Domain 1.3: Data Security

A financial institution needs to store regulatory records in Amazon S3. The records must not be deleted or overwritten by any user, including the AWS account root user, for a period of 7 years. Which S3 feature meets this requirement?

A company requires that all data stored in Amazon EBS volumes be encrypted at rest. The company also requires the ability to automatically rotate the encryption keys every year. Which AWS KMS key type should be used?

A company has an application that connects to an Amazon RDS database. The company wants to store the database credentials securely and automatically rotate them every 30 days without modifying the application code. Which TWO AWS services can be used together to achieve this? (Select TWO.)

A solutions architect wants to ensure that all new Amazon EBS volumes created in a specific AWS Region are encrypted by default. How can this be achieved with the LEAST operational overhead?

A company has an unencrypted Amazon RDS for MySQL database. The security team has mandated that the database must be encrypted at rest using AWS KMS. What is the MOST efficient way to encrypt the existing database?

A company wants to store sensitive documents in Amazon S3. The security policy requires that the data is encrypted at rest. The company wants AWS to manage the encryption keys, but they also need an audit trail showing when the keys were used and by whom. Which TWO encryption options meet these requirements? (Select TWO.)

A company is storing highly sensitive data in an Amazon S3 bucket. The security team requires that the data is encrypted at rest using keys managed by the company, and that all API calls to the keys are logged. Which TWO actions should a solutions architect take? (Select TWO.)

A company needs to store database credentials securely. The credentials must be automatically rotated every 30 days. Which AWS service should be used?

A financial institution requires a dedicated, single-tenant hardware security module (HSM) to manage their cryptographic keys due to strict regulatory compliance. Which AWS service meets this requirement?

A company needs to automatically discover, classify, and protect sensitive data, such as Personally Identifiable Information (PII), stored in Amazon S3. Which AWS service should be used?

A company must store financial records in Amazon S3 for 7 years. During this time, the records cannot be deleted or modified by anyone, including the root user. Which S3 feature should be used?

A developer accidentally created an unencrypted Amazon RDS MySQL database. The security team requires the database to be encrypted at rest. How can a solutions architect achieve this with the LEAST downtime?

A company is migrating a NoSQL database to Amazon DynamoDB. The security team mandates that all data must be encrypted at rest using an AWS managed key. How should the solutions architect configure this?

A company needs to encrypt data at rest in Amazon RDS and manage database credentials securely. The solution must automatically rotate credentials every 30 days. Which TWO services should be used? (Select TWO.)

A healthcare company stores petabytes of patient records in Amazon S3. The compliance team needs to automatically discover and classify Personally Identifiable Information (PII) and Protected Health Information (PHI) across all buckets. Which service should be used?

A company wants to share an encrypted Amazon RDS snapshot with another AWS account. The snapshot is encrypted using a customer managed AWS KMS key. Which TWO steps must the solutions architect take to share the snapshot? (Select TWO.)

A financial institution must store compliance records in Amazon S3 for 7 years. The records must not be deleted or modified by anyone, including the AWS account root user, during this period. Which S3 feature meets this requirement?

A developer needs to encrypt a 5 GB file before uploading it to Amazon S3. The company policy mandates the use of AWS KMS. How should the solutions architect implement this?

A company requires that all data stored in Amazon S3 must be encrypted at rest using keys managed by the company. The company wants to maintain full control over the key rotation and auditing of key usage. <br/><br/>Which encryption option meets these requirements?

A financial institution needs to store highly sensitive documents in Amazon S3. Compliance regulations require that the documents cannot be deleted or modified by anyone, including the AWS account root user, for a period of 7 years. <br/><br/>Which TWO actions should the solutions architect take to meet this requirement? (Select TWO.)

A company is migrating a legacy application to AWS. The application hardcodes database credentials in its configuration files. The security team mandates that credentials must be encrypted at rest, rotated automatically every 30 days, and retrieved dynamically by the application at runtime. <br/><br/>Which AWS service should be used to meet these requirements?

A company wants to ensure that all Amazon EBS volumes created in its AWS account are encrypted by default. <br/><br/>How can a solutions architect achieve this with the LEAST operational overhead?

A company is using AWS Key Management Service (AWS KMS) to manage encryption keys. The security policy requires that all cryptographic material be generated and stored in a single-tenant hardware appliance that is under the company's exclusive control. <br/><br/>Which AWS service should the company use?

