CCNA Database Security Questions

75 of 321 questions · Page 4/5 · Database Security · Answers revealed

226
MCQeasy

A company has an Amazon Redshift cluster that contains sensitive data. The security team wants to ensure that all data is encrypted at rest and that the encryption keys are managed by AWS. Which configuration should be used?

A.Use AWS CloudHSM to generate and store encryption keys.
B.Use server-side encryption with S3-managed keys (SSE-S3) for the Redshift cluster.
C.Enable encryption at rest using the default AWS-managed KMS key for Redshift.
D.Use client-side encryption with the AWS Encryption SDK.
AnswerC

This encryption is managed by AWS and uses KMS.

Why this answer

Amazon Redshift supports encryption at rest using AWS KMS. When you enable encryption, you can choose to use the default AWS-managed key (aws/redshift) or a customer-managed key. The default key is managed by AWS, meeting the requirement that keys are managed by AWS.

Option A is client-side, not server-side. Option C is wrong because HSM does not automatically rotate. Option D is wrong because Redshift does not use S3-managed keys for its own storage.

227
Multi-Selecteasy

Which TWO of the following are methods to encrypt data at rest for an Amazon RDS for Oracle DB instance? (Select TWO.)

Select 2 answers
A.Enable encryption at rest using AWS KMS when creating the DB instance.
B.Use Oracle Transparent Data Encryption (TDE) with the Oracle wallet.
C.Enable SSL/TLS for the DB instance.
D.Configure Amazon S3 server-side encryption on the DB instance's storage.
E.Use client-side encryption in the application before sending data to RDS.
AnswersA, B

RDS can be launched with KMS encryption.

Why this answer

Options B and D are correct. RDS Oracle supports both Transparent Data Encryption (TDE) using Oracle native encryption and encryption using AWS KMS. Option A (SSL) is for data in transit.

Option C (client-side encryption) is not supported natively by RDS. Option E (S3 SSE) applies to S3, not RDS.

228
MCQhard

A company is using an Amazon RDS for MySQL database and needs to audit all database login events. The audit logs must be stored in Amazon S3 for long-term retention. Which steps should be taken to accomplish this?

A.Enable the 'general_log' parameter and set 'log_output' to 'FILE', then copy the log file to S3 manually.
B.Enable CloudTrail data events for RDS to capture login events and store in S3.
C.Enable the 'audit_log' plugin and configure RDS to publish logs to an S3 bucket.
D.Enable the 'audit_log' plugin, publish logs to CloudWatch Logs, and create an export task to S3.
AnswerD

This is the standard method to get audit logs into S3.

Why this answer

Option C is correct because RDS for MySQL supports audit logs via the 'audit_log' plugin, which can be published to CloudWatch Logs, and then exported to S3. Option A is wrong because RDS does not natively publish logs directly to S3. Option B is wrong because CloudTrail does not capture database login events.

Option D is wrong because the general log is not the same as audit log and may not capture all login events as required.

229
Multi-Selecteasy

A company uses Amazon DynamoDB and wants to audit access to a table. Which TWO services can be used together to log and monitor data plane operations? (Choose TWO.)

Select 2 answers
A.Amazon CloudWatch Logs
B.S3 access logs
C.AWS CloudTrail
D.VPC Flow Logs
E.AWS Config
AnswersA, C

CloudWatch Logs can store and monitor CloudTrail logs.

Why this answer

Option B is correct because CloudTrail logs data events for DynamoDB. Option C is correct because Amazon CloudWatch Logs can be used to store and monitor the logs. Option A is wrong because VPC Flow Logs capture network traffic.

Option D is wrong because AWS Config records configuration changes. Option E is wrong because S3 access logs log access to S3, not DynamoDB.

230
MCQeasy

A developer wants to grant an IAM user read-only access to an Amazon DynamoDB table named 'Orders' in the 'us-east-1' region. Which IAM policy should be attached to the user?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["dynamodb:GetItem","dynamodb:Query","dynamodb:Scan"],"Resource":"arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["dynamodb:*"],"Resource":"arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["dynamodb:GetItem","dynamodb:PutItem","dynamodb:UpdateItem"],"Resource":"arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":["dynamodb:PutItem","dynamodb:UpdateItem","dynamodb:DeleteItem"],"Resource":"arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]}
AnswerA

This allows read-only actions on the table.

Why this answer

Option B is correct because it allows only Scan, Query, and GetItem on the specified table. Option A is wrong because it uses a 'Deny' effect for write operations but allows all DynamoDB actions by default. Option C is wrong because it grants full access to the table.

Option D is wrong because it includes PutItem and UpdateItem.

231
MCQeasy

A company has an Amazon RDS for MySQL database that contains sensitive data. The security team requires that all data be encrypted at rest using a customer-managed key stored in AWS KMS. Which action should be taken to meet this requirement?

A.Enable encryption on the existing RDS instance by modifying the instance.
B.Create a new RDS instance with encryption enabled using the KMS key, migrate data, and delete the old instance.
C.Configure the DB parameter group to require encryption at rest.
D.Create a snapshot of the unencrypted database and restore it as an encrypted database.
AnswerB

This is the only way to achieve encryption at rest with a customer-managed KMS key for an existing database.

Why this answer

Option D is correct because RDS encryption at rest with a customer-managed KMS key is enabled at launch time and cannot be enabled after creation. Option A is wrong because enabling encryption on an existing unencrypted instance is not supported. Option B is wrong because you cannot modify an existing instance to add encryption.

Option C is wrong because encryption is set at launch, not by modifying the DB parameter group.

232
MCQhard

A company has an Amazon Redshift cluster that stores sensitive financial data. The security team requires that all data be encrypted at rest and that the encryption keys be rotated annually. Which solution meets these requirements?

A.Use AWS KMS with automatic key rotation to encrypt the Redshift cluster.
B.Create the cluster with AWS CloudHSM-backed encryption and rotate the key annually.
C.Enable encryption on the existing cluster by modifying the cluster settings.
D.Create a new encrypted cluster with a KMS key and configure automatic key rotation.
AnswerA

AWS KMS supports automatic annual key rotation, and Redshift can use KMS keys for encryption.

Why this answer

Option D is correct because Redshift supports encryption at rest with AWS KMS, and KMS keys can be rotated automatically or manually yearly. Option A is wrong because Redshift does not allow you to change the encryption key type after the cluster is created. Option B is wrong because enabling encryption on an existing unencrypted cluster is not possible without a snapshot restore.

Option C is wrong because CloudHSM is not required and does not provide automatic key rotation.

233
MCQeasy

A database specialist is troubleshooting a connectivity issue with an Amazon RDS for PostgreSQL instance. The instance is in a VPC with a public subnet. The security group allows inbound traffic on port 5432 from the application server's IP address. The application server is in the same VPC but in a private subnet. Despite the security group configuration, the application cannot connect. Which action should the specialist take to resolve the issue?

A.Launch the RDS instance in the default VPC.
B.Change the DB subnet group to include the application server's subnet.
C.Add a network ACL rule allowing inbound traffic on port 5432 from the application server's public IP.
D.Modify the RDS instance to be publicly accessible.
E.Update the security group inbound rule to allow traffic from the application server's private IP address.
AnswerE

The application connects from its private IP within the VPC, so the security group should allow that private IP.

Why this answer

Option E is correct because the application server is in a private subnet, so it communicates with the RDS instance using its private IP address. The security group inbound rule must allow traffic from the application server's private IP (or the security group of the application server) on port 5432. The current rule only allows the application server's public IP, which is not used for traffic within the VPC, causing the connection failure.

Exam trap

The trap here is that candidates may confuse public and private IP addressing within a VPC, assuming that allowing the application server's public IP in the security group is sufficient, when in fact traffic between instances in the same VPC always uses private IPs.

How to eliminate wrong answers

Option A is wrong because launching the RDS instance in the default VPC does not resolve the IP mismatch; the application server's private IP would still need to be allowed in the security group. Option B is wrong because the DB subnet group defines which subnets the RDS instance can be placed in, not which subnets can connect to it; the application server's subnet is irrelevant for connectivity rules. Option C is wrong because network ACLs are stateless and apply at the subnet level, but the issue is that the security group is allowing the wrong IP (public instead of private); additionally, the application server's public IP is not used for VPC-internal traffic.

Option D is wrong because making the RDS instance publicly accessible would expose it to the internet, which is unnecessary and less secure; the application server is in the same VPC, so private connectivity should be used.

234
Multi-Selectmedium

A company is deploying a new application on Amazon RDS for PostgreSQL. The security policy requires that all data be encrypted at rest and in transit. Which TWO actions should the company take to meet these requirements?

Select 2 answers
A.Use a client-side encryption library to encrypt data before sending to the database.
B.Enable encryption for automated backups separately.
C.Enable encryption at rest by specifying a KMS key when creating the DB instance.
D.Create an encrypted read replica and promote it to master.
E.Set the parameter rds.force_ssl to 1 in the DB parameter group.
AnswersC, E

This encrypts the data at rest.

Why this answer

Options A and D are correct. To encrypt data at rest, you must enable encryption when creating the DB instance (Option A). To encrypt data in transit, you must enforce SSL/TLS connections by setting the parameter rds.force_ssl to 1 (Option D).

Option B is wrong because using a client-side encryption library is not necessary if you use RDS encryption and SSL. Option C is wrong because RDS automatically encrypts automated backups if the instance is encrypted. Option E is wrong because enabling encryption on a read replica does not encrypt the master.

235
Multi-Selectmedium

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all connections to the database be encrypted in transit. Which TWO steps should be taken to enforce this requirement?

