Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsDBS-C01DomainsDatabase Security
DBS-C01Free — No Signup

Database Security

Practice DBS-C01 Database Security questions with full explanations on every answer.

321questions

Start practicing

Database Security — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

DBS-C01 Domains

Workload-Specific Database DesignDeployment and MigrationManagement and OperationsMonitoring and TroubleshootingDatabase Security

Practice Database Security questions

10Q20Q30Q50Q

DBS-C01 Database Security questions (showing 300 of 321)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A company runs an Amazon RDS for MySQL DB instance in a VPC. Security requirements mandate that only specific EC2 instances in the same VPC can connect to the database. The security group attached to the RDS instance currently allows inbound traffic on port 3306 from 0.0.0.0/0. Which combination of steps should a database specialist take to meet the security requirement without impacting existing application connectivity? (Choose two.)

2

A company uses Amazon DynamoDB with a table that stores sensitive customer data. The security team requires that all data at rest be encrypted using a customer-managed AWS KMS key (CMK). Additionally, the company needs to ensure that only specific IAM roles can access the table. Which solution meets these requirements with the least operational overhead?

3

A database specialist is troubleshooting a connectivity issue with an Amazon RDS for PostgreSQL instance. The instance is in a VPC with a public subnet. The security group allows inbound traffic on port 5432 from the application server's IP address. The application server is in the same VPC but in a private subnet. Despite the security group configuration, the application cannot connect. Which action should the specialist take to resolve the issue?

4

A company stores financial data in an Amazon Aurora MySQL DB cluster. The security team requires that database audit logs be stored in Amazon CloudWatch Logs and encrypted at rest using a customer-managed KMS key. The database specialist enables audit log publishing to CloudWatch Logs and specifies a KMS key for log encryption. However, the audit logs are not appearing in CloudWatch Logs. What is the most likely cause?

5

A company uses Amazon ElastiCache for Redis to cache session data. The security team requires that all data in transit be encrypted. The Redis cluster currently does not have encryption in transit enabled. The database specialist needs to enable encryption in transit with minimal downtime. Which action should the specialist take?

6

A company uses Amazon RDS for SQL Server with Multi-AZ deployment. The security team wants to ensure that all database connections use SSL/TLS encryption. Which TWO actions should the database specialist take to enforce SSL connections? (Choose two.)

7

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all data be encrypted at rest using a customer-managed KMS key. Additionally, the database should be accessible only from a specific VPC. Which THREE steps should the database specialist take to meet these requirements? (Choose three.)

8

A company uses Amazon RDS for MySQL with encryption at rest enabled. The security team mandates that all access to the database must be authenticated using IAM database authentication. The database administrator has created a user 'app_user' and granted appropriate privileges. However, when the application tries to connect using an IAM authentication token, it receives an 'Access denied' error. Which action should be taken to resolve this issue?

9

A company is designing a multi-tier application that uses Amazon RDS for PostgreSQL. The application must encrypt data at rest and in transit. Which combination of steps should be taken to meet these requirements? (Choose the single best answer.)

10

A financial services company uses Amazon DynamoDB to store sensitive customer data. The security team requires that all data at rest be encrypted using a customer-managed AWS KMS key (CMK) with automatic rotation enabled. The DynamoDB table was created with the default AWS-managed key. Which steps are necessary to transition to a customer-managed CMK while minimizing downtime and data loss?

11

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The compliance team requires that all database connections use SSL/TLS and that users authenticate using IAM database authentication. The database migration is completed, but the application team reports that connections using IAM authentication are failing. The company has already enabled IAM database authentication on the RDS instance. What is the most likely cause of the failure?

12

A company is using Amazon RDS for MySQL with Multi-AZ deployment. The security team wants to ensure that database administrators cannot view sensitive data. Which TWO actions should be taken to achieve this goal?

13

A company is designing a disaster recovery strategy for an Amazon Aurora MySQL database. The database stores sensitive data that must be encrypted at rest. The primary region is us-east-1, and the secondary region is us-west-2. Which THREE steps are required to set up cross-region replication with encryption at rest?

14

A security engineer is troubleshooting an issue where an application using IAM role 'app-role' with a trust policy to assume the 'app-user' user is unable to decrypt an RDS database that uses a customer-managed KMS key. The above key policy is attached to the KMS key. What is the likely cause of the failure?

15

A company has a production Amazon RDS for SQL Server database that stores financial data. The database administrator wants to audit all access to sensitive columns (e.g., credit card numbers) using the SQL Server Audit feature. The database is part of a Multi-AZ deployment. The administrator has enabled audit logging to the 'DEFAULT' file audit target, but the audit files are being written to the local instance storage and are not being retained after failover. The compliance team requires that audit logs be stored in Amazon S3 for at least 7 years. The administrator has set up an event subscription to send database events to an S3 bucket using AWS DMS, but the audit logs are not being captured. What should the administrator do to meet the compliance requirements?

16

A financial services company runs a critical application on Amazon RDS for PostgreSQL with Multi-AZ and automated backups enabled. The database stores sensitive customer data, and the security team recently audited the environment and found that the database master user password is stored in plain text in a configuration file on the application server. Additionally, the security team noted that the database security group allows inbound traffic from 0.0.0.0/0 on port 5432. The company needs to remediate these issues immediately without downtime and must ensure that access to the database is restricted to only the application servers, and that password management follows AWS best practices. The application connects to the database using the master user credentials. What should the database specialist do to meet these requirements?

17

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all connections to the database be encrypted in transit. Which TWO steps should be taken to enforce this requirement?

18

Refer to the exhibit. A security engineer has applied this key policy to a customer managed KMS key used to encrypt a Secrets Manager secret containing database credentials. An application running on an Amazon EC2 instance in the same account and region is unable to decrypt the secret. What is the MOST likely cause?

19

A company runs an e-commerce application on AWS using an Aurora MySQL database cluster. The security team mandates that all database audit logs must be stored in Amazon S3 for at least one year for compliance. The database is currently configured to publish audit logs to Amazon CloudWatch Logs. The security team wants to use AWS Database Migration Service (DMS) to migrate the database to a new Aurora MySQL cluster, and during the migration, the audit logs must continue to be captured uninterrupted. Which solution meets these requirements with the LEAST operational overhead?

20

Arrange the steps to troubleshoot a connection timeout issue from an EC2 instance to an Amazon RDS for SQL Server DB instance in the correct order.

21

Arrange the steps to restore an Amazon RDS for MySQL DB instance to a new instance from a manual snapshot in the correct order.

22

Match each DynamoDB concept to its definition.

23

Match each AWS database migration tool/service to its function.

24

A company is using an RDS for MySQL DB instance encrypted at rest with AWS KMS. The security team requires that all access to the database be logged, including queries that fail due to authentication errors. Which configuration meets this requirement?

25

A developer needs to allow an application running on an EC2 instance to read and write data to a DynamoDB table named 'Orders'. The EC2 instance is configured with an IAM role. Which IAM policy should be attached to the role?

26

A company's security team wants to encrypt data at rest for an existing RDS for PostgreSQL DB instance. The instance is currently unencrypted. Which steps should the team take to enable encryption with minimal downtime?

27

A company uses Amazon Redshift for data warehousing. The security team requires that all data loaded into the cluster be encrypted at rest using a customer-managed KMS key. The cluster is currently unencrypted. What is the most efficient way to achieve this requirement with minimal data loss?

28

A company has an RDS for SQL Server DB instance that stores sensitive data. The database administrator needs to ensure that all connections to the database use SSL/TLS encryption. What should the administrator do?

