CCNA Data Protection Questions

75 of 303 questions · Page 2/5 · Data Protection topic · Answers revealed

76
Multi-Select · hard

A company needs to protect data in Amazon S3 by ensuring that only authorized users can access objects, and all access is logged. Which TWO services should be used together? (Choose TWO.)

Select 2 answers
A. AWS Identity and Access Management (IAM)
B. AWS CloudTrail
C. AWS KMS
D. AWS WAF
E. Amazon CloudWatch
Answers: A, B

IAM policies define who can access S3 objects.

Why this answer

AWS Identity and Access Management (IAM) is correct because it enables you to define granular permissions for S3 objects, ensuring that only authorized users or roles can access them via IAM policies or S3 bucket policies. AWS CloudTrail is correct because it logs all API calls made to S3, including object-level operations like GetObject and PutObject, providing an audit trail for access. Together, they satisfy the requirement of controlling access and logging all access.

Exam trap

The trap here is that candidates often confuse AWS KMS with access control because encryption is related to data protection, but KMS does not authorize user access or log access events, which are the core requirements in this question.

77
MCQ · easy

A company wants to encrypt data stored in Amazon S3 using server-side encryption with customer-provided keys (SSE-C). Which statement is correct regarding SSE-C?

A. The customer provides the encryption key in each request to S3.
B. AWS manages the encryption keys.
C. The same encryption key is used for all objects in the bucket.
D. The encryption key is stored in AWS KMS.
Answer: A

With SSE-C, you must include the encryption key in each request to upload or download an object.

Why this answer

SSE-C requires the customer to provide the encryption key and its MD5 digest in every PUT or GET request to Amazon S3. S3 uses the key to encrypt the object at rest and then discards the key; it is never stored by AWS. This ensures the customer retains full control over the encryption key material.

Exam trap

The trap here is that candidates confuse SSE-C with SSE-S3 or SSE-KMS, assuming AWS manages the keys or that keys are stored in KMS, when in fact SSE-C requires the customer to supply the key with every request and AWS never retains it.

How to eliminate wrong answers

Option B is wrong because SSE-C explicitly does not involve AWS managing the keys; the customer provides and manages the key. Option C is wrong because SSE-C requires a unique encryption key per request; the same key is not reused for all objects in the bucket unless the customer deliberately sends the same key each time. Option D is wrong because the encryption key is not stored in AWS KMS; SSE-C keys are provided by the customer in each request and are not persisted by AWS.

78
MCQ · easy

A company needs to encrypt data at rest in its Amazon EBS volumes. The company wants to use an encryption key that is automatically rotated every year without any manual intervention. Which key type should be used?

A. Imported key material in a customer managed key
B. AWS managed key for EBS
C. Customer managed key with manual rotation
D. Default EBS encryption using an AWS managed key
Answer: B

AWS managed keys are automatically rotated annually.

Why this answer

AWS managed keys are automatically rotated annually. Customer managed keys can have automatic rotation enabled, but the question implies a managed solution. Option B is correct.

Option A is incorrect because imported key material does not support automatic rotation. Option C is incorrect because a customer managed key rotates automatically only if automatic rotation is enabled; manual rotation requires intervention. Option D is incorrect because the default EBS encryption uses an AWS managed key, but the question asks for the key type.

79
MCQ · easy

A company needs to ensure that data in transit between an on-premises data center and Amazon S3 is encrypted. Which AWS service should be used to establish a dedicated encrypted connection?

A. AWS Transit Gateway
B. AWS Site-to-Site VPN
C. AWS Direct Connect with VPN
D. AWS Client VPN
Answer: C

Dedicated private connection with encryption.

Why this answer

AWS Direct Connect provides a dedicated, private network connection from an on-premises data center to AWS, but it does not inherently encrypt data in transit. By combining Direct Connect with a VPN (IPsec tunnel), you get both a dedicated connection and encryption of all traffic between the on-premises network and Amazon S3. This ensures data in transit is protected while avoiding the public internet.

Exam trap

The trap here is that candidates often assume Direct Connect alone provides encryption, but it does not; it only provides a private, dedicated physical link. Encryption must be added via a VPN overlay, which is why the combination is the correct answer.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway is a network transit hub that connects VPCs and on-premises networks, but it does not itself provide encryption or a dedicated connection; it can route traffic over VPN or Direct Connect but is not the service that establishes the encrypted link. Option B is wrong because AWS Site-to-Site VPN uses the public internet to create an encrypted tunnel, which does not provide a dedicated connection; it relies on internet routing and can suffer from variable latency and bandwidth. Option D is wrong because AWS Client VPN is a managed remote access VPN service for individual clients (e.g., laptops) to connect to AWS, not for establishing a dedicated encrypted connection between an entire on-premises data center and S3.

80
MCQ · easy

A company is migrating sensitive data to Amazon S3. The data must be encrypted at rest using keys managed by the company. The company also requires an audit trail of key usage. Which solution meets these requirements?

A. Use SSE-S3 with default encryption.
B. Use SSE-C and store the keys in AWS Secrets Manager.
C. Use SSE-KMS with a customer-managed key and enable CloudTrail for KMS.
D. Use AWS CloudHSM to generate and store keys, and use Amazon S3 with SSE-KMS.
Answer: C

Customer-managed KMS keys provide audit via CloudTrail.

Why this answer

Option C is correct because AWS KMS with a customer-managed key provides encryption at rest and integrates with AWS CloudTrail to log every use of the key. Option A is wrong because SSE-S3 uses Amazon-managed keys, giving no customer control or audit trail. Option B is wrong because SSE-C does not provide key usage auditing.

Option D is wrong because CloudHSM can be used but requires more effort for audit; KMS is simpler.

81
MCQ · medium

A company needs to encrypt data at rest in Amazon S3 using customer-provided encryption keys. The keys must be stored securely and rotated automatically every 90 days. Which solution meets these requirements?

A. Use SSE-C and upload new keys to S3 every 90 days.
B. Use AWS KMS with a customer-managed key (CMK) and enable automatic key rotation.
C. Use SSE-S3 and enable automatic key rotation in the S3 bucket properties.
D. Use AWS CloudHSM and generate a new key every 90 days via a custom script.
Answer: B

KMS CMKs support automatic rotation every 90 days (or yearly).

Why this answer

Option B is correct because AWS KMS with customer-managed keys (CMK) allows automatic key rotation every 90 days (or yearly if managed by KMS). Option A is wrong because SSE-C requires customers to provide keys but does not offer automatic rotation. Option C is wrong because SSE-S3 uses Amazon-managed keys with automatic rotation of 90 days, but the keys are not customer-provided.

Option D is wrong because CloudHSM requires manual key rotation.

82
Multi-Select · medium

Which TWO of the following are valid ways to enforce encryption at rest for data in Amazon S3? (Choose TWO.)

Select 2 answers
A. Use SSL/TLS
B. Use IAM policies
C. Use AWS CloudTrail
D. Use SSE-KMS
E. Use SSE-C
Answers: D, E

SSE-KMS uses KMS keys for encryption.

Why this answer

SSE-KMS and SSE-C are both methods for encrypting objects at rest. Option A is wrong because SSL/TLS protects data in transit, not at rest. Option B is wrong because IAM policies control access, not encryption.

Option C is wrong because CloudTrail provides logging, not encryption.

83
Multi-Select · medium

A company is using Amazon RDS for PostgreSQL with encryption at rest using AWS KMS. The security team wants to ensure that only a specific set of IAM roles can manage the KMS key used for encryption. Which TWO steps should the team take?

Select 2 answers
A. Attach an IAM policy to the IAM roles that grants kms:Encrypt and kms:Decrypt
B. Modify the KMS key policy to allow the specific IAM roles to use the key
C. Attach an IAM policy to the IAM roles that grants kms:Decrypt only
D. Create an S3 bucket policy to restrict access to the KMS key
E. Use a VPC endpoint policy to restrict access to the KMS key
Answers: A, B

IAM policies can grant permissions if the key policy allows it.

Why this answer

Option A (attach an IAM policy to the roles granting kms:Encrypt and kms:Decrypt) and Option B (modify the KMS key policy to allow the specific IAM roles to use the key) are correct. KMS key policies control who can use the key, and IAM policies grant permissions to roles. Option D is wrong because RDS does not use an S3 bucket policy.

Option C is wrong because only the key policy can grant kms:Decrypt; an IAM policy alone cannot if the key policy restricts it. Option E is wrong because VPC endpoint policies control network access, not permissions.

84
MCQ · easy

Refer to the exhibit. A security engineer runs the above AWS CLI command to encrypt a secret file. The command succeeds and returns a base64-encoded ciphertext. Which of the following statements is correct?

A. The command returns a plaintext data key and an encrypted copy.
B. The command will fail because fileb:// is not a valid prefix.
C. The command returns a base64-encoded ciphertext that can be decrypted with the same KMS key.
D. The command will fail because encryption context is required.
Answer: C

The encrypt API returns base64-encoded ciphertext.

Why this answer

Option C is correct. The command encrypts the plaintext file using the specified KMS key and returns the ciphertext as base64-encoded output. Option D is wrong because the command does not specify an encryption context; it is optional.

Option B is wrong because the command uses fileb://, which reads binary data; it will succeed if the file exists. Option A is wrong because the output is the ciphertext, not a data key.

85
MCQ · medium

A company uses AWS Secrets Manager to rotate database credentials automatically. The security team wants to ensure that while the secret is being rotated, applications can always retrieve a valid credential. Which rotation strategy should be used?

A. Use AWS IAM database authentication instead.
B. Use a single user rotation with immediate update.
C. Disable automatic rotation and manually update credentials.
D. Use the alternating users rotation strategy.
Answer: D

This strategy maintains two sets of credentials ensuring availability during rotation.

Why this answer

Option D is correct because the alternating users strategy creates two sets of credentials, so during rotation one set remains valid. Option B is wrong because it may cause downtime while the single credential is updated. Option C is wrong because disabling rotation defeats the purpose.

Option A is wrong because IAM database authentication doesn't use secrets managed by Secrets Manager.

86
MCQ · hard

A financial services company uses AWS KMS to encrypt sensitive data. The security team has a requirement to rotate the CMK every 90 days and to maintain a record of all previous key versions for decryption of historical data. The team creates a new CMK every 90 days and manually updates applications to use the new key. This process is error-prone and causes downtime. What is the MOST operationally efficient solution that meets the requirements?

A. Enable automatic key rotation on the existing CMK.
B. Create a new CMK every 90 days and update the alias to point to the new key. Applications reference the alias.
C. Use a CMK with imported key material and rotate the material every 90 days.
D. Continue creating new CMKs but use a script to update the application configuration files.
Answer: B

Alias updates are immediate and do not require application changes; old keys remain available for decryption.

Why this answer

Option B is correct because it uses aliases to decouple the key identifier from the application configuration. By creating a new CMK every 90 days and updating the alias to point to the new key, applications that reference the alias automatically use the new key without code changes, eliminating downtime. AWS KMS aliases are mutable pointers that can be reassigned to different CMKs, and the old key versions remain available for decryption of historical data.

Exam trap

The trap here is that candidates often confuse automatic key rotation (which only rotates backing keys within the same CMK) with creating a new CMK and using aliases, failing to recognize that automatic rotation does not meet a 90-day schedule and does not create a separate CMK for audit or compliance purposes.

How to eliminate wrong answers

Option A is wrong because automatic key rotation on an existing CMK creates new backing key versions every year (not 90 days) and does not create a new CMK; it only rotates the cryptographic material within the same CMK, which does not meet the 90-day rotation requirement. Option C is wrong because using a CMK with imported key material and rotating the material every 90 days still does not create a new CMK; it only replaces the key material within the same CMK, and the old key material is deleted, preventing decryption of historical data. Option D is wrong because it continues the error-prone manual process of updating application configuration files, which causes downtime and operational overhead, and does not leverage AWS KMS aliases for a seamless transition.

87
MCQ · hard

A financial services company must ensure that all data written to Amazon S3 is encrypted at rest and that the encryption keys are rotated every 90 days. The company also needs to maintain an audit trail of when keys were used. Which solution meets these requirements with the least operational overhead?

A. Use SSE-S3 with default encryption enabled
B. Use SSE-C with customer-provided keys and rotate keys using a Lambda function
C. Use SSE-KMS with a customer managed key and enable automatic key rotation
D. Use client-side encryption with the AWS Encryption SDK
Answer: C

KMS allows automatic yearly rotation and CloudTrail logs key usage.

Why this answer

Option C (SSE-KMS with a customer managed key and automatic key rotation) is correct because it provides encryption, automatic rotation every 365 days (the maximum allowed), and CloudTrail logs for auditing. Option A is wrong because SSE-S3 does not provide key rotation control. Option B is wrong because SSE-C requires manual key management.

Option D is wrong because client-side encryption adds overhead and does not leverage AWS key rotation.

88
MCQ · easy

A startup is building a web application on AWS and needs to protect sensitive customer data at rest in an Amazon RDS for MySQL database. The compliance team requires that the encryption keys be managed by the company's on-premises hardware security module (HSM) and be rotated every 6 months. Which solution should the startup use?

A. Use AWS CloudHSM to store the encryption keys and enable RDS encryption with CloudHSM.
B. Use AWS KMS with a customer master key (CMK) and import key material from the on-premises HSM.
C. Store the encryption keys in AWS Secrets Manager and use them to encrypt the database.
D. Use AWS KMS with a custom key store backed by AWS CloudHSM.
Answer: A

CloudHSM provides a dedicated HSM that you control, and RDS can be encrypted using keys from CloudHSM.

Why this answer

AWS CloudHSM provides a dedicated hardware security module (HSM) that lets you manage encryption keys directly, in the same way as an on-premises HSM, meeting the requirement for key management on the company's own HSM. When you enable Amazon RDS for MySQL encryption with CloudHSM, the database encryption keys are stored and managed in the CloudHSM cluster, and you can rotate them every 6 months as required. This solution directly satisfies the compliance team's mandate for on-premises HSM key management and periodic rotation.

Exam trap

The trap here is that candidates confuse AWS CloudHSM (a dedicated HSM service where you manage keys directly) with AWS KMS custom key stores (which also use CloudHSM but are managed through KMS), leading them to choose option D, which does not allow the company to manage keys on their own on-premises HSM.

How to eliminate wrong answers

Option B is wrong because AWS KMS with imported key material does not allow the key to be managed by the company's on-premises HSM; the key material is imported into KMS, but the HSM is not used for ongoing key operations or rotation. Option C is wrong because AWS Secrets Manager is a service for storing secrets, not for managing encryption keys for RDS encryption, and it does not integrate with an on-premises HSM for key management. Option D is wrong because a custom key store backed by AWS CloudHSM uses CloudHSM as the key store, but the keys are still managed by AWS KMS, not directly by the company's on-premises HSM, and the compliance team requires the keys to be managed by their own on-premises HSM, not an AWS-managed CloudHSM.

89
MCQ · medium

A company uses AWS KMS to encrypt data in Amazon S3. The security team needs to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. What is the most secure way to enforce this restriction?

A. Apply an S3 bucket policy that denies all principals except the IAM role
B. Set a KMS key policy that grants kms:Decrypt only to the IAM role
C. Use S3 access logs to monitor unauthorized decryption attempts
D. Attach an IAM policy to the role granting kms:Decrypt permission
Answer: B

Key policy directly controls who can use the key.

Why this answer

Option B is correct because a KMS key policy with a condition for the IAM role provides fine-grained access control. Option A is wrong because bucket policies alone do not control KMS decryption. Option D is wrong because IAM policies alone can be attached to many principals.

Option C is wrong because S3 access logs do not enforce permissions.

90
MCQ · medium

A company wants to encrypt data at rest in Amazon S3 using server-side encryption. They must manage the encryption keys themselves and rotate them annually. Which S3 encryption option should they use?

A. SSE-S3
B. SSE-KMS with AWS managed key
C. SSE-C
D. Client-side encryption
Answer: C

SSE-C allows customers to provide and manage their own encryption keys, including rotation.

Why this answer

SSE-C allows customers to provide their own encryption keys and manage rotation. SSE-S3 uses AWS-managed keys (no customer control). SSE-KMS uses KMS keys but AWS manages rotation unless using customer-managed keys with automatic rotation.

Option C is correct because SSE-C gives full control over key management and rotation.

91
MCQ · easy

Refer to the exhibit. An AWS KMS key policy includes the statement shown. The AdminRole tries to decrypt a ciphertext that was encrypted using the same KMS key with encryption context 'department=engineering'. What will happen?

A. The decrypt operation succeeds because the role has kms:Decrypt permission.
B. The decrypt operation succeeds because the encryption context is ignored during decryption.
C. The decrypt operation fails because the policy does not allow kms:Decrypt without matching context.
D. The decrypt operation fails because the encryption context does not match the condition.
Answer: D

The condition 'department=finance' is not met, so access is denied.

Why this answer

Option D is correct because the KMS key policy includes a condition that requires the encryption context to match 'department=engineering'. When the AdminRole attempts to decrypt the ciphertext, the encryption context used during decryption must exactly match the context used during encryption. Since the policy enforces this condition with a kms:EncryptionContextKeys condition key, the decrypt operation fails if the context does not match, even though the role has kms:Decrypt permission.

Exam trap

The trap here is that candidates assume kms:Decrypt permission alone is sufficient for decryption, overlooking that encryption context conditions in the key policy can override the permission and cause a failure even when the IAM role has the correct action allowed.

How to eliminate wrong answers

Option A is wrong because having kms:Decrypt permission alone is insufficient; the policy also includes a condition that restricts decryption to requests with a matching encryption context. Option B is wrong because the encryption context is not ignored during decryption; AWS KMS requires the same encryption context to be provided for decryption as was used during encryption, and the policy enforces this with a condition. Option C is wrong because the policy does allow kms:Decrypt, but only when the encryption context matches; the failure is due to the context mismatch, not a lack of permission.

92
Multi-Select · hard

A company is designing a data protection strategy for Amazon EFS file systems. The security team requires encryption at rest and in transit. Additionally, the team needs to control which KMS keys can be used to encrypt the file system. Which THREE steps should the team take?

Select 3 answers
A. Configure a KMS key policy that allows the EFS service to use the key.
B. Enable encryption at rest using a customer-managed KMS key when creating the EFS file system.
C. Enable default encryption on the EFS file system using SSE-S3.
D. Use an IAM policy to restrict which users can create encrypted file systems.
E. Enable encryption of data in transit using the mount helper's tls option on the client.
Answers: A, B, E

Key policy must grant EFS permissions to use the key.

Why this answer

Option B is correct because EFS supports encryption at rest using a KMS key. Option E is correct because enabling encryption of data in transit using TLS is a separate setting. Option A is correct because a KMS key policy can restrict which keys can be used for EFS.

