AWS SAA-C03 Practice Question #7 – RDS

Here’s a set of 6 scenario-based questions focusing on Amazon RDS.

Question #1

A financial system runs on EC2 instances in an Auto Scaling group, behind an Application Load Balancer, and uses Amazon RDS with MySQL in Multi-AZ mode. To ensure database access is secure, you need to authenticate from EC2 instances using temporary credentials tied to their IAM role.

Which of the following should be implemented to achieve this?

A. Enable IAM DB Authentication on the RDS instance
B. Configure SSL to encrypt database connections
C. Attach an IAM role to EC2 instances that grants RDS access
D. Use IAM with AWS STS to issue temporary database tokens

Answer

A

IAM DB Authentication lets the application authenticate to the database with a short-lived token derived from its IAM role instead of a stored username and password.


Question #2

A weather-tracking app uses EC2 Spot Instances and stores data in a MySQL RDS database located in a single Availability Zone. You need to improve availability by replicating the database synchronously to another AZ.

Which option ensures synchronous replication in Amazon RDS?

A. Amazon CloudFront with Multi-AZ support
B. DynamoDB with a read replica
C. RDS Read Replica
D. RDS with Multi-AZ configuration

Answer

D

RDS Multi-AZ deploys a standby instance in another AZ and uses synchronous replication to ensure high availability and failover.


Question #3

A global news website backed by MySQL on Amazon RDS is experiencing high read traffic. The database must maintain full ACID compliance. You want to increase read throughput efficiently.

Which approach is best suited for this use case?

A. Enable Multi-AZ deployment
B. Use SQS to queue requests
C. Enable RDS standby replicas
D. Set up RDS Read Replicas

Answer

D

Read Replicas absorb read-heavy workloads and scale read throughput. Replication to them is asynchronous, which makes them ideal for performance gains while the primary keeps full ACID guarantees.


Question #4

An accounting system is using Amazon RDS with Multi-AZ enabled for high availability. You want to understand what happens during a primary instance failure.

What takes place when the primary RDS instance fails?

A. The primary DB instance’s IP is reassigned to the standby
B. The primary instance reboots
C. The DNS CNAME is updated to point to the standby
D. A new standby instance is launched in a separate AZ

Answer

C

During a Multi-AZ failover, RDS automatically switches the DNS CNAME to point to the standby instance in another Availability Zone.


Question #5

A company is running a web application hosted on an Auto Scaling group of EC2 instances that connects to a Microsoft SQL Server database hosted on Amazon RDS. The organization needs to ensure that all data transmitted between the application and the database is encrypted in transit.

Which of the following are the MOST suitable actions to implement this requirement? (Choose TWO)

A. Enable rds.force_ssl to force SSL and reboot the DB
B. Download the RDS CA certificate and configure your app for SSL
C. Limit security group access to port 443
D. Enable IAM DB authentication
E. Enable Transparent Data Encryption (TDE) via an option group

Answer

A, B

A. Enable rds.force_ssl

  • This parameter forces all incoming connections to use SSL. Once set to true, any client attempting to connect without SSL is rejected.
  • A reboot of the RDS instance is required for this static parameter to take effect.

B. Install RDS Root CA Certificate & Configure SSL

  • To establish a trusted SSL/TLS connection, the application must trust the certificate that RDS presents.
  • You must download the Amazon RDS Root CA and install it on your EC2 instance or app container.
  • Your application must then explicitly enable SSL in its connection string or driver options so that the server certificate is validated against that CA.

❌ Why the Other Options Are Incorrect

❌ C. Allowing traffic on port 443

  • Port 443 is used for HTTPS, not SQL Server. SQL Server typically uses TCP port 1433.
  • Simply filtering ports does not enforce encryption.

❌ D. IAM DB Authentication

  • IAM authentication helps secure user access but does not encrypt in-transit data by itself.
  • It’s for identity, not encryption.

❌ E. Transparent Data Encryption (TDE)

  • TDE is used for encryption at rest, meaning data stored on disk.
  • This does not encrypt traffic between EC2 and RDS (i.e., in transit).
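As an added example (not part of the original question set), the following Python script checks both halves of the Question #5 setup offline: server side, that rds.force_ssl is 1 and the static change has actually been applied after a reboot; client side, that the SQL Server ODBC connection string turns encryption on without disabling CA validation. The API responses and connection strings are constructed samples; the hostnames and parameter group name are placeholders.

```python
# Constructed samples trimmed to the relevant fields of `aws rds describe-db-parameters`
# and `aws rds describe-db-instances`; no AWS call is made.
PARAMETERS = {"Parameters": [
    {"ParameterName": "rds.force_ssl", "ParameterValue": "1", "ApplyType": "static"}]}
INSTANCE = {"DBInstanceIdentifier": "example-sqlserver",
            "DBParameterGroups": [{"DBParameterGroupName": "sqlserver-tls",
                                   "ParameterApplyStatus": "pending-reboot"}]}

# Constructed connection strings: the weak one looks encrypted to a casual reader.
WEAK = ("Driver={ODBC Driver 17 for SQL Server};Server=db.example;"
        "Database=ledger;TrustServerCertificate=yes")
HARDENED = ("Driver={ODBC Driver 17 for SQL Server};Server=db.example;"
            "Database=ledger;Encrypt=yes;TrustServerCertificate=no")


def parse_conn_string(conn: str) -> dict:
    """Split an ODBC-style 'Key=Value;...' string; ODBC keys are case-insensitive."""
    pairs = (part.split("=", 1) for part in conn.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def server_findings(parameters: dict, instance: dict) -> list:
    """Server side: rds.force_ssl must be 1 AND the static change must be in-sync."""
    findings = []
    value = next((p["ParameterValue"] for p in parameters["Parameters"]
                  if p["ParameterName"] == "rds.force_ssl"), None)
    if value != "1":
        findings.append("rds.force_ssl is not 1: unencrypted logins are still accepted")
    for group in instance.get("DBParameterGroups", []):
        if group.get("ParameterApplyStatus") != "in-sync":
            findings.append(f"parameter group {group['DBParameterGroupName']} is "
                            f"{group['ParameterApplyStatus']}: reboot the instance")
    return findings


def client_findings(conn: str) -> list:
    """Client side: Encrypt must be on and TrustServerCertificate off, otherwise the
    downloaded RDS CA bundle is never used to verify the server's certificate."""
    kv = parse_conn_string(conn)
    findings = []
    if kv.get("encrypt", "no").lower() not in ("yes", "true", "mandatory", "strict"):
        findings.append("Encrypt is off (older drivers default to no): traffic is not encrypted")
    if kv.get("trustservercertificate", "no").lower() in ("yes", "true"):
        findings.append("TrustServerCertificate=yes skips CA validation: a forged cert is accepted")
    return findings


if __name__ == "__main__":
    for name, conn in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, server_findings(PARAMETERS, INSTANCE) + client_findings(conn))
```

Running it reports the pending reboot for both cases and two client-side findings for the weak string, none for the hardened one.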