29

A company uses Amazon DynamoDB with AWS KMS customer managed keys for encryption at rest. The security team wants to audit who is using the KMS key to encrypt and decrypt data. Which AWS service should be used?

30

A company has a multi-AZ RDS for PostgreSQL DB instance. The security team wants to ensure that database audit logs are stored in CloudWatch Logs for real-time monitoring. The team enabled the 'pgaudit.log' parameter and set 'log_destination' to 'csvlog'. However, logs are not appearing in CloudWatch. What is the most likely cause?

31

A developer is writing an AWS Lambda function that needs to access a Secrets Manager secret to retrieve database credentials. The Lambda function has an IAM role. Which action must be allowed in the IAM policy?

32

A company is using Amazon Aurora MySQL-Compatible Edition. The database administrator wants to restrict a specific user to only execute SELECT statements on a specific database. Which SQL command should the administrator use?

33

Which TWO actions should be taken to protect sensitive data in an Amazon RDS for Oracle DB instance? (Choose two.)

34

Which THREE methods can be used to authenticate users to an Amazon RDS for MySQL DB instance? (Choose three.)

35

Which TWO AWS services can be used to centrally manage database credentials securely? (Choose two.)

36

A database administrator runs the AWS CLI command shown in the exhibit. The administrator wants to enable encryption at rest for the RDS instance. What should the administrator do?

37

A security engineer creates the IAM policy shown in the exhibit and attaches it to an IAM user. What is the effect of this policy?

38

A developer runs the AWS CLI command shown in the exhibit. What is the output indicating?

39

A company is using Amazon RDS for MySQL with encryption at rest enabled. The security team requires that all access to the database be authenticated using IAM database authentication. Which combination of steps must the company take to meet this requirement?

40

A financial services company runs a critical application on Amazon RDS for PostgreSQL. They must ensure that database activity logs are sent to Amazon CloudWatch Logs for real-time monitoring. The logs must include all SQL queries, including SELECT statements. Which configuration will meet these requirements?

41

A company wants to encrypt data at rest for an existing Amazon RDS for Oracle DB instance. The database is currently unencrypted. What is the simplest way to enable encryption with minimal downtime?

42

A company is using Amazon Aurora MySQL-Compatible Edition. The security team wants to ensure that database credentials are not stored in application configuration files. They decide to use AWS Secrets Manager to manage credentials. The application is hosted on Amazon EC2 instances that have an IAM role attached. What is the most secure way to grant the application access to the secret?

43

A company is using Amazon DynamoDB to store sensitive customer data. They need to ensure that all data is encrypted at rest using a customer-managed AWS KMS key. The company also wants to rotate the KMS key every year. What is the simplest way to achieve key rotation?

44

A company uses Amazon RDS for SQL Server with Multi-AZ deployment. The security team has mandated that all connections to the database must use SSL/TLS. The database is accessed by multiple applications running on EC2 instances. Which configuration ensures that all connections use SSL/TLS?

45

A company is using Amazon Redshift for data warehousing. They need to ensure that data is encrypted at rest using a customer-managed AWS KMS key. The cluster is currently unencrypted. What is the simplest way to enable encryption?

46

A company is using Amazon RDS for MySQL. They want to audit all database logins and failed login attempts. Which option should they enable?

47

A company uses Amazon DynamoDB with a global secondary index (GSI) on a table that contains sensitive data. The security team requires that the GSI be encrypted with a different AWS KMS key than the base table. Can this be achieved, and if so, how?

48

A company is deploying a new application on Amazon RDS for PostgreSQL. The security policy requires that all data be encrypted at rest and in transit. Which TWO actions should the company take to meet these requirements?

49

A company uses Amazon Aurora MySQL-Compatible Edition. The security team wants to implement database activity streams to monitor database activity. Which THREE statements are true about Aurora database activity streams?

50

A company is using Amazon DynamoDB and wants to restrict access to a specific table so that only users in a particular IAM group can perform read and write operations. Which THREE steps should be taken to achieve this?

51

A company is migrating its on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all data at rest be encrypted using a customer-managed key stored in AWS KMS, and that the key be rotated automatically every year. The company also needs to ensure that only specific IAM roles can access the key. Which combination of steps should the database administrator take to meet these requirements?

52

A company has an Amazon RDS for MySQL Multi-AZ DB instance that stores sensitive financial data. The security team has enabled encryption at rest using a KMS key. They also need to ensure that database audit logs are encrypted and stored in an S3 bucket. The logs must be accessible only by the security team via a VPC endpoint. The log data must be retained for 7 years. Which solution meets these requirements with the LEAST operational overhead?

53

A company is using Amazon RDS for PostgreSQL. The security team wants to ensure that all connections to the database are encrypted in transit. Currently, applications connect using the PostgreSQL native encryption (SSL/TLS). What is the MOST secure way to enforce encrypted connections?

54

A company is using Amazon DynamoDB to store customer session data. The security team requires that all data is encrypted at rest using a customer-managed KMS key, and that access to the key is restricted to specific IAM roles. The company also wants to ensure that DynamoDB Accelerator (DAX) cluster is encrypted. Which steps should be taken to meet these requirements?

55

A company has an Amazon RDS for SQL Server Multi-AZ DB instance with a standby replica in a different AWS Region. The database is encrypted with a KMS key. The company needs to implement automated backups that are also encrypted and stored in a cross-region S3 bucket. The backups must be retained for 3 years. Which solution meets these requirements with the LEAST administrative effort?

56

A company is using Amazon Redshift for data warehousing. The security team requires that all data is encrypted at rest using a hardware security module (HSM). Additionally, the team wants to ensure that only specific IAM roles can access the database. Which configuration will meet these requirements?

57

A company is using Amazon Aurora MySQL-Compatible Edition. The security team wants to audit all database login attempts and store the logs in Amazon S3 for 90 days. Which solution meets these requirements with the LEAST operational overhead?

58

A company has an Amazon DynamoDB table with global secondary indexes (GSIs) that store personally identifiable information (PII). The security team requires that all PII is encrypted at rest using a customer-managed KMS key. The table already exists and is encrypted with the default AWS managed key. What is the MOST efficient way to change the encryption to a customer-managed key?

59

A company is using Amazon RDS for PostgreSQL and needs to implement column-level encryption for sensitive data. The application must be able to encrypt and decrypt data transparently. Which approach should be taken?

60

A company is using Amazon RDS for MySQL and needs to comply with PCI DSS requirements. Which TWO actions should the company take to secure the database? (Choose TWO.)

61

A company is designing a security architecture for Amazon DynamoDB. They need to ensure that only authorized applications can access the data, and that data in transit is encrypted. Which THREE steps should be taken? (Choose THREE.)

62

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all database connections use SSL and that the database is encrypted at rest. Which THREE steps are required to meet these requirements? (Choose THREE.)

63

An IAM policy is attached to a role used by an RDS instance. The RDS instance is in VPC with a VPC endpoint to KMS. What is the effect of this policy?

64

The security team reports that the database 'mydb' is not encrypted. However, the CLI output shows 'StorageEncrypted' is true. What is the MOST likely reason for the security team's concern?

65

An IAM policy is attached to an IAM user. The user wants to connect to an RDS MySQL database using IAM database authentication. What does this policy allow?

66

A company is migrating its on-premises Oracle database to Amazon RDS for Oracle. As part of the migration, they need to ensure that all sensitive data is encrypted at rest using AWS Key Management Service (AWS KMS). Which configuration step is required to achieve this?