Option C is wrong because EFS does not support SSE-S3. Option D is wrong because IAM policies for users can restrict KMS actions, but the key policy is more direct.

93
MCQ · hard

A company uses AWS CloudHSM to generate and store encryption keys for a custom application. The application runs on Amazon EC2 instances and uses the PKCS#11 interface to interact with the HSM. The security team recently discovered that a former employee may have obtained a copy of the cryptographic materials from the HSM. What should the security team do to minimize the impact?

A. Use AWS KMS to create a new key and re-encrypt all data. Then revoke the old key.
B. Delete the CloudHSM backup from the backup service. Then rotate all keys that were stored in the HSM.
C. Change the HSM administrator password and the crypto user passwords.
D. Delete the HSM cluster and create a new one. Restore the backup from a known good time.
Answer: B

Deleting the backup prevents restoration of the compromised material; rotating keys invalidates the copied material.

Why this answer

Option B is correct because the CloudHSM backup contains the cryptographic material; deleting the backup ensures the former employee cannot restore the HSM's contents. Option D is wrong because deleting the HSM cluster does not delete the backup automatically. Option C is wrong because changing the HSM credentials does not invalidate the copied material.

Option A is wrong because KMS cannot revoke keys stored in CloudHSM.

94
MCQ · hard

A company uses Amazon SQS to decouple its microservices. The messages contain personally identifiable information (PII). The security team requires that all messages be encrypted at rest. Currently, SQS is configured with SSE enabled using a customer managed KMS key. However, the team discovers that some messages are still being stored in plaintext in the dead-letter queue (DLQ) after the maximum receives are exceeded. The DLQ is also an SQS queue. What is the MOST likely reason?

A. The source queue's SSE is configured with an AWS managed KMS key, which does not support cross-account DLQ.
B. The DLQ does not have SSE enabled, so messages are stored in plaintext.
C. The source queue's SSE configuration uses a different KMS key than the DLQ, causing decryption failure.
D. The KMS key policy does not allow the SQS service to decrypt the messages before moving them to the DLQ.
Answer: B

If the DLQ does not have SSE, messages will be stored unencrypted.

Why this answer

Option B is correct. If the DLQ does not have SSE enabled, or if it uses a different KMS key that is not accessible, messages may be stored in plaintext. Option D is wrong because the KMS key policy does not affect encryption of the source queue if the DLQ is not encrypted.

Option A is wrong because the DLQ is a separate queue; the source queue's encryption does not apply to it. Option C is wrong because the source queue is already encrypted; the issue is the DLQ.

95
MCQ · hard

A company uses AWS KMS to encrypt data in Amazon RDS. The security team discovers that a developer accidentally deleted a customer master key (CMK) used for RDS encryption. What is the impact on the RDS instances that were encrypted with that key?

A. The RDS instances will become inaccessible and data will be lost
B. The key deletion can be reversed within 30 days
C. The RDS instances will be automatically re-encrypted with a new key
D. The RDS instances will continue to operate normally
Answer: A

Without the key, the encrypted data cannot be decrypted.

Why this answer

Option A is correct because deleting a KMS key renders encrypted RDS instances unrecoverable. Option D is wrong because the data is permanently inaccessible. Option C is wrong because you cannot simply re-encrypt without the original key.

Option B is wrong because the key deletion is not reversible after the scheduled deletion period.

96
MCQ · medium

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that if a KMS key is disabled, all subsequent attempts to decrypt data encrypted with that key fail. What is the BEST way to achieve this?

A. Rotate the KMS key immediately.
B. Revoke all grants associated with the KMS key.
C. Disable the KMS key.
D. Delete the KMS key.
Answer: C

Disabling a key prevents all cryptographic operations, including decryption, until re-enabled.

Why this answer

Option C is correct because disabling a KMS key immediately prevents use of that key for decryption. Option D is wrong because deleting a key is irreversible and may cause permanent data loss. Option A is wrong because key rotation does not affect access to the key.

Option B is wrong because revoking grants does not affect the key's ability to decrypt data encrypted with the key itself.

97
MCQ · hard

A financial services company uses AWS KMS to encrypt sensitive data in S3 and RDS. The security team requires a centralized audit trail of all KMS key usage, including key creation, deletion, and cryptographic operations. The audit logs must be stored in a separate AWS account for compliance. The team has enabled CloudTrail in the management account and configured a trail that logs to an S3 bucket in the audit account. However, they notice that KMS events such as Decrypt and GenerateDataKey are not appearing in the CloudTrail logs. The KMS key policy includes the following statement: {"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::management-account:root"},"Action":"kms:*","Resource":"*"}. What is the MOST likely reason for the missing KMS events?

A. The S3 bucket in the audit account does not have a bucket policy allowing writes from CloudTrail.
B. CloudTrail is not configured to log KMS data events.
C. CloudTrail does not log KMS Decrypt and GenerateDataKey events.
D. The KMS key policy does not grant CloudTrail permission to log events.
Answer: B

KMS data events are not logged by default; they must be explicitly enabled in the trail settings.

Why this answer

Option B is correct because KMS data events (like Decrypt and GenerateDataKey) are not logged unless CloudTrail is configured to capture them. Option C is wrong because CloudTrail can log these KMS events, but they are data events and must be explicitly enabled. Option D is wrong because the key policy grants full access to the management account, so it is sufficient.

Option A is wrong because cross-account access is not the issue; the trail is logging to an S3 bucket in the audit account, but that does not affect which events are logged.

98
MCQ · medium

A company is using AWS KMS to encrypt S3 objects. The security team wants to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. Which KMS key policy configuration should be used?

A. Add a condition that allows decrypt only when kms:ViaService is s3.amazonaws.com and the caller role matches the specific role ARN.
B. Use an S3 bucket policy that denies decrypt for all principals except the specific IAM user.
C. Configure the IAM role with a policy that allows kms:Decrypt for the specific KMS key.
D. Attach a resource-based policy to the S3 bucket that grants decrypt permission to the IAM role.
Answer: A

Correctly restricts decrypt to the role via S3.

Why this answer

Option A is correct because the kms:ViaService condition restricts key usage to requests originating from S3, and kms:CallerRole can be used to restrict it to a specific role. Option C is wrong because it grants blanket decrypt to the role without conditions. Option D is wrong because it grants decrypt to all roles.

Option B is wrong because it restricts to a specific user, not a role.

99
MCQ · hard

A company uses Amazon S3 to store sensitive documents. They must ensure that all objects are encrypted at rest and that any attempt to upload an unencrypted object is denied. Which S3 bucket policy statement achieves this?

A. Deny s3:PutObject unless the request includes x-amz-server-side-encryption: AES256.
B. Deny s3:PutObject for all principals.
C. Deny s3:PutObject unless the request includes x-amz-server-side-encryption: AES256 AND the encryption is SSE-S3.
D. Allow s3:PutObject only when x-amz-server-side-encryption: AES256 is present.
Answer: C

Correctly denies unencrypted uploads by requiring the SSE header.

Why this answer

Option C is correct because it denies PutObject if the request does not include the x-amz-server-side-encryption header with value AES256. Option A is wrong because it only denies if the header is missing, but allows other values. Option D is wrong because it allows only AES256 but does not deny unencrypted uploads.

Option B is wrong because it denies all PutObject requests.

100
MCQ · easy

A company has an S3 bucket that stores financial records. The security team wants to ensure that any object uploaded to the bucket is automatically encrypted with a specific AWS KMS key. The team creates a bucket policy that denies s3:PutObject unless the request includes the correct encryption header. However, some users who upload objects using the AWS Management Console report that their uploads fail. What is the most likely cause?

A. The console uses multipart uploads, which require encryption headers on each part.
B. The KMS key policy does not allow the s3:PutObject operation.
C. The console does not support server-side encryption.
D. S3 Transfer Acceleration is enabled, which bypasses the bucket policy.
Answer: A

Multipart uploads have different API calls; the bucket policy condition must account for them.

Why this answer

Option A is correct because the AWS Management Console uses multipart uploads for large objects, and multipart uploads require the encryption header to be specified in each part upload. Option B is wrong because the bucket policy can enforce encryption; a KMS key policy is separate. Option D is wrong because S3 Transfer Acceleration does not affect encryption.

Option C is wrong because the console respects bucket policies.

101
MCQmedium

A company uses Amazon S3 to store sensitive documents. The security policy requires that all objects in the bucket are encrypted at rest. The bucket currently has default encryption configured with SSE-S3. A new requirement mandates that all objects must be encrypted with SSE-KMS using a specific customer-managed key. What is the MOST efficient way to enforce this without re-uploading existing objects?

A.Use S3 Inventory to list objects and a script to copy each object to itself with new encryption
B.Use S3 Lifecycle policy to transition objects and re-encrypt them
C.Update the bucket default encryption to SSE-KMS and enable automatic re-encryption
D.Update the bucket default encryption to SSE-KMS and use S3 Batch Operations to re-encrypt existing objects
AnswerD

Correct: S3 Batch Operations can copy objects with new encryption settings.

Why this answer

Option D is correct because you can update the default encryption configuration to use SSE-KMS, and then use S3 Batch Operations to re-encrypt existing objects. Option C is wrong because changing the default encryption does not automatically re-encrypt existing objects. Option B is wrong because S3 Lifecycle policies do not re-encrypt objects.

Option A is wrong because you cannot change the encryption of existing objects by copying them in place; you need to copy them to a new location.

102
MCQeasy

A startup is building a serverless application using AWS Lambda to process user-uploaded images. The images are stored in an S3 bucket with server-side encryption (SSE-S3) enabled. The Lambda function reads the images, performs transformations, and writes the results to a different S3 bucket. The security engineer wants to ensure that data is encrypted at rest and in transit throughout the pipeline. The Lambda function is configured with an IAM role that has permissions to read from the source bucket and write to the destination bucket. Which additional configuration is REQUIRED to ensure end-to-end encryption?

A.Add a bucket policy to the source bucket that denies requests not using aws:SecureTransport.
B.No additional configuration is required; Lambda uses HTTPS by default to call S3.
C.Grant the Lambda function's IAM role permission to call KMS Decrypt and Encrypt.
D.Enable VPC endpoints for S3 and configure Lambda to use them.
AnswerB

Lambda's SDK uses HTTPS endpoints, ensuring encryption in transit. SSE-S3 provides encryption at rest.

Why this answer

Option B is correct because Lambda functions use HTTPS endpoints by default when calling S3 API operations. Option C is wrong because Lambda does not need to call KMS; SSE-S3 is server-side and Lambda can read encrypted objects without additional permissions. Option D is wrong because Lambda already uses HTTPS to communicate with S3, so VPC endpoints are not required for encryption.

Option A is wrong because while an S3 bucket policy can enforce HTTPS, it is not required for end-to-end encryption; Lambda's default HTTPS connection already provides encryption in transit.

103
MCQhard

A company has an Amazon S3 bucket with versioning enabled. They want to ensure that all objects in the bucket are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). They also want to prevent any future uploads that are not encrypted with SSE-KMS. Which combination of actions should they take?

A.Add a bucket policy that denies s3:PutObject if s3:x-amz-server-side-encryption is not aws:kms. Use S3 Inventory to report encryption status of existing objects.
B.Use AWS Config rule s3-bucket-server-side-encryption-enabled to check compliance.
C.Use S3 Object Lock with governance mode.
D.Enable default encryption with SSE-KMS on the bucket. Use S3 Inventory to report encryption status.
AnswerA

Deny policy enforces for future uploads; inventory audits existing objects.

Why this answer

Option A is correct because a bucket policy denying PutObject without SSE-KMS prevents non-compliant uploads, and S3 Inventory reports encryption status. Option B only checks compliance, does not enforce. Option C does not enforce encryption.

Option D does not enforce.

104
MCQeasy

A company is storing sensitive data in Amazon S3 buckets. They want to ensure that all uploaded objects are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). Which bucket policy statement will enforce this?

A.{"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket/*", "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}
B.{"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket/*", "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}}
C.{"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket/*", "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}
D.{"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket/*", "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}}
AnswerA

Requires SSE-KMS encryption.

Why this answer

Option A is correct because it uses a Deny effect with a StringNotEquals condition on the s3:x-amz-server-side-encryption header set to 'aws:kms'. This ensures that any PutObject request that does not include the header specifying SSE-KMS is denied, effectively enforcing that all uploaded objects must be encrypted with AWS KMS. The Deny effect overrides any Allow, making this policy robust against accidental or malicious uploads without the required encryption.

Exam trap

The trap here is that candidates often choose an Allow policy (Option C) thinking it enforces encryption, but without a Deny, requests that omit the encryption header are still allowed by default, making the policy ineffective.

How to eliminate wrong answers

Option B is wrong because it enforces SSE-S3 (AES256) instead of SSE-KMS, which does not meet the requirement for server-side encryption with AWS KMS. Option C is wrong because an Allow effect with a StringEquals condition is insufficient; it does not block uploads that lack the encryption header, as the default behavior (no explicit Deny) would allow them. Option D is wrong because it enforces SSE-S3 (AES256) via a Deny, which again is not SSE-KMS and would incorrectly block valid SSE-KMS uploads while allowing non-compliant ones.

105
MCQeasy

A company needs to share an encrypted Amazon S3 object with another AWS account. The object is encrypted with an AWS KMS customer managed key. Which steps are required?

A.Use an object ACL to grant the other account read access.
B.Update both the bucket policy and the KMS key policy to grant cross-account access.
C.Update the bucket policy to allow the other account to access the object.
D.Update the KMS key policy to allow the other account to decrypt.
AnswerB

Both policies must allow the external account to access the object and decrypt it.

Why this answer

Option B is correct because both the bucket policy and the key policy need to grant cross-account access. Option C is wrong because the bucket policy alone is not enough; the key policy must also allow decryption. Option D is wrong because the key policy alone is insufficient; the bucket policy must allow s3:GetObject.

Option A is wrong because object ACLs cannot grant cross-account access when KMS encryption is used.

106
MCQhard

A company uses AWS CloudHSM to store encryption keys for a custom database encryption application. The application runs on Amazon EC2 instances and uses the PKCS#11 library to communicate with the HSM. Recently, the application started failing with 'CKR_SESSION_HANDLE_INVALID' errors. Which of the following is the most likely cause?

A.The client certificate used for mutual TLS authentication has expired
B.The security group for the HSM does not allow inbound traffic from the EC2 instance
C.The application is not closing sessions properly, causing the HSM to reach the maximum number of open sessions
D.The HSM's firmware version is incompatible with the PKCS#11 library
AnswerC

Exhausting sessions causes invalid handle errors.

Why this answer

CloudHSM partitions have a limit on the number of open sessions. If the application does not properly close sessions, it can exhaust the limit, causing invalid session handle errors. Option C identifies this.

Option A (an expired client certificate) would cause different errors, B is about connectivity, and D is about firmware compatibility.

107
MCQhard

A company is using AWS CloudHSM to store encryption keys for a custom application. The application needs high availability across two AWS Regions. What is the MOST secure and cost-effective approach to synchronize key material between the HSMs in each Region?

A.Use AWS KMS multi-Region keys with custom key store backed by CloudHSM
B.Create a backup of the source HSM and restore it to the target HSM in the second region
C.Export the key material from the source HSM using the encrypt/decrypt API and import into the target HSM
D.Use the AWS CloudHSM client to replicate the key material automatically across regions
AnswerB

Backup and restore is the recommended method for cross-region key synchronization.

Why this answer

CloudHSM does not automatically sync key material across clusters. The best practice is to back up the HSM in one Region and restore it in the other using the same backup. Option B is correct because backup and restore in the same account provides secure key synchronization.

Option D is incorrect because CloudHSM does not support cross-Region replication natively. Option C is incorrect because manual key export via API introduces security risks. Option A is incorrect because KMS does not directly integrate with CloudHSM for key sync across Regions.

108
MCQhard

A company uses AWS KMS to encrypt data in Amazon S3. The security team notices that a KMS key has been deleted accidentally, causing data loss. The company wants to implement a solution to prevent accidental key deletion and enable recovery. What should the security team do?

A.Enable the key's 'Disable key' option and set a deletion waiting period of 7 days.
B.Enable automatic key rotation for the KMS key.
C.Create a multi-Region key and enable automatic key rotation.
D.Use AWS CloudHSM to store the key material and create a backup in another Region.
AnswerC

Multi-Region keys provide a replica in another region for recovery, and automatic rotation improves security.

Why this answer

Option C is correct because a multi-Region key gives you a replica in another Region: if one Region's key is deleted, the other Region's key can still be used, which provides the recovery the question asks for. Automatic key rotation improves key hygiene by rotating the key material, although rotation by itself does not prevent deletion.

Option A is wrong because disabling a key does not prevent its deletion; you can still schedule a disabled key for deletion, and the waiting period only delays it. Option B is wrong because key rotation does not prevent deletion; it only creates new backing key material. Option D is wrong because CloudHSM does not integrate directly with S3 SSE-KMS.

109
MCQeasy

A company wants to protect data in transit between an on-premises data center and AWS over the internet. Which AWS service should they use to create a dedicated, encrypted connection?

A.AWS Direct Connect
B.AWS Transit Gateway
C.AWS Site-to-Site VPN
D.AWS Client VPN
AnswerC

Site-to-Site VPN uses IPsec to encrypt data in transit over the internet.

Why this answer

AWS Site-to-Site VPN provides an encrypted tunnel over the internet between on-premises and AWS. AWS Direct Connect provides a dedicated connection but is not encrypted by default; IPsec can be added. AWS Transit Gateway is a network transit hub, not a connection type.

AWS Client VPN is for individual clients. Option C is correct.

110
MCQmedium

A company is migrating its on-premises file server to Amazon EFS. The data includes sensitive financial records. The security team requires encryption at rest and in transit. The team plans to mount the EFS file system on EC2 instances using the NFS client. They have enabled encryption at rest on the EFS file system. However, they are unsure how to enforce encryption in transit. What should they do to ensure all data transferred between the EC2 instance and EFS is encrypted?

A.Mount the EFS file system using the `mount -t nfs4 -o tls` command on the EC2 instance.
B.Enable encryption in transit in the EFS file system policy and rely on the default NFS client behavior.
C.Set up a VPN connection between the VPC and the on-premises network to encrypt all traffic.
D.Use AWS Certificate Manager to issue a certificate for the EFS file system.
AnswerA

The tls option forces the NFS client to use TLS for encryption in transit.

Why this answer

Option A is correct. To enforce encryption in transit for EFS, you must use the `mount` command with the `tls` option. This ensures the NFS client uses TLS encryption.