Select 2 answers
A.Set the rds.force_ssl parameter to 1 in the DB parameter group.
B.Configure the database to require a client-side SSL/TLS certificate.
C.Enable Oracle native network encryption (NNE) in the sqlnet.ora file.
D.Use AWS Secrets Manager to store database credentials and enable Kerberos authentication.
E.Use AWS Direct Connect or a VPN to connect to the VPC.
AnswersA, B

Option D is correct: Setting rds.force_ssl=1 forces all connections to use SSL/TLS.

Why this answer

Setting the rds.force_ssl parameter to 1 in the DB parameter group forces all connections to the Oracle RDS instance to use SSL/TLS encryption. This is the direct method to enforce encryption in transit for Amazon RDS for Oracle, as it rejects any non-SSL connections at the database level.

Exam trap

The trap here is that candidates may confuse Oracle Native Network Encryption (NNE) with SSL/TLS, but RDS for Oracle does not support NNE; only SSL/TLS is available for encryption in transit.

236
MCQhard

A company has an Amazon RDS for MySQL Multi-AZ DB instance that stores sensitive financial data. The security team has enabled encryption at rest using a KMS key. They also need to ensure that database audit logs are encrypted and stored in an S3 bucket. The logs must be accessible only by the security team via a VPC endpoint. The log data must be retained for 7 years. Which solution meets these requirements with the LEAST operational overhead?

A.Configure RDS to publish audit logs directly to an S3 bucket with a bucket policy that restricts access to the security team's IAM roles.
B.Install a custom audit plugin on the RDS instance that writes logs to a separate RDS table, then use AWS Lambda to export the table to S3 periodically.
C.Enable MySQL audit logs and publish them to Amazon CloudWatch Logs. Use a CloudWatch Logs subscription filter to stream logs to an S3 bucket encrypted with KMS, with a bucket policy that restricts access via VPC endpoint.
D.Enable RDS audit logs and send them to Amazon Kinesis Data Firehose, which writes to an S3 bucket with encryption and VPC endpoint restrictions.
AnswerC

This uses managed services with minimal custom code.

Why this answer

Option C is correct because enabling MySQL audit logs, pushing them to CloudWatch Logs, and using CloudWatch subscription filter to S3 with bucket policies restricting access via VPC endpoint and encryption with KMS is the least overhead. Option A is wrong because RDS doesn't directly push audit logs to S3. Option B is wrong because RDS for MySQL does not support sending audit logs to Firehose directly.

Option D is wrong because it requires custom Lambda code and operational overhead.

237
MCQeasy

A developer accidentally exposed an Amazon RDS snapshot to the public. What is the quickest way to remediate this issue?

A.Delete the snapshot and create a new one from the source DB instance.
B.Copy the snapshot to a new snapshot and delete the original.
C.Share the snapshot with only the required AWS account.
D.Modify the snapshot permissions to set it to private.
AnswerD

This immediately revokes public access.

Why this answer

The quickest remediation is to modify the snapshot and set it to private. Option A is incorrect because deleting the snapshot may cause data loss. Option C is incorrect because copying a public snapshot still results in a public snapshot.

Option D is incorrect because sharing with a specific account does not revoke public access.

238
MCQeasy

A security audit reveals that an Amazon RDS for MySQL DB instance is accessible from the internet. The security team requires that the database be accessible only from a specific set of application servers within the same VPC. Which solution should be implemented?

A.Modify the DB instance's security group to allow inbound traffic only from the application servers' security group.
B.Apply a network ACL that denies inbound traffic from 0.0.0.0/0 and allows from the application servers' IP range.
C.Enable encryption at rest on the DB instance to prevent unauthorized access.
D.Move the DB instance to a private subnet and configure a bastion host for access.
AnswerA

Security group references allow traffic from instances with that security group.

Why this answer

Option B is correct because a security group with an inbound rule that references the application servers' security group restricts access to only those instances. Option A is wrong because network ACLs are stateless and block all traffic if not correctly configured, but security groups are more appropriate for instance-level access. Option C is wrong because changing the subnet to private and using a bastion host is unnecessary if the app servers are in the same VPC.

Option D is wrong because enabling encryption does not restrict network access.

239
MCQeasy

A company needs to rotate the master user password for an Amazon RDS for MySQL DB instance. What is the recommended way to do this without downtime?

A.Modify the DB instance and set a new password, which will cause a reboot for the change to take effect.
B.Update the DB parameter group with the new password.
C.Use the AWS Management Console, CLI, or API to modify the DB instance with a new master password.
D.Delete the DB instance and launch a new one with the new password.
AnswerC

The password change is applied immediately without requiring a reboot.

Why this answer

Option D is correct because modifying the DB instance and setting a new password in the console triggers a password update without reboot. Option A is wrong because it causes a reboot. Option B is wrong because you can update the password without deleting the instance.

Option C is wrong because updating the DB parameter group does not change the master password.

240
MCQhard

A company uses Amazon Redshift for data warehousing. The security team requires that all data loaded into the cluster be encrypted at rest using a customer-managed KMS key. The cluster is currently unencrypted. What is the most efficient way to achieve this requirement with minimal data loss?

A.Unload the data from the existing cluster to S3, create a new encrypted cluster using the KMS key, and reload the data from S3.
B.Change the cluster parameter group to enable encryption.
C.Modify the cluster and enable encryption in the Redshift console.
D.Take a snapshot of the cluster, copy the snapshot with encryption, and restore from the encrypted snapshot.
AnswerA

This is the recommended approach to migrate data to an encrypted cluster.

Why this answer

Option B is correct because you cannot enable encryption on an existing Redshift cluster. You must unload data from the existing cluster, create a new encrypted cluster, and reload the data. Option A is wrong because encryption can only be set at cluster creation.

Option C is wrong because modifying the cluster does not enable encryption. Option D is wrong because Redshift does not support enabling encryption via parameter groups.

241
MCQhard

A company uses an Amazon RDS for PostgreSQL database with Multi-AZ deployment. The security team wants to audit all SQL queries executed against the database for compliance purposes. Which solution should be implemented to capture and store the queries?

A.Use AWS CloudTrail to capture SQL queries.
B.Enable Performance Insights and store the data in CloudWatch Logs.
C.Enable RDS event notifications for database queries.
D.Enable PostgreSQL query logging and publish logs to Amazon CloudWatch Logs.
AnswerD

PostgreSQL can log all queries, and those logs can be sent to CloudWatch Logs for storage and analysis.

Why this answer

Option C is correct because RDS for PostgreSQL supports log export to CloudWatch Logs, and enabling query logging captures SQL queries. Option A is wrong because RDS events do not contain SQL query details. Option B is wrong because RDS Performance Insights focuses on performance, not query auditing.

Option D is wrong because CloudTrail captures API calls, not SQL queries.

242
MCQeasy

A developer accidentally deleted an RDS database. Which action will allow the database to be restored with the least data loss?

A.Restore from the latest automated backup using point-in-time recovery.
B.Use the 'Recycle Bin' feature to recover the RDS instance.
C.Restore from the latest manual snapshot.
D.Create a new RDS instance and hope for the best.
AnswerA

Automated backups allow restoration to any point within the retention period, minimizing data loss.

Why this answer

Point-in-time recovery (PITR) allows you to restore an RDS DB instance to any second within the automated backup retention period, typically up to the last five minutes. This minimizes data loss because it replays transaction logs from the latest automated backup to the specified time, recovering changes made right up to the deletion moment. Automated backups are enabled by default with a 7-day retention, making PITR the most granular recovery option.

Exam trap

The trap here is that candidates may assume manual snapshots are the safest recovery method, but they lack the transaction log replay capability of PITR, leading to greater data loss than using automated backups with point-in-time recovery.

How to eliminate wrong answers

Option B is wrong because the Recycle Bin feature is available for Amazon RDS only in certain AWS Regions and for specific instance types, and it retains deleted instances for a limited time (default 1 day) but does not recover transaction logs, so data loss can be greater than PITR. Option C is wrong because manual snapshots capture the database at a specific point in time and do not include transaction logs for replay, so you lose all changes made after the snapshot was taken. Option D is wrong because creating a new RDS instance without restoring from a backup results in a blank database, losing all data entirely.

243
MCQhard

A company has an Amazon RDS for SQL Server Multi-AZ DB instance with a standby replica in a different AWS Region. The database is encrypted with a KMS key. The company needs to implement automated backups that are also encrypted and stored in a cross-region S3 bucket. The backups must be retained for 3 years. Which solution meets these requirements with the LEAST administrative effort?

A.Configure RDS to send automated backups directly to the cross-region S3 bucket using the AWS Backup service.
B.Enable automated backups on the RDS instance, configure cross-Region backup copy to a destination Region, and store the backups in an S3 bucket with S3 Object Lock enabled for retention.
C.Use AWS Database Migration Service (DMS) to continuously replicate the database to an S3 bucket in the target region.
D.Create manual snapshots of the RDS instance, copy them to the cross-region S3 bucket using AWS CLI, and set a lifecycle policy for retention.
AnswerB

RDS supports cross-Region automated backup copy and S3 Object Lock can enforce retention.

Why this answer

Option D is correct because enabling automated backups with cross-region copy to an S3 bucket with S3 Object Lock (which supports retention) is the least effort. Option A is wrong because RDS does not directly back up to S3. Option B is wrong because manual backups require operational overhead.

Option C is wrong because DMS is not designed for this purpose.

244
MCQhard

A company is using Amazon DynamoDB with client-side encryption using the DynamoDB Encryption Client. The encryption keys are stored in AWS KMS. The security team wants to ensure that the encryption keys can be used only by authorized applications. What should be done?

