AWS Certified Data Engineer - Associate · Domain 4 · 18% of exam

Data Security and Governance

Drill 20 practice questions focused entirely on Data Security and Governance for the AWS DEA-C01 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A data engineering team runs ad hoc Athena queries against a data lake containing regulated financial data. A compliance requirement states that all Athena query result sets written to Amazon S3 must be encrypted with a customer-managed KMS key, and this encryption must be enforced consistently for every analyst regardless of individual query settings. What is the most effective way to satisfy this requirement?

Reviewed for accuracy · Report an issue
Question 2 of 20

A financial services company must produce an audit trail showing every individual GetObject and PutObject API call made against a specific S3 bucket that stores regulated customer data. Their existing CloudTrail trail already captures management events across all regions, but auditors report they cannot see object-level read and write activity for the bucket. What is the most appropriate way to meet this requirement?

Reviewed for accuracy · Report an issue
Question 3 of 20

A financial services company runs a data lake on Amazon S3 governed by AWS Lake Formation, with the Glue Data Catalog holding table definitions. Compliance auditors require a complete, queryable record of every user and role that has read specific sensitive tables, including which columns were accessed and when. The data engineering team needs to enable this auditing with the least custom development. Which approach satisfies the requirement?

Reviewed for accuracy · Report an issue
Question 4 of 20

A data engineering team stores JDBC connection definitions in the AWS Glue Data Catalog to allow Glue jobs to reach an on-premises database. A security audit requires that the database credentials embedded in these connections not be stored in plaintext within Glue, and that any encryption keys be centrally managed and auditable. Which action best satisfies this requirement?

Reviewed for accuracy · Report an issue
Question 5 of 20

A company runs a central Glue Data Catalog in a shared services account. A data science team in a separate AWS account needs to run Athena queries against several databases and tables registered in that central catalog. The security team requires that access be granted at the Data Catalog level without duplicating table definitions and without using Lake Formation. Which approach should the data engineer implement to enable the cross-account access?

Reviewed for accuracy · Report an issue
Question 6 of 20

A financial services company allows senior data engineers to create IAM roles for their own Glue jobs and Lambda functions. The security team is concerned that engineers could create roles with broader permissions than intended (for example, granting full S3 or KMS access to production buckets). The team wants to guarantee that any role an engineer creates can never exceed a defined maximum set of permissions, regardless of the policies the engineer attaches. Which approach meets this requirement?

Reviewed for accuracy · Report an issue
Question 7 of 20

A data engineering team runs a pipeline that streams financial transaction records from an on-premises system into an Amazon Kinesis Data Stream, then delivers them to Amazon S3 via Amazon Data Firehose. Compliance requires that the data be encrypted both in transit and at rest throughout the pipeline, and that all encryption keys be centrally managed and auditable. Which combination of measures satisfies these requirements with the least custom code?

Reviewed for accuracy · Report an issue
Question 8 of 20

A data engineering team runs a Glue ETL job under an IAM role that must decrypt objects in an S3 bucket encrypted with a customer managed KMS key. The KMS key is owned by a separate security team who manages the key policy centrally and refuses to add every new consumer role directly into the key policy. The security team wants to allow the Glue role to perform decrypt operations while retaining full control over the key and enabling the permission to be revoked programmatically at any time without editing the key policy. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 9 of 20

A data engineering team ingests customer records into an S3-based data lake. A compliance auditor requires that the data be protected both while moving between the on-premises source and AWS, and while stored in S3, using customer-managed keys where feasible. The team currently uploads files over the public internet using the AWS CLI with default S3 settings. Which combination of actions BEST satisfies both the in-transit and at-rest encryption requirements?

Reviewed for accuracy · Report an issue
Question 10 of 20

A data engineering team in Account A runs a Glue job that must read Parquet files stored in an S3 bucket owned by Account B. The objects in Account B are encrypted with a customer-managed KMS key (also in Account B). The bucket policy already grants Account A's Glue role s3:GetObject. However, the Glue job fails with an AccessDenied error when attempting to decrypt objects. What is the MOST appropriate action to resolve this while following least-privilege principles?

Reviewed for accuracy · Report an issue
Question 11 of 20

A data engineering team stores sensitive customer records in an S3 bucket encrypted with a customer managed AWS KMS key (SSE-KMS). A new compliance mandate requires that the encryption key material be rotated automatically every year and that all decryption operations against the key be logged for audit purposes. The team must implement this with the least operational overhead. Which combination of actions meets these requirements?

