CCNA Data Security Governance Questions

75 of 333 questions · Page 2/5 · Data Security Governance topic

76
Multi-Select · medium

A data engineer is configuring a data lake on Amazon S3 that contains sensitive customer information. The company requires that all access to this data be logged and monitored, and that any data shared with external partners must be anonymized before leaving the S3 bucket. Which combination of AWS services should the engineer use to meet these requirements? (Choose THREE.)

Select 3 answers
A. AWS WAF
B. AWS Lake Formation
C. AWS CloudTrail
D. AWS Direct Connect
E. Amazon Macie
Answers: B, C, E

Lake Formation provides fine-grained access control and can be used to enforce anonymization policies.

Why this answer

AWS Lake Formation (B) is correct because it provides fine-grained access control and data anonymization capabilities for data lakes on Amazon S3. It allows you to define column-level and row-level security policies, and can automatically anonymize sensitive data (e.g., via masking or tokenization) before it is shared with external partners, ensuring compliance with data governance requirements. AWS CloudTrail (C) records the API calls made against the bucket, which covers the logging and monitoring requirement, and Amazon Macie (E) discovers and classifies the sensitive data stored in the bucket.

Exam trap

The trap here is that candidates often confuse AWS WAF (a web-layer security tool) with data-level security, or assume Direct Connect provides logging and monitoring, when in fact neither service addresses S3 data access logging or anonymization.

77
MCQ · hard

A data team uses AWS Glue ETL jobs to process data from an S3 bucket (s3://data-lake-raw) and write results to another S3 bucket (s3://data-lake-processed). Both buckets are encrypted with SSE-KMS using the same KMS key (alias 'data-key'). The Glue job runs in the same account. The team recently enabled S3 Server Access Logging for the raw bucket, sending logs to a separate logging account. After enabling logging, the Glue job starts failing with 'AccessDenied' when reading from the raw bucket. The Glue job's IAM role has s3:GetObject permission on the raw bucket. Which additional permission is most likely missing?

A. s3:GetBucketLocation on the raw bucket.
B. kms:Decrypt on the KMS key (alias 'data-key').
C. s3:PutObject on the processed bucket.
D. kms:GenerateDataKey on the KMS key.
Answer: B

The Glue job needs permission to decrypt the objects using the KMS key.

Why this answer

When S3 Server Access Logging is enabled on a bucket encrypted with SSE-KMS, the S3 service writes log objects to the target bucket, and if that target bucket is in a different account, the S3 service needs permission to use the KMS key. That affects log delivery, not the Glue job's reads of the raw bucket, so the logging change by itself does not explain the failure.

The more likely explanation is that the raw bucket policy or the KMS key policy for 'data-key' was modified when cross-account logging was set up (for example, by adding the S3 logging service principal to the key policy), and the change inadvertently left the Glue role unable to decrypt. Both buckets use the same key, so the same key policy governs reads from the raw bucket. Whatever was changed, the permission the role must hold to read SSE-KMS objects, and the only option that matches the failure, is kms:Decrypt on the KMS key.

Answer B: the Glue role is missing kms:Decrypt on the KMS key (alias 'data-key').

78
MCQ · hard

A data engineer runs the command shown in the exhibit to check the bucket policy. A user from another AWS account is trying to download an object using HTTP (not HTTPS). What will happen?

A. The download will succeed because the principal is not specified
B. The download will fail with an access denied error
C. The download will succeed if the object is encrypted at rest
D. The download will succeed because the policy only denies write operations
Answer: B

The policy denies access when using HTTP.

Why this answer

Option B is correct because the bucket policy denies all actions when aws:SecureTransport is false (i.e., HTTP). Therefore, HTTP requests are denied. Option A is wrong because the policy denies HTTP requests.

Option C is wrong because the policy does not require encryption at rest. Option D is wrong because the policy explicitly denies HTTP.

79
MCQ · medium

Refer to the exhibit. A data engineer applied this bucket policy to an S3 bucket. What is the effect of this policy?

A. Allows only HTTPS requests to get objects
B. Blocks HTTP requests to get objects
C. Allows only HTTP requests to get objects
D. Blocks all access to the bucket
Answer: B

The Deny effect with condition aws:SecureTransport false blocks HTTP requests.

Why this answer

The policy denies s3:GetObject when the request is made over HTTP (not HTTPS). This enforces HTTPS for object retrievals. Option A is wrong because the policy does not grant HTTPS access; it only denies HTTP.

Option C is wrong because the policy denies, rather than allows, HTTP requests. Option D is wrong because the policy does not block all access; it only blocks insecure transport.

80
MCQ · easy

A company wants to grant read-only access to an S3 bucket for a data analyst. The analyst should be able to list objects and read object content. Which IAM policy effect and action combination is correct?

A. Effect: Allow, Actions: s3:GetObject, s3:DeleteObject
B. Effect: Allow, Actions: s3:ListAllMyBuckets, s3:GetObject
C. Effect: Allow, Actions: s3:PutObject, s3:GetObject
D. Effect: Allow, Actions: s3:ListBucket, s3:GetObject
Answer: D

Provides read-only access to list and read objects.

Why this answer

Option D is correct because s3:ListBucket allows listing objects, and s3:GetObject allows reading objects. Option C is incorrect because s3:PutObject is write access. Option A is incorrect because s3:DeleteObject is not needed.

Option B is incorrect because s3:ListAllMyBuckets is for listing all buckets, not bucket contents.

81
MCQ · easy

A company is using AWS Lake Formation to manage permissions on a data lake. They want to grant a data scientist the ability to query tables in the 'analytics' database using Amazon Athena, but prevent them from accessing the underlying S3 data directly. What is the best way to achieve this?

A. Grant the data scientist an IAM policy with s3:GetObject on the S3 bucket.
B. Grant SELECT permission on the 'analytics' database tables in Lake Formation.
C. Create an IAM policy that allows Athena queries only.
D. Add the data scientist to a Lake Formation data lake location with read access.
Answer: B

Lake Formation fine-grained permissions allow querying via Athena without direct S3 access.

Why this answer

Option B is correct because Lake Formation can grant SELECT permission on tables, and with Lake Formation metadata filtering, the user can query via Athena without direct S3 access. Option A is incorrect because granting s3:GetObject on the entire bucket would allow direct access. Option D is incorrect because the data scientist needs permissions on the database tables themselves, not just on a data lake location.

Option C is incorrect because IAM policies for Athena do not restrict S3 access.

82
MCQ · easy

A company uses Amazon RDS for MySQL with encryption at rest enabled. The security team requires that all database audit logs be stored in Amazon S3 for at least 7 years. Which AWS service should the data engineer use to collect and store the logs?

A. Amazon S3 with S3 Object Lock enabled for write-once-read-many (WORM) protection.
B. Amazon Kinesis Data Firehose to stream logs directly to Amazon S3.
C. Amazon CloudWatch Logs with a subscription filter to Amazon S3.
D. AWS CloudTrail to capture database queries and store in S3.
Answer: C

RDS audit logs can be sent to CloudWatch Logs, and then exported to S3.

Why this answer

Option C is correct because RDS for MySQL can publish audit logs to CloudWatch Logs, and a subscription filter can forward them to S3 for long-term storage. Option B is wrong because Kinesis Data Firehose is not directly integrated with RDS audit logs. Option A is wrong because S3 is for storage, not collection.

Option D is wrong because CloudTrail does not capture RDS audit logs.

83
MCQ · medium

Refer to the exhibit. This KMS key policy is attached to a customer managed key. A data engineer finds that the DataEngineer role can encrypt but cannot decrypt data. What is the most likely cause?

A. The key policy does not include kms:Decrypt in the IAM policy section
B. The role does not have an IAM policy allowing kms:Decrypt
C. The key policy does not allow kms:Decrypt
D. The key policy does not allow kms:GenerateDataKey
Answer: B

The role needs an IAM policy that allows kms:Decrypt; the key policy alone is insufficient for IAM roles.

Why this answer

The key policy allows kms:Decrypt and kms:GenerateDataKey for the role. The role likely lacks an IAM policy that allows kms:Decrypt. KMS requires both key policy and IAM policy permissions for IAM roles (except when the key policy explicitly enables IAM).

Option A is wrong because the key policy does allow decrypt. Option C is wrong because the key policy allows it. Option D is wrong because the key policy does not need to enable IAM; by default, IAM policies are allowed.

84
MCQ · medium

A company uses Amazon Redshift for data warehousing. The security team requires that all data stored in Redshift be encrypted at rest using a customer-managed KMS key. How should the data engineer configure this?

A. Enable encryption using a KMS key when creating the Redshift cluster
B. Configure S3 SSE-KMS on the underlying S3 storage
C. Use the AWS KMS console to encrypt the Redshift cluster after creation
D. Set a cluster parameter group with encryption enabled
Answer: A

Encryption must be enabled at launch; you cannot add it later.

Why this answer

Redshift supports encryption at rest using KMS. You enable encryption when launching the cluster by choosing a KMS key. Option B is wrong because Redshift doesn't use S3 SSE-KMS for its own storage.

Option C is wrong because you cannot encrypt an existing cluster without restoring from snapshot. Option D is wrong because cluster parameter groups do not control encryption. Option A is correct.

85
MCQ · medium

A data engineering team needs to encrypt data at rest in an Amazon S3 bucket that stores sensitive customer information. The team must use an AWS Key Management Service (AWS KMS) customer managed key with automatic rotation enabled. Which configuration meets these requirements?

A. Use default encryption with SSE-KMS and specify the customer managed key ID.
B. Use default encryption with SSE-S3.
C. Use default encryption with SSE-C and provide a customer-provided key.
D. Use default encryption with SSE-KMS and leave the key ID empty to use the AWS managed key.
Answer: A

SSE-KMS with a customer managed key allows automatic rotation and customer control.

Why this answer

Option A is correct because it enables SSE-KMS with a customer managed key that has automatic key rotation. Option B is wrong because SSE-S3 uses AWS managed keys without customer control. Option C is wrong because SSE-C requires the customer to manage the key and does not support automatic rotation.

Option D is wrong because SSE-KMS with an AWS managed key does not allow customer control.

86
MCQ · medium

A data engineer applies the above bucket policy to an S3 bucket containing sensitive data. The goal is to allow only encrypted (HTTPS) requests. However, a user reports being able to access an object using an HTTP (non-HTTPS) request. What is the most likely reason?

A. The policy uses Allow instead of Deny
B. The resource ARN does not include the bucket itself
C. The condition key aws:SecureTransport is used with BoolIfExists instead of Bool
D. The principal is set to "*", which allows anonymous access
Answer: C

BoolIfExists allows access if the key is missing, which happens with HTTP.

Why this answer

Option C is correct. The policy uses "BoolIfExists", which evaluates to true if the key is not present (e.g., HTTP requests do not have the SecureTransport condition key). Option A is wrong because the condition is already on a Deny effect.

Option D is wrong because the principal is "*", which includes everyone. Option B is wrong because the resource is correct.

87
MCQ · medium

A company uses Amazon RDS for MySQL to store transactional data. The database contains sensitive financial information. The company's security policy requires that all data at rest be encrypted using a customer-managed KMS key. The database was originally launched without encryption at rest. The security team now needs to enable encryption without significant downtime. What should they do?

A. Create a snapshot of the database, copy the snapshot with encryption enabled, and restore a new DB instance from the encrypted snapshot.
B. Enable encryption by modifying the DB instance's storage type to 'encrypted'.
C. Use the AWS DMS (Database Migration Service) to migrate data to a new encrypted RDS instance.
D. Modify the DB instance and enable encryption under the 'Storage' settings.
Answer: A

This is the standard procedure to enable encryption on an existing RDS instance.

Why this answer

Option A is correct because you cannot enable encryption on an existing RDS instance; you must create a snapshot, copy it with encryption, and restore a new encrypted instance. Option B is wrong because RDS does not support enabling encryption in place. Option D is wrong because modifying the DB instance does not allow enabling encryption.

You cannot change the storage encryption setting of an existing instance directly.

88
MCQ · medium

A data engineer is configuring an S3 bucket to host sensitive data. The security policy requires that all objects be encrypted with a key that is generated and managed by the customer, and that the key be stored in AWS KMS. Which encryption option should be used?

A. Server-Side Encryption with S3-Managed Keys (SSE-S3)
B. Client-Side Encryption
C. Server-Side Encryption with Customer-Provided Keys (SSE-C)
D. Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
Answer: D

SSE-KMS allows using customer-managed keys in KMS.

Why this answer

Option D is correct because SSE-KMS allows customer-managed keys in KMS. Option A is wrong because SSE-S3 uses AWS-managed keys. Option C is wrong because SSE-C uses customer-provided keys, not stored in KMS.

Option B is wrong because client-side encryption is not managed by S3.

89
MCQ · medium

A data engineer is setting up a data pipeline that ingests streaming data from Amazon Kinesis Data Streams into an S3 data lake using Amazon Kinesis Data Firehose. The data contains personally identifiable information (PII). The security team requires that all data be encrypted at rest in S3 using an AWS KMS customer managed key (CMK) that is specific to the application. Additionally, the data must be encrypted in transit between all services. The engineer creates the KMS key and configures Firehose to use server-side encryption with the key for the S3 destination. However, Firehose delivery fails with an error indicating that the KMS key is not accessible. What is the most likely cause?

A. The KMS key policy does not grant the firehose.amazonaws.com service principal the required permissions.
B. The Kinesis data stream is not encrypted at rest.
C. The Firehose delivery stream is not in the same region as the KMS key.
D. The S3 bucket policy does not grant the Firehose delivery stream access to write objects.
Answer: A

Firehose must be allowed to use the key via the key policy.

Why this answer

Kinesis Data Firehose needs permission to use the KMS key. The key policy must grant the Firehose service principal (firehose.amazonaws.com) permission to call kms:GenerateDataKey and kms:Decrypt. Without this, Firehose cannot encrypt the data.

90
Multi-Select · easy

A data engineer needs to monitor and log changes to IAM policies in an AWS account. Which TWO AWS services can be used together to achieve this?

Select 2 answers
A. Amazon GuardDuty
B. AWS Config
C. VPC Flow Logs
D. AWS CloudTrail
E. Amazon CloudWatch Logs
Answers: D, E

CloudTrail records all IAM API calls.

Why this answer

Options D and E are correct. AWS CloudTrail logs IAM API calls, and Amazon CloudWatch Logs can store and monitor those logs. Option B is incorrect because AWS Config tracks resource configuration but not API calls directly.

Option A is incorrect because Amazon GuardDuty is a threat detection service. Option C is incorrect because VPC Flow Logs capture network traffic.

91
MCQ · medium

A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which key type should be used to meet this requirement without manual intervention?

A. Use a customer managed key with automatic rotation enabled.
B. Use an imported key material because it supports automatic rotation.
C. Use a KMS key generated by S3 on each object upload.
D. Use an AWS managed key (aws/s3).
Answer: D

AWS managed keys are automatically rotated every year without any manual intervention.

Why this answer

AWS managed keys (AWS_KMS) are automatically rotated annually. Customer managed keys (CMK) support automatic rotation but require manual enablement; however, the question specifies 'without manual intervention'. AWS managed keys are rotated automatically every year.

Option A is wrong because customer managed keys require manual enablement of rotation. Option B is wrong because imported key material cannot be rotated. Option D is correct as described.

Option C is wrong because KMS does not generate keys on demand for S3; S3 uses a bucket key or CMK.

92
MCQ · hard

A company has an S3 bucket with versioning enabled and a bucket policy that denies access if the request does not include encryption. A data engineer notices that some objects are not encrypted. What is the most likely cause?

A. The bucket policy does not evaluate requests from the same account.
B. The policy only applies to new uploads; existing objects remain unencrypted.
C. Default encryption was not enabled at the bucket level.
D. Versioning was enabled after the objects were uploaded.
Answer: B

Bucket policies do not retroactively encrypt existing objects.

Why this answer

Option B is correct because bucket policies that deny unencrypted requests only apply to new uploads, not existing objects. Option A is wrong because the bucket policy evaluates all requests. Option D is wrong because versioning does not affect encryption.

Option C is wrong because default encryption only applies to new objects.

93
MCQ · hard

A company runs a data lake on Amazon S3 with AWS Glue and Amazon Athena. The security team recently ran a report using Amazon Macie and found that multiple S3 objects containing PII are publicly accessible. The data engineer is tasked with remediating this issue immediately. The S3 bucket is configured with a bucket policy that grants public read access to all objects. The data engineer needs to ensure that no objects are publicly accessible while maintaining the ability for authorized IAM users and roles to access the data via Athena. The bucket must also remain accessible to the Glue crawler. What is the MOST effective course of action?

A. Use Amazon Macie to automatically remediate the public access by updating the object ACLs.
B. Remove the bucket policy granting public access and attach an IAM policy to the Glue and Athena roles to allow access to the bucket.
C. Set the bucket ACL to private and add a bucket policy that allows access to the Glue crawler and Athena.
D. Enable S3 Block Public Access on the bucket and use a bucket policy to allow access from the Glue and Athena service principals.
Answer: B

This removes public access while allowing authorized access.

Why this answer

Option B is correct because removing the bucket policy that grants public access and using an S3 bucket policy or IAM policies to allow specific IAM principals (like Glue and Athena) resolves the public exposure while allowing authorized access. Option A is incorrect because Macie does not enforce access control. Option D is incorrect because enabling Block Public Access is a good practice but does not grant access to authorized users; it may also block Glue if not configured correctly.

Option C is incorrect because ACLs are legacy and less secure; also, public objects may have ACLs granting public access.

94
MCQ · hard

A company has a requirement to store audit logs for 7 years for compliance. The logs are stored in S3 and must be immutable. Which S3 feature should be used?

A. Use a bucket policy that denies s3:DeleteObject
B. Enable MFA Delete on the bucket
C. Enable S3 Versioning and set a lifecycle policy
D. Enable S3 Object Lock in compliance mode
Answer: D

Compliance mode prevents any user, including root, from overwriting or deleting objects.

Why this answer

S3 Object Lock prevents objects from being deleted or overwritten for a specified retention period. Option C is wrong because versioning does not prevent deletion. Option B is wrong because MFA Delete adds an extra step but can be bypassed by root.

Option A is wrong because bucket policies do not enforce immutability. Option D is correct.

95
Multi-Select · hard

A data engineer needs to ensure that an S3 bucket policy follows the principle of least privilege. Which of the following are valid conditions to restrict access based on the requester's identity? (Choose THREE.)

Select 3 answers
A. aws:PrincipalOrgID
B. s3:x-amz-server-side-encryption
C. aws:Referer
D. aws:SourceIp
E. aws:userId
Answers: A, D, E

Restricts to accounts in an AWS Organization.

Why this answer

Options A, D, and E are correct. aws:SourceIp restricts based on IP address. aws:PrincipalOrgID restricts to a specific AWS Organization. aws:userId restricts to a specific IAM user ID. Option C is wrong because aws:Referer is for the HTTP referrer, not identity. Option B is wrong because s3:x-amz-server-side-encryption is for encryption, not identity.

96
MCQ · hard

Refer to the exhibit. A data engineer runs the AWS CLI command to look up GetObject events. The output shows an event from the DataEngineer role. However, the engineer suspects that some GetObject requests are not being logged. What is the MOST likely reason?

A. The IAM role does not have permission to read the CloudTrail logs.
B. The CloudTrail trail is not configured to log data events.
C. The trail is not enabled in the us-east-1 region.
D. The S3 bucket is in a different region than the CloudTrail trail.
Answer: B

By default, CloudTrail does not log data events for S3 objects; they must be enabled.

Why this answer

Option B is correct because CloudTrail must have Data Events enabled for S3 object-level operations such as GetObject. Option A is wrong because the event is logged, so the trail exists. Option C is wrong because the engineer is looking up events, not configuring logging.

Option D is wrong because, although the lookup is region-specific and the bucket might be in a different region, that would not cause missing logs as long as events are logged in the bucket's region.

97
MCQ · hard

A company runs a data lake on AWS using S3 for storage and AWS Glue for ETL. The security team discovers that a contractor who left the company two months ago still has access to an S3 bucket containing sensitive data. The access was granted via an IAM user that was not deleted. The data engineer is asked to implement a solution to prevent future occurrences. The company uses AWS Organizations and has multiple accounts. The requirement is to automatically detect and remediate IAM users that have not been used for 90 days by disabling their access keys and notifying the security team. The solution must be least privilege and use AWS-native services. Which approach should the data engineer take?

A. Use AWS IAM Access Analyzer to generate findings for unused access and create an AWS Config managed rule to automatically disable the IAM user's access keys.
B. Use AWS CloudTrail to monitor IAM user activity and set up a CloudWatch alarm that triggers an SNS notification to the security team to manually disable the keys.
C. Use AWS Lake Formation to revoke the permissions of the IAM user and set up a scheduled Lambda function to check for unused IAM users.
D. Use AWS IAM Access Analyzer to generate findings for unused access and create an AWS Config custom rule with a Lambda function that automatically disables the access keys and sends a notification via SNS.
Answer: D

This automates detection and remediation.

Why this answer

Option D is correct. AWS IAM Access Analyzer can generate findings for unused access, and AWS Config with a custom rule can auto-remediate by invoking a Lambda function to disable keys and notify via SNS. Option A is wrong because IAM roles are not relevant for user access keys.

Option B is wrong because CloudTrail does not automatically disable keys. Option C is wrong because Lake Formation does not manage IAM users.

98
MCQ · hard

Refer to the exhibit. A data engineer is running an AWS Glue job that reads from an S3 bucket encrypted with a customer-managed KMS key. The job fails with the error shown. What is the most likely cause?

A. The S3 bucket policy denies the kms:Decrypt action.
B. The IAM role used by the Glue job is missing the kms:Decrypt permission.
C. The Glue job does not have permission to call kms:GenerateDataKey.
D. The KMS key policy does not grant the Glue service principal access.
Answer: B

The error says no identity-based policy allows kms:Decrypt.

Why this answer

The error indicates that the AWS Glue job cannot access the S3 bucket because it lacks the necessary KMS permissions. Since the bucket is encrypted with a customer-managed KMS key, the IAM role assigned to the Glue job must include the kms:Decrypt permission to read the encrypted objects. Without this permission, the job fails when attempting to decrypt the data.

Exam trap

AWS often tests the distinction between kms:Decrypt and kms:GenerateDataKey, leading candidates to mistakenly choose the latter when the job is only reading data, not writing or generating new encryption keys.

How to eliminate wrong answers

Option A is wrong because the S3 bucket policy denying kms:Decrypt would cause a different error (e.g., Access Denied), but the error shown specifically points to a missing permission, not a denial. Option C is wrong because kms:GenerateDataKey is used for encrypting new data, not for reading existing encrypted objects; the job only needs kms:Decrypt to read the encrypted data. Option D is wrong because the KMS key policy does not need to grant the Glue service principal directly; the IAM role used by the Glue job is the entity that requires the kms:Decrypt permission, and the key policy must allow that role (or the account) to use the key.

99
Multi-Select · medium

A data engineer is configuring an S3 bucket policy to allow cross-account access for a partner organization to write data to a specific prefix. The partner's AWS account ID is 111111111111. The engineer wants to ensure that only the partner can write, and that the partner cannot read or delete objects. Which policy statements should be included? (Choose TWO.)

Select 2 answers
A. {"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111111111111:user/PartnerUser"},"Action":"s3:PutObject","Resource":"arn:aws:s3:::mybucket/partner/*"}
B. {"Effect":"Allow","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::mybucket/partner/*","Condition":{"StringEquals":{"aws:SourceAccount":"111111111111"}}}
C. {"Effect":"Allow","Principal":{"AWS":"111111111111"},"Action":"s3:PutObject","Resource":"arn:aws:s3:::mybucket/partner/*"}
D. {"Effect":"Allow","Principal":{"AWS":"111111111111"},"Action":["s3:GetObject","s3:DeleteObject"],"Resource":"arn:aws:s3:::mybucket/partner/*"}
E. {"Effect":"Deny","Principal":{"AWS":"111111111111"},"NotAction":"s3:PutObject","Resource":"arn:aws:s3:::mybucket/partner/*"}
Answers: C, E

Grants write access to the prefix.

Why this answer

Options C and E are correct. Option C grants s3:PutObject on the prefix to the partner account. Option E explicitly denies the partner account all other actions on the prefix.

Option D is wrong because it grants read and delete. Option A is wrong because the principal should be the partner's account root, not a single user. Option B is wrong because using a condition without an explicit deny may not block all actions.

100
MCQ · easy

A company is using Amazon Redshift for data warehousing. They need to ensure that all queries are logged for audit purposes. Which AWS service should be used to capture query logs?

A. AWS CloudTrail
B. Amazon S3
C. Amazon CloudWatch Logs
D. Amazon Athena
Answer: C

Redshift can send query logs to CloudWatch Logs.

Why this answer

Option C is correct because Amazon Redshift can publish audit logs to CloudWatch Logs. Option A is wrong because CloudTrail captures API activity, not query logs. Option B is wrong because S3 is a storage service, not a logging service.

Option D is wrong because Athena is a query service, not a logging service.

101
MCQ · easy

A company uses Amazon Athena to query data in S3. The security team wants to ensure that users can only query tables they have permissions to in the AWS Glue Data Catalog. Which service should be used to manage these permissions centrally?

A. AWS Lake Formation
B. AWS IAM
C. AWS CloudTrail
D. S3 bucket policies
Answer: A

Lake Formation provides fine-grained access control to Data Catalog resources.

Why this answer

Option A is correct because Lake Formation provides centralized permissions management for the Glue Data Catalog. Option B (IAM) is too low-level and does not integrate directly with Data Catalog tables. Option D (S3 bucket policies) does not control table access.

Option C (CloudTrail) is for auditing, not access control.

102
MCQ · hard

A company uses Amazon Redshift for data warehousing. The security team requires that all data stored in Redshift be encrypted at rest. The current cluster is unencrypted. Which approach should the data engineer take to meet this requirement with minimal downtime?

A. Modify the cluster to enable encryption.
B. Unload data to S3 and reload into a new encrypted cluster.
C. Use the COPY command to load data into a new encrypted table.
D. Take a snapshot of the existing cluster and restore it to a new encrypted cluster.
Answer: D

Snapshot restore allows creating an encrypted cluster with minimal downtime.

Why this answer

Option D is correct because Redshift allows restoring a snapshot to a new encrypted cluster. The engineer can take a snapshot of the existing cluster, restore it to a new cluster with encryption enabled, and then redirect traffic to the new cluster. Option A is wrong because encryption cannot be enabled on an existing cluster.

Option C is wrong because the COPY command does not encrypt the cluster. Option B is wrong because unloading and reloading data would cause significant downtime.

103
MCQhard

A company uses Amazon DynamoDB to store session data. The security team requires that all data be encrypted at rest using a customer-managed KMS key. The data engineer has enabled encryption with a KMS key, but discovers that old data remains encrypted with the previous AWS-managed key. How can the engineer re-encrypt all existing data with the new key?

A.Disable and re-enable encryption with the new KMS key
B.Use AWS Backup to back up the table and restore it with the new encryption key
C.Use the DynamoDB console to change the encryption key and select 'Apply to existing data'
D.Export the table to S3 using DynamoDB Export to S3, then import using DynamoDB Import from S3 with the new encryption key specified
Answer: D

Export/Import re-encrypts data.

Why this answer

Option D is correct because Export to S3 and Import from S3 can re-encrypt the data with the new key. Option A is wrong because DynamoDB does not support in-place re-encryption. Option C is wrong because changing the key only applies to new writes.

Option B is wrong because copying the table does not re-encrypt it with the new key; it uses the table's default key.

104
MCQ · easy

A company needs to ensure that data stored in Amazon RDS is encrypted at rest. Which action should the data engineer take?

A.Enable encryption at rest by modifying the existing RDS instance.
B.Encrypt the underlying EBS volumes using AWS KMS.
C.Create a new RDS instance with encryption enabled using AWS KMS.
D.Enable SSL/TLS for connections to the RDS instance.
Answer: C

Encryption at rest must be enabled at launch time for RDS.

Why this answer

Option C is correct because encryption at rest for RDS is enabled at instance creation time by enabling encryption with KMS. Option A is wrong because encryption is not automatic; it must be enabled at launch time. Option B is wrong because encrypting the EBS volumes is not sufficient for RDS; the database must be encrypted.

Option D is wrong because encryption in transit is different from encryption at rest.

105
MCQ · medium

A company uses Amazon RDS for MySQL to store financial data. A compliance requirement mandates that all database connections must be encrypted. Which configuration step is necessary?

A.Set the RDS parameter enforce_ssl to 1.
B.Create the RDS DB instance in a private subnet.
C.Enable encryption for the RDS DB instance at creation time.
D.Configure the VPC security group to only allow traffic from certain IPs.
Answer: C

Encryption at rest and in transit can be enabled at creation; SSL/TLS can be enforced via a DB parameter group.

Why this answer

Option C is correct because enabling encryption for RDS instances requires using a DB instance that supports encryption and enabling it at creation. Option D is wrong because VPC security groups control network access, not encryption. Option B is wrong because RDS does not support enforcing encryption at the subnet level.

Option A is wrong because RDS does not have a parameter named enforce_ssl; SSL/TLS enforcement needs to be enabled in the DB parameter group.

106
MCQ · medium

Refer to the exhibit. A data engineer runs the AWS CLI command and gets the output shown. The engineer wants to grant a data analyst read-only access to the 'sales_db' database in AWS Glue Data Catalog using IAM. Which IAM policy statement is required?

A.{"Effect": "Allow", "Action": "glue:GetTable", "Resource": "arn:aws:glue:us-east-1:123456789012:table/sales_db/*"}
B.{"Effect": "Allow", "Action": "glue:GetDatabase", "Resource": "arn:aws:glue:us-east-1:123456789012:database/sales_db"}
C.{"Effect": "Allow", "Action": "glue:GetDatabases", "Resource": "*"}
D.{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::data-lake-sales/*"}
Answer: B

Grants read access to the specific database.

Why this answer

Option B is correct because to read a database, the user needs glue:GetDatabase. Option C is wrong because glue:GetDatabases is for listing databases. Option D is wrong because s3:GetObject is for data access, not catalog access.

Option A is wrong because glue:GetTable is for tables, not databases.

107
Multi-Select · medium

A data engineer needs to encrypt data at rest in Amazon S3 using server-side encryption with a customer-managed KMS key. Which TWO steps are required to ensure that the KMS key can be used for S3 object encryption?

Select 2 answers
A.Configure a VPC endpoint for KMS to allow S3 to access the key.
B.Set the S3 bucket policy to require SSE-KMS for all PutObject requests.
C.Add a statement in the KMS key policy that allows the S3 service to use the key.
D.Grant the IAM role that writes objects the kms:GenerateDataKey and kms:Decrypt permissions.
E.Create a service-linked role for S3 to access KMS.
Answers: C, D

The key policy must allow S3 to call GenerateDataKey and Decrypt.

Why this answer

Options C and D are correct. The KMS key policy must grant the S3 service principal kms:GenerateDataKey and kms:Decrypt permissions, and the IAM role that writes objects needs the same KMS permissions. Option A is not required because S3 does not reach KMS through a VPC endpoint.

Option E is not required because S3 does not need a service-linked role for SSE-KMS. Option B is not required because SSE-KMS does not depend on an S3 bucket policy.

108
MCQ · medium

Refer to the exhibit. An S3 bucket policy is shown. A data engineer using the DataEngineerRole tries to upload an object to s3://example-bucket/data/report.csv with SSE-S3 encryption. The upload fails. What is the most likely cause?

A.The resource ARN does not match the object.
B.The role does not have s3:PutObject permission.
C.The condition requires SSE-S3 encryption header, but the upload did not include it.
D.The principal is not authorized.
Answer: C

The condition requires the encryption header to be present and set to AES256.

Why this answer

Option C is correct because the condition s3:x-amz-server-side-encryption: AES256 requires SSE-S3, and the policy also requires that the encryption header be present. Option B is wrong because the role has GetObject and PutObject permissions. Option A is wrong because the resource is data/*, which should match.

Option D is wrong because the policy allows the role.

109
MCQ · hard

A company stores data in Amazon S3 with server-side encryption using AWS KMS (SSE-KMS). The data engineer needs to give a third-party auditor read-only access to the encrypted objects. The auditor has an AWS account. Which strategy should be used?

A.Generate a presigned URL for each object the auditor needs to access.
B.Copy the objects to a new bucket encrypted with SSE-S3 and share that bucket.
C.Grant the auditor's IAM role permission to use the KMS key.
D.Update the S3 bucket policy to allow access from the auditor's account and update the KMS key policy to allow the auditor's account to decrypt.
Answer: D

Both policies are required for cross-account access with SSE-KMS.

Why this answer

Option D is correct because cross-account access to SSE-KMS encrypted objects requires both an S3 bucket policy allowing the auditor's account and a KMS key policy granting the auditor's account decrypt permissions. Option A is wrong because presigned URLs don't solve the cross-account KMS issue. Option C is wrong because simply granting access to the KMS key is insufficient without S3 permissions.

Option B is wrong because copying objects with SSE-S3 changes the encryption and may not be allowed.

110
MCQ · easy

A data engineer needs to ensure that an Amazon Redshift cluster encrypts data at rest using a customer-managed AWS KMS key. Which configuration step is required?

A.Create a new cluster and select the default AWS managed key for encryption.
B.Create a new cluster and specify a customer-managed KMS key for encryption.
C.Use AWS CloudHSM to generate a key and attach it to the cluster.
D.Enable encryption on the existing cluster by modifying the cluster configuration.
Answer: B

Encryption must be set at cluster creation with a KMS key.

Why this answer

Option B is correct because Redshift supports encryption with a customer-managed KMS key, but encryption cannot be enabled on an existing unencrypted cluster; a new encrypted cluster must be created. Option D is wrong because enabling encryption on an existing cluster is not supported. Option A is wrong because the default AWS managed key is not customer-managed.

Option C is wrong because CloudHSM is for hardware-based key storage, not KMS integration.

111
Multi-Select · easy

A data engineer needs to audit data access in Amazon S3 for compliance. Which TWO services can be used to capture and analyze S3 access logs? (Choose TWO.)

Select 2 answers
A.Amazon CloudWatch Logs
B.AWS CloudTrail
C.S3 server access logs
D.Amazon Macie
E.AWS Config
Answers: B, C

Records S3 API calls.

Why this answer

Options B and C are correct. AWS CloudTrail records API calls, and S3 server access logs capture detailed access logs. Option D is wrong because Amazon Macie is for sensitive data discovery.

Option A is wrong because Amazon CloudWatch is for monitoring metrics. Option E is wrong because AWS Config is for resource configuration.

112
MCQ · medium

A financial services company uses Amazon Redshift for its data warehouse. The compliance team requires that all access to the database be logged, including the SQL queries executed, and that the logs be stored in a separate S3 bucket that is encrypted with a customer-managed KMS key. Additionally, the logs must be retained for 7 years. The data engineer has enabled audit logging on the Redshift cluster and configured it to deliver logs to an S3 bucket. However, the compliance team reports that the logs are not being delivered. The S3 bucket policy allows the Redshift service to write logs. What is the most likely reason for the failure?

A.The S3 bucket is in a different region than the Redshift cluster.
B.The S3 bucket has versioning enabled, which blocks log delivery.
C.The KMS key policy does not grant the Redshift service principal decrypt permissions.
D.The S3 bucket policy does not include a statement allowing the Redshift service principal to write objects.
Answer: D

Redshift requires an explicit bucket policy for audit logging.

Why this answer

Option D is correct. Redshift audit logging requires that the S3 bucket have a specific bucket policy that allows the Redshift service principal to write logs. Without that policy, delivery fails.

Option C is wrong because KMS key permissions are not the issue if the bucket policy is correct. Option B is wrong because versioning is not required. Option A is wrong because cross-region delivery is supported.

113
MCQ · medium

A data engineer needs to encrypt data at rest in an Amazon Redshift cluster. The company requires that the encryption key be managed by the customer and rotated annually. Which solution meets these requirements?

A.Use S3 server-side encryption with customer-provided keys (SSE-C).
B.Use AWS Secrets Manager to store the encryption key and configure Redshift to reference it.
C.Use AWS KMS with automatic key rotation enabled.
D.Use AWS CloudHSM to create and manage the encryption key, and configure Redshift to use it.
Answer: D

CloudHSM provides customer-managed HSMs with key rotation capabilities.

Why this answer

Option D is correct because AWS CloudHSM provides dedicated hardware security modules for key management, allowing customer-managed keys with rotation. Option B is incorrect because Redshift cannot use Secrets Manager for encryption keys. Option C is incorrect because AWS KMS with automatic rotation meets the rotation requirement, but the key is AWS-managed unless customer-managed KMS keys are used; CloudHSM is more appropriate for dedicated control.

Option A is incorrect because S3 server-side encryption is not applicable to Redshift.

114
Multi-Select · medium

A company is designing a data lake on Amazon S3. The security team requires granular access control based on data classifications. Which TWO AWS services can be used together to implement attribute-based access control (ABAC) for objects in S3?

Select 2 answers
A.AWS Secrets Manager
B.AWS Lake Formation
C.Amazon S3 object tags
D.AWS Identity and Access Management (IAM)
E.AWS Key Management Service (KMS)
Answers: C, D

Object tags are used in IAM policy conditions to enable ABAC.

Why this answer

IAM policies support ABAC using tags. S3 object tags can be used as condition keys in IAM policies to control access based on object tags. Lake Formation also supports ABAC for data lake permissions.

KMS and Secrets Manager are not for access control.

115
MCQ · easy

A data engineer needs to audit who accessed specific objects in an S3 bucket over the past 30 days. Which AWS service should be used?

A.AWS Config
B.Amazon CloudWatch Logs
C.Amazon S3 server access logs
D.AWS CloudTrail
Answer: C

These logs record access to objects.

Why this answer

Option C is correct. S3 server access logs record object-level access. Option D is wrong because CloudTrail logs API calls, whereas S3 server access logs provide detailed object access.

Option A is wrong because Config records resource changes, not access. Option B is wrong because CloudWatch Logs can store logs but does not generate them.

116
MCQ · medium

Refer to the exhibit. An IAM policy allows kms:Decrypt and kms:GenerateDataKey on a specific KMS key. A data engineer is unable to upload an object to an S3 bucket that uses SSE-KMS with that key. What is the MOST likely missing permission?

A.kms:Decrypt permission on the key.
B.s3:PutObject permission on the bucket.
C.kms:Encrypt permission on the key.
D.kms:CreateGrant permission on the key.
Answer: B

The user needs S3 permission to upload objects.

Why this answer

Option B is correct because to upload an object with SSE-KMS, the user needs kms:GenerateDataKey, which is already allowed, but also s3:PutObject permission on the bucket. Option A is wrong because kms:Decrypt is already allowed. Option D is wrong because kms:CreateGrant is not required for uploading.

Option C is wrong because kms:Encrypt is not required; GenerateDataKey is sufficient.

117
MCQ · easy

A data engineer needs to grant an IAM user the ability to view Amazon CloudWatch Logs log groups and stream log events from a specific log group. Which IAM policy action should be used?

A.logs:DescribeLogGroups and logs:GetLogEvents
B.logs:PutLogEvents
C.logs:CreateLogGroup
D.logs:DeleteLogGroup
Answer: A

These allow listing and reading logs.

Why this answer

Option A is correct because logs:DescribeLogGroups and logs:GetLogEvents are the required actions. Option B is wrong because logs:PutLogEvents is for writing. Option C is wrong because logs:CreateLogGroup is for creation.

Option D is wrong because logs:DeleteLogGroup is for deletion.

118
MCQ · hard

Refer to the exhibit. A data engineer creates this KMS key policy. An IAM role in account 123456789012 is granted decrypt access to the key. However, when the DataAnalystRole tries to decrypt an S3 object encrypted with this key, the operation fails. What is the most likely reason?

A.The S3 bucket policy does not allow the role to call s3:GetObject
B.The KMS key is in a different region than the S3 bucket
C.The role does not have permission to call kms:DescribeKey
D.The KMS key policy does not grant kms:Decrypt permission to the role
Answer: A

Even with decrypt permission, the role needs s3:GetObject permission on the encrypted object.

Why this answer

KMS key policies grant access to principals. However, if the S3 bucket policy does not allow the role to call kms:Decrypt, the combination of policies might still deny. But the key policy itself grants decrypt.

A common issue is that the S3 bucket policy might not allow the s3:GetObject action, or the role might not have S3 permissions. Another possibility is that the KMS key is in a different region (us-east-1) but the S3 object is in another region, causing cross-region access which is not allowed by default. However, the most likely reason based on typical exam scenarios is that the S3 bucket policy does not grant the necessary S3 permissions.

119
MCQ · medium

A company stores sensitive data in an Amazon S3 bucket. To comply with regulations, all data must be encrypted at rest using server-side encryption. The security team wants to ensure that any attempt to upload an unencrypted object is automatically denied. Which S3 bucket policy condition should be used?

A.s3:x-amz-server-side-encryption-aws-kms-key-id
B.s3:x-amz-acl
C.s3:x-amz-server-side-encryption
D.s3:x-amz-storage-class
Answer: C

Setting this condition to require 'AES256' enforces SSE-S3 encryption.

Why this answer

The s3:x-amz-server-side-encryption condition key enforces that objects must be encrypted with AES-256 (SSE-S3). s3:x-amz-server-side-encryption-aws-kms-key-id is for KMS key enforcement. s3:x-amz-acl controls access control lists, not encryption.

120
MCQ · medium

A team is designing a data lake on S3 and needs to enforce encryption at rest. They want to use server-side encryption with a KMS key that they manage. Which encryption option should they configure on the S3 bucket?

A.SSE-KMS
B.Client-side encryption
C.SSE-S3
D.SSE-C
Answer: A

SSE-KMS uses KMS keys that the customer manages.

Why this answer

SSE-KMS is the correct choice because it provides server-side encryption using a customer-managed KMS key. This allows the team to enforce encryption at rest with their own key, giving them control over key rotation, access policies, and audit trails via AWS CloudTrail, which aligns with the requirement to manage the encryption key themselves.

Exam trap

The trap here is that candidates often confuse SSE-S3 with SSE-KMS, assuming both use customer-managed keys, but SSE-S3 uses AWS-managed keys and does not provide the customer with key management control or audit capabilities.

How to eliminate wrong answers

Option B (Client-side encryption) is wrong because it encrypts data before it is sent to S3, not at rest on the server side, and does not involve configuring encryption on the S3 bucket itself. Option C (SSE-S3) is wrong because it uses an AWS-managed key, not a customer-managed KMS key, so the team would not have control over key management. Option D (SSE-C) is wrong because it requires the customer to provide their own encryption keys in each request, and the bucket configuration does not manage the key; instead, the key is supplied per-object, which is not a bucket-level encryption setting.

121
MCQ · medium

A company is using Amazon Redshift Spectrum to query data in Amazon S3. The S3 bucket uses SSE-KMS encryption. The Redshift cluster has an IAM role that allows access to S3 and KMS. However, queries fail with an 'Access Denied' error. What is the most likely cause?

A.The Redshift cluster does not have the IAM role attached.
B.The external schema does not have the IAM role specified.
C.The IAM role does not have the kms:Decrypt permission.
D.The external table is not defined in the schema.
Answer: B

The schema must reference the IAM role for Redshift Spectrum to assume it.

Why this answer

When using Redshift Spectrum with SSE-KMS encrypted data in S3, the IAM role must be explicitly associated with the external schema via the `CREATE EXTERNAL SCHEMA` command using the `IAM_ROLE` parameter. Even if the cluster has the IAM role attached, Spectrum queries fail with 'Access Denied' if the role is not specified at the schema level, because Redshift needs to pass that role to S3 and KMS for each query execution. Option B correctly identifies this missing configuration as the most likely cause.

Exam trap

The trap here is that candidates assume attaching an IAM role to the Redshift cluster is sufficient for all Spectrum operations, but the DEA-C01 exam tests the specific requirement that the role must be declared in the external schema definition for Spectrum to use it.

How to eliminate wrong answers

Option A is wrong because the question states the Redshift cluster has an IAM role attached, so the role is present on the cluster; the issue is that it is not specified in the external schema. Option C is wrong because the IAM role is explicitly stated to allow access to KMS, and the 'Access Denied' error typically occurs before KMS permission checks if the role is not passed to Spectrum at all. Option D is wrong because the external table definition is irrelevant to the 'Access Denied' error; the error occurs at the schema or role association level, not due to missing table definitions.

122
MCQ · hard

Refer to the exhibit. A data engineer reviews an Amazon S3 server access log entry for an object upload. The log shows a status of 200 and encryption status "AES256". The company policy requires that all data be encrypted with SSE-KMS. Which action should the engineer take to enforce this policy?

A.Attach an S3 bucket policy that denies s3:PutObject unless the request includes x-amz-server-side-encryption: aws:kms
B.Revoke the IAM role's s3:PutObject permission
C.Enable AWS CloudTrail data events to monitor future uploads
D.Enable S3 default encryption with SSE-KMS on the bucket
Answer: A

Enforces SSE-KMS.

Why this answer

Option A is correct because the log shows the object was encrypted with AES256 (SSE-S3), not KMS. The engineer should attach a bucket policy that denies PutObject unless the encryption header is aws:kms. Option B is wrong because the upload succeeded.

Option C is wrong because CloudTrail does not prevent uploads. Option D is wrong because default encryption only applies to new objects without encryption headers, but the policy must deny SSE-S3.

123
Multi-Select · medium

A company uses AWS CloudTrail to log all API calls. The security team wants to ensure that log files are tamper-proof and cannot be deleted. Which TWO actions should the data engineer take? (Choose TWO.)

Select 2 answers
A.Enable CloudTrail log file validation
B.Enable S3 Object Lock on the S3 bucket
C.Enable MFA Delete on the S3 bucket
D.Enable S3 Versioning on the S3 bucket
E.Enable SSE-KMS encryption on the S3 bucket
Answers: A, B

Provides integrity verification to detect tampering.

Why this answer

Options A and B are correct. S3 Object Lock prevents deletion, and CloudTrail log file validation provides integrity verification. Option C is wrong because MFA Delete is not set up by CloudTrail.

Option D is wrong because versioning alone does not prevent deletion. Option E is wrong because SSE-KMS encrypts but does not prevent deletion.

124
MCQ · hard

A data engineer needs to share a dataset stored in an Amazon S3 bucket with another AWS account. The dataset must remain encrypted at rest using AWS KMS. The data engineer creates a bucket policy that grants the other account access to the bucket. However, the other account reports that objects appear encrypted and they cannot decrypt them. What is the most likely cause?

A.The KMS key policy does not grant the other account the kms:Decrypt permission
B.The bucket policy does not grant the s3:GetObject permission
C.The other account must use the same KMS key to upload objects
D.The objects are encrypted with SSE-S3, which is not supported for cross-account access
Answer: A

Without decrypt permission on the KMS key, the other account cannot decrypt the objects even if they can download them.

Why this answer

When using SSE-KMS, the bucket policy alone is not enough; the KMS key policy must also grant the consuming account permission to use the key (kms:Decrypt). The bucket policy controls access to the S3 objects, but the KMS key policy controls who can decrypt them.

125
Multi-Select · hard

A company needs to enforce encryption at rest for all data stored in Amazon S3. The security team wants to ensure that no objects can be uploaded without encryption. Which THREE steps should be taken to meet this requirement?

Select 3 answers
A.Require all clients to use AWS CloudTrail for logging
B.Enable Amazon S3 Transfer Acceleration
C.Use AWS Key Management Service (KMS) to manage encryption keys
D.Create an S3 bucket policy that denies s3:PutObject if the x-amz-server-side-encryption header is not present
E.Enable default encryption on the S3 bucket using SSE-S3
Answers: C, D, E

SSE-KMS is a valid option for encryption at rest, and enforcing its use can be part of the policy.

Why this answer

A bucket policy denying s3:PutObject without the x-amz-server-side-encryption header enforces encryption. Using SSE-S3 or SSE-KMS ensures encryption at rest. SSE-C is not recommended for most cases.

Requiring HTTPS ensures encryption in transit, not at rest. CloudTrail is for auditing.

126
MCQ · easy

A data engineer receives an alert that an AWS KMS key has been scheduled for deletion by mistake. What is the immediate action to prevent the key from being deleted?

A.Cancel the key deletion from the KMS console or API.
B.Create a new KMS key and re-encrypt the data.
C.Wait for the key to be deleted and restore it from backup.
D.Disable the key immediately to stop usage.
Answer: A

Canceling deletion restores the key.

Why this answer

Option A is correct because KMS keys in pending deletion can be canceled to restore the key to its previous state. Option B is wrong because creating a new key does not restore the old one. Option D is wrong because disabling the key does not cancel deletion.

Option C is wrong because the default waiting period is 7-30 days, but the deletion can be canceled during that time.

127
MCQ · medium

A data engineer is designing a data pipeline that ingests personally identifiable information (PII) into Amazon Redshift. The engineer needs to ensure that only authorized users can view the data, and that all queries are logged for auditing. Which combination of AWS services should the engineer use?

A.AWS CloudTrail and Amazon Redshift audit logging
B.AWS IAM Access Analyzer and Amazon Redshift audit logging
C.Amazon S3 access logs and AWS CloudTrail
D.AWS CloudTrail and Amazon CloudWatch Logs
Answer: D

CloudTrail logs API calls; CloudWatch Logs can capture Redshift audit logs.

Why this answer

Option B is correct because AWS CloudTrail logs Redshift API calls and Amazon Redshift audit logging captures SQL queries. Option A is wrong because CloudWatch Logs can also be used, but CloudTrail is the standard for API auditing. Option C is wrong because S3 access logs do not capture Redshift queries.

Option D is wrong because IAM Access Analyzer does not log queries.

128
MCQ · easy

Refer to the exhibit. An IAM policy is attached to a user. What is the security implication of this policy?

A.The policy only allows read access.
B.The policy is invalid because it uses asterisks.
C.The policy is too restrictive.
D.The policy grants excessive permissions, violating least privilege.
Answer: D

It grants full S3 access to all resources.

Why this answer

Option D is correct because the policy grants full S3 access to all resources, violating least privilege. Option C is wrong because the policy is too permissive, not too restrictive. Option B is wrong because the policy is valid syntax.

Option A is wrong because the policy grants access to all actions, not only read access.

129
Multi-Select · medium

A company stores sensitive data in Amazon S3. The data engineer needs to implement a solution that automatically detects and redacts PII in new objects as they are uploaded. Which TWO AWS services should be used together?

Select 2 answers
A.AWS Glue ETL
B.Amazon Macie
C.Amazon DynamoDB
D.Amazon Comprehend
E.AWS Glue Data Catalog
Answers: B, D

Detects PII in S3.

Why this answer

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect sensitive data in Amazon S3. Amazon Comprehend is a natural language processing (NLP) service that can be used to detect and redact PII entities from text. Together, they enable automated detection and redaction of PII in newly uploaded S3 objects by triggering Macie to identify sensitive data and then using Comprehend to redact the PII.

Exam trap

AWS often tests the distinction between data discovery (Macie) and data processing/redaction (Comprehend), leading candidates to incorrectly select only Macie or to confuse Glue ETL as a redaction tool.

130
MCQ · medium

A healthcare company uses AWS Glue to process patient data stored in Amazon S3. The data is encrypted at rest using SSE-KMS with a customer managed key. The Glue ETL job runs on a schedule and reads from an S3 bucket, transforms the data, and writes to another S3 bucket also encrypted with the same KMS key. Recently, the security team rotated the KMS key. After the rotation, the Glue job started failing with 'AccessDenied' errors when trying to read from the source bucket. The Glue job's IAM role has permissions to use the KMS key (kms:Decrypt, kms:GenerateDataKey). The S3 bucket policies allow the role to read/write. What is the MOST likely cause of the failure?

A.The KMS key rotation created a new backing key, but the Glue job's IAM role does not have permission to decrypt with the old backing key.
B.The Glue job's IAM role is missing the kms:Encrypt permission on the KMS key.
C.The Glue job is using the wrong encryption context when calling KMS.
D.The S3 bucket policy has a condition that requires the request to use the latest version of the KMS key.
Answer: A

If automatic rotation is enabled, old backing keys are retained, but if the key was manually rotated (new key created), the old key may be disabled. Also, the key policy may have been updated incorrectly.

Why this answer

When you rotate a customer managed KMS key, AWS KMS retains the old backing key to allow decryption of data encrypted before the rotation. However, the Glue job's IAM role must have permission to use the old backing key via the kms:Decrypt action. If the key policy or IAM policy does not explicitly allow decryption with the old backing key (or if the key policy was inadvertently updated to remove access to the old key material), the Glue job will fail with AccessDenied when reading SSE-KMS encrypted objects that were encrypted with the previous key version.

Exam trap

The trap here is that candidates assume KMS key rotation is seamless and never breaks existing access, but they overlook that the IAM role or key policy must still grant kms:Decrypt on the key resource, and that the old backing key remains in use for previously encrypted data.

How to eliminate wrong answers

Option B is wrong because the Glue job is failing on read (decrypt), not write; the error occurs when reading from the source bucket, so missing kms:Encrypt would only affect writes to the destination bucket. Option C is wrong because the encryption context is set by the S3 service when the object was uploaded; the Glue job does not control the encryption context used during decryption, and a mismatch would cause a different error (e.g., InvalidCiphertextException), not AccessDenied. Option D is wrong because S3 bucket policies cannot require the request to use the latest version of a KMS key; KMS key versioning is transparent to S3 policies, and there is no such condition key in S3 bucket policies.

131
MCQ · medium

A company uses AWS Glue to process sensitive data stored in S3. The security team requires that all data be encrypted at rest using customer-managed KMS keys. The data engineers are encountering 'Access Denied' errors when running Glue ETL jobs. What is the most likely cause?

A.The Glue service role does not have kms:Decrypt and kms:Encrypt permissions for the KMS key.
B.The KMS key policy does not allow the AWS Glue service to use the key.
C.The Glue Data Catalog is encrypted with a different KMS key.
D.The S3 bucket policy denies access to the Glue service role.
Answer: A

Glue needs KMS permissions to decrypt objects from S3 and encrypt output.

Why this answer

Option A is correct because the Glue service role must have kms:Decrypt and kms:Encrypt permissions for the KMS key to read and write encrypted data in S3. Option D is incorrect because S3 bucket policies can restrict access, but the error is more likely due to missing KMS permissions. Option B is incorrect because KMS key policies or IAM policies can grant access to the Glue role.

Option C is incorrect because the issue is not about cross-account access.

132
MCQ · medium

An organization wants to audit all API calls made to AWS services for compliance. Which AWS service should be used to capture and store these API calls?

A.AWS CloudTrail
B.AWS Config
C.Amazon VPC Flow Logs
D.Amazon CloudWatch Logs
Answer: A

CloudTrail records AWS API calls for auditing.

Why this answer

Option A is correct because AWS CloudTrail records API calls and stores them in S3. CloudWatch Logs is for log data, not API calls.

VPC Flow Logs capture network traffic. Config records resource configuration changes.

133
MCQ · medium

Refer to the exhibit. A data engineer attaches this bucket policy to an S3 bucket. A developer tries to upload an object to the bucket using the AWS CLI with the command: `aws s3 cp file.txt s3://my-bucket/`. The upload fails. What is the most likely reason?

A.The CLI command does not specify the encryption header, so the request is denied by the policy
B.The developer used the wrong AWS region
C.The CLI command does not include the required KMS key ID
D.The IAM user does not have s3:PutObject permission
AnswerA

The policy denies requests without encryption header.

Why this answer

Option A is correct because `aws s3 cp` sends no x-amz-server-side-encryption header unless `--sse` is given; the object would simply receive the bucket's default encryption. The policy denies PutObject when that header is absent or is anything other than aws:kms. A policy that does this needs both a Null check for the missing header and a StringNotEquals check for the wrong value, because StringNotEquals alone does not match a request in which the header is missing. Passing `--sse aws:kms` satisfies the policy. Option B is wrong because a region mismatch produces a redirect or endpoint error, not a policy denial.

Option C is wrong because the policy requires SSE-KMS but does not require a particular key ID. Option D is wrong because the rejection comes from the bucket policy's explicit Deny, which applies even when the user holds s3:PutObject.

134
MCQeasy

A company needs to encrypt data in transit between an EC2 instance and an S3 bucket. Which method should be used?

A.Use HTTPS endpoints
B.Use plain HTTP
C.Use an IPsec VPN
D.Server-side encryption (SSE)
AnswerA

HTTPS encrypts data in transit using TLS.

Why this answer

HTTPS endpoints encrypt data in transit between EC2 and S3 using TLS, ensuring confidentiality and integrity over the network. S3 supports HTTPS natively on its REST endpoints, and the AWS SDKs and CLI default to HTTPS, making this the simplest and most secure method for encrypting data in motion. To make it mandatory rather than a client default, add a bucket policy statement that denies all s3:* actions when aws:SecureTransport is false.

Exam trap

The trap here is confusing encryption in transit (HTTPS) with encryption at rest (SSE), leading candidates to select server-side encryption even though it does not protect data during network transfer.

How to eliminate wrong answers

Option B is wrong because plain HTTP transmits data in cleartext, exposing it to interception and tampering, which violates encryption-in-transit requirements. Option C is wrong because an IPsec VPN encrypts traffic between networks but is unnecessary and overly complex for direct EC2-to-S3 communication, which can be secured via HTTPS without additional infrastructure. Option D is wrong because server-side encryption (SSE) protects data at rest within S3, not data in transit between EC2 and S3.

135
MCQeasy

A data engineer needs to grant an IAM user read-only access to a specific KMS key for decrypting S3 objects. Which policy element should be used?

A.Attach an IAM policy to the user allowing kms:Decrypt
B.Add a statement to the KMS key policy allowing the IAM user to call kms:Decrypt
C.Add a bucket policy that grants kms:Decrypt
D.Use an SCP in AWS Organizations to allow kms:Decrypt
AnswerB

Key policies directly grant access to the key.

Why this answer

Option B is correct because the key policy is the resource-based control on the key itself: a statement naming the user's ARN with kms:Decrypt grants the access without depending on anything else. Option A can also work, but only if the key policy already delegates to IAM (the default "Enable IAM User Permissions" statement for the account root); an IAM policy alone grants nothing on a key whose policy lacks that statement. Option C is wrong because bucket policies can only grant s3: actions; they cannot grant KMS permissions.

Option D is wrong because SCPs only set the maximum permissions for accounts in an Organization and never grant access on their own. In practice both A and B are used: the key policy for cross-account access or tightly scoped grants, IAM policies for day-to-day same-account administration.

136
Multi-Selecthard

A company uses Amazon Redshift for data warehousing. The security team requires that data be encrypted at rest using a customer-managed key (CMK) in AWS KMS, and that the key be rotated automatically every year. Additionally, the team wants to restrict access to the key to only the Redshift cluster and a security admin IAM role. Which steps should the company take? (Choose THREE.)

Select 3 answers
A.Add the security admin IAM role as a key user in the KMS key policy.
B.Alter the existing Redshift cluster to enable encryption with the CMK.
C.Enable automatic key rotation in the KMS key policy.
D.Disable automatic key rotation to comply with security policy.
E.Create a new Redshift cluster and specify the CMK for encryption.
AnswersA, C, E

Allows the admin to manage the key.

Why this answer

Options A, C, and E are correct. Option A adds the security admin role as a key user in the key policy, so that the Redshift service principal and that role are the only principals allowed to use the key. Option C turns on automatic yearly rotation; note that rotation is a key setting enabled with the EnableKeyRotation API (`aws kms enable-key-rotation --key-id ...`), not a statement written into the key policy document, so the option's wording is loose.

Option E creates a new cluster with the CMK selected as its encryption key. Option B is wrong because a cluster cannot simply be altered onto a different key in place: Redshift migrates the data to a new encrypted cluster, which is why the exam expects a new cluster with the CMK. Option D is wrong because disabling rotation contradicts the yearly rotation requirement.

137
Drag & Dropmedium

Order the steps to migrate an on-premises database to Amazon RDS using AWS DMS.

Why this order

First, create the replication instance. Then configure endpoints, create the migration task, start it, and finally validate the migrated data.

138
MCQmedium

A company stores sensitive customer data in an S3 bucket. The security team requires that all data be encrypted at rest using a customer-managed AWS KMS key. However, when a data engineer attempts to upload an object using the AWS CLI, the upload fails with an access denied error. The engineer has s3:PutObject permission on the bucket. Which additional permission is most likely missing?

A.kms:CreateKey
B.kms:Decrypt
C.s3:PutObjectAcl
D.kms:GenerateDataKey
AnswerD

Required to generate a data key for server-side encryption.

Why this answer

Option D is correct: when S3 writes an SSE-KMS object it calls kms:GenerateDataKey on the caller's behalf to obtain the per-object data key, so a principal without that permission gets AccessDenied on the upload even with s3:PutObject. Option B is wrong because kms:Decrypt is needed to read the object back, not to upload it; the practical caveat is that multipart uploads (which the CLI uses for large files) also require kms:Decrypt, so grant both.

Option A is wrong because kms:CreateKey creates new keys and is not needed to use an existing one. Option C is wrong because s3:PutObjectAcl controls object ACLs, not encryption.

139
MCQeasy

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that the KMS key can only be used from within the company's VPC. Which policy element should be added to the KMS key policy?

A.Set the Principal element to restrict access to the VPC.
B.Add a condition using aws:SourceIp to allow only IP addresses from the VPC.
C.Add a condition using aws:SourceVpc to allow only requests from the VPC.
D.Add a condition using kms:ViaService to allow only via VPC endpoints.
AnswerC

This condition restricts key usage to the specified VPC.

Why this answer

Option C is correct because a condition on aws:SourceVpc restricts key use to requests that reach KMS from the named VPC. The key is present in the request context only when the call arrives through a VPC endpoint for KMS, so the VPC needs an interface endpoint for KMS (aws:SourceVpce can pin it to one endpoint); requests sent to the public KMS endpoint carry no aws:SourceVpc and fail the condition. Option A is wrong because the Principal element identifies who may use the key, not where the request comes from. Option B is wrong because aws:SourceIp matches public source addresses and is not populated for requests arriving via a VPC endpoint.

Option D is wrong because kms:ViaService restricts use to calls made on the principal's behalf by a named AWS service (for example s3.us-east-1.amazonaws.com), not to a network location.

140
Multi-Selecteasy

A data engineer is designing a data lake on Amazon S3 that must comply with GDPR. The engineer needs to ensure that individuals can request deletion of their personal data. Which THREE AWS services can be used together to automate the deletion of specific records?

Select 3 answers
A.AWS Lambda
B.AWS Glue
C.Amazon S3 Batch Operations
D.Amazon S3 Select
E.Amazon DynamoDB
AnswersA, C, D

Can process deletion logic.

Why this answer

Option D (S3 Select) locates the records containing the individual's identifier inside each object, Option A (Lambda) runs the deletion logic, and Option C (S3 Batch Operations) drives the job across a manifest of objects, invoking the Lambda function per object or deleting whole objects when a file belongs to one person. Because S3 objects are immutable, removing a single record means rewriting the object without it, which is what the Lambda function does. Option B (Glue) is an ETL service rather than a record-deletion tool for the exam's purposes. Option E (DynamoDB) is a separate database, not a way to edit S3 objects.

141
MCQhard

A company has a multi-account strategy using AWS Organizations. The data engineering team needs to share a central S3 bucket across multiple accounts while maintaining fine-grained access control. Which solution should be used?

A.Use IAM roles in each account with cross-account access
B.Use Amazon CloudFront to serve the data
C.Use S3 access points with a policy per account
D.Create a bucket policy with principal ARNs for each account
AnswerC

Access points allow separate policies for each account.

Why this answer

Option C is correct. S3 Access Points give each consuming account its own named endpoint with its own access point policy, which can be scoped to a prefix or restricted to a VPC, while the bucket policy delegates to the access points with a single s3:DataAccessPointAccount condition covering the Organization's accounts. Option D is wrong because one bucket policy listing every principal ARN grows unwieldy and runs into the 20 KB bucket policy size limit as accounts are added.

Option A is wrong because cross-account roles require role-switching and do not by themselves give per-account, prefix-level control on the bucket. Option B is wrong because CloudFront is a content delivery network, not an access-control mechanism for a shared data lake.

142
Multi-Selecthard

A company uses Amazon EMR to process sensitive data. The data engineer needs to ensure that data in transit between EMR and S3 is encrypted. Which THREE configurations achieve this? (Choose THREE.)

Select 3 answers
A.Enable S3 Block Public Access on the bucket
B.Configure EMRFS to use server-side encryption with S3 (SSE-S3) and require HTTPS
C.Enable SSE-KMS on the S3 bucket
D.Use SSE-C with HTTPS for S3 communication
E.Configure EMR to use VPC endpoints for S3 with a policy that enforces HTTPS
AnswersB, D, E

EMRFS can enforce HTTPS for data transfer.

Why this answer

Options B, D, and E are correct. EMRFS talks to S3 over TLS, so configuring it with SSE-S3 and requiring HTTPS (B) or using SSE-C over HTTPS (D) keeps the transfer encrypted, and a gateway VPC endpoint for S3 with an endpoint policy that denies requests where aws:SecureTransport is false (E) enforces it for every client in the VPC. Option C is wrong because SSE-KMS encrypts data at rest in S3 and says nothing about the connection.

Option A is wrong because S3 Block Public Access governs who can reach the bucket, not how traffic is carried.

143
MCQhard

A company stores sensitive data in Amazon S3. The security team requires that all data be encrypted at rest and that the encryption keys be stored in AWS CloudHSM. Which S3 encryption option should be used?

A.SSE-S3
B.SSE-KMS with an AWS managed key
C.SSE-KMS with a customer managed key
D.SSE-C
AnswerD

SSE-C allows the customer to provide their own encryption keys, which can be stored and managed in CloudHSM.

Why this answer

Option D is the exam's expected answer: with SSE-C the customer generates and holds the key, which can be stored in CloudHSM, and supplies it with every request; S3 uses it for that operation and discards it. SSE-S3 and SSE-KMS with an AWS managed key use keys that AWS controls. A practitioner's caveat: SSE-C means exporting the key from the HSM and sending it with each call over TLS, so the HSM acts only as a key vault. Keeping the key material inside CloudHSM while S3 performs the encryption is what SSE-KMS with a customer managed key in a KMS custom key store (backed by a CloudHSM cluster) provides, which is the option to evaluate outside the exam.

144
MCQeasy

Refer to the exhibit. An IAM policy includes this statement. What access does it grant?

A.It denies GetObject access to the bucket from IP addresses in 10.0.0.0/8
B.It allows GetObject access to the bucket only from a specific VPC
C.It allows PutObject access to the bucket from any IP address
D.It allows GetObject access to the bucket only from IP addresses in 10.0.0.0/8
AnswerD

The policy allows access from the specified IP range.

Why this answer

Option D is correct because the statement allows s3:GetObject on the bucket's objects with an IpAddress condition on aws:SourceIp, so the Allow applies only to requests from 10.0.0.0/8. Option A is wrong because the Effect is Allow, not Deny; an Allow whose condition fails simply does not apply, which leaves an implicit rather than explicit deny. Option B is wrong because VPC scoping would use aws:SourceVpc or aws:SourceVpce, not an IP range, and private addresses arriving through a VPC endpoint are not matched by aws:SourceIp at all.

Option C is wrong because the action is GetObject, not PutObject, and the condition restricts rather than permits any address.

145
MCQhard

Refer to the exhibit. An S3 bucket policy allows the DataEngineerRole to get objects only if the request uses HTTPS. However, requests from this role are being denied even when using HTTPS. What is the MOST likely reason?

A.The IAM role does not have permission to use SSE-S3.
B.The condition key aws:SecureTransport is misspelled.
C.The bucket policy does not include a Deny statement for HTTP requests.
D.The IAM role's attached policy does not allow s3:GetObject on the bucket.
AnswerD

The bucket policy allows the role, but the role itself must also have an IAM policy that allows s3:GetObject.

Why this answer

Option D is correct because the bucket policy's Allow, whose aws:SecureTransport condition is true for HTTPS requests, is only half the picture: the role must also be permitted to call s3:GetObject by its own identity policy. That is strictly required when the role lives in another account (cross-account access needs an Allow on both sides), and in the same account an explicit Deny in the role's policy overrides the bucket policy's Allow. Option A is wrong because reading SSE-S3 objects needs no extra permission. Option B is wrong because the exhibit's condition key is spelled correctly; a typo there would make the Allow never apply, so it is worth checking first, but it is not the case here.

Option C is wrong because a Deny for HTTP would block cleartext requests and has no effect on HTTPS ones; its absence cannot explain an HTTPS denial.

146
Multi-Selecthard

A company wants to implement least privilege access for its data lake on S3. Which THREE practices should be followed? (Choose THREE.)

Select 3 answers
A.Grant s3:* to all users for simplicity
B.Use S3 bucket policies for cross-account access
C.Use S3 access points to enforce network policies
D.Disable S3 Block Public Access to allow flexibility
E.Use IAM policies to grant specific permissions to users and roles
AnswersB, C, E

Bucket policies are appropriate for cross-account.

Why this answer

Options B, C, and E are correct: IAM policies scoped to specific actions and resources give each principal only what it needs, bucket policies are the right place for cross-account grants, and access points let you confine access to a VPC and carve out per-team policies. Option D is wrong because S3 Block Public Access should stay enabled at the account and bucket level; disabling it re-opens the risk that a permissive ACL or policy exposes the data lake.

Option A is wrong because granting s3:* to everyone is the opposite of least privilege.

147
MCQmedium

A data engineer needs to grant an IAM user read-only access to a specific prefix (folder) in an S3 bucket. The bucket contains sensitive data. Which S3 bucket policy statement achieves this?

A.{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:user/DataEng"},"Action":"s3:GetObject","Resource":"arn:aws:s3:::mybucket"}
B.{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:user/DataEng"},"Action":"s3:GetObject","Resource":"arn:aws:s3:::mybucket/sensitive/*"}
C.{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:user/DataEng"},"Action":"s3:GetObject","Resource":"arn:aws:s3:::mybucket/*","Condition":{"StringLike":{"s3:prefix":"sensitive/"}}}
D.{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:user/DataEng"},"Action":"s3:GetObject","Resource":"arn:aws:s3:::mybucket/*"}
AnswerB

Grants access only to objects under sensitive/ prefix.

Why this answer

Option B is correct because the Resource ARN arn:aws:s3:::mybucket/sensitive/* scopes s3:GetObject to objects under that prefix; every other key falls to implicit deny. Option A is wrong because s3:GetObject acts on object ARNs, and a Resource of the bare bucket ARN matches no object, so it grants nothing. Option C is wrong because s3:prefix is a condition key for s3:ListBucket requests, not s3:GetObject; it is absent from a GetObject request context, the StringLike condition never matches, and the statement grants nothing at all.

Option D is wrong because mybucket/* grants access to every object in the bucket. If the user also needs to browse the prefix, add a separate s3:ListBucket statement on the bucket ARN with the s3:prefix condition.
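The policy questions above (133, 144, 145, 147 and 150) all turn on the same few evaluation rules: an explicit Deny always wins, a statement whose condition does not hold simply does not apply, and a condition key that is missing from the request (no encryption header, no s3:prefix on a GetObject) fails every operator except Null. The following is an added example, not code from this page or from AWS: a small Python simulator of those rules, run against policies constructed for each question. The bucket name, object keys and request contexts are assumptions chosen for illustration; principal matching is deliberately skipped.

```python
"""Minimal simulator of IAM/S3 policy evaluation for the questions above.
Added example, not an AWS library: the rules (explicit Deny wins, no matching
Allow is an implicit deny, '*' wildcards in Action/Resource, a missing
condition key fails every operator except Null) follow the IAM documentation.
Bucket name, keys and request contexts are constructed for illustration."""
import fnmatch
import ipaddress

BUCKET = "arn:aws:s3:::my-bucket"  # assumed bucket name, not a real one


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, key, expected, ctx):
    """Evaluate one condition entry against the request context."""
    present = key in ctx
    if operator == "Null":  # Null:"true" holds when the key is absent
        return str(expected).lower() == ("false" if present else "true")
    if not present:         # every other operator fails on a missing key
        return False
    actual, expected = ctx[key], _as_list(expected)
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringNotEquals":
        return actual not in expected
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(actual, e) for e in expected)
    if operator == "Bool":
        return str(actual).lower() == str(expected[0]).lower()
    if operator == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(e) for e in expected)
    raise ValueError(f"unsupported operator {operator}")


def _statement_matches(stmt, action, resource, ctx):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_holds(op, k, v, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for k, v in pairs.items())


def evaluate(policy, action, resource, ctx=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'. Principal matching
    is skipped: every statement is assumed to target the calling principal."""
    ctx = ctx or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit Deny wins regardless of statement order
            decision = "Allow"
    return decision


SSE_HDR = "s3:x-amz-server-side-encryption"
# Q133: require SSE-KMS. Two Deny statements are needed because StringNotEquals
# does not match when the header is missing; the Null check catches that case.
REQUIRE_SSE_KMS = {"Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"{BUCKET}/*"},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": f"{BUCKET}/*",
     "Condition": {"StringNotEquals": {SSE_HDR: "aws:kms"}}},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": f"{BUCKET}/*",
     "Condition": {"Null": {SSE_HDR: "true"}}}]}
# Q144: Allow reads only from a corporate address range.
ALLOW_FROM_CORP = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{BUCKET}/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}}]}
# Q145/Q150: HTTPS only, with an explicit Deny so cleartext is never allowed.
HTTPS_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{BUCKET}/*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    {"Effect": "Deny", "Action": "s3:*", "Resource": [BUCKET, f"{BUCKET}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
# Q147: prefix scoping belongs in the Resource ARN; s3:prefix is a ListBucket
# key that is absent from a GetObject request, so that condition never matches.
PREFIX_BY_ARN = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{BUCKET}/sensitive/*"}]}
PREFIX_BY_CONDITION = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{BUCKET}/*",
     "Condition": {"StringLike": {"s3:prefix": "sensitive/"}}}]}


def demo():
    """Evaluate constructed requests against each policy; returns {case: decision}."""
    obj, other = f"{BUCKET}/sensitive/report.csv", f"{BUCKET}/public/readme.txt"
    return {
        "put_no_header": evaluate(REQUIRE_SSE_KMS, "s3:PutObject", obj),  # aws s3 cp without --sse
        "put_sse_s3": evaluate(REQUIRE_SSE_KMS, "s3:PutObject", obj, {SSE_HDR: "AES256"}),
        "put_sse_kms": evaluate(REQUIRE_SSE_KMS, "s3:PutObject", obj, {SSE_HDR: "aws:kms"}),
        "get_corp_ip": evaluate(ALLOW_FROM_CORP, "s3:GetObject", obj, {"aws:SourceIp": "10.20.30.40"}),
        "get_other_ip": evaluate(ALLOW_FROM_CORP, "s3:GetObject", obj, {"aws:SourceIp": "203.0.113.5"}),
        "get_https": evaluate(HTTPS_ONLY, "s3:GetObject", obj, {"aws:SecureTransport": "true"}),
        "get_http": evaluate(HTTPS_ONLY, "s3:GetObject", obj, {"aws:SecureTransport": "false"}),
        "prefix_in_arn": evaluate(PREFIX_BY_ARN, "s3:GetObject", obj),
        "prefix_in_arn_other": evaluate(PREFIX_BY_ARN, "s3:GetObject", other),
        "prefix_by_condition": evaluate(PREFIX_BY_CONDITION, "s3:GetObject", obj),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:22} {decision}")
```

Running the script shows the upload without a header denied by the Null statement alone, the SSE-S3 upload denied by the StringNotEquals statement, the s3:prefix variant of the prefix policy granting nothing, and the cleartext request hitting an explicit Deny rather than merely missing the Allow. The simulator ignores principals, NotAction/NotResource and the other condition operators, so it is a teaching aid for these cases, not a substitute for the IAM policy simulator.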

148
Multi-Selecthard

A data engineer is troubleshooting an Amazon Redshift cluster that is unable to access an S3 bucket for COPY operations. The cluster has an IAM role attached. Which of the following could be causing the failure? (Choose TWO.)

Select 2 answers
A.The VPC security group does not allow outbound HTTPS traffic
B.The S3 bucket policy denies access to the IAM role
C.The S3 bucket has default encryption enabled
D.The IAM role does not have the s3:GetObject permission
E.The KMS key used for encryption is not shared with Redshift
AnswersB, D

The bucket policy can override the IAM role permissions.

Why this answer

Options B and D are correct. The attached role's identity policy must allow s3:GetObject (and s3:ListBucket when COPY reads a prefix), and the bucket policy must not carry an explicit Deny for the role, since a Deny there overrides any IAM Allow. Option A is wrong because, unless Enhanced VPC Routing is enabled on the cluster, COPY traffic to S3 does not traverse the cluster's VPC or its security group at all; with Enhanced VPC Routing turned on, a blocked egress path would become a plausible cause.

Option C is wrong because default encryption (SSE-S3) is transparent to COPY. Option E is wrong because KMS permissions only matter when the objects are SSE-KMS encrypted, which the question does not state.

149
MCQmedium

A company is using AWS Lake Formation to manage access to data in a data lake stored in Amazon S3. A data engineer notices that users with SELECT permissions on a table can still query the underlying S3 data directly using Athena. What is the most likely cause?

A.The S3 bucket policy allows full access to all principals
B.The users are using a version of Athena that does not support Lake Formation
C.The S3 bucket does not have server-side encryption enabled
D.Lake Formation does not support integration with Athena
AnswerB

Older Athena versions do not enforce Lake Formation permissions.

Why this answer

Option B is the exam's expected answer: Lake Formation column- and row-level permissions are enforced by Athena's query engine, and a workgroup pinned to an engine version without that enforcement lets the query run against the registered S3 location as ordinary data. Option A is nevertheless the practitioner's first check: Lake Formation can only govern access that IAM and bucket policies do not already grant directly, so users who hold s3:GetObject on the data location can always read it regardless of table permissions; the fix is to remove direct S3 grants and register the location with Lake Formation. Option C is wrong because encryption at rest has no bearing on who may query.

Option D is wrong because Lake Formation integrates with Athena.

150
MCQeasy

A company is using Amazon S3 to store log files. The security team requires that all data be encrypted in transit. Which of the following ensures encryption in transit for S3?

A.Use HTTPS (SSL/TLS) when accessing S3 endpoints.
B.Use Amazon S3 Transfer Acceleration.
C.Enable client-side encryption before uploading to S3.
D.Use server-side encryption with S3 managed keys (SSE-S3).
AnswerA

HTTPS encrypts data in transit between client and S3.

Why this answer

Option A is correct: encryption in transit for S3 means using the HTTPS (TLS) endpoints, and a bucket policy that denies requests with aws:SecureTransport set to false makes it mandatory rather than a client default. Option D is wrong because SSE-S3 is at-rest encryption.

Option C is wrong because client-side encryption protects the object contents independently of the channel but is not transport encryption; the request itself must still go over HTTPS. Option B is wrong because Transfer Acceleration optimises the path to S3 but adds no encryption of its own. VPC endpoints likewise provide private connectivity, not encryption, so HTTPS is still required.
