CCNA Data Security and Governance Questions

75 of 333 questions · Page 1/5 · Data Security and Governance · Answers revealed

1
Multi-Select · medium

A data engineer needs to securely store database credentials used by an AWS Glue ETL job. Which THREE steps should the engineer take?

Select 3 answers
A. Hardcode the credentials in the Glue job script.
B. Store the credentials in AWS Secrets Manager.
C. Grant the Glue job's IAM role permission to read the secret.
D. Configure the Glue job to use the Secrets Manager connector to retrieve credentials.
E. Use AWS Systems Manager Parameter Store with a SecureString parameter.
Answers: B, C, D

Secrets Manager provides secure storage and rotation.

Why this answer

Options B, C, and D are correct. AWS Secrets Manager securely stores credentials, and the Glue job can retrieve them via the AWS Secrets Manager connector or directly from the service, provided its IAM role is allowed to read the secret. Option A is wrong because hardcoding credentials is insecure.

Option E is wrong because Parameter Store does not support automatic rotation.

2
MCQ · hard

Refer to the exhibit. A data engineer is troubleshooting a permissions issue. The IAM role 'DataEngineerRole' is used by an AWS Glue job that needs to read data from an S3 bucket encrypted with a customer managed KMS key. The above key policy is attached to the KMS key. The Glue job fails with an AccessDenied error when trying to read the data. What is the MOST likely cause?

A. The key policy requires requests to originate from a VPC endpoint, but the Glue job is not using one.
B. The key policy denies requests that are not using HTTPS, but the Glue job is using HTTPS.
C. The key policy condition 'kms:ViaService' restricts KMS actions to only when they are made through S3, but AWS Glue calls KMS directly, not via S3.
D. The Glue job is running in a different AWS region than the S3 bucket.
Answer: C

Glue does not use S3 to make KMS calls; it calls KMS directly, so the condition fails.

Why this answer

The key policy includes a condition `kms:ViaService` that restricts KMS actions to only when they are made through the S3 service. However, AWS Glue does not call KMS via S3; it calls KMS directly to decrypt the S3 object's data key. Because the Glue job's KMS request does not originate from the S3 service, the condition fails, resulting in an AccessDenied error.

Exam trap

AWS often tests the nuance that `kms:ViaService` only applies when the KMS API call is made through the specified service's endpoint, not when a service like Glue calls KMS directly to decrypt an S3 object's key.

How to eliminate wrong answers

Option A is wrong because the key policy does not contain any VPC endpoint condition; the condition shown is `kms:ViaService`, not `aws:SourceVpce`. Option B is wrong because the key policy does not include an HTTPS condition, and even if it did, AWS Glue uses HTTPS by default, so this would not cause an AccessDenied error. Option D is wrong because cross-region access to an S3 bucket is allowed as long as the KMS key is in the same region as the bucket; the error is not region-related.

3
MCQ · medium

A company uses AWS Glue to process sensitive customer data stored in S3. The data engineer must ensure that the Glue ETL jobs do not write any data to S3 buckets that lack encryption. Which approach meets this requirement?

A. Use AWS CloudTrail to monitor and alert on unencrypted writes
B. Attach an S3 bucket policy that denies s3:PutObject unless the request includes the x-amz-server-side-encryption header
C. Enable S3 default encryption on the bucket
D. Configure an IAM role for Glue with a policy that denies s3:PutObject without encryption
Answer: B

S3 bucket policies can enforce encryption on uploads.

Why this answer

Option B is correct because an S3 bucket policy with a condition key `s3:x-amz-server-side-encryption` or `s3:x-amz-server-side-encryption-aws-kms-key-id` can deny PutObject if encryption is not specified. Option D is wrong because IAM policies cannot enforce encryption at the bucket level as effectively. Option A is wrong because CloudTrail is for auditing, not prevention.

Option C is wrong because default encryption at rest does not enforce encryption on writes.

4
MCQ · medium

A company uses AWS KMS to encrypt data in Amazon S3. The security team requires that all encryption keys be rotated automatically every year. Which key type should the company use?

A. Use a customer managed key with automatic rotation enabled
B. Use the default S3 managed encryption key (SSE-S3)
C. Use an AWS managed key (aws/s3)
D. Use a customer managed key with manual rotation
Answer: D

Customer managed keys can be rotated manually or automatically; automatic rotation can be set to yearly, so this option is correct.

Why this answer

AWS managed keys (AWS-managed KMS keys) are automatically rotated every year. Customer managed keys do not rotate automatically unless configured with a custom rotation period. The correct answer is C because AWS managed keys satisfy the requirement of automatic yearly rotation without additional configuration.

5
MCQ · hard

A data engineer notices that an S3 bucket policy allows access to a user from another AWS account, but the access is being denied. What could be the reason?

A. The bucket policy does not include KMS permissions
B. The other account's IAM user does not have permissions to access the bucket
C. S3 does not support cross-account access
D. The bucket is in a different region
Answer: B

Cross-account access requires IAM permissions in the other account.

Why this answer

For cross-account S3 access to succeed, both the bucket policy (resource-based policy) and the IAM user policy (identity-based policy) in the other account must grant the necessary permissions. Option B is correct because even if the bucket policy allows access from the other account, the IAM user in that account must have an explicit IAM policy that permits the S3 action (e.g., s3:GetObject) on the bucket. Without this, the request is denied by the other account's own IAM evaluation.

Exam trap

The trap here is that candidates assume a bucket policy alone is sufficient for cross-account access, forgetting that the requesting account's IAM user must also have explicit permissions, which is a classic AWS cross-account authorization nuance.

How to eliminate wrong answers

Option A is wrong because KMS permissions are only required if the bucket uses SSE-KMS encryption; the question does not mention encryption, and a missing KMS permission would cause a different error (e.g., AccessDenied with KMS key context). Option C is wrong because S3 fully supports cross-account access via bucket policies and ACLs, as documented in the AWS S3 User Guide. Option D is wrong because S3 is a global service and cross-region access is allowed; region does not inherently block cross-account access.

6
MCQ · hard

A company has a multi-account AWS environment with a centralized data lake in the Security account. Data producers in other accounts use AWS Glue to write data to S3 buckets in the Security account. The Security account uses AWS Lake Formation to manage permissions. The data engineer is setting up cross-account access so that users in the Producer account can query the data using Athena in their own account. The engineer has registered the S3 buckets and Data Catalog tables in Lake Formation. The IAM roles in the Producer account have the necessary permissions. However, when a user in the Producer account tries to query the table, they get an AccessDenied error. The error message indicates that the principal is not authorized to perform lakeformation:GetTable on the resource. What is the most likely cause?

A. The Glue Data Catalog resource policy is missing a statement to allow cross-account access.
B. The S3 bucket policy does not allow the Producer account's IAM role to read the data.
C. The KMS key policy does not allow the Producer account's IAM role to decrypt objects.
D. The Lake Formation permissions in the Security account do not include a grant to the Producer account's IAM role.
Answer: D

Lake Formation must grant cross-account access to the external IAM role.

Why this answer

Option D is correct because Lake Formation requires that the Producer account's IAM role be granted cross-account permissions in Lake Formation. Option B is wrong because the S3 bucket policy should already allow the Producer account's IAM role. Option C is wrong because the KMS key policy should already allow the Producer account's IAM role.

Option A is wrong because the Glue Data Catalog policy may need cross-account access, but Lake Formation is the primary issue.

7
MCQ · easy

A company wants to audit all data access events in their S3 buckets, including who accessed objects and from which IP address. Which AWS service should be used to capture these events?

A. AWS CloudTrail with data events enabled
B. Amazon CloudWatch Logs
C. AWS Config
D. Amazon S3 Server Access Logs
Answer: A

CloudTrail can log S3 object-level operations and capture user identity and source IP.

Why this answer

Option A is correct because AWS CloudTrail can log S3 API calls including GetObject, PutObject, etc. Option D is wrong because S3 Server Access Logs provide object-level logs but do not include IAM user details. Option B is wrong because CloudWatch Logs can store logs but does not capture them directly.

Option C is wrong because Config records resource configuration changes, not data access.

8
MCQ · medium

A data engineer needs to grant cross-account access to an S3 bucket. The engineer wants to use a role in the source account and assume that role from the target account. Which permissions are required?

A. Role in source account with trust policy allowing target account, and bucket policy granting access to the role
B. Bucket policy in source account allowing the target account's root user
C. Role in target account with trust policy allowing source account
D. IAM policy in target account allowing s3:GetObject on the bucket
Answer: A

This is the correct cross-account access pattern using role assumption.

Why this answer

The target account needs sts:AssumeRole permission on the role ARN in the source account, and the role's trust policy must allow the target account. The source account's bucket policy must also grant access to the assumed role. Option A is correct.

9
MCQ · easy

A company needs to audit all API calls made in their AWS account, including actions performed by the root user. Which AWS service should be used?

A. VPC Flow Logs
B. AWS CloudTrail
C. Amazon CloudWatch Logs
D. AWS Config
Answer: B

CloudTrail records API activity for auditing.

Why this answer

Option B is correct because AWS CloudTrail records all API calls for auditing. Option C is incorrect because CloudWatch Logs stores logs but does not capture API calls natively. Option D is incorrect because AWS Config tracks resource configuration changes, not API calls.

Option A is incorrect because VPC Flow Logs capture network traffic, not API calls.

10
MCQ · hard

A company stores sensitive data in S3 and uses VPC Endpoints to restrict access. They want to ensure that data can only be accessed from their VPC. What configuration is required?

A. Configure VPC Flow Logs to monitor access
B. Add a bucket policy condition aws:SourceVpce
C. Enable S3 Block Public Access
D. Associate a security group with the S3 bucket
Answer: B

This condition restricts access to requests originating from the specified VPC endpoint.

Why this answer

S3 bucket policies can use the aws:SourceVpce condition to restrict access to a specific VPC endpoint. Option C is wrong because S3 Block Public Access is a broader setting. Option A is wrong because VPC Flow Logs log traffic but do not restrict access.

Option D is wrong because security groups apply to EC2 instances, not to S3 bucket policies directly.

11
Multi-Select · hard

A company uses AWS KMS to encrypt data in multiple services. They want to ensure that only specific IAM roles can decrypt data using a particular KMS key. Which THREE steps are necessary?

Select 3 answers
A. Attach an IAM policy to each role with kms:Decrypt permission
B. Enable IAM policies in the key policy
C. Enable automatic key rotation
D. Ensure the key policy allows kms:GenerateDataKey for the roles
E. Add a statement to the KMS key policy allowing kms:Decrypt for the IAM roles
Answers: A, D, E

The roles need an IAM policy that allows decrypt actions.

Why this answer

The KMS key policy must grant decrypt permission to the IAM roles. Each role must have an IAM policy allowing kms:Decrypt. Additionally, the key policy should also grant kms:GenerateDataKey for encryption.

Option B is wrong because the key policy does not need to enable IAM policies; by default, IAM policies are allowed unless the key policy denies them. Option C is wrong because key rotation is not required for access control.

12
MCQ · medium

A data engineer is troubleshooting an issue where an AWS Glue ETL job fails when trying to read data from an S3 bucket encrypted with SSE-KMS. The job has an IAM role that includes `kms:Decrypt` permission. What is the most likely reason for the failure?

A. The IAM role does not have s3:GetObject permission
B. The KMS key policy does not allow the Glue job to use the key
C. The S3 bucket is in a different AWS region than the Glue job
D. The Glue job is not configured to use the KMS key for decryption
Answer: D

Glue needs the key ID or alias in the job parameters.

Why this answer

Option D is correct because Glue needs the KMS key to be specified in the job parameters or the connection. Option A is wrong because the Glue role likely has the permission. Option C is wrong because the bucket may be in the same region.

Option B is wrong because the key must be specified explicitly in the job, whatever the key policy says.

13
MCQ · easy

A company wants to use AWS Lake Formation to manage permissions on a data lake. What is the primary benefit of using Lake Formation for data security?

A. Automatically encrypts data at rest and in transit.
B. Replaces IAM for all data access policies.
C. Provides a unified view of data across all AWS regions.
D. Centralized fine-grained access control to data in S3, Redshift, and RDS.
Answer: D

Lake Formation provides column and row-level security.

Why this answer

Option D is correct because Lake Formation provides centralized fine-grained access control at the table, column, and row level. Option B is wrong because Lake Formation does not replace IAM. Option A is wrong because it does not encrypt data.

Option C is wrong because Lake Formation's benefit is access control over data in S3 and other sources, not a unified view of data across regions.

14
MCQ · hard

A company is using AWS Glue to process data stored in an S3 bucket that is encrypted with SSE-KMS. The Glue job fails with an 'Access Denied' error when trying to read the data. The IAM role used by the Glue job has permissions to read from the S3 bucket and to use the KMS key. What is the most likely cause of the failure?

A. The S3 bucket is using SSE-S3 instead of SSE-KMS
B. The S3 bucket policy denies access to the Glue job
C. The KMS key is in a different AWS account
D. The IAM role is missing the kms:Decrypt permission
Answer: D

Glue jobs need kms:Decrypt to read SSE-KMS encrypted data.

Why this answer

Option D is correct because AWS Glue jobs need the kms:Decrypt permission on the KMS key to read data encrypted with SSE-KMS. The IAM role may have the S3 read permissions but lack the kms:Decrypt permission. Option A (SSE-S3) is not relevant as the bucket uses SSE-KMS.

Option B (bucket policy) could also be a cause, but the most common issue is missing kms:Decrypt. Option C (cross-account access) is less likely if the key is in the same account.

15
MCQ · easy

A data engineer needs to ensure that an Amazon Redshift cluster encrypts all data at rest. Which setting must be enabled when creating the cluster?

A. Enable automated snapshots
B. Enable encryption
C. Enable SSL/TLS
D. Enable VPC
Answer: B

Redshift supports encryption at rest.

Why this answer

Option B is correct. Redshift cluster encryption is enabled at creation. Option C is wrong because SSL/TLS is for in-transit encryption.

Option D is wrong because VPC is network isolation. Option A is wrong because automated snapshots are for backup.

16
MCQ · hard

A data engineer is troubleshooting an Amazon Redshift cluster that is not allowing connections from a specific IP range. The engineer verified that the cluster's security group allows inbound traffic from the IP range. What is the next step to resolve the issue?

A. Modify the Redshift cluster parameter group to enable public accessibility.
B. Verify that the cluster's security group is attached to the Redshift cluster.
C. Check the IAM role associated with the Redshift cluster.
D. Check the network ACL (NACL) associated with the Redshift cluster's subnet.
Answer: D

NACLs can block traffic at the subnet level even if security groups allow it.

Why this answer

Option D is correct because Redshift also uses a VPC network ACL (NACL) that can block traffic at the subnet level, independent of security groups. Option B is wrong because the security group already allows the traffic. Option C is wrong because IAM roles do not control network-level access.

Option A is wrong because the cluster parameter group does not control network access.

17
Multi-Select · medium

A company uses Amazon Redshift to store customer data. The security team requires that all queries are logged for auditing purposes. Which combination of steps should be taken to meet this requirement? (Select TWO.)

Select 2 answers
A. Enable AWS CloudTrail database audit logging.
B. Use AWS CloudTrail to log Redshift API calls.
C. Enable logging on the Redshift security group.
D. Enable VPC Flow Logs for the Redshift cluster.
E. Enable Amazon Redshift audit logging to an S3 bucket.
Answers: B, E

CloudTrail logs API calls, including query execution.

Why this answer

Option B is correct because AWS CloudTrail can be configured to log Redshift API calls, such as CreateCluster, DeleteCluster, and ModifyCluster, which provides an audit trail of administrative actions. Option E is correct because Amazon Redshift supports native audit logging, including connection logs, user activity logs, and query logs, which can be exported to an Amazon S3 bucket for long-term retention and analysis.

Exam trap

The trap here is that candidates confuse AWS CloudTrail's ability to log API calls with database-level query logging, leading them to incorrectly select CloudTrail as the sole solution, while overlooking the need for Redshift's native audit logging to capture actual SQL queries.

18
Multi-Select · medium

A company is designing a data lake on Amazon S3. The security policy requires that all data be encrypted at rest using AWS KMS with automatic key rotation. Which encryption option meets these requirements? (Select THREE.)

Select 3 answers
A. Enable automatic key rotation on the KMS key.
B. Use SSE-KMS with an AWS managed key.
C. Set the default encryption on the S3 bucket to SSE-KMS with the CMK.
D. Use SSE-KMS with a customer-managed key (CMK).
E. Use SSE-C with a customer-provided key.
Answers: A, C, D

This is a requirement.

Why this answer

Option A is correct because AWS KMS customer-managed keys (CMKs) support automatic key rotation, which can be enabled to rotate the key material annually. This satisfies the security policy requirement for automatic key rotation. SSE-KMS with a CMK (Option D) is also required because AWS managed keys (Option B) do not support automatic key rotation, and SSE-C (Option E) does not use KMS at all.

Setting default encryption on the S3 bucket to SSE-KMS with the CMK (Option C) ensures all objects are encrypted with that key, meeting the encryption-at-rest requirement.

Exam trap

The trap here is that candidates often assume AWS managed keys (aws/s3) support automatic key rotation, but they do not; only customer-managed CMKs allow you to enable automatic rotation, and the question requires selecting three correct options that together meet both the KMS and automatic rotation requirements.

19
MCQ · medium

A company uses AWS KMS to encrypt sensitive data in S3. The security team requires that the KMS key must be rotated automatically every year. Which key type should be used?

A. Asymmetric customer managed key
B. AWS managed key (aws/s3)
C. Custom key store backed by CloudHSM
D. Customer managed key with automatic rotation enabled
Answer: B

AWS managed keys automatically rotate every year, meeting the requirement.

Why this answer

Option B is correct because AWS managed keys rotate annually by default. Option D is wrong because customer managed keys (with rotation enabled) rotate annually, but the key material is not rotated automatically unless imported key material is used. Option C is wrong because AWS managed keys rotate automatically, but custom key stores are for CloudHSM.

Option A is wrong because asymmetric keys are not automatically rotated.

20
MCQ · medium

A data engineer is designing a data lake on S3 and needs to ensure that data is encrypted at rest using customer-managed KMS keys. The engineer also needs to audit all access to the KMS keys. Which combination of services should be used?

A. SSE-KMS with AWS CloudTrail
B. SSE-C with CloudWatch Logs
C. SSE-KMS with S3 Inventory
D. SSE-S3 with S3 server access logs
Answer: A

SSE-KMS uses customer-managed KMS keys; CloudTrail records KMS API calls for auditing.

Why this answer

S3 server-side encryption with KMS (SSE-KMS) uses customer-managed KMS keys. CloudTrail logs all KMS API calls, including Decrypt and GenerateDataKey. Option A is correct.

Option D is wrong because SSE-S3 uses AWS-managed keys, not customer-managed keys, and S3 server access logs do not capture KMS operations. Option C is wrong because S3 Inventory does not audit KMS access. Option B is wrong because SSE-C does not use KMS at all.

21
MCQ · easy

A data engineer needs to ensure that an S3 bucket is not publicly accessible. Which S3 block public access setting should be applied to achieve this?

A. BlockPublicAcls (both new and existing)
B. IgnorePublicAcls
C. BlockPublicAcls (new ACLs)
D. BlockPublicPolicy
Answer: A

Blocks all public ACLs.

Why this answer

Option A is correct because BlockPublicAcls prevents public ACLs on the bucket. Option C is wrong because it only applies to new ACLs. Option D is wrong because it blocks public bucket policies, not ACLs.

Option B is wrong because IgnorePublicAcls ignores public ACLs rather than blocking them from being set. The combination of all four is recommended, but the question asks for a single setting.

22
MCQ · medium

Refer to the exhibit. A data engineer has attached this KMS key policy to a customer-managed key. The policy is intended to allow the DataEngineer role to decrypt objects in S3 only when the request comes through S3. However, the role is unable to decrypt objects stored in an S3 bucket in the us-west-2 region. What is the most likely cause?

A. The key policy does not allow the role to use GenerateDataKey
B. The role does not have an IAM policy that allows kms:Decrypt
C. The condition restricts the permission to the us-east-1 region only
D. The role does not have permission to decrypt from S3
Answer: C

The kms:ViaService condition specifies s3.us-east-1.amazonaws.com, so it only works for S3 requests in us-east-1.

Why this answer

The condition in the policy restricts the permission to requests coming through S3 in us-east-1 only (s3.us-east-1.amazonaws.com). For buckets in us-west-2, the viaService would be s3.us-west-2.amazonaws.com, so the condition fails. The key policy does not allow decrypt from other services, but the issue is region mismatch.

23
MCQ · medium

A data engineering team uses AWS Lambda functions to process streaming data from Amazon Kinesis Data Streams and write the results to an S3 bucket. The S3 bucket is encrypted with SSE-KMS using a customer-managed key (CMK). The Lambda function's IAM role has permissions for kms:Decrypt and kms:GenerateDataKey on the CMK. However, the Lambda function fails with an 'Access Denied' error when writing to S3. The S3 bucket policy allows s3:PutObject from the Lambda function's IAM role. What is the most likely cause?

A. The Lambda function's execution role does not have permission to invoke the function.
B. The Lambda function's IAM role is missing the kms:Encrypt permission on the CMK.
C. The S3 bucket policy denies s3:PutObject from the Lambda function.
D. The Kinesis data stream is not encrypted, causing the Lambda function to fail.
Answer: B

Writing encrypted data requires kms:Encrypt.

Why this answer

Option B is correct. When writing to S3 with SSE-KMS, the Lambda function needs kms:Encrypt permission to encrypt the data. The role only has kms:Decrypt and kms:GenerateDataKey, missing kms:Encrypt.

Option D is wrong because Kinesis encryption is separate. Option C is wrong because the bucket policy allows PutObject. Option A is wrong because invoking the function is not the problem; the role has its other permissions but is missing kms:Encrypt.

24
Multi-Select · easy

A data engineer needs to enforce that all data in an Amazon S3 bucket is encrypted at rest. Which of the following can be used to achieve this? (Choose TWO.)

Select 2 answers
A. Use AWS CloudTrail to monitor for unencrypted objects
B. Use VPC endpoints to restrict access
C. Configure a bucket policy to deny PutObject if encryption headers are missing
D. Enable default encryption on the S3 bucket using SSE-S3
E. Use AWS KMS to generate encryption keys for the bucket
Answers: C, D

This policy enforces encryption on uploads.

Why this answer

Options C and D are correct. S3 bucket policies can deny PutObject requests without encryption headers, and SSE-S3 default encryption ensures encryption at rest. Option A is wrong because CloudTrail logs API calls but does not enforce encryption.

Option B is wrong because VPC endpoints provide network isolation, not encryption. Option E is wrong because KMS alone does not enforce encryption on S3.

25
MCQ · medium

A company uses AWS Glue DataBrew to clean and normalize data. The data contains sensitive columns that must be masked before being written to the output. Which DataBrew action should be applied?

A. Apply a Hash transform to the sensitive columns.
B. Apply an Encrypt transform to the sensitive columns.
C. Apply a Delete transform to remove the sensitive columns.
D. Apply a Mask transform to the sensitive columns.
Answer: D

Mask transform obfuscates data, e.g., showing only last 4 digits.

Why this answer

Option D is correct because DataBrew has a built-in 'Mask' transform that can obfuscate sensitive data. Option A is wrong because 'Hash' is for hashing, not masking. Option C is wrong because 'Delete' removes the column entirely.

Option B is wrong because 'Encrypt' is not a DataBrew transform; encryption is handled at the storage layer.

26
MCQ · easy

A company wants to securely store database credentials used by a Lambda function. Which AWS service should be used to store and rotate the credentials automatically?

A. AWS CloudHSM
B. AWS Secrets Manager
C. AWS Key Management Service (KMS)
D. AWS Systems Manager Parameter Store
Answer: B

Secrets Manager is designed for storing secrets and supports automatic rotation of database credentials.

Why this answer

AWS Secrets Manager is designed for storing secrets and provides automatic rotation. Systems Manager Parameter Store can store secrets but does not natively support automatic rotation for database credentials. KMS is for encryption keys, not storing secrets.

CloudHSM is for hardware security modules.

27
MCQ · medium

A company uses AWS Glue to run ETL jobs on data stored in S3. The data is encrypted with SSE-KMS. The Glue job fails with an 'AccessDenied' error when trying to read the data. What is the MOST likely cause?

A. The S3 bucket policy denies access to the Glue service role.
B. The AWS Glue Data Catalog does not have permission to the table.
C. The IAM role used by Glue does not have kms:Decrypt permission on the KMS key.
D. The Glue job's connection does not have the necessary permissions.
Answer: C

Glue needs kms:Decrypt to read SSE-KMS encrypted data.

Why this answer

Option C is correct because Glue jobs need kms:Decrypt permission on the KMS key to read encrypted data. Option A is wrong because the S3 bucket policy may allow access, but KMS permission is separate. Option B is wrong because Glue Data Catalog permissions are for the catalog, not data access.

Option D is wrong because Glue connection permissions are for JDBC connections, not S3.

28
Multi-Select · easy

A company wants to enforce encryption in transit for data moving between an EC2 instance and an S3 bucket. Which TWO methods can achieve this? (Choose 2)

Select 2 answers
A. Add a bucket policy that denies requests without the aws:SecureTransport condition.
B. Use a VPC endpoint for S3.
C. Enable default SSE-S3 encryption on the bucket.
D. Use the HTTPS endpoint for S3 API calls.
E. Enable CloudTrail to monitor for non-encrypted requests.
Answers: A, D

This enforces HTTPS.

Why this answer

Options A and D are correct. Option D: HTTPS ensures encryption in transit. Option A: an S3 bucket policy enforcing aws:SecureTransport ensures HTTPS is used.

Option C is wrong because SSE-S3 is for at-rest encryption. Option B is wrong because VPC endpoints do not automatically enforce encryption. Option E is wrong because CloudTrail is for logging.
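The bucket-policy conditions in questions 3, 10, 24 and 28 (`aws:SecureTransport`, the `s3:x-amz-server-side-encryption` header, `aws:SourceVpce`) and the `kms:ViaService` key-policy condition in questions 2 and 22 all turn on how IAM condition operators behave when a context key is present, absent, or mismatched. The Python below is an added example written for this page, not code from the question bank or from AWS: a simplified policy evaluator (explicit deny wins, otherwise some allow must match, principal assumed already matched) run over constructed policies. The bucket name `example-bucket`, the endpoint id `vpce-0123456789abcdef0`, the account id `111122223333`, the role name, the statement Sids and the `decision` helper are all made up for the example.

```python
"""Added example: a simplified evaluator for the S3 bucket-policy and KMS
key-policy conditions discussed in these questions. It is not AWS's policy
engine; it models only the operators these policies use (Bool, Null,
StringEquals, StringNotEquals), explicit-deny-wins ordering, and assumes the
Principal has already matched."""
import fnmatch

BUCKET_ARN = "arn:aws:s3:::example-bucket"          # constructed name
OBJECTS_ARN = BUCKET_ARN + "/*"
VPCE_ID = "vpce-0123456789abcdef0"                  # constructed endpoint id
ROLE_ARN = "arn:aws:iam::111122223333:role/DataEngineerRole"  # constructed

# Constructed bucket policy combining the enforcement patterns from the questions.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowDataRole", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": OBJECTS_ARN},
        # Q28: refuse anything that is not HTTPS.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, OBJECTS_ARN],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        # Q3 / Q24: refuse uploads that do not ask for server-side encryption.
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": OBJECTS_ARN,
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        # Q10: refuse requests that did not arrive through the VPC endpoint.
        {"Sid": "DenyOutsideVpce", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, OBJECTS_ARN],
         "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}},
    ],
}

# Constructed key policy for Q2 / Q22: decrypt is allowed only when the call
# reaches KMS through S3 in us-east-1.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowDecryptViaS3UsEast1", "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}},
    ],
}


def _matches(patterns, value):
    """Action/Resource matching with the '*' wildcard IAM uses."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold. Absent keys follow IAM's rules:
    Null tests absence, Bool and StringEquals fail, StringNotEquals succeeds."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Null":
                if (actual is None) != (expected == "true"):
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != expected.lower():
                    return False
            elif operator == "StringEquals":
                if actual is None or actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def decision(policy, action, resource, ctx):
    """Return 'Deny:<Sid>' for the first matching explicit deny, 'Allow' if an
    allow statement matches, otherwise 'ImplicitDeny' (hypothetical helper)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny:" + stmt["Sid"]
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    obj = OBJECTS_ARN[:-1] + "customers/part-0001.parquet"
    good = {"aws:SecureTransport": "true", "aws:SourceVpce": VPCE_ID,
            "s3:x-amz-server-side-encryption": "aws:kms"}
    print(decision(BUCKET_POLICY, "s3:PutObject", obj, good))
    print(decision(BUCKET_POLICY, "s3:PutObject", obj, {**good, "aws:SecureTransport": "false"}))
    print(decision(KEY_POLICY, "kms:Decrypt", "*", {"kms:ViaService": "s3.us-west-2.amazonaws.com"}))
    print(decision(KEY_POLICY, "kms:Decrypt", "*", {}))  # Glue calling KMS directly
```

The last two calls reproduce the two failure modes the questions describe: a bucket in us-west-2 presents `kms:ViaService` as `s3.us-west-2.amazonaws.com`, and a Glue job calling KMS directly presents no `kms:ViaService` key at all; in both cases the StringEquals condition fails and nothing allows the decrypt.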

29
MCQ · easy

A company wants to audit all changes to IAM policies in their AWS account. Which AWS service should be used to record these changes?

A. AWS Config
B. AWS CloudTrail
C. Amazon GuardDuty
D. Amazon Inspector
Answer: A

Config tracks configuration changes and can record IAM policy changes.

Why this answer

AWS Config records configuration changes to AWS resources, including IAM policies. CloudTrail records API calls, not configuration snapshots. GuardDuty is for threat detection.

Inspector is for vulnerability assessment.

30
MCQ · hard

An organization is using AWS Glue to process sensitive data. The data is stored in S3 with server-side encryption using AWS KMS (SSE-KMS). The Glue job fails with an error indicating that it cannot read the data. The IAM role used by Glue has the following policy. What is missing?

A. The s3:GetObject permission on the bucket
B. The kms:Decrypt permission on the KMS key
C. The kms:GenerateDataKey permission on the KMS key
D. The kms:ReEncrypt permission on the KMS key
Answer: B

Glue needs decrypt permission to read encrypted data.

Why this answer

Option B is correct because the Glue job needs kms:Decrypt permission to read data encrypted with SSE-KMS. Option A is wrong because s3:GetObject is present. Option C is wrong because kms:GenerateDataKey is for writing, not reading.

Option D is wrong because kms:ReEncrypt is not needed.

31
MCQ · medium

A company uses Amazon Kinesis Data Streams to ingest real-time data. The compliance team requires that all data in the stream be encrypted at rest. Which configuration should be enabled?

A. Enable TLS encryption on the Kinesis stream
B. Enable server-side encryption using an AWS KMS key
C. Use client-side encryption in the producer application
D. Store the data in Amazon CloudWatch Logs instead
Answer: B

Kinesis supports SSE with KMS.

Why this answer

Option B is correct. Kinesis Data Streams supports server-side encryption with KMS. Option C is wrong because client-side encryption is not built-in.

Option A is wrong because TLS is for in-transit encryption. Option D is wrong because CloudWatch Logs is not for encryption.

32
Multi-Select · easy

A company is designing a data lake on AWS using S3. The security team requires that all data be encrypted at rest and that encryption keys be rotated annually. Which services can be used to meet these requirements? (Choose TWO.)

Select 2 answers
A. AWS Secrets Manager
B. AWS Certificate Manager (ACM)
C. AWS Key Management Service (AWS KMS)
D. AWS CloudHSM
E. Amazon S3 managed keys (SSE-S3)
Answers: C, E

Allows customer-managed keys with automatic yearly rotation.

Why this answer

Options C and E are correct. SSE-S3 provides encryption at rest with Amazon-managed keys that are rotated automatically. AWS KMS allows customer-managed keys with manual rotation or automatic yearly rotation.

Option D is wrong because CloudHSM provides hardware security modules but is not directly integrated with S3 for automatic key rotation. Option B is wrong because ACM is for TLS certificates. Option A is wrong because Secrets Manager is for secrets, not encryption keys.

33
MCQmedium

A data engineer needs to audit all access to an Amazon S3 bucket containing sensitive data. The audit must capture who accessed the bucket, from which IP address, and what actions were performed. Which AWS service should be enabled?

A.Enable S3 server access logging for the bucket.
B.Enable AWS CloudTrail with data events for the S3 bucket.
C.Use AWS Config to record S3 bucket-level changes.
D.Configure Amazon CloudWatch Logs to monitor S3 access.
AnswerB

CloudTrail data events capture detailed API activity.

Why this answer

Option B is correct because AWS CloudTrail logs all API calls to S3, including the caller identity, source IP, and actions. Option A is wrong because S3 server access logs provide similar information but are not as detailed or centralized. Option D is wrong because CloudWatch Logs can store logs but does not generate them.

Option C is wrong because AWS Config tracks resource configuration changes, not API calls.

34
MCQeasy

A data engineer needs to share a dataset from an S3 bucket in Account A with another AWS account (Account B). The data must remain encrypted at rest with KMS. Which steps are required?

A.Update the KMS key policy to allow Account B's root user
B.Create an IAM role in Account A and grant cross-account access
C.Update the S3 bucket policy and the KMS key policy to allow Account B
D.Update the S3 bucket policy to allow Account B's root user
AnswerC

Both are required for decryption and access.

Why this answer

To share S3 objects encrypted with a KMS key, you must grant the consuming account access to both the S3 bucket and the KMS key. Option D is wrong because a bucket policy alone does not grant KMS permissions. Option A is wrong because the KMS key policy alone does not grant access to the bucket.

Option C is correct because it includes both. Option B is wrong because cross-account roles are not necessary if the bucket policy and key policy are used.

35
MCQmedium

A company is using Amazon Redshift for analytics and needs to ensure that all data is encrypted at rest. The current cluster does not have encryption enabled. What is the most efficient way to enable encryption?

A.Change the cluster parameter group to enable encryption
B.Modify the cluster configuration to enable encryption
C.Use AWS DMS to migrate data to a new encrypted cluster
D.Create a snapshot of the cluster and restore it to a new cluster with encryption enabled
AnswerD

This is the supported method to migrate to an encrypted cluster.

Why this answer

Redshift does not support enabling encryption on an existing cluster; a new encrypted cluster must be created and data migrated. Modifying the cluster configuration or parameter groups does not enable encryption. Creating a snapshot and restoring it to a new cluster with encryption enabled is the standard approach.

36
MCQeasy

A data engineer needs to securely store database credentials used by a Lambda function. The solution must automatically rotate the credentials every 90 days. Which AWS service should the engineer use?

A.AWS CloudHSM
B.AWS Systems Manager Parameter Store
C.IAM Roles for Lambda
D.AWS Secrets Manager
AnswerD

Secrets Manager provides automatic rotation of secrets.

Why this answer

Option D is correct because AWS Secrets Manager supports automatic rotation of secrets. Option B is wrong because Parameter Store does not natively rotate secrets. Option A is wrong because CloudHSM is a hardware security module, not a secret store with rotation.

Option C is wrong because IAM roles grant access to AWS services; they do not store database credentials.

37
MCQhard

A company is using AWS Glue to process data stored in Amazon S3. The data includes personally identifiable information (PII) that must be masked before being written to a separate output bucket. Which AWS service or feature can be used to automatically detect and mask sensitive data in the Glue ETL job?

A.Configure CloudWatch Logs to filter and mask PII.
B.Use Amazon Macie to identify sensitive data and apply masking logic in the Glue job.
C.Use an IAM policy to restrict access to the PII columns.
D.Enable S3 Object Lock on the output bucket.
AnswerB

Amazon Macie can detect sensitive data, and the Glue job can use that information to mask it.

Why this answer

Option B is correct because Amazon Macie can be integrated with AWS Glue to detect sensitive data, and the Glue job can then apply masking logic. Option C is wrong because IAM policies control access, not data masking. Option D is wrong because S3 Object Lock prevents object deletion or modification, not masking.

Option A is wrong because CloudWatch Logs does not mask data.

38
MCQeasy

A company is designing a data pipeline that ingests data from an on-premises database to Amazon S3. The data contains personally identifiable information (PII) that must be masked before storage. Which AWS service can be used to mask the data in transit?

A.AWS Database Migration Service (DMS)
B.AWS Data Pipeline
C.Amazon Kinesis Data Firehose
D.AWS Glue
AnswerD

AWS Glue can run ETL jobs to mask PII before writing to S3.

Why this answer

AWS Glue can transform and mask data during ETL jobs, so Option D is correct. Kinesis Data Firehose is for streaming data.

Data Pipeline orchestrates but does not have native masking. DMS is for migration, not masking.

39
MCQhard

A company uses AWS KMS to encrypt sensitive data stored in S3. To meet compliance requirements, they need to ensure that the encryption keys are automatically rotated every year. Which type of KMS key should they use?

A.Customer managed key with manual rotation
B.AWS managed key
C.Custom key store (CloudHSM) key
D.Customer managed key with automatic rotation enabled
AnswerD

Customer managed keys can have automatic rotation enabled, which rotates the key annually.

Why this answer

Option D is correct because a customer managed key with automatic rotation enabled is rotated annually. Option A is wrong because manual rotation does not satisfy the requirement for automatic yearly rotation. Option C is wrong because custom key stores do not support automatic rotation.

Option B is wrong because AWS managed keys are not created by the customer.

40
Multi-Selecthard

A company uses AWS KMS to encrypt data in Amazon Redshift. The data engineer needs to rotate the customer-managed KMS key annually. Which TWO actions must be taken to successfully rotate the key without data loss?

Select 2 answers
A.Create a new KMS key and update the Redshift cluster to use the new key
B.Keep the old KMS key enabled to allow decryption of existing encrypted data
C.Use AWS CloudTrail to verify the key rotation was successful
D.Store the new key in Amazon S3 for backup
E.Enable automatic KMS key rotation on the existing key
AnswersA, B

Needed to re-encrypt data with new key.

Why this answer

Option A is correct because the Redshift cluster must be configured to use the new key. Option B is correct because the old key must remain enabled to decrypt existing data. Option E is wrong because automatic rotation is optional.

Option C is wrong because CloudTrail logs the rotation but is not required. Option D is wrong because Redshift does not use S3 for key storage.

41
MCQeasy

Refer to the exhibit. A data engineer applies this S3 bucket policy to the bucket 'example-bucket'. What is the effect of this policy?

A.PutObject requests are denied unless they include the x-amz-server-side-encryption header set to AES256
B.All PutObject requests are denied regardless of encryption
C.All PutObject requests are allowed only if they use SSE-KMS
D.The policy has no effect because it does not allow any action
AnswerA

The condition StringNotEquals denies if the header is not AES256, so only requests with AES256 are allowed.

Why this answer

The policy denies s3:PutObject if the encryption header is not set to AES256 (SSE-S3). It does not enforce a specific KMS key. It allows uploads with SSE-S3.

It denies uploads without encryption or with other encryption types.

42
Multi-Selectmedium

Which TWO actions are required to enforce encryption in transit for data being loaded into Amazon Redshift from Amazon S3? (Choose two.)

Select 2 answers
A.Configure Redshift to require SSL connections
B.Use client-side encryption for data in S3
C.Enable encryption at rest on Redshift cluster
D.Enable S3 server-side encryption
E.Use S3 VPC endpoints with HTTPS
AnswersA, E

Ensures data in transit to Redshift is encrypted.

Why this answer

To enforce encryption in transit, you must use S3 endpoints that support HTTPS (Option E) and configure Redshift to require SSL (Option A). Option C is about encryption at rest on Redshift, not in transit. Option D is about encryption at rest in S3.

Option B is about client-side encryption, which is not required for transit encryption.

43
MCQmedium

A data engineer needs to store sensitive data in Amazon S3 and automatically classify the data using a managed service. The data is uploaded via an S3 bucket. Which AWS service can automatically detect and classify sensitive data?

A.Amazon Macie
B.AWS WAF
C.Amazon Inspector
D.AWS Shield
AnswerA

Macie automatically discovers and classifies sensitive data.

Why this answer

Option A is correct because Amazon Macie uses machine learning to discover and classify sensitive data in S3. Option D is incorrect because AWS Shield is for DDoS protection. Option C is incorrect because Amazon Inspector is for vulnerability assessment on EC2.

Option B is incorrect because AWS WAF is a web application firewall.

44
Multi-Selecteasy

Which THREE AWS services can be used to centrally manage and govern data across multiple AWS accounts? (Select THREE.)

Select 3 answers
A.Amazon S3
B.AWS Control Tower
C.AWS Organizations
D.Amazon Redshift
E.AWS Lake Formation
AnswersB, C, E

Control Tower provides a governance framework for multi-account environments.

Why this answer

Options B, C, and E are correct. Option C (AWS Organizations) provides centralized management. Option E (AWS Lake Formation) can manage data lake permissions across accounts.

Option B (AWS Control Tower) offers a pre-configured environment for governance. Option A (Amazon S3) is a storage service, not central governance. Option D (Amazon Redshift) is a data warehouse, not a governance service.

45
Multi-Selectmedium

A data engineer is designing a data pipeline that processes PII data using AWS Glue and stores results in S3. Which TWO actions should be taken to protect the data? (Choose 2)

Select 2 answers
A.Use S3 default encryption with SSE-S3 for the output bucket.
B.Store database credentials in AWS Secrets Manager and reference them in Glue connections.
C.Enable S3 object deletion protection by setting a retention policy.
D.Configure AWS Glue to use a KMS key for encrypting data written to S3.
E.Use HTTPS for all data transfer between Glue and S3.
AnswersB, D

Secrets Manager secures credentials.

Why this answer

Options B and D are correct. Option D: Glue can use a KMS key to encrypt data at rest. Option B: Secrets Manager securely stores database credentials.

Option A is wrong because SSE-S3 does not use KMS. Option C is wrong because deleting data after processing is not a security best practice for compliance (data may need to be retained). Option E is wrong because HTTPS is not a substitute for encryption at rest.

46
MCQhard

A data engineer is designing a data pipeline that ingests data from an on-premises system into Amazon S3 using AWS Transfer Family. The data must be encrypted at rest using a customer-managed key in AWS KMS. The S3 bucket policy must allow only encrypted connections. Which policy condition should be used?

A.aws:SecureTransport
B.kms:EncryptionContext
C.s3:x-amz-server-side-encryption-aws-kms-key-id
D.s3:x-amz-server-side-encryption
AnswerA

This condition enforces that connections use TLS.

Why this answer

Option A is correct because the condition aws:SecureTransport is used to enforce encrypted connections (TLS). Option C is wrong because s3:x-amz-server-side-encryption-aws-kms-key-id enforces the use of a specific KMS key, not encrypted connections. Option B is wrong because kms:EncryptionContext is for additional context, not connection encryption.

Option D is wrong because s3:x-amz-server-side-encryption enforces SSE, not in-transit encryption.

47
Multi-Selecteasy

Which TWO AWS services can be used to protect sensitive data stored in Amazon S3 by preventing accidental public access? (Choose two.)

Select 2 answers
A.AWS WAF
B.Amazon GuardDuty
C.AWS Trusted Advisor
D.Amazon S3 Block Public Access
E.AWS Key Management Service (KMS)
AnswersC, D

Provides S3 bucket permissions check and recommendations.

Why this answer

Amazon S3 Block Public Access (Option D) blocks public access at the bucket or account level. AWS Trusted Advisor (Option C) has a check for S3 bucket permissions that can identify publicly accessible buckets. Option A is for network security, not S3.

Option B is for malware protection. Option E is for encryption at rest, not public access prevention.

48
MCQhard

A data engineering team uses AWS Glue ETL jobs to process data from an S3 data lake and load it into an Amazon Redshift cluster. The security policy mandates that all data in transit between AWS Glue and Redshift must be encrypted using TLS. The team uses a JDBC connection. Currently, the connection is failing with an SSL-related error. Which configuration change should the team make to ensure encrypted connectivity?

A.Modify the Redshift security group to allow inbound traffic on port 5439 from the Glue subnet.
B.Update the JDBC connection string to include ssl=true and sslmode=require.
C.Enable server-side encryption on the S3 bucket using AWS KMS.
D.Set the Redshift cluster parameter group to require_ssl=ON.
AnswerB

Ensures the JDBC driver uses SSL encryption.

Why this answer

To enforce SSL for JDBC connections to Redshift, you must add the ssl=true parameter to the connection URL, so Option B is correct. Option A is wrong because the security group controls network access, not encryption.

Option C is wrong because enabling encryption on the S3 bucket does not affect the Glue-to-Redshift connection. Option D is wrong because Redshift uses SSL by default, but the JDBC driver requires an explicit ssl=true in the URL to enable it.

49
MCQhard

A company runs an Amazon EMR cluster that processes sensitive data stored in Amazon S3. The security team requires that all data in transit between the EMR cluster and S3 be encrypted. Which configuration ensures this requirement is met?

A.Enable in-transit encryption within the EMR cluster using EMRFS.
B.Enable server-side encryption with S3 managed keys (SSE-S3) on the S3 bucket.
C.Configure the S3 endpoint to use TLS and ensure the EMR cluster uses HTTPS for S3 access.
D.Use an S3 access point with a bucket policy that denies HTTP requests.
AnswerC

TLS encrypts data in transit between EMR and S3.

Why this answer

Option C is correct because configuring the S3 endpoint for TLS and using HTTPS for S3 access enforces encryption in transit for all S3 requests. Option B is wrong because SSE-S3 encrypts data at rest, not in transit. Option A is wrong because EMR encryption at rest does not cover transit.

Option D is wrong because S3 access points do not enforce encryption in transit by default.

50
MCQmedium

A company needs to monitor and record all changes to IAM policies in their AWS account. Which AWS service should be used?

A.Amazon CloudWatch Logs
B.Amazon GuardDuty
C.AWS CloudTrail
D.AWS IAM Access Analyzer
AnswerC

CloudTrail records all API calls, including IAM policy changes.

Why this answer

AWS CloudTrail records API calls, including IAM policy changes, so Option C is correct. AWS Config, which is not among the options, records resource configuration changes and can evaluate compliance rules. Option D is wrong because IAM Access Analyzer analyzes resource policies for public access; it does not record changes.

Option B is wrong because GuardDuty is for threat detection. Option A is wrong because CloudWatch Logs does not directly record IAM changes.

51
Multi-Selectmedium

A company wants to use AWS CloudTrail to monitor data events for an S3 bucket. Which TWO configurations are required to capture object-level API operations?

Select 2 answers
A.Configure the CloudTrail trail to log data events for the S3 bucket.
B.Enable management events in the CloudTrail trail.
C.Enable S3 server access logs on the bucket.
D.Create a CloudTrail trail in the same AWS Region as the S3 bucket.
E.Set up an Amazon CloudWatch Events rule to capture S3 events.
AnswersA, D

Data events capture object-level operations like GetObject, PutObject.

Why this answer

Options A and D are correct. CloudTrail must be enabled in the S3 bucket's Region, and data events for the S3 bucket must be specified to capture object-level operations. Option C is incorrect because S3 server access logs are a separate mechanism.

Option B is incorrect because management events capture bucket-level operations, not object-level ones. Option E is incorrect because CloudWatch Events is not required for CloudTrail to capture events.

52
Multi-Selecthard

A company uses Amazon Redshift for its data warehouse and needs to enforce column-level security on sensitive columns. Which TWO approaches can achieve this?

Select 2 answers
A.Apply an S3 bucket policy to the underlying data files.
B.Create views that expose only non-sensitive columns and grant access to the views.
C.Use Redshift Spectrum to query external tables and restrict columns via the external schema.
D.Use Redshift column-level security to grant or revoke permissions on specific columns.
E.Use Redshift row-level security policies to restrict column access.
AnswersB, D

Views can limit column visibility.

Why this answer

Options B and D are correct. Redshift column-level security allows access controls to be defined at the column level. Views can also restrict column access.

Option E is wrong because row-level security does not restrict columns. Option A is wrong because S3 bucket policies are unrelated. Option C is wrong because Redshift Spectrum queries external data and does not provide column-level control.

53
Multi-Selecteasy

A data analytics company uses Amazon Athena to query data stored in an S3 bucket. The data contains personally identifiable information (PII). The security team wants to ensure that only authorized users can access the data through Athena, and that the data is encrypted at rest in S3. Which combination of actions should the company take? (Choose two.)

Select 2 answers
A.Attach an IAM policy to users that grants Athena access and S3 read access to the bucket.
B.Use AWS Lake Formation to define data lake permissions.
C.Use AWS Kinesis to stream data to Athena.
D.Create an S3 Access Point with a restricted policy.
E.Enable server-side encryption (SSE-S3) on the S3 bucket.
AnswersA, E

Controls access to Athena and underlying data.

Why this answer

Options A and E are correct. Option E enables encryption at rest. Option A restricts Athena access via IAM policies and bucket policies.

Option B is wrong because Lake Formation is not required for basic access control; IAM policies suffice. Option D is wrong because S3 Access Points can provide granular access but are not necessary. Option C is wrong because Athena does not support Kinesis.

54
MCQmedium

A company wants to centrally manage encryption keys for multiple AWS services and automatically rotate them every year. Which AWS service should be used?

A.AWS CloudHSM
B.AWS Certificate Manager (ACM)
C.AWS Secrets Manager
D.AWS Key Management Service (KMS)
AnswerD

KMS can automatically rotate customer managed keys yearly.

Why this answer

Option D is correct. AWS KMS supports automatic annual key rotation. Option A is wrong because CloudHSM is for hardware-based keys but does not provide automatic rotation.

Option C is wrong because Secrets Manager is for secrets, not encryption keys. Option B is wrong because ACM is for certificates.

55
MCQeasy

Refer to the exhibit. A data engineer creates an external table in AWS Glue Data Catalog pointing to an S3 bucket that contains encrypted objects (SSE-S3). The CREATE TABLE statement fails with an error. What change should be made to fix the error?

A.Change the SERDE to 'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe'.
B.Add 'aws_iam_role' as a table property.
C.Include the KMS key ARN in the LOCATION.
D.Set 'has_encrypted_data' to 'true'.
AnswerD

The property tells the catalog that data is encrypted.

Why this answer

If the data is encrypted with SSE-S3, the table property 'has_encrypted_data' should be set to 'true', so Option D is correct. Option A is unnecessary.

Option B is not the cause. Option C is not required for SSE-S3.

56
Multi-Selecthard

A company is using AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that only specific IAM roles can decrypt the data. Which THREE steps should the data engineer take? (Choose three.)

Select 2 answers
A.Use the default AWS managed KMS key for S3 (aws/s3)
B.Use SSE-S3 encryption instead of KMS
C.Create a customer-managed KMS key with a key policy that grants kms:Decrypt only to the allowed IAM roles
D.Add an IAM policy to the role that requires MFA for kms:Decrypt
E.Configure the S3 bucket to use SSE-KMS with the customer-managed key
AnswersC, E

This restricts decryption to the specified roles.

Why this answer

To restrict decryption to specific roles, you need to create a customer-managed key, configure the key policy to allow only those roles to use kms:Decrypt, and use SSE-KMS when writing objects. Using the default KMS key does not allow custom policies. SSE-S3 uses different keys.

Requiring MFA for API calls does not restrict decryption to specific roles.

57
MCQmedium

A company wants to monitor and alert on unauthorized API calls in their AWS account. Which AWS service should be used to detect and notify on such events?

A.Amazon GuardDuty and AWS Security Hub
B.Amazon VPC Flow Logs and Amazon CloudWatch Logs
C.AWS Config and AWS Systems Manager
D.AWS CloudTrail and Amazon CloudWatch Events
AnswerD

CloudTrail logs API calls, and CloudWatch Events can trigger alerts on specific events.

Why this answer

Option D is correct because AWS CloudTrail logs API calls, and Amazon CloudWatch Events (now Amazon EventBridge) can be used to create rules that trigger notifications on specific API calls. Option C is wrong because AWS Config monitors resource configuration, not API calls. Option A is wrong because Amazon GuardDuty is a threat detection service that can detect API call anomalies but is not primarily designed for monitoring all unauthorized API calls.

Option B is wrong because VPC Flow Logs monitor network traffic.

58
Multi-Selectmedium

A company is using Amazon Redshift for data warehousing. They need to ensure that data is encrypted at rest and in transit. Which TWO configurations are required to meet these requirements?

Select 2 answers
A.Enable encryption on the Redshift cluster using AWS KMS.
B.Configure the Redshift cluster to require SSL connections.
C.Use AWS CloudHSM to manage encryption keys for Redshift.
D.Enable VPC Flow Logs on the Redshift subnet.
E.Enable EBS encryption on the Redshift cluster nodes.
AnswersA, B

KMS encrypts data at rest.

Why this answer

Options A and B are correct. To encrypt data at rest, enable encryption on the Redshift cluster using KMS (A). To encrypt data in transit, configure the cluster to require SSL connections (B).

Option D is incorrect because VPC Flow Logs do not encrypt anything. Option E is incorrect because EBS encryption is not directly applicable to Redshift cluster storage. Option C is incorrect because Redshift does not natively support CloudHSM for encryption; it uses KMS for at-rest encryption.

59
MCQhard

A data engineer is troubleshooting an AWS Glue ETL job that fails with an access denied error when writing to an S3 bucket. The Glue job uses an IAM role that has an S3 bucket policy attached. The bucket policy denies access to any principal that does not use server-side encryption. What is the most likely cause of the failure?

A.The VPC endpoint policy for S3 is too restrictive.
B.The IAM role does not have s3:PutObject permission.
C.The Glue job is not using server-side encryption when writing to S3.
D.The S3 bucket uses S3 Block Public Access which denies all writes.
AnswerC

The bucket policy denies requests without encryption, causing access denied even if the role has PutObject permission.

Why this answer

Option C is correct because if the Glue job does not set the encryption header (or the role lacks the kms:GenerateDataKey permission for SSE-KMS), the bucket policy denies the request. Option B is wrong because the bucket policy denies the request even when the role has s3:PutObject; Glue still needs permissions on the S3 bucket and KMS key, but a missing PutObject permission is not what this policy condition triggers on. Option A is wrong because VPC endpoints do not cause access denied errors related to encryption.

Option D is wrong because S3 Block Public Access does not deny write access to authorized roles.

60
MCQhard

A company is using an Amazon RDS for PostgreSQL database to store personally identifiable information (PII). The security team wants to ensure that database administrators cannot view the plaintext PII data. Which solution should a data engineer implement?

A.Use IAM policies to restrict DBA access to the RDS instance
B.Enable Dynamic Data Masking in RDS to obfuscate PII for all users
C.Enable encryption at rest for the RDS instance using AWS KMS
D.Use client-side encryption with AWS KMS to encrypt PII before inserting into the database
AnswerD

Client-side encryption ensures data is encrypted before reaching the database, so DBAs cannot see the plaintext.

Why this answer

Using AWS KMS with client-side encryption ensures that data is encrypted before being sent to RDS, so database administrators cannot read the plaintext. Dynamic data masking in RDS is not natively supported; application-level masking would be needed. RDS encryption at rest protects data on disk but DBAs with access can still query plaintext.

Using IAM policies to restrict access does not prevent DBAs with database credentials from viewing data.

61
MCQmedium

A company uses AWS Lake Formation to manage data lake permissions. The data lake contains sensitive customer data in the 'customer' database. The security team wants to ensure that only users with a specific tag 'access_level=analyst' can query the 'customer' table. Which combination of steps should the data engineer take to enforce this?

A.In Lake Formation, create an LF-tag 'access_level' with values 'analyst' and 'admin'. Grant 'SELECT' permission on the 'customer' table to the tag value 'analyst'. Associate the LF-tag with the 'customer' table.
B.Create an IAM policy that conditionally allows 'glue:GetTable' based on the tag 'access_level=analyst'.
C.Apply a bucket policy on the S3 location of the 'customer' table that allows access only if the request carries the tag 'access_level=analyst'.
D.Use Lake Formation column-level filters to restrict access to columns based on the tag 'access_level=analyst'.
AnswerA

This uses Lake Formation TBAC to restrict access based on the user's tag.

Why this answer

Option A is correct because Lake Formation LF-tags allow you to define metadata tags (key-value pairs) and grant permissions to those tags. By creating an LF-tag 'access_level' with values 'analyst' and 'admin', granting SELECT on the 'customer' table to the tag value 'analyst', and associating that LF-tag with the table, only principals who have the tag 'access_level=analyst' (or are granted via the tag) can query the table. This enforces tag-based access control at the Lake Formation permission layer, which is the intended mechanism for fine-grained, attribute-based access control in Lake Formation.

Exam trap

The trap here is that candidates often confuse IAM tag-based policies (Option B) or S3 bucket policies (Option C) with Lake Formation's native LF-tag mechanism, not realizing that LF-tags are a Lake Formation-specific construct that must be managed within Lake Formation itself, not at the IAM or S3 level.

How to eliminate wrong answers

Option B is wrong because an IAM policy conditionally allowing 'glue:GetTable' based on a tag controls access to the Glue Data Catalog API, but it does not enforce Lake Formation permissions on the underlying data; Lake Formation permissions override IAM policies for registered locations, and this approach would not prevent a user with the tag from querying the table if Lake Formation grants are not also configured. Option C is wrong because S3 bucket policies operate at the object storage layer and cannot evaluate Lake Formation LF-tags; they can use IAM tags via the 'aws:RequestTag' condition key, but this would require the request to carry the tag, which is not how Lake Formation principals are identified, and it would bypass Lake Formation's centralized permission model. Option D is wrong because column-level filters in Lake Formation restrict access to specific columns based on a filter expression, not based on LF-tags; LF-tags are used for row-level or table-level permission grants, not for column-level filtering.

62
Multi-Selectmedium

A data engineer needs to audit all access to an S3 bucket containing sensitive data. The engineer must capture who accessed the bucket, from which IP address, and what actions were performed. Which AWS services should be used together to meet this requirement? (Choose THREE.)

Select 3 answers
A.Amazon CloudWatch Logs
B.AWS Config
C.Amazon S3 server access logs
D.AWS CloudTrail
E.VPC Flow Logs
AnswersA, C, D

Can store and analyze logs from S3 and CloudTrail.

Why this answer

Options A, C, and D are correct. S3 server access logs record detailed information about requests. CloudTrail records API calls with identity and source IP.

CloudWatch Logs can ingest and analyze logs. Option E is wrong because VPC Flow Logs capture network traffic but not S3 API details. Option B is wrong because Config records resource configuration changes, not access.

63
MCQeasy

Refer to the exhibit. A data engineer creates an IAM policy for a service role used by AWS Glue. What does the condition in the policy enforce?

A.The role can use the KMS key from any AWS service
B.The role can only use the KMS key when the request comes from Glue
C.The role can only use the KMS key for decrypting data
D.The role can only use the KMS key when the request comes from S3
AnswerD

kms:ViaService limits to S3 endpoints.

Why this answer

The condition restricts KMS actions to requests that come through S3, via the kms:ViaService condition key, so Option D is correct. Option B is wrong because it names Glue, but the condition names S3. Option A is wrong because the condition does not allow requests from any service.

Option C is wrong because the condition restricts which service the request comes through, not which KMS actions (such as decryption) the role may perform.

64
Multi-Selectmedium

A company needs to protect sensitive data stored in Amazon S3 from unauthorized access. Which TWO actions should the data engineer take? (Choose two.)

Select 2 answers
A.Configure S3 bucket policies to require MFA for delete operations
B.Enable cross-region replication for all buckets
C.Set up an S3 Lifecycle policy to transition objects to Glacier
D.Enable S3 Block Public Access at the account level
E.Enable S3 Versioning on all buckets
AnswersA, D

MFA adds an extra layer of security for sensitive operations.

Why this answer

Enabling S3 Block Public Access at the account level prevents any public access. Using bucket policies with conditions to require MFA adds an extra layer of security. Versioning does not prevent unauthorized access.

Lifecycle policies manage storage, not security. Cross-region replication is for disaster recovery, not security.

65
MCQ · hard

A company uses Amazon Redshift for data warehousing. The security team requires that all data be encrypted at rest using a key managed by the company. Which Redshift encryption option should be used?

A. Enable encryption using AWS managed key (default)
B. Use SSL/TLS encryption
C. Use hardware security module (HSM)
D. Specify a customer managed KMS key when enabling encryption
Answer: D

Redshift allows you to specify a customer managed KMS key for encryption.

Why this answer

Redshift supports encryption at rest using KMS keys. To use a customer managed key, you specify its KMS key ID when enabling encryption, so Option D is correct. Option A uses an AWS managed key, not one the company manages, and Option B (SSL/TLS) protects data in transit, not at rest.

HSM is not directly supported by Redshift.

66
MCQ · medium

A company wants to grant cross-account access to an S3 bucket without using IAM roles. The data engineer needs to write a bucket policy that allows another AWS account to list objects. Which Principal should be specified in the bucket policy?

A. The AWS account ID that owns the bucket
B. The AWS account ID of the other account
C. The IAM user ARN in the other account
D. The root user of the other account
Answer: B

The Principal should be the other account's ID.

Why this answer

Option B is correct because the Principal should be the AWS account ID of the other account. Option C is wrong because a specific IAM user ARN would grant access only to that user. Option D is wrong because naming the root user is not best practice.

Option A is wrong because the bucket policy sits on the resource side; the owning account is the grantor, not the principal being granted access.

67
MCQ · hard

A data engineer is designing a data lake on Amazon S3 that must comply with a regulatory requirement to prevent any data from being overwritten or deleted for 7 years after creation. Which S3 feature should be used?

A. S3 bucket policy that denies s3:DeleteObject
B. S3 bucket versioning with MFA Delete
C. S3 Object Lock with retention mode set to COMPLIANCE
D. S3 bucket versioning only
Answer: C

COMPLIANCE retention prevents any deletion or overwrite during the retention period.

Why this answer

Option C is correct because S3 Object Lock with retention mode COMPLIANCE prevents any deletion or overwrite for the specified period. Option B is wrong because MFA Delete requires a token but can still be disabled. Option A is wrong because bucket policies can be changed.

Option D is wrong because versioning alone does not prevent deletion; objects can still be deleted with delete markers.

68
MCQ · easy

Refer to the exhibit. A data engineer checks the versioning status of an S3 bucket and sees the above output. The bucket contains critical logs that must not be permanently deleted. What should the engineer do to enhance protection against accidental or malicious deletion?

A. Enable MFA Delete on the bucket
B. Enable versioning on the bucket
C. Enable cross-region replication
D. Configure a lifecycle policy to expire noncurrent versions
Answer: A

MFA Delete requires additional authentication to permanently delete versions, protecting against accidental or malicious deletion.

Why this answer

Enabling MFA Delete on the bucket requires multi-factor authentication to delete object versions, which adds protection. Versioning is already enabled, so that is not needed. Enabling Object Lock with retention mode is another option, but the question asks for enhancement using the current setup; MFA Delete is a direct enhancement.

A lifecycle policy does not prevent deletion. Cross-region replication is for disaster recovery, not deletion protection.

69
MCQ · hard

A company stores sensitive customer data in an Amazon S3 bucket with versioning enabled. A data engineer accidentally deleted the current version of an object. What is the quickest way to restore the object to its previous state without additional data transfer costs?

A. Use S3 Batch Operations to restore the object from the Recycle Bin.
B. Delete the delete marker that was created by the deletion.
C. Copy the previous version from the bucket to itself.
D. Use the S3 sync command to restore the previous version.
Answer: B

Deleting the delete marker restores the previous version as the current object without copying data.

Why this answer

With versioning enabled, deleting an object creates a delete marker rather than removing the data. To restore, you delete the delete marker, which makes the previous version current again. Option B is correct.

Option C copies data and therefore incurs costs. Option D copies the data to another location rather than restoring it in place. Option A is not a valid operation.

70
MCQ · easy

A company uses AWS Glue to process sensitive data stored in Amazon S3. The security team requires that all data in transit between AWS Glue and S3 be encrypted. Which configuration should be used to meet this requirement?

A. Use an S3 bucket policy that denies requests not using HTTPS.
B. Use an AWS KMS key to encrypt the data before uploading to S3.
C. Configure AWS Glue to use SSL by setting the 'ssl' parameter to 'true'.
D. Enable default encryption on the S3 bucket using SSE-S3.
Answer: A

This enforces encryption in transit for all requests.

Why this answer

Option A is correct because requiring HTTPS for all requests to the S3 bucket ensures that data in transit between AWS Glue and S3 is encrypted using TLS. By using an S3 bucket policy with a condition that denies requests where `aws:SecureTransport` is false, the company enforces encryption for all connections, including those from AWS Glue. This meets the security requirement without needing to modify Glue or S3 configurations beyond the bucket policy.

Exam trap

The trap here is that candidates often confuse encryption at rest (SSE-S3, SSE-KMS, client-side encryption) with encryption in transit (TLS/HTTPS), and may incorrectly assume that enabling default encryption or using KMS keys secures the data during transfer.

How to eliminate wrong answers

Option B is wrong because encrypting data with an AWS KMS key before uploading to S3 (client-side encryption) protects data at rest, not data in transit; the security team specifically requires encryption in transit. Option C is wrong because AWS Glue does not have an 'ssl' parameter; Glue uses HTTPS by default when connecting to S3, and this setting is not configurable via a simple parameter. Option D is wrong because enabling default encryption on the S3 bucket (SSE-S3) only encrypts data at rest, not data in transit between Glue and S3.

71
MCQ · medium

An organization needs to audit all access to their S3 buckets for compliance purposes. They want to log both successful and failed API calls. Which AWS service should be used?

A. Amazon CloudWatch Logs
B. AWS Config
C. AWS CloudTrail
D. VPC Flow Logs
Answer: C

CloudTrail logs API calls for auditing.

Why this answer

Option C is correct because AWS CloudTrail logs API activity in an AWS account, including S3 operations. Option A (Amazon CloudWatch) monitors metrics, not API calls. Option B (AWS Config) tracks resource configuration changes, not API calls.

Option D (VPC Flow Logs) captures network traffic, not API calls.

72
MCQ · easy

A company uses Amazon RDS for MySQL to store application data. The database contains personally identifiable information (PII). The security team requires that all data be encrypted at rest using AWS KMS. The database is currently unencrypted. The data engineer needs to enable encryption without significant downtime. Which approach should the data engineer take?

A. Use AWS DMS to migrate data to a new encrypted RDS instance continuously.
B. Take a snapshot of the database, copy it with encryption enabled, and restore from the encrypted snapshot.
C. Create a read replica with encryption enabled and promote it to primary.
D. Modify the RDS instance and enable encryption in the configuration.
Answer: B

Standard procedure to enable encryption on existing RDS.

Why this answer

Option B is correct. To enable encryption on an existing RDS instance, you must take a snapshot, copy it with encryption, and restore from the encrypted snapshot. This process involves some downtime but is the only way.

Option D is wrong because you cannot modify the instance to enable encryption directly. Option C is wrong because a read replica cannot add encryption that the existing source instance does not have. Option A is wrong because DMS requires a source and a target; the target can be encrypted, but the approach is more complex.

73
MCQ · medium

A company uses AWS Lake Formation to manage permissions on a data lake stored in S3. A data scientist is unable to query a table in Amazon Athena, receiving an 'Access Denied' error. The data scientist has IAM permissions to call Athena and has been granted SELECT permission on the table in Lake Formation. What is the most likely cause?

A. The data scientist does not have DESCRIBE permission on the table.
B. The data is encrypted with SSE-KMS and the data scientist lacks kms:Decrypt permission.
C. The S3 bucket policy denies access to the data scientist's IAM role.
D. The S3 bucket containing the data is not registered as a Lake Formation location.
Answer: D

An unregistered location prevents Lake Formation from granting S3 access.

Why this answer

Lake Formation can only vend S3 access for locations that have been registered with it. Option D is correct because if the underlying S3 location is not registered, the SELECT grant in Lake Formation does not translate into S3 access and the query fails. Option A is wrong because the data scientist already has SELECT permission on the table.

Option B is wrong because encryption is not the issue. Option C is wrong because Lake Formation bypasses S3 bucket policies for registered locations.

74
MCQ · medium

A data engineer needs to ensure that an S3 bucket can only be accessed from a specific VPC. Which policy element should be used?

A. Use the condition key aws:VpcSourceIp in the bucket policy.
B. Use the condition key aws:SourceIp in the bucket policy.
C. Use the condition key aws:SourceVpce in the bucket policy.
D. Use the condition key aws:SourceVpc in the bucket policy.
Answer: D

This restricts access to requests from the specified VPC.

Why this answer

Option D is correct because the condition key aws:SourceVpc restricts requests to those originating from a specific VPC. Option A (aws:VpcSourceIp) applies to requests made through a VPC endpoint, not to the VPC itself. Option B (aws:SourceIp) is for specific IP addresses.

Option C (aws:SourceVpce) is for VPC endpoint IDs.

75
MCQ · easy

A data engineer needs to grant an IAM role read-only access to Amazon DynamoDB tables in a specific AWS account. Which IAM policy element should be used to restrict access to only the 'GetItem' and 'Query' actions?

A. Resource
B. Action
C. Effect
D. Condition
Answer: B

Action specifies the API actions like GetItem and Query.

Why this answer

The 'Action' element specifies the allowed API actions. 'Effect' is 'Allow' or 'Deny'. 'Resource' specifies the ARN. 'Condition' adds conditions. So Action is correct.