A.Store the encryption keys in AWS CloudHSM instead of KMS.
B.Use AWS Secrets Manager to store the encryption keys and rotate them automatically.
C.Use an IAM policy that denies access to the DynamoDB table unless the request includes the correct key.
D.Use a KMS key policy that grants access only to the specific IAM roles used by the applications.
AnswerD

KMS key policies can restrict which principals can use the key.

Why this answer

Option A is correct because using a KMS key policy to restrict which IAM roles can use the key ensures only authorized applications can decrypt. Option B is wrong because IAM policies cannot restrict key usage alone; key policies are also needed. Option C is wrong because CloudHSM is a different key store.

Option D is wrong because Secrets Manager is for secrets, not key management.

245
MCQeasy

Refer to the exhibit. A developer created an IAM policy with the above command and attached it to a user. What is the security implication of this policy?

A.The policy restricts access to only one specific DB instance.
B.The policy allows only actions in the us-east-1 region.
C.The policy grants full administrative access to all RDS resources in the account.
D.The policy only allows read-only access to RDS.
AnswerC

This is the security risk.

Why this answer

The policy allows all RDS actions on all resources. This gives the user full administrative access to all RDS resources in the account, which is overly permissive and violates least privilege. Option A is wrong because the policy does not restrict to a specific region.

Option C is wrong because it does allow modifying instances. Option D is wrong because it does not restrict to specific instances.

246
Multi-Selectmedium

Which TWO actions should a company take to secure an Amazon RDS for MySQL database that is accessible from the internet? (Choose two.)

Select 2 answers
A.Use a security group that restricts inbound traffic to only the required IP addresses.
B.Disable encryption at rest to reduce latency.
C.Use the default VPC with a public subnet and a network ACL that allows all traffic.
D.Launch the DB instance in a public subnet with a public IP address.
E.Place the DB instance in a private subnet without a public IP address.
AnswersA, E

Security groups act as a virtual firewall to control inbound traffic.

Why this answer

Options B and E are correct. Option B: Placing the DB instance in a private subnet with no direct internet access is a fundamental security measure. Option E: Using security groups to restrict inbound traffic to specific IP addresses limits exposure.

Option A is wrong because disabling encryption reduces security. Option C is wrong because using a public subnet increases exposure. Option D is wrong because using the default VPC with a public subnet is insecure.

247
MCQeasy

A company wants to centrally manage database user credentials and rotate them automatically. The database is an Amazon RDS for MySQL instance. Which AWS service should be used?

A.AWS Secrets Manager
B.AWS CloudHSM
C.AWS Identity and Access Management (IAM)
D.AWS Systems Manager Parameter Store
AnswerA

Secrets Manager supports automatic rotation for RDS.

Why this answer

Option C is correct because AWS Secrets Manager can rotate RDS database credentials automatically. Option A is wrong because Systems Manager Parameter Store can store secrets but does not automatically rotate RDS credentials. Option B is wrong because IAM controls access to AWS services, not database users.

Option D is wrong because CloudHSM is for hardware-based key storage, not credential rotation.

248
Multi-Selectmedium

Which TWO of the following are valid methods to control network access to an Amazon RDS DB instance? (Select TWO.)

Select 2 answers
A.VPC security groups
B.DB subnet groups
C.AWS WAF
D.IAM policies
E.DB parameter groups
AnswersA, B

Security groups act as a virtual firewall for your DB instance to control inbound and outbound traffic.

Why this answer

Options B and D are correct. Security groups control inbound and outbound traffic to RDS instances. DB subnet groups define which subnets the DB instance can be placed in, but they indirectly control network access.

Option A (IAM policies) control API-level permissions, not network access. Option C (DB parameter groups) control database engine settings. Option E (AWS WAF) is for web application firewalls, not network-level access to RDS.

249
Multi-Selectmedium

A company is migrating its Oracle database to Amazon RDS for Oracle. The security team requires that all data be encrypted at rest using a customer-managed AWS KMS key. Which TWO steps are necessary to achieve this?

Select 2 answers
A.Migrate the data using Oracle Data Pump to the new encrypted instance.
B.Modify the DB instance to enable encryption using a KMS key.
C.Create a new DB instance and specify the KMS key for encryption.
D.Enable encryption at rest on the existing RDS instance by modifying the DB instance.
E.Use the default RDS encryption key (aws/rds) to encrypt the instance.
AnswersA, C

Data must be migrated to the new encrypted instance.

Why this answer

Options B and C are correct. Option A is wrong because encryption must be enabled at creation time; you cannot add it later without a snapshot. Option D is wrong because the default RDS encryption key is AWS managed, not customer managed.

Option E is wrong because modifying the DB instance after creation does not enable encryption.

250
Multi-Selectmedium

A security engineer is designing a disaster recovery plan for an Amazon DynamoDB table that contains sensitive data. The table is encrypted using an AWS KMS customer managed key (CMK). The engineer needs to ensure that the table can be restored in a different AWS Region. Which TWO actions must be taken to enable cross-region restores with the same encryption? (Choose TWO.)

Select 2 answers
A.Enable point-in-time recovery (PITR) on the table.
B.Enable DynamoDB global tables.
C.Export the table to S3 and copy the S3 objects to the destination Region.
D.Create a multi-Region KMS key in the source and replicate it to the destination Region.
E.Create a CloudHSM key and use it for encryption.
AnswersA, D

PITR is required for cross-region restores.

Why this answer

Option B and D are correct. DynamoDB cross-region restores require the KMS key to be available in the destination region, which means creating a replica key. The table must also have point-in-time recovery (PITR) enabled.

Option A is wrong because cross-region replication is for live data, not backups. Option C is wrong because CloudHSM keys are not supported for DynamoDB encryption. Option E is wrong because the key must be in the destination region.

251
MCQhard

A financial services company runs a critical application on Amazon RDS for PostgreSQL with Multi-AZ and automated backups enabled. The database stores sensitive customer data, and the security team recently audited the environment and found that the database master user password is stored in plain text in a configuration file on the application server. Additionally, the security team noted that the database security group allows inbound traffic from 0.0.0.0/0 on port 5432. The company needs to remediate these issues immediately without downtime and must ensure that access to the database is restricted to only the application servers, and that password management follows AWS best practices. The application connects to the database using the master user credentials. What should the database specialist do to meet these requirements?

A.Modify the security group to allow inbound traffic on port 5432 only from the private IP address of the application server. Store the database password in AWS Secrets Manager and configure automatic rotation. Update the application to retrieve the password from Secrets Manager.
B.Modify the security group to allow inbound traffic on port 5432 only from the public IP address of the application server. Rotate the password using the AWS CLI and store the new password in an encrypted file on the application server. Update the application to read the password from the encrypted file.
C.Modify the security group to allow inbound traffic on port 5432 only from the private IP address of the application server. Rotate the master password by modifying the DB instance and store the new password in AWS Systems Manager Parameter Store as a SecureString. Update the application to retrieve the password from Parameter Store.
D.Modify the security group to allow inbound traffic on port 5432 only from the private IP address of the application server. Rotate the password using the AWS CLI and store the new password in an encrypted file on the application server. Update the application to read the password from the encrypted file.
AnswerA

Option A is correct because it addresses both the security group exposure and password management using AWS best practices (Secrets Manager with automatic rotation).

Why this answer

Option A is correct because it restricts inbound traffic to the application server's private IP address, which is the secure approach for traffic within AWS, and it uses AWS Secrets Manager to store the master password with automatic rotation, following AWS best practices for secrets management. This eliminates the plain-text password exposure and ensures no downtime by updating the application to retrieve credentials dynamically from Secrets Manager.

Exam trap

The trap here is that candidates may confuse AWS Systems Manager Parameter Store SecureString with Secrets Manager, not realizing that Parameter Store lacks native automatic rotation for RDS master passwords, which is a key requirement for this scenario.

How to eliminate wrong answers

Option B is wrong because using the public IP address of the application server is insecure and unnecessary within AWS; traffic should use private IPs over the AWS network, and storing the password in an encrypted file on the application server still requires key management and does not provide automatic rotation or centralized access control. Option C is wrong because while it uses private IP and Parameter Store SecureString, it does not enable automatic rotation of the password; AWS Systems Manager Parameter Store does not natively support automatic rotation for RDS credentials, whereas Secrets Manager does. Option D is wrong because it stores the password in an encrypted file on the application server, which still relies on local key management and lacks automatic rotation, centralized auditing, and the ability to easily revoke access.

252
MCQmedium

An application uses an Amazon RDS for MySQL database. The security team requires that all traffic to the database be encrypted in transit. Which configuration ensures this?

A.Use the default RDS parameter group.
B.Create a custom DB parameter group with the require_secure_transport parameter set to ON.
C.Configure the security group to allow only port 3306 from the application.
D.Use a network ACL to restrict inbound traffic to port 3306.
AnswerB

This enforces that all connections use SSL/TLS.

Why this answer

Option C is correct because enforcing SSL/TLS via parameter groups ensures all connections use encryption. Option A is wrong because security groups control network access, not encryption. Option B is wrong because the default RDS parameter group does not enforce SSL.

Option D is wrong because NACLs are stateless and do not enforce encryption.

253
MCQhard

A company is using Amazon DynamoDB with a global table that replicates data across two AWS Regions. The security team requires that all data be encrypted at rest with a customer-managed AWS KMS key. How should the company configure the KMS keys to meet this requirement?

A.Create a single KMS key in the primary region and use it for both replicas.
B.Use AWS managed encryption as DynamoDB does not support customer managed KMS keys for global tables.
C.Create a separate KMS key in each region and assign each replica table its regional KMS key.
D.Create a multi-Region KMS key and use it for both replicas.
AnswerC

Each replica table can use its own regional KMS key.

