AWS Certified Cloud Practitioner Practice Questions: Security and Compliance Domain

Correct Answer: A

Explanation: The correct answer is A. Amazon S3 Transfer Acceleration provides secure and fast transfer of files over long distances using Amazon CloudFront's globally distributed edge locations. Enabling S3 Default Encryption with AWS KMS ensures that data is encrypted at rest using customer-managed keys, which is a requirement for many regulatory standards. Option B uses SSE-S3, which is less secure than AWS KMS as it does not allow for customer-managed keys. Option C uses SSE-C, which requires the customer to manage encryption keys, adding complexity and risk. Option D is incorrect because CloudFront does not inherently encrypt data at rest in S3.

Correct Answer: A

Explanation: Option A is correct because AWS Regions are distinct geographical areas that AWS uses to host its infrastructure. By choosing a specific region, you can ensure that your data remains within that geographic location, helping to meet data residency requirements. Option B is incorrect because AWS Availability Zones are isolated locations within a region, providing redundancy and high availability but not controlling geographic location. Option C is incorrect because AWS Edge Locations are part of the AWS Content Delivery Network (CDN) and are used for caching content closer to users, not for data residency. Option D is incorrect because AWS Global Accelerator is used to improve application availability and performance, not to control data location.

Correct Answer: A

Explanation: AWS Key Management Service (KMS) is a managed service that makes it easy to create and control the encryption keys used to encrypt your data. KMS integrates with RDS to allow you to encrypt your databases. Option B, AWS Secrets Manager, is used for managing secrets like database credentials, not encryption keys. Option C, AWS Certificate Manager, is used for managing SSL/TLS certificates, not encryption keys. Option D, Amazon Macie, is a security service that uses machine learning to discover, classify, and protect sensitive data, but it does not manage encryption keys.

Correct Answer: A

Explanation: AWS Config continuously monitors and records AWS resource configurations and can automatically check for compliance against desired configurations, providing remediation actions. Amazon Inspector (B) is used for security assessments, Trusted Advisor (C) offers best practice recommendations, and AWS Shield (D) provides DDoS protection.

Correct Answer: B

Explanation: The correct answer is B. AWS Regions and Availability Zones allow you to choose where your data is stored geographically. By selecting the appropriate AWS Region, you can ensure that your data remains within the specified geographic boundaries required by data sovereignty laws. Option A, AWS Global Accelerator, is used for improving the availability and performance of applications with users globally, but it does not control data storage locations. Option C, AWS Direct Connect, provides dedicated network connections to AWS, but it does not determine data storage locations. Option D, AWS Outposts, extends AWS infrastructure on-premises, but it is not specifically designed for managing data sovereignty across AWS Regions.

Correct Answer: B

Explanation: AWS Key Management Service (KMS) allows you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. By encrypting data, you can help ensure that it remains confidential and secure, which is a critical requirement for GDPR compliance. CloudTrail is for auditing API calls, WAF is for web application firewall protection, and Config is for resource configuration tracking.

Correct Answer: B

Explanation: AWS Key Management Service (KMS) is designed for centralized key management and can be used to encrypt data stored in S3 with customer-managed keys. Secrets Manager (A) is for managing secrets, Certificate Manager (C) handles SSL/TLS certificates, and IAM (D) is for managing user permissions and access.

Correct Answer: D

Explanation: AWS Security Hub is the correct answer as it provides a comprehensive view of your security state in AWS and helps you check your compliance with industry standards and best practices through automated security checks. Option A, AWS Inspector, is primarily used for assessing security vulnerabilities in EC2 instances. Option B, AWS Config, tracks configuration changes but does not provide compliance checks. Option C, AWS Trusted Advisor, offers general best practice recommendations but not detailed compliance assessments.

Correct Answer: B

Explanation: Option B is correct because AWS WAF (Web Application Firewall) helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. Option A is incorrect because AWS Shield is primarily used for DDoS protection. Option C is incorrect because AWS Secrets Manager is used for managing secrets such as database credentials and API keys. Option D is incorrect because AWS CloudWatch is used for monitoring and logging, not for protecting against web exploits.

Correct Answer: A

Explanation: AWS VPN provides secure and encrypted connections between on-premises data centers and AWS. Direct Connect (B) offers a dedicated network connection but does not encrypt data by default. WAF (C) is a web application firewall, and Elastic Load Balancing (D) distributes incoming application traffic but does not handle encryption of data in transit between on-premises and AWS.