CCNA Db Security Questions


1
MCQ (easy)

A developer needs to allow an application running on an EC2 instance to connect to an Amazon RDS for MySQL DB instance securely. Which combination of steps should the developer take?

A. Store the database password in the application code.
B. Open the RDS security group to allow traffic from 0.0.0.0/0.
C. Store the credentials in an S3 bucket and download them at runtime.
D. Attach an IAM role to the EC2 instance with permissions to use RDS IAM authentication, and configure the database to use an authentication token.
Answer: D

This avoids storing credentials and uses temporary tokens.

Why this answer

Option D is correct because using IAM roles for EC2 and IAM database authentication for RDS is the most secure approach. Option A is wrong because hardcoding credentials in the application is insecure. Option B is wrong because opening the database to the world is insecure.

Option C is wrong because storing credentials in S3 without encryption is insecure.

2
MCQ (hard)

A company uses Amazon DynamoDB for its critical application. The security team requires that all access to DynamoDB tables be logged and monitored for suspicious activity. The company also needs to be alerted when a user deletes a table. Which combination of AWS services should be used?

A. AWS CloudTrail and Amazon DynamoDB Streams.
B. AWS Config and Amazon Simple Notification Service (SNS).
C. AWS CloudTrail and Amazon CloudWatch Events.
D. Amazon VPC Flow Logs and Amazon CloudWatch Logs.
Answer: C

CloudTrail logs API calls, and CloudWatch Events can create rules to match DeleteTable events and trigger alerts.

Why this answer

Option C is correct because CloudTrail logs all DynamoDB API calls, and CloudWatch Events can trigger alerts. Option A is wrong because DynamoDB Streams captures item-level changes, not API calls. Option D is wrong because VPC Flow Logs capture network traffic, not API calls.

Option B is wrong because Config records resource changes but not API calls directly for alerting.

3
Multi-Select (hard)

A company uses Amazon DynamoDB to store session data for a web application. The security team discovers that an IAM user has been performing unauthorized scans on the table. They need to implement controls to detect and prevent such unauthorized access in the future. Which THREE actions should the security team take? (Choose THREE.)

Select 3 answers
A. Enable AWS CloudTrail logging and create a metric filter for Scan API calls.
B. Use fine-grained access control with IAM conditions to restrict access to specific items or attributes.
C. Disable the Scan operation on the DynamoDB table.
D. Create an IAM policy that denies the 'Scan' action for unauthorized users using a condition key.
E. Enable VPC Flow Logs to monitor traffic to DynamoDB.
Answers: A, B, D

CloudTrail logs API calls, and metric filters can trigger alarms on unauthorized scans.

Why this answer

Options A, B, and D are correct. Option A: using CloudTrail logs to detect unauthorized scans is a detective control. Option B: fine-grained access control with IAM conditions such as 'dynamodb:Attributes' can restrict scans to specific attributes. Option D: an IAM policy that denies the 'Scan' action using a condition key is a preventive control.

Option C is wrong because disabling scan operations is not practical; many use cases require scans. Option E is wrong because VPC Flow Logs capture network traffic, not DynamoDB operations.

4
Multi-Select (easy)

A company is using Amazon RDS for MySQL and wants to implement database activity monitoring to detect suspicious queries. Which TWO AWS services can be used together to achieve this?

Select 2 answers
A. AWS Lambda
B. AWS CloudTrail
C. AWS Systems Manager Patch Manager
D. Amazon Inspector
E. Amazon CloudWatch Logs
Answers: A, E

Lambda can process CloudWatch Logs and detect patterns.

Why this answer

Options A and E are correct. RDS can publish logs to CloudWatch Logs, and CloudWatch Logs can trigger a Lambda function to analyze logs in real time. Option B is wrong because CloudTrail audits API calls, not database queries.

Option C is wrong because Patch Manager is for patching. Option D is wrong because Inspector is for vulnerability scanning.

5
Multi-Select (easy)

A company is using Amazon DynamoDB and wants to restrict access to a specific table so that only users in a particular IAM group can perform read and write operations. Which THREE steps should be taken to achieve this?

Select 3 answers
A. Create an IAM policy that allows dynamodb:GetItem, dynamodb:PutItem, etc. on the specific table ARN.
B. Attach the IAM policy to an IAM group.
C. Attach a resource-based policy to the DynamoDB table allowing access from the group.
D. Add the users to the IAM group.
E. Create an IAM role and assign it to the table.
Answers: A, B, D

This defines the allowed actions on the table.

Why this answer

Options A, B, and D are correct. You create an IAM policy that grants DynamoDB actions on the specific table (A). You attach that policy to the IAM group (B).

You then add users to that group (D). Option C is wrong because the policy should be attached to the group, not the table. Option E is wrong because resource-based policies on the table are not the primary method; IAM policies are used.

6
MCQ (hard)

The security team reports that the database 'mydb' is not encrypted. However, the CLI output shows 'StorageEncrypted' is true. What is the MOST likely reason for the security team's concern?

A. The database is using a default AWS managed key instead of a customer-managed key.
B. The KMS key specified may have been disabled or deleted, causing the database to be inaccessible or not encrypted.
C. The 'StorageEncrypted' field is false, but the CLI output shows true.
D. The database is not using a KMS key and is instead using a CloudHSM key.
Answer: B

If the KMS key is disabled or deleted, the database may not be able to encrypt/decrypt data, leading to security concerns.

Why this answer

Option B is correct. The KMS key ID is in the output, but the security team might be concerned about the key being disabled or deleted. Option A is wrong because the key is specified.

Option C is wrong because 'StorageEncrypted' is true. Option D is wrong because there is no HSM requirement.

7
MCQ (hard)

A security engineer runs the commands shown in the exhibit for an RDS MySQL DB instance. The engineer wants to enforce SSL connections to the database. What should the engineer do?

A. Modify the default.mysql8.0 parameter group to set require_secure_transport to ON and reboot the instance.
B. Run the modify-db-instance command with --require-ssl-transport.
C. Create a custom DB parameter group with require_secure_transport set to ON, associate it with the DB instance, and reboot the instance.
D. Modify the DB instance and set the --enable-iam-database-authentication flag.
Answer: C

This is the correct method to enforce SSL.

Why this answer

Option C is correct because the default parameter group is not modifiable; a custom parameter group must be created, require_secure_transport set to ON, and then associated with the DB instance, followed by a reboot. Option A is wrong because modifying the default parameter group is not allowed.

Options B and D are wrong because modifying the DB instance directly does not change parameter group parameters; require_secure_transport is a MySQL-specific parameter, not an RDS API setting.

8
Multi-Select (medium)

A company runs an Amazon RDS for MySQL DB instance in a VPC. Security requirements mandate that only specific EC2 instances in the same VPC can connect to the database. The security group attached to the RDS instance currently allows inbound traffic on port 3306 from 0.0.0.0/0. Which combination of steps should a database specialist take to meet the security requirement without impacting existing application connectivity? (Choose two.)

Select 2 answers
A. Modify the network ACL for the DB subnet to allow inbound port 3306 from the EC2 instance's private IP.
B. Remove the inbound rule for 0.0.0.0/0 on the RDS security group.
C. Add an inbound rule to the RDS security group referencing the security group ID of the EC2 instances.
D. Modify the DB subnet group to place the RDS instance in a public subnet with a route to the EC2 instance.
E. Add an inbound rule to the RDS security group allowing traffic from the VPC CIDR on port 3306.
Answers: B, C

Removing the overly permissive rule is necessary to restrict access.

Why this answer

Option B is correct because removing the overly permissive inbound rule for 0.0.0.0/0 on the RDS security group eliminates unrestricted access, which is a direct violation of the security requirement. Option C is correct because adding an inbound rule that references the security group ID of the EC2 instances allows traffic only from those instances, leveraging security group referencing for granular, stateful access control within the same VPC.

Exam trap

The trap here is that candidates often confuse network ACLs with security groups, thinking that modifying the NACL at the subnet level is sufficient, but they overlook that NACLs are stateless and less granular, while security group referencing provides precise, stateful control for instance-to-instance communication.

9
MCQ (medium)

A company is using Amazon Aurora MySQL and needs to audit all database logins, including failed attempts, and store the audit logs for one year for compliance. The logs must be immutable and accessible only by the security team. Which solution should the company implement?

A. Enable VPC Flow Logs to capture network connections to the database endpoint.
B. Enable AWS CloudTrail to log database login events.
C. Enable RDS for Aurora database activity streams, stream to CloudWatch Logs, and export to S3 with S3 Object Lock enabled.
D. Enable the standard MySQL audit log plugin and store logs in a database table with restricted access.
Answer: C

Activity streams provide immutable audit logs.

Why this answer

The correct answer is C because RDS for Aurora supports advanced audit with database activity streams, which stream audit logs to CloudWatch Logs and can then be exported to S3 with Object Lock for immutability. Option A is incorrect because VPC Flow Logs do not capture database-level login events. Option B is incorrect because CloudTrail captures API calls, not database login events.

Option D is incorrect because the standard MySQL audit log stored in a DB cluster table is not immutable and can be modified.

10
MCQ (easy)

A small business runs a web application on a single Amazon RDS for MySQL DB instance. The application uses a master user account for all database operations. The security team is concerned about the risk of SQL injection and wants to implement the principle of least privilege. They want to create separate database users for read-only and read-write operations. The application currently uses a single connection string. The developer needs to modify the application to use two separate users. What is the correct approach to implement this securely?

A. Use stored procedures for all database operations and grant execute only to the master user.
B. Keep using the master user but restrict its IP address.
C. Enable IAM database authentication and use a single IAM role.
D. Create a read-only user and a read-write user in the database, grant minimal privileges, and modify the application to use the appropriate user for each operation.
Answer: D

Enforces least privilege.

Why this answer

Option D is correct because creating two users with appropriate grants and modifying the application to use them based on the operation reduces risk. Option A is wrong because stored procedures do not eliminate the need for separate users. Option B is wrong because keeping a single user does not enforce least privilege.

Option C is wrong because IAM database authentication is a different mechanism and does not solve the user separation issue.

11
MCQ (hard)

A company is using Amazon DynamoDB with AWS Lambda to process data. The Lambda function needs to read and write items to a DynamoDB table. The security team wants to follow the principle of least privilege. Which IAM policy statement should be attached to the Lambda execution role?

A. {"Effect":"Allow","Action":"dynamodb:*","Resource":"*"}
B. {"Effect":"Allow","Action":["dynamodb:DescribeTable","dynamodb:ListTables"],"Resource":"*"}
C. {"Effect":"Allow","Action":["dynamodb:GetItem","dynamodb:PutItem","dynamodb:UpdateItem","dynamodb:DeleteItem"],"Resource":"arn:aws:dynamodb:us-east-1:123456789012:table/MyTable"}
D. {"Effect":"Allow","Action":"dynamodb:*","Resource":"arn:aws:dynamodb:us-east-1:123456789012:table/MyTable"}
Answer: C

This grants only the required actions on the specific table.

Why this answer

Option C is correct because it grants only the necessary DynamoDB actions (GetItem, PutItem, UpdateItem, DeleteItem) on the specific table. Option A is wrong because it allows all DynamoDB actions on all tables. Option B is wrong because it is overly restrictive; it only allows DescribeTable and ListTables, which are insufficient for read/write.

Option D is wrong because it grants full DynamoDB access to the table, which is too permissive.

12
MCQ (hard)

A company is using an RDS for MySQL DB instance encrypted at rest with AWS KMS. The security team requires that all access to the database be logged, including queries that fail due to authentication errors. Which configuration meets this requirement?

A. Enable the RDS audit log by setting the 'audit_log_enabled' parameter to 1 in the DB parameter group and export logs to CloudWatch Logs.
B. Enable RDS Enhanced Monitoring and publish metrics to CloudWatch.
C. Enable AWS CloudTrail for the RDS instance and store logs in S3.
D. Use S3 server access logs to capture database connection attempts.
Answer: A

Audit logs capture authentication failures and queries; exporting to CloudWatch allows monitoring.

Why this answer

Option A is correct because enabling the RDS audit log by setting the 'audit_log_enabled' parameter to 1 in the DB parameter group, and enabling log exports to CloudWatch Logs, captures connection attempts (including authentication failures) as well as queries at the database level. CloudTrail only covers RDS API calls, so the audit log is needed for database-level logging.

Option B is wrong because Enhanced Monitoring provides OS metrics, not query logs. Option C is wrong because CloudTrail logs only control plane operations, not data plane queries. Option D is wrong because S3 server access logs do not capture database connection attempts; getting database logs into S3 requires enabling audit logs and exporting them.

13
Multi-Select (medium)

A company is designing a security strategy for Amazon RDS for SQL Server. Which TWO actions should be taken to encrypt data at rest? (Choose TWO.)

Select 2 answers
A. Enable Amazon EBS encryption on the underlying volumes.
B. Enable Transparent Data Encryption (TDE) on the SQL Server database.
C. Use AWS CloudHSM to store encryption keys.
D. Enable SSL/TLS for connections.
E. Enable RDS encryption at rest using AWS KMS.
Answers: B, E

TDE encrypts data at rest within the database.

Why this answer

Option B is correct because Transparent Data Encryption (TDE) is supported by SQL Server and can be used. Option E is correct because enabling RDS encryption at rest uses KMS. Option A is wrong because EBS encryption is not applicable to RDS instances (RDS manages storage).

Option C is wrong because CloudHSM is not required for RDS encryption. Option D is wrong because SSL encrypts data in transit, not at rest.

14
MCQ (hard)

A security auditor notices that the DynamoDB table 'UserData' is encrypted with a KMS key (exhibit). The company policy requires that all DynamoDB tables use an AWS managed key for encryption. What must be done to comply with the policy?

A. Create a new DynamoDB table with SSE enabled using the AWS managed key, then export data from the existing table and import into the new table.
B. Delete the customer managed KMS key and recreate it as an AWS managed key.
C. Modify the table's SSE configuration to use the AWS managed key.
D. Use the UpdateTable API to change the KMS key to the AWS managed key.
Answer: A

Key can only be set at creation.

Why this answer

Option A is correct because you cannot change the encryption key of an existing table; you must create a new table with the AWS managed key and migrate data. Option B is wrong because deleting the key would break access.

Options C and D are wrong because you cannot change the key on an existing table; the table is already encrypted, just not with the required key.

15
Matching (medium)

Match each DynamoDB concept to its definition.

Matches

Single attribute used to distribute data across partitions

Attribute that determines order within a partition

Index with a different partition and sort key for alternate query patterns

Index with the same partition key but different sort key

Time-ordered sequence of item-level changes in a table

Why these pairings

Core DynamoDB concepts for data modeling and querying.

16
MCQ (medium)

Refer to the exhibit. A company has attached this IAM policy to an IAM role used by an application running on Amazon EC2. The application needs to decrypt data in an S3 bucket that is encrypted with the specified KMS key. However, the application is receiving access denied errors. What is the most likely cause?

A. The policy does not include 'kms:Decrypt' for the specific key.
B. The application is decrypting the data by calling KMS directly instead of using S3's server-side decryption.
C. The policy is missing a 'Principal' element.
D. The IAM role does not have a trust policy that allows EC2 to assume it.
Answer: B

The 'kms:ViaService' condition requires that the call be made via S3, not directly to KMS.

Why this answer

The policy condition 'kms:ViaService' restricts KMS operations to calls made through S3. The condition block also includes 'kms:CallerAccount', which is redundant but not harmful.

If the application reads the encrypted object and then calls KMS directly to decrypt it, the 'kms:ViaService' condition fails because the call is not made via S3. Option B describes exactly this. Option A is wrong because the condition is present.

Option C is wrong because the role is not explicitly denied. Option D is wrong because the policy allows KMS actions.

17
MCQ (hard)

An IAM policy is attached to a user. Which of the following actions will be allowed?

A. Delete a DB instance named 'prod-db'.
B. Create a new DB instance named 'prod-db'.
C. Delete a DB instance named 'test-db'.
D. Delete a DB instance named 'dev-db'.
Answer: B

CreateDBInstance is allowed by the Allow statement.

Why this answer

Option B is correct. The policy allows DescribeDBInstances and CreateDBInstance on all resources. The Deny statement only denies DeleteDBInstance on databases with the prefix 'prod-'.

Therefore, creating a new DB instance named 'prod-db' is allowed because the Deny applies only to DeleteDBInstance, not CreateDBInstance. Option A is incorrect because deleting any database with the prefix 'prod-' is denied.

Options C and D are incorrect because, although the Deny statement does not cover 'test-db' or 'dev-db', the question expects the action the policy explicitly allows, which is CreateDBInstance.

18
MCQ (medium)

A company is running an RDS for MySQL database and needs to ensure that all connections to the database use SSL encryption. Which configuration step is required?

A. Set 'require_secure_transport' to ON in the DB parameter group.
B. Enable 'Enable SSL' in the RDS console.
C. Set 'rds.force_ssl' to 1 in the DB parameter group.
D. Set 'ssl' to 'require' in the DB parameter group.
Answer: A

This forces all connections to use SSL.

Why this answer

Option A is correct because setting 'require_secure_transport' to ON in the DB parameter group forces all connections to the RDS for MySQL database to use SSL/TLS encryption. This parameter is supported in MySQL 5.7 and later, and when enabled, the server rejects non-encrypted connections, ensuring compliance with security policies.

Exam trap

The trap here is that candidates confuse the MySQL-specific parameter 'require_secure_transport' with the PostgreSQL-specific parameter 'rds.force_ssl', or assume a generic 'Enable SSL' console option exists, leading them to pick incorrect answers.

How to eliminate wrong answers

Option B is wrong because there is no 'Enable SSL' toggle in the RDS console; SSL is always available for RDS MySQL, but enforcement requires a parameter group change. Option C is wrong because 'rds.force_ssl' is not a valid parameter for RDS MySQL; this parameter exists for RDS for PostgreSQL, not MySQL. Option D is wrong because setting 'ssl' to 'require' is not a valid parameter in the MySQL DB parameter group; the correct parameter is 'require_secure_transport'.

19
MCQ (hard)

A company is using Amazon RDS for SQL Server with Multi-AZ deployment. The security team requires that all database activity be monitored for suspicious queries. The database specialist enabled RDS Database Activity Streams and configured AWS Lambda to process the stream. However, the Lambda function fails to process some events when the database fails over to the standby instance. What is the most likely cause?

A. The security group does not allow the Lambda function to connect to the new primary instance.
B. The Lambda function does not re-establish the stream session after a failover event.
C. The parameter group for the standby instance does not have the activity stream enabled.
D. The KMS key used to encrypt the activity stream is not available in the standby instance's Region.
Answer: B

Activity streams require reconnection after failover.

Why this answer

Option B is correct because after failover, the stream session may be interrupted and the application must reconnect. Option A is wrong because the security group applies to the RDS endpoint, which remains the same after failover. Option C is wrong because the parameter group is applied to both instances.

Option D is wrong because the KMS key is used for encryption, not for connectivity.

20
MCQ (medium)

A company is using Amazon RDS for MySQL and wants to restrict access to a specific database so that an application user can only perform SELECT and INSERT operations on tables within that database. The application user already exists. Which SQL statement should be executed?

A. GRANT SELECT ON app_db.* TO 'app_user'@'%';
B. GRANT CREATE, ALTER, SELECT, INSERT ON app_db.* TO 'app_user'@'%';
C. GRANT SELECT, INSERT ON app_db.* TO 'app_user'@'%';
D. GRANT ALL PRIVILEGES ON app_db.* TO 'app_user'@'%';
Answer: C

This grants exactly the required permissions.

Why this answer

Option C is correct because the GRANT statement with specific privileges (SELECT, INSERT) on the database name and wildcard tables (*) grants exactly the required permissions. Option A is wrong because it only grants SELECT, not INSERT. Option B is wrong because it grants DDL privileges (CREATE, ALTER).

Option D is wrong because it grants all privileges, which is too permissive.

21
MCQ (medium)

A company is running an Amazon RDS for SQL Server instance with Multi-AZ deployment. The security team requires that all data at rest be encrypted. The instance was originally launched without encryption. What is the most efficient way to enable encryption at rest for this existing instance?

A. Modify the DB instance and set the encryption attribute to true.
B. Use AWS Database Migration Service (DMS) to migrate the data to a new encrypted RDS instance.
C. Take a snapshot of the DB instance, copy the snapshot with encryption enabled, and restore the encrypted snapshot to a new DB instance.
D. Create a read replica with encryption enabled and promote it to become the primary instance.
Answer: C

This is the standard process to enable encryption on an existing RDS instance.

Why this answer

Option C is correct because you cannot directly enable encryption on an existing unencrypted RDS instance; you must create a snapshot, copy it with encryption, and restore the encrypted snapshot to a new instance. Option A is wrong because modifying the DB instance does not support enabling encryption. Option B is wrong because while you could migrate the data with DMS, it is less efficient than snapshot restoration.

Option D is wrong because enabling encryption requires a snapshot copy, not just creating an encrypted read replica.

22
MCQ (hard)

A security engineer is troubleshooting an issue where an application using IAM role 'app-role' with a trust policy to assume the 'app-user' user is unable to decrypt an RDS database that uses a customer-managed KMS key. The above key policy is attached to the KMS key. What is the likely cause of the failure?

A. The 'kms:ViaService' condition requires the request to come from RDS, but the application is making KMS API calls directly.
B. The policy has a missing 'Effect': 'Deny' statement that is blocking access.
C. The principal in the policy is 'app-user', but the application uses an IAM role that does not have the necessary permissions.
D. The condition 'kms:ViaService' restricts the key to be used only with RDS, but the application is using a different service.
Answer: C

The policy grants permissions to the user 'app-user', but the application uses a role. The role needs to be added to the key policy.

Why this answer

Option C is correct because the KMS key policy specifies the principal as 'app-user', which is an IAM user. However, the application uses an IAM role 'app-role' to make the decryption requests. Since the principal in the key policy does not include the role or its associated permissions, the KMS key policy denies access to the role, causing the decryption failure.

The trust policy on the role allows the user to assume it, but that does not grant the role any KMS permissions unless explicitly added.

Exam trap

The trap here is that candidates often confuse the trust policy of an IAM role with the permissions granted to the role, assuming that if a user can assume a role, the role inherits the user's KMS permissions, when in fact the role must be explicitly authorized in the key policy or via an IAM policy.

How to eliminate wrong answers

Option A is wrong because the 'kms:ViaService' condition in the key policy allows requests coming via RDS, not that the request must come from RDS; the application making direct KMS API calls would still be allowed if the principal matches, so this is not the cause. Option B is wrong because the policy does not have a missing 'Deny' statement; the issue is that the principal is incorrect, not that a Deny is needed. Option D is wrong because the 'kms:ViaService' condition is set to 'rds.amazonaws.com', which permits RDS to use the key, but the application is not using RDS to make the decryption call; however, the primary failure is the principal mismatch, not the service condition.

23
MCQ (hard)

A security team is auditing IAM policies for Amazon RDS. They want to ensure that all RDS snapshots shared with other AWS accounts are encrypted. Which IAM policy condition key should be used to enforce this?

A. rds:Encrypted
B. rds:SnapshotEncrypted
C. rds:StorageEncrypted
D. s3:x-amz-server-side-encryption
Answer: A

This condition key checks whether the snapshot is encrypted.

Why this answer

Option A is correct because rds:Encrypted is a condition key that checks whether a snapshot is encrypted. Option B is wrong because rds:SnapshotEncrypted is not a valid condition key. Option C is wrong because rds:StorageEncrypted is for DB instances, not snapshots.

Option D is wrong because s3:x-amz-server-side-encryption is for S3.

24
MCQ (medium)

A company is launching a new application that requires an Amazon RDS for PostgreSQL database. The database will store highly sensitive data, and the security team mandates that all data at rest must be encrypted. The company also requires that the encryption keys be managed by the security team using AWS CloudHSM. What is the MOST efficient way to meet these requirements?

A. Enable EBS encryption on the RDS instance's underlying volumes using a KMS key.
B. Enable Transparent Data Encryption (TDE) using a CloudHSM key in the RDS instance.
C. Use AWS KMS with a customer-managed key (CMK) for RDS encryption.
D. Implement client-side encryption in the application before writing data to the database.
Answer: B

RDS for PostgreSQL supports TDE with CloudHSM.

Why this answer

Option B is correct because RDS for PostgreSQL supports TDE with CloudHSM, allowing the security team to manage keys while encrypting data at rest. Option A is wrong because EBS encryption is not supported for RDS instances. Option C is wrong because KMS does not allow customer-managed HSMs.

Option D is wrong because client-side encryption requires application changes and does not protect data at rest in the database.

25
Multi-Select (medium)

Which TWO AWS services can be used to monitor database security events in real time? (Choose 2.)

Select 2 answers
A. AWS WAF
B. Amazon GuardDuty
C. Amazon RDS Performance Insights
D. Amazon CloudWatch Logs
E. AWS CloudTrail
Answers: B, D

GuardDuty can detect threats based on database activity.

Why this answer

Amazon GuardDuty (Option B) is a threat detection service that continuously monitors for malicious activity and unauthorized behavior, including database security events such as suspicious API calls or potential credential compromise. It uses machine learning, anomaly detection, and integrated threat intelligence to analyze AWS CloudTrail logs, VPC Flow Logs, and DNS logs in real time, making it suitable for monitoring database security events.

Exam trap

AWS often tests the distinction between services that provide real-time security monitoring (GuardDuty, CloudWatch Logs with metric filters) versus those that offer historical auditing (CloudTrail) or performance monitoring (Performance Insights), leading candidates to mistakenly select CloudTrail for real-time needs.

26
MCQ (medium)

A security engineer is designing a solution to encrypt data at rest for an Amazon Redshift cluster. The company requires that the encryption key be rotated automatically every year. Which solution meets these requirements?

A. Use a Lambda function to rotate the encryption key manually every year.
B. Enable encryption for the Redshift cluster using an AWS KMS key with automatic rotation.
C. Use a CloudHSM key to encrypt the Redshift cluster and configure automatic rotation in CloudHSM.
D. Store the Redshift cluster data in an S3 bucket with server-side encryption enabled.
Answer: B

Redshift supports KMS encryption with automatic key rotation.

Why this answer

Option B is correct. Amazon Redshift supports encryption at rest using AWS KMS with automatic key rotation. When you enable encryption for a Redshift cluster, you can choose a KMS key with automatic rotation enabled.

Option A is incorrect because manual rotation using a Lambda function is not the recommended approach when automatic rotation is available. Option C is incorrect because Redshift does not support CloudHSM for encryption at rest; it uses KMS. Option D is incorrect because Redshift does not support S3 server-side encryption for the cluster itself.

27
Multi-Selecteasy

A company is using Amazon RDS for MySQL with Multi-AZ deployment. The security team wants to ensure that database administrators cannot view sensitive data. Which TWO actions should be taken to achieve this goal?

Select 2 answers
A.Use IAM database authentication for application access.
B.Enable audit logging to capture all data access.
C.Store database credentials in AWS Secrets Manager and enforce automatic rotation.
D.Enable encryption at rest using a customer-managed KMS key.
E.Disable query logging to prevent sensitive data from being written to logs.
AnswersA, C

IAM database authentication replaces long-lived database passwords with short-lived tokens, and Secrets Manager keeps the remaining credentials out of human hands.

Why this answer

Option A is correct because IAM database authentication lets applications authenticate to RDS for MySQL with a short-lived token derived from an IAM role instead of a database password. Access then depends on an IAM policy granting rds-db:connect for a specific database user, which is auditable in CloudTrail, and no person needs to know or handle a password for the application account. Option C is correct because storing the credentials in Secrets Manager with automatic rotation means the administrators who operate the database never learn the application password, and any password that does leak is replaced on the next rotation. Together these reduce the need for administrators to hold credentials that can read application data, but neither replaces database-level privileges: an administrator account with SELECT on the table can still read it, so the database grants must be reviewed as well.

Exam trap

The trap here is that candidates often confuse encryption at rest (which protects data on disk) with access control (which governs what a connected principal can query). Option D encrypts the storage and Options B and E only change what gets logged; none of them alters what a DBA with a database connection can see, which is the actual requirement.

28
MCQmedium

A security engineer runs the AWS CLI command shown in the exhibit. The engineer wants to ensure that all RDS DB instances in the account are encrypted at rest. What should the engineer do to remediate the unencrypted read replica?

A.Modify the read replica by setting the StorageEncrypted parameter to true.
B.Delete the unencrypted read replica and create a new read replica from the encrypted source, enabling encryption on the new replica.
C.Enable encryption on the source DB instance and the read replica will automatically become encrypted.
D.Create a snapshot of the read replica, encrypt the snapshot, and restore it as a new instance.
AnswerB

Encryption cannot be added to an existing replica, so it has to be recreated from the encrypted source.

Why this answer

Option B is correct. Storage encryption is fixed when a DB instance is created, so an unencrypted read replica cannot be converted; the fix is to delete it and create a new replica from the encrypted source, which will itself be encrypted. Option A is wrong because StorageEncrypted is not a modifiable attribute on an existing instance. Option C is wrong because the source is already encrypted, and in any case encryption cannot be enabled on an existing instance by modifying it. Option D is wrong because restoring an encrypted snapshot of the replica produces a standalone DB instance that is no longer a read replica of the source.

In practice RDS does not allow an unencrypted read replica of an encrypted source to be created in the first place, so an inventory showing one is unusual and worth a closer look; the remediation path is the same either way.

29
MCQeasy

A developer runs the AWS CLI command shown in the exhibit. What is the output indicating?

A.The secret value is not accessible.
B.The secret is not encrypted.
C.The secret has been rotated.
D.The secret contains a username and password in JSON format.
AnswerD

The SecretString shows the credentials.

Why this answer

Option D is correct because the SecretString field in the output holds a JSON document with username and password keys. Option A is wrong because the value is returned in the clear to any caller with secretsmanager:GetSecretValue permission, which is why that permission should be tightly scoped and why the call is recorded in CloudTrail. Option B is wrong because Secrets Manager always encrypts secrets at rest with a KMS key, either aws/secretsmanager or the customer-managed key chosen at creation; the CLI decrypts on retrieval. Option C is wrong because the VersionId and VersionStages in the output identify the current version; they do not by themselves indicate that a rotation has occurred.

30
MCQeasy

A company is storing sensitive customer data in an Amazon RDS for MySQL DB instance. They need to ensure that data is encrypted at rest. What is the simplest way to achieve this?

A.Enable encryption on the existing DB instance by modifying the DB instance settings.
B.Enable Transparent Data Encryption (TDE) on the MySQL instance.
C.Launch a new encrypted DB instance and migrate the data.
D.Use client-side encryption with AWS KMS to encrypt data before inserting into the database.
AnswerC

Launching a new RDS instance with encryption enabled is the simplest method, as encryption is specified at launch time.

Why this answer

Option C is correct because encryption at rest is a creation-time property of an RDS DB instance; launching a new instance with encryption enabled and migrating the data is the direct route. Option A is wrong because encryption cannot be switched on by modifying an existing unencrypted instance; the only path for the existing instance is snapshot, encrypted snapshot copy, and restore to a new instance. Option B is wrong because RDS supports TDE only for Oracle and SQL Server, not MySQL. Option D is wrong because client-side encryption with KMS protects individual values but requires application changes and key-handling code, which is far from the simplest approach.

31
Multi-Selectmedium

A company uses Amazon RDS for PostgreSQL and wants to audit all database login attempts. Which of the following should be enabled to capture these events?

Select 1 answer
A.Enable AWS CloudTrail.
B.Enable VPC Flow Logs.
C.Enable S3 access logs to capture API calls.
D.Enable RDS Enhanced Monitoring.
E.Enable RDS for PostgreSQL to log to CloudWatch Logs.
AnswersE

PostgreSQL's own log records every connection attempt once log_connections is enabled, and RDS can publish that log to CloudWatch Logs.

Why this answer

Option E is correct. Login attempts, successful and failed, are recorded by the database engine itself: set log_connections to 1 in the DB parameter group so PostgreSQL writes a line for every connection attempt, then publish the postgresql log to CloudWatch Logs, where metric filters and alarms can watch for authentication failures. Option A is wrong because CloudTrail records control-plane API calls such as CreateDBInstance and ModifyDBInstance and never sees a database login. Option B is wrong because VPC Flow Logs show that packets reached port 5432, not who authenticated or whether it succeeded. Option C is wrong because S3 server access logs cover requests to S3 objects. Option D is wrong because Enhanced Monitoring reports operating-system metrics from the host, not authentication events.

32
MCQmedium

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The compliance team requires that all database connections use SSL/TLS and that users authenticate using IAM database authentication. The database migration is completed, but the application team reports that connections using IAM authentication are failing. The company has already enabled IAM database authentication on the RDS instance. What is the most likely cause of the failure?

A.The application is using an outdated root CA certificate for SSL.
B.The Security Group does not allow inbound traffic from the application.
C.The database user has not been granted the necessary privileges for IAM authentication.
D.The RDS instance is using a different KMS key for encryption.
AnswerC

The database user must be set up for IAM authentication, and the caller must hold rds-db:connect for that user, in addition to enabling the feature on the instance.

Why this answer

Option C is correct because enabling IAM database authentication at the instance level only makes the feature available; each database user who will log in with an IAM token must also be created or altered for it. On RDS for MySQL that is CREATE USER ... IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'; on RDS for PostgreSQL the user is granted the rds_iam role. The IAM principal then needs a policy allowing rds-db:connect on the ARN of that database user (arn:aws:rds-db:region:account:dbuser:resource-id/username). Without the database-side step the instance rejects the token even though the feature is on.

Note that IAM database authentication is available for RDS for MySQL, MariaDB and PostgreSQL and for Aurora, not for RDS for Oracle, so on the engine named in this question the feature could not be enabled at all; the two-sided setup is the point the exam is testing.

Exam trap

The trap here is that candidates often assume enabling IAM authentication on the RDS instance is sufficient, overlooking the mandatory database-side step: the user must be created for IAM authentication (the AWSAuthenticationPlugin on MySQL, the rds_iam role on PostgreSQL) and the caller must hold rds-db:connect for that user.

How to eliminate wrong answers

Option A is wrong because an outdated root CA certificate causes an SSL/TLS handshake failure, not an authentication failure; IAM-authenticated connections do require SSL/TLS, so a certificate problem would surface before the token is ever presented, as a handshake error rather than a rejected login. Option B is wrong because security group inbound rules control network-layer access, not authentication; if the security group blocked traffic, the application would see a timeout or connection refused, not an IAM authentication error. Option D is wrong because the KMS key used for encryption at rest is unrelated to IAM authentication; the authentication token is produced by the AWS Signature Version 4 signing process and does not involve KMS.

33
MCQeasy

An IAM policy is attached to a user. What does this policy allow the user to do?

A.Update an item in the Orders table.
B.Scan the entire Orders table and return all attributes.
C.Delete an item from the Orders table.
D.Get an item from the Orders table but only return the order_id, customer_id, and status attributes.
AnswerD

The policy allows GetItem with attribute restriction.

Why this answer

Option D is correct. The policy allows dynamodb:GetItem on the Orders table and uses the dynamodb:Attributes condition, with dynamodb:Select restricted to SPECIFIC_ATTRIBUTES, so that only order_id, customer_id and status can be requested; a GetItem that asks for any other attribute is denied. Option A is incorrect because UpdateItem is not among the allowed actions.

Option B is incorrect because Scan is not allowed, and even if it were, the attribute condition would not permit returning all attributes. Option C is incorrect because DeleteItem is not allowed.

34
MCQhard

A company runs a production Amazon DynamoDB table with on-demand capacity. The security team requires that all access to the table be logged for compliance. What is the most cost-effective way to log every DynamoDB API call?

A.Enable DynamoDB Streams on the table and process the stream with AWS Lambda.
B.Enable Amazon CloudWatch Logs to capture DynamoDB API calls.
C.Enable VPC Flow Logs and analyze them with Amazon Athena.
D.Enable AWS CloudTrail and create a trail that delivers logs to Amazon CloudWatch Logs.
AnswerD

CloudTrail logs all DynamoDB API calls.

Why this answer

Option D is correct because CloudTrail is the only service that records DynamoDB API calls, and a trail can deliver them to CloudWatch Logs for alerting. Two points matter for cost: management events such as CreateTable and DeleteTable are logged by default, but item-level calls such as GetItem and PutItem are data events that must be enabled for the table and are billed separately, and a trail that also delivers to CloudWatch Logs adds ingestion charges on top of S3 delivery, so the CloudWatch destination is justified only where real-time rules are needed. Option A is wrong because DynamoDB Streams record item changes, not the API calls that made them, and never record reads. Option B is wrong because CloudWatch Logs does not capture API calls on its own; something, here CloudTrail, has to deliver them.

Option C is wrong because VPC Flow Logs record network traffic to and from the DynamoDB endpoint, not the operations performed.

35
MCQhard

A company has a multi-AZ RDS for PostgreSQL DB instance. The security team wants to ensure that database audit logs are stored in CloudWatch Logs for real-time monitoring. The team enabled the 'pgaudit.log' parameter and set 'log_destination' to 'csvlog'. However, logs are not appearing in CloudWatch. What is the most likely cause?

A.The DB instance is multi-AZ, which prevents log delivery to CloudWatch.
B.AWS CloudTrail is not enabled for the RDS instance.
C.The DB parameter group is not associated with the DB instance.
D.The 'rds.logs_to_cloudwatch' parameter is not set to 1.
AnswerD

This parameter must be enabled for logs to be published to CloudWatch.

Why this answer

Option D is correct as the question is framed: pgaudit writes its records into the PostgreSQL engine log, and the engine log reaches CloudWatch only when log export is switched on for the instance. In the current RDS console and API that switch is the instance's "Publish logs to CloudWatch Logs" setting (EnableCloudwatchLogsExports with the postgresql log type) rather than a parameter-group entry, so when audit output is missing, confirm that log export is enabled, that pgaudit is listed in shared_preload_libraries, and that the parameter changes have been applied (pgaudit requires a reboot). Option A is wrong because Multi-AZ has no effect on log publishing. Option B is wrong because CloudTrail records API calls and plays no part in engine log delivery.

Option C is wrong because the scenario states the parameters were set, which means the parameter group is associated with the instance.
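A worked example added here (not from the question set or from AWS) that ties questions 31 and 35 together: once log_connections and pgaudit are on and the postgresql log is published to CloudWatch Logs, the lines look like the constructed sample below, and the two functions pull out brute-force login attempts per source host and the pgaudit records for destructive statements. It assumes the RDS default log_line_prefix '%t:%r:%u@%d:[%p]:'; the hosts, users and statements are made up.

```python
"""Audit RDS for PostgreSQL log lines for login attempts and pgaudit events.

Added example, not taken from the question set or from AWS. The sample lines
are constructed. They assume the RDS default log_line_prefix
'%t:%r:%u@%d:[%p]:' (timestamp, remote host(port), user@database, [pid]),
log_connections = 1 and pgaudit session logging; check the prefix in your own
parameter group before relying on the regex.
"""
import csv
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \w+):"   # %t, e.g. 2024-03-01 10:00:07 UTC
    r"(?P<host>[^:(]*)(?:\((?P<port>\d+)\))?:"            # %r, e.g. 203.0.113.7(40122)
    r"(?P<user>[^@]*)@(?P<db>[^:]*):"                     # %u@%d
    r"\[(?P<pid>\d+)\]:"                                  # [%p]
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)

# Constructed sample: one authorized login, three failures from one outside
# address, one pgaudit DELETE and one pgaudit SELECT (quoted because of the comma).
SAMPLE_LOG = """\
2024-03-01 10:00:01 UTC:10.0.1.5(52344):app_user@appdb:[2190]:LOG:  connection authorized: user=app_user database=appdb SSL enabled (protocol=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256)
2024-03-01 10:00:07 UTC:203.0.113.7(40122):postgres@appdb:[2203]:FATAL:  password authentication failed for user "postgres"
2024-03-01 10:00:09 UTC:203.0.113.7(40123):postgres@appdb:[2204]:FATAL:  password authentication failed for user "postgres"
2024-03-01 10:00:11 UTC:203.0.113.7(40124):postgres@appdb:[2205]:FATAL:  password authentication failed for user "postgres"
2024-03-01 10:02:30 UTC:10.0.1.5(52344):app_user@appdb:[2190]:LOG:  AUDIT: SESSION,3,1,WRITE,DELETE,TABLE,public.orders,DELETE FROM orders WHERE customer_id = 42,<none>
2024-03-01 10:03:00 UTC:10.0.1.9(51002):reporting@appdb:[2210]:LOG:  AUDIT: SESSION,1,1,READ,SELECT,TABLE,public.orders,"SELECT id, status FROM orders",<none>
"""


def parse_line(line):
    """Split one log line into its prefix fields and message; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def failed_logins_by_source(log_text, threshold=3):
    """Count 'password authentication failed' events per remote host and return
    the hosts at or above `threshold`, a crude brute-force signal."""
    counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["level"] == "FATAL" and "authentication failed" in rec["msg"]:
            counts[rec["host"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


def audited_statements(log_text, commands=("DELETE", "UPDATE", "DROP", "TRUNCATE")):
    """Extract pgaudit SESSION entries for the given commands. pgaudit emits CSV:
    AUDIT: <type>,<stmt_id>,<substmt_id>,<class>,<command>,<object type>,<object name>,<statement>,<parameter>
    and quotes fields that contain commas, so the csv module does the splitting."""
    out = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or not rec["msg"].startswith("AUDIT: "):
            continue
        fields = next(csv.reader([rec["msg"][len("AUDIT: "):]]))
        if len(fields) < 8:
            continue
        _audit_type, _stmt, _sub, _cls, command, _obj_type, obj_name, statement = fields[:8]
        if command in commands:
            out.append({"time": rec["ts"], "user": rec["user"], "host": rec["host"],
                        "command": command, "object": obj_name, "statement": statement})
    return out


if __name__ == "__main__":
    print("failed logins:", failed_logins_by_source(SAMPLE_LOG))
    for s in audited_statements(SAMPLE_LOG):
        print("audited write:", s)
```

The same parsing can run in a Lambda function subscribed to the log group, or be replaced by a CloudWatch metric filter on "password authentication failed" with an alarm; the CSV handling is there because pgaudit quotes statements that contain commas, and a naive split on commas would corrupt the statement field.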

36
MCQmedium

A company has an Amazon RDS for MySQL DB instance that stores sensitive customer data. The security team requires that all data at rest be encrypted using a customer-managed AWS KMS key. The DB instance was originally launched without encryption. Which combination of steps will meet the requirement with the least downtime?

A.Create a read replica of the DB instance with encryption enabled, and then promote the read replica to become the primary instance.
B.Modify the DB instance and enable encryption using the AWS Management Console.
C.Take a snapshot of the DB instance, copy the snapshot with encryption enabled using the desired KMS key, and restore the encrypted snapshot to a new DB instance.
D.Take a snapshot of the DB instance, copy the snapshot with encryption enabled, and restore the encrypted snapshot to the same DB instance ID.
AnswerC

This is the standard procedure to enable encryption on an existing unencrypted RDS instance.

Why this answer

Option C is correct because encryption cannot be turned on for an existing unencrypted DB instance; the supported path is to take a snapshot, copy the snapshot with encryption enabled and the customer-managed KMS key specified, and restore the encrypted copy as a new DB instance. Downtime is the window between stopping writes for the final snapshot and cutting applications over to the new instance; renaming the old instance and giving the new one the original identifier keeps the endpoint name stable. Option A is incorrect because a read replica inherits the encryption state of its source, so an encrypted replica cannot be created from an unencrypted instance.

Option B is incorrect because StorageEncrypted is not modifiable on an existing instance. Option D is incorrect because a snapshot always restores to a new DB instance; it cannot be restored in place over an identifier that is still in use.
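The three encryption questions above (28, 30 and 36) share one rule: encryption at rest is fixed at creation time, so remediation is always to build an encrypted replacement. The following added example (not part of the original page or of any AWS tooling) audits the output of `aws rds describe-db-instances` and pairs each unencrypted instance with the right remediation path; the JSON sample is constructed, with a made-up account ID, key ID and instance names.

```python
"""Flag RDS DB instances whose storage is not encrypted, and say how to fix each.

Added example, not part of the original question set. It reads the JSON shape
returned by `aws rds describe-db-instances --output json`; the sample below is
constructed and the account ID, key ID and instance names are made up.
"""
import json

# Constructed sample in the shape of `aws rds describe-db-instances` output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "orders-primary", "Engine": "mysql",
     "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
     "ReadReplicaDBInstanceIdentifiers": ["orders-replica"]},
    {"DBInstanceIdentifier": "orders-replica", "Engine": "mysql",
     "StorageEncrypted": False,
     "ReadReplicaSourceDBInstanceIdentifier": "orders-primary"},
    {"DBInstanceIdentifier": "legacy-reports", "Engine": "postgres",
     "StorageEncrypted": False},
]})

# Equivalent one-liner against a live account (JMESPath literal needs the backticks):
#   aws rds describe-db-instances \
#     --query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier'

REMEDIATION = {
    "replica": "delete the replica and create a new read replica from the encrypted source",
    "standalone": "snapshot, copy the snapshot with --kms-key-id, restore to a new instance, cut over",
}


def find_unencrypted(describe_output: str) -> list:
    """Return one finding per instance with StorageEncrypted false.

    Encryption cannot be switched on in place, so the fix depends on the
    instance's role: a read replica is recreated from its source, anything
    else goes through snapshot -> encrypted copy -> restore to a new instance.
    """
    by_id = {i["DBInstanceIdentifier"]: i
             for i in json.loads(describe_output)["DBInstances"]}
    findings = []
    for inst in by_id.values():
        if inst.get("StorageEncrypted", False):
            continue
        source_id = inst.get("ReadReplicaSourceDBInstanceIdentifier")
        kind = "replica" if source_id else "standalone"
        source = by_id.get(source_id) if source_id else None
        findings.append({
            "id": inst["DBInstanceIdentifier"],
            "engine": inst["Engine"],
            "kind": kind,
            "source": source_id,
            # RDS does not let you create an unencrypted replica of an encrypted
            # source, so True here means the inventory deserves a closer look.
            "source_encrypted": bool(source and source.get("StorageEncrypted")),
            "remediation": REMEDIATION[kind],
        })
    return findings


def encryption_coverage(describe_output: str) -> float:
    """Fraction of instances encrypted at rest, usable as a compliance gate."""
    instances = json.loads(describe_output)["DBInstances"]
    return sum(1 for i in instances if i.get("StorageEncrypted")) / len(instances)


if __name__ == "__main__":
    for finding in find_unencrypted(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{finding['id']} ({finding['kind']}): {finding['remediation']}")
    print(f"coverage: {encryption_coverage(SAMPLE_DESCRIBE_OUTPUT):.0%}")
```

Run it against real output by piping `aws rds describe-db-instances --output json` into the script in place of the constructed sample; the preventive counterpart, stopping unencrypted instances from being created at all, is the SCP discussed in question 39.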

37
MCQhard

A CloudFormation template is used to create an RDS DB instance with encryption, as shown in the exhibit. The stack creation fails because the DB instance creation fails. What is the most likely cause?

A.The DB instance has StorageEncrypted set to true but KmsKeyId is not a valid ARN.
B.The KMS key policy does not grant permissions to the RDS service principal.
C.The KmsKeyId property requires the key ARN, not a reference.
D.The DB instance depends on the KMS key, but there is no DependsOn clause to ensure the key is created first.
AnswerD

The key must exist before the instance that uses it; without a dependency, explicit via DependsOn or implicit via a !Ref to the key, the instance could be created first.

Why this answer

Option D is correct as the question is framed: the DB instance cannot be encrypted with a key that does not yet exist, so the key must be created before the instance. Note, however, that when the template references the key with !Ref or !GetAtt, CloudFormation infers the dependency and orders creation automatically; an explicit DependsOn is only needed when the instance obtains the key some other way (a hard-coded key ID or a template parameter, for example). Option A is wrong because KmsKeyId accepts a key ID, key ARN, or alias, and !Ref on an AWS::KMS::Key returns the key ID. Option B is wrong because the key policy in the exhibit grants the account root full access, which lets IAM policies in the account authorize RDS to use the key.

Option C is wrong for the same reason as A: a reference to the key resource is a valid value for KmsKeyId.

38
MCQmedium

A user is unable to list the contents of the S3 bucket 'my-db-backups' using the AWS CLI. The IAM policy attached to the user is shown in the exhibit. What is the likely cause?

A.The user is using the wrong bucket name.
B.The policy does not grant 's3:ListBucket' permission.
C.The resource ARN is missing the bucket-level ARN needed for listing.
D.The policy has a syntax error.
AnswerB

ListBucket is required to list objects.

Why this answer

Option B is correct because listing a bucket requires the s3:ListBucket action, which the policy does not grant. Note also that s3:ListBucket must be allowed on the bucket ARN itself (arn:aws:s3:::my-db-backups), whereas object actions such as s3:GetObject are allowed on arn:aws:s3:::my-db-backups/*; a policy that names only the object ARN will still fail to list even after the action is added. Option A is wrong because the bucket name in the command matches the policy. Option C is wrong because the exhibit's resource list does include the bucket ARN; the missing piece is the action.

Option D is wrong because the policy is valid JSON.

39
MCQmedium

A company needs to enforce that all new Amazon RDS DB instances are automatically encrypted at rest. What is the most efficient way to achieve this?

A.Create an IAM policy that denies rds:CreateDBInstance unless encryption is enabled, and attach it to all users.
B.Enable the 'encryption at rest' default in each AWS account's RDS console.
C.Use an AWS Organizations service control policy (SCP) to deny creation of unencrypted RDS instances.
D.Use AWS CloudFormation StackSets to deploy a template that creates encrypted instances in every account.
AnswerC

SCPs can enforce encryption at the organizational level.

Why this answer

Option C is correct because a service control policy is evaluated for every principal in every member account, including the account root user, and cannot be edited away by account administrators. An SCP that denies rds:CreateDBInstance when the rds:StorageEncrypted condition key is false makes an unencrypted instance impossible to create anywhere in the organization. Option A is wrong because an identity policy has to be attached to every user and role in every account, can be detached by anyone with IAM rights, and does not bind the root user. Option B is wrong because RDS has no account-level "encrypt by default" setting; that feature exists for EBS volumes, not RDS.

Option D is wrong because StackSets deploy encrypted instances from a template but do nothing to stop someone from creating an unencrypted instance outside of it.

40
MCQmedium

A company is using Amazon DocumentDB (with MongoDB compatibility) for a content management system. The security team requires that all data be encrypted at rest and in transit. The DocumentDB cluster is already encrypted at rest using AWS KMS. To enforce encryption in transit, the security team wants to ensure that all client connections use TLS. The team has enabled the 'tls' parameter in the cluster parameter group. However, a developer reports that they can still connect to the cluster without specifying TLS options using the mongo shell. The developer is connecting from an EC2 instance in the same VPC. The security group for the DocumentDB cluster allows inbound traffic on port 27017 from the EC2 instance's security group. What is the most likely reason the developer can connect without TLS?

A.DocumentDB does not support TLS; it only supports SSL.
B.The EC2 instance is in the same VPC, so TLS is not enforced for intra-VPC traffic.
C.The developer is using an older version of the mongo shell that does not support TLS.
D.The 'tls' parameter was not applied to the cluster because the parameter group was not associated with the cluster or the cluster was not rebooted.
AnswerD

tls is a static cluster parameter: it must be set in a custom cluster parameter group that is attached to the cluster, and the cluster's instances must be rebooted for it to take effect.

Why this answer

Option D is correct. In Amazon DocumentDB the tls cluster parameter, which is enabled by default, is what makes the cluster reject non-TLS connections; when it is in effect, a client that does not negotiate TLS cannot connect at all. If a non-TLS connection still succeeds, the setting is not in effect on the cluster. The usual causes are that the parameter was changed in a cluster parameter group that is not the one associated with the cluster (the default cluster parameter group cannot be modified, so a custom one must be created and attached), or that tls, a static parameter, was changed but the cluster's instances have not been rebooted.

Option A is wrong because DocumentDB supports TLS; "SSL" is simply the older name for the same transport encryption. Option B is wrong because the tls parameter is enforced by the cluster regardless of where the client is; being in the same VPC grants no exemption. Option C is wrong because an older shell without TLS support would fail to connect to a TLS-enforcing cluster, not connect without TLS.

41
MCQmedium

Refer to the exhibit. A database administrator is reviewing the output of 'SHOW FULL PROCESSLIST' on an Amazon RDS for MySQL DB instance. The company's security policy requires that all database users access only the minimum necessary data. Which user's activity should be investigated further?

A.Both users, because they are both accessing the credit_cards table.
B.The admin user, because the query is selecting all columns from the credit_cards table.
C.The app_user, because the query is selecting card_number which is sensitive.
D.Neither user, because the queries are normal for their roles.
AnswerB

This violates the principle of least privilege; the admin should not be selecting all columns.

Why this answer

Option B is correct. The admin user's SELECT * reads every column of credit_cards, including the card numbers, which is broader than any routine administrative task requires and is exactly the access the least-privilege policy exists to prevent; the session should be investigated and the account's privileges reviewed. The app_user's query selects a specific column with a WHERE clause, which is consistent with what an application needs.

Option A is wrong because the app_user's access is within the scope expected for its role. Option C is wrong because reading card_number for a specific record is the application's job; the concern is unrestricted access, not use of the column. Option D is wrong because the admin query is clearly excessive.

42
Multi-Selecthard

A company uses Amazon DynamoDB with DAX and wants to implement fine-grained access control using IAM. Which THREE conditions can be used in an IAM policy to restrict access to specific items based on the primary key?

Select 3 answers
A.dynamodb:Attributes
B.dynamodb:ReturnValues
C.dynamodb:TableName
D.dynamodb:LeadingKeys
E.dynamodb:Select
AnswersA, D, E

Each of the three keys narrows what an IAM principal can reach within a table: the partition key values, the attribute names, and the projection.

Why this answer

Options A, D, and E are correct. dynamodb:LeadingKeys restricts which partition key values a principal can read or write, typically compared against a policy variable such as ${aws:userid}; dynamodb:Attributes restricts which attribute names a request may reference; and dynamodb:Select must be pinned to SPECIFIC_ATTRIBUTES alongside Attributes, otherwise a Query or GetItem could ask for all attributes and bypass the attribute list. Option B is wrong because dynamodb:ReturnValues controls what a write operation returns; it does not restrict access by key. Option C is wrong because the table is already identified by the Resource ARN; dynamodb:TableName is not an item-level control.

Note that these item-level conditions are enforced on requests to DynamoDB itself; DAX does not support fine-grained access control, so clients that must be subject to these conditions should call DynamoDB directly rather than through the DAX cluster.

43
MCQeasy

A company's security policy requires that all database passwords be rotated every 90 days. The company uses AWS Secrets Manager to store database credentials for Amazon RDS. Which feature can be used to automate password rotation?

A.Configure automatic rotation in Secrets Manager with a rotation interval of 90 days.
B.Use an AWS Lambda function triggered by Amazon CloudWatch Events every 90 days to rotate the password.
C.Use IAM Access Analyzer to detect unused passwords and rotate them.
D.Store the password in AWS Systems Manager Parameter Store and use automatic rotation.
AnswerA

Secrets Manager can automatically rotate RDS credentials on a schedule.

Why this answer

Option A is correct because Secrets Manager has built-in rotation for RDS credentials: it schedules the rotation and runs an AWS-provided Lambda rotation function that sets a new password in the database and updates the secret. Option B is wrong because it rebuilds that same mechanism by hand; a scheduled custom Lambda works but adds code to maintain. Option C is wrong because IAM Access Analyzer reviews resource policies and unused access; it does not rotate anything.

Option D is wrong because Parameter Store has no built-in rotation for RDS credentials.

44
MCQmedium

A company is using Amazon Aurora MySQL-Compatible Edition. The security team wants to restrict access to the database so that only specific applications running on Amazon EC2 instances can connect. The EC2 instances are in the same VPC as the Aurora cluster. Which combination of steps should be taken to enforce this restriction?

A.Enable IAM database authentication and create database users for each application.
B.Modify the DB subnet group to include only subnets where the EC2 instances reside.
C.Use a network ACL to allow traffic only from the EC2 instances' IP addresses.
D.Configure the Aurora cluster's security group to allow inbound traffic from the EC2 instances' security group.
AnswerD

Security group rules can reference other security groups.

Why this answer

Option D is correct because a security group rule can name another security group as its source, so the Aurora cluster accepts port 3306 only from instances that carry the application's security group, and the rule keeps working as instances are replaced and change IP addresses. Option A is wrong because IAM database authentication decides who can log in, not which hosts can reach the endpoint. Option C is wrong because network ACLs are stateless, apply to whole subnets, and match on CIDR ranges rather than instance identity, so they cannot follow a specific set of instances.

Option B is wrong because the DB subnet group determines where the cluster's network interfaces are placed; it does not filter incoming connections.

45
MCQmedium

A security team is investigating a potential data breach in an Amazon RDS for SQL Server database. They need to determine which user executed a specific DELETE statement at a particular time. What should they do?

A.Enable AWS CloudTrail for the RDS instance.
B.Enable audit logs for the RDS instance and send them to CloudWatch Logs.
C.Enable VPC Flow Logs for the database subnet.
D.Enable AWS Trusted Advisor.
AnswerB

Audit logs record SQL statements and can be analyzed.

Why this answer

Option B is correct because only the database's own audit log records which login executed which SQL statement and when; CloudTrail, flow logs and Trusted Advisor never see statement text. On RDS for SQL Server, native SQL Server Audit is configured through the SQLSERVER_AUDIT option in an option group, which ships the .sqlaudit files to an S3 bucket; the logs RDS can publish to CloudWatch for SQL Server are the error and agent logs, so for a statement-level investigation the audit files in S3 are the place to look. Option A is wrong because CloudTrail logs RDS API calls, not SQL commands.

Option C is wrong because VPC Flow Logs record network flows, not queries. Option D is wrong because Trusted Advisor provides best-practice checks, not an audit trail.

46
MCQmedium

A company has an Amazon RDS for MySQL DB instance that is publicly accessible. The security team wants to restrict access to only specific IP addresses. Which configuration should be used?

A.Create a VPC endpoint for RDS and attach a policy that allows only the specific IP addresses.
B.Use an IAM policy with a condition that restricts the source IP address.
C.Configure a security group associated with the RDS instance to allow inbound traffic only from the specific IP addresses.
D.Configure a network ACL to allow inbound traffic from the specific IP addresses.
AnswerC

Security groups can restrict inbound traffic by IP address.

Why this answer

Option C is correct because the VPC security group attached to the DB instance is the stateful firewall for its endpoint, and an inbound rule for port 3306 with the specific addresses as /32 sources admits only those clients. Option A is wrong because VPC endpoints are for reaching AWS APIs privately, and an RDS instance that is publicly accessible already exposes its endpoint; there is no endpoint policy to apply here. Option B is wrong because IAM policies govern API calls, not TCP connections to the database.

Option D is wrong because a network ACL applies to a whole subnet and is stateless, so it needs matching outbound rules and affects every resource in the subnet; it is a coarser backstop, not the control for this requirement. Better still, set the instance to not publicly accessible and reach it through private connectivity, leaving the security group as defence in depth.

47
MCQeasy

A security engineer reviews the IAM policy attached to a user. The user is unable to modify any RDS DB instance, even when MFA is enabled. What is the most likely cause?

A.The policy is missing the ec2:ModifyInstance permission.
B.The policy does not include a Deny statement for RDS actions.
C.The user does not have MFA enabled, or the instance name does not match the allowed prefixes.
D.The user is trying to use the RDS console, but the policy only allows API calls.
AnswerC

The policy allows rds:ModifyDBInstance on prod-* instances unconditionally and on dev-* instances only when the request carries aws:MultiFactorAuthPresent set to true; any other identifier matches neither statement and is implicitly denied.

Why this answer

Option C is correct. The policy grants rds:ModifyDBInstance only on instances whose identifiers begin with prod-, and on dev- instances only when aws:MultiFactorAuthPresent is true. Any instance outside those patterns falls through to the implicit deny, and a dev- instance is also denied whenever the session is not MFA-authenticated. Note that aws:MultiFactorAuthPresent is present only for temporary credentials obtained after an MFA challenge (STS GetSessionToken or AssumeRole with an MFA code, or a console sign-in with MFA); having an MFA device enrolled on the user is not enough, and a request made with long-term access keys never satisfies a Bool true test on this key. Option A is wrong because the action is rds:ModifyDBInstance; no EC2 permission is involved.

Option B is wrong because IAM denies by default, so the absence of a Deny statement does not explain a failure. Option D is wrong because the console calls the same API and is subject to the same policy evaluation.
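Questions 33, 38, 39, 42 and 47 all come down to how IAM evaluates a request: an explicit Deny anywhere wins, otherwise some Allow must match the action, the resource and every condition, otherwise the request is implicitly denied. The added example below (not AWS code, written for this page) models that core and the condition operators those questions use, then encodes each question's policy so the decisions can be checked. It leaves out policy variables, NotAction and the separate SCP-then-identity-policy step; the Null statement in the SCP is a belt-and-braces assumption about requests that omit StorageEncrypted; and all ARNs, account IDs and key values are made up.

```python
"""Minimal IAM policy evaluator for the policies in questions 33, 38, 39, 42 and 47.

Added example, not AWS code. It models only the core of IAM evaluation
(explicit Deny wins, then any matching Allow, else implicit Deny) and a few
condition operators; it ignores policy variables, NotAction and the separate
SCP-versus-identity-policy step. ARNs, account IDs and key values are made up.
"""
from fnmatch import fnmatchcase


def _list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(cond, ctx):
    """Every operator/key pair in a Condition block must hold (logical AND)."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            exp = [str(e) for e in _list(expected)]
            actual = ctx.get(key)
            if op == "Bool":                          # missing key -> condition is false
                if actual is None or str(actual).lower() != exp[0].lower():
                    return False
            elif op == "Null":                        # "true" matches when the key is absent
                if (actual is None) != (exp[0].lower() == "true"):
                    return False
            elif op == "StringEquals":
                if actual is None or str(actual) not in exp:
                    return False
            elif op == "StringEqualsIfExists":        # missing key -> condition holds
                if actual is not None and str(actual) not in exp:
                    return False
            elif op == "ForAllValues:StringEquals":   # every requested value must be allowed
                if actual is not None and not set(map(str, _list(actual))) <= set(exp):
                    return False
            else:
                raise ValueError(f"operator not modelled: {op}")
    return True


def evaluate(policies, action, resource, ctx=None):
    """Return 'Allow' or 'Deny' for one request against a list of policy documents."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not any(fnmatchcase(action, a) for a in _list(st["Action"])):
                continue
            if not any(fnmatchcase(resource, r) for r in _list(st.get("Resource", "*"))):
                continue
            if not _condition_holds(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"                          # explicit deny overrides everything
            allowed = True
    return "Allow" if allowed else "Deny"


# Q39: SCP that blocks unencrypted RDS instances. The Null statement is an
# assumption-driven extra that also denies requests omitting StorageEncrypted.
SCP_ENCRYPTED_RDS_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "rds:CreateDBInstance", "Resource": "*",
     "Condition": {"Bool": {"rds:StorageEncrypted": "false"}}},
    {"Effect": "Deny", "Action": "rds:CreateDBInstance", "Resource": "*",
     "Condition": {"Null": {"rds:StorageEncrypted": "true"}}},
]}
ALLOW_ALL = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Q33 / Q42: DynamoDB fine-grained access on the Orders table.
ORDERS = "arn:aws:dynamodb:us-east-1:111122223333:table/Orders"
DDB_FGAC = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"], "Resource": ORDERS,
    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": ["customer-42"],  # real policies use ${aws:userid} or similar
            "dynamodb:Attributes": ["order_id", "customer_id", "status"]},
        "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"}}}]}

# Q38: GetObject on objects only; ListBucket needs the bucket ARN itself.
S3_OBJECTS_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-db-backups/*"}]}

# Q47: prod-* unconditionally, dev-* only from an MFA-authenticated session.
RDS_MODIFY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "rds:ModifyDBInstance",
     "Resource": "arn:aws:rds:us-east-1:111122223333:db:prod-*"},
    {"Effect": "Allow", "Action": "rds:ModifyDBInstance",
     "Resource": "arn:aws:rds:us-east-1:111122223333:db:dev-*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}


if __name__ == "__main__":
    print("unencrypted create:", evaluate([ALLOW_ALL, SCP_ENCRYPTED_RDS_ONLY],
                                          "rds:CreateDBInstance", "*", {"rds:StorageEncrypted": "false"}))
    print("list bucket:", evaluate([S3_OBJECTS_ONLY], "s3:ListBucket", "arn:aws:s3:::my-db-backups"))
    print("dev without MFA:", evaluate([RDS_MODIFY], "rds:ModifyDBInstance",
                                       "arn:aws:rds:us-east-1:111122223333:db:dev-app"))
```

The instructive cases are the ones that deny for a reason other than a missing action: the S3 list fails because the object-ARN pattern does not match the bucket ARN, the dev- instance fails because a Bool test on an absent aws:MultiFactorAuthPresent key is false, and the DynamoDB request fails the moment it asks for an attribute or partition key outside the allowed set.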

48
MCQhard

A company runs an Amazon Aurora MySQL-compatible database cluster. The security team requires that all database credentials be rotated automatically every 30 days. Which combination of AWS services can meet this requirement with minimal operational overhead?

A.Use IAM database authentication and rotate the IAM user keys every 30 days.
B.Store the password in AWS Secrets Manager and enable automatic rotation with a 30-day interval.
C.Use AWS CloudHSM to generate a new password and a Lambda function to update the database.
D.Store the password in AWS Systems Manager Parameter Store and use a scheduled Lambda function to update the password.
AnswerB

Secrets Manager can automatically rotate RDS credentials.

Why this answer

Option B is correct: AWS Secrets Manager can rotate credentials for Amazon RDS and Aurora databases on a schedule using an AWS-provided rotation function, so a 30-day interval needs no custom code. Option A is wrong because IAM database authentication replaces passwords with short-lived tokens; it does not rotate a database password, and rotating IAM access keys is a different concern. Option D is wrong because Parameter Store can hold the password but has no built-in rotation, so the scheduled Lambda would have to be written and maintained.

Option C is wrong because CloudHSM is a key store, not a secret rotation service.

49
MCQeasy

A developer needs to connect to an Amazon RDS for PostgreSQL DB instance from an EC2 instance in the same VPC. What is the most secure way to authenticate the connection without storing database credentials in the application code?

A.Use a hardcoded password in the application configuration file.
B.Store the database password in AWS Secrets Manager and retrieve it at runtime.
C.Enable IAM database authentication and generate an authentication token.
D.Store the password in AWS Systems Manager Parameter Store as a SecureString.
AnswerC

IAM database authentication eliminates the need for a stored password.

Why this answer

Option C is correct. With IAM database authentication, the application uses its instance role's credentials to generate a short-lived authentication token (valid for 15 minutes) with the SDK or the aws rds generate-db-auth-token command, and presents the token as the password; no database password exists for the application to store. The connection must use SSL/TLS, and the IAM principal needs rds-db:connect on the database user.

Option A is incorrect because a hardcoded password is a static secret in the deployment. Option B is incorrect only in the sense that Secrets Manager still holds a long-lived password that must be fetched and rotated; it is a secure option, but the token approach removes the password altogether. Option D is incorrect for the same reason: a SecureString in Parameter Store is still a stored password.

50
MCQmedium

A security team is auditing an Amazon RDS for SQL Server DB instance. They notice that SSL connections are not enforced. Which configuration change will enforce SSL for all connections?

A.Modify the security group to only allow inbound traffic on port 443.
B.Add the SQL Server SSL option to the option group.
C.Set the 'rds.force_ssl' parameter to 1 in the DB parameter group.
D.Change the DB subnet group to a public subnet.
AnswerC

This parameter forces SSL connections to the SQL Server DB instance.

Why this answer

Option C is correct because for RDS for SQL Server, setting rds.force_ssl to 1 in the DB parameter group makes the instance reject connections that are not encrypted; the parameter is static, so the instance must be rebooted for it to take effect, and clients need the RDS CA certificate to validate the server. Option A is wrong because SQL Server listens on 1433 whether or not the session is encrypted; a security group filters ports and sources and cannot tell an encrypted session from a plain one. Option B is wrong because option groups add engine features such as TDE, native backup and restore, or SQL Server Audit; SSL enforcement is a parameter.

Option D is wrong because the subnet group defines network placement and has no effect on transport encryption.

51
MCQeasy

A company is using Amazon RDS for MySQL and wants to restrict access to the database based on the source IP address. Which AWS feature should be used to achieve this?

A.DB Parameter Groups
B.VPC Security Groups
C.IAM Database Authentication
D.Network ACLs
AnswerB

Security groups act as a firewall for the DB instance, controlling inbound traffic based on IP or other security groups.

Why this answer

Security groups are the stateful virtual firewall for an RDS instance: inbound rules can allow traffic only from specific IP ranges or from other security groups. Network ACLs are stateless, subnet-level filters and serve as a coarser backstop rather than the per-instance control.

IAM database authentication governs who can log in, not which networks can reach the endpoint, and DB parameter groups configure database engine settings.

52
MCQhard

A financial company uses Amazon RDS for PostgreSQL with a custom parameter group. The security team wants to ensure that all connections to the database are encrypted in transit. Which combination of actions should the database administrator take? (Select TWO.)

A.Attach an IAM role to the RDS instance to authenticate users.
B.Change the database port to 8432 to use a non-standard port.
C.Set 'ssl' to 'off' in the parameter group.
D.Set the parameter 'rds.force_ssl' to 1 in the custom parameter group.
E.Modify the security group to allow inbound traffic only on port 5432 with the '--ssl' option.
AnswersD, E

This forces all connections to use SSL.

Why this answer

Options D and E are the intended pair. Option D is the control that actually enforces encryption: with rds.force_ssl set to 1, PostgreSQL rejects any connection that does not negotiate SSL/TLS, so a client using sslmode=disable fails. Option E restricts the network path to the database port so that only intended clients reach the listener; a security group rule filters by port and source and cannot itself require TLS, which is why D is necessary and E is the complement rather than a substitute. Option B is wrong because moving the listener to 8432 is obscurity, not encryption. Option C is wrong because setting ssl to off disables encrypted connections entirely.

Option A is wrong because IAM roles concern authentication, not transport encryption.

53
MCQmedium

A company has an Amazon RDS for Oracle DB instance that stores Personally Identifiable Information (PII). The security team requires that the data be transparently encrypted at rest using a key stored in AWS CloudHSM. What should the database administrator do to meet this requirement?

A.Use Oracle Data Pump to export the data, encrypt it using CloudHSM, and import it back into RDS.
B.Enable TDE and configure the Oracle wallet to point to the CloudHSM key.
C.Enable TDE and use AWS KMS as the key manager by integrating with the Oracle TDE keystore.
D.Create a custom DB engine using a custom AMI that includes CloudHSM integration.
AnswerC

RDS Oracle TDE supports AWS KMS integrated key management.

Why this answer

Option C is correct as the question is framed. On RDS for Oracle, Transparent Data Encryption is enabled through the TRANSPARENT_DATA_ENCRYPTION option in an option group; the Oracle wallet holding the TDE master key is created and managed by RDS, with key management integrated with AWS KMS rather than administered by the customer. What is not available is pointing that wallet at an external HSM: RDS for Oracle does not integrate with AWS CloudHSM, so a strict CloudHSM requirement cannot be met on RDS as such (running Oracle on EC2, where the CloudHSM client can be installed, is the route for that).

Option A is wrong because encrypting a Data Pump export protects the export file, not the data at rest inside the running database. Option B is wrong because RDS does not expose the wallet for customer reconfiguration. Option D is wrong because RDS does not run customer-supplied AMIs. Note that TDE is separate from the storage-level encryption of the DB instance, which is KMS-based and covers the underlying volumes, snapshots and backups.

54
MCQhard

A financial services company stores sensitive data in an Amazon DynamoDB table. The security team requires that all data at rest be encrypted with a customer-managed key that is rotated automatically every 12 months. The company also needs to audit key usage. Which solution meets these requirements?

A.Use server-side encryption with S3-managed keys (SSE-S3) for the DynamoDB table.
B.Use AWS CloudHSM to generate and store the encryption key. Configure the application to encrypt data before writing to DynamoDB.
C.Enable encryption at rest using the default DynamoDB encryption option (AWS owned key). Use AWS CloudTrail to audit key usage.
D.Enable encryption at rest using an AWS KMS customer-managed CMK. Configure automatic key rotation with a 12-month period. Use AWS CloudTrail to audit key usage.
AnswerD

KMS customer-managed CMKs support automatic rotation every 12 months and CloudTrail auditing.

Why this answer

DynamoDB supports encryption at rest with AWS KMS customer-managed CMKs. Automatic key rotation every 12 months is a feature of KMS for CMKs. CloudTrail logs KMS API calls for auditing.

Option C uses the default AWS owned key, which cannot be rotated manually but rotates automatically every 3 years, not every 12 months; auditing is possible, but the key is not customer-managed. Option A uses SSE-S3, which is for S3, not DynamoDB. Option B uses CloudHSM, which provides HSMs but does not automatically rotate keys every 12 months.

55
MCQhard

Refer to the exhibit. An engineer runs the CLI command to check security groups attached to the RDS instance 'mydb'. The output shows only one security group. The engineer wants to ensure that only traffic from an application server with IP 10.0.1.5 is allowed to the database port 3306. Which security group rule should be added?

A.Add an inbound rule to allow traffic from 10.0.1.5/32 on port 80.
B.Add an inbound rule to allow traffic from 10.0.1.5/32 on port 3306.
C.Add an outbound rule to allow traffic to 10.0.1.5 on port 3306.
D.Add an inbound rule to allow traffic from 0.0.0.0/0 on port 3306.
AnswerB

Correctly restricts access to the specific IP.

Why this answer

To allow only a specific IP, an inbound rule for MySQL port 3306 from source 10.0.1.5/32 is needed, so Option B is correct. Option C is wrong because outbound rules control egress, not who may connect.

Option D is wrong because a rule allowing all traffic (0.0.0.0/0) would be insecure. Option A is wrong because the HTTP port is not relevant.

56
MCQeasy

A company needs to securely store and manage the master password for their Amazon RDS for PostgreSQL instance. Which AWS service is purpose-built for managing secrets with automatic rotation?

A.AWS Key Management Service (KMS)
B.AWS Secrets Manager
C.AWS Identity and Access Management (IAM)
D.AWS CloudHSM
AnswerB

Secrets Manager is designed for storing and rotating database credentials.

Why this answer

Option B is correct because AWS Secrets Manager is designed for secret management with built-in rotation. Option A is wrong because KMS is for encryption keys, not secret management. Option D is wrong because CloudHSM provides hardware security modules but not secret rotation.

Option C is wrong because IAM is for identity and access management, not secret storage.

57
MCQmedium

A company is using an Amazon RDS for MySQL DB instance to store sensitive customer data. A security audit reveals that all database traffic between the application and the database is transmitted in plaintext. Which configuration change would encrypt data in transit for new connections?

A.Modify the DB instance to require SSL/TLS connections and update the application connection string to use SSL.
B.Configure the DB instance to be in a VPC with a VPC peering connection to the application's VPC.
C.Enable encryption at rest for the RDS DB instance using AWS KMS.
D.Enable IAM database authentication for the DB instance.
AnswerA

This encrypts data in transit for new connections.

Why this answer

Enabling SSL/TLS for the RDS DB instance encrypts data in transit. Once enabled, clients can connect using SSL/TLS. Option C is incorrect because RDS encryption at rest does not affect data in transit.

Option B is incorrect because VPC peering does not encrypt traffic. Option D is incorrect because enabling IAM database authentication does not encrypt the connection.

58
Multi-Selectmedium

A company is using Amazon RDS for PostgreSQL and wants to implement encryption in transit for all client connections. The security team has identified that some connections are not using SSL. Which TWO actions should the company take to enforce SSL for all connections?

Select 2 answers
A.Set the 'rds.force_ssl' parameter to '1' in the DB parameter group.
B.Install the RDS CA certificate on all client machines.
C.Create a new SSL certificate and associate it with the RDS instance.
D.Configure the application connection string to use 'sslmode=require'.
E.Modify the pg_hba.conf file to require SSL for all users by setting 'hostssl' entries.
AnswersA, E

This parameter forces the PostgreSQL server to reject non-SSL connections.

Why this answer

Options A and E are correct. Setting 'rds.force_ssl=1' in the parameter group forces the server to accept only SSL connections. Revoking non-SSL privileges (or modifying pg_hba.conf with 'hostssl' entries) ensures no non-SSL users can connect.

Option B is unnecessary if the server enforces SSL. Option D is a client-side setting, not server-side enforcement. Option C is not a server-side enforcement measure either.

59
MCQmedium

A company has an Amazon RDS for Oracle DB instance that is publicly accessible. They want to restrict access to only a specific CIDR block. Which two actions must be taken together?

A.Modify the VPC security group to allow inbound traffic on the database port from the specific CIDR, and ensure the DB instance is publicly accessible with the correct security group.
B.Modify the DB subnet group to include only subnets from the allowed CIDR.
C.Add a rule to the network ACL to allow inbound traffic from the CIDR.
D.Set the rds.force_ssl parameter to force encrypted connections from the allowed CIDR.
AnswerA

The security group acts as a firewall for the DB instance, and the PubliclyAccessible setting allows it to have a public IP.

Why this answer

Option A is correct because the security group must allow inbound traffic from the specific CIDR, and the DB instance must be publicly accessible. Option B is wrong because subnet assignment is not directly for access control. Option C is wrong because NACLs are stateless and not typically used for RDS access control.

Option D is wrong because the DB parameter group does not control network access.

60
MCQmedium

A database administrator needs to audit all SQL statements executed on an Amazon Aurora MySQL DB cluster, including SELECT queries. Which AWS service should be used to capture and store these logs?

A.Amazon RDS Database Activity Streams
B.Amazon RDS Enhanced Monitoring
C.Amazon CloudWatch Logs
D.Amazon RDS Performance Insights
AnswerA

Database Activity Streams captures database activity, including SQL statements, and sends it to CloudWatch and Kinesis.

Why this answer

Option A is correct because RDS Database Activity Streams sends database activity to CloudWatch Logs and Kinesis Data Streams for auditing. Option B is wrong because Enhanced Monitoring provides OS-level metrics, not SQL statements. Option D is wrong because RDS Performance Insights monitors performance; it does not audit SQL.

Option C is wrong because CloudWatch Logs can store logs but does not capture SQL statements directly; it requires a source such as Database Activity Streams.

61
MCQeasy

A company has an Amazon DynamoDB table with a global secondary index (GSI). The security team wants to ensure that the table and the GSI are encrypted at rest. How can this be achieved?

A.Nothing; DynamoDB encrypts all data at rest by default.
B.Create the table with encryption disabled to avoid performance impact.
C.Enable encryption at rest on the table and the GSI separately.
D.Enable encryption on the GSI using a KMS key.
AnswerA

DynamoDB tables and GSIs are encrypted at rest by default.

Why this answer

Option A is correct because DynamoDB encrypts all tables and GSIs at rest by default. Option B is wrong because encryption cannot be disabled. Option C is wrong because GSIs are automatically encrypted with the table.

Option D is wrong because encryption is always on; a GSI is not encrypted separately from its table.

62
MCQmedium

A company is using Amazon Aurora MySQL-Compatible Edition. The database administrator wants to restrict a specific user to only execute SELECT statements on a specific database. Which SQL command should the administrator use?

A.ALTER USER 'user'@'%' WITH GRANT OPTION;
B.CREATE USER 'user'@'%' IDENTIFIED BY 'password';
C.REVOKE ALL PRIVILEGES ON db_name.* FROM 'user'@'%';
D.GRANT SELECT ON db_name.* TO 'user'@'%';
AnswerD

Grants SELECT on all tables in the database.

Why this answer

Option D is correct because GRANT SELECT ON db_name.* TO 'user'@'%' grants SELECT on all tables in the database. Option C is wrong because REVOKE removes privileges. Option B is wrong because CREATE USER creates a user but does not grant privileges.

Option A is wrong because ALTER USER modifies user attributes.

63
MCQhard

A financial services company runs a critical application on Amazon RDS for PostgreSQL. The database stores sensitive customer financial data. The security team has mandated that all access to the database must be through IAM database authentication to eliminate the need for passwords. The application currently uses a master user password stored in AWS Secrets Manager. The DBA needs to implement IAM authentication without downtime. The application is deployed on Amazon ECS and connects to the database using a connection string. The DBA has already created an IAM role for the ECS task with a policy that allows rds-db:connect. The DBA has also modified the DB instance to require SSL. However, after making these changes, the application cannot connect. The error message indicates 'IAM authentication is not enabled for this user'. What step did the DBA miss?

A.The DBA did not create a database user that is set to use IAM authentication.
B.The DBA did not attach the IAM policy to the ECS task role.
C.The DBA did not enable the 'password' authentication method.
D.The DBA did not update the security group to allow traffic on port 5432.
AnswerA

A database user must be created with the rds_iam role.

Why this answer

Option A is correct because IAM database authentication requires that the database user be created with the IAM authentication method (using the CREATEROLE option and granting the rds_iam role). Without a database user mapped to the IAM role, authentication fails. Option B is wrong because the IAM role with the rds-db:connect policy is already created.

Option C is wrong because IAM authentication does not require a password; it uses authentication tokens. Option D is wrong because the port does not need to be changed.

64
Multi-Selecthard

A company uses Amazon RDS for SQL Server with Multi-AZ deployment. The security team wants to ensure that all data at rest is encrypted using a customer-managed KMS key in both the primary and standby instances. Which THREE actions are required?

Select 3 answers
A.Create a separate KMS key for the standby instance.
B.Specify a customer-managed KMS key during creation.
C.Enable Transparent Data Encryption (TDE) on the instance.
D.Enable Multi-AZ with encryption enabled.
E.Enable encryption at rest when creating the DB instance.
AnswersB, D, E

A customer-managed key is required.

Why this answer

Options B, D, and E are correct. Option A is wrong because the standby instance is automatically encrypted with the same KMS key; no separate key is needed. Option C is wrong because TDE is not used with KMS; RDS encrypts the entire storage volume.

65
MCQeasy

A developer is writing an AWS Lambda function that needs to access a Secrets Manager secret to retrieve database credentials. The Lambda function has an IAM role. Which action must be allowed in the IAM policy?

A.kms:Decrypt
B.secretsmanager:PutSecretValue
C.secretsmanager:ListSecrets
D.secretsmanager:GetSecretValue
AnswerD

This is required to retrieve the secret.

Why this answer

Option D is correct because 'secretsmanager:GetSecretValue' retrieves the secret. Option A is wrong because 'kms:Decrypt' may be needed if the secret is encrypted with a KMS key, but the primary action is GetSecretValue. Option C is wrong because 'secretsmanager:ListSecrets' only lists secrets; it does not retrieve their values.

Option B is wrong because 'secretsmanager:PutSecretValue' is for updating secrets.

66
Multi-Selectmedium

A company uses Amazon RDS for PostgreSQL to store customer data. The security team wants to audit all SQL queries executed against the database, including SELECT statements. Which TWO actions should be taken to achieve this?

Select 2 answers
A.Install the pgaudit extension in the DB instance.
B.Enable the 'log_connections' and 'log_disconnections' parameters.
C.Set the 'pgaudit.log' parameter to include 'read' and 'write' statements.
D.Set the 'audit_log_enabled' parameter to 1 in the DB parameter group.
E.Enable Database Activity Streams on the DB instance.
AnswersA, C

pgaudit is the standard extension for PostgreSQL audit logging.

Why this answer

To audit SQL queries in RDS PostgreSQL, enable the pgaudit extension (Option A) and set the appropriate parameters (Option C). Database Activity Streams (Option E) send events to CloudWatch and Kinesis, but they capture a subset of activities and require additional configuration; they are not the primary method for SQL auditing. Option B is about logging connections, not queries.

Option D is for MySQL, not PostgreSQL.

67
MCQeasy

A company wants to audit all SQL statements executed on their RDS for PostgreSQL database. Which AWS service should they use?

A.AWS Database Migration Service (DMS)
B.VPC Flow Logs
C.Amazon RDS Performance Insights
D.CloudWatch Logs with PostgreSQL audit logs
AnswerD

Enable pgaudit extension and publish logs to CloudWatch Logs.

Why this answer

Option D is correct. Amazon RDS for PostgreSQL integrates with AWS CloudTrail for API calls, but for SQL-level auditing you must use the database's native audit logging (e.g., the pgaudit extension) and publish the log files to CloudWatch Logs. Option B is for VPC flow logs.

Database Activity Streams would be another route, but that's for Aurora, not RDS PostgreSQL. Option C is for monitoring performance.

68
Multi-Selecthard

Which TWO actions can be used to encrypt an existing unencrypted Amazon RDS for MySQL DB instance? (Choose 2.)

Select 2 answers
A.Create a read replica with encryption enabled.
B.Enable SSL on the DB instance.
C.Create a new encrypted DB instance and migrate data using database dump and restore.
D.Take a snapshot of the DB instance, copy it with encryption enabled, and restore from the encrypted snapshot.
E.Modify the DB instance and enable encryption.
AnswersC, D

Migrating to a new encrypted instance is another valid method.

Why this answer

The supported ways to encrypt an existing unencrypted RDS instance are to take a snapshot, copy it with encryption, and restore, or to migrate the data into a new encrypted instance. Options C and D are correct. Option E is wrong because you cannot modify an unencrypted instance to add encryption.

Option A is wrong because encryption can be enabled only when a new instance is created. Option B is wrong because SSL does not encrypt at rest.

69
MCQmedium

A company uses Amazon Redshift for data warehousing. The security team requires that all data be encrypted at rest with a customer-managed key, and that the key be rotated every year. Which configuration meets these requirements?

A.Launch the Redshift cluster without encryption and enable encryption later using AWS CloudHSM.
B.Launch the Redshift cluster with encryption enabled using an S3-managed key.
C.Launch the Redshift cluster with encryption enabled using a customer-managed KMS key with automatic annual rotation.
D.Launch the Redshift cluster with encryption enabled using a KMS key and configure the cluster to use an HSM for key storage.
AnswerC

This meets both requirements.

Why this answer

Amazon Redshift supports encryption at rest using a KMS key, and you can enable automatic key rotation on a customer-managed KMS key. Option B is wrong because Redshift does not use S3-managed keys for encryption.

Option D is wrong because an HSM is not required for encryption at rest in Redshift. Option A is wrong because CloudHSM is an alternative but requires manual rotation.

70
MCQmedium

An IAM policy is attached to a role used by an application to access an Amazon RDS for MySQL DB instance. The DB instance is encrypted with a customer-managed KMS key. The application is unable to create a snapshot of the encrypted DB instance. Which missing permission is the most likely cause?

A.kms:ReEncrypt
B.kms:DescribeKey
C.kms:CreateGrant
D.kms:Encrypt
AnswerC

RDS needs kms:CreateGrant to authorize RDS to use the KMS key for snapshot operations.

Why this answer

Option C is correct. To create a snapshot of an encrypted RDS instance, the IAM role needs permission on the KMS key for the kms:CreateGrant action. The policy allows kms:Decrypt and kms:GenerateDataKey but not kms:CreateGrant, which RDS needs in order to use the KMS key on behalf of the user when creating a snapshot.

Options A, B, and D are not required for snapshot creation.

71
MCQeasy

A company has an Amazon S3 bucket that stores database backup files. The backups are encrypted using server-side encryption with AWS KMS (SSE-KMS). The security team wants to ensure that only a specific IAM role can decrypt the backups when restoring the database. Which policy should be attached to the KMS key to achieve this?

A.An S3 bucket policy that grants kms:Decrypt to the IAM role.
B.An S3 bucket policy that grants s3:GetObject to the IAM role.
C.An IAM policy attached to the role that grants kms:Decrypt.
D.A KMS key policy that grants kms:Decrypt to the IAM role.
AnswerD

The KMS key policy controls who can use the key for decryption.

Why this answer

Option D is correct because a KMS key policy can grant the kms:Decrypt permission to a specific IAM role. Option A does not restrict decryption. Option B is an S3 bucket policy, not a KMS key policy.

Option C is an IAM policy on the role, not a KMS key policy.

72
MCQhard

A company is using an Amazon DynamoDB table with a global table configuration across two AWS regions. The security team wants to ensure that all data is encrypted in transit between the regions. What should the team do?

A.Configure an Internet gateway in each region and enforce HTTPS for all traffic.
B.Use AWS CloudFront to route traffic between the regions with SSL/TLS termination.
C.Set up a VPC peering connection between the two regions and route DynamoDB traffic through it.
D.No additional action is required; DynamoDB global tables encrypt all replication traffic in transit by default.
AnswerD

Replication traffic between regions is automatically encrypted.

Why this answer

Option D is correct. Global tables for DynamoDB use the AWS global infrastructure to replicate data across regions, and all replication traffic is automatically encrypted in transit using TLS.

No additional configuration is needed. Option C is incorrect because a VPC peering connection is not required; DynamoDB global tables replicate over the AWS backbone. Option A is incorrect because an Internet gateway is not used for inter-region replication.

Option B is incorrect because CloudFront does not encrypt DynamoDB replication traffic.

73
MCQeasy

A developer needs to grant an IAM user permission to perform automated backups of an Amazon RDS DB instance. Which IAM action should be allowed?

A.rds:BackupDBInstance
B.rds:CreateDBSnapshot
C.rds:RestoreDBInstanceFromDBSnapshot
D.rds:ModifyDBInstance
AnswerB

This action allows creating a manual DB snapshot, which is a common backup method.

Why this answer

Option B is correct because the action that creates a DB snapshot is 'rds:CreateDBSnapshot'. Strictly speaking, that action creates manual snapshots; automated backups are enabled by setting the backup retention period, which requires 'rds:ModifyDBInstance' (Option D). The stem's wording 'automated backups' is therefore imprecise, and the expected answer treats manual snapshot creation as the common backup task.

Option A is wrong because 'rds:BackupDBInstance' is not the action that creates backups. Option C is wrong because that action is for restoring, not creating backups.

74
MCQmedium

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all data be encrypted at rest using a key stored in AWS CloudHSM. What must be done to meet this requirement?

A.Enable RDS encryption at rest using a KMS key backed by CloudHSM.
B.Create an encrypted file system on the RDS instance using CloudHSM.
C.Configure SSL/TLS for the database connection.
D.Use Oracle Transparent Data Encryption (TDE) with CloudHSM as the key store.
AnswerD

RDS Oracle supports TDE with CloudHSM.

Why this answer

Option D is correct because RDS for Oracle supports Transparent Data Encryption (TDE), which can use CloudHSM as the key store. Option A is wrong because RDS at-rest encryption uses KMS, not CloudHSM directly. Option B is wrong because RDS does not support custom encryption directly via CloudHSM.

Option C is wrong because SSL is for data in transit, not at rest.

75
MCQhard

A company wants to audit all SQL queries made to their Amazon RDS for MySQL database. Which AWS service should they use?

A.VPC Flow Logs
B.AWS Config
C.AWS CloudTrail
D.Database Activity Streams
AnswerD

Database Activity Streams provide a near-real-time stream of database activities.

Why this answer

Database Activity Streams (D) is the correct choice because it provides a near-real-time stream of database activity, including all SQL queries, directly from the RDS for MySQL engine. This service integrates with AWS services like Amazon Kinesis and third-party monitoring tools to capture and audit every SQL statement, user login, and schema change at the database engine level, which is essential for comprehensive auditing.

Exam trap

The trap here is that candidates often confuse CloudTrail (which logs AWS API calls) with database-level auditing, failing to recognize that CloudTrail does not capture SQL queries executed inside the database engine.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture IP traffic metadata (source/destination IP, ports, protocol) at the network interface level, not SQL query content or database operations. Option B is wrong because AWS Config records resource configuration changes (e.g., DB instance settings, security group rules) and evaluates compliance, but it does not capture SQL query execution or database-level activity. Option C is wrong because AWS CloudTrail logs API calls made to the RDS service (e.g., CreateDBInstance, ModifyDBInstance) but does not capture SQL queries executed within the database session itself.
