DBS-C01 · Question #45
DBS-C01 Question #45: Real Exam Question with Answer & Explanation
Question
A company has deployed an e-commerce web application in a new AWS account. An Amazon RDS for MySQL Multi-AZ DB instance is part of this deployment with a database-1.xxxxxxxxxxxx.us-east-1.rds.amazonaws.com endpoint listening on port 3306. The company's Database Specialist is able to log in to MySQL and run queries from the bastion host using these details. When users try to utilize the application hosted in the AWS account, they are presented with a generic error message. The application servers are logging a "could not connect to server: Connection times out" error message to Amazon CloudWatch Logs. What is the cause of this error?
Options
- A. The user name and password the application is using are incorrect.
- B. The security group assigned to the application servers does not have the necessary rules to allow
- C. The security group assigned to the DB instance does not have the necessary rules to allow
- D. The user name and password are correct, but the user is not authorized to use the DB instance.
Explanation
Option C is correct because the error message "could not connect to server: Connection timed out" is a network-level connectivity failure, not an authentication failure - meaning the application servers' traffic is being blocked before it ever reaches the database. Since the Database Specialist can connect successfully from the bastion host, the RDS instance and its credentials are functioning, but the security group attached to the RDS DB instance is missing an inbound rule that allows traffic on port 3306 from the application servers' security group or IP range.
Why the distractors are wrong:
- A & D are incorrect because authentication/authorization errors produce messages like "Access denied for user," not connection timeouts - a timeout means the connection never even reached the server to attempt login.
- B is incorrect because a block in the application servers' own security group would have to be on the outbound side, and AWS security groups are stateful with default outbound rules that generally allow all traffic, making the inbound rule on the RDS security group the more likely culprit.
Memory Tip
Think of it this way: "Timeout = Traffic blocked, Access Denied = Wrong credentials." When troubleshooting connectivity, always check the destination's inbound security group first - the database must explicitly allow who can knock on its door (port 3306).
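The inbound check described in the explanation, as an added example that is not part of the original page: it evaluates a DB security group's inbound rules against the bastion host and an application server. The group IDs, IP addresses and rule sets are constructed; the rule dictionaries follow the shape of `IpPermissions` in `aws ec2 describe-security-groups` output.

```python
import ipaddress

def inbound_allows(ip_permissions, port, source_ip, source_sg_ids):
    """True if any inbound rule admits TCP `port` from the given source."""
    addr = ipaddress.ip_address(source_ip)
    for rule in ip_permissions:
        proto = rule.get("IpProtocol")
        if proto == "tcp":
            if not rule["FromPort"] <= port <= rule["ToPort"]:
                continue
        elif proto != "-1":  # "-1" means all protocols and ports
            continue
        # A rule can name a source security group ...
        if any(p["GroupId"] in source_sg_ids
               for p in rule.get("UserIdGroupPairs", [])):
            return True
        # ... or an IPv4 CIDR range.
        if any(addr in ipaddress.ip_network(r["CidrIp"])
               for r in rule.get("IpRanges", [])):
            return True
    return False  # no matching rule: security groups deny by default

def diagnose(db_ingress, client, port=3306):
    if inbound_allows(db_ingress, port, client["ip"], client["sgs"]):
        return "reachable: MySQL answers, so a failure here is 'Access denied'"
    return "blocked: packets are dropped, so the client sees a timeout"

# Constructed sample data (IDs and addresses are placeholders).
BASTION = {"ip": "10.0.0.10", "sgs": {"sg-bastion-example"}}
APP = {"ip": "10.0.1.20", "sgs": {"sg-app-example"}}
DB_INGRESS = [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
               "IpRanges": [],
               "UserIdGroupPairs": [{"GroupId": "sg-bastion-example"}]}]
# The missing rule: allow 3306 from the application servers' group.
APP_RULE = {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
            "IpRanges": [],
            "UserIdGroupPairs": [{"GroupId": "sg-app-example"}]}

if __name__ == "__main__":
    print("bastion:", diagnose(DB_INGRESS, BASTION))
    print("app    :", diagnose(DB_INGRESS, APP))
    print("app+fix:", diagnose(DB_INGRESS + [APP_RULE], APP))
```

Referencing the application servers' security group in the rule, rather than a CIDR range, keeps the rule valid when instances are replaced or scaled.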