Practice DBS-C01 Database Security questions with full explanations on every answer.
Start practicing
Database Security — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A company runs an Amazon RDS for MySQL DB instance in a VPC. Security requirements mandate that only specific EC2 instances in the same VPC can connect to the database. The security group attached to the RDS instance currently allows inbound traffic on port 3306 from 0.0.0.0/0. Which combination of steps should a database specialist take to meet the security requirement without impacting existing application connectivity? (Choose two.)
2A company uses Amazon DynamoDB with a table that stores sensitive customer data. The security team requires that all data at rest be encrypted using a customer-managed AWS KMS key (CMK). Additionally, the company needs to ensure that only specific IAM roles can access the table. Which solution meets these requirements with the least operational overhead?
3A database specialist is troubleshooting a connectivity issue with an Amazon RDS for PostgreSQL instance. The instance is in a VPC with a public subnet. The security group allows inbound traffic on port 5432 from the application server's IP address. The application server is in the same VPC but in a private subnet. Despite the security group configuration, the application cannot connect. Which action should the specialist take to resolve the issue?
4A company stores financial data in an Amazon Aurora MySQL DB cluster. The security team requires that database audit logs be stored in Amazon CloudWatch Logs and encrypted at rest using a customer-managed KMS key. The database specialist enables audit log publishing to CloudWatch Logs and specifies a KMS key for log encryption. However, the audit logs are not appearing in CloudWatch Logs. What is the most likely cause?
5A company uses Amazon ElastiCache for Redis to cache session data. The security team requires that all data in transit be encrypted. The Redis cluster currently does not have encryption in transit enabled. The database specialist needs to enable encryption in transit with minimal downtime. Which action should the specialist take?
6A company uses Amazon RDS for SQL Server with Multi-AZ deployment. The security team wants to ensure that all database connections use SSL/TLS encryption. Which TWO actions should the database specialist take to enforce SSL connections? (Choose two.)
7A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all data be encrypted at rest using a customer-managed KMS key. Additionally, the database should be accessible only from a specific VPC. Which THREE steps should the database specialist take to meet these requirements? (Choose three.)
8A company uses Amazon RDS for MySQL with encryption at rest enabled. The security team mandates that all access to the database must be authenticated using IAM database authentication. The database administrator has created a user 'app_user' and granted appropriate privileges. However, when the application tries to connect using an IAM authentication token, it receives an 'Access denied' error. Which action should be taken to resolve this issue?
9A company is designing a multi-tier application that uses Amazon RDS for PostgreSQL. The application must encrypt data at rest and in transit. Which combination of steps should be taken to meet these requirements? (Choose the single best answer.)
10A financial services company uses Amazon DynamoDB to store sensitive customer data. The security team requires that all data at rest be encrypted using a customer-managed AWS KMS key (CMK) with automatic rotation enabled. The DynamoDB table was created with the default AWS-managed key. Which steps are necessary to transition to a customer-managed CMK while minimizing downtime and data loss?
11A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The compliance team requires that all database connections use SSL/TLS and that users authenticate using IAM database authentication. The database migration is completed, but the application team reports that connections using IAM authentication are failing. The company has already enabled IAM database authentication on the RDS instance. What is the most likely cause of the failure?
12A company is using Amazon RDS for MySQL with Multi-AZ deployment. The security team wants to ensure that database administrators cannot view sensitive data. Which TWO actions should be taken to achieve this goal?
13A company is designing a disaster recovery strategy for an Amazon Aurora MySQL database. The database stores sensitive data that must be encrypted at rest. The primary region is us-east-1, and the secondary region is us-west-2. Which THREE steps are required to set up cross-region replication with encryption at rest?
14A security engineer is troubleshooting an issue where an application using IAM role 'app-role' with a trust policy to assume the 'app-user' user is unable to decrypt an RDS database that uses a customer-managed KMS key. The above key policy is attached to the KMS key. What is the likely cause of the failure?
15A company has a production Amazon RDS for SQL Server database that stores financial data. The database administrator wants to audit all access to sensitive columns (e.g., credit card numbers) using the SQL Server Audit feature. The database is part of a Multi-AZ deployment. The administrator has enabled audit logging to the 'DEFAULT' file audit target, but the audit files are being written to the local instance storage and are not being retained after failover. The compliance team requires that audit logs be stored in Amazon S3 for at least 7 years. The administrator has set up an event subscription to send database events to an S3 bucket using AWS DMS, but the audit logs are not being captured. What should the administrator do to meet the compliance requirements?
16A financial services company runs a critical application on Amazon RDS for PostgreSQL with Multi-AZ and automated backups enabled. The database stores sensitive customer data, and the security team recently audited the environment and found that the database master user password is stored in plain text in a configuration file on the application server. Additionally, the security team noted that the database security group allows inbound traffic from 0.0.0.0/0 on port 5432. The company needs to remediate these issues immediately without downtime and must ensure that access to the database is restricted to only the application servers, and that password management follows AWS best practices. The application connects to the database using the master user credentials. What should the database specialist do to meet these requirements?
17A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all connections to the database be encrypted in transit. Which TWO steps should be taken to enforce this requirement?
18Refer to the exhibit. A security engineer has applied this key policy to a customer managed KMS key used to encrypt a Secrets Manager secret containing database credentials. An application running on an Amazon EC2 instance in the same account and region is unable to decrypt the secret. What is the MOST likely cause?
19A company runs an e-commerce application on AWS using an Aurora MySQL database cluster. The security team mandates that all database audit logs must be stored in Amazon S3 for at least one year for compliance. The database is currently configured to publish audit logs to Amazon CloudWatch Logs. The security team wants to use AWS Database Migration Service (DMS) to migrate the database to a new Aurora MySQL cluster, and during the migration, the audit logs must continue to be captured uninterrupted. Which solution meets these requirements with the LEAST operational overhead?
20Arrange the steps to troubleshoot a connection timeout issue from an EC2 instance to an Amazon RDS for SQL Server DB instance in the correct order.
21Arrange the steps to restore an Amazon RDS for MySQL DB instance to a new instance from a manual snapshot in the correct order.
22Match each DynamoDB concept to its definition.
23Match each AWS database migration tool/service to its function.
24A company is using an RDS for MySQL DB instance encrypted at rest with AWS KMS. The security team requires that all access to the database be logged, including queries that fail due to authentication errors. Which configuration meets this requirement?
25A developer needs to allow an application running on an EC2 instance to read and write data to a DynamoDB table named 'Orders'. The EC2 instance is configured with an IAM role. Which IAM policy should be attached to the role?
26A company's security team wants to encrypt data at rest for an existing RDS for PostgreSQL DB instance. The instance is currently unencrypted. Which steps should the team take to enable encryption with minimal downtime?
27A company uses Amazon Redshift for data warehousing. The security team requires that all data loaded into the cluster be encrypted at rest using a customer-managed KMS key. The cluster is currently unencrypted. What is the most efficient way to achieve this requirement with minimal data loss?
28A company has an RDS for SQL Server DB instance that stores sensitive data. The database administrator needs to ensure that all connections to the database use SSL/TLS encryption. What should the administrator do?
29A company uses Amazon DynamoDB with AWS KMS customer managed keys for encryption at rest. The security team wants to audit who is using the KMS key to encrypt and decrypt data. Which AWS service should be used?
