Courseiva

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

DBS-C01 Database Security — All Questions With Answers

Complete DBS-C01 Database Security question bank — all 0 questions with answers and detailed explanations.

321 Questions
Question 1 (medium, multi select)

A company runs an Amazon RDS for MySQL DB instance in a VPC. Security requirements mandate that only specific EC2 instances in the same VPC can connect to the database. The security group attached to the RDS instance currently allows inbound traffic on port 3306 from 0.0.0.0/0. Which combination of steps should a database specialist take to meet the security requirement without impacting existing application connectivity? (Choose two.)

Question 2 (hard, multiple choice)

A company uses Amazon DynamoDB with a table that stores sensitive customer data. The security team requires that all data at rest be encrypted using a customer-managed AWS KMS key (CMK). Additionally, the company needs to ensure that only specific IAM roles can access the table. Which solution meets these requirements with the least operational overhead?

Question 3 (easy, multiple choice)

A database specialist is troubleshooting a connectivity issue with an Amazon RDS for PostgreSQL instance. The instance is in a VPC with a public subnet. The security group allows inbound traffic on port 5432 from the application server's IP address. The application server is in the same VPC but in a private subnet. Despite the security group configuration, the application cannot connect. Which action should the specialist take to resolve the issue?

Question 4 (hard, multiple choice)

A company stores financial data in an Amazon Aurora MySQL DB cluster. The security team requires that database audit logs be stored in Amazon CloudWatch Logs and encrypted at rest using a customer-managed KMS key. The database specialist enables audit log publishing to CloudWatch Logs and specifies a KMS key for log encryption. However, the audit logs are not appearing in CloudWatch Logs. What is the most likely cause?

Question 5 (medium, multiple choice)

A company uses Amazon ElastiCache for Redis to cache session data. The security team requires that all data in transit be encrypted. The Redis cluster currently does not have encryption in transit enabled. The database specialist needs to enable encryption in transit with minimal downtime. Which action should the specialist take?

Question 6 (hard, multi select)

A company uses Amazon RDS for SQL Server with Multi-AZ deployment. The security team wants to ensure that all database connections use SSL/TLS encryption. Which TWO actions should the database specialist take to enforce SSL connections? (Choose two.)

Question 7 (easy, multi select)

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all data be encrypted at rest using a customer-managed KMS key. Additionally, the database should be accessible only from a specific VPC. Which THREE steps should the database specialist take to meet these requirements? (Choose three.)

Question 8 (medium, multiple choice)

A company uses Amazon RDS for MySQL with encryption at rest enabled. The security team mandates that all access to the database must be authenticated using IAM database authentication. The database administrator has created a user 'app_user' and granted appropriate privileges. However, when the application tries to connect using an IAM authentication token, it receives an 'Access denied' error. Which action should be taken to resolve this issue?

Question 9 (easy, multiple choice)

A company is designing a multi-tier application that uses Amazon RDS for PostgreSQL. The application must encrypt data at rest and in transit. Which combination of steps should be taken to meet these requirements? (Choose the single best answer.)

Question 10 (hard, multiple choice)

A financial services company uses Amazon DynamoDB to store sensitive customer data. The security team requires that all data at rest be encrypted using a customer-managed AWS KMS key (CMK) with automatic rotation enabled. The DynamoDB table was created with the default AWS-managed key. Which steps are necessary to transition to a customer-managed CMK while minimizing downtime and data loss?

Question 11 (medium, multiple choice)

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The compliance team requires that all database connections use SSL/TLS and that users authenticate using IAM database authentication. The database migration is completed, but the application team reports that connections using IAM authentication are failing. The company has already enabled IAM database authentication on the RDS instance. What is the most likely cause of the failure?

Question 12 (easy, multi select)

A company is using Amazon RDS for MySQL with Multi-AZ deployment. The security team wants to ensure that database administrators cannot view sensitive data. Which TWO actions should be taken to achieve this goal?

Question 13 (hard, multi select)

A company is designing a disaster recovery strategy for an Amazon Aurora MySQL database. The database stores sensitive data that must be encrypted at rest. The primary region is us-east-1, and the secondary region is us-west-2. Which THREE steps are required to set up cross-region replication with encryption at rest?

Question 14 (hard, multiple choice)

A security engineer is troubleshooting an issue where an application using IAM role 'app-role' with a trust policy to assume the 'app-user' user is unable to decrypt an RDS database that uses a customer-managed KMS key. The above key policy is attached to the KMS key. What is the likely cause of the failure?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRoot",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowAppUser",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/app-user"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "rds.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}

Question 15 (medium, multiple choice)

A company has a production Amazon RDS for SQL Server database that stores financial data. The database administrator wants to audit all access to sensitive columns (e.g., credit card numbers) using the SQL Server Audit feature. The database is part of a Multi-AZ deployment. The administrator has enabled audit logging to the 'DEFAULT' file audit target, but the audit files are being written to the local instance storage and are not being retained after failover. The compliance team requires that audit logs be stored in Amazon S3 for at least 7 years. The administrator has set up an event subscription to send database events to an S3 bucket using AWS DMS, but the audit logs are not being captured. What should the administrator do to meet the compliance requirements?

Question 16 (hard, multiple choice)

A financial services company runs a critical application on Amazon RDS for PostgreSQL with Multi-AZ and automated backups enabled. The database stores sensitive customer data, and the security team recently audited the environment and found that the database master user password is stored in plain text in a configuration file on the application server. Additionally, the security team noted that the database security group allows inbound traffic from 0.0.0.0/0 on port 5432. The company needs to remediate these issues immediately without downtime and must ensure that access to the database is restricted to only the application servers, and that password management follows AWS best practices. The application connects to the database using the master user credentials. What should the database specialist do to meet these requirements?

Question 17 (medium, multi select)

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all connections to the database be encrypted in transit. Which TWO steps should be taken to enforce this requirement?

Question 18 (hard, multiple choice)

Refer to the exhibit. A security engineer has applied this key policy to a customer managed KMS key used to encrypt a Secrets Manager secret containing database credentials. An application running on an Amazon EC2 instance in the same account and region is unable to decrypt the secret. What is the MOST likely cause?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/abc12345-...",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com",
          "kms:CallerAccount": "123456789012"
        }
      }
    }
  ]
}

Question 19 (easy, multiple choice)

A company runs an e-commerce application on AWS using an Aurora MySQL database cluster. The security team mandates that all database audit logs must be stored in Amazon S3 for at least one year for compliance. The database is currently configured to publish audit logs to Amazon CloudWatch Logs. The security team wants to use AWS Database Migration Service (DMS) to migrate the database to a new Aurora MySQL cluster, and during the migration, the audit logs must continue to be captured uninterrupted. Which solution meets these requirements with the LEAST operational overhead?

Question 20 (medium, drag order)

Arrange the steps to troubleshoot a connection timeout issue from an EC2 instance to an Amazon RDS for SQL Server DB instance in the correct order.

Question 21 (medium, drag order)

Arrange the steps to restore an Amazon RDS for MySQL DB instance to a new instance from a manual snapshot in the correct order.

Question 22 (medium, matching)

Match each DynamoDB concept to its definition.

Matches

Single attribute used to distribute data across partitions

Attribute that determines order within a partition

Index with a different partition and sort key for alternate query patterns

Index with the same partition key but different sort key

Time-ordered sequence of item-level changes in a table

Question 23 (medium, matching)

Match each AWS database migration tool/service to its function.

Matches

Migrates databases to AWS with minimal downtime

Converts database schema and code to target engine

Physical device for large-scale data transfer

Continuous replication for ongoing changes

ETL service for preparing and transforming data

Question 24 (hard, multiple choice)

A company is using an RDS for MySQL DB instance encrypted at rest with AWS KMS. The security team requires that all access to the database be logged, including queries that fail due to authentication errors. Which configuration meets this requirement?

Question 25 (easy, multiple choice)

A developer needs to allow an application running on an EC2 instance to read and write data to a DynamoDB table named 'Orders'. The EC2 instance is configured with an IAM role. Which IAM policy should be attached to the role?

Question 26 (medium, multiple choice)

A company's security team wants to encrypt data at rest for an existing RDS for PostgreSQL DB instance. The instance is currently unencrypted. Which steps should the team take to enable encryption with minimal downtime?

Question 27 (hard, multiple choice)

A company uses Amazon Redshift for data warehousing. The security team requires that all data loaded into the cluster be encrypted at rest using a customer-managed KMS key. The cluster is currently unencrypted. What is the most efficient way to achieve this requirement with minimal data loss?

Question 28 (easy, multiple choice)

A company has an RDS for SQL Server DB instance that stores sensitive data. The database administrator needs to ensure that all connections to the database use SSL/TLS encryption. What should the administrator do?

Question 29 (medium, multiple choice)

A company uses Amazon DynamoDB with AWS KMS customer managed keys for encryption at rest. The security team wants to audit who is using the KMS key to encrypt and decrypt data. Which AWS service should be used?

Question 30 (hard, multiple choice)

A company has a multi-AZ RDS for PostgreSQL DB instance. The security team wants to ensure that database audit logs are stored in CloudWatch Logs for real-time monitoring. The team enabled the 'pgaudit.log' parameter and set 'log_destination' to 'csvlog'. However, logs are not appearing in CloudWatch. What is the most likely cause?

Question 31 (easy, multiple choice)

A developer is writing an AWS Lambda function that needs to access a Secrets Manager secret to retrieve database credentials. The Lambda function has an IAM role. Which action must be allowed in the IAM policy?

Question 32 (medium, multiple choice)

A company is using Amazon Aurora MySQL-Compatible Edition. The database administrator wants to restrict a specific user to only execute SELECT statements on a specific database. Which SQL command should the administrator use?

Question 33 (medium, multi select)

Which TWO actions should be taken to protect sensitive data in an Amazon RDS for Oracle DB instance? (Choose two.)

Question 34 (hard, multi select)

Which THREE methods can be used to authenticate users to an Amazon RDS for MySQL DB instance? (Choose three.)

Question 35 (easy, multi select)

Which TWO AWS services can be used to centrally manage database credentials securely? (Choose two.)

Question 36 (hard, multiple choice)

A database administrator runs the AWS CLI command shown in the exhibit. The administrator wants to enable encryption at rest for the RDS instance. What should the administrator do?

Exhibit

Refer to the exhibit.

aws rds describe-db-instances --db-instance-identifier mydb --query 'DBInstances[0].{StorageEncrypted:StorageEncrypted

{
  "StorageEncrypted": false,
  "KmsKeyId": null
}

Question 37 (medium, multiple choice)

A security engineer creates the IAM policy shown in the exhibit and attaches it to an IAM user. What is the effect of this policy?

Exhibit

Refer to the exhibit.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances",
                "rds:ModifyDBInstance"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "rds:DeleteDBInstance",
            "Resource": "arn:aws:rds:us-east-1:123456789012:db:prod-db"
        }
    ]
}

Question 38 (easy, multiple choice)

A developer runs the AWS CLI command shown in the exhibit. What is the output indicating?

