CCNA Data Security and Governance Questions

75 of 333 questions · Page 3/5 · Data Security and Governance · Answers revealed

151
MCQ · hard

A data engineer is tasked with implementing data masking for a non-production environment. The source data contains credit card numbers stored in an Amazon RDS for PostgreSQL database. The engineer wants to automatically mask the credit card numbers when copying data to the non-production database. Which AWS service can be used to achieve this?

A. AWS Database Migration Service (DMS)
B. AWS Glue
C. AWS Lake Formation
D. Amazon Athena
Answer: A

DMS supports transformation rules that can mask columns during migration.

Why this answer

AWS DMS can transform data during migration using transformation rules. It can mask data by replacing columns with predefined values. Glue is for ETL, but DMS is purpose-built for database migrations with transformations.

Lake Formation is for data lake permissions. Athena is for querying S3 data.

152
MCQ · hard

A data engineer is designing a data lake on Amazon S3. The compliance team requires that objects be automatically deleted after 7 years. Additionally, objects must be transitioned to Amazon S3 Glacier Instant Retrieval after 30 days to reduce costs. Which S3 lifecycle policy configuration meets these requirements?

A. Transition to Glacier Instant Retrieval after 30 days, then expire after 90 days.
B. Transition to Glacier Instant Retrieval after 30 days, then expire after 2555 days.
C. Transition to Glacier Deep Archive after 30 days, then expire after 7 years.
D. Transition to S3 Standard-IA after 30 days, then expire after 7 years.
Answer: B

2555 days is approximately 7 years.

Why this answer

Option B is correct because it transitions objects to Glacier Instant Retrieval after 30 days and then permanently deletes them after 7 years (2555 days). Option C is wrong because Glacier Deep Archive is not Glacier Instant Retrieval. Option D is wrong because it transitions to S3 Standard-IA, not Glacier Instant Retrieval.

Option A is wrong because it deletes after 90 days, not 7 years.

153
MCQ · hard

A data engineer needs to share a dataset stored in an S3 bucket with a partner AWS account. The partner should be able to read the data without needing to authenticate with the engineer's account. The engineer must not share any secret keys. Which approach should be used?

A. Write a bucket policy that grants access to the partner account's IAM role.
B. Generate presigned URLs and share them with the partner.
C. Make the bucket publicly readable.
D. Create an IAM user with access keys and share them with the partner.
Answer: A

Bucket policy can grant cross-account access securely.

Why this answer

Option A is correct because S3 bucket policies can grant cross-account access to a specific IAM role in the partner account. Option B is wrong because presigned URLs are temporary and need to be generated. Option C is wrong because making the bucket public violates security.

Option D is wrong because sharing access keys is insecure and against best practices.

154
MCQ · hard

A healthcare organization uses AWS Lake Formation to manage a data lake in Amazon S3. The data lake contains sensitive patient information that must be encrypted at rest. The organization uses AWS KMS with a customer-managed key (CMK) for encryption. Recently, the security team noticed that a new IAM user was able to query the data lake using Amazon Athena without explicit permissions in Lake Formation. The data lake administrator suspects that the IAM user might have been granted access through an IAM policy that allows 'lakeformation:GetDataAccess' without proper resource restrictions. The organization wants to enforce that only Lake Formation permissions control access to the data lake, and IAM policies should not grant access directly. What should they do?

A. Change the KMS key policy to require that any request to decrypt data must come from the Lake Formation service role.
B. Revoke the 'lakeformation:GetDataAccess' permission from all IAM users and groups, and require that access be granted only through Lake Formation permissions.
C. Remove the IAM policy that grants 'lakeformation:GetDataAccess' from the specific user and ensure Lake Formation permissions are correctly set.
D. Add an S3 bucket policy that denies all principals except the Lake Formation service role.
Answer: B

This ensures that only Lake Formation permissions control data access.

Why this answer

Option B is correct because the 'lakeformation:GetDataAccess' permission is required for principals to access data through Lake Formation, and revoking it for all IAM users forces them to rely solely on Lake Formation permissions. Option C is wrong because IAM policies for Lake Formation actions (like GetDataAccess) can grant access to data lake resources; removing them from the specific user is not enough. Option D is wrong because S3 bucket policies would bypass Lake Formation's fine-grained access control.

Option A is wrong because KMS keys do not control data access permissions; they control encryption.

155
Multi-Select · easy

A company wants to audit all API calls made to Amazon S3 and Amazon RDS resources. Which TWO AWS services can be used together to achieve this?

Select 2 answers
A. AWS CloudTrail
B. AWS Config
C. Amazon GuardDuty
D. Amazon Macie
E. Amazon CloudWatch Logs
Answers: A, E

CloudTrail records API calls for auditing.

Why this answer

Options A and E are correct. CloudTrail records API calls to S3 and RDS, and CloudWatch Logs can store the logs for monitoring. Option B is wrong because Config records resource configuration changes, not API calls.

Option C is wrong because GuardDuty is a threat detection service. Option D is wrong because Macie is for data classification.

156
MCQ · easy

A data engineer needs to audit all AWS KMS key usage events for the past 90 days to verify compliance. Which AWS service should be used?

A. VPC Flow Logs
B. AWS CloudTrail
C. AWS Config
D. Amazon Inspector
Answer: B

CloudTrail records KMS API calls for auditing.

Why this answer

Option B is correct because AWS CloudTrail logs all KMS API calls and can be queried for the past 90 days. Option C is wrong because AWS Config tracks resource configurations, not API calls. Option D is wrong because Amazon Inspector is for vulnerability assessments.

Option A is wrong because VPC Flow Logs capture network traffic, not API calls.

157
MCQ · medium

A data engineer is setting up cross-account access to an encrypted S3 bucket. The bucket uses a customer-managed KMS key. The engineer has configured the bucket policy and the IAM role in the source account. The target account still gets access denied errors when trying to read objects. What is the most likely cause?

A. The KMS key policy does not grant the target account's IAM role the kms:Decrypt permission.
B. The S3 bucket has Object Ownership set to BucketOwnerPreferred.
C. The bucket policy does not allow the target account's root user.
D. The VPC Endpoint policy blocks access from the target account.
Answer: A

For SSE-KMS objects, the KMS key policy must allow the target account's IAM role to decrypt.

Why this answer

Option A is correct because cross-account access with customer-managed KMS keys requires the key policy to grant the target account's IAM role permission to use the key. Option C is wrong because the bucket policy and IAM role are correctly configured. Option B is wrong because S3 Object Ownership does not affect cross-account read access.

Option D is wrong because VPC Endpoint policies are not the issue here.

158
MCQ · hard

A company uses AWS Glue to process sensitive data. The security team requires that all data in transit between Glue and Amazon S3 be encrypted using TLS 1.2 or higher. Which configuration ensures this requirement is met?

A. Configure a VPC endpoint for S3 and enable private DNS
B. Enable S3 Block Public Access at the bucket level
C. Add a bucket policy that denies access unless aws:SecureTransport is true
D. Use SSE-KMS encryption on the S3 bucket
Answer: C

Enforces HTTPS, which typically uses TLS 1.2+.

Why this answer

S3 bucket policies can enforce aws:SecureTransport to require HTTPS. Glue by default uses HTTPS when accessing S3, but to enforce it, the bucket policy must deny requests without SecureTransport. Option A is wrong because VPC endpoints enforce private connectivity but not necessarily TLS version.

Option B is wrong because S3 Block Public Access does not affect encryption in transit. Option D is wrong because KMS is for at-rest encryption. Option C is correct.

159
MCQ · hard

A company needs to share a dataset stored in an S3 bucket with a partner account. The dataset contains sensitive information, so the company wants to ensure that the partner account can only access the data using a specific VPC endpoint in the partner's account. Which S3 bucket policy condition key should be used?

A. aws:SourceVpc
B. aws:SourceArn
C. aws:SourceIp
D. aws:SourceVpce
Answer: D

SourceVpce restricts to a specific VPC endpoint.

Why this answer

Option D is correct because aws:SourceVpce restricts access to a specific VPC endpoint. Option C is wrong because aws:SourceIp is for IP addresses. Option B is wrong because aws:SourceArn is for resource ARNs.

Option A is wrong because aws:SourceVpc is for a whole VPC, not a specific endpoint.

160
Multi-Select · medium

A company uses S3 to store sensitive data. Which TWO S3 features can be used to protect data at rest?

Select 2 answers
A. S3 Versioning
B. Server-Side Encryption with S3 Managed Keys (SSE-S3)
C. Server-Side Encryption with AWS KMS (SSE-KMS)
D. S3 Transfer Acceleration
E. S3 Object Lock
Answers: B, C

SSE-S3 encrypts data at rest.

