
DBS-C01 · Question #44

DBS-C01 Question #44: Real Exam Question with Answer & Explanation

The correct answer is C: Launch the RDS for PostgreSQL database in a DB subnet group containing private subnets.

Submitted by saadiq_pk · Mar 6, 2026 · Database Security

Question

A medical company is planning to migrate its on-premises PostgreSQL database, along with application and web servers, to AWS. Amazon RDS for PostgreSQL is being considered as the target database engine. Access to the database should be limited to application servers and a bastion host in a VPC. Which solution meets the security requirements?

Options

  • A. Launch the RDS for PostgreSQL database in a DB subnet group containing private subnets.
  • B. Launch the RDS for PostgreSQL database in a DB subnet group containing public subnets.
  • C. Launch the RDS for PostgreSQL database in a DB subnet group containing private subnets.
  • D. Launch the RDS for PostgreSQL database in a DB subnet group containing private subnets.

Explanation

Placing the RDS instance in a DB subnet group containing private subnets ensures the database has no direct internet-facing exposure, meaning only resources within the VPC (such as application servers and the bastion host) can reach it - this satisfies the security requirement of restricted access. Option B is clearly wrong because launching the database in public subnets would expose it to the internet, violating the principle of least privilege and the stated security requirements. Options A and D are structurally identical to C in this question (likely a formatting artifact), but in real exam scenarios, distractors typically differ by adding insecure configurations like enabling public accessibility or using overly permissive security groups. To reinforce the correct approach, combine private subnets with a Security Group that only allows inbound PostgreSQL traffic (port 5432) from the application servers' and bastion host's security groups.

Memory Tip: Think "Private = Protected" - databases containing sensitive medical data should always live in private subnets with no public IP, accessible only through controlled VPC resources. If you see "database" + "restricted access" in an exam question, private subnets are almost always part of the correct answer.
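
The layout the explanation recommends (private subnets, no public accessibility, and a security group that admits only port 5432 from the application and bastion security groups) can be checked mechanically. The audit below is an added example, not part of the original question or of any AWS tooling; it runs offline over constructed dictionaries shaped like boto3 `describe_*` responses, and the function name, sample IDs and finding strings are hypothetical.

```python
# Added example: audits dicts shaped like boto3 describe_* responses (offline).
PG_PORT = 5432

def audit_rds_exposure(db, security_groups, subnet_routes, allowed_sgs):
    """Return findings; an empty list means the layout matches the explanation."""
    findings = []
    if db.get("PubliclyAccessible"):
        findings.append("instance is PubliclyAccessible")
    # A subnet is public when its route table points at an internet gateway.
    for subnet in db["DBSubnetGroup"]["Subnets"]:
        sid = subnet["SubnetIdentifier"]
        routes = subnet_routes.get(sid, [])
        if any(str(r.get("GatewayId") or "").startswith("igw-") for r in routes):
            findings.append(f"subnet {sid} routes to an internet gateway")
    attached = {g["VpcSecurityGroupId"] for g in db["VpcSecurityGroups"]}
    for sg in (s for s in security_groups if s["GroupId"] in attached):
        for perm in sg["IpPermissions"]:
            ports = (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))
            label = f"{sg['GroupId']} {ports}"
            if ports != ("tcp", PG_PORT, PG_PORT):
                findings.append(f"{label}: opens more than tcp/{PG_PORT}")
            # CIDR and prefix-list sources bypass the "only these groups" rule.
            for key in ("IpRanges", "Ipv6Ranges", "PrefixListIds"):
                for src in perm.get(key, []):
                    findings.append(f"{label}: non-group source {src}")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in allowed_sgs:
                    findings.append(f"{label}: unexpected group {pair['GroupId']}")
    return findings

# Constructed sample data; every ID is made up, subnet groups trimmed to one subnet.
ALLOWED = {"sg-app", "sg-bastion"}
ROUTES = {"subnet-priv": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
          "subnet-pub": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]}
GOOD_DB = {"PubliclyAccessible": False, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db"}],
           "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-priv"}]}}
GOOD_SGS = [{"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "UserIdGroupPairs": [{"GroupId": "sg-app"}, {"GroupId": "sg-bastion"}]}]}]
BAD_DB = {"PubliclyAccessible": True, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db"}],
          "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-pub"}]}}
BAD_SGS = [{"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]

if __name__ == "__main__":
    print("good:", audit_rds_exposure(GOOD_DB, GOOD_SGS, ROUTES, ALLOWED))
    for finding in audit_rds_exposure(BAD_DB, BAD_SGS, ROUTES, ALLOWED):
        print("bad:", finding)
```

The compliant sample yields no findings; the misconfigured one is flagged for public accessibility, an internet-gateway route, and a CIDR source on the database security group.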

Topics

#AWS RDS · #VPC Networking · #Private Subnets · #Database Security