67

A company uses Amazon DynamoDB with AWS KMS-managed encryption at rest. The security team requires that all access to a particular DynamoDB table be logged for audit purposes. Which solution meets this requirement?

68

A company is using Amazon RDS for MySQL and needs to restrict access to the database to only specific Amazon EC2 instances in the same VPC. Which security mechanism should be used?

69

A company has an Amazon Redshift cluster that stores sensitive financial data. The security team requires that all data be encrypted at rest and that the encryption keys be rotated annually. Which solution meets these requirements?

70

A company uses Amazon Aurora MySQL-Compatible Edition and needs to audit all SQL statements executed by database users. Which feature should be enabled?

71

A company is using Amazon DynamoDB and wants to ensure that only authorized users can access a specific table. Which AWS service should be used to manage access control?

72

A company is using Amazon RDS for PostgreSQL with automated backups. The security team requires that backups be encrypted at rest. The DB instance is currently unencrypted. What is the most efficient way to enable encryption for future backups?

73

A company uses Amazon ElastiCache for Redis and needs to encrypt data in transit between the application and the cache cluster. Which feature should be enabled?

74

A company is using Amazon DynamoDB and wants to ensure that all data is automatically encrypted at rest. What is the default encryption status for a new DynamoDB table?

75

A company is designing a security strategy for Amazon RDS for SQL Server. Which TWO actions should be taken to encrypt data at rest? (Choose TWO.)

76

A company is using Amazon Redshift and needs to comply with regulatory requirements that mandate encryption of all data at rest and control of the encryption keys. Which THREE steps should be taken? (Choose THREE.)

77

A company uses Amazon DynamoDB and wants to audit access to a table. Which TWO services can be used together to log and monitor data plane operations? (Choose TWO.)

78

A company is running an Amazon RDS for MySQL DB instance in a VPC. The security team requires that all connections to the database use SSL/TLS. The DBA has enabled 'require_secure_transport' parameter in the DB parameter group. However, after applying the change and rebooting, some applications that were previously connecting successfully are now failing. What is the most likely cause?

79

A financial services company is using Amazon DynamoDB to store customer transaction data. The compliance team requires that all data be encrypted at rest using a customer-managed AWS KMS key, and that access to the key be auditable via AWS CloudTrail. Additionally, the security team wants to ensure that DynamoDB can only be accessed from within the VPC using a VPC endpoint. Which combination of steps should the company take to meet these requirements?

80

A developer needs to securely store database credentials for an application that runs on Amazon EC2 and connects to an Amazon RDS for PostgreSQL database. The credentials must be automatically rotated every 90 days. Which AWS service should the developer use to meet these requirements?

81

A company has an Amazon RDS for Oracle DB instance that stores sensitive data. The security team wants to audit all SQL queries that read or modify specific columns containing personally identifiable information (PII). The audit logs must be stored for 5 years. Which solution should the database specialist implement?

82

A company is using Amazon Redshift for data warehousing. The security team requires that all data be encrypted at rest using a customer-managed AWS KMS key. Additionally, the team wants to ensure that the key must be used only for this specific Redshift cluster. Which configuration should be applied?

83

A company is migrating its on-premises Oracle database to Amazon RDS for Oracle. The database contains sensitive data that must be encrypted at rest and in transit. The security team also requires that the encryption keys be rotated every year. The DBA has enabled encryption at rest using a customer-managed KMS key and SSL/TLS for in-transit encryption. What additional step is needed to meet the key rotation requirement?

84

A company is using Amazon DynamoDB to store user session data. The security team requires that all access to the table be authenticated and authorized using AWS IAM. Which mechanism should the developer use to achieve this?

85

A company is using Amazon RDS for SQL Server with Multi-AZ deployment. The security team requires that all database activity be monitored for suspicious queries. The database specialist enabled RDS Database Activity Streams and configured AWS Lambda to process the stream. However, the Lambda function fails to process some events when the database fails over to the standby instance. What is the most likely cause?

86

A company is using Amazon Aurora MySQL-Compatible Edition. The security team wants to restrict access to the database so that only specific applications running on Amazon EC2 instances can connect. The EC2 instances are in the same VPC as the Aurora cluster. Which combination of steps should be taken to enforce this restriction?

87

A company is using Amazon DynamoDB with encryption at rest using a customer-managed KMS key. The security team wants to audit every use of this KMS key. Which TWO steps should be taken to meet this requirement?

88

A company is migrating an on-premises MongoDB database to Amazon DocumentDB (with MongoDB compatibility). The security team requires that data be encrypted at rest and in transit. Additionally, the team wants to use IAM roles to authenticate applications. Which THREE steps should the database specialist take to meet these requirements?

89

A company is using Amazon RDS for MySQL to host a web application. The security team has identified that the application is vulnerable to SQL injection attacks. The team wants to implement a defense-in-depth strategy to protect the database. Which THREE measures should be taken to mitigate SQL injection risks?

90

A company has an Amazon RDS for MySQL DB instance that stores sensitive customer data. The security team requires that all data at rest be encrypted using a customer-managed AWS KMS key. The DB instance was originally launched without encryption. Which combination of steps will meet the requirement with the least downtime?

91

A company uses Amazon DynamoDB to store user session data. The security team requires that all data be encrypted at rest using a customer-managed AWS KMS key. The DynamoDB table is already configured with AWS managed KMS encryption. How can the company meet the encryption requirement without recreating the table?

92

A database administrator needs to audit all SQL statements executed on an Amazon RDS for PostgreSQL DB instance. Which service should be used to capture and log the SQL statements?

93

A company has a requirement to automatically rotate the password for an Amazon RDS for MySQL DB instance every 90 days. The password is stored in AWS Secrets Manager. Which combination of steps will meet this requirement?

94

A company is using Amazon DynamoDB with a global table that replicates data across two AWS Regions. The security team requires that all data be encrypted at rest with a customer-managed AWS KMS key. How should the company configure the KMS keys to meet this requirement?

95

A company has an Amazon Redshift cluster that contains sensitive data. The security team requires that data be encrypted at rest using a customer-managed AWS KMS key. The cluster was initially launched without encryption. How can the company enable encryption with minimal downtime?

96

A company wants to ensure that only specific IAM users can perform certain operations on an Amazon RDS DB instance, such as creating snapshots or modifying the instance. Which AWS feature should be used to define these permissions?

97

A company is using Amazon Aurora MySQL-Compatible Edition. The security team requires that all connections to the database use SSL/TLS. The application currently connects using a standard JDBC connection string without SSL. What changes are needed to enforce SSL connections?

98

A company stores sensitive data in an Amazon S3 bucket that is accessed by an Amazon Redshift cluster. The security team requires that the data in transit between Redshift and S3 be encrypted. Which configuration ensures this?

99

Which TWO of the following are valid methods to control network access to an Amazon RDS DB instance? (Select TWO.)

100

Which THREE of the following are best practices for securing an Amazon DynamoDB table? (Select THREE.)

101

Which TWO of the following are methods to encrypt data at rest for an Amazon RDS for Oracle DB instance? (Select TWO.)

102

An IAM policy is attached to a role used by an application to access an Amazon RDS for MySQL DB instance. The DB instance is encrypted with a customer-managed KMS key. The application is unable to create a snapshot of the encrypted DB instance. Which missing permission is the most likely cause?

