Data Security and Governance practice questions

Practise AWS Certified Data Engineer Associate DEA-C01 Data Security and Governance practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Data Security and Governance

What the exam tests

What to know about Data Security and Governance

Data Security and Governance questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Data Security and Governance exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Data Security and Governance questions

20 questions · select your answer, then reveal the explanation

A data engineer needs to ensure that an Amazon S3 bucket used for sensitive data is encrypted at rest using a customer-managed AWS KMS key. The bucket policy must enforce encryption for all PUT requests. Which policy statement should be added to the bucket policy?

A company uses AWS Glue to process sensitive data stored in Amazon S3. The security team requires that all data in transit between AWS Glue and S3 be encrypted. Which configuration should be used to meet this requirement?

A data engineer is troubleshooting an AWS Lake Formation permissions issue. A user is able to query an Amazon Athena table but cannot see the underlying S3 data in the AWS Glue Data Catalog. The user has been granted SELECT permission on the table in Lake Formation. What is the most likely cause?

Question 4 · medium · multi select

A company uses Amazon Redshift to store customer data. The security team requires that all queries are logged for auditing purposes. Which combination of steps should be taken to meet this requirement? (Select TWO.)

A company is designing a data lake on Amazon S3. The security policy requires that all data be encrypted at rest using AWS KMS with automatic key rotation. Which encryption option meets these requirements? (Select THREE.)

Refer to the exhibit. A data engineer is running an AWS Glue job that reads from an S3 bucket encrypted with a customer-managed KMS key. The job fails with the error shown. What is the most likely cause?

Exhibit

Error from AWS Glue job:
```
ERROR: An error occurred while calling o75.pyWriteDynamicFrame.
Access Denied. User: arn:aws:sts::123456789012:assumed-role/GlueServiceRole/i-abc123 is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:us-east-1:123456789012:key/mrk-1234567890 because no identity-based policy allows the kms:Decrypt action
```

Refer to the exhibit. A security analyst is reviewing CloudTrail logs and notices a PutObject event to the 'company-data-lake' bucket. The bucket policy requires all objects to be encrypted with SSE-KMS. What should the analyst conclude?

Exhibit

AWS CloudTrail log entry:
```
{
  "eventVersion": "1.08",
  "userIdentity": {
    "arn": "arn:aws:iam::123456789012:user/DataEngineer",
    "principalId": "AIDACKCEVSQ6C2EXAMPLE"
  },
  "eventTime": "2023-09-15T14:30:00Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "PutObject",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.5",
  "userAgent": "[S3Console]",
  "requestParameters": {
    "bucketName": "company-data-lake",
    "key": "sensitive/customer-data.csv",
    "x-amz-server-side-encryption": "AES256"
  },
  "responseElements": null,
  "additionalEventData": {
    "AuthenticationMethod": "AuthHeader"
  }
}
```

A company is using Amazon Redshift Spectrum to query data in Amazon S3. The S3 bucket uses SSE-KMS encryption. The Redshift cluster has an IAM role that allows access to S3 and KMS. However, queries fail with an 'Access Denied' error. What is the most likely cause?

A company is using Amazon EMR to process data stored in Amazon S3. The S3 bucket is configured with a bucket policy that denies access unless the request includes a specific tag. The EMR cluster's IAM role has s3:GetObject permission. However, the EMR job fails to read data from S3. What is the most likely cause?

Question 10 · medium · multiple choice

A company uses AWS Lake Formation to manage data lake permissions. The data lake contains sensitive customer data in the 'customer' database. The security team wants to ensure that only users with a specific tag 'access_level=analyst' can query the 'customer' table. Which combination of steps should the data engineer take to enforce this?

A financial services company uses AWS KMS to encrypt data in Amazon S3. The compliance team requires that all encryption keys be rotated automatically every 365 days. The data engineer needs to implement this requirement without manual intervention. Which solution meets the requirement with the LEAST operational overhead?

A data engineer is configuring AWS Glue jobs to access data stored in Amazon S3. The data is encrypted using server-side encryption with AWS KMS (SSE-KMS). The Glue job needs to read and write data to the S3 bucket. Which IAM policy statement should be added to the Glue job's IAM role to allow it to use the KMS key?

Refer to the exhibit. A data engineer is troubleshooting a permissions issue. The IAM role 'DataEngineerRole' is used by an AWS Glue job that needs to read data from an S3 bucket encrypted with a customer-managed KMS key. The key policy shown in the exhibit is attached to the KMS key. The Glue job fails with an AccessDenied error when trying to read the data. What is the MOST likely cause?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/DataEngineerRole"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "kms:*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

A company is building a data pipeline that ingests sensitive customer data from an on-premises database into Amazon S3 using AWS DMS. The data must be encrypted at rest in S3 and in transit. The security team requires that the encryption keys be managed by the company (not AWS). Which TWO actions should the data engineer take to meet these requirements? (Choose TWO.)

A data engineer is designing a data lake on Amazon S3 with AWS Lake Formation. The data lake contains personally identifiable information (PII). The company has a policy that only users who have completed data privacy training can access the PII data. The training status is stored in an external identity provider (IdP) as an attribute. The data engineer needs to enforce this policy using Lake Formation. Which THREE steps should the data engineer take? (Choose THREE.)

Question 16 · medium · multiple choice

A healthcare company uses AWS Glue to process patient data stored in Amazon S3. The data is encrypted at rest using SSE-KMS with a customer-managed key. The Glue ETL job runs on a schedule and reads from an S3 bucket, transforms the data, and writes to another S3 bucket also encrypted with the same KMS key. Recently, the security team rotated the KMS key. After the rotation, the Glue job started failing with 'AccessDenied' errors when trying to read from the source bucket. The Glue job's IAM role has permissions to use the KMS key (kms:Decrypt, kms:GenerateDataKey). The S3 bucket policies allow the role to read and write. What is the MOST likely cause of the failure?

Question 17 · medium · multi select

A data engineer is configuring a data lake on Amazon S3 that contains sensitive customer information. The company requires that all access to this data be logged and monitored, and that any data shared with external partners must be anonymized before leaving the S3 bucket. Which combination of AWS services should the engineer use to meet these requirements? (Choose THREE.)

Refer to the exhibit. A data engineer applies this bucket policy to an S3 bucket named my-data-bucket. The bucket contains sensitive data. The company's security team reports that data was accessed from an IP address outside the allowed range. What is the MOST likely reason that the policy failed to block the unauthorized access?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-data-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-data-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
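To make the evaluation logic behind this exhibit concrete, here is an added example (not from this page or from Courseiva) that models the small subset of IAM evaluation the policy relies on: an explicit Deny wins, otherwise any matching Allow grants access, otherwise the request is implicitly denied. It runs a condensed copy of the exhibit's policy, then a hardened version that adds an explicit Deny with NotIpAddress, against constructed requests; the function names, request fields and sample addresses are this example's own assumptions.

```python
import ipaddress

# Toy model of the IAM evaluation subset this exhibit depends on: explicit Deny
# wins, otherwise any matching Allow (bucket policy or the caller's own identity
# policy) grants, otherwise implicit deny. Principal/Resource (all my-data-bucket/*
# here) are left out of the condensed policies; only aws:SourceIp and
# aws:SecureTransport are modelled. Names below are this example's assumptions.

def _ip_in(value, ip):
    nets = [value] if isinstance(value, str) else value
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def statement_matches(stmt, req):
    """True if the statement's Action and Condition block apply to `req`."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(a in ("s3:*", req["action"]) for a in actions):
        return False
    for op, keys in stmt.get("Condition", {}).items():
        for key, value in keys.items():
            if key == "aws:SourceIp" and op in ("IpAddress", "NotIpAddress"):
                if _ip_in(value, req["source_ip"]) != (op == "IpAddress"):
                    return False
            elif key == "aws:SecureTransport" and op == "Bool":
                if str(req["https"]).lower() != value:
                    return False
    return True

def evaluate(policy, identity_allows, req):
    """Return 'allow' or 'deny' for one same-account request."""
    matched = [s for s in policy["Statement"] if statement_matches(s, req)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "deny"                                   # explicit deny wins
    if identity_allows or any(s["Effect"] == "Allow" for s in matched):
        return "allow"
    return "deny"                                       # implicit deny

# The exhibit's policy, condensed: an Allow gated on source IP, a Deny for plain HTTP.
EXHIBIT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/24"}}},
    {"Effect": "Deny", "Action": "s3:*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

# Hardened form: an explicit Deny for any source outside the allowed range, so an
# Allow granted elsewhere (e.g. the caller's IAM role) can no longer bypass it.
HARDENED = {"Version": "2012-10-17", "Statement": EXHIBIT["Statement"] + [
    {"Effect": "Deny", "Action": "s3:*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/24"}}}]}

# Constructed requests from a same-account caller whose IAM role allows s3:GetObject.
OUTSIDE = {"action": "s3:GetObject", "source_ip": "198.51.100.7", "https": True}
INSIDE = {"action": "s3:GetObject", "source_ip": "10.0.0.17", "https": True}
```

With the exhibit's policy, `evaluate(EXHIBIT, True, OUTSIDE)` returns "allow" because the IP-gated Allow simply fails to match and the caller's identity policy still grants; only the hardened policy's explicit Deny turns that into "deny".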

A financial services company uses AWS Glue ETL jobs to process credit card transaction data stored in Amazon S3. The data includes PII such as names and credit card numbers. The security team requires that all PII be masked before the data is written to the curated zone of the data lake. The data engineer has implemented a Glue job that reads from the raw zone, applies a custom transform to mask credit card numbers using a regular expression, and writes to the curated zone. However, during a recent audit, the security team discovered that some masked data still contained partial credit card numbers (e.g., showing the last four digits) when viewed by analysts who should only see masked data. The company's policy is that credit card numbers must be completely masked, showing only asterisks or a fixed string like "XXXX-XXXX-XXXX-XXXX". The Glue job uses a DynamicFrame and applies a Map transform with a Python function that replaces digits with 'X'. The data is stored in Parquet format. What should the data engineer do to ensure complete masking of credit card numbers?

Order the steps to migrate an on-premises database to Amazon RDS using AWS DMS.


Frequently asked questions

What does the DEA-C01 exam test about Data Security and Governance?
Data Security and Governance questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Data Security and Governance questions in a focused session?
Yes — the session launcher on this page draws every question from the Data Security and Governance domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other DEA-C01 topics?
Use the topic links above to move to related areas, or go back to the DEA-C01 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the DEA-C01 exam covers. They are not copied from any real exam or dump site.