30A company has a multi-AZ RDS for PostgreSQL DB instance. The security team wants to ensure that database audit logs are stored in CloudWatch Logs for real-time monitoring. The team enabled the 'pgaudit.log' parameter and set 'log_destination' to 'csvlog'. However, logs are not appearing in CloudWatch. What is the most likely cause?
31A developer is writing an AWS Lambda function that needs to access a Secrets Manager secret to retrieve database credentials. The Lambda function has an IAM role. Which action must be allowed in the IAM policy?
32A company is using Amazon Aurora MySQL-Compatible Edition. The database administrator wants to restrict a specific user to only execute SELECT statements on a specific database. Which SQL command should the administrator use?
33Which TWO actions should be taken to protect sensitive data in an Amazon RDS for Oracle DB instance? (Choose two.)
34Which THREE methods can be used to authenticate users to an Amazon RDS for MySQL DB instance? (Choose three.)
35Which TWO AWS services can be used to centrally manage database credentials securely? (Choose two.)
36A database administrator runs the AWS CLI command shown in the exhibit. The administrator wants to enable encryption at rest for the RDS instance. What should the administrator do?
37A security engineer creates the IAM policy shown in the exhibit and attaches it to an IAM user. What is the effect of this policy?
38A developer runs the AWS CLI command shown in the exhibit. What is the output indicating?
39A company is using Amazon RDS for MySQL with encryption at rest enabled. The security team requires that all access to the database be authenticated using IAM database authentication. Which combination of steps must the company take to meet this requirement?
40A financial services company runs a critical application on Amazon RDS for PostgreSQL. They must ensure that database activity logs are sent to Amazon CloudWatch Logs for real-time monitoring. The logs must include all SQL queries, including SELECT statements. Which configuration will meet these requirements?
41A company wants to encrypt data at rest for an existing Amazon RDS for Oracle DB instance. The database is currently unencrypted. What is the simplest way to enable encryption with minimal downtime?
42A company is using Amazon Aurora MySQL-Compatible Edition. The security team wants to ensure that database credentials are not stored in application configuration files. They decide to use AWS Secrets Manager to manage credentials. The application is hosted on Amazon EC2 instances that have an IAM role attached. What is the most secure way to grant the application access to the secret?
43A company is using Amazon DynamoDB to store sensitive customer data. They need to ensure that all data is encrypted at rest using a customer-managed AWS KMS key. The company also wants to rotate the KMS key every year. What is the simplest way to achieve key rotation?
44A company uses Amazon RDS for SQL Server with Multi-AZ deployment. The security team has mandated that all connections to the database must use SSL/TLS. The database is accessed by multiple applications running on EC2 instances. Which configuration ensures that all connections use SSL/TLS?
45A company is using Amazon Redshift for data warehousing. They need to ensure that data is encrypted at rest using a customer-managed AWS KMS key. The cluster is currently unencrypted. What is the simplest way to enable encryption?
46A company is using Amazon RDS for MySQL. They want to audit all database logins and failed login attempts. Which option should they enable?
47A company uses Amazon DynamoDB with a global secondary index (GSI) on a table that contains sensitive data. The security team requires that the GSI be encrypted with a different AWS KMS key than the base table. Can this be achieved, and if so, how?
48A company is deploying a new application on Amazon RDS for PostgreSQL. The security policy requires that all data be encrypted at rest and in transit. Which TWO actions should the company take to meet these requirements?
49A company uses Amazon Aurora MySQL-Compatible Edition. The security team wants to implement database activity streams to monitor database activity. Which THREE statements are true about Aurora database activity streams?
50A company is using Amazon DynamoDB and wants to restrict access to a specific table so that only users in a particular IAM group can perform read and write operations. Which THREE steps should be taken to achieve this?
51A company is migrating its on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all data at rest be encrypted using a customer-managed key stored in AWS KMS, and that the key be rotated automatically every year. The company also needs to ensure that only specific IAM roles can access the key. Which combination of steps should the database administrator take to meet these requirements?
52A company has an Amazon RDS for MySQL Multi-AZ DB instance that stores sensitive financial data. The security team has enabled encryption at rest using a KMS key. They also need to ensure that database audit logs are encrypted and stored in an S3 bucket. The logs must be accessible only by the security team via a VPC endpoint. The log data must be retained for 7 years. Which solution meets these requirements with the LEAST operational overhead?
53A company is using Amazon RDS for PostgreSQL. The security team wants to ensure that all connections to the database are encrypted in transit. Currently, applications connect using the PostgreSQL native encryption (SSL/TLS). What is the MOST secure way to enforce encrypted connections?
54A company is using Amazon DynamoDB to store customer session data. The security team requires that all data is encrypted at rest using a customer-managed KMS key, and that access to the key is restricted to specific IAM roles. The company also wants to ensure that DynamoDB Accelerator (DAX) cluster is encrypted. Which steps should be taken to meet these requirements?
55A company has an Amazon RDS for SQL Server Multi-AZ DB instance with a standby replica in a different AWS Region. The database is encrypted with a KMS key. The company needs to implement automated backups that are also encrypted and stored in a cross-region S3 bucket. The backups must be retained for 3 years. Which solution meets these requirements with the LEAST administrative effort?
56A company is using Amazon Redshift for data warehousing. The security team requires that all data is encrypted at rest using a hardware security module (HSM). Additionally, the team wants to ensure that only specific IAM roles can access the database. Which configuration will meet these requirements?
57A company is using Amazon Aurora MySQL-Compatible Edition. The security team wants to audit all database login attempts and store the logs in Amazon S3 for 90 days. Which solution meets these requirements with the LEAST operational overhead?
58A company has an Amazon DynamoDB table with global secondary indexes (GSIs) that store personally identifiable information (PII). The security team requires that all PII is encrypted at rest using a customer-managed KMS key. The table already exists and is encrypted with the default AWS managed key. What is the MOST efficient way to change the encryption to a customer-managed key?
59A company is using Amazon RDS for PostgreSQL and needs to implement column-level encryption for sensitive data. The application must be able to encrypt and decrypt data transparently. Which approach should be taken?
60A company is using Amazon RDS for MySQL and needs to comply with PCI DSS requirements. Which TWO actions should the company take to secure the database? (Choose TWO.)
61A company is designing a security architecture for Amazon DynamoDB. They need to ensure that only authorized applications can access the data, and that data in transit is encrypted. Which THREE steps should be taken? (Choose THREE.)
62A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all database connections use SSL and that the database is encrypted at rest. Which THREE steps are required to meet these requirements? (Choose THREE.)
63An IAM policy is attached to a role used by an RDS instance. The RDS instance is in VPC with a VPC endpoint to KMS. What is the effect of this policy?
64The security team reports that the database 'mydb' is not encrypted. However, the CLI output shows 'StorageEncrypted' is true. What is the MOST likely reason for the security team's concern?
65An IAM policy is attached to an IAM user. The user wants to connect to an RDS MySQL database using IAM database authentication. What does this policy allow?
66A company is migrating its on-premises Oracle database to Amazon RDS for Oracle. As part of the migration, they need to ensure that all sensitive data is encrypted at rest using AWS Key Management Service (AWS KMS). Which configuration step is required to achieve this?