103

A database administrator is troubleshooting connectivity to an Amazon RDS for MySQL DB instance. The application is running on an EC2 instance in the same VPC and security group. The application can connect using the endpoint shown in the exhibit. However, the security team requires that all connections be encrypted using SSL. The DBA has enabled SSL on the DB instance and modified the parameter group to set require_secure_transport to ON. The application is now failing to connect. What is the most likely cause?

104

A security auditor reviews the output of a DynamoDB table description command as shown in the exhibit. Which statement accurately describes the encryption configuration of the Users table?

105

A company is running an Amazon RDS for MySQL DB instance in a VPC. The security team requires that all connections to the database use SSL/TLS. Which combination of steps should be taken to enforce this? (Choose two.)

106

A financial services company stores sensitive data in an Amazon DynamoDB table. The security team requires that all data at rest be encrypted with a customer-managed key that is rotated automatically every 12 months. The company also needs to audit key usage. Which solution meets these requirements?

107

A company uses Amazon Redshift for its data warehouse. The security team wants to encrypt the data at rest and ensure that only authorized users can access the encryption keys. Which AWS service should be used to manage the encryption keys?

108

A company has an Amazon RDS for Oracle DB instance that stores Personally Identifiable Information (PII). The security team requires that the data be transparently encrypted at rest using a key stored in AWS CloudHSM. What should the database administrator do to meet this requirement?

109

A company uses Amazon DynamoDB with fine-grained access control based on user identity. The IAM policy for a user includes a condition that restricts access to items where the 'department' attribute equals 'engineering'. However, the user is receiving an 'AccessDeniedException' when trying to query items. What is the most likely cause?

110

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database contains sensitive data that must be encrypted at rest. Which action should the company take to enable encryption on the RDS instance?

111

A company uses Amazon RDS for PostgreSQL to store customer data. The security team wants to audit all SQL queries executed against the database, including SELECT statements. Which TWO actions should be taken to achieve this?

112

A company is designing a disaster recovery strategy for an Amazon RDS for SQL Server DB instance that contains sensitive financial data. The database must be encrypted at rest using a customer-managed AWS KMS key. The recovery point objective (RPO) is 5 minutes, and the recovery time objective (RTO) is 1 hour. Which THREE steps should be taken to meet these requirements?

113

A company is setting up an Amazon Aurora MySQL-compatible database. The security policy requires that all traffic between the application and database be encrypted in transit. Which TWO steps should be taken?

114

Refer to the exhibit. A company has attached this IAM policy to an IAM role used by an application running on Amazon EC2. The application needs to decrypt data in an S3 bucket that is encrypted with the specified KMS key. However, the application is receiving access denied errors. What is the most likely cause?

115

Refer to the exhibit. A database administrator is reviewing the output of 'SHOW FULL PROCESSLIST' on an Amazon RDS for MySQL DB instance. The company's security policy requires that all database users access only the minimum necessary data. Which user's activity should be investigated further?

116

Refer to the exhibit. A database administrator has this IAM policy attached to their user. They are trying to authorize ingress to a DB security group named 'my-security-group' in the us-east-1 region. The operation fails. What is the most likely reason?

117

A company is using Amazon RDS for MySQL and wants to restrict access to the database based on the source IP address. Which AWS feature should be used to achieve this?

118

A company is deploying an Amazon DynamoDB table with server-side encryption using a customer-managed AWS KMS key. The security team requires that the key be automatically rotated every year and that access to the key be logged. Which THREE steps should be taken?

119

A company has an Amazon Redshift cluster that contains sensitive data. The security team wants to ensure that all data is encrypted at rest and that the encryption keys are managed by AWS. Which configuration should be used?

120

A company has an Amazon RDS for MySQL database that contains sensitive data. The security team requires that all data be encrypted at rest using a customer-managed key stored in AWS KMS. Which action should be taken to meet this requirement?

121

A development team is building a serverless application that uses Amazon DynamoDB. The team needs to ensure that only the application's Lambda function can read and write data to a specific DynamoDB table. The Lambda function uses an IAM role. How should the team configure access?

122

A company uses an Amazon RDS for PostgreSQL database with Multi-AZ deployment. The security team wants to audit all SQL queries executed against the database for compliance purposes. Which solution should be implemented to capture and store the queries?

123

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all connections to the database use SSL/TLS encryption. Which step is necessary to enforce SSL connections?

124

A security engineer is investigating an Amazon RDS for MySQL database that was compromised. The engineer finds that the compromise was due to a SQL injection vulnerability in a web application. The web application uses a database user with full administrative privileges. What is the BEST practice to prevent such incidents in the future?

125

A company uses Amazon DynamoDB for its critical application. The security team requires that all access to DynamoDB tables be logged and monitored for suspicious activity. The company also needs to be alerted when a user deletes a table. Which combination of AWS services should be used?

126

A company stores sensitive customer data in an Amazon S3 bucket. The data is accessed by an Amazon Redshift cluster using the COPY command. The security team wants to ensure that data is encrypted in transit between S3 and Redshift. Which configuration should be used?

127

A company is using an Amazon RDS for MySQL database and needs to audit all database login events. The audit logs must be stored in Amazon S3 for long-term retention. Which steps should be taken to accomplish this?

128

A company's security policy requires that all database passwords be rotated every 90 days. The company uses AWS Secrets Manager to store database credentials for Amazon RDS. Which feature can be used to automate password rotation?

129

A security administrator is setting up a new Amazon RDS for SQL Server database. The company requires that all data be encrypted at rest and in transit. Additionally, the database must be accessible only from a specific CIDR range. Which TWO actions should the administrator take? (Choose TWO.)

130

A company uses Amazon DynamoDB to store session data for a web application. The security team discovers that an IAM user has been performing unauthorized scans on the table. They need to implement controls to detect and prevent such unauthorized access in the future. Which THREE actions should the security team take? (Choose THREE.)

131

A company is deploying a new Amazon RDS for MySQL database in a VPC. The database must be accessible only from an application server running in the same VPC. The security team also wants to ensure that the database is not accessible from the internet. Which TWO configurations are required? (Choose TWO.)

132

A company is using an Amazon RDS for PostgreSQL database to store sensitive customer data. The security team requires that all data be encrypted at rest and in transit, and that access to the database is restricted to only specific applications. Currently, the database is encrypted at rest using AWS KMS, and connections are made over SSL. However, the security team wants to ensure that even if the database credentials are compromised, an attacker cannot access the database from unauthorized IP addresses. What should be done to meet this requirement?

133

A company is using Amazon DynamoDB to store financial transactions. The security team requires that all access to the table be logged for auditing, and that any unauthorized access attempts trigger an immediate alert. The company has enabled AWS CloudTrail to log all DynamoDB API calls. However, the security team is concerned that CloudTrail logs may not capture all access patterns, such as queries that return no results. Which additional step should the company take to ensure comprehensive auditing and alerting?

134

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database contains personally identifiable information (PII). The security team requires that the data be encrypted at rest using a customer-managed key stored in AWS KMS. Additionally, the team wants to ensure that the key can be rotated automatically every year. What should the company do to meet these requirements?

135

A company uses Amazon Redshift for data warehousing. The security team has implemented column-level security using Redshift's column-level access controls. However, during a security audit, it is discovered that a user with SELECT privilege on a table can still see the content of a column that should be restricted. The column is defined with a GRANT statement that only allows SELECT on certain columns to specific users. What is the most likely cause of this issue?

136

A company has an Amazon S3 bucket that stores database backup files. The backups are encrypted using server-side encryption with AWS KMS (SSE-KMS). The security team wants to ensure that only a specific IAM role can decrypt the backups when restoring the database. Which policy should be attached to the KMS key to achieve this?

