Data Protection — AWS Certified Security Specialty Practice Questions

Learning

Loading practice session...

Loading certificate…

Ready to learn

Sample questions — Data Protection

1. A security architect needs to encrypt large datasets in S3 using AWS KMS. The design must minimize calls to KMS and avoid sending large payloads to the KMS API. Which envelope encryption approach is correct?

A.Generate a data key via KMS, use it locally to encrypt the data, then store only the encrypted data key alongside the ciphertext — not the plaintext data key.✓ Correct
B.Send the entire dataset directly to AWS KMS for encryption using the Customer Master Key, which can handle payloads of any size.
C.Use the Customer Master Key to encrypt the data key and also encrypt the data directly, storing both encrypted objects in S3.
D.Store the plaintext data key in AWS Secrets Manager alongside the encrypted data so it can be retrieved for decryption at any time.

Explanation

Envelope encryption uses KMS to generate a data key, encrypts data locally with it, then discards the plaintext key — only the encrypted data key is kept. KMS CMKs cannot directly encrypt large payloads (4KB limit), making options B and C incorrect.

2. During decryption, an application retrieves an encrypted data key stored alongside a ciphertext blob in S3. What is the correct next step to decrypt the data?

A.Call KMS Decrypt with the encrypted data key to retrieve the plaintext data key, then use it to decrypt the ciphertext locally in memory.✓ Correct
B.Call KMS GenerateDataKey again to create a new plaintext data key, which will automatically match the original key used for encryption.
C.Pass the encrypted ciphertext blob directly to KMS Decrypt, which will identify the correct CMK and return the plaintext data.
D.Use AWS Secrets Manager to look up the original plaintext data key that was stored at encryption time, then apply it to the ciphertext.

Explanation

To decrypt, you call KMS Decrypt on the encrypted data key to get the plaintext data key, then decrypt locally. KMS cannot directly decrypt large ciphertexts (B is wrong), and the plaintext key must never be stored persistently (D is wrong).

3. A team is building a containerized microservice that encrypts data and passes the encrypted data key to a separate decryption service. The encryption container should never hold a plaintext key in memory. Which KMS API call should the encryption container use?

A.Call GenerateDataKeyWithoutPlaintext to receive only the encrypted data key, deferring all plaintext key handling to the authorized decryption service.✓ Correct
B.Call GenerateDataKey to get both the plaintext and encrypted data key, then immediately delete the plaintext key variable after use.
C.Call CreateKey to generate a new CMK for each container instance and use it directly to encrypt data without creating a data key.
D.Call Encrypt with the raw data payload to use the CMK directly, avoiding the need for any data key generation in the container.

Explanation

GenerateDataKeyWithoutPlaintext returns only an encrypted data key — the container never sees plaintext, eliminating in-memory key exposure risk. GenerateDataKey (B) returns plaintext which defeats the purpose; direct CMK encryption (D) is limited to 4KB.

4. In a distributed pipeline, Worker A encrypts data using GenerateDataKeyWithoutPlaintext and stores the encrypted data key alongside the ciphertext. Worker B must decrypt the data later. What must Worker B have to successfully decrypt?

A.Worker B needs KMS Decrypt permission on the CMK used by Worker A to unwrap the encrypted data key and obtain the plaintext key for decryption.✓ Correct
B.Worker B must regenerate the data key using GenerateDataKey with the same CMK, which will reproduce an identical key for decryption.
C.Worker B needs access to the S3 bucket containing the ciphertext but does not require any KMS permissions because the data key handles decryption.
D.Worker B must have the same IAM role as Worker A so that KMS will recognize it as the original encryptor and return the plaintext key automatically.

Explanation

Worker B must call KMS Decrypt on the encrypted data key, requiring kms:Decrypt permission on the specific CMK. KMS does not reproduce the same data key (B is wrong); S3 access alone is insufficient without KMS permissions (C is wrong).

5. A compliance officer requires full audit trails of all KMS key usage, the ability to set custom key rotation schedules, and the option to disable keys immediately if a breach is detected. Which CMK type meets all these requirements?

A.Customer managed CMKs, which provide full control over key policies, rotation schedules, enabling/disabling, and detailed CloudTrail logging of every API call.✓ Correct
B.AWS managed CMKs, which are automatically created by AWS services and allow customers to set custom rotation policies and disable keys on demand.
C.AWS owned CMKs, which are managed entirely by AWS and provide the highest level of customer visibility through AWS Config and CloudTrail.
D.AWS managed CMKs, which give customers complete key policy control and allow immediate key deletion with a configurable waiting period of 0 days.

Explanation

Customer managed CMKs give full control: custom policies, configurable rotation (or manual rotation), enable/disable, and full CloudTrail visibility. AWS managed CMKs rotate automatically but cannot be disabled or have custom policies; AWS owned CMKs are invisible to customers.

Practice all 56+ questions in this domain

Start free practice →

Frequently asked questions

How many AWS Certified Security Specialty practice questions are there for Data Protection?↓

AnyCert has 56 AWS Certified Security Specialty practice questions specifically for the Data Protection domain, each with a detailed AI-tutored explanation.

Is Data Protection heavily tested on the AWS Certified Security Specialty exam?↓

Data Protection is one of the core domains in the AWS Certified Security Specialty exam blueprint. Mastering this domain is essential for passing. AnyCert's practice questions cover the full scope of testable topics in this domain.

How should I study the Data Protection domain for AWS Certified Security Specialty?↓

Practice all 56 Data Protection questions in AnyCert, review every explanation for missed answers, and use the AI tutor to clarify any concept. Focus on understanding the reasoning behind each answer, not just memorizing the correct choice.

Sample questions — Data Protection

A.Generate a data key via KMS, use it locally to encrypt the data, then store only the encrypted data key alongside the ciphertext — not the plaintext data key.✓ Correct
B.Send the entire dataset directly to AWS KMS for encryption using the Customer Master Key, which can handle payloads of any size.
C.Use the Customer Master Key to encrypt the data key and also encrypt the data directly, storing both encrypted objects in S3.
D.Store the plaintext data key in AWS Secrets Manager alongside the encrypted data so it can be retrieved for decryption at any time.

Explanation

2. During decryption, an application retrieves an encrypted data key stored alongside a ciphertext blob in S3. What is the correct next step to decrypt the data?

A.Call KMS Decrypt with the encrypted data key to retrieve the plaintext data key, then use it to decrypt the ciphertext locally in memory.✓ Correct
B.Call KMS GenerateDataKey again to create a new plaintext data key, which will automatically match the original key used for encryption.
C.Pass the encrypted ciphertext blob directly to KMS Decrypt, which will identify the correct CMK and return the plaintext data.
D.Use AWS Secrets Manager to look up the original plaintext data key that was stored at encryption time, then apply it to the ciphertext.

Explanation

A.Call GenerateDataKeyWithoutPlaintext to receive only the encrypted data key, deferring all plaintext key handling to the authorized decryption service.✓ Correct
B.Call GenerateDataKey to get both the plaintext and encrypted data key, then immediately delete the plaintext key variable after use.
C.Call CreateKey to generate a new CMK for each container instance and use it directly to encrypt data without creating a data key.
D.Call Encrypt with the raw data payload to use the CMK directly, avoiding the need for any data key generation in the container.

Explanation

A.Worker B needs KMS Decrypt permission on the CMK used by Worker A to unwrap the encrypted data key and obtain the plaintext key for decryption.✓ Correct
B.Worker B must regenerate the data key using GenerateDataKey with the same CMK, which will reproduce an identical key for decryption.
C.Worker B needs access to the S3 bucket containing the ciphertext but does not require any KMS permissions because the data key handles decryption.
D.Worker B must have the same IAM role as Worker A so that KMS will recognize it as the original encryptor and return the plaintext key automatically.

Explanation

A.Customer managed CMKs, which provide full control over key policies, rotation schedules, enabling/disabling, and detailed CloudTrail logging of every API call.✓ Correct
B.AWS managed CMKs, which are automatically created by AWS services and allow customers to set custom rotation policies and disable keys on demand.
C.AWS owned CMKs, which are managed entirely by AWS and provide the highest level of customer visibility through AWS Config and CloudTrail.
D.AWS managed CMKs, which give customers complete key policy control and allow immediate key deletion with a configurable waiting period of 0 days.

Explanation

Practice all 56+ questions in this domain

Start free practice →

Frequently asked questions

How many AWS Certified Security Specialty practice questions are there for Data Protection?↓

AnyCert has 56 AWS Certified Security Specialty practice questions specifically for the Data Protection domain, each with a detailed AI-tutored explanation.

Is Data Protection heavily tested on the AWS Certified Security Specialty exam?↓

How should I study the Data Protection domain for AWS Certified Security Specialty?↓