CCNA Data Security Governance Questions

75 of 333 questions · Page 4/5 · Data Security Governance topic · Answers revealed

226
Multi-Selectmedium

A data engineer is designing a data pipeline that processes PII data in AWS Glue. They need to ensure data is encrypted at rest and in transit. Which TWO actions should they take? (Choose TWO.)

Select 2 answers
A.Disable SSL for Glue connections
B.Configure S3 bucket server-side encryption for job output
C.Use a KMS key for Glue job bookmarks
D.Use CloudWatch Logs for encryption
E.Enable encryption at rest for the AWS Glue Data Catalog
AnswersB, E

Encrypts data stored in S3.

Why this answer

Options A and D are correct. Enabling encryption at rest for Glue data catalog and using S3 server-side encryption for job output ensures encryption at rest. Option B is wrong because Glue connections can use SSL.

Option C is wrong because CloudWatch logs are not for encryption. Option E is wrong because KMS keys for Glue jobs encrypt job bookmarks, not all data.

227
MCQeasy

A company needs to enforce that all objects uploaded to an S3 bucket are encrypted at rest. Which bucket setting should be used?

A.Default encryption
B.S3 Object Lock
C.Bucket policy requiring s3:x-amz-server-side-encryption header
D.S3 Block Public Access
AnswerA

Default encryption automatically encrypts objects at rest.

Why this answer

Option C is correct because enabling default encryption on the S3 bucket ensures all objects are encrypted at rest. Option A is wrong because S3 Block Public Access controls public access, not encryption. Option B is wrong because bucket policies can enforce encryption but default encryption is simpler.

Option D is wrong because S3 Object Lock is for retention, not encryption.

228
MCQmedium

A data engineer needs to ensure that an Amazon S3 bucket used for sensitive data is encrypted at rest using a customer-managed AWS KMS key. The bucket policy must enforce encryption for all PUT requests. Which policy statement should be added to the bucket policy?

A.{"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"Null":{"s3:x-amz-server-side-encryption":"true"}}}
B.{"Effect":"Allow","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"StringEquals":{"s3:x-amz-server-side-encryption-aws-kms-key-id":"arn:aws:kms:us-east-1:123456789012:key/abc123"}}}
C.{"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption":"aws:kms"},"Null":{"s3:x-amz-server-side-encryption-aws-kms-key-id":"true"}}}
D.{"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption-aws-kms-key-id":"arn:aws:kms:us-east-1:123456789012:key/abc123"}}}
AnswerC

This denies if encryption is not aws:kms or if the key ID is not provided, enforcing the required encryption.

Why this answer

Option C is correct because it uses a Deny effect with a condition that blocks PUT requests unless the encryption header specifies 'aws:kms' (SSE-KMS) AND the KMS key ID matches the required customer-managed key. The combination of StringNotEquals on the encryption type and Null on the key ID ensures that any request not using the specified KMS key is denied, enforcing both encryption at rest and the use of the customer-managed key.

Exam trap

The trap here is that candidates often choose a simple Deny on a missing encryption header (Option A) without realizing that it does not enforce the use of a specific KMS key, or they mistakenly use an Allow effect (Option B) which cannot block non-compliant requests due to the default Allow behavior of S3 bucket policies.

How to eliminate wrong answers

Option A is wrong because it denies requests only when the 's3:x-amz-server-side-encryption' header is null, which would allow requests with any encryption header (including AES256 or a different KMS key) to succeed, failing to enforce the specific customer-managed KMS key. Option B is wrong because it uses an Allow effect, which cannot override an explicit Deny and does not enforce encryption; it merely allows requests that match the condition but does not block non-compliant requests. Option D is wrong because it denies requests only when the KMS key ID does not match, but it does not require the encryption header to be present at all, allowing unencrypted PUT requests to bypass the policy.

229
MCQhard

Refer to the exhibit. A data engineer runs the command above. The DataAdminRole is used by an application to decrypt data. The security team wants to ensure that a SecurityAdminRole can revoke the grant. What must be done to allow the SecurityAdminRole to retire the grant?

A.Set the RetiringPrincipal to the root user
B.Add a grant with Revoke operation for the SecurityAdminRole
C.No action needed; the SecurityAdminRole can retire the grant
D.Create a new grant with SecurityAdminRole as GranteePrincipal
AnswerC

The RetiringPrincipal is already set.

Why this answer

Option A is correct because the RetiringPrincipal field specifies which principal can retire the grant. It is already set to SecurityAdminRole. Option B is wrong because revoke is different from retire.

Option C is wrong because the grant already exists. Option D is wrong because the retiring principal is already set.

230
MCQhard

Refer to the exhibit. A data engineer runs the above command and sees that the DataLakeAdmin role has the AmazonS3FullAccess and AWSLakeFormationDataAdmin policies attached. The engineer wants to ensure that the role can only access S3 data through Lake Formation. What should the engineer do?

A.Create a new IAM policy that explicitly denies s3:GetObject and attach it to the role
B.Detach the AWSLakeFormationDataAdmin policy from the role
C.Detach the AmazonS3FullAccess policy from the role
D.Modify the S3 bucket policy to deny all access except from Lake Formation
AnswerC

This removes direct S3 access, forcing the role to use Lake Formation for data access.

Why this answer

To enforce that access is only through Lake Formation, the engineer should detach the AmazonS3FullAccess policy because it allows direct S3 access, bypassing Lake Formation. The LakeFormationAdmin policy is needed for Lake Formation administration. Changing the S3 bucket policy to deny all access except from Lake Formation is not straightforward because Lake Formation uses the principal's IAM role.

Creating a new policy that denies S3 access would be redundant if the full access policy is removed.

231
MCQmedium

A company uses AWS Glue to catalog data in Amazon S3. The security team requires that all sensitive data be identified and encrypted at rest using customer-managed KMS keys. Which combination of steps should a data engineer take to meet these requirements?

A.Enable S3 Access Logs and use Athena to query the logs for sensitive data patterns.
B.Use Amazon Macie to scan the S3 bucket and automatically apply S3 default encryption.
C.Enable S3 default encryption for the bucket and use IAM policies to restrict access.
D.Configure AWS Glue to use Detect Sensitive Data and write encrypted output to S3 with SSE-KMS.
AnswerD

Glue's Detect Sensitive Data identifies sensitive columns, and the ETL job can encrypt output using customer-managed KMS keys.

Why this answer

Option B is correct because using AWS Glue FindMatches ML transforms or custom classifiers with Detect Sensitive Data can identify sensitive data, and then the Glue ETL job can write to S3 with SSE-KMS. Option A is wrong because S3 default encryption does not guarantee customer-managed KMS keys. Option C is wrong because Macie is not integrated directly with Glue cataloging.

Option D is wrong because S3 Access Logs do not help with identification or encryption.

232
Multi-Selecthard

A data engineer is configuring a VPC for an Amazon Redshift cluster. The cluster must be accessible only from a specific on-premises network via a Direct Connect connection. Which TWO actions should the engineer take to meet this requirement? (Choose TWO.)

Select 2 answers
A.Enable Redshift Enhanced VPC Routing.
B.Configure a security group to allow inbound traffic from the on-premises CIDR block.
C.Configure a network ACL to allow inbound traffic from the on-premises CIDR block.
D.Create a VPC endpoint for Redshift.
E.Make the Redshift cluster publicly accessible.
AnswersB, C

Security groups act as a firewall to control inbound traffic.

Why this answer

To restrict access to Redshift, you use a security group to allow inbound traffic from the on-premises CIDR, and optionally use a network ACL for subnet-level security. Option A is incorrect because Redshift does not support VPC endpoints. Option D is incorrect because Redshift Enhanced VPC Routing is for routing traffic, not for access control.

Option E is incorrect because public endpoints are not secure. Correct: B and C.

233
MCQmedium

A data engineer needs to ensure that an S3 bucket containing sensitive customer data is encrypted at rest. The company requires that all encryption keys be managed by AWS and rotated annually. Which encryption option meets these requirements?

A.Use server-side encryption with AWS KMS (SSE-KMS)
B.Use client-side encryption with AWS KMS
C.Use server-side encryption with customer-provided keys (SSE-C)
D.Use server-side encryption with S3-managed keys (SSE-S3)
AnswerD

SSE-S3 uses AWS-managed keys that are rotated automatically.

Why this answer

SSE-S3 uses AWS-managed keys and handles key rotation automatically. SSE-KMS also uses AWS-managed keys but gives more control; however, the requirement does not specify customer-managed keys. SSE-C requires the customer to manage keys, which does not meet the requirement of AWS-managed keys.

Option D is not a valid encryption type.

234
MCQmedium

A company needs to tag all resources created in a specific AWS account to enforce data governance policies. Which AWS service can automatically enforce tagging rules?

A.AWS Organizations SCPs
B.AWS Service Catalog
C.AWS Resource Access Manager
D.AWS Systems Manager
AnswerA

SCPs can enforce tagging policies.

Why this answer

Option B is correct. AWS Organizations service control policies (SCPs) can enforce tagging across accounts. Option A is wrong because Resource Access Manager is for sharing resources.

Option C is wrong because Systems Manager is for management. Option D is wrong because Service Catalog is for IT services.

235
MCQmedium

A company uses AWS Lake Formation to manage permissions on a data lake stored in S3. A data engineer notices that a new IAM user can query data via Athena but cannot see the tables in the Lake Formation console. What is the most likely cause?

A.The user has not been granted DESCRIBE or SELECT permissions on the tables in Lake Formation
B.The Athena workgroup is not encrypted
C.The Glue Data Catalog is not enabled for the account
D.The IAM user lacks s3:GetObject permissions
AnswerA

Lake Formation controls metadata access.

Why this answer

Lake Formation permissions are separate from IAM permissions. Even if IAM allows Athena, Lake Formation must grant the user permissions on the tables. Option A is wrong because IAM policies are not sufficient for Lake Formation.

Option B is irrelevant. Option D is wrong because the Glue Data Catalog may be accessible but Lake Formation can restrict visibility. Option C is correct.

236
MCQeasy

Refer to the exhibit. A security analyst is reviewing CloudTrail logs and notices a PutObject event to the 'company-data-lake' bucket. The bucket policy requires all objects to be encrypted with SSE-KMS. What should the analyst conclude?

A.The object was uploaded by the bucket owner, bypassing the policy.
B.The request succeeded because SSE-S3 is acceptable.
C.The object was encrypted with SSE-KMS as required.
D.The object was encrypted with SSE-S3, which violates the bucket policy.
AnswerD

AES256 indicates SSE-S3, not KMS.

Why this answer

The bucket policy requires all objects to be encrypted with SSE-KMS. The CloudTrail log shows a PutObject event, but the encryption context (not shown in the exhibit) would indicate the encryption method used. Since the correct answer states the object was encrypted with SSE-S3, this violates the bucket policy, which mandates SSE-KMS.

Therefore, the analyst should conclude that the request succeeded but violated the policy, as SSE-S3 does not meet the requirement.

Exam trap

AWS often tests the nuance that a bucket policy requiring SSE-KMS does not automatically deny requests using SSE-S3; the policy must include an explicit Deny effect for non-compliant encryption to block the upload, so candidates may mistakenly think a requirement alone prevents the action.

How to eliminate wrong answers

Option A is wrong because the bucket owner does not bypass bucket policies; all principals, including the owner, are subject to the policy unless explicitly exempted (which is not indicated). Option B is wrong because the bucket policy explicitly requires SSE-KMS, so SSE-S3 is not acceptable; the request would succeed only if the policy allowed it, but it does not. Option C is wrong because if the object were encrypted with SSE-KMS as required, there would be no violation, but the correct answer indicates a violation occurred, meaning SSE-KMS was not used.

237
MCQeasy

A company is using Amazon S3 to store log files. The security team wants to ensure that any object uploaded to the S3 bucket is automatically scanned for malware before being processed by downstream applications. The data engineer needs to implement a solution that integrates with AWS services and minimizes latency. The bucket receives thousands of objects per day. Which solution should the data engineer use?

A.Deploy an EC2 instance with antivirus software that triggers on S3 events.
B.Enable Amazon GuardDuty with malware protection for S3.
C.Use AWS WAF to inspect objects as they are uploaded.
D.Enable Amazon Macie on the S3 bucket to detect malware.
AnswerB

GuardDuty malware protection scans S3 objects.

Why this answer

Option B is correct because Amazon GuardDuty has a malware protection feature that can scan S3 objects for malware upon upload. It integrates with S3 events and minimizes latency. Option A is incorrect because Amazon Macie is for sensitive data discovery, not malware.

Option C is incorrect because AWS WAF is for web application firewall, not S3 scanning. Option D is incorrect because running a custom scanning solution on EC2 adds operational overhead and latency.

238
MCQmedium

A data engineer receives the error shown in the exhibit when trying to upload a file to my-bucket. The engineer uses the AWS CLI with the following command: aws s3 cp file.txt s3://my-bucket/. What is the most likely cause of the error?

A.The KMS key specified in the command is incorrect
B.The VPC endpoint policy is blocking the request
C.The object is not encrypted with SSE-KMS
D.The bucket does not have a default encryption configuration
AnswerC

The policy requires SSE-KMS encryption header.

Why this answer

Option B is correct because the bucket policy denies PutObject if the encryption header is not set to aws:kms (SSE-KMS). The CLI command does not specify encryption, so the condition StringNotEquals matches and denies the request. Option A is wrong because the bucket policy explicitly denies non-KMS encrypted uploads.

Option C is wrong because the error is not a network issue. Option D is wrong because the policy does not require KMS key ID, just the header value.

239
MCQmedium

A company uses Amazon S3 to store log files. The security team notices that some objects are being accessed from an unexpected AWS account. The data engineer needs to identify which specific IAM user or role is accessing the objects. Which AWS service should be used to get this information?

A.AWS Trusted Advisor
B.Amazon S3 server access logs
C.AWS CloudTrail
D.AWS Config
AnswerC

CloudTrail logs API calls and can be used to trace S3 access to specific IAM users or roles.

Why this answer

AWS CloudTrail records API calls including S3 object-level operations. It logs who made the call, from which account, and other details. S3 server access logs provide similar info but are log files themselves, not a queryable service.

Config is for resource configuration tracking. Trusted Advisor gives best practice checks.

240
MCQeasy

A data engineer needs to restrict access to an Amazon S3 bucket so that only objects encrypted with a specific AWS KMS key can be uploaded. Which S3 bucket policy condition should be used?

A.s3:x-amz-server-side-encryption-aws-kms-key-id
B.kms:ViaService
C.s3:x-amz-server-side-encryption
D.kms:EncryptionContext
AnswerA

This condition key allows you to specify a required KMS key ID for server-side encryption.

Why this answer

The kms:EncryptionContext condition key is used to enforce encryption context, not the key itself. The s3:x-amz-server-side-encryption-aws-kms-key-id condition key is used to require a specific KMS key ID for server-side encryption. Option C is correct.

241
MCQhard

Refer to the exhibit. A data engineer runs the AWS CLI command shown to encrypt a file using AWS KMS. The command succeeds. Later, the engineer tries to decrypt the file using the same key but without providing an encryption context. The decryption fails. What is the most likely reason?

A.The KMS key policy does not allow decryption.
B.The KMS key has been disabled.
C.The plaintext file was corrupted.
D.The encryption context must be provided during decryption.
AnswerD

KMS uses encryption context as AAD; it must match exactly.

Why this answer

Option C is correct because KMS encryption context is used as additional authenticated data (AAD) and must be provided for decryption. Option A is wrong because the key is not disabled. Option B is wrong because key policy does not affect decryption with the same key.

Option D is wrong because the command did not fail.

242
Multi-Selecteasy

A company wants to ensure that an IAM user can only launch Amazon EC2 instances of a specific instance type. Which THREE IAM policy elements are required to define this permission? (Choose THREE.)

Select 3 answers
A.Action
B.Principal
C.Effect
D.Resource
E.Condition
AnswersA, C, E

Action specifies ec2:RunInstances.

Why this answer

To restrict to specific instance types, you need Effect (Allow), Action (ec2:RunInstances), and Condition (to specify instance type). Resource could be used but is not strictly required if you use Condition. Option A is needed to allow.

Option C is needed for the action. Option D is needed to restrict. Option B is not required; you can use Condition to specify instance type instead of Resource.

Option E is optional. Correct: A, C, D.