137

A company is using Amazon RDS for MySQL to power a web application. The database contains sensitive data, and the security team requires that all connections to the database use SSL/TLS. The team has enabled 'require_secure_transport' parameter in the DB parameter group. However, a developer reports that they are able to connect to the database using a MySQL client without specifying SSL options. What could be the reason?

138

A company is using Amazon DynamoDB with fine-grained access control using IAM policies. The security team wants to ensure that a specific IAM role can only read items from a table where the 'status' attribute equals 'active'. The table is named 'Orders'. Which IAM policy statement should be used?

139

A company is using Amazon RDS for SQL Server with Multi-AZ deployment. The security team wants to ensure that database audit logs are stored in a secure S3 bucket for long-term retention. The audit logs are currently stored on the RDS instance. Which approach should be used to export the audit logs to S3?

140

A company is using Amazon DynamoDB with a global table. The security team requires that all data be encrypted at rest using a customer-managed KMS key. The table was originally created with AWS managed key encryption. The company wants to switch to a customer-managed key without downtime. What should they do?

141

A company is using Amazon RDS for PostgreSQL and wants to implement encryption in transit for all client connections. The security team has identified that some connections are not using SSL. Which TWO actions should the company take to enforce SSL for all connections?

142

A company is using Amazon Redshift for analytics. The security team wants to audit all SQL queries executed against the database, including the actual query text, for compliance. They also want to ensure that the audit logs are stored in a secure, immutable location. Which THREE services or features should they use together to meet these requirements?

143

A company is using Amazon RDS for MySQL and wants to implement database activity monitoring to detect suspicious queries. Which TWO AWS services can be used together to achieve this?

144

A company has an Amazon DynamoDB table that stores user sessions. The security team wants to ensure that only authorized applications can read and write to the table, and that all access is logged. Which THREE steps should the company take to meet these requirements?

145

A company runs an e-commerce platform on AWS. The application uses an Amazon RDS for MySQL Multi-AZ database instance. The security team recently conducted an audit and found that the database is accessible from the internet because the public accessibility setting is enabled. The security team has disabled public accessibility and updated the security group to allow inbound traffic only from the application's security group. However, after these changes, the application can no longer connect to the database. The application is running on EC2 instances in the same VPC. The RDS instance is also in the same VPC. The security group for the RDS instance allows inbound MySQL traffic (port 3306) from the application's security group. The application's security group allows all outbound traffic. The application's EC2 instances have a public IP address and are in a public subnet. The RDS instance is in a private subnet. The VPC has an internet gateway attached. What is the most likely cause of the connection failure?

146

A company is using Amazon DocumentDB (with MongoDB compatibility) for a content management system. The security team requires that all data be encrypted at rest and in transit. The DocumentDB cluster is already encrypted at rest using AWS KMS. To enforce encryption in transit, the security team wants to ensure that all client connections use TLS. The team has enabled the 'tls' parameter in the cluster parameter group. However, a developer reports that they can still connect to the cluster without specifying TLS options using the mongo shell. The developer is connecting from an EC2 instance in the same VPC. The security group for the DocumentDB cluster allows inbound traffic on port 27017 from the EC2 instance's security group. What is the most likely reason the developer can connect without TLS?

147

A company is using an Amazon RDS for MySQL DB instance. The security team requires that all database connections be encrypted in transit. Which configuration step ensures this requirement is met?

148

A company uses Amazon DynamoDB to store sensitive user data. The security team wants to ensure that all data is encrypted at rest using a customer-managed AWS KMS key. The DynamoDB table was created with the default AWS managed key. What is the required action to change the encryption key?

149

A developer is configuring an Amazon RDS for PostgreSQL DB instance. The application connects using IAM database authentication. Which setting must be enabled on the DB instance for IAM authentication to work?

150

A company is using Amazon Redshift for data warehousing. The security team requires column-level access control so that certain users cannot view specific columns containing PII. Which approach should the data engineer implement?

151

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all data be encrypted at rest using a key stored in AWS CloudHSM. What must be done to meet this requirement?

152

A security engineer is designing access controls for an Amazon DynamoDB table containing customer data. Which TWO actions enforce least privilege access?

153

A company uses Amazon RDS for MySQL with Multi-AZ deployment. The security team wants to audit all database logins and queries. Which TWO actions should be taken to enable auditing?

154

A company is using Amazon Redshift and needs to encrypt data at rest with a customer-managed key. Which THREE steps are required to enable encryption with a customer-managed AWS KMS key?

155

A database administrator is troubleshooting why Amazon RDS Enhanced Monitoring is not displaying metrics for a DB instance. The IAM role attached to the instance has the policy shown in the exhibit. What is the likely cause?

156

A security auditor notices that the DynamoDB table 'UserData' is encrypted with a KMS key (exhibit). The company policy requires that all DynamoDB tables use an AWS managed key for encryption. What must be done to comply with the policy?

157

A developer is checking the encryption status of an RDS MySQL instance. The CLI output shows StorageEncrypted is true. What does this indicate?

158

A financial services company runs a critical application on Amazon RDS for PostgreSQL. The database stores sensitive customer financial data. The security team has mandated that all access to the database must be through IAM database authentication to eliminate the need for passwords. The application currently uses a master user password stored in AWS Secrets Manager. The DBA needs to implement IAM authentication without downtime. The application is deployed on Amazon ECS and connects to the database using a connection string. The DBA has already created an IAM role for the ECS task with a policy that allows rds-db:connect. The DBA has also modified the DB instance to require SSL. However, after making these changes, the application cannot connect. The error message indicates 'IAM authentication is not enabled for this user'. What step did the DBA miss?

159

A retail company uses Amazon DynamoDB to store product catalog data. The security team wants to ensure that only authorized applications can read and write to the table. The applications are running on Amazon EC2 instances. The current setup uses an IAM role attached to the EC2 instance with a policy that grants dynamodb:* on the specific table. However, during a security audit, it was discovered that any process on the EC2 instance can access the table because the instance has access to the temporary credentials from the instance metadata service. The security team requires that only specific processes (the application) can access the credentials, and that the credentials cannot be extracted from the instance. What should be done to meet these requirements?

160

A small business runs a web application on a single Amazon RDS for MySQL DB instance. The application uses a master user account for all database operations. The security team is concerned about the risk of SQL injection and wants to implement the principle of least privilege. They want to create separate database users for read-only and read-write operations. The application currently uses a single connection string. The developer needs to modify the application to use two separate users. What is the correct approach to implement this securely?

161

A healthcare company is migrating its patient records database to Amazon RDS for SQL Server. The database contains Protected Health Information (PHI). The compliance team requires that all PHI data be encrypted at rest and that the encryption keys be stored in a dedicated AWS CloudHSM cluster. Additionally, the database must be replicated to a second AWS region for disaster recovery. The DBA has enabled RDS encryption at rest using a KMS key, but the compliance team insists on using CloudHSM. What should the DBA do to meet the compliance requirement while maintaining disaster recovery?

162

A security engineer reviews the IAM policy attached to a user. The user is unable to modify any RDS DB instance, even when MFA is enabled. What is the most likely cause?

163

A company stores sensitive data in an Amazon RDS for PostgreSQL DB instance. The security team requires that all data at rest be encrypted. The instance is currently unencrypted. What is the simplest way to enable encryption with minimal downtime?

