Crucial Exams

AWS Certified Data Engineer Associate DEA-C01 Practice Question

A data engineering team loads customer records that include full U.S. Social Security numbers into an encrypted Amazon Redshift cluster. Business analysts must be able to join tables on the first five digits of the SSN but must never see the entire value. The solution must keep queries in Redshift and require minimal ongoing administration. Which approach satisfies these requirements?

  • Enable KMS encryption and create a view that exposes SUBSTRING(ssn,1,5); grant analysts privileges only on the view and revoke access to the base table.

  • Store the records in Amazon S3 encrypted with SSE-S3, catalog them with AWS Glue, query them from Redshift Spectrum, and use AWS Lake Formation to deny access to the SSN column.

  • Create a dynamic data masking policy that returns SUBSTRING(ssn,1,5) for the analyst role and keep the cluster encrypted with an AWS managed KMS key.

  • Have AWS Database Migration Service apply client-side PKCS#11 encryption to the SSN column before loading into Redshift, distributing decryption keys through AWS Secrets Manager.

AWS Certified Data Engineer Associate DEA-C01
Data Security and Governance
Your Score:
Settings & Objectives
Random Mixed
Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.
Rotate by Objective
Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Check or uncheck an objective to set which questions you will receive.

Wipe Score
Bash, the Crucial Exams Chat Bot
AI Bot