Infrastructure Security
Drill 20 practice questions focused entirely on Infrastructure Security for the AWS SCS-C02 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A healthcare company operates a public web application behind CloudFront and an Application Load Balancer. A form collects patients' credit card numbers and Social Security numbers. Compliance requires that these specific fields remain encrypted from the moment they enter the AWS edge, so that even the application servers and downstream microservices cannot read them — only a dedicated payment processing service holding a private key may decrypt them. The rest of the request must remain readable for normal application processing. Which CloudFront capability meets this requirement with the least change to backend components?
A media company streams licensed video content through Amazon CloudFront. Licensing agreements require that content be accessible only from viewers in Canada and the United States. Additionally, the security team wants to block a specific list of malicious IP addresses regardless of their geographic origin, and they want both controls applied at the edge with the lowest possible latency and cost. Which combination of controls should the security engineer implement?
A company serves static content from a private S3 bucket through a CloudFront distribution. Security review reveals that the S3 objects can still be downloaded directly using their public S3 URLs, bypassing CloudFront (and its attached WAF web ACL). The team must ensure content is only reachable through CloudFront while following current AWS best practices. What should they implement?
A media company serves video thumbnails and metadata through CloudFront backed by an Application Load Balancer in a single AWS Region. During viral traffic spikes, they observe that origin request volume overwhelms the ALB even though most objects are cacheable, because CloudFront has many regional edge caches making independent requests to the origin on cache misses. The security team also wants to minimize the origin's exposure to direct request bursts. Which CloudFront configuration change most directly reduces redundant origin fetches and consolidates requests to the origin?
A media company stores premium video files in an S3 bucket and serves them to paying subscribers through a CloudFront distribution. The security team requires that each video link works only for a specific authenticated subscriber and automatically stops working after 6 hours. Direct S3 access must remain blocked, and links must not be shareable in a way that grants indefinite access. Which approach meets these requirements with the least operational overhead?
A security engineer is reviewing a fleet of EC2 instances that run a web application behind an Application Load Balancer. A recent penetration test found that the application is vulnerable to server-side request forgery (SSRF), and the tester was able to retrieve temporary IAM role credentials from the instance metadata service. The engineer must harden the instances to prevent this specific class of credential theft without redeploying the application. Which action most directly mitigates the risk?
A financial services company connects its on-premises data center to AWS using a 10 Gbps AWS Direct Connect dedicated connection over a private VIF. A compliance auditor mandates that all data traversing the Direct Connect link between on-premises and the VPC must be encrypted in transit at the network layer. The solution must maintain use of the existing Direct Connect connection. Which approach meets this requirement with the least operational overhead?
A security engineer configured a custom network ACL on a public subnet hosting a web server. Inbound rules allow TCP 443 from 0.0.0.0/0, and outbound rules allow only TCP 443 to 0.0.0.0/0. Users report that HTTPS requests to the web server time out, even though the security group correctly allows inbound 443. What is the most likely cause?
A company runs multiple application VPCs connected through a Transit Gateway to a central egress VPC that provides internet access via NAT gateways. Security requires all outbound traffic from every application VPC to be inspected by AWS Network Firewall before reaching the internet, with a single centrally managed firewall policy. Which architecture meets this requirement most effectively?
A financial services company runs a fleet of EC2 instances in private subnets that must reach only a small, approved set of external SaaS endpoints (identified by domain name) over HTTPS. Traffic to any other external destination must be blocked and logged. The instances have no public IPs and route outbound traffic through a NAT gateway. Security groups and NACLs currently allow all outbound traffic on port 443. Which solution best enforces domain-based egress filtering with centralized inspection and logging?
A financial services company routes all outbound VPC traffic through AWS Network Firewall. Their security team wants to inspect the contents of encrypted HTTPS connections leaving the VPC to detect data exfiltration in payloads, not just filter on SNI or domain names. They need this to work without deploying and managing third-party proxy appliances. Which approach meets this requirement?
A security team must inspect all north-south internet traffic for a fleet of VPCs using a specialized third-party intrusion prevention system (IPS) appliance that the company already licenses. The appliance must be deployed horizontally scalable behind a load balancer, with traffic transparently redirected to it for deep packet inspection before reaching the internet, while preserving the original source and destination IP addresses. Which AWS service should the team use to integrate this third-party appliance into the traffic path?
A company runs a three-tier application in a VPC with public and private subnets across two Availability Zones. The security team wants centralized, stateful inspection of all north-south traffic (internet-bound and inbound) with the ability to apply Suricata-compatible intrusion prevention signatures. They also require that the inspection layer be highly available and managed by AWS rather than self-managed EC2 appliances. Which deployment approach meets these requirements?
A financial services company runs a proprietary risk-scoring API on EC2 instances behind a Network Load Balancer in a producer VPC. Several partner organizations in separate AWS accounts must consume this API. Security requirements state that the traffic must never traverse the public internet, partners must not be able to reach any other resources in the producer VPC, and the producer must explicitly approve each partner before access is granted. Which solution meets all of these requirements?
A financial services company runs an application on EC2 instances in a private subnet with no internet access and no NAT gateway. The application must call the Amazon DynamoDB and Amazon Kinesis APIs, and the security team mandates that all traffic to these services stay entirely within the AWS network and never traverse the public internet. What is the MOST appropriate way to enable this connectivity?
A company runs an internal microservice behind a Network Load Balancer and exposes it as a PrivateLink endpoint service. A consumer account creates an interface VPC endpoint to reach the service. The consumer's application, running on EC2 instances in a private subnet, receives connection timeouts when calling the endpoint's DNS name. Traffic never appears in the provider's target logs. Which action is most likely required to resolve the connectivity issue?
A company runs a fleet of EC2 instances across several private subnets in a VPC. The security team discovers that a compromised host attempted to exfiltrate data by resolving and connecting to a series of dynamically generated command-and-control (C2) domains. The team wants a managed AWS control that inspects outbound DNS queries at the VPC level and blocks queries to known-malicious and custom-defined domains, without deploying agents on each instance. Which solution best meets this requirement?
A company runs a three-tier application in a single VPC. The web tier (behind an internet-facing ALB) must reach the app tier on TCP 8080, and the app tier must reach the database tier on TCP 5432. Instances scale in and out frequently via Auto Scaling, so their IP addresses change constantly. The security team wants the tightest possible network controls that do not require manual updates as instances are added or removed. How should the security groups be configured?
A company runs a three-tier application in a VPC. The database tier EC2 instances are in private subnets, and the application tier must connect to them on TCP 5432. A security engineer configures the database instances' security group to allow inbound TCP 5432 only from the application tier's security group. However, the engineer forgets to add any outbound rule allowing return traffic to the application tier. During testing, application-to-database connections succeed normally. Why do the connections still work despite the missing explicit outbound allow rule?
A company runs a fleet of Linux EC2 instances in private subnets with no route to the internet and no public IP addresses. Security policy prohibits any inbound SSH access and forbids deploying bastion hosts. Administrators still need interactive shell access for troubleshooting, and all sessions must be logged for audit. Which approach meets these requirements with the least additional attack surface?
More SCS-C02 practice
Keep going with the other AWS Certified Security - Specialty domains, or take a full timed mock exam.
← Back to SCS-C02 overview