AWS Certified Database – Specialty — Question 25
A company is running a two-tier ecommerce application in one AWS account. The application's database tier is an Amazon RDS for MySQL Multi-AZ DB instance. A Developer mistakenly deleted the production DB instance. The database has since been restored from backup, but the mistake caused hours of downtime and lost revenue.
Which combination of changes in existing IAM policies should a Database Specialist make to prevent an error like this from happening in the future? (Choose three.)
Answer options
- A. Grant least privilege to groups, users, and roles
- B. Allow all users to restore a database from a backup that will reduce the overall downtime to restore the database
- C. Enable multi-factor authentication for sensitive operations to access sensitive resources and API operations
- D. Use policy conditions to restrict access to selective IP addresses
- E. Use AccessList Controls policy type to restrict users for database instance deletion
- F. Enable AWS CloudTrail logging and Enhanced Monitoring
Correct answer: A, C, D
Explanation
The correct answers are A, C, and D. Note first what did not help: Multi-AZ protects against infrastructure failure in one Availability Zone, not against an authorized DeleteDBInstance API call, which removes the standby along with the primary. The fix therefore has to be in who is allowed to make that call and under what conditions.

A. Least privilege: a developer working on the web tier has no business need for rds:DeleteDBInstance (or rds:DeleteDBCluster) in production. Remove those actions from the groups and roles developers use and grant them only to a separately controlled administrative role. A mistaken command from a principal that lacks the permission simply fails.

C. Multi-factor authentication: attach an aws:MultiFactorAuthPresent condition to the destructive RDS actions, ideally in an explicit Deny statement so it overrides any broad Allow the principal also holds. A mistyped command run with long-term access keys, or a leaked key, then cannot delete an instance without a second factor.

D. Policy conditions on source IP: an aws:SourceIp condition confines destructive actions to approved networks (for example the corporate VPN egress range). This does not stop a careless engineer on the VPN, but it narrows the blast radius of misused or compromised credentials, which is why it is counted as a preventive IAM change.

Why the others are wrong: B widens permissions instead of narrowing them and only speeds recovery; it prevents nothing. E names a policy type that does not exist in IAM; the closest real mechanism, access control lists, applies to services such as S3 and cannot govern RDS API calls. F (CloudTrail logging and Enhanced Monitoring) is detective tooling: it records who deleted the instance after the fact and does not block the call.

A practitioner's caveat: the question is scoped to IAM, but the most direct control is the RDS deletion protection setting (DeletionProtection) on the instance itself, which makes DeleteDBInstance fail until an administrator deliberately turns it off. IAM restrictions complement it rather than replace it.
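As an added example that is not part of the original question or its published explanation, the following Python builds the guardrail policy that implements choices C and D (explicit Deny on the delete actions unless MFA is present and the caller is inside an approved CIDR) and checks its effect offline with a small evaluator. The evaluator is a deliberate simplification of IAM's engine that covers only the two condition operators the policy uses; the CIDR 203.0.113.0/24 is an assumed, placeholder corporate egress range.

```python
"""Constructed example: an IAM guardrail policy for RDS deletion, plus a tiny
local evaluator so the policy's behaviour can be checked without an AWS account.
The evaluator models only BoolIfExists and NotIpAddress and the explicit-Deny
rule; it is not IAM's real engine. 203.0.113.0/24 is a placeholder CIDR."""
import ipaddress
import json

APPROVED_CIDRS = ["203.0.113.0/24"]  # assumed corporate VPN egress range

# Explicit Deny statements win over any Allow the developer's role grants,
# so this can be attached alongside existing permissions without rewriting them.
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDBDeleteWithoutMFA",
            "Effect": "Deny",
            "Action": ["rds:DeleteDBInstance", "rds:DeleteDBCluster"],
            "Resource": "*",
            # BoolIfExists: also denies when the key is absent, which is the
            # case for requests signed with long-term access keys.
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
        {
            "Sid": "DenyDBDeleteFromUnknownNetwork",
            "Effect": "Deny",
            "Action": ["rds:DeleteDBInstance", "rds:DeleteDBCluster"],
            "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": APPROVED_CIDRS}},
        },
    ],
}


def _condition_matches(condition, ctx):
    """Return True when every condition entry holds for the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "BoolIfExists":
                if key not in ctx:
                    continue  # the *IfExists form is satisfied by a missing key
                if str(ctx[key]).lower() != str(expected).lower():
                    return False
            elif operator == "NotIpAddress":
                ip = ipaddress.ip_address(ctx[key])
                if any(ip in ipaddress.ip_network(cidr) for cidr in expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def evaluate(policy, action, ctx):
    """'Deny' if any matching Deny statement applies, else 'Allow'.
    Assumes the principal already holds an Allow for the action elsewhere."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if stmt["Effect"] == "Deny" and _condition_matches(stmt.get("Condition", {}), ctx):
            return "Deny"
    return "Allow"


def delete_decision(mfa_present, source_ip):
    """Decision for rds:DeleteDBInstance. mfa_present=None models long-term
    access keys, where aws:MultiFactorAuthPresent is not in the context."""
    ctx = {"aws:SourceIp": source_ip}
    if mfa_present is not None:
        ctx["aws:MultiFactorAuthPresent"] = "true" if mfa_present else "false"
    return evaluate(GUARDRAIL_POLICY, "rds:DeleteDBInstance", ctx)


if __name__ == "__main__":
    print(json.dumps(GUARDRAIL_POLICY, indent=2))  # paste-ready policy document
    print(delete_decision(True, "203.0.113.10"))   # MFA, on VPN: Allow
    print(delete_decision(False, "203.0.113.10"))  # no MFA: Deny
    print(delete_decision(None, "203.0.113.10"))   # long-term keys: Deny
    print(delete_decision(True, "198.51.100.7"))   # MFA but off-network: Deny
```

The policy only names the delete actions, so read and describe calls are untouched (choice A, least privilege, is handled separately by removing the delete permissions from the developer role). Before relying on it, confirm the real behaviour with the IAM policy simulator rather than this local model.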