Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


DBS-C01 Database Security Practice Questions

20+ practice questions focused on Database Security — one of the most tested topics on the AWS Certified Database Specialty DBS-C01 exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Sample Database Security Questions

1. A company runs an Amazon RDS for MySQL DB instance in a VPC. Security requirements mandate that only specific EC2 instances in the same VPC can connect to the database. The security group attached to the RDS instance currently allows inbound traffic on port 3306 from 0.0.0.0/0. Which combination of steps should a database specialist take to meet the security requirement without impacting existing application connectivity? (Choose two.)

A. Modify the network ACL for the DB subnet to allow inbound port 3306 from the EC2 instance's private IP.
B. Remove the inbound rule for 0.0.0.0/0 on the RDS security group.
C. Add an inbound rule to the RDS security group referencing the security group ID of the EC2 instances.
D. Modify the DB subnet group to place the RDS instance in a public subnet with a route to the EC2 instance.

Explanation: Option B is correct because removing the overly permissive inbound rule for 0.0.0.0/0 on the RDS security group eliminates unrestricted access, which is a direct violation of the security requirement. Option C is correct because adding an inbound rule that references the security group ID of the EC2 instances allows traffic only from those instances, leveraging security group referencing for granular, stateful access control within the same VPC.

2. A company uses Amazon DynamoDB with a table that stores sensitive customer data. The security team requires that all data at rest be encrypted using a customer-managed AWS KMS key (CMK). Additionally, the company needs to ensure that only specific IAM roles can access the table. Which solution meets these requirements with the least operational overhead?

A. Enable encryption at rest using AWS KMS with a CMK and use column-level encryption with AWS KMS to restrict access.
B. Attach a resource-based policy to the DynamoDB table that grants access only to the specific IAM roles.
C. Use a DynamoDB Accelerator (DAX) cluster with encryption at rest using a CMK, and attach a resource-based policy to the table.
D. Configure the DynamoDB table to use AWS KMS encryption with a CMK. Create an IAM role with a policy that grants access to the table and includes a condition that the encryption context matches the CMK.

Explanation: Option D is correct because it combines DynamoDB encryption at rest with a customer-managed KMS CMK and uses an IAM role policy with an encryption context condition. This ensures that only specific IAM roles can access the table, and the encryption context condition ties the KMS key usage to the table, providing fine-grained access control with minimal operational overhead. The encryption context is automatically set by DynamoDB to the table ARN, so the condition key `kms:EncryptionContext:aws:dynamodb:tableName` can be used to restrict decryption to that specific table.

3. A database specialist is troubleshooting a connectivity issue with an Amazon RDS for PostgreSQL instance. The instance is in a VPC with a public subnet. The security group allows inbound traffic on port 5432 from the application server's IP address. The application server is in the same VPC but in a private subnet. Despite the security group configuration, the application cannot connect. Which action should the specialist take to resolve the issue?

A. Launch the RDS instance in the default VPC.
B. Change the DB subnet group to include the application server's subnet.
C. Add a network ACL rule allowing inbound traffic on port 5432 from the application server's public IP.
D. Modify the RDS instance to be publicly accessible.

Explanation: Option E is correct because the application server is in a private subnet, so it communicates with the RDS instance using its private IP address. The security group inbound rule must allow traffic from the application server's private IP (or the security group of the application server) on port 5432. The current rule only allows the application server's public IP, which is not used for traffic within the VPC, causing the connection failure.

4. A company stores financial data in an Amazon Aurora MySQL DB cluster. The security team requires that database audit logs be stored in Amazon CloudWatch Logs and encrypted at rest using a customer-managed KMS key. The database specialist enables audit log publishing to CloudWatch Logs and specifies a KMS key for log encryption. However, the audit logs are not appearing in CloudWatch Logs. What is the most likely cause?

A. The CloudWatch Logs log group does not exist and RDS cannot create it automatically.
B. The DB cluster is not configured to export error logs, only audit logs.
C. The IAM role used for publishing logs does not have the necessary permissions to use the KMS key for CloudWatch Logs.
D. CloudWatch Logs does not support encryption with customer-managed KMS keys for audit logs.

Explanation: When publishing database audit logs to CloudWatch Logs with a customer-managed KMS key, the IAM role used by RDS must have explicit permissions for the `kms:Encrypt` and `kms:Decrypt` actions on the KMS key. Without these permissions, RDS cannot encrypt the log stream, and the logs will not appear. Option C correctly identifies this missing permission as the most likely cause.

5. A company uses Amazon ElastiCache for Redis to cache session data. The security team requires that all data in transit be encrypted. The Redis cluster currently does not have encryption in transit enabled. The database specialist needs to enable encryption in transit with minimal downtime. Which action should the specialist take?

A. Create a new Redis cluster with encryption in transit enabled, and migrate the data from the existing cluster.
B. Update the Redis parameter group to enable the 'encryption-in-transit' parameter and reboot the cluster.
C. Use a security group to enforce encrypted connections by allowing only TLS traffic.
D. Modify the existing Redis cluster to enable encryption in transit using the AWS CLI.

Explanation: Encryption in transit for ElastiCache for Redis can only be enabled at cluster creation time; it cannot be added to an existing cluster. Therefore, the correct approach is to create a new Redis cluster with encryption in transit enabled, migrate the session data from the existing cluster (e.g., using replication or a manual export/import), and then redirect application traffic to the new cluster. This ensures minimal downtime if the migration is performed during a maintenance window or using a blue/green deployment strategy.


How to master Database Security for DBS-C01

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Database Security. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Database Security questions on the DBS-C01 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many DBS-C01 Database Security questions are on the real exam?

The exact number varies per candidate. Database Security is tested as part of the AWS Certified Database Specialty DBS-C01 blueprint. Practicing with targeted Database Security questions ensures you can handle any format or difficulty that appears.

Are these DBS-C01 Database Security practice questions free?

Yes. Courseiva provides free DBS-C01 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Database Security one of the harder DBS-C01 topics?

Difficulty is subjective, but Database Security is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.


Topic Info

Topic: Database Security
Exam: DBS-C01
Questions available: 20+