Crucial Exams

AWS Certified Data Engineer Associate DEA-C01 Practice Question

A data engineering team uses an AWS Glue ETL job to write daily Parquet files to an Amazon S3 bucket. A new compliance rule mandates that the encryption key protecting these files must rotate automatically every 90 days without exposing plaintext key material or requiring code changes. How should the team meet this requirement?

  • Continue using SSE-KMS with the AWS managed key (aws/s3) since AWS automatically rotates that key.

  • Enable SSE-S3 on the bucket and rotate the IAM access keys used by the Glue job every 90 days.

  • Configure S3 default encryption with SSE-KMS using a customer-managed KMS key and set the key's RotationPeriodInDays to 90; reference the same key in the Glue job.

  • Add client-side encryption to the Glue script with the AWS Encryption SDK, generate a new data key every 90 days, and store it in AWS Secrets Manager.

AWS Certified Data Engineer Associate DEA-C01
Data Security and Governance
Your Score:
Settings & Objectives
Random Mixed
Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.
Rotate by Objective
Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Check or uncheck an objective to set which questions you will receive.

Wipe Score
Bash, the Crucial Exams Chat Bot
AI Bot