Security and Compliance — AWS Certified Cloud Practitioner Practice Questions

Learning

Loading practice session...

Loading certificate…

Ready to learn

Sample questions — Security and Compliance

1. A company stores sensitive customer records in Amazon S3 and wants AWS to manage the encryption keys automatically without any additional configuration. Which S3 encryption option best meets this requirement?

A.SSE-S3, where Amazon S3 manages encryption keys entirely on your behalf using AES-256.✓ Correct
B.SSE-KMS, where AWS Key Management Service manages a customer master key for encryption.
C.Client-side encryption, where the application encrypts data before uploading it to S3.
D.SSE-C, where the customer provides their own encryption keys with each API request.

Explanation

SSE-S3 is the simplest option: S3 manages all key creation, rotation, and storage automatically using AES-256, requiring zero additional configuration from the customer.

2. A financial firm requires full audit trails for every encryption key usage event in Amazon S3, including who accessed a key and when. Which encryption method provides this level of key activity logging?

A.SSE-S3, which encrypts objects automatically.
B.SSE-KMS, which integrates with AWS CloudTrail to log every use of the customer master key.✓ Correct
C.Client-side encryption using an on-premises HSM outside of AWS logging infrastructure.
D.Amazon S3 server access logging, which records HTTP requests.

Explanation

SSE-KMS uses AWS KMS customer master keys whose every usage is logged in AWS CloudTrail, giving full auditability of who used which key and when.

3. An application transmits personally identifiable information (PII) between a web browser and an Amazon EC2-hosted API. Which AWS-recommended mechanism protects this data while it travels over the network?

A.Enabling Amazon S3 server-side encryption to protect data stored in transit buckets.
B.Using AWS Shield Standard to absorb DDoS traffic before it reaches the application.
C.Enforcing HTTPS using SSL/TLS certificates so data is encrypted during network transmission.✓ Correct
D.Placing the EC2 instance inside a private subnet to restrict inbound internet traffic.

Explanation

SSL/TLS (HTTPS) encrypts data in transit between clients and servers, preventing eavesdropping and man-in-the-middle attacks on network communications.

4. A developer needs to create and control the lifecycle of cryptographic keys used to encrypt data across multiple AWS services. Which AWS service is designed specifically for this purpose?

A.AWS Certificate Manager, which provisions and manages SSL/TLS certificates for web endpoints.
B.AWS Key Management Service (KMS), which creates and controls customer master keys for encryption.✓ Correct
C.AWS Secrets Manager, which stores and rotates database credentials and API keys securely.
D.AWS CloudHSM, which provides dedicated single-tenant hardware security modules for key storage.

Explanation

AWS KMS is the managed service purpose-built to create, store, rotate, and control access to customer master keys (CMKs) used for encryption across AWS services.

5. A security team wants to use their own cryptographic key material imported into AWS KMS rather than having AWS generate the key. What does AWS KMS support to enable this?

A.Customer-managed CMKs with imported key material, allowing the customer to supply their own key bytes.✓ Correct
B.AWS-managed CMKs, which are automatically created and rotated entirely by AWS without import options.
C.AWS CloudTrail key pairs, which store externally generated keys inside CloudTrail log groups.
D.IAM access keys, which authenticate API calls and can double as encryption key material in KMS.

Explanation

AWS KMS supports customer-managed CMKs with imported key material, letting customers supply their own cryptographic key bytes while still using KMS for key management operations.

Practice all 62+ questions in this domain

Start free practice →

Frequently asked questions

How many AWS Certified Cloud Practitioner practice questions are there for Security and Compliance?↓

AnyCert has 62 AWS Certified Cloud Practitioner practice questions specifically for the Security and Compliance domain, each with a detailed AI-tutored explanation.

Is Security and Compliance heavily tested on the AWS Certified Cloud Practitioner exam?↓

Security and Compliance is one of the core domains in the AWS Certified Cloud Practitioner exam blueprint. Mastering this domain is essential for passing. AnyCert's practice questions cover the full scope of testable topics in this domain.

How should I study the Security and Compliance domain for AWS Certified Cloud Practitioner?↓

Practice all 62 Security and Compliance questions in AnyCert, review every explanation for missed answers, and use the AI tutor to clarify any concept. Focus on understanding the reasoning behind each answer, not just memorizing the correct choice.

Sample questions — Security and Compliance

A.SSE-S3, where Amazon S3 manages encryption keys entirely on your behalf using AES-256.✓ Correct
B.SSE-KMS, where AWS Key Management Service manages a customer master key for encryption.
C.Client-side encryption, where the application encrypts data before uploading it to S3.
D.SSE-C, where the customer provides their own encryption keys with each API request.

Explanation

SSE-S3 is the simplest option: S3 manages all key creation, rotation, and storage automatically using AES-256, requiring zero additional configuration from the customer.

A.SSE-S3, which encrypts objects automatically.
B.SSE-KMS, which integrates with AWS CloudTrail to log every use of the customer master key.✓ Correct
C.Client-side encryption using an on-premises HSM outside of AWS logging infrastructure.
D.Amazon S3 server access logging, which records HTTP requests.

Explanation

SSE-KMS uses AWS KMS customer master keys whose every usage is logged in AWS CloudTrail, giving full auditability of who used which key and when.

A.Enabling Amazon S3 server-side encryption to protect data stored in transit buckets.
B.Using AWS Shield Standard to absorb DDoS traffic before it reaches the application.
C.Enforcing HTTPS using SSL/TLS certificates so data is encrypted during network transmission.✓ Correct
D.Placing the EC2 instance inside a private subnet to restrict inbound internet traffic.

Explanation

SSL/TLS (HTTPS) encrypts data in transit between clients and servers, preventing eavesdropping and man-in-the-middle attacks on network communications.

4. A developer needs to create and control the lifecycle of cryptographic keys used to encrypt data across multiple AWS services. Which AWS service is designed specifically for this purpose?

A.AWS Certificate Manager, which provisions and manages SSL/TLS certificates for web endpoints.
B.AWS Key Management Service (KMS), which creates and controls customer master keys for encryption.✓ Correct
C.AWS Secrets Manager, which stores and rotates database credentials and API keys securely.
D.AWS CloudHSM, which provides dedicated single-tenant hardware security modules for key storage.

Explanation

AWS KMS is the managed service purpose-built to create, store, rotate, and control access to customer master keys (CMKs) used for encryption across AWS services.

5. A security team wants to use their own cryptographic key material imported into AWS KMS rather than having AWS generate the key. What does AWS KMS support to enable this?

A.Customer-managed CMKs with imported key material, allowing the customer to supply their own key bytes.✓ Correct
B.AWS-managed CMKs, which are automatically created and rotated entirely by AWS without import options.
C.AWS CloudTrail key pairs, which store externally generated keys inside CloudTrail log groups.
D.IAM access keys, which authenticate API calls and can double as encryption key material in KMS.

Explanation

AWS KMS supports customer-managed CMKs with imported key material, letting customers supply their own cryptographic key bytes while still using KMS for key management operations.

Practice all 62+ questions in this domain

Start free practice →

Frequently asked questions

How many AWS Certified Cloud Practitioner practice questions are there for Security and Compliance?↓

AnyCert has 62 AWS Certified Cloud Practitioner practice questions specifically for the Security and Compliance domain, each with a detailed AI-tutored explanation.

Is Security and Compliance heavily tested on the AWS Certified Cloud Practitioner exam?↓

How should I study the Security and Compliance domain for AWS Certified Cloud Practitioner?↓