It's easy to think RDS security means "check the encryption box, set backup retention to 7 days, and set a few CloudWatch alarms and you're done." But production accidents happen in exactly those gaps. The July 2019 Capital One breach — 106 million personal records exposed — was not a flaw in RDS itself but gaps in operations around metadata authentication, IAM permissions, and S3 backup exposure. Today's topics — encryption, IAM DB authentication, backups, monitoring — are all operational features RDS has evolved to prevent such incidents.
In DVA-C02, this topic is a scenario favorite