CCNA Data Protection Questions

75 of 303 questions · Page 3/5 · Data Protection topic · Answers revealed

151 · MCQ · easy

A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team wants to ensure that only users with a specific IAM role can decrypt objects. What is the MOST secure way to achieve this?

A. Use a customer managed KMS key with a key policy that grants kms:Decrypt only to the specific IAM role, and configure the S3 bucket policy to allow only that role to access the bucket.
B. Enable automatic key rotation in KMS and assign the key to the IAM role.
C. Configure an S3 bucket policy that denies all users except the specific IAM role.
D. Use S3 default encryption with an AWS managed key and trust the IAM role.

Answer: A

The key policy controls who can decrypt; the bucket policy controls who can access the object.

Why this answer

Option A is correct because a customer managed KMS key with a key policy that grants decrypt only to the specific IAM role ensures that only that role can decrypt, while the bucket policy restricts who can access the bucket. Option C is wrong because a bucket policy alone cannot control decryption. Option D is wrong because S3 default encryption does not restrict decryption.

Option B is wrong because KMS automatic key rotation does not control access.

152 · MCQ · medium

A company runs a web application on Amazon EC2 behind an Application Load Balancer (ALB). The application handles payment card information (PCI) and must comply with PCI DSS. The security team wants to ensure that all data in transit between the client and the ALB is encrypted using TLS 1.2 or higher. The ALB currently uses a default certificate from AWS Certificate Manager (ACM) that was issued by Amazon. The compliance team has flagged that the certificate must be issued by a public Certificate Authority (CA) that is trusted by major browsers. The company wants to minimize operational overhead. What should the security team do?

A. Use AWS CloudHSM to generate a certificate and import it into ACM
B. Configure CloudFront in front of the ALB and use a CloudFront default certificate
C. Generate a self-signed certificate on the EC2 instance and upload it to ACM, then associate it with the ALB
D. Request a public certificate from ACM and associate it with the ALB

Answer: D

ACM public certificates are issued by trusted CAs and automatically renewed.

Why this answer

Option D is correct because ACM can issue public certificates from trusted CAs at no cost, and they are renewed automatically. Option C is wrong because an imported certificate requires manual renewal. Option A is wrong because CloudHSM is not needed for this.

Option B is wrong because CloudFront adds unnecessary overhead.

153 · Multi-Select · medium

A security engineer is configuring a new AWS KMS customer managed key. Which THREE of the following are required components of a KMS key policy?

Select 3 answers
A. A statement that grants key usage permissions to specific IAM users or roles
B. A statement that defines the key alias
C. A statement that grants key administration permissions to specific IAM roles
D. A statement that gives the AWS account (root) access to the key
E. A statement that enables automatic key rotation

Answers: A, C, D

Defines who can use the key.

Why this answer

A KMS key policy must have a statement that gives the AWS account (root) access so that IAM policies can be used to control access (Option D), and it typically specifies key administrators (Option C) and key users (Option A). Option E is wrong because automatic rotation is optional and is not a key policy statement; Option B is wrong because aliases are not defined in the key policy.

154 · MCQ · medium

A security engineer needs to audit all access to a KMS customer managed key. Which AWS service should be used?

A. AWS Config
B. VPC Flow Logs
C. Amazon CloudWatch Logs
D. AWS CloudTrail

Answer: D

CloudTrail logs all KMS API calls for auditing.

Why this answer

AWS CloudTrail logs all KMS API calls, so Option D is correct. Option C is incorrect because CloudWatch Logs can store logs but does not generate them.

Option A is incorrect because AWS Config tracks resource configuration, not API calls. Option B is incorrect because VPC Flow Logs capture network traffic, not KMS operations.

155 · MCQ · easy

A company wants to automate the detection of sensitive data in an S3 bucket. Which AWS service should be used?

A. Amazon Macie
B. AWS Artifact
C. Amazon Inspector
D. Amazon GuardDuty

Answer: A

Macie automatically discovers and classifies sensitive data.

Why this answer

Amazon Macie uses machine learning to discover and classify sensitive data, so Option A is correct. Option D is incorrect because GuardDuty is for threat detection.

Option C is incorrect because Inspector is for vulnerability assessment. Option B is incorrect because Artifact provides compliance reports.

156 · MCQ · easy

A company is designing a disaster recovery plan for its Amazon RDS for MySQL database. The database must be encrypted at rest. Which approach ensures that the database is encrypted and can be restored in another AWS Region?

A. Enable encryption on the existing DB instance
B. Export the database to Amazon S3 and use S3 cross-Region replication
C. Create a manual snapshot and copy it to another Region with encryption
D. Create a cross-Region read replica with encryption enabled

Answer: D

Cross-Region read replicas provide DR and can be encrypted.

Why this answer

Option D (create a cross-Region read replica with encryption enabled) is correct because it replicates data to another Region and encryption can be enabled. Option A is wrong because enabling encryption on an existing unencrypted DB instance is not supported. Option C is wrong because a snapshot copy with encryption can be restored but does not provide continuous replication.

Option B is wrong because S3 is not used for RDS backups directly.

157 · MCQ · medium

A security engineer is configuring a new Amazon RDS for MySQL database. The compliance team requires that all database connections be encrypted in transit. Which configuration ensures this requirement is met?

A. Enable encryption at rest using KMS
B. Enable IAM database authentication
C. Set the 'ssl' parameter to '1' in the DB parameter group
D. Enable the 'require_secure_transport' parameter in the DB parameter group

Answer: D

This forces all connections to use SSL.

Why this answer

Option D is correct because setting the 'require_secure_transport' parameter to '1' in the DB parameter group forces all connections to the RDS for MySQL instance to use TLS/SSL encryption. This ensures that data in transit is encrypted, meeting the compliance requirement. The parameter enforces that only encrypted connections are accepted, rejecting any unencrypted attempts.

Exam trap

The trap here is that candidates often confuse enabling SSL support (the 'ssl' parameter) with requiring SSL (the 'require_secure_transport' parameter), thinking that simply enabling SSL on the server forces all clients to use it, but in reality, the server will accept both encrypted and unencrypted connections unless the requirement is explicitly enforced.

How to eliminate wrong answers

Option A is wrong because encryption at rest using KMS protects data stored on disk, not data transmitted over the network, so it does not address encryption in transit. Option B is wrong because IAM database authentication provides authentication using IAM credentials, but it does not enforce or provide encryption of the connection itself; it can be used with or without SSL. Option C is wrong because setting the 'ssl' parameter to '1' enables SSL support on the server, but it does not require clients to use SSL; clients can still connect without encryption, so it does not guarantee all connections are encrypted.

158 · MCQ · hard

A company has an S3 bucket with versioning and MFA Delete enabled. A user attempts to delete an object version using the AWS CLI without MFA. What will happen?

A. The object version is marked for deletion and will be deleted after 30 days.
B. The request fails with an AccessDenied error.
C. The object version is deleted and a delete marker is created.
D. The object version is deleted but not permanently.

Answer: B

MFA Delete requires MFA for version deletion.

Why this answer

Option B is correct. With MFA Delete enabled, deleting an object version requires MFA in the request. Since the user did not provide MFA, the request is denied with an AccessDenied error.

Option A is wrong because the object version is not marked for deletion; lifecycle rules do not apply to manual delete requests. Options C and D are wrong because the object version is not deleted.

159 · MCQ · medium

Refer to the exhibit. A security engineer applies the bucket policy shown to an S3 bucket. A developer attempts to upload an object with the header x-amz-server-side-encryption: AES256. What will happen?

A. The upload succeeds because the policy only denies unencrypted uploads.
B. The upload succeeds because the policy allows all encryption methods.
C. The upload succeeds because the object is encrypted with AES256.
D. The upload fails with an AccessDenied error.

Answer: D

The Deny statement matches and blocks the upload.

Why this answer

The policy denies PutObject if the encryption header is not equal to 'aws:kms'. Since the developer uses AES256, the StringNotEquals condition evaluates to true, so the Deny applies and the upload fails.

Option D is correct. Option A is wrong because AES256 is not allowed. Option C is wrong because the request is denied.

Option B is wrong because the policy does not allow all encryption methods; the Deny on any non-KMS encryption header applies.

160 · Multi-Select · medium

A company uses AWS KMS to encrypt data. The security team wants to ensure that KMS keys are not used outside of the company's AWS account. Which TWO measures would help achieve this? (Choose TWO.)

Select 2 answers
A. Tag the KMS key with the account ID.
B. Enable automatic key rotation.
C. Add a key policy that denies kms:* operations for principals from other AWS accounts.
D. Disable automatic key rotation.
E. Use key policies to allow only specific IAM roles in the account to use the key.

Answers: C, E

This explicitly blocks cross-account access.

Why this answer

Options C and E are correct. Option C: a key policy that denies use by principals from other accounts prevents cross-account usage. Option E: using key policies to restrict usage to specific IAM roles within the account ensures only authorized roles can use the key.

Option D is wrong because disabling key rotation does not prevent cross-account use. Option B is wrong because enabling automatic rotation does not restrict usage. Option A is wrong because tagging keys does not prevent usage.

161 · MCQ · easy

A company uses Amazon S3 to store sensitive documents. The security team wants to ensure that all objects are encrypted at rest using server-side encryption. Additionally, any attempt to upload an unencrypted object must be denied. What should the security team do?

A. Enable default encryption on the S3 bucket using SSE-S3.
B. Add an S3 bucket policy that requires encryption using the 's3:x-amz-server-side-encryption' condition key.
C. Add an S3 bucket policy that denies PutObject if the object is not encrypted using SSE-S3 or SSE-KMS.
D. Create an AWS Config rule to detect unencrypted objects and trigger a Lambda function to encrypt them.

Answer: C

Denying unencrypted uploads enforces encryption at upload time.

Why this answer

Option C is correct because an S3 bucket policy that denies PutObject if the object is not encrypted ensures that only encrypted objects can be uploaded. Option A is wrong because enabling default encryption does not prevent unencrypted uploads if the request explicitly sets encryption to none. Option D is wrong because AWS Config can detect but not deny the upload.

Option B is wrong because S3 does not have an 'encryption required' bucket policy; the correct approach is to deny unencrypted uploads.

162 · MCQ · medium

A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which solution meets this requirement?

A. Use an AWS managed key and enable automatic rotation.
B. Use a customer managed key with imported key material and enable automatic rotation.
C. Use a customer managed key and enable automatic rotation with a yearly rotation period.
D. Use an AWS managed key and manually rotate it every year.

Answer: C

Customer managed keys support automatic rotation with a configurable period (yearly).

Why this answer

Option C is correct because customer managed keys (CMKs) in AWS KMS support automatic rotation with a customizable rotation period, which can be set to 365 days (one year) to meet the security team's requirement. AWS managed keys, on the other hand, have a fixed automatic rotation period of every three years (1095 days) and cannot be adjusted, making them unsuitable for a yearly rotation mandate. By using a CMK with automatic rotation enabled and specifying a rotation period of one year, the company ensures that the encryption key material is rotated annually without manual intervention.

Exam trap

The trap here is that candidates often assume AWS managed keys can be configured for automatic rotation with a custom period, but in reality, AWS managed keys have a fixed three-year rotation schedule and cannot be adjusted, making customer managed keys the only option for yearly rotation.

How to eliminate wrong answers

Option A is wrong because AWS managed keys have a fixed automatic rotation period of approximately three years (1095 days) and do not allow customization to a yearly rotation period. Option B is wrong because customer managed keys with imported key material do not support automatic rotation; AWS KMS cannot rotate key material that was imported from an external source, so the security team would need to manually rotate the key. Option D is wrong because AWS managed keys cannot be manually rotated; they are managed entirely by AWS and do not provide a manual rotation capability, and even if manual rotation were possible, it would not meet the 'automatically rotated' requirement.

163 · MCQ · easy

A company stores sensitive data in an Amazon S3 bucket. The security team requires that all data in transit between the company's on-premises data center and S3 be encrypted. Which solution meets this requirement?

A. Set up an IPsec VPN connection between the data center and AWS, and access S3 through the VPN.
B. Enable S3 Transfer Acceleration on the bucket.
C. Use HTTPS (TLS) endpoints when uploading objects to S3.
D. Use AWS PrivateLink to create a VPC endpoint for S3.

Answer: C

HTTPS encrypts data in transit between client and S3.

Why this answer

Option C is correct because using HTTPS (TLS) encrypts data in transit between the client and S3. Option A is wrong because S3 does not support IPsec VPN directly for object uploads. Option D is wrong because VPC endpoints encrypt traffic within AWS, but not the on-premises connection.

Option B is wrong because S3 Transfer Acceleration speeds up transfers but does not provide encryption; HTTPS is still needed.

164 · Multi-Select · easy

A company wants to protect sensitive data in Amazon S3 by ensuring that all objects are encrypted at rest. Which TWO options meet this requirement? (Choose TWO.)

Select 2 answers
A. Use server-side encryption with S3 managed keys (SSE-S3)
B. Use SSL/TLS for data in transit
C. Use client-side encryption with the AWS Encryption SDK
D. Use server-side encryption with AWS KMS (SSE-KMS)
E. Use Amazon Macie to classify and mask data

Answers: A, D

S3 encrypts objects with S3 managed keys.

Why this answer

Options A and D are correct: both are server-side encryption methods provided by S3. Option C is client-side encryption, not S3's own encryption. Option B is for data in transit.

Option E is for masking, not encryption.

165 · Multi-Select · hard

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that only users from a specific AWS account can decrypt objects. Which TWO steps should be taken to achieve this?

Select 2 answers
A. Add a bucket policy that denies decrypt for all users except those from the target account.
B. Configure the KMS key policy to allow the target AWS account to use the key for decrypt.
C. Use a different KMS key for each object to isolate permissions.
D. Create an IAM policy in the target account that allows the kms:Decrypt action.
E. Enable S3 default encryption with the KMS key.

Answers: B, D

Key policy must grant decrypt to the target account.

Why this answer

Options B and D are correct. A key policy that grants decrypt permission to the target account (option B) and an IAM policy in the target account that allows the user to call KMS Decrypt (option D) are both required. Option A is wrong because an S3 bucket policy does not control KMS decryption.

Option E is wrong because S3 default encryption only sets server-side encryption, not cross-account restrictions. Option C is wrong because using a different KMS key for each object is unnecessary and complex.

166 · MCQ · hard

A company is using AWS KMS to encrypt data in Amazon Redshift. They need to rotate the KMS key annually. Which approach meets the requirement with minimal operational impact?

A. Create a new KMS key each year and update the Redshift cluster to use the new key
B. Use an AWS Lambda function to rotate the key every year
C. Enable automatic key rotation on the KMS key
D. Rotate the key by re-importing key material into an existing KMS key

Answer: C

Automated annual rotation.

Why this answer

Option C is correct because AWS KMS supports automatic annual key rotation for customer-managed KMS keys. Enabling this feature automatically rotates the key material once per year with no manual intervention, minimal operational overhead, and no impact on the Redshift cluster, which continues to use the same key ID.

Exam trap

The trap here is that candidates may think automatic rotation is not available for KMS keys or that they must manually rotate keys using Lambda or by creating new keys, when in fact KMS provides a simple toggle for annual automatic rotation that requires no additional resources.

How to eliminate wrong answers

Option A is wrong because creating a new KMS key each year and updating the Redshift cluster requires manual re-encryption of all data and reconfiguration of the cluster, causing significant operational impact and potential downtime. Option B is wrong because AWS Lambda is unnecessary and adds complexity; KMS already provides built-in automatic rotation that does not require custom code or scheduling. Option D is wrong because re-importing key material into an existing KMS key is only applicable to imported key material (not AWS-generated keys) and does not meet the requirement for annual rotation of an AWS KMS key; it also requires manual steps and does not automate the rotation schedule.

167 · Multi-Select · medium

A company uses AWS KMS to encrypt sensitive data. The security team wants to ensure that KMS keys are not used by unauthorized principals. Which TWO measures should be implemented? (Choose TWO.)

Select 2 answers
A. Define a key policy that grants kms:Encrypt and kms:Decrypt only to specific IAM roles.
B. Delete any KMS keys that are not used for more than 90 days.
C. Create aliases for frequently used keys.
D. Grant kms:* permissions to all IAM users in the account.
E. Enable automatic key rotation for all customer managed keys.

Answers: A, E

Key policies are the primary way to control access to KMS keys.

Why this answer

Using key policies to restrict which IAM roles can use the key (Option A) and enabling key rotation to limit the window of compromise (Option E) are effective. Granting broad access (Option D) is not recommended. Deleting unused keys (Option B) does not prevent unauthorized use of the remaining keys.

Using aliases (Option C) does not control access.

168 · Multi-Select · medium

A company wants to protect sensitive data stored in Amazon S3. Which TWO actions should the company take to meet this goal? (Choose TWO.)

Select 2 answers
A. Enable S3 Transfer Acceleration.
B. Configure S3 event notifications to send events to Amazon SNS.
C. Enable S3 Block Public Access.
D. Enable S3 Object Lock.
E. Enable default encryption on the bucket.

Answers: C, E

Block Public Access prevents public access to data.

Why this answer

Options C and E are correct. Option E: enabling default encryption ensures that new objects are automatically encrypted. Option C: S3 Block Public Access prevents accidental public exposure.

Option A is wrong because S3 Transfer Acceleration is for speed, not security. Option B is wrong because S3 event notifications are for automation, not protection. Option D is wrong because S3 Object Lock prevents deletion/modification, not unauthorized access.

169 · MCQ · hard

A company wants to share an encrypted Amazon Machine Image (AMI) with another AWS account. The AMI uses an EBS snapshot encrypted with a customer managed key in KMS. What is the correct procedure to allow the other account to launch an EC2 instance from this AMI?

A. Export the snapshot as an unencrypted snapshot and share it.
B. Share the AMI and have the target account create a new KMS key to encrypt the snapshot.
C. Share only the AMI; the snapshot permissions are inherited from the AMI.
D. Share the AMI, share the snapshot, and grant the target account decrypt permissions on the KMS key.

Answer: D

The target account needs access to the encrypted snapshot and the key to decrypt it.

Why this answer

Option D is correct because to share an encrypted AMI, you must share the AMI, share the snapshot, and grant the target account access to the KMS key. Option B is incorrect because the target account cannot use its own KMS key to decrypt a snapshot encrypted with a different key. Option C is incorrect because sharing the AMI alone is insufficient.

Option A is incorrect because the source account should grant decrypt permissions on the key instead; the snapshot does not need to be exported unencrypted.

170 · Multi-Select · hard

A company is implementing a data protection strategy for its Amazon S3 bucket that contains sensitive data. The company requires that all objects be encrypted at rest using server-side encryption with a customer managed key (SSE-KMS). Additionally, the company wants to ensure that only a specific IAM role can decrypt objects. Which THREE actions should the company take?

Select 3 answers
A. Attach an IAM policy to the specific role that grants kms:Decrypt on the customer managed key
B. Create a bucket policy that denies s3:PutObject unless the request includes the x-amz-server-side-encryption header with value aws:kms
C. Use the default S3-managed key (SSE-S3) for encryption
D. Modify the KMS key policy to allow the specific IAM role to use the key for decryption
E. Use client-side encryption with a customer managed key

Answers: A, B, D

Allows decryption by that role.

Why this answer

To enforce SSE-KMS, use a bucket policy that denies PutObject unless the x-amz-server-side-encryption header is set to aws:kms and a specific key (Option B). To control decryption, grant kms:Decrypt to the specific role in its IAM policy (Option A) and allow that role in the KMS key policy (Option D). Options A, B, and D are correct.

Option C is incorrect because using SSE-S3 does not meet the requirement. Option E is incorrect because client-side encryption is not S3 server-side encryption.

171 · MCQ · medium

A company is designing a data protection solution for Amazon S3 that must prevent any user from accidentally deleting objects. Which combination of S3 features should be used?

A. Use S3 Cross-Region Replication to another bucket.
B. Enable S3 Object Lock with governance mode.
C. Configure S3 default encryption with SSE-KMS.
D. Enable S3 Versioning and MFA Delete.

Answer: D

Versioning preserves objects and MFA Delete requires multi-factor authentication to delete versions.

Why this answer

Option D is correct because MFA Delete adds an extra factor for deletions, and versioning allows recovery of deleted objects. Option B is wrong because Object Lock prevents overwrites/deletion only if a retention period is set, and it does not prevent deletion of the bucket. Option A is wrong because replication does not protect against deletion.

Option C is wrong because default encryption does not prevent deletion.

172 · Matching · medium

Match each AWS security-related acronym to its definition.


Descriptions

Center for Internet Security

Payment Card Industry Data Security Standard

Health Insurance Portability and Accountability Act

System and Organization Controls

International standard for information security management

Why these pairings

Common compliance frameworks and standards.

173 · MCQ · medium

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that when an object is retrieved, it is automatically decrypted. They have configured the S3 bucket to use SSE-KMS with a customer managed key. However, when a user downloads an object using the AWS CLI, the object is still encrypted. The IAM policy for the user includes kms:Decrypt permission. What is the MOST likely reason for this issue?

A. The KMS key policy does not allow the user to decrypt.
B. The user is using SSE-C instead of SSE-KMS.
C. The user does not have s3:GetObject permission.
D. The user is not specifying the correct encryption context in the request.

Answer: D

For SSE-KMS, the encryption context must match; otherwise, decryption fails.

Why this answer

Option D is correct because if the user does not include the --sse-customer-key parameter or the correct encryption context, S3 may not decrypt. However, for SSE-KMS, S3 automatically decrypts if the user has kms:Decrypt permission, so the issue is most likely that the user is using a different tool or not specifying the correct headers.

Option B is wrong because SSE-KMS does not require a customer-provided key. Option C is wrong because S3 handles decryption transparently once the object can be retrieved. Option A is wrong because the user has the decrypt permission.

174 · MCQ · easy

A company is using Amazon S3 to store sensitive data. They want to ensure that all objects uploaded to a specific bucket are encrypted using server-side encryption with AWS KMS. Which bucket policy condition should be used to enforce this?

A. Condition: 's3:x-amz-server-side-encryption-customer-algorithm': 'AES256'
B. Condition: 's3:x-amz-server-side-encryption': 'aws:kms'
C. Condition: 's3:x-amz-server-side-encryption-aws-kms-key-id': 'arn:aws:kms:...'
D. Condition: 's3:x-amz-server-side-encryption': 'AES256'

Answer: B

This enforces that the request includes the header for SSE-KMS.

Why this answer

Option B is correct because the 's3:x-amz-server-side-encryption' condition key with the value 'aws:kms' enforces that server-side encryption with KMS is used. Option D is wrong because it enforces SSE-S3. Option A is wrong because it enforces SSE-C.

Option C is wrong because it checks the KMS key ID but not the encryption method.

175 · MCQ · medium

A company stores sensitive data in Amazon S3 and requires that objects are automatically encrypted using server-side encryption with AWS KMS. The bucket policy must deny any PUT request that does not include the x-amz-server-side-encryption header with value aws:kms. Which bucket policy condition key should be used?

A. s3:x-amz-server-side-encryption
B. aws:SourceIp
C. aws:RequestedRegion
D. kms:EncryptionContext

Answer: A

This condition key evaluates the encryption header in PUT requests.

Why this answer

Option A is correct: the condition key s3:x-amz-server-side-encryption can be used to check the header value. The condition key aws:SourceIp is for the source IP, aws:RequestedRegion is for the Region, and kms:EncryptionContext is for the KMS encryption context.

176 · MCQ · hard

A company is implementing a data loss prevention (DLP) solution for data stored in Amazon S3. The data includes personally identifiable information (PII). The company wants to automatically identify and classify PII objects, then apply encryption using AWS KMS with a customer-managed key. Which AWS service should be used to identify PII?

A. AWS CloudTrail
B. Amazon Macie
C. Amazon GuardDuty
D. AWS Config

Answer: B

Macie is designed to discover and classify sensitive data in S3.

Why this answer

Option B is correct because Amazon Macie uses machine learning and pattern matching to discover sensitive data such as PII in S3. Option D is wrong because AWS Config evaluates resource configurations, not data content. Option C is wrong because Amazon GuardDuty detects threats, not PII.

Option A is wrong because AWS CloudTrail logs API calls, not data content.

177 · MCQ · hard

A company's security policy requires that all data stored in Amazon S3 be encrypted using envelope encryption with a key hierarchy. The master key must be stored in a hardware security module (HSM) that is FIPS 140-2 Level 3 validated. Which solution should the company implement?

A. Use AWS KMS with a custom key store backed by AWS CloudHSM.
B. Use AWS KMS with the default KMS key store.
C. Use Amazon S3 with SSE-S3 and enable default encryption.
D. Use AWS CloudHSM to generate a master key and implement envelope encryption in the application.

Answer: A

Custom key store provides Level 3 HSMs and envelope encryption via KMS.

Why this answer

Option A is correct because AWS KMS uses envelope encryption and supports custom key stores backed by CloudHSM, which is FIPS 140-2 Level 3 validated. Option B is wrong because the KMS default key store uses FIPS 140-2 Level 2 validated HSMs. Option D is wrong because CloudHSM alone does not provide envelope encryption; you would need to implement it yourself.

Option C is wrong because S3 does not have a built-in envelope encryption feature.

178 · MCQ · medium

A company uses AWS KMS to encrypt EBS volumes. The security team wants to ensure that when an EC2 instance is launched, the attached EBS volumes are always encrypted using a specific customer managed key. Which action will enforce this?

A. Use a service control policy (SCP) to deny ec2:RunInstances if the volume encryption key is not the required key
B. Create an IAM role that requires the ec2:RunInstances action to include the kms:KeyId condition
C. Configure the KMS key policy to allow only the specific key for EBS encryption
D. Enable encryption by default for EBS volumes in the account

Answer: A

SCPs can enforce key usage across the account.

Why this answer

Option A is correct because an SCP can deny ec2:RunInstances if the volume encryption key is not the required key. Option B is wrong because IAM roles do not enforce encryption at launch. Option C is wrong because KMS key policies control who can use the key, not which key is used.

Option D is wrong because default encryption uses the account's default key, not necessarily the required key.

179 · MCQ · medium

A security engineer runs the command shown in the exhibit. What is the primary purpose of this command?

A. To generate a data key without plaintext.
B. To re-encrypt an existing encrypted file under a new key.
C. To decrypt the file secret.txt using a KMS key.
D. To encrypt the contents of secret.txt using a KMS key and store the result in encrypted_secret.txt.

Answer: D

Encrypts plaintext with KMS and saves ciphertext.

Why this answer

Option D is correct because the command uses KMS to encrypt the contents of secret.txt and writes the base64-decoded ciphertext to a file. Option C is about decrypting. Option A is about generating a data key.

Option B is about re-encrypting.

180 · Multi-Select · easy

A company needs to implement data protection for Amazon EFS file systems. Which TWO features should be configured?

Select 2 answers
A. Configure EFS Block Public Access.
B. Enable EFS versioning.
C. Enable encryption in transit using TLS.
D. Configure EFS lifecycle management to transition files to Infrequent Access.
E. Enable encryption at rest using AWS KMS.

Answers: C, E

Clients can mount using TLS to encrypt data in transit.

Why this answer

Option E is correct because EFS supports encryption at rest using KMS. Option C is correct because encryption in transit can be enforced using a mount option. Option B is wrong because EFS does not support versioning.

Option A is wrong because EFS does not have Block Public Access; it uses security groups. Option D is wrong because EFS lifecycle policies manage storage tiers, not data protection.

181
Multi-Selecthard

A company has a requirement to automatically rotate encryption keys for S3 objects every 90 days. They are using SSE-KMS with a customer managed key. Which combination of actions will meet the requirement without breaking access to existing objects? (Choose two.)

Select 2 answers
A.Configure an S3 lifecycle policy to re-encrypt objects
B.Use S3 Batch Operations to re-encrypt existing objects with the new key
C.Manually rotate the key every 90 days and re-encrypt all objects
D.Delete the existing key and create a new one each 90 days
E.Enable automatic key rotation in AWS KMS for the customer managed key
AnswersB, E

Batch Operations can re-encrypt objects.

Why this answer

Options B and E are correct. Enabling automatic rotation on the customer managed key generates new key material on a schedule (yearly by default; a rotation period between 90 and 2560 days can also be configured) while retaining all previous material, so objects encrypted before a rotation remain readable without any change. Because rotation never touches existing ciphertext, an S3 Batch Operations copy job is what rewrites existing objects so that they are wrapped with the current key material. Option D is incorrect because deleting the old key makes every object encrypted under it unrecoverable. Option A is incorrect because S3 lifecycle rules manage storage class and expiration; they do not re-encrypt objects.

Option C is incorrect because manual rotation (creating a new key and re-pointing the alias) is unnecessary once automatic rotation is enabled, and on its own it also leaves existing objects untouched.

182
Multi-Selecteasy

Which TWO of the following are valid options for encrypting data at rest in Amazon S3? (Choose 2.)

Select 2 answers
A.SSL/TLS encryption
B.IAM policy encryption
C.SSE-S3
D.CloudHSM client-side encryption
E.SSE-KMS
AnswersC, E

Correct: Server-side encryption with Amazon S3-managed keys.

Why this answer

SSE-S3 is correct because it provides server-side encryption where Amazon S3 manages the encryption keys entirely. When you upload an object, S3 encrypts it using AES-256 before writing to disk and decrypts it when you access it, with no additional configuration needed beyond the header `x-amz-server-side-encryption: AES256` (and since January 2023 S3 applies SSE-S3 to new objects by default even without the header). SSE-KMS is the second correct answer: S3 encrypts each object with a data key protected by a KMS key, so key use is governed by the key policy and recorded in CloudTrail.

Exam trap

The trap here is confusing encryption at rest with encryption in transit, leading candidates to select SSL/TLS, or misinterpreting IAM policies as an encryption mechanism, or assuming CloudHSM is a native S3 server-side encryption option rather than a client-side tool.

183
MCQhard

A company uses AWS KMS to encrypt data in S3. The security policy requires that keys be rotated every 12 months. Which type of KMS key supports automatic rotation?

A.Customer managed keys with automatic rotation enabled
B.Imported key material
C.Custom key store keys
D.AWS managed keys
AnswerA

Customer managed keys can be configured to rotate automatically every 12 months.

Why this answer

Customer managed keys with KMS-generated key material support optional automatic rotation, yearly by default. AWS managed keys are also rotated automatically every year, but the customer cannot enable, disable or schedule that rotation. Option A is correct.

Option D is incorrect because although AWS managed keys rotate, the rotation is not something the customer configures to meet a policy. Option C is incorrect because keys in a custom key store (CloudHSM-backed or external) do not support automatic rotation. Option B is incorrect because imported key material is not rotated automatically; you must import new material into a new key yourself.

184
Drag & Dropmedium

Drag and drop the steps to configure a VPC with private subnets and NAT gateway for outbound internet access in the correct order.


Why this order

VPC creation, subnets, internet gateway, NAT gateway, and route table update are required for private subnet internet access.

185
MCQmedium

A company is using AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that KMS keys are rotated automatically every year. Which action should be taken?

A.Enable automatic key rotation on the customer managed key.
B.Create a new key and update the alias to point to the new key every year.
C.Enable automatic key rotation on the AWS managed key.
D.Use an AWS CloudTrail event to trigger a Lambda function that rotates the key.
AnswerA

Automatic rotation can be enabled on customer managed keys to rotate yearly.

Why this answer

Option A is correct because AWS KMS rotates a customer managed key once a year when automatic rotation is enabled, keeping the older key material so existing ciphertext still decrypts. Option C is incorrect because AWS managed keys are already rotated yearly by AWS and the setting cannot be changed by the customer. Option B is incorrect because manual rotation through a new key and an alias update works, but it is unnecessary operational overhead when automatic rotation is available.

Option D is incorrect because CloudTrail records API activity; it is not a scheduler, and no custom Lambda function is needed for the built-in rotation.

186
MCQmedium

A company is designing a data encryption solution for its Amazon RDS for PostgreSQL database. The database must be encrypted at rest. What is the simplest way to achieve this?

A.Enable encryption when creating the RDS instance using a KMS key.
B.Enable AWS KMS encryption on the RDS instance after creation.
C.Use application-level encryption before inserting data into the database.
D.Use AWS CloudHSM to encrypt the EBS volumes attached to the RDS instance.
AnswerA

RDS encryption at rest is enabled at launch.

Why this answer

Option A is correct because RDS encryption at rest is a creation-time setting: choose a KMS key when launching the instance, and its storage, automated backups, snapshots and read replicas are encrypted with that key. Option B is incorrect because encryption cannot be turned on for an existing instance; the only path is to snapshot it, copy the snapshot with encryption enabled and restore a new instance. Option C is incorrect because application-level encryption adds key handling and schema changes to the application and is not the simplest option.

Option D is incorrect because RDS manages its underlying storage itself; you cannot attach or encrypt its volumes with CloudHSM directly, and HSM-backed keys are consumed through KMS (a custom key store), not by encrypting volumes.

187
MCQeasy

A company uses AWS Secrets Manager to rotate secrets for an RDS database. The rotation fails with an error indicating that the secret cannot be accessed. What is the most likely cause?

A.The Lambda rotation function lacks IAM permissions to update the secret
B.The KMS key used to encrypt the secret is disabled
C.The secret is not encrypted
D.The secret is not in the same region as the database
AnswerA

The Lambda function needs permissions to read and update the secret.

Why this answer

Option A is correct because the rotation Lambda function must be able to read the current secret (secretsmanager:GetSecretValue), stage the new value (PutSecretValue) and finish the rotation (UpdateSecretVersionStage); missing any of these produces a secret-access error. Option C is wrong because Secrets Manager always encrypts secrets; an unencrypted secret does not exist. Option B is wrong because a disabled KMS key surfaces as a KMS error on decrypt and would affect every read of the secret, not only rotation.

Option D is wrong because a Region mismatch affects database connectivity from the rotation function, which shows up as a connection failure rather than an error accessing the secret. When troubleshooting, the rotation function's CloudWatch Logs log group shows which call failed; the function also needs network access from inside the VPC to both the database and a Secrets Manager endpoint.

188
MCQmedium

Refer to the exhibit. A security engineer applies the above bucket policy to an S3 bucket. What is the effect of this policy?

A.The policy has no effect because the condition is invalid
B.Objects without encryption headers are allowed
C.All objects must be encrypted with SSE-KMS
D.All objects must be encrypted with SSE-S3
AnswerD

Correct: The condition requires s3:x-amz-server-side-encryption to be AES256, which is SSE-S3.

Why this answer

Option D is correct. The policy denies s3:PutObject requests whose x-amz-server-side-encryption header is not AES256, so every upload must request SSE-S3. Option C is wrong because AES256 is the value for SSE-S3; enforcing SSE-KMS would require the value aws:kms.

Option B is wrong because the policy denies rather than allows unencrypted uploads. Option A is wrong because s3:x-amz-server-side-encryption is a valid S3 condition key and the condition is well formed. A practical caveat: since January 2023 S3 encrypts every new object with SSE-S3 by default, so this policy mainly rejects clients that do not send the header; a second Deny statement with a Null condition on the same key is the explicit way to reject uploads that omit the header entirely.

189
MCQmedium

A company stores sensitive data in an S3 bucket and uses AWS KMS to encrypt the data. The security team wants to ensure that only specific IAM roles can decrypt the data. What should the team do?

A.Use a KMS grant to allow the roles to decrypt the key.
B.Modify the KMS key policy to include a condition that allows kms:Decrypt only for the specific IAM roles.
C.Attach an IAM policy to the roles that allows kms:Decrypt on the key.
D.Add an S3 bucket policy that denies s3:GetObject for all roles except the allowed ones.
AnswerB

Key policy controls who can use the key directly.

Why this answer

Option B is correct because the KMS key policy is the authoritative access control for a key: granting kms:Decrypt only to the named roles (and removing or constraining the default statement that delegates to IAM) means no other principal can use the key, whatever their IAM policies say. Option D is wrong because an S3 bucket policy governs S3 API calls, not the KMS Decrypt call that S3 makes on the caller's behalf. Option C is wrong because an IAM policy only works when the key policy delegates to IAM, and it does not stop other principals from being granted the same permission elsewhere.

Option A is wrong because a grant is a programmatic, revocable permission intended for service integrations and temporary delegation, not a standing access-control statement.

190
MCQmedium

A company wants to use client-side encryption for data uploaded to Amazon S3. The encryption keys must be managed by the company and never sent to AWS. Which S3 encryption option supports this requirement?

A.Server-side encryption with AWS KMS (SSE-KMS).
B.Client-side encryption using the Amazon S3 encryption client.
C.Server-side encryption with S3 managed keys (SSE-S3).
D.Server-side encryption with customer-provided keys (SSE-C).
AnswerB

Encryption happens on client side; keys never sent to AWS.

Why this answer

Client-side encryption using the Amazon S3 encryption client is correct because the encryption process occurs entirely on the client side before data is uploaded to S3. The company manages the encryption keys locally and never transmits them to AWS, satisfying the requirement that keys are never sent to AWS.

Exam trap

The trap here is that candidates often confuse SSE-C with client-side encryption, not realizing that SSE-C still transmits the encryption key to AWS over the network, albeit encrypted in transit, which violates the 'never sent to AWS' requirement.

How to eliminate wrong answers

Option A is wrong because SSE-KMS uses AWS KMS to manage encryption keys, and the keys are stored and managed by AWS, not the company. Option C is wrong because SSE-S3 uses S3-managed keys that are fully controlled by AWS, not the customer. Option D is wrong because SSE-C requires the customer to provide an encryption key with each request, but the key is sent to AWS over HTTPS for the encryption operation, violating the requirement that keys never be sent to AWS.

191
MCQhard

A company uses AWS CloudHSM to generate and store encryption keys for a custom application. The security team is concerned about key durability and wants to ensure that keys are not lost if the HSM fails. Which action should be taken?

A.Create a multi-region CloudHSM cluster
B.Store the keys in a file on an encrypted EBS volume
C.Use AWS KMS to import the keys from CloudHSM
D.Regularly back up the HSM to an Amazon S3 bucket and restore to a new cluster if needed
AnswerD

CloudHSM allows backup to S3 and restoration.

Why this answer

Option D is correct because CloudHSM durability is handled through cluster backups: the service takes backups periodically and when keys change (into S3 storage it manages, not a bucket you own), and a backup can be restored into a new cluster, including in another Region after the backup is copied there. Option A is wrong because a CloudHSM cluster is confined to one Region. Option B is wrong because keys generated in the HSM never leave it in plaintext and cannot be written to a file.

Option C is wrong because KMS cannot import keys out of CloudHSM; the supported integration runs the other way, a KMS custom key store backed by the cluster.

192
MCQhard

A company uses Amazon RDS for MySQL with encryption at rest enabled using AWS KMS. They need to ensure that automated backups and snapshots are also encrypted. Which configuration is required?

A.No additional configuration is needed; backups are encrypted automatically.
B.Manually encrypt each snapshot with a separate KMS key.
C.Create a new KMS key and assign it to the backup configuration.
D.Enable encryption on the RDS instance after creation.
AnswerA

Encrypted RDS instances automatically encrypt backups and snapshots.

Why this answer

Option A is correct because automated backups, manual snapshots and read replicas of an encrypted RDS instance are encrypted with the same KMS key; nothing is configured separately. Option C is wrong because there is no backup-specific encryption setting; the key is chosen when the instance is created.

Option B is wrong because snapshots inherit encryption automatically; a different key only comes into play when you copy a snapshot (for example to another Region) and choose a key there. Option D is wrong because encryption cannot be enabled on an existing instance; that requires an encrypted snapshot copy and a restore.

193
MCQeasy

A company needs to securely store database credentials that are used by an application running on Amazon EC2. The credentials must be automatically rotated every 90 days. Which AWS service should be used?

A.AWS KMS
B.AWS Secrets Manager
C.AWS IAM roles for EC2
D.AWS Systems Manager Parameter Store
AnswerB

Secrets Manager supports automatic rotation of secrets.

Why this answer

Option B is correct because AWS Secrets Manager stores credentials encrypted with KMS and rotates them on a schedule through a Lambda rotation function, with ready-made templates for RDS. Option D is wrong because Systems Manager Parameter Store can hold encrypted SecureString values but has no built-in rotation; you would have to write it yourself. Option C is wrong because an IAM role gives the instance permission to fetch the secret; it cannot store a database password.

Option A is wrong because KMS manages encryption keys, not application secrets.

194
MCQeasy

A company uses AWS CloudTrail to log data events for S3 buckets. They notice that some S3 object-level API calls are not being logged. Which configuration could be the cause?

A.The trail is not configured to log data events for the S3 bucket.
B.The trail is configured to log management events only.
C.The trail is using a CloudWatch Logs log group for delivery.
D.The trail is configured to log read events only.
AnswerA

Data events must be enabled for S3 object-level logging.

Why this answer

CloudTrail trails must be explicitly configured to log data events for S3 buckets. Data events are high-volume operations (e.g., GetObject, PutObject, DeleteObject) and are not captured by default. If the trail is not configured to log data events for the specific S3 bucket, those object-level API calls will not appear in the CloudTrail logs.

Exam trap

The trap here is that candidates often confuse management events (which are logged by default) with data events (which require explicit configuration), leading them to incorrectly assume that all S3 API calls are automatically captured by CloudTrail.

How to eliminate wrong answers

Option B is wrong because management events (e.g., CreateBucket, DeleteBucket) are logged by default, but they do not include object-level API calls; object-level calls are data events, which require separate configuration. Option C is wrong because delivering logs to a CloudWatch Logs log group is a delivery destination option and does not affect which events are logged; it only changes where logs are sent. Option D is wrong because configuring the trail to log read events only would still capture read data events (e.g., GetObject) but not write data events (e.g., PutObject); the question states that some object-level API calls are not being logged, which could be due to not logging data events at all, not just a read/write filter.

195
MCQhard

A company uses AWS KMS to encrypt data in Amazon S3. They need to audit all KMS key usage for an S3 bucket. Which AWS service should be used to capture KMS Decrypt API calls?

A.Amazon S3 server access logs
B.Amazon VPC Flow Logs
C.AWS CloudTrail
D.AWS CloudWatch Logs
AnswerC

CloudTrail records all KMS API calls, including Decrypt, for auditing.

Why this answer

AWS CloudTrail captures API calls to AWS services, including KMS Decrypt. CloudTrail logs can be delivered to S3 for analysis. Option C is correct.

CloudWatch Logs can receive logs but does not directly capture KMS API calls; S3 server access logs do not include KMS decryption events; VPC Flow Logs capture network traffic, not API calls.

196
MCQmedium

A company is designing a data protection strategy for its Amazon RDS for PostgreSQL database. The database contains sensitive customer data. Compliance requirements mandate that all backups be encrypted at rest and that the encryption keys be rotated annually. Which solution meets these requirements?

A.Create an encrypted read replica of the RDS instance and use the replica for backups.
B.Use S3 server-side encryption with a customer managed key for automated backups. Configure lifecycle policies to rotate the key.
C.Enable encryption at rest on the RDS instance using an AWS managed KMS key. The key will be rotated automatically every year.
D.Enable encryption at rest on the RDS instance using a customer managed KMS key. Enable automatic key rotation in KMS.
AnswerD

Customer managed KMS key allows you to enable automatic annual rotation.

Why this answer

Option D is correct because encryption at rest on the RDS instance uses the chosen KMS key, automated backups and snapshots inherit that key, and automatic rotation can be enabled on a customer managed key to meet the annual rotation requirement. Option C is wrong because although AWS managed keys are rotated every year, the customer cannot enable or configure that rotation, so it cannot be managed against the policy.

Option B is wrong because RDS backups are not objects in a customer S3 bucket, so S3 server-side encryption and lifecycle policies do not apply to them. Option A is wrong because a read replica does not change how the source instance's backups are encrypted.

197
Multi-Selecthard

A company is using AWS KMS to encrypt data at rest. The security team needs to ensure that keys cannot be deleted before a retention period. Which THREE steps should be taken? (Choose three.)

Select 3 answers
A.Enable AWS CloudTrail to log key deletion events.
B.Set up Amazon CloudWatch alarms to notify on kms:ScheduleKeyDeletion events.
C.Create an IAM policy that denies kms:ScheduleKeyDeletion.
D.Enable automatic key rotation.
E.Schedule key deletion with a waiting period (e.g., 7 days).
AnswersA, B, E

CloudTrail provides audit logs to detect deletion attempts.

Why this answer

Options A, B and E are correct. Scheduling deletion always imposes a waiting period of 7 to 30 days during which the key is unusable but the deletion can be cancelled, CloudTrail records every ScheduleKeyDeletion call, and a CloudWatch alarm on those events gives the team time to cancel before the period ends. Option C is incorrect because an IAM deny on kms:ScheduleKeyDeletion prevents deletion outright rather than enforcing a retention period (although, applied as an SCP, it is a sensible preventive control alongside the detective ones).

Option D is incorrect because automatic rotation changes key material; it has nothing to do with whether the key can be deleted.
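The detective side of this question in working form: the filter below walks CloudTrail records, keeps the KMS events that take a key out of service, and computes when a scheduled deletion will complete so it can be compared against a retention date. This is example code added for this page, not an AWS library; the records are constructed samples in CloudTrail's JSON shape, and the key ARNs, account ID and principal names are placeholders.

```python
"""Detect KMS key destruction in CloudTrail records (example code, not from AWS)."""
from datetime import datetime, timedelta, timezone

# KMS event names that take a key out of service; GenerateDataKey etc. are ignored.
DESTRUCTIVE_EVENTS = {
    "ScheduleKeyDeletion": "deletion scheduled",
    "DisableKey": "key disabled",
    "DeleteImportedKeyMaterial": "imported key material deleted",
}

KEY_PREFIX = "arn:aws:kms:us-east-1:123456789012:key/"  # placeholder account/Region

SAMPLE_RECORDS = [  # constructed sample records, not real log data
    {
        "eventTime": "2024-03-01T10:00:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "ScheduleKeyDeletion",
        "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice"},
        "requestParameters": {"keyId": KEY_PREFIX + "1111", "pendingWindowInDays": 7},
    },
    {
        "eventTime": "2024-03-01T10:05:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "GenerateDataKey",
        "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc"},
        "requestParameters": {"keyId": KEY_PREFIX + "1111"},
    },
    {
        "eventTime": "2024-03-01T11:00:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "DisableKey",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"keyId": KEY_PREFIX + "2222"},
    },
    {   # an attempt that an SCP blocked; still worth an alert
        "eventTime": "2024-03-02T09:30:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "ScheduleKeyDeletion",
        "errorCode": "AccessDenied",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"},
        "requestParameters": {"keyId": KEY_PREFIX + "3333", "pendingWindowInDays": 30},
    },
]


def _parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_key_destruction(records, retention_until=None):
    """Return one finding per destructive KMS event.

    retention_until: ISO 8601 UTC timestamp ("YYYY-MM-DDTHH:MM:SSZ") before which
    no key may finish deleting. A successful ScheduleKeyDeletion whose waiting
    period ends before that date is flagged so it can be cancelled in time.
    """
    deadline = _parse_time(retention_until) if retention_until else None
    findings = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in DESTRUCTIVE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        when = _parse_time(rec["eventTime"])
        finding = {
            "event": name,
            "key": params.get("keyId"),
            "principal": rec["userIdentity"]["arn"],
            "time": when,
            "denied": "errorCode" in rec,
            "completes_at": None,
            "violates_retention": False,
        }
        if name == "ScheduleKeyDeletion":
            # KMS enforces a waiting period of 7 to 30 days; 30 when not specified.
            days = int(params.get("pendingWindowInDays", 30))
            finding["completes_at"] = when + timedelta(days=days)
            if deadline is not None and not finding["denied"]:
                finding["violates_retention"] = finding["completes_at"] < deadline
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_key_destruction(SAMPLE_RECORDS, retention_until="2024-06-01T00:00:00Z"):
        print(f["event"], f["key"], f["principal"], "denied" if f["denied"] else "", f["completes_at"])
```

The denied attempt is kept deliberately: a principal trying to schedule deletion and being stopped by an SCP is the signal the alarm in option B exists for, and the errorCode field is how CloudTrail tells the two cases apart.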

198
MCQhard

A financial services company stores sensitive customer data in Amazon RDS for MySQL. The compliance team mandates that all database backups must be encrypted at rest. The current configuration uses a customer managed KMS key for encryption. However, during a recent audit, it was discovered that some automated backups are not encrypted. What is the MOST likely cause?

A.The KMS key used for encryption was disabled during the backup window.
B.The automated backups are stored in an unencrypted S3 bucket.
C.The automated backup encryption setting was turned off separately.
D.The DB instance was created without enabling encryption at rest.
AnswerD

If the DB instance is not encrypted, automated backups are not encrypted.

Why this answer

Option D is correct because automated backups inherit the encryption state of the DB instance; an instance created without encryption produces unencrypted backups no matter which KMS key exists in the account. Option B is wrong because RDS manages backup storage itself and encrypts it with the instance's key when the instance is encrypted; there is no customer bucket to misconfigure. Option C is wrong because there is no separate backup encryption toggle.

Option A is wrong because disabling the key does not produce unencrypted backups; it makes the instance and its backups inaccessible until the key is re-enabled.

199
MCQhard

A company uses AWS Secrets Manager to rotate secrets for its RDS database. The rotation fails periodically, and the security team needs to troubleshoot. Which CloudWatch metric should be monitored to detect rotation failures?

A.AWS/KMS: KeyUsage
B.AWS/SecretsManager: SecretRotationSucceeded
C.AWS/Lambda: Invocations
D.AWS/RDS: DatabaseConnections
AnswerB

This metric indicates rotation success or failure.

Why this answer

Option B is correct because it is the listed metric that reports the rotation outcome directly. Option A is incorrect because KMS usage metrics say nothing about rotation. Option C is incorrect because Lambda invocation counts do not distinguish success from failure, and the rotation function's own errors appear in its logs rather than in the invocation count.

Option D is incorrect because RDS connection counts do not report Secrets Manager rotation status. In practice the first place to look is CloudTrail, where Secrets Manager records RotationStarted, RotationSucceeded, RotationFailed and RotationAbandoned events, followed by the rotation function's CloudWatch Logs log group.

200
MCQmedium

A healthcare company stores sensitive patient data in Amazon S3. The security team has implemented a data protection strategy that includes S3 default encryption using SSE-KMS with a customer managed key. They also use S3 Object Lock to prevent deletion. Recently, an administrator accidentally deleted the KMS key used for encryption. As a result, all objects in the bucket are now inaccessible. The company has a backup of the key material but does not have the original key ID. Which action should the team take to restore access to the data?

A.Use the backup key material directly in an application to decrypt objects without KMS.
B.Import the key material into a new KMS key and re-encrypt all objects using S3 Batch Operations.
C.Create a new KMS key with the same key ID using the backup material.
D.Restore the deleted KMS key from the CloudHSM backup.
AnswerB

You can create a new key and re-encrypt objects, but you need the original key material to decrypt first.

Why this answer

Option B is the intended answer, but it only works while the old key can still decrypt. KMS never lets you choose a key ID: importing the saved material creates a new key with a new ARN, and a ciphertext is bound to the key that produced it, so the new key cannot unwrap the data keys S3 stored with the objects. Because S3 Batch Operations must decrypt each object before re-encrypting it under the new key, the realistic sequence is to cancel the scheduled deletion (kms:CancelKeyDeletion is possible during the 7 to 30 day waiting period) or re-enable a disabled key, and then copy the objects to the new key. Once a deletion has actually completed, the objects are unrecoverable. Option A is wrong because S3 stores the per-object data keys wrapped in a KMS ciphertext format that only KMS can unwrap, so raw key material is of no use outside KMS.

Option C is wrong because key IDs are assigned by KMS and cannot be chosen or reused. Option D is wrong because CloudHSM backups only apply to CloudHSM clusters and keys in a custom key store, not to a standard KMS key.

201
MCQhard

A security engineer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket via a VPC endpoint. The bucket policy allows access only from the VPC endpoint. The instance has an IAM role that grants s3:GetObject on the bucket. The EC2 instance receives an AccessDenied error. What is the most likely cause?

A.The IAM role does not have sufficient permissions.
B.The bucket policy does not include the aws:SourceVpce condition.
C.The VPC endpoint policy is blocking the request.
D.The EC2 instance's security group does not allow outbound traffic to S3.
AnswerB

Without this condition, the bucket policy that restricts to VPC endpoint may not match the request, causing AccessDenied.

Why this answer

Option B is correct. A bucket policy that restricts access to requests arriving through a specific gateway endpoint does so with a condition on aws:SourceVpce (or aws:SourceVpc). If that condition is absent or names the wrong endpoint ID, the Deny statement matches the instance's request and S3 returns AccessDenied even though the IAM role allows s3:GetObject.

Option A is wrong because the role already grants s3:GetObject, and an explicit deny in the bucket policy overrides any allow. Option C is less likely because the default endpoint policy allows all access; it would have to have been changed deliberately. Option D is wrong because a security group that blocks the traffic produces a connection timeout, not an AccessDenied response from S3. Note that a Deny with StringNotEquals on aws:SourceVpce also matches requests that carry no endpoint ID at all, including console and other internet-path traffic, which is a common way to lock administrators out of a bucket.
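Both of the bucket policy patterns discussed in questions 188 and 201 are easy to get subtly wrong, and both can be checked before deployment without touching AWS. The evaluator below is example code added for this page, not an AWS library: it models only what these two policies use (an explicit Deny, action matching, and the StringEquals, StringNotEquals and Null operators), treats every request as targeting the bucket's resources, and uses a placeholder bucket name and endpoint ID. Its handling of a missing condition key follows IAM's behaviour for negated operators, which is what makes the VPC-endpoint Deny also block console traffic.

```python
"""Evaluate explicit-Deny bucket policy statements offline (example code, not from AWS)."""

BUCKET_ARN = "arn:aws:s3:::example-bucket"  # placeholder
ENDPOINT_ID = "vpce-0123456789abcdef0"       # placeholder endpoint ID

# Question 188: require SSE-S3 on every upload. The Null statement makes the
# "header absent" case explicit rather than relying on StringNotEquals alone.
SSE_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": BUCKET_ARN + "/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
        },
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": BUCKET_ARN + "/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}

# Question 201: allow access only through one gateway endpoint.
VPCE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAccessOutsideVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": ENDPOINT_ID}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_true(operator, key, expected, ctx):
    """Evaluate one condition key against the request context."""
    values = _as_list(expected)
    present = key in ctx
    if operator == "StringEquals":
        return present and ctx[key] in values
    if operator == "StringNotEquals":
        # A negated operator matches when the key is absent from the request,
        # so this Deny also covers console and other non-endpoint traffic.
        return (not present) or ctx[key] not in values
    if operator == "Null":
        want_absent = str(values[0]).lower() == "true"
        return present != want_absent
    raise ValueError(f"operator not modelled: {operator}")


def _action_matches(pattern, action):
    return any(
        p == "*" or p == action or (p.endswith("*") and action.startswith(p[:-1]))
        for p in _as_list(pattern)
    )


def denying_sids(policy, action, ctx):
    """Return the Sids of Deny statements that match this request.

    An explicit deny wins over every allow, so a non-empty result means the
    request is refused regardless of the caller's IAM permissions.
    """
    hits = []
    for st in policy["Statement"]:
        if st["Effect"] != "Deny" or not _action_matches(st["Action"], action):
            continue
        conds = st.get("Condition", {})
        if all(_condition_true(op, k, v, ctx) for op, kv in conds.items() for k, v in kv.items()):
            hits.append(st["Sid"])
    return hits


if __name__ == "__main__":
    print(denying_sids(SSE_S3_POLICY, "s3:PutObject", {}))                   # both Sids
    print(denying_sids(SSE_S3_POLICY, "s3:PutObject", {"s3:x-amz-server-side-encryption": "AES256"}))
    print(denying_sids(VPCE_ONLY_POLICY, "s3:GetObject", {"aws:SourceVpce": "vpce-0fedcba9876543210"}))
```

The last call reproduces the failure in question 201: the instance's request arrives through an endpoint whose ID does not match the one named in the policy, so the Deny matches and S3 answers AccessDenied.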

202
MCQhard

A security engineer is designing a solution to protect sensitive data in an Amazon RDS for MySQL database. The data must be encrypted at rest using a key stored in AWS KMS. Additionally, the database must support automated backups and cross-region disaster recovery. Which architecture meets these requirements?

A.Launch an unencrypted RDS instance, then use AWS DMS to replicate data to an encrypted instance in another region.
B.Launch an unencrypted RDS instance, then enable encryption using the AWS Console after creation.
C.Launch an encrypted RDS instance using the default KMS key, then export the database to S3 and copy to another region.
D.Launch an encrypted RDS instance using a customer-managed KMS key. Enable automated backups and create a cross-region read replica.
AnswerD

Encrypted RDS supports encrypted backups and cross-region replicas.

Why this answer

Option D is correct because an encrypted RDS instance encrypts its automated backups and snapshots with the same key, and a cross-Region read replica can be created from it; the replica must be encrypted with a KMS key that lives in the destination Region, which a customer managed key (or a multi-Region key replica) provides. Option B is wrong because encryption cannot be enabled on an existing instance; it requires an encrypted snapshot copy and a restore. Option C is wrong because exporting to S3 is a manual, point-in-time copy rather than a DR replica, and the AWS managed key cannot be used in another Region.

Option A is wrong because DMS replication leaves the source instance unencrypted, which violates the encryption-at-rest requirement.

203
MCQhard

A company runs a critical application on Amazon EC2 instances that store sensitive data on EBS volumes. The security team has enabled EBS encryption by default for the region. However, after a recent security audit, it was discovered that some EBS volumes are not encrypted. The team finds that these volumes were created before the default encryption setting was enabled. The company's security policy mandates that all EBS volumes must be encrypted at rest, and the process must minimize downtime. The application cannot tolerate more than 5 minutes of downtime. The EC2 instances are running production workloads. What should the security engineer do to remediate the unencrypted volumes?

A.Enable encryption on the existing EBS volumes directly from the console
B.Create a new encrypted EBS volume, detach the unencrypted volume, and attach the new encrypted volume to the instance. Then copy data from a backup.
C.Stop the instance, create an encrypted snapshot of the unencrypted volume, restore a new encrypted volume from the snapshot, and start the instance
D.Launch a new EC2 instance with an encrypted EBS volume, migrate the application to the new instance, and terminate the old instance
AnswerB

Correct: This minimizes downtime and achieves encryption.

Why this answer

Option B is correct because it allows creating a new encrypted volume and attaching it to the instance without significant downtime (a few minutes for detachment/attachment). Option A is wrong because enabling encryption on an existing volume is not supported. Option C is wrong because stopping the instance and creating an encrypted snapshot/volume would cause more downtime (stop/start).

Option D is wrong because migrating to a new instance would require additional setup and likely more downtime.

204
MCQeasy

Refer to the exhibit. A KMS key policy is shown. An IAM role named 'DataProcessor' in account 123456789012 is trying to encrypt data using this key. The role also has an IAM policy that allows kms:Encrypt on the key. Will the encryption succeed?

A.Yes, because the IAM policy alone is sufficient
B.Yes, because the key policy allows the role and the IAM policy also allows
C.No, because the key policy must include a condition for the role
D.No, because the role is in a different account
AnswerB

Both policies grant permission.

Why this answer

Option B is correct because the key policy explicitly allows the DataProcessor role to call kms:Encrypt, the role's IAM policy allows it as well, and with no explicit deny the request succeeds. Option C is wrong because a key policy statement that names the role's ARN as the principal needs no further condition. Option D is wrong because the role is in account 123456789012, the same account as the key.

Option A is wrong because an IAM policy alone is sufficient only when the key policy delegates to IAM (the default statement granting kms:* to the account root); the key policy is always consulted, and here it is the key policy that allows the role.

205
MCQhard

A company has a critical application that stores sensitive data in Amazon DynamoDB. The security team requires that all data stored in DynamoDB is encrypted at rest using a customer-managed KMS key. Additionally, they want to ensure that the key can be rotated automatically every year. Which combination of actions should be taken?

A.Use a CloudHSM key store and enable automatic rotation
B.Use a customer-managed KMS key and enable automatic key rotation
C.Use an AWS managed KMS key and enable automatic key rotation
D.Enable encryption on the existing DynamoDB table and use a customer-managed KMS key
AnswerB

Correct: DynamoDB supports customer-managed KMS keys and KMS automatic rotation.

Why this answer

Option B is correct because DynamoDB encryption at rest can use a customer managed KMS key, and automatic yearly rotation can be enabled on that key. Option A is wrong because keys in a CloudHSM custom key store do not support automatic rotation. Option C is wrong because the AWS managed key aws/dynamodb is rotated by AWS; the customer cannot enable or configure it.

Option D is incomplete because it says nothing about rotation; every DynamoDB table is already encrypted at rest, and an existing table can be switched to a customer managed key with UpdateTable, so "enable encryption" is not the action the requirement calls for.

206
Multi-Selecteasy

A company is designing a data protection strategy for Amazon S3. Which TWO of the following are valid methods to protect data at rest in S3?

Select 2 answers
A.S3 Versioning
B.S3 bucket policies
C.MFA Delete
D.Server-side encryption with S3-managed keys (SSE-S3)
E.Server-side encryption with AWS KMS (SSE-KMS)
AnswersD, E

Encrypts data at rest.

Why this answer

Server-side encryption with S3-managed keys (SSE-S3) encrypts data at rest using AES-256, with Amazon S3 managing the encryption/decryption process and key rotation automatically. This is a valid method to protect data at rest in S3 because it ensures objects are encrypted before being written to disk and decrypted when accessed, without requiring any additional client-side logic or key management overhead.

Exam trap

The trap here is that candidates often confuse data protection features like versioning or access controls (bucket policies, MFA Delete) with encryption mechanisms, assuming they provide data-at-rest protection when they do not.

207
MCQeasy

A company stores data in Amazon S3 and wants to ensure that objects are encrypted at rest. The security team decides to use server-side encryption with AWS KMS (SSE-KMS). Which additional benefit does SSE-KMS provide over SSE-S3?

A.Faster encryption and decryption
B.Lower cost per object
C.Separate permissions for key usage and audit of key usage
D.Stronger encryption algorithm
AnswerC

KMS provides granular control and logging.

Why this answer

Option C is correct because with SSE-KMS the key policy and IAM control who may decrypt, and each use of the key is recorded in CloudTrail, giving an audit trail that SSE-S3 does not provide. Option A is wrong because both options use AES-256 inside S3; speed is not the differentiator. Option B is wrong because SSE-KMS adds KMS request charges (reduced, not removed, by S3 Bucket Keys).

Option D is wrong because SSE-S3 uses the same AES-256 algorithm.

208
MCQhard

A company uses AWS CloudTrail to log API activity. The security team wants to ensure that log files are encrypted at rest and that any tampering with logs is detectable. Which combination of services should be used?

A.Enable CloudTrail and configure S3 bucket to use default encryption and enable S3 server access logs.
B.Enable CloudTrail log file SSE-KMS encryption and enable CloudTrail log file integrity validation.
C.Use AWS CloudHSM to generate keys and encrypt CloudTrail logs at the application layer.
D.Enable CloudTrail log file encryption using SSE-S3 and store logs in CloudWatch Logs.
AnswerB

SSE-KMS encrypts logs; integrity validation detects tampering.

Why this answer

Option B is correct because a trail can encrypt delivered log files with SSE-KMS, and log file integrity validation makes CloudTrail deliver hourly digest files, signed with an RSA private key, that list the SHA-256 hash of every log file delivered in that hour and reference the previous digest; aws cloudtrail validate-logs recomputes the hashes and checks the signature chain to detect modified, deleted or forged files. Option D is wrong because CloudWatch Logs offers no integrity validation of delivered files. Option A is wrong because server access logs record requests to the bucket; they do not detect changes to log content.

Option C is wrong because CloudHSM has no direct integration with CloudTrail.
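The hash check at the heart of log file integrity validation, in working form. This is example code added for this page, not AWS's validator: it builds the logFiles section of a digest the way the service does at delivery time (SHA-256 over each object's bytes exactly as stored, which for CloudTrail means the gzip file) and then re-verifies it after an attacker edits one file and deletes another. Bucket name, object keys and the log records are constructed placeholders. The real digest additionally carries an RSA signature and the previous digest's signature, which must be verified against the public key from aws cloudtrail get-public-key to close the chain; that step is deliberately outside this example.

```python
"""Recompute CloudTrail digest log-file hashes over stored objects (example code, not from AWS)."""
import gzip
import hashlib
import json

BUCKET = "example-trail-bucket"  # placeholder
KEY_A = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/03/01/a.json.gz"  # placeholder keys
KEY_B = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/03/01/b.json.gz"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_object(records: list) -> bytes:
    """CloudTrail delivers log files gzip-compressed; mtime=0 keeps the bytes stable."""
    return gzip.compress(json.dumps({"Records": records}).encode(), mtime=0)


def build_digest(stored: dict) -> dict:
    """The logFiles section of a digest, one entry per delivered object."""
    return {
        "digestS3Bucket": BUCKET,
        "logFiles": [
            {
                "s3Bucket": BUCKET,
                "s3Object": key,
                "hashAlgorithm": "SHA-256",
                "hashValue": sha256_hex(body),
            }
            for key, body in sorted(stored.items())
        ],
    }


def verify_log_hashes(digest: dict, stored: dict) -> dict:
    """Return {s3Object: 'ok' | 'tampered' | 'missing'} for every file the digest covers.

    A file the digest lists but the bucket no longer holds is reported as
    missing; that is how deletion is detected, since the digest is the only
    record that the file ever existed.
    """
    result = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        body = stored.get(key)
        if body is None:
            result[key] = "missing"
        elif sha256_hex(body) == entry["hashValue"]:
            result[key] = "ok"
        else:
            result[key] = "tampered"
    return result


def demo():
    """Verify a clean bucket, then the same bucket after tampering."""
    stored = {  # constructed log contents
        KEY_A: make_log_object([{"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion"}]),
        KEY_B: make_log_object([{"eventSource": "s3.amazonaws.com", "eventName": "GetObject"}]),
    }
    digest = build_digest(stored)

    tampered = dict(stored)
    tampered[KEY_A] = make_log_object([])  # the incriminating record is scrubbed
    del tampered[KEY_B]                    # another file is deleted outright

    return verify_log_hashes(digest, stored), verify_log_hashes(digest, tampered)


if __name__ == "__main__":
    clean, after_tampering = demo()
    print("clean bucket:", clean)
    print("after tampering:", after_tampering)
```

Because the digest file itself is signed, an attacker who edits a log file must also forge the digest, and forging the digest requires CloudTrail's private key; that is why the signature check, not only the hash comparison, is what makes the scheme tamper-evident.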

209
MCQeasy

A company needs to encrypt data at rest in Amazon EBS volumes. They want to use an AWS managed key that is automatically rotated. Which encryption option should they choose?

A.Use SSE-S3.
B.Enable EBS encryption by default using the AWS managed key for Amazon EBS.
C.Use a customer-managed KMS key with automatic rotation enabled.
D.Use client-side encryption.
AnswerB

The AWS managed key for EBS is automatically rotated by AWS.

Why this answer

Option B is correct because enabling EBS encryption by default using the AWS managed key for Amazon EBS (alias `aws/ebs`) ensures data at rest is encrypted with a key that is automatically rotated on an annual basis, as required. This key is managed by AWS and requires no manual intervention for rotation, meeting the company's need for a managed, automatically rotated key.

Exam trap

The trap here is that candidates often confuse 'AWS managed key' with 'customer-managed KMS key with automatic rotation enabled,' but the key distinction is that a customer-managed key is not an AWS managed key—it is managed by the customer, even if rotation is automated.

How to eliminate wrong answers

Option A is wrong because SSE-S3 is an encryption option for Amazon S3, not for Amazon EBS volumes; it uses S3-managed keys and is irrelevant to EBS encryption. Option C is wrong because while a customer-managed KMS key can have automatic rotation enabled, it is not an AWS managed key—it is customer-managed, meaning the customer retains control and responsibility, which does not satisfy the requirement for an AWS managed key. Option D is wrong because client-side encryption occurs before data reaches AWS and does not use an AWS managed key; it requires the customer to manage encryption keys locally, contradicting the need for an AWS managed, automatically rotated key.

210
MCQ · hard

Refer to the exhibit. A security engineer is reviewing the CloudWatch Logs configuration for a Lambda function. The log group is encrypted with a customer managed key. The engineer needs to ensure that only the Lambda service can write logs to this log group and that only a specific IAM role can read logs. Which additional configuration is required?

A. Attach a resource-based policy to the log group that allows only the Lambda service to write logs
B. Create an S3 bucket policy to allow only Lambda to write to the log group
C. Assign an IAM role to the log group that has permission to write logs
D. Add a condition to the KMS key policy that uses kms:ViaService to restrict encryption/decryption to logs.amazonaws.com and a condition that the Lambda function is the source
Answer: D

Allows log service only when Lambda is the source.

Why this answer

CloudWatch Logs uses a service-linked role to write logs. To restrict writing to the Lambda service, you need to add a condition to the key policy that allows the logs service only when the request comes from Lambda. Option D is correct.

Option B is incorrect because a bucket policy is for S3. Option A is incorrect because resource-based policies on log groups are for cross-account access, not for restricting write access. Option C is incorrect because IAM roles cannot be assigned to log groups.

211
MCQ · easy

A company wants to protect sensitive data stored in an Amazon EBS volume. The volume is attached to an EC2 instance. Which action should be taken to ensure data at rest is encrypted?

A. Enable encryption on the existing EBS volume
B. Use an instance store volume that supports encryption
C. Encrypt the data at the application layer before writing to the volume
D. Enable EBS encryption by default for the region and create a new encrypted volume
Answer: D

Correct: Enabling EBS encryption by default encrypts new volumes.

Why this answer

Option D is correct because you can enable EBS encryption by default for the region, which automatically encrypts new volumes. Option A is wrong because you cannot encrypt an existing volume directly; you must create a snapshot and restore it as an encrypted volume. Option C is wrong because encryption at the application layer is not a storage encryption method.

Option B is wrong because instance store volumes are not persistent and their encryption is not managed by EBS.

212
MCQ · hard

A company stores sensitive data in Amazon DynamoDB and uses AWS KMS with a customer managed key for encryption. The security team wants to ensure that only specific applications can access the table data. Which policy configuration should be used?

A. In the KMS key policy, allow the application role to perform kms:Decrypt.
B. In the KMS key policy, allow the role to decrypt with a condition kms:ViaService = dynamodb.<region>.amazonaws.com.
C. Use a KMS grant to allow the application to use the key.
D. Attach an IAM policy to the application role allowing dynamodb:GetItem and kms:Decrypt.
Answer: B

This restricts key usage to requests coming from DynamoDB.

Why this answer

Option B is correct because the kms:ViaService condition restricts key usage to requests that arrive through DynamoDB, while the key policy grants decrypt to the role. Option D is wrong because an IAM policy alone is insufficient; the key policy must also allow the role. Option A is wrong because it does not restrict usage to DynamoDB.

Option C is wrong because grants are not typically used for service-level restrictions.

213
MCQ · easy

The above CLI output shows the encryption configuration for an S3 bucket. What type of encryption is enabled by default?

A. SSE-C
B. Client-side encryption
C. SSE-KMS
D. SSE-S3
Answer: D

SSE-S3 uses AES256 encryption.

Why this answer

Option D is correct because AES256 refers to SSE-S3 encryption. Option C is incorrect because SSE-KMS is shown as 'aws:kms'. Option A is incorrect because SSE-C is not set as a default.

Option B is incorrect because client-side encryption is not a server-side feature.

214
Multi-Select · easy

A company wants to protect data stored in Amazon S3 Glacier. The data must be encrypted at rest and the encryption keys must be rotated annually. Which TWO options meet these requirements?

Select 2 answers
A. Use SSE-KMS with a customer-managed key that has automatic key rotation enabled.
B. Use AWS CloudHSM to generate a key and encrypt data before uploading to Glacier.
C. Use client-side encryption with the Amazon S3 encryption client.
D. Use SSE-C with keys stored in AWS Secrets Manager and rotate keys annually.
E. Use the default encryption provided by S3 Glacier (SSE-S3).
Answers: A, E

KMS CMK with automatic rotation meets the requirement.

Why this answer

Option E is correct because Glacier automatically encrypts data at rest using SSE-S3 with keys rotated annually by AWS. Option A is correct because SSE-KMS with automatic key rotation also meets the requirement. Option D is wrong because SSE-C does not provide automatic rotation.

Option B is wrong because CloudHSM requires manual rotation. Option C is wrong because client-side encryption does not use S3's server-side encryption.

215
Multi-Select · medium

A security engineer is designing a data protection strategy for an S3 bucket that contains sensitive documents. The bucket is accessed by multiple IAM users and roles. Which TWO actions will help protect the data at rest and in transit?

Select 2 answers
A. Enable S3 Access Logs and send them to a separate account
B. Add a bucket policy that denies requests without aws:SecureTransport
C. Enable MFA Delete on the S3 bucket
D. Enable default encryption on the S3 bucket using SSE-S3 or SSE-KMS
E. Use pre-signed URLs for all access
Answers: B, D

This enforces HTTPS for data in transit.

Why this answer

Options B and D are correct. Enabling default encryption (D) ensures data at rest is encrypted. Enforcing HTTPS with the aws:SecureTransport condition (B) protects data in transit.

Option C is incorrect because MFA Delete protects against deletion, not data in transit or at rest. Option A is incorrect because S3 Access Logs are for auditing, not protection. Option E is incorrect because pre-signed URLs still use HTTPS if it is enforced, but they do not protect data at rest.

216
MCQ · hard

A company uses AWS KMS to encrypt secrets stored in AWS Secrets Manager. The security team wants to audit all KMS key usage, including attempts to use the key without proper authorization. Which AWS service should the team use to meet this requirement?

A. Amazon GuardDuty
B. AWS Config
C. AWS CloudTrail
D. Amazon CloudWatch Logs
Answer: C

CloudTrail records all KMS API operations for auditing.

Why this answer

Option C is correct because AWS CloudTrail logs all KMS API calls, including Decrypt, Encrypt, GenerateDataKey, and any authorization failures. Option D is wrong because CloudWatch Logs is for monitoring log data, not for capturing API calls. Option A is wrong because Amazon GuardDuty is a threat detection service that does not log KMS API calls.

Option B is wrong because AWS Config tracks resource configuration changes, not API calls.

217
MCQ · medium

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to enforce that all S3 PUT requests include an encryption context that matches a specific key-value pair. Which S3 bucket policy condition key should be used?

A. kms:EncryptionContextKeys
B. kms:ViaService
C. s3:x-amz-server-side-encryption
D. s3:PutObjectEncryption
Answer: A

This condition key enforces that the encryption context includes specific key-value pairs.

Why this answer

Option A is correct because kms:EncryptionContextKeys is the condition key that allows you to require a specific encryption context in KMS operations. Option C is wrong because s3:x-amz-server-side-encryption is for requiring SSE. Option B is wrong because kms:ViaService is for restricting KMS usage to a specific AWS service.

Option D is wrong because s3:PutObjectEncryption is not a valid condition key.

218
MCQ · easy

Refer to the exhibit. A security engineer runs the command shown and gets the output. What does this output indicate about the bucket's encryption configuration?

A. The bucket does not allow unencrypted objects.
B. The bucket has default encryption enabled using SSE-KMS.
C. The bucket requires all objects to be encrypted with SSE-KMS.
D. The bucket has default encryption enabled using SSE-S3.
Answer: D

AES256 indicates SSE-S3.

Why this answer

The output shows default encryption is set to SSE-S3 (AES256). This means new objects will be encrypted with SSE-S3 unless a different encryption header is provided. Option D is correct.

Option B is wrong because the default is SSE-S3, not SSE-KMS. Option A is wrong because default encryption does not prevent client-side encryption. Option C is wrong because the bucket does not enforce SSE-KMS.

219
MCQ · medium

A company uses AWS KMS to encrypt data in Amazon DynamoDB. The table has a TTL attribute that triggers automatic deletion of expired items. The security team is concerned that deleted items may still be recoverable. What should the team do to ensure that deleted items are cryptographically erased and cannot be recovered?

A. Delete the KMS customer master key (CMK) used to encrypt the table after verifying no other data depends on it.
B. Disable the KMS key to prevent decryption of deleted items.
C. Configure DynamoDB TTL to encrypt the items before deletion.
D. Create a backup of the table and then delete the table.
Answer: A

Deleting the CMK renders the encrypted data unrecoverable, providing cryptographic erasure.

Why this answer

Option A is correct. To cryptographically erase data, you must delete the KMS key that was used to encrypt it. However, deleting a KMS key is irreversible and may affect other data.

Option B is wrong because disabling the key prevents decryption, but the encrypted data still exists. Option C is wrong because the TTL deletion does not encrypt the data. Option D is wrong because DynamoDB backups are separate; you need to delete the key or the data.

220
MCQ · easy

A security engineer needs to ensure that an Amazon RDS for MySQL database is encrypted at rest. Which action should be taken?

A. Use a client-side encryption tool to encrypt data before writing to the database.
B. Use AWS KMS to encrypt individual databases within the instance.
C. Enable encryption on an existing unencrypted DB instance.
D. Create a new DB instance with encryption enabled.
Answer: D

RDS encryption is enabled at creation time; it encrypts the underlying storage.

Why this answer

Option D is correct because enabling encryption on the DB instance at creation time encrypts the database at rest. Option C is incorrect because encryption cannot be enabled on an existing unencrypted DB instance. Option B is incorrect because encryption is not applied per database.

Option A is incorrect because RDS encryption does not require a client-side tool.

221
MCQ · easy

A company wants to protect data at rest for an Amazon RDS for PostgreSQL database. Which AWS service should be used to manage the encryption keys?

A. AWS CloudHSM
B. AWS Key Management Service (KMS)
C. AWS Certificate Manager (ACM)
D. AWS Secrets Manager
Answer: B

KMS manages keys for RDS encryption.

Why this answer

Amazon RDS for PostgreSQL integrates with AWS Key Management Service (KMS) to enable encryption at rest. When you enable encryption for an RDS DB instance, KMS manages the customer master keys (CMKs) that encrypt the data keys used by the storage layer. This is the standard, fully managed key management service for RDS encryption, supporting automatic key rotation and fine-grained access control.

Exam trap

The trap here is that candidates confuse AWS Secrets Manager (which manages secrets like passwords) with KMS (which manages encryption keys), leading them to select Secrets Manager for key management instead of the correct service for RDS encryption at rest.

How to eliminate wrong answers

Option A is wrong because AWS CloudHSM provides hardware security modules for key generation and storage but does not integrate directly with RDS for encryption at rest; RDS relies on KMS for key management, not CloudHSM. Option C is wrong because AWS Certificate Manager (ACM) handles SSL/TLS certificates for securing data in transit, not encryption keys for data at rest. Option D is wrong because AWS Secrets Manager is designed to rotate and manage database credentials and other secrets, not to manage the encryption keys used for RDS storage encryption.

222
MCQ · hard

Refer to the exhibit. An administrator is investigating why an application that uses KMS for encryption is failing. The IAM role used by the application has the following policy attached: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ] }. What is the most likely cause of the failure?

A. The KMS key has been deleted
B. The IAM policy does not specify the correct key ARN
C. The IAM policy does not allow the kms:Decrypt action
D. The KMS key is disabled
Answer: D

A disabled key cannot be used for decryption.

Why this answer

Option D is correct because the key is disabled, so decryption fails. Option C is wrong because the policy allows kms:Decrypt. Option B is wrong because the policy specifies the correct key ARN.

Option A is wrong because the key still exists.

223
MCQ · medium

A company is using AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt the data. What is the MOST secure way to enforce this?

A. Attach an IAM policy to the role granting kms:Decrypt
B. Configure the KMS key policy with a condition that allows only the role to decrypt
C. Disable the KMS key and re-enable it only when the role needs to decrypt
D. Configure an S3 bucket policy that denies all principals except the role
Answer: B

Key policy can restrict decryption to a specific role.

Why this answer

Option B is correct: a key policy with a condition that allows only the specified role to decrypt is the most secure way to enforce this. Option D is wrong because a bucket policy alone does not control KMS key usage. Option A is wrong because IAM policies can be attached to any user or role and are not restrictive enough on their own.

Option C is wrong because disabling the key is too restrictive.

224
MCQ · medium

A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which key type meets this requirement?

A. AWS managed key (aws/s3)
B. Customer managed key with manual rotation
C. Asymmetric customer managed key
D. Imported key material in a customer managed key
Answer: A

AWS managed keys are automatically rotated annually.

Why this answer

AWS managed keys (aws/s3) are automatically rotated every year. Customer managed keys (CMKs) can be rotated manually or automatically, but the question asks for automatic rotation. Option A is correct because AWS managed keys are automatically rotated.

Option B is incorrect because a customer managed key with manual rotation is not rotated automatically unless automatic rotation is enabled. Option D is incorrect because imported key material does not support automatic rotation. Option C is incorrect because asymmetric keys are not automatically rotated.

225
MCQ · hard

A company uses Amazon EBS volumes for EC2 instances. Security policy requires that all EBS volumes be encrypted at rest. The company already has a default KMS key for EBS encryption. However, some new volumes are created without encryption. What is the most efficient way to enforce encryption for all new EBS volumes?

A. Use AWS CloudTrail to monitor volume creation and send alerts
B. Create an AWS Config rule to detect unencrypted volumes and trigger a Lambda function to encrypt them
C. Use a custom AMI that enforces encryption
D. Enable EBS encryption by default in the EC2 console or via the API
Answer: D

This setting ensures all new volumes are encrypted automatically.

Why this answer

Option D (setting the EBS encryption by default flag at the account level) is correct because it forces all new volumes to be encrypted using the default KMS key. Option A is wrong because it requires manual intervention. Option C is wrong because it requires creating a custom volume type.

Option B is wrong because detecting and remediating after creation is reactive, not preventive.