67A company uses Amazon DynamoDB with AWS KMS-managed encryption at rest. The security team requires that all access to a particular DynamoDB table be logged for audit purposes. Which solution meets this requirement?
68A company is using Amazon RDS for MySQL and needs to restrict access to the database to only specific Amazon EC2 instances in the same VPC. Which security mechanism should be used?
69A company has an Amazon Redshift cluster that stores sensitive financial data. The security team requires that all data be encrypted at rest and that the encryption keys be rotated annually. Which solution meets these requirements?
70A company uses Amazon Aurora MySQL-Compatible Edition and needs to audit all SQL statements executed by database users. Which feature should be enabled?
71A company is using Amazon DynamoDB and wants to ensure that only authorized users can access a specific table. Which AWS service should be used to manage access control?
72A company is using Amazon RDS for PostgreSQL with automated backups. The security team requires that backups be encrypted at rest. The DB instance is currently unencrypted. What is the most efficient way to enable encryption for future backups?
73A company uses Amazon ElastiCache for Redis and needs to encrypt data in transit between the application and the cache cluster. Which feature should be enabled?
74A company is using Amazon DynamoDB and wants to ensure that all data is automatically encrypted at rest. What is the default encryption status for a new DynamoDB table?
75A company is designing a security strategy for Amazon RDS for SQL Server. Which TWO actions should be taken to encrypt data at rest? (Choose TWO.)
76A company is using Amazon Redshift and needs to comply with regulatory requirements that mandate encryption of all data at rest and control of the encryption keys. Which THREE steps should be taken? (Choose THREE.)
77A company uses Amazon DynamoDB and wants to audit access to a table. Which TWO services can be used together to log and monitor data plane operations? (Choose TWO.)
78A company is running an Amazon RDS for MySQL DB instance in a VPC. The security team requires that all connections to the database use SSL/TLS. The DBA has enabled 'require_secure_transport' parameter in the DB parameter group. However, after applying the change and rebooting, some applications that were previously connecting successfully are now failing. What is the most likely cause?
79A financial services company is using Amazon DynamoDB to store customer transaction data. The compliance team requires that all data be encrypted at rest using a customer-managed AWS KMS key, and that access to the key be auditable via AWS CloudTrail. Additionally, the security team wants to ensure that DynamoDB can only be accessed from within the VPC using a VPC endpoint. Which combination of steps should the company take to meet these requirements?
80A developer needs to securely store database credentials for an application that runs on Amazon EC2 and connects to an Amazon RDS for PostgreSQL database. The credentials must be automatically rotated every 90 days. Which AWS service should the developer use to meet these requirements?
81A company has an Amazon RDS for Oracle DB instance that stores sensitive data. The security team wants to audit all SQL queries that read or modify specific columns containing personally identifiable information (PII). The audit logs must be stored for 5 years. Which solution should the database specialist implement?
82A company is using Amazon Redshift for data warehousing. The security team requires that all data be encrypted at rest using a customer-managed AWS KMS key. Additionally, the team wants to ensure that the key must be used only for this specific Redshift cluster. Which configuration should be applied?
83A company is migrating its on-premises Oracle database to Amazon RDS for Oracle. The database contains sensitive data that must be encrypted at rest and in transit. The security team also requires that the encryption keys be rotated every year. The DBA has enabled encryption at rest using a customer-managed KMS key and SSL/TLS for in-transit encryption. What additional step is needed to meet the key rotation requirement?
84A company is using Amazon DynamoDB to store user session data. The security team requires that all access to the table be authenticated and authorized using AWS IAM. Which mechanism should the developer use to achieve this?
85A company is using Amazon RDS for SQL Server with Multi-AZ deployment. The security team requires that all database activity be monitored for suspicious queries. The database specialist enabled RDS Database Activity Streams and configured AWS Lambda to process the stream. However, the Lambda function fails to process some events when the database fails over to the standby instance. What is the most likely cause?
86A company is using Amazon Aurora MySQL-Compatible Edition. The security team wants to restrict access to the database so that only specific applications running on Amazon EC2 instances can connect. The EC2 instances are in the same VPC as the Aurora cluster. Which combination of steps should be taken to enforce this restriction?
87A company is using Amazon DynamoDB with encryption at rest using a customer-managed KMS key. The security team wants to audit every use of this KMS key. Which TWO steps should be taken to meet this requirement?
88A company is migrating an on-premises MongoDB database to Amazon DocumentDB (with MongoDB compatibility). The security team requires that data be encrypted at rest and in transit. Additionally, the team wants to use IAM roles to authenticate applications. Which THREE steps should the database specialist take to meet these requirements?
89A company is using Amazon RDS for MySQL to host a web application. The security team has identified that the application is vulnerable to SQL injection attacks. The team wants to implement a defense-in-depth strategy to protect the database. Which THREE measures should be taken to mitigate SQL injection risks?
90A company has an Amazon RDS for MySQL DB instance that stores sensitive customer data. The security team requires that all data at rest be encrypted using a customer-managed AWS KMS key. The DB instance was originally launched without encryption. Which combination of steps will meet the requirement with the least downtime?
91A company uses Amazon DynamoDB to store user session data. The security team requires that all data be encrypted at rest using a customer-managed AWS KMS key. The DynamoDB table is already configured with AWS managed KMS encryption. How can the company meet the encryption requirement without recreating the table?
92A database administrator needs to audit all SQL statements executed on an Amazon RDS for PostgreSQL DB instance. Which service should be used to capture and log the SQL statements?
93A company has a requirement to automatically rotate the password for an Amazon RDS for MySQL DB instance every 90 days. The password is stored in AWS Secrets Manager. Which combination of steps will meet this requirement?
94A company is using Amazon DynamoDB with a global table that replicates data across two AWS Regions. The security team requires that all data be encrypted at rest with a customer-managed AWS KMS key. How should the company configure the KMS keys to meet this requirement?
95A company has an Amazon Redshift cluster that contains sensitive data. The security team requires that data be encrypted at rest using a customer-managed AWS KMS key. The cluster was initially launched without encryption. How can the company enable encryption with minimal downtime?
96A company wants to ensure that only specific IAM users can perform certain operations on an Amazon RDS DB instance, such as creating snapshots or modifying the instance. Which AWS feature should be used to define these permissions?
97A company is using Amazon Aurora MySQL-Compatible Edition. The security team requires that all connections to the database use SSL/TLS. The application currently connects using a standard JDBC connection string without SSL. What changes are needed to enforce SSL connections?
98A company stores sensitive data in an Amazon S3 bucket that is accessed by an Amazon Redshift cluster. The security team requires that the data in transit between Redshift and S3 be encrypted. Which configuration ensures this?
99Which TWO of the following are valid methods to control network access to an Amazon RDS DB instance? (Select TWO.)
100Which THREE of the following are best practices for securing an Amazon DynamoDB table? (Select THREE.)
101Which TWO of the following are methods to encrypt data at rest for an Amazon RDS for Oracle DB instance? (Select TWO.)
102An IAM policy is attached to a role used by an application to access an Amazon RDS for MySQL DB instance. The DB instance is encrypted with a customer-managed KMS key. The application is unable to create a snapshot of the encrypted DB instance. Which missing permission is the most likely cause?