Why this answer

Options B and C are correct. SSE-S3 and SSE-KMS both encrypt data at rest. Option D is wrong because S3 Transfer Acceleration accelerates transfers, not encryption.

Option A is wrong because S3 Versioning protects against deletion, not encryption. Option E is wrong because S3 Object Lock prevents deletion/overwrite, not encryption.

161
Multi-Select · hard

A company stores sensitive customer data in an Amazon S3 bucket. The security team requires that all data be encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). Additionally, they want to ensure that the encryption context is enforced for all PutObject requests. Which THREE steps should be taken to meet these requirements?

Select 3 answers
A. Set the default encryption on the bucket to SSE-KMS with the desired KMS key.
B. Add a bucket policy that requires the s3:x-amz-server-side-encryption-aws-kms-key-id header and the kms:EncryptionContext condition.
C. Configure the bucket to use SSE-C and provide the encryption key.
D. Enable S3 Versioning on the bucket.
E. Create an IAM role that includes kms:GenerateDataKey and kms:Decrypt permissions for the KMS key.
Answers: A, B, E

Default encryption ensures objects are encrypted.

Why this answer

Options A, B, and E are correct. To enforce encryption context, you must use a bucket policy with a condition for kms:EncryptionContext (B). You must also set the default encryption on the bucket to SSE-KMS (A).

The IAM role used by applications must have permission to use the KMS key (E). Option C is incorrect because the bucket policy can enforce encryption context without SSE-C. Option D is incorrect because S3 Versioning does not provide encryption.

162
MCQ · hard

A data engineering team uses AWS Glue Data Catalog to manage metadata for datasets in Amazon S3. The datasets contain personally identifiable information (PII). The team needs to implement column-level security so that only authorized users can access columns with PII. They use Amazon Athena for querying. The team has enabled AWS Lake Formation and defined data lake locations. They have created a Lake Formation tag called 'PII' and assigned it to the columns containing PII. They have also granted 'SELECT' permission on those columns to a specific IAM role. However, when a user assumes that role and queries the table using Athena, they can still see all columns, including the PII columns. What is the most likely cause?

A. The data in S3 is not encrypted, so Lake Formation cannot enforce column-level security.
B. The S3 bucket policy grants direct access to the IAM role, bypassing Lake Formation.
C. The IAM role does not have the necessary Lake Formation permissions; it only has IAM permissions to the S3 data.
D. The Lake Formation tag 'PII' is not properly associated with the columns.
Answer: C

Lake Formation column-level security requires that the principal has Lake Formation 'SELECT' permission on the table and columns, and that the principal does not have direct S3 access.

Why this answer

Option C is correct because Lake Formation column-level security requires that the table be registered as a data lake location in Lake Formation and that the IAM role has Lake Formation permissions, not just IAM permissions. The IAM role might be bypassing Lake Formation if it has S3 permissions directly. Option D is wrong because the tags are applied correctly.

Option B is wrong because the S3 bucket policy should not allow direct access; Lake Formation should be the access point. Option A is wrong because a lack of encryption would not cause this issue.

163
Multi-Select · easy

A data engineer is setting up an Amazon Redshift cluster. Which TWO measures can be taken to secure the data at rest?

Select 2 answers
A. Enable encryption on the Redshift cluster using AWS KMS
B. Encrypt data on the client side before loading into Redshift
C. Enable AWS IAM database authentication
D. Use VPC security groups to restrict network access
E. Use an HSM (Hardware Security Module) to manage encryption keys
Answers: A, E

KMS encryption protects data at rest in Redshift.

Why this answer

Redshift supports encryption at rest using KMS or HSM. Cluster encryption can be enabled at launch. Client-side encryption before loading protects data before it reaches Redshift, but not necessarily at rest.

VPC security groups control network access. IAM roles control who can access the cluster.

164
MCQ · hard

A multinational corporation uses AWS Organizations to manage multiple accounts. The data engineering team has a central data lake account that stores all data in S3. The security team requires that all cross-account access to the data lake be logged and that any access from outside the organization be blocked. The team has enabled S3 server access logs and AWS CloudTrail. However, they notice that some requests from an external AWS account are still able to read data from the data lake. The bucket policy currently allows cross-account access to a specific partner account for data exchange. What additional step should the team take to block access from all other external accounts?

A. Add a condition to the existing Allow statement to require that the source account be in the organization.
B. Remove the cross-account access statement from the bucket policy.
C. Add a Deny statement to the bucket policy that denies access to any principal not in the organization or the partner account.
D. Use S3 Access Points to restrict access to only the partner account.
Answer: C

Blocks all external accounts except the partner.

Why this answer

Option C is correct. To block access from all external accounts except the allowed partner, you can add a Deny statement with a condition that checks if the account is not in the organization and not the partner account. Option B is wrong because removing the cross-account statement would block the partner.

Option A is wrong because the bucket policy already allows the partner, and narrowing that Allow statement does not deny other accounts. Option D is wrong because S3 Access Points do not inherently block external accounts unless explicitly configured.

165
MCQ · easy

A data engineer wants to ensure that only users with a specific tag (e.g., "Department": "DataEngineering") can access an S3 bucket. How can this be enforced?

A. Use a bucket policy with aws:PrincipalTag condition
B. Use S3 object tags and a bucket policy condition
C. Attach an IAM policy to each user with the tag
D. Use S3 Object Lambda to check user tags
Answer: A

The aws:PrincipalTag condition key can restrict access based on the principal's tags.

Why this answer

Option A is correct because S3 bucket policies support condition keys like aws:PrincipalTag to restrict access based on IAM user tags. Option B is wrong because resource tags are for objects, not principals. Option C is wrong because IAM policies can also be used, but a bucket policy is more direct.

Option D is wrong because S3 Object Lambda transforms data, not access control.

166
MCQ · hard

A company uses Amazon RDS for PostgreSQL with encryption at rest using AWS KMS. The company needs to share a database snapshot with a different AWS account. What must be done to allow the target account to restore the snapshot?

A. Copy the snapshot to the target account's region and share it
B. Create an IAM role in the source account that allows cross-account snapshot access
C. Share the snapshot and update the KMS key policy to allow the target account to use the key
D. Disable encryption on the snapshot before sharing
Answer: C

The target account needs decrypt permission on the KMS key.

Why this answer

Option C is correct. The snapshot must be shared with the target account, and the KMS key policy must grant the target account decrypt permissions. Option A is wrong because copying the snapshot without sharing the key won't help.

Option B is wrong because an IAM role in the source account alone is insufficient. Option D is wrong because encryption cannot be disabled on an encrypted snapshot.

167
MCQ · easy

A data engineer needs to grant an IAM user access to query a specific table in Amazon Athena, but the user should not be able to view other tables in the same database. Which method should the engineer use?

A. Attach an IAM policy that allows athena:StartQueryExecution and restrict the query by table name
B. Use AWS Lake Formation to grant SELECT permission on the specific table to the user
C. Apply an S3 bucket policy that restricts access to the table's underlying data
D. Create a separate Athena workgroup with a query limit that only allows queries on that table
Answer: B

Lake Formation enables table-level access control.

Why this answer

Option B is correct because Lake Formation provides fine-grained table-level permissions. Option C is wrong because S3 bucket policies do not control Athena table access. Option A is wrong because IAM policies alone cannot restrict table access in Athena without Lake Formation.

Option D is wrong because workgroup settings do not provide table-level security.

168
MCQ · medium

A data engineer needs to audit all access to an S3 bucket for compliance. They want to capture object-level operations such as GetObject and PutObject, as well as bucket-level operations like ListBucket. Which AWS service should be used?

A. Amazon CloudWatch Logs
B. S3 server access logs
C. AWS CloudTrail management events
D. AWS Config
Answer: B

S3 server access logs provide detailed records about requests made to a bucket, including object-level and bucket-level operations.

Why this answer

Option B is correct because S3 server access logs record object-level and bucket-level operations. CloudTrail can also record S3 API calls, but by default it logs bucket-level operations only; object-level logging requires enabling data events. Option C is wrong because CloudTrail management events do not include object-level operations.

Option A is wrong because CloudWatch Logs alone does not capture S3 access. Option D is wrong because Config records resource configuration changes, not API calls.

169
MCQ · hard

A company has multiple AWS accounts and wants to centrally manage permissions and access to data lakes. They have enabled AWS Organizations and want to use a single set of policies that apply to all accounts. Which policy type should be used at the organization level?

A. IAM policies
B. KMS key policies
C. S3 bucket policies
D. Service control policies (SCPs)
Answer: D

SCPs centrally manage permissions across all accounts in an organization.

Why this answer

Option D is correct because Service Control Policies (SCPs) are used in AWS Organizations to centrally manage permissions across accounts. Option A (IAM policies) is wrong because IAM policies are attached to IAM users/roles within an account, not across accounts. Option C (bucket policies) is wrong because bucket policies are specific to S3 buckets.

