Study DEA-C01 Encryption, Masking and Cross-Account Protection: key concepts, common traps, and exam decision cues.
Data engineering platforms often move sensitive information across services and accounts. DEA-C01 expects you to protect data in transit and at rest, mask or anonymize sensitive fields when required, and understand how encryption access works across boundaries.
Envelope encryption: Pattern where a data key encrypts the data and a separate key-encryption key protects the data key.
Data masking: Hiding or transforming sensitive fields while preserving some usefulness of the data.
Cross-account protection: Designing encryption and access so data remains protected even when services or consumers sit in different AWS accounts.
AWS wants you to separate:
DEA-C01 often hides the right answer inside generic “security” wording. The real job is to identify whether the stem is about cryptographic protection, value transformation for privacy, or permission design across account boundaries.
| Requirement | Strongest first fit | Why |
|---|---|---|
| manage encryption keys and policies | AWS KMS | KMS is the key-management lane |
| protect data at rest in AWS services | service encryption backed by the right key strategy | DEA-C01 expects the encryption layer to be built into the data path |
| protect data moving between systems | encryption in transit | The risk is on the transport path, not only at rest |
| share protected data across account boundaries safely | cross-account key and permission design | The encryption control must still work across account scope |
| If the stem emphasizes… | Think first | Why this fits |
|---|---|---|
| protecting stored or transmitted data cryptographically | encryption with the right key strategy | The center of gravity is cryptographic protection |
| hiding sensitive values while keeping data useful | masking or anonymization | The requirement is value transformation, not only storage protection |
| deciding who can read the protected data at all | authorization and access control | Access control is not replaced by encryption |
| sharing protected datasets across accounts | cross-account key and permission design | Both key policy and access model still matter |
| If the requirement says… | Strongest first reading |
|---|---|
| hide sensitive fields but still let people analyze the data | masking or anonymization |
| do not reveal raw PII in downstream datasets | field transformation before exposure |
| stop access entirely to the protected dataset | authorization or access control instead of masking alone |
| Question | KMS | Masking / anonymization |
|---|---|---|
| Main job | manage keys and encryption controls | reduce or transform sensitive field exposure |
| Strongest first when | the stem is about protecting data cryptographically | the stem is about obscuring data values for downstream use |
| Common trap | assuming KMS by itself solves every privacy requirement | assuming masking replaces encryption and access control |
flowchart LR
A["Sensitive data requirement"] --> B{"What is the real need?"}
B -->|Protect data at rest or in transit| C["Encryption / KMS strategy"]
B -->|Hide field values for downstream users| D["Masking or anonymization"]
B -->|Control which principals can access data| E["Authorization design"]
C --> F["Cross-account use still needs key and permission design"]
D --> F
E --> F
| Trap | Better reading |
|---|---|
| “The data is encrypted, so any account can use it safely.” | Cross-account use still depends on the right key and permission model. |
| “Masking and encryption are the same thing.” | Encryption protects storage or transport; masking changes the exposed values. |
| “KMS is enough even when fields should be hidden from analysts.” | If the requirement is value obfuscation, masking or anonymization is still needed. |
| “Once transit encryption exists, storage encryption no longer matters.” | DEA-C01 expects both in-transit and at-rest protection thinking. |
When security answers all sound reasonable, use this order:
A company shares analytical datasets across accounts. The data must remain encrypted, and some downstream consumers should only see obfuscated sensitive fields. Which reading is strongest first?
Correct answer: A. DEA-C01 expects you to stack controls: key management and encryption for the protection layer, plus masking or anonymization when the data itself should appear transformed to downstream users.