164

A company uses an Amazon RDS for MySQL DB instance that needs to be accessed by a Lambda function. Which TWO steps should be taken to ensure secure access?

165

A company is designing a secure strategy for managing Amazon RDS for Oracle encryption keys. They want to use AWS KMS with Customer Master Keys (CMKs) for encryption at rest. Which THREE best practices should they follow?

166

A security engineer runs the AWS CLI command shown in the exhibit. The engineer wants to ensure that all RDS DB instances in the account are encrypted at rest. What should the engineer do to remediate the unencrypted read replica?

167

A financial company uses Amazon DynamoDB to store customer transaction data. The compliance team requires that all data be encrypted at rest using a customer-managed AWS KMS key. Additionally, they need to ensure that the key is used only for DynamoDB and no other AWS service. How can the company meet these requirements?

168

A developer needs to allow an application running on an EC2 instance to connect to an Amazon RDS for MySQL DB instance securely. Which combination of steps should the developer take?

169

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all network traffic between the application servers and the database be encrypted using TLS. The application servers are in a different VPC connected via VPC Peering. What is the simplest way to enforce encryption in transit?

170

A company is running an RDS for MySQL database and needs to ensure that all connections to the database use SSL encryption. Which configuration step is required?

171

A security engineer is designing a VPC with an RDS instance. The database must not be accessible from the internet, but EC2 instances in a private subnet must connect. Which security group configuration is MOST secure?

172

A company wants to audit all SQL statements executed on their RDS for PostgreSQL database. Which AWS service should they use?

173

A company is using DynamoDB with a VPC endpoint. They want to restrict access to only requests originating from their VPC. Which policy condition should be used?

174

A company has a compliance requirement to encrypt all RDS snapshots at rest using a customer-managed KMS key. The RDS instance is already encrypted with an AWS-managed key. What is the correct procedure to ensure snapshots use the customer-managed key?

175

A developer accidentally deleted an RDS database. Which action will allow the database to be restored with the least data loss?

176

A company wants to enforce encryption in transit for all connections to their ElastiCache for Redis cluster. Which security measure should they implement?

177

A security team needs to grant an IAM user permission to modify only the 'db_secrets' secret in AWS Secrets Manager. Which IAM policy statement is correct?

178

A company is using Amazon RDS for Oracle and wants to integrate with AWS CloudTrail to log database API calls. Which action is necessary?

179

Which TWO actions can help protect an RDS database from SQL injection attacks? (Choose 2.)

180

Which THREE are valid methods to encrypt data at rest in Amazon DynamoDB? (Choose 3.)

181

Which TWO AWS services can be used to monitor database security events in real time? (Choose 2.)

182

A database administrator has the IAM policy shown in the exhibit. Which action will be allowed by this policy?

183

A developer needs to connect to the RDS instance from an EC2 instance in the same VPC. The EC2 instance's security group allows outbound traffic to 0.0.0.0/0. The RDS security group inbound rules currently allow traffic from 0.0.0.0/0 on port 3306. After a security review, the company decides to restrict inbound traffic to the VPC only. Which inbound rule should be added to the RDS security group?

184

A developer retrieved a database secret using the AWS CLI as shown. What is the MOST secure way to store and rotate this secret?

185

A company is storing sensitive customer data in an Amazon RDS for MySQL DB instance. They need to ensure that data is encrypted at rest. What is the simplest way to achieve this?

186

A company uses Amazon RDS for PostgreSQL and needs to ensure that only specific IP addresses can connect to the database. Which configuration should be used?

187

A company is designing a multi-tenant application using Amazon Aurora MySQL. Each tenant's data must be isolated from others. They need to encrypt data at rest with a unique AWS KMS key per tenant. How can this be achieved?

188

A security team is auditing an Amazon RDS for SQL Server DB instance. They notice that SSL connections are not enforced. Which configuration change will enforce SSL for all connections?

189

A developer needs to grant an IAM user permission to perform automated backups of an Amazon RDS DB instance. Which IAM action should be allowed?

190

A company is using Amazon DynamoDB with server-side encryption enabled. They need to ensure that all access to the table is audited. Which service should be used to capture data-plane API calls?

191

A company has an Amazon RDS for Oracle DB instance that is publicly accessible. They want to restrict access to only a specific CIDR block. Which two actions must be taken together?

192

A company needs to rotate the master user password for an Amazon RDS for MySQL DB instance. What is the recommended way to do this without downtime?

193

A security engineer needs to ensure that all access to an Amazon DynamoDB table is encrypted in transit. Which configuration achieves this?

194

Which TWO of the following are methods to control access to an Amazon RDS DB instance? (Select TWO.)

195

Which THREE of the following are best practices for securing an Amazon Aurora MySQL database? (Select THREE.)

196

Which TWO of the following are valid ways to encrypt data at rest in Amazon DynamoDB? (Select TWO.)

197

An IAM policy is attached to a user. What is the effect of this policy on the user's ability to delete the DB instance named prod-db?

198

An RDS DB instance has two security groups attached. Security group sg-12345678 allows inbound traffic on port 3306 from 0.0.0.0/0. Security group sg-87654321 allows inbound traffic on port 3306 from 10.0.0.0/16. What is the effective inbound access to the DB instance?

199

A KMS key has the grant shown. An IAM role named AdminRole is the grantee. What additional permission does this grant provide to AdminRole beyond what the role's IAM policy allows?

200

A company is using an Amazon RDS for MySQL DB instance to store sensitive customer data. A security audit reveals that all database traffic between the application and the database is transmitted in plaintext. Which configuration change would encrypt data in transit for new connections?

201

A financial services company uses Amazon DynamoDB to store transaction records. The security team requires that all items be encrypted at rest using a customer-managed AWS KMS key. Additionally, the company must be able to audit key usage and rotation. What is the MOST secure and auditable approach?

202

A developer needs to grant an IAM user the ability to perform all operations on an Amazon RDS DB instance except the ability to delete it. Which IAM policy action should be explicitly denied?

203

A company uses Amazon RDS for PostgreSQL with Multi-AZ deployment. The security team wants to ensure that any access to the database is logged, including SELECT queries. What should be done to capture these logs?

204

A company runs an Amazon Aurora MySQL-compatible database cluster. The security team requires that all database credentials be rotated automatically every 30 days. Which combination of AWS services can meet this requirement with minimal operational overhead?

205

A developer accidentally exposed an Amazon RDS snapshot to the public. What is the quickest way to remediate this issue?

206

A company uses Amazon DynamoDB with a global secondary index (GSI) and client-side encryption using the AWS Encryption SDK. The security team requires that the partition key and sort key be searchable by the application but not stored in plaintext in the table. Which approach should be taken?

207

A company uses Amazon Redshift for data warehousing. The security team requires that all data be encrypted at rest with a customer-managed key, and that the key be rotated every year. Which configuration meets these requirements?

208

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all connections to the database use Oracle Native Network Encryption (NNE). How should this be configured?

209

Which TWO actions will help protect an Amazon RDS for MySQL database from a SQL injection attack? (Select TWO.)

210

Which THREE practices should be implemented to secure an Amazon DynamoDB table that stores personally identifiable information (PII)? (Select THREE.)

211

Which TWO methods can be used to securely connect to an Amazon RDS for PostgreSQL DB instance from an EC2 instance in the same VPC? (Select TWO.)

212

Refer to the exhibit. An IAM policy is attached to a user. What is the effect when the user attempts to delete the RDS DB instance named 'prod-db'?

