Infrastructure Security
Drill 20 practice questions focused entirely on Infrastructure Security for the AWS SCS-C03 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A media company serves static video assets from an S3 bucket through a CloudFront distribution. The security team discovers that users can bypass CloudFront and download objects directly using the S3 bucket's website endpoint URLs, avoiding WAF rules and geo-restrictions applied at the edge. The team wants to ensure all access to the S3 objects is only possible through CloudFront, using the most current AWS-recommended mechanism. What should they implement?
A security team operates a public web application served through Amazon CloudFront with an Application Load Balancer origin. A recent penetration test flagged that the application does not enforce HTTP Strict Transport Security (HSTS) and is missing X-Content-Type-Options and X-Frame-Options headers on responses. The development team is busy and cannot modify the application code for several sprints. The team needs a way to consistently add these security headers to all responses at the edge with minimal operational effort. Which approach best meets this requirement?
A retail company serves its web application through Amazon CloudFront with an Application Load Balancer (ALB) origin. AWS WAF is associated with the CloudFront distribution to filter malicious requests. During a security review, the team discovers that attackers are bypassing CloudFront by sending requests directly to the ALB's public DNS name, avoiding the WAF rules entirely. The ALB must remain internet-facing to support the CloudFront integration. Which combination of controls MOST effectively ensures that only CloudFront-originated traffic reaches the ALB?
A company runs a web application on EC2 instances in a private subnet behind an internet-facing Application Load Balancer. A security engineer adds an inbound rule to the subnet's network ACL allowing TCP port 443 from 0.0.0.0/0 so users can reach the application. Users report that connections still time out. The instances' security group already allows inbound 443 from the ALB security group and all outbound traffic. What is the MOST likely cause and correct fix?
A company operates a multi-VPC environment connected through an AWS Transit Gateway. Security policy requires that all traffic between VPCs (east-west) and all traffic to the internet (north-south) pass through a centralized AWS Network Firewall for stateful inspection. The security engineer creates a dedicated inspection VPC with AWS Network Firewall endpoints deployed across Availability Zones. Which routing configuration ensures traffic is correctly directed to the firewall endpoints for inspection without asymmetric routing issues?
A company runs hundreds of EC2 instances across multiple private subnets in a single VPC. Security policy requires that outbound HTTPS traffic to the internet be allowed ONLY to an approved list of fully qualified domain names (for example, updates.vendor.com and api.partner.com), and all other outbound traffic must be denied and logged. The solution must be centrally managed, scale with the fleet, and inspect traffic at the application layer without deploying agents on the instances. Which approach best meets these requirements?
A security engineer deploys AWS Network Firewall in a dedicated inspection subnet to centrally filter egress traffic from several spoke VPCs connected via a transit gateway. After deployment, users report that some outbound connections intermittently fail, while others succeed. VPC Flow Logs show that return traffic for the failing flows is bypassing the firewall endpoint and being dropped by the stateful engine as unsolicited. What is the MOST likely root cause and the correct remediation?
A financial services company routes all outbound traffic from a workload VPC through AWS Network Firewall for inspection. Compliance requires that EC2 instances can only reach a fixed set of external SaaS domains over HTTPS. The instances do NOT use a forward proxy, and the security team wants to avoid decrypting traffic due to certificate-handling overhead. They need the firewall to allow only the approved domains and block all other HTTPS destinations. Which approach meets the requirement with the least operational overhead?
A financial services company routes all outbound VPC traffic through AWS Network Firewall. The security team must inspect the payload of outbound HTTPS connections to detect data exfiltration hidden inside encrypted sessions, while allowing employees to reach approved SaaS providers. Currently, Network Firewall can only match on the SNI of the TLS handshake and cannot see inside the encrypted traffic. Which approach lets the firewall inspect the decrypted application-layer content at scale without deploying third-party proxy appliances?
A company runs a multi-account AWS environment with a centralized inspection VPC. The security team must deploy a third-party next-generation firewall appliance (from a vendor in AWS Marketplace) to inspect all north-south and east-west traffic. They require the solution to scale automatically across multiple appliance instances, preserve traffic symmetry (return traffic reaches the same appliance), and integrate transparently into the existing traffic flow without requiring source/destination changes to packets. Which AWS service should they use to insert the third-party appliances into the traffic path?