Exhibit

Refer to the exhibit.

aws secretsmanager get-secret-value --secret-id MyDatabaseSecret

{
  "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:MyDatabaseSecret-abc123",
  "Name": "MyDatabaseSecret",
  "SecretString": "{\"username\":\"admin\",\"password\":\"P@ssw0rd\"}",
  "VersionId": "abc123"
}

Question 39 (medium, multiple choice)

A company is using Amazon RDS for MySQL with encryption at rest enabled. The security team requires that all access to the database be authenticated using IAM database authentication. Which combination of steps must the company take to meet this requirement?

Question 40 (hard, multiple choice)

A financial services company runs a critical application on Amazon RDS for PostgreSQL. They must ensure that database activity logs are sent to Amazon CloudWatch Logs for real-time monitoring. The logs must include all SQL queries, including SELECT statements. Which configuration will meet these requirements?

Question 41 (easy, multiple choice)

A company wants to encrypt data at rest for an existing Amazon RDS for Oracle DB instance. The database is currently unencrypted. What is the simplest way to enable encryption with minimal downtime?

Question 42 (hard, multiple choice)

A company is using Amazon Aurora MySQL-Compatible Edition. The security team wants to ensure that database credentials are not stored in application configuration files. They decide to use AWS Secrets Manager to manage credentials. The application is hosted on Amazon EC2 instances that have an IAM role attached. What is the most secure way to grant the application access to the secret?

Question 43 (medium, multiple choice)

A company is using Amazon DynamoDB to store sensitive customer data. They need to ensure that all data is encrypted at rest using a customer-managed AWS KMS key. The company also wants to rotate the KMS key every year. What is the simplest way to achieve key rotation?

Question 44 (hard, multiple choice)

A company uses Amazon RDS for SQL Server with Multi-AZ deployment. The security team has mandated that all connections to the database must use SSL/TLS. The database is accessed by multiple applications running on EC2 instances. Which configuration ensures that all connections use SSL/TLS?

Question 45 (medium, multiple choice)

A company is using Amazon Redshift for data warehousing. They need to ensure that data is encrypted at rest using a customer-managed AWS KMS key. The cluster is currently unencrypted. What is the simplest way to enable encryption?

Question 46 (easy, multiple choice)

A company is using Amazon RDS for MySQL. They want to audit all database logins and failed login attempts. Which option should they enable?

Question 47 (hard, multiple choice)

A company uses Amazon DynamoDB with a global secondary index (GSI) on a table that contains sensitive data. The security team requires that the GSI be encrypted with a different AWS KMS key than the base table. Can this be achieved, and if so, how?

Question 48 (medium, multi select)

A company is deploying a new application on Amazon RDS for PostgreSQL. The security policy requires that all data be encrypted at rest and in transit. Which TWO actions should the company take to meet these requirements?

Question 49 (hard, multi select)

A company uses Amazon Aurora MySQL-Compatible Edition. The security team wants to implement database activity streams to monitor database activity. Which THREE statements are true about Aurora database activity streams?

Question 50 (easy, multi select)

A company is using Amazon DynamoDB and wants to restrict access to a specific table so that only users in a particular IAM group can perform read and write operations. Which THREE steps should be taken to achieve this?

Question 51 (medium, multiple choice)

A company is migrating its on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all data at rest be encrypted using a customer-managed key stored in AWS KMS, and that the key be rotated automatically every year. The company also needs to ensure that only specific IAM roles can access the key. Which combination of steps should the database administrator take to meet these requirements?

Question 52 (hard, multiple choice)

A company has an Amazon RDS for MySQL Multi-AZ DB instance that stores sensitive financial data. The security team has enabled encryption at rest using a KMS key. They also need to ensure that database audit logs are encrypted and stored in an S3 bucket. The logs must be accessible only by the security team via a VPC endpoint. The log data must be retained for 7 years. Which solution meets these requirements with the LEAST operational overhead?

Question 53 (easy, multiple choice)

A company is using Amazon RDS for PostgreSQL. The security team wants to ensure that all connections to the database are encrypted in transit. Currently, applications connect using the PostgreSQL native encryption (SSL/TLS). What is the MOST secure way to enforce encrypted connections?

Question 54 (medium, multiple choice)

A company is using Amazon DynamoDB to store customer session data. The security team requires that all data is encrypted at rest using a customer-managed KMS key, and that access to the key is restricted to specific IAM roles. The company also wants to ensure that DynamoDB Accelerator (DAX) cluster is encrypted. Which steps should be taken to meet these requirements?

Question 55 (hard, multiple choice)

A company has an Amazon RDS for SQL Server Multi-AZ DB instance with a standby replica in a different AWS Region. The database is encrypted with a KMS key. The company needs to implement automated backups that are also encrypted and stored in a cross-region S3 bucket. The backups must be retained for 3 years. Which solution meets these requirements with the LEAST administrative effort?

Question 56 (medium, multiple choice)

A company is using Amazon Redshift for data warehousing. The security team requires that all data is encrypted at rest using a hardware security module (HSM). Additionally, the team wants to ensure that only specific IAM roles can access the database. Which configuration will meet these requirements?

Question 57 (easy, multiple choice)

A company is using Amazon Aurora MySQL-Compatible Edition. The security team wants to audit all database login attempts and store the logs in Amazon S3 for 90 days. Which solution meets these requirements with the LEAST operational overhead?

Question 58 (hard, multiple choice)

A company has an Amazon DynamoDB table with global secondary indexes (GSIs) that store personally identifiable information (PII). The security team requires that all PII is encrypted at rest using a customer-managed KMS key. The table already exists and is encrypted with the default AWS managed key. What is the MOST efficient way to change the encryption to a customer-managed key?

Question 59 (medium, multiple choice)

A company is using Amazon RDS for PostgreSQL and needs to implement column-level encryption for sensitive data. The application must be able to encrypt and decrypt data transparently. Which approach should be taken?

Question 60 (medium, multi select)

A company is using Amazon RDS for MySQL and needs to comply with PCI DSS requirements. Which TWO actions should the company take to secure the database? (Choose TWO.)

Question 61 (hard, multi select)

A company is designing a security architecture for Amazon DynamoDB. They need to ensure that only authorized applications can access the data, and that data in transit is encrypted. Which THREE steps should be taken? (Choose THREE.)

Question 62 (hard, multi select)

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all database connections use SSL and that the database is encrypted at rest. Which THREE steps are required to meet these requirements? (Choose THREE.)

Question 63 (medium, multiple choice)

An IAM policy is attached to a role used by an RDS instance. The RDS instance is in a VPC with a VPC endpoint to KMS. What is the effect of this policy?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "rds.us-east-1.amazonaws.com",
          "aws:SourceVpce": "vpce-12345678"
        }
      }
    }
  ]
}

Question 64 (hard, multiple choice)

The security team reports that the database 'mydb' is not encrypted. However, the CLI output shows 'StorageEncrypted' is true. What is the MOST likely reason for the security team's concern?

Exhibit

Refer to the exhibit.

$ aws rds describe-db-instances --db-instance-identifier mydb

{
  "DBInstances": [
    {
      "DBInstanceIdentifier": "mydb",
      "DBInstanceClass": "db.m5.large",
      "Engine": "mysql",
      "DBInstanceStatus": "available",
      "MasterUsername": "admin",
      "Endpoint": {
        "Address": "mydb.123456789012.us-east-1.rds.amazonaws.com",
        "Port": 3306,
        "HostedZoneId": "Z1R2S3V4"
      },
      "StorageEncrypted": true,
      "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "DBSecurityGroups": [],
      "VpcSecurityGroups": [
        {
          "VpcSecurityGroupId": "sg-12345678",
          "Status": "active"
        }
      ],
      "DBParameterGroups": [
        {
          "DBParameterGroupName": "default.mysql8.0",
          "ParameterApplyStatus": "in-sync"
        }
      ],
      "PubliclyAccessible": false,
      "IAMDatabaseAuthenticationEnabled": false
    }
  ]
}

Question 65 (medium, multiple choice)

An IAM policy is attached to an IAM user. The user wants to connect to an RDS MySQL database using IAM database authentication. What does this policy allow?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds-db:connect"
      ],
      "Resource": [
        "arn:aws:rds-db:us-east-1:123456789012:dbuser:db-ABCDEFGHIJKL01234/db_user1"
      ]
    }
  ]
}

Question 66 (medium, multiple choice)

A company is migrating its on-premises Oracle database to Amazon RDS for Oracle. As part of the migration, they need to ensure that all sensitive data is encrypted at rest using AWS Key Management Service (AWS KMS). Which configuration step is required to achieve this?

Question 67 (hard, multiple choice)

A company uses Amazon DynamoDB with AWS KMS-managed encryption at rest. The security team requires that all access to a particular DynamoDB table be logged for audit purposes. Which solution meets this requirement?

Question 68 (easy, multiple choice)

A company is using Amazon RDS for MySQL and needs to restrict access to the database to only specific Amazon EC2 instances in the same VPC. Which security mechanism should be used?

Question 69 (hard, multiple choice)

A company has an Amazon Redshift cluster that stores sensitive financial data. The security team requires that all data be encrypted at rest and that the encryption keys be rotated annually. Which solution meets these requirements?

Question 70 (medium, multiple choice)

A company uses Amazon Aurora MySQL-Compatible Edition and needs to audit all SQL statements executed by database users. Which feature should be enabled?

Question 71 (easy, multiple choice)

A company is using Amazon DynamoDB and wants to ensure that only authorized users can access a specific table. Which AWS service should be used to manage access control?

Question 72 (hard, multiple choice)

A company is using Amazon RDS for PostgreSQL with automated backups. The security team requires that backups be encrypted at rest. The DB instance is currently unencrypted. What is the most efficient way to enable encryption for future backups?

Question 73 (medium, multiple choice)

A company uses Amazon ElastiCache for Redis and needs to encrypt data in transit between the application and the cache cluster. Which feature should be enabled?

Question 74 (easy, multiple choice)

A company is using Amazon DynamoDB and wants to ensure that all data is automatically encrypted at rest. What is the default encryption status for a new DynamoDB table?

Question 75 (medium, multi select)

A company is designing a security strategy for Amazon RDS for SQL Server. Which TWO actions should be taken to encrypt data at rest? (Choose TWO.)

Question 76 (hard, multi select)

A company is using Amazon Redshift and needs to comply with regulatory requirements that mandate encryption of all data at rest and control of the encryption keys. Which THREE steps should be taken? (Choose THREE.)

Question 77 (easy, multi select)

A company uses Amazon DynamoDB and wants to audit access to a table. Which TWO services can be used together to log and monitor data plane operations? (Choose TWO.)

Question 78 (medium, multiple choice)

A company is running an Amazon RDS for MySQL DB instance in a VPC. The security team requires that all connections to the database use SSL/TLS. The DBA has enabled the 'require_secure_transport' parameter in the DB parameter group. However, after applying the change and rebooting, some applications that were previously connecting successfully are now failing. What is the most likely cause?

Question 79 (hard, multiple choice)

A financial services company is using Amazon DynamoDB to store customer transaction data. The compliance team requires that all data be encrypted at rest using a customer-managed AWS KMS key, and that access to the key be auditable via AWS CloudTrail. Additionally, the security team wants to ensure that DynamoDB can only be accessed from within the VPC using a VPC endpoint. Which combination of steps should the company take to meet these requirements?

Question 80 (easy, multiple choice)

A developer needs to securely store database credentials for an application that runs on Amazon EC2 and connects to an Amazon RDS for PostgreSQL database. The credentials must be automatically rotated every 90 days. Which AWS service should the developer use to meet these requirements?

Question 81 (medium, multiple choice)

A company has an Amazon RDS for Oracle DB instance that stores sensitive data. The security team wants to audit all SQL queries that read or modify specific columns containing personally identifiable information (PII). The audit logs must be stored for 5 years. Which solution should the database specialist implement?

Question 82 (medium, multiple choice)

A company is using Amazon Redshift for data warehousing. The security team requires that all data be encrypted at rest using a customer-managed AWS KMS key. Additionally, the team wants to ensure that the key is used only for this specific Redshift cluster. Which configuration should be applied?

Question 83 (hard, multiple choice)

A company is migrating its on-premises Oracle database to Amazon RDS for Oracle. The database contains sensitive data that must be encrypted at rest and in transit. The security team also requires that the encryption keys be rotated every year. The DBA has enabled encryption at rest using a customer-managed KMS key and SSL/TLS for in-transit encryption. What additional step is needed to meet the key rotation requirement?

Question 84 (easy, multiple choice)

A company is using Amazon DynamoDB to store user session data. The security team requires that all access to the table be authenticated and authorized using AWS IAM. Which mechanism should the developer use to achieve this?

Question 85 (hard, multiple choice)

A company is using Amazon RDS for SQL Server with Multi-AZ deployment. The security team requires that all database activity be monitored for suspicious queries. The database specialist enabled RDS Database Activity Streams and configured AWS Lambda to process the stream. However, the Lambda function fails to process some events when the database fails over to the standby instance. What is the most likely cause?

Question 86 (medium, multiple choice)

A company is using Amazon Aurora MySQL-Compatible Edition. The security team wants to restrict access to the database so that only specific applications running on Amazon EC2 instances can connect. The EC2 instances are in the same VPC as the Aurora cluster. Which combination of steps should be taken to enforce this restriction?

Question 87 (easy, multi select)

A company is using Amazon DynamoDB with encryption at rest using a customer-managed KMS key. The security team wants to audit every use of this KMS key. Which TWO steps should be taken to meet this requirement?

Question 88 (medium, multi select)

A company is migrating an on-premises MongoDB database to Amazon DocumentDB (with MongoDB compatibility). The security team requires that data be encrypted at rest and in transit. Additionally, the team wants to use IAM roles to authenticate applications. Which THREE steps should the database specialist take to meet these requirements?

Question 89 (hard, multi select)

A company is using Amazon RDS for MySQL to host a web application. The security team has identified that the application is vulnerable to SQL injection attacks. The team wants to implement a defense-in-depth strategy to protect the database. Which THREE measures should be taken to mitigate SQL injection risks?

Question 90 (medium, multiple choice)

A company has an Amazon RDS for MySQL DB instance that stores sensitive customer data. The security team requires that all data at rest be encrypted using a customer-managed AWS KMS key. The DB instance was originally launched without encryption. Which combination of steps will meet the requirement with the least downtime?

Question 91 (hard, multiple choice)

A company uses Amazon DynamoDB to store user session data. The security team requires that all data be encrypted at rest using a customer-managed AWS KMS key. The DynamoDB table is already configured with AWS managed KMS encryption. How can the company meet the encryption requirement without recreating the table?

Question 92 (easy, multiple choice)

A database administrator needs to audit all SQL statements executed on an Amazon RDS for PostgreSQL DB instance. Which service should be used to capture and log the SQL statements?

Question 93 (medium, multiple choice)

A company has a requirement to automatically rotate the password for an Amazon RDS for MySQL DB instance every 90 days. The password is stored in AWS Secrets Manager. Which combination of steps will meet this requirement?

Question 94 (hard, multiple choice)

A company is using Amazon DynamoDB with a global table that replicates data across two AWS Regions. The security team requires that all data be encrypted at rest with a customer-managed AWS KMS key. How should the company configure the KMS keys to meet this requirement?

Question 95 (medium, multiple choice)

A company has an Amazon Redshift cluster that contains sensitive data. The security team requires that data be encrypted at rest using a customer-managed AWS KMS key. The cluster was initially launched without encryption. How can the company enable encryption with minimal downtime?

Question 96 (easy, multiple choice)

A company wants to ensure that only specific IAM users can perform certain operations on an Amazon RDS DB instance, such as creating snapshots or modifying the instance. Which AWS feature should be used to define these permissions?

Question 97 (hard, multiple choice)

A company is using Amazon Aurora MySQL-Compatible Edition. The security team requires that all connections to the database use SSL/TLS. The application currently connects using a standard JDBC connection string without SSL. What changes are needed to enforce SSL connections?

Question 98 (medium, multiple choice)

A company stores sensitive data in an Amazon S3 bucket that is accessed by an Amazon Redshift cluster. The security team requires that the data in transit between Redshift and S3 be encrypted. Which configuration ensures this?

Question 99 (medium, multi select)

Which TWO of the following are valid methods to control network access to an Amazon RDS DB instance? (Select TWO.)

Question 100 (hard, multi select)

Which THREE of the following are best practices for securing an Amazon DynamoDB table? (Select THREE.)

Question 101 (easy, multi select)

Which TWO of the following are methods to encrypt data at rest for an Amazon RDS for Oracle DB instance? (Select TWO.)

Question 102 (medium, multiple choice)

An IAM policy is attached to a role used by an application to access an Amazon RDS for MySQL DB instance. The DB instance is encrypted with a customer-managed KMS key. The application is unable to create a snapshot of the encrypted DB instance. Which missing permission is the most likely cause?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/abc12345-1234-1234-1234-123456789012"
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:CreateDBSnapshot",
        "rds:ModifyDBInstance"
      ],
      "Resource": "*"
    }
  ]
}

Question 103 (hard, multiple choice)

A database administrator is troubleshooting connectivity to an Amazon RDS for MySQL DB instance. The application is running on an EC2 instance in the same VPC and security group. The application can connect using the endpoint shown in the exhibit. However, the security team requires that all connections be encrypted using SSL. The DBA has enabled SSL on the DB instance and modified the parameter group to set require_secure_transport to ON. The application is now failing to connect. What is the most likely cause?

Exhibit

Refer to the exhibit.

aws rds describe-db-instances --db-instance-identifier mydb --query 'DBInstances[0].Endpoint' --output json

{
  "Address": "mydb.abcdefghijkl.us-east-1.rds.amazonaws.com",
  "Port": 3306,
  "HostedZoneId": "Z1R2S3V4O5X6"
}

Question 104 (easy, multiple choice)

A security auditor reviews the output of a DynamoDB table description command as shown in the exhibit. Which statement accurately describes the encryption configuration of the Users table?

Exhibit

Refer to the exhibit.

aws dynamodb describe-table --table-name Users --query 'Table.SSEDescription' --output json

{
  "Status": "ENABLED",
  "SSEType": "KMS",
  "KMSMasterKeyArn": "arn:aws:kms:us-east-1:123456789012:key/abc12345-1234-1234-1234-123456789012"
}

Question 105 (medium, multi select)

A company is running an Amazon RDS for MySQL DB instance in a VPC. The security team requires that all connections to the database use SSL/TLS. Which combination of steps should be taken to enforce this? (Choose two.)

Question 106 (hard, multiple choice)

A financial services company stores sensitive data in an Amazon DynamoDB table. The security team requires that all data at rest be encrypted with a customer-managed key that is rotated automatically every 12 months. The company also needs to audit key usage. Which solution meets these requirements?

Question 107 (easy, multiple choice)

A company uses Amazon Redshift for its data warehouse. The security team wants to encrypt the data at rest and ensure that only authorized users can access the encryption keys. Which AWS service should be used to manage the encryption keys?

Question 108 (medium, multiple choice)

A company has an Amazon RDS for Oracle DB instance that stores Personally Identifiable Information (PII). The security team requires that the data be transparently encrypted at rest using a key stored in AWS CloudHSM. What should the database administrator do to meet this requirement?

Question 109 (hard, multiple choice)

A company uses Amazon DynamoDB with fine-grained access control based on user identity. The IAM policy for a user includes a condition that restricts access to items where the 'department' attribute equals 'engineering'. However, the user is receiving an 'AccessDeniedException' when trying to query items. What is the most likely cause?

Question 110 (easy, multiple choice)

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database contains sensitive data that must be encrypted at rest. Which action should the company take to enable encryption on the RDS instance?

Question 111 (medium, multi select)

A company uses Amazon RDS for PostgreSQL to store customer data. The security team wants to audit all SQL queries executed against the database, including SELECT statements. Which TWO actions should be taken to achieve this?

Question 112 (hard, multi select)

A company is designing a disaster recovery strategy for an Amazon RDS for SQL Server DB instance that contains sensitive financial data. The database must be encrypted at rest using a customer-managed AWS KMS key. The recovery point objective (RPO) is 5 minutes, and the recovery time objective (RTO) is 1 hour. Which THREE steps should be taken to meet these requirements?

Question 113 (easy, multi select)

A company is setting up an Amazon Aurora MySQL-compatible database. The security policy requires that all traffic between the application and database be encrypted in transit. Which TWO steps should be taken?

Question 114 (medium, multiple choice)

Refer to the exhibit. A company has attached this IAM policy to an IAM role used by an application running on Amazon EC2. The application needs to decrypt data in an S3 bucket that is encrypted with the specified KMS key. However, the application is receiving access denied errors. What is the most likely cause?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
      ],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/abc12345-1234-1234-1234-123456789012",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com",
          "kms:CallerAccount": "123456789012"
        }
      }
    }
  ]
}

Question 115 (medium, multiple choice)

Refer to the exhibit. A database administrator is reviewing the output of 'SHOW FULL PROCESSLIST' on an Amazon RDS for MySQL DB instance. The company's security policy requires that all database users access only the minimum necessary data. Which user's activity should be investigated further?

Exhibit

[
  {
    "user": "admin",
    "host": "10.0.1.5",
    "db": "prod",
    "command": "Query",
    "time": "0",
    "state": "Sending data",
    "info": "SELECT * FROM credit_cards"
  },
  {
    "user": "app_user",
    "host": "10.0.2.10",
    "db": "prod",
    "command": "Query",
    "time": "0",
    "state": "Sending data",
    "info": "SELECT card_number FROM credit_cards WHERE user_id=123"
  }
]

Question 116 (hard, multiple choice)

Refer to the exhibit. A database administrator has this IAM policy attached to their user. They are trying to authorize ingress to a DB security group named 'my-security-group' in the us-east-1 region. The operation fails. What is the most likely reason?

