CCNA Data Protection Questions

75 of 303 questions · Page 4/5 · Data Protection topic · Answers revealed

226
Multi-Select · medium

A security engineer is designing a data protection strategy for a healthcare application that stores Protected Health Information (PHI) in an S3 bucket. The bucket is accessed by multiple AWS services, including Athena and SageMaker. Which TWO actions should the engineer take to ensure encryption at rest and in transit? (Choose two.)

Select 2 answers
A. Enable default encryption on the S3 bucket using SSE-S3.
B. Enable S3 bucket default encryption using AES-256.
C. Use AWS CloudHSM to generate and store encryption keys for S3.
D. Set up Kinesis Data Firehose to encrypt data before writing to S3.
E. Configure a bucket policy that denies requests not using aws:SecureTransport.
Answers: B, E

AES-256 encryption (SSE-S3) encrypts data at rest.

Why this answer

Option E is correct because a bucket policy that denies requests without HTTPS (aws:SecureTransport) ensures encryption in transit. Option B is correct because enabling bucket default encryption with SSE-S3 or SSE-KMS ensures encryption at rest. Option A is wrong because, while default encryption provides at-rest encryption, it does not enforce encryption in transit.

Option C (CloudHSM) is not necessary for S3 encryption and adds complexity. Option D is wrong because Kinesis Data Firehose is not directly relevant to S3 encryption.

227
MCQ · medium

A company wants to securely share an Amazon S3 object with an external partner. The partner needs to download the object using an HTTP GET request. The object must be accessible for only 24 hours. What is the most secure way to grant access?

A. Create a new IAM user with read access to the object and share the access key and secret key.
B. Make the object publicly readable and share the object URL.
C. Generate a presigned URL for the object with an expiration of 24 hours.
D. Create a new IAM user with read access to the object, then generate a presigned URL for the object.
Answer: C

Presigned URLs grant temporary access without exposing credentials.

Why this answer

Option C is correct because presigned URLs provide time-limited access to specific S3 objects without sharing AWS credentials. Option B is wrong because making the object public violates security. Option A is wrong because sharing the access key/secret is insecure.

Option D is wrong because presigned URLs already handle access; creating a new user is unnecessary and less secure.

228
MCQ · medium

A company uses AWS CloudHSM to store encryption keys. The security team wants to ensure that keys stored in CloudHSM are backed up and can be restored in another AWS Region. What is the BEST approach?

A. Enable automatic cross-region replication on the CloudHSM cluster
B. Copy the HSM user credentials and use them in the new region
C. Use AWS Backup to back up the CloudHSM cluster and restore in another region
D. Export the security domain from the source cluster and import it into a new cluster in the target region
Answer: D

Correct: Exporting and importing the security domain allows key recovery.

Why this answer

Option D is correct because CloudHSM allows you to export the cluster's security domain and then use it to restore the cluster in another region. Option A is wrong because CloudHSM does not automatically replicate across regions. Option B is wrong because copying HSM credentials is insufficient to restore keys.

Option C is wrong because CloudHSM has no direct integration with AWS Backup.

229
MCQ · medium

A financial services company runs a web application on Amazon EC2 instances behind an Application Load Balancer. The application processes credit card numbers and stores them in an Amazon RDS for PostgreSQL database. The database is encrypted at rest using AWS KMS. The security team is concerned about data in transit between the ALB and EC2 instances, and between EC2 and RDS. They also want to ensure that the application never logs the full credit card number. The current setup: ALB terminates SSL using a certificate from AWS Certificate Manager (ACM). EC2 instances are in a private subnet. RDS is in a private subnet. The application logs to CloudWatch Logs. The security team reviews the logs and finds full credit card numbers in the logs. Which of the following actions should the security engineer take to address the data protection issues?

A. Create a CloudWatch Logs subscription filter to redact credit card numbers from the logs after they are sent to CloudWatch
B. Enable RDS encryption with a new KMS key and enforce that all connections to RDS use SSL
C. Modify the application to use TLS when connecting to RDS and update the application code to mask or truncate credit card numbers before logging
D. Enable encryption in transit between the ALB and EC2 by using HTTPS listeners and configure the ALB to re-encrypt traffic to EC2 using a self-signed certificate on each instance
Answer: C

Addresses both encryption in transit and data leakage via logs.

Why this answer

Option C is the best because it addresses both encryption in transit (using TLS between EC2 and RDS) and logging (masking credit card numbers in application code). Option D only adds encryption in transit but does not fix logging. Option A is about processing logs after they are written, not protection.

Option B is about encryption at rest, not in transit or logging.

230
Multi-Select · medium

A company stores sensitive data in Amazon S3. The security team needs to ensure that data is encrypted at rest and that access is logged. Which TWO actions meet these requirements?

Select 2 answers
A. Enable VPC Flow Logs for the VPC
B. Enable S3 server access logs
C. Enable AWS CloudTrail to log data events
D. Enable default encryption on the S3 bucket
E. Enable AWS IAM Access Analyzer
Answers: B, D

Server access logs record requests to the bucket.

Why this answer

Option D (Enable default encryption on the bucket) and Option B (Enable S3 server access logs) are correct. Default encryption ensures data is encrypted at rest. Server access logs record requests to the bucket.

Option C is wrong because CloudTrail is for API calls, not data events by default. Option A is wrong because VPC Flow Logs capture network traffic, not S3 access. Option E is wrong because IAM Access Analyzer is for analyzing resource policies, not logging access.

231
MCQ · medium

A company is designing a data protection strategy for Amazon EBS volumes. They want to automate the creation of point-in-time snapshots for all production volumes and retain them for 90 days. Which solution meets these requirements with the least operational overhead?

A. Write a script using the AWS CLI that creates snapshots and runs on a schedule via cron on an EC2 instance
B. Use Amazon Data Lifecycle Manager (DLM) to create a policy that takes snapshots daily and retains them for 90 days
C. Use an AWS Lambda function triggered by CloudWatch Events to create snapshots and delete old ones
D. Use AWS Backup to create a backup plan for EBS volumes with a 90-day retention
Answer: B

Automated, native solution.

Why this answer

Amazon Data Lifecycle Manager (DLM) is designed to automate EBS snapshot creation and retention, so Option B is correct. Option A is manual, Option D is a general backup service (though it also works), and Option C adds custom code that must be maintained.

232
MCQ · hard

A company uses AWS KMS to encrypt data in Amazon S3. Security team wants to ensure that only specific IAM roles can decrypt objects. Which KMS key policy configuration should be used?

A. Attach an IAM policy to the role that allows kms:Decrypt, and leave the KMS key policy with default settings.
B. In the key policy, use a Principal element specifying the role ARN, and allow kms:Decrypt.
C. Use a grant for the role to allow kms:Decrypt for S3 operations.
D. In the key policy, use a Condition block with kms:ViaService set to s3.<region>.amazonaws.com and allow kms:Decrypt for the role.
Answer: D

This restricts decryption requests to come via S3 service, meeting the requirement.

Why this answer

Option D is correct because the kms:ViaService condition restricts key usage to requests coming from S3, and the IAM role's permission to decrypt is granted via the key policy, not just the IAM policy. Option A is wrong because without the key policy granting decrypt, the IAM policy alone is insufficient. Option B is wrong because it grants blanket access to the role without the S3 service restriction.

Option C is wrong because it doesn't restrict to a specific role.

233
MCQ · medium

A company stores sensitive data in Amazon S3 and wants to ensure that all objects are encrypted at rest. The security team has enabled default encryption on the S3 bucket using SSE-S3. However, an audit reveals that some objects are stored with SSE-KMS. How can the company enforce that only SSE-S3 is used for all future uploads, while still allowing existing SSE-KMS objects to be read?

A. Configure a bucket policy that denies s3:PutObject with s3:x-amz-server-side-encryption-aws:kms.
B. Use an S3 Lifecycle policy to transition existing SSE-KMS objects to SSE-S3.
C. Apply a bucket policy that denies s3:PutObject unless the x-amz-server-side-encryption header is AES256.
D. Disable SSE-KMS in the AWS KMS key policy to prevent its use.
Answer: C

This policy enforces SSE-S3 for uploads without affecting reads of existing objects.

Why this answer

Option C is correct because it uses a bucket policy to deny s3:PutObject unless the x-amz-server-side-encryption header is set to AES256, which is the value for SSE-S3. This enforces that all future uploads use SSE-S3, while existing SSE-KMS objects remain readable because the policy only applies to write operations. The condition key s3:x-amz-server-side-encryption checks the encryption header value, and the Deny effect overrides any Allow, ensuring compliance.

Exam trap

The trap here is that candidates confuse the condition key s3:x-amz-server-side-encryption with s3:x-amz-server-side-encryption-aws:kms, or think that default encryption can be overridden by a bucket policy without explicitly denying non-compliant uploads.

How to eliminate wrong answers

Option A is wrong because it denies s3:PutObject with s3:x-amz-server-side-encryption-aws:kms, but the correct condition key is s3:x-amz-server-side-encryption (not -aws:kms), and SSE-KMS is indicated by the header value 'aws:kms'; also, this would block SSE-KMS uploads but does not enforce SSE-S3, leaving the bucket open to unencrypted uploads. Option B is wrong because S3 Lifecycle policies cannot change the encryption type of existing objects; they can only transition objects to different storage classes or expire them, not re-encrypt them. Option D is wrong because disabling SSE-KMS in the KMS key policy would prevent reading existing SSE-KMS objects (since decryption requires the key), and it does not enforce SSE-S3 for future uploads.

234
Multi-Select · easy

Which TWO AWS services provide key management for encryption at rest? (Choose 2.)

Select 2 answers
A. AWS Systems Manager Parameter Store
B. AWS CloudHSM
C. AWS Certificate Manager (ACM)
D. AWS Key Management Service (KMS)
E. AWS Secrets Manager
Answers: B, D

Dedicated HSM for key management.

Why this answer

AWS Key Management Service (KMS) is a managed service that makes it easy to create and control customer master keys (CMKs) used for encrypting data at rest across AWS services like S3, EBS, and RDS. AWS CloudHSM provides dedicated hardware security modules (HSMs) that allow you to manage your own encryption keys in a tamper-resistant hardware appliance, meeting FIPS 140-2 Level 3 compliance for key storage and cryptographic operations. Both services directly provide key management for encryption at rest, with KMS offering integrated key rotation and auditing via AWS CloudTrail, while CloudHSM gives you full control over the HSM appliance and keys.

Exam trap

The trap here is that candidates often confuse AWS Secrets Manager or Systems Manager Parameter Store as key management services because they store encrypted secrets, but they are secret storage services that rely on KMS for encryption and do not provide independent key management for encryption at rest.

235
MCQ · medium

A company stores sensitive data in an S3 bucket with default encryption (SSE-S3) enabled. A security audit reveals that objects are being accessed by users from unexpected IP addresses. The company wants to enforce that only objects encrypted with a specific KMS key (managed by the security team) can be accessed. Which combination of actions should be taken?

A. Use SSE-C and distribute the customer key to authorized users only.
B. Modify the bucket policy to deny PutObject and GetObject unless the request includes the specific KMS key ID in the 'x-amz-server-side-encryption-aws-kms-key-id' header.
C. Enable S3 Block Public Access and use AWS WAF to filter IP addresses.
D. Apply an S3 Lifecycle policy to transition objects to Glacier after 30 days.
Answer: B

This enforces use of the specific KMS key for all operations.

Why this answer

Option B is correct because using a bucket policy to deny access unless the request includes the specific KMS key via the 's3:x-amz-server-side-encryption-aws-kms-key-id' condition key enforces the requirement. Option A is wrong because SSE-C is not auditable in the same way. Option C is wrong because it does not provide key-level control.

Option D is wrong because it does not restrict access based on encryption key.

236
MCQ · easy

A company is migrating sensitive customer data to Amazon RDS for MySQL. The security team requires that data be encrypted at rest and in transit. The database will be accessed by a web application running on Amazon EC2 instances in the same VPC. The RDS instance is launched with encryption enabled using an AWS managed KMS key. The security team also enables SSL/TLS for connections. Which additional step is necessary to ensure that the web application uses encrypted connections?

A. Enable encryption at rest on the EC2 instance's EBS volumes.
B. Create an SCP to enforce SSL connections to RDS.
C. Configure the web application's database connection string to use SSL/TLS.
D. Grant the EC2 instance's IAM role permission to use the KMS key for decrypting RDS connections.
Answer: C

The client must explicitly request an SSL connection; otherwise, the connection may be unencrypted.

Why this answer

Option C is correct because even though SSL/TLS is enabled on the RDS instance, the client application must be configured to use SSL when connecting. Option A is wrong because enabling encryption at rest does not affect in-transit encryption. Option B is wrong because an SCP does not enforce application-level settings.

Option D is wrong because the RDS instance already uses a managed KMS key; no additional KMS permissions are needed for SSL/TLS.

237
MCQ · hard

A financial company uses AWS KMS to encrypt sensitive data. The security team notices that a KMS key has been deleted, but the encrypted data is still needed for a short period. What is the fastest way to make the data decryptable again?

A. Contact AWS Support to recover the key material
B. Cancel the key deletion within the waiting period
C. Restore the key from a CloudHSM backup
D. Re-encrypt the data with a new KMS key
Answer: B

KMS allows cancelling deletion during the waiting period.

Why this answer

Option B is correct because KMS has a waiting period of 7-30 days during which the deletion can be cancelled. Option A is wrong because once deleted, the key cannot be recovered after the waiting period. Option D is wrong because re-encrypting requires the original key.

Option C is wrong because the previous key material is gone.

238
Multi-Select · medium

A company needs to encrypt data at rest for an Amazon RDS for Oracle database. The database is deployed in a Multi-AZ configuration. The company also wants to encrypt automated backups and snapshots. Which TWO steps should the security team take?

Select 2 answers
A. Enable encryption at rest when launching the RDS instance.
B. Modify the DB instance to enable encryption after creation.
C. Ensure that the 'Encryption at rest' setting also encrypts automated backups and snapshots.
D. Enable encryption at rest on the existing RDS instance via a modification.
E. Specify a KMS key after the instance is launched.
Answers: A, C

Encryption must be enabled at launch.

Why this answer

Option A is correct because encryption must be enabled at launch; it cannot be added later. Option C is correct because enabling encryption at rest automatically encrypts backups and snapshots. Option B is wrong because encryption cannot be enabled on an existing unencrypted instance.

Option D is wrong because encryption must be enabled at launch, not after. Option E is wrong because the KMS key must be specified at launch; it can be changed later only for certain engines.

239
Multi-Select · medium

Which TWO of the following are valid methods to protect data in transit between an on-premises data center and AWS? (Choose two.)

Select 2 answers
A. Amazon CloudFront with HTTPS-only viewer protocol policy
B. AWS Site-to-Site VPN
C. VPC Peering
D. S3 Transfer Acceleration
E. AWS Direct Connect with encryption (MACsec)
Answers: B, E

Site-to-Site VPN uses IPSec to encrypt all traffic between on-premises and AWS.

Why this answer

Options B and E are correct. AWS VPN creates an encrypted tunnel over the internet. Direct Connect with encryption (MACsec or IPSec) provides a private connection with encryption.

Option C is wrong because VPC Peering does not encrypt traffic. Option D is wrong because S3 Transfer Acceleration only speeds up transfers; it does not encrypt. Option A is wrong because CloudFront uses HTTPS at the edge, but the origin connection may not be encrypted unless configured.

240
MCQ · hard

A security engineer examines the above output. The company requires automatic yearly key rotation. What should the engineer do?

A. Run 'aws kms enable-key-rotation --key-id 1234abcd-12ab-34cd-56ef-1234567890ab'
B. Use AWS CloudHSM to generate a new key and rotate manually.
C. Replace the key with an AWS managed key.
D. Import key material and enable automatic rotation.
Answer: A

This enables automatic yearly rotation for a customer managed key.

Why this answer

Option A is correct because the key is a customer managed key (KeyRotationEnabled: false indicates it's not an AWS managed key). Enabling automatic rotation is done via the enable-key-rotation command. Option C is incorrect because AWS managed keys have rotation enabled by default.

Option B is incorrect because using CloudHSM is not necessary. Option D is incorrect because importing key material does not enable rotation.

241
MCQ · easy

A company uses Amazon S3 to store confidential documents. The security team wants to ensure that all objects are encrypted at rest using server-side encryption with AES-256. Which S3 encryption option should be used?

A. SSE-C
B. SSE-KMS
C. SSE-S3
D. Client-side encryption
Answer: C

SSE-S3 uses AES-256 encryption.

Why this answer

Server-Side Encryption with S3-Managed Keys (SSE-S3) uses AES-256, so Option C is correct. SSE-C uses customer-provided keys, SSE-KMS uses KMS keys, and client-side encryption is done by the customer.

242
MCQ · medium

Refer to the exhibit. An S3 bucket policy is shown. An administrator uploads an object to 'example-bucket' without specifying any encryption header. What is the outcome?

A. The upload fails with an Access Denied error
B. The object is uploaded and encrypted with the bucket's default encryption settings
C. The object is encrypted with SSE-KMS automatically
D. The object is uploaded without encryption
Answer: A

The condition denies PutObject when encryption is not AES256.

Why this answer

Option A is correct because the condition denies uploads if the encryption header is not 'AES256'. Since no header is specified, the StringNotEquals condition evaluates to true and the request is denied. Option B is wrong because the upload fails.

Option C is wrong because SSE-KMS is not mentioned. Option D is wrong because the condition checks the header, not the bucket default encryption.

243
MCQ · easy

A company runs a workload on Amazon EC2 that needs to access an Amazon S3 bucket to store sensitive data. The security team wants to ensure that the data is encrypted at rest in S3 without requiring any changes to the application. The application currently uses the AWS SDK to upload objects. Which solution meets the requirement with the LEAST operational overhead?

A. Configure an S3 bucket policy that denies uploads without encryption.
B. Modify the application to use client-side encryption with KMS.
C. Enable S3 default encryption on the bucket using SSE-S3.
D. Use a KMS key policy to require encryption for the bucket.
Answer: C

Default encryption encrypts all objects automatically without application changes.

Why this answer

Option C is correct. Enabling S3 default encryption ensures all objects are encrypted at rest without application changes. Option B is wrong because client-side encryption requires application changes.

Option A is wrong because bucket policies do not perform encryption; they only let you deny unencrypted uploads, so the application would still need to include encryption headers. Option D is wrong because a KMS key policy is not a direct solution for encryption.

244
MCQ · hard

A security engineer is designing a data encryption solution for a multi-region application that uses Amazon S3. The solution must use envelope encryption with a key hierarchy that allows the application to encrypt data locally using a data key, while the data key is protected by a master key stored in AWS KMS. The application should be able to decrypt data even if connectivity to AWS KMS is temporarily lost. Which approach meets these requirements?

A. Use the KMS GenerateDataKey API to get a plaintext data key and encrypted data key. Store both; for decryption, call KMS Decrypt to get the plaintext key.
B. Use KMS GenerateDataKeyWithoutPlaintext to get only the encrypted data key. Store it; for decryption, call KMS Decrypt.
C. Use an AWS managed key to encrypt data directly without a data key.
D. Use KMS GenerateDataKey to obtain a plaintext data key and encrypted data key. Cache the plaintext key in memory; for decryption, use the cached key. If cache miss, call KMS Decrypt.
Answer: D

Caching allows decryption without KMS; meets requirement.

Why this answer

Option D is correct because by caching the plaintext data key, the application can decrypt locally without calling KMS. Option A would require KMS for decryption. Option B does not allow decryption without KMS.

Option C uses the wrong key type.

245
MCQ · hard

A company uses Amazon DynamoDB with client-side encryption using AWS KMS. The application is experiencing high latency on write operations. Which change is most likely to reduce latency?

A. Switch to server-side encryption with KMS
B. Increase the provisioned write capacity of the table
C. Use DynamoDB Accelerator (DAX)
D. Cache the data key locally and reuse it for multiple items
Answer: D

Reduces KMS API calls.

Why this answer

Option D is correct because client-side encryption with AWS KMS typically involves calling the KMS GenerateDataKey API to obtain a data key, which is then used to encrypt items locally. Each KMS API call adds network latency. By caching the data key locally and reusing it for multiple items, you eliminate repeated KMS round trips, significantly reducing per-write latency.

This is a well-known optimization for client-side encryption patterns.

Exam trap

The trap here is that candidates often confuse throughput capacity (Option B) with latency, or assume DAX (Option C) can accelerate writes, when in fact DAX only caches reads and does not affect write path latency.

How to eliminate wrong answers

Option A is wrong because switching to server-side encryption with KMS does not reduce write latency; it offloads encryption to DynamoDB but still incurs KMS overhead for each table write, and the latency issue is not caused by the encryption method itself. Option B is wrong because increasing provisioned write capacity addresses throughput throttling (e.g., ProvisionedThroughputExceededException), not the latency introduced by client-side encryption calls to KMS. Option C is wrong because DynamoDB Accelerator (DAX) is an in-memory cache for read operations only; it does not accelerate write operations or reduce encryption-related latency.

246
MCQ · easy

A company stores sensitive customer data in an S3 bucket. The security team wants to ensure that all data is encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). Which bucket policy statement should be added to deny uploads that do not use SSE-KMS?

A. {"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket-name/*"}
B. {"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket-name/*","Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption":"aws:kms"}}}
C. {"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket-name/*","Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption":"AES256"}}}
D. {"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket-name/*","Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption":"aws:kms"},"Null":{"s3:x-amz-server-side-encryption-aws-kms-key-id":"true"}}}
Answer: D

Correct condition keys and values to enforce SSE-KMS.

Why this answer

Option D is correct because it uses the 's3:x-amz-server-side-encryption' condition key set to 'aws:kms' to enforce SSE-KMS, and the 'Null' condition on the key ID to require that a KMS key is specified. Options A, B, and C use incorrect condition keys or values.

247
Multi-Select · medium

Which TWO of the following are best practices for protecting data in transit? (Choose TWO.)

Select 2 answers
A. Use a VPN for all traffic
B. Use HTTP for internal traffic
C. Enforce HTTPS for web traffic
D. Use SSL/TLS for all data transfers
E. Use encryption at rest
Answers: C, D

HTTPS uses TLS to encrypt web traffic.

Why this answer

Using TLS and enforcing HTTPS are best practices. Option E is wrong because encryption at rest does not protect data in transit. Option A is wrong because a VPN is not always needed.

Option B is wrong because HTTP is not secure.

248
MCQ · medium

A company is designing a data lake on Amazon S3. The data contains personally identifiable information (PII). The security team requires that all data be encrypted at rest and that access to the data is logged for auditing. Additionally, the team wants to ensure that if an object is accidentally deleted, it can be recovered within 30 days. Which combination of S3 features should be enabled?

A. Enable SSE-C, S3 Lifecycle policies, and CloudWatch Logs.
B. Enable SSE-KMS, S3 Versioning with MFA Delete, and S3 Inventory.
C. Enable SSE-KMS, S3 Versioning, and S3 Server Access Logs.
D. Enable default encryption (SSE-S3), S3 Versioning, and AWS CloudTrail.
Answer: C

SSE-KMS provides encryption and audit via CloudTrail; Versioning allows recovery; Access Logs record access.

Why this answer

Option C is correct because server-side encryption with KMS (SSE-KMS) provides encryption at rest with audit trails via CloudTrail, S3 Versioning allows recovery of deleted objects, and S3 Server Access Logs record access. Option D is wrong because default encryption (SSE-S3) does not provide key-specific audit. Option B is wrong because MFA Delete is not required for recovery.

Option A is wrong because lifecycle policies do not help with recovery.

249
MCQ · hard

A company is migrating on-premises data to AWS using AWS Snowball Edge. The data must be encrypted in transit and at rest. Which combination of steps should be taken?

A. Encrypt the data with a client-side tool before copying to Snowball Edge.
B. Set up a VPN connection to AWS and transfer data over the VPN.
C. Use AWS KMS to generate a key and apply it to the Snowball Edge device.
D. Use Snowball Edge with default encryption settings; data is encrypted at rest and in transit.
Answer: D

Snowball Edge uses AES-256 for at-rest encryption and TLS for in-transit encryption by default.

Why this answer

Option D is correct because Snowball Edge automatically encrypts data at rest using AES-256 and uses TLS for transfer. Option B is incorrect because a VPN is not used with Snowball. Option C is incorrect because KMS is not directly used for Snowball encryption.

Option A is incorrect because client-side encryption is not required by default.

250
MCQ · medium

A company uses Amazon RDS for MySQL with encryption at rest enabled. The security team needs to ensure that automated backups are also encrypted. How can this be achieved?

A. Manually encrypt each backup using AWS KMS before storing in S3
B. Enable encryption at rest on the RDS instance; backups are automatically encrypted
C. Use RDS Copy-on-Write to encrypt backups
D. Create an encrypted S3 bucket and store backups there
Answer: B

Encrypted RDS instances have encrypted backups.

Why this answer

Option B is correct because enabling encryption at rest on the RDS instance automatically encrypts backups. Option A is wrong because manual encryption of backups is not required. Option D is wrong because you cannot encrypt backups separately from the instance.

Option C is wrong because RDS does not support that feature.

251
MCQ · easy

A company needs to encrypt data in transit between an on-premises data center and Amazon S3. Which solution should they use?

A. Use AWS KMS to encrypt the data before transmission.
B. Use an S3 VPC endpoint.
C. Use HTTPS endpoints for S3 API calls.
D. Use S3 Transfer Acceleration.
Answer: C

HTTPS provides encryption in transit.

Why this answer

Option C is correct because HTTPS (HTTP over TLS) encrypts data in transit between the on-premises data center and Amazon S3 by using TLS 1.2/1.3 to secure the API calls. This ensures that all data transmitted over the network is encrypted end-to-end, protecting it from eavesdropping and man-in-the-middle attacks. AWS S3 enforces HTTPS for all API requests when using the default endpoint, and customers can also configure bucket policies to deny HTTP requests.

Exam trap

The trap here is that candidates often confuse encryption at rest (KMS) with encryption in transit, or assume that network-level features like VPC endpoints or Transfer Acceleration inherently provide encryption, when in fact they do not add transport-layer security beyond what HTTPS already provides.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a key management service for encrypting data at rest, not for encrypting data in transit; it does not provide transport-layer encryption during transmission. Option B is wrong because an S3 VPC endpoint (Gateway or Interface type) provides private connectivity to S3 over the AWS network but does not inherently encrypt data in transit; encryption must still be applied at the application layer (e.g., HTTPS). Option D is wrong because S3 Transfer Acceleration optimizes transfer speed by using AWS edge locations and the AWS global network, but it does not add encryption; it relies on the same HTTPS/TLS encryption used by standard S3 endpoints.

252
MCQ · hard

Refer to the exhibit. A security engineer configures the above KMS key policy. The DataAccess role is used by an application that runs on EC2 instances in the us-east-1 region. The application needs to read encrypted objects from an S3 bucket in the same region. Which of the following is true about this configuration?

A. The role can use the key for any S3 operation in any region.
B. The role cannot use the key for any operation because the condition is invalid.
C. The role can only encrypt data, not decrypt it.
D. The role can decrypt objects in S3, but cannot use the key outside of S3.
Answer: D

The condition restricts use to S3 service in us-east-1.

Why this answer

Option D is correct. The condition 'kms:ViaService' restricts the use of the key to requests that originate from S3 in us-east-1. This means the role can only use the key when the request comes through S3 (e.g., S3 GetObject with SSE-KMS).

Option A is wrong because the condition limits use to S3 in us-east-1, not any region. Option B is wrong because the condition is valid and allows usage via S3. Option C is wrong because the role does not have kms:Encrypt but has kms:GenerateDataKey, which is sufficient for S3 PutObject, so it can still encrypt data via S3 PutObject as well as decrypt.

253
MCQ · medium

A security engineer is tasked with ensuring that all data stored in an RDS DB instance is encrypted at rest. The database is already running and contains data. What should the engineer do?

A.Change the KMS key associated with the DB instance
B.Modify the DB instance to use an encrypted storage type
C.Create a snapshot of the DB instance, copy it with encryption, and restore the encrypted snapshot
D.Enable encryption at rest in the RDS console for the existing DB instance
Answer: C

This is the recommended method to enable encryption on an existing DB instance.

Why this answer

RDS does not support enabling encryption at rest on an existing DB instance. The correct approach is to create a snapshot, copy it with encryption, and restore the encrypted snapshot. Option C is correct.

Option A is incorrect because changing the KMS key does not enable encryption. Option B is incorrect because modifying the DB instance does not add encryption. Option D is incorrect because encryption cannot be enabled directly on an existing instance.

254
MCQ · medium

A company needs to encrypt data at rest in Amazon Redshift. They want to use an AWS KMS customer managed key. What is the correct procedure to enable encryption for an existing Redshift cluster?

A.Enable encryption using the Redshift console by selecting the KMS key.
B.Use the AWS CLI command 'aws redshift modify-cluster' with --encrypted flag.
C.Modify the cluster and enable encryption with the KMS key.
D.Take a snapshot of the cluster, restore it to a new cluster with encryption enabled, and point applications to the new cluster.
Answer: D

Snapshots can be restored to encrypted clusters.

Why this answer

Amazon Redshift does not support enabling encryption on an existing cluster directly. The only way to transition an unencrypted cluster to an encrypted one is to take a snapshot of the cluster, restore it to a new cluster with encryption enabled using a KMS customer managed key, and then redirect applications to the new cluster. This is because encryption settings are immutable after cluster creation.

Exam trap

The trap here is that candidates assume encryption can be toggled on an existing cluster via console or CLI commands, similar to services like RDS or EBS, but Redshift enforces encryption as a cluster-level immutable property.

How to eliminate wrong answers

Option A is wrong because the Redshift console does not allow enabling encryption on an existing cluster; encryption can only be specified at cluster creation or during a restore from snapshot. Option B is wrong because the 'aws redshift modify-cluster' command does not support the --encrypted flag; encryption cannot be modified on a running cluster. Option C is wrong because modifying the cluster to enable encryption with a KMS key is not a supported operation; encryption settings are immutable after creation.

255
Multi-Select · easy

A security engineer is designing a data protection strategy for an S3 bucket that contains sensitive data. The data must be encrypted at rest and the key material must be stored in a hardware security module (HSM) that is FIPS 140-2 Level 3 validated. Which TWO services can be used to meet these requirements?

Select 2 answers
A.S3 server-side encryption with customer-provided keys (SSE-C)
B.S3 server-side encryption with S3 managed keys (SSE-S3)
C.AWS CloudHSM
D.AWS KMS with custom key store backed by CloudHSM
E.AWS KMS with default key store
Answers: C, D

CloudHSM provides dedicated HSMs that are FIPS 140-2 Level 3 validated.

Why this answer

Options C and D are correct. AWS CloudHSM provides dedicated HSMs with FIPS 140-2 Level 3 validation. AWS KMS with a custom key store backed by CloudHSM allows using KMS with CloudHSM keys.

Option A is incorrect because SSE-C uses customer-provided keys, not an HSM. Option B is incorrect because SSE-S3 uses S3-managed keys, not an HSM. Option E is incorrect because default KMS keys are not backed by dedicated HSMs with Level 3 validation.

256
Multi-Select · hard

A company is using AWS Key Management Service (KMS) with a customer managed key. The security team needs to ensure that the key can be rotated automatically every year. Which TWO steps are required?

Select 2 answers
A.Enable AWS CloudTrail for the KMS key.
B.Enable automatic key rotation in the KMS console or API.
C.Ensure the key material is generated by AWS KMS, not imported.
D.Grant the KMS service principal permission to rotate the key.
E.Create the key as a customer managed key (CMK).
Answers: B, E

This enables yearly rotation.

Why this answer

The correct answers are B and E. Option B: Automatic key rotation can be enabled on the KMS key. Option E: The key must be a customer managed key because automatic rotation is not available for AWS managed keys.

Option A: CloudTrail logging is not a prerequisite for rotation. Option C: Imported key material cannot be automatically rotated. Option D: IAM permissions are not required for rotation.

257
MCQ · medium

Refer to the exhibit. An administrator applies this bucket policy to an S3 bucket. Which of the following statements describes the effect of this policy?

A.The policy denies all PutObject requests that do not specify SSE-KMS.
B.The policy allows uploads without encryption but denies uploads with SSE-KMS.
C.The policy allows unencrypted uploads but denies uploads with SSE-KMS.
D.The policy allows uploads with SSE-S3 but denies uploads with SSE-KMS.
Answer: A

Both statements ensure that only SSE-KMS uploads succeed.

Why this answer

Option A is correct. The first statement denies PutObject if the encryption header is not 'aws:kms'. The second statement denies PutObject if the encryption header is null (absent).

Together, they enforce that all uploads must use SSE-KMS. Options B and C are wrong because the policy does not allow unencrypted uploads, and it denies uploads that lack SSE-KMS rather than uploads that use it. Option D is wrong because the policy does not allow SSE-S3.

258
MCQ · hard

A healthcare company runs a HIPAA-compliant application on AWS. The application uses Amazon S3 to store Protected Health Information (PHI). The company has implemented the following controls: (1) All S3 buckets are configured with default encryption using SSE-S3. (2) Bucket policies restrict access to only authorized IAM roles. (3) S3 access logs are enabled and sent to a centralized logging account. (4) MFA Delete is enabled on all buckets. (5) Object lock is not enabled. Recently, an internal auditor discovered that when an authorized user deletes an object, the object is permanently deleted and cannot be recovered. The company's data retention policy requires that deleted PHI be recoverable for at least 30 days after deletion. A review of the IAM policies shows that users have s3:DeleteObject permission. The auditor also notes that the bucket versioning is not enabled. The security team needs to implement a solution that allows authorized users to delete objects but ensures that deleted objects can be recovered within 30 days. Which of the following is the MOST effective course of action?

A.Enable S3 Object Lock in Governance mode with a retention period of 30 days.
B.Enable S3 Versioning on the buckets and ensure that the IAM policies include s3:DeleteObjectVersion where appropriate.
C.Remove the s3:DeleteObject permission from all IAM policies and use S3 Lifecycle policies to expire objects after 30 days.
D.Change the default encryption from SSE-S3 to SSE-C and use a separate key for each object.
Answer: B

Versioning allows recovery of deleted objects via delete markers or version restoration.

Why this answer

Enabling S3 Versioning is the most effective solution because it preserves all object versions, including deleted objects (which become delete markers). With versioning enabled, authorized users can still use s3:DeleteObject to delete the current version, but the previous versions remain recoverable. Since the requirement is to recover deleted PHI within 30 days, versioning combined with a lifecycle policy to permanently delete old versions after 30 days would meet the retention policy without blocking immediate deletion.

Exam trap

The trap here is that candidates may think S3 Object Lock (Option A) is the only way to prevent deletion, but they overlook that versioning allows deletion with recoverability, which directly satisfies the requirement for authorized users to delete objects while retaining the ability to recover them within 30 days.

How to eliminate wrong answers

Option A is wrong because S3 Object Lock in Governance mode prevents any deletion (including overwrites) until the retention period expires, which conflicts with the requirement that authorized users can delete objects immediately. Option C is wrong because removing s3:DeleteObject permission and relying solely on lifecycle policies would prevent users from deleting objects on demand, violating the requirement that authorized users can delete objects. Option D is wrong because changing encryption to SSE-C has no effect on object deletion or recovery; encryption protects data at rest but does not provide versioning or retention capabilities.
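As an added example (not part of the question bank) of the versioning-plus-lifecycle approach described above, the Python below builds the lifecycle configuration that expires noncurrent versions after 30 days and, from a constructed ListObjectVersions response, identifies the delete marker to remove and the version that becomes current again. Object keys, version IDs and dates are constructed; the lifecycle dict follows the PutBucketLifecycleConfiguration request shape.

```python
from datetime import datetime, timezone

RETENTION_DAYS = 30  # recovery window required by the scenario

# Constructed, shaped like a boto3 list_object_versions() response: one object
# that was "deleted" (delete marker is the current version) and one that was not.
NOW = datetime(2024, 5, 20, tzinfo=timezone.utc)
SAMPLE_LIST_OBJECT_VERSIONS = {
    "Versions": [
        {"Key": "patient-123/record.json", "VersionId": "v2", "IsLatest": False,
         "LastModified": datetime(2024, 5, 1, tzinfo=timezone.utc)},
        {"Key": "patient-123/record.json", "VersionId": "v1", "IsLatest": False,
         "LastModified": datetime(2024, 4, 1, tzinfo=timezone.utc)},
        {"Key": "patient-456/record.json", "VersionId": "v9", "IsLatest": True,
         "LastModified": datetime(2024, 5, 15, tzinfo=timezone.utc)},
    ],
    "DeleteMarkers": [
        {"Key": "patient-123/record.json", "VersionId": "dm1", "IsLatest": True,
         "LastModified": datetime(2024, 5, 10, tzinfo=timezone.utc)},
    ],
}


def lifecycle_config_for_recovery_window(days: int = RETENTION_DAYS) -> dict:
    """Lifecycle configuration that permanently removes a version `days` after it
    became noncurrent and cleans up delete markers that no longer shadow any version.
    Current versions are untouched, so authorized users can still delete on demand."""
    return {
        "Rules": [
            {
                "ID": "expire-noncurrent-after-recovery-window",
                "Status": "Enabled",
                "Filter": {"Prefix": ""},
                "NoncurrentVersionExpiration": {"NoncurrentDays": days},
                "Expiration": {"ExpiredObjectDeleteMarker": True},
            }
        ]
    }


def _entries_for_key(entries, key):
    """Entries for `key`, newest first."""
    return sorted((e for e in entries if e["Key"] == key),
                  key=lambda e: e["LastModified"], reverse=True)


def recovery_plan(list_versions_response: dict, key: str, now: datetime,
                  days: int = RETENTION_DAYS) -> dict:
    """Work out how to recover `key` from a ListObjectVersions response.

    A delete on a versioned bucket does not remove data: it writes a delete marker
    as the current version and the previous version becomes noncurrent. Recovery is
    done by deleting the delete marker itself (DeleteObject with its VersionId),
    after which the newest remaining version is current again.
    """
    markers = _entries_for_key(list_versions_response.get("DeleteMarkers", []), key)
    versions = _entries_for_key(list_versions_response.get("Versions", []), key)
    latest_marker = markers[0] if markers and markers[0].get("IsLatest") else None
    if latest_marker is None:
        return {"deleted": False, "delete_marker_version_id": None,
                "restore_version_id": None, "days_left": None}
    if not versions:
        # Nothing left to restore: the noncurrent versions have already expired.
        return {"deleted": True, "delete_marker_version_id": latest_marker["VersionId"],
                "restore_version_id": None, "days_left": None}
    # The version became noncurrent when the delete marker was written; that is when
    # the NoncurrentDays clock of the lifecycle rule starts.
    elapsed = (now - latest_marker["LastModified"]).days
    return {
        "deleted": True,
        "delete_marker_version_id": latest_marker["VersionId"],
        "restore_version_id": versions[0]["VersionId"],
        "days_left": max(0, days - elapsed),
    }


if __name__ == "__main__":
    print(recovery_plan(SAMPLE_LIST_OBJECT_VERSIONS, "patient-123/record.json", NOW))
    print(recovery_plan(SAMPLE_LIST_OBJECT_VERSIONS, "patient-456/record.json", NOW))
```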

259
MCQ · medium

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. Which policy configuration should be used?

A.Use an S3 access point policy to restrict access
B.Attach an IAM policy to the role that allows kms:Decrypt with a condition on the source IP
C.Create a KMS grant for the IAM role with Decrypt permission
D.Add a bucket policy with a condition that the kms:ViaService is s3.amazonaws.com
Answer: D

This condition ensures decryption requests go through S3, and the IAM role can be the principal.

Why this answer

Option D (an S3 bucket policy with a condition on the kms:ViaService condition key) is correct because it restricts decryption to requests coming through S3. Option A is wrong because an access point policy is not needed; the bucket policy itself can carry the condition referencing the KMS key. Option B is wrong because a condition on the role's source IP does not restrict decryption to the specific role. Option C is wrong because a KMS grant is not the best practice for this scenario.

260
MCQ · easy

A company stores sensitive documents in an S3 bucket. The security team wants to ensure that any object uploaded to the bucket is automatically encrypted using server-side encryption with AWS KMS. Which S3 bucket feature should be configured?

A.Default encryption
B.Versioning
C.Bucket policy
D.Lifecycle policy
Answer: A

Default encryption applies server-side encryption to all objects uploaded.

Why this answer

Option A is correct because the default encryption setting on an S3 bucket can enforce SSE-KMS. Option B is incorrect because versioning does not enforce encryption. Option C is incorrect because bucket policies enforce access, not encryption. Option D is incorrect because lifecycle policies manage object lifecycle, not encryption.

261
Multi-Select · medium

A company wants to protect sensitive data in Amazon S3 from unauthorized access. Which TWO AWS services can be used to detect and alert on suspicious access patterns?

Select 2 answers
A.AWS CloudTrail
B.AWS Config
C.Amazon CloudWatch Logs
D.Amazon GuardDuty
E.Amazon Macie
Answers: A, E

Logs S3 API calls for analysis.

Why this answer

Options A and E are correct. AWS CloudTrail logs API calls for monitoring, and Amazon Macie uses machine learning to discover and protect sensitive data. Option B is wrong because Config is for compliance. Option C is wrong because CloudWatch Logs can store logs but not analyze access patterns without additional services. Option D is wrong because GuardDuty is for threat detection across accounts, not specifically for S3 data access.

262
MCQ · easy

A company is using Amazon S3 to store sensitive customer data. They need to ensure that data is encrypted at rest and that the encryption keys are managed by the company, not AWS. Which S3 encryption option should they use?

A.SSE-C
B.Client-side encryption
C.SSE-KMS
D.SSE-S3
Answer: A

SSE-C allows the customer to provide their own encryption keys, which are managed by the customer.

Why this answer

Option A is correct because SSE-C allows the customer to provide their own encryption keys and manage them. Option B is wrong because client-side encryption is not an S3 server-side encryption option. Option C is wrong because SSE-KMS uses AWS-managed KMS keys. Option D is wrong because SSE-S3 uses AWS-managed keys.

263
MCQ · medium

A company uses AWS Organizations and wants to enforce that all S3 buckets created in any account within the organization have default encryption enabled. Which policy should be used?

A.Use a bucket policy on each bucket to enforce encryption
B.Use a service control policy (SCP) to deny creation of buckets without default encryption
C.Use an IAM policy to require encryption on all bucket creation actions
D.Use AWS Config rules to automatically enable encryption on new buckets
Answer: B

SCPs can enforce rules across all accounts in the organization.

Why this answer

Option B (SCP) is correct because it can be applied to all accounts to enforce the requirement. Option A is wrong because a bucket policy is per bucket, not preventive. Option C is wrong because IAM policies are account-specific. Option D is wrong because AWS Config rules evaluate resources after creation rather than preventing it.

264
MCQ · medium

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. However, the current KMS key policy does not allow rotation. Which action should the security team take to meet the requirement?

A.Manually rotate the key by creating a new key and updating the S3 bucket policy.
B.Use an AWS managed key instead of a customer managed key.
C.Create a new customer managed key with imported key material and enable automatic rotation.
D.Enable automatic rotation on the existing customer managed key.
Answer: B

AWS managed keys are automatically rotated annually.

Why this answer

Option B is correct because AWS managed keys are automatically rotated annually. Option A is wrong because manual rotation does not satisfy the requirement for automatic yearly rotation. Option C is wrong because customer managed keys with imported key material do not support automatic rotation; they require manual rotation. Option D is wrong because it suggests enabling automatic rotation on the existing customer managed key, but the question states the key policy does not allow rotation, so the correct approach is to use an AWS managed key (or modify the policy).

265
MCQ · easy

A security engineer needs to ensure that all data in transit between an Application Load Balancer and EC2 instances is encrypted using TLS. Which configuration is required?

A.Configure the ALB with an HTTPS listener and the target group with HTTPS protocol.
B.Configure the ALB with an HTTPS listener and the target group with HTTP protocol.
C.Configure the ALB with a TLS listener and the target group with TCP protocol.
D.Configure the ALB with a TCP listener and the target group with HTTP protocol.
Answer: A

HTTPS listener provides encryption to clients; target group HTTPS encrypts traffic to EC2 instances.

Why this answer

The ALB must have a listener with a secure listener protocol (HTTPS) and the target group must specify HTTPS as the protocol to enable encryption between the ALB and the EC2 instances. Option A is correct.

266
MCQ · easy

A security engineer needs to ensure that data at rest in an Amazon RDS for PostgreSQL DB instance is encrypted. Which action should the engineer take?

A.Grant the rds:ModifyDBInstance permission to allow encryption toggling.
B.Modify the existing unencrypted DB instance to enable encryption.
C.Enable encryption automatically by enabling automated backups.
D.Create a new DB instance with encryption enabled using the AWS CLI or Console.
Answer: D

RDS encryption must be enabled at creation time.

Why this answer

Option D is correct because RDS encryption at rest is enabled by specifying the --storage-encrypted flag during creation. Option A is wrong because encryption at rest is independent of IAM permissions; granting rds:ModifyDBInstance does not make it toggleable. Option B is wrong because encryption can only be enabled at creation time; existing unencrypted instances cannot be encrypted without migration. Option C is wrong because enabling automated backups does not turn on encryption at rest; it is not enabled by default.

267
Multi-Select · hard

A company is designing a data protection solution for Amazon S3. They need to ensure that all objects are encrypted at rest and that any attempt to upload an unencrypted object is denied. Which THREE steps should they take? (Choose THREE.)

Select 2 answers
A.Enable versioning on the bucket.
B.Enable MFA Delete on the bucket.
C.Enable default encryption on the S3 bucket with SSE-S3 or SSE-KMS.
D.Add a bucket policy that denies s3:PutObject if the x-amz-server-side-encryption header is not present.
E.Enable S3 Block Public Access settings.
Answers: C, D

This automatically encrypts objects if no encryption header is provided.

Why this answer

Enabling S3 default encryption (Option C) ensures new objects are encrypted. Using a bucket policy to deny PutObject without encryption headers (Option D) enforces encryption. Enabling S3 Block Public Access (Option E) prevents public access but not unencrypted uploads.

Enabling MFA Delete (Option B) adds authentication for deletes. Enabling versioning (Option A) does not enforce encryption.
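As an added example covering questions 257 and 267 (not part of the question bank), the Python below embeds two constructed bucket policies, the two-statement SSE-KMS policy and the single-statement "header must be present" policy, and evaluates sample PutObject requests against their Deny conditions. The bucket name is a placeholder, and the evaluator is a constructed simplification that covers only the Null and StringNotEquals operators.

```python
from typing import Dict, Optional

SSE_KEY = "s3:x-amz-server-side-encryption"

# Constructed policy modelled on question 257: statement 1 denies PutObject when the
# encryption header carries any value other than "aws:kms"; statement 2 denies when the
# header is absent. The bucket name is a placeholder.
REQUIRE_SSE_KMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyWrongEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringNotEquals": {SSE_KEY: "aws:kms"}},
        },
        {
            "Sid": "DenyMissingEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Null": {SSE_KEY: "true"}},
        },
    ],
}

# Constructed policy modelled on question 267: only uploads with no encryption header
# are denied, so both SSE-S3 (AES256) and SSE-KMS (aws:kms) uploads pass.
REQUIRE_ANY_SSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Null": {SSE_KEY: "true"}},
        }
    ],
}


def condition_matches(operator: str, values: Dict[str, str], ctx: Dict[str, str]) -> bool:
    """Evaluate one condition operator block against the request context.

    Only the two operators these policies use are implemented. A key that is
    absent from the request matches Null:true but never matches StringNotEquals,
    which is why question 257's policy needs its second statement to catch
    uploads that send no encryption header at all.
    """
    for key, expected in values.items():
        actual = ctx.get(key)
        if operator == "Null":
            if (actual is None) != (expected == "true"):
                return False
        elif operator == "StringNotEquals":
            if actual is None or actual == expected:
                return False
        else:
            raise ValueError(f"unsupported condition operator: {operator}")
    return True


def put_object_is_denied(policy: dict, sse_header: Optional[str]) -> bool:
    """True if any Deny statement for s3:PutObject matches an upload whose
    x-amz-server-side-encryption header is `sse_header` (None = header absent)."""
    ctx: Dict[str, str] = {} if sse_header is None else {SSE_KEY: sse_header}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "s3:PutObject" not in actions:
            continue
        conditions = stmt.get("Condition", {})
        # Operators within one statement are ANDed; a statement with no
        # Condition block matches every request.
        if all(condition_matches(op, vals, ctx) for op, vals in conditions.items()):
            return True
    return False


def evaluate_uploads(policy: dict) -> Dict[str, bool]:
    """Map each sample upload to whether the policy denies it."""
    samples = {"no header": None, "SSE-S3 (AES256)": "AES256", "SSE-KMS (aws:kms)": "aws:kms"}
    return {name: put_object_is_denied(policy, hdr) for name, hdr in samples.items()}


if __name__ == "__main__":
    for name, policy in (("require SSE-KMS", REQUIRE_SSE_KMS_POLICY),
                         ("require any SSE", REQUIRE_ANY_SSE_POLICY)):
        print(name, evaluate_uploads(policy))
```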

268
MCQ · easy

A security engineer runs the command shown in the exhibit. What is the outcome?

A.The command fails because AES256 is not a valid algorithm.
B.Default encryption is enabled on the bucket using SSE-S3.
C.Default encryption is enabled on the bucket using SSE-KMS.
D.The command removes default encryption from the bucket.
Answer: B

SSEAlgorithm: AES256 means SSE-S3.

Why this answer

The command `aws s3api put-bucket-encryption --bucket my-bucket --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'` enables default encryption on the bucket using SSE-S3, because `AES256` is the algorithm identifier for SSE-S3 (Amazon S3-managed keys). The command succeeds and sets the default encryption configuration to use server-side encryption with S3-managed keys, which is the standard SSE-S3 behavior.

Exam trap

The trap here is that candidates confuse `AES256` with an invalid algorithm or assume it refers to SSE-KMS, but AWS specifically uses `AES256` as the identifier for SSE-S3, while `aws:kms` is used for SSE-KMS.

How to eliminate wrong answers

Option A is wrong because AES256 is a valid algorithm identifier for SSE-S3; it is not invalid, and the command does not fail due to algorithm validation. Option C is wrong because the algorithm identifier for SSE-KMS is `aws:kms`, not `AES256`; using `AES256` explicitly sets SSE-S3, not SSE-KMS. Option D is wrong because the command adds or updates default encryption, it does not remove it; removing default encryption requires a different API call (e.g., `delete-bucket-encryption`).

269
MCQ · easy

A company uses S3 Server Access Logs to audit access to their S3 buckets. The security team wants to ensure that the log files themselves are encrypted at rest using SSE-KMS. Which configuration step is necessary?

A.Use an S3 bucket policy to deny unencrypted uploads to the source bucket
B.Enable default encryption on the source bucket
C.Add a bucket policy on the destination bucket that grants the S3 log delivery service permission to use the KMS key
D.Configure the destination bucket with a lifecycle policy
Answer: C

Required for SSE-KMS on log delivery.

Why this answer

To encrypt S3 access logs with SSE-KMS, the bucket policy of the destination bucket must allow the S3 log delivery service to use the KMS key. Option C is correct. Option A is about uploads to the source bucket, Option B is about server-side encryption for the source bucket, and Option D (a lifecycle policy) is unnecessary.

270
MCQ · hard

A company is using AWS DMS to migrate data from an on-premises Oracle database to Amazon RDS for PostgreSQL. The data must be encrypted in transit. What should the company do?

A.Use AWS Direct Connect to establish a private connection.
B.Enable SSL on the source and target endpoints in the DMS task.
C.Use AWS KMS to encrypt the data before sending.
D.Set up a VPN connection between the on-premises network and AWS VPC.
Answer: B

DMS supports SSL to encrypt data in transit between endpoints.

Why this answer

Option B is correct because DMS supports SSL/TLS for encrypting data in transit between endpoints. Option A is incorrect because Direct Connect provides a private network but does not inherently encrypt traffic; SSL is still needed. Option C is incorrect because KMS encrypts at rest, not in transit.

Option D is incorrect because a VPN is not required; DMS supports SSL directly.

271
MCQ · easy

A company is using Amazon S3 to store sensitive data. The security team wants to ensure that all data is encrypted in transit between the company's on-premises data center and AWS. Which solution should be used?

A.Use an AWS Site-to-Site VPN with IPsec to encrypt traffic
B.Use AWS CloudHSM to encrypt the data in transit
C.Enable SSE-S3 on the S3 bucket
D.Use AWS KMS to encrypt the data before transmission
Answer: A

VPN provides encrypted transit.

Why this answer

An AWS Site-to-Site VPN with IPsec is the correct solution because it creates an encrypted tunnel between the on-premises data center and AWS, ensuring all data in transit is protected. IPsec operates at the network layer (Layer 3) and encrypts the entire IP packet, providing confidentiality and integrity for data moving over the public internet. This directly addresses the requirement to encrypt data in transit between the two environments.

Exam trap

The trap here is that candidates often confuse encryption at rest (SSE-S3, KMS) with encryption in transit, and assume that encrypting data before sending it (e.g., with KMS) automatically secures the transmission channel, when in fact a transport-layer encryption mechanism like IPsec or TLS is required to protect data during transit.

How to eliminate wrong answers

Option B is wrong because AWS CloudHSM is a hardware security module used for key storage and cryptographic operations, not for encrypting data in transit; it does not provide network-level encryption between on-premises and AWS. Option C is wrong because SSE-S3 (Server-Side Encryption with S3-Managed Keys) encrypts data at rest in S3, not data in transit; it has no effect on traffic between the on-premises data center and AWS. Option D is wrong because AWS KMS is a key management service that can be used to encrypt data before transmission, but it does not provide a secure tunnel or protocol-level encryption for the data in transit; the data would still be sent over the internet in an unencrypted form unless a transport encryption mechanism like TLS or IPsec is also applied.

272
MCQ · hard

A company is using AWS KMS to encrypt data in Amazon S3. The security team discovers that an S3 bucket has a bucket policy that allows s3:PutObject without requiring encryption. What is the risk?

A.The KMS key can be used by unauthorized users
B.Data can be downloaded without authentication
C.Data in transit is not encrypted
D.Data can be uploaded without encryption at rest
Answer: D

Without requiring encryption, data may be stored unencrypted.

Why this answer

Option D is correct: data can be uploaded without encryption, potentially exposing sensitive data stored unencrypted at rest. Option A is wrong because the policy concerns object uploads, not who can use the KMS key. Option B is wrong because the policy does not grant unauthenticated downloads. Option C is wrong because encryption in transit is not related.

273
MCQ · medium

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. Which policy should be attached to the KMS key to enforce this restriction?

A.KMS grant that gives the IAM role decrypt permissions for the key
B.IAM policy attached to the role that allows kms:Decrypt for the key
C.S3 bucket policy that denies decrypt unless the requester is the specific IAM role
D.KMS key policy with a condition that the principal must be the specific IAM role
Answer: D

Correct: KMS key policy can restrict decryption to a specific IAM role.

Why this answer

Option D is correct because a KMS key policy can specify which IAM roles are allowed to use the Decrypt action. Option A is wrong because KMS grants are temporary and not the best practice for permanent access control. Option B is wrong because IAM policies alone cannot restrict decryption if the key policy allows broader access. Option C is wrong because S3 bucket policies do not control KMS decryption permissions.

274
MCQ · hard

A company uses AWS KMS to encrypt EBS volumes. They want to ensure that the key used for EBS encryption is not shared across different AWS accounts. Which feature should they use?

A.Use a CloudHSM custom key store.
B.Use the key's alias to restrict access.
C.Enable automatic key rotation.
D.Configure the key policy to deny access to any principal from another AWS account.
Answer: D

Key policy can explicitly deny cross-account access.

Why this answer

Option D is correct because AWS KMS key policies can explicitly deny access to principals from other AWS accounts by using the `aws:SourceAccount` or `aws:SourceArn` condition keys, or by specifying a `Deny` statement with a condition that checks the account ID. This ensures that the KMS key used for EBS encryption cannot be used by any IAM principal or role from a different AWS account, preventing cross-account key sharing.

Exam trap

The trap here is that candidates often confuse key rotation (Option C) or aliases (Option B) with access control, or assume that CloudHSM (Option A) inherently isolates keys across accounts, when in fact only the key policy can enforce account-level restrictions.

How to eliminate wrong answers

Option A is wrong because CloudHSM custom key stores provide a hardware security module (HSM) for key storage but do not inherently restrict cross-account access; the key policy must still be configured to deny other accounts. Option B is wrong because a key's alias is simply a friendly name for the key and does not enforce any access control; aliases are not evaluated in authorization decisions. Option C is wrong because automatic key rotation only changes the cryptographic material of the key over time (typically annually) and has no effect on cross-account access permissions.

275
Multi-Select · medium

A company needs to enforce encryption in transit for all traffic between an Amazon EC2 instance and an Amazon RDS database. Which TWO steps should be taken?

Select 2 answers
A.Enable TLS on the RDS database and configure the database to require encrypted connections.
B.Configure security groups to allow traffic only on port 3306 (MySQL) or 5432 (PostgreSQL).
C.Set up a VPN connection between the EC2 instance and the RDS database.
D.Enable encryption at rest on the RDS instance.
E.Configure the application to connect using TLS/SSL.
Answers: A, E

Enforces encryption for client connections.

Why this answer

Options A and E are correct. To enforce encryption in transit, you must enable TLS on the RDS instance and require encrypted connections from the client. Option B is wrong because security group rules do not enforce encryption.

Option C is wrong because using a VPN does not enforce encryption at the database layer. Option D is wrong because enabling encryption at rest does not affect transit.

276
Multi-Select · easy

A company needs to protect data at rest in Amazon S3. Which THREE mechanisms can be used to encrypt objects stored in S3?

Select 3 answers
A.Server-Side Encryption with S3-Managed Keys (SSE-S3)
B.Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
C.Client-Side Encryption
D.Server-Side Encryption with IAM-Managed Keys (SSE-IAM)
E.Server-Side Encryption with Customer-Provided Keys (SSE-C)
Answers: A, B, E

S3-managed keys encrypt data at rest.

Why this answer

Options A, B, and E are correct. SSE-S3 (option A) encrypts with S3-managed keys. SSE-KMS (option B) uses AWS KMS keys.

SSE-C (option E) uses customer-provided keys. Option C is wrong because client-side encryption is done by the client before upload, not by S3. Option D is wrong because there is no such option as SSE-IAM.

277
MCQ · easy

A company wants to encrypt data in transit between an Application Load Balancer (ALB) and its targets. Which configuration should be used?

A.Configure the ALB with a TCP listener and use Network Load Balancer.
B.Configure the ALB with an HTTPS listener and use HTTPS as the protocol for the target group.
C.Configure the ALB security group to allow only encrypted traffic.
D.Configure the ALB with an HTTP listener and use a security group to enforce encryption.
Answer: B

HTTPS provides encryption in transit between ALB and targets.

Why this answer

Option B is correct because HTTPS listeners on the ALB can terminate TLS and optionally re-encrypt traffic to targets using HTTPS. Option A is wrong because TCP listeners do not provide encryption. Option C is wrong because a security group does not control encryption.

Option D is wrong because HTTP does not encrypt data.

278
MCQ · hard

A company is designing a data protection strategy for sensitive data stored in Amazon S3. Compliance requirements mandate that all data be encrypted at rest using customer-provided keys (SSE-C). Which solution meets the requirements with minimal operational overhead?

A.Use server-side encryption with Amazon S3 managed keys (SSE-S3) and enable bucket versioning.
B.Use client-side encryption with the AWS Encryption SDK and store keys in the application configuration.
C.Use server-side encryption with customer-provided keys (SSE-C) and store the keys in AWS Secrets Manager.
D.Use server-side encryption with AWS KMS managed keys (SSE-KMS) and enable automatic key rotation.
Answer: C

SSE-C uses customer-provided keys; storing keys in Secrets Manager adds convenience.

Why this answer

Option C is correct because S3 server-side encryption with customer-provided keys (SSE-C) allows the customer to manage encryption keys while AWS handles encryption/decryption, meeting compliance with minimal overhead. Option A is wrong because SSE-S3 uses AWS-managed keys, not customer-provided keys. Option B is wrong because client-side encryption requires managing keys outside AWS, increasing overhead.

Option D is wrong because using KMS with a customer-managed key (SSE-KMS) is not SSE-C.

279
MCQ · hard

A multinational corporation uses AWS Organizations to manage multiple accounts. The security team requires that all data in S3 buckets across all accounts be encrypted at rest using customer-managed KMS keys. They have created a Service Control Policy (SCP) to deny creation of S3 buckets without encryption. However, upon testing, they find that a user in a member account can still create an unencrypted bucket. The SCP is attached to the root organizational unit. The SCP statement is: {"Effect":"Deny","Action":"s3:CreateBucket","Resource":"*","Condition":{"Null":{"s3:x-amz-server-side-encryption":"true"}}}. What is the MOST likely reason the SCP is not working?

A.The SCP requires the member account to enable SCP enforcement.
B.The condition key s3:x-amz-server-side-encryption is incorrect; the correct key is s3:x-amz-server-side-encryption-aws-kms-key-id.
C.The SCP is not effective because IAM policies are evaluated before SCPs.
D.The SCP does not apply to the management account where the test was performed.
Answer: D

SCPs do not apply to the management account; they only apply to member accounts.

Why this answer

Option D is correct because SCPs do not affect the management account; they apply only to member accounts. Option C is wrong because SCPs are not evaluated before IAM policies; they are evaluated after but are still effective. Option B is wrong because the SCP uses the correct condition key.

Option A is wrong because SCPs do not need to be explicitly enabled by the member account; they take effect automatically when attached.

280
Multi-Select · easy

A company needs to encrypt data at rest in Amazon RDS for SQL Server. Which TWO methods can be used? (Choose two.)

Select 2 answers
A.Use a client-side encryption library.
B.Use column-level encryption with Always Encrypted.
C.Use SSL/TLS certificates to encrypt the connection.
D.Use SQL Server Transparent Data Encryption (TDE).
E.Enable encryption on the DB instance at launch time.
Answers: D, E

TDE encrypts the database files at rest.

Why this answer

Options D and E are correct. Enabling encryption at launch encrypts the entire instance, and Transparent Data Encryption (TDE) is a SQL Server feature for encrypting database files at rest. Option B is incorrect because column-level encryption is possible but not native to RDS.

Option C is incorrect because SSL/TLS encrypts data in transit, not at rest. Option A is incorrect because client-side encryption is not an RDS feature.

281
MCQ · medium

A company uses AWS Shield Advanced to protect its web application against DDoS attacks. The application runs behind an Application Load Balancer (ALB) and uses Amazon CloudFront as a CDN. The security team notices that some requests are bypassing CloudFront and hitting the ALB directly. They want to ensure that all traffic goes through CloudFront to benefit from DDoS protection and to enforce encryption in transit. The ALB has a public DNS name and is accessible from the internet. What should the security team do to restrict direct access to the ALB while allowing CloudFront traffic?

A.Use a network ACL to restrict inbound traffic to only CloudFront's IP addresses.
B.Configure CloudFront to add a custom header to requests, and configure the ALB's security group to allow traffic only from CloudFront's IP addresses and that contains the custom header.
C.Deploy AWS WAF on the ALB with a rule that blocks requests that do not originate from CloudFront.
D.Create a security group rule that allows traffic only from CloudFront's IP addresses and denies all other traffic.
Answer: B

Security groups can allow traffic based on source IP, and CloudFront provides a list of its IP addresses. Adding a custom header provides an additional layer of verification.

Why this answer

Option B is correct because CloudFront can be configured to add a custom header, and the ALB's security group can be set to allow traffic only if that header is present, preventing direct access. Option D is wrong because security groups do not support filtering by header values; they filter by IP, port, and protocol. Option A is wrong because NACLs are stateless and do not support header inspection.

Option C is wrong because WAF rules inspect HTTP requests but are not designed to block direct access at the network level; also, WAF is typically used with CloudFront or ALB, but not to enforce CloudFront-only access.

282
MCQ · medium

A company uses AWS KMS to encrypt data in Amazon RDS. The security team needs to ensure that the KMS key cannot be deleted accidentally. Which action should be taken?

A.Create an alias for the key.
B.Enable automatic key rotation.
C.Add a statement to the key policy that denies the kms:ScheduleKeyDeletion action.
D.Use a multi-Region key.
Answer: C

A key policy can explicitly deny the ability to schedule deletion, preventing accidental deletion.

Why this answer

Neither enabling key rotation nor creating an alias prevents deletion of a KMS key; both are unrelated to the deletion workflow. KMS itself only imposes a waiting period (a deletion window) once deletion has been scheduled, so that alone does not stop an accidental request from being made.

Option C is correct: to prevent accidental deletion, the key policy should include a Deny statement for kms:ScheduleKeyDeletion, so the deletion can never be scheduled in the first place. Option D is wrong because a multi-Region key does not prevent deletion either.

283
Multi-Select · hard

A company uses AWS CloudTrail to log API calls. They want to ensure that log files are encrypted at rest and that integrity is verified. Which TWO services can be used together to achieve this?

Select 2 answers
A.S3 Inventory
B.AWS CloudHSM
C.CloudTrail log file integrity validation
D.AWS KMS to encrypt the log files
E.S3 MFA Delete
Answers: C, D

Verifies that log files have not been tampered with.

Why this answer

CloudTrail log file integrity validation (option C) provides a built-in mechanism to verify that log files have not been modified, deleted, or tampered with after delivery. It uses SHA-256 hashing and digital signatures (based on RSA) to create a digest file that can be independently validated. AWS KMS (option D) allows you to encrypt CloudTrail log files at rest using server-side encryption (SSE-KMS), ensuring that the logs are stored in an encrypted format.

Together, they meet both the encryption-at-rest and integrity verification requirements.

Exam trap

The trap here is that candidates often confuse AWS CloudHSM with AWS KMS, thinking CloudHSM can directly encrypt CloudTrail logs, but CloudTrail only supports encryption via S3-managed keys (SSE-S3) or KMS keys (SSE-KMS), not CloudHSM, and integrity validation is a separate built-in feature of CloudTrail itself.

284
MCQ · easy

A company needs to ensure that data in transit between an on-premises data center and Amazon S3 is encrypted. The data will be transferred using HTTPS. What additional step should be taken to ensure the encryption is enforced?

A.Use AWS KMS to require encryption in transit
B.Enable S3 Transfer Acceleration
C.Add a bucket policy that denies requests where aws:SecureTransport is false
D.Use Amazon CloudFront with HTTPS only
Answer: C

Correct: This enforces HTTPS for all requests to the bucket.

Why this answer

Option C is correct because an S3 bucket policy with a condition that denies requests not using aws:SecureTransport ensures HTTPS is enforced. Option D is wrong because CloudFront enforces HTTPS but does not replace bucket policy enforcement. Option A is wrong because AWS KMS does not enforce HTTPS.

Option B is wrong because S3 Transfer Acceleration speeds up transfers but does not enforce encryption.

285
MCQ · hard

A company needs to ensure that data in Amazon S3 is encrypted at rest using envelope encryption. The company wants to rotate the encryption key every 90 days. Which solution meets these requirements with minimal operational overhead?

A.Use SSE-KMS with AWS managed key
B.Use SSE-S3 and enable automatic key rotation
C.Use SSE-C and rotate the customer-provided key every 90 days
D.Use SSE-KMS with a customer managed key and enable automatic key rotation
Answer: D

KMS can automatically rotate customer managed keys annually; for 90-day rotation, manual rotation is needed but still minimal overhead.

Why this answer

Option D is correct because SSE-KMS with a customer managed key (CMK) supports automatic key rotation, which can be configured to rotate the CMK every 90 days (or any custom period between 90 days and 7 years). This satisfies the envelope encryption requirement (SSE-KMS uses envelope encryption by default, where a CMK encrypts a data key that encrypts the S3 object) and the 90-day rotation requirement with minimal operational overhead, as AWS handles the rotation automatically.

Exam trap

The trap here is that candidates confuse AWS managed keys (which have a fixed 365-day rotation) with customer managed keys (which allow custom rotation periods), leading them to incorrectly choose Option A.

How to eliminate wrong answers

Option A is wrong because AWS managed keys (aws/s3) have a mandatory automatic rotation period of 365 days (1 year), not 90 days, and the rotation schedule cannot be customized. Option B is wrong because SSE-S3 uses Amazon S3-managed keys, which does not support envelope encryption; it uses a single key for encryption and does not provide customer-controlled key rotation. Option C is wrong because SSE-C requires the customer to provide and manage their own encryption keys, including manual rotation every 90 days, which introduces significant operational overhead compared to the automated rotation in Option D.

286
MCQ · easy

A company needs to protect data at rest on Amazon EBS volumes attached to EC2 instances. Which solution provides the most control over the encryption keys?

A.Use a customer managed KMS key with EBS encryption.
B.Encrypt data using client-side encryption before writing to EBS.
C.Use an AWS managed KMS key for EBS encryption.
D.Enable EBS encryption by default in the account.
Answer: A

Customer managed keys give full control over key lifecycle and permissions.

Why this answer

Option A is correct because using a customer managed KMS key allows the customer to control key rotation, policies, and access. Option C is wrong because AWS managed keys do not allow customer control. Option D is wrong because EBS encryption by default uses AWS managed keys unless a customer managed key is specified.

Option B is wrong because client-side encryption would require application changes.

287
Multi-Select · medium

A company uses AWS KMS to encrypt data in Amazon RDS. The security team wants to ensure that the KMS key can be used only by specific IAM roles and that all usage of the key is logged. Which TWO actions should the team take?

Select 2 answers
A.Apply an S3 bucket policy to the RDS automated backup bucket
B.Enable automatic key rotation
C.Enable AWS CloudTrail to log KMS API calls
D.Modify the key policy to grant kms:Encrypt and kms:Decrypt only to the required IAM roles
E.Create a cross-account key policy to allow all IAM roles in the account
Answers: C, D

CloudTrail logs usage.

Why this answer

To restrict key usage, use a key policy that allows only specific IAM roles. To log usage, enable CloudTrail logging. Options C and D are correct.

Option B is incorrect because enabling key rotation does not control access. Option E is incorrect because cross-account access is not needed. Option A is incorrect because S3 bucket policies do not control KMS key usage.

288
MCQ · easy

A company is using AWS KMS to encrypt sensitive data in Amazon DynamoDB. The security team wants to ensure that the KMS key can only be used from within the company's VPC and not from the internet. The VPC has an interface VPC endpoint for KMS. What should the security team do to enforce this restriction?

A.Make the KMS key Regional and disable cross-Region access
B.Use security group rules to restrict access to the KMS endpoint
C.Create an S3 bucket policy that restricts access to the KMS key
D.Attach a VPC endpoint policy that denies access from outside the VPC
Answer: D

VPC endpoint policies control access to KMS through the endpoint.

Why this answer

Option D is correct because attaching a policy to the VPC endpoint that denies access from outside the VPC restricts usage. Option C is wrong because a bucket policy is for S3, not KMS. Option B is wrong because security group rules do not apply to KMS operations; they apply to network traffic.

Option A is wrong because making the key Regional does not restrict network access.

289
MCQ · medium

A company stores sensitive data in an Amazon S3 bucket. They want to ensure that data is encrypted in transit when accessed from the internet. Which policy should they attach to the bucket?

A.{"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/*", "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpc-12345"}}}
B.{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
C.{"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::bucket/*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
D.{"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/*", "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}}
Answer: C

Denies all requests that are not over HTTPS.

Why this answer

Option C is correct because it uses a Deny effect with the aws:SecureTransport condition set to 'false', which explicitly blocks any request that does not use HTTPS/TLS. This ensures that all S3 operations (s3:*) on the bucket objects require encryption in transit, as any HTTP request will be denied. The Deny effect overrides any Allow, making this a robust policy to enforce encrypted access from the internet.

Exam trap

The trap here is that candidates often choose an Allow policy (like Option B) thinking it will permit only encrypted traffic, but they forget that an Allow with a condition does not block unencrypted requests—only a Deny can explicitly block them, and the condition must be inverted (e.g., 'false' to block HTTP).

How to eliminate wrong answers

Option A is wrong because it restricts access based on the source VPC (aws:SourceVpc), which controls network origin but does not enforce encryption in transit; requests from outside the VPC could still use HTTP. Option B is wrong because it uses an Allow effect with aws:SecureTransport set to 'false', which would allow only unencrypted requests (the opposite of the requirement) and, being an Allow statement, denies nothing. Option D is wrong because it denies requests from all IP addresses (0.0.0.0/0), which would block all internet traffic regardless of encryption, rather than selectively enforcing HTTPS.

290
MCQ · easy

A company wants to protect data stored in Amazon S3 by encrypting it at rest using keys managed by the company. Which encryption option should be used?

A.SSE-KMS
B.SSE-C
C.Client-side encryption
D.SSE-S3
Answer: B

Correct: SSE-C allows the customer to provide their own encryption keys.

Why this answer

Option B is correct because SSE-C allows the customer to provide and manage their own encryption keys. Option D is wrong because SSE-S3 uses AWS-managed keys. Option A is wrong because SSE-KMS uses AWS KMS managed keys.

Option C is wrong because client-side encryption is not an S3 server-side encryption option.

291
MCQ · medium

A company is using Amazon S3 to store sensitive documents. The security team has implemented a bucket policy that denies access unless the request uses HTTPS. However, a security audit reveals that some objects were accessed over HTTP. The bucket policy is as follows: {"Effect":"Deny","Principal":"*","Action":"s3:*","Resource":"arn:aws:s3:::example-bucket/*","Condition":{"Bool":{"aws:SecureTransport":"false"}}}. The team also enabled S3 Block Public Access at the account level. What is the MOST likely reason that HTTP access was still possible?

A.S3 Block Public Access only blocks public access, not all HTTP access.
B.The requests were made through an S3 Access Point that has its own policy allowing HTTP.
C.The requests were made using pre-signed URLs that bypass bucket policies.
D.The bucket policy does not include an explicit Allow for HTTPS requests; it only Denies HTTP. Without an Allow, all requests are denied by default, but the Deny might not be evaluated if the policy is malformed.
Answer: D

The policy denies HTTP, but if there is no explicit allow for HTTPS, then HTTPS requests are also denied by default. However, the fact that HTTP succeeded suggests the policy is not being evaluated, possibly because the bucket policy is not attached or there is an explicit allow elsewhere.

Why this answer

Option D is correct. The bucket policy denies access when aws:SecureTransport is false, but if the bucket policy neither explicitly allows nor denies a request, the default is to allow it (if the user has IAM permissions). As written, however, the policy should deny HTTP requests.

The most likely issue is that the policy is missing a separate Allow statement for HTTPS access; otherwise, all requests are denied by default. But the question says HTTP access succeeded, so another possibility is that the policy was not applied correctly.

Option A is wrong because Block Public Access affects public access, not all HTTP access. Option C is wrong because pre-signed URLs can use HTTP, but the policy should still deny them. Option B is wrong because S3 Access Points can bypass bucket policies if not configured.

292
MCQ · easy

A company is using Amazon S3 to store confidential documents. They want to ensure that all data is encrypted in transit between the S3 bucket and their on-premises application. Which of the following should be enforced?

A.Add a bucket policy that denies access unless 'aws:SecureTransport' is true.
B.Use Amazon CloudFront with a custom origin pointing to the S3 bucket.
C.Use a VPC endpoint for S3.
D.Enable default encryption (SSE-S3) on the bucket.
Answer: A

This enforces HTTPS for all requests to the bucket.

Why this answer

Option A is correct because the 'aws:SecureTransport' condition in a bucket policy enforces HTTPS for all requests. Option D is wrong because SSE only encrypts data at rest. Option C is wrong because S3 VPC endpoints use HTTPS by default, but it is not enforced.

Option B is wrong because CloudFront does not enforce encryption to the origin.

293
MCQ · hard

A company uses Amazon S3 to store sensitive documents. The security engineer notices that an S3 bucket named 'documents-prod' has been configured with a bucket policy that allows s3:PutObject from any principal, but only if the request includes the x-amz-server-side-encryption header set to 'AES256'. The company's security policy requires that all objects be encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). The engineer needs to ensure that any new objects uploaded to the bucket are encrypted with SSE-KMS, and that existing objects remain accessible. What should the engineer do?

A.Create a new bucket with a bucket policy that requires SSE-KMS, and migrate all objects using S3 Batch Operations
B.Modify the bucket's default encryption configuration to use SSE-KMS
C.Update the bucket policy to require the x-amz-server-side-encryption header set to 'aws:kms' and specify the desired KMS key ARN
D.Enable S3 Object Lock on the bucket to prevent overwrites, and use a lifecycle policy to expire objects that are not encrypted with SSE-KMS
Answer: C

This will enforce SSE-KMS for new uploads; existing objects are still valid.

Why this answer

Option C is correct because adding a condition for KMS encryption to the bucket policy will enforce SSE-KMS for future uploads, and existing objects remain decryptable.

Option B is wrong because changing the default encryption configuration does not enforce the policy; it only affects future uploads via a specific encryption key, not the enforcement, and it ignores existing objects.

294
MCQ · hard

A company is designing a data protection strategy for an Amazon RDS for MySQL database. The database is 2 TB in size and stores financial data. The compliance team requires that database snapshots be encrypted at rest and that encryption keys be rotated every year. Which solution meets these requirements with the LEAST operational overhead?

A.Copy each snapshot to a new snapshot encrypted with a new KMS key
B.Export snapshots to S3 and use S3 Batch Operations to re-encrypt them
C.Use a different KMS key for each snapshot and rotate the key manually
D.Enable automatic key rotation in AWS KMS for the KMS key used for RDS encryption
Answer: D

Automatic rotation meets requirement with minimal overhead.

Why this answer

Option D is correct because enabling automatic key rotation in KMS rotates the backing key once a year, and snapshots are encrypted with that key. Option B is wrong because manual snapshot export is complex. Option C is wrong because separate keys for each snapshot add overhead.

Option A is wrong because copying snapshots with a new key is manual and time-consuming.

295
MCQ · easy

A company stores sensitive customer data in an S3 bucket. The security team requires that all data be encrypted at rest using a customer-managed KMS key. What should the team configure to enforce this requirement?

A.Add a bucket policy that denies s3:PutObject unless the request includes the x-amz-server-side-encryption-aws:kms header.
B.Enable S3 Block Public Access.
C.Configure S3 Object Lock to require encryption.
D.Enable default encryption on the S3 bucket with AES-256.
Answer: A

This policy condition enforces that all uploads use SSE-KMS.

Why this answer

Option A is correct because using a bucket policy that denies PutObject if the request does not include the correct encryption header (aws:kms) ensures that any upload without KMS encryption is denied. Option D is wrong because enabling default encryption does not prevent unencrypted uploads; it applies encryption server-side but still allows uploads without explicit encryption headers. Option C is wrong because S3 Object Lock is for write-once-read-many protection, not encryption enforcement.

Option B is wrong because enabling S3 Block Public Access does not enforce encryption.

296
MCQ · hard

A company is using AWS KMS with a customer managed key for encrypting EBS volumes. The security team wants to ensure that only specific IAM roles can use the key for encryption and decryption. What is the best way to achieve this?

A.Attach a resource-based policy (key policy) to the KMS key that allows the specific IAM roles.
B.Create a KMS grant that allows the roles to use the key.
C.Use an SCP to allow only those roles to use the key.
D.Use an IAM policy that grants kms:Encrypt and kms:Decrypt to the roles, and ensure the key policy enables IAM policy access.
Answer: A

A key policy can directly specify the roles as principals.

Why this answer

Option A is correct because KMS key policies can specify IAM roles (or role ARNs) as principals. Option D is incorrect because IAM policies alone are not sufficient if the key policy does not grant access; the key policy must allow IAM policies. Option C is incorrect because attaching a policy to the key directly is the recommended approach.

Option B is incorrect because grants are for specific operations, not for broad role-based access.

297
MCQ · medium

A company has a requirement to automatically rotate encryption keys for Amazon EBS volumes every 90 days. The EBS volumes are encrypted using AWS KMS. What is the simplest way to meet this requirement?

A.Use AWS Secrets Manager to rotate the KMS key automatically.
B.Create a new KMS key every 90 days and re-encrypt volumes using a script.
C.Switch to client-side encryption and rotate keys manually.
D.Enable automatic key rotation on the existing KMS key.
Answer: B

Manual rotation with new key meets 90-day requirement.

Why this answer

Option B is correct because automatic key rotation in KMS rotates the backing key annually, so for 90-day rotation you must create a new key and update the volumes. Option D is wrong because KMS automatic rotation is yearly. Options A and C are wrong because manual rotation by creating a new key and updating the volumes is what is required.

Note that you cannot change the key on existing volumes without a snapshot and restore.

298
Multi-Select · hard

A company is designing a disaster recovery plan for encrypted Amazon EBS volumes. Which THREE steps are required to ensure that encrypted EBS snapshots can be restored in a different AWS Region?

Select 3 answers
A.Re-encrypt the snapshot with a customer managed key (CMK) in the target region
B.Copy the encrypted snapshot to the target AWS Region
C.Store the encryption key in AWS CloudHSM in the target region
D.Ensure the CMK used for encryption is available in the target region
E.Share the snapshot with the target region using AWS RAM
Answers: A, B, D

Required for cross-region encryption.

Why this answer

Options A, B, and D are correct. The snapshot must be copied to the target Region, re-encrypted with a CMK in that Region, and the CMK must be accessible there. Option C is wrong because EBS encryption uses KMS, not CloudHSM.

Option E is wrong because the snapshot must be shared, but sharing alone does not ensure encryption.

299
Multi-Select · hard

Which THREE of the following are valid key management features of AWS KMS? (Choose THREE.)

Select 3 answers
A.Importing key material
B.Key policies
C.SSL certificate management
D.Password generation
E.Automatic key rotation
Answers: A, B, E

KMS supports importing key material for customer managed keys.

Why this answer

AWS KMS allows you to import your own key material (BYOK) for use with KMS keys, which is a valid key management feature. This is done via the 'ImportKeyMaterial' API, enabling you to create a KMS key with no key material and then upload your own symmetric key material. This feature is essential for meeting compliance requirements that mandate control over the key material lifecycle.

Exam trap

The trap here is that candidates may confuse KMS's key management capabilities with other AWS security services, mistakenly thinking KMS handles SSL certificates or password generation, when in reality those are separate services with distinct purposes.

300
Multi-Select · hard

Which THREE actions are required to enforce encryption in transit for an Amazon S3 bucket? (Choose 3.)

Select 3 answers
A.Add a bucket policy that denies requests with aws:SecureTransport set to false.
B.Ensure that the bucket policy does not have any Allow effect with aws:SecureTransport false.
C.Use HTTPS when accessing the bucket.
D.Enable default encryption on the bucket.
E.Use an IAM policy to restrict access to the bucket.
Answers: A, B, C

Denies HTTP requests.

Why this answer

Option A is correct because adding a bucket policy that denies requests with `aws:SecureTransport` set to `false` explicitly blocks any HTTP (non-HTTPS) requests to the S3 bucket. This condition key evaluates the transport protocol used for the request, and when set to deny, it ensures that only encrypted connections (HTTPS) are allowed, enforcing encryption in transit.

Exam trap

The trap here is that candidates often confuse encryption in transit with encryption at rest, selecting 'Enable default encryption on the bucket' (Option D) thinking it secures data during transfer, when it only applies server-side encryption for stored objects.
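The following evaluator is an added example, not part of the question bank: it runs the four candidate policies of question 289 and the SSE-KMS PutObject condition of questions 293 and 295 through the Deny-overrides-Allow logic that questions 289, 291 and 300 rely on. It also shows a point those questions do not spell out: a StringNotEquals Deny never matches a request that omits the header, which is what a Null condition, like the one in question 279's SCP, is for. The client IP and policies' Principal/Resource handling are assumptions of the example.

```python
"""Mini evaluator for the S3 bucket-policy statements discussed above.
Added example for this page, not an AWS library. It models only the IAM semantics the
questions rely on: an explicit Deny overrides any Allow, and a condition key absent
from the request context matches nothing except a Null test.
"""
import ipaddress

# Request contexts as S3 would populate them for an anonymous internet client.
# The client IP is a constructed sample value.
HTTP_GET = {"action": "s3:GetObject", "aws:SecureTransport": "false",
            "aws:SourceIp": "203.0.113.10"}
HTTPS_GET = {**HTTP_GET, "aws:SecureTransport": "true"}

# The four candidate policies of question 289. Principal and Resource are omitted;
# the evaluator assumes both already match the request.
CANDIDATES_289 = {
    "A": {"Effect": "Deny", "Action": "s3:GetObject",
          "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpc-12345"}}},
    "B": {"Effect": "Allow", "Action": "s3:GetObject",
          "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    "C": {"Effect": "Deny", "Action": "s3:*",
          "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    "D": {"Effect": "Deny", "Action": "s3:GetObject",
          "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}},
}

def condition_matches(operator, key, expected, ctx):
    """Evaluate one condition entry against the request context."""
    present = key in ctx
    if operator == "Null":
        # Null:true matches when the key is absent, Null:false when it is present.
        return present != (expected == "true")
    if not present:
        return False  # every other operator fails on a missing key
    actual = ctx[key]
    if operator == "Bool":
        return actual.lower() == expected.lower()
    if operator == "StringNotEquals":
        return actual != expected
    if operator == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
    raise ValueError(f"operator {operator} not modelled")

def statement_applies(stmt, ctx):
    """True when the statement's Action and every Condition match the request."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(a in ("s3:*", ctx["action"]) for a in actions):
        return False
    return all(condition_matches(op, key, expected, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, expected in pairs.items())

def evaluate(policy, ctx):
    """'DENY' on an explicit Deny, 'ALLOW' on a matching Allow, else 'IMPLICIT_DENY':
    the bucket policy alone grants nothing, but a same-account IAM policy still can."""
    statements = policy if isinstance(policy, list) else [policy]
    applicable = [s for s in statements if statement_applies(s, ctx)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "DENY"
    if any(s["Effect"] == "Allow" for s in applicable):
        return "ALLOW"
    return "IMPLICIT_DENY"

def secure_transport_results():
    """Map each option of question 289 to its (HTTP, HTTPS) outcome. Only C blocks
    HTTP while leaving HTTPS alone; A never matches an internet request because
    aws:SourceVpc is absent; B, an Allow, blocks nothing; D blocks everything."""
    return {opt: (evaluate(p, HTTP_GET), evaluate(p, HTTPS_GET))
            for opt, p in CANDIDATES_289.items()}

def sse_kms_enforcement(with_null_guard):
    """Outcome of an SSE-KMS-only PutObject Deny (questions 293 and 295) for uploads
    with the right header, the wrong header, and no header. StringNotEquals cannot
    match an absent header, so a second Deny with the Null operator closes that gap."""
    policy = [{"Effect": "Deny", "Action": "s3:PutObject", "Condition":
               {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]
    if with_null_guard:
        policy.append({"Effect": "Deny", "Action": "s3:PutObject", "Condition":
                       {"Null": {"s3:x-amz-server-side-encryption": "true"}}})
    base = {"action": "s3:PutObject", "aws:SecureTransport": "true"}
    return {"aws:kms": evaluate(policy, {**base, "s3:x-amz-server-side-encryption": "aws:kms"}),
            "AES256": evaluate(policy, {**base, "s3:x-amz-server-side-encryption": "AES256"}),
            "no header": evaluate(policy, base)}

if __name__ == "__main__":
    for opt, (http, https) in secure_transport_results().items():
        print(f"289 option {opt}: HTTP={http:<13} HTTPS={https}")
    print("SSE-KMS Deny alone:", sse_kms_enforcement(False))
    print("SSE-KMS Deny + Null guard:", sse_kms_enforcement(True))
```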
