AWS Certified Security - Specialty · Domain 5 · 18% of exam

Data Protection

Drill 20 practice questions focused entirely on Data Protection for the AWS SCS-C02 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A security team runs a public-facing web application behind an Application Load Balancer (ALB) that terminates TLS using a certificate provisioned by AWS Certificate Manager (ACM). A PCI DSS audit requires that the application no longer negotiate TLS 1.0 or TLS 1.1 and must reject weak ciphers, while still supporting modern browsers. What is the MOST appropriate action to enforce this requirement?

Reviewed for accuracy · Report an issue
Question 2 of 20

A media company hosts a static website in an S3 bucket served through a CloudFront distribution. The web team, which operates primarily in the eu-west-1 Region, requests an ACM certificate for their custom domain so that the distribution can serve HTTPS traffic. They created a public certificate in ACM in eu-west-1, validated it via DNS, and confirmed its status is 'Issued'. However, the certificate does not appear as a selectable option when they attempt to associate it with the CloudFront distribution. What is the cause and correct remediation?

Reviewed for accuracy · Report an issue
Question 3 of 20

A company runs a public-facing application behind an Application Load Balancer. The security team uses an SSL/TLS certificate that was issued by the company's existing third-party certificate authority and then imported into AWS Certificate Manager (ACM). During an audit, the team is concerned about a repeat of a past incident where the certificate expired and caused an outage. Which approach ensures they are proactively warned before this imported certificate expires?

Reviewed for accuracy · Report an issue
Question 4 of 20

A company runs a public-facing REST API behind an Application Load Balancer (ALB). Security requires that the TLS private key used to terminate connections is never exportable or accessible to administrators, and that certificate renewal happens automatically without operator intervention. The team currently uses a certificate issued by a public third-party certificate authority that they trust. Which approach best meets all requirements?

Reviewed for accuracy · Report an issue
Question 5 of 20

A financial services company runs a fleet of internal microservices on EC2 instances behind internal Application Load Balancers within a private VPC. Security policy requires mutual TLS between all internal services using X.509 certificates issued by a certificate authority the company controls. The certificates must be short-lived and automatically renewed, and the CA's root must NOT be publicly trusted. Which solution best meets these requirements?

Reviewed for accuracy · Report an issue
Question 6 of 20

A financial services company must implement a data classification strategy for a data lake in Amazon S3 containing millions of objects. Objects classified as 'Restricted' (containing PII) must be encrypted with a dedicated customer managed KMS key and retained for 7 years, while 'Internal' objects can use SSE-S3 and transition to cheaper storage after 90 days. The security team wants classification to drive these downstream controls automatically as new objects arrive, with minimal ongoing manual effort. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 7 of 20

A financial services company stores sensitive customer transaction records in an Amazon DynamoDB table. A compliance requirement mandates that the encryption key used for data at rest must be under the company's direct control, allowing them to define key policies, audit key usage in CloudTrail, and disable the key immediately if a breach is suspected. The security team wants to minimize operational overhead while still meeting these controls. Which DynamoDB encryption-at-rest configuration should they choose?

Reviewed for accuracy · Report an issue
Question 8 of 20

A security engineer discovers that several EC2 instances in a production account were launched with unencrypted EBS root and data volumes before an encryption policy was enforced. The engineer has already enabled EBS encryption by default at the account and Region level to protect future volumes. What is the correct approach to bring the EXISTING unencrypted volumes into compliance with the encryption-at-rest requirement while minimizing data loss?

Reviewed for accuracy · Report an issue
Question 9 of 20

A financial services company must digitally sign outbound payment files so that external partners can cryptographically verify the files came from the company and were not altered. Partners do not have AWS accounts and must be able to verify signatures using standard tooling without contacting AWS. The signing private key must never leave AWS and must be protected by FIPS 140-2 validated hardware. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 10 of 20

A company's production account (Account A) encrypts EBS snapshots with a customer managed KMS key. The DR team in a separate account (Account B) needs to copy these shared snapshots and restore volumes from them in Account B. The security team has already shared the snapshots with Account B via the snapshot sharing feature. However, when Account B attempts to copy the snapshot, the operation fails with an access denied error. What must the security team configure to allow Account B to successfully copy and restore the encrypted snapshots while following least privilege?

