DBS-C01 · topic practice

Database Security practice questions

Practise AWS Certified Database Specialty (DBS-C01) Database Security questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Database Security

What the exam tests

What to know about Database Security

Database Security questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Database Security exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Database Security questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multi select

A company runs an Amazon RDS for MySQL DB instance in a VPC. Security requirements mandate that only specific EC2 instances in the same VPC can connect to the database. The security group attached to the RDS instance currently allows inbound traffic on port 3306 from 0.0.0.0/0. Which combination of steps should a database specialist take to meet the security requirement without impacting existing application connectivity? (Choose two.)

A company uses Amazon DynamoDB with a table that stores sensitive customer data. The security team requires that all data at rest be encrypted using a customer-managed AWS KMS key (CMK). Additionally, the company needs to ensure that only specific IAM roles can access the table. Which solution meets these requirements with the least operational overhead?

Question 3 · easy · multiple choice

A database specialist is troubleshooting a connectivity issue with an Amazon RDS for PostgreSQL instance. The instance is in a VPC with a public subnet. The security group allows inbound traffic on port 5432 from the application server's IP address. The application server is in the same VPC but in a private subnet. Despite the security group configuration, the application cannot connect. Which action should the specialist take to resolve the issue?

A company stores financial data in an Amazon Aurora MySQL DB cluster. The security team requires that database audit logs be stored in Amazon CloudWatch Logs and encrypted at rest using a customer-managed KMS key. The database specialist enables audit log publishing to CloudWatch Logs and specifies a KMS key for log encryption. However, the audit logs are not appearing in CloudWatch Logs. What is the most likely cause?

A company uses Amazon ElastiCache for Redis to cache session data. The security team requires that all data in transit be encrypted. The Redis cluster currently does not have encryption in transit enabled. The database specialist needs to enable encryption in transit with minimal downtime. Which action should the specialist take?

A company uses Amazon RDS for SQL Server with Multi-AZ deployment. The security team wants to ensure that all database connections use SSL/TLS encryption. Which TWO actions should the database specialist take to enforce SSL connections? (Choose two.)

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all data be encrypted at rest using a customer-managed KMS key. Additionally, the database should be accessible only from a specific VPC. Which THREE steps should the database specialist take to meet these requirements? (Choose three.)

A company uses Amazon RDS for MySQL with encryption at rest enabled. The security team mandates that all access to the database must be authenticated using IAM database authentication. The database administrator has created a user 'app_user' and granted appropriate privileges. However, when the application tries to connect using an IAM authentication token, it receives an 'Access denied' error. Which action should be taken to resolve this issue?

Question 9 · easy · multiple choice

A company is designing a multi-tier application that uses Amazon RDS for PostgreSQL. The application must encrypt data at rest and in transit. Which combination of steps should be taken to meet these requirements? (Choose the single best answer.)

A financial services company uses Amazon DynamoDB to store sensitive customer data. The security team requires that all data at rest be encrypted using a customer-managed AWS KMS key (CMK) with automatic rotation enabled. The DynamoDB table was created with the default AWS-managed key. Which steps are necessary to transition to a customer-managed CMK while minimizing downtime and data loss?

Question 11 · medium · multiple choice

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The compliance team requires that all database connections use SSL/TLS and that users authenticate using IAM database authentication. The database migration is completed, but the application team reports that connections using IAM authentication are failing. The company has already enabled IAM database authentication on the RDS instance. What is the most likely cause of the failure?

A company is using Amazon RDS for MySQL with Multi-AZ deployment. The security team wants to ensure that database administrators cannot view sensitive data. Which TWO actions should be taken to achieve this goal?

A company is designing a disaster recovery strategy for an Amazon Aurora MySQL database. The database stores sensitive data that must be encrypted at rest. The primary region is us-east-1, and the secondary region is us-west-2. Which THREE steps are required to set up cross-region replication with encryption at rest?

A security engineer is troubleshooting an issue where an application using IAM role 'app-role' with a trust policy to assume the 'app-user' user is unable to decrypt an RDS database that uses a customer-managed KMS key. The key policy shown in the exhibit is attached to the KMS key. What is the likely cause of the failure?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRoot",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowAppUser",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/app-user"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "rds.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}

Question 15 · medium · multiple choice

A company has a production Amazon RDS for SQL Server database that stores financial data. The database administrator wants to audit all access to sensitive columns (e.g., credit card numbers) using the SQL Server Audit feature. The database is part of a Multi-AZ deployment. The administrator has enabled audit logging to the 'DEFAULT' file audit target, but the audit files are being written to the local instance storage and are not being retained after failover. The compliance team requires that audit logs be stored in Amazon S3 for at least 7 years. The administrator has set up an event subscription to send database events to an S3 bucket using AWS DMS, but the audit logs are not being captured. What should the administrator do to meet the compliance requirements?

A financial services company runs a critical application on Amazon RDS for PostgreSQL with Multi-AZ and automated backups enabled. The database stores sensitive customer data, and the security team recently audited the environment and found that the database master user password is stored in plain text in a configuration file on the application server. Additionally, the security team noted that the database security group allows inbound traffic from 0.0.0.0/0 on port 5432. The company needs to remediate these issues immediately without downtime and must ensure that access to the database is restricted to only the application servers, and that password management follows AWS best practices. The application connects to the database using the master user credentials. What should the database specialist do to meet these requirements?

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all connections to the database be encrypted in transit. Which TWO steps should be taken to enforce this requirement?

Refer to the exhibit. A security engineer has applied this key policy to a customer managed KMS key used to encrypt a Secrets Manager secret containing database credentials. An application running on an Amazon EC2 instance in the same account and region is unable to decrypt the secret. What is the MOST likely cause?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/abc12345-...",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com",
          "kms:CallerAccount": "123456789012"
        }
      }
    }
  ]
}

A company runs an e-commerce application on AWS using an Aurora MySQL database cluster. The security team mandates that all database audit logs must be stored in Amazon S3 for at least one year for compliance. The database is currently configured to publish audit logs to Amazon CloudWatch Logs. The security team wants to use AWS Database Migration Service (DMS) to migrate the database to a new Aurora MySQL cluster, and during the migration, the audit logs must continue to be captured uninterrupted. Which solution meets these requirements with the LEAST operational overhead?

Arrange the steps to troubleshoot a connection timeout issue from an EC2 instance to an Amazon RDS for SQL Server DB instance in the correct order.



Frequently asked questions

What does the DBS-C01 exam test about Database Security?
Database Security questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Database Security questions in a focused session?
Yes — the session launcher on this page draws every question from the Database Security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other DBS-C01 topics?
Use the topic links above to move to related areas, or go back to the DBS-C01 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the DBS-C01 exam covers. They are not copied from any real exam or dump site.