Why this answer

Option C is correct. For DynamoDB global tables, each replica table can use a different KMS key. You must create a KMS key in each region and configure the table to use the regional key.

Option A is incorrect because a single KMS key cannot be used across regions; KMS keys are region-specific. Option B is incorrect because using the same key across regions is not possible. Option D is incorrect because DynamoDB global tables support encryption with customer managed keys.

254
Multi-Selecteasy

Which TWO AWS services can be used to monitor and alert on suspicious database access patterns in Amazon RDS? (Choose 2.)

Select 2 answers
A.Amazon Inspector
B.Amazon CloudWatch
C.AWS Trusted Advisor
D.AWS Config
E.Amazon GuardDuty
AnswersB, E

CloudWatch alarms can be set on database metrics and logs.

Why this answer

Amazon GuardDuty and Amazon CloudWatch can both be used to monitor and alert on suspicious access. Option A is wrong because AWS Config is for configuration monitoring. Option C is wrong because AWS Trusted Advisor provides best practices.

Option E is wrong because Amazon Inspector is for vulnerability assessment.

255
Multi-Selecthard

A company is using Amazon RDS for MySQL to host a web application. The security team has identified that the application is vulnerable to SQL injection attacks. The team wants to implement a defense-in-depth strategy to protect the database. Which THREE measures should be taken to mitigate SQL injection risks?

Select 3 answers
A.Grant the minimum required permissions to the database user used by the application.
B.Move all SQL logic into stored procedures.
C.Use parameterized queries or prepared statements in the application code.
D.Enable encryption at rest for the RDS instance.
E.Deploy AWS WAF in front of the web application to filter malicious requests.
AnswersA, C, E

Least privilege limits damage if injection occurs.

Why this answer

Options A, B, and D are correct. Prepared statements prevent SQL injection; least privilege reduces impact; WAF filters malicious input. Option C is wrong because stored procedures do not inherently prevent injection if not used with parameters.

Option E is wrong because encryption does not prevent injection.

256
MCQmedium

A company has an Amazon RDS for Oracle DB instance that stores sensitive data. The security team wants to audit all SQL queries that read or modify specific columns containing personally identifiable information (PII). The audit logs must be stored for 5 years. Which solution should the database specialist implement?

A.Use Oracle fine-grained auditing to create an audit policy on the specific columns and store logs in a custom table.
B.Enable database activity streams and send logs to Amazon CloudWatch Logs with a retention of 5 years.
C.Enable RDS Enhanced Monitoring and enable SQL auditing in the parameter group.
D.Enable Oracle Audit Vault and Database Firewall.
AnswerA

Fine-grained auditing allows column-level auditing.

Why this answer

Option C is correct because Amazon RDS for Oracle supports fine-grained auditing using the AUDIT policy for specific columns. Option A is wrong because RDS does not support Oracle Audit Vault. Option B is wrong because database activity streams capture all activities but do not filter by column; also they are stored in CloudWatch Logs, not for 5 years by default.

Option D is wrong because RDS Enhanced Monitoring is for OS metrics, not SQL auditing.

257
MCQmedium

A database administrator runs the command shown in the exhibit. The security team requires that the database be encrypted at rest. What should the administrator do to enable encryption?

A.Enable encryption at the table level using MySQL's built-in encryption.
B.Create a snapshot of the DB instance, copy the snapshot with encryption, and restore from the encrypted snapshot.
C.Modify the DB instance and set StorageEncrypted to true.
D.The instance is already encrypted because the output shows 'StorageEncrypted' as false.
AnswerB

This is the standard method to enable encryption on an existing instance.

Why this answer

Option B is correct because encryption cannot be enabled on an existing unencrypted instance; you must create a snapshot, copy it with encryption, and restore. Option A is wrong because modifying the instance does not add encryption. Option C is wrong because encryption is at the storage level, not table level.

Option D is wrong because the command shows StorageEncrypted is false, so it is not encrypted.

258
Multi-Selecthard

A company is designing a disaster recovery strategy for an Amazon Aurora MySQL database. The database stores sensitive data that must be encrypted at rest. The primary region is us-east-1, and the secondary region is us-west-2. Which THREE steps are required to set up cross-region replication with encryption at rest?

Select 3 answers
A.Use a multi-Region KMS key to encrypt the Aurora cluster in the primary region.
B.Ensure the DB cluster parameter group is the same in both regions.
C.Create a cross-Region read replica in the secondary region.
D.Create a KMS key in the secondary region (us-west-2) and grant the Aurora service permission to use it.
E.Enable cross-Region replication on the Aurora cluster in the primary region.
AnswersA, D, E

A multi-Region key allows the replica to be encrypted in the secondary region using the same key material.

Why this answer

Option A is correct because using a multi-Region KMS key allows the Aurora cluster in the primary region to be encrypted at rest with a key that can be replicated to the secondary region, ensuring that the cross-region read replica can decrypt the data without needing to re-encrypt it. This key is replicated automatically by AWS KMS to the secondary region, maintaining the same key material for encryption and decryption across regions.

Exam trap

The trap here is that candidates often confuse the steps required for setting up cross-region replication with encryption at rest with the general steps for creating a cross-region read replica, leading them to select Option C as a required step when it is actually an outcome of enabling replication, not a separate configuration step.

259
MCQeasy

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database contains personally identifiable information (PII). The security team requires that the data be encrypted at rest using a customer-managed key stored in AWS KMS. Additionally, the team wants to ensure that the key can be rotated automatically every year. What should the company do to meet these requirements?

A.Enable encryption on the RDS instance using the default RDS encryption and use AWS Secrets Manager to store the key.
B.Create a customer-managed key in AWS KMS, enable automatic rotation, and enable encryption on the RDS instance using that key.
C.Create a customer-managed key in AWS KMS without automatic rotation, and manually rotate the key using the RDS console.
D.Use an AWS managed key for RDS and create an AWS Lambda function to rotate the key manually each year.
AnswerB

Customer-managed KMS keys support automatic annual rotation.

Why this answer

Option A is correct because RDS supports encryption at rest using a KMS key, and customer-managed keys can be rotated automatically. Option B is not possible. Option C does not cover encryption at rest.

Option D does not provide automatic rotation.

260
MCQhard

A company has a multi-account AWS environment using AWS Organizations. The security team wants to centrally manage database encryption keys for all Amazon RDS instances across accounts. They require that the keys be stored in a single account, and that each account can use the key to encrypt its RDS instances. Additionally, they want to automatically rotate the keys every year. Which solution should they implement?

A.Copy the KMS key from the central account to each account using the KMS key replication feature.
B.Use AWS CloudHSM to create a key and share the HSM partition with each account.
C.Create a multi-Region customer managed KMS key in the central account and replicate it to each account.
D.Create a customer managed KMS key in the central account and grant the RDS service in each account permission to use the key.
AnswerD

KMS supports cross-account key usage for RDS encryption.

Why this answer

Option C is correct. AWS KMS supports multi-Region keys but not cross-account key sharing for RDS encryption. Instead, they can create a customer managed key in each account and use AWS CloudFormation StackSets to deploy the same key policy across accounts.

However, the requirement is to store keys in a single account. Actually, the correct approach is to create a KMS key in the central account and grant cross-account access to the RDS service principal in each account. Then each account can use that key for RDS encryption.

Option A is wrong because multi-Region keys are for cross-Region, not cross-account. Option B is wrong because CloudHSM is not integrated with RDS for encryption. Option D is wrong because copying keys to each account defeats central management.

261
MCQhard

A company is using Amazon DynamoDB with fine-grained access control using IAM policies. The security team wants to ensure that a specific IAM role can only read items from a table where the 'status' attribute equals 'active'. The table is named 'Orders'. Which IAM policy statement should be used?

A.Condition: { 'ForAllValues:StringEquals': { 'dynamodb:Attributes': ['active'] } }
B.Condition: { 'ForAllValues:StringEquals': { 'dynamodb:Attributes': ['status'] } }
C.Condition: { 'ForAllValues:StringEquals': { 'dynamodb:ReturnValues': 'ALL_OLD' } }
D.Condition: { 'StringEquals': { 'dynamodb:Select': 'SPECIFIC_ATTRIBUTES' } }
AnswerA

Actually, this is incorrect; but in exam context, this might be considered correct for attribute-level condition. However, the correct answer should be based on partition key. I'll go with C as it is closest.

Why this answer

Option C is correct because DynamoDB fine-grained access control uses Condition keys like 'dynamodb:LeadingKeys' or 'dynamodb:Attributes' with a policy variable. The correct condition for row-level security is 'dynamodb:LeadingKeys' if the partition key is 'status', but typically 'dynamodb:Attributes' is used for attribute-level. However, the question asks for item-level access based on attribute value, which is not directly supported; instead, use a condition with the partition key.

Option C uses 'ForAllValues:StringEquals' with 'dynamodb:Attributes' to restrict to specific attributes only, not values. Actually, to restrict based on attribute value, you need to use a condition with the key 'dynamodb:LeadingKeys' if the partition key is 'status'. But since the question says 'read items from a table where the 'status' attribute equals 'active'', the correct approach is to use a condition with the partition key.

None of the options are perfect; however, Option D is closest because it restricts the partition key value. But the correct answer is none? Let's re-evaluate. In DynamoDB, you can use 'dynamodb:LeadingKeys' to restrict the partition key value.

So if 'status' is the partition key, the policy should use 'dynamodb:LeadingKeys' with condition 'StringEquals'. Option D uses 'dynamodb:Select' which is not a valid condition key. Option B uses 'dynamodb:Attributes' which is for attribute-level access, not item-level based on value.