Exhibit

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds:CreateDBSecurityGroup",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:AuthorizeDBSecurityGroupIngress",
        "rds:RevokeDBSecurityGroupIngress"
      ],
      "Resource": "arn:aws:rds:us-east-1:123456789012:secgrp:my-security-group"
    }
  ]
}

Question 117 (easy, multiple choice)

A company is using Amazon RDS for MySQL and wants to restrict access to the database based on the source IP address. Which AWS feature should be used to achieve this?

Question 118 (hard, multi select)

A company is deploying an Amazon DynamoDB table with server-side encryption using a customer-managed AWS KMS key. The security team requires that the key be automatically rotated every year and that access to the key be logged. Which THREE steps should be taken?

Question 119 (easy, multiple choice)

A company has an Amazon Redshift cluster that contains sensitive data. The security team wants to ensure that all data is encrypted at rest and that the encryption keys are managed by AWS. Which configuration should be used?

Question 120 (easy, multiple choice)

A company has an Amazon RDS for MySQL database that contains sensitive data. The security team requires that all data be encrypted at rest using a customer-managed key stored in AWS KMS. Which action should be taken to meet this requirement?

Question 121 (medium, multiple choice)

A development team is building a serverless application that uses Amazon DynamoDB. The team needs to ensure that only the application's Lambda function can read and write data to a specific DynamoDB table. The Lambda function uses an IAM role. How should the team configure access?

Question 122 (hard, multiple choice)

A company uses an Amazon RDS for PostgreSQL database with Multi-AZ deployment. The security team wants to audit all SQL queries executed against the database for compliance purposes. Which solution should be implemented to capture and store the queries?

Question 123 (easy, multiple choice)

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all connections to the database use SSL/TLS encryption. Which step is necessary to enforce SSL connections?

Question 124 (medium, multiple choice)

A security engineer is investigating an Amazon RDS for MySQL database that was compromised. The engineer finds that the compromise was due to a SQL injection vulnerability in a web application. The web application uses a database user with full administrative privileges. What is the BEST practice to prevent such incidents in the future?

Question 125 (hard, multiple choice)

A company uses Amazon DynamoDB for its critical application. The security team requires that all access to DynamoDB tables be logged and monitored for suspicious activity. The company also needs to be alerted when a user deletes a table. Which combination of AWS services should be used?

Question 126 (medium, multiple choice)

A company stores sensitive customer data in an Amazon S3 bucket. The data is accessed by an Amazon Redshift cluster using the COPY command. The security team wants to ensure that data is encrypted in transit between S3 and Redshift. Which configuration should be used?

Question 127 (hard, multiple choice)

A company is using an Amazon RDS for MySQL database and needs to audit all database login events. The audit logs must be stored in Amazon S3 for long-term retention. Which steps should be taken to accomplish this?

Question 128 (easy, multiple choice)

A company's security policy requires that all database passwords be rotated every 90 days. The company uses AWS Secrets Manager to store database credentials for Amazon RDS. Which feature can be used to automate password rotation?

Question 129 (medium, multi select)

A security administrator is setting up a new Amazon RDS for SQL Server database. The company requires that all data be encrypted at rest and in transit. Additionally, the database must be accessible only from a specific CIDR range. Which TWO actions should the administrator take? (Choose TWO.)

Question 130 (hard, multi select)

A company uses Amazon DynamoDB to store session data for a web application. The security team discovers that an IAM user has been performing unauthorized scans on the table. They need to implement controls to detect and prevent such unauthorized access in the future. Which THREE actions should the security team take? (Choose THREE.)

Question 131 (easy, multi select)

A company is deploying a new Amazon RDS for MySQL database in a VPC. The database must be accessible only from an application server running in the same VPC. The security team also wants to ensure that the database is not accessible from the internet. Which TWO configurations are required? (Choose TWO.)

Question 132 (medium, multiple choice)

A company is using an Amazon RDS for PostgreSQL database to store sensitive customer data. The security team requires that all data be encrypted at rest and in transit, and that access to the database is restricted to only specific applications. Currently, the database is encrypted at rest using AWS KMS, and connections are made over SSL. However, the security team wants to ensure that even if the database credentials are compromised, an attacker cannot access the database from unauthorized IP addresses. What should be done to meet this requirement?

Question 133 (hard, multiple choice)

A company is using Amazon DynamoDB to store financial transactions. The security team requires that all access to the table be logged for auditing, and that any unauthorized access attempts trigger an immediate alert. The company has enabled AWS CloudTrail to log all DynamoDB API calls. However, the security team is concerned that CloudTrail logs may not capture all access patterns, such as queries that return no results. Which additional step should the company take to ensure comprehensive auditing and alerting?

Question 134 (easy, multiple choice)

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database contains personally identifiable information (PII). The security team requires that the data be encrypted at rest using a customer-managed key stored in AWS KMS. Additionally, the team wants to ensure that the key can be rotated automatically every year. What should the company do to meet these requirements?

Question 135 (hard, multiple choice)

A company uses Amazon Redshift for data warehousing. The security team has implemented column-level security using Redshift's column-level access controls. However, during a security audit, it is discovered that a user with SELECT privilege on a table can still see the content of a column that should be restricted. The column is defined with a GRANT statement that only allows SELECT on certain columns to specific users. What is the most likely cause of this issue?

Question 136 (easy, multiple choice)

A company has an Amazon S3 bucket that stores database backup files. The backups are encrypted using server-side encryption with AWS KMS (SSE-KMS). The security team wants to ensure that only a specific IAM role can decrypt the backups when restoring the database. Which policy should be attached to the KMS key to achieve this?

Question 137 (medium, multiple choice)

A company is using Amazon RDS for MySQL to power a web application. The database contains sensitive data, and the security team requires that all connections to the database use SSL/TLS. The team has enabled the 'require_secure_transport' parameter in the DB parameter group. However, a developer reports that they are able to connect to the database using a MySQL client without specifying SSL options. What could be the reason?

Question 138 (hard, multiple choice)

A company is using Amazon DynamoDB with fine-grained access control using IAM policies. The security team wants to ensure that a specific IAM role can only read items from a table where the 'status' attribute equals 'active'. The table is named 'Orders'. Which IAM policy statement should be used?

Question 139 (easy, multiple choice)

A company is using Amazon RDS for SQL Server with Multi-AZ deployment. The security team wants to ensure that database audit logs are stored in a secure S3 bucket for long-term retention. The audit logs are currently stored on the RDS instance. Which approach should be used to export the audit logs to S3?

Question 140 (medium, multiple choice)

A company is using Amazon DynamoDB with a global table. The security team requires that all data be encrypted at rest using a customer-managed KMS key. The table was originally created with AWS managed key encryption. The company wants to switch to a customer-managed key without downtime. What should they do?

Question 141 (medium, multi select)

A company is using Amazon RDS for PostgreSQL and wants to implement encryption in transit for all client connections. The security team has identified that some connections are not using SSL. Which TWO actions should the company take to enforce SSL for all connections?

Question 142 (hard, multi select)

A company is using Amazon Redshift for analytics. The security team wants to audit all SQL queries executed against the database, including the actual query text, for compliance. They also want to ensure that the audit logs are stored in a secure, immutable location. Which THREE services or features should they use together to meet these requirements?

Question 143 (easy, multi select)

A company is using Amazon RDS for MySQL and wants to implement database activity monitoring to detect suspicious queries. Which TWO AWS services can be used together to achieve this?

Question 144 (medium, multi select)

A company has an Amazon DynamoDB table that stores user sessions. The security team wants to ensure that only authorized applications can read and write to the table, and that all access is logged. Which THREE steps should the company take to meet these requirements?

Question 145 (hard, multiple choice)

A company runs an e-commerce platform on AWS. The application uses an Amazon RDS for MySQL Multi-AZ database instance. The security team recently conducted an audit and found that the database is accessible from the internet because the public accessibility setting is enabled. The security team has disabled public accessibility and updated the security group to allow inbound traffic only from the application's security group. However, after these changes, the application can no longer connect to the database. The application is running on EC2 instances in the same VPC. The RDS instance is also in the same VPC. The security group for the RDS instance allows inbound MySQL traffic (port 3306) from the application's security group. The application's security group allows all outbound traffic. The application's EC2 instances have a public IP address and are in a public subnet. The RDS instance is in a private subnet. The VPC has an internet gateway attached. What is the most likely cause of the connection failure?

Question 146 (medium, multiple choice)

A company is using Amazon DocumentDB (with MongoDB compatibility) for a content management system. The security team requires that all data be encrypted at rest and in transit. The DocumentDB cluster is already encrypted at rest using AWS KMS. To enforce encryption in transit, the security team wants to ensure that all client connections use TLS. The team has enabled the 'tls' parameter in the cluster parameter group. However, a developer reports that they can still connect to the cluster without specifying TLS options using the mongo shell. The developer is connecting from an EC2 instance in the same VPC. The security group for the DocumentDB cluster allows inbound traffic on port 27017 from the EC2 instance's security group. What is the most likely reason the developer can connect without TLS?

Question 147 (medium, multiple choice)

A company is using an Amazon RDS for MySQL DB instance. The security team requires that all database connections be encrypted in transit. Which configuration step ensures this requirement is met?

Question 148 (hard, multiple choice)

A company uses Amazon DynamoDB to store sensitive user data. The security team wants to ensure that all data is encrypted at rest using a customer-managed AWS KMS key. The DynamoDB table was created with the default AWS managed key. What is the required action to change the encryption key?

Question 149 (easy, multiple choice)

A developer is configuring an Amazon RDS for PostgreSQL DB instance. The application connects using IAM database authentication. Which setting must be enabled on the DB instance for IAM authentication to work?

Question 150 (hard, multiple choice)

A company is using Amazon Redshift for data warehousing. The security team requires column-level access control so that certain users cannot view specific columns containing PII. Which approach should the data engineer implement?

Question 151 (medium, multiple choice)

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all data be encrypted at rest using a key stored in AWS CloudHSM. What must be done to meet this requirement?

Question 152 (medium, multi select)

A security engineer is designing access controls for an Amazon DynamoDB table containing customer data. Which TWO actions enforce least privilege access?

Question 153 (hard, multi select)

A company uses Amazon RDS for MySQL with Multi-AZ deployment. The security team wants to audit all database logins and queries. Which TWO actions should be taken to enable auditing?

Question 154 (medium, multi select)

A company is using Amazon Redshift and needs to encrypt data at rest with a customer-managed key. Which THREE steps are required to enable encryption with a customer-managed AWS KMS key?

Question 155 (medium, multiple choice)

A database administrator is troubleshooting why Amazon RDS Enhanced Monitoring is not displaying metrics for a DB instance. The IAM role attached to the instance has the policy shown in the exhibit. What is the likely cause?

Network Topology
Refer to the exhibit.

aws iam get-role-policy --role-name rds-monitoring-role --policy-name rds-monitoring-policy

{
  "RoleName": "rds-monitoring-role",
  "PolicyName": "rds-monitoring-policy",
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "monitoring:PutMetricData",
          "monitoring:GetMetricData",
          "rds:DescribeDBInstances"
        ],
        "Resource": "*"
      }
    ]
  }
}

Question 156 (hard, multiple choice)

A security auditor notices that the DynamoDB table 'UserData' is encrypted with a KMS key (exhibit). The company policy requires that all DynamoDB tables use an AWS managed key for encryption. What must be done to comply with the policy?

Network Topology
Refer to the exhibit.

aws dynamodb describe-table --table-name UserData

{
  "Table": {
    "TableName": "UserData",
    "KeySchema": [{"AttributeName": "UserID", "KeyType": "HASH"}],
    "AttributeDefinitions": [{"AttributeName": "UserID", "AttributeType": "S"}],
    "SSEDescription": {
      "SSEType": "KMS",
      "KMSMasterKeyArn": "arn:aws:kms:us-east-1:123456789012:key/abc123"
    },
    "TableStatus": "ACTIVE"
  }
}

Question 157 (easy, multiple choice)

A developer is checking the encryption status of an RDS MySQL instance. The CLI output shows StorageEncrypted is true. What does this indicate?

Network Topology
Refer to the exhibit.

aws rds describe-db-instances --db-instance-identifier mydb

{
  "DBInstances": [
    {
      "DBInstanceIdentifier": "mydb",
      "DBInstanceClass": "db.r5.large",
      "Engine": "mysql",
      "DBInstanceStatus": "available",
      "StorageEncrypted": true,
      "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abc123"
    }
  ]
}

Question 158 (hard, multiple choice)

A financial services company runs a critical application on Amazon RDS for PostgreSQL. The database stores sensitive customer financial data. The security team has mandated that all access to the database must be through IAM database authentication to eliminate the need for passwords. The application currently uses a master user password stored in AWS Secrets Manager. The DBA needs to implement IAM authentication without downtime. The application is deployed on Amazon ECS and connects to the database using a connection string. The DBA has already created an IAM role for the ECS task with a policy that allows rds-db:connect. The DBA has also modified the DB instance to require SSL. However, after making these changes, the application cannot connect. The error message indicates 'IAM authentication is not enabled for this user'. What step did the DBA miss?

Question 159 (medium, multiple choice)

A retail company uses Amazon DynamoDB to store product catalog data. The security team wants to ensure that only authorized applications can read and write to the table. The applications are running on Amazon EC2 instances. The current setup uses an IAM role attached to the EC2 instance with a policy that grants dynamodb:* on the specific table. However, during a security audit, it was discovered that any process on the EC2 instance can access the table because the instance has access to the temporary credentials from the instance metadata service. The security team requires that only specific processes (the application) can access the credentials, and that the credentials cannot be extracted from the instance. What should be done to meet these requirements?

Question 160 (easy, multiple choice)

A small business runs a web application on a single Amazon RDS for MySQL DB instance. The application uses a master user account for all database operations. The security team is concerned about the risk of SQL injection and wants to implement the principle of least privilege. They want to create separate database users for read-only and read-write operations. The application currently uses a single connection string. The developer needs to modify the application to use two separate users. What is the correct approach to implement this securely?

Question 161 (medium, multiple choice)

A healthcare company is migrating its patient records database to Amazon RDS for SQL Server. The database contains Protected Health Information (PHI). The compliance team requires that all PHI data be encrypted at rest and that the encryption keys be stored in a dedicated AWS CloudHSM cluster. Additionally, the database must be replicated to a second AWS region for disaster recovery. The DBA has enabled RDS encryption at rest using a KMS key, but the compliance team insists on using CloudHSM. What should the DBA do to meet the compliance requirement while maintaining disaster recovery?

Question 162 (easy, multiple choice)

A security engineer reviews the IAM policy attached to a user. The user is unable to modify any RDS DB instance, even when MFA is enabled. What is the most likely cause?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds:ModifyDBInstance",
      "Resource": "arn:aws:rds:us-east-1:123456789012:db:prod-*"
    },
    {
      "Effect": "Allow",
      "Action": "rds:ModifyDBInstance",
      "Resource": "arn:aws:rds:us-east-1:123456789012:db:dev-*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}

Question 163 (medium, multiple choice)

A company stores sensitive data in an Amazon RDS for PostgreSQL DB instance. The security team requires that all data at rest be encrypted. The instance is currently unencrypted. What is the simplest way to enable encryption with minimal downtime?

Question 164 (easy, multi select)

A company uses an Amazon RDS for MySQL DB instance that needs to be accessed by a Lambda function. Which TWO steps should be taken to ensure secure access?

Question 165 (hard, multi select)

A company is designing a secure strategy for managing Amazon RDS for Oracle encryption keys. They want to use AWS KMS with Customer Master Keys (CMKs) for encryption at rest. Which THREE best practices should they follow?

Question 166 (medium, multiple choice)

A security engineer runs the AWS CLI command shown in the exhibit. The engineer wants to ensure that all RDS DB instances in the account are encrypted at rest. What should the engineer do to remediate the unencrypted read replica?

Network Topology
Refer to the exhibit.

aws rds describe-db-instances --query "DBInstances[*].[DBInstanceIdentifier --output json

[
  ["mydb", "vpc-12345", true],
  ["mydb-replica", "vpc-12345", false]
]

Question 167 (hard, multiple choice)

A financial company uses Amazon DynamoDB to store customer transaction data. The compliance team requires that all data be encrypted at rest using a customer-managed AWS KMS key. Additionally, they need to ensure that the key is used only for DynamoDB and no other AWS service. How can the company meet these requirements?

Question 168 (easy, multiple choice)

A developer needs to allow an application running on an EC2 instance to connect to an Amazon RDS for MySQL DB instance securely. Which combination of steps should the developer take?

Question 169 (hard, multiple choice)

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all network traffic between the application servers and the database be encrypted using TLS. The application servers are in a different VPC connected via VPC Peering. What is the simplest way to enforce encryption in transit?

Question 170 (medium, multiple choice)

A company is running an RDS for MySQL database and needs to ensure that all connections to the database use SSL encryption. Which configuration step is required?

Question 171 (hard, multiple choice)

A security engineer is designing a VPC with an RDS instance. The database must not be accessible from the internet, but EC2 instances in a private subnet must connect. Which security group configuration is MOST secure?

Question 172 (easy, multiple choice)

A company wants to audit all SQL statements executed on their RDS for PostgreSQL database. Which AWS service should they use?

Question 173 (medium, multiple choice)

A company is using DynamoDB with a VPC endpoint. They want to restrict access to only requests originating from their VPC. Which policy condition should be used?

Question 174 (hard, multiple choice)

A company has a compliance requirement to encrypt all RDS snapshots at rest using a customer-managed KMS key. The RDS instance is already encrypted with an AWS-managed key. What is the correct procedure to ensure snapshots use the customer-managed key?

Question 175 (easy, multiple choice)

A developer accidentally deleted an RDS database. Which action will allow the database to be restored with the least data loss?

Question 176 (medium, multiple choice)

A company wants to enforce encryption in transit for all connections to their ElastiCache for Redis cluster. Which security measure should they implement?

Question 177 (hard, multiple choice)

A security team needs to grant an IAM user permission to modify only the 'db_secrets' secret in AWS Secrets Manager. Which IAM policy statement is correct?

Question 178 (easy, multiple choice)

A company is using Amazon RDS for Oracle and wants to integrate with AWS CloudTrail to log database API calls. Which action is necessary?

Question 179 (medium, multi select)

Which TWO actions can help protect an RDS database from SQL injection attacks? (Choose 2.)

Question 180 (hard, multi select)

Which THREE are valid methods to encrypt data at rest in Amazon DynamoDB? (Choose 3.)

Question 181 (medium, multi select)

Which TWO AWS services can be used to monitor database security events in real time? (Choose 2.)

Question 182 (hard, multiple choice)

A database administrator has the IAM policy shown in the exhibit. Which action will be allowed by this policy?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:CreateDBSnapshot"
      ],
      "Resource": "arn:aws:rds:us-east-1:123456789012:db:prod-db"
    },
    {
      "Effect": "Deny",
      "Action": "rds:DeleteDBInstance",
      "Resource": "arn:aws:rds:us-east-1:123456789012:db:prod-db"
    }
  ]
}

Question 183 (medium, multiple choice)

A developer needs to connect to the RDS instance from an EC2 instance in the same VPC. The EC2 instance's security group allows outbound traffic to 0.0.0.0/0. The RDS security group inbound rules currently allow traffic from 0.0.0.0/0 on port 3306. After a security review, the company decides to restrict inbound traffic to the VPC only. Which inbound rule should be added to the RDS security group?

Network Topology
Refer to the exhibit.

$ aws rds describe-db-instances --db-instance-identifier mydb --query 'DBInstances[0].Endpoint'

{
  "Address": "mydb.abcdefghijkl.us-east-1.rds.amazonaws.com",
  "Port": 3306,
  "HostedZoneId": "Z1R2C3D4E5F6G7"
}

Question 184 (easy, multiple choice)

A developer retrieved a database secret using the AWS CLI as shown. What is the MOST secure way to store and rotate this secret?

Network Topology
Refer to the exhibit.

$ aws secretsmanager get-secret-value --secret-id MyDatabaseSecret --query 'SecretString' --output text

{"username":"admin","password":"P@ssw0rd123","host":"mydb.xyz.us-east-1.rds.amazonaws.com","port":3306,"dbname":"mydb"}

Question 185 (easy, multiple choice)

A company is storing sensitive customer data in an Amazon RDS for MySQL DB instance. They need to ensure that data is encrypted at rest. What is the simplest way to achieve this?

Question 186 (medium, multiple choice)

A company uses Amazon RDS for PostgreSQL and needs to ensure that only specific IP addresses can connect to the database. Which configuration should be used?

Question 187 (hard, multiple choice)

A company is designing a multi-tenant application using Amazon Aurora MySQL. Each tenant's data must be isolated from others. They need to encrypt data at rest with a unique AWS KMS key per tenant. How can this be achieved?

Question 188 (medium, multiple choice)

A security team is auditing an Amazon RDS for SQL Server DB instance. They notice that SSL connections are not enforced. Which configuration change will enforce SSL for all connections?

Question 189 (easy, multiple choice)

A developer needs to grant an IAM user permission to perform automated backups of an Amazon RDS DB instance. Which IAM action should be allowed?

Question 190 (hard, multiple choice)

A company is using Amazon DynamoDB with server-side encryption enabled. They need to ensure that all access to the table is audited. Which service should be used to capture data-plane API calls?

Question 191 (medium, multiple choice)

A company has an Amazon RDS for Oracle DB instance that is publicly accessible. They want to restrict access to only a specific CIDR block. Which two actions must be taken together?

Question 192 (easy, multiple choice)

A company needs to rotate the master user password for an Amazon RDS for MySQL DB instance. What is the recommended way to do this without downtime?

Question 193 (medium, multiple choice)

A security engineer needs to ensure that all access to an Amazon DynamoDB table is encrypted in transit. Which configuration achieves this?

Question 194 (medium, multi select)

Which TWO of the following are methods to control access to an Amazon RDS DB instance? (Select TWO.)

Question 195 (hard, multi select)

Which THREE of the following are best practices for securing an Amazon Aurora MySQL database? (Select THREE.)

Question 196 (medium, multi select)

Which TWO of the following are valid ways to encrypt data at rest in Amazon DynamoDB? (Select TWO.)