Option B (KMS key policies) is wrong because key policies control access to KMS keys only.

170
Multi-Select · medium

Which TWO actions should a data engineer take to protect sensitive data in an Amazon S3 bucket from being accessed by unauthorized users? (Select TWO.)

Select 2 answers
A. Create a VPC endpoint for S3
B. Enable S3 server access logging
C. Add a bucket policy with a Deny effect for unauthorized principals
D. Enable AWS CloudTrail for the bucket
E. Enable S3 Block Public Access
Answers: C, E

A Deny policy explicitly denies access.

Why this answer

Options C and E are correct. Option E (S3 Block Public Access) prevents public access to the bucket. Option C (bucket policy with Deny effect) explicitly denies access to unauthorized users.

Option B (S3 server access logs) is for auditing, not prevention. Option D (CloudTrail) is for logging, not prevention. Option A (VPC endpoint) is for network connectivity, not access control.

171
Multi-Select · easy

A data engineer needs to securely store database credentials for an RDS instance. Which TWO AWS services can be used?

Select 2 answers
A. AWS KMS
B. AWS Secrets Manager
C. AWS IAM
D. AWS CloudFormation
E. AWS Systems Manager Parameter Store
Answers: B, E

Secrets Manager is designed for managing secrets, including automatic rotation.

Why this answer

Options B and E are correct. AWS Systems Manager Parameter Store can securely store secrets like database credentials. AWS Secrets Manager is designed specifically for secrets management and automatic rotation. Option D is wrong because CloudFormation is for infrastructure as code.

Option A is wrong because KMS is a key management service, not a secret store (though it can encrypt secrets stored elsewhere). Option C is wrong because IAM is for identity management.

172
MCQ · medium

A company uses AWS Glue to catalog data in Amazon S3. The data includes personally identifiable information (PII). The security team requires that PII be masked when queried by users who are not data owners. Which AWS service should be used to enforce this requirement?

A. Use Amazon Macie to automatically redact PII from S3 objects.
B. Use IAM policies with condition keys to restrict access based on tags.
C. Use AWS Lake Formation to define column-level security and data masking.
D. Use Amazon S3 Object Lambda to transform data on the fly.
Answer: C

Lake Formation provides column-level permissions and dynamic masking.

Why this answer

Option C is correct because AWS Lake Formation provides fine-grained access control and column-level masking for data cataloged in the Glue Data Catalog. Option D is wrong because S3 Object Lambda modifies data at the S3 API level, not at the query level. Option B is wrong because IAM policies cannot mask data.

Option A is wrong because Macie discovers and classifies PII but does not enforce access controls.

173
MCQ · medium

A company is using Amazon S3 to store sensitive data. The security team requires that all objects be encrypted using server-side encryption with AWS KMS (SSE-KMS) and that the bucket policy denies any PutObject request that does not include the required encryption header. Which bucket policy condition should be added?

A. s3:x-amz-server-side-encryption-aws-kms-key-id
B. s3:x-amz-server-side-encryption
C. kms:EncryptionContext
D. aws:SecureTransport
Answer: A

This condition enforces the use of a specific KMS key.

Why this answer

Option A is correct because s3:x-amz-server-side-encryption-aws-kms-key-id can be used to enforce a specific KMS key. Option B is wrong because s3:x-amz-server-side-encryption only enforces SSE-S3 or SSE-KMS, not a specific key. Option C is wrong because kms:EncryptionContext is for KMS, not S3.

Option D is wrong because aws:SecureTransport is for in-transit encryption.

174
MCQ · hard

Refer to the exhibit. A data engineer applies this bucket policy to an S3 bucket named my-data-bucket. The bucket contains sensitive data. The company's security team reports that data was accessed from an IP address outside the allowed range. What is the MOST likely reason that the policy failed to block the unauthorized access?

A. The Deny statement's condition on SecureTransport overrides the IP condition.
B. The policy has a syntax error in the Condition element.
C. The Deny statement does not restrict access based on IP address; it only denies non-HTTPS requests.
D. The bucket policy does not apply to requests made from within the same AWS account.
Answer: C

The Deny only applies to non-SecureTransport, not to IP addresses outside the allowed range.

Why this answer

Option C is correct because the Deny statement in the policy only denies requests that are not using HTTPS (SecureTransport: false). It does not include any condition to restrict access based on IP address. Therefore, a request made from an IP outside the allowed range but using HTTPS would not be denied by this policy, allowing unauthorized access to the sensitive data.

Exam trap

The trap here is that candidates assume a Deny statement with any condition will block all unauthorized access, but in reality, each condition must be explicitly specified to deny the intended requests.

How to eliminate wrong answers

Option A is wrong because SecureTransport and IP address conditions are independent; a Deny statement with SecureTransport does not override an IP condition—it simply does not evaluate IP at all. Option B is wrong because there is no syntax error indicated in the exhibit; the policy is syntactically valid but logically incomplete. Option D is wrong because bucket policies apply to all principals, including requests made from within the same AWS account, unless explicitly scoped otherwise.

175
MCQ · easy

A company wants to encrypt data at rest in Amazon S3 using server-side encryption. They need to manage the encryption keys themselves and rotate them annually. Which S3 encryption option should they use?

A. SSE-KMS
B. SSE-S3
C. SSE-C
D. Client-side encryption
Answer: C

SSE-C allows the customer to provide their own encryption keys and manage them.

Why this answer

Option C is correct because SSE-C allows the customer to provide and manage their own encryption keys. SSE-S3 uses AWS-managed keys, and SSE-KMS uses AWS KMS keys but with AWS managing the key material. Option B is wrong because SSE-S3 does not allow customer-managed keys.

Option A is wrong because SSE-KMS still involves AWS management of the key material. Option D is wrong because client-side encryption is not server-side.

176
MCQ · medium

Refer to the exhibit. An IAM policy is attached to an IAM user. The user is trying to download an object from the S3 bucket 'example-bucket' from an IP address 10.1.1.1, but the request is denied. What is the most likely reason?

A. The policy does not allow the s3:GetObject action.
B. The policy has a syntax error.
C. There is an explicit deny statement elsewhere that overrides the allow.
D. The user's IP address does not match the condition in the policy.
Answer: D

The condition restricts access to IP range 10.0.0.0/16; 10.1.1.1 is outside.

Why this answer

The policy uses a condition to allow access only from the 10.0.0.0/16 IP range. The user's IP 10.1.1.1 is outside that range, so the condition fails and access is denied (implicit deny). Option D is correct.

Option A is wrong because the policy allows GetObject. Option C is wrong because there is no explicit deny. Option B is wrong because the policy is valid.

177
MCQ · medium

A data engineer needs to share a dataset stored in Amazon S3 with another AWS account. The bucket policy currently grants access only to the owning account. What is the simplest way to grant cross-account access?

A. Add a bucket policy that grants access to the other account's IAM role
B. Set the object ACL to public-read
C. Use an S3 access control list (ACL) to grant access to the other account
D. Create an IAM role in the other account and attach a policy to it
Answer: A

A bucket policy can specify a principal from another account.

Why this answer

Option A is correct because a bucket policy with a principal ARN of the other account's IAM role is the standard way to grant cross-account access. Option B is wrong because that would make the object public, which is not recommended. Option D is wrong because a bucket policy can directly grant cross-account access without needing a separate IAM role and policy in the other account.

Option C is wrong because an ACL grants basic permissions but is less flexible.

178
Multi-Select · hard

A company wants to monitor and alert on any IAM user creation in their AWS account. Which THREE services should be used together to achieve this? (Choose three.)

Select 3 answers
A. Amazon Simple Notification Service (SNS)
B. AWS CloudTrail
C. Amazon CloudWatch Logs
D. Amazon CloudWatch Events (EventBridge)
E. AWS Config
Answers: B, C, D

Records API calls including IAM user creation.

Why this answer

AWS CloudTrail captures IAM user creation API calls (option B). Amazon CloudWatch Logs can be the target for CloudTrail logs (option C). Amazon CloudWatch Events (EventBridge) can create a rule to trigger an alert (option D).

Option E is for configuration compliance, not API monitoring. Option A is for sending notifications, but the question asks for monitoring and alerting, and EventBridge can directly trigger SNS or Lambda.

179
MCQ · easy

A data engineer needs to audit data access events in Amazon S3. Which AWS service should be used to record and monitor API calls for S3 buckets?

A. AWS CloudTrail
B. AWS Config
C. Amazon Macie
D. Amazon GuardDuty
Answer: A

CloudTrail records API calls for auditing.

Why this answer

Option A is correct because AWS CloudTrail records API calls for auditing. Option D is wrong because Amazon GuardDuty is a threat detection service. Option B is wrong because AWS Config tracks resource configuration changes.

