTTP. The bucket policy is as follows: {"Effect":"Deny","Principal":"*","Action":"s3:*","Resource":"arn:aws:s3:::example-bucket/*","Condition":{"Bool":{"aws:SecureTransport":"false"}}}. The team also enabled S3 Block Public Access at the account level. What is the MOST likely reason that HTTP access was still possible?

Question 144hardmultiple choice
Read the full Data Protection explanation →

A company uses Amazon SQS to decouple its microservices. The messages contain personally identifiable information (PII). The security team requires that all messages be encrypted at rest. Currently, SQS is configured with SSE enabled using a customer managed KMS key. However, the team discovers that some messages are still being stored in plaintext in the dead-letter queue (DLQ) after the maximum receives are exceeded. The DLQ is also an SQS queue. What is the MOST likely reason?

Question 145mediummultiple choice
Read the full Data Protection explanation →

A company is migrating its on-premises file server to Amazon EFS. The data includes sensitive financial records. The security team requires encryption at rest and in transit. The team plans to mount the EFS file system on EC2 instances using the NFS client. They have enabled encryption at rest on the EFS file system. However, they are unsure how to enforce encryption in transit. What should they do to ensure all data transferred between the EC2 instance and EFS is encrypted?

Question 146easymultiple choice
Read the full Data Protection explanation →

A company runs a workload on Amazon EC2 that needs to access an Amazon S3 bucket to store sensitive data. The security team wants to ensure that the data is encrypted at rest in S3 without requiring any changes to the application. The application currently uses the AWS SDK to upload objects. Which solution meets the requirement with the LEAST operational overhead?

Question 147mediummultiple choice
Read the full Data Protection explanation →

A company uses AWS KMS to encrypt data in Amazon DynamoDB. The table has a TTL attribute that triggers automatic deletion of expired items. The security team is concerned that deleted items may still be recoverable. What should the team do to ensure that deleted items are cryptographically erased and cannot be recovered?

Question 148mediummultiple choice
Read the full Data Protection explanation →

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. However, the current KMS key policy does not allow rotation. Which action should the security team take to meet the requirement?

Question 149hardmultiple choice
Read the full Data Protection explanation →

A financial services company stores sensitive customer data in Amazon RDS for MySQL. The compliance team mandates that all database backups must be encrypted at rest. The current configuration uses a customer managed KMS key for encryption. However, during a recent audit, it was discovered that some automated backups are not encrypted. What is the MOST likely cause?

Question 150hardmulti select
Read the full Data Protection explanation →

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that only users from a specific AWS account can decrypt objects. Which TWO steps should be taken to achieve this?

Question 151easymulti select
Read the full Data Protection explanation →

A company needs to protect data at rest in Amazon S3. Which THREE mechanisms can be used to encrypt objects stored in S3?

Question 152mediummultiple choice
Read the full Data Protection explanation →

A healthcare company stores sensitive patient data in Amazon S3. The security team has implemented a data protection strategy that includes S3 default encryption using SSE-KMS with a customer managed key. They also use S3 Object Lock to prevent deletion. Recently, an administrator accidentally deleted the KMS key used for encryption. As a result, all objects in the bucket are now inaccessible. The company has a backup of the key material but does not have the original key ID. Which action should the team take to restore access to the data?

Question 153mediummultiple choice
Read the full Data Protection explanation →

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that when an object is retrieved, it is automatically decrypted. They have configured the S3 bucket to use SSE-KMS with a customer managed key. However, when a user downloads an object using the AWS CLI, the object is still encrypted. The IAM policy for the user includes kms:Decrypt permission. What is the MOST likely reason for this issue?

Question 154easymultiple choice
Read the full Data Protection explanation →

A company is storing sensitive data in Amazon S3 buckets. They want to ensure that all uploaded objects are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). Which bucket policy statement will enforce this?

Question 155mediummultiple choice
Read the full Data Protection explanation →

A company uses AWS KMS to encrypt data in Amazon RDS. They need to ensure that the key material is automatically rotated every year. Which key type should they use?

Question 156hardmultiple choice
Read the full Data Protection explanation →

A security engineer is designing a data encryption solution for a multi-region application that uses Amazon S3. The solution must use envelope encryption with a key hierarchy that allows the application to encrypt data locally using a data key, while the data key is protected by a master key stored in AWS KMS. The application should be able to decrypt data even if connectivity to AWS KMS is temporarily lost. Which approach meets these requirements?
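
Questions 141 and 156 both turn on mechanics that are easier to see in code than in prose: how an encryption context is bound to a KMS ciphertext, and how envelope encryption lets an application keep decrypting while KMS is unreachable. The Go program below is an added example written for this page, not code from Courseiva, from AWS or from the AWS Encryption SDK. It simulates a KMS key in memory (the MasterKey type; its material is used only inside GenerateDataKey and Decrypt), wraps a per-object data key with AES-256-GCM using the canonicalised encryption context as additional authenticated data, and encrypts the object locally with the plaintext data key. The type names, the department=finance context and the sample plaintext are all constructed for the example. It also binds the context to the object ciphertext itself, which the real S3/KMS integration does not do; that is a deliberate extension so that a context mismatch fails at both layers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"sort"
)

// EncryptionContext holds KMS-style non-secret key/value pairs that are bound
// to a ciphertext as additional authenticated data (AAD).
type EncryptionContext map[string]string

// canonical serialises the context with sorted keys so that equal contexts
// always produce identical AAD bytes.
func (c EncryptionContext) canonical() []byte {
	keys := make([]string, 0, len(c))
	for k := range c {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var out []byte
	for _, k := range keys {
		out = append(out, (k + "=" + c[k] + ";")...)
	}
	return out
}

// SealAEAD encrypts with AES-256-GCM, binding ctx as AAD; the random nonce is
// prepended to the ciphertext.
func SealAEAD(key, plaintext []byte, ctx EncryptionContext) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, ctx.canonical())...), nil
}

// OpenAEAD reverses SealAEAD; a wrong key or a different ctx fails the tag check.
func OpenAEAD(key, sealed []byte, ctx EncryptionContext) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block)
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], ctx.canonical())
}

// MasterKey stands in for the KMS key; its material is never handed to callers.
type MasterKey struct{ material []byte }

func NewMasterKey() (*MasterKey, error) {
	m := make([]byte, 32)
	_, err := rand.Read(m)
	return &MasterKey{material: m}, err
}

// DataKey mirrors the kms:GenerateDataKey response: Plaintext for local use
// (and for caching), Wrapped for storage next to the ciphertext.
type DataKey struct{ Plaintext, Wrapped []byte }

func (m *MasterKey) GenerateDataKey(ctx EncryptionContext) (DataKey, error) {
	dk := make([]byte, 32)
	if _, err := rand.Read(dk); err != nil {
		return DataKey{}, err
	}
	wrapped, err := SealAEAD(m.material, dk, ctx)
	return DataKey{Plaintext: dk, Wrapped: wrapped}, err
}

// Decrypt mirrors kms:Decrypt on a wrapped data key: the same context must be presented.
func (m *MasterKey) Decrypt(wrapped []byte, ctx EncryptionContext) ([]byte, error) {
	return OpenAEAD(m.material, wrapped, ctx)
}

// EncryptObject is the client side of envelope encryption: one data key per
// object, the object encrypted locally, the wrapped key returned for storage.
func EncryptObject(m *MasterKey, plaintext []byte, ctx EncryptionContext) ([]byte, DataKey, error) {
	dk, err := m.GenerateDataKey(ctx)
	if err != nil {
		return nil, dk, err
	}
	ct, err := SealAEAD(dk.Plaintext, plaintext, ctx)
	return ct, dk, err
}

func main() {
	mk, _ := NewMasterKey()
	finance := EncryptionContext{"department": "finance"}
	ct, dk, _ := EncryptObject(mk, []byte("acct=1234"), finance)
	// A cached plaintext data key decrypts locally; no master-key call is needed.
	pt, err := OpenAEAD(dk.Plaintext, ct, finance)
	fmt.Printf("cached key: %q err=%v\n", pt, err)
	// Unwrapping with a different context fails authentication.
	_, err = mk.Decrypt(dk.Wrapped, EncryptionContext{"department": "hr"})
	fmt.Println("hr context:", err)
}
```

Two things to read off the output. First, the plaintext data key decrypts the object with no master-key involvement at all, which is what lets an application ride out a loss of connectivity to KMS: it keeps recently used data keys in memory and only calls Decrypt on the wrapped copy for keys it has not seen. That convenience is also the risk, so cache lifetimes and a cap on how many objects share one data key are the settings to review. Second, unwrapping with department=hr fails with an authentication error even though the key and ciphertext are correct; that is the cryptographic half of the encryption-context story. The kms:EncryptionContext:department condition in the question 141 exhibit is the authorization half: IAM evaluates it against the context supplied in the request before the key is touched, so a caller who sends department=hr for a finance ciphertext is refused by policy first and, if they somehow got past that, by the tag check second.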

Question 157easymultiple choice
Read the full Data Protection explanation →

A company uses AWS CloudTrail to log data events for S3 buckets. They notice that some S3 object-level API calls are not being logged. Which configuration could be the cause?

Question 158mediummultiple choice
Read the full Data Protection explanation →

A company needs to encrypt data at rest in Amazon Redshift. They want to use an AWS KMS customer managed key. What is the correct procedure to enable encryption for an existing Redshift cluster?

Question 159hardmultiple choice
Read the full Data Protection explanation →

A company has an Amazon S3 bucket with versioning enabled. They want to ensure that all objects in the bucket are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). They also want to prevent any future uploads that are not encrypted with SSE-KMS. Which combination of actions should they take?

Question 160easymultiple choice
Read the full Data Protection explanation →

A company uses AWS Secrets Manager to store database credentials. They need to rotate the secrets automatically every 30 days. Which rotation strategy should they use?

Question 161mediummultiple choice
Read the full Data Protection explanation →

A company stores sensitive data in an Amazon S3 bucket. They want to ensure that data is encrypted in transit when accessed from the internet. Which policy should they attach to the bucket?

Question 162hardmultiple choice
Read the full Data Protection explanation →

A company uses AWS KMS to encrypt EBS volumes. They want to ensure that the key used for EBS encryption is not shared across different AWS accounts. Which feature should they use?

Question 163mediummulti select
Read the full Data Protection explanation →

Which TWO AWS services can be used to monitor and audit data access patterns to Amazon S3 buckets? (Choose 2.)

Question 164hardmulti select
Read the full Data Protection explanation →

Which THREE actions are required to enforce encryption in transit for an Amazon S3 bucket? (Choose 3.)

Question 165easymulti select
Read the full Data Protection explanation →

Which TWO AWS services provide key management for encryption at rest? (Choose 2.)

Question 166mediummultiple choice
Read the full Data Protection explanation →

A security engineer runs the command shown in the exhibit. What is the primary purpose of this command?

Exhibit

Refer to the exhibit.
```
aws kms encrypt --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --plaintext fileb://secret.txt --output text --query CiphertextBlob | base64 --decode > encrypted_secret.txt
```
Question 167hardmultiple choice
Read the full Data Protection explanation →

A security engineer applies the bucket policy shown in the exhibit to an S3 bucket. What is the effect of this policy?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```
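
Questions 91, 127, 143 and 167 all ask the reader to recognise what a given S3 bucket policy does or fails to do. The Go program below is an added example written for this page, not part of any AWS tool or of Courseiva's material: a small static audit that parses a bucket policy and reports whether it contains the Deny statements that require SSE-KMS (the StringNotEquals check), reject uploads with no SSE header at all (the Null check) and refuse non-TLS requests (aws:SecureTransport), and whether any Allow is granted to Principal "*". It checks for the presence of those statements and deliberately does not re-implement IAM's evaluation of a request, so it tells you what a policy contains, not how AWS would decide a particular call. The three policies embedded as constants are copied from the exhibits on this page; the check names and the Go types are made up for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement decodes Principal, Action and condition values loosely because
// each may be a string, a list or a nested {"AWS": ...} block.
type Statement struct {
	Effect    string                            `json:"Effect"`
	Principal interface{}                       `json:"Principal"`
	Action    interface{}                       `json:"Action"`
	Condition map[string]map[string]interface{} `json:"Condition"`
}

type Policy struct{ Statement []Statement }

// asStrings flattens a string, list or nested block into a list of strings.
func asStrings(v interface{}) []string {
	var out []string
	switch t := v.(type) {
	case string:
		out = append(out, t)
	case []interface{}:
		for _, e := range t {
			out = append(out, asStrings(e)...)
		}
	case map[string]interface{}:
		for _, e := range t {
			out = append(out, asStrings(e)...)
		}
	}
	return out
}

// hasValue is case-insensitive, matching how IAM compares condition keys.
func hasValue(vals []string, want string) bool {
	for _, v := range vals {
		if strings.EqualFold(v, want) {
			return true
		}
	}
	return false
}

// findDeny: is there a Deny reaching action (directly or via s3:* / *) with Condition{op:{key:value}}?
func findDeny(p Policy, action, op, key, value string) bool {
	for _, s := range p.Statement {
		acts := asStrings(s.Action)
		if !strings.EqualFold(s.Effect, "Deny") ||
			!(hasValue(acts, action) || hasValue(acts, "s3:*") || hasValue(acts, "*")) {
			continue
		}
		for o, keys := range s.Condition {
			for k, v := range keys {
				if strings.EqualFold(o, op) && strings.EqualFold(k, key) && hasValue(asStrings(v), value) {
					return true
				}
			}
		}
	}
	return false
}

// Checks: control name -> {action, condition operator, condition key, expected value}.
var Checks = map[string][4]string{
	"require-kms-header":  {"s3:PutObject", "StringNotEquals", "s3:x-amz-server-side-encryption", "aws:kms"},
	"deny-missing-header": {"s3:PutObject", "Null", "s3:x-amz-server-side-encryption", "true"},
	"require-tls":         {"s3:*", "Bool", "aws:SecureTransport", "false"},
}

// Audit runs every check and also flags any Allow granted to Principal "*".
func Audit(p Policy) map[string]bool {
	out := map[string]bool{"anonymous-allow": false}
	for name, c := range Checks {
		out[name] = findDeny(p, c[0], c[1], c[2], c[3])
	}
	for _, s := range p.Statement {
		out["anonymous-allow"] = out["anonymous-allow"] || strings.EqualFold(s.Effect, "Allow") && hasValue(asStrings(s.Principal), "*")
	}
	return out
}

// The policies below are the ones shown in the exhibits on this page.
const (
	PolicyRequireKMS = `{"Version":"2012-10-17","Statement":[
	 {"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::my-bucket/*","Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption":"aws:kms"}}},
	 {"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::my-bucket/*","Condition":{"Null":{"s3:x-amz-server-side-encryption":"true"}}}]}`
	PolicyRequireTLS = `{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Principal":"*","Action":"s3:*","Resource":"arn:aws:s3:::example-bucket/*","Condition":{"Bool":{"aws:SecureTransport":"false"}}}]}`
	PolicyPublicRead = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-secure-bucket/*"}]}`
)

func main() {
	var p Policy
	if err := json.Unmarshal([]byte(PolicyRequireKMS), &p); err != nil {
		panic(err)
	}
	fmt.Println(Audit(p))
}
```

Against the question 167 policy the audit reports both SSE checks present and no TLS requirement; against the question 143 policy it reports only require-tls; against the question 91 policy it reports anonymous-allow, which is the public s3:GetObject grant sitting behind the otherwise careful versioning and MFA Delete settings in that exhibit. The reason the two SSE statements are checked separately is that they cover different requests, one with the wrong header value and one with no header, and a policy that carries only one of them is worth a second look; the audit leaves the question of how IAM treats a missing condition key to the IAM documentation rather than encoding an assumption about it.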
Question 168easymultiple choice
Read the full Data Protection explanation →

A security engineer runs the command shown in the exhibit. What is the outcome?

Exhibit

Refer to the exhibit.
```
aws s3api put-bucket-encryption --bucket my-bucket --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
```
Question 169mediummultiple choice
Read the full Data Protection explanation →

A company needs to encrypt data at rest in Amazon S3 using customer-provided encryption keys. The keys must be stored securely and rotated automatically every 90 days. Which solution meets these requirements?

Question 170hardmultiple choice
Read the full Data Protection explanation →

A security engineer is designing a solution to protect sensitive data in an Amazon RDS for MySQL database. The data must be encrypted at rest using a key stored in AWS KMS. Additionally, the database must support automated backups and cross-region disaster recovery. Which architecture meets these requirements?

Question 171easymultiple choice
Read the full Data Protection explanation →

A company uses Amazon S3 to store sensitive documents. The security team wants to ensure that all objects are encrypted at rest using server-side encryption. Additionally, any attempt to upload an unencrypted object must be denied. What should the security team do?

Question 172mediummultiple choice
Read the full Data Protection explanation →

A company wants to securely share an Amazon S3 object with an external partner. The partner needs to download the object using an HTTP GET request. The object must be accessible for only 24 hours. What is the most secure way to grant access?

Question 173mediummultiple choice
Read the full Data Protection explanation →

A company runs a web application on Amazon EC2 instances that processes credit card data. The application must store the data in an encrypted format. The security team wants to minimize the performance impact of encryption and offload the encryption operations to a dedicated hardware security module (HSM). Which solution should the architect choose?

Question 174 (easy, multiple choice)

A company stores sensitive data in an Amazon S3 bucket. The security team requires that all data in transit between the company's on-premises data center and S3 be encrypted. Which solution meets this requirement?

Question 175 (hard, multiple choice)

A company uses AWS KMS to encrypt data in Amazon S3. The security team notices that a KMS key has been deleted accidentally, causing data loss. The company wants to implement a solution to prevent accidental key deletion and enable recovery. What should the security team do?

Question 176 (easy, multiple choice)

A company is migrating sensitive data to Amazon S3. The data must be encrypted at rest using keys managed by the company. The company also requires an audit trail of key usage. Which solution meets these requirements?

Question 177 (hard, multiple choice)

A company's security policy requires that all data stored in Amazon S3 be encrypted using envelope encryption with a key hierarchy. The master key must be stored in a hardware security module (HSM) that is FIPS 140-2 Level 3 validated. Which solution should the company implement?

Question 178 (medium, multi select)

A company needs to encrypt data at rest for an Amazon RDS for Oracle database. The database is deployed in a Multi-AZ configuration. The company also wants to encrypt automated backups and snapshots. Which TWO steps should the security team take?

Question 179 (hard, multi select)

A company is designing a data protection strategy for Amazon EFS file systems. The security team requires encryption at rest and in transit. Additionally, the team needs to control which KMS keys can be used to encrypt the file system. Which THREE steps should the team take?

Question 180 (easy, multi select)

A company wants to protect data stored in Amazon S3 Glacier. The data must be encrypted at rest and the encryption keys must be rotated annually. Which TWO options meet these requirements?

Question 181 (medium, multiple choice)

Refer to the exhibit. A security engineer applies the bucket policy shown to an S3 bucket. The engineer attempts to upload a file using the AWS CLI without specifying any encryption. What is the outcome?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}

Question 182 (hard, multiple choice)

Refer to the exhibit. A user named John encrypts a file using the AWS CLI. John then tries to decrypt the file but receives an AccessDenied error. John has full administrator permissions in IAM. What is the most likely cause?

Exhibit

Refer to the exhibit.

$ aws kms encrypt --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --plaintext fileb://secret.txt --output text --query CiphertextBlob
AQICAHg...
$ aws kms decrypt --ciphertext-blob fileb://encrypted.secret --query Plaintext

Question 183 (easy, multiple choice)

Refer to the exhibit. A security engineer reviews the bucket policy for an S3 bucket. The engineer attempts to upload an object to the bucket using the AWS CLI without the --ssl flag (HTTP). What is the outcome?

Exhibit

Refer to the exhibit.

$ aws s3api get-bucket-policy --bucket my-secure-bucket
{
    "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::my-secure-bucket/*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}}]}"
}

Question 184 (medium, multiple choice)

A company wants to encrypt data at rest in Amazon S3 using server-side encryption. They must manage the encryption keys themselves and rotate them annually. Which S3 encryption option should they use?

Question 185 (easy, multiple choice)

A security engineer needs to ensure that all data in transit between an Application Load Balancer and EC2 instances is encrypted using TLS. Which configuration is required?

Question 186 (hard, multiple choice)

A company uses AWS KMS to encrypt data in Amazon S3. They need to audit all KMS key usage for an S3 bucket. Which AWS service should be used to capture KMS Decrypt API calls?

Question 187 (medium, multiple choice)

A company stores sensitive data in Amazon S3 and requires that objects are automatically encrypted using server-side encryption with AWS KMS. The bucket policy must deny any PUT request that does not include the x-amz-server-side-encryption header with value aws:kms. Which bucket policy condition key should be used?

Question 188 (easy, multiple choice)

A company wants to protect data in transit between an on-premises data center and AWS over the internet. Which AWS service should they use to create a dedicated, encrypted connection?

Question 189 (hard, multiple choice)

A security engineer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket via a VPC endpoint. The bucket policy allows access only from the VPC endpoint. The instance has an IAM role that grants s3:GetObject on the bucket. The EC2 instance receives an AccessDenied error. What is the most likely cause?

Question 190 (medium, multiple choice)

A company uses AWS KMS to encrypt data in Amazon RDS. The security team needs to ensure that the KMS key cannot be deleted accidentally. Which action should be taken?

Question 191 (hard, multiple choice)

A company has an S3 bucket with versioning enabled. They want to ensure that all deleted objects are retained for 90 days before permanent deletion. Which S3 feature should be used?

Question 192 (easy, multiple choice)

A company needs to encrypt data at rest in Amazon EBS volumes. They want to use an AWS managed key that is automatically rotated. Which encryption option should they choose?

Question 193 (medium, multi select)

A security engineer is designing a data protection strategy for Amazon RDS for PostgreSQL. The database contains sensitive personal information. Which TWO actions should the engineer take to protect the data at rest? (Choose TWO.)

Question 194 (medium, multi select)

A company uses AWS KMS to encrypt sensitive data. The security team wants to ensure that KMS keys are not used by unauthorized principals. Which TWO measures should be implemented? (Choose TWO.)

Question 195 (hard, multi select)

A company is designing a data protection solution for Amazon S3. They need to ensure that all objects are encrypted at rest and that any attempt to upload an unencrypted object is denied. Which THREE steps should they take? (Choose THREE.)

Question 196 (medium, multiple choice)

Refer to the exhibit. A security engineer applies the bucket policy shown to an S3 bucket. A developer attempts to upload an object with the header x-amz-server-side-encryption: AES256. What will happen?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}

Question 197 (hard, multiple choice)

Refer to the exhibit. A security engineer runs the AWS CLI command shown and receives an AccessDenied error. The IAM user Alice has a policy that grants kms:Decrypt on all resources. What is the most likely cause of the error?

Exhibit

Refer to the exhibit.

$ aws kms decrypt --ciphertext-blob fileb://encrypted.txt --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

Question 198 (easy, multiple choice)

Refer to the exhibit. A security engineer runs the command shown and gets the output. What does this output indicate about the bucket's encryption configuration?

Exhibit

Refer to the exhibit.

$ aws s3api get-bucket-encryption --bucket DOC-EXAMPLE-BUCKET
{
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "AES256"
                }
            }
        ]
    }
}

Question 199 (medium, multiple choice)

A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which key type meets this requirement?

Question 200 (hard, multiple choice)

A financial services company is designing a data protection strategy for its DynamoDB table containing sensitive customer data. The table has a global secondary index (GSI). The company needs to encrypt the data at rest using a customer managed key (CMK) that is rotated annually. Which solution meets these requirements?

Question 201 (easy, multiple choice)

A company uses Amazon S3 to store confidential documents. The security team wants to ensure that all objects are encrypted at rest using server-side encryption with AES-256. Which S3 encryption option should be used?

Question 202 (hard, multiple choice)

A company uses AWS KMS to encrypt its RDS database. The security team needs to ensure that the key can be used only from within the company's VPC and not from the internet. Which action should be taken?

Question 203 (medium, multiple choice)

A company is using Amazon S3 to store backup files that must be retained for 7 years. The files are accessed infrequently but must be available within minutes when needed. The company wants to minimize storage costs while ensuring data is encrypted at rest. Which storage class and encryption combination is most cost-effective?

Question 204 (easy, multiple choice)

A company needs to encrypt data at rest in its Amazon EBS volumes. The company wants to use an encryption key that is automatically rotated every year without any manual intervention. Which key type should be used?

Question 205 (hard, multiple choice)

A company uses AWS KMS to encrypt data in Amazon S3. The security team needs to audit all KMS key usage, including who used the key, when, and what operation was performed. Which AWS service should be used to meet this requirement?

Question 206 (medium, multiple choice)

A company is designing a data protection strategy for its Amazon RDS for MySQL database. The database contains sensitive data that must be encrypted at rest. The company also needs to manage the encryption keys using its own HSM. Which solution should be used?

Question 207 (easy, multiple choice)

A company is using Amazon S3 to store sensitive data. The security team wants to ensure that all data is encrypted in transit between the company's on-premises data center and AWS. Which solution should be used?

Question 208 (hard, multi select)

A company is designing a data protection strategy for its Amazon S3 bucket that stores sensitive customer data. The bucket must be encrypted at rest using a customer managed key (CMK) that is stored in AWS KMS. The company also needs to ensure that only authorized users can decrypt objects. Which TWO actions should the company take?

Question 209 (medium, multi select)

A company uses AWS KMS to encrypt data in Amazon RDS. The security team wants to ensure that the KMS key can be used only by specific IAM roles and that all usage of the key is logged. Which TWO actions should the team take?

Question 210 (hard, multi select)

A company is implementing a data protection strategy for its Amazon S3 bucket that contains sensitive data. The company requires that all objects be encrypted at rest using server-side encryption with a customer managed key (SSE-KMS). Additionally, the company wants to ensure that only a specific IAM role can decrypt objects. Which THREE actions should the company take?

Question 211 (medium, multiple choice)

Refer to the exhibit. A security engineer is reviewing the key policy for a customer managed key. The engineer notices that a user with the IAM role 'Admin' can encrypt and decrypt data using this key. However, the engineer wants to ensure that only requests coming from the company's VPC (vpc-12345678) can use the key. What should be added to the key policy?

Exhibit

Refer to the exhibit.

aws kms get-key-policy --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --policy-name default
{
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/Admin"},
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/Admin"},
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}
        }
    ]
}

Question 212 (hard, multiple choice)

Refer to the exhibit. A security engineer is reviewing the bucket encryption configuration. The bucket is used to store sensitive data. The company policy requires that all objects be encrypted using AWS KMS with a customer managed key. What should the engineer do to meet the policy?

Exhibit

Refer to the exhibit.

aws s3api get-bucket-encryption --bucket my-encrypted-bucket
{
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "AES256"
                },
                "BucketKeyEnabled": false
            }
        ]
    }
}

Question 213 (hard, multiple choice)

Refer to the exhibit. A security engineer is reviewing the CloudWatch Logs configuration for a Lambda function. The log group is encrypted with a customer managed key. The engineer needs to ensure that only the Lambda service can write logs to this log group and that only a specific IAM role can read logs. Which additional configuration is required?

Exhibit

Refer to the exhibit.

aws logs describe-log-groups --log-group-name-prefix /aws/lambda/my-function
{
    "logGroups": [
        {
            "logGroupName": "/aws/lambda/my-function",
            "creationTime": 1625097600000,
            "metricFilterCount": 0,
            "arn": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/my-function:*",
            "storedBytes": 0,
            "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ]
}

Question 214 (medium, multiple choice)

A company stores sensitive customer data in Amazon S3. To comply with data protection regulations, they need to automatically prevent any new objects from being made publicly accessible. Which S3 feature should they configure?

Question 215 (hard, multiple choice)

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that only specific IAM roles can decrypt objects. Which KMS key policy configuration should be used?

Question 216 (easy, multiple choice)

A company needs to protect data at rest on Amazon EBS volumes attached to EC2 instances. Which solution provides the most control over the encryption keys?

Question 217 (hard, multiple choice)

A company uses Amazon RDS for MySQL with encryption at rest enabled using AWS KMS. They need to ensure that automated backups and snapshots are also encrypted. Which configuration is required?

Question 218 (medium, multiple choice)

A company uses AWS Secrets Manager to rotate database credentials automatically. The security team wants to ensure that while the secret is being rotated, applications can always retrieve a valid credential. Which rotation strategy should be used?

Question 219 (easy, multiple choice)

A company needs to share an encrypted Amazon S3 object with another AWS account. The object is encrypted with an AWS KMS customer managed key. Which steps are required?

Question 220 (medium, multiple choice)

A company is designing a data protection solution for Amazon S3 that must prevent any user from accidentally deleting objects. Which combination of S3 features should be used?

Question 221 (hard, multiple choice)

A company stores sensitive data in Amazon DynamoDB and uses AWS KMS with a customer managed key for encryption. The security team wants to ensure that only specific applications can access the table data. Which policy configuration should be used?

Question 222 (easy, multiple choice)

A company wants to protect data in transit between an on-premises application and Amazon S3. Which solution provides the highest security?

Question 223 (medium, multi select)

A company is using AWS KMS to encrypt data in Amazon S3. They need to ensure that the KMS key can only be used from within a specific VPC. Which TWO actions should be taken?

Question 224 (hard, multi select)

A company uses Amazon Redshift with encryption at rest using AWS KMS. They want to ensure that automated snapshots are encrypted with the same key and that cross-account snapshot sharing is secured. Which THREE steps should be taken?

Question 225 (easy, multi select)

A company needs to implement data protection for Amazon EFS file systems. Which TWO features should be configured?

Question 226 (easy, multiple choice)

A company stores sensitive customer data in an S3 bucket. The security team requires that all data be encrypted at rest using a customer-managed KMS key. What should the team configure to enforce this requirement?

Question 227 (medium, multiple choice)

A company is migrating on-premises databases to Amazon RDS for MySQL. The security team requires that data be encrypted at rest and in transit. Which combination of steps should the team take to meet these requirements?

Question 228 (hard, multiple choice)

A company uses AWS KMS to encrypt secrets stored in AWS Secrets Manager. The security team wants to audit all KMS key usage, including attempts to use the key without proper authorization. Which AWS service should the team use to meet this requirement?

Question 229 (easy, multiple choice)

A company has an S3 bucket that stores financial records. The security team wants to ensure that any object uploaded to the bucket is automatically encrypted with a specific AWS KMS key. The team creates a bucket policy that denies s3:PutObject unless the request includes the correct encryption header. However, some users who upload objects using the AWS Management Console report that their uploads fail. What is the most likely cause?

Question 230 (medium, multiple choice)

A company uses AWS KMS to encrypt data in Amazon S3. The security team notices that some KMS key usage is not being logged in AWS CloudTrail. What is the most likely reason for this?

Question 231 (hard, multiple choice)

A company uses Amazon EBS volumes for EC2 instances. The security team requires that all EBS volumes be encrypted at rest. The team creates an AWS Config rule to check whether EBS volumes are encrypted. However, some volumes are non-compliant even though they have encryption enabled. What is the most likely reason?

Question 232 (easy, multiple choice)

A company wants to encrypt data at rest in Amazon S3 using server-side encryption with Amazon S3-managed keys (SSE-S3). What is the minimum permission required for an IAM user to upload an object that will be encrypted with SSE-S3?

Question 233 (medium, multiple choice)

A company stores sensitive data in an S3 bucket and uses AWS KMS to encrypt the data. The security team wants to ensure that only specific IAM roles can decrypt the data. What should the team do?

Question 234 (hard, multiple choice)

A company stores data in Amazon S3 and uses AWS KMS with Customer Master Keys (CMKs) for encryption. The security team wants to audit when the CMK is used to decrypt data. Which of the following will provide this information?

Question 235 (medium, multi select)

A company wants to protect sensitive data stored in Amazon S3. Which TWO actions should the company take to meet this goal? (Choose TWO.)

Question 236 (medium, multi select)

A company uses AWS KMS to encrypt data. The security team wants to ensure that KMS keys are not used outside of the company's AWS account. Which TWO measures would help achieve this? (Choose TWO.)

Question 237 (hard, multi select)

A company is designing a data protection strategy for Amazon S3. The compliance team requires that all objects be encrypted at rest and that any attempt to upload an unencrypted object be blocked. Which THREE steps should the company take? (Choose THREE.)

Question 238 (medium, multiple choice)

Refer to the exhibit. An administrator applies this bucket policy to an S3 bucket. Which of the following statements describes the effect of this policy?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```

Question 239 (hard, multiple choice)

Refer to the exhibit. A security engineer configures the above KMS key policy. The DataAccess role is used by an application that runs on EC2 instances in the us-east-1 region. The application needs to read encrypted objects from an S3 bucket in the same region. Which of the following is true about this configuration?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/DataAccess"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

Question 240 (easy, multiple choice)

Refer to the exhibit. A security engineer runs the above AWS CLI command to encrypt a secret file. The command succeeds and returns a base64-encoded ciphertext. Which of the following statements is correct?

Exhibit

Refer to the exhibit.

aws kms encrypt --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --plaintext fileb://secret.txt --output text --query CiphertextBlob

Question 241 (easy, multiple choice)

A company wants to protect sensitive data stored in Amazon S3 by encrypting it at rest. Which AWS service can be used to manage the encryption keys?

Question 242 (easy, multiple choice)

A company needs to ensure that data in transit between an EC2 instance and an RDS database is encrypted. Which solution meets this requirement?

Question 243 (medium, multiple choice)

A company is using AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt the data. What is the MOST secure way to enforce this?

Question 244 (medium, multiple choice)

A company wants to protect sensitive data stored in Amazon S3 by enforcing encryption in transit. Which policy should be used to deny requests that do not use HTTPS?

Question 245 (hard, multiple choice)

A company uses AWS KMS with a customer managed key to encrypt an S3 bucket. The security team notices that the KMS key is being used by an unintended IAM role. What is the MOST effective way to restrict the key usage to only the intended role?

Question 246 (hard, multiple choice)

A company needs to ensure that data in Amazon S3 is encrypted at rest using envelope encryption. The company wants to rotate the encryption key every 90 days. Which solution meets these requirements with minimal operational overhead?

Question 247 (easy, multiple choice)

A company wants to ensure that data stored in Amazon EBS volumes is encrypted at rest. What is the easiest way to achieve this?

Question 248 (medium, multiple choice)

A company uses AWS KMS to encrypt data in Amazon Redshift. The security team needs to ensure that the KMS key cannot be deleted accidentally. What should be done?

Question 249 (hard, multiple choice)

A company is using AWS KMS to encrypt data in Amazon S3. The security team discovers that an S3 bucket has a bucket policy that allows s3:PutObject without requiring encryption. What is the risk?

Question 250 (medium, multi select)

Which TWO of the following are valid ways to enforce encryption at rest for data in Amazon S3? (Choose TWO.)

Question 251 (medium, multi select)

Which TWO of the following are best practices for protecting data in transit? (Choose TWO.)

Question 252 (hard, multi select)

Which THREE of the following are valid key management features of AWS KMS? (Choose THREE.)

Question 253 (medium, multiple choice)

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. Which policy should be attached to the KMS key to enforce this restriction?

Question 254 (easy, multiple choice)

A company wants to protect data stored in Amazon S3 by encrypting it at rest using keys managed by the company. Which encryption option should be used?

Question 255 (hard, multiple choice)

A security engineer is troubleshooting an issue where an Amazon RDS for MySQL DB instance is not encrypting data at rest. The DB instance was created without encryption. The engineer needs to enable encryption without significant downtime. What is the MOST effective approach?

Question 256 (medium, multiple choice)

A company uses AWS CloudHSM to store encryption keys. The security team wants to ensure that keys stored in CloudHSM are backed up and can be restored in another AWS Region. What is the BEST approach?

Question 257 (easy, multiple choice)

A company needs to ensure that data in transit between an on-premises data center and Amazon S3 is encrypted. The data will be transferred using HTTPS. What additional step should be taken to ensure the encryption is enforced?

Question 258 (hard, multiple choice)

A company has a critical application that stores sensitive data in Amazon DynamoDB. The security team requires that all data stored in DynamoDB is encrypted at rest using a customer-managed KMS key. Additionally, they want to ensure that the key can be rotated automatically every year. Which combination of actions should be taken?

Question 259 (medium, multiple choice)

A company uses Amazon S3 to store sensitive documents. The security policy requires that all objects in the bucket are encrypted at rest. The bucket currently has default encryption configured with SSE-S3. A new requirement mandates that all objects must be encrypted with SSE-KMS using a specific customer-managed key. What is the MOST efficient way to enforce this without re-uploading existing objects?

Question 260 (easy, multiple choice)

A company wants to protect sensitive data stored in an Amazon EBS volume. The volume is attached to an EC2 instance. Which action should be taken to ensure data at rest is encrypted?

Question 261 (hard, multiple choice)

A company uses AWS Secrets Manager to store database credentials. The security team needs to ensure that secrets are automatically rotated every 30 days. The rotation function must be implemented with minimal operational overhead. Which approach should be used?

Question 262 (easy, multi select)

Which TWO of the following are valid options for encrypting data at rest in Amazon S3? (Choose 2.)

Question 263 (medium, multi select)

Which THREE of the following are best practices for protecting data in transit within AWS? (Choose 3.)

Question 264 (hard, multi select)

Which TWO of the following are valid methods to enforce encryption at rest for an Amazon RDS for PostgreSQL DB instance? (Choose 2.)

Question 265 (medium, multiple choice)

Refer to the exhibit. A security engineer applies the above bucket policy to an S3 bucket. What is the effect of this policy?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}

Question 266 (hard, multiple choice)

Refer to the exhibit. A user receives the above error when trying to decrypt a file using AWS KMS. The key policy is shown below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AdminRole"
      },
      "Action": "kms:Decrypt",
      "Resource": "*"
    }
  ]
}

What is the likely cause of the error?

Exhibit

aws kms decrypt --ciphertext-blob fileb://encrypted-data --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

Question 267 (hard, multiple choice)

A company runs a critical application on Amazon EC2 instances that store sensitive data on EBS volumes. The security team has enabled EBS encryption by default for the region. However, after a recent security audit, it was discovered that some EBS volumes are not encrypted. The team finds that these volumes were created before the default encryption setting was enabled. The company's security policy mandates that all EBS volumes must be encrypted at rest, and the process must minimize downtime. The application cannot tolerate more than 5 minutes of downtime. The EC2 instances are running production workloads. What should the security engineer do to remediate the unencrypted volumes?

Question 268 (easy, multiple choice)

A company stores sensitive customer data in Amazon S3. They want to ensure that all objects are encrypted at rest using server-side encryption with AWS KMS. Which S3 bucket policy statement should be added to deny uploads that do not request SSE-KMS?

Question 269 (medium, multiple choice)

A security engineer is configuring a new Amazon RDS for MySQL database. The compliance team requires that all database connections be encrypted in transit. Which configuration ensures this requirement is met?

Question 270 (hard, multiple choice)

A financial company uses AWS KMS to encrypt sensitive data. The security team notices that a KMS key has been deleted, but the encrypted data is still needed for a short period. What is the fastest way to make the data decryptable again?

Question 271 (easy, multiple choice)

A company uses AWS Secrets Manager to rotate secrets for an RDS database. The rotation fails with an error indicating that the secret cannot be accessed. What is the most likely cause?

Question 272 (medium, multiple choice)

A company wants to protect data at rest in Amazon S3 using client-side encryption. The application will run on Amazon EC2 instances. Which approach meets these requirements?

Question 273 (hard, multiple choice)

A company uses AWS CloudHSM to generate and store encryption keys for a custom application. The security team is concerned about key durability and wants to ensure that keys are not lost if the HSM fails. Which action should be taken?

Question 274 (easy, multiple choice)

A company wants to encrypt data in transit between an on-premises data center and AWS over a VPN connection. Which AWS service or feature should be used?

Question 275 (medium, multiple choice)

A company needs to protect sensitive data in Amazon S3 from accidental deletion or overwriting. The data must be retained for at least 7 years after creation. Which combination of S3 features should be used?

Question 276 (hard, multiple choice)

Refer to the exhibit. An administrator is investigating why an application that uses KMS for encryption is failing. The IAM role used by the application has the following policy attached:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}

What is the most likely cause of the failure?

Exhibit

[ec2-user@ip-10-0-1-5 ~]$ aws kms list-keys
{
    "Keys": [
        {
            "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
            "KeyArn": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ]
}
[ec2-user@ip-10-0-1-5 ~]$ aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
    "KeyMetadata": {
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Arn": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "CreationDate": "2023-01-15T10:00:00-05:00",
        "Enabled": false,
        "KeyState": "Disabled",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeySpec": "SYMMETRIC_DEFAULT"
    }
}

Question 277 (easy, multi select)

A company wants to protect sensitive data in Amazon S3 by ensuring that all objects are encrypted at rest. Which TWO options meet this requirement? (Choose TWO.)

Question 278 (medium, multi select)

A company is designing a data protection strategy for Amazon EBS volumes. Which THREE practices should be implemented? (Choose THREE.)

Question 279 (hard, multi select)

A company needs to protect data in Amazon S3 by ensuring that only authorized users can access objects, and all access is logged. Which TWO services should be used together? (Choose TWO.)

Question 280 (medium, multiple choice)

A company runs a web application on Amazon EC2 behind an Application Load Balancer (ALB). The application handles payment card information (PCI) and must comply with PCI DSS. The security team wants to ensure that all data in transit between the client and the ALB is encrypted using TLS 1.2 or higher. The ALB currently uses a default certificate from AWS Certificate Manager (ACM) that was issued by Amazon. The compliance team has flagged that the certificate must be issued by a public Certificate Authority (CA) that is trusted by major browsers. The company wants to minimize operational overhead. What should the security team do?

Question 281 (hard, multiple choice)

A company uses Amazon S3 to store sensitive documents. The security engineer notices that an S3 bucket named 'documents-prod' has been configured with a bucket policy that allows s3:PutObject from any principal, but only if the request includes the x-amz-server-side-encryption header set to 'AES256'. The company's security policy requires that all objects be encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). The engineer needs to ensure that any new objects uploaded to the bucket are encrypted with SSE-KMS, and that existing objects remain accessible. What should the engineer do?

Question 282 (easy, multiple choice)

A company uses Amazon RDS for MySQL to store customer data. The security team wants to ensure that the database is encrypted at rest. The database is already running and contains production data. The team needs to enable encryption at rest with minimal downtime. What should they do?

Question 283 (medium, multiple choice)

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. Which policy configuration should be used?

Question 284 (hard, multiple choice)

A financial services company must ensure that all data written to Amazon S3 is encrypted at rest and that the encryption keys are rotated every 90 days. The company also needs to maintain an audit trail of when keys were used. Which solution meets these requirements with the least operational overhead?

Question 285 (easy, multiple choice)

A company is designing a disaster recovery plan for its Amazon RDS for MySQL database. The database must be encrypted at rest. Which approach ensures that the database is encrypted and can be restored in another AWS Region?

Question 286 (medium, multiple choice)

A company uses AWS Organizations and wants to enforce that all S3 buckets created in any account within the organization have default encryption enabled. Which policy should be used?

Question 287 (hard, multiple choice)

A company uses Amazon EBS volumes for EC2 instances. Security policy requires that all EBS volumes be encrypted at rest. The company already has a default KMS key for EBS encryption. However, some new volumes are created without encryption. What is the most efficient way to enforce encryption for all new EBS volumes?

Question 288 (medium, multi select)

A company stores sensitive data in Amazon S3. The security team needs to ensure that data is encrypted at rest and that access is logged. Which TWO actions meet these requirements?

Question 289 (medium, multi select)

A company is using Amazon RDS for PostgreSQL with encryption at rest using AWS KMS. The security team wants to ensure that only a specific set of IAM roles can manage the KMS key used for encryption. Which TWO steps should the team take?

Question 290 (hard, multi select)

A company is migrating on-premises file servers to Amazon EFS. The data must be encrypted at rest and in transit. Which THREE steps should the company take to meet these requirements?

Question 291 (hard, multi select)

A company has an AWS Lambda function that processes sensitive data and writes the results to an Amazon S3 bucket. The security team requires that the data is encrypted at rest in S3 and that the Lambda function has the minimum permissions necessary. Which THREE actions should the team take?

Question 292 (medium, multiple choice)

Refer to the exhibit. An S3 bucket policy is shown. An administrator uploads an object to 'example-bucket' without specifying any encryption header. What is the outcome?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
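
Questions 265, 268, 281 and 292 all turn on how a bucket-policy Deny interacts with the s3:x-amz-server-side-encryption request key. The evaluator below is an added example written for this page, not code from the question bank or from AWS. It models the exhibit's single-statement policy beside the two-statement pattern AWS documents for requiring SSE-KMS, and runs constructed PutObject requests through both. The bucket name, object key and sample headers are assumptions made for the example.

```python
"""Offline evaluator for S3 bucket-policy Deny statements that enforce
server-side encryption on PutObject.

Added example, not from the question bank. It models only the slice of
IAM evaluation these questions turn on: explicit Deny statements,
Action/Resource wildcard matching, and the StringEquals, StringNotEquals
and Null operators applied to the s3:x-amz-server-side-encryption key.
Bucket name and sample requests are constructed for the example.
"""
from fnmatch import fnmatchcase

BUCKET_ARN = "arn:aws:s3:::example-bucket"
SSE_KEY = "s3:x-amz-server-side-encryption"

# Single-statement policy from the exhibit: deny PutObject unless the
# header equals AES256 (SSE-S3).
EXHIBIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"{BUCKET_ARN}/*",
        "Condition": {"StringNotEquals": {SSE_KEY: "AES256"}},
    }],
}

# Two-statement pattern AWS documents for requiring SSE-KMS: one statement
# rejects a wrong header value, a second uses Null so a request that omits
# the header is denied by an explicit statement.
REQUIRE_SSE_KMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {"StringNotEquals": {SSE_KEY: "aws:kms"}},
        },
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {"Null": {SSE_KEY: "true"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_satisfied(condition, context):
    """True when every operator/key pair in the Condition block holds.

    A key absent from the request context is treated as satisfying only
    the Null operator; the ...IfExists variants are not modelled.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Null":
                # "true" asserts the key is absent, "false" that it is present.
                want_absent = str(_as_list(expected)[0]).lower() == "true"
                if (actual is None) != want_absent:
                    return False
            elif actual is None:
                return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def evaluate_put_object(policy, object_key, headers):
    """Return ('DENY', sid) if an explicit Deny matches, else ('ALLOW', None).

    `headers` are the HTTP headers sent with PutObject; only
    x-amz-server-side-encryption is mapped into the condition context.
    The caller is assumed to hold s3:PutObject through an identity policy,
    so only the bucket policy's Deny statements are checked.
    """
    context = {}
    if "x-amz-server-side-encryption" in headers:
        context[SSE_KEY] = headers["x-amz-server-side-encryption"]
    resource = f"{BUCKET_ARN}/{object_key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase("s3:PutObject", a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_satisfied(stmt.get("Condition", {}), context):
            return "DENY", stmt.get("Sid")
    return "ALLOW", None


if __name__ == "__main__":
    for hdrs in ({"x-amz-server-side-encryption": "aws:kms"},
                 {"x-amz-server-side-encryption": "AES256"},
                 {}):
        print(hdrs, "->", evaluate_put_object(REQUIRE_SSE_KMS_POLICY, "report.csv", hdrs))
```

Run as-is, the two-statement policy denies a wrong header and a missing header by statement name. Whatever a lone StringNotEquals does with a header-less upload on the real service, the documented pattern does not depend on it, because the Null statement denies that case explicitly; test the header-less case against a real bucket rather than trusting an emulator. Two further points a practitioner should keep in mind with the question 292 exhibit: S3 rejects a bucket policy that has no Principal element as malformed, so that policy could not have been applied as written; and since S3 began applying SSE-S3 by default to every new object, a header-less upload is still encrypted at rest, so a policy like this controls which encryption the client requests, not whether the object ends up encrypted.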

Question 293 (hard, multiple choice)

Refer to the exhibit. A security engineer is troubleshooting a decryption failure. The command uses the AWS CLI to decrypt a file. The decryption fails with an 'AccessDeniedException' error. The IAM user has the following policy attached:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "*"
    }
  ]
}

What is the most likely cause of the failure?

Exhibit

aws kms decrypt --ciphertext-blob fileb://encrypted.txt --output text --query Plaintext | base64 --decode

Question 294 (easy, multiple choice)

Refer to the exhibit. A KMS key policy is shown. An IAM role named 'DataProcessor' in account 123456789012 is trying to encrypt data using this key. The role also has an IAM policy that allows kms:Encrypt on the key. Will the encryption succeed?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/DataProcessor"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}
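
Questions 266, 276, 293 and 294 are variations on one authorization model: a KMS cryptographic call succeeds only if the key is in the Enabled state, and the key policy either names the caller or delegates to IAM by allowing the account's root principal, in which case an identity policy can grant the action. The script below is an added example for this page, not code from the question bank or from AWS. It encodes those rules and runs the exhibits' policies through them; the question 266 case (a key policy that names only AdminRole while the caller's identity policy allows kms:Decrypt) is the same situation question 293 describes. It reuses the placeholder account, role names and key ID from the exhibits, collapses everything into one account, stands in the DataProcessor role for the unnamed caller, and ignores grants, conditions and SCPs; the policies marked constructed are sample inputs.

```python
"""Offline model of KMS authorization for Encrypt/Decrypt calls.

Added example, not from the question bank. Rules modelled: the key must be
Enabled; the key policy must name the caller or allow the account root
principal (which delegates to IAM identity policies); only then can an
identity policy grant the action. Single account, no grants, conditions
or SCPs. Placeholder account, roles and key ID come from the exhibits.
"""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/{KEY_ID}"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
DATA_PROCESSOR = f"arn:aws:iam::{ACCOUNT}:role/DataProcessor"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AdminRole"

# DescribeKey-style metadata (constructed): an enabled key and a disabled one.
KEY_ENABLED = {"KeyId": KEY_ID, "Arn": KEY_ARN, "KeyState": "Enabled"}
KEY_DISABLED = {"KeyId": KEY_ID, "Arn": KEY_ARN, "KeyState": "Disabled"}

# Key policy from the question 266 exhibit: only AdminRole may decrypt.
KEY_POLICY_ADMIN_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ADMIN_ROLE},
     "Action": "kms:Decrypt", "Resource": "*"}]}
# Key policy from the question 294 exhibit: DataProcessor is named directly.
KEY_POLICY_NAMES_PROCESSOR = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": DATA_PROCESSOR},
     "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}]}
# Constructed: the default "Enable IAM User Permissions" statement, which
# lets identity policies in the account grant access to the key.
KEY_POLICY_DELEGATES_TO_IAM = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"}]}
# Identity policy from question 293: kms:Decrypt on any key.
IDENTITY_DECRYPT_ANY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"}]}
IDENTITY_NONE = {"Version": "2012-10-17", "Statement": []}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def _allows(statements, action, resource, principal=None):
    """True if an Allow statement covers the action and resource (and, for a
    key policy, the principal). In a key policy, "Resource": "*" is this key."""
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if principal is not None and not any(
                fnmatchcase(principal, p) for p in _principals(stmt)):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        return True
    return False


def kms_authorize(caller_arn, action, key_metadata, key_policy, identity_policy):
    """Return (allowed, reason) for a cryptographic call against the key."""
    state = key_metadata["KeyState"]
    if state != "Enabled":
        # KMS raises DisabledException / KMSInvalidStateException here, not
        # AccessDeniedException: key state is checked, not the policies.
        return False, f"key state is {state}; only Enabled keys accept {action}"
    key_stmts = key_policy["Statement"]
    if _allows(key_stmts, action, KEY_ARN, principal=caller_arn):
        return True, "key policy names the caller directly"
    if not _allows(key_stmts, action, KEY_ARN, principal=ROOT):
        return False, ("key policy neither names the caller nor allows the account "
                       "root principal, so no identity policy can grant access")
    if _allows(identity_policy["Statement"], action, KEY_ARN):
        return True, "key policy delegates to IAM and the identity policy allows it"
    return False, "key policy delegates to IAM but the identity policy lacks the action"


def run_scenarios():
    """Map each exhibit (plus two constructed cases) to its (allowed, reason)."""
    return {
        "q266_q293_admin_only_key_policy": kms_authorize(
            DATA_PROCESSOR, "kms:Decrypt", KEY_ENABLED, KEY_POLICY_ADMIN_ONLY, IDENTITY_DECRYPT_ANY),
        "q276_key_disabled": kms_authorize(
            DATA_PROCESSOR, "kms:Decrypt", KEY_DISABLED, KEY_POLICY_DELEGATES_TO_IAM, IDENTITY_DECRYPT_ANY),
        "q294_key_policy_names_role": kms_authorize(
            DATA_PROCESSOR, "kms:Encrypt", KEY_ENABLED, KEY_POLICY_NAMES_PROCESSOR, IDENTITY_NONE),
        "delegated_and_identity_allows": kms_authorize(
            DATA_PROCESSOR, "kms:Decrypt", KEY_ENABLED, KEY_POLICY_DELEGATES_TO_IAM, IDENTITY_DECRYPT_ANY),
        "delegated_but_identity_lacks": kms_authorize(
            DATA_PROCESSOR, "kms:Decrypt", KEY_ENABLED, KEY_POLICY_DELEGATES_TO_IAM, IDENTITY_NONE),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} - {reason}")
```

Two details the reasons surface are worth remembering when troubleshooting. A disabled key fails with DisabledException rather than AccessDeniedException, so an access-denied error points at the key policy or identity policy, not at key state. And for a symmetric KMS key, Decrypt does not need --key-id because the key identifier travels inside the ciphertext blob, so the command in the question 293 exhibit is well-formed and its AccessDeniedException is an authorization problem: the identity policy alone cannot grant kms:Decrypt unless the key policy delegates to IAM.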

Question 295 (medium, multiple choice)

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer. The application uses an Amazon RDS for MySQL database. The security team requires that all data in transit between the EC2 instances and the database be encrypted. The database is in a private subnet. The EC2 instances are in a public subnet. The security team also wants to minimize latency. What should be done to meet these requirements?

Question 296 (hard, multiple choice)

A company stores sensitive customer data in Amazon S3. The security team has enabled default encryption with SSE-S3 on the bucket. The compliance team requires that all access to the bucket be logged and that any unauthorized access attempts be detected in real time. The company has AWS CloudTrail enabled. Which additional steps should the security team take to meet the compliance requirements?

Question 297 (easy, multiple choice)

A company is using AWS KMS to encrypt sensitive data in Amazon DynamoDB. The security team wants to ensure that the KMS key can only be used from within the company's VPC and not from the internet. The VPC has an interface VPC endpoint for KMS. What should the security team do to enforce this restriction?

Question 298 (medium, multi select)

A security engineer is designing a data protection strategy for a healthcare application that stores Protected Health Information (PHI) in an S3 bucket. The bucket is accessed by multiple AWS services, including Athena and SageMaker. Which TWO actions should the engineer take to ensure encryption at rest and in transit? (Choose two.)

Question 299 (hard, multiple choice)

A financial services company uses AWS KMS to encrypt sensitive data in S3 and RDS. The security team requires a centralized audit trail of all KMS key usage, including key creation, deletion, and cryptographic operations. The audit logs must be stored in a separate AWS account for compliance. The team has enabled CloudTrail in the management account and configured a trail that logs to an S3 bucket in the audit account. However, they notice that KMS events such as Decrypt and GenerateDataKey are not appearing in the CloudTrail logs. The KMS key policy includes the following statement:

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::management-account:root"
  },
  "Action": "kms:*",
  "Resource": "*"
}

What is the MOST likely reason for the missing KMS events?

Question 300 (easy, multiple choice)

A startup is building a serverless application using AWS Lambda to process user-uploaded images. The images are stored in an S3 bucket with server-side encryption (SSE-S3) enabled. The Lambda function reads the images, performs transformations, and writes the results to a different S3 bucket. The security engineer wants to ensure that data is encrypted at rest and in transit throughout the pipeline. The Lambda function is configured with an IAM role that has permissions to read from the source bucket and write to the destination bucket. Which additional configuration is REQUIRED to ensure end-to-end encryption?

Question 301 (hard, multiple choice)

A multinational corporation uses AWS Organizations to manage multiple accounts. The security team requires that all data in S3 buckets across all accounts be encrypted at rest using customer-managed KMS keys. They have created a Service Control Policy (SCP) to deny creation of S3 buckets without encryption. However, upon testing, they find that a user in a member account can still create an unencrypted bucket. The SCP is attached to the root organizational unit. The SCP statement is:

{
  "Effect": "Deny",
  "Action": "s3:CreateBucket",
  "Resource": "*",
  "Condition": {
    "Null": {
      "s3:x-amz-server-side-encryption": "true"
    }
  }
}

What is the MOST likely reason the SCP is not working?

Question 302 (easy, multiple choice)

A company is migrating sensitive customer data to Amazon RDS for MySQL. The security team requires that data be encrypted at rest and in transit. The database will be accessed by a web application running on Amazon EC2 instances in the same VPC. The RDS instance is launched with encryption enabled using an AWS managed KMS key. The security team also enables SSL/TLS for connections. Which additional step is necessary to ensure that the web application uses encrypted connections?

Question 303 (medium, multiple choice)

A company uses AWS Shield Advanced to protect its web application against DDoS attacks. The application runs behind an Application Load Balancer (ALB) and uses Amazon CloudFront as a CDN. The security team notices that some requests are bypassing CloudFront and hitting the ALB directly. They want to ensure that all traffic goes through CloudFront to benefit from DDoS protection and to enforce encryption in transit. The ALB has a public DNS name and is accessible from the internet. What should the security team do to restrict direct access to the ALB while allowing CloudFront traffic?