Question 197 (hard, multiple choice)

An IAM policy is attached to a user. What is the effect of this policy on the user's ability to delete the DB instance named prod-db?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:CreateDBSnapshot",
        "rds:DeleteDBSnapshot"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "rds:DeleteDBInstance",
      "Resource": "arn:aws:rds:us-east-1:123456789012:db:prod-db"
    }
  ]
}

Question 198 (medium, multiple choice)

An RDS DB instance has two security groups attached. Security group sg-12345678 allows inbound traffic on port 3306 from 0.0.0.0/0. Security group sg-87654321 allows inbound traffic on port 3306 from 10.0.0.0/16. What is the effective inbound access to the DB instance?

Network Topology
Refer to the exhibit.

aws rds describe-db-instances --db-instance-identifier mydb --query 'DBInstances[0].VpcSecurityGroups'

Output:
[
  {
    "VpcSecurityGroupId": "sg-12345678",
    "Status": "active"
  },
  {
    "VpcSecurityGroupId": "sg-87654321",

Question 199 (hard, multiple choice)

A KMS key has the grant shown. An IAM role named AdminRole is the grantee. What additional permission does this grant provide to AdminRole beyond what the role's IAM policy allows?

Network Topology
Refer to the exhibit.

aws kms list-grants --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

Output:
{
  "Grants": [
    {
      "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
      "GrantId": "grant1",
      "Grantees": ["arn:aws:iam::123456789012:role/AdminRole"],
      "Operations": ["Decrypt", "Encrypt"],
      "Name": ""
    }
  ]
}

Question 200 (medium, multiple choice)

A company is using an Amazon RDS for MySQL DB instance to store sensitive customer data. A security audit reveals that all database traffic between the application and the database is transmitted in plaintext. Which configuration change would encrypt data in transit for new connections?

Question 201 (hard, multiple choice)

A financial services company uses Amazon DynamoDB to store transaction records. The security team requires that all items be encrypted at rest using a customer-managed AWS KMS key. Additionally, the company must be able to audit key usage and rotation. What is the MOST secure and auditable approach?

Question 202 (easy, multiple choice)

A developer needs to grant an IAM user the ability to perform all operations on an Amazon RDS DB instance except the ability to delete it. Which IAM policy action should be explicitly denied?

Question 203 (medium, multiple choice)

A company uses Amazon RDS for PostgreSQL with Multi-AZ deployment. The security team wants to ensure that any access to the database is logged, including SELECT queries. What should be done to capture these logs?

Question 204 (hard, multiple choice)

A company runs an Amazon Aurora MySQL-compatible database cluster. The security team requires that all database credentials be rotated automatically every 30 days. Which combination of AWS services can meet this requirement with minimal operational overhead?

Question 205 (easy, multiple choice)

A developer accidentally exposed an Amazon RDS snapshot to the public. What is the quickest way to remediate this issue?

Question 206 (hard, multiple choice)

A company uses Amazon DynamoDB with a global secondary index (GSI) and client-side encryption using the AWS Encryption SDK. The security team requires that the partition key and sort key be searchable by the application but not stored in plaintext in the table. Which approach should be taken?

Question 207 (medium, multiple choice)

A company uses Amazon Redshift for data warehousing. The security team requires that all data be encrypted at rest with a customer-managed key, and that the key be rotated every year. Which configuration meets these requirements?

Question 208 (hard, multiple choice)

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all connections to the database use Oracle Native Network Encryption (NNE). How should this be configured?

Question 209 (medium, multi select)

Which TWO actions will help protect an Amazon RDS for MySQL database from a SQL injection attack? (Select TWO.)

Question 210 (hard, multi select)

Which THREE practices should be implemented to secure an Amazon DynamoDB table that stores personally identifiable information (PII)? (Select THREE.)

Question 211 (easy, multi select)

Which TWO methods can be used to securely connect to an Amazon RDS for PostgreSQL DB instance from an EC2 instance in the same VPC? (Select TWO.)

Question 212 (medium, multiple choice)

Refer to the exhibit. An IAM policy is attached to a user. What is the effect when the user attempts to delete the RDS DB instance named 'prod-db'?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:CreateDBSnapshot"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "rds:DeleteDBInstance",
      "Resource": "arn:aws:rds:us-east-1:123456789012:db:prod-db"
    }
  ]
}

Question 213 (hard, multiple choice)

Refer to the exhibit. The output is from the AWS CLI for an RDS instance. The security team suspects that the encryption key used for this DB instance has been compromised. What is the required action to re-encrypt the instance with a new key?

Network Topology
Refer to the exhibit.

$ aws rds describe-db-instances --db-instance-identifier mydb --query 'DBInstances[0].{StorageEncrypted:StorageEncrypted

{
  "StorageEncrypted": true,
  "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abc123-..."
}

Question 214 (easy, multiple choice)

Refer to the exhibit. A developer created an IAM policy with the above command and attached it to a user. What is the security implication of this policy?

Network Topology
Refer to the exhibit.

aws iam create-policy --policy-name RDSAccess --policy-document '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds:*",
      "Resource": "*"
    }
  ]
}'

Question 215 (easy, multiple choice)

A company wants to encrypt data at rest for an existing Amazon RDS for MySQL DB instance. The database is currently unencrypted. What is the most efficient way to enable encryption?

Question 216 (medium, multi select)

A security team needs to audit all SQL statements executed against an Amazon Aurora MySQL DB cluster. Which combination of actions should be taken to achieve this? (Choose TWO.)

Question 217 (hard, multiple choice)

A company has an Amazon DynamoDB table with a global secondary index (GSI). The security team wants to ensure that only certain attributes are returned in query results based on the IAM policy of the calling user. What is the most secure and scalable approach?

Question 218 (easy, multiple choice)

A developer needs to connect to an Amazon RDS for PostgreSQL DB instance from an EC2 instance in the same VPC. What is the most secure way to authenticate the connection without storing database credentials in the application code?

Question 219 (medium, multiple choice)

A security engineer is designing a solution to encrypt data at rest for an Amazon Redshift cluster. The company requires that the encryption key be rotated automatically every year. Which solution meets these requirements?

Question 220 (hard, multiple choice)

A company is using an Amazon DynamoDB table with a global table configuration across two AWS regions. The security team wants to ensure that all data is encrypted in transit between the regions. What should the team do?

Question 221 (easy, multiple choice)

A company wants to audit all API calls made to its Amazon RDS DB instances. Which AWS service should be used to capture these API calls?

Question 222 (medium, multiple choice)

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security policy requires that all connections to the database use SSL/TLS. What should the database administrator do to meet this requirement?

Question 223 (hard, multiple choice)

A company is using Amazon DynamoDB Accelerator (DAX) for caching. The security team is concerned about data in transit between the application and DAX. What should the team do to ensure that all traffic to DAX is encrypted?

Question 224 (medium, multi select)

A security engineer needs to restrict access to an Amazon DynamoDB table so that only users from a specific AWS account can read and write data. Which of the following can be used to achieve this? (Choose TWO.)

Question 225 (hard, multi select)

A company is running an Amazon RDS for SQL Server DB instance with Multi-AZ deployment. The security team wants to ensure that all data at rest is encrypted using a customer-managed key stored in AWS KMS. Which steps must be taken to achieve this? (Choose THREE.)

Question 226 (medium, multi select)

A company is using Amazon Aurora MySQL and needs to audit database logins. Which of the following can be used to capture login events? (Choose TWO.)

Question 227 (easy, multiple choice)

An IAM policy is attached to a user. What does this policy allow the user to do?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dynamodb:GetItem",
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:Attributes": ["order_id", "customer_id", "status"]
        }
      }
    }
  ]
}

Question 228 (medium, multiple choice)

A database administrator runs the described command. What does the output indicate about the RDS instance?

Network Topology
Refer to the exhibit.

aws rds describe-db-instances --db-instance-identifier mydb --query "DBInstances[0].{Engine:Engine

Output:
{
  "Engine": "mysql",
  "DBInstanceStatus": "available",
  "StorageEncrypted": false,
  "KmsKeyId": null
}

Question 229 (hard, multiple choice)

An IAM policy is attached to a user. Which of the following actions will be allowed?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:CreateDBInstance"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "rds:DeleteDBInstance",
      "Resource": "arn:aws:rds:us-east-1:123456789012:db:prod-*"
    }
  ]
}

Question 230 (medium, multiple choice)

A company is migrating an Oracle database to Amazon RDS for Oracle. Security policy requires that all database connections be encrypted in transit. The security team wants to enforce that clients must use TLS 1.2 or higher. How can this be achieved?

Question 231 (hard, multiple choice)

A financial services company uses Amazon RDS for MySQL to store sensitive customer data. The compliance team requires that all database administrators (DBAs) must authenticate using IAM database authentication, and no static database passwords should be used. A junior DBA has been granted the rds_iam role in the database. However, the junior DBA is unable to connect using the AWS CLI command: aws rds generate-db-auth-token --hostname mydb.xyz.us-east-1.rds.amazonaws.com --port 3306 --username jdba. The error message says 'Access denied'. What is the most likely cause?

Question 232 (easy, multiple choice)

A company is using Amazon RDS for PostgreSQL to store application data. The security team wants to ensure that database audit logs are stored securely and cannot be modified after creation. Which AWS service should be used to meet this requirement?

Question 233 (medium, multiple choice)

A company is running an Amazon RDS for SQL Server instance with Multi-AZ deployment. The security team requires that all data at rest be encrypted. The instance was originally launched without encryption. What is the most efficient way to enable encryption at rest for this existing instance?

Question 234 (hard, multiple choice)

A company uses Amazon DynamoDB to store session data. The security team has enabled DynamoDB Accelerator (DAX) for performance. However, they are concerned about data encryption at rest. DAX encrypts data at rest by default. The security team wants to use a customer managed key (CMK) in AWS KMS. How can this be configured?

Question 235 (easy, multiple choice)

A company is using Amazon Aurora MySQL and needs to audit all database logins and query activity. Which feature should be enabled to meet this requirement?

Question 236 (medium, multiple choice)

A company is using Amazon RDS for MySQL and wants to restrict access to a specific database so that an application user can only perform SELECT and INSERT operations on tables within that database. The application user already exists. Which SQL statement should be executed?

Question 237 (hard, multiple choice)

A company is using Amazon DynamoDB with AWS Lambda to process data. The Lambda function needs to read and write items to a DynamoDB table. The security team wants to follow the principle of least privilege. Which IAM policy statement should be attached to the Lambda execution role?

Question 238 (easy, multiple choice)

A company is using Amazon RDS for PostgreSQL and needs to ensure that all connections to the database use encryption in transit. The database is accessible over the internet. Which configuration is required?

Question 239 (medium, multi select)

A company is designing a security strategy for an Amazon RDS for MySQL instance that stores Personally Identifiable Information (PII). Which TWO measures should be implemented to protect the data at rest?

Question 240 (hard, multi select)

A company uses Amazon DynamoDB with DAX and wants to implement fine-grained access control using IAM. Which THREE conditions can be used in an IAM policy to restrict access to specific items based on the primary key?