A company wants to ensure that data in transit between their on-premises data center and their Amazon VPC is encrypted. They also require a dedicated, consistent network connection that does not traverse the public internet. <br/><br/>Which TWO services/features should be combined to meet these requirements? (Select TWO.)

A company is storing large amounts of unstructured data in Amazon S3. The compliance team needs to discover and protect Personally Identifiable Information (PII), such as credit card numbers and passport numbers, stored in these buckets. <br/><br/>Which AWS service should the company use?

A company is designing a secure architecture for a web application. They want to store SSL/TLS certificates and automatically deploy them to their Application Load Balancer (ALB) and Amazon CloudFront distribution. <br/><br/>Which TWO AWS services should they use? (Select TWO.)

A financial company requires that all data stored in Amazon S3 is encrypted at rest using keys managed by the company. The keys must be rotated automatically every year. Which TWO actions should the solutions architect take? (Select TWO.)

An application needs to connect to an Amazon RDS database. The database credentials must be encrypted, stored securely, and automatically rotated every 30 days. Which TWO actions should the solutions architect take? (Select TWO.)

A government agency is setting up a hybrid cloud architecture. They require a dedicated network connection from their on-premises data center to AWS. The connection must support native Layer 2 encryption at line rate. Which solution meets these requirements?

A financial institution must store regulatory documents in Amazon S3 for 7 years. During this time, the documents cannot be deleted or modified by anyone, including the AWS account root user. Which S3 feature should be used?

A company wants to automatically discover and classify sensitive data, such as Personally Identifiable Information (PII), stored in their Amazon S3 buckets. Which AWS service should they use?

A company has an unencrypted Amazon RDS MySQL database. A new compliance mandate requires that the database must be encrypted at rest. What is the MOST operationally efficient way to achieve this?

A company uses AWS Certificate Manager (ACM) to provision SSL/TLS certificates for their Application Load Balancers. The security team wants to ensure that certificates are automatically renewed before they expire. What must the solutions architect do to enable this?

An application encrypts data before writing it to a database. The company uses AWS KMS. To improve performance and reduce KMS API call costs, the application needs to encrypt data locally using a data key.<br/><br/>Which KMS API call should the application use to obtain the key?

A financial company must store regulatory documents in Amazon S3. Compliance rules dictate that the documents must be stored in a Write-Once-Read-Many (WORM) model and cannot be deleted or modified by anyone, including the AWS account root user, for exactly 7 years.<br/><br/>Which TWO actions should a solutions architect take? (Select TWO.)

A company wants to ensure that all new Amazon Elastic Block Store (EBS) volumes created in their AWS account are encrypted by default. <br/><br/>How can a solutions architect achieve this with the LEAST operational overhead?

A company has an unencrypted Amazon RDS for PostgreSQL database. The security team mandates that the database must be encrypted at rest using AWS KMS.<br/><br/>What is the MOST operationally efficient way to encrypt the existing database?

A government agency is migrating to AWS. They require dedicated hardware for cryptographic key generation and storage to meet FIPS 140-2 Level 3 compliance. They must have exclusive control over the cryptographic keys.<br/><br/>Which TWO statements about the appropriate AWS service are correct? (Select TWO.)

A developer is creating a new Amazon DynamoDB table and needs to ensure that all data is encrypted at rest. <br/><br/>What action must the developer take to enable encryption at rest for the DynamoDB table?

A healthcare company stores patient records in Amazon S3. Compliance requires that the data must be encrypted at rest using keys managed by the company, and the company must be able to audit the usage of the encryption keys. Which encryption method should be used?

A financial institution needs to store highly sensitive regulatory documents in Amazon S3. The documents must be protected from deletion or modification for exactly 7 years to meet compliance requirements. Which S3 feature should a solutions architect recommend?

A company has a large amount of data stored in Amazon S3. They suspect that some of the buckets contain unencrypted Personally Identifiable Information (PII). They need an automated way to discover and classify this sensitive data. Which AWS service should be used?

A company requires that all EBS volumes attached to new EC2 instances must be encrypted. How can a solutions architect ensure this requirement is met with the LEAST operational overhead? (Select TWO.)

A company uses AWS KMS to manage encryption keys. They have a requirement that the cryptographic key material must be generated and stored in a single-tenant hardware security module (HSM) under their exclusive control. Which AWS service or feature should they use?

A database contains highly sensitive data. The company wants to ensure that if a snapshot of the database is shared with another AWS account, the receiving account cannot access the data unless explicitly authorized by the security team. How should the snapshot be encrypted?