103A database administrator is troubleshooting connectivity to an Amazon RDS for MySQL DB instance. The application is running on an EC2 instance in the same VPC and security group. The application can connect using the endpoint shown in the exhibit. However, the security team requires that all connections be encrypted using SSL. The DBA has enabled SSL on the DB instance and modified the parameter group to set require_secure_transport to ON. The application is now failing to connect. What is the most likely cause?
104A security auditor reviews the output of a DynamoDB table description command as shown in the exhibit. Which statement accurately describes the encryption configuration of the Users table?
105A company is running an Amazon RDS for MySQL DB instance in a VPC. The security team requires that all connections to the database use SSL/TLS. Which combination of steps should be taken to enforce this? (Choose two.)
106A financial services company stores sensitive data in an Amazon DynamoDB table. The security team requires that all data at rest be encrypted with a customer-managed key that is rotated automatically every 12 months. The company also needs to audit key usage. Which solution meets these requirements?
107A company uses Amazon Redshift for its data warehouse. The security team wants to encrypt the data at rest and ensure that only authorized users can access the encryption keys. Which AWS service should be used to manage the encryption keys?
108A company has an Amazon RDS for Oracle DB instance that stores Personally Identifiable Information (PII). The security team requires that the data be transparently encrypted at rest using a key stored in AWS CloudHSM. What should the database administrator do to meet this requirement?
109A company uses Amazon DynamoDB with fine-grained access control based on user identity. The IAM policy for a user includes a condition that restricts access to items where the 'department' attribute equals 'engineering'. However, the user is receiving an 'AccessDeniedException' when trying to query items. What is the most likely cause?
110A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database contains sensitive data that must be encrypted at rest. Which action should the company take to enable encryption on the RDS instance?
111A company uses Amazon RDS for PostgreSQL to store customer data. The security team wants to audit all SQL queries executed against the database, including SELECT statements. Which TWO actions should be taken to achieve this?
112A company is designing a disaster recovery strategy for an Amazon RDS for SQL Server DB instance that contains sensitive financial data. The database must be encrypted at rest using a customer-managed AWS KMS key. The recovery point objective (RPO) is 5 minutes, and the recovery time objective (RTO) is 1 hour. Which THREE steps should be taken to meet these requirements?
113A company is setting up an Amazon Aurora MySQL-compatible database. The security policy requires that all traffic between the application and database be encrypted in transit. Which TWO steps should be taken?
114Refer to the exhibit. A company has attached this IAM policy to an IAM role used by an application running on Amazon EC2. The application needs to decrypt data in an S3 bucket that is encrypted with the specified KMS key. However, the application is receiving access denied errors. What is the most likely cause?
115Refer to the exhibit. A database administrator is reviewing the output of 'SHOW FULL PROCESSLIST' on an Amazon RDS for MySQL DB instance. The company's security policy requires that all database users access only the minimum necessary data. Which user's activity should be investigated further?
116Refer to the exhibit. A database administrator has this IAM policy attached to their user. They are trying to authorize ingress to a DB security group named 'my-security-group' in the us-east-1 region. The operation fails. What is the most likely reason?
117A company is using Amazon RDS for MySQL and wants to restrict access to the database based on the source IP address. Which AWS feature should be used to achieve this?
118A company is deploying an Amazon DynamoDB table with server-side encryption using a customer-managed AWS KMS key. The security team requires that the key be automatically rotated every year and that access to the key be logged. Which THREE steps should be taken?
119A company has an Amazon Redshift cluster that contains sensitive data. The security team wants to ensure that all data is encrypted at rest and that the encryption keys are managed by AWS. Which configuration should be used?
120A company has an Amazon RDS for MySQL database that contains sensitive data. The security team requires that all data be encrypted at rest using a customer-managed key stored in AWS KMS. Which action should be taken to meet this requirement?
121A development team is building a serverless application that uses Amazon DynamoDB. The team needs to ensure that only the application's Lambda function can read and write data to a specific DynamoDB table. The Lambda function uses an IAM role. How should the team configure access?
122A company uses an Amazon RDS for PostgreSQL database with Multi-AZ deployment. The security team wants to audit all SQL queries executed against the database for compliance purposes. Which solution should be implemented to capture and store the queries?
123A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all connections to the database use SSL/TLS encryption. Which step is necessary to enforce SSL connections?
124A security engineer is investigating an Amazon RDS for MySQL database that was compromised. The engineer finds that the compromise was due to a SQL injection vulnerability in a web application. The web application uses a database user with full administrative privileges. What is the BEST practice to prevent such incidents in the future?
125A company uses Amazon DynamoDB for its critical application. The security team requires that all access to DynamoDB tables be logged and monitored for suspicious activity. The company also needs to be alerted when a user deletes a table. Which combination of AWS services should be used?
126A company stores sensitive customer data in an Amazon S3 bucket. The data is accessed by an Amazon Redshift cluster using the COPY command. The security team wants to ensure that data is encrypted in transit between S3 and Redshift. Which configuration should be used?
127A company is using an Amazon RDS for MySQL database and needs to audit all database login events. The audit logs must be stored in Amazon S3 for long-term retention. Which steps should be taken to accomplish this?
128A company's security policy requires that all database passwords be rotated every 90 days. The company uses AWS Secrets Manager to store database credentials for Amazon RDS. Which feature can be used to automate password rotation?
129A security administrator is setting up a new Amazon RDS for SQL Server database. The company requires that all data be encrypted at rest and in transit. Additionally, the database must be accessible only from a specific CIDR range. Which TWO actions should the administrator take? (Choose TWO.)
130A company uses Amazon DynamoDB to store session data for a web application. The security team discovers that an IAM user has been performing unauthorized scans on the table. They need to implement controls to detect and prevent such unauthorized access in the future. Which THREE actions should the security team take? (Choose THREE.)
131A company is deploying a new Amazon RDS for MySQL database in a VPC. The database must be accessible only from an application server running in the same VPC. The security team also wants to ensure that the database is not accessible from the internet. Which TWO configurations are required? (Choose TWO.)
132A company is using an Amazon RDS for PostgreSQL database to store sensitive customer data. The security team requires that all data be encrypted at rest and in transit, and that access to the database is restricted to only specific applications. Currently, the database is encrypted at rest using AWS KMS, and connections are made over SSL. However, the security team wants to ensure that even if the database credentials are compromised, an attacker cannot access the database from unauthorized IP addresses. What should be done to meet this requirement?
133A company is using Amazon DynamoDB to store financial transactions. The security team requires that all access to the table be logged for auditing, and that any unauthorized access attempts trigger an immediate alert. The company has enabled AWS CloudTrail to log all DynamoDB API calls. However, the security team is concerned that CloudTrail logs may not capture all access patterns, such as queries that return no results. Which additional step should the company take to ensure comprehensive auditing and alerting?
134A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database contains personally identifiable information (PII). The security team requires that the data be encrypted at rest using a customer-managed key stored in AWS KMS. Additionally, the team wants to ensure that the key can be rotated automatically every year. What should the company do to meet these requirements?
135A company uses Amazon Redshift for data warehousing. The security team has implemented column-level security using Redshift's column-level access controls. However, during a security audit, it is discovered that a user with SELECT privilege on a table can still see the content of a column that should be restricted. The column is defined with a GRANT statement that only allows SELECT on certain columns to specific users. What is the most likely cause of this issue?