213

Refer to the exhibit. The output is from the AWS CLI for an RDS instance. The security team suspects that the encryption key used for this DB instance has been compromised. What is the required action to re-encrypt the instance with a new key?

214

Refer to the exhibit. A developer created an IAM policy with the above command and attached it to a user. What is the security implication of this policy?

215

A company wants to encrypt data at rest for an existing Amazon RDS for MySQL DB instance. The database is currently unencrypted. What is the most efficient way to enable encryption?

216

A security team needs to audit all SQL statements executed against an Amazon Aurora MySQL DB cluster. Which combination of actions should be taken to achieve this? (Choose TWO.)

217

A company has an Amazon DynamoDB table with a global secondary index (GSI). The security team wants to ensure that only certain attributes are returned in query results based on the IAM policy of the calling user. What is the most secure and scalable approach?

218

A developer needs to connect to an Amazon RDS for PostgreSQL DB instance from an EC2 instance in the same VPC. What is the most secure way to authenticate the connection without storing database credentials in the application code?

219

A security engineer is designing a solution to encrypt data at rest for an Amazon Redshift cluster. The company requires that the encryption key be rotated automatically every year. Which solution meets these requirements?

220

A company is using an Amazon DynamoDB table with a global table configuration across two AWS regions. The security team wants to ensure that all data is encrypted in transit between the regions. What should the team do?

221

A company wants to audit all API calls made to its Amazon RDS DB instances. Which AWS service should be used to capture these API calls?

222

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security policy requires that all connections to the database use SSL/TLS. What should the database administrator do to meet this requirement?

223

A company is using Amazon DynamoDB Accelerator (DAX) for caching. The security team is concerned about data in transit between the application and DAX. What should the team do to ensure that all traffic to DAX is encrypted?

224

A security engineer needs to restrict access to an Amazon DynamoDB table so that only users from a specific AWS account can read and write data. Which of the following can be used to achieve this? (Choose TWO.)

225

A company is running an Amazon RDS for SQL Server DB instance with Multi-AZ deployment. The security team wants to ensure that all data at rest is encrypted using a customer-managed key stored in AWS KMS. Which steps must be taken to achieve this? (Choose THREE.)

226

A company is using Amazon Aurora MySQL and needs to audit database logins. Which of the following can be used to capture login events? (Choose TWO.)

227

An IAM policy is attached to a user. What does this policy allow the user to do?

228

A database administrator runs the described command. What does the output indicate about the RDS instance?

229

An IAM policy is attached to a user. Which of the following actions will be allowed?

230

A company is migrating an Oracle database to Amazon RDS for Oracle. Security policy requires that all database connections be encrypted in transit. The security team wants to enforce that clients must use TLS 1.2 or higher. How can this be achieved?

231

A financial services company uses Amazon RDS for MySQL to store sensitive customer data. The compliance team requires that all database administrators (DBAs) must authenticate using IAM database authentication, and no static database passwords should be used. A junior DBA has been granted the rds_iam role in the database. However, the junior DBA is unable to connect using the AWS CLI command: aws rds generate-db-auth-token --hostname mydb.xyz.us-east-1.rds.amazonaws.com --port 3306 --username jdba. The error message says 'Access denied'. What is the most likely cause?

232

A company is using Amazon RDS for PostgreSQL to store application data. The security team wants to ensure that database audit logs are stored securely and cannot be modified after creation. Which AWS service should be used to meet this requirement?

233

A company is running an Amazon RDS for SQL Server instance with Multi-AZ deployment. The security team requires that all data at rest be encrypted. The instance was originally launched without encryption. What is the most efficient way to enable encryption at rest for this existing instance?

234

A company uses Amazon DynamoDB to store session data. The security team has enabled DynamoDB Accelerator (DAX) for performance. However, they are concerned about data encryption at rest. DAX encrypts data at rest by default. The security team wants to use a customer managed key (CMK) in AWS KMS. How can this be configured?

235

A company is using Amazon Aurora MySQL and needs to audit all database logins and query activity. Which feature should be enabled to meet this requirement?

236

A company is using Amazon RDS for MySQL and wants to restrict access to a specific database so that an application user can only perform SELECT and INSERT operations on tables within that database. The application user already exists. Which SQL statement should be executed?

237

A company is using Amazon DynamoDB with AWS Lambda to process data. The Lambda function needs to read and write items to a DynamoDB table. The security team wants to follow the principle of least privilege. Which IAM policy statement should be attached to the Lambda execution role?

238

A company is using Amazon RDS for PostgreSQL and needs to ensure that all connections to the database use encryption in transit. The database is accessible over the internet. Which configuration is required?

239

A company is designing a security strategy for an Amazon RDS for MySQL instance that stores Personally Identifiable Information (PII). Which TWO measures should be implemented to protect the data at rest?

240

A company uses Amazon DynamoDB with DAX and wants to implement fine-grained access control using IAM. Which THREE conditions can be used in an IAM policy to restrict access to specific items based on the primary key?

241

A company is using Amazon RDS for Oracle and needs to comply with regulatory requirements that mandate encryption of all data at rest and in transit. Which TWO actions should be taken to meet these requirements?

242

A company wants to ensure that an Amazon RDS for MySQL DB instance is encrypted at rest. Which action should be taken to enable encryption for the first time?

243

A database administrator needs to audit all SQL statements executed on an Amazon Aurora MySQL DB cluster, including SELECT queries. Which AWS service should be used to capture and store these logs?

244

A company has an Amazon DynamoDB table that stores sensitive user data. The security team requires that all data is encrypted at rest using a customer-managed AWS KMS key. Additionally, they want to ensure that the table can only be accessed by a specific IAM role. Which combination of steps should be taken to meet these requirements? (Select TWO.)

245

A company needs to enforce that all new Amazon RDS DB instances are automatically encrypted at rest. What is the most efficient way to achieve this?

246

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database contains personally identifiable information (PII). The security team requires that all PII columns be transparently encrypted and that the encryption keys be stored in AWS CloudHSM. Which solution meets these requirements?

247

A company has an Amazon RDS for PostgreSQL DB instance that needs to be accessed by an application running on an Amazon EC2 instance. Both resources are in the same VPC. The security team insists that all traffic between the application and the database be encrypted in transit. Which configuration ensures this?

248

A company wants to store database credentials for an Amazon RDS instance securely. Which AWS service should be used to rotate the credentials automatically?

249

A company needs to audit access to an Amazon DynamoDB table. The audit should capture which IAM user or role performed each action. Which AWS service should be used?

250

A company has an Amazon RDS for SQL Server DB instance that stores financial data. The security team requires that the data be encrypted at rest using a customer-managed key stored in AWS KMS. Additionally, they want to ensure that the key cannot be deleted without authorization. What should be done?

251

A company wants to restrict access to an Amazon DynamoDB table so that only requests from a specific VPC endpoint are allowed. Which policy should be attached to the table?

252

A company is using Amazon RDS for PostgreSQL with a read replica. The security team wants to ensure that data in transit between the primary DB instance and the read replica is encrypted. What should be done?

253

A company needs to comply with PCI DSS requirements for an Amazon RDS for Oracle DB instance. The requirements include encryption of sensitive data at rest and in transit, and automated key rotation. Which combination of services and configurations should be used? (Select THREE.)

254

A company has an Amazon DynamoDB table with a global secondary index (GSI). The security team wants to ensure that the table and the GSI are encrypted at rest. How can this be achieved?

