RDS security (encryption, security groups) in AWS - Practice Problems & Coding Challenges

Challenge - 5 Problems
Badge: RDS Security Master (awarded for getting all five challenges correct)

Problem 1 (Conceptual, intermediate): Understanding RDS Encryption at Rest

Which statement correctly describes how encryption at rest works for an AWS RDS instance?

A. Encryption at rest encrypts the data stored on the disk and backups using AWS KMS keys.
B. Encryption at rest encrypts data only during transmission between the client and the RDS instance.
C. Encryption at rest requires manual encryption of data before storing it in the database.
D. Encryption at rest is enabled by default for all RDS instances regardless of configuration.

Hint: Think about what 'at rest' means in terms of data storage.

Problem 2 (Configuration, intermediate): RDS Security Group Configuration

You want to allow only EC2 instances in a specific security group to access your RDS instance. Which security group rule should you add to the RDS security group?

A. Inbound rule allowing TCP port 22 from the EC2 instances' security group ID.
B. Outbound rule allowing all traffic to the EC2 instances' security group ID.
C. Inbound rule allowing TCP port 3306 from the EC2 instances' security group ID.
D. Inbound rule allowing UDP port 3306 from the EC2 instances' security group ID.

Hint: Consider the default port for MySQL and the direction of traffic for database access.

Problem 3 (Architecture, advanced): Designing Secure RDS Access in a VPC

You have an RDS instance in a private subnet inside a VPC. You want to allow access only from a web server in a public subnet. Which architecture and security group setup is best?

A. Create a security group for the RDS instance allowing inbound traffic on port 22 from the web server's security group.
B. Assign a public IP to the RDS instance and allow inbound traffic from anywhere on the database port.
C. Place the RDS instance in the public subnet and allow inbound traffic from the internet on the database port.
D. Create a security group for the RDS instance allowing inbound traffic on the database port from the web server's security group. The web server is in the public subnet with a security group allowing outbound traffic to RDS.

Hint: Think about subnet types and limiting exposure of the database.

Problem 4 (Security, advanced): RDS Encryption Key Management

You enabled encryption for your RDS instance using a customer-managed AWS KMS key. What happens if you delete this KMS key?

A. The RDS instance data is decrypted automatically and remains accessible.
B. The RDS instance and its data become inaccessible because the encryption key is deleted.
C. The RDS instance automatically switches to a default AWS-managed key without downtime.
D. The RDS instance continues working normally because encryption is only applied during backups.

Hint: Consider the role of the KMS key in decrypting data at rest.

Problem 5 (Service behavior, expert): RDS Security Group Behavior with Multiple Rules

An RDS security group has two inbound rules: one allows TCP port 5432 from 10.0.0.0/24, and another allows TCP port 5432 from security group sg-12345. An EC2 instance with security group sg-12345 and IP 10.0.1.10 tries to connect on port 5432. What is the outcome?

A. The connection is allowed because the EC2 instance's security group matches the allowed security group rule.
B. The connection is denied because the EC2 instance's IP is outside the 10.0.0.0/24 CIDR range.
C. The connection is denied because both rules must match for access to be granted.
D. The connection is allowed only if the EC2 instance's IP is within 10.0.0.0/24.

Hint: Remember how security group rules are evaluated in AWS.