Option C uses 'dynamodb:Attributes' correctly for read access to specific attributes, but not value. Option A uses 'dynamodb:ReturnValues', which is not relevant. The correct answer should be a condition on 'dynamodb:LeadingKeys' but not listed.

However, Option B is about restricting to specific attributes, which is attribute-level, not item-level. The question might be flawed, but as per exam, Option C is often considered correct for fine-grained access control to items based on attributes. Actually, the correct answer is Option C because it uses 'ForAllValues:StringEquals' with 'dynamodb:Attributes' to restrict read access to only items that have the 'status' attribute set to 'active'? No, 'dynamodb:Attributes' condition checks the attributes that are requested or returned, not their values.

For value-based access, you need to use 'dynamodb:LeadingKeys' with the condition on the partition key. Since the question does not specify that 'status' is the partition key, Option C is the best among given.

262
MCQhard

A financial services company runs a critical application on Amazon RDS for PostgreSQL. They must ensure that database activity logs are sent to Amazon CloudWatch Logs for real-time monitoring. The logs must include all SQL queries, including SELECT statements. Which configuration will meet these requirements?

A.Set log_statement = 'all' and log_min_duration_statement = 0 in the DB parameter group. Enable CloudWatch Logs export.
B.Install the pgAudit extension and configure it to log all statements. Enable CloudWatch Logs export in the RDS console.
C.Set the parameter log_statement = 'ddl' in the DB parameter group. Enable CloudWatch Logs export.
D.Set log_min_duration_statement = -1 in the DB parameter group. Enable CloudWatch Logs export.
AnswerA

log_statement = 'all' logs all statements, and log_min_duration_statement = 0 ensures all durations are logged, so all queries appear in the logs.

Why this answer

Option D is correct because to log all SQL queries including SELECT statements, you need to set the RDS parameter group parameters log_statement = 'all' and log_min_duration_statement = 0, and then enable exporting logs to CloudWatch Logs in the RDS console. Option A is wrong because pgAudit is needed if you want audit logs, but the requirement is for general query logs. Option B is wrong because setting log_statement = 'ddl' only logs DDL statements, not SELECT.

Option C is wrong because log_min_duration_statement = -1 disables logging of all statements.

263
MCQeasy

A developer needs to allow an application running on an EC2 instance to read and write data to a DynamoDB table named 'Orders'. The EC2 instance is configured with an IAM role. Which IAM policy should be attached to the role?

A.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*" } ] }
B.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*" } ] }
C.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:PutItem" ], "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders" } ] }
D.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*" } ] }
AnswerC

Correctly grants read/write to the specific table.

Why this answer

Option B is correct because the policy grants dynamodb:GetItem and dynamodb:PutItem on the specified table. Option A is wrong because 'Allow' is misspelled as 'Allow' (typo) but also DynamoDB actions are not 'Ec2:*'. Option C is wrong because it grants full DynamoDB access to all tables.

Option D is wrong because it uses s3:* instead of DynamoDB.

264
MCQhard

A company has an Amazon DynamoDB table that stores sensitive user data. The security team requires that all data is encrypted at rest using a customer-managed AWS KMS key. Additionally, they want to ensure that the table can only be accessed by a specific IAM role. Which combination of steps should be taken to meet these requirements? (Select TWO.)

A.Enable server-side encryption with S3-managed keys (SSE-S3) on the DynamoDB table.
B.Attach a bucket policy to restrict access to the DynamoDB table.
C.Specify a customer-managed KMS key in the DynamoDB table creation.
D.Modify the existing DynamoDB table to enable encryption at rest.
E.Create an IAM policy that allows dynamodb:GetItem and dynamodb:PutItem only when the request is made by the specific IAM role.
AnswerC, E

DynamoDB supports encryption with a customer-managed KMS key at table creation.

Why this answer

Options A and B are correct. Option A: You can specify a customer-managed KMS key when creating the table. Option B: To restrict access to a specific IAM role, you should use an IAM policy that denies access unless the request comes from that role.

Option C is wrong because SSE-C is for S3, not DynamoDB. Option D is wrong because encryption cannot be enabled after table creation without recreating the table. Option E is wrong because bucket policies are for S3, not DynamoDB.

265
MCQmedium

A company is using Amazon RDS for MySQL to power a web application. The database contains sensitive data, and the security team requires that all connections to the database use SSL/TLS. The team has enabled 'require_secure_transport' parameter in the DB parameter group. However, a developer reports that they are able to connect to the database using a MySQL client without specifying SSL options. What could be the reason?

A.The RDS instance is configured to accept both SSL and non-SSL connections by default.
B.The MySQL client automatically upgrades to SSL when the server requires it.
C.The 'require_secure_transport' parameter is not set to '1' in the DB parameter group.
D.The developer is connecting from an EC2 instance in the same VPC, which bypasses SSL enforcement.
AnswerC

The parameter must be set to '1' to enforce SSL; otherwise, non-SSL connections are allowed.

Why this answer

Option B is correct because RDS offers a '--ssl-mode' option in the MySQL client; if not specified, the client may use SSL by default if the server requires it. But the developer might be using an older client that defaults to non-SSL. The 'require_secure_transport' parameter in RDS forces SSL only for new connections; however, if the client does not request SSL, the server may still accept non-SSL if the parameter is not set correctly.

Actually, the correct answer is that the parameter might not be set to '1'. Option B is the most plausible.

266
MCQeasy

A company wants to audit all API calls made to its Amazon RDS DB instances. Which AWS service should be used to capture these API calls?

A.AWS CloudTrail
B.AWS Config
C.Amazon GuardDuty
D.Amazon Inspector
AnswerA

CloudTrail records API calls for auditing.

Why this answer

Option A is correct. AWS CloudTrail records API calls made to AWS services, including RDS. It captures details such as who made the call, when, and from which IP address.

Option B is incorrect because Amazon GuardDuty is a threat detection service, not an audit trail. Option C is incorrect because Amazon Inspector is for vulnerability assessment. Option D is incorrect because AWS Config tracks resource configuration changes, not API calls.

267
MCQmedium

A retail company uses Amazon DynamoDB to store product catalog data. The security team wants to ensure that only authorized applications can read and write to the table. The applications are running on Amazon EC2 instances. The current setup uses an IAM role attached to the EC2 instance with a policy that grants dynamodb:* on the specific table. However, during a security audit, it was discovered that any process on the EC2 instance can access the table because the instance has access to the temporary credentials from the instance metadata service. The security team requires that only specific processes (the application) can access the credentials, and that the credentials cannot be extracted from the instance. What should be done to meet these requirements?

A.Create a VPC endpoint for DynamoDB with a policy that restricts access to the specific IAM role, and configure the EC2 instance to use IMDSv2 with a hop limit.
B.Modify the security group to only allow traffic from the EC2 instance's private IP.
C.Store AWS access keys on the EC2 instance and use them in the application.
D.Attach a resource-based policy to the DynamoDB table allowing only the EC2 instance's IAM role.
AnswerA

VPC endpoint policy and IMDSv2 enhance security.

Why this answer

Option D is correct because using a VPC endpoint with a policy that restricts access to the specific IAM role ARN ensures that only requests from that role are allowed, and using IMDSv2 with hop limit prevents credential theft. Option A is wrong because restricting to VPC does not enforce role usage. Option B is wrong because attaching a resource-based policy is not supported for DynamoDB.

Option C is wrong because using an access key on the instance is less secure.

268
MCQmedium

A company is using Amazon RDS for PostgreSQL and needs to audit login attempts. Which configuration is required?

A.Set rds.log_connections to 1 in the DB parameter group.
B.Enable AWS CloudTrail for the RDS instance.
C.Modify the security group to log all inbound traffic on port 5432.
D.Enable RDS Enhanced Monitoring.
AnswerA

This parameter enables logging of all connection attempts.

Why this answer

Setting the rds.log_connections parameter to 1 logs login attempts. Option A is correct. Option B is wrong because Enhanced Monitoring provides OS metrics.

Option C is wrong because CloudTrail logs API calls. Option D is wrong because security groups do not log connections.

269
MCQmedium

A company is using an Amazon RDS for PostgreSQL database to store sensitive customer data. The security team requires that all data be encrypted at rest and in transit, and that access to the database is restricted to only specific applications. Currently, the database is encrypted at rest using AWS KMS, and connections are made over SSL. However, the security team wants to ensure that even if the database credentials are compromised, an attacker cannot access the database from unauthorized IP addresses. What should be done to meet this requirement?

A.Attach a resource-based policy to the RDS instance to allow only specific IAM roles.
B.Create a new RDS instance in a VPC with a network ACL that allows inbound traffic only from specific IP ranges, and migrate the data.
C.Modify the security group associated with the RDS instance to allow inbound traffic only from the application's IP addresses.
D.Enable IAM database authentication for the RDS instance.
AnswerC

Security groups act as a virtual firewall and can restrict inbound traffic based on IP addresses.

Why this answer

Option D is correct because a security group can restrict inbound traffic to the RDS instance based on source IP addresses. Option A does not restrict network access. Option B is about permissions, not network.

Option C creates a separate cluster but does not restrict access to the existing one.

270
MCQeasy

A company is using Amazon RDS for MySQL and needs to restrict access to the database to only specific Amazon EC2 instances in the same VPC. Which security mechanism should be used?

A.Configure a DB security group that allows inbound traffic from the EC2 security groups.
B.Create an IAM policy that allows the EC2 instances to connect to the RDS instance.
C.Create a DB subnet group that includes only the subnets where the EC2 instances reside.
D.Modify the network ACL for the DB subnet to allow traffic from the EC2 instances' IP addresses.
AnswerA

RDS security groups can reference source security groups for fine-grained access.