136A company has an Amazon S3 bucket that stores database backup files. The backups are encrypted using server-side encryption with AWS KMS (SSE-KMS). The security team wants to ensure that only a specific IAM role can decrypt the backups when restoring the database. Which policy should be attached to the KMS key to achieve this?
137A company is using Amazon RDS for MySQL to power a web application. The database contains sensitive data, and the security team requires that all connections to the database use SSL/TLS. The team has enabled 'require_secure_transport' parameter in the DB parameter group. However, a developer reports that they are able to connect to the database using a MySQL client without specifying SSL options. What could be the reason?
138A company is using Amazon DynamoDB with fine-grained access control using IAM policies. The security team wants to ensure that a specific IAM role can only read items from a table where the 'status' attribute equals 'active'. The table is named 'Orders'. Which IAM policy statement should be used?
139A company is using Amazon RDS for SQL Server with Multi-AZ deployment. The security team wants to ensure that database audit logs are stored in a secure S3 bucket for long-term retention. The audit logs are currently stored on the RDS instance. Which approach should be used to export the audit logs to S3?
140A company is using Amazon DynamoDB with a global table. The security team requires that all data be encrypted at rest using a customer-managed KMS key. The table was originally created with AWS managed key encryption. The company wants to switch to a customer-managed key without downtime. What should they do?
141A company is using Amazon RDS for PostgreSQL and wants to implement encryption in transit for all client connections. The security team has identified that some connections are not using SSL. Which TWO actions should the company take to enforce SSL for all connections?
142A company is using Amazon Redshift for analytics. The security team wants to audit all SQL queries executed against the database, including the actual query text, for compliance. They also want to ensure that the audit logs are stored in a secure, immutable location. Which THREE services or features should they use together to meet these requirements?
143A company is using Amazon RDS for MySQL and wants to implement database activity monitoring to detect suspicious queries. Which TWO AWS services can be used together to achieve this?
144A company has an Amazon DynamoDB table that stores user sessions. The security team wants to ensure that only authorized applications can read and write to the table, and that all access is logged. Which THREE steps should the company take to meet these requirements?
145A company runs an e-commerce platform on AWS. The application uses an Amazon RDS for MySQL Multi-AZ database instance. The security team recently conducted an audit and found that the database is accessible from the internet because the public accessibility setting is enabled. The security team has disabled public accessibility and updated the security group to allow inbound traffic only from the application's security group. However, after these changes, the application can no longer connect to the database. The application is running on EC2 instances in the same VPC. The RDS instance is also in the same VPC. The security group for the RDS instance allows inbound MySQL traffic (port 3306) from the application's security group. The application's security group allows all outbound traffic. The application's EC2 instances have a public IP address and are in a public subnet. The RDS instance is in a private subnet. The VPC has an internet gateway attached. What is the most likely cause of the connection failure?
146A company is using Amazon DocumentDB (with MongoDB compatibility) for a content management system. The security team requires that all data be encrypted at rest and in transit. The DocumentDB cluster is already encrypted at rest using AWS KMS. To enforce encryption in transit, the security team wants to ensure that all client connections use TLS. The team has enabled the 'tls' parameter in the cluster parameter group. However, a developer reports that they can still connect to the cluster without specifying TLS options using the mongo shell. The developer is connecting from an EC2 instance in the same VPC. The security group for the DocumentDB cluster allows inbound traffic on port 27017 from the EC2 instance's security group. What is the most likely reason the developer can connect without TLS?
147A company is using an Amazon RDS for MySQL DB instance. The security team requires that all database connections be encrypted in transit. Which configuration step ensures this requirement is met?
148A company uses Amazon DynamoDB to store sensitive user data. The security team wants to ensure that all data is encrypted at rest using a customer-managed AWS KMS key. The DynamoDB table was created with the default AWS managed key. What is the required action to change the encryption key?
149A developer is configuring an Amazon RDS for PostgreSQL DB instance. The application connects using IAM database authentication. Which setting must be enabled on the DB instance for IAM authentication to work?
150A company is using Amazon Redshift for data warehousing. The security team requires column-level access control so that certain users cannot view specific columns containing PII. Which approach should the data engineer implement?
151A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all data be encrypted at rest using a key stored in AWS CloudHSM. What must be done to meet this requirement?
152A security engineer is designing access controls for an Amazon DynamoDB table containing customer data. Which TWO actions enforce least privilege access?
153A company uses Amazon RDS for MySQL with Multi-AZ deployment. The security team wants to audit all database logins and queries. Which TWO actions should be taken to enable auditing?
154A company is using Amazon Redshift and needs to encrypt data at rest with a customer-managed key. Which THREE steps are required to enable encryption with a customer-managed AWS KMS key?
155A database administrator is troubleshooting why Amazon RDS Enhanced Monitoring is not displaying metrics for a DB instance. The IAM role attached to the instance has the policy shown in the exhibit. What is the likely cause?
156A security auditor notices that the DynamoDB table 'UserData' is encrypted with a KMS key (exhibit). The company policy requires that all DynamoDB tables use an AWS managed key for encryption. What must be done to comply with the policy?
157A developer is checking the encryption status of an RDS MySQL instance. The CLI output shows StorageEncrypted is true. What does this indicate?
158A financial services company runs a critical application on Amazon RDS for PostgreSQL. The database stores sensitive customer financial data. The security team has mandated that all access to the database must be through IAM database authentication to eliminate the need for passwords. The application currently uses a master user password stored in AWS Secrets Manager. The DBA needs to implement IAM authentication without downtime. The application is deployed on Amazon ECS and connects to the database using a connection string. The DBA has already created an IAM role for the ECS task with a policy that allows rds-db:connect. The DBA has also modified the DB instance to require SSL. However, after making these changes, the application cannot connect. The error message indicates 'IAM authentication is not enabled for this user'. What step did the DBA miss?
159A retail company uses Amazon DynamoDB to store product catalog data. The security team wants to ensure that only authorized applications can read and write to the table. The applications are running on Amazon EC2 instances. The current setup uses an IAM role attached to the EC2 instance with a policy that grants dynamodb:* on the specific table. However, during a security audit, it was discovered that any process on the EC2 instance can access the table because the instance has access to the temporary credentials from the instance metadata service. The security team requires that only specific processes (the application) can access the credentials, and that the credentials cannot be extracted from the instance. What should be done to meet these requirements?
160A small business runs a web application on a single Amazon RDS for MySQL DB instance. The application uses a master user account for all database operations. The security team is concerned about the risk of SQL injection and wants to implement the principle of least privilege. They want to create separate database users for read-only and read-write operations. The application currently uses a single connection string. The developer needs to modify the application to use two separate users. What is the correct approach to implement this securely?
161A healthcare company is migrating its patient records database to Amazon RDS for SQL Server. The database contains Protected Health Information (PHI). The compliance team requires that all PHI data be encrypted at rest and that the encryption keys be stored in a dedicated AWS CloudHSM cluster. Additionally, the database must be replicated to a second AWS region for disaster recovery. The DBA has enabled RDS encryption at rest using a KMS key, but the compliance team insists on using CloudHSM. What should the DBA do to meet the compliance requirement while maintaining disaster recovery?
162A security engineer reviews the IAM policy attached to a user. The user is unable to modify any RDS DB instance, even when MFA is enabled. What is the most likely cause?
