
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Amazon Web Services · SCS-C02

SCS-C02 Data Protection Practice Questions

20+ practice questions focused on Data Protection — one of the most tested topics on the AWS Certified Security Specialty SCS-C02 exam. Each question includes a detailed explanation so you learn why the right answer is correct.



Sample Data Protection Questions

1. A company stores sensitive data in Amazon S3 and wants to ensure that all objects are encrypted at rest. The security team has enabled default encryption on the S3 bucket using SSE-S3. However, an audit reveals that some objects are stored with SSE-KMS. How can the company enforce that only SSE-S3 is used for all future uploads, while still allowing existing SSE-KMS objects to be read?

A. Configure a bucket policy that denies s3:PutObject with s3:x-amz-server-side-encryption-aws:kms.
B. Use an S3 Lifecycle policy to transition existing SSE-KMS objects to SSE-S3.
C. Apply a bucket policy that denies s3:PutObject unless the x-amz-server-side-encryption header is AES256.
D. Disable SSE-KMS in the AWS KMS key policy to prevent its use.

Explanation: Option C is correct because it uses a bucket policy to deny s3:PutObject unless the x-amz-server-side-encryption header is set to AES256, which is the value for SSE-S3. This enforces that all future uploads use SSE-S3, while existing SSE-KMS objects remain readable because the policy only applies to write operations. The condition key s3:x-amz-server-side-encryption checks the encryption header value, and the Deny effect overrides any Allow, ensuring compliance.
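As an added example (not from Courseiva or AWS), the Deny statement the explanation describes is written out below as a bucket policy document, together with a small evaluator that applies only the IAM semantics this statement relies on (explicit Deny wins, StringNotEquals on one condition key) to constructed sample requests. It also covers a case the text does not spell out, an upload that sends no encryption header; the bucket name and function names are hypothetical.

```python
# Added example (not from the page): model the Q1 bucket policy and check
# how it treats sample requests. The bucket name is hypothetical.
BUCKET = "example-sensitive-data"

# Deny s3:PutObject unless the x-amz-server-side-encryption header is
# AES256, the value S3 uses for SSE-S3. Reads are untouched.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyNonSseS3Uploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {
            "StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}
        },
    }],
}


def is_denied(action: str, headers: dict) -> bool:
    """True if a Deny statement matches (explicit Deny beats any Allow).
    StringNotEquals also matches when the header is absent, so an upload
    sent without any encryption header is refused as well."""
    for stmt in BUCKET_POLICY["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        for key, expected in stmt["Condition"]["StringNotEquals"].items():
            header = key.split(":", 1)[1]  # s3:<header-name> -> header name
            if headers.get(header) != expected:
                return True
    return False


def audit_sample_requests() -> dict:
    """Constructed sample requests mapped to whether the policy denies them."""
    sse = "x-amz-server-side-encryption"
    return {
        "put_sse_s3": is_denied("s3:PutObject", {sse: "AES256"}),
        "put_sse_kms": is_denied("s3:PutObject", {sse: "aws:kms"}),
        "put_no_header": is_denied("s3:PutObject", {}),
        "get_existing_kms_object": is_denied("s3:GetObject", {}),
    }


if __name__ == "__main__":
    print(audit_sample_requests())
```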

2. A financial services company uses AWS KMS to encrypt sensitive data. The security team has a requirement to rotate the CMK every 90 days and to maintain a record of all previous key versions for decryption of historical data. The team creates a new CMK every 90 days and manually updates applications to use the new key. This process is error-prone and causes downtime. What is the MOST operationally efficient solution that meets the requirements?

A. Enable automatic key rotation on the existing CMK.
B. Create a new CMK every 90 days and update the alias to point to the new key. Applications reference the alias.
C. Use a CMK with imported key material and rotate the material every 90 days.
D. Continue creating new CMKs but use a script to update the application configuration files.

Explanation: Option B is correct because it uses aliases to decouple the key identifier from the application configuration. By creating a new CMK every 90 days and updating the alias to point to the new key, applications that reference the alias automatically use the new key without code changes, eliminating downtime. AWS KMS aliases are mutable pointers that can be reassigned to different CMKs, and the old key versions remain available for decryption of historical data.

3. A startup is building a web application on AWS and needs to protect sensitive customer data at rest in an Amazon RDS for MySQL database. The compliance team requires that the encryption keys be managed by the company's on-premises hardware security module (HSM) and be rotated every 6 months. Which solution should the startup use?

A. Use AWS CloudHSM to store the encryption keys and enable RDS encryption with CloudHSM.
B. Use AWS KMS with a customer master key (CMK) and import key material from the on-premises HSM.
C. Store the encryption keys in AWS Secrets Manager and use them to encrypt the database.
D. Use AWS KMS with a custom key store backed by AWS CloudHSM.

Explanation: AWS CloudHSM provides a dedicated hardware security module (HSM) that allows you to manage encryption keys on-premises-style, meeting the requirement for key management on the company's own HSM. When you enable Amazon RDS for MySQL encryption with CloudHSM, the database encryption keys are stored and managed in the CloudHSM cluster, and you can rotate them every 6 months as required. This solution directly satisfies the compliance team's mandate for on-premises HSM key management and periodic rotation.

4. A company is designing a data protection strategy for its Amazon S3 bucket that stores sensitive documents. The security team requires that all data be encrypted in transit and at rest, and that any accidental deletion of objects can be reversed within 30 days. Additionally, the company must be able to audit all access attempts to the bucket, including failed attempts. Which TWO actions should the company take to meet these requirements? (Choose two.)

A. Enable default encryption on the bucket using SSE-S3.
B. Enable AWS CloudTrail with data events for S3.
C. Enable S3 Versioning on the bucket.
D. Enable S3 server access logs and send them to a separate bucket.

Explanation: AWS CloudTrail with data events for S3 is correct because it captures all S3 API calls, including GetObject, PutObject, and DeleteObject, and records both successful and failed access attempts. This meets the auditing requirement for all access attempts, including failed ones, as CloudTrail logs the request details, error codes, and source IP addresses.

5. A healthcare company runs a HIPAA-compliant application on AWS. The application uses Amazon S3 to store Protected Health Information (PHI). The company has implemented the following controls: (1) All S3 buckets are configured with default encryption using SSE-S3. (2) Bucket policies restrict access to only authorized IAM roles. (3) S3 access logs are enabled and sent to a centralized logging account. (4) MFA Delete is enabled on all buckets. (5) Object lock is not enabled. Recently, an internal auditor discovered that when an authorized user deletes an object, the object is permanently deleted and cannot be recovered. The company's data retention policy requires that deleted PHI be recoverable for at least 30 days after deletion. A review of the IAM policies shows that users have s3:DeleteObject permission. The auditor also notes that the bucket versioning is not enabled. The security team needs to implement a solution that allows authorized users to delete objects but ensures that deleted objects can be recovered within 30 days. Which of the following is the MOST effective course of action?

A. Enable S3 Object Lock in Governance mode with a retention period of 30 days.
B. Enable S3 Versioning on the buckets and ensure that the IAM policies include s3:DeleteObjectVersion where appropriate.
C. Remove the s3:DeleteObject permission from all IAM policies and use S3 Lifecycle policies to expire objects after 30 days.
D. Change the default encryption from SSE-S3 to SSE-C and use a separate key for each object.

Explanation: Enabling S3 Versioning is the most effective solution because it preserves all object versions, including deleted objects (which become delete markers). With versioning enabled, authorized users can still use s3:DeleteObject to delete the current version, but the previous versions remain recoverable. Since the requirement is to recover deleted PHI within 30 days, versioning combined with a lifecycle policy to permanently delete old versions after 30 days would meet the retention policy without blocking immediate deletion.

+15 more Data Protection questions available


How to master Data Protection for SCS-C02

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Data Protection. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Data Protection questions on the SCS-C02 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many SCS-C02 Data Protection questions are on the real exam?

The exact number varies per candidate. Data Protection is tested as part of the AWS Certified Security Specialty SCS-C02 blueprint. Practicing with targeted Data Protection questions ensures you can handle any format or difficulty that appears.

Are these SCS-C02 Data Protection practice questions free?

Yes. Courseiva provides free SCS-C02 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Data Protection one of the harder SCS-C02 topics?

Difficulty is subjective, but Data Protection is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.


Topic Info

Topic: Data Protection
Exam: SCS-C02
Questions available: 20+