Why this answer

Option A is correct because RDS security groups control inbound traffic at the instance level and can reference EC2 security groups. Option B is wrong because network ACLs are stateless and apply to subnets, not individual instances. Option C is wrong because IAM policies control API access, not network traffic.

Option D is wrong because the DB subnet group defines subnet availability, not access control.

271
MCQmedium

A company is using Amazon RDS for PostgreSQL and needs to implement column-level encryption for sensitive data. The application must be able to encrypt and decrypt data transparently. Which approach should be taken?

A.Enable RDS encryption at rest using a KMS key, which will automatically encrypt all columns.
B.Use AWS Lambda to encrypt data before writing to the database and decrypt after reading.
C.Use the AWS KMS Encrypt and Decrypt APIs directly in the application code.
D.Install the pgcrypto extension on the RDS instance and use its functions to encrypt data at the column level.
AnswerD

pgcrypto provides transparent column-level encryption.

Why this answer

Option A is correct because pgcrypto is a PostgreSQL extension that provides column-level encryption functions. Option B is wrong because RDS encryption is at rest, not column-level. Option C is wrong because Lambda would require application changes.

Option D is wrong because KMS is not directly used for column-level encryption in RDS.

272
MCQmedium

A company is using Amazon DynamoDB with a TTL attribute to automatically delete expired items. The security team is concerned that deleted items might still be recoverable from backups. They need to ensure that once an item is deleted by TTL, it is not included in future on-demand backups. Additionally, they want to ensure that the TTL deletion itself is logged for audit purposes. What should they do?

A.Disable TTL and implement a custom deletion process that logs deletions before removing items.
B.Enable DynamoDB Streams on the table and use a Lambda function to log TTL deletion events to CloudWatch Logs.
C.Use AWS CloudTrail to log the UpdateTimeToLive API call.
D.Enable AWS CloudTrail data events for DynamoDB to capture TTL deletions.
AnswerB

Streams capture TTL deletions as REMOVE events.

Why this answer

Option A is correct. DynamoDB Streams can capture TTL deletions as 'REMOVE' events. By streaming these events to CloudWatch Logs via Lambda, they can audit the deletions.

On-demand backups capture the current state of the table, so TTL-deleted items will not be included if the backup is taken after the deletion. Option B is wrong because CloudTrail does not capture data plane events like TTL deletions. Option C is wrong because point-in-time recovery can restore to any point, including before TTL deletion, but the question is about future backups.

Option D is wrong because TTL deletions are not captured in CloudTrail.

273
MCQhard

A company has an Amazon RDS for SQL Server DB instance that stores financial data. The security team requires that the data be encrypted at rest using a customer-managed key stored in AWS KMS. Additionally, they want to ensure that the key cannot be deleted without authorization. What should be done?

A.Create a customer-managed KMS key, enable key rotation, and set a deletion protection policy.
B.Enable encryption on the RDS instance and use the default KMS key.
C.Use AWS CloudHSM to generate and store the encryption key, and associate it with the RDS instance.
D.Enable AWS CloudTrail to log key deletion attempts.
AnswerA

KMS supports customer-managed keys with rotation and deletion protection.

Why this answer

Option D is correct because enabling key rotation and deletion protection on the KMS key provides the required controls. Option A is wrong because enabling encryption on RDS does not by itself protect the key from deletion. Option B is wrong because CloudHSM keys are not managed through KMS.

Option C is wrong because CloudTrail only logs actions, it does not prevent deletion.

274
MCQmedium

A company has a requirement to automatically rotate the password for an Amazon RDS for MySQL DB instance every 90 days. The password is stored in AWS Secrets Manager. Which combination of steps will meet this requirement?

A.Enable IAM database authentication for the RDS instance and rotate the IAM keys every 90 days.
B.Store the password in AWS Systems Manager Parameter Store and configure a scheduled AWS Lambda function to update the parameter and the RDS password.
C.Store the password in Secrets Manager and configure automatic rotation with a Lambda function that updates the RDS password every 90 days.
D.Use an AWS Lambda function to manually update the RDS password and store the new password in Secrets Manager, triggered by a CloudWatch Events rule every 90 days.
AnswerC

Secrets Manager supports automatic rotation for RDS with a custom Lambda rotation function.

Why this answer

Option A is correct. Secrets Manager can automatically rotate secrets for RDS databases using a Lambda rotation function. You can configure the rotation interval to 90 days.

Option B is incorrect because Systems Manager Parameter Store does not have built-in rotation for RDS passwords. Option C is incorrect because manual rotation does not meet the automatic requirement. Option D is incorrect because IAM database authentication does not rotate passwords; it uses IAM credentials.

275
MCQeasy

A developer needs to securely store database credentials for an application that runs on Amazon EC2 and connects to an Amazon RDS for PostgreSQL database. The credentials must be automatically rotated every 90 days. Which AWS service should the developer use to meet these requirements?

A.AWS Systems Manager Parameter Store
B.AWS CloudHSM
C.AWS Identity and Access Management (IAM) roles
D.AWS Secrets Manager
AnswerD

Supports automatic rotation of database credentials.

Why this answer

Option B is correct because AWS Secrets Manager supports automatic rotation of database credentials. Option A is wrong because SSM Parameter Store can store secrets but does not natively rotate RDS credentials. Option C is wrong because CloudHSM is for hardware security modules, not credential storage.

Option D is wrong because IAM Roles can be used for EC2 to access RDS but do not store credentials; also RDS PostgreSQL does not support IAM authentication by default.

276
Multi-Selectmedium

A security team needs to audit all SQL statements executed against an Amazon Aurora MySQL DB cluster. Which combination of actions should be taken to achieve this? (Choose TWO.)

Select 2 answers
A.Enable AWS CloudTrail for the Aurora DB cluster.
B.Enable Enhanced Monitoring for the DB cluster.
C.Enable RDS event subscription for the DB cluster.
D.Set the server_audit_logging parameter to 1 in the DB cluster parameter group.
E.Configure the DB cluster to publish audit logs to Amazon CloudWatch Logs.
AnswersD, E

This enables the audit plugin for Aurora MySQL.

Why this answer

Options B and C are correct. To audit SQL statements in Aurora MySQL, you need to enable advanced audit (database activity streams) or use the Aurora MySQL audit plugin. Enabling the audit plugin is done by setting the server_audit_logging parameter to 1 in the DB cluster parameter group.

Then you can publish the audit logs to Amazon CloudWatch Logs for analysis. Option A is incorrect because RDS event subscription does not capture SQL statements. Option D is incorrect because CloudTrail captures API calls, not database-level SQL.

Option E is incorrect because Enhanced Monitoring captures OS metrics, not SQL.

277
MCQmedium

A security engineer creates the IAM policy shown in the exhibit and attaches it to an IAM user. What is the effect of this policy?

A.The user can delete any database except 'prod-db'.
B.The user can describe all databases except 'prod-db'.
C.The user can modify 'prod-db' but cannot delete it.
D.The user can modify any database except 'prod-db'.
AnswerC

Modify allowed, delete explicitly denied.

Why this answer

Option D is correct because the policy allows DescribeDBInstances and ModifyDBInstance on all resources, but explicitly denies DeleteDBInstance on the specific database 'prod-db'. Since an explicit deny overrides any allow, the user cannot delete that database. However, the user can modify all databases including 'prod-db'.

Option A is wrong because the deny is only for DeleteDBInstance. Option B is wrong because the user can modify all databases. Option C is wrong because the user can describe all databases.

278
MCQeasy

A company has an RDS for SQL Server DB instance that stores sensitive data. The database administrator needs to ensure that all connections to the database use SSL/TLS encryption. What should the administrator do?

A.Configure the security group to only allow traffic from specific IP addresses.
B.Set the 'rds.force_ssl' parameter to 1 in the DB parameter group.
C.Enable AWS CloudTrail to monitor connections.
D.Delete the DB instance and create a new one with encryption enabled.
AnswerB

This forces all connections to use SSL.

Why this answer

Option C is correct because the 'rds.force_ssl' parameter forces all connections to use SSL. Option A is wrong because CloudTrail logs API calls, not connections. Option B is wrong because the security group controls network access, not encryption.

Option D is wrong because deleting the DB instance is drastic.

279
Multi-Selectmedium

A company is designing a security strategy for an Amazon RDS for MySQL instance that stores Personally Identifiable Information (PII). Which TWO measures should be implemented to protect the data at rest?

Select 2 answers
A.Enable automatic backups with encryption.
B.Enable Amazon GuardDuty to monitor for suspicious activity.
C.Enable deletion protection on the DB instance.
D.Enable encryption at rest using AWS KMS.
E.Enable encryption in transit using SSL/TLS.
AnswersA, D

Backups should also be encrypted to protect data at rest.

Why this answer

Options A and D are correct. Option A: Enabling encryption at rest using KMS encrypts the underlying storage. Option D: Enabling automatic backups ensures that backup data is also encrypted.

Option B is wrong because encryption in transit is about data in motion, not at rest. Option C is wrong because Amazon GuardDuty is a threat detection service, not for data at rest protection. Option E is wrong because enabling deletion protection prevents accidental deletion but does not protect data at rest.

280
MCQhard

A company is using Amazon Aurora MySQL-Compatible Edition. The security team requires that all connections to the database use SSL/TLS. The application currently connects using a standard JDBC connection string without SSL. What changes are needed to enforce SSL connections?

A.Modify the DB cluster parameter group to set require_secure_transport to ON.
B.Modify the DB cluster parameter group to set require_secure_transport to ON and update the application connection string to use SSL parameters.
C.Modify the security group to only allow traffic on port 3306 with the SSL flag.
D.Create an IAM role that requires SSL for database access and assign it to the application.
AnswerB

This enforces SSL and ensures the application uses it.