243
MCQhard

A data engineer is designing a system to handle sensitive customer data in Amazon RDS for PostgreSQL. The compliance team requires that the data be encrypted at rest and that encryption keys be rotated every 90 days. Which solution meets these requirements?

A.Use AWS CloudHSM to store the encryption key and create a custom key rotation Lambda function
B.Enable RDS encryption with a customer managed KMS key, enable automatic key rotation, and manually rotate the key every 90 days
C.Enable Transparent Data Encryption (TDE) on the RDS instance
D.Enable RDS encryption with a customer managed KMS key and enable automatic key rotation
AnswerB

Manual rotation every 90 days satisfies the requirement.

Why this answer

Option D is correct because enabling RDS encryption with KMS and using automatic key rotation (annually) and manual rotation every 90 days meets the requirement. Option A is wrong because RDS does not support Transparent Data Encryption. Option B is wrong because CloudHSM is not integrated with RDS.

Option C is wrong because KMS automatic rotation is yearly, not 90 days.

244
MCQhard

A company uses AWS Lake Formation to manage permissions on a data lake. A data engineer creates a table in the Data Catalog and grants SELECT permission to a group of analysts. The analysts report they can see the table but get an AccessDenied error when querying it with Amazon Athena. What is the most likely cause?

A.The analysts' IAM role does not have permission to call the Athena API.
B.The table is not registered with Lake Formation as a resource.
C.The Athena workgroup is configured with a per-query result location that the analysts cannot write to.
D.The S3 bucket policy does not allow the analysts' IAM role.
AnswerA

Lake Formation grants database permissions, but IAM must allow Athena actions.

Why this answer

Option C is correct because Lake Formation integrates with Athena for fine-grained access control. The analysts need both Lake Formation permissions and IAM permissions to use Athena. Option A is wrong because S3 bucket policy is not the issue if Lake Formation is managing permissions.

Option B is wrong because Workgroup settings are not likely the cause. Option D is wrong because the table is registered with Lake Formation.

245
MCQmedium

Refer to the exhibit. A data engineer applies this S3 bucket policy to an S3 bucket. What is the effect of this policy?

A.Allows access only from specific IP addresses.
B.Allows only HTTPS requests to get and put objects, and denies HTTP requests.
C.Allows only GetObject actions over HTTPS.
D.Allows anonymous access to get and put objects over HTTP.
AnswerB

The condition enforces secure transport.

Why this answer

Option A is correct because the policy allows GetObject and PutObject only when the request uses HTTPS (secure transport), and explicitly denies all S3 actions when the request uses HTTP. Option B is wrong because the policy does not allow anonymous access; it allows only secure transport. Option C is wrong because the policy allows both Get and Put.

Option D is wrong because the policy allows access from any IP as long as transport is secure.

246
MCQeasy

A company needs to centralize audit logs from multiple AWS accounts into a single S3 bucket. Which service should be used to aggregate these logs?

A.AWS Config
B.Amazon Kinesis Data Firehose
C.AWS CloudTrail
D.Amazon CloudWatch Logs
AnswerC

CloudTrail supports multi-account trail that aggregates logs into a single S3 bucket.

Why this answer

AWS CloudTrail can be configured to deliver logs from multiple accounts to a single S3 bucket using a trail in the management account. Option B is correct.

247
MCQeasy

A data engineer needs to ensure that data in transit between an Amazon RDS for PostgreSQL database and an application is encrypted. Which configuration should be used?

A.Use VPC peering to connect the application to the database
B.Enable SSL/TLS for the database connection
C.Enable encryption at rest for the RDS instance
D.Use IAM database authentication
AnswerB

SSL/TLS encrypts data in transit.

Why this answer

Option A is correct because SSL/TLS encryption secures data in transit between the application and the RDS database. Option B (storage encryption at rest) does not protect data in transit. Option C (VPC peering) is a network connectivity option, not encryption.

Option D (IAM database authentication) is for access control, not encryption in transit.

248
MCQmedium

A company wants to enable automatic encryption for all new objects written to an S3 bucket. The bucket has existing objects that are unencrypted. Which solution meets these requirements with the least operational overhead?

A.Configure a lifecycle policy to transition objects to a new bucket with encryption
B.Enable default encryption on the bucket using SSE-S3
C.Use S3 server-side encryption with S3 managed keys (SSE-S3) and apply a bucket policy that denies writes without encryption
D.Use S3 Batch Operations to copy existing objects with SSE-S3
AnswerB

Default encryption encrypts all new objects automatically.

Why this answer

Option C is correct because bucket default encryption automatically encrypts new objects. Option A is wrong because it only encrypts objects during upload, not after. Option B is wrong because S3 Batch Operations is more complex.

Option D is wrong because it's not automatic.

249
MCQeasy

A company wants to ensure that only encrypted connections are used when data is transferred to S3. Which policy condition should be used in an S3 bucket policy?

A.Condition: { Null: { s3:x-amz-server-side-encryption: true } }
B.Condition: { StringEquals: { s3:signatureversion: ["AWS4-HMAC-SHA256"] } }
C.Condition: { StringNotEquals: { aws:SourceIp: ["0.0.0.0/0"] } }
D.Condition: { Bool: { aws:SecureTransport: false } }
AnswerD

Denying requests where SecureTransport is false enforces HTTPS.

Why this answer

Option B is correct because aws:SecureTransport checks if the request is sent over SSL/TLS. Option A is wrong because aws:SourceIp checks IP address. Option C is wrong because s3:x-amz-server-side-encryption checks encryption at rest.

Option D is wrong because s3:signatureversion checks the signature version, not encryption in transit.

250
MCQmedium

Refer to the exhibit. The S3 bucket policy above is applied to the bucket "example-bucket". An IAM user attempts to upload an object to the bucket without specifying any encryption header. What is the outcome?

A.The upload succeeds but the object is not encrypted
B.The upload fails because GetObject requires encryption
C.The object is uploaded successfully with SSE-S3 encryption by default
D.The upload fails with an Access Denied error
AnswerD

The Deny statement blocks the upload.

Why this answer

Option B is correct because the Deny statement denies PutObject if the encryption header is not AES256. Since the user did not specify encryption, the condition StringNotEquals evaluates to true, and the request is denied. Option A is wrong because the Deny overrides the Allow.

Option C is wrong because the Deny is specific. Option D is wrong because the bucket policy does not require encryption for GetObject.

251
Multi-Selectmedium

A company needs to securely store and manage database credentials used by a data pipeline. Which AWS services can be used to store and rotate secrets automatically? (Choose TWO.)

Select 2 answers
A.AWS Systems Manager Parameter Store
B.AWS IAM
C.AWS Key Management Service (AWS KMS)
D.AWS CloudHSM
E.AWS Secrets Manager
AnswersA, E

Parameter Store can store secrets, but rotation requires custom setup.

Why this answer

Options A and B are correct. AWS Secrets Manager can rotate secrets automatically. AWS Systems Manager Parameter Store can store secrets securely, but automatic rotation requires custom logic or integration.

Option C is wrong because IAM stores certificates, not secrets. Option D is wrong because KMS is for encryption keys, not secrets. Option E is wrong because CloudHSM is for hardware security modules.

252
MCQmedium

A company uses Amazon EMR to process large datasets stored in Amazon S3. The data is encrypted at rest using SSE-S3. The security team now requires that all data at rest be encrypted with customer-managed KMS keys (SSE-KMS). The data engineer needs to migrate existing data to use SSE-KMS without downtime. The engineer plans to use S3 Batch Operations to copy objects in place. However, the Batch Operations job fails with a KMS access denied error. The engineer has confirmed that the Batch Operations service role has the necessary KMS permissions. What is the most likely cause?

A.The KMS key policy does not allow the S3 service to use the key.
B.The Batch Operations job is using the wrong IAM role.
C.The source objects are encrypted with SSE-S3, which cannot be copied to SSE-KMS.
D.The Batch Operations service role is missing the kms:GenerateDataKey permission for the destination KMS key.
AnswerD

Batch Operations needs to generate a new data key for the destination.

Why this answer

Option D is correct because Batch Operations uses a service role that must have kms:Decrypt permission for the source objects and kms:GenerateDataKey for the destination. The source objects are encrypted with SSE-S3, which does not use KMS, so the service role does not need kms:Decrypt for source. However, the error indicates KMS access denied, likely because the service role does not have kms:GenerateDataKey for the destination KMS key.

