DBS-C01 Question #166: Real Exam Question with Answer & Explanation
The correct answer is A: Grant least privilege to groups, IAM users, and roles. To minimize the risk of accidental deletion of a production Amazon RDS DB instance, implement least privilege for IAM users and roles, enable deletion protection on the DB instance, and use IAM policies to explicitly restrict deletion permissions.
Question
A company is running a two-tier ecommerce application in one AWS account. The application is backed by an Amazon RDS for MySQL Multi-AZ DB instance. A developer mistakenly deleted the DB instance in the production environment. The company restores the database, but this event results in hours of downtime and lost revenue. Which combination of changes would minimize the risk of this mistake occurring in the future? (Choose three.)
Options
- A. Grant least privilege to groups, IAM users, and roles.
- B. Allow all users to restore a database from a backup.
- C. Enable deletion protection on existing production DB instances.
- D. Use an ACL policy to restrict users from DB instance deletion.
- E. Enable AWS CloudTrail logging and Enhanced Monitoring.
Explanation
To minimize the risk of accidental deletion of a production Amazon RDS DB instance, implement least privilege for IAM users and roles, enable deletion protection on the DB instance, and use IAM policies to explicitly restrict deletion permissions.
Common mistakes
- B. Allowing all users to restore a database from a backup does not prevent accidental deletion and could introduce unnecessary security risks by granting broad permissions.
- E. AWS CloudTrail logging provides an audit trail of API calls, and Enhanced Monitoring provides performance metrics, but neither actively prevents a deletion action from occurring.
Concept tested: RDS deletion protection and IAM least privilege