AWS Certified Cloud Practitioner Practice Questions: Security and Compliance Domain
Test your AWS Certified Cloud Practitioner knowledge with 10 practice questions from the Security and Compliance domain. Includes detailed explanations and answers.
Test your knowledge in the Security and Compliance domain with these 10 practice questions. Each question is designed to help you prepare for the AWS Certified Cloud Practitioner certification exam with detailed explanations to reinforce your learning.
Question 1
Your company is planning to store sensitive customer data in Amazon S3. To comply with regulatory requirements, you need to ensure that data is encrypted both in transit and at rest. Which combination of AWS services and features should you use to meet this requirement effectively?
Correct Answer: A
Explanation: The correct answer is A. Amazon S3 Transfer Acceleration provides secure and fast transfer of files over long distances using Amazon CloudFront's globally distributed edge locations. Enabling S3 Default Encryption with AWS KMS ensures that data is encrypted at rest using customer-managed keys, which is a requirement for many regulatory standards. Option B uses SSE-S3, which is less secure than AWS KMS as it does not allow for customer-managed keys. Option C uses SSE-C, which requires the customer to manage encryption keys, adding complexity and risk. Option D is incorrect because CloudFront does not inherently encrypt data at rest in S3.
Question 2
Your organization is planning to migrate its on-premises data center to AWS. To ensure compliance with data residency requirements, you must keep all data within a specific geographic location. Which AWS feature allows you to control the physical location of your data?
Correct Answer: A
Explanation: Option A is correct because AWS Regions are distinct geographical areas that AWS uses to host its infrastructure. By choosing a specific region, you can ensure that your data remains within that geographic location, helping to meet data residency requirements. Option B is incorrect because AWS Availability Zones are isolated locations within a region, providing redundancy and high availability but not controlling geographic location. Option C is incorrect because AWS Edge Locations are part of the AWS Content Delivery Network (CDN) and are used for caching content closer to users, not for data residency. Option D is incorrect because AWS Global Accelerator is used to improve application availability and performance, not to control data location.
Question 3
Your company needs to encrypt sensitive data stored in Amazon RDS databases. Which AWS service should you use to manage the encryption keys?
Correct Answer: A
Explanation: AWS Key Management Service (KMS) is a managed service that makes it easy to create and control the encryption keys used to encrypt your data. KMS integrates with RDS to allow you to encrypt your databases. Option B, AWS Secrets Manager, is used for managing secrets like database credentials, not encryption keys. Option C, AWS Certificate Manager, is used for managing SSL/TLS certificates, not encryption keys. Option D, Amazon Macie, is a security service that uses machine learning to discover, classify, and protect sensitive data, but it does not manage encryption keys.
Question 4
A financial services company needs to ensure that their AWS infrastructure complies with industry regulations by maintaining a secure configuration baseline. Which AWS service can provide automated compliance checks and remediation?
Correct Answer: A
Explanation: AWS Config continuously monitors and records AWS resource configurations and can automatically check for compliance against desired configurations, providing remediation actions. Amazon Inspector (B) is used for security assessments, Trusted Advisor (C) offers best practice recommendations, and AWS Shield (D) provides DDoS protection.
Question 5
Your organization is subject to strict data sovereignty laws, requiring that all customer data remain within a specific geographic region. Which AWS service feature ensures that your data is stored in compliance with these laws?
Correct Answer: B
Explanation: The correct answer is B. AWS Regions and Availability Zones allow you to choose where your data is stored geographically. By selecting the appropriate AWS Region, you can ensure that your data remains within the specified geographic boundaries required by data sovereignty laws. Option A, AWS Global Accelerator, is used for improving the availability and performance of applications with users globally, but it does not control data storage locations. Option C, AWS Direct Connect, provides dedicated network connections to AWS, but it does not determine data storage locations. Option D, AWS Outposts, extends AWS infrastructure on-premises, but it is not specifically designed for managing data sovereignty across AWS Regions.
Question 6
Your organization is deploying a new application that requires compliance with the GDPR data protection regulation. Which AWS service can help you manage and encrypt data to meet GDPR requirements?
Correct Answer: B
Explanation: AWS Key Management Service (KMS) allows you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. By encrypting data, you can help ensure that it remains confidential and secure, which is a critical requirement for GDPR compliance. CloudTrail is for auditing API calls, WAF is for web application firewall protection, and Config is for resource configuration tracking.
Question 7
Your organization needs to encrypt sensitive data stored in Amazon S3 and manage the encryption keys centrally. Which AWS service is best suited for this purpose?
Correct Answer: B
Explanation: AWS Key Management Service (KMS) is designed for centralized key management and can be used to encrypt data stored in S3 with customer-managed keys. Secrets Manager (A) is for managing secrets, Certificate Manager (C) handles SSL/TLS certificates, and IAM (D) is for managing user permissions and access.
Question 8
A company needs to ensure that their AWS workloads are compliant with industry standards and best practices. Which AWS service can provide automated security assessments and compliance checks?
Correct Answer: D
Explanation: AWS Security Hub is the correct answer as it provides a comprehensive view of your security state in AWS and helps you check your compliance with industry standards and best practices through automated security checks. Option A, AWS Inspector, is primarily used for assessing security vulnerabilities in EC2 instances. Option B, AWS Config, tracks configuration changes but does not provide compliance checks. Option C, AWS Trusted Advisor, offers general best practice recommendations but not detailed compliance assessments.
Question 9
A company wants to protect its web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. Which AWS service should they implement?
Correct Answer: B
Explanation: Option B is correct because AWS WAF (Web Application Firewall) helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. Option A is incorrect because AWS Shield is primarily used for DDoS protection. Option C is incorrect because AWS Secrets Manager is used for managing secrets such as database credentials and API keys. Option D is incorrect because AWS CloudWatch is used for monitoring and logging, not for protecting against web exploits.
Question 10
Your company wants to ensure that all data transferred between their on-premises data center and AWS is encrypted. Which AWS service can help achieve this requirement?
Correct Answer: A
Explanation: AWS VPN provides secure and encrypted connections between on-premises data centers and AWS. Direct Connect (B) offers a dedicated network connection but does not encrypt data by default. WAF (C) is a web application firewall, and Elastic Load Balancing (D) distributes incoming application traffic but does not handle encryption of data in transit between on-premises and AWS.
About AWS Certified Cloud Practitioner Certification
The AWS Certified Cloud Practitioner certification validates your expertise in security and compliance and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.