CCNA Db Security Questions

75 of 321 questions · Page 2/5 · Db Security topic · Answers revealed

76
MCQhard

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database contains personally identifiable information (PII). The security team requires that all PII columns be transparently encrypted and that the encryption keys be stored in AWS CloudHSM. Which solution meets these requirements?

A.Enable Amazon RDS encryption at rest using a KMS key and rely on that encryption.
B.Modify the Oracle database to use AWS KMS for column-level encryption.
C.Use Oracle Data Pump to export data with encryption and store the encryption key in AWS Secrets Manager.
D.Use Oracle Transparent Data Encryption (TDE) with AWS CloudHSM as the key store.
AnswerD

Oracle TDE provides transparent column encryption, and CloudHSM can serve as the hardware security module for key storage.

Why this answer

Option D is correct because Oracle TDE encrypts columns (or whole tablespaces) transparently to the application, and its master key can be held in an external HSM key store such as AWS CloudHSM. Option A is wrong because RDS encryption at rest is volume-level encryption with a KMS key; it is not column-level, and the key does not live in CloudHSM. Option B is wrong because Oracle does not use KMS as a column-encryption key store; KMS is an API for envelope encryption, not an Oracle wallet or HSM key store. Option C is wrong because Data Pump encryption protects export dump files, not the columns in the running database, and Secrets Manager stores credentials, not TDE master keys.

Practitioner caveat: the managed TDE option in RDS for Oracle keeps the master key in an RDS-managed Oracle wallet. A CloudHSM key store is the answer the exam expects, but confirm the key-store integration path available for your RDS deployment before designing around it.

77
MCQmedium

A company runs an e-commerce platform on AWS using an Amazon Aurora MySQL database. The database is accessed by multiple microservices, each using a separate database user. The security team recently discovered that a developer accidentally committed database credentials to a public GitHub repository. The credentials were for a user that had write access to the database. The team immediately revoked the credentials and rotated them. However, they want to prevent such incidents from happening again. They need a solution that ensures credentials are not hardcoded in application code, are rotated automatically, and are accessible only to authorized microservices. What should they do?

A.Use IAM database authentication for Aurora and eliminate the use of database passwords.
B.Use AWS Systems Manager Parameter Store to store the credentials and grant access via IAM roles.
C.Use AWS Secrets Manager to store the credentials, configure automatic rotation, and attach a resource-based policy to allow access only from the microservices' IAM roles.
D.Store the credentials in an encrypted S3 bucket and grant access to the microservices via bucket policies.
AnswerC

Secrets Manager provides automatic rotation and fine-grained access control.

Why this answer

Option C is correct. Secrets Manager stores the credentials, rotates them on a schedule with a rotation function (the RDS rotation templates cover Aurora MySQL), and its resource policy together with the microservices' IAM role policies restricts who can call GetSecretValue. Each microservice reads the secret at startup or on a connection error, so no password lives in code or in the repository.

Option A is wrong in the exam's framing: IAM database authentication replaces the stored password with a short-lived token signed from the caller's IAM credentials, but the question asks for a rotation mechanism, and Aurora's IAM authentication has connection-rate limits that make it unsuitable as the only path for busy microservices. Option B is wrong because Parameter Store has no built-in rotation for RDS credentials. Option D is wrong because S3 provides storage and bucket-policy access control, but nothing rotates the secret.
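The control option C describes, as an added example that is not part of the original question set: a Secrets Manager resource policy that admits only the named microservice roles, and a retrieval helper written against a boto3-style client so it can be run offline with the stand-in class below. The ARNs and the secret layout are hypothetical.

```python
"""Added example (not from the original page): a Secrets Manager resource
policy that admits only the microservice roles, and a retrieval helper that
takes a boto3-style client so it can be exercised offline with a stand-in.
The ARNs and the secret layout below are hypothetical."""
import json
from typing import Any

SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/orders-db-AbCdEf"
ORDERS_ROLE = "arn:aws:iam::123456789012:role/orders-service"
BILLING_ROLE = "arn:aws:iam::123456789012:role/billing-service"


def build_resource_policy(secret_arn: str, allowed_role_arns: list[str]) -> dict:
    """Allow GetSecretValue for the listed roles and deny it to everyone else.

    The Deny matters inside the same account: a broad identity policy such as
    secretsmanager:* on Resource "*" would otherwise still reach this secret.
    aws:PrincipalArn carries the role ARN for assumed-role sessions, so the
    condition matches the microservices whatever session name they use.
    """
    roles = sorted(allowed_role_arns)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowMicroserviceRoles",
                "Effect": "Allow",
                "Principal": {"AWS": roles},
                "Action": "secretsmanager:GetSecretValue",
                "Resource": secret_arn,
            },
            {
                "Sid": "DenyAllOtherPrincipals",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": secret_arn,
                "Condition": {"StringNotLike": {"aws:PrincipalArn": roles}},
            },
        ],
    }


def get_db_credentials(client: Any, secret_id: str) -> dict:
    """Read the secret through GetSecretValue and check it has the fields the
    RDS rotation functions maintain, so a malformed secret is caught before
    the application tries to open a connection with it."""
    response = client.get_secret_value(SecretId=secret_id)
    creds = json.loads(response["SecretString"])
    missing = {"username", "password", "host", "port"} - creds.keys()
    if missing:
        raise ValueError(f"secret {secret_id} is missing fields: {sorted(missing)}")
    return creds


class FakeSecretsClient:
    """Offline stand-in for boto3.client('secretsmanager').get_secret_value."""

    def __init__(self, secret_string: str) -> None:
        self.secret_string = secret_string

    def get_secret_value(self, SecretId: str) -> dict:
        return {"ARN": SecretId, "SecretString": self.secret_string}


# Constructed secret value in the layout the RDS rotation templates use.
SAMPLE_SECRET = json.dumps({
    "engine": "mysql",
    "host": "orders.cluster-abc123.us-east-1.rds.amazonaws.com",
    "username": "orders_app",
    "password": "not-a-real-password",
    "dbname": "orders",
    "port": 3306,
})

if __name__ == "__main__":
    print(json.dumps(build_resource_policy(SECRET_ARN, [ORDERS_ROLE, BILLING_ROLE]), indent=2))
    creds = get_db_credentials(FakeSecretsClient(SAMPLE_SECRET), SECRET_ARN)
    print("connect as", creds["username"], "to", creds["host"])
```

One consequence of the Deny statement: the rotation function's execution role must also be in the allowed list, or rotation itself will be refused, so include that role alongside the microservices' roles when you apply the policy.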

78
Multi-Selecthard

A company is using Amazon Redshift and needs to comply with regulatory requirements that mandate encryption of all data at rest and control of the encryption keys. Which THREE steps should be taken? (Choose THREE.)

Select 3 answers
A.Enable automatic key rotation for the KMS key.
B.Configure the cluster to use a customer-managed KMS key.
C.Use AWS CloudHSM to generate and manage encryption keys.
D.Enable encryption on the cluster after creation by modifying the cluster.
E.Create the cluster with encryption enabled using a KMS key.
AnswersA, B, E

Automatic rotation helps meet compliance requirements.

Why this answer

Option E is correct because the cluster must be created with encryption enabled and a KMS key selected. Option B is correct because a customer-managed KMS key gives the company control of the key policy and its lifecycle, which the AWS-managed key does not. Option A is correct because enabling automatic rotation on that key satisfies the key-rotation controls auditors look for.

Option C is wrong because CloudHSM is not required; KMS is the key-control mechanism the exam expects (Redshift can use an HSM for key management, but that is optional). Option D is wrong in the exam's model, which treats encryption as a creation-time choice. In practice Redshift can migrate an unencrypted cluster to an encrypted one through a cluster modification, which copies the data into a new encrypted cluster behind the scenes, so check current documentation before planning a snapshot-and-restore.

79
MCQeasy

A company is using Amazon DynamoDB and wants to ensure that all data is automatically encrypted at rest. What is the default encryption status for a new DynamoDB table?

A.Encryption is optional and can be enabled during table creation.
B.Encryption is disabled by default and must be enabled manually.
C.Encryption is enabled by default using an AWS-owned key.
D.Encryption is enabled by default using a customer-managed key.
AnswerC

Default encryption uses AWS-owned KMS keys.

Why this answer

Option C is correct because every DynamoDB table is encrypted at rest and, unless you choose otherwise, the key is an AWS-owned key that does not appear in your account. Option A is wrong because encryption is not optional; what you choose at creation (or later, with UpdateTable) is which key type to use: AWS-owned, the AWS-managed key aws/dynamodb, or a customer-managed key. Option B is wrong because encryption cannot be disabled.

Option D is wrong because a customer-managed key must be selected explicitly and incurs KMS charges; it is not the default.

80
MCQeasy

A company wants to store database credentials for an Amazon RDS instance securely. Which AWS service should be used to rotate the credentials automatically?

A.AWS Secrets Manager
B.AWS CloudHSM
C.AWS Systems Manager Parameter Store
D.AWS IAM roles
AnswerA

Secrets Manager supports automatic rotation for RDS databases.

Why this answer

Option A is correct because Secrets Manager can rotate RDS credentials on a schedule using a rotation function. Option C is wrong because Parameter Store stores SecureString parameters but has no native rotation for RDS credentials. Option D is wrong because IAM roles are identities that carry permissions; they do not store or rotate a database password.

Option B is wrong because CloudHSM is a hardware key store for cryptographic keys, not a credential store.

81
MCQhard

A company has an Amazon DynamoDB table with a global secondary index (GSI). The security team wants to ensure that only certain attributes are returned in query results based on the IAM policy of the calling user. What is the most secure and scalable approach?

A.Use an AWS Lambda function as a middleware to filter attributes before returning results.
B.Create multiple global secondary indexes that include only the allowed attributes for each user group.
C.Use IAM condition keys with 'dynamodb:Attributes' to restrict access to specific attributes.
D.Create a VPC endpoint for DynamoDB and attach a bucket policy that limits attribute access.
AnswerC

IAM policies can limit which attributes a caller is allowed to request.

Why this answer

Option C is correct. The dynamodb:Attributes condition key, combined with ForAllValues:StringEquals, makes IAM reject any read request that names an attribute outside the allowed list, and pairing it with dynamodb:Select set to SPECIFIC_ATTRIBUTES stops the caller from asking for the whole item. The practical caveat is that IAM does not filter results: a request that projects a disallowed attribute is denied outright, so each caller must use a ProjectionExpression limited to what its policy allows.

Option A is incorrect because a Lambda middleware adds latency and a second enforcement point that can drift from the policy; DynamoDB does not provide column-level security through Lambda. Option B is incorrect because creating one GSI per user group multiplies storage and write costs and does not scale. Option D is incorrect because a VPC endpoint controls the network path, not attribute visibility, and bucket policies belong to S3, not DynamoDB.
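The policy option C describes, as an added example that is not part of the original question set: the attribute-scoped read policy, a helper that turns a ProjectionExpression into the attribute names IAM sees, and a local check that mirrors the documented ForAllValues set semantics. The table ARN and attribute names are hypothetical, and the check is a simulation of IAM's rule, not a call into IAM.

```python
"""Added example (not from the original page): the attribute-level DynamoDB
policy the question refers to, plus a local check that mirrors how IAM's
ForAllValues set operator treats dynamodb:Attributes. The table ARN and
attribute names are hypothetical; the check simulates documented IAM
semantics and does not call IAM."""
import re
from typing import Optional

TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/Customers"
SUPPORT_READ_ATTRIBUTES = ["customer_id", "display_name", "tier"]  # no ssn, no card_token


def attribute_scoped_read_policy(table_arn: str, allowed_attributes: list[str]) -> dict:
    """Read-only policy satisfied only when every attribute the caller names
    is in allowed_attributes. The Select condition closes the hole where a
    caller omits ProjectionExpression and asks for ALL_ATTRIBUTES."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadOnlyAllowedAttributes",
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem",
                       "dynamodb:Query", "dynamodb:Scan"],
            "Resource": [table_arn, f"{table_arn}/index/*"],
            "Condition": {
                "ForAllValues:StringEquals": {"dynamodb:Attributes": sorted(allowed_attributes)},
                "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
            },
        }],
    }


def projection_names(projection_expression: str,
                     expression_attribute_names: Optional[dict] = None) -> set:
    """Expand a ProjectionExpression such as "#n, tier" into the top-level
    attribute names the request carries (placeholders resolved; a nested
    path such as address.city counts as its top-level attribute)."""
    names = set()
    for raw in re.split(r"\s*,\s*", projection_expression.strip()):
        top = raw.split(".")[0].split("[")[0]
        names.add((expression_attribute_names or {}).get(top, top))
    return names


def for_all_values_passes(requested: set, allowed: list[str]) -> bool:
    """IAM's ForAllValues rule: true when every requested value is in the
    allowed list, and also true when the request carries no values at all
    (which is why the policy also needs the dynamodb:Select condition).
    A failure means AccessDenied; IAM never strips the offending attributes."""
    return requested <= set(allowed)


if __name__ == "__main__":
    for expr in ("customer_id, tier", "customer_id, ssn", ""):
        wanted = projection_names(expr) if expr else set()
        verdict = "allowed" if for_all_values_passes(wanted, SUPPORT_READ_ATTRIBUTES) else "AccessDenied"
        print(f"ProjectionExpression={expr!r}: {verdict}")
```

The third case in the usage loop is the one to remember: an empty attribute list passes the ForAllValues condition, so without the Select condition a caller could read whole items simply by not projecting anything.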

82
Multi-Selectmedium

A security engineer needs to restrict access to an Amazon DynamoDB table so that only users from a specific AWS account can read and write data. Which of the following can be used to achieve this? (Choose TWO.)

Select 2 answers
A.Use a VPC endpoint policy for DynamoDB.
B.Use a resource-based policy on the DynamoDB table.
C.Use an IAM policy with a condition key such as 'aws:SourceAccount'.
D.Use a security group to restrict access to the DynamoDB table.
E.Use an S3 bucket policy to allow access to the DynamoDB table.
AnswersA, C

VPC endpoint policies can restrict access to DynamoDB resources.

Why this answer

Options A and C are correct. An IAM policy with an account condition restricts access to requests from the intended account; note that aws:SourceAccount applies to requests made by AWS services on your behalf, while the key that identifies the calling principal's account is aws:PrincipalAccount. A VPC endpoint policy for DynamoDB can likewise restrict which principals and which tables are reachable through the endpoint.

Option B is marked incorrect because, when this question was written, DynamoDB did not support resource-based policies; they were added in 2024, so in current practice a table policy is a valid additional control. Option E is incorrect because an S3 bucket policy governs S3 objects, not DynamoDB. Option D is incorrect because security groups apply to network interfaces, and DynamoDB is a regional service reached through a public endpoint or a gateway endpoint, not through an ENI in your VPC.

83
MCQeasy

A company is using Amazon DynamoDB to store user session data. The security team requires that all access to the table be authenticated and authorized using AWS IAM. Which mechanism should the developer use to achieve this?

A.Create a VPC endpoint for DynamoDB and allow only traffic from the VPC.
B.Use Amazon Cognito identity pools to grant access to the DynamoDB table.
C.Use IAM policies to grant permissions to the DynamoDB table.
D.Use a DynamoDB resource-based policy to restrict access.
AnswerC

IAM is the native authentication/authorization for DynamoDB.

Why this answer

Option C is correct because DynamoDB authenticates every request with SigV4 and authorizes it with IAM policies. Option B is wrong because Cognito identity pools authenticate end users; the DynamoDB access they grant still flows through IAM roles, so it is not the direct mechanism the question asks for. Option A is wrong because a VPC endpoint constrains the network path but does not authenticate the caller.

Option D is wrong in the exam's model, which predates DynamoDB resource-based policies (added in 2024); IAM identity policies remain the primary authorization mechanism.

84
Multi-Selectmedium

A company is using Amazon Aurora MySQL and needs to audit database logins. Which of the following can be used to capture login events? (Choose TWO.)

Select 2 answers
A.VPC Flow Logs
B.Database Activity Streams
C.Enhanced Monitoring
D.AWS CloudTrail
E.Aurora MySQL audit plugin
AnswersB, E

DAS captures database activity including logins.

Why this answer

Options B and E are correct. Database Activity Streams capture connection events along with queries and push them to a Kinesis data stream. The Aurora MySQL advanced audit feature (server_audit_logging set to 1 with CONNECT in server_audit_events) records each successful and failed connection with the user, source host and return code.

Option D is incorrect because CloudTrail records RDS control-plane API calls, not database logins. Option C is incorrect because Enhanced Monitoring reports OS-level metrics. Option A is incorrect because VPC Flow Logs show TCP flows to port 3306, not who authenticated.
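What a detection engineer would do with the audit plugin's output, as an added example that is not part of the original question set: parse Aurora MySQL advanced audit lines and flag sources that repeatedly fail to log in. The log lines are constructed to follow the documented comma-separated layout; hosts and user names are fictitious.

```python
"""Added example (not from the original page): parse Aurora MySQL advanced
audit log lines and flag sources that repeatedly fail to log in. The lines
below are constructed to match the documented layout
(timestamp,serverhost,username,host,connectionid,queryid,operation,
database,object,retcode); hosts and names are fictitious."""
import csv
from collections import Counter
from datetime import datetime, timezone

FIELDS = ["timestamp", "serverhost", "username", "host", "connectionid",
          "queryid", "operation", "database", "object", "retcode"]

# Constructed sample: one healthy application login, a burst of failures from
# 203.0.113.9 trying two accounts, and a single failure from another host.
SAMPLE_AUDIT_LOG = """\
1700000000000000,aurora-orders-1,orders_app,10.0.1.15,101,0,CONNECT,orders,,0
1700000001500000,aurora-orders-1,admin,203.0.113.9,102,0,CONNECT,,,1045
1700000002000000,aurora-orders-1,admin,203.0.113.9,103,0,CONNECT,,,1045
1700000002400000,aurora-orders-1,root,203.0.113.9,104,0,CONNECT,,,1045
1700000003000000,aurora-orders-1,orders_app,10.0.1.15,101,7,QUERY,orders,'SELECT id FROM orders WHERE status = 1',0
1700000004000000,aurora-orders-1,reporting,198.51.100.7,105,0,CONNECT,,,1045
1700000005000000,aurora-orders-1,orders_app,10.0.1.15,101,0,DISCONNECT,orders,,0
"""


def parse_audit_log(text: str) -> list[dict]:
    """Turn raw audit lines into dicts. The object field (query text) is
    single-quoted in the log, so the csv reader is told to use that quote."""
    events = []
    for row in csv.reader(text.splitlines(), quotechar="'"):
        if len(row) != len(FIELDS):
            continue  # skip truncated or continuation lines
        event = dict(zip(FIELDS, row))
        micros = int(event["timestamp"])  # Unix time in microseconds
        event["time"] = datetime.fromtimestamp(micros / 1_000_000, tz=timezone.utc)
        event["retcode"] = int(event["retcode"])
        events.append(event)
    return events


def login_events(events: list[dict]) -> list[dict]:
    return [e for e in events if e["operation"] == "CONNECT"]


def failed_logins_by_source(events: list[dict]) -> Counter:
    """Source host -> number of CONNECT events with a non-zero return code
    (1045 is MySQL's access-denied error)."""
    return Counter(e["host"] for e in login_events(events) if e["retcode"] != 0)


def suspicious_sources(events: list[dict], threshold: int = 3) -> list[str]:
    """Hosts at or above the failure threshold, worst first."""
    return [host for host, n in failed_logins_by_source(events).most_common() if n >= threshold]


def usernames_tried(events: list[dict], host: str) -> set:
    """Accounts a given source attempted, useful for spotting spraying."""
    return {e["username"] for e in login_events(events) if e["host"] == host}


if __name__ == "__main__":
    evts = parse_audit_log(SAMPLE_AUDIT_LOG)
    for host in suspicious_sources(evts):
        print(f"{host}: {failed_logins_by_source(evts)[host]} failed logins, accounts {sorted(usernames_tried(evts, host))}")
```

For production use the same parser runs over lines pulled from the CloudWatch Logs audit stream, and the threshold is applied per sliding window rather than per file.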

85
MCQmedium

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security policy requires that all connections to the database use SSL/TLS. What should the database administrator do to meet this requirement?

A.Download the RDS certificate bundle and set the 'rds.force_ssl' parameter to 1 in the DB parameter group.
B.Enable IAM database authentication for the DB instance.
C.Modify the DB instance security group to only allow traffic on port 443.
D.Set the DB instance to be publicly accessible and use a VPN connection.
AnswerA

This enforces SSL connections to the database.

Why this answer

Option A is correct per the answer key: install the RDS CA bundle on the clients and require TLS at the database so unencrypted sessions are rejected. Note that for RDS for Oracle the real mechanism is the SSL option in the instance's option group (with the SQLNET.SSL_VERSION and SQLNET.CIPHER_SUITE settings) and an Oracle wallet or truststore on the client; rds.force_ssl is the parameter for RDS for PostgreSQL and SQL Server, and the MySQL-family engines use require_secure_transport.

Option C is incorrect because a security group filters TCP ports and cannot require TLS on the session; Oracle also does not listen on 443. Option B is incorrect because IAM database authentication is not available for Oracle and in any case does not enforce TLS. Option D is incorrect because making the instance publicly accessible widens the attack surface, and a VPN encrypts the tunnel, not the database session.

86
MCQhard

A company uses Amazon DynamoDB with a global secondary index (GSI) and client-side encryption using the AWS Encryption SDK. The security team requires that the partition key and sort key be searchable by the application but not stored in plaintext in the table. Which approach should be taken?

A.Encrypt the entire item client-side and use a secondary index on the encrypted keys.
B.Use server-side encryption with a KMS key and enable DynamoDB Streams to decrypt on read.
C.Use client-side encryption to encrypt only the non-key attributes, leaving the partition and sort keys in plaintext.
D.Use DynamoDB encryption at rest with a customer-managed KMS key.
AnswerC

This allows querying on keys while encrypting sensitive data.

Why this answer

Option C is correct per the answer key: client-side encryption (the AWS Encryption SDK, or the DynamoDB-aware AWS Database Encryption SDK) encrypts the sensitive non-key attributes while the partition and sort keys stay in plaintext so Query and GetItem still work. Read the question carefully, though: as written it asks for keys that are searchable but not stored in plaintext, which plaintext keys do not satisfy. The DynamoDB encryption clients never encrypt primary key attributes (they sign them), so the usual way to get equality lookups without plaintext is to store a keyed hash (an HMAC blind index) of the key value as the table key.

Option A is wrong because encrypting the entire item with a randomized cipher makes the keys unqueryable, and a GSI on ciphertext does not help. Option B is wrong because server-side encryption is transparent to readers and DynamoDB Streams cannot decrypt anything on read. Option D is wrong because encryption at rest with a customer-managed key still encrypts the whole table at the storage layer; it is not selective, and the keys remain plaintext to anyone with read permission.
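The blind-index approach mentioned above, as an added example that is not part of the original question set: a keyed HMAC of the sensitive key value replaces it as the partition key, which keeps equality lookups working while the plaintext never reaches the table. The item, the candidate e-mail list and the index key are constructed; in practice the index key would be a KMS-protected data key, and the non-key attributes would go through the client-side encryptor, which this helper does not do.

```python
"""Added example (not from the original page): a keyed blind index that lets
an application look up a DynamoDB item by a sensitive key value without
storing that value in plaintext. The item and candidate list are constructed;
the index key would come from KMS in practice."""
import hashlib
import hmac
import secrets
from typing import Callable, Optional

INDEX_KEY = secrets.token_bytes(32)  # per-table secret; in practice a KMS data key


def normalize(value: str) -> str:
    """Canonical form so "Alice@Example.com " and "alice@example.com" match."""
    return value.strip().lower()


def blind_index(index_key: bytes, value: str) -> str:
    """Deterministic HMAC-SHA256 of the normalized value. Equal inputs give
    equal outputs, so GetItem/Query on the partition key still work, but
    without index_key nobody can recompute or dictionary-attack it."""
    return hmac.new(index_key, normalize(value).encode(), hashlib.sha256).hexdigest()


def naive_hash_index(value: str) -> str:
    """What people reach for first: an unkeyed hash. Deterministic too, but
    anyone can hash a guess and compare, so low-entropy keys such as e-mail
    addresses are recovered by dictionary."""
    return hashlib.sha256(normalize(value).encode()).hexdigest()


def prepare_item(index_key: bytes, item: dict, key_attr: str) -> dict:
    """Replace the sensitive key attribute with its blind index under "pk".
    The remaining attributes are left for the client-side encryptor."""
    out = dict(item)
    out["pk"] = blind_index(index_key, out.pop(key_attr))
    return out


def lookup_key(index_key: bytes, value: str) -> dict:
    """Key to pass to GetItem for a given plaintext value."""
    return {"pk": blind_index(index_key, value)}


def dictionary_attack(target: str, index_fn: Callable[[str], str],
                      candidates: list[str]) -> Optional[str]:
    """Model of an attacker with the table contents but not the index key."""
    for candidate in candidates:
        if index_fn(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    stored = prepare_item(INDEX_KEY, {"customer_email": "Alice@Example.com", "tier": "gold"}, "customer_email")
    guesses = ["bob@example.com", "alice@example.com"]
    print("stored item:", stored)
    print("naive hash recovered:", dictionary_attack(naive_hash_index("alice@example.com"), naive_hash_index, guesses))
    print("blind index recovered:", dictionary_attack(stored["pk"], naive_hash_index, guesses))
```

Two limits to keep in mind: a deterministic index still reveals which items share the same key value (frequency), and an HMAC'd sort key supports equality only, never range queries. The AWS Database Encryption SDK's searchable-encryption beacons are the packaged form of this idea, using truncated HMACs to trade some false positives for less leakage.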

87
MCQeasy

A database administrator needs to audit all SQL statements executed on an Amazon RDS for PostgreSQL DB instance. Which service should be used to capture and log the SQL statements?

A.AWS CloudTrail
B.AWS Config
C.Amazon Inspector
D.Amazon RDS for PostgreSQL database activity streams
AnswerD

Database activity streams provide a near real-time stream of database activities including SQL statements.

Why this answer

Option D is correct. RDS for PostgreSQL supports database activity streams, which push a near real-time, KMS-encrypted feed of SQL statements to an Amazon Kinesis data stream for consumption by Kinesis Data Firehose, Lambda or a SIEM (the pgaudit extension with log export to CloudWatch Logs is the other common approach). The other options do not capture SQL statements: CloudTrail records RDS API calls, Config records resource configuration changes, and Inspector is for vulnerability assessment.

88
MCQeasy

A company is using Amazon RDS for MySQL with encryption at rest enabled. The security team wants to ensure that the database backups stored in Amazon S3 are also encrypted using a customer-managed KMS key. What should be done to meet this requirement?

A.Create a new KMS key and specify it when creating the DB instance to encrypt backups differently.
B.No additional action is required; RDS automatically uses the same KMS key for backups.
C.Modify the DB instance to enable backup encryption using a new KMS key.
D.Enable default encryption on the S3 bucket where backups are stored.
AnswerB

RDS automatically encrypts backups with the same key.

Why this answer

The correct answer is B because RDS encrypts automated backups, manual snapshots and read replicas with the same KMS key as the DB instance; if the instance uses a customer-managed key, so do its backups. Option A is incorrect because backups cannot be assigned a different key from the instance. Option C is incorrect because there is no separate backup-encryption setting to enable.

Option D is incorrect because RDS backup storage is managed by the service; it is not a customer-visible S3 bucket. Two caveats: if the instance was encrypted with the AWS-managed key aws/rds rather than a customer-managed key, you must copy the snapshot to re-encrypt it under your key, and a snapshot copied to another Region needs a key in that Region.

89
MCQhard

A financial services company uses Amazon DynamoDB to store sensitive customer data. The security team requires that all data at rest be encrypted using a customer-managed AWS KMS key (CMK) with automatic rotation enabled. The DynamoDB table was created with the default AWS-managed key. Which steps are necessary to transition to a customer-managed CMK while minimizing downtime and data loss?

A.Modify the DynamoDB table to update the encryption key to the new CMK using the AWS Console.
B.Export the table data to Amazon S3, create a new DynamoDB table with the new CMK, import the data, and update the application to use the new table.
C.Disable encryption at rest, then re-enable it with the new CMK.
D.Update the KMS key policy to grant DynamoDB access to the new CMK, then rotate the key.
AnswerA

DynamoDB lets you change a table's encryption key in place; no export or table recreation is needed.

Why this answer

Option A is correct because DynamoDB supports switching an existing table between the AWS-owned key, the AWS-managed key aws/dynamodb and a customer-managed key at any time, through the console or UpdateTable with an SSESpecification. The table stays available for reads and writes while the change is applied, so there is no downtime and no data to migrate. Automatic rotation is then enabled on the customer-managed key in KMS; the table does not need to be touched again.

Exam trap

The trap is assuming that, as with RDS and Redshift, encryption settings are fixed at creation and a new resource is needed. For DynamoDB that is not the case, and the export/recreate workflow in option B introduces a cutover, double storage and a window in which writes to the old table are lost.

How to eliminate wrong answers

Option B is wrong because it adds downtime or dual-write complexity and data-loss risk for a change the service performs in place. Option C is wrong because encryption at rest cannot be disabled on a DynamoDB table. Option D is wrong because a key policy grants access to a key and rotation creates new key material behind the same key ID; neither changes which key the table uses.
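The in-place key switch and the verification step, as an added example that is not part of the original question set. The boto3 calls are made through an injected client so the code runs offline with the stand-in class below; the table name and key ARNs are hypothetical.

```python
"""Added example (not from the original page): switch a DynamoDB table to a
customer-managed KMS key in place and verify the result from DescribeTable.
The client is injected so the code runs offline with the stand-in below;
table name and key ARNs are hypothetical."""
from typing import Any, Optional

CMK_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
AWS_MANAGED_DYNAMODB_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # alias aws/dynamodb


def sse_specification(key_arn: str) -> dict:
    """UpdateTable parameters: SSEType KMS with an explicit key selects a
    customer-managed key; omitting KMSMasterKeyId would select aws/dynamodb."""
    return {"Enabled": True, "SSEType": "KMS", "KMSMasterKeyId": key_arn}


def switch_to_customer_key(client: Any, table_name: str, key_arn: str) -> dict:
    """Apply the key change and return what DescribeTable reports afterwards."""
    client.update_table(TableName=table_name, SSESpecification=sse_specification(key_arn))
    return client.describe_table(TableName=table_name)["Table"].get("SSEDescription", {})


def encryption_status(sse_description: dict, expected_key_arn: str) -> str:
    """Classify DescribeTable output.

    No SSEDescription at all means the AWS-owned key. SSEType KMS covers both
    the AWS-managed key aws/dynamodb and a customer-managed key, so the ARN
    has to be compared; Status reads UPDATING briefly after the switch."""
    if not sse_description:
        return "aws-owned-key"
    if sse_description.get("SSEType") != "KMS":
        return "unexpected:" + str(sse_description.get("SSEType"))
    if sse_description.get("KMSMasterKeyArn") != expected_key_arn:
        return "other-kms-key"
    return "customer-key:" + sse_description.get("Status", "UNKNOWN").lower()


class FakeDynamoDBClient:
    """Offline stand-in for the two boto3 calls used above."""

    def __init__(self, sse_description: Optional[dict] = None) -> None:
        self.sse_description = sse_description

    def update_table(self, TableName: str, SSESpecification: dict) -> dict:
        self.sse_description = {
            "Status": "UPDATING",
            "SSEType": SSESpecification["SSEType"],
            "KMSMasterKeyArn": SSESpecification["KMSMasterKeyId"],
        }
        return {"TableDescription": {"TableName": TableName}}

    def describe_table(self, TableName: str) -> dict:
        table = {"TableName": TableName}
        if self.sse_description:
            table["SSEDescription"] = dict(self.sse_description)
        return {"Table": table}


if __name__ == "__main__":
    client = FakeDynamoDBClient()  # replace with boto3.client("dynamodb") for real use
    before = client.describe_table(TableName="Customers")["Table"].get("SSEDescription", {})
    print("before:", encryption_status(before, CMK_ARN))
    print("after: ", encryption_status(switch_to_customer_key(client, "Customers", CMK_ARN), CMK_ARN))
```

A compliance check should poll until the status is customer-key:enabled rather than accepting the UPDATING state, and should compare ARNs, since an SSEType of KMS alone is also what the AWS-managed key reports.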

90
MCQmedium

A database administrator needs to audit all SQL statements executed on an Amazon RDS for Oracle DB instance. The audit logs must be stored in Amazon S3 for long-term retention and analysis with Amazon Athena. Which solution meets these requirements?

A.Enable Enhanced Monitoring on the RDS instance and publish logs to CloudWatch Logs.
B.Configure Oracle's unified auditing and stream audit logs to CloudWatch Logs, then export to S3.
C.Enable AWS CloudTrail to capture RDS API calls and store them in S3.
D.Enable detailed billing reports and configure them to include database queries.
AnswerB

Unified auditing captures SQL statements and can be streamed to S3.

Why this answer

Option B is correct because Oracle unified auditing records SQL statements inside the database; RDS for Oracle can publish the audit trail to CloudWatch Logs, and from there a subscription filter or an export task delivers the records to S3, where Athena can query them. Option A is wrong because Enhanced Monitoring provides OS metrics, not SQL audit records. Option C is wrong because CloudTrail captures RDS API calls, not SQL statements.

Option D is wrong because billing reports contain cost data, not query text.

91
MCQmedium

Refer to the exhibit. An IAM policy is attached to a user. What is the effect when the user attempts to delete the RDS DB instance named 'prod-db'?

A.The user can delete any other instance except 'prod-db'.
B.The user can delete the instance because the Deny statement only applies to snapshots.
C.The user cannot delete the instance because of the explicit Deny statement.
D.The user can delete the instance because of the Allow on DescribeDBInstances.
AnswerC

Explicit Deny overrides Allow.

Why this answer

The policy explicitly denies rds:DeleteDBInstance on the prod-db resource. IAM evaluates in a fixed order: an explicit Deny always wins, then a matching Allow, and anything else is an implicit deny. So however many Allow statements the policy contains, the user cannot delete prod-db.

Option A is wrong because it describes what the user may do to other instances, not the effect on prod-db, which is what the question asks. Option B is wrong because the Deny names the DB instance, not its snapshots. Option D is wrong because an Allow on rds:DescribeDBInstances covers a different action, and no Allow overrides an explicit Deny in any case.

92
MCQeasy

A company wants to encrypt an existing unencrypted Amazon RDS for PostgreSQL DB instance. What is the correct procedure?

A.Take a snapshot of the instance, create an encrypted copy of the snapshot, and restore the encrypted snapshot to a new DB instance.
B.Take a snapshot of the instance and restore it with encryption enabled.
C.Modify the DB instance and enable encryption in the RDS console.
D.Create a read replica of the instance and enable encryption on the replica.
AnswerA

This is the standard procedure to migrate to an encrypted instance.

Why this answer

Option A is correct because encryption at rest is fixed when an RDS instance is created; the only path is a snapshot, an encrypted copy of that snapshot (this is where the KMS key is chosen), and a restore to a new instance, followed by repointing clients and, if needed, replaying changes written during the cutover. Option C is wrong because the modify operation cannot enable encryption on an existing instance. Option B is wrong because restoring an unencrypted snapshot cannot add encryption; the copy step is what encrypts it.

Option D is wrong because an encrypted read replica cannot be created from an unencrypted primary, and a replica would not encrypt the primary in any case.

93
MCQhard

A database administrator has the IAM policy shown in the exhibit. Which action will be allowed by this policy?

A.Modify the prod-db instance.
B.Create a snapshot of the prod-db instance.
C.Delete the prod-db instance.
D.Describe all DB instances in the account.
AnswerB

Explicitly allowed.

Why this answer

Option B is correct. The policy explicitly allows rds:CreateDBSnapshot on the prod-db resource. Option A is blocked by an explicit Deny.

Options C and D are not granted by any statement, so they fall to the implicit deny.

94
Multi-Selecthard

A company uses Amazon Aurora MySQL-Compatible Edition. The security team wants to implement database activity streams to monitor database activity. Which THREE statements are true about Aurora database activity streams?

Select 3 answers
A.Activity streams can be started and stopped without restarting the database.
B.Activity streams are encrypted using a KMS key.
C.Activity streams automatically mask sensitive data in the logs.
D.Activity streams only capture DDL statements, not DML or SELECT.
E.Activity streams publish database activity to CloudWatch Logs and Kinesis Firehose.
AnswersA, B, E

Activity streams are started via the RDS console or API and do not require a restart.

Why this answer

Options A, B and E are correct. Activity streams can be started and stopped through the RDS console or API (A). They are encrypted with a KMS key that you specify, and consumers need kms:Decrypt on that key (B). They publish to a Kinesis data stream from which Kinesis Data Firehose, Lambda or a SIEM can read (E); strictly, the stream target is Kinesis Data Streams rather than CloudWatch Logs, so treat option E's wording loosely.

Option D is wrong because activity streams capture DDL, DML and SELECT statements, plus connection events. Option C is wrong because activity streams do not mask data; statement text appears as executed, so any secret embedded in a statement ends up in the stream.

95
MCQhard

A company needs to comply with PCI DSS requirements for an Amazon RDS for Oracle DB instance. The requirements include encryption of sensitive data at rest and in transit, and automated key rotation. Which combination of services and configurations should be used? (Select THREE.)

A.Use AWS CloudHSM to generate and store encryption keys.
B.Enable encryption at rest on the RDS instance using AWS KMS.
C.Use AWS Secrets Manager to automatically rotate database credentials.
D.Enable SSL/TLS for connections to the database.
E.Enable VPC Flow Logs to audit database connections.
AnswerB, C, D

Encryption at rest is required for PCI DSS.

Why this answer

Options B, C and D are correct. Option B enables encryption at rest with KMS, which can rotate the key automatically. Option D enables TLS so data is protected in transit. Option C uses Secrets Manager to rotate database credentials on a schedule, the other rotation requirement PCI DSS assessors ask about.

Option A is wrong because CloudHSM is not required for key rotation; KMS can rotate keys automatically. Option E is wrong because VPC Flow Logs provide network-level audit data, not encryption.

96
MCQhard

A security team needs to grant an IAM user permission to modify only the 'db_secrets' secret in AWS Secrets Manager. Which IAM policy statement is correct?

A.{ 'Effect': 'Allow', 'Action': 'secretsmanager:UpdateSecret', 'Resource': '*' }
B.{ 'Effect': 'Allow', 'Action': 'secretsmanager:*', 'Resource': '*' }
C.{ 'Effect': 'Allow', 'Action': 'secretsmanager:PutSecretValue', 'Resource': 'arn:aws:secretsmanager:us-east-1:123456789012:secret:*' }
D.{ 'Effect': 'Allow', 'Action': 'secretsmanager:PutSecretValue', 'Resource': 'arn:aws:secretsmanager:us-east-1:123456789012:secret:db_secrets-??????' }
AnswerD

This restricts to the specific secret and allows PutSecretValue.

Why this answer

Option D is correct because it names the exact secret ARN. Secrets Manager appends a random six-character suffix to every secret ARN, so the pattern db_secrets-?????? matches that one secret and nothing else; a looser db_secrets* would also match a secret named db_secrets_prod. Option A allows UpdateSecret on every secret. Option B allows every Secrets Manager action on every secret.

Option C allows PutSecretValue on every secret in the account and Region.
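The IAM evaluation rules behind questions 91, 93 and 96, as an added example that is not part of the original question set: a small simulation of the decision order (explicit Deny, then Allow, otherwise implicit deny) with the * and ? wildcards IAM accepts in Action and Resource. The policy below is constructed for illustration; it is not the exhibit those questions refer to, which is not on this page. Conditions are not modelled.

```python
"""Added example (not from the original page), covering questions 91, 93 and
96: a simulation of IAM's decision order (explicit Deny, then Allow, otherwise
implicit deny) with the * and ? wildcards used in Action and Resource. The
policy is constructed; it is not the missing exhibit. Conditions are not
modelled."""
import re

PROD_DB_ARN = "arn:aws:rds:us-east-1:123456789012:db:prod-db"
DEV_DB_ARN = "arn:aws:rds:us-east-1:123456789012:db:dev-db"
SECRET_ARN_PREFIX = "arn:aws:secretsmanager:us-east-1:123456789012:secret:"


def iam_match(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """IAM wildcards: * matches any run of characters, ? exactly one.
    Action names compare case-insensitively; resource ARNs do not."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.fullmatch(regex, value, re.IGNORECASE if case_insensitive else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_applies(statement: dict, action: str, resource: str) -> bool:
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    return (any(iam_match(a, action, True) for a in actions)
            and any(iam_match(r, resource) for r in resources))


def evaluate(policies: list[dict], action: str, resource: str) -> str:
    """Returns 'Deny', 'Allow' or 'ImplicitDeny'. An explicit Deny anywhere
    wins regardless of how many Allow statements also match."""
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not statement_applies(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# Constructed policy in the spirit of questions 91 and 93: broad read and
# snapshot rights, deletion of the dev instance, and a hard Deny on prod-db.
DBA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["rds:Describe*", "rds:CreateDBSnapshot"], "Resource": "*"},
        {"Effect": "Allow", "Action": "rds:DeleteDBInstance", "Resource": DEV_DB_ARN},
        {"Effect": "Deny", "Action": ["rds:DeleteDBInstance", "rds:ModifyDBInstance"], "Resource": PROD_DB_ARN},
    ],
}

if __name__ == "__main__":
    for action, arn in [("rds:DeleteDBInstance", PROD_DB_ARN), ("rds:CreateDBSnapshot", PROD_DB_ARN),
                        ("rds:DeleteDBInstance", DEV_DB_ARN), ("rds:RebootDBInstance", DEV_DB_ARN)]:
        print(f"{action} on {arn.rsplit(':', 1)[1]}: {evaluate([DBA_POLICY], action, arn)}")
    # Question 96: the six ? characters pin the random suffix of one secret.
    exact = SECRET_ARN_PREFIX + "db_secrets-??????"
    print(iam_match(exact, SECRET_ARN_PREFIX + "db_secrets-AbCdEf"),
          iam_match(exact, SECRET_ARN_PREFIX + "db_secrets_prod-AbCdEf"))
```

The real IAM engine also folds in service control policies, permission boundaries, session policies and resource policies, but the precedence shown here (explicit Deny beats everything) is the same at every layer.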

97
MCQhard

A company uses Amazon RDS for SQL Server with Multi-AZ deployment. The security team has mandated that all connections to the database must use SSL/TLS. The database is accessed by multiple applications running on EC2 instances. Which configuration ensures that all connections use SSL/TLS?

A.Modify the DB instance by enabling the 'Require SSL' option in the RDS console.
B.Set the parameter rds.force_ssl to 1 in the DB parameter group and revoke permissions from users that do not use SSL.
C.Set the parameter rds.force_ssl to 1 in the DB parameter group.
D.Configure the applications to use a certificate from a trusted certificate authority and connect using SSL.
AnswerB

This combination ensures that all connections must use SSL, providing complete enforcement.

Why this answer

Option B is correct per the answer key: set rds.force_ssl to 1 in the DB parameter group so the instance rejects unencrypted connections (for SQL Server this parameter is static, so the instance must be rebooted for it to take effect), then audit database logins so that any principal still trying to connect without TLS is cleaned up. Option A is wrong because there is no 'Require SSL' toggle on the instance; the parameter group controls this.

Option D is wrong because RDS supplies the server certificate; clients only need to trust the RDS CA bundle and request encryption. Option C is wrong only in the exam's framing: the parameter alone does force TLS for every new connection, and revoking non-SSL users is the extra step the question counts as complete enforcement. After the change, verify with sys.dm_exec_connections, whose encrypt_option column reads TRUE for encrypted sessions.

98
MCQeasy

A developer retrieved a database secret using the AWS CLI as shown. What is the MOST secure way to store and rotate this secret?

A.Store the secret in AWS Secrets Manager and enable automatic rotation with a Lambda function.
B.Store the secret in AWS Systems Manager Parameter Store as a SecureString.
C.Store the secret in a configuration file on the EC2 instance.
D.Use the secret as-is and change it manually every 90 days.
AnswerA

Secrets Manager handles rotation securely.

Why this answer

Option A is correct. Secrets Manager stores the secret encrypted with KMS, rotates it with a Lambda rotation function, and is read at runtime by code holding an IAM role with secretsmanager:GetSecretValue, so the value is never pasted into files. Option B is less suitable because a SecureString parameter is encrypted but has no built-in rotation.

Option C is wrong because a file on the instance is readable by anyone who gets a shell or an image of the disk. Option D is wrong because manual rotation is error-prone and a 90-day window is a long time for a leaked secret to stay valid.

99
MCQmedium

A company stores sensitive customer data in an Amazon S3 bucket. The data is accessed by an Amazon Redshift cluster using the COPY command. The security team wants to ensure that data is encrypted in transit between S3 and Redshift. Which configuration should be used?

A.Use a VPC endpoint for S3 with a bucket policy that denies HTTP.
B.Use the 'SSH' option in the COPY command to encrypt the transfer.
C.Use the 'ENCRYPTED' option with the COPY command and ensure the S3 bucket policy requires HTTPS.
D.Enable S3 server-side encryption on the bucket.
AnswerC

COPY from S3 always runs over HTTPS; the bucket policy requiring HTTPS is what makes that mandatory, and the 'ENCRYPTED' option concerns the files, not the channel.

Why this answer

Option C is correct per the answer key, with one correction to the reasoning: COPY from S3 already uses HTTPS, so transit encryption is on regardless of COPY options. The ENCRYPTED keyword tells COPY that the source files were client-side encrypted (with MASTER_SYMMETRIC_KEY or KMS), which is encryption of the files at rest, not of the transfer. The part of option C that actually enforces transit encryption is the bucket policy that denies requests where aws:SecureTransport is false. Option A is close, since a deny-HTTP bucket policy is the right control, but a VPC endpoint by itself does not encrypt anything. Option D is wrong because S3 server-side encryption protects data at rest, not in transit.

Option B is wrong because COPY has no SSH option for S3 sources; SSH is used when loading from remote hosts, not from S3.

100
Multi-Selecthard

A company is running an Amazon RDS for SQL Server DB instance with Multi-AZ deployment. The security team wants to ensure that all data at rest is encrypted using a customer-managed key stored in AWS KMS. Which steps must be taken to achieve this? (Choose THREE.)

Select 3 answers
A.Modify the DB instance and enable encryption.
B.Enable Multi-AZ deployment to encrypt data at rest.
C.Copy the snapshot and specify encryption with a KMS key.
D.Create a manual snapshot of the existing DB instance.
E.Restore the DB instance from the encrypted snapshot.
AnswersC, D, E

Copying a snapshot allows you to enable encryption.

Why this answer

Options C, D and E are correct. To move an existing unencrypted RDS instance onto a customer-managed KMS key you take a manual snapshot (D), copy the snapshot and select the KMS key on the copy (C), then restore a new instance from the encrypted snapshot (E) and cut applications over. Option A is incorrect because encryption cannot be enabled on an existing DB instance through a modification.

Option B is incorrect because Multi-AZ provides a synchronous standby for availability; it has no effect on encryption.

101
MCQhard

A company is using Amazon DynamoDB Accelerator (DAX) for caching. The security team is concerned about data in transit between the application and DAX. What should the team do to ensure that all traffic to DAX is encrypted?

A.Launch the DAX cluster in a private subnet with a VPC endpoint.
B.Enable encryption in transit when creating the DAX cluster.
C.Use AWS Certificate Manager to issue a certificate for the DAX cluster.
D.Use client-side encryption to encrypt data before sending it to DAX.
AnswerB

DAX supports TLS encryption in transit when enabled at cluster creation.

Why this answer

Option B is correct. DAX supports TLS encryption in transit, but it must be enabled when the cluster is created and cannot be turned on afterwards; clients then connect to the encrypted cluster's discovery endpoint (daxs:// rather than dax://) with a DAX SDK version that supports TLS.

Option D is incorrect because client-side encryption changes what is cached, not whether the channel is encrypted, and the question asks for all traffic to be protected. Option C is incorrect because DAX manages its own certificates; ACM is not involved. Option A is incorrect because a private subnet limits who can reach the cluster, but traffic on it is still plaintext unless encryption in transit was enabled.

102
MCQhard

A company stores financial data in an Amazon Aurora MySQL DB cluster. The security team requires that database audit logs be stored in Amazon CloudWatch Logs and encrypted at rest using a customer-managed KMS key. The database specialist enables audit log publishing to CloudWatch Logs and specifies a KMS key for log encryption. However, the audit logs are not appearing in CloudWatch Logs. What is the most likely cause?

A.The CloudWatch Logs log group does not exist and RDS cannot create it automatically.
B.The DB cluster is not configured to export error logs, only audit logs.
C.The IAM role used for publishing logs does not have the necessary permissions to use the KMS key for CloudWatch Logs.
D.CloudWatch Logs does not support encryption with customer-managed KMS keys for audit logs.
E.The audit log parameter is static and requires a DB cluster reboot after modification.
AnswerC

The KMS key policy must let the CloudWatch Logs service principal use the key, or log delivery fails without an obvious error.

Why this answer

When a CloudWatch Logs log group is encrypted with a customer-managed key, CloudWatch Logs itself calls KMS, so the key policy (not an IAM role in the account) must grant the regional service principal logs.<region>.amazonaws.com the actions kms:Encrypt*, kms:Decrypt*, kms:ReEncrypt*, kms:GenerateDataKey* and kms:Describe*, ideally scoped with a kms:EncryptionContext:aws:logs:arn condition to the audit log group. Without that grant, events written to the group are rejected and nothing appears. Option C is the closest description of this cause; read its 'IAM role' as the key-policy grant for the Logs service.

Exam trap

The trap here is that candidates often assume the issue is a missing log group or a static parameter, but the exam tests the nuanced requirement that the IAM role must have explicit KMS key permissions for log encryption to work.

How to eliminate wrong answers

Option A is wrong because RDS can automatically create the CloudWatch Logs log group when publishing is enabled; the log group does not need to pre-exist. Option B is wrong because the question specifically states audit logs are enabled, and the issue is that no logs appear at all, not that only error logs are missing. Option D is wrong because CloudWatch Logs fully supports encryption with customer-managed KMS keys for audit logs; this is a supported feature.

Option E is wrong because the audit log parameter (`server_audit_logging`) is dynamic and does not require a reboot; it takes effect immediately after modification.
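The key-policy check described above, as an added example that is not part of the original question set: determine whether a KMS key policy lets this Region's CloudWatch Logs service principal use the key for the audit log group, and build the statement the CloudWatch Logs documentation prescribes when it is missing. The key policy, account, Region and log group name are constructed.

```python
"""Added example (not from the original page): check whether a KMS key policy
lets CloudWatch Logs in a Region use the key for a given log group, and build
the statement the CloudWatch Logs documentation prescribes when it is
missing. The key policy below is constructed; account, Region and log group
are hypothetical."""
import re

REGION = "us-east-1"
ACCOUNT = "123456789012"
AUDIT_LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/rds/cluster/orders/audit"

# Concrete actions behind the documented wildcards kms:Encrypt*, kms:Decrypt*,
# kms:ReEncrypt*, kms:GenerateDataKey* and kms:Describe*.
REQUIRED_KMS_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
]


def _matches(pattern: str, action: str) -> bool:
    """Action wildcard match (IAM actions are case-insensitive)."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def logs_statements(key_policy: dict, region: str) -> list[dict]:
    """Allow statements whose Principal.Service names this Region's CloudWatch
    Logs service principal. Key policies grant by principal, so an IAM role
    in the account does not help here."""
    service = f"logs.{region}.amazonaws.com"
    found = []
    for stmt in key_policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and service in services:
            found.append(stmt)
    return found


def missing_logs_permissions(key_policy: dict, region: str) -> list[str]:
    """Required actions that no CloudWatch Logs statement grants."""
    granted = [a for stmt in logs_statements(key_policy, region) for a in _as_list(stmt.get("Action", []))]
    return [a for a in REQUIRED_KMS_ACTIONS if not any(_matches(g, a) for g in granted)]


def logs_key_statement(region: str, log_group_arn: str) -> dict:
    """The statement from the CloudWatch Logs docs, scoped with the
    encryption-context condition so the key is usable only for that group."""
    return {
        "Sid": "AllowCloudWatchLogsForAuditLogGroup",
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{region}.amazonaws.com"},
        "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"],
        "Resource": "*",
        "Condition": {"ArnEquals": {"kms:EncryptionContext:aws:logs:arn": log_group_arn}},
    }


def with_logs_access(key_policy: dict, region: str, log_group_arn: str) -> dict:
    """Copy of the key policy with the CloudWatch Logs grant appended."""
    statements = list(key_policy.get("Statement", [])) + [logs_key_statement(region, log_group_arn)]
    return {**key_policy, "Statement": statements}


# Constructed key policy that grants only the account root: exactly the state
# in which encrypted audit logs silently fail to appear.
ROOT_ONLY_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnableRootPermissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    print("missing before:", missing_logs_permissions(ROOT_ONLY_KEY_POLICY, REGION))
    fixed = with_logs_access(ROOT_ONLY_KEY_POLICY, REGION, AUDIT_LOG_GROUP_ARN)
    print("missing after: ", missing_logs_permissions(fixed, REGION))
```

Two things the check cannot see: the log group must actually be associated with the key (the CloudWatch Logs associate-kms-key operation), and the key must live in the same Region as the log group, which is why the service principal is regional.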

103
MCQeasy

A company runs an e-commerce application on AWS using an Aurora MySQL database cluster. The security team mandates that all database audit logs must be stored in Amazon S3 for at least one year for compliance. The database is currently configured to publish audit logs to Amazon CloudWatch Logs. The security team wants to use AWS Database Migration Service (DMS) to migrate the database to a new Aurora MySQL cluster, and during the migration, the audit logs must continue to be captured uninterrupted. Which solution meets these requirements with the LEAST operational overhead?

A.Enable Performance Insights on the source cluster and export the data to S3.
B.Create an Aurora MySQL read replica and enable audit logs on the replica, then migrate from the replica.
C.Use AWS CloudTrail to capture SQL queries and deliver them to S3.
D.Enable the Aurora MySQL advanced audit feature with file-based output, and configure the DMS task to use these log files as a source for ongoing replication.
Answer: D

Option D is correct: it captures audit logs in files that DMS can process, ensuring continuity.

Why this answer

Option D is correct because the Aurora MySQL advanced audit feature can output audit logs directly to files on the DB instance, and DMS can be configured to read these files as a source for ongoing replication. This ensures that audit logs are continuously captured and stored in S3 (via file-based output or subsequent upload) without interruption during the migration, minimizing operational overhead by avoiding additional services or manual log forwarding.

Exam trap

The trap here is that candidates may confuse CloudTrail (which logs AWS API calls) with database-level audit logging, or assume that a read replica can seamlessly inherit and forward audit logs from the source, when in fact it only logs its own activity.

How to eliminate wrong answers

Option A is wrong because Performance Insights provides performance metrics, not database audit logs, and cannot export SQL audit data to S3. Option B is wrong because creating a read replica and enabling audit logs on it would not capture audit logs from the source cluster during migration; the replica only logs its own activity, and the migration from the replica would still require uninterrupted audit capture from the source. Option C is wrong because CloudTrail captures AWS API calls (e.g., RDS management actions), not SQL queries or database-level audit logs, so it cannot fulfill the requirement to store database audit logs.

104
MCQ (easy)

A company wants to restrict access to an Amazon RDS for MySQL DB instance so that only applications running in a specific VPC can connect. Which solution should be implemented?

A.Use an IAM policy to restrict database connections based on source IP.
B.Configure the DB instance's security group to allow inbound traffic only from the application's security group.
C.Configure the subnet's network ACL to allow inbound traffic only from the application's IP range.
D.Attach a security group to the subnet that allows inbound traffic from the application's VPC.
Answer: B

Security groups can reference other security groups.

Why this answer

Option B is correct because a VPC security group controls inbound traffic at the instance level and can reference the application's security group as the source. Option C is wrong because network ACLs operate on subnets, not individual instances. Option A is wrong because IAM policies control API access, not network connectivity.

Option D is wrong because security groups are not attached to subnets.

105
MCQ (hard)

A database administrator is troubleshooting connectivity to an Amazon RDS for MySQL DB instance. The application is running on an EC2 instance in the same VPC and security group. The application can connect using the endpoint shown in the exhibit. However, the security team requires that all connections be encrypted using SSL. The DBA has enabled SSL on the DB instance and modified the parameter group to set require_secure_transport to ON. The application is now failing to connect. What is the most likely cause?

A.The DB instance endpoint is not resolving to the correct IP address.
B.The database user account does not have the SSL privilege granted.
C.The application's JDBC connection string does not include SSL parameters such as useSSL=true.
D.The security group does not allow inbound traffic on port 3307, which is used for SSL connections.
Answer: C

The application must explicitly request SSL connections; otherwise, the server rejects the connection.

Why this answer

Option C is correct. When require_secure_transport is set to ON, the database server rejects non-SSL connections. The application must be configured to use SSL by adding the useSSL=true and requireSSL=true parameters to the JDBC connection string.

Option D is incorrect because the security group does not need to allow port 3307; SSL connections use the same port as unencrypted connections. Option A is incorrect because the endpoint is a DNS name, not an IP address, and it resolved correctly before SSL was enforced. Option B is incorrect because the user account does not need the SSL privilege when the server enforces SSL.

106
MCQ (medium)

A company uses Amazon RDS for PostgreSQL and needs to ensure that only specific IP addresses can connect to the database. Which configuration should be used?

A.Configure the DB subnet group to allow only specific IP addresses.
B.Set the rds.force_ssl parameter in the DB parameter group.
C.Create an IAM policy that restricts access to the RDS API based on source IP.
D.Modify the VPC security group associated with the DB instance to allow inbound traffic only from specific IP addresses.
Answer: D

Security groups act as a virtual firewall and can restrict inbound traffic based on IP addresses.

Why this answer

Option D is correct because security group rules control inbound traffic based on IP addresses or other security groups. Option A is wrong because DB subnet groups define subnets, not IP filtering. Option B is wrong because parameter groups control database engine parameters, not network access.

Option C is wrong because IAM policies control permissions for AWS API actions, not network-level access.

107
Multi-Select (hard)

A company is using Amazon Redshift for analytics. The security team wants to audit all SQL queries executed against the database, including the actual query text, for compliance. They also want to ensure that the audit logs are stored in a secure, immutable location. Which THREE services or features should they use together to meet these requirements?

Select 3 answers
A.Redshift Audit Logging
B.VPC Flow Logs
C.Amazon CloudWatch Logs
D.Redshift Spectrum
E.S3 Object Lock
Answers: A, C, E

Redshift audit logging captures the SQL query logs.

Why this answer

Options A, C, and E are correct. Redshift Audit Logging captures SQL queries. CloudWatch Logs can be used as a destination for audit logs (via streaming).

Then, CloudWatch Logs can export logs to S3, and S3 Object Lock provides immutability. Option B (VPC Flow Logs) is for network monitoring, not auditing. Option D (Redshift Spectrum) is a query feature, not an auditing feature.

108
MCQ (medium)

A company uses Amazon ElastiCache for Redis and needs to encrypt data in transit between the application and the cache cluster. Which feature should be enabled?

A.Enable encryption in transit on the replication group.
B.Enable encryption at rest.
C.Use AWS KMS customer master keys.
D.Configure the VPC security group to allow only HTTPS traffic.
Answer: A

ElastiCache for Redis supports TLS encryption for data in transit.

Why this answer

Option A is correct because ElastiCache for Redis supports encryption in transit using TLS. Option B is wrong because encryption at rest is a separate feature. Option C is wrong because KMS keys are used for encryption at rest, not in transit.

Option D is wrong because security groups control network access, not encryption.

109
MCQ (hard)

A financial services company is using Amazon DynamoDB to store customer transaction data. The compliance team requires that all data be encrypted at rest using a customer-managed AWS KMS key, and that access to the key be auditable via AWS CloudTrail. Additionally, the security team wants to ensure that DynamoDB can only be accessed from within the VPC using a VPC endpoint. Which combination of steps should the company take to meet these requirements?

A.Use a CloudHSM key for encryption and create a VPC peering connection to DynamoDB.
B.Enable server-side encryption with a customer-managed KMS key and route all traffic through a NAT gateway.
C.Enable server-side encryption with a customer-managed KMS key and create an interface VPC endpoint for DynamoDB.
D.Use AWS managed KMS key and a gateway VPC endpoint for DynamoDB.
Answer: C

Customer-managed KMS key provides encryption and auditing; interface endpoint allows private VPC access.

Why this answer

Option C is correct because DynamoDB server-side encryption uses KMS, and an interface VPC endpoint (AWS PrivateLink) provides private access from within the VPC. Option D is wrong because it uses the AWS managed key instead of a customer-managed key; DynamoDB supports both gateway and interface endpoints, but an interface endpoint is the recommended choice for private access with security groups. Option B is wrong because routing through a NAT gateway is not secure and does not enforce VPC-only access.

Option A is wrong because CloudHSM is not needed for encryption; KMS is sufficient.

110
Multi-Select (medium)

A company is using Amazon Redshift and needs to encrypt data at rest with a customer-managed key. Which THREE steps are required to enable encryption with a customer-managed AWS KMS key?

Select 3 answers
A.Create a customer-managed key in AWS KMS.
B.Specify the KMS key when creating the Redshift cluster.
C.Use the AWS CLI to modify the cluster to enable encryption.
D.Configure the Redshift cluster to use an HSM.
E.Request AWS Support to enable encryption.
Answers: A, B, C

A customer-managed key must be created first.

Why this answer

Options A, B, and C are correct. You must create a KMS key (A), specify it during cluster creation (B), and modify the cluster to enable encryption if it is not already encrypted (C). Option D is wrong because Redshift does not use an HSM for KMS-based encryption.

Option E is wrong because encryption is managed by the cluster owner; AWS Support does not need to enable it.

111
MCQ (medium)

A company is using Amazon Redshift for data warehousing. The security team requires that all data be encrypted at rest using a customer-managed AWS KMS key. Additionally, the team wants to ensure that the key must be used only for this specific Redshift cluster. Which configuration should be applied?

A.Create a new KMS key and associate it with the Redshift cluster's subnet group.
B.Create a new KMS key with a key policy that grants access only to the Redshift cluster's IAM role.
C.Use the default AWS managed KMS key for Redshift.
D.Use an HSM-backed key from CloudHSM.
Answer: B

The KMS key policy can be restricted to the specific IAM role that Redshift uses.

Why this answer

Option B is correct because Redshift uses KMS keys for encryption, and a cluster-specific key can be created with a key policy limited to the cluster's IAM role. Option C is wrong because the default KMS key is AWS managed, not customer-managed. Option A is wrong because the cluster subnet group does not affect encryption.

Option D is wrong because CloudHSM is not used for Redshift encryption.

112
Drag &amp; Drop (medium)

Arrange the steps to troubleshoot a connection timeout issue from an EC2 instance to an Amazon RDS for SQL Server DB instance in the correct order.


Why this order

Troubleshooting connectivity involves checking security groups, network ACLs, network configuration, and testing with telnet.

113
MCQ (hard)

A financial services company uses Amazon DynamoDB to store transaction records. The security team requires that all items be encrypted at rest using a customer-managed AWS KMS key. Additionally, the company must be able to audit key usage and rotation. What is the MOST secure and auditable approach?

A.Enable default encryption on the DynamoDB table using SSE-S3.
B.Use SSE-KMS with a customer-managed key and manually rotate the key every 90 days.
C.Use SSE-KMS with a customer-managed key, enable automatic key rotation, and enable CloudTrail data events for the key.
D.Use client-side encryption with the AWS Encryption SDK.
Answer: C

This provides encryption control and full audit trail.

Why this answer

Using a customer-managed KMS key with automatic annual rotation and enabling CloudTrail logging of key usage provides encryption control and auditing. Option A is wrong because SSE-S3 does not provide customer control or audit. Option B is wrong because SSE-KMS with automatic rotation is more secure and auditable than manual rotation.

Option D is wrong because client-side encryption with the AWS Encryption SDK is a separate, application-side mechanism and does not configure DynamoDB encryption at rest with a customer-managed key.

114
MCQ (hard)

A company uses Amazon DynamoDB to store sensitive user data. The security team wants to ensure that all data is encrypted at rest using a customer-managed AWS KMS key. The DynamoDB table was created with the default AWS managed key. What is the required action to change the encryption key?

A.Use the UpdateTable API to specify the new KMS key.
B.Create a new DynamoDB table with the desired KMS key, export data from the old table, and import into the new table.
C.Enable automatic key rotation on the existing KMS key.
D.Delete the default AWS managed key and create a new customer managed key.
Answer: B

Encryption key can only be set at table creation.

Why this answer

Option B is correct because DynamoDB encryption at rest uses KMS, and the encryption key can only be chosen when creating a new table; you cannot modify the encryption key on an existing table. Option A is wrong because UpdateTable does not provide a way to change the encryption key.

Option B is wrong because the default key cannot be deleted if in use. Option C is wrong because KMS key rotation does not change the key material used by DynamoDB.

115
MCQ (easy)

A startup is using Amazon RDS for MySQL as its primary database. The database contains user profiles and payment information. The security team wants to ensure that database snapshots are encrypted and that the encryption key is managed by the company. The team also wants to enforce that all future snapshots are encrypted automatically. The current RDS instance is not encrypted. What should they do?

A.Enable encryption on the existing RDS instance by modifying the DB instance.
B.Create a new encrypted RDS instance, migrate the data, and point the application to the new instance.
C.Use AWS KMS to encrypt the underlying EBS volumes of the RDS instance.
D.Take a snapshot of the current instance, copy it with encryption enabled, and restore from the encrypted snapshot.
Answer: B

This is the only way to encrypt an existing RDS instance.

Why this answer

Option B is correct. RDS encryption cannot be enabled on an existing unencrypted instance. They must create a new encrypted instance, migrate the data, and delete the old instance.

Option A is wrong because you cannot enable encryption on an existing unencrypted instance. Option C is wrong because RDS does not support customer-managed encryption at the storage level. Option D is wrong because encrypting a snapshot copy does not encrypt the instance itself.

116
MCQ (medium)

An IAM policy is shown in the exhibit. What is the effect of this policy when a user tries to create an unencrypted RDS DB instance?

A.The user is denied from creating the unencrypted instance because of the Deny statement.
B.The user is allowed to create the unencrypted instance because the Deny statement is not valid.
C.The user is denied from creating any DB instance because of an implicit deny.
D.The user is allowed to create the unencrypted instance because of the Allow statement.
Answer: A

The Deny statement explicitly denies creation when encryption is false.

Why this answer

Option A is correct because the Deny statement with the condition rds:StorageEncrypted=false explicitly denies creating unencrypted instances. The Allow statement permits all create requests, but an explicit Deny overrides it. Option D is wrong because the Deny takes precedence over the Allow.

Option B is wrong because the Deny statement is valid; the Allow alone would permit the action, but the Deny blocks it. Option C is wrong because the denial is explicit, not implicit.

117
Multi-Select (hard)

Which THREE of the following are best practices for securing an Amazon DynamoDB table? (Select THREE.)

Select 3 answers
A.Enable point-in-time recovery (PITR) to protect against accidental writes or deletes.
B.Enable encryption at rest using AWS KMS.
C.Enable public access to the table to allow easy data sharing.
D.Use IAM policies to restrict access to the table based on the principle of least privilege.
E.Limit the maximum item size to 100 KB to reduce storage costs.
Answers: A, B, D

PITR allows restoring to any point within the last 35 days.

Why this answer

Options A, B, and D are correct. IAM policies should be used to grant least privilege. DynamoDB supports encryption at rest with KMS.

Point-in-time recovery (PITR) is a security best practice for data protection. Option C (public access) is not a security best practice; DynamoDB tables are private by default. Option E (limiting item size) is a performance consideration, not a security best practice.

118
MCQ (hard)

A company hosts a critical application on Amazon RDS for PostgreSQL. The security team requires that all database connections be encrypted in transit. Which configuration step is necessary?

A.Create a VPN connection between the application and the database.
B.Set the rds.force_ssl parameter to 1 in the DB parameter group.
C.Modify the security group to allow only port 5432 from the application.
D.Enable encryption at rest using AWS KMS.
Answer: B

This parameter enforces SSL connections to the database.

Why this answer

Enforcing SSL/TLS for connections is required for encryption in transit, so option B is correct. Option D is wrong because enabling encryption at rest does not encrypt data in transit.

Option A is wrong because a VPN encrypts network traffic but does not enforce database-level SSL. Option C is wrong because modifying security group rules does not encrypt connections.

119
Multi-Select (hard)

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The security team requires that all database connections use SSL and that the database is encrypted at rest. Which THREE steps are required to meet these requirements? (Choose THREE.)

Select 3 answers
A.Upload a custom SSL certificate to the RDS instance.
B.Install the SSL certificate on every client machine.
C.Modify the DB parameter group to set 'require_ssl' to 'true'.
D.Download the RDS SSL certificate and configure the application to trust it.
E.Enable encryption at rest when creating the RDS instance.
Answers: C, D, E

This enforces SSL connections.

Why this answer

Options C, D, and E are correct. Enabling encryption at rest is done during instance creation (E). SSL enforcement requires modifying the parameter group (C) and downloading the RDS certificate so the application trusts it (D).

Option A is wrong because RDS manages the certificate; you don't upload your own. Option B is wrong because you don't need to install the certificate on every client machine; it is needed on the application side.

120
MCQ (medium)

A company is using Amazon RDS for MySQL with encryption at rest enabled. The security team requires that all access to the database be authenticated using IAM database authentication. Which combination of steps must the company take to meet this requirement?

A.Create an IAM role with a policy that allows rds:Connect and attach it to the RDS instance.
B.Create a database user with a password and attach an IAM role that allows rds-db:connect to the database user.
C.Enable SSL on the RDS instance and create an IAM policy that allows rds:Connect.
D.Create an IAM policy that allows the rds-db:connect action and map the IAM role to a database user created with the AWSAuthenticationPlugin.
Answer: D

This is the correct procedure for IAM database authentication with RDS MySQL.

Why this answer

Option D is correct because IAM database authentication for RDS MySQL requires an IAM policy that allows the rds-db:connect action, with that role mapped to a database user created with the CREATE USER statement and the AWSAuthenticationPlugin. Option C is wrong because SSL is not required for IAM authentication, though it is recommended. Option A is wrong because the policy must include rds-db:connect, not rds:Connect.

Option B is wrong because the database user must be created with AWSAuthenticationPlugin, not with a password.

121
MCQ (hard)

A company uses Amazon Redshift for data warehousing. The security team has implemented column-level security using Redshift's column-level access controls. However, during a security audit, it is discovered that a user with SELECT privilege on a table can still see the content of a column that should be restricted. The column is defined with a GRANT statement that only allows SELECT on certain columns to specific users. What is the most likely cause of this issue?

A.The column is part of a distribution key that bypasses security controls.
B.The user is accessing the table via a stored procedure that bypasses column-level security.
C.The column-level security is not supported in Redshift; it must be implemented using views.
D.The user was previously granted SELECT on the entire table, and the column-level GRANT did not revoke that broader permission.
Answer: D

Column-level GRANTs are additive; they do not remove existing table-level permissions.

Why this answer

Option D is correct because column-level GRANTs in Redshift do not revoke existing permissions; they only add. If the user already had SELECT on the whole table, they still have access to all columns. Option A is not relevant.

Option C is wrong; it is about views, which is not the issue here. Option B is unrelated.

122
Multi-Select (hard)

Which THREE components are required to set up IAM database authentication for an Amazon RDS for MySQL DB instance? (Choose three.)

Select 3 answers
A.An IAM role that the application can assume.
B.An AWS KMS key to encrypt the authentication token.
C.A database user that is mapped to the IAM role.
D.A DB parameter group with require_secure_transport set to ON.
E.An RDS Proxy to manage connections.
Answers: A, C, D

The application assumes the IAM role to get authentication tokens.

Why this answer

Options A, C, and D are correct. Option A: an IAM role for the application to assume. Option C: a database user mapped to the IAM role.

Option D: a DB parameter group with require_secure_transport set to ON to enforce SSL. Option B is wrong because a KMS key is not required for IAM authentication. Option E is wrong because RDS Proxy is optional, not required.

123
MCQ (easy)

A company is using Amazon RDS for SQL Server with Multi-AZ deployment. The security team wants to ensure that database audit logs are stored in a secure S3 bucket for long-term retention. The audit logs are currently stored on the RDS instance. Which approach should be used to export the audit logs to S3?

A.Use the Amazon RDS for Oracle 'Audit' feature and specify an S3 bucket as the audit trail destination.
B.Modify the RDS instance to use the 'SQLSERVER_AUDIT' option and specify an S3 bucket as the audit destination.
C.Enable the 'General Log' option in the RDS parameter group and configure the log destination as S3.
D.Configure the RDS instance to publish logs to CloudWatch Logs, and then export CloudWatch Logs to S3 using a subscription filter.
Answer: B

RDS for SQL Server supports this option group for exporting audit logs to S3.

Why this answer

Option B is correct because RDS for SQL Server supports the SQLSERVER_AUDIT option, which lets you specify an S3 bucket as the audit destination. Option A is wrong because that audit feature is for RDS for Oracle. Option C is wrong because the General Log option is for MySQL.

124
Multi-Select (hard)

A company uses Amazon RDS for MySQL with Multi-AZ deployment. The security team wants to audit all database logins and queries. Which TWO actions should be taken to enable auditing?

Select 2 answers
A.Enable AWS CloudTrail data events for RDS.
B.Create an RDS event notification subscription.
C.Publish MySQL logs to Amazon CloudWatch Logs.
D.Set the general_log parameter to 1.
E.Enable Enhanced Monitoring.
Answers: C, D

CloudWatch Logs can store and analyze logs.

Why this answer

Options C and D are correct. Setting general_log to 1 (D) captures all queries, and publishing the logs to CloudWatch Logs (C) allows storage and analysis. Option E is wrong because Enhanced Monitoring is for performance, not queries.

Option B is wrong because event notifications are for instance events, not queries. Option A is wrong because RDS does not support CloudTrail data events for database queries.

125
MCQ (medium)

A security engineer needs to ensure that all access to an Amazon DynamoDB table is encrypted in transit. Which configuration achieves this?

A.Configure a VPC endpoint for DynamoDB and enable encryption.
B.Ensure all client applications use the DynamoDB HTTPS endpoint.
C.Place the DynamoDB table behind Amazon CloudFront.
D.Enable SSL on the DynamoDB table by setting the 'ssl_enabled' parameter.
Answer: B

All DynamoDB requests must be made over HTTPS; this is the only way to encrypt data in transit.

Why this answer

Option B is correct because DynamoDB enforces HTTPS for all API calls, ensuring encryption in transit. Option D is wrong because DynamoDB does not expose an SSL configuration parameter on the table. Option A is wrong because VPC endpoints use AWS PrivateLink but still require HTTPS.

Option C is wrong because CloudFront is a CDN, not a database access layer.

126
MCQ (easy)

A company is using Amazon RDS for PostgreSQL and needs to ensure that all connections to the database use encryption in transit. The database is accessible over the internet. Which configuration is required?

A.Restrict the security group to only allow traffic from trusted IP addresses.
B.Modify the DB instance to use a custom port 443 instead of 5432.
C.Set the rds.force_ssl parameter to 1 and configure the client to use the AWS RDS SSL certificate.
D.Use a self-signed certificate on the server and configure the client to trust it.
Answer: C

This enforces SSL connections.

Why this answer

Option C is correct because enforcing SSL requires setting the rds.force_ssl parameter to 1 in the DB parameter group and downloading and using the RDS SSL certificate on the client side. Option D is wrong because the SSL certificate is provided by AWS, not self-signed. Option B is wrong because the default PostgreSQL port is 5432, and changing it to 443 does not add encryption.

Option A is wrong because security groups alone cannot enforce encryption.

127
Multi-Select (hard)

A company is designing a security architecture for Amazon DynamoDB. They need to ensure that only authorized applications can access the data, and that data in transit is encrypted. Which THREE steps should be taken? (Choose THREE.)

Select 3 answers
A.Use a customer-managed KMS key to encrypt data in transit.
B.Attach an IAM policy that grants access only to specific IAM roles or users.
C.Use an AWS PrivateLink VPC endpoint to access DynamoDB from within a VPC.
D.Configure a security group to restrict inbound traffic to the DynamoDB table.
E.Use HTTPS (TLS) for all API calls to DynamoDB.
Answers: B, C, E

IAM policies control access to DynamoDB.

Why this answer

Options B, C, and E are correct. Using a VPC endpoint keeps traffic within the AWS network, IAM policies control access, and DynamoDB API calls over HTTPS (TLS) encrypt data in transit. Option D is wrong because security groups are not used for DynamoDB tables (they apply to VPC endpoints).

Option A is wrong because KMS keys are for encryption at rest, not in transit.

128
MCQ (medium)

A company is using Amazon RDS for Oracle with Transparent Data Encryption (TDE) enabled. They need to rotate the TDE master key. What is the correct procedure?

A.Use Oracle's ALTER SYSTEM SET ENCRYPTION KEY command to rotate the key.
B.Use the AWS KMS RotateKey operation to rotate the customer master key (CMK) that is used for TDE.
C.Create a new encrypted RDS instance and migrate the data.
D.Modify the DB instance to use a new KMS key.
Answer: B

KMS key rotation is the supported method for TDE key rotation.

Why this answer

TDE master key rotation is done by calling the AWS KMS RotateKey operation or by using the rds.rds_rotate_tde_key stored procedure, so option B is correct. Option A is wrong because rotating the Oracle master key manually is not recommended and may break TDE.

Option C is wrong because a new DB instance is unnecessary. Option D is wrong because modifying the DB instance does not rotate the TDE key.

129
MCQ (medium)

A company is migrating an Oracle database to Amazon RDS for Oracle. Security policy requires that all database connections be encrypted in transit. The security team wants to enforce that clients must use TLS 1.2 or higher. How can this be achieved?

A.Modify the DB subnet group to only allow traffic from specific IP ranges.
B.Create an IAM policy that denies access unless the connection uses TLS.
C.Set the require_secure_transport parameter to ON in the DB parameter group.
D.Set the rds.force_ssl parameter to 1 in the DB parameter group.
Answer: D

This parameter forces SSL connections for Oracle RDS instances.

Why this answer

Option D is correct because Amazon RDS for Oracle supports SSL/TLS encryption, and setting the rds.force_ssl parameter to 1 requires SSL connections, which enforces TLS encryption. Option C is wrong because require_secure_transport is not the Oracle parameter for enforcing SSL; rds.force_ssl is the engine-specific parameter for RDS for Oracle. Option A is wrong because restricting source IP ranges controls network access, not encryption requirements.

Option B is wrong because IAM policies cannot enforce encryption in transit at the database level; they only control authentication and authorization.

130
MCQ (hard)

A KMS key has the grant shown. An IAM role named AdminRole is the grantee. What additional permission does this grant provide to AdminRole beyond what the role's IAM policy allows?

A.The role can use the key to encrypt and decrypt, regardless of its IAM policy.
B.The role can use the key to encrypt and decrypt, but only if its IAM policy also allows it.
C.The role can delete the KMS key.
D.The role can create new grants for this key.
Answer: A

A grant gives permissions directly to the grantee principal.

Why this answer

Option A is correct. A KMS grant allows the grantee to perform the specified operations on the KMS key even if the grantee does not have that permission in its IAM policy. Option C is wrong because the grant does not allow deletion of the key.

Option D is wrong because the grant does not allow creating grants. Option B is wrong because the grant itself allows the Encrypt and Decrypt operations; it does not depend on the role's IAM policy.

131
MCQ (medium)

A development team is building a serverless application that uses Amazon DynamoDB. The team needs to ensure that only the application's Lambda function can read and write data to a specific DynamoDB table. The Lambda function uses an IAM role. How should the team configure access?

A.Place the DynamoDB table and Lambda function in the same VPC and use a VPC endpoint to control access.
B.Encrypt the DynamoDB table with an AWS KMS key and grant the Lambda function decryption permissions.
C.Create an IAM role for the Lambda function with DynamoDB access, and configure a resource-based policy on the DynamoDB table that allows only that role.
D.Create an IAM role for the Lambda function with a policy that allows DynamoDB access, and attach the role to the function.
Answer: C

The resource-based policy on DynamoDB restricts access to the specified IAM role, ensuring only the Lambda function can access the table.

Why this answer

Option C is correct because a resource-based policy on the DynamoDB table that grants access only to the Lambda function's role is the proper way to restrict access. Option D is wrong because an IAM role attached to the Lambda function alone does not prevent other principals from accessing the table; a resource-based policy is needed. Option A is wrong because DynamoDB VPC endpoints do not provide resource-based access restriction in this manner.

Option B is wrong because encryption does not control access.

132
MCQ (easy)

A company uses Amazon Aurora MySQL and needs to audit all database logins, including failed attempts. Which feature should be enabled?

A.Database Activity Streams
B.Enhanced Monitoring
C.VPC Flow Logs
D.AWS CloudTrail
Answer: A

Database Activity Streams provide a near real-time stream of database activity, including login attempts.

Why this answer

Option A is correct because Aurora MySQL supports Database Activity Streams for auditing. Option D is wrong because CloudTrail does not log database-level queries or logins. Option C is wrong because VPC Flow Logs capture network traffic, not database logins.

Option B is wrong because Enhanced Monitoring provides OS-level metrics, not audit logs.

133
Multi-Selecteasy

A company is using Amazon RDS for Oracle and needs to comply with regulatory requirements that mandate encryption of all data at rest and in transit. Which TWO actions should be taken to meet these requirements?

Select 2 answers
A.Enable encryption at rest by specifying a KMS key when creating the DB instance.
B.Use Oracle Transparent Data Encryption (TDE) to encrypt the data at rest.
C.Enable encryption for CloudWatch Logs.
D.Configure Oracle Native Network Encryption in the sqlnet.ora file.
E.Enable SSL/TLS encryption by setting the rds.force_ssl parameter and using the RDS SSL certificate.
AnswersA, E

This encrypts the database storage.

Why this answer

Options A and E are correct. Option A: Encryption at rest is enabled via the console or API when creating the instance. Option E: Encryption in transit is enforced by setting rds.force_ssl=1 and using the RDS SSL certificate.

Option D is wrong because native network encryption is an alternative but not the recommended approach; RDS supports Oracle Native Network Encryption, but it is less secure than SSL/TLS. Option B is wrong because TDE is for encryption at rest but is a separate feature; enabling encryption at rest via RDS is sufficient. Option C is wrong because CloudWatch Logs encryption protects the logs, not the database itself.

134
Multi-Selectmedium

A company is migrating an on-premises MongoDB database to Amazon DocumentDB (with MongoDB compatibility). The security team requires that data be encrypted at rest and in transit. Additionally, the team wants to use IAM roles to authenticate applications. Which THREE steps should the database specialist take to meet these requirements?

Select 3 answers
A.Use IAM roles to authenticate applications to the DocumentDB cluster.
B.Use a custom certificate authority for SSL/TLS.
C.Enable encryption at rest for the DocumentDB cluster.
D.Create a VPC endpoint for DocumentDB to enforce encryption.
E.Enable encryption in transit by using TLS for all connections.
AnswersA, C, E

DocumentDB supports IAM database authentication.

Why this answer

Options A, C, and E are correct. Encryption at rest is enabled by default; in-transit encryption is enabled via TLS; IAM authentication is supported through IAM roles. Option B is wrong because DocumentDB uses TLS with the certificates it provides, not a custom certificate authority.

Option D is wrong because DocumentDB does not use VPC endpoints to enforce encryption; encryption at rest is a cluster-level setting.

135
MCQeasy

A company is using Amazon Aurora MySQL-Compatible Edition. The security team wants to audit all database login attempts and store the logs in Amazon S3 for 90 days. Which solution meets these requirements with the LEAST operational overhead?

A.Enable the Aurora audit log and publish logs to Amazon CloudWatch Logs. Create a CloudWatch Logs subscription filter to stream the logs to an Amazon S3 bucket.
B.Enable the Aurora audit log and configure the DB cluster to publish logs directly to an S3 bucket.
C.Install a custom audit plugin on the Aurora cluster that writes logs to a file, then use an AWS Lambda function to upload the file to S3.
D.Enable the Aurora audit log and use Amazon Kinesis Data Firehose to stream the logs to S3.
AnswerA

This uses managed services with minimal configuration.

Why this answer

Option A is correct because Aurora can publish audit logs to CloudWatch Logs, which can then be streamed to S3 via a subscription filter. Option B is wrong because Aurora does not write logs directly to S3. Option C is wrong because a custom plugin plus a Lambda function adds operational overhead.

Option D is wrong because RDS does not send logs to Kinesis Data Firehose directly.

136
Multi-Selectmedium

Which TWO actions will help protect an Amazon RDS for MySQL database from a SQL injection attack? (Select TWO.)

Select 2 answers
A.Use parameterized queries in the application code.
B.Enable encryption at rest for the RDS instance.
C.Place the RDS instance in a private VPC subnet.
D.Restrict database user permissions to only required operations.
E.Enable auto minor version upgrade on the RDS instance.
AnswersA, D

Parameterized queries prevent injection.

Why this answer

Using parameterized queries (prepared statements) prevents SQL injection. Also, restricting database user permissions to only necessary operations limits damage. Enabling encryption at rest does not prevent injection.

Using a VPC does not prevent injection. Enabling auto minor version upgrade does not prevent injection.

137
MCQmedium

A company's security team wants to encrypt data at rest for an existing RDS for PostgreSQL DB instance. The instance is currently unencrypted. Which steps should the team take to enable encryption with minimal downtime?

A.Modify the DB instance and enable encryption in the RDS console.
B.Create a read replica of the DB instance and promote it to a standalone instance.
C.Create a new option group with encryption enabled and associate it with the DB instance.
D.Take a snapshot of the DB instance, copy the snapshot with encryption enabled, and restore a new DB instance from the encrypted snapshot.
AnswerD

This is the standard method to encrypt an existing unencrypted RDS instance.

Why this answer

Option D is correct because Amazon RDS does not support enabling encryption on an existing unencrypted DB instance. The only way is to create a snapshot, copy it with encryption, and restore a new encrypted instance. Option A is wrong because you cannot enable encryption on an existing instance directly.

Option C is wrong because modifying the DB instance's option group does not allow enabling encryption. Option B is wrong because creating a read replica does not enable encryption.

138
MCQmedium

A company uses Amazon RDS for MySQL and wants to ensure that database users are authenticated using IAM database authentication. Which action must be performed to enable this?

A.Create database users with MySQL native password authentication.
B.Attach an IAM role to the RDS instance for database authentication.
C.Change the database port to 3306 to enable IAM authentication.
D.Set the parameter 'require_secure_transport' to ON and use the AWSAuthenticationPlugin.
AnswerD

IAM auth requires SSL and the AWSAuthenticationPlugin.

Why this answer

Option D is correct because IAM database authentication requires a specific parameter group setting (require_secure_transport=ON) and authentication plugin. Option A is wrong because native MySQL authentication is not IAM. Option B is wrong because IAM roles for RDS are for API access, not database authentication.

Option C is wrong because 3306 is already the standard MySQL port; the port number has nothing to do with IAM authentication.

139
MCQmedium

A company is using Amazon RDS for MySQL and needs to encrypt data at rest for an existing DB instance. Which approach meets this requirement with minimal downtime?

A.Take a snapshot of the DB instance, copy the snapshot with encryption enabled, and restore from the encrypted snapshot.
B.Enable encryption directly on the existing DB instance by modifying it.
C.Use the AWS CLI command modify-db-instance with the --storage-encrypted flag.
D.Create a read replica of the DB instance with encryption enabled, then promote it.
AnswerA

This is the standard method to encrypt an existing RDS instance with minimal downtime.

Why this answer

Option A is correct because enabling encryption on an existing RDS instance requires a snapshot copy with encryption and then restoring it, which is the standard method with minimal downtime. Option B is wrong because you cannot enable encryption directly on the instance. Option C is wrong because RDS does not support enabling encryption via the ModifyDBInstance API.

Option D is wrong because creating a read replica with encryption still requires a snapshot restore for the primary.

140
MCQeasy

A developer is checking the encryption status of an RDS MySQL instance. The CLI output shows StorageEncrypted is true. What does this indicate?

A.Connections to the database are encrypted in transit.
B.The database is encrypted using the AWS managed key for RDS.
C.The database does not have encryption at rest enabled.
D.The database is encrypted at rest using a KMS key.
AnswerD

StorageEncrypted true confirms at-rest encryption.

Why this answer

Option D is correct because StorageEncrypted: true means the data at rest is encrypted using the specified KMS key. Option A is wrong because it does not indicate in-transit encryption. Option B is wrong because the key is a KMS key, not necessarily the AWS managed key.

Option C is wrong because encryption at rest is enabled.

141
MCQhard

A company is designing a security strategy for an Amazon Aurora MySQL database. They need to ensure that database activity is monitored for suspicious behavior and that alerts are sent when anomalies are detected. Which AWS services should be combined to achieve this? (Select TWO.)

A.Amazon GuardDuty
B.Amazon RDS Database Activity Streams
C.AWS WAF
D.Amazon EventBridge
E.Amazon Inspector
AnswersA, B

GuardDuty can analyze database activity streams for threats.

Why this answer

Options A and B are correct. Option B: Database Activity Streams send activity to CloudWatch Logs and Kinesis. Option A: Amazon GuardDuty can analyze the stream for threats.

Option C is wrong because AWS WAF is a web application firewall. Option E is wrong because Amazon Inspector is for EC2 vulnerabilities. Option D is wrong because EventBridge can trigger alerts but is not a monitoring service for anomalies.

142
Multi-Selectmedium

Which THREE measures can help protect an Amazon RDS database from a DDoS attack? (Choose 3.)

Select 3 answers
A.Place the RDS instance in a private subnet without direct internet access.
B.Use security groups to restrict inbound traffic to known IP addresses.
C.Make the RDS instance publicly accessible for easy monitoring.
D.Use AWS Shield Advanced.
E.Disable audit logging to reduce resource usage.
AnswersA, B, D

Reduces exposure to DDoS attacks.

Why this answer

Placing the RDS instance in a private subnet without direct internet access prevents any external traffic from reaching the database endpoint. Since DDoS attacks rely on overwhelming a publicly routable IP address, removing internet-facing connectivity eliminates the attack surface entirely. This is a foundational network-layer defense that complements other security controls.

Exam trap

The trap here is that candidates may think making an RDS instance publicly accessible is acceptable for monitoring purposes, but AWS best practices require all database access to go through a bastion host or VPN. Disabling audit logging is a common distractor that appears to reduce overhead but actually removes critical security visibility without any DDoS benefit.

143
Multi-Selecthard

Which THREE are valid methods to encrypt data at rest in Amazon DynamoDB? (Choose 3.)

Select 3 answers
A.Use a customer managed CMK.
B.Use S3 server-side encryption.
C.Use an AWS-owned CMK.
D.Use an AWS managed CMK.
E.Use client-side encryption with the DynamoDB Encryption Client.
AnswersC, D, E

Default encryption uses AWS-owned keys.

Why this answer

Option C is correct because DynamoDB encrypts data at rest by default using an AWS-owned customer master key (CMK), which is a key managed by AWS on behalf of the customer. This key is used to protect the table data, backups, and replicas without requiring any customer configuration.

Exam trap

The trap here is that candidates often confuse server-side encryption options across AWS services, incorrectly assuming that S3 server-side encryption can be applied to DynamoDB, or they forget that client-side encryption is a valid method for encrypting data at rest in DynamoDB.

144
MCQeasy

A company wants to ensure that an Amazon RDS for MySQL DB instance is encrypted at rest. Which action should be taken to enable encryption for the first time?

A.Enable encryption on the existing DB instance using the AWS CLI.
B.Create a new encrypted DB instance using AWS KMS.
C.Set the rds.encrypted parameter to true in the DB parameter group.
D.Modify the existing DB instance and enable encryption.
AnswerB

Encryption at rest must be specified at instance creation time.

Why this answer

Option B is correct because RDS encryption at rest can only be enabled when creating a new DB instance, not on an existing one. Option D is wrong because enabling encryption requires creating an encrypted snapshot and restoring it as a new instance, not just modifying the instance. Option A is wrong because encryption cannot be enabled on an existing instance.

Option C is wrong because encryption is configured at instance creation, not through parameter groups.

145
MCQhard

A company is migrating its on-premises Oracle database to Amazon RDS for Oracle. The database contains sensitive data that must be encrypted at rest and in transit. The security team also requires that the encryption keys be rotated every year. The DBA has enabled encryption at rest using a customer-managed KMS key and SSL/TLS for in-transit encryption. What additional step is needed to meet the key rotation requirement?

A.Manually create a new KMS key every year and update the RDS instance to use the new key.
B.Configure the RDS option group to rotate the encryption key.
C.Use an AWS CloudHSM key and configure automatic rotation.
D.Enable automatic KMS key rotation for the customer-managed key.
AnswerD

KMS can rotate the key automatically every year.

Why this answer

Option D is correct because KMS automatic key rotation rotates the key material annually. Option A is wrong because manual rotation requires creating a new key and updating the RDS instance. Option C is wrong because CloudHSM is not used with RDS.

Option B is wrong because the option group does not control key rotation.

146
MCQmedium

A company uses Amazon RDS for PostgreSQL with Multi-AZ deployment. The security team wants to ensure that any access to the database is logged, including SELECT queries. What should be done to capture these logs?

A.Modify the DB parameter group to enable query logging and publish logs to Amazon CloudWatch Logs.
B.Enable automated backups and export logs to Amazon S3.
C.Enable RDS Performance Insights.
D.Enable RDS Enhanced Monitoring.
AnswerA

This captures query logs and stores them in CloudWatch.

Why this answer

Enabling RDS Enhanced Monitoring does not capture query logs. Enabling automatic backups does not log queries. Enabling RDS Performance Insights does not log queries.

To capture SELECT queries, you need to enable PostgreSQL query logging by setting the appropriate parameter group parameters (e.g., log_statement = 'all' or 'mod') and then export logs to CloudWatch Logs.

147
MCQhard

Refer to the exhibit. The output is from the AWS CLI for an RDS instance. The security team suspects that the encryption key used for this DB instance has been compromised. What is the required action to re-encrypt the instance with a new key?

A.Create a snapshot of the DB instance, copy the snapshot with a new KMS key, and restore the DB instance from the copied snapshot.
B.Modify the DB instance to use a new KMS key.
C.Restore the DB instance to a point in time and specify a new KMS key.
D.Enable encryption on a new DB instance and migrate the data.
AnswerA

This process allows re-encryption with a new key.

Why this answer

RDS does not allow changing the encryption key of an existing encrypted DB instance. The only way is to take a snapshot, copy it with a new KMS key, and restore from that snapshot (option A). Option B is wrong because you cannot modify the KMS key directly.

Option C is wrong because restoring to a point in time uses the same key. Option D is wrong because enabling encryption on an unencrypted instance requires a snapshot restore, but this instance is already encrypted.

148
MCQmedium

A company has an Amazon Redshift cluster that contains sensitive data. The security team requires that data be encrypted at rest using a customer-managed AWS KMS key. The cluster was initially launched without encryption. How can the company enable encryption with minimal downtime?

A.Unload the data to Amazon S3, create a new encrypted cluster, and reload the data from S3.
B.Use the AWS CLI to update the cluster encryption setting.
C.Take a snapshot of the cluster and restore it to a new cluster with encryption enabled.
D.Modify the cluster and enable encryption using the AWS Management Console.
AnswerA

This is the standard procedure to enable encryption on an existing Redshift cluster.

Why this answer

Option A is correct. To enable encryption on an existing unencrypted Redshift cluster, you must unload the data to Amazon S3, create a new encrypted cluster, and reload the data. Option B is incorrect because Redshift does not support enabling encryption on an existing cluster directly.

Option C is incorrect because snapshots preserve encryption status; restoring an unencrypted snapshot to an encrypted cluster is not possible. Option D is incorrect because modifying the cluster does not support enabling encryption.

149
MCQmedium

A healthcare company is migrating its patient records database to Amazon RDS for SQL Server. The database contains Protected Health Information (PHI). The compliance team requires that all PHI data be encrypted at rest and that the encryption keys be stored in a dedicated AWS CloudHSM cluster. Additionally, the database must be replicated to a second AWS region for disaster recovery. The DBA has enabled RDS encryption at rest using a KMS key, but the compliance team insists on using CloudHSM. What should the DBA do to meet the compliance requirement while maintaining disaster recovery?

A.Use RDS encryption at rest with a KMS key backed by CloudHSM (custom key store).
B.Migrate the database to Amazon DynamoDB with encryption using CloudHSM via KMS custom key store.
C.Use an RDS Custom for SQL Server instance and configure TDE with CloudHSM, then set up log shipping to another region.
D.Enable Transparent Data Encryption (TDE) using a CloudHSM key and create a cross-region read replica for DR.
AnswerD

TDE supports CloudHSM and cross-region replicas.

Why this answer

Option D is correct because RDS for SQL Server supports Transparent Data Encryption (TDE), which can use CloudHSM as the key store. Cross-region read replicas provide the required DR. Option A is wrong because RDS encryption at rest cannot use CloudHSM directly.

Option B is wrong because moving to DynamoDB is unnecessary and does not use CloudHSM. Option C is wrong because using an RDS Custom instance with TDE and manual replication is more complex and not recommended.

150
MCQhard

A company uses Amazon DynamoDB to store user session data. The security team requires that all data be encrypted at rest using a customer-managed AWS KMS key. The DynamoDB table is already configured with AWS managed KMS encryption. How can the company meet the encryption requirement without recreating the table?

A.Enable DynamoDB Streams and use a Lambda function to copy data to a new table with the desired encryption.
B.Export the table to Amazon S3 using the on-demand backup feature, then import it into a new table encrypted with the desired KMS key.
C.Use the UpdateTable API to specify the new KMS key in the SSESpecification parameter.
D.Delete the table and recreate it with the new KMS key.
AnswerC

DynamoDB allows updating the encryption key on an existing table via UpdateTable.

Why this answer

Option C is correct because DynamoDB supports updating the encryption key for an existing table using the UpdateTable API with the SSESpecification parameter. You can switch from the AWS managed key to a customer managed key. Option D is incorrect because deleting and recreating the table is unnecessary; the encryption configuration can be changed after the table exists.

Option B is incorrect because exporting to S3 and re-importing is unnecessary and causes more downtime. Option A is incorrect because DynamoDB Streams are used for change data capture, not for encryption changes.