A security engineer needs to permanently block a single known-malicious external IP address from reaching any resource across all subnets in a production VPC. The VPC contains dozens of subnets and hundreds of EC2 instances managed by multiple teams, and each team independently controls its own security groups. The engineer wants a solution that enforces the block centrally at the subnet boundary, cannot be overridden by individual application teams modifying security groups, and requires the least ongoing administrative effort. Which approach best meets these requirements?
A financial services company runs an internal fraud-scoring API on an Amazon EC2 fleet behind a Network Load Balancer in a provider VPC. They expose it to multiple consumer VPCs (belonging to different internal business units) through an AWS PrivateLink endpoint service. The security team requires that only specific approved consumer applications can send traffic to the service, and that the provider must enforce which source addresses within a consumer VPC can reach the endpoint at the network layer. Which approach correctly enforces this control on the traffic entering the interface endpoint from consumers?
A company runs an internal payments API on EC2 instances behind a Network Load Balancer in their 'provider' VPC (account A). Multiple partner teams in separate AWS accounts (each with overlapping CIDR ranges) must consume this API privately, without traversing the public internet and without exposing the entire provider VPC. The security team requires that consumers cannot initiate connections back into the provider VPC and that traffic never leaves the AWS network. Which solution meets these requirements with the least ongoing operational overhead?
A company runs a fleet of EC2 instances in a private subnet that must only initiate outbound HTTPS connections to a specific partner's API at the IP range 203.0.113.0/24. A security review reveals the instances' security group currently allows all outbound traffic (0.0.0.0/0 on all ports). The security engineer must enforce least-privilege egress while ensuring return traffic from the partner API is still permitted. Which change satisfies these requirements with the least operational overhead?
A company runs a three-tier application in a single VPC. The web tier is an Auto Scaling group behind an internet-facing ALB, the application tier is an Auto Scaling group of EC2 instances, and the database tier is Amazon RDS. Instances scale frequently, so their private IP addresses change constantly. The security team wants the application tier to accept traffic only from the web tier, and the database tier to accept traffic only from the application tier, without maintaining CIDR-based rules that break when instances are replaced. What is the MOST maintainable way to configure the security groups?
A company runs a global web application behind an Application Load Balancer that is protected by AWS Shield Advanced. During a recent volumetric attack, the Shield Response Team (SRT) reported that Shield's automatic mitigations were sometimes triggered late, occasionally causing brief availability impact before mitigation engaged. The security team wants Shield Advanced to react faster and more accurately by incorporating the actual health of the protected application into its detection and mitigation decisions. Which action best achieves this?
A financial services company runs a public web application behind an Application Load Balancer (ALB) fronted by CloudFront. During a recent event, the application experienced a large volume of HTTP GET floods that mimicked legitimate user traffic, causing backend exhaustion. The security team has already subscribed to AWS Shield Advanced. They want automatic layer 7 DDoS mitigation with the ability to have the AWS Shield Response Team (SRT) actively engage during attacks, and they want to minimize false positives against real users. Which configuration best meets these requirements?
A company runs an EC2-based application in private subnets that must read from and write to a specific S3 bucket named 'corp-finance-reports'. Security requirements state that traffic to S3 must not traverse the public internet, and the instances must be prevented from accessing any other S3 bucket, even if application credentials are compromised. A gateway VPC endpoint for S3 has already been created. Which additional configuration BEST enforces these requirements?
A company runs applications on-premises connected to an AWS VPC via an AWS Direct Connect connection. The security team wants on-premises servers to access Amazon Kinesis Data Streams privately, without traffic traversing the public internet, by using an interface VPC endpoint (powered by AWS PrivateLink). After creating the interface endpoint in the VPC, on-premises applications still cannot resolve the Kinesis endpoint DNS name to the private endpoint IP addresses. What is the recommended way to enable correct private DNS resolution for the on-premises hosts?
A company operates three VPCs: a Shared Services VPC (containing DNS resolvers and a centralized logging endpoint), a Production VPC, and a Development VPC. Security policy requires that both Production and Development can reach the Shared Services VPC, but Production and Development must NOT be able to communicate with each other under any circumstance. All three VPCs are connected through a single AWS Transit Gateway. A security engineer must enforce this isolation with the least operational overhead while keeping all traffic on the Transit Gateway. What is the MOST appropriate configuration?
More SCS-C03 practice
Keep going with the other AWS Certified Security - Specialty domains, or take a full timed mock exam.
← Back to SCS-C03 overview