Data Engineer Associate · 18% of the exam

Data Security and Governance: free practice questions

5 sample questions from our 45-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real AWS exam.

1. A data pipeline writes highly sensitive PII records to Amazon DynamoDB. The security team requires that data is encrypted at rest using a customer-managed key (CMK) so that the company retains full control over key rotation and revocation. Which configuration satisfies this requirement?

  • A. Enable DynamoDB encryption at rest and select AWS owned key (default); DynamoDB manages all key material automatically
  • B. Enable DynamoDB encryption at rest and select AWS managed key (aws/dynamodb); AWS rotates the key automatically each year
  • C. Enable DynamoDB encryption at rest and select a customer-managed KMS key (CMK) created in AWS KMS; configure manual or automatic key rotation as required✓ Correct
  • D. Enable DynamoDB Point-in-Time Recovery (PITR) and configure client-side encryption using the AWS Encryption SDK before writing records
Explanation

Only a customer-managed KMS key (CMK) gives the company full control over key policies, rotation schedules, and the ability to revoke access by disabling the key. Option A (AWS owned key) is managed entirely by AWS and cannot be controlled, rotated, or revoked by the customer. Option B (AWS managed key) is managed by AWS on behalf of the customer—AWS controls rotation, and the customer cannot disable it directly. Option D (client-side encryption with PITR) addresses encryption but does not use KMS-managed server-side encryption; PITR is a backup feature, not an encryption control.

2. A data engineering team uses AWS Lake Formation to manage access to a data lake. A new data scientist needs row-level access to a table so that she can only query rows where the 'region' column equals 'us-east-1'. No other users should be affected by this restriction. Which Lake Formation feature should the data engineer configure?

  • A. Create a Lake Formation data filter with a row filter expression (region = 'us-east-1') and attach it as a grant to the data scientist's IAM user.✓ Correct
  • B. Create a Glue Data Catalog resource policy that includes a Condition block filtering rows where region = 'us-east-1'.
  • C. Create an Amazon Athena named query with a WHERE region = 'us-east-1' clause and restrict the data scientist to only that named query.
  • D. Use AWS IAM condition keys in the data scientist's IAM policy to filter S3 GetObject requests by object metadata tag region=us-east-1.
Explanation

AWS Lake Formation supports row-level and cell-level security through Data Filters. A data filter defines a row filter expression (e.g., `region = 'us-east-1'`) and optionally a column filter. When the data engineer grants table access to the data scientist and attaches this data filter, the data scientist only sees matching rows — other users with their own grants are unaffected. Option B (Glue Data Catalog resource policies) controls access to catalog API operations (e.g., GetTable, GetDatabase) but does not filter data at the row level. Option C (Athena named query) is not an access control mechanism — the data scientist could still run her own queries without the WHERE clause; named queries are just saved queries, not enforced restrictions. Option D (IAM S3 condition keys) can restrict access to specific S3 prefixes or objects by tag, but S3 object tags operate at the object (file) level, not at the row level within a Parquet or ORC file. This would not achieve row-level filtering within a table.

3. A data engineer is designing an IAM permission strategy for a new AWS Glue ETL job that reads raw data from an S3 bucket (`s3://raw-data-bucket`), transforms it, and writes results to a second S3 bucket (`s3://processed-data-bucket`). Following the principle of least privilege, which IAM policy configuration is MOST appropriate for the Glue job's execution role?

  • A. Attach the AWS managed policy `AmazonS3FullAccess` to the Glue role so the job can access any current and future S3 resources it needs.
  • B. Grant `s3:GetObject` and `s3:ListBucket` on `s3://raw-data-bucket` and `s3:PutObject` on `s3://processed-data-bucket`, plus the minimum Glue service permissions required for the job.✓ Correct
  • C. Grant `s3:*` on both buckets and attach the `AWSGlueServiceRole` managed policy to ensure all Glue and S3 operations succeed without permission errors.
  • D. Grant `s3:GetObject`, `s3:PutObject`, `s3:DeleteObject`, and `s3:ListBucket` on both buckets to allow the Glue job full flexibility to read, write, and clean up data.
Explanation

Least privilege mandates granting only the permissions required for the specific task. The Glue job needs to READ from the raw bucket (s3:GetObject, s3:ListBucket) and WRITE to the processed bucket (s3:PutObject). No other S3 permissions are needed. Option A (AmazonS3FullAccess) grants read/write/delete access to all S3 buckets in the account—far exceeding what the job needs and violating least privilege. Option C (s3:* on both buckets) similarly grants excessive permissions including delete, ACL changes, and bucket configuration, and the AWSGlueServiceRole managed policy is designed for the AWS Glue service role, not a scoped job execution role. Option D adds s3:DeleteObject on both buckets, which the job does not need and should not have—especially on the raw data bucket where accidental deletion could be catastrophic.