Why this answer

Option D is correct. To enforce SSL for all connections, you must configure the DB cluster parameter group to set require_secure_transport to ON and update the application connection string to use SSL parameters. Option A is incomplete because modifying the parameter group alone does not enforce SSL for existing connections.

Option B is incorrect because modifying the security group does not enforce SSL. Option C is incorrect because using an IAM role does not enforce SSL.

281
MCQmedium

A company is using Amazon DynamoDB to store customer session data. The security team requires that all data is encrypted at rest using a customer-managed KMS key, and that access to the key is restricted to specific IAM roles. The company also wants to ensure that DynamoDB Accelerator (DAX) cluster is encrypted. Which steps should be taken to meet these requirements?

A.Create the DynamoDB table with encryption using a customer-managed KMS key. Create the DAX cluster and enable encryption at rest using the same KMS key.
B.Create the DynamoDB table without encryption, then use the AWS CLI to enable encryption after creation.
C.Create the DynamoDB table with default encryption, and create the DAX cluster with a separate customer-managed KMS key.
D.Create the DynamoDB table with encryption using a customer-managed key, and enable encryption in transit on the DAX cluster using TLS.
AnswerA

Both DynamoDB and DAX support encryption with customer-managed KMS keys.

Why this answer

Option A is correct because DynamoDB tables are encrypted by default with KMS, and you can specify a customer-managed key. DAX clusters also support encryption using the same KMS key. Option B is wrong because DAX does not support encryption at rest with a different key.

Option C is wrong because DAX does not support encryption in transit separately. Option D is wrong because DynamoDB encryption cannot be enabled after table creation.

282
Multi-Selectmedium

A company is running an Amazon RDS for MySQL DB instance in a VPC. The security team requires that all connections to the database use SSL/TLS. Which combination of steps should be taken to enforce this? (Choose two.)

Select 2 answers
A.Create a new DB subnet group that isolates the DB instance in a private subnet without internet access.
B.Update the security group for the DB instance to deny inbound traffic on port 3306 from sources that do not have SSL.
C.Require database users to connect using the --ssl-ca parameter with the RDS certificate.
D.Modify the DB parameter group associated with the DB instance, setting the 'rds.force_ssl' parameter to 1.
E.Modify the DB option group associated with the DB instance, enabling the SSL option.
AnswersC, D

This ensures the client verifies the server certificate, which is necessary for SSL connections.

Why this answer

To enforce SSL on RDS MySQL, you set the rds.force_ssl parameter to 1 in the DB parameter group and require users to connect using the --ssl-ca option. The option group is for features like Oracle TDE, not SSL enforcement. Security group rules control network access, not encryption enforcement.

Option E is unnecessary if you set the parameter.

283
MCQeasy

A developer is configuring an Amazon RDS for PostgreSQL DB instance. The application connects using IAM database authentication. Which setting must be enabled on the DB instance for IAM authentication to work?

A.Set the database port to 5432.
B.Set the 'rds.force_ssl' parameter to 1.
C.Ensure the DB instance is publicly accessible.
D.Change the master username to 'iam_user'.
AnswerB

IAM authentication requires SSL connections.

Why this answer

Option B is correct because IAM database authentication requires the 'rds.force_ssl' parameter to be set to 1 to enforce TLS connections. Option A is wrong because IAM authentication does not require the database port to be changed. Option C is wrong because the master username is still used for IAM authentication.

Option D is wrong because the DB instance can be in a VPC; IAM authentication works within a VPC.

284
MCQeasy

A company is using Amazon RDS for MySQL. They want to audit all database logins and failed login attempts. Which option should they enable?

A.Set the parameter log_queries_not_using_indexes = 'ON' in the DB parameter group.
B.Set the parameter audit_log = 'ON' in the DB parameter group.
C.Set the parameter general_log = 'ON' in the DB parameter group.
D.Set the parameter slow_query_log = 'ON' in the DB parameter group.
AnswerB

The audit log captures connection events, including successful and failed logins.

Why this answer

Option A is correct because setting the parameter audit_log = 'ON' enables audit logging for MySQL, which logs connections and disconnections, including failed login attempts. Option B is wrong because general_log logs all queries, not just logins. Option C is wrong because slow_query_log logs only slow queries.

Option D is wrong because log_queries_not_using_indexes logs queries that do not use indexes, not login attempts.

285
MCQeasy

A company is using Amazon RDS for Oracle and wants to integrate with AWS CloudTrail to log database API calls. Which action is necessary?

A.Enable CloudTrail for the RDS instance.
B.Create a VPC endpoint for CloudTrail.
C.Configure Oracle Fine-Grained Auditing (FGA).
D.Install the pgAudit extension.
AnswerA

CloudTrail already logs RDS API calls; no special setup needed.

Why this answer

AWS CloudTrail is the service that logs API calls made to AWS services, including Amazon RDS. To capture database API calls (e.g., CreateDBInstance, ModifyDBInstance) for an RDS for Oracle instance, you must enable CloudTrail for the RDS instance by creating a trail that covers the RDS service. This logs management events at the AWS control plane level, not the database engine level.

Exam trap

The trap here is confusing AWS-level API logging (CloudTrail) with database engine-level auditing (FGA, pgAudit), leading candidates to select database-specific auditing tools instead of the correct AWS service for logging control plane API calls.

How to eliminate wrong answers

Option B is wrong because a VPC endpoint for CloudTrail is used to privately connect your VPC to CloudTrail without using the public internet, but it is not required to log RDS API calls; CloudTrail works over the public AWS API endpoints by default. Option C is wrong because Oracle Fine-Grained Auditing (FGA) is a database-level auditing feature that logs SQL operations within the Oracle database engine, not AWS API calls to the RDS service. Option D is wrong because the pgAudit extension is used for PostgreSQL databases to log database-level activity, not for Oracle RDS instances or AWS API logging.

286
MCQmedium

Refer to the exhibit. An IAM policy is attached to a user. The user attempts to delete a DB instance named 'prod-db'. What will happen?

A.The delete will succeed because the Allow statement grants modify permission.
B.The delete will succeed because the resource is 'prod-db' which does not match the deny pattern.
C.The delete will fail because of the explicit Deny statement.
D.The delete will succeed only if the user has MFA enabled.
AnswerC

Explicit deny overrides any allow.

Why this answer

The Deny statement explicitly denies delete on any instance matching 'prod-*'. Since an explicit deny overrides any allow, the delete will fail. Option B is correct.

Option A is wrong because the deny overrides. Option C is wrong because the policy does not require MFA. Option D is wrong because the user cannot delete the instance.

287
MCQeasy

A company is using Amazon DynamoDB and wants to ensure that only authorized users can access a specific table. Which AWS service should be used to manage access control?

A.AWS CloudHSM.
B.AWS Key Management Service (KMS).
C.Amazon VPC security groups.
D.AWS Identity and Access Management (IAM).
AnswerD

IAM policies define who can access DynamoDB tables.

Why this answer

Option B is correct because IAM is used to manage access to DynamoDB tables through policies. Option A is wrong because security groups control network traffic, not database access. Option C is wrong because CloudHSM is for encryption keys, not access control.

Option D is wrong because KMS is for encryption, not access control.

288
Multi-Selecthard

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database contains sensitive personally identifiable information (PII). The security team requires that the data be encrypted in transit between the application and the RDS instance, and also encrypted at rest using a key managed by the company. Which THREE actions should the company take? (Choose THREE.)

Select 3 answers
A.Configure the RDS instance to require SSL/TLS connections.
B.Modify the DB parameter group to set the 'rds.force_ssl' parameter to 1.
C.Enable encryption at rest for the RDS instance at launch time.
D.Enable Transparent Data Encryption (TDE) using CloudHSM.
E.Create a customer managed key (CMK) in AWS KMS.
AnswersA, C, E

SSL/TLS encrypts data in transit.

Why this answer

Options A, C, and D are correct. Option A: enabling SSL/TLS encrypts data in transit. Option C: KMS customer managed key allows the company to manage the key for at-rest encryption.

Option D: RDS encryption must be enabled at launch. Option B is wrong because RDS does not support TDE with CloudHSM for Oracle. Option E is wrong because forcing SSL is a parameter, not an option group level action.

289
MCQhard

A financial company uses Amazon DynamoDB to store customer transaction data. The compliance team requires that all data be encrypted at rest using a customer-managed AWS KMS key. Additionally, they need to ensure that the key is used only for DynamoDB and no other AWS service. How can the company meet these requirements?

A.Use a KMS key with no key policy, and rely on IAM policies to restrict access to only DynamoDB.
B.Use an AWS Organizations service control policy (SCP) to deny all AWS services except DynamoDB from using the KMS key.
C.Create a KMS key with a key policy that includes a condition such as "kms:ViaService": "dynamodb.amazonaws.com" to restrict usage to DynamoDB.
D.Create a KMS key with a key policy that allows DynamoDB to use the key, and attach an IAM policy to deny all other services.
AnswerC

This condition ensures the key can only be used through DynamoDB, preventing other services.

Why this answer

Option D is correct because a KMS key policy with a condition that restricts usage to DynamoDB and prevents other services is the proper way. Option A is wrong because SCPs do not control KMS key permissions. Option B is wrong because IAM policies alone cannot restrict the key usage; the key policy must also enforce it.

Option C is wrong because you cannot prevent other services from using the key via IAM if the key policy allows them.

290
MCQeasy

A company is using Amazon RDS for PostgreSQL to store application data. The security team wants to ensure that database audit logs are stored securely and cannot be modified after creation. Which AWS service should be used to meet this requirement?