Option A is wrong because the service role is used. Option B is wrong because the source objects are SSE-S3. Option C is wrong because KMS key policy is for the destination key.

253
MCQmedium

The IAM policy shown in the exhibit is attached to a user. The user tries to upload an object to my-bucket using the AWS CLI without specifying encryption. What will happen?

A.The upload will succeed because the bucket has default encryption
B.The upload will succeed but the object will not be encrypted
C.The upload will fail because a KMS key is required
D.The upload will fail with an access denied error
AnswerD

The condition requires the encryption header to be present.

Why this answer

Option C is correct because the policy allows s3:PutObject only if the request includes the header x-amz-server-side-encryption: AES256. Without that header, the condition is not met and the request is denied. Option A is wrong because the condition is not optional.

Option B is wrong because default encryption applies to objects uploaded without encryption headers, but the policy explicitly requires the header. Option D is wrong because the policy does not require a specific KMS key.

254
MCQeasy

A data engineer needs to ensure that data stored in Amazon S3 is automatically deleted after 30 days. Which S3 feature should be used?

A.S3 Lifecycle policy
B.S3 MFA Delete
C.S3 Versioning
D.S3 Object Lock
AnswerA

Lifecycle policies can expire objects after 30 days.

Why this answer

Option C is correct because S3 Lifecycle policies can automatically transition objects to different storage classes or expire them after a specified time. Option A (versioning) keeps multiple versions of objects. Option B (object lock) prevents deletion.

Option D (MFA delete) requires multi-factor authentication for deletion.

255
Multi-Selectmedium

A data engineer is designing a data lake on S3 with fine-grained access control using AWS Lake Formation. Which THREE permissions can be managed by Lake Formation?

Select 3 answers
A.SELECT on a table
B.INSERT on a table
C.DESCRIBE on a table
D.ALTER TABLE on a table
E.DELETE on a table
AnswersA, B, C

Lake Formation grants SELECT permission.

Why this answer

Options A, B, and D are correct. Lake Formation manages SELECT, INSERT, and DESCRIBE permissions. Option C is wrong because DELETE is not supported for S3 data lakes? Actually Lake Formation supports DELETE on tables? For data lakes, DELETE is not typically managed.

Option E is wrong because ALTER TABLE is not managed by Lake Formation.

256
MCQhard

A company stores PII in an S3 bucket. The security team wants to use Amazon Macie to discover sensitive data. After enabling Macie, they notice that no sensitive data findings are generated. The S3 bucket is in the same account. What is the most likely reason?

A.The bucket policy blocks access from Macie's service principal.
B.Macie is not configured with cross-account access to the bucket.
C.The S3 bucket is in a different AWS Region than the Macie session.
D.The S3 objects have private ACLs that prevent Macie from reading them.
AnswerC

Macie only analyzes data in the same Region.

Why this answer

Option D is correct because Macie requires the bucket to be in the same AWS Region as the Macie session. Option A is incorrect because Macie can access buckets in the same account without cross-account roles. Option B is incorrect because Macie uses service-linked roles, not object ACLs.

Option C is incorrect because Macie does not require public access; it reads objects via IAM.

257
MCQeasy

A company uses S3 to store sensitive customer data. To prevent accidental public access, a data engineer needs to ensure that all S3 buckets block public access at the account level. Which AWS service should be used to enforce this policy?

A.Enable S3 Block Public Access at the account level in the management account
B.Create an IAM policy that denies s3:PutBucketPolicy
C.Use an SCP in AWS Organizations to deny s3:PutBucketPublicAccessBlock
D.Set up AWS Config rules to automatically remediate public buckets
AnswerC

SCPs can enforce that no account can disable block public access, covering all accounts.

Why this answer

AWS Organizations with SCPs can centrally control permissions across all accounts, including blocking public access to S3 buckets. Option A is wrong because IAM policies are per-identity and not account-wide. Option B is wrong because S3 Block Public Access settings exist per bucket or account, but to enforce across all accounts, Organizations is needed.

Option D is wrong because AWS Config can detect non-compliance but not enforce. Option C is correct.

258
MCQhard

Refer to the exhibit. A data engineer attached this S3 bucket policy to the bucket 'example-bucket'. What is the effect of this policy?

A.It allows all PutObject requests that do not use encryption
B.It denies PutObject requests that do not use SSE-S3
C.It denies all PutObject requests unless they use SSE-KMS
D.It denies all PutObject requests from anonymous users
AnswerB

The condition denies if encryption is not AES256.

Why this answer

Option C is correct. The policy denies PutObject if the request does not use SSE-S3 (AES256). Option A is wrong because it does not enforce SSE-KMS.

Option B is wrong because it allows requests with SSE-S3. Option D is wrong because it does not deny all requests.

259
MCQhard

A healthcare company stores patient records in an S3 bucket encrypted with SSE-S3. The data engineering team uses AWS Glue ETL jobs to process this data and load it into an Amazon Redshift cluster for analytics. Recently, the security team mandated that all sensitive data must be encrypted at rest using customer-managed keys (CMK) in AWS KMS, and that the keys must be rotated automatically every year. The team updated the S3 bucket to use SSE-KMS with a CMK and enabled automatic key rotation. However, after the change, the Glue ETL jobs that read from the S3 bucket started failing with 'Access Denied' errors. The Glue job uses an IAM role named 'GlueETLRole' that has the following permissions: s3:GetObject on the bucket, kms:Decrypt and kms:GenerateDataKey on the CMK, and all necessary Glue permissions. The Redshift cluster is also encrypted with a different CMK, and the Glue role has kms:Decrypt on that key as well. What is the most likely cause of the failure?

A.The KMS key policy for the CMK used for S3 encryption does not grant 'GlueETLRole' permission to use the key.
B.The IAM role 'GlueETLRole' does not have kms:Decrypt permission on the CMK used for S3 encryption.
C.The Glue job requires kms:Encrypt permission to read encrypted data from S3.
D.The S3 VPC endpoint policy does not allow the Glue job to access the KMS key.
AnswerA

The key policy must allow the IAM role to use the key.

Why this answer

Option B is correct. When using SSE-KMS, the Glue job needs to call kms:Decrypt to decrypt the data, but the S3 GET request also requires kms:Decrypt permission. The role has kms:Decrypt, but the key policy of the CMK must also grant the role permission.

Option A is wrong because the role has the required KMS permissions. Option C is wrong because Glue does not need kms:Encrypt for reading. Option D is wrong because VPC endpoint policy may block but is less likely.

260
MCQmedium

A company needs to automate the detection of sensitive data in Amazon S3 and generate reports. Which AWS service should be used?

A.Amazon Macie
B.Amazon Inspector
C.Amazon GuardDuty
D.AWS Config
AnswerA

Macie discovers sensitive data in S3.

Why this answer

Option B is correct. Amazon Macie uses machine learning to discover and classify sensitive data. Option A is wrong because GuardDuty is for threat detection.

Option C is wrong because Inspector is for vulnerability management. Option D is wrong because Config is for resource compliance.

261
MCQmedium

Refer to the exhibit. A data engineer runs this AWS CLI command to execute an Athena query. What is the purpose of the EncryptionConfiguration parameter?

A.It encrypts the query string in transit
B.It encrypts the data in the source table
C.It enables client-side encryption for the query output
D.It encrypts the query results stored in Amazon S3 at rest
AnswerD

The parameter defines encryption for the result set in S3.

Why this answer

The EncryptionConfiguration parameter in Athena specifies how the query results stored in S3 are encrypted at rest. SSE_S3 means server-side encryption with S3-managed keys. It does not encrypt the query itself, data in transit, or the source data.

262
MCQhard

A company uses Amazon EMR to process data stored in S3 with server-side encryption using AWS KMS. The EMR cluster fails with a "403 Access Denied" error when reading data from S3. The IAM role for the EMR cluster has s3:GetObject and kms:Decrypt permissions. What is the most likely issue?

A.The EC2 instance profile does not have kms:Decrypt permission
B.The S3 bucket policy denies access to the EMR cluster's IAM role
C.The EMRFS consistent view is not enabled
D.The EMR cluster is using an incorrect KMS key ID
AnswerA

The instance profile must have KMS decrypt permission.

Why this answer

Option D is correct. EMR EC2 instance profile must have the necessary permissions. Often the instance profile is missing kms:Decrypt.