Option C is wrong because Amazon Macie discovers sensitive data.

180
Matching · medium

Match each AWS storage class to its description.

Descriptions

Frequent access, low latency

Auto-moves data between tiers

Archive retrieval in minutes to hours

Lowest cost, 12-hour retrieval

Infrequent access, single AZ

Why these pairings

S3 storage classes balance cost and access frequency.

181
MCQ · hard

A company uses AWS Lake Formation to manage access to data in a data lake. The data engineer needs to grant a user the ability to query tables in the 'sales' database using Amazon Athena, but only when the user's IP address is within the corporate network (10.0.0.0/8). Which combination of actions should the data engineer take?

A. Grant Lake Formation permissions on the tables and attach an S3 bucket policy with aws:SourceIp condition
B. Grant Lake Formation permissions on the tables and attach an IAM policy to the user with aws:SourceIp condition
C. Use an S3 VPC endpoint and grant Lake Formation permissions on the tables
D. Grant Lake Formation permissions on the tables and configure a network ACL in the VPC
Answer: B

Correct combination.

Why this answer

Option B is correct because Lake Formation permissions control access to tables, and an IAM policy with the condition key `aws:SourceIp` can restrict Athena access to the corporate IP range. Option D is wrong because a network ACL is not a substitute for the IAM policy condition. Option A is wrong because S3 bucket policies do not restrict Athena queries through Lake Formation.

Option C is wrong because VPC endpoints alone do not enforce IP-based restrictions.

182
MCQ · medium

A data engineer is configuring an Amazon Redshift cluster to encrypt data at rest. The company policy requires that encryption keys be stored in AWS CloudHSM. Which integration should the engineer use to meet this requirement?

A.Use AWS KMS with a customer managed key.
B.Configure Redshift to use an HSM for encryption.
C.Enable encryption using the AWS Redshift SSL/TLS feature.
D.Use Redshift automatic key rotation.
AnswerB

Redshift supports integration with CloudHSM for key storage.

Why this answer

Amazon Redshift supports AWS CloudHSM for encryption key management through its Hardware Security Module (HSM) integration. Option B is correct.

Option A uses KMS, not CloudHSM. Option C covers SSL/TLS connection encryption, not key storage. Option D is about key rotation, not where keys are stored.

183
MCQeasy

A company wants to enforce that all data written to an S3 bucket is encrypted with a customer-managed AWS KMS key. The data engineer has created the KMS key and attached an S3 bucket policy. However, users are still able to upload objects without specifying the KMS key. What is the most likely cause?

A.The S3 bucket policy does not include a condition that denies s3:PutObject without the correct encryption
B.The S3 bucket has default encryption enabled with SSE-S3
C.The KMS key policy does not grant the users kms:Encrypt permission
D.The IAM role for the users does not have s3:PutObject permission
AnswerA

The bucket policy must have a deny condition.

Why this answer

Option A is correct because the bucket policy must explicitly deny PutObject when the encryption header does not match the required KMS key. Option C is wrong because a KMS key policy is needed for users to use the key, but the issue here is the bucket policy. Option D is wrong because the users can already upload, so the role's permissions are not the problem; the bucket policy is.

Option B is wrong because S3 default encryption does not force the use of a specific KMS key.

184
MCQeasy

A financial services company uses AWS Glue ETL jobs to process credit card transaction data stored in Amazon S3. The data includes PII such as names and credit card numbers. The security team requires that all PII be masked before the data is written to the curated zone of the data lake. The data engineer has implemented a Glue job that reads from the raw zone, applies a custom transform to mask credit card numbers using a regular expression, and writes to the curated zone. However, during a recent audit, the security team discovered that some masked data still contained partial credit card numbers (e.g., showing the last four digits) when viewed by analysts who should only see masked data. The company's policy is that credit card numbers must be completely masked, showing only asterisks or a fixed string like "XXXX-XXXX-XXXX-XXXX". The Glue job uses a DynamicFrame and applies a Map transform with a Python function that replaces digits with 'X'. The data is stored in Parquet format. What should the data engineer do to ensure complete masking of credit card numbers?

A.Use an AWS Glue crawler to classify the data and apply a masking rule based on the classification.
B.Enable server-side encryption with AWS KMS on the curated S3 bucket.
C.Replace the custom Python Map transform with a built-in Glue Transform for data masking, such as the Mask transform available in Glue Studio.
D.Change the output format from Parquet to CSV and use a different write mode.
AnswerC

Built-in masking transforms are designed to handle common patterns and ensure complete masking.

Why this answer

Option C is correct because AWS Glue provides a built-in Mask transform that can be applied directly in Glue Studio or via the AWS Glue API. This transform is designed to reliably obfuscate sensitive data like credit card numbers by replacing them with a fixed string (e.g., 'XXXX-XXXX-XXXX-XXXX') or asterisks, ensuring complete masking regardless of input format. The custom Python Map transform in the current implementation is error-prone because it relies on a regular expression that may not catch all patterns or partial digits, whereas the Mask transform uses predefined logic to guarantee full masking.

Exam trap

The trap here is that candidates may assume any custom Python logic with a regex is sufficient for masking, but the exam tests the understanding that AWS Glue's built-in Mask transform provides a more reliable and policy-compliant solution for sensitive data obfuscation.

How to eliminate wrong answers

Option A is wrong because an AWS Glue crawler is used for schema discovery and classification, not for applying data masking rules; masking must be performed during ETL processing, not at the crawler level. Option B is wrong because enabling server-side encryption with AWS KMS protects data at rest but does not alter the content of the data; it does not mask or obfuscate credit card numbers, so analysts would still see partial digits. Option D is wrong because changing the output format from Parquet to CSV and using a different write mode has no effect on the masking logic; the custom Python Map transform would still produce the same incomplete masking, and CSV format does not inherently mask data.

185
MCQeasy

A data engineer needs to restrict access to an S3 bucket so that only users from a specific AWS account can read objects. Which S3 bucket policy element should be used?

A.Action
B.Principal
C.Resource
D.Condition
AnswerB

Principal identifies the account or user.

Why this answer

Option B is correct. The Principal element specifies the account or user being granted access. Option A is wrong because Action is the operation.

Option C is wrong because Resource is the bucket. Option D is wrong because Condition can be used but is not the primary element for identifying who is allowed.

186
MCQmedium

A data engineer is designing a data pipeline that processes sensitive financial data. The data must be encrypted at rest and in transit. The pipeline uses Amazon Kinesis Data Streams to ingest data and AWS Lambda to process it. Which combination of actions ensures the data is encrypted in transit? (Select TWO.)

A.Enable TLS for Kinesis Data Streams.
B.Enable Encryption in Transit for the Lambda function's VPC configuration.
C.Enable Server-Side Encryption (SSE-S3) on the S3 bucket used for data storage.
D.Use AWS KMS to encrypt data at rest in Kinesis Data Streams.
E.Encrypt the Lambda function's CloudWatch Logs using KMS.
AnswerA, B

TLS encrypts data in transit between producers and Kinesis.

Why this answer

Option A is correct because enabling TLS for Kinesis Data Streams encrypts data in transit between producers and the stream. Option B is correct because enabling Encryption in Transit for Lambda's VPC configuration ensures TLS is used for Lambda's network connections. Option C is wrong because SSE-S3 encrypts data at rest in S3.

Option D is wrong because SSE-KMS encrypts data at rest in Kinesis. Option E is wrong because CloudWatch Logs encryption is at rest.

187
Multi-Selecteasy

A company needs to audit access to their Amazon S3 buckets. Which TWO services can be used together to achieve this? (Choose two.)

Select 2 answers
A.Amazon Macie
B.Amazon S3 Inventory
C.Amazon CloudWatch Logs
D.AWS Config
E.AWS CloudTrail
AnswersC, E

CloudWatch Logs can store and monitor CloudTrail logs for access patterns.

Why this answer

CloudTrail records S3 API calls, and CloudWatch Logs can be used to store and monitor those logs. Config records configuration changes, not data access. S3 server access logs record object-level access, but the question asks for auditing access; CloudTrail with CloudWatch Logs is a common solution.

S3 Inventory provides metadata, not access logs.

188
Multi-Selecteasy

A company wants to audit API calls made to its Amazon S3 buckets. Which AWS services can be used to achieve this? (Choose TWO.)

Select 2 answers
A.IAM Access Analyzer
B.AWS Config
C.VPC Flow Logs
D.AWS CloudTrail
E.Amazon S3 server access logs
AnswersD, E

CloudTrail can log S3 data events.

Why this answer

Options D and E are correct. AWS CloudTrail can log data events for S3, and S3 server access logs record detailed request information. Option B is wrong because AWS Config tracks configuration changes, not API calls.