Option B is wrong because enabling encryption in transit in the EFS console only allows it; the client must also request it. Option C is wrong because a VPN to the on-premises network does not encrypt the traffic between the EC2 instance and EFS inside the VPC. Option D is wrong because AWS Certificate Manager is not used for EFS encryption in transit.

111
MCQmedium

A company is storing sensitive customer data in Amazon S3. The security team requires that all data be encrypted at rest using a key that is rotated automatically every year. Which solution meets these requirements with the LEAST operational overhead?

A.Use SSE-C with an AWS-managed key
B.Use SSE-S3
C.Use SSE-KMS with automatic key rotation
D.Use client-side encryption with a custom key
AnswerB

SSE-S3 automatically rotates keys with no customer effort.

Why this answer

Option B is correct because SSE-S3 uses Amazon S3-managed keys that are automatically rotated. Option C is wrong because SSE-KMS requires manual key rotation or enabling automatic key rotation. Option D is wrong because client-side encryption adds operational overhead.

Option A is wrong because SSE-C requires the customer to manage keys.

112
MCQhard

A company uses Amazon S3 to store sensitive documents. The security policy requires that all objects be encrypted using server-side encryption with customer-provided keys (SSE-C). An application fails when trying to read an object with the error 'The request includes an invalid header.' What is the MOST likely cause?

A.The application did not specify an encryption context in the request.
B.The KMS key used for encryption has been disabled.
C.The application did not include the x-amz-server-side-encryption-customer-key header in the GET request.
D.The S3 bucket does not have versioning enabled.
AnswerC

SSE-C requires the customer-provided key in every request.

Why this answer

Option C is correct because SSE-C requires the encryption key to be provided in the request headers; if the key is missing or incorrect, the request fails with an invalid header error. Option B is wrong because SSE-C does not involve KMS keys. Option A is wrong because SSE-C does not require an encryption context.

Option D is wrong because SSE-C does not require bucket versioning.

113
Multi-Selecthard

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to detect any attempts to use a KMS key that has been disabled. Which THREE steps should the team take to achieve this? (Select THREE.)

Select 3 answers
A.Enable AWS CloudTrail trails for the account to log KMS events.
B.Configure the CloudWatch Events rule to send a notification to an SNS topic.
C.Configure automatic KMS key rotation to generate daily events.
D.Create a CloudWatch Events rule that matches the 'DisableKey' event from KMS.
E.Disable key rotation to prevent key material changes.
AnswersA, B, D

CloudTrail logs all KMS API calls, including attempts to use a disabled key.

Why this answer

Options A, B, and D are correct. Enabling CloudTrail trails (A) captures KMS API calls. Creating a CloudWatch Events rule for the KMS 'DisableKey' event (D) triggers on the event.

Configuring an SNS notification (B) sends alerts. Option C is wrong because KMS key rotation does not generate a daily event. Option E is wrong because disabling key rotation does not detect key usage.

114
Multi-Selecthard

A company is migrating a legacy application to AWS. The application stores sensitive data and must comply with PCI DSS. The security team needs to ensure that data is encrypted at rest using keys that are rotated every 12 months. Which THREE steps should the team take?

Select 3 answers
A.Enable AWS CloudTrail to log all KMS key usage
B.Ensure the application uses envelope encryption to encrypt data with a data key
C.Use AWS CloudHSM to generate and store keys, and manually rotate them every 12 months
D.Use AWS KMS customer managed keys with automatic rotation enabled
E.Use S3 bucket policy to enforce SSE-C3 encryption
AnswersA, B, D

CloudTrail provides audit logs required for compliance.

Why this answer

Options A, B, and D are correct. Using AWS KMS customer managed keys with automatic annual rotation (D) meets the requirement. Ensuring the application uses envelope encryption (B) is a best practice.

Configuring CloudTrail (A) provides an audit trail for key usage. Option C is incorrect because CloudHSM requires manual key rotation. Option E is incorrect because SSE-C3 is not a valid encryption type; SSE-C uses customer-provided keys, which do not rotate automatically.

115
MCQhard

A company has an S3 bucket with versioning enabled. They want to ensure that all deleted objects are retained for 90 days before permanent deletion. Which S3 feature should be used?

A.S3 Lifecycle policy with NoncurrentVersionExpiration
B.S3 Replication
C.S3 Object Lock
D.MFA Delete
AnswerA

This action deletes noncurrent versions after a specified number of days, effectively retaining deleted objects for that period.

Why this answer

S3 Object Lock with retention mode Compliance or Governance can protect objects from deletion, but the question asks for a retention period after deletion. S3 Lifecycle policies can expire current versions after a period, but for deleted objects (noncurrent versions), a lifecycle rule with NoncurrentVersionExpiration can delete them after a specified number of days. Option A is correct.

S3 Replication is for copying objects; MFA Delete adds an extra layer but does not set a retention period.

116
MCQmedium

A security engineer needs to protect data in transit between an EC2 instance and an RDS database. The RDS database uses SSL/TLS certificates. What is the MOST secure way to ensure that the connection is encrypted?

A.Configure the EC2 instance to use a self-signed certificate for SSL connections.
B.Enable encryption at rest on the RDS instance to automatically encrypt in-transit traffic.
C.Download the RDS CA certificate to the EC2 instance and configure the database client to use SSL and verify the certificate.
D.Create an IAM policy that requires SSL connections to the RDS endpoint.
AnswerC

This provides strong encryption and server identity verification.

Why this answer

Option C is correct because downloading the RDS CA certificate and requiring SSL on the client side ensures the connection is encrypted and verifies the server identity. Option A is wrong because using a self-signed certificate without verification can lead to MITM attacks. Option B is wrong because encryption in transit is not automatic; the client must initiate SSL.

Option D is wrong because an IAM policy cannot enforce SSL on the database connection.

117
MCQmedium

A company uses AWS KMS to encrypt data in Amazon S3. The security team notices that some KMS key usage is not being logged in AWS CloudTrail. What is the most likely reason for this?

A.CloudTrail is not enabled in the region where the KMS key is used.
B.The KMS key has automatic rotation enabled.
C.CloudTrail log file validation is disabled.
D.Only successful KMS operations are logged.
AnswerA

CloudTrail must be enabled in each region to record events in that region.

Why this answer

Option A is correct because CloudTrail does not log KMS key usage if the key is used in an AWS Region where CloudTrail is not enabled. Option D is wrong because CloudTrail logs KMS operations regardless of whether they succeed. Option B is wrong because KMS key rotation generates new backing keys but does not affect logging.

Option C is wrong because disabling CloudTrail log file validation does not stop logging.

118
MCQeasy

A company wants to ensure that data at rest in Amazon EBS volumes is encrypted. What is the simplest way to achieve this?

A.Enable EBS encryption by default in the AWS account.
B.Use AWS KMS to create a custom key and attach it to each volume.
C.Encrypt each volume manually using the AWS Management Console.
D.Use an operating system-level encryption tool like LUKS.
AnswerA

Enabling default encryption ensures all new EBS volumes are encrypted automatically.

Why this answer

Option A is correct because enabling EBS encryption by default in the account encrypts all new volumes. Option C is incorrect because each volume does not need manual encryption. Option D is incorrect because encryption does not need to be applied at the OS level.

Option B is incorrect because KMS is used for key management, but the simplest approach is to enable default encryption.

119
MCQhard

Refer to the exhibit. A security engineer runs the AWS CLI command shown and receives an AccessDenied error. The IAM user Alice has a policy that grants kms:Decrypt on all resources. What is the most likely cause of the error?

A.The KMS key policy does not grant kms:Decrypt to the IAM user Alice.
B.The IAM user policy does not allow kms:Decrypt.
C.The command uses the wrong key ID.
D.The ciphertext blob is corrupted.
AnswerA

KMS requires both IAM policy and key policy to grant access; key policy may deny.

Why this answer

The KMS key policy likely restricts access to specific principals. Even if IAM allows, the key policy can deny. Option A is correct.

The command syntax and the ciphertext blob (Option D) are not the issue. The key ID (Option C) is valid. The IAM policy (Option B) is not the issue since it grants Decrypt.

120
Multi-Selectmedium

A company is designing a secure data sharing solution with a third party. The company needs to share sensitive files stored in an S3 bucket with the third party, ensuring that the files are encrypted at rest and in transit, and that the third party can only access specific files. The company also wants to rotate the access credentials every 30 days. Which TWO actions should the company take? (Select TWO.)

Select 2 answers
A.Create an IAM role in the company's account that the third party can assume, and attach a policy that grants access to the specific files.
B.Use S3 Cross-Region Replication to replicate the files to a bucket in the third party's account.
C.Configure an S3 bucket policy that denies access unless the request includes a specific KMS key ID.
D.Generate presigned URLs for the specific files and email them to the third party.
E.Use a KMS key policy that grants the third party's AWS account permission to use the key for decrypt operations.
AnswersC, E

Enforces that only objects encrypted with the specified key can be accessed.

Why this answer

Options C and E are correct. Using a KMS key policy to grant decrypt permission to the third party's AWS account (E) allows them to decrypt objects. Using an S3 bucket policy with a condition on the KMS key (C) ensures they only access objects encrypted with that key.

Option D is wrong because presigned URLs can be shared, but they don't enforce encryption key control. Option A is wrong because cross-account roles require the third party to assume a role, not rotate credentials every 30 days. Option B is wrong because using a separate bucket with replication does not enforce key-specific access.

121
Multi-Selectmedium

A company is designing a data protection strategy for its Amazon S3 buckets. Which TWO actions can help protect data from accidental deletion or overwrite?

