DVA-C02 · topic practice

Security practice questions

Practise AWS Certified Developer Associate DVA-C02 Security practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Security

What the exam tests

What to know about Security

Security questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Security exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security questions

20 questions · select your answer, then reveal the explanation

Question 1mediummultiple choice
Read the full Security explanation →

A developer has an AWS Lambda function that needs to read objects from an S3 bucket in another account. The Lambda function's execution role includes an IAM policy that allows s3:GetObject on the bucket. The bucket owner has added a bucket policy that grants s3:GetObject to the Lambda execution role. However, the Lambda function receives Access Denied errors. The S3 bucket uses SSE-KMS for encryption. What is the most likely cause?

Question 2hardmultiple choice
Read the full Security explanation →

A company has multiple AWS accounts managed under AWS Organizations. The security team requires that all Amazon S3 buckets with bucket names containing 'logs' must be encrypted with a specific KMS key (key ID: alias/logs-key) at rest. A developer must enforce this using an SCP (Service Control Policy). Which SCP effect and condition key should be used to deny any PutObject request that does not use the required KMS key?

Question 3hardmultiple choice
Read the full Security explanation →

A developer needs to grant a user in another AWS account (Account B) read-only access to objects in an Amazon S3 bucket owned by Account A. The developer has already added a bucket policy that grants s3:GetObject access to the IAM user in Account B. However, the user in Account B still gets Access Denied when trying to read objects. What additional configuration is required?

Question 4hardmultiple choice
Read the full Security explanation →

A developer needs to ensure that every cryptographic operation performed on an AWS KMS customer master key (CMK) used for server-side encryption in Amazon S3 is recorded in AWS CloudTrail for auditing. The developer has already enabled CloudTrail and is logging management events. However, the security team wants to see all calls to the KMS Decrypt and Encrypt APIs for this specific key. What must the developer do?

Question 5mediummultiple choice
Read the full Security explanation →

A developer is building a mobile application that uses Amazon Cognito for user authentication. After a user signs in, the application needs to access an Amazon DynamoDB table. The developer has set up an identity pool with an authenticated role. The IAM role attached to the authenticated identity has a policy allowing the required DynamoDB actions. However, users report that they cannot perform DynamoDB operations. What is the MOST likely cause of this issue?

Question 6hardmultiple choice
Read the full Security explanation →

A company uses a customer managed AWS KMS key to encrypt sensitive data stored in DynamoDB. A Lambda function reads from the DynamoDB table and needs to decrypt the data. The Lambda function's execution role has an IAM policy that allows kms:Decrypt on the key. However, access is denied. What must the developer add to the KMS key policy to resolve the issue?

Question 7hardmultiple choice
Read the full Security explanation →

A company has an AWS Lambda function that processes sensitive financial data. The function uses environment variables to store database connection strings. A security audit requires that all sensitive data be encrypted at rest and in transit. The developer must ensure that the environment variables are encrypted with a customer-managed key that is rotated quarterly. What should the developer do?

Question 8mediummultiple choice
Read the full Security explanation →

A company has an Amazon S3 bucket (Bucket-A) in Account A that contains sensitive data. A developer in Account B needs read-only access to objects in Bucket-A. The developer in Account A added a bucket policy granting s3:GetObject to the IAM user in Account B. However, the IAM user in Account B still receives Access Denied errors. What additional step is required?

Question 9hardmultiple choice
Read the full Security explanation →

A company uses an Amazon S3 bucket to store sensitive documents. The security team requires that all objects uploaded to the bucket must be encrypted at rest using server-side encryption with a customer-managed KMS key (SSE-KMS). A developer needs to enforce this by denying any PutObject request that does not specify the required encryption. Which bucket policy condition should be used?

Question 10mediummultiple choice
Read the full Security explanation →

A company stores sensitive data in Amazon S3. The security team requires that all objects are encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). The developer needs to enforce that any PutObject request that does not specify the 'x-amz-server-side-encryption' header with value 'aws:kms' is denied. Which S3 bucket policy condition should be used?

Question 11easymultiple choice
Read the full Security explanation →

A developer in Account A has an Amazon S3 bucket that contains sensitive data. The developer wants to grant an IAM user in Account B read-only access to objects in the bucket. The developer has added a bucket policy in Account A that grants s3:GetObject access to the IAM user's ARN. However, the IAM user in Account B still receives Access Denied errors. What additional configuration is required?

Question 12mediummultiple choice
Read the full Security explanation →

A company runs an application on Amazon EC2 that needs to securely store database credentials. The security team requires that credentials be automatically rotated every 30 days to reduce the risk of compromise. The application must be able to retrieve the credentials at startup without storing them in code or configuration files. Which AWS service should the developer use?

Question 13hardmultiple choice
Read the full Security explanation →

A company wants to grant a third-party vendor access to an Amazon S3 bucket in the company's AWS account. The vendor has their own AWS account. The company requires the vendor to include a unique identifier in each request to verify their identity before granting access. Which policy element should the company include in the S3 bucket policy?

Question 14mediummultiple choice
Read the full Security explanation →

A company is developing a web application that runs on Amazon EC2 instances. The application needs to access an Amazon DynamoDB table to store and retrieve data. The security team requires that no IAM users or roles should be used; instead, the application must use temporary credentials that are automatically rotated. Which approach should the developer use to securely grant access to DynamoDB?

Question 15hardmultiple choice
Read the full Security explanation →

A company uses AWS Secrets Manager to store database credentials. The credentials must be automatically rotated every 30 days. The developer needs to configure rotation without exposing the secret to any IAM user directly. Which configuration steps should the developer take?

Question 16hardmultiple choice
Read the full NAT/PAT explanation →

A developer needs to grant an IAM role in Account B read-only access to objects in an S3 bucket in Account A. The bucket is encrypted with server-side encryption using AWS KMS (SSE-KMS) with a customer managed key (CMK) in Account A. Which combination of policies is required for the cross-account access to succeed?

Question 17hardmultiple choice
Read the full Security explanation →

A developer is storing an API secret for a third-party service in AWS Secrets Manager. The secret needs to be accessed by an AWS Lambda function that runs in a VPC. The Lambda function must have the minimum required permissions. Which IAM policy statement should the developer attach to the Lambda execution role?

Question 18hardmultiple choice
Read the full Security explanation →

A developer is building an application that needs to read a secret API key from AWS Secrets Manager. The application runs on an EC2 instance that is part of an Auto Scaling group. The developer wants to ensure that only this application can retrieve the secret. Which set of steps should the developer take?

Question 19mediummultiple choice
Read the full Security explanation →

A developer is designing an application that will process credit card payments and store them temporarily in an Amazon DynamoDB table. The developer must ensure that the payment data is encrypted at rest and that the encryption key is managed by the company's security team using AWS KMS. Which type of encryption should the developer enable on the DynamoDB table?

Question 20hardmultiple choice
Read the full Security explanation →

A company uses AWS KMS customer master keys (CMKs) to encrypt sensitive data in Amazon S3. A compliance requirement mandates that the backing keys for the CMKs be automatically rotated every year. The developer must implement this with minimal operational overhead. Which solution meets the requirement?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Security sessions

Start a Security only practice session

Every question in these sessions is drawn from the Security domain — nothing else.

Related practice questions

Related DVA-C02 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the DVA-C02 exam test about Security?
Security questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security questions in a focused session?
Yes — the session launcher on this page draws every question from the Security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other DVA-C02 topics?
Use the topic links above to move to related areas, or go back to the DVA-C02 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the DVA-C02 exam covers. They are not copied from any real exam or dump site.