Scenario-based practice

Refer to the Exhibit Practice Questions

Practise AWS Certified Data Engineer Associate (DEA-C01) questions: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions
Exam code: DEA-C01
Vendor: Amazon Web Services

Scenario guide

How to approach "refer to the exhibit" practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.
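
One way to practise the first point is to reduce a policy exhibit to the few fields that decide the answer. The sketch below is illustrative only: `summarize_policy` is a hypothetical helper name, and the sample policy is modelled on the bucket-policy exhibits further down this page.

```python
import json

# Sample policy modelled on the bucket-policy exhibits on this page.
POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
"""

def summarize_policy(policy_text):
    """Return one (effect, actions, condition) tuple per statement."""
    summary = []
    for stmt in json.loads(policy_text)["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):  # a single action may be a bare string
            actions = [actions]
        summary.append((stmt["Effect"], actions, stmt.get("Condition")))
    return summary

for effect, actions, condition in summarize_policy(POLICY):
    print(effect, actions, condition)
```

Reading the exhibit this way makes it harder to skip a statement or overlook a condition before looking at the answer options.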

Practice set

Practice scenarios

Question 1 (hard, multiple choice)

A data engineer is setting up an Amazon Kinesis Data Analytics application to process streaming data from a Kinesis data stream named "input-stream". The application uses a reference data source from an S3 bucket. The engineer has attached the IAM policy shown in the exhibit to the application's IAM role. When starting the application, the engineer receives an 'AccessDeniedException' error. Which additional permission is required?

Exhibit

Refer to the exhibit.

"Effect": "Allow",
"Action": [
  "kinesis:DescribeStream",
  "kinesis:GetShardIterator",
  "kinesis:GetRecords",
  "kinesis:ListShards"
],
"Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/input-stream"

Question 2 (medium, multiple choice)

Refer to the exhibit. A data engineer runs the above AWS CLI command to view the table metadata in the AWS Glue Data Catalog. The data is stored as CSV in S3 with partitions by year and month. When querying the table using Amazon Athena, no data is returned. What is the most likely cause?

Exhibit

Refer to the exhibit.

aws glue get-table --database-name sales_db --name transactions

"Table": {
  "Name": "transactions",
  "StorageDescriptor": {
    "Columns": [
      {"Name": "id", "Type": "int"},
      {"Name": "amount", "Type": "double"},
      {"Name": "tx_date", "Type": "string"}
    ],
    "Location": "s3://data-lake/transactions/",
    "InputFormat": "org.apache.hadoop.mapred.TextInputFormat",
    "OutputFormat": "org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat",
    "SerdeInfo": {
      "SerializationLibrary": "org.apache.hadoop.hive.serde2.OpenCSVSerde"
    },
    "PartitionKeys": [
      {"Name": "year", "Type": "string"},
      {"Name": "month", "Type": "string"}

Question 3 (hard, multiple choice)

Refer to the exhibit. A data engineer has attached this bucket policy to an S3 bucket. What is the effect of this policy?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/DataLakeRole"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Question 4 (hard, multiple choice)

Refer to the exhibit. A data engineer applies this bucket policy to an S3 bucket named my-data-bucket. The bucket contains sensitive data. The company's security team reports that data was accessed from an IP address outside the allowed range. What is the MOST likely reason that the policy failed to block the unauthorized access?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-data-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-data-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Question 5 (medium, multiple choice)

Refer to the exhibit. A data engineer configured the lifecycle policy shown. The 'logs/' prefix contains important audit logs. After 365 days, what happens to the objects?

Exhibit

Refer to the exhibit.

aws s3api get-bucket-lifecycle-configuration --bucket my-bucket

"Rules": [
  {
    "ID": "ArchiveAndDelete",
    "Status": "Enabled",
    "Filter": {"Prefix": "logs/"},
    "Transitions": [
      {"Days": 30, "StorageClass": "STANDARD_IA"},
      {"Days": 90, "StorageClass": "GLACIER"}
    ],
    "Expiration": {"Days": 365
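
To reason about a lifecycle rule like this one, it can help to trace an object's age against each threshold. The following is a simplified sketch, not how S3 implements lifecycle processing: `state_at` is a hypothetical helper, the thresholds are copied from the exhibit, the initial storage class is an assumption, and versioning and the exact timing of lifecycle runs are ignored.

```python
# Thresholds copied from the exhibit's "ArchiveAndDelete" rule.
TRANSITIONS = [(30, "STANDARD_IA"), (90, "GLACIER")]
EXPIRATION_DAYS = 365

def state_at(age_days, initial_class="STANDARD"):
    """Return the storage class at a given age, or "EXPIRED" once expiration applies.

    initial_class is an assumption; the exhibit does not say how objects are uploaded.
    """
    if age_days >= EXPIRATION_DAYS:
        return "EXPIRED"
    current = initial_class
    for days, storage_class in TRANSITIONS:
        if age_days >= days:
            current = storage_class
    return current

for age in (10, 30, 90, 364, 365):
    print(age, state_at(age))
```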

Question 6 (easy, multiple choice)

The exhibit shows a build log from AWS CodeBuild. The build fails with a permission error when trying to open the downloaded file. What is the most likely cause?

Exhibit

Refer to the exhibit.

[Container] 2024/01/15 10:00:00 Running command aws s3 cp s3://my-bucket/report.csv .
[Container] 2024/01/15 10:00:02 download: s3://my-bucket/report.csv to ./report.csv
[Container] 2024/01/15 10:00:02 Running command python3 process.py
[Container] 2024/01/15 10:00:05 Error: Unable to open file 'report.csv': Permission denied

Question 7 (medium, multiple choice)

The exhibit shows an S3 bucket policy. What is the effect of this policy?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Question 8 (hard, multiple choice)

The exhibit shows the output of describe-table for a DynamoDB table. The table is used for a reporting job that queries by 'pk' and filters on 'sk' using a range condition. The job is running slowly. What is the most likely cause?

Exhibit

Refer to the exhibit.

aws dynamodb describe-table --table-name my-table

"Table": {
  "TableArn": "arn:aws:dynamodb:us-east-1:123456789012:table/my-table",
  "AttributeDefinitions": [
    {"AttributeName": "pk", "AttributeType": "S"},
    "AttributeName": "sk",
  ],
  "KeySchema": [
    "KeyType": "HASH"
    "KeyType": "RANGE"
  "TableStatus": "ACTIVE",
  "ProvisionedThroughput": {
    "ReadCapacityUnits": 5,
    "WriteCapacityUnits": 5

Question 9 (hard, multiple choice)

An application uses the 'orders' DynamoDB table with the schema and provisioned throughput shown in the exhibit. The application frequently queries by customer_id (range key) without specifying the order_id (partition key). What is the most likely impact on performance?

Exhibit

Refer to the exhibit.

$ aws dynamodb describe-table --table-name orders

"Table": {
  "TableName": "orders",
  "KeySchema": [
    {"AttributeName": "order_id", "KeyType": "HASH"},
    {"AttributeName": "customer_id", "KeyType": "RANGE"}
  ],
  "ProvisionedThroughput": {
    "ReadCapacityUnits": 5000,
    "WriteCapacityUnits": 2000
  },
  "ItemCount": 10000000,
  "TableSizeBytes": 5000000000
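
A DynamoDB `Query` needs the partition key, so a lookup by sort key alone on the base table falls back to a `Scan` that reads every item. The arithmetic below is a rough sketch of what that could cost for the table in the exhibit, assuming 4 KB per strongly consistent read unit and half that cost for eventually consistent reads. `scan_cost` is a hypothetical helper, and real consumption depends on page sizes and per-request rounding.

```python
import math

TABLE_SIZE_BYTES = 5_000_000_000   # from the exhibit
PROVISIONED_RCU = 5000             # from the exhibit
BYTES_PER_RCU = 4 * 1024           # one strongly consistent read unit covers up to 4 KB

def scan_cost(table_bytes, rcu_per_second, strongly_consistent=True):
    """Estimate read units and minimum seconds for one full-table scan."""
    units = math.ceil(table_bytes / BYTES_PER_RCU)
    if not strongly_consistent:
        units = math.ceil(units / 2)  # eventually consistent reads cost half
    return units, units / rcu_per_second

units, seconds = scan_cost(TABLE_SIZE_BYTES, PROVISIONED_RCU)
print(units, round(seconds))
```

Under these assumptions a single strongly consistent scan takes roughly four minutes even if it consumes the table's entire provisioned read capacity.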

Question 10 (hard, multiple choice)

Refer to the exhibit. A data engineer applies this bucket policy to an S3 bucket. A user within the 10.0.0.0/24 IP range attempts to upload an object to the bucket using an HTTP (non-HTTPS) request. What is the outcome?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
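
The interaction between the two statements can be sketched with a toy evaluator. This is a deliberately simplified model of policy evaluation, not the AWS implementation: it ignores principals, resources and identity-based policies, supports only the two condition operators in the exhibit, and the `evaluate` helper and the request dictionary shape are hypothetical. It encodes one rule that does hold in AWS: an explicit Deny overrides any Allow.

```python
import ipaddress

# The two statements from the exhibit, reduced to the fields the model uses.
STATEMENTS = [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/24"}}},
    {"Effect": "Deny", "Action": ["s3:*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]

def action_matches(pattern, action):
    """Support exact matches and a trailing wildcard such as "s3:*"."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action

def condition_holds(condition, request):
    """Evaluate only the IpAddress and Bool operators used in the exhibit."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = request[key]
            if operator == "IpAddress":
                if ipaddress.ip_address(actual) not in ipaddress.ip_network(expected):
                    return False
            elif operator == "Bool":
                if actual != expected:
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True

def evaluate(statements, request):
    """Explicit Deny wins; otherwise a matching Allow; otherwise implicit deny."""
    matched = [
        s["Effect"] for s in statements
        if any(action_matches(p, request["Action"]) for p in s["Action"])
        and condition_holds(s.get("Condition", {}), request)
    ]
    if "Deny" in matched:
        return "Deny"
    return "Allow" if "Allow" in matched else "ImplicitDeny"

# Hypothetical requests: same in-range source IP, different transport.
http_put = {"Action": "s3:PutObject", "aws:SourceIp": "10.0.0.25",
            "aws:SecureTransport": "false"}
https_put = {**http_put, "aws:SecureTransport": "true"}
print(evaluate(STATEMENTS, http_put), evaluate(STATEMENTS, https_put))
```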

Question 11 (easy, multiple choice)

Refer to the exhibit. A data engineer creates an Amazon Redshift table with the above DDL. The engineer runs a query to find all orders for a specific customer within a date range. Which statement about query performance is correct?

Exhibit

Refer to the exhibit.

CREATE TABLE orders (
    order_id INT PRIMARY KEY,
    customer_id INT,
    order_date DATE,
    total_amount DECIMAL(10,2)
) DISTSTYLE KEY DISTKEY (customer_id) SORTKEY (order_date);

Question 12 (medium, multiple choice)

Refer to the exhibit. A data engineer runs the above CLI command and sees the output. The security team requires that the RDS instance not be accessible from the internet. Which change should the engineer make?

Exhibit

Refer to the exhibit.

$ aws rds describe-db-instances --db-instance-identifier mydb

"DBInstances": [
  {
    "DBInstanceIdentifier": "mydb",
    "DBInstanceClass": "db.r5.large",
    "Engine": "mysql",
    "DBInstanceStatus": "available",
    "MasterUsername": "admin",
    "Endpoint": {
      "Address": "mydb.123456789012.us-east-1.rds.amazonaws.com",
      "Port": 3306
    },
    "AllocatedStorage": 100,
    "StorageType": "gp2",
    "MultiAZ": false,
    "PubliclyAccessible": true,
    "VpcSecurityGroups": [
      {"VpcSecurityGroupId": "sg-12345678", "Status": "active"
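
A check like the one the security team asks for can be scripted against the command's JSON output. The sketch below works on a trimmed copy of the exhibit's fields held in a Python dictionary. `publicly_accessible_instances` is a hypothetical helper name, and in practice the dictionary would come from parsing the CLI output.

```python
# Trimmed copy of the fields shown in the exhibit.
RESPONSE = {
    "DBInstances": [
        {
            "DBInstanceIdentifier": "mydb",
            "Engine": "mysql",
            "MultiAZ": False,
            "PubliclyAccessible": True,
        }
    ]
}

def publicly_accessible_instances(response):
    """Return identifiers of instances whose PubliclyAccessible flag is true."""
    return [
        db["DBInstanceIdentifier"]
        for db in response["DBInstances"]
        if db.get("PubliclyAccessible")
    ]

print(publicly_accessible_instances(RESPONSE))
```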

Question 13 (hard, multiple choice)

Refer to the exhibit. A data engineer is troubleshooting an IAM policy attached to a user. The user reports that they cannot upload objects to the S3 bucket 'data-lake-bucket' unless they explicitly specify the 'x-amz-server-side-encryption' header with value 'AES256'. The engineer wants to modify the policy to allow uploads without requiring encryption headers, but still enforce encryption on the bucket itself. Which change should the engineer make?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::data-lake-bucket/*",
        "arn:aws:s3:::data-lake-bucket"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::data-lake-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
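
The behaviour the user reports follows from how the two string operators treat a missing condition key: when the header is absent from the request, `StringEquals` does not match, while the negated `StringNotEquals` does. The sketch below models only that rule. `string_equals`, `string_not_equals` and `put_object_result` are hypothetical helpers, not AWS APIs, and a missing header is represented as `None`.

```python
def string_equals(actual, expected):
    """StringEquals: false when the key is missing from the request."""
    return actual is not None and actual == expected

def string_not_equals(actual, expected):
    """StringNotEquals: true when the key is missing from the request."""
    return actual is None or actual != expected

def put_object_result(sse_header):
    """Apply the exhibit's two statements to a PutObject request."""
    allow = string_equals(sse_header, "AES256")
    deny = string_not_equals(sse_header, "AES256")
    if deny:  # an explicit Deny overrides any Allow
        return "Deny"
    return "Allow" if allow else "ImplicitDeny"

for header in ("AES256", "aws:kms", None):
    print(header, put_object_result(header))
```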

Question 14 (hard, multiple choice)

Refer to the exhibit. A data engineer is analyzing a query performance issue on an Amazon Redshift table. The table 'sales' has 100 million rows. The query is performing a full table scan. Which optimization should the engineer apply to improve query performance?

Exhibit

CREATE TABLE sales (
    id INT NOT NULL,
    product_id INT NOT NULL,
    sale_date DATE NOT NULL,
    amount DECIMAL(10,2),
    region VARCHAR(20)
) DISTKEY(product_id) SORTKEY(sale_date);

-- Query:
SELECT region, SUM(amount) 
FROM sales 
WHERE sale_date BETWEEN '2023-01-01' AND '2023-12-31' 
GROUP BY region;
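
Redshift keeps the minimum and maximum value of each column per storage block (zone maps), and a range filter can skip blocks whose range does not overlap the predicate. The toy model below illustrates why the physical sort order matters for that. The block size, the four-year date range and the helper names are all assumptions for illustration, and it makes no claim about what the exhibit's query actually does.

```python
from datetime import date, timedelta

def build_zone_map(values, block_size):
    """Split values into fixed-size blocks and record each block's (min, max)."""
    return [
        (min(values[i:i + block_size]), max(values[i:i + block_size]))
        for i in range(0, len(values), block_size)
    ]

def blocks_to_read(zone_map, low, high):
    """Count blocks whose [min, max] range overlaps the filter [low, high]."""
    return sum(1 for lo, hi in zone_map if lo <= high and hi >= low)

# One row per day for 2021-2024 (hypothetical data), 100 rows per block.
start = date(2021, 1, 1)
days = [start + timedelta(days=i) for i in range(1461)]
scattered = [days[(i * 7) % len(days)] for i in range(len(days))]  # same rows, unsorted

low, high = date(2023, 1, 1), date(2023, 12, 31)
sorted_blocks = blocks_to_read(build_zone_map(days, 100), low, high)
scattered_blocks = blocks_to_read(build_zone_map(scattered, 100), low, high)
print(sorted_blocks, scattered_blocks)
```

In this model the sorted layout touches only the blocks that hold 2023 dates, while the scattered layout touches more of them because most blocks span a wide date range.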

Question 15 (medium, multiple choice)

Refer to the exhibit. An AWS Glue ETL job is failing with an OutOfMemoryError. The job reads from Amazon S3 and performs a GROUP BY on a large dataset. Which change should the data engineer make to resolve this error?

Exhibit

Error Log:
[ERROR] org.apache.spark.SparkException: Job aborted due to stage failure: Task 0 in stage 1.0 failed 4 times, most recent failure: Lost task 0.3 in stage 1.0 (TID 6, ip-10-0-0-12.ec2.internal, executor 1): java.lang.OutOfMemoryError: Java heap space
	at org.apache.spark.sql.catalyst.expressions.UnsafeRow.<init>(UnsafeRow.java:42)

These DEA-C01 practice questions are part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style DEA-C01 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.