Select 2 answers
A.Enable MFA Delete on the bucket.
B.Enable Cross-Region Replication.
C.Enable default encryption.
D.Enable versioning on the bucket.
E.Set a lifecycle policy to expire objects.
AnswersA, D

Requires multi-factor authentication to delete objects.

Why this answer

The correct answers are A and D. Option A: MFA Delete adds an extra authentication step to delete objects. Option D: Versioning allows recovery of overwritten or deleted objects.

Option B: Cross-Region Replication is for disaster recovery, not deletion protection. Option C: Default encryption protects data at rest, not against deletion. Option E: Lifecycle policies can delete objects, not protect them.

122
MCQeasy

A company needs to protect data stored in S3 from accidental deletion by users. Which S3 feature should be used?

A.S3 Lifecycle policies
B.S3 MFA Delete
C.S3 Versioning
D.S3 Block Public Access
AnswerC

Versioning preserves all versions of an object, including deleted or overwritten ones.

Why this answer

Option C is correct because S3 Versioning allows retrieval of overwritten or deleted objects. Option B is incorrect because MFA Delete protects against deletion but is not the primary protection against accidental deletion. Option D is incorrect because S3 Block Public Access prevents public access, not deletion.

Option A is incorrect because S3 Lifecycle policies manage storage classes and expiration, not deletion protection.

123
MCQeasy

A company needs to securely store database credentials for a legacy application running on Amazon EC2. The credentials are currently hardcoded in the application code. Which service should be used to rotate and retrieve secrets automatically?

A.AWS Systems Manager Parameter Store with a SecureString parameter.
B.AWS Key Management Service (KMS).
C.AWS Secrets Manager.
D.AWS CloudHSM.
AnswerC

Supports automatic rotation and secure storage.

Why this answer

Option C is correct because AWS Secrets Manager supports automatic rotation of secrets. Option A is wrong because SSM Parameter Store does not natively support automatic rotation. Option B is wrong because KMS is for encryption keys, not secrets management.

Option D is wrong because CloudHSM is for hardware security modules.

124
MCQmedium

A security engineer inspects two KMS keys. Which key can be used for envelope encryption with automatic key rotation?

A.Key 1234abcd-12ab-34cd-56ef-1234567890ab.
B.Key 2345bcde-23bc-45de-67fg-2345678901bc.
C.Neither key supports envelope encryption with automatic rotation.
D.Both keys support envelope encryption with automatic rotation.
AnswerA

Customer-managed key with rotation enabled.

Why this answer

Option A is correct because key 1234abcd has KeyRotationEnabled: true and is a customer-managed key (KeyManager: CUSTOMER), which supports automatic rotation. Key 2345bcde is AWS managed (KeyManager: AWS) and rotation is not enabled on it; moreover, AWS managed keys do not support customer-enabled automatic rotation.

Therefore, the only key that can have rotation enabled is key 1234abcd.

125
MCQhard

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application processes credit card numbers and must comply with PCI DSS. The security team requires that all credit card numbers be encrypted at rest and in transit. The application stores the encrypted credit card numbers in Amazon RDS for MySQL. The RDS instance is encrypted at rest using AWS KMS. The application decrypts the credit card numbers after retrieval using a KMS key. The security team has noticed that some credit card numbers are being logged in plaintext in Amazon CloudWatch Logs by the application. The developers claim they are not logging the decrypted values. What is the MOST likely cause and solution?

A.Disable RDS audit logging or ensure that the query logs do not contain sensitive data.
B.Use AWS KMS key policies to prevent the application from decrypting the credit card numbers.
C.Modify the application code to encrypt the credit card numbers before logging.
D.Enable SSL/TLS encryption for the connection between the application and RDS.
AnswerA

RDS query logs may capture the plaintext data if it is sent in SQL statements.

Why this answer

Option A is correct. If the RDS query logs (general logs or slow query logs) are enabled and sent to CloudWatch, they may contain the plaintext credit card numbers if the application sends the decrypted values in SQL queries. Disabling query logging or ensuring it does not contain sensitive data solves the problem.

Option D is wrong because SSL/TLS encryption does not affect logging. Option C is wrong because application logging is not the issue; the logs are from RDS. Option B is wrong because KMS key policies do not control what RDS logs, and blocking decryption would break the application.

126
MCQeasy

A company uses AWS Secrets Manager to store database credentials. They need to rotate the secrets automatically every 30 days. Which rotation strategy should they use?

A.Use AWS Systems Manager Parameter Store to rotate the secret.
B.Manually update the secret every 30 days.
C.Enable automatic rotation in Secrets Manager and specify a Lambda rotation function.
D.Use an AWS Config rule to trigger rotation.
AnswerC

Secrets Manager rotation uses Lambda to update the secret and the database.

Why this answer

Option C is correct because AWS Secrets Manager natively supports automatic rotation of secrets, and you must specify an AWS Lambda function to perform the rotation logic (e.g., updating the database password and storing the new secret). This ensures the secret is rotated on a schedule (every 30 days) without manual intervention, meeting the requirement for automated rotation.

Exam trap

The trap here is that candidates may confuse AWS Systems Manager Parameter Store with Secrets Manager, thinking Parameter Store can also rotate secrets automatically, or they may incorrectly assume AWS Config rules can schedule rotations, when in fact only Secrets Manager with a Lambda function provides native automatic rotation.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store does not have built-in automatic rotation capabilities; it is a parameter store, not a secrets rotation service, and would require custom automation to rotate secrets. Option B is wrong because manually updating the secret every 30 days is not automated and defeats the purpose of using Secrets Manager for rotation; it introduces human error and operational overhead. Option D is wrong because AWS Config rules are used for compliance evaluation and remediation, not for scheduling or executing secret rotation; they can trigger a Lambda function for remediation but are not designed as a rotation scheduler.

127
Multi-Select · easy

A company needs to protect data in transit between an on-premises data center and AWS. Which THREE services can be used to encrypt data in transit?

Select 3 answers
A. AWS Key Management Service (KMS)
B. AWS Shield
D. AWS Site-to-Site VPN
E. AWS Certificate Manager (ACM)
Answers: C, D, E

Encrypts web traffic.

Why this answer

The correct answers are C, D, and E. Option E: TLS certificates issued by ACM encrypt data in transit. Option D: AWS Site-to-Site VPN encrypts network traffic with IPsec. Option C: HTTPS encrypts web traffic.

Option A: AWS KMS manages encryption keys; it does not encrypt data in transit. Option B: AWS Shield protects against DDoS attacks and does not encrypt data.

128
MCQ · medium

A security engineer needs to ensure that all data in an S3 bucket is encrypted at rest using AWS KMS. The bucket policy must deny any PutObject request that does not include the x-amz-server-side-encryption header with value aws:kms. Which bucket policy element should be used?

A. Deny with NotPrincipal
B. Deny with condition StringNotEquals for s3:x-amz-server-side-encryption
C. Deny on s3:PutObjectAcl
D. Allow with condition StringEquals for s3:x-amz-server-side-encryption
Answer: B

This denies uploads that do not have the required encryption header.

Why this answer

To enforce encryption, use a bucket policy statement with a Deny effect on s3:PutObject and a StringNotEquals condition that fires when s3:x-amz-server-side-encryption is not aws:kms. Option B is correct because it uses a Deny with that condition on the encryption header. Option D is incorrect because an Allow with a condition only grants matching requests; it does not deny unencrypted requests that are permitted elsewhere.

Option A is incorrect because NotPrincipal is used to scope a statement by principal (for example in cross-account cases), not to enforce encryption. Option C is incorrect because s3:PutObjectAcl controls ACL changes and is not relevant to object encryption.

129
MCQ · hard

Refer to the exhibit. A security engineer is troubleshooting a decryption failure. The command uses the AWS CLI to decrypt a file. The decryption fails with an 'AccessDeniedException' error. The IAM user has the following policy attached:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "*"
    }
  ]
}

What is the most likely cause of the failure?

A. The KMS key policy does not grant the IAM user decrypt permission
B. The IAM user does not have permission to call kms:Decrypt on the specific key
C. The ciphertext blob is not valid
D. The IAM user is not authorized to use the AWS CLI
Answer: A

Key policies can restrict access even if IAM allows.

Why this answer

Option A is correct because the KMS key policy must explicitly allow the IAM user to decrypt; even when an IAM policy allows kms:Decrypt, the key policy can still deny it. Option B is wrong because the IAM policy already grants kms:Decrypt on all keys ("Resource": "*"). Option C is wrong because the file contains the ciphertext blob and the error is an access denial, not a malformed ciphertext.

Option D is wrong because the AWS CLI needs no separate authorization; the command uses the default KMS key if none is specified, and it is that key's policy that may not allow the user.

130
MCQ · hard

A security engineer applies the bucket policy shown in the exhibit to an S3 bucket. What is the effect of this policy?

A. Allows uploads only if they use SSE-S3.
B. Allows uploads without encryption.
C. Allows uploads with any server-side encryption.
D. Allows uploads only if they use SSE-KMS.
Answer: D

Denies non-KMS (first statement) and null header (second statement).

Why this answer

Option D is correct because the second statement denies uploads when the SSE header is null, meaning no encryption was specified. Combined with the first statement, which denies any value other than aws:kms, only SSE-KMS uploads are allowed. Option A is incorrect because the first statement denies SSE-S3 along with every other non-KMS value.

