20+ practice questions focused on Database Security — one of the most tested topics on the AWS Certified Database Specialty DBS-C01 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
Start Database Security PracticeA company runs an Amazon RDS for MySQL DB instance in a VPC. Security requirements mandate that only specific EC2 instances in the same VPC can connect to the database. The security group attached to the RDS instance currently allows inbound traffic on port 3306 from 0.0.0.0/0. Which combination of steps should a database specialist take to meet the security requirement without impacting existing application connectivity? (Choose two.)
Explanation: Option B is correct because removing the overly permissive inbound rule for 0.0.0.0/0 on the RDS security group eliminates unrestricted access, which is a direct violation of the security requirement. Option C is correct because adding an inbound rule that references the security group ID of the EC2 instances allows traffic only from those instances, leveraging security group referencing for granular, stateful access control within the same VPC.
A company uses Amazon DynamoDB with a table that stores sensitive customer data. The security team requires that all data at rest be encrypted using a customer-managed AWS KMS key (CMK). Additionally, the company needs to ensure that only specific IAM roles can access the table. Which solution meets these requirements with the least operational overhead?
Explanation: Option D is correct because it combines DynamoDB encryption at rest with a customer-managed KMS CMK and uses an IAM role policy with an encryption context condition. This ensures that only specific IAM roles can access the table, and the encryption context condition ties the KMS key usage to the table, providing fine-grained access control with minimal operational overhead. The encryption context is automatically set by DynamoDB to the table ARN, so the condition key `kms:EncryptionContext:aws:dynamodb:tableName` can be used to restrict decryption to that specific table.
A database specialist is troubleshooting a connectivity issue with an Amazon RDS for PostgreSQL instance. The instance is in a VPC with a public subnet. The security group allows inbound traffic on port 5432 from the application server's IP address. The application server is in the same VPC but in a private subnet. Despite the security group configuration, the application cannot connect. Which action should the specialist take to resolve the issue?
Explanation: Option E is correct because the application server is in a private subnet, so it communicates with the RDS instance using its private IP address. The security group inbound rule must allow traffic from the application server's private IP (or the security group of the application server) on port 5432. The current rule only allows the application server's public IP, which is not used for traffic within the VPC, causing the connection failure.
A company stores financial data in an Amazon Aurora MySQL DB cluster. The security team requires that database audit logs be stored in Amazon CloudWatch Logs and encrypted at rest using a customer-managed KMS key. The database specialist enables audit log publishing to CloudWatch Logs and specifies a KMS key for log encryption. However, the audit logs are not appearing in CloudWatch Logs. What is the most likely cause?
Explanation: When publishing database audit logs to CloudWatch Logs with a customer-managed KMS key, the IAM role used by RDS must have explicit permissions for the `kms:Encrypt` and `kms:Decrypt` actions on the KMS key. Without these permissions, RDS cannot encrypt the log stream, and the logs will not appear. Option C correctly identifies this missing permission as the most likely cause.
A company uses Amazon ElastiCache for Redis to cache session data. The security team requires that all data in transit be encrypted. The Redis cluster currently does not have encryption in transit enabled. The database specialist needs to enable encryption in transit with minimal downtime. Which action should the specialist take?
Explanation: Encryption in transit for ElastiCache for Redis can only be enabled at cluster creation time; it cannot be added to an existing cluster. Therefore, the correct approach is to create a new Redis cluster with encryption in transit enabled, migrate the session data from the existing cluster (e.g., using replication or a manual export/import), and then redirect application traffic to the new cluster. This ensures minimal downtime if the migration is performed during a maintenance window or using a blue/green deployment strategy.
+15 more Database Security questions available
Practice all Database Security questions1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Database Security. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Database Security questions on the DBS-C01 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Database Security is tested as part of the AWS Certified Database Specialty DBS-C01 blueprint. Practicing with targeted Database Security questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free DBS-C01 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Database Security is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.
Launch a full Database Security practice session with instant scoring and detailed explanations.
Start Database Security Practice →