Option A is wrong because IAM Access Analyzer reviews resource policies, not API calls. Option C is wrong because VPC Flow Logs capture network traffic, not API calls.

189
MCQhard

A company uses AWS Lake Formation to manage access to data in a data lake. A new data engineer has been granted SELECT permission on a table but receives an 'AccessDeniedException' when querying via Amazon Athena. The table is registered in Lake Formation and the data is encrypted with SSE-KMS. Which of the following is the MOST likely cause?

A.The table's resource-based policy does not include the engineer's IAM role.
B.The S3 bucket policy denies access to the engineer's IAM role.
C.The AWS Glue Data Catalog has not been granted permission to the engineer's role.
D.The IAM role used by Athena does not have kms:Decrypt permission on the KMS key.
AnswerD

Athena must decrypt data with the KMS key, and the IAM role needs kms:Decrypt permission.

Why this answer

Option D is correct because Lake Formation integrates with AWS KMS for encrypted data; the IAM role used by Athena must have kms:Decrypt permission on the KMS key. Option A is wrong because Lake Formation permissions are not passed via a resource-based policy on the table. Option C is wrong because the AWS Glue Data Catalog does not enforce data access by default.

Option B is wrong because S3 bucket policies can block access, but the primary issue with encrypted data is KMS permissions.

190
MCQeasy

A data engineer needs to grant an IAM user read-only access to an S3 bucket named 'data-lake'. Which IAM policy statement should be used?

A.{"Effect":"Allow","Action":["s3:PutObject","s3:DeleteObject"],"Resource":"arn:aws:s3:::data-lake/*"}
B.{"Effect":"Allow","Action":"s3:*","Resource":"*"}
C.{"Effect":"Allow","Action":["s3:ListBucket","s3:GetObject"],"Resource":["arn:aws:s3:::data-lake","arn:aws:s3:::data-lake/*"]}
D.{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::data-lake"}
AnswerC

This grants read-only access to the specific bucket and its objects.

Why this answer

Option C is correct because it allows ListBucket on the bucket and GetObject on its objects. Option B is wrong because it allows all S3 actions on all resources. Option A is wrong because it allows write actions.

Option D is wrong because it only allows ListBucket, not GetObject.

191
MCQmedium

A data engineer is configuring S3 bucket policies to restrict access to a specific VPC. Which condition key should be used in the bucket policy to enforce that requests originate only from the desired VPC?

A.aws:VpcSourceIp
B.aws:SourceVpc
C.aws:RequestedRegion
D.aws:SourceIp
AnswerB

aws:SourceVpc restricts requests to a specific VPC.

Why this answer

Option B is correct because aws:SourceVpc is the condition key used to restrict access to a specific VPC. Option D is wrong because aws:SourceIp is for IP addresses. Option A is wrong because aws:VpcSourceIp is not a valid key.

Option C is wrong because aws:RequestedRegion is for region restriction.

192
MCQmedium

A company uses AWS Glue to process sensitive customer data stored in S3. The security team requires that all data be encrypted at rest using a customer-managed KMS key and that access to the key be auditable. Which solution meets these requirements?

A.Encrypt the data client-side before uploading to S3.
B.Configure the S3 bucket to use SSE-KMS with a customer-managed KMS key and enable CloudTrail for KMS events.
C.Enable default SSE-S3 encryption on the S3 bucket.
D.Use SSE-C with a customer-provided key.
AnswerB

SSE-KMS with customer-managed key provides encryption and auditability via CloudTrail.

Why this answer

Option B is correct because SSE-KMS with a customer-managed key provides encryption with a key whose use is auditable through CloudTrail. Option C (SSE-S3) uses AWS-managed keys with no per-key audit capability. Option A (client-side encryption) is not at-rest encryption within S3.

Option D (SSE-C) does not use KMS keys.

193
MCQhard

A company has a data lake in Amazon S3 with millions of objects. The security team wants to enforce that all objects are encrypted with a specific customer-managed KMS key. The data engineer configures an S3 bucket policy to deny PutObject if the encryption is not set to that key. However, some existing objects are not encrypted with that key. What is the most efficient way to remediate the existing objects?

A.Use S3 Cross-Region Replication to replicate objects to a new bucket with the correct encryption.
B.Write a script using the AWS SDK to iterate over all objects and re-upload them with the correct encryption.
C.Use S3 Batch Operations to copy objects in the same bucket with the new encryption settings.
D.Use S3 Object Lambda to dynamically encrypt objects on read.
AnswerC

Batch Operations can efficiently update encryption for large numbers of objects.

Why this answer

Option C is correct because S3 Batch Operations can copy objects in place with new encryption settings, efficiently updating millions of objects. Option B is wrong because a custom script is inefficient for millions of objects. Option A is wrong because S3 Replication is for cross-region or cross-bucket copying.

Option D is wrong because S3 Object Lambda modifies data on read, not at rest.

194
MCQhard

A company has an AWS Glue ETL job that reads data from an S3 bucket encrypted with SSE-S3. The job runs successfully, but the output written to another S3 bucket with SSE-KMS fails. The IAM role for the Glue job has s3:PutObject and kms:GenerateDataKey permissions. What is the most likely cause?

A.The IAM role is missing kms:Encrypt permission
B.The target S3 bucket policy denies s3:PutObject
C.The KMS key policy does not grant the Glue role kms:GenerateDataKey
D.The source bucket's encryption type is incompatible with the target
AnswerA

Writing with SSE-KMS requires kms:Encrypt.

Why this answer

Option A is correct. Glue needs kms:Encrypt permission to write with SSE-KMS. Option D is wrong because the source bucket's SSE-S3 encryption does not involve KMS and does not affect the write.

Option B is wrong because the S3 bucket policy is not the issue. Option C is wrong because the KMS key policy does need to allow the role, but the role already has GenerateDataKey; a missing Encrypt permission is more likely.

195
MCQhard

A company uses AWS Lake Formation to manage data lake permissions. The data engineer notices that a user with SELECT permission on a table can also query the underlying data in Amazon S3 directly. How can the engineer enforce that access to the S3 data is only through Lake Formation?

A.Use S3 Access Points with a policy that restricts access to only Lake Formation
B.Grant the user permissions only through Lake Formation and remove any IAM policies that allow direct S3 access to the data location
C.Enable S3 Block Public Access on the bucket
D.Change the S3 bucket policy to deny all access except from Lake Formation
AnswerB

This ensures that the user can only access data through Lake Formation, and direct S3 access is blocked.

Why this answer

Registering the S3 location with Lake Formation and using the 'Lake Formation managed' option ensures that IAM policies do not grant direct S3 access. Lake Formation provides fine-grained access control, and by granting only Lake Formation permissions and revoking direct S3 bucket permissions, users cannot bypass Lake Formation. Options A and D do not prevent direct S3 access by a user who still holds IAM permissions to the data location.

Option C is wrong because S3 Block Public Access only blocks public access; it does not stop an authenticated user's direct S3 access.

196
MCQhard

A company is using Amazon EMR to process data stored in Amazon S3. The S3 bucket is configured with a bucket policy that denies access unless the request includes a specific tag. The EMR cluster's IAM role has s3:GetObject permission. However, the EMR job fails to read data from S3. What is the most likely cause?

A.The bucket policy is not attached to the EMR role.
B.The EMR cluster is not in the same account as the S3 bucket.
C.The IAM role does not have a condition that matches the required tag.
D.The EMR role does not have s3:GetObject permission.
AnswerC

The bucket policy requires a tag, and the role must have a matching condition.

Why this answer

The bucket policy denies access unless the request includes a specific tag. Even though the EMR cluster's IAM role has s3:GetObject permission, the IAM role does not have a condition key (e.g., aws:RequestTag) that matches the required tag. Therefore, the request is denied by the bucket policy, causing the EMR job to fail.

Exam trap

AWS often tests the interaction between IAM policies and S3 bucket policies, specifically that a bucket policy with a deny condition can override IAM permissions, and candidates mistakenly think the issue is missing IAM permissions rather than a missing condition in the request.

How to eliminate wrong answers

Option A is wrong because bucket policies are attached to the S3 bucket, not to IAM roles; the policy is already configured on the bucket. Option B is wrong because cross-account access is possible with proper permissions, and the question does not indicate a different account; the failure is due to the tag condition, not account mismatch. Option D is wrong because the question explicitly states the IAM role has s3:GetObject permission, so the failure is not due to missing permission.

197
MCQhard

A company is using Amazon EMR with Kerberos authentication. They want to ensure that data in transit between EMR cluster nodes is encrypted. Which configuration should be applied?

A.Use VPC peering to connect the cluster nodes.
B.Configure the EMR cluster to use in-transit encryption.
C.Enable S3 server-side encryption for the cluster's output data.
D.Enable EBS encryption on the cluster instances.
AnswerB

In-transit encryption uses TLS to protect data between nodes.