Reviewed for accuracy · Report an issue
Question 11 of 20

A financial services company must meet a regulatory requirement that all cryptographic key material used to encrypt customer data at rest be stored in single-tenant, FIPS 140-2 Level 3 validated hardware that the company controls, while still using AWS KMS APIs for envelope encryption across services such as S3 and EBS. Which approach satisfies this requirement with the least custom integration effort?

Reviewed for accuracy · Report an issue
Question 12 of 20

A media company must encrypt very large video files (several GB each) on-premises before uploading them to Amazon S3. Compliance requires that the plaintext data key never leave the application and that encryption happen entirely client-side using a customer managed KMS key. The team wants to avoid sending the multi-GB payloads to KMS. Which approach correctly meets these requirements?

Reviewed for accuracy · Report an issue
Question 13 of 20

A security engineer is designing envelope encryption for a multi-tenant SaaS application. Each tenant's data is encrypted with a shared AWS KMS customer managed key. The engineer wants to ensure that ciphertext encrypted for one tenant cannot be decrypted while claiming a different tenant's identity, without creating a separate KMS key per tenant. Which approach best achieves this cryptographic binding?

Reviewed for accuracy · Report an issue
Question 14 of 20

A company runs a data-processing Lambda function that must decrypt objects protected by a customer managed KMS key only during a nightly batch job. The security team wants to grant the Lambda execution role temporary, least-privilege decrypt access without modifying the key policy each time and without leaving standing permissions that must be manually removed. The key policy already delegates permissions management to IAM. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 15 of 20

A financial services company must retain full control over the cryptographic material used to encrypt sensitive data in Amazon S3. To meet compliance, they create a KMS key with an origin of EXTERNAL and import their own 256-bit key material, setting it to expire after 90 days. As the expiration date approaches, the security team wants to ensure encrypted objects remain decryptable without disruption. Which action correctly extends the ability to use this key?

Reviewed for accuracy · Report an issue
Question 16 of 20

A security engineer accidentally scheduled deletion of a customer managed KMS key that is used to encrypt production RDS snapshots and several S3 objects. The deletion was scheduled with the default waiting period. The team realizes the mistake two days later and is worried about permanently losing the ability to decrypt data. What is the correct action to prevent data loss?

Reviewed for accuracy · Report an issue
Question 17 of 20

A security engineer manages a single KMS customer managed key used by multiple project teams. The compliance team requires that each team can only use the key to encrypt/decrypt data associated with their own project, distinguished by a request tag. The engineer wants to control this authorization through the KMS key policy without creating a separate key per team. Which approach correctly enforces per-team access using KMS cryptographic operations?

Reviewed for accuracy · Report an issue
Question 18 of 20

A financial services company stores sensitive customer records in an Amazon RDS database encrypted with a customer managed KMS key. The security team wants to enforce a data classification policy that guarantees the KMS key used to encrypt this data can ONLY be used to protect data at rest and is never used for signing or MAC operations, regardless of any future key policy changes. Which approach BEST enforces this constraint at the KMS layer?

Reviewed for accuracy · Report an issue
Question 19 of 20

A financial services company stores customer records in an S3 bucket encrypted with a customer managed KMS key in Account A. A partner analytics firm operating in Account B must be able to decrypt and read these objects, but must NOT be able to schedule deletion of the key, change the key policy, or create grants on the key. The security team wants to grant the minimum access using the KMS key policy while allowing Account B's own IAM administrators to delegate the decrypt permission to specific roles. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 20 of 20

A company encrypts objects in an S3 bucket in Account A using a customer managed KMS key. A data-analytics application running under an IAM role in Account B must be able to read and decrypt these objects. The security team wants to grant the minimum access required and follow AWS best practices for cross-account KMS access. Which combination of configuration steps correctly enables Account B to decrypt the objects?

Reviewed for accuracy · Report an issue

More SCS-C02 practice

Keep going with the other AWS Certified Security - Specialty domains, or take a full timed mock exam.

← Back to SCS-C02 overview