Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Free Resources

Difficulty IndexLearn — Free ChaptersIT GlossaryFree Tools & LabsStudy GuidesCareer RoadmapsBrowse by VendorCisco Command ReferenceCCNA Scenarios

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsSCS-C02DomainsInfrastructure Security
SCS-C02Free — No Signup

Infrastructure Security

Infrastructure Security questions on this certification test your ability to deploy and manage infrastructure security concepts in scenario-based situations.

333questions

Start practicing

Infrastructure Security — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

SCS-C02 Domains

Threat Detection and Incident ResponseSecurity Logging and MonitoringIdentity and Access ManagementManagement and Security GovernanceInfrastructure SecurityData Protection

Domain overview

About the Infrastructure Security domain

Use this page to practise Infrastructure Security questions for this certification. Focus on how the exam tests infrastructure security in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Exam objectives

What Infrastructure Security tests on SCS-C02

  1. 1

    Core Infrastructure Security concepts and how they apply in real-world cloud scenarios.

  2. 2

    How to deploy infrastructure security correctly and verify the outcome.

  3. 3

    Troubleshooting infrastructure security issues by interpreting error output and system state.

  4. 4

    Cloud best practices and Infrastructure Security design trade-offs tested by this certification.

Watch out — common Infrastructure Security traps

  • !

    Selecting the most expensive service when a simpler managed option meets the requirement.

  • !

    Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.

  • !

    Choosing a global service fix when the issue is region-specific.

  • !

    Overlooking cost implications of cross-region data transfer in architecture questions.

Practice Infrastructure Security questions

10Q20Q30Q50Q

SCS-C02 Infrastructure Security questions (showing 300 of 333)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A company is designing a multi-tier web application on AWS. The web tier must be accessible from the internet, but the application and database tiers must be isolated. The security team requires that all traffic between tiers be encrypted and that the application tier can only be accessed by the web tier. Which architecture should be used?

2

A security engineer is troubleshooting connectivity issues between an Amazon EC2 instance in a VPC and an on-premises server over a Direct Connect virtual interface. The EC2 instance has a security group that allows outbound traffic to the on-premises CIDR block (10.0.0.0/16). The VPC has a route table entry pointing the on-premises CIDR to the virtual private gateway. The on-premises firewall shows that packets are received from the EC2 instance but responses are not reaching the instance. What is the most likely cause?

3

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all Amazon S3 buckets across the organization have server-side encryption (SSE-S3 or SSE-KMS) enabled. Which approach should be used to enforce this policy?

4

A company is migrating a legacy application to AWS. The application requires two-way communication between the web servers and the database servers using TCP port 3306. The security team wants to follow the principle of least privilege. Which TWO actions should be taken to secure the traffic?

5

A security engineer is reviewing the SQS queue policy shown in the exhibit. The queue is subscribed to an SNS topic in the same account. The security team has a requirement that only the SNS topic should be allowed to send messages to the queue. What is the issue with this policy?

6

A financial services company runs a critical application on Amazon EC2 instances in a VPC. The application processes sensitive financial data and must meet strict compliance requirements. The security team recently discovered that an EC2 instance was compromised due to an unpatched vulnerability. The attacker used the instance's IAM role to access an S3 bucket containing customer data and exfiltrated the data. The security team needs to prevent such incidents in the future. They have implemented the following controls: - All EC2 instances are launched in private subnets. - The IAM roles used by EC2 instances follow the principle of least privilege. - Security groups restrict inbound and outbound traffic. - AWS Systems Manager Patch Manager is used to patch instances. - AWS CloudTrail is enabled and logs are sent to a centralized S3 bucket. - Amazon GuardDuty is enabled. Despite these controls, the team is concerned about the blast radius if an instance is compromised again. Which additional measure would MOST effectively limit the blast radius of a compromised EC2 instance?

7

A security engineer is designing a VPC with public and private subnets. The application servers in the private subnets need to access the internet for software updates, but must not be directly reachable from the internet. Which TWO actions satisfy these requirements?