Option B is incorrect because the null-header statement denies unencrypted uploads. Option C is incorrect because the policy denies both unencrypted and non-KMS uploads, so not every server-side encryption type is allowed.

131
MCQ · hard

A company has a compliance requirement to encrypt all data in Amazon S3 using keys that are managed by the company's internal security team. The keys must be stored in a hardware security module (HSM) that is FIPS 140-2 Level 3 certified. Which AWS service should be used?

A. AWS Secrets Manager
B. AWS Key Management Service (KMS)
C. Amazon S3 default encryption with SSE-C
D. AWS CloudHSM
Answer: D

CloudHSM provides dedicated HSMs with Level 3 certification.

Why this answer

Option D is correct because CloudHSM provides dedicated HSMs that are FIPS 140-2 Level 3 certified. Option B is wrong because KMS is Level 2 overall (some regions offer Level 3, but not across the board). Option C is wrong because S3 does not provide HSM storage; with SSE-C the customer supplies the key on each request.

Option A is wrong because Secrets Manager does not store keys in HSMs.

132
Multi-Select · easy

Which TWO of the following are valid options for encrypting data at rest in Amazon EBS? (Choose two.)

Select 2 answers
A. Enable EBS encryption by default using the AWS managed key for EBS.
B. Use a customer managed KMS key.
C. Use an encryption script on the EC2 instance to encrypt the volume.
D. Use AWS CloudHSM to generate and store the encryption key.
E. Use S3 server-side encryption to encrypt the EBS snapshot.
Answers: A, B

AWS managed key for EBS is used when no custom key is specified.

Why this answer

Options A and B are correct. EBS encryption is enabled through KMS, using either the AWS managed key or a customer managed key. Option D is wrong because CloudHSM is not used directly for EBS encryption.

Option C is wrong because EBS encryption is performed by the service, not by a script on the EC2 instance. Option E is wrong because S3 server-side encryption does not apply to EBS volumes or snapshots.

133
MCQ · medium

Refer to the exhibit. A security engineer is reviewing the key policy for a customer managed key. The engineer notices that a user with the IAM role 'Admin' can encrypt and decrypt data using this key. However, the engineer wants to ensure that only requests coming from the company's VPC (vpc-12345678) can use the key. What should be added to the key policy?

A. Add a condition kms:ViaService with value s3.amazonaws.com
B. Add a condition kms:CallerAccount with value 111122223333
C. Add a condition aws:SourceVpc with value vpc-12345678 to the 'Allow use of the key' statement
D. Add a new statement with Effect: Deny and a condition aws:SourceVpc not equal to vpc-12345678
Answer: C

Restricts access to requests from the specified VPC.

Why this answer

To restrict key usage to a VPC, add a condition on the aws:SourceVpc key to the key policy. Option C is correct. Option D is incorrect because the condition should be added to the existing 'Allow use of the key' statement rather than introduced as a new Deny statement.

Option A is incorrect because kms:ViaService restricts use to a service endpoint, not to a VPC. Option B is incorrect because kms:CallerAccount restricts by account and is not relevant here.

134
MCQ · hard

A company needs to share an encrypted Amazon Machine Image (AMI) with another AWS account. The AMI was encrypted using a customer managed key (CMK) in AWS KMS. What steps are required to allow the target account to launch an EC2 instance from the shared AMI?

A. Modify the AMI launch permissions to include the target account and add the target account to the KMS key policy
B. Copy the AMI and share the copy; the key is automatically shared
C. Only modify the AMI launch permissions to include the target account
D. Only add the target account to the KMS key policy
Answer: A

Both the AMI and key must be accessible to the target account.

Why this answer

Option A is correct because both the AMI launch permissions and the KMS key must be shared with the target account. Option C is wrong because sharing the AMI alone does not allow the target account to decrypt the snapshot. Option D is wrong because sharing the KMS key alone does not grant launch access to the AMI.

Option B is wrong because copying the AMI does not share the key automatically; the key must still be shared with the target account.

135
MCQ · hard

A company uses AWS KMS to encrypt data at rest in Amazon RDS for MySQL. The security team needs to ensure that the RDS instance can only be decrypted by a specific IAM role used by the production application, and not by any other IAM user or role. What is the most secure way to achieve this?

A. Enable key rotation and use a custom key store to isolate the key.
B. Create an IAM policy that denies 'kms:Decrypt' to all principals except the production role, and attach it to the key.
C. Attach the production IAM role to the RDS instance and use a condition in the IAM role's policy to allow decrypt.
D. Modify the KMS key policy to allow 'kms:Decrypt' only for the production role and deny for all other principals.
Answer: D

Key policies directly control access to the KMS key.

Why this answer

Option D is correct because a KMS key policy that grants decrypt permission only to the production role ensures that only that role can decrypt the RDS instance. Option B is wrong because IAM policies alone cannot restrict decryption if the key policy allows broader access, and IAM policies are not attached to keys. Option C is wrong because RDS does not support attaching IAM roles at the instance level for this purpose.

Option A is wrong because key rotation and a custom key store change how and where key material is generated, not which principals may use the key.

136
MCQ · medium

A security team wants to audit who accessed an S3 object that contains sensitive data. Which AWS service provides this capability?

A. AWS Config
B. Amazon CloudWatch Logs
C. S3 Server Access Logs
D. AWS CloudTrail
Answer: C

S3 Server Access Logs record all requests made to a bucket, including object-level operations.

Why this answer

Option C is correct because S3 Server Access Logs provide detailed records of the requests made to a bucket. Option D is incorrect because CloudTrail logs API calls but does not record object-level access unless data events are enabled. Option A is incorrect because AWS Config tracks resource configuration, not access.

Option B is incorrect because CloudWatch Logs can store logs but does not generate S3 access logs by default.

137
MCQ · hard

A financial services company is designing a data protection strategy for its DynamoDB table containing sensitive customer data. The table has a global secondary index (GSI). The company needs to encrypt the data at rest using a customer managed key (CMK) that is rotated annually. Which solution meets these requirements?

A. Create the table with default encryption, then update the table to use a CMK and enable automatic rotation
B. Create the table without encryption, then enable encryption on the table and GSI separately using a CMK
C. Create the table with an AWS managed key and use AWS KMS automatic rotation
D. Create the table with a customer managed key (CMK) and enable automatic key rotation
Answer: D

CMK with auto rotation meets requirements; GSI inherits encryption.

Why this answer

DynamoDB supports encryption at rest using AWS KMS. When a table is created, you can specify a CMK. The GSI inherits the encryption settings from the base table.

Option D is correct because you can specify a CMK at table creation and enable automatic key rotation. Option A is incorrect because you cannot change the encryption key after table creation without recreating the table. Option C is incorrect because using an AWS managed key does not allow customer-controlled rotation.

Option B is incorrect because enabling encryption on the GSI separately is not supported; encryption is inherited from the table.

138
MCQ · medium

A company wants to protect data in transit between its on-premises network and Amazon VPC using IPsec VPN. Which AWS service should be used to establish this VPN connection?

A. AWS Client VPN
B. AWS Site-to-Site VPN
C. AWS Transit Gateway
D. AWS Direct Connect
Answer: B

Provides IPsec VPN tunnels.

Why this answer

Option B is correct because AWS Site-to-Site VPN provides IPsec VPN connections between on-premises networks and VPCs. Option D is incorrect because AWS Direct Connect is a dedicated connection, not an IPsec VPN. Option A is incorrect because Client VPN is for individual users.

Option C is incorrect because Transit Gateway is used to connect multiple VPCs; the VPN connection itself is still established using Site-to-Site VPN.

139
MCQ · hard

A company uses Amazon RDS for PostgreSQL with encryption at rest enabled using AWS KMS. The security team wants to ensure that database backups (automated snapshots) are also encrypted and that the encryption key can be rotated on demand without re-encrypting the data. Which approach should be taken?

A. Use a separate KMS key for backups by enabling 'Copy tags to snapshots' and specifying a different key.
B. Disable the old KMS key and enable a new KMS key for the RDS instance. The old backup will remain encrypted with the old key.
C. Enable automatic key rotation in KMS and import new key material every 90 days.
D. Create a new KMS key and modify the RDS instance to use the new key. The existing backup will be re-encrypted with the new key when the instance is modified.
Answer: D

Modifying the RDS instance to use a new KMS key triggers a re-encryption of the data and backups.

Why this answer

Option D is correct because KMS supports automatic key rotation as well as manual rotation by creating a new key and updating the RDS instance to use it, which re-encrypts the data with the new key. Option C is wrong because RDS does not support importing key material. Option B is wrong because disabling the old key would break access to existing backups.

Option A is wrong because RDS does not support using a different key for backups; backups use the same key as the DB instance.

140
MCQ · hard

Refer to the exhibit. A security engineer is troubleshooting why an IAM user (Alice) cannot encrypt data using a KMS key. Alice has full S3 and KMS permissions via an IAM policy. The key policy is shown. Which statement explains the issue?

A. The key policy is missing a statement to allow the IAM user to use the key via IAM policies
B. The IAM user does not have the kms:Encrypt permission in their IAM policy
C. The key policy does not include the root account principal
D. The key policy does not allow the IAM user to use the key for any action
Answer: D

Only Admin role gets kms:Put* and kms:Create*, not encrypt.

Why this answer

The key policy only grants kms:Put* and kms:Create* to the Admin role, not to Alice. Because KMS requires the key policy to grant access (unless the key policy explicitly delegates to IAM policies), Alice's IAM policy alone is insufficient. Option D correctly identifies that the key policy does not allow Alice to use the key for any action, including kms:Encrypt.