Question 241 (easy, multi select)

A company is using Amazon RDS for Oracle and needs to comply with regulatory requirements that mandate encryption of all data at rest and in transit. Which TWO actions should be taken to meet these requirements?

Question 242 (easy, multiple choice)

A company wants to ensure that an Amazon RDS for MySQL DB instance is encrypted at rest. Which action should be taken to enable encryption for the first time?

Question 243 (medium, multiple choice)
Read the full Database Security explanation →

A database administrator needs to audit all SQL statements executed on an Amazon Aurora MySQL DB cluster, including SELECT queries. Which AWS service should be used to capture and store these logs?

Question 244hardmultiple choice
Read the full NAT/PAT explanation →

A company has an Amazon DynamoDB table that stores sensitive user data. The security team requires that all data is encrypted at rest using a customer-managed AWS KMS key. Additionally, they want to ensure that the table can only be accessed by a specific IAM role. Which combination of steps should be taken to meet these requirements? (Select TWO.)

Question 245mediummultiple choice
Read the full Database Security explanation →

A company needs to enforce that all new Amazon RDS DB instances are automatically encrypted at rest. What is the most efficient way to achieve this?

Question 246hardmultiple choice
Read the full Database Security explanation →

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database contains personally identifiable information (PII). The security team requires that all PII columns be transparently encrypted and that the encryption keys be stored in AWS CloudHSM. Which solution meets these requirements?

Question 247mediummultiple choice
Read the full Database Security explanation →

A company has an Amazon RDS for PostgreSQL DB instance that needs to be accessed by an application running on an Amazon EC2 instance. Both resources are in the same VPC. The security team insists that all traffic between the application and the database be encrypted in transit. Which configuration ensures this?

Question 248easymultiple choice
Read the full Database Security explanation →

A company wants to store database credentials for an Amazon RDS instance securely. Which AWS service should be used to rotate the credentials automatically?

Question 249mediummultiple choice
Read the full Database Security explanation →

A company needs to audit access to an Amazon DynamoDB table. The audit should capture which IAM user or role performed each action. Which AWS service should be used?

Question 250hardmultiple choice
Read the full Database Security explanation →

A company has an Amazon RDS for SQL Server DB instance that stores financial data. The security team requires that the data be encrypted at rest using a customer-managed key stored in AWS KMS. Additionally, they want to ensure that the key cannot be deleted without authorization. What should be done?

Question 251mediummultiple choice
Read the full Database Security explanation →

A company wants to restrict access to an Amazon DynamoDB table so that only requests from a specific VPC endpoint are allowed. Which policy should be attached to the table?

Question 252mediummultiple choice
Read the full Database Security explanation →

A company is using Amazon RDS for PostgreSQL with a read replica. The security team wants to ensure that data in transit between the primary DB instance and the read replica is encrypted. What should be done?

Question 253hardmultiple choice
Read the full NAT/PAT explanation →

A company needs to comply with PCI DSS requirements for an Amazon RDS for Oracle DB instance. The requirements include encryption of sensitive data at rest and in transit, and automated key rotation. Which combination of services and configurations should be used? (Select THREE.)

Question 254easymultiple choice
Read the full Database Security explanation →

A company has an Amazon DynamoDB table with a global secondary index (GSI). The security team wants to ensure that the table and the GSI are encrypted at rest. How can this be achieved?

Question 255hardmultiple choice
Read the full Database Security explanation →

A company is designing a security strategy for an Amazon Aurora MySQL database. They need to ensure that database activity is monitored for suspicious behavior and that alerts are sent when anomalies are detected. Which AWS services should be combined to achieve this? (Select TWO.)

Question 256mediummultiple choice
Read the full Database Security explanation →

A company has an Amazon RDS for MySQL DB instance that is publicly accessible. The security team wants to restrict access to only specific IP addresses. Which configuration should be used?

Question 257easymultiple choice
Read the full Database Security explanation →

A company wants to encrypt an existing unencrypted Amazon RDS for PostgreSQL DB instance. What is the correct procedure?

Question 258hardmultiple choice
Read the full Database Security explanation →

A company is using Amazon DynamoDB with client-side encryption using the DynamoDB Encryption Client. The encryption keys are stored in AWS KMS. The security team wants to ensure that the encryption keys can be used only by authorized applications. What should be done?

Question 259mediummultiple choice
Read the full Database Security explanation →

A company is using Amazon RDS for MySQL and needs to encrypt data at rest for an existing DB instance. Which approach meets this requirement with minimal downtime?

Question 260hardmultiple choice
Read the full Database Security explanation →

A security team is auditing IAM policies for Amazon RDS. They want to ensure that all RDS snapshots shared with other AWS accounts are encrypted. Which IAM policy condition key should be used to enforce this?

Question 261easymultiple choice
Read the full Database Security explanation →

A company uses Amazon Aurora MySQL and needs to audit all database logins, including failed attempts. Which feature should be enabled?

Question 262mediummultiple choice
Read the full Database Security explanation →

A developer needs to allow an application running on EC2 to access an Amazon RDS database without storing database credentials in the application code. Which solution is the MOST secure?

Question 263hardmultiple choice
Read the full Database Security explanation →

A company wants to enforce that all new Amazon RDS DB instances are created with encryption at rest enabled. Which approach should be taken?

Question 264easymultiple choice
Read the full Database Security explanation →

A company needs to securely store and manage the master password for their Amazon RDS for PostgreSQL instance. Which AWS service is purpose-built for managing secrets with automatic rotation?

Question 265mediummultiple choice
Read the full Database Security explanation →

An application uses an Amazon RDS for MySQL database. The security team requires that all traffic to the database be encrypted in transit. Which configuration ensures this?

Question 266hardmultiple choice
Read the full NAT/PAT explanation →

A company has an Amazon RDS for Oracle DB instance that needs to be encrypted at rest. The instance currently uses Oracle Transparent Data Encryption (TDE) with a key stored in the database. The company wants to use AWS KMS for key management. What is the correct migration path?

Question 267easymultiple choice
Read the full Database Security explanation →

A company wants to audit all SQL statements executed on their Amazon Aurora MySQL database for compliance. Which AWS feature should be enabled?

Question 268mediummulti select
Read the full Database Security explanation →

Which TWO actions should a company take to secure an Amazon RDS for MySQL database that is accessible from the internet? (Choose two.)

Question 269hardmulti select
Read the full Database Security explanation →

Which THREE components are required to set up IAM database authentication for an Amazon RDS for MySQL DB instance? (Choose three.)

Question 270easymulti select
Read the full Database Security explanation →

Which TWO AWS services can be used to centrally manage database credentials and automate rotation for Amazon RDS? (Choose two.)

Question 271hardmultiple choice
Read the full Database Security explanation →

A security engineer runs the commands shown in the exhibit for an RDS MySQL DB instance. The engineer wants to enforce SSL connections to the database. What should the engineer do?

Network Topology
Refer to the exhibit.

```
aws rds describe-db-instances --db-instance-identifier mydb --query "DBInstances[0].DBParameterGroups[0].ParameterGroupName"
aws rds describe-db-parameters --db-parameter-group-name default.mysql8.0 --query "Parameters[?ParameterName=='require_secure_transport']"

"ParameterGroupName": "default.mysql8.0"

"ParameterName": "require_secure_transport",
"ParameterValue": "OFF",
"AllowedValues": "OFF,ON",
"ApplyMethod": "pending-reboot",
"IsModifiable": true
```
Question 272mediummultiple choice
Read the full Database Security explanation →

An IAM policy is shown in the exhibit. What is the effect of this policy when a user tries to create an unencrypted RDS DB instance?

Exhibit

Refer to the exhibit.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "rds:CreateDBInstance",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "rds:CreateDBInstance",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "rds:StorageEncrypted": "false"
                }
            }
        }
    ]
}
```
Question 273easymultiple choice
Read the full Database Security explanation →

A snapshot of an Amazon RDS DB instance is shown in the exhibit. What does the output indicate?

Network Topology
Refer to the exhibit.

```
aws rds describe-db-snapshots --db-snapshot-identifier my-snapshot --query "DBSnapshots[0].Status" --query "DBSnapshots[0].Encrypted"

"Status": "encrypted"
"Encrypted": true
```
Question 274mediummultiple choice
Read the full Database Security explanation →

A company is using Amazon RDS for MySQL with automated backups enabled. The security team requires that all backups be encrypted at rest. Which configuration ensures that new automated backups are encrypted?

Question 275easymultiple choice
Read the full Database Security explanation →

A developer wants to grant an IAM user read-only access to an Amazon DynamoDB table named 'Orders' in the 'us-east-1' region. Which IAM policy should be attached to the user?

Question 276hardmultiple choice
Read the full NAT/PAT explanation →

A financial company uses Amazon RDS for PostgreSQL with a custom parameter group. The security team wants to ensure that all connections to the database are encrypted in transit. Which combination of actions should the database administrator take? (Select TWO.)

Question 277easymultiple choice
Read the full Database Security explanation →

A developer is troubleshooting an issue where an IAM user cannot perform a 'DescribeTable' action on a DynamoDB table. The IAM policy attached to the user is: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["dynamodb:GetItem","dynamodb:PutItem"],"Resource":"*"}]}. What is the most likely reason for the failure?

Question 278mediummulti select
Read the full Database Security explanation →

A company is migrating its Oracle database to Amazon RDS for Oracle. The security team requires that all data be encrypted at rest using a customer-managed AWS KMS key. Which TWO steps are necessary to achieve this?

Question 279hardmulti select
Read the full Database Security explanation →

A company uses Amazon DynamoDB with a global secondary index (GSI). The security team requires that only specific IAM users can query the GSI. Which THREE conditions must be met to restrict access to the GSI?

Question 280mediummultiple choice
Read the full Database Security explanation →

A database administrator runs the command shown in the exhibit. The security team requires that the database be encrypted at rest. What should the administrator do to enable encryption?

Network Topology
Refer to the exhibit.

```
$ aws rds describe-db-instances --db-instance-identifier mydb
```

CLI command output:

```
"DBInstances": [
    "DBInstanceIdentifier": "mydb",
    "Engine": "mysql",
    "DBInstanceStatus": "available",
    "StorageEncrypted": false,
    "KmsKeyId": null,
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-12345", "Status": "active"}],
    "ParameterGroups": [{"DBParameterGroupName": "default.mysql8.0", "ParameterApplyStatus": "in-sync"}
```
Question 281hardmulti select
Read the full Database Security explanation →

A company uses Amazon RDS for SQL Server with Multi-AZ deployment. The security team wants to ensure that all data at rest is encrypted using a customer-managed KMS key in both the primary and standby instances. Which THREE actions are required?

Question 282easymultiple choice
Read the full Database Security explanation →

A company wants to restrict access to an Amazon RDS for MySQL DB instance so that only applications running in a specific VPC can connect. Which solution should be implemented?

Question 283mediummultiple choice
Read the full Database Security explanation →

A user is unable to list the contents of the S3 bucket 'my-db-backups' using the AWS CLI. The IAM policy attached to the user is shown in the exhibit. What is the likely cause?

Exhibit

Refer to the exhibit.

IAM policy attached to a user:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::my-db-backups/*"
        }
    ]
}
```
Question 284mediummulti select
Read the full Database Security explanation →

A company uses Amazon RDS for PostgreSQL and wants to audit all database login attempts. Which TWO services can be used together to achieve this?