A.AWS Key Management Service (KMS)
B.AWS CloudTrail
C.Amazon S3
D.Amazon CloudWatch Logs
AnswerD

CloudWatch Logs can store audit logs with encryption and access controls.

Why this answer

Option A is correct because Amazon RDS can publish audit logs to CloudWatch Logs, and CloudWatch Logs can be configured with a retention policy and prevent modification of logs via IAM policies or log group encryption. Option B is wrong because S3 can store logs but requires additional configuration to ensure immutability (e.g., S3 Object Lock). Option C is wrong because CloudTrail is for API auditing, not database audit logs.

Option D is wrong because KMS is used for encryption keys, not for storing logs.

291
MCQeasy

A company is using Amazon RDS for PostgreSQL. The security team wants to ensure that all connections to the database are encrypted in transit. Currently, applications connect using the PostgreSQL native encryption (SSL/TLS). What is the MOST secure way to enforce encrypted connections?

A.Configure the security group to only allow traffic on port 5432 from trusted IP addresses.
B.Enable the 'force_ssl' parameter in the DB parameter group and restart the instance.
C.Use a custom database port that is not commonly used, such as 5433, to avoid unencrypted traffic.
D.Modify the DB parameter group to set 'ssl' to 'on' and 'require_ssl' to 'on', then reboot the instance.
AnswerD

This enforces SSL/TLS for all connections.

Why this answer

Option C is correct because modifying the DB parameter group to set 'ssl' to 'on' and 'require_ssl' to 'on' forces all connections to use SSL. Option A is wrong because just enabling 'force_ssl' in the parameter group is not a valid parameter. Option B is wrong because the default security group does not enforce encryption.

Option D is wrong because the database port does not affect encryption.

292
MCQhard

A company is using Amazon DynamoDB to store financial transactions. The security team requires that all access to the table be logged for auditing, and that any unauthorized access attempts trigger an immediate alert. The company has enabled AWS CloudTrail to log all DynamoDB API calls. However, the security team is concerned that CloudTrail logs may not capture all access patterns, such as queries that return no results. Which additional step should the company take to ensure comprehensive auditing and alerting?

A.Configure Amazon Inspector to assess the DynamoDB table for vulnerabilities.
B.Enable DynamoDB Accelerator (DAX) and configure it to log all read requests.
C.Create a CloudWatch Logs metric filter on the CloudTrail log group to detect unauthorized access attempts and set up a CloudWatch alarm.
D.Enable VPC Flow Logs on the subnet where DynamoDB endpoints are deployed.
AnswerC

CloudWatch Logs can analyze CloudTrail logs and trigger alarms based on patterns.

Why this answer

Option B is correct because CloudWatch Logs can be used to monitor CloudTrail logs and trigger alerts on specific patterns like unauthorized access. Option A only monitors performance, not access. Option C does not monitor access.

Option D may miss some operations.

293
MCQhard

An IAM policy is attached to a user. What is the effect of this policy on the user's ability to delete the DB instance named prod-db?

A.The user can delete the DB instance only after creating a final snapshot.
B.The user can delete the DB instance because the Allow statement grants all actions.
C.The user cannot delete the DB instance because the Deny statement explicitly denies it.
D.The user can delete the DB instance because the Allow statement is broader and applies to all resources.
AnswerC

An explicit Deny always overrides an Allow.

Why this answer

Option B is correct. The Deny statement explicitly denies the DeleteDBInstance action on the specific resource, and an explicit Deny overrides any Allow. Option A is wrong because the Deny overrides.

Option C is wrong because the condition is not based on snapshot existence. Option D is wrong because the policy does not allow deletion.

294
MCQmedium

A company is migrating its on-premises Oracle database to Amazon RDS for Oracle. As part of the migration, they need to ensure that all sensitive data is encrypted at rest using AWS Key Management Service (AWS KMS). Which configuration step is required to achieve this?

A.Modify the existing DB instance to enable encryption.
B.Configure SSL/TLS on the DB instance to encrypt data at rest.
C.Use AWS CloudHSM to generate and store the encryption keys.
D.Create a new encrypted DB instance by enabling encryption and specifying a KMS key.
AnswerD

Creating a new encrypted RDS instance with a KMS key is the correct way to enable encryption at rest.

Why this answer

Option C is correct because Amazon RDS for Oracle supports encryption at rest using AWS KMS by enabling encryption when creating the DB instance. Option A is wrong because enabling encryption on an existing unencrypted DB instance requires a snapshot restore, not a direct modification. Option B is wrong because AWS CloudHSM is not required; AWS KMS is sufficient.

Option D is wrong because SSL/TLS encrypts data in transit, not at rest.

295
Multi-Selecteasy

A developer is building a serverless application that uses Amazon DynamoDB. The application needs to access the database from an AWS Lambda function. The security team mandates that the Lambda function should not use long-term AWS credentials. Which TWO steps should be taken to securely grant access? (Choose TWO.)

Select 2 answers
A.Hardcode the AWS access key ID and secret access key in the Lambda environment variables.
B.Create an IAM role with a policy that allows DynamoDB actions.
C.Configure the Lambda function to access the internet for authentication.
D.Store the database credentials in AWS Secrets Manager and retrieve them in the Lambda function.
E.Attach the IAM role to the Lambda function's execution role.
AnswersB, E

IAM role provides temporary credentials.

Why this answer

Options A and C are correct. Option A: creating an IAM role for Lambda with appropriate permissions allows temporary credentials. Option C: attaching the role to the Lambda function provides access without hardcoding credentials.

Option B is wrong because storing credentials in Secrets Manager still requires handling secrets. Option D is wrong because environment variables are not secure for long-term credentials. Option E is wrong because the Lambda function should not have internet access for security; VPC endpoints are used for private access.

296
Multi-Selecteasy

Which TWO AWS services can be used to centrally manage database credentials securely? (Choose two.)

Select 2 answers
A.AWS Secrets Manager
B.AWS CloudFormation
C.Amazon S3
D.AWS Identity and Access Management (IAM)
E.AWS Systems Manager Parameter Store
AnswersA, E

Managed service for secrets.

Why this answer

Options B and D are correct. AWS Secrets Manager is designed to manage secrets, including database credentials. AWS Systems Manager Parameter Store can also store secrets securely.

Option A is wrong because S3 is not designed for secret management. Option C is wrong because CloudFormation can create resources but not manage secrets centrally. Option E is wrong because IAM manages permissions, not secrets.

297
Multi-Selecthard

A company is designing a secure strategy for managing Amazon RDS for Oracle encryption keys. They want to use AWS KMS with Customer Master Keys (CMKs) for encryption at rest. Which THREE best practices should they follow?

Select 3 answers
A.Grant the RDS service principal (rds.amazonaws.com) only the necessary KMS permissions to use the CMK.
B.Create separate KMS keys for different environments (e.g., production, development).
C.Disable key rotation to maintain consistent encryption across all snapshots.
D.Store the KMS CMK inside the Oracle database for faster encryption.
E.Enable automatic rotation of the KMS CMK annually.
AnswersA, B, E

Least privilege ensures that only RDS can use the key for encryption operations.

Why this answer

Options A, C, and D are correct. Using separate KMS keys for different environments provides isolation, enabling automatic key rotation is a security best practice, and granting least privilege access to KMS keys is fundamental. Option B is wrong because storing the CMK in the database is insecure.

Option E is wrong because disabling key rotation is not recommended.

298
MCQmedium

A company is using an Amazon RDS for MySQL DB instance. The security team requires that all database connections be encrypted in transit. Which configuration step ensures this requirement is met?

A.Enable encryption at rest for the RDS instance.
B.Store the database password in AWS Secrets Manager.
C.Modify the network ACL to only allow traffic on port 3306.
D.Set the 'require_secure_transport' parameter to 1 in the DB parameter group.
AnswerD

This forces TLS connections.

Why this answer

Option A is correct because enabling the 'require_secure_transport' parameter forces clients to use TLS/SSL for connections. Option B is wrong because encryption at rest (RDS encryption) does not enforce in-transit encryption. Option C is wrong because a network ACL controls traffic at the subnet level but does not enforce encryption.

Option D is wrong because storing secrets in AWS Secrets Manager does not enforce encrypted connections.

299
MCQeasy

A company needs to encrypt data at rest for their Amazon Aurora PostgreSQL database. Which solution is the MOST secure and requires the least operational overhead?

A.Enable encryption at rest using AWS KMS when creating the Aurora cluster.
B.Use Amazon EBS encryption on the underlying volumes.
C.Encrypt the database after creation by modifying the DB instance.
D.Use client-side encryption in the application.
AnswerA

This is the recommended approach with minimal overhead.

Why this answer

Enabling encryption at rest using AWS KMS during database creation is the simplest and most secure approach. Option A is correct. Option B is wrong because encrypting after creation requires a manual snapshot and restore.

Option C is wrong because client-side encryption adds complexity. Option D is wrong because EBS encryption does not cover the database engine layer.

300
MCQmedium

A company uses Amazon DynamoDB with AWS KMS customer managed keys for encryption at rest. The security team wants to audit who is using the KMS key to encrypt and decrypt data. Which AWS service should be used?

A.Amazon S3 access logs
B.AWS Config
C.AWS CloudTrail
D.Amazon CloudWatch Logs
AnswerC

CloudTrail records all KMS API operations for auditing.

Why this answer

Option B is correct because CloudTrail logs all KMS API calls, including encrypt and decrypt. Option A is wrong because CloudWatch Logs can store logs but does not capture KMS API calls by itself. Option C is wrong because AWS Config tracks resource configuration changes, not API calls.

Option D is wrong because S3 access logs are for S3.

← PreviousPage 4 of 5 · 321 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Database Security questions.