Why this answer

Option B is correct because enabling in-transit encryption in Amazon EMR uses TLS to encrypt data between nodes. Option C is incorrect because S3 SSE encrypts data at rest. Option D is incorrect because EBS encryption encrypts data at rest.

Option A is incorrect because VPC peering does not provide encryption; it is a network connectivity feature.

198
MCQeasy

A data engineer needs to audit all AWS KMS key usage in the account. Which AWS service should be used to record KMS API calls?

A.AWS CloudTrail
B.AWS Config
C.Amazon CloudWatch Logs
D.Amazon GuardDuty
AnswerA

CloudTrail records KMS API calls.

Why this answer

Option A is correct because AWS CloudTrail records API calls for KMS. Option C is wrong because CloudWatch Logs stores logs but does not record API calls. Option B is wrong because AWS Config records resource changes, not API calls.

Option D is wrong because Amazon GuardDuty is for threat detection.

199
MCQmedium

A data engineer needs to audit all access to an S3 bucket containing sensitive customer data. The engineer must record the requester, timestamp, action, and whether the access was denied. Which AWS solution meets these requirements?

A.Use AWS Config to record S3 bucket-level configuration changes.
B.Enable VPC Flow Logs for the VPC where the bucket resides.
C.Enable AWS CloudTrail Data Events for the S3 bucket.
D.Enable S3 server access logs for the bucket, storing them in a different bucket.
AnswerD

S3 server access logs provide detailed records of all requests, including requester and access status.

Why this answer

Option D is correct because S3 server access logs capture detailed records of requests made to a bucket, including requester, timestamp, action, and response status. Option C is wrong because CloudTrail logs object-level events only if Data Events are enabled, whereas server access logs are specifically designed for this purpose and are more granular. Option B is wrong because VPC Flow Logs capture network traffic metadata but not application-level S3 operations.

Option A is wrong because AWS Config tracks resource configuration changes, not access requests.

200
MCQhard

A company wants to audit all changes to IAM policies in their AWS account. Which combination of services should be used to achieve this?

A.AWS Config and Amazon SNS
B.AWS CloudTrail and Amazon CloudWatch Logs
C.Amazon CloudWatch Logs and Amazon SNS
D.AWS CloudTrail and Amazon DynamoDB
AnswerB

CloudTrail records IAM API calls and can deliver logs to CloudWatch Logs for monitoring and alerting.

Why this answer

AWS CloudTrail records API calls for IAM policy changes (e.g., PutRolePolicy, PutUserPolicy). Amazon CloudWatch Logs can be the target for CloudTrail logs, and CloudWatch Events (now Amazon EventBridge) can trigger notifications or actions. Option B is correct.

AWS Config records resource configuration changes but not all API calls.

201
MCQhard

A data engineer is setting up an Amazon EMR cluster to process sensitive data. The data is stored in S3 with SSE-S3. The company policy requires that data in transit between the EMR cluster and S3 be encrypted. Which configuration should be used?

A.Enable S3 encryption in transit using TLS
B.Disable encryption and use VPC endpoints
C.Configure EMRFS to use SSE-KMS
D.Use SSE-C for S3 objects
AnswerA

TLS encrypts data in transit between EMR and S3.

Why this answer

Option A is correct because enabling S3 encryption in transit uses TLS to encrypt data between EMR and S3. Option D is wrong because SSE-C encrypts at rest, not in transit. Option C is wrong because EMRFS with SSE-KMS is for at-rest encryption.

Option B is wrong because disabling encryption is not an option.

202
MCQhard

Refer to the exhibit. A data engineer runs this CLI command to investigate a recent change to an S3 bucket policy. What information does the command return?

A.An evaluation of bucket policy compliance
B.The current bucket policy for all buckets
C.A report of all S3 bucket policy changes
D.A list of event IDs for PutBucketPolicy calls
AnswerD

The output includes event IDs, but also other details like user identity and timestamp.

Why this answer

The command uses CloudTrail's `lookup-events` to find all PutBucketPolicy API calls in a 24-hour period. It returns a list of events, each containing details like who made the call, when, and the request parameters. Option B is wrong because the command returns past events, not the current policy for any bucket.

Option A is wrong because the command does not evaluate compliance.

203
MCQhard

A company stores sensitive data in S3 and uses VPC endpoints to access the bucket. They need to ensure that only traffic from their VPC can access the data, and that the traffic cannot leave the AWS network. Which combination of bucket policy and endpoint policy should they use?

A.Use only a bucket policy with aws:SourceIp condition
B.Use an S3 VPC Gateway endpoint and add a bucket policy with aws:SourceVpc condition
C.Use an S3 VPC Interface endpoint and add a bucket policy with aws:SourceVpce condition
D.Use an S3 VPC Gateway endpoint with no bucket policy
AnswerB

Gateway endpoints keep traffic within the AWS network, and the condition restricts access to the VPC.

Why this answer

Option B is correct because using an S3 VPC Gateway endpoint and a bucket policy with an aws:SourceVpc condition restricts traffic to the VPC and keeps it within the AWS network. Option C is wrong because Interface endpoints still use the public internet. Option D is wrong because without a bucket policy nothing restricts access to the VPC.

Option A is wrong because aws:SourceIp does not restrict to a VPC, and a bucket policy alone cannot do so.

204
Multi-Selecthard

A data engineer is configuring an Amazon Redshift cluster for compliance. The cluster must encrypt data at rest and automatically rotate the encryption key every year. Which steps should the engineer take? (Choose THREE.)

Select 3 answers
A.Create the Redshift cluster with encryption enabled.
B.Enable automatic yearly rotation of the KMS key.
C.Configure the Redshift cluster to rotate its encryption key every year.
D.Modify an existing unencrypted cluster to enable encryption.
E.Specify a customer-managed AWS KMS key for encryption.
AnswersA, B, E

Encryption must be enabled at creation.

Why this answer

Options A, B, and E are correct. A: Enable encryption at cluster creation. E: Use a customer-managed KMS key.

B: Enable automatic key rotation for the KMS key. Option D is wrong because encryption cannot be enabled on an existing cluster. Option C is wrong because rotation of the cluster's encryption key is not automatic in Redshift; KMS key rotation handles it.

205
MCQmedium

A company needs to enforce encryption in transit for all data moving between its Amazon S3 bucket and a fleet of Amazon EC2 instances. The data is accessed via S3 API calls over the internet. Which configuration ensures encryption in transit?

A.Enable SSE-S3 on the bucket.
B.Enable S3 Transfer Acceleration.
C.Use a VPC endpoint for S3.
D.Configure the bucket policy to deny requests that do not use HTTPS.
AnswerD

Bucket policy with condition aws:SecureTransport true enforces HTTPS.

Why this answer

Option D is correct because requiring HTTPS for S3 API calls ensures encryption in transit. Option A is wrong because SSE-S3 encrypts data at rest, not in transit. Option C is wrong because a VPC endpoint uses the AWS network but does not enforce encryption; HTTPS must still be used.

Option B is wrong because Transfer Acceleration speeds up transfers; it does not by itself enforce HTTPS.

206
Multi-Selectmedium

A company is building a data pipeline that ingests sensitive customer data from an on-premises database into Amazon S3 using AWS DMS. The data must be encrypted at rest in S3 and in transit. The security team requires that the encryption keys be managed by the company (not AWS). Which TWO actions should the data engineer take to meet these requirements? (Choose TWO.)

Select 2 answers
A.Enable encryption at rest using the default DMS encryption settings.
B.Configure the S3 bucket to use server-side encryption with AWS KMS (SSE-KMS) using a customer managed key.
C.Configure the S3 bucket to use server-side encryption with S3 managed keys (SSE-S3).
D.Enable SSL/TLS encryption on the DMS source and target endpoints.
E.Create an AWS KMS key and use it in the DMS endpoint to encrypt data in transit.
AnswersB, D

Customer managed keys allow the company to control the keys.

Why this answer

Option B is correct because SSE-KMS with a customer managed key allows the company to control the encryption keys used for S3 server-side encryption, meeting the requirement that keys be managed by the company, not AWS. Option D is correct because enabling SSL/TLS on both the DMS source and target endpoints ensures data is encrypted in transit between the on-premises database and AWS DMS, and between DMS and S3, satisfying the in-transit encryption requirement.

Exam trap

The trap here is that candidates often confuse encryption at rest with encryption in transit, and mistakenly think that KMS keys can be used for both, or that default DMS encryption or SSE-S3 satisfies the customer-managed key requirement.

207
MCQhard

A data engineer runs an AWS Glue ETL job that reads from a table in the AWS Glue Data Catalog. The job fails with the error shown. The IAM role used by the Glue job has the following policy attached: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "glue:GetTable", "glue:GetDatabase" ], "Resource": "*" } ] } What should be added to the IAM role's policy to resolve the error?