Option C is incorrect because the root account principal is allowed. Option B is wrong because Alice already has kms:Encrypt through her IAM policy. Option A is wrong because the issue is not a missing delegation statement; the key policy is deliberately restrictive, so Alice's IAM permissions are never honoured.

141
Multi-Select · medium

A company is designing a data protection strategy for Amazon EBS volumes. Which THREE practices should be implemented? (Choose THREE.)

Select 3 answers
A. Enable encryption by default for new EBS volumes
B. Use S3 Object Lock to prevent deletion of snapshots
C. Enable automated backups for Amazon RDS
D. Take regular snapshots of EBS volumes and store them in a different region
E. Use EBS multi-attach for high availability
Answers: A, D, E

This ensures all new volumes are encrypted.

Why this answer

Options A, D, and E are correct for EBS data protection. Option B is wrong because S3 Object Lock applies to S3 objects, not EBS snapshots. Option C is wrong because automated backups are an RDS feature, not an EBS one.

142
Multi-Select · hard

A company wants to enforce encryption in transit for all data transferred between its Amazon EC2 instances and an Application Load Balancer (ALB). The company uses AWS Certificate Manager (ACM) to provision TLS certificates. Which TWO actions should the company take? (Choose TWO.)

Select 2 answers
A. Configure the target group to use HTTPS protocol.
B. Enable encryption at rest on the EC2 instances.
C. Use a network load balancer instead of an ALB.
D. Assign a certificate from ACM to the ALB listener.
E. Configure the ALB listener to use HTTPS protocol.
Answers: A, E

HTTPS target group ensures encryption between ALB and EC2.

Why this answer

Option A is correct because configuring the target group to use HTTPS protocol ensures that traffic between the Application Load Balancer (ALB) and the EC2 instances is encrypted in transit. This enforces TLS encryption on the backend connection, meeting the requirement for data-in-transit protection between the ALB and instances.

Exam trap

The trap here is that candidates often assume assigning a certificate to the ALB listener alone (Option D) is sufficient for encryption in transit, overlooking that the target group protocol must also be HTTPS to enforce encryption on the backend connection between the ALB and EC2 instances.

143
Multi-Select · medium

A company is implementing a data protection strategy for Amazon S3. Which TWO actions should be taken to protect data from accidental deletion or overwrite?

Select 2 answers
A. Enable cross-region replication
B. Enable MFA Delete on the bucket
C. Apply a bucket policy that denies s3:DeleteObject
D. Enable S3 Versioning on the bucket
E. Enable default encryption on the bucket
Answers: B, D

Requires MFA for delete operations.

Why this answer

Options B and D are correct. Enable Versioning to preserve previous versions, and enable MFA Delete to require multi-factor authentication for deletions. Option C is wrong because a bucket policy alone does not prevent deletion.

Option E is wrong because encryption does not prevent deletion. Option A is wrong because replication does not protect against deletion in the source bucket.

144
Multi-Select · medium

A company is designing a data protection strategy for sensitive customer data stored in Amazon S3. Which TWO actions should be taken to protect the data from accidental deletion?

Select 2 answers
A. Use S3 Object Lock with retention mode.
B. Enable cross-region replication to another bucket.
C. Configure an S3 bucket policy that denies s3:DeleteObject for all principals.
D. Enable MFA Delete on the S3 bucket.
E. Enable S3 Versioning on the bucket.
Answers: D, E

Requires MFA to delete objects.

Why this answer

Options D and E are correct. MFA Delete adds an extra authentication factor for delete operations. S3 Versioning allows recovery of deleted objects.

Option C is wrong because bucket policies do not prevent deletion by authorized users. Option B is wrong because cross-region replication does not protect against deletion in the source bucket. Option A is wrong because lifecycle policies can still delete objects.

145
MCQ · medium

A company stores sensitive data in an S3 bucket. The security team wants to ensure that all objects are encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). An application writes objects to the bucket but sometimes fails because the encryption key is not found. What is the MOST likely cause?

A. The KMS key is in a different AWS Region than the S3 bucket.
B. The bucket policy does not allow SSE-KMS.
C. The KMS key has expired.
D. The KMS key does not have automatic rotation enabled.
Answer: A

SSE-KMS requires the key to be in the same region as the bucket.

Why this answer

Option A is correct because SSE-KMS requires the KMS key to be in the same Region as the S3 bucket; cross-Region keys are not supported. Option B is wrong because a bucket policy that blocked SSE-KMS would produce an access denial, not a missing-key error. Option C is wrong because KMS keys do not expire.

Option D is wrong because SSE-KMS does not require automatic key rotation to be enabled.

146
MCQ · easy

A company is designing a data lake on Amazon S3 and needs to encrypt data at rest. The compliance team requires that the encryption keys be managed by the company and not by AWS. Which encryption option should be used?

A. SSE-C
B. SSE-S3
C. Client-side encryption
D. SSE-KMS
Answer: A

Customer provides their own keys.

Why this answer

Option A is correct because SSE-C allows the customer to provide their own encryption keys. Option B is wrong because SSE-S3 keys are managed by AWS. Option D is wrong because SSE-KMS keys are managed by AWS KMS.

Option C is wrong because client-side encryption involves more overhead and is not server-side encryption.

147
Multi-Select · medium

Which TWO AWS services can be used to monitor and audit data access patterns to Amazon S3 buckets? (Choose 2.)

Select 2 answers
A. AWS Config
B. AWS CloudWatch
C. AWS CloudTrail
D. Amazon S3 Server Access Logs
E. AWS Trusted Advisor
Answers: C, D

Logs S3 API calls.

Why this answer

AWS CloudTrail is correct because it records API activity for Amazon S3, including data-level events such as GetObject, PutObject, and DeleteObject. By enabling data events on a trail, you can capture who accessed which object, from which IP address, and when, providing a complete audit trail for data access patterns.

Exam trap

The trap here is that candidates often confuse AWS Config (which checks configuration compliance) with CloudTrail (which records API activity), or they overlook that S3 Server Access Logs are a separate, native logging feature distinct from CloudTrail.

148
MCQ · medium

A security engineer created the above IAM policy for an S3 bucket. What does this policy accomplish?

A. It allows uploading objects with any server-side encryption.
B. It denies uploading objects with SSE-S3 encryption.
C. It denies uploading objects unless they are encrypted with AWS KMS.
D. It requires objects to be encrypted with a specific KMS key.
Answer: C

The condition denies PutObject when encryption is not KMS.

Why this answer

Option C is correct. The policy denies PutObject if server-side encryption is not AWS KMS (aws:kms). Option A is incorrect because the policy does not allow uploads with just any server-side encryption.

Option B is incorrect because the policy denies every non-KMS upload, not only SSE-S3. Option D is incorrect because the condition is on the encryption type, not on a specific KMS key ID.

149
Multi-Select · hard

A company has an AWS Lambda function that processes sensitive data and writes the results to an Amazon S3 bucket. The security team requires that the data is encrypted at rest in S3 and that the Lambda function has the minimum permissions necessary. Which THREE actions should the team take?

Select 3 answers
A. Enable default encryption on the S3 bucket with SSE-KMS
B. Grant the Lambda execution role kms:Encrypt permission
C. Grant the Lambda execution role kms:CreateKey permission
D. Use a KMS key policy that allows the Lambda execution role to use the key
E. Grant the Lambda execution role kms:GenerateDataKey and kms:Decrypt permissions
Answers: A, D, E

Ensures encryption at rest.

Why this answer

Option A (Enable default encryption on the S3 bucket with SSE-KMS), Option D (Use a KMS key policy that allows the Lambda execution role to use the key), and Option E (Grant the Lambda execution role the kms:GenerateDataKey and kms:Decrypt permissions) are correct. Default encryption ensures all objects are encrypted. Lambda needs kms:GenerateDataKey to write and kms:Decrypt to read.

The key policy must allow the execution role. Option B is wrong because kms:Encrypt is not needed; S3 uses GenerateDataKey for SSE-KMS uploads. Option C is wrong because kms:CreateKey is for key management, not key usage.

150
MCQ · easy

A company wants to ensure that data stored in Amazon S3 is encrypted at rest using keys managed by AWS. Which encryption option should they choose?

A. Client-side encryption.
B. Server-side encryption with AWS KMS (SSE-KMS).
C. Server-side encryption with customer-provided keys (SSE-C).
D. Server-side encryption with S3 managed keys (SSE-S3).
Answer: D

Keys are managed by AWS.

Why this answer

SSE-S3 uses AES-256 encryption keys managed entirely by AWS, fulfilling the requirement for encryption at rest with AWS-managed keys. When you upload an object, S3 encrypts it before writing to disk and decrypts it when you access it, all without any customer action or key management overhead.

Exam trap

The trap here is that candidates often confuse SSE-KMS as 'AWS-managed' because KMS can use AWS managed keys, but the question specifically requires keys managed solely by AWS without any customer involvement, which only SSE-S3 provides.

How to eliminate wrong answers

Option A is wrong because client-side encryption requires the customer to manage keys and encrypt data before uploading, which does not meet the requirement for AWS-managed keys. Option B is wrong because SSE-KMS uses AWS KMS keys that are customer-managed (or AWS-managed but with customer control over key policies and rotation), not purely AWS-managed keys as specified. Option C is wrong because SSE-C requires the customer to provide and manage their own encryption keys, which contradicts the requirement for keys managed by AWS.
