CCNA Database Security Questions

75 of 321 questions · Page 3/5 · Database Security

151
Multi-Select · hard

Which THREE practices should be implemented to secure an Amazon DynamoDB table that stores personally identifiable information (PII)? (Select THREE.)

Select 3 answers
A. Use a VPC endpoint to access the table.
B. Enable encryption at rest using an AWS KMS customer-managed key.
C. Use an IAM policy to restrict who can access the table.
D. Enable AWS CloudTrail to log all DynamoDB API calls.
E. Enable encryption in transit using SSL/TLS.
Answers: B, C, D

Encryption at rest protects data.

Why this answer

Using IAM policies to restrict access is a security best practice. Encrypting the table at rest with a KMS key protects the data. Monitoring with CloudTrail provides an audit trail.

VPC endpoints help but are not a security practice for the table itself. Encryption in transit is done by DynamoDB automatically via HTTPS. Fine-grained access control can be achieved with IAM conditions, not attribute-based access control on the table itself.

152
Multi-Select · hard

A company uses Amazon DynamoDB with a global secondary index (GSI). The security team requires that only specific IAM users can query the GSI. Which THREE conditions must be met to restrict access to the GSI?

Select 3 answers
A. The policy must include a condition 'dynamodb:IndexName' with the index name.
B. The policy must include a condition key 'dynamodb:Attributes' to restrict which attributes are returned.
C. The user must have permission to query the base table as well.
D. The policy must allow the 'dynamodb:Query' action on the index.
E. The IAM policy must specify the index ARN in the Resource element.
Answers: C, D, E

Querying a GSI requires access to the base table.

Why this answer

Options C, D, and E are correct. Option B is wrong because a condition on 'dynamodb:Attributes' does not restrict access to the GSI itself; it restricts which attributes are projected. Option A is wrong because the index name must be specified in the resource ARN, not through a condition key.

153
MCQ · medium

A company wants to enforce encryption in transit for all connections to their ElastiCache for Redis cluster. Which security measure should they implement?

A. Set a parameter group with 'require_secure_transport' to ON.
B. Enable encryption in transit when creating the cluster.
C. Use VPC Flow Logs to monitor connections.
D. Enable encryption at rest using KMS.
Answer: B

This enforces TLS for all connections.

Why this answer

Option B is correct because ElastiCache for Redis enforces encryption in transit by enabling the feature at cluster creation time. This uses TLS to encrypt data moving between clients and the Redis nodes, ensuring that all connections are secured against eavesdropping or man-in-the-middle attacks. The setting cannot be changed after the cluster is provisioned, so it must be enabled during the initial setup.

Exam trap

The trap here is that candidates confuse the 'require_secure_transport' parameter from RDS with ElastiCache, or assume that encryption in transit can be enabled after cluster creation via a parameter group change, when in fact it is a one-time setting at launch.

How to eliminate wrong answers

Option A is wrong because ElastiCache for Redis does not support a 'require_secure_transport' parameter; that parameter exists in Amazon RDS for MySQL/MariaDB, not in ElastiCache. Option C is wrong because VPC Flow Logs capture metadata about network traffic (source/destination IPs, ports, protocols) but do not enforce or enable encryption in transit; they are a monitoring tool, not a security control for encryption. Option D is wrong because encryption at rest using KMS protects data stored on disk, not data in transit over the network; it addresses a different threat model.

154
MCQ · hard

A company is using Amazon DynamoDB with server-side encryption enabled. They need to ensure that all access to the table is audited. Which service should be used to capture data-plane API calls?

A. VPC Flow Logs
B. AWS Config
C. Amazon CloudWatch Logs
D. AWS CloudTrail
Answer: D

CloudTrail can log data events for DynamoDB, including GetItem, PutItem, etc., when configured.

Why this answer

Option D is correct because CloudTrail can record data-plane events for DynamoDB (e.g., GetItem, PutItem) when data events are enabled. Option C is wrong because CloudWatch Logs can store logs but does not capture API calls directly. Option A is wrong because VPC Flow Logs capture network traffic, not API calls.

Option B is wrong because AWS Config records configuration changes, not data-plane API calls.

155
MCQ · medium

An IAM policy is attached to an IAM user. The user wants to connect to an RDS MySQL database using IAM database authentication. What does this policy allow?

A. Allows the user to connect to any database on the RDS instance as any user.
B. Allows the user to manage the RDS instance.
C. Allows the user to connect to the RDS instance with the database user name 'db_user1'.
D. Allows the user to connect to the RDS instance with any database user name.
Answer: C

The resource specifies the database user.

Why this answer

Option C is correct. The policy allows the user to connect to the specified DB instance as the database user 'db_user1'. Option B is wrong because the policy only allows connecting as one database user.

Option D is wrong because the policy allows only one database user name. Option A is wrong because the resource is specific to a database instance and user.

156
Multi-Select · hard

A company uses Amazon RDS for SQL Server with Multi-AZ deployment. The security team wants to ensure that all database connections use SSL/TLS encryption. Which TWO actions should the database specialist take to enforce SSL connections? (Choose two.)

Select 2 answers
A. Use the RDS Console to enable 'Force SSL' on the DB instance.
B. Modify the DB parameter group to set 'require_secure_transport' to ON.
C. Create a server-level trigger that requires SSL for all logins.
D. Add an inbound rule to the security group that only allows traffic on port 1433 from IP addresses that use SSL.
E. Set the 'rds.force_ssl' parameter to 1 in the DB parameter group.
Answers: C, E

A trigger can enforce SSL by checking the session's protocol and denying non-SSL connections.

Why this answer

Option C is correct because SQL Server allows you to create a server-level DDL trigger that checks the login event and enforces SSL by examining the `@@OPTIONS` or `encrypt_option` in `sys.dm_exec_connections`. This is a supported method to force SSL for all connections to an RDS for SQL Server instance. Option E is correct because setting the `rds.force_ssl` parameter to 1 in the DB parameter group is the native RDS mechanism to enforce SSL/TLS for all connections to the DB instance.

Exam trap

The trap here is that candidates confuse MySQL-specific parameters (like `require_secure_transport`) with SQL Server parameters, or assume that security group rules can enforce encryption at the transport layer, when in fact they only control network access, not the encryption state of the connection.

157
MCQ · hard

A company is using Amazon DynamoDB with encryption at rest using an AWS managed key. The security team now requires that the encryption key be rotated every 90 days. What should they do?

A. Enable automatic key rotation in AWS KMS for the default DynamoDB key.
B. Create a new customer managed key and enable automatic rotation every 90 days.
C. Disable encryption at rest and implement client-side encryption.
D. Use a customer managed key and manually rotate it every 90 days by creating a new key and updating the DynamoDB table.
Answer: D

Manual rotation is required to achieve a 90-day rotation schedule.

Why this answer

DynamoDB encryption at rest with an AWS managed key does not support customer-controlled rotation. Option D is correct. Option A is wrong because AWS managed keys rotate automatically every year, not on a customer-defined schedule.

Option B is wrong because KMS automatic rotation is annual and cannot be set to 90 days. Option C is wrong because disabling encryption is not a valid option.

158
MCQ · medium

A company uses Amazon ElastiCache for Redis to cache session data. The security team requires that all data in transit be encrypted. The Redis cluster currently does not have encryption in transit enabled. The database specialist needs to enable encryption in transit with minimal downtime. Which action should the specialist take?

A. Create a new Redis cluster with encryption in transit enabled, and migrate the data from the existing cluster.
B. Update the Redis parameter group to enable the 'encryption-in-transit' parameter and reboot the cluster.
C. Use a security group to enforce encrypted connections by allowing only TLS traffic.
D. Modify the existing Redis cluster to enable encryption in transit using the AWS CLI.
E. Enable encryption in transit on the existing cluster by using the AWS Management Console.
Answer: A

Encryption in transit can only be enabled at cluster creation time.

Why this answer

Encryption in transit for ElastiCache for Redis can only be enabled at cluster creation time; it cannot be added to an existing cluster. Therefore, the correct approach is to create a new Redis cluster with encryption in transit enabled, migrate the session data from the existing cluster (e.g., using replication or a manual export/import), and then redirect application traffic to the new cluster. This ensures minimal downtime if the migration is performed during a maintenance window or using a blue/green deployment strategy.

Exam trap

The trap here is that candidates assume encryption in transit can be toggled on an existing cluster, similar to enabling encryption at rest, but AWS enforces it as a creation-time-only setting for ElastiCache for Redis.

How to eliminate wrong answers

Option B is wrong because there is no 'encryption-in-transit' parameter in a Redis parameter group; encryption in transit is a cluster-level setting that cannot be changed via parameter groups. Option C is wrong because security groups control network access at the IP/port level but cannot enforce TLS encryption; they do not enable encryption in transit on the Redis cluster itself. Option D is wrong because the AWS CLI cannot modify an existing cluster to enable encryption in transit; this setting is immutable after creation.

Option E is wrong because the AWS Management Console does not allow enabling encryption in transit on an existing cluster; it must be set at launch time.

159
MCQ · medium

A company is migrating its on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all data at rest be encrypted using a customer-managed key stored in AWS KMS, and that the key be rotated automatically every year. The company also needs to ensure that only specific IAM roles can access the key. Which combination of steps should the database administrator take to meet these requirements?

A. Create the RDS instance without encryption, then use the AWS Console to enable encryption after creation using a customer-managed key.
B. Create the RDS instance with encryption using the default AWS managed service key, and set up automatic key rotation in KMS.
C. Use AWS CloudHSM to generate and store the encryption key, and configure RDS to use the CloudHSM key for encryption.
D. Create the RDS instance with encryption enabled using a customer-managed KMS key, and configure the key policy to restrict access to the required IAM roles.
Answer: D

This meets encryption, key rotation, and access control requirements.

Why this answer

Option D is correct because enabling encryption on the RDS instance with a customer-managed KMS key allows rotation and access control via KMS key policies. Option A is wrong because RDS does not support enabling encryption after creation. Option B is wrong because the default service key does not allow custom rotation.

Option C is wrong because CloudHSM is not needed for this scenario.

160
MCQ · easy

A snapshot of an Amazon RDS DB instance is shown in the exhibit. What does the output indicate?

A. The snapshot creation is still in progress.
B. The snapshot is encrypted and the encryption process is complete.
C. The snapshot is not encrypted.
D. The snapshot is in the process of being encrypted.
Answer: B

The status 'encrypted' means the snapshot is encrypted.

Why this answer

Option B is correct because the snapshot is encrypted (Encrypted: true) and the status is 'encrypted', meaning the snapshot encryption is complete. Option D is wrong because the snapshot already exists and is encrypted. Option C is wrong because the snapshot is encrypted.

Option A is wrong because the status is not 'creating'.

161
Multi-Select · easy

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all data be encrypted at rest using a customer-managed KMS key. Additionally, the database should be accessible only from a specific VPC. Which THREE steps should the database specialist take to meet these requirements? (Choose three.)

Select 3 answers
A. Configure the security group for the RDS instance to allow inbound traffic only from the application security group.
B. Launch the RDS instance in a private subnet of the VPC.
C. Create a VPC endpoint for RDS and associate it with the DB instance.
D. Store the encryption key in Amazon S3 and configure RDS to use it.
E. Enable encryption at rest using a customer-managed KMS key when creating the RDS instance.
Answers: A, B, E

This restricts access to the application's security group.

Why this answer

Option A is correct because security groups act as a virtual firewall for RDS instances. By configuring the security group to allow inbound traffic only from the application security group, you restrict database access to specific application servers, meeting the requirement that the database be accessible only from a specific VPC.

Exam trap

The trap here is that candidates often confuse VPC endpoints with network access control, thinking a VPC endpoint restricts access to the database, when in fact it only provides a private connection path without limiting which resources can connect.

162
MCQ · hard

A company uses Amazon DynamoDB to store session data. The security team has enabled DynamoDB Accelerator (DAX) for performance. However, they are concerned about data encryption at rest. DAX encrypts data at rest by default. The security team wants to use a customer managed key (CMK) in AWS KMS. How can this be configured?

A. Use an asymmetric customer managed key because it provides better security.
B. DAX does not support encryption at rest with a customer managed key; only AWS managed keys are supported.
C. Enable encryption at rest on the DAX cluster after creation by modifying the cluster settings.
D. Create a DAX cluster and specify the KMS key ID of a symmetric customer managed key during creation.
Answer: D

DAX allows specifying a symmetric CMK during cluster creation.

Why this answer

Option D is correct because DAX supports specifying a KMS key at cluster creation, and it must be a symmetric CMK. Option B is wrong because DAX does support encryption at rest, and it can use a CMK. Option C is wrong because DAX uses KMS for encryption, not S3.

Option A is wrong because the KMS key must be a symmetric CMK; asymmetric CMKs are not supported for DAX encryption.

163
MCQ · hard

A company uses Amazon DynamoDB with a table that stores sensitive customer data. The security team requires that all data at rest be encrypted using a customer-managed AWS KMS key (CMK). Additionally, the company needs to ensure that only specific IAM roles can access the table. Which solution meets these requirements with the least operational overhead?

A. Enable encryption at rest using AWS KMS with a CMK and use column-level encryption with AWS KMS to restrict access.
B. Attach a resource-based policy to the DynamoDB table that grants access only to the specific IAM roles.
C. Use a DynamoDB Accelerator (DAX) cluster with encryption at rest using a CMK, and attach a resource-based policy to the table.
D. Configure the DynamoDB table to use AWS KMS encryption with a CMK. Create an IAM role with a policy that grants access to the table and includes a condition that the encryption context matches the CMK.
E. Configure the DynamoDB table to use AWS KMS encryption with a CMK, and attach a key policy to the CMK that allows only the specific IAM roles.
Answer: D

This ensures encryption with a CMK and restricts access using IAM conditions on the encryption context.

Why this answer

Option D is correct because it combines DynamoDB encryption at rest with a customer-managed KMS CMK and uses an IAM role policy with an encryption context condition. This ensures that only specific IAM roles can access the table, and the encryption context condition ties the KMS key usage to the table, providing fine-grained access control with minimal operational overhead. The encryption context is automatically set by DynamoDB to the table ARN, so the condition key `kms:EncryptionContext:aws:dynamodb:tableName` can be used to restrict decryption to that specific table.

Exam trap

The trap here is that candidates often confuse key policies with IAM policies, thinking that a key policy alone can restrict table access, or they incorrectly assume DynamoDB supports resource-based policies like S3 bucket policies.

How to eliminate wrong answers

Option A is wrong because column-level encryption is not a feature of DynamoDB; it would require application-level encryption, adding operational overhead and not directly restricting IAM role access to the table. Option B is wrong because DynamoDB does not support resource-based policies; it uses IAM policies for access control, and attaching a resource-based policy is not possible. Option C is wrong because DAX is a caching layer, not a security mechanism; it does not enforce table-level access control, and attaching a resource-based policy to the table is still not supported.

Option E is wrong because a key policy on the CMK controls who can use the key for encryption/decryption, but it does not directly control access to the DynamoDB table itself; IAM policies are needed for table access.

164
Multi-Select · easy

A company uses an Amazon RDS for MySQL DB instance that needs to be accessed by a Lambda function. Which TWO steps should be taken to ensure secure access?

Select 2 answers
A. Create an IAM role for the Lambda function with permissions to use RDS IAM database authentication.
B. Place the Lambda function in the same VPC as the RDS instance to avoid traversing the internet.
C. Store the database credentials in the Lambda environment variables.
D. Use the database master user account for the Lambda function.
E. Attach a NAT gateway to the Lambda function's VPC for outbound internet access.
Answers: A, B

IAM database authentication allows passwordless access using IAM roles.

Why this answer

Options A and B are correct. Placing the Lambda function in the same VPC and using an IAM role with least privilege are security best practices. Option C is wrong because storing credentials in Lambda environment variables is not secure.

Option D is wrong because using the database master user for Lambda is insecure. Option E is wrong because a NAT gateway is not needed for RDS access within the same VPC.

165
MCQ · easy

A company wants to encrypt data at rest for an existing Amazon RDS for MySQL DB instance. The database is currently unencrypted. What is the most efficient way to enable encryption?

A. Enable encryption on the existing DB instance by modifying the parameter group.
B. Create a snapshot of the DB instance, copy the snapshot with encryption enabled, and restore the DB instance from the encrypted snapshot.
C. Use AWS KMS to automatically encrypt the DB instance.
D. Modify the DB instance and enable encryption from the RDS console.
Answer: B

This is the standard procedure to encrypt an unencrypted RDS instance.

Why this answer

Option B is correct because RDS does not support enabling encryption on an existing unencrypted DB instance directly. You must create a snapshot, copy it with encryption enabled, and restore from that encrypted snapshot. Option A is incorrect because you cannot modify the DB instance to enable encryption.

Option C is incorrect because AWS KMS does not automatically encrypt the DB instance. Option D is incorrect because you cannot directly configure encryption on the existing instance.

166
Matching · medium

Match each AWS database migration tool/service to its function.


Descriptions

Migrates databases to AWS with minimal downtime

Converts database schema and code to target engine

Physical device for large-scale data transfer

Continuous replication for ongoing changes

ETL service for preparing and transforming data

Why these pairings

Tools for migrating and transforming database workloads.

167
MCQ · medium

An RDS DB instance has two security groups attached. Security group sg-12345678 allows inbound traffic on port 3306 from 0.0.0.0/0. Security group sg-87654321 allows inbound traffic on port 3306 from 10.0.0.0/16. What is the effective inbound access to the DB instance?

A. No IP addresses are allowed because the rules conflict.
B. Only the 0.0.0.0/0 range is allowed because sg-12345678 is more permissive.
C. Only the 10.0.0.0/16 range is allowed because sg-87654321 is more restrictive.
D. All IP addresses (0.0.0.0/0) are allowed to connect.
Answer: D

Since sg-12345678 allows all traffic, any IP can connect.

Why this answer

Option D is correct. Security group rules are evaluated together; the most permissive rule applies. Since sg-12345678 allows all IPs, the effective access is from 0.0.0.0/0.

Option A is wrong because both groups apply. Options B and C are wrong because the more permissive rule dominates; there is no override of the more permissive rule.

168
MCQ · easy

A security auditor reviews the output of a DynamoDB table description command as shown in the exhibit. Which statement accurately describes the encryption configuration of the Users table?

A. The table is encrypted using an AWS managed KMS key.
B. The table uses server-side encryption with an S3 managed key.
C. The table is not encrypted at rest.
D. The table is encrypted using a customer managed KMS key.
Answer: D

The output shows a specific KMS key ARN, indicating a customer managed key.

Why this answer

Option D is correct. The output shows SSEDescription with Status ENABLED, SSEType KMS, and a KMSMasterKeyArn, indicating that the table is encrypted using a customer-managed KMS key. Option A is incorrect because the key ARN is a customer managed key, not an AWS managed key.

Option C is incorrect because the status is ENABLED, so the table is encrypted.

169
MCQ · easy

A company is designing a multi-tier application that uses Amazon RDS for PostgreSQL. The application must encrypt data at rest and in transit. Which combination of steps should be taken to meet these requirements? (Choose the single best answer.)

A. Use client-side encryption for data before sending to RDS, and enable encryption at rest after the instance is created.
B. Enable encryption at rest when launching the RDS instance, and configure the DB parameter group to require SSL connections.
C. Launch the RDS instance without encryption, then enable encryption at rest using the AWS Console.
D. Use AWS KMS to encrypt the connection between the application and RDS.
Answer: B

Encryption at rest is enabled at creation; SSL enforcement ensures encryption in transit.

Why this answer

Option B is correct because Amazon RDS for PostgreSQL supports encryption at rest only when enabled at instance launch, and SSL/TLS encryption in transit is enforced by configuring the DB parameter group to require SSL connections (e.g., setting `rds.force_ssl=1`). Encryption at rest cannot be added after creation, and SSL ensures data is encrypted between the application and the database.

Exam trap

The trap here is that candidates assume encryption at rest can be enabled after launch (like modifying an EBS volume) or that KMS alone handles in-transit encryption, but RDS requires upfront planning for at-rest encryption and explicit SSL configuration for transit.

How to eliminate wrong answers

Option A is wrong because client-side encryption does not protect data in transit between the application and RDS, and encryption at rest cannot be enabled after the instance is created—it must be specified at launch. Option C is wrong because encryption at rest cannot be enabled on an existing unencrypted RDS instance; you must migrate to a new encrypted instance. Option D is wrong because AWS KMS is used for managing encryption keys, not for encrypting network connections; SSL/TLS is the correct mechanism for encryption in transit.

170
MCQ · easy

A developer needs to grant an IAM user the ability to perform all operations on an Amazon RDS DB instance except the ability to delete it. Which IAM policy action should be explicitly denied?

A. rds:RebootDBInstance
B. rds:StopDBInstance
C. rds:ModifyDBInstance
D. rds:DeleteDBInstance
Answer: D

Explicitly denying this action prevents deletion.

Why this answer

To prevent deletion, you must explicitly deny the rds:DeleteDBInstance action. Option C is wrong because rds:ModifyDBInstance does not delete. Option B is wrong because rds:StopDBInstance does not delete.

Option A is wrong because rds:RebootDBInstance does not delete.

171
MCQ · medium

A company is using Amazon DynamoDB with a global table. The security team requires that all data be encrypted at rest using a customer-managed KMS key. The table was originally created with AWS managed key encryption. The company wants to switch to a customer-managed key without downtime. What should they do?

A. Use the UpdateTable API to change the KMS key to the customer-managed key.
B. Enable DynamoDB Streams on the old table and use a Lambda function to copy data to a new table with the customer-managed key.
C. Create a new replica in the global table with the customer-managed key and then delete the old replica.
D. Create a new table with the customer-managed key, export the data from the old table using AWS Data Pipeline, and import into the new table.
Answer: D

This avoids downtime if done carefully; there is no direct migration tool, but it is the only way.

Why this answer

Option D is correct because you cannot modify the encryption key of an existing DynamoDB table. You must create a new table with the desired key and migrate the data. Option A is not possible.

Option B does not work for global tables, and updating the encryption key of a global table in place is not supported either. Option D is the correct process.

172
MCQ · hard

A company wants to enforce that all new Amazon RDS DB instances are created with encryption at rest enabled. Which approach should be taken?

A. Use an IAM policy that denies the rds:CreateDBInstance action unless rds:StorageEncrypted is set to true.
B. Use AWS CloudTrail to detect unencrypted instance creation and automatically delete them.
C. Use AWS Config rules to mark unencrypted instances as noncompliant.
D. Enable encryption by default in the RDS console.
Answer: A

This preventive control enforces encryption at creation time via IAM conditions.

Why this answer

Option A is correct because an IAM policy with a condition on rds:StorageEncrypted can deny creation of unencrypted instances. Option B is wrong because CloudTrail combined with CloudWatch Events can trigger a remediation Lambda function but does not prevent creation. Option C is wrong because AWS Config can detect noncompliant instances but does not enforce at creation time.

Option D is wrong because RDS does not have a default encryption setting at the account level.

173
MCQ · hard

A company is designing a multi-tenant application using Amazon Aurora MySQL. Each tenant's data must be isolated from others. They need to encrypt data at rest with a unique AWS KMS key per tenant. How can this be achieved?

A. Create separate databases within the same Aurora cluster and assign a different KMS key to each database.
B. Use client-side encryption with different KMS keys per tenant before inserting data into the database.
C. Use a single Aurora cluster with row-level encryption using different KMS keys per tenant.
D. Launch separate Aurora clusters for each tenant, each with its own KMS key for encryption at rest.
Answer: D

Each Aurora cluster can be encrypted with a different KMS key, providing per-tenant encryption at rest.

Why this answer

Option D is correct because Aurora MySQL does not support per-table or per-database encryption keys; encryption at rest is applied to the entire DB cluster using a single KMS key, so separate clusters per tenant are the only way to have per-tenant KMS keys, though this adds cost. Option A is wrong because RDS encryption is cluster-wide. Option B is wrong because it describes application-level encryption.

Option C is wrong for the same reason: Aurora does not support row-level encryption with a different KMS key per tenant.

174
MCQ · medium

A company wants to restrict access to an Amazon DynamoDB table so that only requests from a specific VPC endpoint are allowed. Which policy should be attached to the table?

A. A security group rule that allows traffic only from the VPC endpoint.
B. An IAM policy that denies access unless the request comes from the specific VPC.
C. A VPC endpoint policy that allows only the specific VPC endpoint to access the DynamoDB table.
D. An S3 bucket policy that references the DynamoDB table.
Answer: C

VPC endpoint policies can restrict access to specific resources and endpoints.

Why this answer

Option C is correct because a VPC endpoint policy can restrict access based on the source VPC endpoint. Option B is wrong because an IAM policy attached to a user would not restrict the source VPC. Option D is wrong because bucket policies are for S3.

Option A is wrong because security groups are for EC2 and RDS, not DynamoDB.

175
MCQ · medium

A company has an Amazon RDS for SQL Server DB instance that stores financial data. The security team requires that all database activity be monitored in real-time for suspicious queries. Which AWS service should be used to meet this requirement?

A. AWS CloudTrail
B. AWS Security Hub
C. Amazon GuardDuty with RDS Protection
D. Amazon Inspector
Answer: C

GuardDuty RDS Protection monitors database activity for threats.

Why this answer

Option C is correct because Amazon GuardDuty with RDS Protection can monitor database activity for threats in real time. Option A is wrong because AWS CloudTrail captures API calls, not SQL queries. Option D is wrong because Amazon Inspector is for vulnerability assessment.

Option B is wrong because Security Hub aggregates findings from other services.

176
MCQ · medium

A company has a production Amazon RDS for SQL Server database that stores financial data. The database administrator wants to audit all access to sensitive columns (e.g., credit card numbers) using the SQL Server Audit feature. The database is part of a Multi-AZ deployment. The administrator has enabled audit logging to the 'DEFAULT' file audit target, but the audit files are being written to the local instance storage and are not being retained after failover. The compliance team requires that audit logs be stored in Amazon S3 for at least 7 years. The administrator has set up an event subscription to send database events to an S3 bucket using AWS DMS, but the audit logs are not being captured. What should the administrator do to meet the compliance requirements?

A. Use RDS event subscriptions to send database audit logs to an S3 bucket.
B. Configure AWS DMS to continuously replicate the audit database to an S3 bucket.
C. Create a new SQL Server Audit target using the Amazon S3 option and configure the audit to write to an S3 bucket.
D. Enable RDS Enhanced Monitoring and configure it to send logs to CloudWatch Logs.
Answer: C

RDS for SQL Server supports custom audit targets to S3, allowing persistent storage of audit logs.

Why this answer

Option C is correct because Amazon RDS for SQL Server supports writing SQL Server Audit logs directly to an Amazon S3 bucket as an audit target. This is the only native method that persists audit logs beyond the instance lifecycle, ensuring they survive Multi-AZ failover and meet the 7-year retention requirement. The DEFAULT file target writes to ephemeral instance storage, which is lost on failover, and RDS event subscriptions or DMS cannot capture SQL Server Audit output.

Exam trap

The trap here is that candidates confuse RDS event subscriptions (which send metadata events) with actual audit log delivery, or assume DMS can replicate arbitrary file output, when in fact only the native S3 audit target persists SQL Server Audit logs in a durable, compliant manner.

How to eliminate wrong answers

Option A is wrong because RDS event subscriptions only send database events (e.g., instance state changes, backups) to S3, not the actual SQL Server Audit log files. Option B is wrong because AWS DMS is a database migration service that replicates tables or schemas, not audit file output; it cannot capture or stream SQL Server Audit binary files to S3. Option D is wrong because RDS Enhanced Monitoring collects OS-level metrics (CPU, memory, I/O) and sends them to CloudWatch Logs, not SQL Server Audit logs.

177
MCQeasy

A company uses Amazon Redshift for its data warehouse. The security team wants to encrypt the data at rest and ensure that only authorized users can access the encryption keys. Which AWS service should be used to manage the encryption keys?

A.AWS CloudHSM
B.AWS Key Management Service (KMS)
C.AWS Secrets Manager
D.AWS Systems Manager Parameter Store
AnswerB

KMS is the integrated key management service for Redshift encryption at rest.

Why this answer

Amazon Redshift uses AWS KMS for encryption at rest. You can use either the default AWS-managed key or a customer-managed CMK. KMS integrates with Redshift to encrypt data in the cluster and allows fine-grained control over key access via IAM policies.

CloudHSM is not directly integrated with Redshift. Secrets Manager and Systems Manager Parameter Store are for secrets, not encryption keys for Redshift.

178
Multi-Selectmedium

Which TWO of the following are methods to control access to an Amazon RDS DB instance? (Select TWO.)

Select 2 answers
A.VPC security groups
B.IAM policies
C.Amazon CloudWatch alarms
D.Database passwords
E.Amazon S3 bucket policies
AnswersA, B

Security groups act as a virtual firewall to control inbound traffic to the DB instance.

Why this answer

Options A and B are correct. Security groups control network access to the DB instance, and IAM policies control who can perform RDS API actions. Option D is wrong because database passwords are a form of authentication, not access control.

Option C is wrong because CloudWatch alarms monitor metrics; they do not control access. Option E is wrong because S3 bucket policies do not apply to RDS.

179
MCQmedium

A security engineer is investigating an Amazon RDS for MySQL database that was compromised. The engineer finds that the compromise was due to a SQL injection vulnerability in a web application. The web application uses a database user with full administrative privileges. What is the BEST practice to prevent such incidents in the future?

A.Create dedicated database users with minimal privileges required for each application function.
B.Configure the DB parameter group to use the 'sql_mode' option to reject dangerous queries.
C.Enable RDS audit logs to capture all SQL queries.
D.Place the RDS instance in a private subnet with a security group that restricts inbound traffic.
AnswerA

Least privilege ensures that even if compromised, the attacker has limited access.

Why this answer

Option A is correct because using separate database users with least privilege for each application function limits the impact of a compromise. Option C is wrong because database audit logs help detect incidents but do not prevent them. Option D is wrong because it reduces the attack surface but does not address the root cause, which is excessive privileges.

Option B is wrong because parameter groups do not enforce least privilege.

180
MCQhard

A company has a compliance requirement to encrypt all RDS snapshots at rest using a customer-managed KMS key. The RDS instance is already encrypted with an AWS-managed key. What is the correct procedure to ensure snapshots use the customer-managed key?

A.Create a new RDS instance with the customer-managed KMS key and migrate data using DMS.
B.Take a snapshot of the RDS instance, copy the snapshot specifying the customer-managed KMS key, and restore from the copied snapshot.
C.Change the default KMS key for the AWS account to the customer-managed key.
D.Modify the RDS instance to use the customer-managed KMS key directly.
AnswerB

This is the only way to re-encrypt the database with a new KMS key.

Why this answer

Option B is correct. You cannot change the encryption key of an existing RDS instance; you must create a snapshot, copy it with the new key, and restore from the copy. Options A and C are not possible, and Option D is not possible without copying.

181
Multi-Selectmedium

A security administrator is setting up a new Amazon RDS for SQL Server database. The company requires that all data be encrypted at rest and in transit. Additionally, the database must be accessible only from a specific CIDR range. Which TWO actions should the administrator take? (Choose TWO.)

Select 2 answers
A.Enable encryption at rest using AWS KMS.
B.Configure a security group that allows inbound traffic from the specific CIDR range.
C.Enable encryption in transit by modifying the RDS option group to include SSL.
D.Modify the DB parameter group to restrict network access.
E.Use AWS CloudHSM to manage encryption keys for the database.
AnswersA, B

Encryption at rest is a requirement.

Why this answer

Options A and B are correct. Option A: enabling encryption at rest with AWS KMS meets the at-rest requirement. Option B: configuring the security group to allow inbound traffic only from the specific CIDR range meets the network access restriction.

Option C is wrong because encryption in transit is handled by the database engine (SSL/TLS), not by an RDS option. Option D is wrong because the DB parameter group does not control network access. Option E is wrong because encryption at rest uses KMS, not CloudHSM, by default.

182
Multi-Selectmedium

A company is using Amazon RDS for MySQL and needs to comply with PCI DSS requirements. Which TWO actions should the company take to secure the database? (Choose TWO.)

Select 2 answers
A.Enable encryption at rest using AWS KMS.
B.Configure the database to write audit logs directly to an S3 bucket.
C.Enable audit logging to track database activities.
D.Enable public accessibility on the RDS instance to allow access from anywhere.
E.Change the default database port to a non-standard port.
AnswersA, C

Encryption at rest is required for data protection.

Why this answer

Options A and C are correct. Enabling encryption at rest protects data on disk, and enabling audit logging tracks database activity. Option D is wrong because public access should be disabled for security.

Option E is wrong because the default port is fine; changing it is not a security requirement. Option B is wrong because RDS audit logs are not written directly to S3; CloudWatch Logs is used.

183
Multi-Selecteasy

Which TWO methods can be used to securely connect to an Amazon RDS for PostgreSQL DB instance from an EC2 instance in the same VPC? (Select TWO.)

Select 2 answers
A.Use IAM database authentication.
B.Configure a security group that allows all traffic from the EC2 instance.
C.Use a bastion host to proxy the connection.
D.Connect using SSL/TLS.
E.Set up a VPC peering connection between the EC2 VPC and the RDS VPC.
AnswersA, D

IAM authentication provides secure authentication.

Why this answer

Using SSL/TLS encrypts the connection. Using IAM database authentication provides a secure authentication mechanism. A security group allows traffic but does not encrypt it.

A VPC peering connection does not encrypt traffic. A bastion host may add an encrypted hop but is not itself a connection method.

184
MCQmedium

A company is using Amazon Redshift for data warehousing. They need to ensure that data is encrypted at rest using a customer-managed AWS KMS key. The cluster is currently unencrypted. What is the simplest way to enable encryption?

A.Create a new Redshift cluster with encryption enabled and migrate the data.
B.Enable encryption directly on the existing cluster using AWS CLI.
C.Create a snapshot of the existing cluster and restore it to a new encrypted cluster.
D.Modify the existing cluster and enable encryption using the Redshift console.
AnswerA

This is the simplest method; create a new encrypted cluster and copy the data.

Why this answer

Option A is correct because you cannot enable encryption on an existing Redshift cluster. You must create a new cluster with encryption enabled, then copy data from the old cluster to the new one. Option D is wrong because modifying the cluster does not support enabling encryption.

Option B is wrong because you cannot directly encrypt an existing cluster. Option C is wrong because, although restoring a snapshot to an encrypted target is possible, you must first create an unencrypted snapshot and then restore it to an encrypted cluster; since that still means creating a new cluster, the simplest method is to create a new encrypted cluster and copy the data.

185
MCQmedium

A company is using DynamoDB with a VPC endpoint. They want to restrict access to only requests originating from their VPC. Which policy condition should be used?

A.'aws:SourceVpce': 'vpce-12345678'
B.'aws:VpcSourceIp': '10.0.0.0/16'
C.'s3:x-amz-server-side-encryption': 'AES256'
D.'aws:SourceVpc': 'vpc-12345678'
AnswerA

This condition ensures requests come only from the specified VPC endpoint.

Why this answer

Option A is correct because the 'aws:SourceVpce' condition key allows you to restrict access to requests originating from a specific VPC endpoint (interface endpoint) in your VPC. This ensures that only traffic coming through that VPC endpoint can access the DynamoDB table, providing a network-level security boundary. The condition must reference the exact VPC endpoint ID (e.g., 'vpce-12345678') to enforce this restriction.

Exam trap

The trap here is that candidates often confuse 'aws:SourceVpc' (which restricts by VPC ID but is not supported for VPC endpoint policies) with 'aws:SourceVpce' (the correct key for endpoint-level restrictions), leading them to pick Option D instead of A.

How to eliminate wrong answers

Option B is wrong because 'aws:VpcSourceIp' is not a valid AWS condition key; the correct key for restricting by source IP is 'aws:SourceIp', but that would not restrict to VPC-originated traffic specifically. Option C is wrong because 's3:x-amz-server-side-encryption' is an S3-specific condition key for encryption headers, irrelevant to DynamoDB VPC endpoint access control. Option D is wrong because 'aws:SourceVpc' restricts based on the VPC ID, but it does not work for VPC endpoint policies; the correct key for VPC endpoint restrictions is 'aws:SourceVpce' (the endpoint ID), not the VPC ID.

186
MCQmedium

A company is using Amazon RDS for PostgreSQL with a read replica. The security team wants to ensure that data in transit between the primary DB instance and the read replica is encrypted. What should be done?

A.Set up a VPN connection between the primary and the replica.
B.Configure the read replica to use a different KMS key.
C.Enable SSL/TLS on the read replica and configure the primary to use it.
D.Enable encryption at rest on the primary DB instance using AWS KMS.
AnswerD

Encrypted replication is automatically enabled when the primary is encrypted.

Why this answer

Option D is correct because enabling encryption at rest on the primary instance automatically encrypts the replication traffic. Option B is wrong because encryption in transit between primary and replica is automatic once the primary is encrypted. Option C is wrong because SSL/TLS is for client connections, not replication.

Option A is wrong because a VPN is not needed.

187
MCQeasy

A company wants to ensure that an Amazon RDS for MySQL database is automatically backed up daily and backups are encrypted. What should they do?

A.Take manual snapshots daily and enable encryption on the snapshot copy.
B.Use Amazon CloudWatch Events to trigger a Lambda function that exports the database to S3 with encryption.
C.Enable automated backups and encryption at rest on the RDS instance.
D.Configure AWS Backup to back up the RDS instance to an S3 bucket with default encryption.
AnswerC

Automated backups are encrypted if encryption at rest is enabled.

Why this answer

Automated backups with encryption at rest ensure the backups are encrypted, so Option C is correct. Option A is wrong because manual snapshots are not automatic.

Option D is wrong because backups are stored in S3, but their encryption is controlled by KMS on the instance, not by bucket encryption. Option B is wrong because CloudWatch does not manage backups.

188
MCQmedium

A company has an Amazon RDS for PostgreSQL DB instance that needs to be accessed by an application running on an Amazon EC2 instance. Both resources are in the same VPC. The security team insists that all traffic between the application and the database be encrypted in transit. Which configuration ensures this?

A.Add a security group rule that allows traffic only from the EC2 instance's private IP.
B.Create an AWS Site-to-Site VPN connection between the EC2 instance and the RDS instance.
C.Enable SSL/TLS on the RDS instance and configure the application to connect using SSL.
D.Set up VPC peering between the EC2 instance's VPC and the RDS instance's VPC.
AnswerC

SSL/TLS encrypts the database connection.

Why this answer

Option C is correct because enabling SSL/TLS on the RDS instance and configuring the application to use SSL ensures encryption in transit. Option A is wrong because security group rules control access, not encryption. Option D is wrong because VPC peering is for inter-VPC communication.

Option B is wrong because a VPN is not needed for same-VPC communication.

189
Multi-Selecteasy

A company is setting up an Amazon Aurora MySQL-compatible database. The security policy requires that all traffic between the application and database be encrypted in transit. Which TWO steps should be taken?

Select 2 answers
A.Use a Network Load Balancer with a TLS listener in front of the Aurora cluster.
B.Place the Aurora cluster in a private subnet with a VPN connection.
C.Set the 'require_secure_transport' parameter to 'ON' in the DB cluster parameter group.
D.Configure the application connection string to use the SSL-enabled endpoint (port 3306 with SSL).
E.Enable encryption at rest using AWS KMS.
AnswersC, D

This enforces SSL connections from clients.

Why this answer

To encrypt in transit, enforce SSL on the server side (Option C) and have the application use the SSL endpoint (Option D). Option A is not necessary because Aurora provides its own cluster endpoint. Option B is about network-level encryption, which is not required when SSL is used.

Option E is about data at rest, not in transit.

190
Multi-Selecthard

A company is deploying an Amazon DynamoDB table with server-side encryption using a customer-managed AWS KMS key. The security team requires that the key be automatically rotated every year and that access to the key be logged. Which THREE steps should be taken?

Select 3 answers
A.Enable automatic key rotation for the KMS key.
B.Use AWS CloudHSM to store the key and manage rotation.
C.Enable AWS CloudTrail to log KMS API calls.
D.Create a KMS key policy that allows only specific IAM roles to use the key.
E.Configure the DynamoDB table to use client-side encryption.
AnswersA, C, D

KMS supports automatic rotation yearly.

Why this answer

To meet the requirements, enable automatic key rotation (Option A), enable CloudTrail logging of KMS API calls (Option C), and create a KMS key policy that restricts key usage to specific roles (Option D). Option B is wrong because CloudHSM is not used here. Option E is wrong because DynamoDB encryption is managed by KMS, not by the application.

191
MCQhard

A company uses Amazon DynamoDB with fine-grained access control using IAM policies. A developer reports that an application role can read and write to the 'orders' table but cannot perform a Scan operation on a Global Secondary Index (GSI). The IAM policy attached to the role includes 'dynamodb:Scan' and the resource ARN for the table. What is the likely reason for this failure?

A.The policy has a condition that restricts Scan operations based on the time of day.
B.The role does not have permission to read from the base table.
C.The IAM policy does not include the GSI's ARN in the resource statement.
D.The IAM policy does not allow the 'dynamodb:Scan' action on the table.
AnswerC

GSIs have separate ARNs that must be explicitly allowed.

Why this answer

Option C is correct because DynamoDB GSIs have separate ARNs, and the policy must include the GSI ARN in its Resource element. Option D is wrong because the Scan action is allowed on the table; the GSI simply requires its own resource entry. Option A is wrong because condition keys are not relevant if the action is denied.

Option B is wrong because the role is allowed to read and write the base table, and Scan is a read action.
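A toy policy evaluator, added here as an example and not AWS code, showing the two IAM points behind questions 185 and 191: a GSI has its own ARN that the policy must list, and an aws:SourceVpce condition limits a grant to requests that arrive through one endpoint. The ARNs, the endpoint IDs and the evaluator's simplified semantics (wildcard matching, StringEquals only, explicit Deny wins) are assumptions.

```python
"""Toy IAM-style policy evaluator (added example, not AWS code).
Models only Action/Resource wildcards, a StringEquals condition and
explicit-Deny-wins, enough to show the points in questions 185 and 191.
All ARNs and IDs are constructed samples; the "Version" key is omitted.
"""
from fnmatch import fnmatchcase

TABLE_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/orders"
GSI_ARN = TABLE_ARN + "/index/status-index"
VPCE_ID = "vpce-0123456789abcdef0"

def _as_list(value):
    """Action, Resource and condition values may be a string or a list."""
    return value if isinstance(value, list) else [value]

def _conditions_hold(conditions, context):
    """Only StringEquals is modelled; any other operator fails closed."""
    for operator, pairs in conditions.items():
        if operator != "StringEquals":
            return False
        for key, wanted in pairs.items():
            # A missing context key never satisfies StringEquals.
            if context.get(key) not in _as_list(wanted):
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Explicit Deny wins; otherwise any matching Allow; otherwise implicit deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Question 191: the role's policy lists only the table ARN.
TABLE_ONLY_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Scan"],
    "Resource": TABLE_ARN,
}]}

# The fix: a GSI is a separate resource, so its ARN must be listed too
# (TABLE_ARN + "/index/*" would cover every index on the table).
TABLE_AND_GSI_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Scan"],
    "Resource": [TABLE_ARN, GSI_ARN],
}]}

# Question 185: the same grant, valid only for requests that arrive
# through one specific VPC endpoint.
VPCE_RESTRICTED_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": "dynamodb:*",
    "Resource": [TABLE_ARN, TABLE_ARN + "/index/*"],
    "Condition": {"StringEquals": {"aws:SourceVpce": VPCE_ID}},
}]}

def scan_decisions():
    """Scan on the table versus on its GSI under the two question-191 policies."""
    return {
        "table_only/table": is_allowed(TABLE_ONLY_POLICY, "dynamodb:Scan", TABLE_ARN),
        "table_only/gsi": is_allowed(TABLE_ONLY_POLICY, "dynamodb:Scan", GSI_ARN),
        "table_and_gsi/gsi": is_allowed(TABLE_AND_GSI_POLICY, "dynamodb:Scan", GSI_ARN),
    }

def vpce_decisions():
    """The same Query from the named endpoint, another endpoint, and no endpoint."""
    query = "dynamodb:Query"
    return {
        "named_endpoint": is_allowed(VPCE_RESTRICTED_POLICY, query, TABLE_ARN,
                                     {"aws:SourceVpce": VPCE_ID}),
        "other_endpoint": is_allowed(VPCE_RESTRICTED_POLICY, query, TABLE_ARN,
                                     {"aws:SourceVpce": "vpce-0fedcba9876543210"}),
        "no_endpoint": is_allowed(VPCE_RESTRICTED_POLICY, query, TABLE_ARN),
    }

if __name__ == "__main__":
    print(scan_decisions())  # table_only/gsi is False: the GSI ARN is not covered
    print(vpce_decisions())  # only named_endpoint is True
```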

192
MCQhard

A company is using Amazon Redshift for data warehousing. The security team requires column-level access control so that certain users cannot view specific columns containing PII. Which approach should the data engineer implement?

A.Create views that exclude the sensitive columns and grant SELECT on the views to the users.
B.Implement row-level security policies using CREATE ROW LEVEL SECURITY POLICY.
C.Use GRANT SELECT ON table (col1, col2) TO user.
D.Encrypt the sensitive columns using AWS KMS and decrypt in the application.
AnswerA

Views can restrict column access.

Why this answer

Option A is correct because Redshift supports column-level restriction via views that exclude the sensitive columns; you grant access to the view instead of the table. Option C is wrong because Redshift does not support column-level GRANT. Option B is wrong because row-level security does not restrict columns.

Option D is wrong because column-level encryption is not natively supported in Redshift and would require application changes.

193
MCQmedium

A company uses Amazon RDS for MySQL with encryption at rest enabled. The security team mandates that all access to the database must be authenticated using IAM database authentication. The database administrator has created a user 'app_user' and granted appropriate privileges. However, when the application tries to connect using an IAM authentication token, it receives an 'Access denied' error. Which action should be taken to resolve this issue?

A.Create a password for 'app_user' and use that password in the connection string.
B.Modify the security group to allow inbound traffic on port 3306 from the application's IP address.
C.Ensure the IAM role used by the application has a name that matches the database user 'app_user' and has the necessary policy attached.
D.Download the latest Amazon RDS CA certificate and add it to the application trust store.
AnswerC

IAM database authentication requires the database user name to match the IAM user or role name (or a mapped DB user) that has been granted the rds_iam role.

Why this answer

Option C is correct because IAM database authentication for RDS MySQL requires that the database user name matches the IAM role or user name used to generate the authentication token. The IAM role must have a policy that allows the `rds-db:connect` action with a resource ARN specifying the database user. Without this exact match, the authentication token is rejected, resulting in an 'Access denied' error.

Exam trap

The trap here is that candidates often confuse IAM database authentication with network-level security (security groups) or TLS certificate management, when the core requirement is the exact name match between the database user and the IAM principal (role or user) used to generate the token.

How to eliminate wrong answers

Option A is wrong because IAM database authentication does not use a static password; it relies on a temporary authentication token generated via the AWS CLI or SDK, and creating a password would bypass the mandated IAM authentication. Option B is wrong because the 'Access denied' error is an authentication failure, not a network connectivity issue; security group rules control network access, not IAM token validation. Option D is wrong because the CA certificate is used for TLS/SSL encryption of the connection, not for IAM authentication; the error is unrelated to certificate trust.

194
MCQeasy

A company wants to audit all SQL statements executed on their Amazon Aurora MySQL database for compliance. Which AWS feature should be enabled?

A.Database Activity Streams
B.VPC Flow Logs
C.Amazon CloudWatch Logs
D.AWS CloudTrail
AnswerA

This feature streams database activity to CloudWatch Logs or Kinesis.

Why this answer

Option A is correct because Database Activity Streams provide a stream of database activity, including SQL queries. Option D is wrong because CloudTrail logs API calls, not SQL statements. Option B is wrong because VPC Flow Logs capture network traffic.

Option C is wrong because CloudWatch Logs can store logs, but the source should be Database Activity Streams.

195
MCQhard

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all network traffic between the application servers and the database be encrypted using TLS. The application servers are in a different VPC connected via VPC Peering. What is the simplest way to enforce encryption in transit?

A.Modify the security group for the RDS instance to only allow traffic on port 443.
B.Enable the rds.force_ssl parameter in the DB parameter group and configure the application to use SSL connections.
C.Use a default DB parameter group, as it already enforces SSL.
D.Set up a VPN connection between the two VPCs and route all traffic through it.
AnswerB

This enforces SSL at the database level, and the client can connect using SSL certificates.

Why this answer

Option B is correct because enabling the rds.force_ssl parameter ensures that Oracle connections require SSL, and using SSL certificates on the client side establishes encrypted connections. Option D is wrong because a VPN adds complexity and is not necessary. Option C is wrong because the default parameter group may not have SSL enforced.

Option A is wrong because a security group does not enforce encryption.

196
MCQmedium

A company uses Amazon Aurora MySQL-Compatible Edition and needs to audit all SQL statements executed by database users. Which feature should be enabled?

A.Enable the database engine audit logs (advanced auditing).
B.Enable AWS CloudTrail data events for the DB instance.
C.Enable database activity streams.
D.Enable RDS Enhanced Monitoring.
AnswerA

Aurora MySQL can log SQL statements using the audit plugin.

Why this answer

Option A is correct because Aurora MySQL supports advanced auditing through database engine audit logs. Option B is wrong because CloudTrail logs API calls, not SQL queries. Option D is wrong because RDS Enhanced Monitoring provides OS metrics, not a SQL audit.

Option C is wrong because database activity streams capture activity in near real time but are designed for monitoring rather than primarily for SQL audit logging; they can be used, but the most direct answer is advanced auditing.

197
MCQmedium

A company is running an Amazon RDS for MySQL DB instance in a VPC. The security team requires that all connections to the database use SSL/TLS. The DBA has enabled 'require_secure_transport' parameter in the DB parameter group. However, after applying the change and rebooting, some applications that were previously connecting successfully are now failing. What is the most likely cause?

A.The security group inbound rule for the database port is missing.
B.The option group does not have the SSL option enabled.
C.The application is not configured to connect using SSL/TLS.
D.The DB subnet group does not include the application's subnet.
AnswerC

require_secure_transport rejects non-SSL connections.

Why this answer

Option C is correct because enabling require_secure_transport forces the server to accept only SSL connections; if the application does not use SSL, the connection is rejected. Option D is wrong because the DB subnet group does not affect SSL enforcement.

Option A is wrong because the security group controls network access, not SSL. Option B is wrong because the option group is irrelevant to this setting.

198
MCQhard

A database administrator has the IAM policy shown above attached to their user. When they try to run the AWS CLI command `aws rds describe-db-instances --region us-west-2`, they receive an access denied error. Why does this fail?

A.The user must use multi-factor authentication (MFA) to perform the describe action.
B.The user does not have permission to describe DB instances in any region.
C.The policy includes a condition key that denies access when the region is not us-east-1.
D.The policy explicitly restricts the resource to a specific DB instance ARN in us-east-1, and the command specifies a different region.
AnswerD

The resource ARN includes region us-east-1, so it does not apply to us-west-2.

Why this answer

Option D is correct. The Resource element in the first Allow statement explicitly limits access to the specific DB instance ARN in us-east-1. The second Allow permits rds:DescribeDBInstances on any resource, but the explicit resource restriction in the first statement does not grant access to resources in other regions.

Since the command specifies us-west-2, the instance is not in that region, and the policy does not allow DescribeDBInstances on any resource in us-west-2. Option B is wrong because DescribeDBInstances is allowed on the specific resource, just not in us-west-2. Option C is wrong because there is no condition.

Option A is wrong because the policy does not require MFA.

199
MCQmedium

A database administrator is troubleshooting why Amazon RDS Enhanced Monitoring is not displaying metrics for a DB instance. The IAM role attached to the instance has the policy shown in the exhibit. What is the likely cause?

A.The policy denies the 'rds:DescribeDBInstances' action.
B.The policy is missing the 'rds:CreateDBInstance' action.
C.The policy does not include 'monitoring:ListMetrics'.
D.The resource is set to '*' instead of the specific DB instance ARN.
AnswerB

Enhanced Monitoring requires this permission.

Why this answer

Option B is correct because Enhanced Monitoring requires the 'rds:CreateDBInstance' permission for the monitoring role, and that permission is missing. Option C is wrong because the actions listed in the exhibit are valid. Option D is wrong because the resource '*' includes all resources.

Option A is wrong because the actions are allowed, not denied.

200
Multi-Selectmedium

A security engineer is designing access controls for an Amazon DynamoDB table containing customer data. Which TWO actions enforce least privilege access?

Select 2 answers
A.Use IAM conditions to restrict access to specific attributes.
B.Grant dynamodb:* action to all users.
C.Implement fine-grained access control using IAM policy conditions.
D.Use a resource-based policy on the DynamoDB table.
E.Attach a VPC endpoint policy that allows all actions.
AnswersA, C

Conditions can limit access to specific attributes.

Why this answer

Options A and C are correct. Using IAM conditions to restrict access to specific attributes (A) and implementing fine-grained access control with IAM policy conditions (C) enforce least privilege. Option B is wrong because wildcard actions grant full access.

Option E is wrong because DynamoDB does not have VPC endpoints that limit table access, and an endpoint policy allowing all actions restricts nothing. Option D is wrong because resource-based policies are not supported for DynamoDB tables.

201
MCQhard

A company is using Amazon RDS for PostgreSQL with automated backups. The security team requires that backups be encrypted at rest. The DB instance is currently unencrypted. What is the most efficient way to enable encryption for future backups?

A.Enable encryption by setting the 'backup_encryption' parameter in the DB parameter group.
B.Modify the DB instance to enable encryption.
C.Enable encryption on the S3 bucket where backups are stored.
D.Create a snapshot of the DB instance, copy the snapshot with encryption enabled, and restore the encrypted snapshot to a new DB instance.
AnswerD

This is the standard method to migrate an unencrypted RDS instance to an encrypted one.

Why this answer

Option D is correct because you cannot enable encryption on an existing unencrypted RDS instance directly; you must take a snapshot, copy it with encryption enabled, and restore it to a new encrypted instance. Option B is wrong because modifying the instance does not allow enabling encryption. Option C is wrong because enabling encryption on the backup destination (S3) does not encrypt the backup data itself if the source is unencrypted.

Option A is wrong because a parameter group cannot enable encryption on an existing instance.

202
MCQeasy

A company wants to encrypt data at rest for an existing Amazon RDS for Oracle DB instance. The database is currently unencrypted. What is the simplest way to enable encryption with minimal downtime?

A.Create an encrypted read replica and promote it to a standalone instance.
B.Modify the DB instance and enable encryption using the RDS console.
C.Create a snapshot of the DB instance, copy the snapshot with encryption enabled, and restore the encrypted snapshot to a new DB instance.
D.Enable encryption directly on the existing DB instance by modifying the DB instance settings.
AnswerC

This is the standard method to migrate an unencrypted RDS instance to an encrypted one with minimal downtime.

Why this answer

Option C is correct because you cannot directly enable encryption on an existing unencrypted RDS instance. You must create a snapshot, copy it with encryption enabled, and restore the snapshot to a new encrypted instance; you then redirect traffic to the new instance.

Option B is wrong because modifying the DB instance does not support enabling encryption. Option D is wrong because enabling encryption on an existing instance is not supported. Option A is wrong because creating a read replica does not encrypt the master instance, and the replica can only be encrypted if the master is already encrypted.

203
MCQeasy

A company wants to restrict access to an Amazon DynamoDB table so that only specific IAM users can read and write data. What is the BEST way to achieve this?

A.Use a resource-based policy on the DynamoDB table.
B.Create an IAM policy that grants access to the DynamoDB table and attach it to the specific IAM users.
C.Use DynamoDB Accelerator (DAX) with IAM authentication.
D.Create a VPC endpoint for DynamoDB and allow only traffic from that VPC.
AnswerB

IAM policies are the standard way to control access to DynamoDB.

Why this answer

Using an IAM policy that grants access only to the specific users is the most precise method, so Option B is correct. Option D is wrong because VPC endpoints do not restrict which users can access the table.

Option A is wrong because resource-based policies are not supported for DynamoDB. Option C is wrong because DynamoDB Accelerator does not provide access control.

204
MCQhard

A company runs an e-commerce platform on AWS. The application uses an Amazon RDS for MySQL Multi-AZ database instance. The security team recently conducted an audit and found that the database is accessible from the internet because the public accessibility setting is enabled. The security team has disabled public accessibility and updated the security group to allow inbound traffic only from the application's security group. However, after these changes, the application can no longer connect to the database. The application is running on EC2 instances in the same VPC. The RDS instance is also in the same VPC. The security group for the RDS instance allows inbound MySQL traffic (port 3306) from the application's security group. The application's security group allows all outbound traffic. The application's EC2 instances have a public IP address and are in a public subnet. The RDS instance is in a private subnet. The VPC has an internet gateway attached. What is the most likely cause of the connection failure?

A.The RDS instance is in a private subnet and cannot receive inbound traffic from the public subnet EC2 instances without a VPC peering or VPN.
B.The security group for the RDS instance still allows traffic from the public IP addresses of the EC2 instances, but the EC2 instances now have different public IPs.
C.The application is using the RDS public DNS name, which no longer resolves after disabling public accessibility.
D.The EC2 instances need a NAT gateway to communicate with the RDS instance in the private subnet.
AnswerC

Disabling public accessibility removes the RDS instance's public IP address. An application still configured to use the public endpoint can no longer reach the instance; it should connect to the instance's private endpoint instead.

Why this answer

Option C is correct. When public accessibility is disabled, RDS removes the public IP address and the instance is reachable only at its private IP. The application's EC2 instances are in the same VPC, so they can reach that private address, but an application that still connects through the public endpoint fails once the public address is gone. The corrective action is to point the application at the instance's private DNS name.

Option A is wrong because subnets in the same VPC can route to each other; no VPC peering or VPN is needed between a public subnet and a private subnet. Option B is wrong because the security group rule references the application's security group rather than the instances' public IP addresses, so a change of public IPs has no effect. Option D is wrong because a NAT gateway serves outbound internet traffic from private subnets; traffic within the same VPC does not require one.

205
MCQmedium

A company is using Amazon Redshift for data warehousing. The security team requires that all data is encrypted at rest using a hardware security module (HSM). Additionally, the team wants to ensure that only specific IAM roles can access the database. Which configuration will meet these requirements?

A.Create the Redshift cluster with encryption enabled using a KMS key, and configure the cluster to use an HSM for key storage.
B.Create the Redshift cluster with encryption enabled using an HSM, and attach an IAM role to the cluster to control access.
C.Create the Redshift cluster without encryption, then use the AWS CLI to enable encryption using a KMS key.
D.Create the Redshift cluster with encryption using a KMS key, and then import the HSM certificate into the cluster.
AnswerB

HSM provides hardware-based encryption and IAM roles can be used for access control.

Why this answer

Option B is correct because Redshift supports HSM for encryption at rest, and IAM roles can be attached to the cluster for access control. Option A is wrong because HSM and KMS are mutually exclusive. Option D is wrong because KMS does not meet the HSM requirement.

Option C is wrong because encryption cannot be enabled after cluster creation.

206
Multi-Selecteasy

Which TWO AWS services can be used to centrally manage database credentials and automate rotation for Amazon RDS? (Choose two.)

Select 2 answers
A.AWS Secrets Manager
B.AWS Key Management Service (KMS)
C.IAM database authentication
D.AWS Systems Manager Parameter Store
E.AWS CloudHSM
AnswersA, D

Secrets Manager can store and automatically rotate RDS credentials.

Why this answer

Options A and D are correct. AWS Secrets Manager and AWS Systems Manager Parameter Store (SecureString) can both store RDS credentials, but Secrets Manager has built-in rotation for RDS. Option C is wrong because IAM database authentication eliminates the need for stored credentials but does not store them.

Option B is wrong because KMS manages encryption keys, not secrets. Option E is wrong because CloudHSM provides hardware security modules, not secret management.

207
MCQmedium

A company needs to audit access to an Amazon DynamoDB table. The audit should capture which IAM user or role performed each action. Which AWS service should be used?

A.VPC Flow Logs
B.AWS CloudTrail
C.Amazon GuardDuty
D.AWS Config
AnswerB

CloudTrail logs all API calls and identifies the principal making the call.

Why this answer

Option B is correct because AWS CloudTrail records API calls, including the identity of the caller. Option A is wrong because VPC Flow Logs capture network traffic, not API calls. Option C is wrong because Amazon GuardDuty is a threat detection service.

Option D is wrong because AWS Config tracks resource configuration changes, not API calls.

208
MCQhard

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all connections to the database use Oracle Native Network Encryption (NNE). How should this be configured?

A.Enable IAM database authentication.
B.Modify the sqlnet.ora file on the RDS instance to require encryption.
C.Create a custom DB parameter group with the encryption parameters set to REQUIRED.
D.Enable encryption at rest using Oracle TDE.
AnswerC

This configures NNE through parameter group.

Why this answer

Option C is correct. RDS for Oracle supports NNE through a custom DB parameter group that sets the SQLNET.ENCRYPTION_SERVER and SQLNET.ENCRYPTION_TYPES parameters. Option D is wrong because enabling encryption at rest does not affect network encryption. Option B is wrong because RDS does not allow direct modification of the sqlnet.ora file; you must use parameter groups.

Option A is wrong because IAM database authentication does not encrypt the connection.

209
MCQhard

Refer to the exhibit. A security engineer has applied this key policy to a customer managed KMS key used to encrypt a Secrets Manager secret containing database credentials. An application running on an Amazon EC2 instance in the same account and region is unable to decrypt the secret. What is the MOST likely cause?

A.The condition kms:ViaService restricts the decryption to requests made via Secrets Manager, but the application is calling KMS directly.
B.The KMS key ARN in the resource field is incorrect.
C.The policy is missing an encryption context that matches the secret's encryption context.
D.The policy only allows Decrypt, but the application needs Encrypt permission.
AnswerA

Option A is correct: the condition kms:ViaService requires the request to come via Secrets Manager, but the application most likely calls the KMS Decrypt API directly.

Why this answer

The condition `kms:ViaService` in the key policy restricts the `Decrypt` permission to requests that originate specifically from the AWS Secrets Manager service. When the application on the EC2 instance calls KMS directly (e.g., via the `Decrypt` API) to decrypt the secret, the request does not come through Secrets Manager, so the condition is not satisfied and the request is denied. This is the most likely cause of the decryption failure.

Exam trap

The trap here is that candidates often overlook the `kms:ViaService` condition and assume the policy is correct, focusing instead on encryption contexts or permissions, when the real issue is that the condition restricts the source of the request to a specific AWS service.

How to eliminate wrong answers

Option B is wrong because the KMS key ARN in the `Resource` field is used to identify the key itself, and if it were incorrect, the policy would not apply to the key at all, but the issue is a conditional denial, not a misidentification. Option C is wrong because encryption contexts are used in cryptographic operations (e.g., `kms:EncryptionContext:context_name`) and are not required in the key policy unless explicitly enforced via a condition; the policy shown does not include an encryption context condition, so missing one would not cause a denial. Option D is wrong because the application is trying to decrypt the secret, not encrypt it; the `Decrypt` permission is exactly what is needed, and the error is due to the `kms:ViaService` condition, not a missing `Encrypt` permission.

210
MCQeasy

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all connections to the database use SSL/TLS encryption. Which step is necessary to enforce SSL connections?

A.Configure the security group to only allow traffic on port 443.
B.Modify the DB subnet group to use a private subnet.
C.Add the SSL option to the option group.
D.Set the 'rds.force_ssl' parameter to 1 in the DB parameter group.
AnswerD

This parameter forces SSL connections to the Oracle database.

Why this answer

Option D is correct because RDS for Oracle supports SSL/TLS, and the DB parameter group setting requires SSL for connections. Option A is wrong because security groups control network access, not encryption. Option C is wrong because the option group defines features such as the time zone, not SSL enforcement.

Option B is wrong because the DB subnet group defines networking, not encryption.

211
Multi-Selectmedium

Which TWO of the following are valid ways to encrypt data at rest in Amazon DynamoDB? (Select TWO.)

Select 2 answers
A.Use AWS owned CMK for server-side encryption.
B.Enable Transparent Data Encryption (TDE).
C.Enable EBS encryption on the underlying storage.
D.Implement client-side encryption before sending data to DynamoDB.
E.Use a customer managed CMK from AWS KMS.
AnswersA, E

DynamoDB encrypts at rest by default using AWS owned keys.

Why this answer

Options A and E are correct. Option C is wrong because DynamoDB does not use EBS volumes. Option B is wrong because DynamoDB does not support TDE.

Option D is wrong because client-side encryption is not encryption at rest performed by the DynamoDB service.

212
MCQeasy

A company needs to encrypt an existing unencrypted Amazon RDS for Oracle DB instance. Which set of steps should be followed?

A.Enable encryption using the AWS Management Console by selecting the instance and choosing 'Enable Encryption'.
B.Modify the DB instance and set the KMS key ID to enable encryption.
C.Copy the snapshot to an encrypted snapshot and then restore.
D.Take a snapshot of the instance, copy the snapshot with encryption enabled, and restore from the encrypted snapshot.
AnswerD

This is the standard method.

Why this answer

Option D is correct. Option A is wrong because encryption cannot be enabled by modifying an existing instance. Option B is wrong because you cannot add a KMS key to an existing instance.

Option C is wrong because copying the snapshot is not sufficient on its own; the new instance must be restored from the encrypted snapshot copy.

213
Multi-Selecteasy

A company is deploying a new Amazon RDS for MySQL database in a VPC. The database must be accessible only from an application server running in the same VPC. The security team also wants to ensure that the database is not accessible from the internet. Which TWO configurations are required? (Choose TWO.)

Select 2 answers
A.Place the DB instance in a public subnet.
B.Modify the DB parameter group to restrict network access.
C.Configure the security group to allow inbound traffic only from the application server's security group.
D.Set the DB instance to be not publicly accessible.
E.Configure a network ACL to deny inbound traffic from 0.0.0.0/0.
AnswersC, D

This restricts access to the specific application server.

Why this answer

Options C and D are correct. Option D: making the DB instance not publicly accessible ensures it cannot be reached from the internet. Option C: configuring the security group to allow inbound traffic only from the application server's security group limits access to that server.

Option A is wrong because a public subnet does not prevent internet access; it enables it. Option E is wrong because a network ACL is stateless and less specific than a security group. Option B is wrong because the parameter group does not control network access.

214
MCQhard

A financial services company uses Amazon DynamoDB to store transaction data. The table is encrypted with an AWS managed KMS key. The compliance team requires that the encryption key be rotated every 90 days. The current key was created 6 months ago and has not been rotated. The company also needs to ensure that all access to the table is logged for audit purposes. The security engineer proposes to enable DynamoDB Streams and AWS CloudTrail. However, the compliance team notes that CloudTrail only logs management plane events (e.g., CreateTable) and not data plane events (e.g., GetItem, PutItem). What should the engineer do to meet both requirements?

A.Use AWS CloudTrail data events to capture DynamoDB data plane operations and store the logs in S3.
B.Switch to an AWS managed KMS key and enable automatic rotation.
C.Enable DynamoDB Streams and stream write events to CloudWatch Logs for auditing.
D.Create a customer managed KMS key, enable automatic key rotation, and configure CloudTrail to log data events for the DynamoDB table.
AnswerD

Customer managed keys support rotation; CloudTrail data events log data plane operations.

Why this answer

Option D is correct. DynamoDB can use a customer managed KMS key, which allows the customer to enable automatic key rotation (every year) or manual rotation. Automatic rotation does not run every 90 days; the engineer can create a new key every 90 days and update the table to use it.

Additionally, to log data plane events, they must use AWS CloudTrail data events. Option B is wrong because AWS managed keys do not support rotation. Option A is wrong because CloudTrail data events cover only the logging requirement, not key rotation.

Option C is wrong because streaming to CloudWatch does not log data plane events; CloudTrail can log data events if configured.

215
MCQhard

A company has an Amazon DynamoDB table with global secondary indexes (GSIs) that store personally identifiable information (PII). The security team requires that all PII is encrypted at rest using a customer-managed KMS key. The table already exists and is encrypted with the default AWS managed key. What is the MOST efficient way to change the encryption to a customer-managed key?

A.Create a backup of the table, restore the backup to a new table, and specify the customer-managed key during restoration.
B.Use the AWS Management Console to modify the table and select the customer-managed key.
C.Create a new DynamoDB table with the customer-managed key, use AWS Glue to copy the data from the old table to the new table, and then delete the old table.
D.Use the AWS CLI 'update-table' command with the --sse-specification parameter to change the key.
AnswerC

This is the only way to change encryption key.

Why this answer

Option C is correct because you must create a new table with the desired encryption, copy the data, and then delete the old table. DynamoDB does not support updating encryption on an existing table. Option B is wrong because DynamoDB does not support an in-place encryption update.

Option A is wrong because restoring a backup does not allow changing the encryption key. Option D is wrong because you cannot change encryption after table creation.

216
MCQhard

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database contains sensitive data that must be encrypted at rest using a customer-managed KMS key. The company also needs to ensure that the database is automatically patched by AWS. Which DB instance configuration should be used?

A.Single-AZ, encryption at rest enabled with a customer-managed KMS key, auto minor version upgrade disabled.
B.Multi-AZ, encryption at rest enabled with a customer-managed KMS key, auto minor version upgrade enabled.
C.Single-AZ, encryption at rest enabled with a customer-managed KMS key, auto minor version upgrade enabled.
D.Multi-AZ, encryption at rest enabled with an AWS-managed KMS key, auto minor version upgrade enabled.
AnswerB

Meets all requirements.

Why this answer

The correct answer is B because a Multi-AZ deployment with encryption at rest using a customer-managed KMS key satisfies the encryption requirement, and enabling auto minor version upgrade ensures automatic patching. Option C is incorrect because a Single-AZ deployment with encryption at rest does not provide high availability. Option D is incorrect because a Multi-AZ deployment with an AWS-managed key does not meet the customer-managed key requirement.

Option A is incorrect because a Single-AZ deployment with encryption at rest but without auto minor version upgrade would not automatically apply patches.

217
MCQhard

A database administrator runs the AWS CLI command shown in the exhibit. The administrator wants to enable encryption at rest for the RDS instance. What should the administrator do?

A.Modify the DB instance and set StorageEncrypted to true.
B.Create a new KMS key and associate it with the DB instance.
C.Create a new DB parameter group with encryption enabled.
D.Take a snapshot of the DB instance, copy the snapshot with encryption enabled, and restore a new instance.
AnswerD

Standard method to encrypt an existing instance.

Why this answer

Option D is correct because the output shows the instance is unencrypted. To enable encryption, you must create a snapshot, copy it with encryption enabled, and restore a new encrypted instance. Option C is wrong because a parameter group does not enable encryption; encryption cannot be enabled on an existing instance.

Option A is wrong because modifying the instance does not allow encryption to be enabled. Option B is wrong because the KMS key ID is null only because encryption is not enabled, not because a key is missing.

218
Multi-Selectmedium

Which TWO actions should be taken to protect sensitive data in an Amazon RDS for Oracle DB instance? (Choose two.)

Select 2 answers
A.Store database credentials in the application configuration file.
B.Disable automated backups to reduce storage costs.
C.Use Oracle Transparent Data Encryption (TDE) for sensitive columns.
D.Assign a public IP address to the DB instance for easier access.
E.Enable encryption at rest using AWS KMS.
AnswersC, E

TDE provides column-level encryption.

Why this answer

Options C and E are correct. Enabling encryption at rest protects data on disk, and Transparent Data Encryption (TDE) provides additional encryption for specific columns. Option B is wrong because disabling automated backups does not enhance security.

Option D is wrong because assigning a public IP address increases exposure. Option A is wrong because storing credentials in the application configuration file is insecure.

219
Multi-Selecteasy

A company is using Amazon DynamoDB with encryption at rest using a customer-managed KMS key. The security team wants to audit every use of this KMS key. Which TWO steps should be taken to meet this requirement?

Select 2 answers
A.Send KMS audit logs to Amazon CloudWatch Logs.
B.Turn on KMS key auditing in the key's advanced configuration.
C.Enable AWS Config to record KMS key configuration changes.
D.Enable AWS CloudTrail to log all KMS API calls.
E.Enable VPC Flow Logs for the DynamoDB VPC endpoint.
AnswersB, D

KMS keys have an option to enable CloudTrail logging.

Why this answer

Options B and D are correct. CloudTrail logs all KMS API calls; enabling CloudTrail together with KMS key auditing (delivered via CloudTrail) provides the audit. Option A is wrong because CloudWatch Logs is for log storage, not for enabling KMS auditing.

Option C is wrong because Config records resource changes, not API calls. Option E is wrong because VPC Flow Logs capture network traffic, not KMS usage.

220
Multi-Selecthard

Which THREE methods can be used to authenticate users to an Amazon RDS for MySQL DB instance? (Choose three.)

Select 3 answers
A.AWS Managed Microsoft AD authentication.
B.MySQL native password authentication.
C.AWS Lambda function authentication.
D.Kerberos authentication.
E.IAM database authentication.
AnswersB, D, E

Standard MySQL authentication.

Why this answer

Options B, D, and E are correct. MySQL native password authentication is standard. IAM database authentication allows IAM users and roles to authenticate.

Kerberos authentication is supported for RDS for MySQL. Option A is wrong because RDS does not support Active Directory directly for MySQL (it is supported for SQL Server and Oracle). Option C is wrong because Lambda cannot be used for authentication.

221
MCQhard

A company uses Amazon DynamoDB with AWS KMS-managed encryption at rest. The security team requires that all access to a particular DynamoDB table be logged for audit purposes. Which solution meets this requirement?

A.Enable VPC Flow Logs for the VPC where the DynamoDB endpoint is accessed.
B.Enable AWS Config rules for DynamoDB.
C.Enable CloudTrail data events for the DynamoDB table.
D.Enable Amazon GuardDuty with DynamoDB protection.
AnswerC

CloudTrail data events log DynamoDB data plane operations.

Why this answer

Option C is correct because AWS CloudTrail logs all DynamoDB API calls, including data plane operations, when data events are enabled. Option A is wrong because VPC Flow Logs capture network traffic, not API calls. Option D is wrong because Amazon GuardDuty is a threat detection service, not a logging service.

Option B is wrong because AWS Config records resource configuration changes, not API calls.

222
MCQmedium

A company stores sensitive data in an Amazon RDS for PostgreSQL DB instance. The security team requires that all data at rest be encrypted. The instance is currently unencrypted. What is the simplest way to enable encryption with minimal downtime?

A.Create a snapshot of the DB instance, copy the snapshot with encryption enabled, and restore the snapshot to a new encrypted DB instance.
B.Use the AWS CLI to modify the DB instance and enable encryption.
C.Migrate the data to an Amazon RDS for PostgreSQL DB instance using RDS Custom.
D.Modify the DB instance and enable encryption in the console.
AnswerA

This is the standard procedure to enable encryption with minimal downtime.

Why this answer

Option A is correct because creating a snapshot, copying it with encryption enabled, and restoring a new encrypted instance is the standard approach. Option B is wrong because enabling encryption on an existing instance is not supported, from the CLI or otherwise. Option C is wrong because moving to RDS Custom is unnecessary.

Option D is wrong because you cannot modify an existing instance in the console to enable encryption directly.

223
MCQmedium

An IAM policy is attached to a role used by an RDS instance. The RDS instance is in VPC with a VPC endpoint to KMS. What is the effect of this policy?

A.Allows all KMS actions on the key only when the request comes from RDS.
B.Allows all KMS actions on the specified key from any source.
C.Allows the specified KMS actions on all KMS keys in the account.
D.Allows only the specified KMS actions on the key when the request originates from the RDS service via the specific VPC endpoint.
AnswerD

The policy has conditions limiting to RDS and VPC endpoint.

Why this answer

Option D is correct. The policy allows the specified KMS actions only when the request comes through the specified VPC endpoint and via the RDS service. Option A is wrong because the policy only allows requests that come through the VPC endpoint, and it does not allow all KMS actions.

Option B is wrong because the policy does not allow all KMS actions. Option C is wrong because the policy does not allow all KMS keys.

224
MCQhard

A company has an Amazon RDS for Oracle DB instance that needs to be encrypted at rest. The instance currently uses Oracle Transparent Data Encryption (TDE) with a key stored in the database. The company wants to use AWS KMS for key management. What is the correct migration path?

A.Take a snapshot of the DB instance, copy the snapshot with KMS encryption, and restore from the encrypted snapshot.
B.Enable KMS encryption directly on the existing DB instance using the AWS CLI.
C.Create a read replica with KMS encryption.
D.Modify the DB instance and select the KMS key.
AnswerA

This is the standard method to change encryption keys for an RDS instance.

Why this answer

Option A is correct because to change the encryption key from Oracle TDE to KMS, you must take a snapshot, copy it with KMS encryption, and restore from the encrypted snapshot. Option D is wrong because you cannot modify the encryption key in place. Option C is wrong because creating a read replica does not allow changing the encryption key.

Option B is wrong because you cannot directly enable KMS encryption on an existing TDE instance.

225
MCQeasy

A developer is troubleshooting an issue where an IAM user cannot perform a 'DescribeTable' action on a DynamoDB table. The IAM policy attached to the user is: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["dynamodb:GetItem","dynamodb:PutItem"],"Resource":"*"}]}. What is the most likely reason for the failure?

A.The policy uses lowercase 'dynamodb' but the action is case-sensitive.
B.There is an implicit Deny for DescribeTable due to a service control policy.
C.The policy does not include the 'dynamodb:DescribeTable' action.
D.The resource specified in the policy is '*' which does not include the table.
AnswerC

The policy only allows GetItem and PutItem.

Why this answer

Option C is correct because the policy only allows GetItem and PutItem, not DescribeTable. Option D is wrong because the resource '*' covers all tables. Option A is wrong because DynamoDB actions are case-sensitive, but the policy uses the correct casing.

Option B is wrong because there is no explicit Deny in the policy; the failure is a missing Allow.