255

A company is designing a security strategy for an Amazon Aurora MySQL database. They need to ensure that database activity is monitored for suspicious behavior and that alerts are sent when anomalies are detected. Which AWS services should be combined to achieve this? (Select TWO.)

256

A company has an Amazon RDS for MySQL DB instance that is publicly accessible. The security team wants to restrict access to only specific IP addresses. Which configuration should be used?

257

A company wants to encrypt an existing unencrypted Amazon RDS for PostgreSQL DB instance. What is the correct procedure?

258

A company is using Amazon DynamoDB with client-side encryption using the DynamoDB Encryption Client. The encryption keys are stored in AWS KMS. The security team wants to ensure that the encryption keys can be used only by authorized applications. What should be done?

259

A company is using Amazon RDS for MySQL and needs to encrypt data at rest for an existing DB instance. Which approach meets this requirement with minimal downtime?

260

A security team is auditing IAM policies for Amazon RDS. They want to ensure that all RDS snapshots shared with other AWS accounts are encrypted. Which IAM policy condition key should be used to enforce this?

261

A company uses Amazon Aurora MySQL and needs to audit all database logins, including failed attempts. Which feature should be enabled?

262

A developer needs to allow an application running on EC2 to access an Amazon RDS database without storing database credentials in the application code. Which solution is the MOST secure?

263

A company wants to enforce that all new Amazon RDS DB instances are created with encryption at rest enabled. Which approach should be taken?

264

A company needs to securely store and manage the master password for their Amazon RDS for PostgreSQL instance. Which AWS service is purpose-built for managing secrets with automatic rotation?

265

An application uses an Amazon RDS for MySQL database. The security team requires that all traffic to the database be encrypted in transit. Which configuration ensures this?

266

A company has an Amazon RDS for Oracle DB instance that needs to be encrypted at rest. The instance currently uses Oracle Transparent Data Encryption (TDE) with a key stored in the database. The company wants to use AWS KMS for key management. What is the correct migration path?

267

A company wants to audit all SQL statements executed on their Amazon Aurora MySQL database for compliance. Which AWS feature should be enabled?

268

Which TWO actions should a company take to secure an Amazon RDS for MySQL database that is accessible from the internet? (Choose two.)

269

Which THREE components are required to set up IAM database authentication for an Amazon RDS for MySQL DB instance? (Choose three.)

270

Which TWO AWS services can be used to centrally manage database credentials and automate rotation for Amazon RDS? (Choose two.)

271

A security engineer runs the commands shown in the exhibit for an RDS MySQL DB instance. The engineer wants to enforce SSL connections to the database. What should the engineer do?

272

An IAM policy is shown in the exhibit. What is the effect of this policy when a user tries to create an unencrypted RDS DB instance?

273

A snapshot of an Amazon RDS DB instance is shown in the exhibit. What does the output indicate?

274

A company is using Amazon RDS for MySQL with automated backups enabled. The security team requires that all backups be encrypted at rest. Which configuration ensures that new automated backups are encrypted?

275

A developer wants to grant an IAM user read-only access to an Amazon DynamoDB table named 'Orders' in the 'us-east-1' region. Which IAM policy should be attached to the user?

276

A financial company uses Amazon RDS for PostgreSQL with a custom parameter group. The security team wants to ensure that all connections to the database are encrypted in transit. Which combination of actions should the database administrator take? (Select TWO.)

277

A developer is troubleshooting an issue where an IAM user cannot perform a 'DescribeTable' action on a DynamoDB table. The IAM policy attached to the user is: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["dynamodb:GetItem","dynamodb:PutItem"],"Resource":"*"}]}. What is the most likely reason for the failure?

278

A company is migrating its Oracle database to Amazon RDS for Oracle. The security team requires that all data be encrypted at rest using a customer-managed AWS KMS key. Which TWO steps are necessary to achieve this?

279

A company uses Amazon DynamoDB with a global secondary index (GSI). The security team requires that only specific IAM users can query the GSI. Which THREE conditions must be met to restrict access to the GSI?

280

A database administrator runs the command shown in the exhibit. The security team requires that the database be encrypted at rest. What should the administrator do to enable encryption?

281

A company uses Amazon RDS for SQL Server with Multi-AZ deployment. The security team wants to ensure that all data at rest is encrypted using a customer-managed KMS key in both the primary and standby instances. Which THREE actions are required?

282

A company wants to restrict access to an Amazon RDS for MySQL DB instance so that only applications running in a specific VPC can connect. Which solution should be implemented?

283

A user is unable to list the contents of the S3 bucket 'my-db-backups' using the AWS CLI. The IAM policy attached to the user is shown in the exhibit. What is the likely cause?

284

A company uses Amazon RDS for PostgreSQL and wants to audit all database login attempts. Which TWO services can be used together to achieve this?

285

A company runs a production Amazon DynamoDB table with on-demand capacity. The security team requires that all access to the table be logged for compliance. What is the most cost-effective way to log every DynamoDB API call?

286

A company needs to encrypt an existing unencrypted Amazon RDS for Oracle DB instance. Which set of steps should be followed?

287

A CloudFormation template is used to create an RDS DB instance with encryption, as shown in the exhibit. The stack creation fails because the DB instance creation fails. What is the most likely cause?

288

A company uses Amazon RDS for MySQL and wants to ensure that database users are authenticated using IAM database authentication. Which action must be performed to enable this?

289

A company wants to audit all SQL queries made to their Amazon RDS for MySQL database. Which AWS service should they use?

290

A company needs to encrypt data at rest for their Amazon Aurora PostgreSQL database. Which solution is the MOST secure and requires the least operational overhead?

291

A security team is investigating a potential data breach in an Amazon RDS for SQL Server database. They need to determine which user executed a specific DELETE statement at a particular time. What should they do?

292

A company wants to restrict access to an Amazon DynamoDB table so that only specific IAM users can read and write data. What is the BEST way to achieve this?

293

A company hosts a critical application on Amazon RDS for PostgreSQL. The security team requires that all database connections be encrypted in transit. Which configuration step is necessary?

294

A company is using Amazon RDS for Oracle with Transparent Data Encryption (TDE) enabled. They need to rotate the TDE master key. What is the correct procedure?

295

A company wants to ensure that an Amazon RDS for MySQL database is automatically backed up daily and backups are encrypted. What should they do?

296

A company is using Amazon DynamoDB with encryption at rest using an AWS managed key. The security team now requires that the encryption key be rotated every 90 days. What should they do?

297

A company is using Amazon RDS for PostgreSQL and needs to audit login attempts. Which configuration is required?

298

Which TWO actions can be used to encrypt an existing unencrypted Amazon RDS for MySQL DB instance? (Choose 2.)

299

Which THREE measures can help protect an Amazon RDS database from a DDoS attack? (Choose 3.)

300

Which TWO AWS services can be used to monitor and alert on suspicious database access patterns in Amazon RDS? (Choose 2.)

Practice all 300 Database Security questions

Other DBS-C01 exam domains

Workload-Specific Database DesignDeployment and MigrationManagement and OperationsMonitoring and Troubleshooting

Frequently asked questions

What does the Database Security domain cover on the DBS-C01 exam?

The Database Security domain covers the key concepts tested in this area of the DBS-C01 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all DBS-C01 domains — no account required.

How many Database Security questions are in the DBS-C01 question bank?

The Courseiva DBS-C01 question bank contains 300 questions in the Database Security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Database Security for DBS-C01?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Database Security questions for DBS-C01?

Yes — the session launcher on this page draws questions exclusively from the Database Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your DBS-C01 domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide