CCNA Db Security Questions

21 of 321 questions · Page 5/5 · Db Security topic · Answers revealed

301 · MCQ · hard

A company uses Amazon DynamoDB with a global secondary index (GSI) on a table that contains sensitive data. The security team requires that the GSI be encrypted with a different AWS KMS key than the base table. Can this be achieved, and if so, how?

A. Yes, by using a custom KMS key policy that differentiates between table and index.
B. Yes, by specifying a different KMS key ID when creating the GSI.
C. No, DynamoDB encrypts the entire table and all its indexes with the same KMS key.
D. No, but you can use a different KMS key for the table and then the GSI will automatically use a different key.
Answer: C

DynamoDB uses one KMS key for the table and all associated indexes.

Why this answer

Option C is correct because DynamoDB encrypts all data at rest using a single KMS key per table. The base table and all of its GSIs are encrypted with the same key. It is not possible to use a different KMS key for a GSI.

Option A is wrong because KMS key policies do not allow per-index encryption. Option B is wrong because the GSI cannot have a separate key. Option D is wrong because the table and its GSIs always use the same key.

302 · MCQ · medium

A company is using Amazon DynamoDB to store sensitive customer data. They need to ensure that all data is encrypted at rest using a customer-managed AWS KMS key. The company also wants to rotate the KMS key every year. What is the simplest way to achieve key rotation?

A. Create a new KMS key every year and update the DynamoDB table to use the new key.
B. Manually rotate the key by deleting and recreating the KMS key each year.
C. Enable automatic key rotation in AWS KMS for the customer-managed key.
D. Import new key material into the existing KMS key every year.
Answer: C

Automatic rotation rotates the key material annually without manual intervention.

Why this answer

Option C is correct because AWS KMS supports automatic annual rotation for customer-managed keys when enabled. You can enable automatic rotation using the KMS console or API. Option A is wrong because creating a new key and updating the DynamoDB table requires manual effort and is more complex.

Option D is wrong because AWS KMS does not support importing key material for symmetric keys; you can import key material for asymmetric keys, but rotation is not automatic. Option B is wrong because manual rotation is not required and is more error-prone.

303 · MCQ · medium

A database administrator runs the described command. What does the output indicate about the RDS instance?

A. The DB instance is not encrypted at rest.
B. The DB instance is in a failed state.
C. The DB instance is running PostgreSQL.
D. The DB instance is encrypted at rest using a KMS key.
Answer: A

StorageEncrypted is false.

Why this answer

Option A is correct. The output shows 'StorageEncrypted: false' and 'KmsKeyId: null', which means the instance is not encrypted at rest. Option B is incorrect because the instance is available.

Option C is incorrect because the engine is MySQL. Option D is incorrect because the output clearly shows that storage encryption is disabled.

304 · Drag & Drop · medium

Arrange the steps to restore an Amazon RDS for MySQL DB instance to a new instance from a manual snapshot in the correct order.


Why this order

Restoring from a manual snapshot involves selecting the snapshot, configuring the new instance, and waiting for completion.

305 · MCQ · hard

A financial services company uses Amazon RDS for MySQL to store sensitive customer data. The compliance team requires that all database administrators (DBAs) must authenticate using IAM database authentication, and no static database passwords should be used. A junior DBA has been granted the rds_iam role in the database. However, the junior DBA is unable to connect using the AWS CLI command: aws rds generate-db-auth-token --hostname mydb.xyz.us-east-1.rds.amazonaws.com --port 3306 --username jdba. The error message says 'Access denied'. What is the most likely cause?

A. The RDS instance does not have a resource-based policy that grants the junior DBA access.
B. The junior DBA is not using an SSL connection to the database.
C. The security group does not allow inbound traffic on port 3306 from the junior DBA's IP address.
D. The RDS instance does not have IAM database authentication enabled.
Answer: D

Without IAM DB auth enabled on the instance, the authentication token is not accepted.

Why this answer

Option D is correct because IAM database authentication requires the RDS instance to have IAM DB authentication enabled; if it is not enabled, the authentication token will be rejected. Option C is wrong because the error 'Access denied' indicates an authentication failure, not a network issue. Option B is wrong because SSL/TLS is required for IAM auth, but the error would be different if SSL were not used.

Option A is wrong because an RDS resource-based policy cannot grant the IAM user permission to generate the token; that requires an IAM policy attached to the user or role.

306 · Multi-Select · medium

A company has an Amazon DynamoDB table that stores user sessions. The security team wants to ensure that only authorized applications can read and write to the table, and that all access is logged. Which THREE steps should the company take to meet these requirements?

Select 3 answers
A. Enable AWS CloudTrail to log DynamoDB API calls.
B. Create an IAM role with a policy that allows only the required DynamoDB actions.
C. Use an interface VPC endpoint for DynamoDB with a VPC endpoint policy.
D. Encrypt the table using a customer-managed KMS key.
E. Enable DynamoDB Streams and process events with Lambda.
Answers: A, B, C

Logs all data plane and control plane operations.

Why this answer

Options A, B, and C are correct. IAM roles with least privilege restrict access. AWS CloudTrail logs API calls.

VPC endpoints ensure traffic stays within the AWS network and can be controlled via endpoint policies. Option E (DynamoDB Streams) can be used for auditing changes, but CloudTrail is more comprehensive. Option D is for encryption, not access control.

307 · Multi-Select · medium

Which TWO actions can help protect an RDS database from SQL injection attacks? (Choose 2.)

Select 2 answers
A. Enable Multi-AZ for the RDS instance.
B. Enable encryption at rest using KMS.
C. Use parameterized SQL statements in the application.
D. Restrict network access using security groups.
E. Implement input validation and sanitization.
Answers: C, E

Parameterized queries separate SQL logic from data.

Why this answer

Option C is correct because parameterized SQL statements (also known as prepared statements) ensure that user input is treated strictly as data, not executable code. By separating SQL logic from data, the database engine compiles the query template once and safely binds parameters, preventing an attacker from injecting malicious SQL fragments. This is the most effective defense against SQL injection at the application layer.

Exam trap

The trap here is that candidates often confuse network-level controls (security groups) or encryption features with application-layer input validation, mistakenly believing that restricting access or encrypting data can prevent SQL injection, when in fact only proper query construction and input handling can stop the attack.

308 · Multi-Select · hard

A company is designing a disaster recovery strategy for an Amazon RDS for SQL Server DB instance that contains sensitive financial data. The database must be encrypted at rest using a customer-managed AWS KMS key. The recovery point objective (RPO) is 5 minutes, and the recovery time objective (RTO) is 1 hour. Which THREE steps should be taken to meet these requirements?

Select 3 answers
A. Take a manual DB snapshot every hour.
B. Enable Multi-AZ deployment for automatic failover.
C. Store the KMS key in the secondary Region by creating a cross-Region KMS key replica.
D. Configure automated backups with a 5-minute backup interval.
E. Create a cross-Region read replica in a different AWS Region.
Answers: B, D, E

Multi-AZ provides automatic failover within a Region, helping meet RTO.

Why this answer

To meet the RPO of 5 minutes, enable Multi-AZ with automatic failover (Option B) and automated backups with a 5-minute backup window (Option D). For an RTO of 1 hour, manual DB snapshot restore is faster than point-in-time restore; automated backups allow point-in-time recovery but may take longer. Option A is wrong because manual snapshots are not automated; you need automated backups.

Option C is not one of the three selected answers, although you also need to ensure the KMS key is available in the secondary Region for cross-Region DR. Option E is correct because a read replica can be promoted faster than restoring from a snapshot.

309 · MCQ · medium

A developer needs to connect to the RDS instance from an EC2 instance in the same VPC. The EC2 instance's security group allows outbound traffic to 0.0.0.0/0. The RDS security group inbound rules currently allow traffic from 0.0.0.0/0 on port 3306. After a security review, the company decides to restrict inbound traffic to the VPC only. Which inbound rule should be added to the RDS security group?

A. An inbound rule allowing traffic from the RDS endpoint address on port 3306.
B. An inbound rule allowing traffic from the EC2 instance's security group ID on port 3306.
C. An inbound rule allowing traffic from 10.0.0.0/8 on port 3306.
D. An inbound rule allowing traffic from the VPC CIDR (e.g., 10.0.0.0/16) on port 3306.
Answer: B

This restricts access to only the EC2 instances in that security group.

Why this answer

Option B is correct because the EC2 instance is in the same VPC, and using the security group ID is the most secure and specific rule. Option C is too broad. Option A is unnecessary since the RDS endpoint is not a source IP address.

Option D would allow all traffic in the VPC, but using the security group is better.

310 · MCQ · hard

A company is using Amazon Aurora MySQL-Compatible Edition. The security team wants to ensure that database credentials are not stored in application configuration files. They decide to use AWS Secrets Manager to manage credentials. The application is hosted on Amazon EC2 instances that have an IAM role attached. What is the most secure way to grant the application access to the secret?

A. Grant the IAM role attached to the EC2 instance permissions to read the secret, and use the Secrets Manager API to retrieve it at runtime.
B. Store the secret in the application code and rotate it periodically.
C. Attach a resource-based policy to the EC2 instance allowing access to the secret.
D. Store the secret in an encrypted S3 bucket and have the application download it at startup.
Answer: A

This is the most secure approach because the secret is never stored on the instance; it is retrieved on demand via API.

Why this answer

Option A is correct because the most secure approach is to grant the EC2 IAM role permission to read the secret using an IAM policy attached to the role, and then have the application call the Secrets Manager API to retrieve the secret at runtime. This avoids storing secrets in code or configuration files. Option B is wrong because hardcoding credentials defeats the purpose.

Option D is wrong because storing the secret in a file downloaded to the instance is not secure. Option C is wrong because you should not attach a resource-based policy to the EC2 instance; IAM roles are the correct mechanism.

311 · MCQ · medium

A company stores sensitive data in an Amazon S3 bucket that is accessed by an Amazon Redshift cluster. The security team requires that the data in transit between Redshift and S3 be encrypted. Which configuration ensures this?

A. Enable server-side encryption (SSE-S3) on the S3 bucket.
B. Ensure that the Redshift cluster has SSL enabled, which encrypts data in transit by default for COPY/UNLOAD operations to S3.
C. Configure a VPC endpoint for S3.
D. Use client-side encryption on the data before uploading to S3.
Answer: B

Redshift uses SSL for data transfer to S3 by default.

Why this answer

Option B is correct. Redshift automatically uses SSL encryption for data in transit when moving data to and from S3 using COPY/UNLOAD commands. Option A is incorrect because server-side encryption (SSE-S3) encrypts data at rest, not in transit.

Option D is incorrect because client-side encryption encrypts data before sending, but Redshift handles this automatically with SSL. Option C is incorrect because VPC endpoints do not encrypt data in transit; they provide private connectivity.

312 · MCQ · hard

Refer to the exhibit. A company has an S3 bucket with server-side encryption using AWS KMS. The bucket policy allows access to a user, but the user receives 'Access Denied' when trying to download an object. The IAM policy for the user is shown. What is the MOST likely cause?

A. The user does not have MFA enabled.
B. The KMS key ID in the policy is incorrect.
C. The policy does not allow kms:Decrypt for the S3 bucket.
D. The policy has a condition that limits kms:Decrypt to when the request is made through the S3 service, but the user might be using a different service to access the object (e.g., directly via KMS API).
Answer: D

The condition 'kms:ViaService' ensures decryption only through S3.

Why this answer

The policy restricts kms:Decrypt to requests coming via the S3 service only. If the user is using the AWS CLI with the S3 API directly (not via the S3 service principal), the condition fails. Option D is correct.

Option B is wrong because the key ID is correct in the policy. Option A is wrong because the condition is the issue, not MFA. Option C is wrong because the policy does allow kms:Decrypt for S3.

313 · MCQ · hard

A company uses Amazon DynamoDB with fine-grained access control based on user identity. The IAM policy for a user includes a condition that restricts access to items where the 'department' attribute equals 'engineering'. However, the user is receiving an 'AccessDeniedException' when trying to query items. What is the most likely cause?

A. The user is not using the correct IAM role.
B. The 'department' attribute is not the partition key of the table.
C. The DynamoDB table is not configured to require SSL.
D. The IAM policy is missing a 'Condition' block.
Answer: B

Fine-grained access control using 'LeadingKeys' requires the condition on the partition key.

Why this answer

Fine-grained access control in DynamoDB uses IAM policy conditions with the 'dynamodb:LeadingKeys' or 'dynamodb:Attributes' condition keys. The 'department' attribute must be the partition key of the table for 'LeadingKeys' to work. If 'department' is not the partition key, the condition cannot be evaluated for the query.

Option A is possible but less likely if the user is using the correct role. Option C is wrong because DynamoDB does not require SSL for all operations. Option D is wrong because a 'Condition' block is exactly how fine-grained access control works.

314 · MCQ · easy

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database contains sensitive data that must be encrypted at rest. Which action should the company take to enable encryption on the RDS instance?

A. Modify the existing RDS DB instance and enable encryption.
B. Create a new RDS DB instance with encryption enabled and migrate the data.
C. Enable Oracle Transparent Data Encryption (TDE) on the existing RDS instance.
D. Take a snapshot of the existing database, encrypt the snapshot, and restore from it.
Answer: B

Encryption can only be enabled at creation time.

Why this answer

Amazon RDS for Oracle supports encryption at rest using AWS KMS. Encryption can only be enabled when the DB instance is created; you cannot encrypt an existing unencrypted RDS instance. You must either create a new encrypted instance and migrate the data, or use Oracle features like TDE.

Option B is correct because you create a new encrypted instance. Option A is wrong because you cannot modify an existing instance to add encryption. Option D is wrong because you cannot encrypt a snapshot and restore from it if the original instance was unencrypted.

Option C is wrong because Oracle TDE is an option but requires additional configuration; the simplest solution is to create a new encrypted instance.

315 · MCQ · medium

A company is using Amazon RDS for MySQL with automated backups enabled. The security team requires that all backups be encrypted at rest. Which configuration ensures that new automated backups are encrypted?

A. Create a new encrypted DB instance and migrate the data. Automated backups will inherit encryption.
B. Modify the DB instance to enable encryption at rest after creation.
C. Use AWS KMS to encrypt the S3 bucket where automated backups are stored.
D. Enable encryption at rest on the DB instance and also enable encryption on automated backups using the DBSnapshot option.
Answer: A

Creating an encrypted instance ensures all backups (automated and manual) are encrypted.

Why this answer

Option A is correct because enabling encryption on the RDS instance encrypts automated backups as well. Option D is wrong because enabling encryption at rest on the DB instance does encrypt backups, but the DBSnapshot option alone does not encrypt future automated backups. Option C is wrong because automated backups are stored in S3 but cannot be encrypted separately from the instance.

Option B is wrong because encryption at rest must be enabled at creation time; you cannot enable it later without a snapshot restore.

316 · MCQ · hard

A security engineer is designing a VPC with an RDS instance. The database must not be accessible from the internet, but EC2 instances in a private subnet must connect. Which security group configuration is MOST secure?

A. Set the RDS security group inbound rule to allow traffic from the VPC CIDR on port 3306.
B. Set the RDS security group inbound rule to allow traffic from 0.0.0.0/0 on port 3306.
C. Set the RDS security group inbound rule to allow traffic from the private subnet CIDR on port 3306.
D. Set the RDS security group inbound rule to allow traffic from the EC2 security group on port 3306.
Answer: D

This is the most secure, least-privilege approach.

Why this answer

Option D is the most secure because it uses a security group reference instead of a CIDR block. By referencing the EC2 security group as the source in the RDS security group inbound rule, only instances associated with that specific security group can communicate with the database on port 3306. This approach adheres to the principle of least privilege and automatically scales as instances are added or removed from the EC2 security group, without needing to update CIDR ranges.

Exam trap

The trap here is that candidates often choose a CIDR-based rule (like the private subnet CIDR) thinking it is sufficiently restrictive, but they overlook the superior security and operational benefits of using a security group reference, which is a key concept tested in the DBS-C01 exam for database security.

How to eliminate wrong answers

Option A is wrong because allowing traffic from the entire VPC CIDR (e.g., 10.0.0.0/16) is overly permissive; any resource in the VPC, including those in public subnets or unintended services, could reach the RDS instance, increasing the attack surface. Option B is wrong because allowing traffic from 0.0.0.0/0 on port 3306 makes the database publicly accessible from the internet, directly violating the requirement that the database must not be accessible from the internet. Option C is wrong because while it restricts traffic to the private subnet CIDR, it still allows any instance in that subnet (including compromised or unauthorized ones) to connect, and it does not automatically adjust if the subnet CIDR changes or if instances are added to a different private subnet.

317 · Multi-Select · hard

Which THREE of the following are best practices for securing an Amazon Aurora MySQL database? (Select THREE.)

Select 3 answers
A. Enable encryption at rest using AWS KMS.
B. Enable audit logging to track database activity.
C. Store database credentials in application code for simplicity.
D. Use IAM database authentication for access.
E. Disable automated backups to reduce attack surface.
Answers: A, B, D

Encryption at rest protects data if storage is compromised.

Why this answer

Options A, B, and D are correct. Option C is wrong because storing secrets in application code is insecure. Option E is wrong because disabling automated backups reduces data durability.

318 · MCQ · easy

A company wants to ensure that only specific IAM users can perform certain operations on an Amazon RDS DB instance, such as creating snapshots or modifying the instance. Which AWS feature should be used to define these permissions?

A. VPC security groups
B. IAM policies
C. DB parameter groups
D. DB subnet groups
Answer: B

IAM policies define permissions for AWS actions on resources like RDS.

Why this answer

Option B is correct. IAM policies are used to grant permissions to IAM users, groups, or roles for specific AWS resources, including RDS. Options A, C, and D are not used for access control: security groups control network traffic, DB parameter groups configure database engine settings, and DB subnet groups define network subnets.

319 · MCQ · hard

Refer to the exhibit. A database administrator has this IAM policy attached to their user. They are trying to authorize ingress to a DB security group named 'my-security-group' in the us-east-1 region. The operation fails. What is the most likely reason?

A. The user is not allowed to create DB security groups, which is a prerequisite.
B. The policy does not grant 'rds:AuthorizeDBSecurityGroupIngress' on the specific security group.
C. The security group ARN in the policy is incorrect; it should include the security group ID instead of the name.
D. The user is missing the 'rds:DescribeDBSecurityGroups' permission, which is required to perform the authorize operation.
Answer: D

IAM requires the corresponding Describe action for many APIs.

Why this answer

The policy allows 'rds:AuthorizeDBSecurityGroupIngress' on the specific security group ARN, and the ARN uses the correct format for a DB security group, 'arn:aws:rds:region:account:secgrp:security-group-name' (for example, 'arn:aws:rds:us-east-1:123456789012:secgrp:my-security-group').

The security group might not exist or might be in a different Region, but the most common mistake is that the user also needs 'rds:DescribeDBSecurityGroups' to view the security group before authorizing ingress. Option D is the valid explanation.

Option B is wrong because the policy does allow the action on that resource. Option C is wrong because the name-based ARN in the policy is the correct format. Option A is wrong because the user can create security groups.

320 · MCQ · easy

A company is using Amazon Aurora MySQL and needs to audit all database logins and query activity. Which feature should be enabled to meet this requirement?

A. Enable database audit logs by setting the audit_log_enabled parameter to 1.
B. Enable RDS Enhanced Monitoring.
C. Enable AWS CloudTrail to log database queries.
D. Enable Advanced Auditing through the DB cluster parameter group by setting the server_audit_logging parameter and related parameters.
Answer: D

This is the correct feature for auditing queries and logins in Aurora MySQL.

Why this answer

Option D is correct because Aurora MySQL provides an Advanced Auditing feature that captures logins and query activity. Option A (database audit logs) is a generic term but not a specific feature; Advanced Auditing is the correct feature. Option C (CloudTrail) is for AWS API calls, not database queries.

Option B (RDS Enhanced Monitoring) monitors OS metrics, not database activity.

321 · MCQ · medium

A developer needs to allow an application running on EC2 to access an Amazon RDS database without storing database credentials in the application code. Which solution is the MOST secure?

A. Use IAM database authentication for the RDS instance and assign an IAM role to the EC2 instance.
B. Store the database password in AWS Systems Manager Parameter Store as a SecureString.
C. Store the database password in the application configuration file.
D. Store the database password in AWS Secrets Manager and enable automatic rotation.
Answer: A

IAM database authentication enables passwordless access using IAM roles, eliminating the need to store credentials.

Why this answer

Option A is correct because IAM database authentication for RDS MySQL/Aurora allows passwordless access using IAM roles, which is more secure than storing passwords. Option D avoids hardcoded credentials because AWS Secrets Manager can rotate secrets automatically and the application retrieves them via API, but a database password is still stored. Option C is wrong because storing credentials in the configuration file is insecure.

Option B is wrong because Parameter Store can store secrets but does not automatically rotate RDS credentials.