Reviewed for accuracy · Report an issue
Question 12 of 20

A data engineering team stores encrypted datasets in an S3 bucket in us-east-1 using SSE-KMS with a customer managed key. To meet disaster recovery requirements, they configure S3 Cross-Region Replication to a destination bucket in eu-west-1. After enabling replication, they notice that objects encrypted with the customer managed key fail to replicate, while unencrypted objects replicate successfully. What must the team do to enable replication of the KMS-encrypted objects?

Reviewed for accuracy · Report an issue
Question 13 of 20

A data engineering team manages a central data lake in a producer AWS account, governed by AWS Lake Formation with the Glue Data Catalog. An analytics team in a separate consumer AWS account needs read access to a specific database and several tables in the producer's catalog. The producer team wants to grant access without copying data and while retaining fine-grained control over which tables the consumer can query. What is the recommended approach to enable this cross-account access?

Reviewed for accuracy · Report an issue
Question 14 of 20

A healthcare company stores patient records in an S3 data lake governed by AWS Lake Formation and cataloged in the Glue Data Catalog. Analysts in the research team must be able to query the patients table, but they should only see rows where the consent_flag column equals 'true', and they must not see the ssn or full_name columns. Compliance requires that this restriction be enforced centrally without duplicating or transforming the underlying data. What is the MOST efficient way to meet these requirements?

Reviewed for accuracy · Report an issue
Question 15 of 20

A data engineering team manages a data lake where table metadata is stored in the AWS Glue Data Catalog and underlying files reside in an S3 bucket. They have enabled Lake Formation and granted a business analyst SELECT permission on a specific table through Lake Formation. However, the analyst still cannot query the table in Amazon Athena and receives an access denied error. Upon investigation, the engineer finds that the analyst's IAM identity has no S3 permissions and no Glue permissions attached directly. What is the MOST likely cause of the access failure?

Reviewed for accuracy · Report an issue
Question 16 of 20

A data engineer uses AWS Lake Formation with tag-based access control (LF-TBAC). They assign the LF-Tag 'Classification=Confidential' to a database named 'finance_db'. The database contains 40 tables, none of which have any LF-Tags directly assigned to them. An analyst is granted SELECT permission on resources matching the LF-Tag expression 'Classification=Confidential'. What access will the analyst have to the tables in 'finance_db'?

Reviewed for accuracy · Report an issue
Question 17 of 20

A data engineering team manages a data lake registered with AWS Lake Formation. A compliance auditor needs a complete, centralized record of every principal that has queried or accessed data lake tables and columns over the past 90 days, including which specific columns were read. The team wants to enable this auditing with minimal custom development. Which approach meets the requirement?

Reviewed for accuracy · Report an issue
Question 18 of 20

A data engineer registers a new S3 data lake location with AWS Lake Formation and creates several databases and tables in the Glue Data Catalog. The team wants Lake Formation permissions to be the sole mechanism controlling access to these tables. However, after granting fine-grained SELECT permissions to specific analyst roles, they discover that IAM principals with broad Glue and S3 permissions can still access the tables directly. What is the root cause and correct fix?

Reviewed for accuracy · Report an issue
Question 19 of 20

A data engineering team manages a central data lake registered in AWS Lake Formation. A compliance auditor needs read-only access to the customer_transactions table, but must NOT be able to see the ssn or credit_card_number columns. The team wants a solution that avoids creating duplicate masked tables and can be reused for other auditors added later. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 20 of 20

A data engineer grants a data analyst SELECT permission on a Glue Data Catalog table using AWS Lake Formation. The underlying data is stored in an S3 location that Lake Formation manages (the S3 location is registered with Lake Formation). When the analyst runs an Athena query against the table, the query fails with an access-denied error on the S3 objects, even though Lake Formation shows the SELECT grant. The analyst's IAM role has no direct S3 bucket policy or IAM permission granting access to the S3 path. What is the correct explanation and fix?

Reviewed for accuracy · Report an issue

More DEA-C01 practice

Keep going with the other AWS Certified Data Engineer - Associate domains, or take a full timed mock exam.

← Back to DEA-C01 overview