CCNA Data Protection Questions

75 of 303 questions · Page 1/5 · Data Protection · Answers revealed

1
Multi-Select · hard

A company is designing a data protection strategy for its Amazon S3 bucket that stores sensitive customer data. The bucket must be encrypted at rest using a customer managed key (CMK) that is stored in AWS KMS. The company also needs to ensure that only authorized users can decrypt objects. Which TWO actions should the company take?

Select 2 answers
A. Create a bucket policy that denies s3:GetObject unless the request includes a specific encryption context
B. Modify the KMS key policy to allow only the authorized IAM roles to use the key
C. Attach an IAM policy to the authorized users that grants kms:Decrypt on the CMK
D. Create a VPC endpoint for S3 and use bucket policies to restrict access to the endpoint
E. Use SSE-C with a customer-provided key
Answers: B, C

Key policy controls access to the key.

Why this answer

To control decryption access, you need to grant kms:Decrypt permission to authorized users and restrict the key policy accordingly. Options B and C are correct because they control access to the key. Option A is incorrect because a bucket policy alone cannot control decryption; it works together with the key policy.

Option E is incorrect because SSE-KMS uses KMS keys, not SSE-C. Option D is incorrect because restricting S3 access to a VPC endpoint does not control who can decrypt with the key.

2
Multi-Select · hard

Which THREE practices are recommended for managing encryption keys in AWS KMS? (Choose 3.)

Select 3 answers
A. Delete the KMS key immediately when it is no longer needed.
B. Enable automatic rotation of the KMS key annually.
C. Export the KMS key material and store it in a secure S3 bucket.
D. Use key policies to restrict which IAM roles can use the key.
E. Enable AWS CloudTrail logging to record KMS key usage.
Answers: B, D, E

Rotation helps meet compliance requirements.

Why this answer

Options B, D, and E are correct. B: Enabling automatic key rotation annually is a best practice. D: Using key policies to control access follows least privilege.

E: Using CloudTrail to audit KMS API calls provides visibility. Option C is wrong because exporting the key material defeats the purpose of KMS. Option A is wrong because deleting a key immediately can cause data loss; it should be scheduled for deletion.

3
MCQ · hard

A financial services company must ensure that all data at rest in Amazon RDS for PostgreSQL is encrypted. The current database is unencrypted. What is the MOST operationally efficient way to enable encryption?

A. Export the database to S3 using pg_dump, then import into a new encrypted RDS instance.
B. Create a read replica with encryption enabled and promote it to primary.
C. Take a snapshot of the database, copy the snapshot with encryption enabled, and restore the encrypted snapshot to a new DB instance.
D. Enable encryption directly on the existing RDS instance by modifying the DB instance settings.
Answer: C

This is the supported method to encrypt an existing unencrypted RDS instance.

Why this answer

Option C is correct because RDS does not support direct encryption of an existing unencrypted database; you must take a snapshot, copy it with encryption enabled, and restore. Option D is wrong because you cannot enable encryption on a running instance. Option B is wrong because enabling encryption on the fly through a read replica is not supported.

Option A is wrong because exporting and re-importing with pg_dump is unnecessary when the snapshot can be copied with encryption.

4
Multi-Select · easy

A company is storing sensitive data in Amazon S3. They want to ensure that all data is encrypted at rest using server-side encryption. Which THREE options are available for server-side encryption in S3? (Select THREE.)

Select 3 answers
A. Client-side encryption
B. SSE-KMS
C. SSE-S3
D. SSE-C
E. AWS CloudHSM
Answers: B, C, D

SSE-S3, SSE-KMS, and SSE-C are the server-side options.

Why this answer

Options B, C, and D are correct. SSE-S3, SSE-KMS, and SSE-C are the three server-side encryption options. Option A is wrong because client-side encryption is not server-side.

Option E is wrong because AWS CloudHSM is a service for hardware security modules, not an S3 encryption option.

5
MCQ · easy

A company stores sensitive customer data in Amazon S3. They want to ensure that all objects are encrypted at rest using server-side encryption with AWS KMS. Which S3 bucket policy statement should be added to deny uploads that do not request SSE-KMS?

A. Deny PutObject unless 's3:x-amz-server-side-encryption' is 'AES256'
B. Deny PutObject unless 's3:x-amz-server-side-encryption' is 'aws:kms'
C. Deny PutObject unless 'aws:SourceArn' equals the bucket ARN
D. Deny PutObject unless 's3:x-amz-server-side-encryption-aws-kms-key-id' is present
Answer: B

This condition ensures the object is encrypted with SSE-KMS.

Why this answer

Option B is correct because denying PutObject unless 's3:x-amz-server-side-encryption' equals 'aws:kms' is the standard policy to block uploads that do not request SSE-KMS. Option A is wrong because 'AES256' requests SSE-S3, so that condition does not enforce SSE-KMS. Option C is wrong because 'aws:SourceArn' is not the right condition for this.

Option D is wrong because it requires a specific KMS key ID, not just any KMS key.

6
MCQ · hard

A company uses AWS CloudHSM to generate and store encryption keys for a custom application. The security team needs to ensure high availability and durability of the keys. Which architecture should be recommended?

A. Use AWS KMS instead of CloudHSM for better durability
B. Deploy a single CloudHSM instance in one Availability Zone
C. Deploy CloudHSM in two AWS Regions with automatic replication
D. Deploy a CloudHSM cluster with at least two HSMs in different Availability Zones
Answer: D

Provides redundancy and high availability.

Why this answer

Option D is correct because a CloudHSM cluster with multiple HSMs in different Availability Zones provides high availability and durability. Option B is wrong because a single HSM is a single point of failure. Option A is wrong because the requirement calls for CloudHSM, a dedicated hardware appliance, not a software-based service.

Option C is wrong because CloudHSM does not automatically replicate to another Region.

7
Multi-Select · hard

A company is designing a data protection strategy for Amazon S3. The compliance team requires that all objects be encrypted at rest and that any attempt to upload an unencrypted object be blocked. Which THREE steps should the company take? (Choose THREE.)

Select 3 answers
A. Enable default encryption on the bucket with SSE-S3 or SSE-KMS.
B. Add a bucket policy that denies s3:PutObject unless the request includes the x-amz-server-side-encryption header.
C. Enable S3 Object Lock.
D. Enable S3 Transfer Acceleration.
E. Enable S3 Block Public Access.
Answers: A, B, E

Default encryption encrypts objects automatically.

Why this answer

Options A, B, and E are correct. Option A: Enabling default encryption ensures objects are encrypted at rest. Option B: Using a bucket policy to deny PutObject without the encryption header blocks unencrypted uploads.

Option E: Using S3 Block Public Access prevents public exposure. Option D is wrong because S3 Transfer Acceleration does not encrypt data. Option C is wrong because S3 Object Lock does not enforce encryption.

8
MCQ · hard

A company uses AWS Secrets Manager to store database credentials. The security team needs to ensure that secrets are automatically rotated every 30 days. The rotation function must be implemented with minimal operational overhead. Which approach should be used?

A. Create an Amazon EventBridge rule that triggers a Lambda function to rotate the secret
B. Use AWS CLI to schedule a cron job that runs every 30 days and rotates the secret
C. Use Amazon CloudWatch Events to invoke an AWS Lambda function that updates the secret
D. Enable automatic rotation in Secrets Manager and configure the rotation interval to 30 days
Answer: D

Correct: Secrets Manager natively supports automatic rotation with a configurable interval.

Why this answer

Option D is correct because Secrets Manager provides built-in rotation support for supported services like RDS, with the rotation triggered automatically via Lambda. Option A is wrong because EventBridge rules are not needed; Secrets Manager handles scheduling. Option B is wrong because manual rotation using the CLI defeats automation.

Option C is wrong because CloudWatch Events is not needed; rotation is managed internally.

9
MCQ · medium

A company wants to protect data at rest in Amazon S3 using client-side encryption. The application will run on Amazon EC2 instances. Which approach meets these requirements?

A. Use SSE-S3 and rely on S3 to manage keys
B. Enable S3 default encryption on the bucket
C. Use SSE-KMS with a customer managed key
D. Use the AWS Encryption SDK to encrypt data before uploading to S3
Answer: D

Client-side encryption occurs before data reaches S3.

Why this answer

Client-side encryption requires the encryption process to occur on the client side before data is uploaded to S3. The AWS Encryption SDK is designed for this purpose, allowing you to encrypt data locally on the EC2 instance using your own keys, ensuring that S3 never sees the plaintext data. This meets the requirement to protect data at rest with client-side encryption, as the data is encrypted before leaving the application environment.

Exam trap

The trap here is that candidates confuse server-side encryption options (SSE-S3, SSE-KMS) with client-side encryption, assuming that using a customer managed key (SSE-KMS) satisfies client-side requirements when it actually still encrypts data on the server side.

How to eliminate wrong answers

Option A is wrong because SSE-S3 is a server-side encryption method where S3 manages the keys and encrypts data after it is received, not client-side encryption. Option B is wrong because enabling S3 default encryption on the bucket applies server-side encryption (SSE-S3 or SSE-KMS) to objects at the time of upload, not client-side encryption. Option C is wrong because SSE-KMS with a customer managed key is still server-side encryption; the encryption happens on the S3 side after the data is transmitted, not on the client side.

10
MCQ · easy

A company wants to encrypt data in transit between an on-premises data center and AWS over a VPN connection. Which AWS service or feature should be used?

A. AWS Route 53 Resolver
B. AWS Certificate Manager (ACM)
C. AWS Site-to-Site VPN
D. Amazon API Gateway
Answer: C

Site-to-Site VPN creates encrypted tunnels.

Why this answer

Option C is correct because AWS Site-to-Site VPN provides encrypted tunnels. Option A is wrong because Route 53 Resolver is a DNS service. Option B is wrong because ACM is for managing SSL/TLS certificates.

Option D is wrong because API Gateway is for publishing and managing APIs.

11
MCQ · easy

A company wants to protect data in transit between an EC2 instance and an S3 bucket. Which method should be used?

A. Use a VPN connection with IPsec
B. Install an SSL certificate on the EC2 instance
C. Use SSH to transfer files
D. Use HTTPS endpoints for S3 API calls
Answer: D

HTTPS encrypts data in transit between EC2 and S3.

Why this answer

Using HTTPS (TLS) for the S3 API calls encrypts data in transit, so Option D is correct. Option B is incorrect because SSL certificates are for web servers.

Option A is incorrect because IPsec is for site-to-site VPN. Option C is incorrect because SSH is for remote administration.

12
MCQ · medium

A company uses AWS KMS to manage encryption keys for sensitive data stored in S3. The security team wants to ensure that keys are rotated automatically every year. What should they do?

A. Enable automatic key rotation on a customer managed key.
B. Use a custom key store and rotate keys manually.
C. Use a CloudHSM to store keys and rotate them manually.
D. Use an AWS managed key, which rotates automatically every year.
Answer: D

AWS managed keys are automatically rotated every year.

Why this answer

Option D is correct because AWS managed KMS keys automatically rotate yearly. Option A is incorrect because customer managed keys do not auto-rotate by default.

Options B and C are incorrect because manual rotation, whether in a custom key store or in CloudHSM, is not automatic.

13
MCQ · hard

A company uses AWS KMS to encrypt its RDS database. The security team needs to ensure that the key can be used only from within the company's VPC and not from the internet. Which action should be taken?

A. Enable automatic key rotation and use an alias to restrict access
B. Use a key policy that denies all access except from the RDS instance's security group
C. Create a VPC endpoint for KMS and modify the key policy to allow only requests from the VPC endpoint
D. Create the key with a region restriction in the key policy
Answer: C

VPC endpoint with key policy condition allows VPC-only usage.

Why this answer

KMS supports VPC endpoints (AWS PrivateLink) and key policies with conditions. To restrict usage to a VPC, you can create a VPC endpoint for KMS and modify the key policy to deny access unless the request comes from the VPC endpoint. Option C is correct.

Option D is incorrect because KMS keys are already regional; a Region restriction does not limit use to a VPC. Option B is incorrect as it would deny all access. Option A is incorrect because rotation and an alias do not restrict where the key can be used; the VPC endpoint is needed, and the key policy must reference it.

14
MCQ · easy

A company wants to protect sensitive data stored in Amazon S3 by encrypting it at rest. Which AWS service can be used to manage the encryption keys?

A. AWS Secrets Manager
B. AWS CloudHSM
C. AWS S3-managed keys (SSE-S3)
D. AWS Key Management Service (AWS KMS)
Answer: D

KMS is the managed key management service.

Why this answer

AWS KMS is the service for managing encryption keys, so Option D is correct. Option C is wrong because S3-managed keys (SSE-S3) are managed by AWS, not the customer. Option B is wrong because AWS CloudHSM provides hardware security modules but is not a managed key management service.

Option A is wrong because AWS Secrets Manager is for secrets, not encryption keys.

15
MCQ · medium

A company runs a web application on Amazon EC2 instances that processes credit card data. The application must store the data in an encrypted format. The security team wants to minimize the performance impact of encryption and offload the encryption operations to a dedicated hardware security module (HSM). Which solution should the architect choose?

A. Use Amazon EBS encryption on the EC2 instance's root volume.
B. Use the Linux dm-crypt utility to encrypt the data at the application level.
C. Use AWS CloudHSM to perform encryption operations from the application.
D. Use AWS KMS with a customer-managed key to encrypt the data in the application.
Answer: C

CloudHSM provides a dedicated HSM, offloading encryption.

Why this answer

Option C is correct because AWS CloudHSM provides a dedicated HSM appliance that can be used to offload encryption operations, reducing the performance impact on EC2. Option D is wrong because AWS KMS is a software-based service; it does not provide a dedicated HSM. Option B is wrong because host-based encryption with dm-crypt on the application server adds CPU overhead.

Option A is wrong because EBS encryption encrypts the volume but does not offload encryption operations for application-level encryption.

16
MCQ · medium

A company is migrating on-premises databases to Amazon RDS for MySQL. The security team requires that data be encrypted at rest and in transit. Which combination of steps should the team take to meet these requirements?

A. Use an RDS proxy with TLS termination and enable encryption at rest.
B. Enable encryption at rest on the RDS instance and set the rds.force_ssl parameter to 1 in the DB parameter group.
C. Enable encryption at rest on the RDS instance and use a client-side encryption library.
D. Enable encryption at rest and configure the security group to allow only HTTPS traffic.
Answer: B

This ensures both at-rest and in-transit encryption.

Why this answer

Option B is correct because enabling encryption at rest on the RDS instance (which can be done during creation or via snapshot) and requiring SSL for connections (by setting the rds.force_ssl parameter to 1) meets both requirements. Option D is wrong because encryption at rest alone does not cover in-transit, and a security group rule does not enforce TLS for database connections. Option C is wrong because using a client-side encryption library is not a standard RDS feature.

Option A is wrong because using an RDS proxy with TLS does not enforce SSL for direct connections.

17
Multi-Select · medium

Which THREE of the following are best practices for protecting data in transit within AWS? (Choose 3.)

Select 3 answers
A. Use VPC Peering with encryption
B. Use TLS listeners on Elastic Load Balancers
C. Enable S3 Transfer Acceleration
D. Configure Amazon CloudFront to require HTTPS
E. Use AWS Site-to-Site VPN for on-premises connectivity
Answers: B, D, E

Correct: TLS encrypts traffic between clients and load balancers.

Why this answer

Options B, D, and E are correct. Using TLS listeners on ELB, enforcing HTTPS on CloudFront, and using a VPN for on-premises connectivity are all best practices. Option C is wrong because S3 Transfer Acceleration does not enforce encryption.

Option A is wrong because VPC Peering does not encrypt traffic.

18
Multi-Select · hard

Which TWO of the following are valid methods to enforce encryption at rest for an Amazon RDS for PostgreSQL DB instance? (Choose 2.)

Select 2 answers
A. Enable encryption on an existing unencrypted DB instance
B. Restore a DB instance from an encrypted snapshot
C. Take a snapshot of the unencrypted instance and enable encryption on the snapshot
D. Create an encrypted read replica and promote it
E. Create a new encrypted DB instance from the start
Answers: B, E

Correct: The restored instance inherits encryption from the snapshot.

Why this answer

Options B and E are correct. You can only enable encryption at creation time or by restoring from an encrypted snapshot. Option A is wrong because you cannot encrypt an existing unencrypted instance.

Option C is wrong because enabling encryption on a snapshot is not supported; you must copy it. Option D is wrong because read replicas inherit encryption settings from the source.

19
Multi-Select · easy

Which TWO methods can be used to encrypt data at rest in Amazon S3? (Choose 2.)

Select 2 answers
A. Set a bucket policy that denies uploads without encryption.
B. Use SSE-S3 to have Amazon S3 manage the encryption keys.
C. Enable encryption in transit using HTTPS.
D. Enable MFA Delete on the S3 bucket.
E. Encrypt the objects client-side before uploading to S3.
Answers: B, E

SSE-S3 encrypts data at rest.

Why this answer

Options B and E are correct. B: Server-side encryption with S3-managed keys (SSE-S3) encrypts data at rest. E: Client-side encryption, for example with the AWS Encryption SDK, encrypts data before uploading.

Option C is wrong because HTTPS encrypts data in transit, not at rest. Option A is wrong because bucket policies do not encrypt data. Option D is wrong because MFA Delete protects against accidental deletion, not encryption.

20
Multi-Select · medium

A company is using AWS KMS to encrypt data in Amazon S3. They need to ensure that the KMS key can only be used from within a specific VPC. Which TWO actions should be taken?

Select 2 answers
A. Create a VPC endpoint for AWS KMS.
B. Attach an IAM policy to the role that denies kms:Decrypt unless the request comes from the VPC.
C. Create a VPC endpoint for Amazon S3.
D. Add a bucket policy condition to restrict access to the VPC.
E. Modify the KMS key policy to include a condition on kms:SourceVpc.
Answers: A, E

Enables private connectivity to KMS from the VPC.

Why this answer

Option A is correct because a VPC endpoint for KMS is needed to access KMS privately. Option E is correct because a key policy condition using kms:SourceVpc restricts usage to the VPC. Option D is wrong because a bucket policy cannot restrict KMS key usage.

Option B is wrong because an IAM policy alone cannot restrict KMS usage based on VPC; it's the key policy that does. Option C is wrong because a VPC endpoint for S3 does not restrict KMS calls.

21
Multi-Select · easy

A company wants to protect data at rest for an Amazon S3 bucket that contains sensitive data. Which combination of actions provides the MOST comprehensive protection? (Choose two.)

Select 2 answers
A. Enable versioning on the bucket
B. Enable default encryption on the bucket with SSE-S3
C. Configure a bucket policy to deny requests over HTTP
D. Enable MFA Delete on the bucket
E. Configure a lifecycle policy to transition objects to Glacier
Answers: B, C

Ensures encryption at rest.

Why this answer

Option B is correct because enabling default encryption with SSE-S3 ensures that all objects uploaded to the bucket are automatically encrypted at rest using server-side encryption with Amazon S3-managed keys (AES-256). Option C is correct because configuring a bucket policy to deny requests over HTTP enforces HTTPS for all data in transit, preventing exposure of sensitive data during transmission. Together, they protect data both at rest and in transit, providing comprehensive coverage.

Exam trap

The trap here is that candidates often confuse versioning or MFA Delete with data protection, but these features address data durability and deletion prevention, not encryption or transport security, which are required for comprehensive data protection.

22
MCQ · easy

A company wants to encrypt data at rest in Amazon S3 using server-side encryption with Amazon S3-managed keys (SSE-S3). What is the minimum permission required for an IAM user to upload an object that will be encrypted with SSE-S3?

A. s3:PutObjectAcl
B. kms:Decrypt
C. s3:PutObject
D. kms:GenerateDataKey
Answer: C

SSE-S3 is transparent; no additional permissions are needed.

Why this answer

Option C is correct because SSE-S3 does not require any special permissions beyond s3:PutObject; S3 handles the encryption automatically. Option D is wrong because kms:GenerateDataKey is needed for SSE-KMS, not SSE-S3. Option A is wrong because s3:PutObjectAcl is for ACLs.

Option B is wrong because kms:Decrypt is not needed for SSE-S3.

23
MCQ · hard

A company has a requirement to encrypt all data in an S3 bucket using keys that are stored in an on-premises HSM. Which S3 encryption option should be used?

A. SSE-S3
B. Client-side encryption
C. SSE-KMS
D. SSE-C
Answer: D

SSE-C allows customers to provide their own encryption keys.

Why this answer

SSE-C allows customers to provide their own encryption keys. The keys are not stored in AWS. Option D is correct.

Option A is incorrect because SSE-S3 uses S3-managed keys. Option C is incorrect because SSE-KMS uses AWS KMS. Option B is incorrect because client-side encryption encrypts locally, but the keys are managed by the customer.

24
MCQ · medium

A security engineer is troubleshooting an issue where an Amazon RDS for MySQL DB instance encrypted at rest with AWS KMS is failing to launch. The error message indicates a KMS access issue. Which IAM role or policy is most likely missing?

A. The RDS subnet group is in a private subnet without a NAT gateway
B. The DB instance's security group does not allow outbound traffic to KMS
C. The KMS key policy does not grant access to the root account
D. The AWSServiceRoleForRDS service-linked role is missing
Answer: D

Required for RDS to access KMS keys.

Why this answer

The AWSServiceRoleForRDS service-linked role is required for RDS to call AWS KMS on your behalf to manage encryption keys for encrypted DB instances. If this role is missing, RDS cannot obtain the necessary permissions to decrypt the KMS key during instance launch, resulting in a KMS access error. This role is automatically created the first time you create an RDS resource, but if it was deleted or not present, you must recreate it to resolve the issue.

Exam trap

The trap here is that candidates often focus on KMS key policies or network configurations, but the real issue is the missing service-linked role that grants RDS the service-level permissions to interact with KMS, which is a common oversight in encrypted RDS troubleshooting scenarios.

How to eliminate wrong answers

Option A is wrong because the subnet group configuration (private subnet without NAT gateway) affects network connectivity, not KMS permissions; RDS can launch in a private subnet without a NAT gateway as long as it has a VPC endpoint or proper routing to KMS. Option B is wrong because security groups control network traffic at the instance level, but KMS access is managed via IAM policies and key policies, not outbound traffic rules; RDS uses AWS KMS over HTTPS, which does not require a specific security group rule for outbound traffic to KMS. Option C is wrong because the KMS key policy granting access to the root account is a default best practice, but the missing element is the service-linked role that allows RDS to assume the necessary permissions; the root account already has full access by default.

25
MCQ · easy

A company wants to ensure that data stored in Amazon EBS volumes is encrypted at rest. What is the easiest way to achieve this?

A. Use AWS KMS to rotate the EBS encryption key
B. Use a script to encrypt each volume after creation
C. Enable EBS encryption by default in the AWS Region
D. Use application-level encryption
Answer: C

EBS encryption by default ensures all new volumes are encrypted.

Why this answer

Option C is correct: enable EBS encryption by default for the AWS Region so that all new volumes are encrypted. Option B is wrong because individual volume encryption can be done, but the default setting is easier. Option D is wrong because encryption at the application layer is not necessary.

Option A is wrong because KMS key rotation does not enable encryption.

26
MCQ · medium

A company uses S3 to store sensitive customer data. The security team requires that all objects uploaded to S3 be encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). A developer reports that some objects are being stored unencrypted. What is the MOST effective way to enforce this requirement?

A. Enable default encryption on the bucket using SSE-S3
B. Use a bucket policy to deny s3:PutObject if encryption is not set to aws:kms
C. Use an SCP to deny s3:PutObject without encryption
D. Set a bucket policy to require the x-amz-server-side-encryption header
Answer: B

Policy condition can enforce SSE-KMS.

Why this answer

Option B is correct because an S3 bucket policy with a Deny condition for s3:PutObject when the x-amz-server-side-encryption header is not set to aws:kms will block uploads that do not use SSE-KMS. Option A is wrong because default encryption with SSE-S3 does not use KMS keys, and default encryption only applies when no encryption is specified; a PUT request can still override it. Option C is wrong because a bucket policy is more direct than a service control policy for this.

Option D is wrong because requiring only the presence of the header does not enforce the aws:kms value.

27
MCQ · medium

Refer to the exhibit. A security engineer reviews the key policy of an AWS KMS customer managed key. The AppRole role is used by an application to encrypt and decrypt data. However, the application is unable to decrypt data. What is the MOST likely cause?

A. The root user does not have permission to use the key.
B. The KMS key is disabled.
C. The key administrator has not granted the AppRole permission to use the key.
D. The kms:Decrypt permission is not granted to the AppRole.
Answer: B

If the key is disabled, decryption will fail despite the permissions.

Why this answer

Option B is correct because the 'Allow use of the key' statement grants the Encrypt, Decrypt, ReEncrypt*, GenerateDataKey*, and DescribeKey actions, which should allow decryption. Since the policy is not the problem, the issue is most likely that the key is disabled or the application is not using the correct key. The exhibit shows the key policy allows the actions; if decryption still fails, the key might be disabled.

Option D is wrong because the policy includes kms:Decrypt. Option C is wrong because the Admin role has key administration permissions, but that doesn't affect decryption by AppRole. Option A is wrong because the root principal is allowed full access, so that's not an issue.

28
MCQ · medium

A company uses Amazon S3 to store sensitive documents. The security policy requires that all objects be encrypted with server-side encryption using customer-provided encryption keys (SSE-C). A developer uploads objects using the AWS SDK but forgets to include the encryption key in the request. What happens to the upload?

A. The upload succeeds and the object is encrypted with the default S3 managed key
B. The upload succeeds and the object is encrypted with the bucket's default encryption settings
C. The upload succeeds but the object is stored without server-side encryption
D. The upload fails with a 400 Bad Request error
Answer: C

SSE-C only encrypts if the key is provided.

Why this answer

With SSE-C, the request must include the encryption key. If it is not provided, the upload succeeds but the object is stored without server-side encryption (i.e., as plaintext). Option C is correct.

Option D is wrong because S3 does not deny the request or return an error. Options A and B are wrong because default encryption is not applied.

29
MCQ · easy

A security engineer is investigating a potential data breach and finds this CloudTrail log entry. What does this entry indicate?

A. A user encrypted data using a KMS key
B. A user decrypted data using a KMS key
C. An anonymous user accessed the KMS key
D. The KMS key was deleted
Answer: B

The event name is Decrypt.

Why this answer

Option B is correct because the event shows a user calling Decrypt on a KMS key. Option A is wrong because it's a Decrypt, not an Encrypt. Option D is wrong because the key is specified in a Decrypt call, not deleted.

Option C is wrong because the user is identified.

30
Multi-Select · medium

A company is designing a data protection strategy for its Amazon S3 bucket that stores sensitive documents. The security team requires that all data be encrypted in transit and at rest, and that any accidental deletion of objects can be reversed within 30 days. Additionally, the company must be able to audit all access attempts to the bucket, including failed attempts. Which TWO actions should the company take to meet these requirements? (Choose two.)

Select 2 answers
A. Enable default encryption on the bucket using SSE-S3.
B. Enable AWS CloudTrail with data events for S3.
C. Enable S3 Versioning on the bucket.
D. Enable S3 server access logs and send them to a separate bucket.
E. Enable MFA Delete on the bucket.
Answers: B, C

CloudTrail logs all API calls, including failed ones, for auditing.

Why this answer

AWS CloudTrail with data events for S3 is correct because it captures all S3 API calls, including GetObject, PutObject, and DeleteObject, and records both successful and failed access attempts. This meets the auditing requirement for all access attempts, including failed ones, as CloudTrail logs the request details, error codes, and source IP addresses.

Exam trap

The trap here is that candidates often confuse S3 server access logs (which log successful requests only) with CloudTrail data events (which log all API calls, including failures), leading them to select Option D instead of Option B.

31
MCQ · medium

A company uses S3 to store confidential documents. They want to ensure that objects are encrypted at rest using customer-provided encryption keys (SSE-C). Which header must be included in every PUT request?

A. x-amz-server-side-encryption: AES256
B. x-amz-server-side-encryption-customer-key: <key>
C. x-amz-server-side-encryption-customer-algorithm: AES256
D. x-amz-server-side-encryption: aws:kms
Answer: C

Required for SSE-C.

Why this answer

Option C is correct because SSE-C requires x-amz-server-side-encryption-customer-algorithm to be set to AES256. Option A is wrong because that header value is for SSE-S3. Option D is wrong because aws:kms is for SSE-KMS.

Option B is wrong because the key header must be provided separately.

32
Multi-Selectmedium

A company wants to protect sensitive data stored in S3 from being accessed by unauthorized users. Which TWO actions should be taken? (Choose two.)

Select 2 answers
A.Use IAM policies to restrict access to the bucket.
B.Enable S3 Versioning.
C.Enable default encryption on all S3 buckets.
D.Enable S3 Block Public Access at the account level.
E.Enable MFA Delete on the bucket.
AnswersA, D

IAM policies grant or deny access to S3 actions and resources.

Why this answer

Options A and D are correct. IAM policies control which principals can call which S3 actions on which resources, and S3 Block Public Access at the account level is a guardrail that prevents any bucket policy or ACL in the account from granting public access. Option C is incorrect because encryption at rest does not stop an authorized-looking request; it protects the stored bytes if the underlying media or a copy is obtained.

Option E is incorrect because MFA Delete protects against deletion of object versions, not against reads. Option B is incorrect because Versioning preserves history; it does not control who can access it.

33
MCQmedium

Refer to the exhibit. A security engineer applies the bucket policy shown to an S3 bucket. The engineer attempts to upload a file using the AWS CLI without specifying any encryption. What is the outcome?

A.The upload fails because the policy denies all PutObject requests.
B.The upload succeeds because default encryption on the bucket will encrypt the object with SSE-S3.
C.The upload fails because the policy denies PutObject when encryption is not SSE-KMS.
D.The upload succeeds because the object is encrypted with SSE-S3 by default.
AnswerC

The condition denies if encryption is not SSE-KMS; no encryption header leads to denial.

Why this answer

Option C is correct because the bucket policy denies s3:PutObject whenever the request's s3:x-amz-server-side-encryption condition key is not aws:kms. An upload with no encryption header has no value for that key, and IAM's negated operators such as StringNotEquals evaluate to true when the key is absent from the request context, so the deny statement matches and S3 returns AccessDenied. Option A is wrong because the deny is conditional; a PutObject that sets x-amz-server-side-encryption: aws:kms is not denied by this statement.

Options B and D are wrong because bucket policy evaluation happens on the request as sent, before any default encryption setting is applied. S3 now applies SSE-S3 to new objects by default, but that does not add the header to the request, so the upload is still denied; an explicit x-amz-server-side-encryption: AES256 header is denied for the same reason. AWS's reference policy for this pattern pairs the StringNotEquals statement with a second statement using Null: true on the same key so the rejection of headerless uploads is explicit.

34
MCQhard

Refer to the exhibit. A user named John encrypts a file using the AWS CLI. John then tries to decrypt the file but receives an AccessDenied error. John has full administrator permissions in IAM. What is the most likely cause?

A.The ciphertext blob is malformed because it was not base64-decoded before decryption.
B.John's IAM policy denies the kms:Decrypt action.
C.The KMS key policy does not grant John the kms:Decrypt permission.
D.The key ID used for encryption is different from the key used for decryption.
AnswerC

Key policy must explicitly allow decrypt for the user.

Why this answer

Option C is correct because the key policy is the primary access control for a KMS key. IAM policies can grant access to a key only if the key policy delegates that ability, normally through the statement that allows the account root principal (the "Enable IAM User Permissions" statement). If the key policy omits that statement and does not name John, his administrator IAM policy is irrelevant and Decrypt fails with AccessDenied. Option A is wrong because a malformed ciphertext blob produces InvalidCiphertextException, not AccessDenied; the encryption succeeded, so the blob is intact.

Option B is wrong because John has full administrator permissions, so his IAM policy does not deny kms:Decrypt; the missing grant is in the key policy. Option D is wrong because a symmetric KMS ciphertext carries the ID of the key that produced it, and supplying a different key ID returns IncorrectKeyException rather than AccessDenied.

35
MCQeasy

An application running on Amazon EC2 needs to access an S3 bucket containing sensitive data. The security team wants to avoid storing long-term AWS credentials on the instance. How should the EC2 instance be configured to access S3 securely?

A.Assign an IAM role with S3 permissions to the EC2 instance via an instance profile.
B.Store IAM user access keys in the instance's user data.
C.Attach a KMS key policy that allows the instance to decrypt S3 objects.
D.Generate S3 pre-signed URLs for all objects the instance needs to access.
AnswerA

IAM roles provide temporary credentials automatically rotated.

Why this answer

Option A is correct because an IAM role attached through an instance profile gives the instance short-lived credentials that are fetched from the instance metadata service and rotated automatically, so no long-term secret is ever written to the instance. Option B is incorrect because user data is not a secret store: it is readable by any process on the instance through the metadata service and is retained in the instance's configuration. Option D is incorrect because pre-signed URLs grant temporary access to individual objects and must be generated by something that itself holds credentials; they do not solve the instance's own authentication.

Option C is incorrect because a KMS key policy controls who may use a key; it does not authenticate the instance to S3 or grant s3:GetObject, and the instance would still need credentials from somewhere.

36
MCQmedium

A company uses AWS KMS to encrypt data in Amazon RDS. They need to ensure that the key material is automatically rotated every year. Which key type should they use?

A.Custom key store
B.Customer managed key
C.AWS owned key
D.AWS managed key
AnswerD

AWS managed keys for RDS rotate automatically annually.

Why this answer

AWS managed keys (D) are automatically rotated every year by AWS without any action required from the customer. For Amazon RDS encryption using AWS KMS, the default key (aws/rds) is an AWS managed key that supports automatic annual rotation, meeting the requirement exactly. Customer managed keys (B) also support automatic rotation, but the question specifies 'every year' and AWS managed keys are the simplest choice that satisfies this, as they are automatically rotated annually by default.

Exam trap

The trap here is that candidates often confuse 'AWS managed key' with 'customer managed key' because both can be rotated, but the question tests whether you know that AWS managed keys are the default, automatically rotated keys used by services like RDS, and that customer managed keys require manual configuration for rotation.

How to eliminate wrong answers

Option A is wrong because a custom key store uses a CloudHSM cluster to store key material, and automatic key rotation is not supported for keys in a custom key store; rotation must be manually managed. Option B is wrong because while customer managed keys can be configured for automatic annual rotation, the question does not specify a need for customer control over the key, and AWS managed keys are the default, simpler option that also rotates annually. Option C is wrong because AWS owned keys are not visible to customers and are used by AWS services internally; they cannot be selected or managed by the customer for RDS encryption, and their rotation policy is not under customer control.

37
MCQhard

A company is migrating its on-premises data warehouse to AWS. The data includes highly sensitive customer financial information. The company has the following requirements: 1) All data must be encrypted at rest using a key that is managed by the company's internal security team. 2) The encryption keys must be rotated every 90 days. 3) The data warehouse must support SQL queries and be highly available across multiple Availability Zones. 4) The solution must minimize the administrative overhead of managing keys. The security team has chosen Amazon Redshift as the data warehouse. They have enabled encryption using AWS KMS with a customer-managed key (CMK). They have set the key rotation period to 90 days using automatic key rotation. However, during a security review, an auditor points out that the key material is still stored in AWS KMS, and the company wants the key material to be stored in a hardware security module (HSM) that they control. Which of the following is the BEST course of action to meet the auditor's requirement while maintaining the other requirements?

A.Use AWS CloudHSM directly to generate and manage the encryption keys, and configure Redshift to use those keys via the CloudHSM client.
B.Create a custom key store in AWS KMS backed by an AWS CloudHSM cluster, and use a KMS key in that custom key store to encrypt the Redshift cluster.
C.Switch to using Amazon S3 server-side encryption with customer-provided keys (SSE-C) and use Redshift Spectrum to query the data.
D.Generate the key material on-premises and import it into KMS as a customer-managed key, then use that key for Redshift encryption.
AnswerB

This allows the company to control the HSM and store key material in it, while Redshift uses KMS for encryption.

Why this answer

Option B is correct because a custom key store backed by an AWS CloudHSM cluster keeps the key material in HSMs the company owns and controls, while Redshift continues to call KMS for encryption exactly as before, so the SQL, Multi-AZ and low-overhead requirements are untouched. One caveat: automatic key rotation is not supported for keys in a custom key store, so the 90-day rotation already configured has to be replaced by a manual procedure (create a new KMS key in the store and re-encrypt the cluster with it). Option C is wrong because SSE-C is an Amazon S3 feature, not a Redshift encryption option, and moving the warehouse to S3 plus Spectrum abandons the chosen architecture.

Option A is wrong because the supported way for Redshift to use CloudHSM-held keys is through a KMS custom key store, not by wiring the cluster to the CloudHSM client directly. Option D is wrong because imported key material is held and used inside KMS's own HSMs, not in hardware the company controls, so it does not satisfy the auditor.

38
MCQhard

Refer to the exhibit. An IAM policy allows kms:Decrypt on a specific KMS key only when the encryption context includes department=finance. A user attempts to decrypt an S3 object that was encrypted with the same KMS key but with encryption context department=hr. Will the decryption succeed?

A.No, because the encryption context does not match.
B.No, because the key policy does not allow the user to decrypt.
C.Yes, because the user has kms:Decrypt permission on the key.
D.Yes, if the user also has kms:DescribeKey permission.
AnswerA

The condition requires encryption context department=finance; department=hr does not satisfy it.

Why this answer

Option A is correct. The IAM policy's condition (kms:EncryptionContext:department equals finance) must be satisfied by the encryption context supplied on the Decrypt call, and because encryption context is bound to the ciphertext, the caller has to present department=hr to decrypt this object. That value does not satisfy the condition, so the Allow does not apply and KMS returns AccessDenied. Option B is wrong because nothing in the scenario says the key policy blocks the user; the denial comes from the unsatisfied IAM condition.

Option C is wrong because the kms:Decrypt permission is conditional, not unconditional. Option D is wrong because kms:DescribeKey has no bearing on whether a Decrypt condition is met. Note that S3's own SSE-KMS sets the encryption context to aws:s3:arn and does not accept custom keys, so a department=hr context implies the object was encrypted client-side or through a direct KMS call.

39
Multi-Selecthard

A company uses Amazon Redshift with encryption at rest using AWS KMS. They want to ensure that automated snapshots are encrypted with the same key and that cross-account snapshot sharing is secured. Which THREE steps should be taken?

Select 3 answers
A.Enable encryption on the Redshift cluster at creation time.
B.Create a new KMS key for snapshot encryption to isolate from the cluster key.
C.Modify the KMS key policy to allow the target AWS account to decrypt.
D.Create a snapshot copy grant for the target account to use the KMS key.
E.Enable AWS Config rule to detect unencrypted snapshots.
AnswersA, C, D

Encrypted clusters automatically encrypt snapshots.

Why this answer

Option A is correct because Redshift automatically encrypts snapshots if the cluster is encrypted. Option C is correct because to share snapshots cross-account, the KMS key must allow the target account to decrypt. Option D is correct because Redshift uses a snapshot copy grant to authorize the destination account to use the key.

Option B is wrong because a separate key is not required; the cluster key can be used for snapshots if its key policy allows the target account. Option E is wrong because an AWS Config rule detects unencrypted snapshots after the fact; it does not secure cross-account sharing.

40
MCQmedium

A company uses S3 to store sensitive customer data. They want to ensure that all S3 buckets have encryption enabled at rest. Which S3 feature should be used to automatically enforce encryption on all newly created objects?

A.S3 Block Public Access
B.S3 Object Lock
C.S3 Bucket Policy with a condition requiring server-side encryption
D.S3 Inventory
AnswerC

A bucket policy with a Deny statement conditioned on s3:x-amz-server-side-encryption (StringNotEquals for the required method, plus Null: true to catch a missing header) rejects uploads that do not request encryption. The aws:SecureTransport key is a different control: it enforces HTTPS in transit, not encryption at rest.

Why this answer

Option C is correct because a bucket policy is the only one of the four that can reject a PutObject request that does not meet the encryption requirement. Note that S3 now applies SSE-S3 as the default encryption for every bucket, so a bucket policy is mainly needed to require a specific method such as SSE-KMS or to block uploads that explicitly choose a weaker one. Option A is incorrect because S3 Block Public Access controls public access, not encryption. Option D is incorrect because S3 Inventory reports object metadata (including encryption status); it provides visibility, not enforcement.

Option B is incorrect because S3 Object Lock implements retention and legal holds, not encryption.

41
MCQeasy

A company is migrating sensitive data to Amazon S3. They need to ensure that data is encrypted at rest using an AWS KMS customer managed key (CMK). The security team wants to enforce encryption for all new objects uploaded to an S3 bucket. Which policy should be attached to the bucket?

A.A bucket policy that allows s3:PutObject only if the user has KMS permissions
B.An S3 bucket default encryption setting with AES256
C.An S3 Lifecycle policy to transition objects to Glacier after 30 days
D.A bucket policy with a condition that denies s3:PutObject unless the request includes the x-amz-server-side-encryption: aws:kms header
AnswerD

Denies unencrypted uploads.

Why this answer

Option D is correct because a Deny on s3:PutObject conditioned on s3:x-amz-server-side-encryption not equalling aws:kms (with a Null: true statement for a missing header) rejects every upload that does not request SSE-KMS. Option A is incorrect because there is no bucket-policy condition that tests whether the caller holds KMS permissions, and holding them does not mean the upload used them. Option B is incorrect because default encryption with AES256 is SSE-S3, not the required customer managed KMS key, and a default setting does not reject uploads that explicitly select another method. Option C is incorrect because a Lifecycle rule manages storage class and expiry, not encryption.

42
MCQhard

A security engineer is reviewing the configuration of an S3 bucket. What is a security concern with the current configuration?

A.Versioning is enabled, which increases storage costs
B.The lifecycle rule will permanently delete current versions after 30 days
C.MFA Delete is enabled, which blocks legitimate administrative actions
D.The bucket policy grants public read access to all objects
AnswerD

Principal: * allows anyone to read objects.

Why this answer

Option D is correct because a bucket policy statement with "Principal": "*" that allows reads lets anyone on the internet fetch every object; unless S3 Block Public Access is enabled there is no guardrail to override it. Option C is wrong because MFA Delete is a protection, not a concern. Option B is wrong because the lifecycle policy shown does not delete current versions.

Option A is wrong because versioning is a data-protection feature; its storage cost is an operational trade-off, not a security concern.

43
MCQmedium

A company is designing a data protection strategy for its Amazon RDS for MySQL database. The database contains sensitive data that must be encrypted at rest. The company also needs to manage the encryption keys using its own HSM. Which solution should be used?

A.Use client-side encryption with a key from CloudHSM
B.Use AWS CloudHSM to generate a key and import it into RDS
C.Enable encryption at rest using the default AWS KMS key
D.Use AWS KMS with a custom key store backed by AWS CloudHSM
AnswerD

Custom key store allows using own HSM.

Why this answer

Option D is correct. RDS encrypts storage at rest through AWS KMS, and KMS can be pointed at HSMs the customer controls by creating a custom key store backed by an AWS CloudHSM cluster; the RDS instance is then encrypted with a KMS key that lives in that store.

Option B is incorrect because RDS has no facility to import raw keys; it only references KMS keys. Option C is incorrect because the default aws/rds key is an AWS managed key whose material stays in KMS-owned HSMs. Option A is incorrect because client-side encryption protects individual fields in the application, not the database storage volume, and leaves the at-rest encryption of the RDS instance unaddressed.

44
MCQhard

A company uses AWS KMS to encrypt data in Amazon S3. The security team receives an alert that an IAM user is attempting to decrypt data using a key that they do not have access to. Which AWS service can be used to monitor and alert on such unauthorized KMS API calls?

A.Amazon GuardDuty
B.AWS Config
C.AWS CloudTrail with CloudWatch Alarms
D.Amazon Inspector
AnswerC

CloudTrail logs KMS actions; alarms can be set on specific events.

Why this answer

Option C is correct because CloudTrail records every KMS API call (Decrypt, GenerateDataKey and so on), including failed ones, with the caller, source IP and an errorCode such as AccessDenied. Delivering the trail to CloudWatch Logs and defining a metric filter on eventSource kms.amazonaws.com with errorCode AccessDenied lets a CloudWatch Alarm fire on the first attempt (an EventBridge rule on the same events is an equivalent approach). Option A is wrong because GuardDuty produces findings from its own threat-intelligence and anomaly models; it does not let you alarm on an arbitrary API call. Option B is wrong because Config evaluates resource configuration, not API activity.

Option D is wrong because Inspector performs vulnerability assessment of workloads.

45
MCQhard

A company stores data in Amazon S3 and uses AWS KMS with Customer Master Keys (CMKs) for encryption. The security team wants to audit when the CMK is used to decrypt data. Which of the following will provide this information?

A.AWS Config
B.Amazon CloudWatch Logs
C.AWS CloudTrail
D.S3 server access logs
AnswerC

CloudTrail records KMS Decrypt events.

Why this answer

Option C is correct because AWS CloudTrail logs every KMS Decrypt call with the calling principal, the key ARN under resources, the encryption context in requestParameters and the time. Option D is wrong because S3 server access logs record requests to S3; the KMS call that S3 makes on the caller's behalf appears only in CloudTrail. Option B is wrong because CloudWatch Logs can store CloudTrail logs once a trail is configured to deliver them, but it does not generate the KMS records itself.

Option A is wrong because AWS Config records configuration changes and compliance state, not API calls.

46
Multi-Selecthard

Which THREE of the following are required to use client-side encryption with Amazon S3 using AWS KMS? (Choose three.)

Select 3 answers
A.An S3 bucket policy that forces encryption.
B.The encrypted data key is stored as metadata with the S3 object.
C.A KMS key policy that allows the S3 service to decrypt.
D.Permissions for the IAM user or role to call kms:GenerateDataKey.
E.The AWS SDK Encryption Client library.
AnswersB, D, E

The encrypted data key is stored alongside the object for later decryption.

Why this answer

Options B, D and E are correct. The AWS SDK encryption client (E) performs envelope encryption on the client: it calls kms:GenerateDataKey (D) to obtain a plaintext data key and its encrypted copy, encrypts the object locally with the plaintext key, and uploads the encrypted data key as object metadata alongside the ciphertext (B) so that a later reader can call kms:Decrypt on it.

Option C is wrong because S3 never touches the KMS key in client-side encryption, so the key policy does not need to allow the S3 service principal; the client's own IAM identity needs kms:GenerateDataKey and, to read, kms:Decrypt, and the key policy must still permit IAM policies in that account to grant them. Option A is wrong because a bucket policy cannot see or enforce client-side encryption; S3 receives an opaque blob.

47
MCQmedium

A company wants to protect sensitive data stored in Amazon S3 by enforcing encryption in transit. Which policy should be used to deny requests that do not use HTTPS?

A.{"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*", "Condition": {"Bool": {"aws:SecureTransport": "true"}}}
B.{"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
C.{"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*", "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
D.{"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*"}
AnswerB

This policy denies requests where SecureTransport is false (non-HTTPS).

Why this answer

Option B is correct: the aws:SecureTransport condition key is false for plaintext HTTP requests, so a Deny matched on Bool false rejects exactly the non-HTTPS traffic. Option A is wrong because it denies requests where SecureTransport is true, which blocks HTTPS and leaves HTTP working, the opposite of the goal. Option C is wrong because a Null condition on s3:x-amz-server-side-encryption concerns encryption at rest on uploads, not transport.

Option D is wrong because an unconditional Deny on s3:* blocks every request. Note that a real bucket policy cannot use "Resource": "*"; the statement must list the bucket ARN and the bucket ARN with /* so both bucket-level and object-level operations are covered.
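Questions 33, 40, 41 and 47 (and 53 below) all turn on how a Deny statement's condition is evaluated against a request. The following Python is an added example, not code from the original page: it builds one bucket policy that combines the HTTPS-only statement from this question with the SSE-KMS statements from questions 33 and 41, and evaluates sample PutObject requests against it with a small model of the four IAM condition operators involved (Bool, Null, StringEquals, StringNotEquals). The bucket name is assumed; the evaluator models IAM's documented behaviour that negated operators match when the key is absent from the request context.

```python
import fnmatch
import json

BUCKET = "example-sensitive-data"  # assumed bucket name for the example
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"


def build_policy() -> dict:
    """Bucket policy combining the transport and at-rest controls discussed above."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Reject plaintext HTTP for every operation on the bucket and its objects.
                "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Reject uploads that request any method other than SSE-KMS (e.g. AES256).
                "Sid": "DenyNonKmsEncryptionHeader", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/*",
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # Reject uploads with no encryption header at all. StringNotEquals already
                # matches an absent key, but this statement makes the intent explicit.
                "Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _matches(patterns, value: str) -> bool:
    """Action/Resource matching with the '*' wildcard used in IAM policies."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate the subset of IAM condition operators used in build_policy().

    Modelled semantics: every key in the block must match; Null "true" matches when the key
    is absent from the request context; negated operators (StringNotEquals) also match when
    the key is absent; Bool and StringEquals require the key to be present.
    """
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            present = key in context
            actual = context.get(key)
            if operator == "Null":
                holds = (wanted[0] == "true") == (not present)
            elif operator == "Bool":
                holds = present and actual.lower() == wanted[0].lower()
            elif operator == "StringEquals":
                holds = present and actual in wanted
            elif operator == "StringNotEquals":
                holds = (not present) or actual not in wanted
            else:
                raise NotImplementedError(f"operator {operator} is not modelled")
            if not holds:
                return False
    return True


def denying_statements(policy: dict, action: str, resource: str, context: dict) -> list:
    """Sids of Deny statements that match the request. Any match is a hard deny in IAM,
    whatever Allows exist elsewhere; an empty list only means this policy did not deny."""
    return [
        stmt["Sid"] for stmt in policy["Statement"]
        if stmt["Effect"] == "Deny"
        and _matches(stmt["Action"], action)
        and _matches(stmt["Resource"], resource)
        and _condition_holds(stmt.get("Condition", {}), context)
    ]


def put_object_denials(policy: dict, key: str, headers: dict, https: bool = True) -> list:
    """Translate a PutObject request (headers plus transport) into the request context S3
    builds for policy evaluation, then report which Deny statements fire."""
    context = {"aws:SecureTransport": "true" if https else "false"}
    sse = headers.get("x-amz-server-side-encryption")
    if sse is not None:
        context["s3:x-amz-server-side-encryption"] = sse
    return denying_statements(policy, "s3:PutObject", f"{BUCKET_ARN}/{key}", context)


if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))
    cases = [
        ("no header, HTTPS", {}, True),
        ("AES256 header, HTTPS", {"x-amz-server-side-encryption": "AES256"}, True),
        ("aws:kms header, HTTPS", {"x-amz-server-side-encryption": "aws:kms"}, True),
        ("aws:kms header, HTTP", {"x-amz-server-side-encryption": "aws:kms"}, False),
    ]
    for label, headers, https in cases:
        print(label, "->", put_object_denials(policy, "report.csv", headers, https) or "not denied")
```

On the CLI, aws s3 cp report.csv s3://example-sensitive-data/ --sse aws:kms sets the header (the CLI uses HTTPS by default), whereas the same command without --sse is caught by both encryption statements. If uploads using DSSE-KMS (header value aws:kms:dsse) should also be accepted, widen the StringNotEquals value to a list containing both values.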

48
MCQhard

A company stores sensitive data in an S3 bucket with versioning enabled. They want to ensure that objects are encrypted at rest using SSE-KMS. A security audit reveals that some older object versions are encrypted with SSE-S3. What is the MOST efficient way to re-encrypt those older versions with SSE-KMS?

A.Create a lifecycle policy to transition objects to a new storage class
B.Use the AWS CLI s3 sync command with the --sse aws:kms option
C.Use S3 Batch Operations to copy objects with SSE-KMS encryption
D.Manually re-upload the objects via the S3 console
AnswerC

Batch Operations can copy every listed version back onto the same key with SSE-KMS.

Why this answer

Option C is correct because S3 Batch Operations can run a Copy job over a manifest that lists specific version IDs, writing each copy back to the same key with SSE-KMS; it is the only bulk mechanism that handles a large number of versions without custom scripting. S3 objects are immutable, so the copy does not rewrite the old version: it creates a new current version encrypted with SSE-KMS, and the SSE-S3 versions remain as noncurrent versions until a lifecycle rule expires them. Option A is wrong because a lifecycle transition changes storage class, not encryption. Option B is wrong because aws s3 sync operates on current objects only and does not touch older versions.

Option D is wrong because the S3 console has no bulk re-encrypt operation for versions and manual re-upload does not scale.

49
MCQhard

A company stores sensitive customer data in Amazon S3. The security team has enabled default encryption with SSE-S3 on the bucket. The compliance team requires that all access to the bucket be logged and that any unauthorized access attempts be detected in real time. The company has AWS CloudTrail enabled. Which additional steps should the security team take to meet the compliance requirements?

A.Enable S3 server access logs and enable Amazon GuardDuty with S3 protection
B.Enable AWS Config rules to detect unauthorized access
C.Enable CloudTrail data events for the S3 bucket and use Amazon Detective
D.Enable VPC Flow Logs and use Amazon Athena to analyze logs
AnswerA

Server access logs provide detailed logging; GuardDuty provides real-time threat detection.

Why this answer

Option A is correct because S3 server access logs capture requests to the bucket, and Amazon GuardDuty with S3 Protection continuously analyzes S3 data events to raise findings on anomalous or unauthorized access in near real time. Two caveats: server access logs are delivered on a best-effort basis, so where completeness matters, CloudTrail data events for the bucket are the stronger audit source, and GuardDuty S3 Protection itself consumes CloudTrail S3 data events. Option C is wrong because Amazon Detective is an investigation tool for analyzing findings after the fact, not a real-time detector. Option D is wrong because VPC Flow Logs record IP-level traffic metadata and do not show S3 requests.

Option B is wrong because AWS Config evaluates configuration state, not access attempts.

50
MCQhard

A company uses AWS CloudHSM to generate and store encryption keys for a custom database. The security team needs to back up the keys to another AWS Region for disaster recovery. What is the most secure and efficient way to achieve this?

A.Create a backup of the source CloudHSM cluster and copy the backup to the destination Region.
B.Export the keys from the source CloudHSM cluster and import them into a destination cluster in the other Region.
C.Enable cross-Region replication on the CloudHSM cluster.
D.Use the key_mgmt_util command-line tool to copy the keys to an on-premises HSM, then upload to the destination Region.
AnswerA

CloudHSM backups can be copied across regions for disaster recovery.

Why this answer

Option A is correct because CloudHSM takes backups of a cluster automatically and on demand, and the AWS CLI (aws cloudhsmv2 copy-backup-to-region) or the console copies a backup to another Region, where it can be restored into a new cluster; the backup stays encrypted under keys tied to the cluster, so the key material never appears in the clear outside an HSM. Option B is incorrect because keys are not exported and re-imported between clusters; cross-Region recovery uses backups. Option D is incorrect because routing key material through an on-premises HSM is unnecessary and adds exposure; the supported path is the backup copy.

Option C is incorrect because CloudHSM has no cross-Region replication feature; backups are copied instead.

51
MCQmedium

A company stores sensitive customer data in Amazon S3. To comply with data protection regulations, they need to automatically prevent any new objects from being made publicly accessible. Which S3 feature should they configure?

A.Enable S3 Block Public Access at the account level.
B.Configure a bucket policy that denies s3:PutObject with a condition for public access.
C.Use S3 default encryption with SSE-S3.
D.Enable S3 Object Lock in governance mode.
AnswerA

Block Public Access provides a centralized way to prevent any public access to buckets and objects.

Why this answer

Option A is correct because S3 Block Public Access at the account level is a preventative guardrail: it overrides any bucket policy or ACL that would grant public access, for existing and new buckets alike. Option B is wrong because a bucket policy covers one bucket and can be edited or replaced; it is an access control, not a guardrail over other policies. Option D is wrong because Object Lock prevents deletion or overwrite; it says nothing about who may read.

Option C is wrong because default encryption protects data at rest and has no effect on public access.

52
MCQmedium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer. The application uses an Amazon RDS for MySQL database. The security team requires that all data in transit between the EC2 instances and the database be encrypted. The database is in a private subnet. The EC2 instances are in a public subnet. The security team also wants to minimize latency. What should be done to meet these requirements?

A.Use AWS Certificate Manager to issue a certificate for the RDS endpoint
B.Set up a VPN connection between the EC2 instances and the RDS instance using an IPsec VPN
C.Place the EC2 instances and RDS in the same subnet and use a NAT gateway
D.Enable SSL/TLS on the RDS instance and configure the application to use encrypted connections
AnswerD

This encrypts data in transit with minimal latency.

Why this answer

Option D is correct because RDS for MySQL exposes a TLS endpoint with an AWS-issued certificate; setting require_secure_transport in the DB parameter group forces encrypted connections, and the application connects with the RDS CA bundle to verify the server. This adds only the TLS handshake and cipher overhead, the minimum latency cost for encryption in transit. Option B is wrong because an IPsec VPN between instances and RDS inside a VPC is neither supported nor necessary. Option C is wrong because subnet placement and a NAT gateway affect routing, not encryption, and add hops.

Option A is wrong because ACM issues certificates for load balancers, CloudFront and API Gateway; RDS manages its own server certificate.

53
MCQeasy

Refer to the exhibit. A security engineer reviews the bucket policy for an S3 bucket. The engineer attempts to upload an object to the bucket using the AWS CLI without the --ssl flag (HTTP). What is the outcome?

A.The upload succeeds because the policy allows all actions.
B.The upload fails because the policy denies requests that are not using HTTPS.
C.The upload succeeds because the bucket has default encryption enabled.
D.The upload fails because the policy denies s3:PutObject only.
AnswerB

Condition denies if SecureTransport is false (HTTP).

Why this answer

Option B is correct because the bucket policy denies all S3 actions when aws:SecureTransport is false, which is the case for any plain HTTP request, so the PutObject is denied. (The AWS CLI has no --ssl flag; it uses HTTPS unless pointed at an http:// endpoint with --endpoint-url, which is the situation the question describes.) Option C is wrong because default encryption concerns data at rest and is not evaluated as part of the request.

Option D is wrong because the statement covers s3:*, not only PutObject. Option A is wrong because the policy is a Deny, not an Allow.

54
MCQmedium

A company uses AWS KMS with a custom key store backed by AWS CloudHSM. The security team wants to ensure that the key material never leaves the HSM and that all cryptographic operations are performed within the HSM. Which of the following actions should the team take?

A.Create the KMS key as an asymmetric key in a custom key store and set the key usage to 'SIGN_VERIFY'.
B.Enable the 'Prevent key material export' option in the KMS key policy.
C.Create the KMS key as a symmetric key in the default key store.
D.Create the KMS key in a custom key store and set the key usage to 'ENCRYPT_DECRYPT'.
AnswerD

Custom key store with symmetric keys ensures key material stays in the HSM.

Why this answer

Option D is correct because a custom key store backed by CloudHSM supports only symmetric encryption keys (ENCRYPT_DECRYPT), the key material is generated inside the company's CloudHSM cluster, and every cryptographic operation with the key runs in that cluster; KMS keys are non-exportable regardless of where they live. Option C is wrong because a key in the default key store is held in KMS-managed HSMs, not the company's cluster. Option A is wrong because CloudHSM-backed custom key stores do not support asymmetric keys, so a SIGN_VERIFY key cannot be created there.

Option B is wrong because no such option exists; key policies contain permissions, and non-exportability is a property of the key store, not a policy setting.

55
MCQeasy

A company needs to encrypt data in transit between an EC2 instance and an RDS database. Which option should be used?

A.Enable encryption at rest for the RDS instance
B.Configure the database to use SSL/TLS connections
C.Use an AWS KMS key to encrypt the connection
D.Enable EBS encryption on the EC2 instance
AnswerB

SSL/TLS encrypts data in transit.

Why this answer

Option B is correct because encrypting data in transit between an EC2 instance and an RDS database requires the use of SSL/TLS protocols to secure the communication channel. AWS RDS supports SSL/TLS connections by enabling the `require_secure_transport` parameter or using a certificate bundle on the client side, ensuring that all data transmitted over the network is encrypted and protected from eavesdropping or man-in-the-middle attacks.

Exam trap

The trap here is that candidates often confuse encryption at rest (EBS or RDS encryption) with encryption in transit, or mistakenly think that KMS keys can be directly applied to network connections, when in fact SSL/TLS is the correct mechanism for securing data in motion.

How to eliminate wrong answers

Option A is wrong because encryption at rest protects data stored on disk, not data transmitted over the network between EC2 and RDS. Option C is wrong because AWS KMS is used to manage encryption keys for data at rest or envelope encryption, not to directly encrypt network connections; SSL/TLS uses certificates and cipher suites, not KMS keys. Option D is wrong because EBS encryption protects data at rest on the EC2 instance's volumes, not data in transit between the instance and the RDS database.

56
MCQeasy

A company wants to protect data in transit between an on-premises application and Amazon S3. Which solution provides the highest security?

A.Use an AWS PrivateLink endpoint for S3.
B.Use a site-to-site VPN connection to the VPC and then access S3 via a VPC endpoint.
C.Use AWS Direct Connect without additional encryption.
D.Access S3 over HTTPS from the on-premises application.
AnswerA

PrivateLink keeps traffic within the AWS network, not over the internet.

Why this answer

Option A is correct because an interface VPC endpoint for S3 (PrivateLink) is reached over private IP addresses, so the application's S3 traffic never traverses the public internet; the on-premises network reaches the endpoint over AWS Direct Connect or a VPN, and the connection to S3 is still TLS on top of the private path. Option B is wrong because a site-to-site VPN encrypts but tunnels over the public internet, so the path remains internet-exposed even though the payload is protected. Option D is wrong because HTTPS from on-premises protects the payload but sends it across the internet to an endpoint reachable by anyone.

Option C is wrong because Direct Connect is a private circuit but is not encrypted on its own; HTTPS or MACsec is needed on top of it.

57
MCQhard

Refer to the exhibit. A user receives the above error when trying to decrypt a file using AWS KMS. The key policy is shown below: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/AdminRole" }, "Action": "kms:Decrypt", "Resource": "*" } ] } What is the likely cause of the error?

A.The ciphertext was encrypted with a different KMS key
B.The KMS key does not exist
C.The command syntax is incorrect
D.The IAM user 'john' is not granted kms:Decrypt in the key policy
AnswerD

Correct: The key policy only allows the AdminRole, not the user.

Why this answer

Option D is correct because the key policy only allows arn:aws:iam::123456789012:role/AdminRole to call kms:Decrypt, and it contains no statement delegating access to IAM policies (no Allow for the account root), so the IAM user 'john' has no path to the key and receives AccessDenied. Option B is wrong because a missing key returns NotFoundException, not an authorization error. Option A is wrong because a ciphertext encrypted under a different key fails with IncorrectKeyException or InvalidCiphertextException rather than AccessDenied.

Option C is wrong because a syntax error is reported by the CLI before any request is sent.

58
Multi-Selectmedium

Which TWO actions can help protect data at rest in Amazon EBS volumes? (Choose 2.)

Select 2 answers
A.Enable automatic encryption of EBS snapshots by default.
B.Use an instance type that supports encryption at rest.
C.Configure the operating system to use encrypted file systems.
D.Enable EBS encryption by default in the AWS Account settings.
E.Use encrypted EBS volumes with AWS KMS customer-managed keys.
AnswersD, E

This encrypts all new EBS volumes.

Why this answer

Options D and E are correct. D: enabling EBS encryption by default in the account settings (a per-Region setting) ensures every new volume and snapshot copy is encrypted without relying on each creator to ask for it. E: creating volumes with a customer managed KMS key encrypts them at rest and lets the key policy control which principals can attach and use them.

Option A is wrong because there is no separate snapshot setting: snapshots of an encrypted volume are always encrypted with the volume's key, and encryption by default covers new volumes. Option B is wrong because EBS encryption is available on all current generation instance types; it is not an instance-type feature. Option C is a defense-in-depth measure (for example LUKS inside the guest) rather than the AWS-native at-rest control the question asks for, and it leaves the volume unencrypted from EBS's point of view.

59
MCQhard

A company uses AWS KMS to encrypt data in Amazon S3. The security team needs to audit all KMS key usage, including who used the key, when, and what operation was performed. Which AWS service should be used to meet this requirement?

A.AWS CloudTrail
B.Amazon GuardDuty
C.AWS Config
D.AWS CloudHSM
AnswerA

CloudTrail logs KMS API calls for auditing.

Why this answer

AWS CloudTrail is the correct service because it records all AWS KMS API calls as events, including who made the request, the source IP address, the time of the request, and the specific operation performed (e.g., Encrypt, Decrypt, GenerateDataKey). These audit logs are stored in an S3 bucket and can be analyzed to meet the security team's requirement for full key usage auditing.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance monitoring with CloudTrail's API auditing, or assume GuardDuty's threat detection includes detailed usage logs, when in fact only CloudTrail provides the granular, user-specific API call records required for auditing KMS key usage.

How to eliminate wrong answers

Option B (Amazon GuardDuty) is wrong because it is a threat detection service that monitors for malicious activity using anomaly detection and threat intelligence, not a service that records detailed API-level audit logs of KMS key usage. Option C (AWS Config) is wrong because it evaluates resource configurations and compliance rules (e.g., whether KMS keys have automatic rotation enabled), but it does not capture who performed KMS operations or when they occurred. Option D (AWS CloudHSM) is wrong because it provides dedicated hardware security modules for key generation and storage, but it does not generate audit logs of API calls; CloudHSM logs are limited to HSM-level events and require separate integration with CloudTrail for API auditing.
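Questions 44, 45 and 59 ask the same thing of CloudTrail: reconstruct who used a KMS key, when, for which operation, and alert on denied attempts. The Python below is an added example (not code from the original page) that parses a CloudTrail log file and produces both the audit report and the alert condition. The four records are constructed sample data, not real logs, shaped like CloudTrail's record format; record 2 mirrors the question 38 scenario (Decrypt denied because the encryption context department=hr does not satisfy the policy condition) and record 4 mirrors question 57 (key policy does not cover the user). Key ARNs, account ID and principals are invented.

```python
import json
from collections import Counter

KEY_A = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
KEY_B = "arn:aws:kms:us-east-1:123456789012:key/66666666-7777-8888-9999-000000000000"
JOHN = "arn:aws:iam::123456789012:user/john"
APP_ROLE = "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc123def456"

# Constructed sample CloudTrail log file (not real log data). CloudTrail delivers gzipped JSON
# files with a top-level "Records" array; the field names here follow that record format.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:01Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": JOHN},
     "requestParameters": {"encryptionAlgorithm": "SYMMETRIC_DEFAULT",
                           "encryptionContext": {"aws:s3:arn": "arn:aws:s3:::finance-bucket/report.csv"}},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_A}]},
    {"eventTime": "2024-05-01T10:02:17Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": JOHN},
     "requestParameters": {"encryptionAlgorithm": "SYMMETRIC_DEFAULT",
                           "encryptionContext": {"department": "hr"}},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_A}],
     "errorCode": "AccessDenied",
     "errorMessage": f"User: {JOHN} is not authorized to perform: kms:Decrypt on resource: {KEY_A}"},
    {"eventTime": "2024-05-01T10:05:40Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "sourceIPAddress": "10.0.1.25", "userIdentity": {"type": "AssumedRole", "arn": APP_ROLE},
     "requestParameters": {"keySpec": "AES_256", "encryptionContext": {"department": "finance"}},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_A}]},
    {"eventTime": "2024-05-01T10:09:03Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": JOHN},
     "requestParameters": {"encryptionAlgorithm": "SYMMETRIC_DEFAULT"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_B}],
     "errorCode": "AccessDenied",
     "errorMessage": f"User: {JOHN} is not authorized to perform: kms:Decrypt on resource: {KEY_B}"},
]})

# Operations that use key material; DescribeKey/ListKeys denials are noise for this alert.
KMS_CRYPTO_OPERATIONS = {"Encrypt", "Decrypt", "ReEncrypt",
                         "GenerateDataKey", "GenerateDataKeyWithoutPlaintext"}


def load_records(log_text: str) -> list:
    """Parse one CloudTrail log file (after gunzip) into its list of event records."""
    return json.loads(log_text)["Records"]


def key_arns(event: dict) -> set:
    return {r["ARN"] for r in event.get("resources", []) if r.get("type") == "AWS::KMS::Key"}


def key_usage_report(events: list, key_arn: str) -> list:
    """Who used the key, when, which operation, with what outcome and encryption context."""
    rows = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com" or key_arn not in key_arns(ev):
            continue
        rows.append({
            "time": ev["eventTime"],
            "principal": ev["userIdentity"].get("arn"),
            "operation": ev["eventName"],
            "outcome": ev.get("errorCode", "Success"),
            "source_ip": ev.get("sourceIPAddress"),
            "encryption_context": ev.get("requestParameters", {}).get("encryptionContext", {}),
        })
    return rows


def denied_kms_attempts(events: list) -> list:
    """Events a detection should alert on: the same condition as alarm_filter_pattern()."""
    return [
        {"time": ev["eventTime"], "principal": ev["userIdentity"].get("arn"),
         "operation": ev["eventName"], "keys": sorted(key_arns(ev)),
         "encryption_context": ev.get("requestParameters", {}).get("encryptionContext", {})}
        for ev in events
        if ev.get("eventSource") == "kms.amazonaws.com"
        and ev.get("eventName") in KMS_CRYPTO_OPERATIONS
        and ev.get("errorCode") == "AccessDenied"
    ]


def denied_by_principal(events: list) -> Counter:
    """Repeat offenders are the useful alarm dimension; a single denial is often a misconfiguration."""
    return Counter(d["principal"] for d in denied_kms_attempts(events))


def alarm_filter_pattern() -> str:
    """CloudWatch Logs metric filter for a trail delivered to a log group; a metric alarm on the
    resulting count with threshold >= 1 fires on the first denied KMS call."""
    return '{ ($.eventSource = "kms.amazonaws.com") && ($.errorCode = "AccessDenied") }'


if __name__ == "__main__":
    events = load_records(SAMPLE_LOG)
    for row in key_usage_report(events, KEY_A):
        print(row)
    print("denied attempts by principal:", dict(denied_by_principal(events)))
```

The report shows the encryption context per call, which is what distinguishes the question 38 denial (a policy condition on department not met) from the question 57 denial (no key policy path at all); the errorMessage field in the real event usually spells out which it was. For an always-on alarm, attach the filter pattern to the trail's log group or create an EventBridge rule on the same eventSource/errorCode pair instead of polling files.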

60
MCQmedium

A company is using Amazon S3 to store backup files that must be retained for 7 years. The files are accessed infrequently but must be available within minutes when needed. The company wants to minimize storage costs while ensuring data is encrypted at rest. Which storage class and encryption combination is most cost-effective?

A.S3 Glacier Instant Retrieval with SSE-S3
B.S3 Glacier Deep Archive with SSE-S3
C.S3 Glacier Flexible Retrieval with SSE-KMS
D.S3 Standard-IA with SSE-KMS
AnswerA

Instant retrieval and cost-effective.

Why this answer

Option A is correct. S3 Glacier Instant Retrieval offers millisecond retrieval at a storage price well below S3 Standard-IA, which fits data accessed a few times a year that must still be available immediately, and SSE-S3 encrypts at rest with no per-request KMS charge. Its 90-day minimum storage duration and per-GB retrieval fee are no problem for 7-year retention with rare access.

Option B (S3 Glacier Deep Archive) is the cheapest storage class but its standard retrieval takes up to 12 hours, which fails the 'minutes' requirement. Option C (S3 Glacier Flexible Retrieval) needs minutes to hours (expedited retrievals are minutes but cost extra per request; standard retrievals take 3 to 5 hours), and SSE-KMS adds KMS request costs. Option D (S3 Standard-IA) meets the availability requirement but costs more per GB than Glacier Instant Retrieval, again with SSE-KMS cost on top.

61
MCQhard

A company uses Amazon EBS volumes for EC2 instances. The security team requires that all EBS volumes be encrypted at rest. The team creates an AWS Config rule to check whether EBS volumes are encrypted. However, some volumes are non-compliant even though they have encryption enabled. What is the most likely reason?

A.The volumes were created from unencrypted snapshots.
B.The volumes are encrypted with a different KMS key than the one specified in the Config rule.
C.The volumes are not encrypted at the time of creation, even though encryption is enabled later.
D.The Config rule is configured to check for a specific KMS key alias.
AnswerC

The rule evaluates each volume's own Encrypted attribute, which is fixed when the volume is created; enabling encryption afterwards (for example EBS encryption by default for the account) does not change volumes that already exist.

Why this answer

Option C is correct. The AWS Config managed rule encrypted-volumes checks the Encrypted attribute of each EBS volume attached to an EC2 instance, and that attribute is set at creation time and can never be changed. Turning on EBS encryption by default for the account, or any other later change, only affects volumes created afterwards; the rule does not look at the account-level default setting, only at the volumes themselves. To fix a non-compliant volume, take a snapshot, copy the snapshot with encryption enabled, create a new volume from the encrypted copy, and swap it onto the instance.

Option A is wrong because a volume created from an unencrypted snapshot can still be created encrypted (encryption is chosen when the volume is created), so the snapshot's state alone does not explain the result. Options B and D would only matter if the rule's optional kmsId parameter had been set to require a specific key, which the scenario does not state; with no parameter, the rule checks only whether the volume is encrypted at all.

62
MCQeasy

A company uses S3 to store sensitive customer data. Which AWS service can automatically discover and classify this data to help meet compliance requirements?

A.Amazon GuardDuty
B.AWS Config
C.Amazon CloudWatch
D.Amazon Macie
AnswerD

Amazon Macie automatically discovers and classifies sensitive data.

Why this answer

Amazon Macie uses machine learning and pattern matching to automatically discover, classify, and report sensitive data (for example PII and credentials) stored in S3. Option D is correct because Macie is designed for data discovery and classification. Option A is incorrect because GuardDuty focuses on threat detection.

Option B is incorrect because AWS Config tracks resource configuration changes. Option C is incorrect because CloudWatch monitors metrics and logs.

63
MCQhard

Refer to the exhibit. A security engineer is reviewing the bucket encryption configuration. The bucket is used to store sensitive data. The company policy requires that all objects be encrypted using AWS KMS with a customer managed key. What should the engineer do to meet the policy?

A.Enable the bucket key and set SSEAlgorithm to AES256
B.Use client-side encryption with a KMS key
C.Update the bucket encryption configuration to use SSEAlgorithm: aws:kms and specify a KMS key ID
D.Add a bucket policy that requires kms:Encrypt permission for all PutObject requests
AnswerC

Changes default encryption to SSE-KMS.

Why this answer

The exhibited configuration uses SSE-S3 (SSEAlgorithm AES256), which does not satisfy a policy that requires AWS KMS with a customer managed key. Option C is correct: update the bucket's default encryption to SSEAlgorithm aws:kms and set KMSMasterKeyID to the customer managed key's ARN. Omitting the key ID makes S3 fall back to the AWS managed key aws/s3, which is not a customer managed key. Enabling the S3 Bucket Key alongside this reduces KMS request cost. Default encryption applies only to objects written after the change; objects already in the bucket remain SSE-S3 until they are rewritten.

Option A is incorrect because AES256 is SSE-S3, and the bucket key only reduces KMS calls for SSE-KMS without changing the algorithm. Option B is incorrect because client-side encryption is not server-side encryption and does not change the bucket's default encryption. Option D is incorrect because a bucket policy cannot grant or require KMS permissions; at most it can deny uploads whose x-amz-server-side-encryption header is not aws:kms, which enforces the header on requests but does not set the bucket default.
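An added example, not part of the original page: the check below takes a bucket's default encryption configuration in the shape returned by GetBucketEncryption and reports every way it falls short of 'SSE-KMS with a customer managed key', then builds the configuration that satisfies it. The key ARNs are assumed, and the KEY_MANAGER table stands in for the KeyManager field that kms:DescribeKey would return, which is the only reliable way to tell a customer managed key from an AWS managed one when the configuration holds a key ARN rather than an alias.

```python
"""Check an S3 bucket's default encryption against 'SSE-KMS with a customer managed key'.

Added example. Inputs have the shape of a GetBucketEncryption response / PutBucketEncryption
request. The key ARNs and the KEY_MANAGER table (standing in for kms:DescribeKey) are assumed.
"""
from __future__ import annotations

# Assumed key ARNs for the example.
CMK_ARN = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
AWS_MANAGED_S3_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/aaaaaaaa-0000-0000-0000-aaaaaaaaaaaa"

# Stand-in for kms:DescribeKey(KeyId).KeyMetadata.KeyManager, which is "CUSTOMER" or "AWS".
KEY_MANAGER = {CMK_ARN: "CUSTOMER", AWS_MANAGED_S3_KEY_ARN: "AWS"}

# Both SSE-KMS and DSSE-KMS encrypt under a KMS key; AES256 is SSE-S3.
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}


def check_default_encryption(config: dict, key_manager: dict[str, str] = KEY_MANAGER) -> list[str]:
    """Return the policy violations found; an empty list means the bucket default is compliant."""
    rules = (config.get("ServerSideEncryptionConfiguration") or {}).get("Rules") or []
    if not rules:
        return ["no default encryption rule (S3 applies SSE-S3 to new objects)"]
    findings = []
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault") or {}
        algo = default.get("SSEAlgorithm")
        if algo not in KMS_ALGORITHMS:
            findings.append(f"SSEAlgorithm is {algo!r}, not SSE-KMS")
            continue
        key_id = default.get("KMSMasterKeyID")
        if not key_id:
            findings.append("no KMSMasterKeyID: S3 falls back to the AWS managed key aws/s3")
        elif key_id.startswith("alias/aws/") or ":alias/aws/" in key_id:
            findings.append(f"{key_id} is an AWS managed key alias, not a customer managed key")
        elif key_manager.get(key_id) != "CUSTOMER":
            manager = key_manager.get(key_id, "unknown")
            findings.append(f"{key_id} is not a customer managed key (KeyManager={manager})")
    return findings


def compliant_config(key_arn: str) -> dict:
    """Default-encryption configuration that meets the policy, in PutBucketEncryption shape.

    Note: this changes only objects written from now on; existing SSE-S3 objects must be
    rewritten (for example copied onto themselves) to be re-encrypted under the KMS key.
    """
    return {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": key_arn},
        # Bucket Key: one data key per bucket-level scope instead of one KMS call per object,
        # which cuts KMS request cost without loosening the key policy.
        "BucketKeyEnabled": True,
    }]}}


# Constructed: what the exhibit describes, SSE-S3 with AES256.
EXHIBIT_CONFIG = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}, "BucketKeyEnabled": False}]}}

# Constructed: SSE-KMS selected but no key given, so S3 would use the AWS managed key.
KMS_NO_KEY_CONFIG = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}


if __name__ == "__main__":
    for name, cfg in (("exhibit", EXHIBIT_CONFIG), ("kms-no-key", KMS_NO_KEY_CONFIG),
                      ("fixed", compliant_config(CMK_ARN))):
        print(name, "->", check_default_encryption(cfg) or "compliant")
```

The same function is what a custom Config rule or a periodic audit script would run over every bucket's GetBucketEncryption output; the KeyManager lookup is the step people skip, and skipping it lets a key ARN that happens to belong to aws/s3 pass as 'KMS'.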

64
Multi-Selecthard

A company is migrating on-premises file servers to Amazon EFS. The data must be encrypted at rest and in transit. Which THREE steps should the company take to meet these requirements?

Select 3 answers
A.Use a KMS customer managed key for encryption at rest
B.Use AWS Certificate Manager to issue a certificate
C.Install an SSL certificate on the EFS file system
D.Mount the EFS file system using TLS
E.Enable encryption at rest on the EFS file system
AnswersA, D, E

Customer managed keys allow control and rotation.

Why this answer

Options A, D, and E are correct. Encryption at rest is a property chosen when the EFS file system is created (it cannot be turned on later) and uses a KMS key; choosing a customer managed key gives control over the key policy, rotation, and auditing. Encryption in transit is TLS between the client and the mount target: mount with the EFS mount helper (amazon-efs-utils) and the tls mount option, which runs a local stunnel proxy. To enforce encryption in transit rather than merely allow it, add a file system policy that denies access when aws:SecureTransport is false.

Option C is wrong because you do not install certificates on a file system; EFS terminates TLS itself. Option B is wrong because AWS Certificate Manager issues certificates for services such as ELB, CloudFront, and API Gateway, and EFS mount encryption does not use them.

65
Multi-Selecthard

A company is using AWS KMS to encrypt data in Amazon S3 and Amazon RDS. Which THREE practices should be followed to ensure the security of the KMS keys?

Select 3 answers
A.Enable automatic key rotation for the KMS keys.
B.Disable automatic key rotation to maintain control over the key material.
C.Share the KMS key across multiple AWS accounts using cross-account access.
D.Use IAM policies and key policies to restrict access to the KMS key to only required principals.
E.Enable CloudTrail to log all KMS API calls.
AnswersA, D, E

Rotates backing keys annually.

Why this answer

Options A, D, and E are correct. Automatic rotation (yearly by default, with a configurable period) generates new key material while keeping the old material, so existing ciphertext still decrypts; it applies to symmetric keys with KMS-generated material, not to imported material or asymmetric keys, which must be rotated manually. Least-privilege key policies and IAM policies limit which principals can use the key, and CloudTrail provides the audit trail of every use.

Option B is wrong because disabling rotation gives up a control for no security gain; rotation does not take control away from you. Option C is wrong because cross-account access widens the set of principals and accounts that must be governed and is not a security measure in itself.

66
MCQhard

A security engineer is troubleshooting an issue where an Amazon RDS for MySQL DB instance is not encrypting data at rest. The DB instance was created without encryption. The engineer needs to enable encryption without significant downtime. What is the MOST effective approach?

A.Take a snapshot of the DB instance and enable encryption on the snapshot
B.Take a snapshot, copy it with encryption enabled, and restore a new DB instance from the encrypted snapshot
C.Modify the DB instance and enable encryption in the console
D.Create a read replica with encryption and promote it
AnswerB

Correct: This is the standard procedure to encrypt an unencrypted RDS instance.

Why this answer

Option B is correct because the only way to encrypt an unencrypted RDS instance is to take a snapshot, copy the snapshot with encryption enabled under the chosen KMS key, and restore a new instance from the encrypted copy; the application is then pointed at the new instance (or the instances are renamed so that the endpoint name stays the same). The downtime is limited to the cutover window. Option A is wrong because an existing snapshot's encryption state cannot be changed; copying is what produces an encrypted snapshot. Option C is wrong because encryption cannot be enabled by modifying an existing instance.

Option D is wrong because RDS does not allow an encrypted read replica of an unencrypted source instance.

67
MCQhard

A company uses AWS KMS to encrypt EBS volumes attached to EC2 instances. The security team wants to ensure that when an EC2 instance is terminated, the associated EBS volume is automatically deleted and the data is unrecoverable. However, the team also needs to retain the volume's data for 90 days for compliance purposes. What is the most secure and cost-effective approach?

A.Use Amazon Data Lifecycle Manager to create a snapshot and delete the volume after termination.
B.Before termination, create a snapshot of the volume, copy the snapshot encrypted with a new KMS key, then delete the volume and the original snapshot after 90 days.
C.Disable the KMS key used to encrypt the volume, then terminate the instance.
D.Configure the EC2 instance with 'DeleteOnTermination' attribute set to true and enable termination protection.
AnswerB

The snapshot copy with a new key ensures data is retained independently of the original volume and key.

Why this answer

Option B is correct because snapshotting the volume before termination, copying the snapshot under a different KMS key, and then deleting the volume and the original snapshot keeps the data for 90 days at snapshot (not volume) prices while the volume itself is gone. Because the retained copy is protected by its own key, deleting that snapshot and scheduling deletion of the key at the end of the 90 days makes the data cryptographically unrecoverable. Option A is wrong because Data Lifecycle Manager schedules snapshot creation and retention; it does not react to instance termination or delete volumes. Option C is wrong because disabling a key does not destroy data: the key can be re-enabled, and while disabled it also breaks every other volume encrypted under it.

Option D is wrong because DeleteOnTermination discards the data instead of retaining it, and termination protection only blocks termination.

68
MCQeasy

A company uses Amazon RDS for MySQL to store customer data. The security team wants to ensure that the database is encrypted at rest. The database is already running and contains production data. The team needs to enable encryption at rest with minimal downtime. What should they do?

A.Create a read replica with encryption enabled, promote it to a standalone instance, and update the application connection string
B.Attach an encrypted EBS volume to the RDS instance
C.Take a snapshot of the database, copy the snapshot with encryption enabled, and restore the encrypted snapshot to a new instance
D.Modify the existing DB instance and enable encryption using the AWS CLI
AnswerC

An unencrypted RDS instance cannot be encrypted in place; copy a snapshot with encryption enabled and restore it.

Why this answer

Option C is correct. Encryption at rest is chosen when an RDS instance is created and cannot be added afterwards, so the path is: take a snapshot, copy it with encryption enabled under the chosen KMS key, restore the encrypted copy as a new instance, then cut the application over (renaming the instances lets the original endpoint name be kept). The downtime is the cutover window; stopping writes only just before the final snapshot keeps it short. Option A is wrong because RDS does not allow an encrypted read replica of an unencrypted source instance, so a replica cannot be used to add encryption.

Option B is wrong because RDS storage is managed by the service; you cannot attach EBS volumes to a DB instance. Option D is wrong because modifying an existing DB instance cannot enable encryption.

69
MCQmedium

A company uses AWS KMS to encrypt data in Amazon Redshift. The security team needs to ensure that the KMS key cannot be deleted accidentally. What should be done?

A.Attach a key policy that denies deletion
B.Set a deletion window of at least 7 days
C.Disable the KMS key
D.Enable automatic key rotation
AnswerB

A deletion window provides a waiting period before deletion.

Why this answer

Option B is correct. A KMS key cannot be deleted immediately: ScheduleKeyDeletion requires a pending window of 7 to 30 days (30 by default), the key is unusable during the window, and the deletion can be cancelled with CancelKeyDeletion at any point before it expires. Setting the longest window and alarming on ScheduleKeyDeletion events (CloudTrail via EventBridge) is the practical safeguard against accidental loss. Option A is wrong because, although a key policy can deny kms:ScheduleKeyDeletion to specific principals, anyone allowed to edit the key policy can remove that statement, whereas the waiting period is enforced by KMS itself.

Option C is wrong because disabling a key stops it from being used but does not prevent deletion from being scheduled. Option D is wrong because rotation changes the key material and has nothing to do with deletion.

70
MCQhard

A security engineer applies the above S3 bucket policy. An application tries to upload an object with the header "x-amz-server-side-encryption: AES256". What will happen?

A.The upload succeeds because the policy allows SSE-S3.
B.The upload fails because the encryption header does not match 'aws:kms'.
C.The upload succeeds because the object is encrypted.
D.The upload fails because the header is missing.
AnswerB

The first statement denies non-KMS encryption headers.

Why this answer

Option B is correct. The first statement denies s3:PutObject when the s3:x-amz-server-side-encryption condition key is not "aws:kms". The request carries "AES256", which does not equal "aws:kms", so the StringNotEquals condition is true and the explicit deny applies; an explicit deny wins over any allow the caller's IAM policies might grant.

The second statement denies when the header is absent (Null condition true); here the header is present, so that statement does not match. The request is therefore denied by the first statement, and note that a request with no header at all would be denied as well.
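The exhibit is not reproduced on this page, so as an added example (not the original policy) the two deny statements below are reconstructed from the explanation above, with the bucket name example-bucket assumed. The small evaluator implements only the two condition operators the policy uses and shows what happens to uploads with AES256, with no header, and with aws:kms, including the case where both statements match the same request.

```python
"""Evaluate S3 PutObject requests against a deny-unless-SSE-KMS bucket policy.

Added example; the statements are reconstructed from the explanation on this page and the
bucket name example-bucket is assumed. Only the operators the policy uses are implemented.
"""
from __future__ import annotations

from fnmatch import fnmatchcase

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}

# HTTP request headers that S3 exposes as policy condition keys.
HEADER_TO_KEY = {"x-amz-server-side-encryption": "s3:x-amz-server-side-encryption"}


def request_context(headers: dict[str, str]) -> dict[str, str]:
    """Build the condition-key context from the request headers (header names are case-insensitive)."""
    return {HEADER_TO_KEY[h.lower()]: v for h, v in headers.items() if h.lower() in HEADER_TO_KEY}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _condition_matches(operator: str, key: str, expected, ctx: dict[str, str]) -> bool:
    values = _as_list(expected)
    present = key in ctx
    if operator == "Null":
        # Null:"true" matches when the key is absent from the request, "false" when present.
        return present != (str(values[0]).lower() == "true")
    if operator == "StringEquals":
        return present and ctx[key] in values
    if operator == "StringNotEquals":
        # Negated operators also match when the key is absent (IAM semantics); the policy's
        # Null statement makes the missing-header case explicit regardless.
        return (not present) or ctx[key] not in values
    raise NotImplementedError(operator)


def statement_matches(stmt: dict, action: str, resource: str, ctx: dict[str, str]) -> bool:
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for operator, keys in (stmt.get("Condition") or {}).items():
        for key, expected in keys.items():
            if not _condition_matches(operator, key, expected, ctx):
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, headers: dict[str, str]) -> tuple[str, list[str]]:
    """Return ("DENY", [matching Sids]) if any Deny statement matches, else ("NOT_DENIED", []).

    NOT_DENIED is not an allow: the request then still needs an Allow from the caller's
    IAM policies (or another bucket policy statement) to succeed.
    """
    ctx = request_context(headers)
    denied_by = [stmt["Sid"] for stmt in policy["Statement"]
                 if stmt["Effect"] == "Deny" and statement_matches(stmt, action, resource, ctx)]
    return ("DENY", denied_by) if denied_by else ("NOT_DENIED", [])


OBJECT = "arn:aws:s3:::example-bucket/reports/q1.csv"  # assumed object key

if __name__ == "__main__":
    for hdrs in ({"x-amz-server-side-encryption": "AES256"}, {}, {"x-amz-server-side-encryption": "aws:kms"}):
        print(hdrs or "<no header>", "->", evaluate(BUCKET_POLICY, "s3:PutObject", OBJECT, hdrs))
```

Two details worth noticing when running it: the missing-header upload is caught by both statements, which is why the second statement is belt-and-braces rather than strictly necessary, and StringNotEquals is an exact comparison, so a DSSE-KMS upload (header value aws:kms:dsse) is also denied by this policy even though it uses a KMS key.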

71
MCQmedium

A security engineer is reviewing a KMS key policy. What does this policy accomplish?

A.Allow the SecurityAudit role to decrypt and re-encrypt data only from the same AWS account
B.Deny decryption to the SecurityAudit role
C.Allow the SecurityAudit role to use the key only for specific KMS keys
D.Allow any user from account 123456789012 to use the key
AnswerA

Condition restricts to account 123456789012.

Why this answer

Option A is correct because the statement allows the SecurityAudit role to decrypt and re-encrypt, and its condition (the usual key for this is kms:CallerAccount) limits use to requests coming from account 123456789012. Option B is wrong because the effect is Allow, not Deny. Option D is wrong because the Principal is the SecurityAudit role, not every user in the account; the account condition narrows the role's use, it does not widen the principal.

Option C is wrong because a key policy applies only to the key it is attached to, so it cannot select 'specific KMS keys'; the condition restricts the calling account, not resources.

72
MCQeasy

A company needs to ensure that data in transit between an EC2 instance and an RDS database is encrypted. Which solution meets this requirement?

A.Use a VPN connection between the VPC and the database
B.Enable encryption at rest on the RDS instance
C.Enable SSL/TLS on the database connection
D.Use client-side encryption on the application
AnswerC

SSL/TLS encrypts data in transit.

Why this answer

Option C is correct: SSL/TLS encrypts the database session (credentials, queries, and results) between the client and the RDS endpoint. To enforce it rather than merely allow it, set require_secure_transport=1 in the MySQL parameter group (rds.force_ssl=1 for PostgreSQL) and have the client verify the server certificate against the RDS CA bundle. Option B is wrong because encryption at rest does not protect data in transit. Option A is wrong because a VPN protects traffic between networks; traffic between an EC2 instance and an RDS instance in the same VPC never traverses a VPN tunnel.

Option D is wrong because client-side encryption protects individual values at rest and requires application changes, while the database connection itself would still carry credentials and queries in the clear.

73
MCQmedium

A company needs to protect sensitive data in Amazon S3 from accidental deletion or overwriting. The data must be retained for at least 7 years after creation. Which combination of S3 features should be used?

A.Enable S3 Versioning and enable S3 Object Lock in Compliance mode
B.Use S3 Intelligent-Tiering and lifecycle policies
C.Enable S3 Versioning and MFA Delete
D.Enable S3 Object Lock in Governance mode and configure a lifecycle policy to expire objects after 7 years
AnswerD

Governance mode allows some users to bypass lock if needed, and lifecycle expiration can delete after retention period.

Why this answer

Option D is correct because Object Lock (which requires versioning) makes locked object versions immutable until their retain-until date: in Governance mode ordinary users cannot delete or overwrite them, and only principals explicitly granted s3:BypassGovernanceRetention can, which addresses accidental loss while keeping a controlled escape hatch; a lifecycle rule then expires objects once the 7-year retention has passed. Option A would also protect the data, but Compliance mode cannot be shortened or overridden by anyone, including the account root user, so it is the choice when regulation demands that even administrators be blocked rather than the minimal answer for accidental deletion. Option B only manages storage classes and cost.

Option C only protects against accidental deletion of versions and changes to the versioning configuration; it does not enforce a retention period.

74
MCQhard

A company uses AWS KMS with a customer managed key to encrypt an S3 bucket. The security team notices that the KMS key is being used by an unintended IAM role. What is the MOST effective way to restrict the key usage to only the intended role?

A.Remove the default key policy and attach an IAM policy to the intended role
B.Use an S3 bucket policy to restrict access to the intended role
C.Modify the key policy to allow only the intended role and deny all others
D.Create a new KMS key and attach a new key policy
AnswerC

A key policy can explicitly allow only the intended role.

Why this answer

Option C is correct. The key policy is the authoritative access control for a KMS key, so narrowing the Principal of the key-usage statement to the intended role (or adding an aws:PrincipalArn condition) is the most effective fix; before cutting access, check CloudTrail for which principals currently use the key so that nothing legitimate breaks. Option A is wrong because every KMS key always has a key policy that cannot be removed, and IAM policies only work when the key policy delegates to IAM; that delegation (the default 'Enable IAM User Permissions' statement) is typically exactly what let the unintended role in, so it should be removed or narrowed, not relied on. Option B is wrong because a bucket policy governs S3 object access, not KMS use; the role could still call KMS directly.

Option D is wrong because creating a new key does nothing about the existing key and would require re-encrypting every object under the new one.

75
MCQeasy

A company wants to protect data in transit between an on-premises data center and Amazon S3. Which AWS service should be used to establish a dedicated, encrypted connection?

A.AWS Direct Connect without VPN
B.AWS Transit Gateway
C.AWS Direct Connect with an IPsec VPN
D.AWS Site-to-Site VPN over the internet
AnswerC

Dedicated, encrypted.

Why this answer

Option C is correct: AWS Direct Connect provides the dedicated private link, and running an IPsec Site-to-Site VPN over it adds encryption (S3 API traffic is additionally TLS at the application layer). Option A is dedicated but carries traffic unencrypted at the link layer; MACsec is available only on certain dedicated connections. Option B (Transit Gateway) is a routing hub for VPCs and on-premises attachments, not a connection. Option D is encrypted but rides the public internet rather than a dedicated circuit.