4. A data engineering team is building an ETL pipeline in AWS Glue that connects to an Amazon RDS MySQL database. The pipeline runs on a schedule and must retrieve the database credentials securely at runtime. The credentials must be automatically rotated every 30 days without requiring changes to the Glue job code. Which approach BEST meets these requirements?

  • A. Store the database username and password as AWS Glue job parameters and pass them at job invocation time.
  • B. Encrypt the credentials with an AWS KMS key and store them in an S3 object; have the Glue job read and decrypt the file at runtime.
  • C. Store the credentials in AWS Secrets Manager with automatic rotation enabled, and retrieve them in the Glue job using the Secrets Manager API.✓ Correct
  • D. Create an IAM database authentication token in IAM and use it directly in the Glue connection configuration.
Explanation

AWS Secrets Manager is designed exactly for this use case: it stores credentials securely, supports automatic rotation on a configurable schedule (e.g., every 30 days) using Lambda functions, and provides an API that applications can call at runtime to retrieve the latest secret — requiring no code changes when rotation occurs. Option A (job parameters) exposes credentials in plaintext in logs and the Glue console, is insecure, and does not support automatic rotation. Option B (KMS-encrypted S3 file) adds some encryption protection but still requires a manual process to update the file when credentials rotate, and the file itself is an additional artifact to manage securely. Option D (IAM database authentication) is a valid approach for passwordless RDS access using short-lived tokens, but the question explicitly states credentials that rotate every 30 days, which aligns with Secrets Manager's rotation model; also, IAM DB auth tokens expire in 15 minutes and are not stored — a different mechanism entirely.

5. A company is building a GDPR-compliant data pipeline. When a customer submits a 'right to erasure' request, all records associated with that customer's ID must be deleted from the data lake within 30 days. The data lake stores data in Apache Parquet format partitioned by date in Amazon S3, and is queried via Amazon Athena. Billions of rows exist across thousands of S3 objects. Which approach BEST satisfies the erasure requirement with the LEAST reprocessing overhead?

  • A. On each erasure request, run an Athena CTAS query to recreate the entire dataset excluding the target customer's records, then delete the original S3 objects.
  • B. Implement a record-level deletion approach using Apache Iceberg tables on S3: issue a DELETE statement for the customer's records, which writes delete files without rewriting entire data files, then periodically run compaction to physically remove the records.✓ Correct
  • C. Add the customer ID to a 'deleted customers' DynamoDB table; modify all Athena queries to JOIN against this table and filter out deleted customer IDs at query time.
  • D. Enable S3 Object Lock on the data lake bucket in Governance mode and use the s3:BypassGovernanceRetention permission to delete individual objects containing the customer's data.
Explanation

Apache Iceberg's ACID-compliant DELETE operation is purpose-built for this use case. When you issue a DELETE for a specific customer ID, Iceberg writes positional or equality delete files that logically remove those records immediately — without rewriting the entire underlying Parquet files. Periodic compaction (expire snapshots + rewrite data files) then physically removes the data. This minimizes reprocessing overhead while meeting the 30-day physical deletion window required by GDPR. Option A (Athena CTAS to recreate entire dataset) would work but requires rewriting ALL data across thousands of objects for every erasure request — the compute and storage cost at petabyte scale is prohibitive and is the opposite of 'least reprocessing overhead.' Option C (DynamoDB 'deleted customers' filter at query time) is a soft-delete/suppression pattern. It does NOT physically delete the data, which means the customer's records still exist in S3 in plaintext. GDPR's right to erasure requires actual deletion of the personal data, not just suppression from query results. Option D (S3 Object Lock + Governance bypass for individual objects) fundamentally misunderstands the problem: Object Lock is designed to PREVENT deletion, not facilitate it. Furthermore, customer data is typically spread across many Parquet files that contain records from many customers — you cannot delete individual rows by deleting entire S3 objects without destroying other customers' data.

40 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free
Data Security and Governance — Free Data Engineer Associate Practice Questions | DataCertPrep — Certification Prep