Option A is wrong because SSE-KMS requires kms:Decrypt. Option B is wrong because S3 bucket policy might allow. Option C is wrong because EMRFS consistent view is not related.

263
MCQhard

A company has an S3 bucket policy that allows access to a specific IAM role. However, an administrator notices that requests from that role are being denied. The bucket is encrypted with AES-256. What is the MOST likely reason for the denial?

A.The IAM role does not have s3:Decrypt permission on the bucket.
B.The bucket policy has an explicit deny statement that overrides the allow.
C.The bucket policy allows access, but the VPC endpoint policy denies the action.
D.The S3 Block Public Access settings are blocking the request.
AnswerC

A VPC endpoint policy can restrict actions even if the bucket policy allows them.

Why this answer

Option B is correct because even if the bucket policy allows access, if the bucket is not publicly accessible and the VPC endpoint policy does not allow the action, access will be denied. Option A is wrong because AES-256 encryption does not require additional permissions. Option C is wrong because an explicit deny in the bucket policy would override an allow.

Option D is wrong because S3 Block Public Access settings affect only public access, not IAM role access.

264
MCQeasy

A data engineer needs to encrypt data in transit between an Amazon RDS for MySQL instance and an application. Which solution should be used?

A.Enable encryption at rest using AWS KMS
B.Use SSL/TLS to connect to the RDS instance
C.Store the data in Amazon S3 with server-side encryption
D.Use AWS CloudHSM to generate and store encryption keys
AnswerB

SSL/TLS encrypts data in transit between client and database.

Why this answer

Option B is correct because SSL/TLS is used to encrypt data in transit between clients and RDS. Option A is wrong because KMS encrypts data at rest, not in transit. Option C is wrong because S3 is not involved in this scenario.

Option D is wrong because CloudHSM provides hardware security modules for key storage, not encryption in transit.

265
Multi-Selecthard

A financial services company needs to share sensitive customer data with a third-party analytics firm. The data resides in an S3 bucket encrypted with an AWS KMS customer managed key. The third party has their own AWS account. Which combination of steps is required to securely share the data? (Choose TWO.)

Select 2 answers
A.Share the KMS key material with the third party
B.Update the KMS key policy to include the third-party account as a principal with kms:Decrypt permission
C.Create an IAM role in the third-party account that can be assumed by the data owner
D.Grant the third-party account access to the KMS key management
E.Configure an S3 bucket policy that grants the third-party account access to the objects
AnswersB, E

The key policy must allow the third party to decrypt.

Why this answer

Options A and D are correct. Option A: The S3 bucket policy must grant cross-account access. Option D: The KMS key policy must grant decrypt permission to the third-party account.

Option B is wrong because the third party does not need access to the KMS key management. Option C is wrong because the third party should not have cross-account access to the S3 bucket without appropriate permissions. Option E is wrong because sharing the KMS key directly is not secure.

266
MCQeasy

A data engineer needs to ensure that all data in an S3 bucket is encrypted at rest. The bucket contains objects uploaded by various applications. What is the simplest method to enforce encryption for all new objects?

A.Enable S3 Block Public Access to block public access to the bucket.
B.Enable default encryption on the S3 bucket using S3-Managed Keys (SSE-S3).
C.Enable S3 Object Lock on the bucket.
D.Configure an S3 bucket policy that denies PutObject requests without the x-amz-server-side-encryption header.
AnswerD

A bucket policy can conditionally deny uploads that lack the required encryption header, enforcing encryption for all new objects.

Why this answer

Option B is correct because S3 Bucket Policies can enforce encryption by denying PutObject requests that do not include the x-amz-server-side-encryption header. Option A is wrong because default encryption applies only if the upload request does not specify encryption headers; it does not enforce encryption for requests that specify 'None'. Option C is wrong because enabling S3 Block Public Access does not enforce encryption.

Option D is wrong because S3 Object Lock prevents deletion but does not enforce encryption.

267
MCQhard

A company has an AWS Glue ETL job that reads from an RDS MySQL instance and writes to S3. The security team requires that the connection to RDS be encrypted and that credentials be rotated automatically. Which configuration should be used?

A.Store the database password in an encrypted parameter in Systems Manager Parameter Store and enable SSL for the connection.
B.Use IAM database authentication for RDS and store credentials in Glue connection properties.
C.Store the password in a text file in an encrypted S3 bucket and use SSL.
D.Store the password in AWS Secrets Manager with automatic rotation enabled and configure Glue to use SSL for the connection.
AnswerD

Secrets Manager supports rotation and Glue can use SSL.

Why this answer

Option C is correct because Secrets Manager provides automatic rotation of RDS credentials, and Glue can use the secret. Option A does not rotate credentials. Option B does not provide encryption for the connection.

Option D is not a service for storing credentials.

268
MCQhard

A company uses AWS KMS to encrypt data in Amazon S3 and RDS. They need to ensure that encryption keys are automatically rotated every year. Which KMS key type supports automatic annual rotation?

A.AWS owned keys
B.AWS managed keys (aws/xxx)
C.Customer managed keys
D.Custom key stores
AnswerB

AWS managed keys rotate automatically every year.

Why this answer

AWS managed keys (AWS-managed KMS keys) have automatic rotation enabled by default every year. Customer managed keys can also have automatic rotation enabled optionally. AWS owned keys are not visible to the customer and cannot be managed.

Custom key stores do not support automatic rotation. Option B is wrong because customer managed keys require explicit enabling of rotation. Option C is wrong because AWS owned keys are not customer-accessible.

Option D is wrong because custom key stores do not support automatic rotation.

269
MCQhard

A data engineer is troubleshooting an ETL job that reads from an S3 bucket encrypted with SSE-KMS. The job is failing with an error indicating that the IAM role does not have permission to decrypt the data. What is the most likely missing permission?

A.kms:GenerateDataKey
B.s3:ListBucket
C.kms:Decrypt
D.s3:GetObject
AnswerC

To read SSE-KMS encrypted objects, the role must have kms:Decrypt permission on the KMS key.

Why this answer

Option D is correct because the role needs kms:Decrypt to read data encrypted with KMS keys. Option A is wrong because s3:ListBucket allows listing, not reading. Option B is wrong because s3:GetObject allows reading but without decrypt permission, the encrypted object cannot be read.

Option C is wrong because kms:GenerateDataKey is for encryption, not decryption.

270
MCQeasy

A company wants to audit all changes to IAM policies in their AWS account. Which AWS service should be used to record these changes for compliance purposes?

A.Amazon CloudWatch Logs
B.AWS Config
C.AWS CloudTrail
D.Amazon S3
AnswerC

CloudTrail records API calls made in the account, including IAM policy changes.

Why this answer

AWS CloudTrail records API calls, including IAM policy changes. AWS Config records resource configurations but not all API calls. CloudWatch Logs can store logs but does not record API calls itself.

S3 is the destination for logs, not the recording service.

271
MCQeasy

A data engineer needs to audit all changes to IAM policies in an AWS account. Which AWS service should be used?

A.AWS CloudTrail
B.AWS Config
C.AWS Organizations
D.Amazon CloudWatch Logs
AnswerA

CloudTrail records all API activity for auditing.

Why this answer

Option D is correct because AWS CloudTrail records API calls, including IAM policy changes. Option A is wrong because AWS Config tracks resource configuration changes, not API calls. Option B is wrong because CloudWatch Logs is for log storage.

Option C is wrong because AWS Organizations manages multiple accounts.

272
MCQeasy

A data engineer needs to ensure that data in an S3 bucket is encrypted at rest. The bucket policy includes a condition that denies PutObject requests if the object is not encrypted. Which S3 encryption feature does this enforce?

A.S3 Object Lock
B.S3 MFA Delete
C.S3 Default Encryption
D.S3 Bucket Policy
AnswerD

Bucket policy can deny uploads if encryption is not set.

Why this answer

Option D is correct because S3 bucket policies can require server-side encryption by denying PutObject without encryption headers. Option A (default encryption) is a bucket-level setting that automatically encrypts objects, but it does not enforce encryption via policy. Option B (object lock) prevents deletion.

Option C (MFA delete) requires multi-factor authentication.

273
MCQeasy

A company uses Amazon S3 to store sensitive customer data. The security policy requires that all objects in the bucket be encrypted at rest using server-side encryption with a customer-managed KMS key. The data engineer has enabled default encryption on the bucket using SSE-KMS with the required KMS key. However, a security scan reveals that some objects in the bucket are not encrypted with the KMS key. The objects were uploaded before the default encryption was enabled. The data engineer needs to ensure that all objects are encrypted with the KMS key without disrupting ongoing data access. What should the data engineer do?

A.Use the AWS CLI to copy the objects to themselves with the --sse-kms-key-id parameter.
B.Modify the bucket policy to deny access to objects not encrypted with the KMS key.
C.Delete the unencrypted objects and re-upload them with encryption.
D.Use S3 Batch Operations with a Lambda function to apply SSE-KMS encryption to all existing objects using the KMS key.
AnswerD

S3 Batch Operations can encrypt existing objects in place.

Why this answer

Option A is correct. S3 Batch Operations can apply SSE-KMS encryption to existing objects using the KMS key. Option B is wrong because copying objects manually is inefficient and error-prone.

Option C is wrong because the bucket policy only prevents new unencrypted uploads. Option D is wrong because deleting and re-uploading is disruptive.

274
Multi-Selectmedium

A company is building a data lake on AWS and must encrypt data at rest. Which services can provide server-side encryption for data stored in Amazon S3? (Choose TWO.)

Select 2 answers
A.SSE-S3
B.SSL/TLS
C.AWS SDK client-side encryption
D.AWS CloudHSM
E.SSE-KMS
AnswersA, E

Server-side encryption with S3 managed keys.

Why this answer

Options B and C are correct because SSE-S3 and SSE-KMS are two methods for server-side encryption in S3. Option A is wrong because client-side encryption is not server-side. Option D is wrong because CloudHSM is not a server-side encryption option for S3.

Option E is wrong because SSL/TLS is encryption in transit, not at rest.

275
MCQhard

Refer to the exhibit. A data engineer runs a CLI command to decrypt a file and receives an access denied error. The IAM user 'DataEngineer' has the following policy attached: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*" } ] } What is the most likely cause of the error?

A.The CLI command is missing the --encryption-context parameter.
B.The key policy does not grant the IAM user permission to decrypt.
C.The key is an AWS managed key and cannot be used for decryption.
D.The IAM policy does not allow kms:Decrypt on the specific key.
AnswerB

Key policy is separate from IAM policy; it must explicitly allow the user.

Why this answer

Even with an Allow on kms:Decrypt for all resources, the key policy must also grant the user access. The error indicates that the key policy does not allow the user. Option C is correct.

Option A is wrong because the IAM policy allows all keys. Option B is wrong because AWS managed keys are not used. Option D is wrong because the CLI command is correct.

276
MCQeasy

A company uses AWS Glue to process data. The security team requires that all data in transit between AWS Glue and Amazon S3 be encrypted using TLS. Which configuration should be used?

A.Enable S3 server-side encryption and use HTTPS endpoints
B.Configure a bucket policy to require aws:SecureTransport
C.Enable default encryption on the S3 bucket using SSE-KMS
D.Use an S3 VPC endpoint
AnswerA

Glue uses HTTPS, which includes TLS.

Why this answer

Option A is correct because AWS Glue uses TLS for data in transit by default. Option B is wrong because S3 default encryption is for at-rest. Option C is wrong because VPC endpoints use AWS PrivateLink but don't enforce encryption.

Option D is wrong because it's not required for TLS.

277
MCQmedium

A financial services company uses AWS Glue ETL jobs to process sensitive customer data stored in Amazon S3. The data is encrypted at rest with SSE-KMS using a customer-managed key. Recently, the security team discovered that the Glue job's IAM role has an overly permissive policy that allows the 'kms:Decrypt' action for all KMS keys in the account. The company wants to follow the principle of least privilege. The Glue job runs on a schedule and reads from a specific S3 bucket. The security team needs to update the IAM policy to restrict KMS decryption to only the specific key used for that bucket. What should they do?

A.Update the policy to allow 'kms:Decrypt' with a resource of 'arn:aws:kms:us-east-1:123456789012:key/*' to cover all keys in the account.
B.Update the policy to allow 'kms:Decrypt' with a resource of '*' to ensure the job can always decrypt data.
C.Update the policy to allow 'kms:Decrypt' only for the specific KMS key ARN used by the S3 bucket containing the customer data.
D.Remove the 'kms:Decrypt' action from the policy and rely on S3 bucket policies to grant decryption permissions.
AnswerC

This restricts decryption to only the required key.

Why this answer

Option B is correct because the IAM policy should grant 'kms:Decrypt' only for the specific KMS key ARN used by the target S3 bucket, following least privilege. Option A is wrong because using '*' for the key is overly permissive. Option C is wrong because using a wildcard in the key ARN (key/*) is not a valid ARN pattern; KMS key ARNs are specific.

Option D is wrong because 'kms:Decrypt' is required for the Glue job to access encrypted data; removing it would break the job.

278
MCQmedium

A data engineer needs to allow an IAM user to rotate the secret in AWS Secrets Manager for an RDS database. Which IAM action should be included in the policy?

A.secretsmanager:RotateSecret
B.secretsmanager:PutSecretValue
C.secretsmanager:UpdateSecret
D.secretsmanager:GetSecretValue
AnswerA

This action allows rotating the secret.

Why this answer

The secretmanager:RotateSecret action allows the user to initiate rotation of a secret. Option B is correct. secretmanager:GetSecretValue only retrieves the secret value, not rotate it.

279
MCQeasy

A data engineer needs to ensure that an Amazon S3 bucket containing sensitive customer data is encrypted at rest. Which AWS service can be used to manage the encryption keys?

A.AWS Certificate Manager
B.AWS Secrets Manager
C.AWS CloudHSM
D.AWS Key Management Service (KMS)
AnswerD

KMS is the managed service for creating and controlling encryption keys used by S3 SSE-KMS.

Why this answer

AWS KMS is the service for managing encryption keys. S3 SSE-S3 uses S3-managed keys, while SSE-C uses customer-provided keys. CloudHSM is a hardware security module but not directly used for S3 encryption key management.

280
MCQhard

A company uses Amazon DynamoDB with encryption at rest using an AWS managed KMS key. The security team requires that the encryption key be rotated every 90 days. What should the data engineer do to meet this requirement?

A.Switch to AWS CloudHSM to manage the encryption key
B.Create a scheduled AWS Lambda function to rotate the AWS managed key
C.Enable a custom encryption context in DynamoDB to trigger rotation
D.Use a customer managed KMS key and configure automatic rotation
AnswerD

Customer managed keys support automatic yearly rotation.

Why this answer

Option D is correct. AWS managed keys are rotated automatically every 3 years, but not configurable. To meet 90-day rotation, the company must use a customer managed key and configure automatic yearly rotation (or manual).

Option A is wrong because DynamoDB does not support custom encryption contexts. Option B is wrong because managed keys cannot be rotated on demand. Option C is wrong because CloudHSM is not required.

281
MCQmedium

Refer to the exhibit. The exhibit shows output from AWS CLI commands. Which key can be used to enable automatic annual rotation?

A.The second key (5678efgh-...)
B.Both keys
C.Neither key
D.The first key (1234abcd-...)
AnswerD

Customer managed keys can have automatic rotation enabled.

Why this answer

Option A is correct because only customer managed keys support automatic rotation. Option B is wrong because AWS managed keys are rotated automatically but cannot be configured by the user. Option C is wrong because both keys can be rotated, but only customer managed keys have user-controlled rotation.

Option D is wrong because the second key is AWS managed.

282
Multi-Selectmedium

A company is using AWS Lake Formation to manage permissions on a data lake. Which of the following are valid ways to grant access to a user or role? (Choose THREE.)

Select 3 answers
A.Grant permissions to a SAML or SCIM group
B.Grant permissions using tag-based access control (LF-Tags)
C.Grant permissions to an IAM user or role
D.Grant permissions to an AWS Organizations unit
E.Grant permissions via an S3 bucket policy
AnswersA, B, C

Lake Formation can integrate with SAML/SCIM for group-based access.

Why this answer

Options A, B, and E are correct. Lake Formation can grant directly to IAM users/roles, to SAML/SCIM groups, and through tag-based access control. Option C is wrong because AWS Organizations is for account management, not individual permissions.

Option D is wrong because S3 bucket policies are separate from Lake Formation.

283
MCQmedium

A data engineer is troubleshooting an Amazon Redshift cluster that is not responding to queries. The engineer suspects that the cluster may have been accidentally deleted. Which AWS service should be used to investigate the deletion?

A.AWS Config
B.AWS CloudTrail
C.Amazon CloudWatch Logs
D.AWS Trusted Advisor
AnswerB

CloudTrail logs API calls like DeleteCluster.

Why this answer

Option A is correct because AWS CloudTrail records DeleteCluster API calls. Option B is wrong because CloudWatch Logs stores logs but not API calls. Option C is wrong because AWS Config records resource changes, not deletions? Actually Config would show a deletion, but CloudTrail is more direct for API calls.

The best answer is CloudTrail. Option D is wrong because AWS Trusted Advisor is for best practices.

284
MCQhard

A data engineer is designing a data lake on S3 that must be encrypted at rest using customer-managed keys in AWS KMS. The security team requires that the key be used only for S3 operations and that the key be rotated every 180 days. Which solution meets these requirements?

A.Create a customer managed key with a key policy that grants usage only to S3, and enable automatic rotation with a 180-day period.
B.Use an AWS managed key (aws/s3) and enable automatic rotation.
C.Use an S3 bucket policy to enforce SSE-KMS with a CloudHSM key.
D.Use a custom key store backed by CloudHSM and rotate the key manually.
AnswerA

Customer managed keys allow custom rotation periods and key policies to restrict usage.

Why this answer

Option B is correct because customer managed keys can have a custom key rotation period (180 days) and a key policy can restrict usage to S3. Option A is wrong because AWS managed keys have a fixed annual rotation. Option C is wrong because custom key stores do not support automatic rotation.

Option D is wrong because S3 does not use CloudHSM directly for S3 encryption.

285
Multi-Selecthard

A company is using AWS KMS with customer-managed keys to encrypt data in Amazon RDS. The security team wants to ensure that the key can be rotated automatically every year. Which THREE steps are required to achieve automatic key rotation?

Select 3 answers
A.Migrate the key to AWS CloudHSM.
B.Enable automatic key rotation in the KMS key configuration.
C.Use a symmetric KMS key.
D.Configure the RDS instance to use the KMS key for encryption.
E.Create a new KMS key and configure RDS to use it.
AnswersB, C, D

This is required to rotate the key automatically.

Why this answer

Options B, C, and D are correct. To enable automatic rotation for a customer-managed KMS key, you must enable rotation via the KMS console or API (B), ensure the key is a symmetric key (C) as asymmetric keys do not support automatic rotation, and configure the RDS instance to use the key (D) for encryption. Option A is incorrect because rotation can be enabled for existing keys.

Option E is incorrect because CloudHSM is not involved.

286
MCQhard

A data engineer is troubleshooting an AWS Lake Formation permissions issue. A user is able to query an Amazon Athena table but cannot see the underlying S3 data in the AWS Glue Data Catalog. The user has been granted SELECT permission on the table in Lake Formation. What is the most likely cause?

A.The user does not have DESCRIBE permission on the table in Lake Formation.
B.The data location is not registered with Lake Formation.
C.The S3 bucket policy does not grant the user access.
D.The user does not have the aws:SourceArn condition in the IAM policy.
AnswerA

SELECT permission allows querying but not viewing the table metadata; DESCRIBE is needed to see the table in the catalog.

Why this answer

In AWS Lake Formation, the ability to query a table via Athena (which requires SELECT permission) is separate from the ability to view the table's metadata in the Glue Data Catalog. To see the underlying S3 data location or table properties in the catalog, a user needs DESCRIBE permission on the table. Without DESCRIBE, the table appears invisible in the Glue console or API, even though SELECT queries succeed.

Exam trap

The trap here is that candidates assume SELECT permission is sufficient for all table interactions, overlooking that Lake Formation separates metadata visibility (DESCRIBE) from data access (SELECT).

How to eliminate wrong answers

Option B is wrong because registering the data location with Lake Formation is a prerequisite for granting permissions, but the user can already query the table, so the location must be registered. Option C is wrong because if the S3 bucket policy were blocking access, the Athena query would fail, not just the catalog visibility. Option D is wrong because the aws:SourceArn condition is a security best practice for cross-account access, but its absence does not cause the described symptom of a missing table in the catalog.

287
MCQmedium

A data engineer needs to share an S3 bucket with another AWS account. They want to ensure that the objects in the bucket remain encrypted with SSE-KMS using a customer managed key. What additional step is required for cross-account access?

A.Modify the KMS key policy to grant the target account kms:Decrypt permission
B.Add an IAM policy in the target account to allow kms:Decrypt
C.Disable SSE-KMS encryption on the bucket
D.Add a bucket policy that grants the target account s3:GetObject
AnswerA

The KMS key policy must allow the target account to use the key for decryption.

Why this answer

When using SSE-KMS with a customer managed key, the key policy must grant the target account's IAM role or user permission to use the key. S3 bucket policy and IAM permissions are also required, but the key policy is the additional step specific to KMS. Option A is wrong because the bucket policy alone does not grant KMS permissions.

Option B is wrong because the target account's IAM policy alone cannot override the key policy. Option D is wrong because disabling encryption is not required.

288
MCQeasy

A data engineer runs the command shown to check the encryption configuration of an S3 bucket. The output shows SSEAlgorithm: AES256. What does this mean?

A.The bucket uses SSE-S3 with Amazon S3-managed keys
B.The bucket uses SSE-KMS with a customer-managed key
C.The bucket uses SSE-C with customer-provided keys
D.The bucket does not have encryption enabled
AnswerA

AES256 indicates SSE-S3.

Why this answer

Option A is correct. AES256 refers to SSE-S3, where Amazon S3 manages the encryption keys using AES-256. Option B (SSE-KMS) would show 'aws:kms'.

Option C (SSE-C) would require the customer to provide keys. Option D (no encryption) is incorrect because encryption is enabled.

289
MCQmedium

Refer to the exhibit. A data engineer queries AWS CloudTrail to investigate a PutObject event. What does the exhibit reveal about the object sensitive.csv?

A.The upload failed due to encryption mismatch.
B.The object was uploaded with server-side encryption using AWS KMS.
C.The object was not encrypted at rest.
D.The object was encrypted with SSE-S3.
AnswerB

x-amz-server-side-encryption: aws:kms indicates SSE-KMS.

Why this answer

Option D is correct because the CloudTrail event shows x-amz-server-side-encryption: aws:kms, indicating the object was uploaded with SSE-KMS. Option A is wrong because the event does not indicate SSE-S3 (would be AES256). Option B is wrong because the object is encrypted at rest, not in transit.

Option C is wrong because the event shows the object was uploaded, not that encryption failed.

290
MCQmedium

A data engineer is configuring an S3 bucket for storing sensitive customer data. The bucket must be encrypted at rest using an AWS Key Management Service (KMS) key that is managed by the data engineering team. The team wants to ensure that only users with explicit permission can decrypt the data. Which S3 encryption option should be used?

A.SSE-KMS
B.Client-side encryption
C.SSE-S3
D.SSE-C
AnswerA

SSE-KMS uses a customer-managed KMS key, allowing fine-grained access control.

Why this answer

Option B is correct because SSE-KMS uses a customer-managed KMS key, allowing the team to control access and permissions for decryption. Option A (SSE-S3) uses Amazon S3-managed keys, which does not provide customer-controlled access. Option C (SSE-C) requires the customer to manage the encryption keys themselves, not using KMS.

Option D (client-side encryption) encrypts data before sending to S3, which is not an S3 server-side encryption option.

291
MCQmedium

A data engineer is designing a data lake on S3 with sensitive data. The security policy mandates that data must be encrypted at rest and in transit, and that an inventory of all objects must be maintained for compliance. Which actions should be taken?

A.Enforce HTTPS via bucket policy, enable default SSE-S3 encryption, and enable S3 Inventory.
B.Use SSE-KMS encryption and enable CloudTrail for S3 events.
C.Enable S3 default encryption using SSE-S3 and enable S3 Inventory.
D.Enforce HTTPS using bucket policy and enable S3 Server Access Logging.
AnswerA

Covers in-transit, at-rest encryption, and inventory.

Why this answer

Option D is correct because enforcing HTTPS (in-transit) and SSE-S3 (at-rest) with S3 Inventory provides compliance. Option A misses in-transit encryption. Option B misses inventory.

Option C uses KMS which may not be required and does not include inventory.

292
MCQmedium

A company uses Amazon RDS for MySQL to store application data. The security team requires that all database credentials be rotated automatically every 90 days. The data engineer needs to implement a solution that minimizes operational overhead. The database credentials are stored in AWS Secrets Manager. The application retrieves the credentials at startup and caches them for the duration of the session. The application is deployed on Amazon ECS with Fargate. Which solution should the data engineer implement to meet the rotation requirement with minimal overhead?

A.Store the credentials in AWS Systems Manager Parameter Store and use a scheduled job to update the password.
B.Use Secrets Manager's automatic rotation feature with a custom Lambda function that updates the RDS password.
C.Create a scheduled Lambda function that updates the password in Secrets Manager and manually updates the application configuration.
D.Configure IAM database authentication for the RDS instance and update the application to use IAM credentials.
AnswerB

Secrets Manager can rotate secrets automatically with a Lambda.

Why this answer

Option C is correct because Secrets Manager can automatically rotate secrets using a Lambda function that updates the RDS password. This minimizes overhead compared to manual rotation or changing IAM policies. Option A is incorrect because IAM database authentication is a separate feature that does not rotate credentials automatically.

Option B is incorrect because manual rotation is operationally heavy. Option D is incorrect because Parameter Store does not have built-in rotation; it would require additional automation.

293
MCQeasy

A company has an S3 bucket that stores logs for compliance. The compliance team requires that objects are retained for 7 years and cannot be deleted or overwritten. Which S3 feature should be used?

A.Enable S3 Object Lock with retention mode COMPLIANCE and a retention period of 7 years
B.Enable MFA Delete on the bucket
C.Configure an S3 bucket policy that denies delete and overwrite actions
D.Enable S3 Versioning and configure a lifecycle policy to expire objects after 7 years
AnswerA

Object Lock with COMPLIANCE mode ensures objects cannot be deleted or overwritten for the retention period.

Why this answer

S3 Object Lock with retention mode COMPLIANCE prevents objects from being deleted or overwritten for the specified retention period. Versioning alone does not prevent deletion. MFA Delete prevents accidental deletion but not overwrite.

Lifecycle policies can expire objects but do not prevent deletion.

294
MCQmedium

A company is designing a data lake on AWS and must comply with GDPR requirements. The company needs to implement data masking for personally identifiable information (PII) columns in Amazon Redshift. Which feature should be used?

A.Use Amazon RDS Proxy to intercept queries
B.Amazon S3 Object Lambda to mask data on the fly
C.Create views in Redshift that apply masking functions
D.AWS Lake Formation row-level security
AnswerC

Redshift views can apply masking functions to hide PII.

Why this answer

Option C is correct. Redshift supports dynamic data masking through views that apply masking functions. Option A is wrong because S3 Object Lambda is for S3.

Option B is wrong because Lake Formation does not mask data in Redshift directly. Option D is wrong because RDS Proxy is for RDS, not Redshift.

295
MCQmedium

A financial services company uses Amazon Athena to query a data lake in S3. The data lake contains sensitive financial transactions. The security team has implemented row-level security using views in AWS Glue Data Catalog. Each view is defined with a WHERE clause that filters rows based on the user's IAM role using a custom tag. However, when a data analyst runs a SELECT * FROM view_name in Athena, the query returns all rows, ignoring the row-level filter. The analyst's IAM role has the tag 'department=analytics'. The view was created with a filter condition 'department = current_user_department()', where current_user_department() is a user-defined function that extracts the department tag from the caller's IAM role. The function is defined in the Glue Data Catalog. What is the most likely reason the filter is not applied?

A.The user-defined function current_user_department() is not registered in the Glue Data Catalog.
B.Athena does not support user-defined functions in views.
C.The IAM role does not have the tag 'department=analytics'.
D.The view is not defined with the filter condition properly; the function current_user_department() may not be invoked correctly in the view definition.
AnswerD

The function must be used in the view's SELECT statement.

Why this answer

Option A is correct. Views in Athena do not automatically enforce row-level security; the filter must be applied via the view definition. Option B is wrong because the function exists.

Option C is wrong because Athena executes the view's SQL. Option D is wrong because the tag is present.

296
MCQhard

A data engineer is troubleshooting an issue where an IAM role used by AWS Glue cannot read data from an S3 bucket encrypted with SSE-KMS. The bucket policy allows the role to perform s3:GetObject. What additional permission is needed?

A.s3:GetObjectVersion
B.kms:Decrypt on the KMS key
C.s3:GetObjectAcl
D.kms:GenerateDataKey on the KMS key
AnswerB

The role must be able to decrypt the S3 object.

Why this answer

For SSE-KMS, the IAM role must have kms:Decrypt permission on the KMS key. Option A is wrong because s3:GetObject is already allowed. Option B is wrong because SSE-KMS does not require s3:GetObjectAcl.

Option D is wrong because kms:GenerateDataKey is used for writes. Option C is correct.

297
MCQmedium

A data engineer needs to allow a Lambda function to read data from an S3 bucket in the same account. The Lambda function's execution role has the required permissions, but access is denied. The S3 bucket has a bucket policy that explicitly denies access to any principal that is not from the organization. What is the most likely issue?

A.The Lambda execution role is not part of the AWS organization.
B.The Lambda function is in a VPC without an S3 VPC endpoint.
C.The S3 bucket is in a different AWS account.
D.The Lambda function does not have kms:Decrypt permission.
AnswerA

The bucket policy explicitly denies access to principals not in the organization, so the Lambda role must be part of the organization.

Why this answer

Option C is correct because the explicit deny in the bucket policy overrides any allow in the Lambda role. Option A is wrong because the VPC endpoint policy is not mentioned. Option B is wrong because KMS permissions are not relevant.

Option D is wrong because the bucket is in the same account.

298
MCQmedium

A data engineer is configuring an S3 bucket policy to allow cross-account access for a partner account to read objects. The bucket is encrypted with SSE-KMS using a customer-managed key. What additional configuration is needed to allow the partner account to decrypt the objects?

A.Add a bucket policy that grants the partner account s3:GetObject
B.Create a VPC endpoint for S3 and add it to the bucket policy
C.Update the KMS key policy to grant the partner account kms:Decrypt permission
D.Add a bucket policy that grants s3:GetObject and s3:GetEncryptionConfiguration
AnswerC

The KMS key policy must allow the partner account to use the key for decryption.

Why this answer

For cross-account access with SSE-KMS, the KMS key policy must grant the partner account access to use the key. The bucket policy alone is insufficient. The partner account does not need VPC endpoints, and the bucket policy for decryption is not needed.

The partner account does not need access to the S3 bucket's encryption configuration.

299
MCQhard

Refer to the exhibit. A data engineer runs the commands shown. What can be determined about the key with ID 1234abcd-12ab-34cd-56ef-1234567890ab?

A.It is pending deletion.
B.It was created in us-west-2.
C.It is a customer managed key.
D.It is an AWS managed key.
AnswerD

KeyManager: AWS means it's AWS managed.

Why this answer

Option A is correct because the KeyManager is "AWS", indicating it is an AWS managed key. Option B is wrong because the key is enabled. Option C is wrong because the key was created in us-east-1 (implied by ARN).

Option D is wrong because the key state is Enabled, not PendingDeletion.

300
MCQhard

A company uses AWS Lake Formation to manage permissions on a data lake in S3. A data analyst reports that queries using Amazon Athena return zero rows for a table that the analyst has been granted SELECT permission on. The table is registered in Lake Formation and uses a partition projection. What is the most likely cause?

A.The table is not registered as a resource in Lake Formation
B.The analyst does not have DESCRIBE permission on the table
C.The analyst lacks GetObject and ListBucket permissions on the underlying S3 location
D.The table uses server-side encryption with KMS and the analyst lacks kms:Decrypt permission
AnswerC

Lake Formation grants metadata permissions, but S3 permissions are still needed for partition projection.

Why this answer

Option B is correct because partition projection requires explicit S3 permissions to list the partition location, which Lake Formation may not automatically grant. Option A is wrong because SELECT permission is granted. Option C is wrong because encryption settings don't cause zero rows.

Option D is wrong because the table is registered.

← PreviousPage 4 of 5 · 333 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Data Security Governance questions.