Question 285hardmultiple choice
Read the full Database Security explanation →

A company runs a production Amazon DynamoDB table with on-demand capacity. The security team requires that all access to the table be logged for compliance. What is the most cost-effective way to log every DynamoDB API call?

Question 286easymultiple choice
Read the full Database Security explanation →

A company needs to encrypt an existing unencrypted Amazon RDS for Oracle DB instance. Which set of steps should be followed?

Question 287hardmultiple choice
Read the full Database Security explanation →

A CloudFormation template is used to create an RDS DB instance with encryption, as shown in the exhibit. The stack creation fails because the DB instance creation fails. What is the most likely cause?

Exhibit

Refer to the exhibit.

CloudFormation snippet:

```
Resources:
  MyDBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.medium
      AllocatedStorage: 100
      StorageEncrypted: true
      KmsKeyId: !Ref MyKMSKey
      MasterUsername: admin
      MasterUserPassword: !Ref DBPassword
  MyKMSKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
```
Question 288mediummultiple choice
Read the full Database Security explanation →

A company uses Amazon RDS for MySQL and wants to ensure that database users are authenticated using IAM database authentication. Which action must be performed to enable this?

Question 289hardmultiple choice
Read the full Database Security explanation →

A company wants to audit all SQL queries made to their Amazon RDS for MySQL database. Which AWS service should they use?

Question 290easymultiple choice
Read the full Database Security explanation →

A company needs to encrypt data at rest for their Amazon Aurora PostgreSQL database. Which solution is the MOST secure and requires the least operational overhead?

Question 291mediummultiple choice
Read the full Database Security explanation →

A security team is investigating a potential data breach in an Amazon RDS for SQL Server database. They need to determine which user executed a specific DELETE statement at a particular time. What should they do?

Question 292easymultiple choice
Read the full Database Security explanation →

A company wants to restrict access to an Amazon DynamoDB table so that only specific IAM users can read and write data. What is the BEST way to achieve this?

Question 293hardmultiple choice
Read the full Database Security explanation →

A company hosts a critical application on Amazon RDS for PostgreSQL. The security team requires that all database connections be encrypted in transit. Which configuration step is necessary?

Question 294mediummultiple choice
Read the full Database Security explanation →

A company is using Amazon RDS for Oracle with Transparent Data Encryption (TDE) enabled. They need to rotate the TDE master key. What is the correct procedure?

Question 295easymultiple choice
Read the full Database Security explanation →

A company wants to ensure that an Amazon RDS for MySQL database is automatically backed up daily and backups are encrypted. What should they do?

Question 296hardmultiple choice
Read the full Database Security explanation →

A company is using Amazon DynamoDB with encryption at rest using an AWS managed key. The security team now requires that the encryption key be rotated every 90 days. What should they do?

Question 297mediummultiple choice
Read the full Database Security explanation →

A company is using Amazon RDS for PostgreSQL and needs to audit login attempts. Which configuration is required?

Question 298hardmulti select
Read the full Database Security explanation →

Which TWO actions can be used to encrypt an existing unencrypted Amazon RDS for MySQL DB instance? (Choose 2.)

Question 299mediummulti select
Read the full Database Security explanation →

Which THREE measures can help protect an Amazon RDS database from a DDoS attack? (Choose 3.)

Question 300easymulti select
Read the full NAT/PAT explanation →

Which TWO AWS services can be used to monitor and alert on suspicious database access patterns in Amazon RDS? (Choose 2.)

Question 301mediummultiple choice
Read the full Database Security explanation →

Refer to the exhibit. An IAM policy is attached to a user. The user attempts to delete a DB instance named 'prod-db'. What will happen?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:ModifyDBInstance"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "rds:DeleteDBInstance",
      "Resource": "arn:aws:rds:us-east-1:123456789012:db:prod-*"
    }
  ]
}
```
Question 302hardmultiple choice
Read the full Database Security explanation →

Refer to the exhibit. An engineer runs the CLI command to check security groups attached to the RDS instance 'mydb'. The output shows only one security group. The engineer wants to ensure that only traffic from an application server with IP 10.0.1.5 is allowed to the database port 3306. Which security group rule should be added?

Network Topology
```
aws rds describe-db-instances --db-instance-identifier mydb --query 'DBInstances[0].VpcSecurityGroups' --output json

"VpcSecurityGroupId": "sg-12345",
"Status": "active"
```
Question 303hardmultiple choice
Read the full Database Security explanation →

Refer to the exhibit. A company has an S3 bucket with server-side encryption using AWS KMS. The bucket policy allows access to a user, but the user receives 'Access Denied' when trying to download an object. The IAM policy for the user is shown. What is the MOST likely cause?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/abc123",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.amazonaws.com"
        }
      }
    }
  ]
}
```
Question 304mediummultiple choice
Read the full Database Security explanation →

A company is launching a new application that requires an Amazon RDS for PostgreSQL database. The database will store highly sensitive data, and the security team mandates that all data at rest must be encrypted. The company also requires that the encryption keys be managed by the security team using AWS CloudHSM. What is the MOST efficient way to meet these requirements?

Question 305easymultiple choice
Read the full Database Security explanation →

A security audit reveals that an Amazon RDS for MySQL DB instance is accessible from the internet. The security team requires that the database be accessible only from a specific set of application servers within the same VPC. Which solution should be implemented?

Question 306hardmultiple choice
Read the full Database Security explanation →

A company uses Amazon DynamoDB with fine-grained access control using IAM policies. A developer reports that an application role can read and write to the 'orders' table but cannot perform a Scan operation on a Global Secondary Index (GSI). The IAM policy attached to the role includes 'dynamodb:Scan' and the resource ARN for the table. What is the likely reason for this failure?

Question 307easymultiple choice
Read the full Database Security explanation →

A company wants to centrally manage database user credentials and rotate them automatically. The database is an Amazon RDS for MySQL instance. Which AWS service should be used?

Question 308mediummultiple choice
Read the full Database Security explanation →

A database administrator needs to audit all SQL statements executed on an Amazon RDS for Oracle DB instance. The audit logs must be stored in Amazon S3 for long-term retention and analysis with Amazon Athena. Which solution meets these requirements?

Question 309mediummulti select
Read the full Database Security explanation →

A security engineer is designing a disaster recovery plan for an Amazon DynamoDB table that contains sensitive data. The table is encrypted using an AWS KMS customer managed key (CMK). The engineer needs to ensure that the table can be restored in a different AWS Region. Which TWO actions must be taken to enable cross-region restores with the same encryption? (Choose TWO.)

Question 310hardmulti select
Read the full Database Security explanation →

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database contains sensitive personally identifiable information (PII). The security team requires that the data be encrypted in transit between the application and the RDS instance, and also encrypted at rest using a key managed by the company. Which THREE actions should the company take? (Choose THREE.)

Question 311easymulti select
Read the full Database Security explanation →

A developer is building a serverless application that uses Amazon DynamoDB. The application needs to access the database from an AWS Lambda function. The security team mandates that the Lambda function should not use long-term AWS credentials. Which TWO steps should be taken to securely grant access? (Choose TWO.)

Question 312hardmultiple choice
Read the full Database Security explanation →

A database administrator has the IAM policy shown in the exhibit attached to their user. When they try to run the AWS CLI command `aws rds describe-db-instances --region us-west-2`, they receive an access denied error. Why does this fail?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:ModifyDBInstance"
      ],
      "Resource": "arn:aws:rds:us-east-1:123456789012:db:prod-db"
    },
    {
      "Effect": "Allow",
      "Action": "rds:DescribeDBInstances",
      "Resource": "*"
    }
  ]
}
```
Question 313mediummultiple choice
Read the full Database Security explanation →

A company has an Amazon RDS for SQL Server DB instance that stores financial data. The security team requires that all database activity be monitored in real-time for suspicious queries. Which AWS service should be used to meet this requirement?

Question 314mediummultiple choice
Read the full Database Security explanation →

A company runs an e-commerce platform on AWS using an Amazon Aurora MySQL database. The database is accessed by multiple microservices, each using a separate database user. The security team recently discovered that a developer accidentally committed database credentials to a public GitHub repository. The credentials were for a user that had write access to the database. The team immediately revoked the credentials and rotated them. However, they want to prevent such incidents from happening again. They need a solution that ensures credentials are not hardcoded in application code, are rotated automatically, and are accessible only to authorized microservices. What should they do?

Question 315hardmultiple choice
Read the full Database Security explanation →

A financial services company uses Amazon DynamoDB to store transaction data. The table is encrypted with an AWS managed KMS key. The compliance team requires that the encryption key be rotated every 90 days. The current key was created 6 months ago and has not been rotated. The company also needs to ensure that all access to the table is logged for audit purposes. The security engineer proposes to enable DynamoDB Streams and AWS CloudTrail. However, the compliance team notes that CloudTrail only logs management plane events (e.g., CreateTable) and not data plane events (e.g., GetItem, PutItem). What should the engineer do to meet both requirements?

Question 316easymultiple choice
Read the full Database Security explanation →

A startup is using Amazon RDS for MySQL as its primary database. The database contains user profiles and payment information. The security team wants to ensure that database snapshots are encrypted and that the encryption key is managed by the company. The team also wants to enforce that all future snapshots are encrypted automatically. The current RDS instance is not encrypted. What should they do?

Question 317hardmultiple choice
Read the full Database Security explanation →

A company has a multi-account AWS environment using AWS Organizations. The security team wants to centrally manage database encryption keys for all Amazon RDS instances across accounts. They require that the keys be stored in a single account, and that each account can use the key to encrypt its RDS instances. Additionally, they want to automatically rotate the keys every year. Which solution should they implement?

Question 318mediummultiple choice
Read the full Database Security explanation →

A company is using Amazon DynamoDB with a TTL attribute to automatically delete expired items. The security team is concerned that deleted items might still be recoverable from backups. They need to ensure that once an item is deleted by TTL, it is not included in future on-demand backups. Additionally, they want to ensure that the TTL deletion itself is logged for audit purposes. What should they do?

Question 319easymultiple choice
Read the full Database Security explanation →

A company is using Amazon RDS for MySQL with encryption at rest enabled. The security team wants to ensure that the database backups stored in Amazon S3 are also encrypted using a customer-managed KMS key. What should be done to meet this requirement?

Question 320mediummultiple choice
Read the full Database Security explanation →

A company is using Amazon Aurora MySQL and needs to audit all database logins, including failed attempts, and store the audit logs for one year for compliance. The logs must be immutable and accessible only by the security team. Which solution should the company implement?

Question 321hardmultiple choice
Read the full NAT/PAT explanation →

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database contains sensitive data that must be encrypted at rest using a customer-managed KMS key. The company also needs to ensure that the database is automatically patched by AWS. Which DB instance configuration should be used?
