Try 10 focused AWS SCS-C03 questions on Data Protection, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | AWS SCS-C03 |
| Topic area | Data Protection |
| Blueprint weight | 18% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Data Protection for AWS SCS-C03. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 18% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.
Topic: Data Protection
A security engineer reviews an audit note for an application that uses Amazon CloudFront in front of an Application Load Balancer (ALB). The company requires TLS for users connecting to the application and encryption in transit between application services.
Audit note:
CloudFront viewer protocol policy: Redirect HTTP to HTTPS
CloudFront origin protocol policy: HTTP only
ALB listener: port 80 HTTP
ALB target group protocol: HTTP
Which interpretation is best supported by this evidence?
Options:
A. The main gap is missing encryption at rest for the ALB.
B. User TLS is enforced, but service-to-service encryption is not.
C. All application traffic is encrypted end to end.
D. The audit note proves users can connect only over HTTP.
Best answer: B
Explanation: TLS requirements can apply to different communication paths. In this evidence, the CloudFront viewer protocol policy redirects users from HTTP to HTTPS, so the user-to-service requirement is addressed at the CloudFront edge. However, CloudFront connects to the origin by HTTP only, the ALB listens on HTTP, and the target group uses HTTP. Those facts indicate plaintext service-to-service or service-to-backend hops. If the policy requires encryption in transit between application services, the next design focus is enabling HTTPS/TLS on the origin and backend paths, not assuming viewer TLS covers every hop. The key distinction is between client-facing TLS and encryption for inter-resource communications.
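As an added example that is not part of the original question set, the Python check below walks the hops in the audit note above and names the ones still carried in plaintext. It assumes input dicts shaped like the AWS CLI/boto3 responses for `cloudfront get-distribution-config`, `elbv2 describe-listeners` and `elbv2 describe-target-groups`; the sample values are constructed to match the audit note, not taken from a real account.

```python
# Constructed example: hop-by-hop encryption-in-transit check for a
# CloudFront -> ALB -> target path. Input dicts mirror the response shapes of
# cloudfront get-distribution-config, elbv2 describe-listeners and
# elbv2 describe-target-groups; the sample data is made up, not a real account.

VIEWER_HTTPS = {"https-only", "redirect-to-https"}


def viewer_hop_encrypted(dist_cfg):
    """User -> CloudFront edge: HTTPS required, or HTTP redirected to HTTPS."""
    return dist_cfg["DefaultCacheBehavior"]["ViewerProtocolPolicy"] in VIEWER_HTTPS


def origin_hop_encrypted(dist_cfg):
    """CloudFront -> origin: every custom origin must be fetched over HTTPS.
    'match-viewer' counts only when the viewer policy already forces HTTPS."""
    viewer_https = viewer_hop_encrypted(dist_cfg)
    for origin in dist_cfg["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is None:  # S3 bucket origins have no protocol policy; skip
            continue
        policy = custom["OriginProtocolPolicy"]
        if policy == "http-only" or (policy == "match-viewer" and not viewer_https):
            return False
    return True


def plaintext_hops(dist_cfg, listeners, target_groups):
    """Return the hops still in plaintext; empty list means TLS on every hop.
    The origin policy and the ALB listener describe one hop from each side."""
    hops = {
        "viewer->cloudfront": viewer_hop_encrypted(dist_cfg),
        "cloudfront->origin": origin_hop_encrypted(dist_cfg),
        "alb-listener": all(l["Protocol"] == "HTTPS" for l in listeners),
        "alb->targets": all(tg["Protocol"] == "HTTPS" for tg in target_groups),
    }
    return [name for name, ok in hops.items() if not ok]


# Sample input constructed to match the audit note in the question above.
AUDIT_DIST = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "Origins": {"Items": [{"CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}}]},
}
AUDIT_LISTENERS = [{"Port": 80, "Protocol": "HTTP"}]
AUDIT_TARGET_GROUPS = [{"Protocol": "HTTP"}]

if __name__ == "__main__":
    print(plaintext_hops(AUDIT_DIST, AUDIT_LISTENERS, AUDIT_TARGET_GROUPS))
    # -> ['cloudfront->origin', 'alb-listener', 'alb->targets']
```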
Topic: Data Protection
A company runs a customer portal behind an Application Load Balancer. A new compliance requirement says that external users must connect over TLS and must present client certificates issued by the company’s private CA before any request reaches the application. The application team does not want to implement certificate validation in application code.
Which control best satisfies this requirement?
Options:
A. Attach an AWS WAF rule that checks for a certificate header
B. Issue an ACM public certificate for the ALB domain only
C. Encrypt the application database with an AWS KMS key
D. Configure an ALB HTTPS listener with mutual TLS verify mode
Best answer: D
Explanation: Mutual TLS is the right data-in-transit control when both the server and the client must prove identity with certificates during the TLS handshake. For an application behind an Application Load Balancer, an HTTPS listener can use an ACM server certificate for the portal domain and mutual TLS in verify mode with a trust store that contains the issuing CA certificates. This enforces client certificate validation at the load balancer layer before traffic is forwarded to targets, so the application does not need to perform the certificate validation itself. A normal server certificate protects user-to-ALB encryption but does not authenticate client certificates.
Topic: Data Protection
A security team must configure encryption at rest for a new Amazon S3 bucket that stores regulated documents. The solution must allow the team to restrict decrypt permissions to specific application roles, audit key usage in AWS CloudTrail, and quickly suspend access to the encrypted data if a key is compromised. Application code changes should be avoided. Which configuration best meets these requirements?
Options:
A. Enable default SSE-S3 with S3 managed keys
B. Enable EBS encryption by default in the account
C. Use client-side encryption before uploading objects
D. Enable default SSE-KMS with a customer managed KMS key
Best answer: D
Explanation: For S3 object encryption that needs administrative key control, auditability, and no application code changes, server-side encryption with AWS KMS using a customer managed key is the best fit. SSE-KMS lets the security team control which IAM roles can use the key through key policy and IAM permissions, records KMS key usage events in CloudTrail, and allows administrators to disable the key to block future decrypt operations. S3 performs the encryption and decryption integration, so applications can continue to use normal S3 APIs if they have the required permissions. The key point is to choose an encryption control at the S3 object layer with customer-controlled KMS authorization.
Topic: Data Protection
A company serves a public web application at app.example.com through an Amazon CloudFront distribution. The origin is an Application Load Balancer. Security requirements state that internet browsers must validate TLS for app.example.com, and the operations team must avoid handling private keys or manual certificate renewals. Which control best meets these requirements?
Options:
A. Use an ACM public certificate as the CloudFront viewer certificate
B. Issue a private certificate from AWS Private CA for CloudFront
C. Store the certificate in Secrets Manager for Lambda@Edge
D. Attach an ACM certificate only to the origin load balancer
Best answer: A
Explanation: For a public custom domain served by CloudFront, the TLS certificate that browsers validate must be configured on the CloudFront viewer connection. AWS Certificate Manager public certificates are designed for AWS-managed endpoints such as CloudFront, Elastic Load Balancing, and API Gateway, and ACM manages renewal for eligible public certificates. Placing the certificate only on the origin protects the origin connection but does not provide the browser-facing certificate for app.example.com. A private CA certificate is useful for internal trust models, not general public browser trust. The key control is to terminate viewer TLS at the AWS-managed edge endpoint with an ACM public certificate.
Topic: Data Protection
A financial services company stores daily trade-confirmation PDFs in Amazon S3. Regulations require each PDF to be retained in a WORM state for 7 years, even from privileged administrators, while allowing new PDFs to be added every day and transitioned to lower-cost storage after 90 days. What is the BEST security decision?
Options:
A. Enable S3 Object Lock in governance mode with a 7-year retention period
B. Enable S3 Versioning and MFA Delete on the bucket
C. Enable S3 Object Lock in compliance mode with a 7-year retention period and lifecycle transitions
D. Move the PDFs into an S3 Glacier vault and apply a Vault Lock policy
Best answer: C
Explanation: S3 Object Lock is the AWS retention control designed for WORM requirements on S3 objects. Compliance mode prevents object versions from being overwritten or deleted until the retention period expires, including by users with elevated permissions. Because the company must keep accepting new PDFs, the bucket can continue receiving new objects while each object version receives its own 7-year retention. S3 Lifecycle transitions can still move protected objects to lower-cost storage classes after 90 days without violating retention. Governance mode is weaker because authorized users can bypass retention, and Glacier Vault Lock applies to S3 Glacier vault archives rather than ordinary S3 object workflows.
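An added check, not part of the original question set, that evaluates a bucket against the requirements of this question and the S3 encryption question above: SSE-KMS with a customer managed key, Object Lock in compliance mode for 7 years, and a lifecycle transition at 90 days. It assumes dicts shaped like the `get-bucket-encryption`, `get-object-lock-configuration` and `get-bucket-lifecycle-configuration` responses; the key ARN, account id and rule names are constructed placeholders.

```python
# Constructed example: check an S3 bucket against the requirements in the two
# questions above (SSE-KMS with a customer managed key; Object Lock compliance
# mode for 7 years with a 90-day lifecycle transition). Input dicts mirror the
# shapes returned by get-bucket-encryption, get-object-lock-configuration and
# get-bucket-lifecycle-configuration; the sample values are made up.

AWS_MANAGED_S3_KEY = "alias/aws/s3"


def check_default_encryption(enc_cfg):
    """SSE-KMS (or DSSE-KMS) with a customer managed key, not SSE-S3 or aws/s3."""
    problems = []
    for rule in enc_cfg["ServerSideEncryptionConfiguration"]["Rules"]:
        default = rule["ApplyServerSideEncryptionByDefault"]
        if default["SSEAlgorithm"] not in ("aws:kms", "aws:kms:dsse"):
            problems.append(f"default algorithm is {default['SSEAlgorithm']}, not SSE-KMS")
        key = default.get("KMSMasterKeyID", "")
        if not key or key.endswith(AWS_MANAGED_S3_KEY):
            problems.append("default key is not a customer managed KMS key")
    return problems


def check_worm(lock_cfg, lifecycle_cfg, years=7, transition_days=90):
    """Compliance-mode retention for `years` plus an enabled transition at `transition_days`."""
    problems = []
    lock = lock_cfg["ObjectLockConfiguration"]
    if lock.get("ObjectLockEnabled") != "Enabled":
        problems.append("Object Lock not enabled")
    rule = lock.get("Rule", {}).get("DefaultRetention", {})
    if rule.get("Mode") != "COMPLIANCE":
        problems.append(f"retention mode is {rule.get('Mode')}, not COMPLIANCE")
    if rule.get("Years") != years:
        problems.append(f"retention is not {years} years")
    transitions = [t for r in lifecycle_cfg["Rules"] if r["Status"] == "Enabled"
                   for t in r.get("Transitions", [])]
    if not any(t.get("Days") == transition_days for t in transitions):
        problems.append(f"no enabled lifecycle transition at {transition_days} days")
    return problems


# Sample configuration constructed to satisfy both checks (placeholder ARN).
ENC = {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "aws:kms",
    "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
    "BucketKeyEnabled": True}]}}
LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}}
LIFECYCLE = {"Rules": [{"ID": "to-glacier-ir", "Status": "Enabled", "Filter": {},
             "Transitions": [{"Days": 90, "StorageClass": "GLACIER_IR"}]}]}
```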
Topic: Data Protection
A financial services company stores regulated records as Amazon S3 objects. A compliance policy requires server-side encryption at rest, CloudTrail-auditable key usage, and key material controlled by the company in an external key manager outside AWS. Application teams must not design or maintain cryptographic algorithms. The company accepts dependency on the external key manager’s availability. Which encryption approach best meets these requirements?
Options:
A. Use SSE-KMS with an AWS KMS external key store key.
B. Use AWS CloudHSM and custom client-side encryption code.
C. Import key material into an AWS KMS customer managed key.
D. Use SSE-S3 with Amazon S3 managed encryption keys.
Best answer: A
Explanation: AWS KMS external key store is the best fit when AWS services need native KMS-integrated encryption but the organization must retain control of key material in an external key manager. With SSE-KMS, Amazon S3 uses envelope encryption through AWS KMS APIs, and key usage is visible in CloudTrail. The external key store pattern avoids requiring application teams to implement encryption algorithms while satisfying the requirement that key operations depend on the company-controlled external system. The availability tradeoff is also aligned with the stem because the company accepts that dependency. The key distinction is control of key material and cryptographic operations, not building a custom encryption scheme.
Topic: Data Protection
A company runs two Amazon ECS services in private subnets. The checkout service calls the payment service through an internal Application Load Balancer. A compliance review found HTTP is used from checkout to the ALB and from the ALB to the payment tasks. The company must protect the payment payload while it moves between these workload components without public exposure. Which control should be implemented?
Options:
A. Enable SSE-KMS on the payment service storage volumes.
B. Use an HTTPS listener and HTTPS target group on the internal ALB.
C. Restrict the ALB security group to the checkout service.
D. Route the service call through an interface VPC endpoint.
Best answer: B
Explanation: Encryption in transit must be applied to the network path where the sensitive payload travels. For an internal Application Load Balancer, this means using HTTPS for the listener that receives traffic from the calling service and HTTPS for the target group that forwards traffic to the backend tasks. Certificates can be managed with AWS Certificate Manager for the ALB, and the service remains private because the ALB is internal and reachable only inside the VPC. Access controls such as security groups are still useful, but they do not encrypt application payloads.
Topic: Data Protection
A security review finds that several production S3 buckets and DynamoDB tables containing regulated customer data use the same AWS KMS customer managed key. Automatic key rotation is disabled, and the key policy allows kms:* to a shared CI/CD role used by multiple workloads. The company must reduce blast radius, meet an annual rotation requirement, and avoid client-side encryption changes. Which security decision is BEST?
Options:
A. Import key material into the existing key and rotate it manually
B. Switch all resources to AWS managed KMS keys
C. Enable S3 Bucket Keys and keep the existing KMS key policy
D. Create scoped KMS keys, enable rotation, and restrict key policies
Best answer: D
Explanation: The core issue is unmanaged KMS key scope combined with weak authorization and missing rotation. For regulated production data, a single broadly usable key increases blast radius because compromise or misuse of one role can affect multiple workloads and data stores. Using separate customer managed keys by workload, environment, or data sensitivity lets the team apply narrower key policies, grants, monitoring, and rotation settings. Enabling automatic rotation on AWS KMS customer managed keys with AWS-generated key material supports the annual rotation requirement without application-side cryptographic changes. The application can continue using server-side encryption with AWS services while the key policy is tightened to specific administrator and workload roles.
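As an added example, not from the original question set, the review function below reads a KMS key policy document plus its rotation flag and reports the two problems this stem describes (kms:* held by a shared workload role, rotation disabled), next to a tightened statement for one workload. The account id, role names and both policies are constructed placeholders; `kms:ViaService` is the KMS condition key that limits a grantee to calls made through the named services.

```python
import json

# Constructed example: review one KMS key policy plus its rotation flag for the
# problems named in the question (kms:* held by a shared workload role, rotation
# off). Account id, role names and the policy itself are made-up placeholders.

ADMIN_PRINCIPALS = {"arn:aws:iam::111122223333:root",
                    "arn:aws:iam::111122223333:role/kms-key-admin"}

WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Root", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}},
    {"Sid": "Cicd", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/shared-cicd"}},
]})

# Tightened statement for one workload: only the data-key operations S3 and
# DynamoDB need, and only when called through those services in one region.
SCOPED_STATEMENT = {
    "Sid": "OrdersWorkload", "Effect": "Allow", "Resource": "*",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/orders-app"},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
    "Condition": {"StringEquals": {"kms:ViaService": [
        "s3.us-east-1.amazonaws.com", "dynamodb.us-east-1.amazonaws.com"]}},
}
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    json.loads(WEAK_POLICY)["Statement"][0], SCOPED_STATEMENT]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def review_key_policy(policy_json, rotation_enabled, admin_principals=ADMIN_PRINCIPALS):
    """Return findings for the key; an empty list means it passes this review."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if any(a in ("kms:*", "*") for a in _as_list(stmt.get("Action", []))):
            findings.extend(f"{stmt.get('Sid')}: kms:* granted to non-admin {p}"
                            for p in principals if p not in admin_principals)
    if not rotation_enabled:  # value of KeyRotationEnabled from get-key-rotation-status
        findings.append("automatic key rotation disabled")
    return findings
```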
Topic: Data Protection
A healthcare company runs an application in a private subnet in Account A that must call a claims-processing API in Account B. The API handles PHI, must not be publicly reachable, and the application should not receive network access to the rest of Account B’s VPC. The security team also wants to avoid managing cross-VPC route tables for this integration. Which service communication pattern is the best security decision?
Options:
A. Route traffic through a NAT gateway to the API endpoint
B. Create VPC peering between the two VPCs
C. Expose the API through AWS PrivateLink with TLS
D. Publish the API through a public ALB with AWS WAF
Best answer: C
Explanation: AWS PrivateLink is the best fit for private service-to-service communication when the consumer should access only a specific service, not an entire VPC. The provider can publish the API as an endpoint service, typically behind a Network Load Balancer, and the consumer can create an interface VPC endpoint in its private subnet. Using TLS protects PHI in transit, while security groups, endpoint policies where applicable, and service acceptance controls reduce exposure. This pattern avoids public IPs, internet routing, and broad transitive network access. VPC peering can be private, but it creates wider network reachability and route-management overhead than the requirement needs.
Topic: Data Protection
A security audit reviewed an application that stores regulated records in Amazon S3, Amazon EBS, and Amazon RDS. The team wants to keep using native AWS service encryption and must not build custom cryptography.
Audit note:
Current: Data encrypted with AWS managed KMS keys
Finding: Key material must be generated and stored in HSMs
Requirement: HSMs must be controlled by the company in AWS
Which encryption approach best addresses the finding?
Options:
A. Use AWS CloudHSM directly for all S3, EBS, and RDS encryption
B. Continue using AWS managed KMS keys for all resources
C. Use AWS KMS custom key stores backed by AWS CloudHSM
D. Encrypt data in the application with a custom AES implementation
Best answer: C
Explanation: The finding requires a data-at-rest encryption approach that keeps AWS service-native encryption while placing key material in HSMs controlled by the company in AWS. AWS KMS custom key stores backed by AWS CloudHSM meet that pattern for supported AWS services: workloads can still use KMS-integrated encryption, while the key material is generated and protected in a CloudHSM cluster the company controls. This avoids designing or maintaining custom cryptographic code. The key distinction is not merely “customer managed key” versus “AWS managed key”; it is where the key material is generated and protected.
Use the AWS SCS-C03 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.