8

Refer to the exhibit. A security engineer finds the above IAM policy attached to an IAM group. The policy is intended to allow all EC2 actions only from the corporate network (10.0.0.0/8). However, users report that they can perform EC2 actions from outside the corporate network. What is the MOST likely reason?

9

A company runs a web application on EC2 instances in an Auto Scaling group across two Availability Zones. The instances are behind an Application Load Balancer. The security team wants to ensure that only the ALB can send traffic to the instances. The instances are in a security group named 'app-sg'. Currently, 'app-sg' has an inbound rule allowing HTTP traffic from 0.0.0.0/0. The team wants to restrict access to only the ALB's security group. The ALB is in a security group named 'alb-sg'. Which course of action should the security engineer take to meet the requirement with minimal disruption?

10

Drag and drop the steps to set up AWS Certificate Manager (ACM) for a custom domain in the correct order.

11

Match each AWS Storage service encryption feature to its description.

12

A company uses Network Load Balancer (NLB) in front of a fleet of EC2 instances in private subnets. Security team requires that the source IP addresses of clients be preserved in the access logs of the backend instances. Which configuration should the security engineer verify?

13

A security engineer is designing a VPC with public and private subnets. The application must be able to send outbound traffic to the internet, but inbound traffic from the internet must be blocked except for a single HTTP load balancer. The application also needs to access an S3 bucket in the same AWS region. Which combination of VPC components meets these requirements? (Choose two.)

14

A company is using AWS WAF to protect its Application Load Balancer (ALB). The security team wants to block requests that do not contain a valid API key in the HTTP header 'X-API-Key'. Which WAF rule type should be used?

15

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance is associated with a security group that allows outbound HTTPS (port 443) to 0.0.0.0/0. The private subnet route table has a default route (0.0.0.0/0) pointing to a NAT Gateway in the public subnet. The NAT Gateway's security group allows inbound HTTPS from the private subnet CIDR. However, the instance cannot download patches. What is the most likely cause?

16

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The connection is set up with a private VIF to a VPC using a virtual private gateway. The security team wants to encrypt all traffic between on-premises and the VPC. Which solution should be implemented?

17

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. Which S3 bucket policy condition key should be used?

18

A company is using AWS CloudFormation to deploy a multi-tier application. The security team requires that the database tier (RDS) be deployed in private subnets that are not directly routable from the application tier (EC2). The application tier must communicate with the database using an internal network path. Which solution meets these requirements?

19

A company is using AWS Shield Advanced to protect its web application against DDoS attacks. Which additional AWS service can be used to automatically mitigate application layer attacks?

20

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to access an S3 bucket to store logs. The security team wants to ensure that traffic does not traverse the internet. Which solution should be used? (Choose two.)

21

A company wants to deploy a web application that must be accessible over HTTPS only. The application runs behind an Application Load Balancer (ALB). The security team wants to enforce HTTP Strict Transport Security (HSTS) to prevent downgrade attacks. Which configuration achieves this?

22

A company is using AWS CloudTrail to log API calls. The security team wants to ensure that the logs are encrypted at rest and that access to the logs is controlled. Which actions should be taken? (Choose two.)

23

A company is using AWS Key Management Service (KMS) to encrypt data at rest in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt the data. Which KMS policy element should be used?

24

A company uses Amazon CloudFront with an Application Load Balancer (ALB) as the origin. The security team wants to restrict access to the ALB so that it only accepts traffic from CloudFront. Which configuration should be used?

25

A security engineer is designing a VPC with private subnets for an application that must access the internet for software updates. The VPC has a NAT gateway in a public subnet. The private subnet route table has a default route (0.0.0.0/0) pointing to the NAT gateway. Which additional security measure should be implemented to ensure that only the application instances can use the NAT gateway, and not any other resources in the VPC?

26

A company wants to use AWS Direct Connect to establish a dedicated network connection from its on-premises data center to AWS. Which of the following is a security best practice when configuring Direct Connect?

27

A company has an Amazon S3 bucket that stores sensitive data. The security team wants to ensure that all access to the bucket is made only via HTTPS. Which policy should be used?

