AWS Certified Data Engineer Associate DEA-C01 Practice Question
Your AWS Glue Spark job transforms sensitive PII and writes the results to an S3 data lake. Compliance requires that objects written to S3 and the job's CloudWatch logs use server-side encryption with a customer-managed KMS key, and that the job's bookmark state is encrypted client-side with the same key. Which Glue security configuration settings satisfy these controls?
Enable S3 encryption with SSE-KMS, enable CloudWatch logs encryption with the same CMK, and turn on job bookmark encryption (CSE-KMS).
Enable S3 encryption with SSE-S3, enable CloudWatch logs encryption with SSE-KMS, and leave job bookmark encryption disabled.
Enable S3 and CloudWatch logs encryption with CSE-KMS, and configure job bookmarks with SSE-KMS.
Encrypt the Glue Data Catalog with the CMK and rely on the default SSE-S3 settings for S3, CloudWatch logs, and job bookmarks.
AWS Glue security configurations let you set separate encryption modes for S3 output, CloudWatch logs, and job bookmarks. Server-side encryption with a KMS key (SSE-KMS) meets the requirement for data written to S3 and for CloudWatch logs. Bookmark files are encrypted before they leave the job runtime, so the correct control is to enable bookmark encryption, which uses client-side encryption with KMS keys (CSE-KMS). The other options either leave bookmarks unencrypted, apply SSE-S3 (which does not use the customer key), switch the modes around, or only encrypt the Data Catalog-none of which meet every stated requirement.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the difference between SSE-KMS and CSE-KMS in AWS Glue?
Open an interactive chat with Bash
How do job bookmarks work in AWS Glue, and why is their encryption important?
Open an interactive chat with Bash
Why is SSE-S3 insufficient for meeting the encryption requirements in this scenario?
Open an interactive chat with Bash
What is the difference between SSE-KMS and CSE-KMS?
Open an interactive chat with Bash
Why is SSE-S3 not sufficient for compliance in this case?
Open an interactive chat with Bash
Why must Glue job bookmarks use CSE-KMS instead of SSE-KMS?
Open an interactive chat with Bash
AWS Certified Data Engineer Associate DEA-C01
Data Security and Governance
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .