AWS Certified Security - Specialty · Domain 5 · 18% of exam

Data Protection

Drill 20 practice questions focused entirely on Data Protection for the AWS SCS-C03 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A company runs an internal microservices platform on EC2 behind an internal Application Load Balancer. Security requires all service-to-service traffic to use TLS with certificates that automatically renew, are trusted only within the corporate network, and never need to be publicly resolvable or validated through DNS/email challenges. The solution must minimize operational overhead for certificate issuance and rotation. What should the security engineer implement?

Reviewed for accuracy · Report an issue
Question 2 of 20

A healthcare company must ensure that its RDS, EFS, and DynamoDB backups cannot be deleted or shortened in retention by anyone—including the AWS account root user and administrators—for a regulatory retention period of 7 years. The security team also wants backups copied to a separate, dedicated backup account to protect against a compromised production account. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 3 of 20

A financial services company stores sensitive transaction records in an Amazon DynamoDB table. Compliance requires that the company be able to prove exactly when the encryption key was used, control key rotation on its own schedule, and be able to immediately deny all access to the data by disabling the key without deleting the table. The team currently uses the default AWS owned key for the table. Which change should the security engineer make to meet all of these requirements?

Reviewed for accuracy · Report an issue
Question 4 of 20

A healthcare company stores patient records on an Amazon EFS file system mounted by EC2 instances in a private subnet. A compliance audit requires that all data transferred between the EC2 instances and the EFS file system be encrypted in transit, and that the requirement be technically enforced rather than reliant on documentation. The file system already has encryption at rest enabled with a customer managed KMS key. Which approach BEST meets the in-transit encryption requirement?

Reviewed for accuracy · Report an issue
Question 5 of 20

A security engineer manages a single AWS KMS customer managed key used by multiple project teams in the same account. Compliance requires that a principal be allowed to call kms:Decrypt only when the data key was originally encrypted for that principal's own project, without creating a separate KMS key per team. Each project's EC2 instances assume a role tagged with Project=<name>, and applications pass an encryption context of {"project":"<name>"} on every Encrypt call. Which approach enforces this requirement using one shared KMS key?

Reviewed for accuracy · Report an issue
Question 6 of 20

A software distribution team needs to digitally sign firmware images so that customers and IoT devices can verify authenticity offline. The signing operation must occur inside AWS with the private key never leaving AWS, while the public key must be freely distributable to devices for verification without any AWS API calls. Which AWS KMS configuration meets these requirements?

Reviewed for accuracy · Report an issue
Question 7 of 20

A financial services company encrypts sensitive customer records in Amazon S3 using a customer managed AWS KMS key (symmetric). To satisfy a new compliance mandate, the security team enables automatic key rotation on the KMS key. An auditor asks whether previously encrypted objects must be re-encrypted after rotation occurs, and how AWS KMS is able to decrypt objects that were encrypted before the rotation. Which statement correctly describes the behavior of automatic key rotation for this symmetric customer managed key?

Reviewed for accuracy · Report an issue
Question 8 of 20

A security engineer is designing envelope encryption for an application that stores sensitive customer records in Amazon S3 using SSE-KMS with a customer managed key. Compliance requires that a decryption request only succeeds if it is tied to the same logical tenant that performed the encryption, so that a valid ciphertext for one tenant cannot be decrypted in the context of a different tenant. The engineer wants to enforce this cryptographically without creating a separate KMS key per tenant. Which approach BEST meets this requirement?

Reviewed for accuracy · Report an issue
Question 9 of 20

A financial services company has a regulatory requirement to control and supply its own cryptographic key material for encrypting sensitive data in Amazon S3 and Amazon EBS. The security team creates a KMS key with imported key material (EXTERNAL origin) and imports a 256-bit key with a set expiration date. Several months later, an auditor asks how the team ensures this key is rotated on a regular schedule. What is the correct statement the security team should provide?

Reviewed for accuracy · Report an issue
Question 10 of 20

A security engineer discovers that a customer managed KMS key used to encrypt an S3 bucket containing critical audit archives was accidentally scheduled for deletion by an administrator. The deletion is set to occur in 7 days. Several thousand objects in the bucket are encrypted with SSE-KMS using this key. The engineer must ensure no data becomes permanently inaccessible while the incident is investigated. What is the correct action to take?

Reviewed for accuracy · Report an issue
Question 11 of 20

A security engineer manages a KMS customer managed key used by multiple applications to encrypt sensitive financial records. Compliance requires that (1) the key can only be used over encrypted connections and (2) applications must supply a specific encryption context tag so decrypt operations can be scoped and audited. Which combination of key policy conditions enforces both requirements on Decrypt operations?

Reviewed for accuracy · Report an issue
Question 12 of 20

A security engineer creates a new customer managed KMS key using the AWS CLI and specifies a custom key policy. The policy grants a specific application role permission to encrypt and decrypt, but omits any statement referencing the account root principal or the IAM administrators. Shortly after, the administrators discover that no one can manage the key — including updating the key policy itself — and they cannot delete or schedule deletion of the key from the console. What is the root cause and the recommended way to prevent this situation in the future?

Reviewed for accuracy · Report an issue
Question 13 of 20

A company encrypts objects in an S3 bucket in Account A using a customer managed KMS key. A data-processing application running under an IAM role in Account B must be able to decrypt these objects. The security team wants to grant this access following least privilege, allow the permission to be temporary, and enable it to be programmatically revoked when the processing job completes — without editing the KMS key policy or the S3 bucket policy each time. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 14 of 20

A security engineer manages a customer managed KMS key used to encrypt data in a shared analytics pipeline. A short-lived Lambda function, running under a role that is created dynamically for each batch job, must be granted temporary permission to decrypt data with the key. The engineer wants to avoid editing the key policy or IAM policies for every ephemeral role, and wants the permission to be easily and programmatically revocable when the job finishes. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 15 of 20

A financial services company stores encrypted backups in Amazon S3 in us-east-1 using SSE-KMS with a customer managed key. For disaster recovery, they replicate these backups to a bucket in eu-west-1 using S3 Cross-Region Replication. The DR requirement states that in a regional outage of us-east-1, the eu-west-1 team must be able to decrypt the replicated objects without any dependency on us-east-1 resources. Which KMS approach meets this requirement with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 16 of 20

A financial services company stores millions of documents in Amazon S3 across dozens of buckets. The compliance team must automatically discover and classify buckets that contain personally identifiable information (PII) such as credit card numbers and Social Security numbers, and receive ongoing alerts when new sensitive data appears. They also want to verify that buckets holding sensitive data are encrypted and not publicly accessible. Which approach best meets these data classification requirements with the least custom development?

Reviewed for accuracy · Report an issue
Question 17 of 20

A company runs an encrypted Amazon RDS MySQL database in a production account. The database uses a customer managed AWS KMS key. The security team must share an encrypted automated snapshot with a separate auditing account so that auditors can restore a copy of the database for review. When the security engineer attempts to share the snapshot, the auditing account cannot restore it. What must the engineer do to allow the auditing account to successfully restore the shared encrypted snapshot?

Reviewed for accuracy · Report an issue
Question 18 of 20

A company has an S3 bucket containing 40 TB of existing objects, most of which are currently unencrypted or encrypted with SSE-S3. A new data classification policy requires that all objects—both new and existing—be encrypted with a specific customer managed AWS KMS key. Enabling default bucket encryption with the KMS key has already ensured that newly uploaded objects are encrypted correctly, but the security team confirms the existing objects remain unchanged. Which approach re-encrypts the existing objects with the required KMS key with the least operational effort?

Reviewed for accuracy · Report an issue
Question 19 of 20

A company stores millions of objects daily in an S3 bucket that is configured for default encryption using SSE-KMS with a customer managed key. The finance team reports a sharp increase in AWS KMS charges, and CloudTrail shows a very high volume of GenerateDataKey and Decrypt API calls against the KMS key. Security must reduce KMS request costs while keeping all objects encrypted with the same customer managed key. What should the team do?

Reviewed for accuracy · Report an issue
Question 20 of 20

A financial services company must retain quarterly audit backup files for exactly 7 years to satisfy a regulator. The backups are archived to an Amazon S3 Glacier vault. Security policy requires that no administrator—including the account root user—be able to delete or shorten the retention of these archives once the retention rule is finalized. Which approach meets this requirement?

Reviewed for accuracy · Report an issue

More SCS-C03 practice

Keep going with the other AWS Certified Security - Specialty domains, or take a full timed mock exam.

← Back to SCS-C03 overview