AWS Certified Data Engineer Associate DEA-C01 Practice Question
An e-commerce company stores customer PII in an Amazon S3 data lake, transforms it with AWS Glue, and loads the results into Amazon Redshift. Compliance states that data at rest must be encrypted with a customer-managed KMS key and that traffic between Glue, S3, and Redshift must be protected with TLS. The team wants the simplest solution that avoids code changes. Which approach meets these requirements?
Keep the S3 bucket unencrypted, let the Glue job encrypt output files before writing to Redshift, and control traffic with network ACLs instead of TLS.
Turn on SSE-S3 on the bucket, keep the default Glue settings, encrypt Redshift with the AWS-managed key, and rely on VPC endpoints for traffic.
Enable SSE-KMS with a customer CMK on the S3 bucket, create a Glue security configuration that uses the CMK, encrypt the Redshift cluster with the same CMK, and set require_SSL=true.
Use the Amazon S3 Encryption Client for client-side encryption with a customer key, configure Glue to decrypt objects, and enable SSL to an unencrypted Redshift cluster.
Using SSE-KMS with a customer-managed CMK on the S3 bucket fulfills the requirement for company-controlled encryption at rest without altering application code. An AWS Glue security configuration that references the same CMK lets Glue read and write the encrypted objects transparently. Launching the Redshift cluster encrypted with that CMK meets the warehouse's at-rest control, and setting the require_SSL parameter to true forces all JDBC or ODBC connections-including those from Glue-to use TLS, meeting the in-transit control. The other options fail a control: client-side encryption adds code changes and leaves Redshift unencrypted; SSE-S3 and an AWS-managed key don't use a customer-managed key; and relying on network ACLs or VPC endpoints does not guarantee TLS encryption.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is SSE-KMS and how does it differ from SSE-S3?
Open an interactive chat with Bash
What is the role of require_SSL in Redshift?
Open an interactive chat with Bash
How does an AWS Glue security configuration work with a customer-managed CMK?
Open an interactive chat with Bash
AWS Certified Data Engineer Associate DEA-C01
Data Security and Governance
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .