AWS Certified Data Engineer - Associate · Difficulty

Hard DEA-C01 practice questions

Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 15 hard questions available — no sign-up, always free.

Question 1 of 15

A data engineer runs a Glue Spark ETL job that processes a few large, unsplittable gzip files. The job takes several hours and often finishes with the maximum number of DPUs allocated, yet costs are high. In the Glue job metrics (CloudWatch), the engineer observes that only one or two executors show high CPU while glue.driver.aggregate.numCompletedStages stays low and most executors show near-zero activity for long stretches. What is the MOST likely cause and the best corrective action?

Reviewed for accuracy · Report an issue
Question 2 of 15

A data engineer runs a nightly AWS Glue Spark ETL job that has recently started failing after processing about 80% of its input. The CloudWatch job metrics show glue.driver.jvm.heap.usage climbing steadily toward 1.0 and glue.ExecutorAllocationManager.executors.numberMaxNeededExecutors well above the number of allocated executors, while glue.driver.aggregate.shuffleBytesWritten is very high. The job code performs a large groupBy followed by a collect() to build a lookup dictionary on the driver. What is the MOST likely root cause and appropriate fix?

Reviewed for accuracy · Report an issue
Question 3 of 15

A retail company ingests clickstream events into an Amazon Kinesis Data Stream. A data engineer must build a pipeline that continuously reads the stream, removes duplicate events that arrive within a short window (caused by client retries), enriches each event with product metadata stored in a small Amazon DynamoDB table, and writes the results to Amazon S3 in Parquet format for analytics. The solution must be serverless and minimize operational overhead. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 4 of 15

A financial services company allows senior data engineers to create IAM roles for their own Glue jobs and Lambda functions. The security team is concerned that engineers could create roles with broader permissions than intended (for example, granting full S3 or KMS access to production buckets). The team wants to guarantee that any role an engineer creates can never exceed a defined maximum set of permissions, regardless of the policies the engineer attaches. Which approach meets this requirement?

Reviewed for accuracy · Report an issue
Question 5 of 15

A company processes clickstream events using a Kinesis Data Streams stream consumed by an application built with the Kinesis Client Library (KCL) running on EC2 instances. During a deployment, several EC2 instances were terminated mid-batch and the application restarted. The team notices that some records were processed more than once, causing duplicate rows in the downstream analytics database. The team wants to reduce duplicate processing caused by consumer restarts while keeping the KCL-based architecture. What is the MOST appropriate action?

Reviewed for accuracy · Report an issue
Question 6 of 15

A data engineering team runs a Glue ETL job under an IAM role that must decrypt objects in an S3 bucket encrypted with a customer managed KMS key. The KMS key is owned by a separate security team who manages the key policy centrally and refuses to add every new consumer role directly into the key policy. The security team wants to allow the Glue role to perform decrypt operations while retaining full control over the key and enabling the permission to be revoked programmatically at any time without editing the key policy. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 7 of 15

A data engineer registers a new S3 data lake location with AWS Lake Formation and creates several databases and tables in the Glue Data Catalog. The team wants Lake Formation permissions to be the sole mechanism controlling access to these tables. However, after granting fine-grained SELECT permissions to specific analyst roles, they discover that IAM principals with broad Glue and S3 permissions can still access the tables directly. What is the root cause and correct fix?

Reviewed for accuracy · Report an issue
Question 8 of 15

A data engineer grants a data analyst SELECT permission on a Glue Data Catalog table using AWS Lake Formation. The underlying data is stored in an S3 location that Lake Formation manages (the S3 location is registered with Lake Formation). When the analyst runs an Athena query against the table, the query fails with an access-denied error on the S3 objects, even though Lake Formation shows the SELECT grant. The analyst's IAM role has no direct S3 bucket policy or IAM permission granting access to the S3 path. What is the correct explanation and fix?

Reviewed for accuracy · Report an issue
Question 9 of 15

A data engineering team is adopting AWS Lake Formation to govern a data lake stored in Amazon S3. The team's Glue ETL jobs run under an IAM role that already has S3 bucket permissions granted through IAM policies, but analysts querying the same tables through Athena report 'Insufficient Lake Formation permission' errors even though they have been granted SELECT via Lake Formation. What must the team do so that Lake Formation permissions are actually enforced and honored for the S3 data location?

Reviewed for accuracy · Report an issue
Question 10 of 15

A data engineering team has been managing access to their S3-based data lake entirely through IAM policies and S3 bucket policies. As the number of analysts and Glue Data Catalog tables grows, they want to centralize fine-grained (database, table, and column-level) permissions and maintain a single audit trail of who granted access to what. They enable AWS Lake Formation and register the S3 location. However, after granting a data analyst SELECT on a specific table through Lake Formation, the analyst can still query all tables in the S3 location via Athena. What is the MOST likely cause?

Reviewed for accuracy · Report an issue
Question 11 of 15

A data engineering team ingests order events into Amazon MSK using Kafka Connect with a source connector, and serializes messages in Avro using AWS Glue Schema Registry. Downstream consumers include a long-running Flink application that cannot be redeployed frequently. Product teams will soon add several new optional fields to the order event schema. The team must ensure that existing consumers continue reading messages without deserialization failures after producers begin sending the new schema version. Which schema compatibility setting should the team configure in the Glue Schema Registry?

Reviewed for accuracy · Report an issue
Question 12 of 15

A data engineering team runs a nightly Glue ETL job that writes curated sales data to Amazon S3, cataloged in the Glue Data Catalog. Business analysts consume this data through an Amazon QuickSight dashboard built on a direct Athena query dataset (not SPICE). After a recent change, analysts report that the dashboard sometimes shows partial data for the current day, appearing before the nightly job completes. The team wants QuickSight to reliably reflect only fully processed data and to refresh automatically once each night's ETL finishes. Which approach best meets this requirement?

Reviewed for accuracy · Report an issue
Question 13 of 15

A data engineering team is designing a Redshift data warehouse for retail sales analytics. The fact table (sales_transactions) contains over 5 billion rows and grows daily. It is frequently joined against several small dimension tables: dim_store (500 rows), dim_product (50,000 rows), and dim_date (10,000 rows). Queries commonly aggregate sales measures grouped by store, product category, and date. The team wants to minimize data redistribution during joins while keeping large fact data evenly spread across compute node slices. Which distribution strategy should they apply?

Reviewed for accuracy · Report an issue
Question 14 of 15

A data engineering team stores curated datasets in an S3 data lake organized by department prefixes (e.g., s3://corp-lake/finance/, s3://corp-lake/marketing/). The company has thousands of employees synchronized from an external corporate identity provider into IAM Identity Center. Business analysts should be granted read access to only their department's prefix, and access should map directly to their corporate directory group membership. The current approach of editing a single S3 bucket policy has grown unmanageable and is approaching the bucket policy size limit. Which solution provides scalable, identity-based access mapping with the LEAST ongoing policy maintenance?

Reviewed for accuracy · Report an issue
Question 15 of 15

A data engineering team is building an orchestration layer for a high-volume event pipeline. For each incoming clickstream event, a short-lived workflow validates the payload, invokes a Lambda function for enrichment, and writes the result to a Kinesis Data Stream. The pipeline must handle roughly 50,000 workflow executions per second, each completing in under 3 seconds, and the team wants the lowest possible cost while requiring at-least-once execution semantics. Which AWS Step Functions configuration best meets these requirements?

Reviewed for accuracy · Report an issue