A.s3:GetObject on the underlying S3 bucket
B.glue:GetTable on the specific table resource
C.lakeformation:GetDataAccess on the table resource
D.kms:Decrypt on the KMS key
AnswerC

This permission is required to access tables governed by Lake Formation.

Why this answer

Option C is correct. Lake Formation requires lakeformation:GetDataAccess permission on the table. Option A is wrong because the error is about Lake Formation, not S3.

Option B is wrong because the role already has glue:GetTable. Option D is wrong because kms:Decrypt is not indicated.

208
MCQhard

A financial services company uses a multi-account AWS Organization with hundreds of accounts. The data engineering team needs to enable cross-account access to an encrypted S3 bucket in the data lake account (account ID 111111111111) for a Glue ETL job running in the analytics account (account ID 222222222222). The S3 bucket uses AWS KMS customer managed key (CMK) for server-side encryption (SSE-KMS). The Glue job fails with an AccessDenied error when trying to read data from the bucket. The IAM roles in both accounts have the necessary S3 permissions and the bucket policy allows access from the analytics account. What is the most likely cause of the failure?

A.The KMS key policy does not grant the analytics account's IAM role permission to use the key for decryption.
B.The S3 bucket is in a different region than the Glue job.
C.The Glue job does not have an IAM role assigned.
D.The S3 bucket policy does not allow the s3:GetObject action for the analytics account's IAM role.
AnswerA

Cross-account access to SSE-KMS encrypted objects requires the key policy to allow the decrypt action for the external principal.

Why this answer

The Glue job fails because the KMS key policy does not grant the analytics account's IAM role permission to use the key for decryption. S3 permissions alone are insufficient when SSE-KMS is used; the key policy must explicitly allow the decrypt action for the cross-account principal.

209
MCQhard

A company uses Amazon DynamoDB to store session data. The security team requires that all data be encrypted at rest using a customer-managed KMS key. The data engineer has enabled DynamoDB encryption with a customer-managed key. However, the security team notices that the key is not being used for all tables; some tables still use the default AWS-managed key. The engineer needs to ensure that all new tables are automatically encrypted with the customer-managed key. The company has hundreds of developers who create tables using various methods (console, CLI, SDK, CloudFormation). What is the most efficient way to enforce this policy?

A.Create a CloudFormation template that all developers must use to create tables.
B.Attach an SCP to deny creating DynamoDB tables without the customer-managed key.
C.Use an AWS Config rule to check for tables not using the customer-managed key and trigger auto-remediation.
D.Update the company's internal documentation and require all developers to specify the KMS key in their code.
AnswerC

Config can detect and remediate non-compliant resources.

Why this answer

Option C is correct because AWS Config rules can evaluate whether DynamoDB tables use customer-managed KMS keys and take remediation actions. Option D is wrong because it relies on every developer updating their code. Option A is wrong because CloudFormation templates can be bypassed.

Option B is wrong because SCPs cannot enforce encryption configuration for DynamoDB.

210
MCQmedium

A company uses AWS Lake Formation to manage data lake permissions. A data analyst is unable to query a table in the data lake using Amazon Athena. The table is registered in Lake Formation, and the analyst has SELECT permission granted via Lake Formation. What is the most likely reason for the failure?

A.Athena is configured to use encryption in transit
B.The IAM role used by Athena does not have necessary Lake Formation permissions
C.The S3 bucket policy does not grant access to the analyst's IAM role
D.The table is not registered in the AWS Glue Data Catalog
AnswerB

Athena needs permissions to call Lake Formation APIs.

Why this answer

Option B is correct because Lake Formation integrates with Athena, and the IAM role assumed by Athena must have the necessary Lake Formation permissions. Option C is wrong because Lake Formation permissions are separate from S3 bucket policies. Option D is wrong because Data Catalog permissions are managed by Lake Formation.

Option A is wrong because enabling encryption in transit is not required for access.

211
MCQeasy

Refer to the exhibit. An IAM policy includes the above statement to allow decryption of a KMS key under specific conditions. What does this policy allow?

A.Decrypt any data encrypted with any KMS key
B.Decrypt data that was encrypted with the encryption context {"aws:pi":"db-123"}
C.Encrypt data with the KMS key using the specified encryption context
D.Decrypt data encrypted with the KMS key without any encryption context
Answer: B

The condition matches that context.

Why this answer

Option B is correct because the policy allows decryption only when the encryption context contains the key "aws:pi" with the value "db-123". Option D is wrong because the condition requires a specific encryption context value. Option C is wrong because the action is Decrypt, not Encrypt.

Option A is wrong because, although the resource is "*" rather than a specific key, the encryption context condition still restricts what can be decrypted.

212
MCQ · easy

A data engineer needs to ensure that all data in an S3 bucket is encrypted at rest. The bucket currently contains unencrypted objects from past uploads. Which action will encrypt these existing objects without re-uploading them?

A.Attach a bucket policy requiring SSE-S3
B.Enable default encryption on the bucket
C.Use the S3 console to select all objects and apply encryption
D.Use S3 Batch Operations with an encryption job
Answer: D

S3 Batch Operations can apply encryption to existing objects.

Why this answer

Option D is correct because S3 Batch Operations can apply SSE-S3 or SSE-KMS to existing objects. Option B is wrong because default encryption only applies to new objects. Option A is wrong because bucket policies do not retroactively encrypt.

Option C is wrong because the S3 console does not batch-encrypt existing objects.

213
MCQ · hard

A company has an AWS Glue ETL job that reads data from an S3 bucket, transforms it, and writes to another S3 bucket. The security team requires that data in transit between the Glue job and S3 be encrypted using TLS. The Glue job runs in a VPC with a VPC endpoint for S3. Which configuration ensures TLS encryption for all data transfer?

A.Use an S3 Gateway Endpoint and ensure the Glue job uses HTTP instead of HTTPS.
B.Use an S3 Interface Endpoint and disable TLS.
C.Use an S3 Gateway Endpoint and ensure the Glue job uses HTTPS.
D.Enable SSE-KMS encryption on both source and destination S3 buckets.
Answer: C

The Gateway Endpoint keeps traffic on the AWS network, and HTTPS ensures TLS.

Why this answer

For S3 VPC endpoints, traffic is encrypted via TLS by default when using Gateway Endpoints. Option C is correct. Option A is wrong because HTTPS is the default protocol for S3 API calls.

Option D is wrong because encryption in transit is independent of KMS. Option B is wrong because interface endpoints also support TLS, but Gateway Endpoints are sufficient.

214
MCQ · easy

A company wants to centrally manage access to multiple AWS accounts for its data engineers. The company already uses AWS Organizations. Which AWS service should be used to define fine-grained permissions across accounts?

A.AWS IAM
B.AWS IAM Identity Center (AWS Single Sign-On)
C.AWS Resource Access Manager (AWS RAM)
D.AWS Key Management Service (AWS KMS)
Answer: B

IAM Identity Center provides centralized access management across accounts.

Why this answer

Option B is correct because AWS IAM Identity Center (formerly AWS SSO) allows central management of permissions across accounts. Option A is wrong because IAM is per-account. Option C is wrong because AWS RAM shares resources, not permissions.

Option D is wrong because AWS KMS manages encryption keys.

215
MCQ · hard

A financial services company uses AWS KMS to encrypt data in Amazon S3. The compliance team requires that all encryption keys be rotated automatically every 365 days. The data engineer needs to implement this requirement without manual intervention. Which solution meets the requirement with the LEAST operational overhead?

A.Create a customer managed key (CMK) in KMS with automatic rotation enabled every 365 days. Use this CMK to encrypt S3 objects.
B.Create a customer managed key with imported key material and configure a Lambda function to rotate the key every 365 days.
C.Use the AWS managed key for Amazon S3 (aws/s3) for server-side encryption.
D.Use S3 server-side encryption with S3 managed keys (SSE-S3).
Answer: C

AWS managed keys are automatically rotated every year with no operational overhead.

Why this answer

Option C is correct because the AWS managed key for Amazon S3 (aws/s3) is automatically rotated by AWS every 365 days (or less) with no configuration or maintenance required. This satisfies the compliance requirement with zero operational overhead, as the rotation is handled entirely by the AWS KMS service without any manual intervention or custom automation.

Exam trap

The trap here is that candidates often assume customer managed keys (CMK) with automatic rotation are the only way to meet a specific rotation interval, overlooking that AWS managed keys already rotate on a 365-day schedule and require zero configuration, making them the least overhead solution.

How to eliminate wrong answers

Option A is wrong because customer managed keys (CMKs) with automatic rotation have a default rotation period of 365 days, but enabling automatic rotation requires manual activation and does not meet the 'least operational overhead' requirement compared to using an AWS managed key. Option B is wrong because using imported key material disables automatic rotation in KMS, requiring a custom Lambda function to manually rotate the key, which introduces significant operational overhead and complexity. Option D is wrong because SSE-S3 uses S3 managed keys (Amazon S3-managed keys) that are rotated automatically, but the rotation frequency is not guaranteed to be exactly every 365 days and is not configurable; the compliance team specifically requires a 365-day rotation interval, which is not a documented behavior of SSE-S3.

216
MCQ · easy

A company uses Amazon Redshift for data warehousing. The security team requires that all data in transit between the Redshift cluster and clients be encrypted. Which feature should be enabled?

A.Client-side VPN
B.SSL/TLS encryption
C.AWS KMS key
D.VPC peering
Answer: B

Redshift supports SSL/TLS for encrypting client connections.

Why this answer

Option B is correct because Redshift supports SSL/TLS encryption for client connections. Option A is wrong because Redshift doesn't use a VPN. Option D is wrong because VPC peering does not encrypt.

Option C is wrong because KMS encrypts data at rest.

217
Multi-Select · hard

A company uses Amazon Redshift for data warehousing. The security team requires that all queries be logged for audit and that sensitive columns be masked for non-privileged users. Which THREE steps should the data engineer take? (Choose 3)

Select 3 answers
A.Implement row-level security using Redshift's row-level security feature.
B.Enable audit logging on the Redshift cluster.
C.Enable CloudTrail logging for Redshift data events.
D.Use IAM roles to restrict access to specific columns.
E.Create views that expose only non-sensitive columns and grant access to those views.
Answers: A, B, E

Row-level security filters rows based on user.

Why this answer

Options A, B, and E are correct. Option B: audit logging captures queries. Option E: column-level access control can be achieved with views.

Option A: row-level security filters rows. Option D is wrong because IAM roles do not control column access. Option C is wrong because CloudTrail does not log queries.

218
MCQ · hard

A company uses Amazon RDS for PostgreSQL to store financial data. The security team requires that all database connections be encrypted in transit and that the database audit logs be stored in Amazon S3 for at least 7 years. Which steps should the data engineer take to meet these requirements?

A.Enable encryption at rest using AWS KMS, and configure the RDS instance to publish logs to an S3 bucket with a lifecycle policy
B.Configure the DB security group to allow only TLS connections, and set up AWS CloudTrail to log all database queries
C.Use an SSL certificate from AWS Certificate Manager (ACM) and attach it to the RDS instance, and stream logs to Amazon Kinesis Data Firehose with S3 destination
D.Set the `rds.force_ssl` parameter to 1 in the DB parameter group, and export RDS audit logs to Amazon CloudWatch Logs with a subscription to Amazon S3
Answer: D

Forces TLS and enables long-term storage.

Why this answer

Option D is correct because setting the `rds.force_ssl` parameter to 1 forces TLS connections, and exporting logs to CloudWatch Logs with an export to S3 provides long-term retention. Option C is wrong because the Kinesis Data Firehose pipeline is not needed for retention. Option A is wrong because KMS encryption does not ensure TLS.

Option B is wrong because CloudTrail does not capture database audit logs.

219
MCQ · easy

A data engineer needs to ensure that all data stored in an S3 bucket is encrypted at rest. Which S3 bucket policy condition key should be used to enforce encryption using AWS KMS?

A.s3:x-amz-server-side-encryption
B.kms:EncryptionContext
C.s3:x-amz-acl
D.s3:x-amz-server-side-encryption-aws-kms-key-id
Answer: D

This condition key enforces the use of a specific KMS key.

Why this answer

Option D is correct because the s3:x-amz-server-side-encryption-aws-kms-key-id condition key can be used to require a specific KMS key. Option A is wrong because s3:x-amz-server-side-encryption only checks for encryption, not the specific key. Option B is wrong because kms:EncryptionContext is for KMS-level conditions.

Option C is wrong because s3:x-amz-acl is for access control lists.

220
MCQ · hard

A company uses AWS Lake Formation to manage data lakes on Amazon S3. The data engineer needs to grant a data analyst access to query specific columns in a table using Amazon Athena, but deny access to columns containing personally identifiable information (PII). Which Lake Formation feature should be used?

A.Row-level security filters.
B.Column-level permissions in Lake Formation.
C.Tag-based access control with Lake Formation tags.
D.Cell-level security with AWS Glue.
Answer: B

Column-level permissions allow granting access to specific columns and denying others.

Why this answer

Lake Formation column-level permissions allow granting access to specific columns and denying access to others. Option B is correct. Row-level security is for rows, not columns.

Cell-level is not supported. Tag-based access control is for resources, not fine-grained column access.

221
MCQ · easy

A data engineer needs to ensure that an Amazon Redshift cluster only accepts encrypted connections. Which parameter should be modified?

A.enable_user_activity_logging
B.max_concurrency_scaling_clusters
C.require_SSL
D.wlm_json_configuration
Answer: C

This parameter enforces SSL connections.

Why this answer

Option C is correct. The require_SSL parameter enforces SSL connections. Option A is wrong because enable_user_activity_logging is for auditing.

Option B is wrong because max_concurrency_scaling_clusters is for concurrency. Option D is wrong because wlm_json_configuration is for workload management.

222
Multi-Select · hard

A data engineer is designing a data lake on Amazon S3 with AWS Lake Formation. The data lake contains personally identifiable information (PII). The company has a policy that only users who have completed data privacy training can access the PII data. The training status is stored in an external identity provider (IdP) as an attribute. The data engineer needs to enforce this policy using Lake Formation. Which THREE steps should the data engineer take? (Choose THREE.)

Select 3 answers
A.Create an LF-tag called 'trainingCompleted' with values 'true' and 'false'. Grant 'SELECT' permission on the LF-tag 'trainingCompleted=true' to the federated users.
B.Configure SAML-based federation between the IdP and AWS to pass the training status attribute in the SAML assertion.
C.Create a column-level filter on the PII columns that limits access based on the user's training attribute.
D.Create an IAM role for each user and attach a policy that allows 'lakeformation:GetDataAccess' only if the user has the training attribute.
E.Associate the LF-tag 'trainingCompleted=true' with the PII columns in the tables.
Answers: A, B, E

This allows users with the tag to access data associated with that tag.

Why this answer

Option A is correct because LF-tags allow Lake Formation to manage access based on metadata attributes. By creating an LF-tag 'trainingCompleted' with values 'true' and 'false', and granting SELECT permission on the tag value 'true' to federated users, the data engineer can enforce that only users with the training attribute can access the tagged resources. This approach decouples access control from IAM roles and leverages tag-based authorization, which is the recommended method for attribute-based access control (ABAC) in Lake Formation.

Exam trap

The trap here is that candidates often confuse column-level filters (Option C) with tag-based access control, not realizing that column-level filters cannot dynamically evaluate external IdP attributes, whereas LF-tags with SAML assertions can enforce attribute-based policies.

223
MCQ · hard

A data engineer uses the AWS CLI to list KMS keys and describe one. The output shows two keys. The described key has KeyState 'Enabled' and Origin 'AWS_KMS'. Which statement is true about this key?

A.The key is a KMS managed key that is enabled and ready for use
B.The key material was imported from an external source
C.The key is scheduled for deletion
D.The key is disabled and cannot be used
Answer: A

Origin 'AWS_KMS' and KeyState 'Enabled' indicate it is a managed, enabled key.

Why this answer

Option A is correct. The key has Origin 'AWS_KMS', which means it is a KMS managed key (not imported). The KeyState 'Enabled' means it can be used for encryption and decryption.

Option B is incorrect because the key material is not imported (Origin 'AWS_KMS'). Option D is incorrect because the key is not disabled. Option C is incorrect because the key is not pending deletion.

224
MCQ · easy

A data engineer is setting up an Amazon RDS for MySQL database. The compliance team requires that all data at rest be encrypted. What must the engineer do to enable encryption for this database?

A.Specify an AWS KMS key when launching the DB instance
B.Enable encryption after the DB instance is created by modifying the DB instance
C.Use AWS Secrets Manager to store the encryption key and attach it to the DB instance
D.Encrypt the underlying EBS volumes after the instance is created
Answer: A

Encryption must be enabled at launch by choosing a KMS key.

Why this answer

Encryption at rest for Amazon RDS can only be enabled at launch time. After creation, you cannot enable encryption; you must create a new encrypted instance and migrate data.

225
Matching · medium

Match each AWS networking concept to its definition.


Concepts
Matches

Virtual private cloud isolated network

Segment of VPC IP address range

Stateful firewall for instances

Stateless firewall for subnets

Enables VPC to internet communication

Why these pairings

Networking fundamentals for AWS.
