CCNA Data Security and Governance Questions

33 of 333 questions · Page 5/5 · Data Security and Governance · Answers revealed

301
Multi-Select · easy

A company must comply with a regulation that requires logging all access to sensitive data stored in Amazon S3. Which AWS services can be used to capture and store access logs? (Choose TWO.)

Select 2 answers
A.AWS Config
B.Amazon CloudWatch Logs
C.AWS CloudTrail
D.Amazon S3 server access logs
E.VPC Flow Logs
Answers: C, D

CloudTrail records S3 API calls; server access logs record every request made to the bucket.

Why this answer

Options C and D are correct. AWS CloudTrail logs S3 API calls: bucket-level management events by default, and object-level calls such as GetObject and PutObject once data events are enabled for the bucket. Amazon S3 server access logs deliver best-effort, per-request records (remote IP, requester, operation, key, HTTP status and error code) to a separate logging bucket, which is what an auditor usually wants to see alongside the CloudTrail record.

Option A is wrong because AWS Config tracks configuration changes, not access. Option B is wrong because Amazon CloudWatch Logs can receive logs but does not generate S3 access logs itself. Option E is wrong because VPC Flow Logs capture network traffic metadata, not S3 requests.

302
MCQ · easy

A company uses Amazon QuickSight for data visualization. The data engineer needs to ensure that users can only see data relevant to their department. The data is stored in Amazon S3 and is accessed via SPICE. The engineer has created datasets in QuickSight and wants to implement row-level security (RLS). The dataset contains a column 'Department' that indicates which department a row belongs to. The engineer has configured RLS rules using a separate permissions dataset. However, users report that they can see all rows, not just their department's rows. What is the most likely reason?

A.The RLS permissions dataset is not correctly configured to map users to department values.
B.The 'Department' column is not included in the dataset.
C.The users have been granted admin access to the QuickSight dashboard.
D.The SPICE dataset does not support row-level security.
Answer: A

RLS needs a permissions dataset that maps each user or group to the Department values it may see.

Why this answer

Option A is correct because QuickSight RLS is driven by a separate permissions dataset whose UserName or GroupName column maps principals to allowed values of the restricted column. If that dataset is not actually applied to the analysis dataset, or the user names or the column name in it do not match, no filtering takes place and users see every row. (The opposite symptom also points at the mapping: a user with no matching row in an applied permissions dataset sees no rows at all.) Option B is wrong because the 'Department' column is present in the dataset.

Option C is wrong because RLS is applied at the dataset level, not the dashboard level, and dashboard permissions do not lift it. Option D is wrong because SPICE datasets support RLS.

303
MCQ · hard

A company uses AWS Lake Formation to manage data lake permissions. A data engineer notices that a user can query tables in Athena even though the user does not have SELECT permission on the table in Lake Formation. What could be the cause?

A.The user is using Redshift Spectrum
B.The user has S3 permissions to read the underlying data
C.The user has an IAM policy that allows Athena access
D.The IAMAllowedPrincipals group has been granted Super permission on the database
Answer: D

While IAMAllowedPrincipals holds Super on the database, Lake Formation falls back to IAM-only authorization and its table grants are not enforced.

Why this answer

Option D is correct. IAMAllowedPrincipals is the backward-compatibility group that Lake Formation grants by default on existing catalog resources. As long as it holds permissions on a database or table, any principal whose IAM policy allows Glue and S3 access can read the data, and the missing SELECT grant is never consulted. To make the Lake Formation grants authoritative, revoke Super from IAMAllowedPrincipals on the database and its tables and turn off the "use only IAM access control" defaults in the data lake settings. Option A is wrong because switching the query engine to Redshift Spectrum does not bypass Lake Formation. Option B is wrong because S3 read permission alone does not let Athena query a table whose location is registered with Lake Formation; it only becomes sufficient once the IAMAllowedPrincipals fallback is in play.

Option C is wrong because an IAM policy that allows the Athena API is not sufficient without Lake Formation permissions on the table.

304
MCQ · hard

A company uses Redshift for analytics. The security team requires that all queries be logged and that any access to sensitive columns be blocked for non-admin users. Which combination of features should the data engineer implement?

A.Enable Redshift audit logging and create views that expose only non-sensitive columns, granting access to views.
B.Use Redshift row-level security and enable CloudTrail logging.
C.Enable CloudWatch Logs for Redshift and use IAM conditions to block sensitive columns.
D.Enable Redshift audit logging and use IAM policies to restrict column access.
Answer: A

Views can restrict the columns a user sees, and audit logging captures the queries they run.

Why this answer

Option A is correct because Redshift audit logging (the connection, user and user activity logs, delivered to S3 or CloudWatch Logs) records every query, and a view that projects only the non-sensitive columns, with SELECT granted on the view and not on the base table, keeps non-admin users away from the sensitive columns. Two practical notes: the user activity log, which is the one that contains the query text, is only written when the enable_user_activity_logging cluster parameter is true; and Redshift also supports column-level GRANT and REVOKE directly on tables, which achieves the same goal without a view. Option B is wrong because row-level security filters rows, not columns, and CloudTrail records calls to the Redshift service API, not SQL statements run over a JDBC/ODBC connection. Option C is wrong because IAM conditions cannot reference Redshift columns.

Option D is wrong because IAM policies do not control column-level access inside Redshift.

305
MCQ · medium

Refer to the exhibit. Exhibit: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/DataEngineer" }, "Action": [ "kms:Decrypt", "kms:ReEncrypt*" ], "Resource": "*" } ] } A data engineer tries to encrypt data using the KMS key associated with this key policy and receives an access denied error. What is the cause?

A.The principal is an IAM role, which is not allowed
B.There is an explicit deny in the policy
C.The Resource element is set to "*", which is invalid for KMS key policies
D.The policy does not include kms:Encrypt action
Answer: D

The key policy grants Decrypt and ReEncrypt* but not Encrypt.

Why this answer

Option D is correct. The policy allows the DataEngineer role to call kms:Decrypt and any kms:ReEncrypt* action, but an Encrypt call needs kms:Encrypt (and a caller that produces data keys for envelope encryption needs kms:GenerateDataKey*), neither of which is listed, so KMS returns AccessDeniedException: an implicit deny from a missing Allow. Option A is wrong because an IAM role is a valid principal in a key policy.

Option B is wrong because there is no explicit Deny in the policy. Option C is wrong because in a key policy "Resource": "*" is the normal form and means the key the policy is attached to.

306
MCQ · easy

A company wants to ensure that all S3 buckets are encrypted using server-side encryption. Which AWS service can be used to automatically remediate non-compliant buckets?

A.AWS CloudTrail
B.Amazon Inspector
C.AWS Trusted Advisor
D.AWS Config
Answer: D

AWS Config can evaluate compliance and automatically remediate resources.

Why this answer

Option D is correct. AWS Config can use managed rules such as s3-bucket-server-side-encryption-enabled to evaluate each bucket and, through a remediation action backed by an SSM Automation document (for example AWS-EnableS3BucketEncryption) or a Lambda function, fix non-compliant buckets automatically. Option A is wrong because CloudTrail only records API activity. Option B is wrong because Amazon Inspector scans workloads for vulnerabilities, not bucket configuration. Option C is wrong because Trusted Advisor reports findings but does not remediate them.

307
MCQ · easy

A data engineer is configuring AWS Glue jobs to access data stored in Amazon S3. The data is encrypted using server-side encryption with AWS KMS (SSE-KMS). The Glue job needs to read and write data to the S3 bucket. Which IAM policy statement should be added to the Glue job's IAM role to allow it to use the KMS key?

A.{"Effect":"Allow","Action":["kms:Decrypt"],"Resource":"*"}
B.{"Effect":"Allow","Action":["kms:Decrypt","kms:GenerateDataKey"],"Resource":"*"}
C.{"Effect":"Allow","Action":["kms:Decrypt","kms:ReEncrypt"],"Resource":"*"}
D.{"Effect":"Allow","Action":["kms:Decrypt","kms:Encrypt"],"Resource":"*"}
Answer: B

These actions allow reading (Decrypt) and writing (GenerateDataKey) encrypted data.

Why this answer

To read and write data encrypted with SSE-KMS, AWS Glue needs both `kms:Decrypt` (to read existing encrypted data) and `kms:GenerateDataKey` (to create a new data key for writing encrypted data). `kms:GenerateDataKey` is required because S3 uses a data key to encrypt objects, and the caller must generate that key via KMS. Option B correctly includes both actions, allowing the Glue job to perform read and write operations on the SSE-KMS encrypted bucket.

Exam trap

The trap here is that candidates often assume `kms:Encrypt` is needed for writing encrypted data, but S3 SSE-KMS actually requires `kms:GenerateDataKey` because the encryption is done with a derived data key, not by calling `kms:Encrypt` directly.

How to eliminate wrong answers

Option A is wrong because it only grants `kms:Decrypt`, which allows reading encrypted data but not writing new encrypted objects; writing requires `kms:GenerateDataKey` to create the encryption key. Option C is wrong because `kms:ReEncrypt` is used for re-encrypting data under a different KMS key, which is not needed for standard S3 read/write operations with SSE-KMS. Option D is wrong because `kms:Encrypt` is used to encrypt plaintext data directly with a KMS key, but S3 SSE-KMS requires `kms:GenerateDataKey` (not `kms:Encrypt`) to obtain a data key for object-level encryption.

308
MCQ · easy

A media company stores video files in an Amazon S3 bucket. The bucket policy allows access only from a specific VPC. The company has enabled S3 Server Access Logs to monitor access. Recently, the security team found that some requests were coming from an IP address outside the allowed VPC. They suspect that the bucket policy may have an incorrect condition. What should they check first?

A.Verify that the bucket policy uses the 'aws:SourceVpc' condition key with the correct VPC ID.
B.Review the S3 Server Access Logs to identify the source IP addresses.
C.Ensure that the IAM role used by the application has the correct permissions.
D.Check if the bucket policy allows public access.
Answer: A

The aws:SourceVpc condition key restricts access to requests that reach S3 from the named VPC through an S3 VPC endpoint.

Why this answer

Option A is correct. A VPC restriction in a bucket policy normally takes the form of a Deny statement with "StringNotEquals": {"aws:SourceVpc": "<vpc id>"} (or aws:SourceVpce to pin one specific endpoint). The usual mistakes that let outside traffic through are using aws:SourceVpce with a VPC ID, putting the condition only on an Allow statement (which does not revoke access granted elsewhere), or simply a wrong VPC ID, so the condition key and its value are the first thing to check. Note that aws:SourceVpc is only present on requests that traverse an S3 VPC endpoint; a request over the public internet carries no such key, which is exactly why the negated StringNotEquals form is used to deny it. Option B is wrong because the team has already reviewed the access logs; that is how the outside IP address was found.

Option C is wrong because the application's IAM permissions do not explain why a request from outside the VPC was served. Option D is wrong because public access would affect every source, and the evidence points at a broken condition rather than a missing restriction.
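Both Q301 (what S3 server access logs record) and Q308 (hunting for requests that arrived from outside the allowed VPC) come down to reading those logs. The following is an added example, not code from the question set or from AWS: a small parser for the S3 server access log format that extracts the documented fields, flags requests from outside an allowed address range, and, more usefully for Q308, isolates the ones S3 actually served with a 2xx, since those are the requests the bucket policy's condition failed to deny. The sample log lines, bucket name, ARNs and the 10.0.0.0/8 range are constructed for illustration; substitute the ranges your VPC traffic really appears from.

```python
import ipaddress
import re

# Constructed sample lines in the Amazon S3 server access log layout (not real traffic).
# host_id values are placeholders; the field order follows S3's documented format.
SAMPLE_LOG = """\
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be videos-prod [06/Feb/2024:10:15:31 +0000] 10.0.12.34 arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc 3E57427F3EXAMPLE REST.GET.OBJECT clip001.mp4 "GET /videos-prod/clip001.mp4 HTTP/1.1" 200 - 1048576 1048576 25 24 "-" "aws-sdk-go/1.44" - HOSTIDEXAMPLE1 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader videos-prod.s3.us-east-1.amazonaws.com TLSv1.2 - -
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be videos-prod [06/Feb/2024:10:16:02 +0000] 203.0.113.77 - 7B4A0FABBEXAMPLE REST.GET.OBJECT clip001.mp4 "GET /videos-prod/clip001.mp4 HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/8.4.0" - HOSTIDEXAMPLE2 - ECDHE-RSA-AES128-GCM-SHA256 - videos-prod.s3.us-east-1.amazonaws.com TLSv1.2 - -
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be videos-prod [06/Feb/2024:10:17:45 +0000] 198.51.100.9 arn:aws:iam::123456789012:user/contractor 8C2B1E9AAEXAMPLE REST.GET.OBJECT clip002.mp4 "GET /videos-prod/clip002.mp4 HTTP/1.1" 200 - 524288 524288 18 17 "-" "aws-cli/2.15" - HOSTIDEXAMPLE3 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader videos-prod.s3.us-east-1.amazonaws.com TLSv1.2 - -
"""

# One token is a [bracketed time], a "quoted string", or a run of non-whitespace.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

FIELDS = (
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turn_around_time", "referrer", "user_agent",
    "version_id", "host_id", "signature_version", "cipher_suite",
    "authentication_type", "host_header", "tls_version", "access_point_arn",
    "acl_required",
)


def parse_line(line):
    """Split one access-log line into a dict keyed by the documented field names.
    Bracketed timestamps and quoted request/referrer/user-agent fields stay intact."""
    tokens = _TOKEN.findall(line)
    rec = dict(zip(FIELDS, tokens))
    rec["time"] = rec["time"].strip("[]")
    for quoted in ("request_uri", "referrer", "user_agent"):
        rec[quoted] = rec[quoted].strip('"')
    rec["http_status"] = int(rec["http_status"])
    rec["anonymous"] = rec["requester"] == "-"   # "-" means an unauthenticated request
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def external_requests(records, allowed_cidrs):
    """Records whose remote_ip falls outside every allowed CIDR."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [r for r in records
            if not any(ipaddress.ip_address(r["remote_ip"]) in n for n in nets)]


def served_from_outside(records, allowed_cidrs):
    """External requests that S3 answered with 2xx. Each one is evidence that the
    bucket policy's VPC/IP condition did not deny what it was meant to deny;
    a 403 from outside means the policy worked."""
    return [r for r in external_requests(records, allowed_cidrs)
            if 200 <= r["http_status"] < 300]


if __name__ == "__main__":
    for r in served_from_outside(parse_log(SAMPLE_LOG), ["10.0.0.0/8"]):
        print(f'{r["time"]} {r["remote_ip"]} {r["requester"]} '
              f'{r["operation"]} {r["key"]} -> {r["http_status"]}')
```

Run against the constructed sample, only the third line is reported: an authenticated IAM user outside the allowed range who was served the object, which is the Q308 symptom. The second line is an anonymous request that was correctly refused, so it never appears in the "served" list even though it is external.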

309
MCQ · medium

A data engineer needs to ensure that an S3 bucket is encrypted at rest using AWS KMS. The bucket policy must allow only a specific IAM role to access the bucket and enforce encryption in transit. Which combination of bucket policy statements should be used?

A.Use kms:ViaService: s3.*.amazonaws.com and aws:SecureTransport: true
B.Use s3:x-amz-server-side-encryption: AES256 and aws:SecureTransport: true
C.Use s3:x-amz-server-side-encryption-aws-kms-key-id and aws:SourceIp
D.Use kms:EncryptionContext: service:s3 and aws:SecureTransport: true
Answer: A

This pairs a KMS-specific condition with a TLS requirement.

Why this answer

Option A is the intended answer because it is the only option that combines a condition tied to KMS usage with aws:SecureTransport, which, in a Deny statement with "Bool": {"aws:SecureTransport": "false"}, rejects plaintext HTTP requests. Note where each key actually lives: kms:ViaService is a KMS key policy condition that restricts the key to calls made through a service such as s3.<region>.amazonaws.com, while the bucket-policy keys that force SSE-KMS on uploads are s3:x-amz-server-side-encryption (must equal aws:kms) and s3:x-amz-server-side-encryption-aws-kms-key-id (to pin a specific key). Restricting the bucket to one IAM role is done with the Principal element (or a Deny conditioned on aws:PrincipalArn), not with any of the condition keys listed. Option B is wrong because AES256 selects SSE-S3, not KMS. Option C is wrong because aws:SourceIp restricts source addresses and says nothing about encryption in transit.

Option D is wrong because kms:EncryptionContext is a KMS condition on the encryption context of a KMS call, not an S3 bucket policy control for forcing encryption.

310
MCQ · hard

A company uses AWS Glue to process data from Amazon S3. The data contains personally identifiable information (PII). The data engineer needs to automatically detect and mask PII fields before the data is loaded into Amazon Redshift. Which combination of AWS services should be used?

A.Amazon Macie and AWS Glue
B.Amazon CloudWatch Logs and AWS Lambda
C.Amazon S3 Object Lambda and AWS Glue
D.AWS IAM Access Analyzer and AWS Glue
Answer: A

Macie discovers the PII; the Glue job masks it before writing to Redshift.

Why this answer

Option A is correct. Amazon Macie runs sensitive data discovery jobs over the S3 objects and reports which fields contain PII; the Glue ETL job then applies the masking transformation (hashing, redaction or tokenisation) to those fields before loading into Redshift. Glue Studio also provides a Detect PII transform that identifies and masks sensitive columns inside the job itself, which is worth knowing when detection needs to run inline rather than as a separate Macie job. Option B is wrong because CloudWatch Logs and Lambda provide monitoring and compute, not PII detection. Option D is wrong because IAM Access Analyzer analyzes resource policies for external access.

Option C is wrong because S3 Object Lambda transforms data as it is retrieved through an Object Lambda access point; it is not a step in the Glue ETL path to Redshift.

311
Multi-Select · medium

A healthcare company stores sensitive patient data in an S3 bucket (bucket name: patient-data-prod). The security team requires that all data be encrypted in transit and at rest, and that access be logged for auditing. The company currently uses S3 default encryption with SSE-S3. An external auditor finds that some objects have been uploaded without encryption because the default encryption setting was not applied to objects uploaded before the setting was enabled. The company wants to prevent any future unencrypted uploads and ensure all existing objects are encrypted. Which combination of actions should the data engineer take? (Choose TWO.)

Select 2 answers
A.Use S3 Batch Operations to copy all existing objects in place with the 'aws:Replicate' operation to apply default encryption.
B.Enable S3 Object Ownership and set the bucket ACL to private.
C.Enable S3 default encryption on the bucket.
D.Create a bucket policy that denies s3:PutObject if the x-amz-server-side-encryption-aws-kms-key-id is not present.
E.Create a bucket policy that denies s3:PutObject if the x-amz-server-side-encryption header is not set to 'AES256'.
Answers: A, E

A Deny on unencrypted PutObject stops new plaintext uploads; Batch Operations re-copies existing objects so the default encryption is applied to them.

Why this answer

Options A and E are correct. Option E blocks future uploads that do not carry x-amz-server-side-encryption: AES256, the SSE-S3 header matching the bucket's chosen default. Option A deals with the objects that already exist: default encryption never touches existing objects, so an S3 Batch Operations job that copies every object onto itself (the Copy operation; the 'aws:Replicate' name in the option text does not match the console's operation name, but the intent is an in-place copy) rewrites them with the bucket's default encryption. Option C is wrong because default encryption is already enabled and only applies to newly written objects. Option D is wrong because it demands a KMS key ID header, which SSE-S3 uploads do not send. Option B is wrong because Object Ownership and ACLs govern who owns and can access objects, not encryption.

Two practical notes: a Deny keyed on the header also rejects uploads from clients that omit the header and rely on default encryption, so test clients before applying it; and since January 2023 S3 applies SSE-S3 to every new object automatically, so the unencrypted-upload scenario only arises for objects written before that change.

312
MCQ · medium

A gaming company uses Amazon Redshift for analytics. The Redshift cluster stores user data that must be encrypted at rest using a customer-managed KMS key. The company has enabled audit logging using AWS CloudTrail. The security team wants to ensure that any attempt to disable or delete the KMS key is immediately detected and triggers an automated response. They have set up a CloudWatch Events rule that triggers an SNS notification when the KMS key is scheduled for deletion. However, they also want to prevent the key from being deleted accidentally. What should they do?

A.Enable automatic key rotation for the KMS key to ensure that even if the key is deleted, the data remains encrypted.
B.Add a statement to the KMS key policy that denies 'kms:ScheduleKeyDeletion' for all principals except the root user.
C.Attach an IAM policy to the Redshift cluster role that denies 'kms:ScheduleKeyDeletion'.
D.Set up a CloudTrail trail to monitor for 'ScheduleKeyDeletion' events and send an alert to the security team.
Answer: B

A Deny in the key policy stops every IAM user or role other than the account root from scheduling deletion.

Why this answer

Option B is correct because the KMS key policy is the authoritative access control for the key: an explicit Deny on kms:ScheduleKeyDeletion, with a condition on aws:PrincipalArn so that only the account root is exempt, blocks deletion from every other principal regardless of what their IAM policies allow. Pair it with the longest pending-deletion window (up to 30 days) and the existing alert on the pending state, so that a legitimate request can still be cancelled. Option A is wrong because key rotation adds new key material; it does not prevent deletion, and once the key is deleted the Redshift data encrypted under it is unrecoverable. Option C is wrong because an IAM policy attached to the Redshift cluster role only affects that role; any other administrator could still schedule deletion.

Option D is wrong because CloudTrail (and the EventBridge rule already in place) detects a deletion request but does not prevent it.

313
Multi-Select · easy

A company is using AWS Glue to catalog data in S3. The security team wants to ensure that only authorized users can access the Glue Data Catalog and that data lineage is tracked. Which AWS services can be used together to meet these requirements? (Choose TWO.)

Select 2 answers
A.AWS CloudTrail
B.AWS Glue DataBrew
C.Amazon Athena
D.AWS Lake Formation
E.Amazon Kinesis
Answers: B, D

Lake Formation controls who may use the Data Catalog; DataBrew records the lineage of the transformations it runs.

Why this answer

Options B and D are correct. AWS Lake Formation provides fine-grained access control (database, table and column level) for the Glue Data Catalog. AWS Glue DataBrew shows data lineage for the datasets, recipes and jobs it manages.

Option A is wrong because CloudTrail records API calls for auditing but does not manage permissions or lineage. Option C is wrong because Athena is a query service, not an access control or lineage tool. Option E is wrong because Kinesis is a streaming service.

314
Multi-Select · hard

A company is using AWS Lake Formation to manage a data lake. The data engineer needs to set up fine-grained access control so that users can only see specific columns in a table based on their IAM role. Which THREE steps should the data engineer take?

Select 3 answers
A.Ensure that the users query the table through a service integrated with Lake Formation, such as Athena.
B.Grant the IAM role SELECT permission on the table with column-level restrictions.
C.Create a view in the Data Catalog that exposes only the required columns.
D.Define a Lake Formation data permissions policy that includes column-level filtering.
E.Attach an S3 bucket policy to restrict access to the underlying data.
Answers: A, B, D

Lake Formation enforces column permissions only for queries that run through an integrated service.

Why this answer

Options A, B, and D are correct. Column-level access in Lake Formation is set up by defining the column filter on the table (include or exclude columns, or a data filter), granting SELECT with that column restriction to the IAM role, and making sure users query through a Lake Formation-integrated engine such as Athena, Redshift Spectrum or EMR, which obtain credentials from Lake Formation and honour the filter. Option C is wrong because a catalog view that projects fewer columns does not stop a user who can still SELECT the base table; the control has to be the Lake Formation grant itself.

Option E is wrong because S3 bucket policies are not column-aware; the table's S3 location must be registered with Lake Formation so that data access goes through the Lake Formation service role instead of the user's own S3 permissions.

315
MCQ · hard

A data engineer is designing a solution to securely store and rotate database credentials used by an application. The credentials should be automatically rotated every 90 days. Which AWS service should be used?

A.AWS Secrets Manager
B.AWS Systems Manager Parameter Store
C.AWS Key Management Service (KMS)
D.AWS Identity and Access Management (IAM)
Answer: A

Secrets Manager provides automatic rotation of secrets.

Why this answer

Option A is correct because AWS Secrets Manager rotates secrets on a schedule (for example every 90 days) using a rotation Lambda function, with managed rotation available for RDS, Redshift and DocumentDB credentials. Option B is wrong because Parameter Store can hold SecureString values but has no built-in rotation. Option C is wrong because KMS manages encryption keys, not application secrets.

Option D is wrong because IAM manages identities and their access keys, not database credential rotation.

316
Multi-Select · hard

A company needs to implement a data encryption strategy for data in transit between an Amazon EC2 instance and an Amazon RDS for MySQL database. Which THREE actions should be taken?

Select 3 answers
A.Configure the RDS instance to require SSL connections
B.Set up VPC peering between the EC2 and RDS subnets
C.Enable encryption at rest using KMS on the RDS instance
D.Use a JDBC driver with the useSSL property set to true
E.Enable the rds.force_ssl parameter in the RDS parameter group
Answers: A, D, E

Require TLS on the server side and use it on the client side.

Why this answer

Options A, D, and E are correct. Encryption in transit needs the database to require TLS (A and E describe the same server-side control: a parameter group setting that rejects non-TLS connections) and the client to use it (D: the JDBC driver configured for SSL, ideally verifying the server against the RDS CA bundle). Note the parameter name: for RDS for MySQL and MariaDB the setting is require_secure_transport; rds.force_ssl is the equivalent for RDS for PostgreSQL and SQL Server. Option C is wrong because encryption at rest protects stored data and is independent of the connection.

Option B is wrong because VPC peering routes traffic between VPCs but does not encrypt it.

317
MCQ · hard

Refer to the exhibit. A data engineer configured CloudTrail to log data events for an S3 bucket. However, the engineer notices that no data events are being logged for objects in the 'logs/' prefix. What is the most likely reason?

A.The S3 bucket policy does not allow CloudTrail to write logs
B.The data resource should specify the bucket ARN without a prefix
C.The prefix 'logs/' must not include a trailing slash
D.Data events are not supported for S3
Answer: A

CloudTrail cannot deliver log files unless the destination bucket policy grants cloudtrail.amazonaws.com s3:PutObject (and s3:GetBucketAcl).

Why this answer

The exhibit is not reproduced on this page; the original explanation refers to a data event selector whose resource value is 'arn:aws:s3:::my-bucket/logs/'. That is the correct form for a prefix-scoped selector (bucket ARN, then the prefix, ending in a slash), so the selector itself is not the problem. When a trail is configured correctly but no events appear, the usual cause is delivery: the trail's destination bucket must carry a bucket policy that allows the CloudTrail service principal to write under the trail's prefix; without it, events are collected but the log files are never delivered. Check the trail's status for delivery errors and the destination bucket policy first, which is why Option A is the answer.

Option B is wrong because a selector may name either a whole bucket or a bucket plus prefix. Option C is wrong because a prefix selector should end with a slash. Option D is wrong because CloudTrail data events do support S3 object-level operations.

318
MCQ · medium

The IAM policy shown is attached to an IAM role. When a user assumes this role and tries to read an object in example-bucket that has no tags, what will happen?

A.The request will be denied because the object does not have the 'public' tag
B.The request will be allowed because the Allow statement grants access to all objects
C.The request will be allowed because there is no explicit Deny
D.The request will be denied because the Deny statement applies when the tag is missing
Answer: D

The Deny statement fires when the tag is absent (a Null condition evaluating to true).

Why this answer

Option D is correct. The Deny statement denies s3:GetObject when the object carries no 'classification' tag, expressed as a Null condition on s3:ExistingObjectTag/classification set to true; an untagged object satisfies it, so the Deny applies.

The Allow statement is conditioned on the tag equalling 'public', which an untagged object cannot satisfy either, so there is nothing to allow, and even if there were, the explicit Deny would override it. Option A names the wrong mechanism: the Allow simply fails to match, and the denial comes from the Deny statement.

319
MCQ · hard

A company is designing a data pipeline using Amazon Kinesis Data Streams. The data includes personally identifiable information (PII). The security team requires that data be encrypted at rest using a customer-managed KMS key. How should the data engineer configure the Kinesis stream?

A.Configure the Kinesis stream to use AWS CloudHSM for encryption.
B.Enable server-side encryption on the Kinesis stream and specify the customer-managed KMS key.
C.Store the encrypted data in S3 and use Kinesis to stream the S3 object keys.
D.Use client-side encryption in the producer application to encrypt data before sending to Kinesis.
Answer: B

Kinesis Data Streams supports server-side encryption with a KMS key.

Why this answer

Option B is correct because Kinesis Data Streams can be configured with server-side encryption using either the AWS-managed key for Kinesis or a customer-managed KMS key, so records are encrypted before they are written to storage and decrypted on retrieval; producers need kms:GenerateDataKey and consumers need kms:Decrypt on that key. Option A is wrong because CloudHSM is not an encryption option for a Kinesis stream (at most it can back a KMS custom key store). Option C is wrong because Kinesis does not store its records in S3.

Option D is wrong because client-side encryption is something the producer would have to implement and manage itself; it does not satisfy a requirement framed as stream encryption at rest with a KMS key.

320
MCQ · medium

A company is using AWS Lake Formation to manage access to a data lake in S3. They want to grant a data analyst access to specific columns in a table, but not to the entire table. Which Lake Formation feature should be used?

A.Row-level security (cell-level filtering)
B.IAM policies on the S3 bucket
C.Column-level filtering
D.Tag-based access control (TBAC)
Answer: C

Column-level filtering restricts access to specific columns.

Why this answer

Option C is correct because a Lake Formation grant of SELECT on a table can include or exclude specific columns, so the analyst sees only those columns. Option A is wrong because row-level security and cell-level filtering restrict which rows (or cells within rows) are returned, not which columns the user can see. Option D is wrong because tag-based access control assigns permissions by LF-Tag rather than by column name; tags can be attached to columns, but the feature that restricts columns directly is column-level filtering.

Option B is wrong because IAM policies on the S3 bucket are not column-specific.

321
MCQ · medium

A data engineer is designing a data pipeline that ingests customer data from an on-premises database into Amazon S3. The data contains personally identifiable information (PII). The company policy requires that all PII be masked before it is stored in S3. The pipeline uses AWS DMS for migration and AWS Glue for transformation. The engineer needs to ensure that the masking is applied consistently and that no unmasked data is written to S3. The engineer has set up DMS to replicate data to an S3 bucket, and then a Glue job reads from S3, applies masking, and writes to another S3 bucket. However, there is a risk that unmasked data in the first S3 bucket could be accessed before the Glue job runs. What should the engineer do to mitigate this risk?

A.Configure DMS to apply masking transformations before writing to S3 using DMS's built-in transformation rules.
B.Block all access to the first S3 bucket except for the Glue job's IAM role.
C.Use Amazon Kinesis Data Firehose to stream data directly to Glue for real-time masking.
D.Set an S3 Lifecycle policy on the first bucket to delete objects after 1 hour.
Answer: D

Expiring the staging objects limits the time unmasked data is available.

Why this answer

Option D is correct because an S3 Lifecycle expiration rule on the staging bucket removes unmasked objects automatically, shrinking the exposure window. Two caveats a practitioner should know: Lifecycle expiration is specified in whole days and applied asynchronously, so it cannot promise a one-hour window (have the Glue job delete the staging objects itself once the masked output is written if that matters); and a retention limit is no substitute for least privilege, so a bucket policy that allows only the DMS role to write and the Glue job role to read (the idea behind Option B) belongs in the design as well. Option A is wrong because DMS transformation rules are meant to reshape schema objects, not to act as a governed PII masking step. Option B is wrong as stated because restricting the bucket to the Glue role alone would also lock out the DMS replication that writes into it.

Option C is wrong because Kinesis Data Firehose is not part of this pipeline and does not stream into a Glue job.

322
MCQ · hard

A data engineer needs to grant a data scientist access to query a Glue Data Catalog database but must prevent the data scientist from seeing the underlying S3 data locations. Which approach should be used?

A.Use a Glue resource policy to restrict access to the database
B.Grant the data scientist IAM permissions to access the Glue Data Catalog and the underlying S3 data
C.Create a VPC endpoint for Glue and S3 to restrict network access
D.Use AWS Lake Formation to grant SELECT permission on the database and tables without granting S3 access
Answer: D

Lake Formation grants access to catalog tables and, through its own service role, to the data, without giving the principal direct S3 permissions.

Why this answer

Option D is correct. When the S3 location is registered with Lake Formation and the data scientist is granted SELECT on the database and tables, integrated engines such as Athena obtain temporary credentials from Lake Formation to read the underlying objects; the data scientist needs no S3 permissions of their own, cannot list or read the bucket directly, and can be limited further with column-level and row-level filters. Note that Lake Formation does not redact the Location field from table metadata; what it prevents is using that path without going through Lake Formation.

Option A is wrong because a Glue resource policy can restrict catalog access but still relies on the user's direct S3 permissions for the data. Option B is wrong because granting S3 access exposes the data locations and everything stored in them. Option C is wrong because a VPC endpoint controls the network path, not what a principal may see.

323
Multi-Select · easy

A data engineer is setting up a data pipeline using AWS DMS to migrate data from an on-premises database to Amazon RDS for MySQL. The data must be encrypted in transit. Which TWO options can the engineer use? (Choose TWO.)

Select 2 answers
A.Use VPC peering between on-premises and AWS
B.Enable SSL encryption on the DMS endpoint
C.Set up a VPN connection between on-premises and AWS
D.Use KMS to encrypt the DMS connection
E.Use a VPC endpoint for DMS
Answers: B, C

SSL encrypts the database connection; a VPN encrypts the network path.

Why this answer

Options B and C are correct. A DMS endpoint can be configured with an SSL mode (require, verify-ca or verify-full) so that DMS encrypts its connection to the source or target database, and a Site-to-Site VPN between the on-premises network and the VPC encrypts everything that crosses the link. Option A is wrong because VPC peering connects VPCs, not on-premises networks, and does not encrypt traffic.

Option D is wrong because KMS encrypts data at rest (for example the replication instance storage), not the connection. Option E is wrong because a VPC endpoint for DMS applies to DMS API calls and does not encrypt database traffic.

324
Multi-Select · medium

A data engineer needs to protect sensitive data in an S3 bucket. Which TWO AWS services can be used to detect and prevent accidental public access?

Select 2 answers
A.AWS Config
B.AWS Trusted Advisor
C.AWS CloudTrail
D.S3 Block Public Access
E.Amazon Macie
Answers: B, D

Trusted Advisor flags buckets with public read or write access; Block Public Access prevents it.

Why this answer

Options B and D are correct. The Trusted Advisor S3 bucket permissions check reports buckets that grant public read or write access, and S3 Block Public Access, enabled at the account or bucket level, rejects policies and ACLs that would make a bucket public. Option C is wrong because CloudTrail records API calls but does not prevent public access.

Option E is wrong because Macie's purpose is discovering sensitive data; its bucket inventory does flag publicly accessible buckets, but it is not a preventive control. Option A is wrong for this question because, although AWS Config can detect public buckets with rules such as s3-bucket-public-read-prohibited and remediate them, the answer key treats Trusted Advisor and Block Public Access as the direct detect-and-prevent pair.

325
Drag & Drop · medium

Arrange the steps to implement data encryption at rest for an Amazon Redshift cluster using AWS KMS.


Why this order

First, create the KMS key. Then launch a new encrypted cluster, specify the key, configure, and verify encryption.

326
MCQ · medium

A company uses Amazon Redshift for data warehousing. The security team requires that all data loading into Redshift be encrypted in transit. Which configuration ensures this requirement is met?

A.Use a VPC security group to restrict access
B.Configure the Redshift cluster to require SSL connections
C.Use client-side encryption before loading data
D.Enable server-side encryption on the Redshift cluster
Answer: B

SSL encrypts data in transit between clients and Redshift.

Why this answer

Encryption in transit for Redshift is achieved by using SSL connections. Client-side encryption before loading does not encrypt the transmission. Server-side encryption is for at-rest.

VPC security groups control network access, not encryption.

327
MCQ · hard

A data engineer is troubleshooting an issue where an Amazon Redshift query returns an error: 'ERROR: permission denied for relation table_name'. The user has been granted SELECT on the table. What is the most likely cause?

A.The user's session has timed out.
B.The user does not have CONNECT permission on the database.
C.The table is in a different schema than expected.
D.The user does not have USAGE permission on the schema.
Answer: D

Without USAGE on the schema, a user cannot reach the tables in it even with SELECT on the table.

Why this answer

Option D is correct. Redshift object access is two-level: the user needs USAGE on the schema (GRANT USAGE ON SCHEMA schema_name TO user_name) as well as SELECT on the table, and SELECT alone produces "permission denied for relation". Option A is wrong because a timed-out session would fail to run the query at all rather than return a permission error.

Option B is wrong because a missing CONNECT privilege on the database fails at connection time, not at query time. Option C is wrong because a table in a different schema would produce a "relation does not exist" error, not a permission error.

328
Multi-Select · hard

A company must encrypt all data at rest in their Amazon RDS for MySQL instance. Which THREE steps are required to achieve this? (Select THREE.)

Select 3 answers
A.Enable SSL/TLS for database connections
B.Use an AWS KMS key to encrypt the instance
C.Enable encryption at rest when creating the DB instance
D.Modify the DB parameter group to require encryption
E.Ensure that automated backups and snapshots are encrypted
Answers: B, C, E

Encryption at rest is chosen at creation time and uses a KMS key.

Why this answer

Options B, C, and E are correct. Option C: RDS encryption at rest can only be enabled when the DB instance is created; an existing unencrypted instance has to be snapshotted, the snapshot copied with encryption enabled, and a new instance restored from the encrypted copy. Option B: the encryption uses a KMS key, either the AWS-managed aws/rds key or a customer-managed key.

Option E: automated backups, read replicas and snapshots of an encrypted instance are encrypted with the same key, so confirm that snapshot copies and cross-region copies keep encryption enabled. Option A is wrong because SSL/TLS is encryption in transit, not at rest. Option D is wrong because no parameter group setting enables storage encryption.

329
Multi-Select · medium

A company needs to enforce encryption at rest for all data stored in Amazon S3. Which of the following are valid methods to achieve this? (Choose TWO.)

Select 2 answers
A.Use Amazon S3 Transfer Acceleration.
B.Enable default bucket encryption using SSE-S3.
C.Enable S3 Versioning.
D.Use client-side encryption before uploading objects.
E.Use SSL/TLS for all S3 API calls.
Answers: B, D

Default bucket encryption ensures every newly written object is encrypted at rest with SSE-S3; client-side encryption encrypts objects before they leave the client.

Why this answer

Options B and D are correct: server-side encryption with S3-managed keys (SSE-S3) and client-side encryption are both ways to keep stored objects encrypted. Option A is wrong because Transfer Acceleration speeds up uploads and does not encrypt anything. Option C is wrong because versioning preserves object versions and has nothing to do with encryption.

Option E is wrong because SSL/TLS protects data in transit, not at rest.

330
MCQ · medium

Refer to the exhibit. A data engineer applies the following S3 bucket policy to an S3 bucket. What does this policy enforce?

A.Denies all uploads unless SSE-S3 is used
B.Allows only SSE-S3 encrypted uploads
C.Allows any type of server-side encryption
D.Requires that all objects uploaded to the bucket be encrypted with SSE-KMS
Answer: D

Denies PutObject when the server-side-encryption header is not aws:kms.

Why this answer

Option D is correct. The policy is a Deny on s3:PutObject conditioned on the x-amz-server-side-encryption header not equalling aws:kms; because a negated string condition also matches when the header is absent, it rejects unencrypted uploads and SSE-S3 uploads alike, and only SSE-KMS uploads get through. Option A is wrong because the required header value is aws:kms, not AES256. Option B is wrong because it does not require SSE-S3.

Option C is wrong because it does not allow any type of encryption; only SSE-KMS is accepted.

331
MCQ · easy

A data engineer needs to store encryption keys used for protecting data in Amazon S3 and automatically rotate them every year. Which service should be used?

A.AWS KMS
B.AWS CloudHSM
C.AWS Certificate Manager
D.AWS Secrets Manager
Answer: A

KMS provides automatic key rotation.

Why this answer

Option A is correct. AWS KMS supports automatic rotation for customer managed keys (yearly by default, with a configurable rotation period), and S3 SSE-KMS uses those keys to protect object data keys. Option B is wrong because CloudHSM leaves key lifecycle management, including rotation, to the application.

Option C is wrong because ACM manages TLS certificates. Option D is wrong because Secrets Manager rotates secrets such as credentials, not the KMS keys that protect S3 data.

332
MCQ · easy

A company wants to enforce that all data in Amazon S3 is encrypted at rest. They want to automatically reject any PUT request that does not include encryption headers. What S3 feature should they use?

A.Bucket policy with a condition for encryption headers
B.Default encryption
C.MFA Delete
D.S3 Block Public Access
Answer: A

A bucket policy can deny requests that lack the required encryption header, enforcing encryption at upload time.

Why this answer

Option A is correct. An S3 bucket policy can deny s3:PutObject when the x-amz-server-side-encryption header is missing (a Null condition) or carries the wrong value (StringNotEquals), so the request is rejected rather than stored. Option B is wrong because default encryption silently encrypts objects uploaded without encryption headers; it does not reject the request.

Option C is wrong because MFA Delete protects against deletion, not unencrypted uploads. Option D is wrong because S3 Block Public Access is about public access, not encryption.

333
MCQ · easy

A data engineer needs to share a dataset from an S3 bucket in Account A with users in Account B. The dataset must remain encrypted at rest with an S3-managed key. What is the MOST secure way to grant cross-account access?

A.Make the bucket public and use bucket policies to allow only Account B users.
B.Create a bucket policy that grants cross-account access to an IAM role in Account B.
C.Use S3 object ACLs to grant access to Account B's root user.
D.Use an S3 VPC endpoint to allow Account B users through private IPs.
Answer: B

A bucket policy that names an IAM role in Account B is the standard, least-privilege way to share data across accounts.

Why this answer

Option B is correct because a bucket policy granting only the required S3 actions to a specific role ARN in Account B, paired with an identity policy on that role, scopes access to one principal and keeps the bucket private. With SSE-S3 no additional key permissions are needed; with SSE-KMS the key policy would also have to grant Account B's role. Option A is insecure because it makes the bucket public. Option C is incorrect because ACLs are the legacy mechanism, grant access to a whole account rather than a role, and are disabled by default on new buckets.

Option D is incorrect because a VPC endpoint controls the network path; it does not authorize another account's principals.