163A company stores sensitive data in an Amazon RDS for PostgreSQL DB instance. The security team requires that all data at rest be encrypted. The instance is currently unencrypted. What is the simplest way to enable encryption with minimal downtime?
164A company uses an Amazon RDS for MySQL DB instance that needs to be accessed by a Lambda function. Which TWO steps should be taken to ensure secure access?
165A company is designing a secure strategy for managing Amazon RDS for Oracle encryption keys. They want to use AWS KMS with Customer Master Keys (CMKs) for encryption at rest. Which THREE best practices should they follow?
166A security engineer runs the AWS CLI command shown in the exhibit. The engineer wants to ensure that all RDS DB instances in the account are encrypted at rest. What should the engineer do to remediate the unencrypted read replica?
167A financial company uses Amazon DynamoDB to store customer transaction data. The compliance team requires that all data be encrypted at rest using a customer-managed AWS KMS key. Additionally, they need to ensure that the key is used only for DynamoDB and no other AWS service. How can the company meet these requirements?
168A developer needs to allow an application running on an EC2 instance to connect to an Amazon RDS for MySQL DB instance securely. Which combination of steps should the developer take?
169A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all network traffic between the application servers and the database be encrypted using TLS. The application servers are in a different VPC connected via VPC Peering. What is the simplest way to enforce encryption in transit?
170A company is running an RDS for MySQL database and needs to ensure that all connections to the database use SSL encryption. Which configuration step is required?
171A security engineer is designing a VPC with an RDS instance. The database must not be accessible from the internet, but EC2 instances in a private subnet must connect. Which security group configuration is MOST secure?
172A company wants to audit all SQL statements executed on their RDS for PostgreSQL database. Which AWS service should they use?
173A company is using DynamoDB with a VPC endpoint. They want to restrict access to only requests originating from their VPC. Which policy condition should be used?
174A company has a compliance requirement to encrypt all RDS snapshots at rest using a customer-managed KMS key. The RDS instance is already encrypted with an AWS-managed key. What is the correct procedure to ensure snapshots use the customer-managed key?
175A developer accidentally deleted an RDS database. Which action will allow the database to be restored with the least data loss?
176A company wants to enforce encryption in transit for all connections to their ElastiCache for Redis cluster. Which security measure should they implement?
177A security team needs to grant an IAM user permission to modify only the 'db_secrets' secret in AWS Secrets Manager. Which IAM policy statement is correct?
178A company is using Amazon RDS for Oracle and wants to integrate with AWS CloudTrail to log database API calls. Which action is necessary?
179Which TWO actions can help protect an RDS database from SQL injection attacks? (Choose 2.)
180Which THREE are valid methods to encrypt data at rest in Amazon DynamoDB? (Choose 3.)
181Which TWO AWS services can be used to monitor database security events in real time? (Choose 2.)
182A database administrator has the IAM policy shown in the exhibit. Which action will be allowed by this policy?
183A developer needs to connect to the RDS instance from an EC2 instance in the same VPC. The EC2 instance's security group allows outbound traffic to 0.0.0.0/0. The RDS security group inbound rules currently allow traffic from 0.0.0.0/0 on port 3306. After a security review, the company decides to restrict inbound traffic to the VPC only. Which inbound rule should be added to the RDS security group?
184A developer retrieved a database secret using the AWS CLI as shown. What is the MOST secure way to store and rotate this secret?
185A company is storing sensitive customer data in an Amazon RDS for MySQL DB instance. They need to ensure that data is encrypted at rest. What is the simplest way to achieve this?
186A company uses Amazon RDS for PostgreSQL and needs to ensure that only specific IP addresses can connect to the database. Which configuration should be used?
187A company is designing a multi-tenant application using Amazon Aurora MySQL. Each tenant's data must be isolated from others. They need to encrypt data at rest with a unique AWS KMS key per tenant. How can this be achieved?
188A security team is auditing an Amazon RDS for SQL Server DB instance. They notice that SSL connections are not enforced. Which configuration change will enforce SSL for all connections?
189A developer needs to grant an IAM user permission to perform automated backups of an Amazon RDS DB instance. Which IAM action should be allowed?
190A company is using Amazon DynamoDB with server-side encryption enabled. They need to ensure that all access to the table is audited. Which service should be used to capture data-plane API calls?
191A company has an Amazon RDS for Oracle DB instance that is publicly accessible. They want to restrict access to only a specific CIDR block. Which two actions must be taken together?
192A company needs to rotate the master user password for an Amazon RDS for MySQL DB instance. What is the recommended way to do this without downtime?
193A security engineer needs to ensure that all access to an Amazon DynamoDB table is encrypted in transit. Which configuration achieves this?
194Which TWO of the following are methods to control access to an Amazon RDS DB instance? (Select TWO.)
195Which THREE of the following are best practices for securing an Amazon Aurora MySQL database? (Select THREE.)
196Which TWO of the following are valid ways to encrypt data at rest in Amazon DynamoDB? (Select TWO.)
197An IAM policy is attached to a user. What is the effect of this policy on the user's ability to delete the DB instance named prod-db?
198An RDS DB instance has two security groups attached. Security group sg-12345678 allows inbound traffic on port 3306 from 0.0.0.0/0. Security group sg-87654321 allows inbound traffic on port 3306 from 10.0.0.0/16. What is the effective inbound access to the DB instance?
199A KMS key has the grant shown. An IAM role named AdminRole is the grantee. What additional permission does this grant provide to AdminRole beyond what the role's IAM policy allows?
200A company is using an Amazon RDS for MySQL DB instance to store sensitive customer data. A security audit reveals that all database traffic between the application and the database is transmitted in plaintext. Which configuration change would encrypt data in transit for new connections?
201A financial services company uses Amazon DynamoDB to store transaction records. The security team requires that all items be encrypted at rest using a customer-managed AWS KMS key. Additionally, the company must be able to audit key usage and rotation. What is the MOST secure and auditable approach?
202A developer needs to grant an IAM user the ability to perform all operations on an Amazon RDS DB instance except the ability to delete it. Which IAM policy action should be explicitly denied?
203A company uses Amazon RDS for PostgreSQL with Multi-AZ deployment. The security team wants to ensure that any access to the database is logged, including SELECT queries. What should be done to capture these logs?
204A company runs an Amazon Aurora MySQL-compatible database cluster. The security team requires that all database credentials be rotated automatically every 30 days. Which combination of AWS services can meet this requirement with minimal operational overhead?
205A developer accidentally exposed an Amazon RDS snapshot to the public. What is the quickest way to remediate this issue?
206A company uses Amazon DynamoDB with a global secondary index (GSI) and client-side encryption using the AWS Encryption SDK. The security team requires that the partition key and sort key be searchable by the application but not stored in plaintext in the table. Which approach should be taken?
207A company uses Amazon Redshift for data warehousing. The security team requires that all data be encrypted at rest with a customer-managed key, and that the key be rotated every year. Which configuration meets these requirements?
208A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all connections to the database use Oracle Native Network Encryption (NNE). How should this be configured?
209Which TWO actions will help protect an Amazon RDS for MySQL database from a SQL injection attack? (Select TWO.)
210Which THREE practices should be implemented to secure an Amazon DynamoDB table that stores personally identifiable information (PII)? (Select THREE.)
211Which TWO methods can be used to securely connect to an Amazon RDS for PostgreSQL DB instance from an EC2 instance in the same VPC? (Select TWO.)
212Refer to the exhibit. An IAM policy is attached to a user. What is the effect when the user attempts to delete the RDS DB instance named 'prod-db'?
213Refer to the exhibit. The output is from the AWS CLI for an RDS instance. The security team suspects that the encryption key used for this DB instance has been compromised. What is the required action to re-encrypt the instance with a new key?
214Refer to the exhibit. A developer created an IAM policy with the above command and attached it to a user. What is the security implication of this policy?
215A company wants to encrypt data at rest for an existing Amazon RDS for MySQL DB instance. The database is currently unencrypted. What is the most efficient way to enable encryption?
216A security team needs to audit all SQL statements executed against an Amazon Aurora MySQL DB cluster. Which combination of actions should be taken to achieve this? (Choose TWO.)
217A company has an Amazon DynamoDB table with a global secondary index (GSI). The security team wants to ensure that only certain attributes are returned in query results based on the IAM policy of the calling user. What is the most secure and scalable approach?
218A developer needs to connect to an Amazon RDS for PostgreSQL DB instance from an EC2 instance in the same VPC. What is the most secure way to authenticate the connection without storing database credentials in the application code?
219A security engineer is designing a solution to encrypt data at rest for an Amazon Redshift cluster. The company requires that the encryption key be rotated automatically every year. Which solution meets these requirements?
220A company is using an Amazon DynamoDB table with a global table configuration across two AWS regions. The security team wants to ensure that all data is encrypted in transit between the regions. What should the team do?
221A company wants to audit all API calls made to its Amazon RDS DB instances. Which AWS service should be used to capture these API calls?
222A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security policy requires that all connections to the database use SSL/TLS. What should the database administrator do to meet this requirement?
223A company is using Amazon DynamoDB Accelerator (DAX) for caching. The security team is concerned about data in transit between the application and DAX. What should the team do to ensure that all traffic to DAX is encrypted?
224A security engineer needs to restrict access to an Amazon DynamoDB table so that only users from a specific AWS account can read and write data. Which of the following can be used to achieve this? (Choose TWO.)
225A company is running an Amazon RDS for SQL Server DB instance with Multi-AZ deployment. The security team wants to ensure that all data at rest is encrypted using a customer-managed key stored in AWS KMS. Which steps must be taken to achieve this? (Choose THREE.)
226A company is using Amazon Aurora MySQL and needs to audit database logins. Which of the following can be used to capture login events? (Choose TWO.)
227An IAM policy is attached to a user. What does this policy allow the user to do?
228A database administrator runs the described command. What does the output indicate about the RDS instance?
229An IAM policy is attached to a user. Which of the following actions will be allowed?
230A company is migrating an Oracle database to Amazon RDS for Oracle. Security policy requires that all database connections be encrypted in transit. The security team wants to enforce that clients must use TLS 1.2 or higher. How can this be achieved?
231A financial services company uses Amazon RDS for MySQL to store sensitive customer data. The compliance team requires that all database administrators (DBAs) must authenticate using IAM database authentication, and no static database passwords should be used. A junior DBA has been granted the rds_iam role in the database. However, the junior DBA is unable to connect using the AWS CLI command: aws rds generate-db-auth-token --hostname mydb.xyz.us-east-1.rds.amazonaws.com --port 3306 --username jdba. The error message says 'Access denied'. What is the most likely cause?
232A company is using Amazon RDS for PostgreSQL to store application data. The security team wants to ensure that database audit logs are stored securely and cannot be modified after creation. Which AWS service should be used to meet this requirement?
233A company is running an Amazon RDS for SQL Server instance with Multi-AZ deployment. The security team requires that all data at rest be encrypted. The instance was originally launched without encryption. What is the most efficient way to enable encryption at rest for this existing instance?
234A company uses Amazon DynamoDB to store session data. The security team has enabled DynamoDB Accelerator (DAX) for performance. However, they are concerned about data encryption at rest. DAX encrypts data at rest by default. The security team wants to use a customer managed key (CMK) in AWS KMS. How can this be configured?
235A company is using Amazon Aurora MySQL and needs to audit all database logins and query activity. Which feature should be enabled to meet this requirement?
236A company is using Amazon RDS for MySQL and wants to restrict access to a specific database so that an application user can only perform SELECT and INSERT operations on tables within that database. The application user already exists. Which SQL statement should be executed?
237A company is using Amazon DynamoDB with AWS Lambda to process data. The Lambda function needs to read and write items to a DynamoDB table. The security team wants to follow the principle of least privilege. Which IAM policy statement should be attached to the Lambda execution role?
238A company is using Amazon RDS for PostgreSQL and needs to ensure that all connections to the database use encryption in transit. The database is accessible over the internet. Which configuration is required?
239A company is designing a security strategy for an Amazon RDS for MySQL instance that stores Personally Identifiable Information (PII). Which TWO measures should be implemented to protect the data at rest?
240A company uses Amazon DynamoDB with DAX and wants to implement fine-grained access control using IAM. Which THREE conditions can be used in an IAM policy to restrict access to specific items based on the primary key?
241A company is using Amazon RDS for Oracle and needs to comply with regulatory requirements that mandate encryption of all data at rest and in transit. Which TWO actions should be taken to meet these requirements?
242A company wants to ensure that an Amazon RDS for MySQL DB instance is encrypted at rest. Which action should be taken to enable encryption for the first time?
243A database administrator needs to audit all SQL statements executed on an Amazon Aurora MySQL DB cluster, including SELECT queries. Which AWS service should be used to capture and store these logs?
244A company has an Amazon DynamoDB table that stores sensitive user data. The security team requires that all data is encrypted at rest using a customer-managed AWS KMS key. Additionally, they want to ensure that the table can only be accessed by a specific IAM role. Which combination of steps should be taken to meet these requirements? (Select TWO.)
245A company needs to enforce that all new Amazon RDS DB instances are automatically encrypted at rest. What is the most efficient way to achieve this?
246A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database contains personally identifiable information (PII). The security team requires that all PII columns be transparently encrypted and that the encryption keys be stored in AWS CloudHSM. Which solution meets these requirements?
247A company has an Amazon RDS for PostgreSQL DB instance that needs to be accessed by an application running on an Amazon EC2 instance. Both resources are in the same VPC. The security team insists that all traffic between the application and the database be encrypted in transit. Which configuration ensures this?
248A company wants to store database credentials for an Amazon RDS instance securely. Which AWS service should be used to rotate the credentials automatically?
249A company needs to audit access to an Amazon DynamoDB table. The audit should capture which IAM user or role performed each action. Which AWS service should be used?
250A company has an Amazon RDS for SQL Server DB instance that stores financial data. The security team requires that the data be encrypted at rest using a customer-managed key stored in AWS KMS. Additionally, they want to ensure that the key cannot be deleted without authorization. What should be done?
251A company wants to restrict access to an Amazon DynamoDB table so that only requests from a specific VPC endpoint are allowed. Which policy should be attached to the table?
252A company is using Amazon RDS for PostgreSQL with a read replica. The security team wants to ensure that data in transit between the primary DB instance and the read replica is encrypted. What should be done?
253A company needs to comply with PCI DSS requirements for an Amazon RDS for Oracle DB instance. The requirements include encryption of sensitive data at rest and in transit, and automated key rotation. Which combination of services and configurations should be used? (Select THREE.)
254A company has an Amazon DynamoDB table with a global secondary index (GSI). The security team wants to ensure that the table and the GSI are encrypted at rest. How can this be achieved?
255A company is designing a security strategy for an Amazon Aurora MySQL database. They need to ensure that database activity is monitored for suspicious behavior and that alerts are sent when anomalies are detected. Which AWS services should be combined to achieve this? (Select TWO.)
256A company has an Amazon RDS for MySQL DB instance that is publicly accessible. The security team wants to restrict access to only specific IP addresses. Which configuration should be used?
257A company wants to encrypt an existing unencrypted Amazon RDS for PostgreSQL DB instance. What is the correct procedure?
258A company is using Amazon DynamoDB with client-side encryption using the DynamoDB Encryption Client. The encryption keys are stored in AWS KMS. The security team wants to ensure that the encryption keys can be used only by authorized applications. What should be done?
259A company is using Amazon RDS for MySQL and needs to encrypt data at rest for an existing DB instance. Which approach meets this requirement with minimal downtime?
260A security team is auditing IAM policies for Amazon RDS. They want to ensure that all RDS snapshots shared with other AWS accounts are encrypted. Which IAM policy condition key should be used to enforce this?
261A company uses Amazon Aurora MySQL and needs to audit all database logins, including failed attempts. Which feature should be enabled?
262A developer needs to allow an application running on EC2 to access an Amazon RDS database without storing database credentials in the application code. Which solution is the MOST secure?
263A company wants to enforce that all new Amazon RDS DB instances are created with encryption at rest enabled. Which approach should be taken?
264A company needs to securely store and manage the master password for their Amazon RDS for PostgreSQL instance. Which AWS service is purpose-built for managing secrets with automatic rotation?
265An application uses an Amazon RDS for MySQL database. The security team requires that all traffic to the database be encrypted in transit. Which configuration ensures this?
266A company has an Amazon RDS for Oracle DB instance that needs to be encrypted at rest. The instance currently uses Oracle Transparent Data Encryption (TDE) with a key stored in the database. The company wants to use AWS KMS for key management. What is the correct migration path?
267A company wants to audit all SQL statements executed on their Amazon Aurora MySQL database for compliance. Which AWS feature should be enabled?
268Which TWO actions should a company take to secure an Amazon RDS for MySQL database that is accessible from the internet? (Choose two.)
269Which THREE components are required to set up IAM database authentication for an Amazon RDS for MySQL DB instance? (Choose three.)
270Which TWO AWS services can be used to centrally manage database credentials and automate rotation for Amazon RDS? (Choose two.)
271A security engineer runs the commands shown in the exhibit for an RDS MySQL DB instance. The engineer wants to enforce SSL connections to the database. What should the engineer do?
272An IAM policy is shown in the exhibit. What is the effect of this policy when a user tries to create an unencrypted RDS DB instance?
273A snapshot of an Amazon RDS DB instance is shown in the exhibit. What does the output indicate?
274A company is using Amazon RDS for MySQL with automated backups enabled. The security team requires that all backups be encrypted at rest. Which configuration ensures that new automated backups are encrypted?
275A developer wants to grant an IAM user read-only access to an Amazon DynamoDB table named 'Orders' in the 'us-east-1' region. Which IAM policy should be attached to the user?
276A financial company uses Amazon RDS for PostgreSQL with a custom parameter group. The security team wants to ensure that all connections to the database are encrypted in transit. Which combination of actions should the database administrator take? (Select TWO.)
277A developer is troubleshooting an issue where an IAM user cannot perform a 'DescribeTable' action on a DynamoDB table. The IAM policy attached to the user is: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["dynamodb:GetItem","dynamodb:PutItem"],"Resource":"*"}]}. What is the most likely reason for the failure?
278A company is migrating its Oracle database to Amazon RDS for Oracle. The security team requires that all data be encrypted at rest using a customer-managed AWS KMS key. Which TWO steps are necessary to achieve this?
279A company uses Amazon DynamoDB with a global secondary index (GSI). The security team requires that only specific IAM users can query the GSI. Which THREE conditions must be met to restrict access to the GSI?
280A database administrator runs the command shown in the exhibit. The security team requires that the database be encrypted at rest. What should the administrator do to enable encryption?
281A company uses Amazon RDS for SQL Server with Multi-AZ deployment. The security team wants to ensure that all data at rest is encrypted using a customer-managed KMS key in both the primary and standby instances. Which THREE actions are required?
282A company wants to restrict access to an Amazon RDS for MySQL DB instance so that only applications running in a specific VPC can connect. Which solution should be implemented?
283A user is unable to list the contents of the S3 bucket 'my-db-backups' using the AWS CLI. The IAM policy attached to the user is shown in the exhibit. What is the likely cause?
284A company uses Amazon RDS for PostgreSQL and wants to audit all database login attempts. Which TWO services can be used together to achieve this?
285A company runs a production Amazon DynamoDB table with on-demand capacity. The security team requires that all access to the table be logged for compliance. What is the most cost-effective way to log every DynamoDB API call?
286A company needs to encrypt an existing unencrypted Amazon RDS for Oracle DB instance. Which set of steps should be followed?
287A CloudFormation template is used to create an RDS DB instance with encryption, as shown in the exhibit. The stack creation fails because the DB instance creation fails. What is the most likely cause?
288A company uses Amazon RDS for MySQL and wants to ensure that database users are authenticated using IAM database authentication. Which action must be performed to enable this?
289A company wants to audit all SQL queries made to their Amazon RDS for MySQL database. Which AWS service should they use?
290A company needs to encrypt data at rest for their Amazon Aurora PostgreSQL database. Which solution is the MOST secure and requires the least operational overhead?
291A security team is investigating a potential data breach in an Amazon RDS for SQL Server database. They need to determine which user executed a specific DELETE statement at a particular time. What should they do?
292A company wants to restrict access to an Amazon DynamoDB table so that only specific IAM users can read and write data. What is the BEST way to achieve this?
293A company hosts a critical application on Amazon RDS for PostgreSQL. The security team requires that all database connections be encrypted in transit. Which configuration step is necessary?
294A company is using Amazon RDS for Oracle with Transparent Data Encryption (TDE) enabled. They need to rotate the TDE master key. What is the correct procedure?
295A company wants to ensure that an Amazon RDS for MySQL database is automatically backed up daily and backups are encrypted. What should they do?
296A company is using Amazon DynamoDB with encryption at rest using an AWS managed key. The security team now requires that the encryption key be rotated every 90 days. What should they do?
297A company is using Amazon RDS for PostgreSQL and needs to audit login attempts. Which configuration is required?
298Which TWO actions can be used to encrypt an existing unencrypted Amazon RDS for MySQL DB instance? (Choose 2.)
299Which THREE measures can help protect an Amazon RDS database from a DDoS attack? (Choose 3.)
300Which TWO AWS services can be used to monitor and alert on suspicious database access patterns in Amazon RDS? (Choose 2.)
The Database Security domain covers the key concepts tested in this area of the DBS-C01 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all DBS-C01 domains — no account required.
The Courseiva DBS-C01 question bank contains 300 questions in the Database Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Database Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included