28

A company has a multi-account AWS environment using AWS Organizations. The security team wants to centrally manage VPC security group rules across all accounts. Which solution should be used?

29

A company is deploying a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The instances are in a private subnet. How should the security group for the EC2 instances be configured?

30

A security engineer is troubleshooting why an EC2 instance in a private subnet cannot access the internet through a NAT gateway. The route table for the private subnet has a default route pointing to the NAT gateway. The NAT gateway is in a public subnet with a route to an internet gateway. What is the most likely cause of the issue?

31

A company wants to securely store and manage SSL/TLS certificates for use with CloudFront. Which AWS service should be used?

32

A company has a VPC with multiple subnets across multiple Availability Zones. The security team wants to inspect all traffic between subnets for malicious activity. Which AWS service should be used?

33

A security engineer is configuring a VPC for a three-tier application. The web tier must be accessible from the internet, the application tier must be accessible only from the web tier, and the database tier must be accessible only from the application tier. Which TWO security group configurations should be used? (Choose TWO.)

34

A company is using AWS Direct Connect with a private virtual interface (VIF) to connect its on-premises network to a VPC. The security team wants to encrypt traffic over the Direct Connect connection. Which TWO options can be used? (Choose TWO.)

35

A company has an Amazon S3 bucket with a bucket policy that restricts access to a specific VPC endpoint. However, users are still able to access the bucket from outside the VPC. Which THREE steps should the security engineer take to troubleshoot this issue? (Choose THREE.)

36

Refer to the exhibit. A security engineer attaches this bucket policy to an S3 bucket. A user from IP address 203.0.113.10 tries to download an object using HTTP (not HTTPS). What will happen?

37

Refer to the exhibit. A security engineer runs the CLI command and receives the output shown. The engineer expects to see flow logs for a specific subnet, but the output shows the resource ID as a VPC. What is the most likely reason?

38

Refer to the exhibit. A security engineer is reviewing an IAM policy attached to an S3 bucket. What does this policy allow?

39

A company wants to restrict access to an Amazon S3 bucket so that only objects uploaded with server-side encryption using AWS KMS (SSE-KMS) are allowed. Which bucket policy condition key should be used?

40

A company has an AWS Lambda function that needs to access an Amazon RDS database. The database is in a private subnet. Which configuration will allow the Lambda function to securely access the database without traversing the internet?

41

A security engineer notices that an Amazon EC2 instance has a security group that allows inbound SSH (port 22) from 0.0.0.0/0. The instance is a bastion host. What is a more secure alternative to this configuration?

42

A company is designing a multi-tier web application. The web servers must be accessible from the internet, but the application servers must only be accessible from the web servers. Which AWS feature should be used to meet these requirements?

43

A company uses AWS CloudFormation to deploy infrastructure. A security engineer needs to ensure that all CloudFormation stacks use a specific AWS KMS key for encrypting resources that support encryption. Which approach should be used?

44

A company wants to audit all API calls made to Amazon S3 within a specific AWS account. Which combination of services should be used to meet this requirement?

45

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. Which component should be added to the VPC to enable this?

46

A security engineer needs to ensure that an Amazon S3 bucket blocks all public access. Which S3 block public access settings should be enabled?

47

A company uses an AWS Transit Gateway to connect multiple VPCs and on-premises networks. A security engineer needs to ensure that traffic between VPCs is inspected by a third-party firewall appliance. Which architecture should be used?

48

Which TWO actions are valid ways to restrict access to an Amazon S3 bucket using a bucket policy? (Choose two.)

49

Which THREE are AWS best practices for securing an Amazon EC2 instance? (Choose three.)

50

Which TWO of the following are valid methods to secure data at rest in Amazon S3? (Choose two.)

51

A company is using an Application Load Balancer (ALB) to distribute traffic to a set of EC2 instances in private subnets. The security team wants to ensure that only traffic from the ALB can reach the EC2 instances. Which security group configuration should be applied to the EC2 instances?

52

A security engineer is designing a VPC with public and private subnets in two Availability Zones. The company requires that all outbound traffic from private subnets to the internet must go through a single, centrally managed NAT gateway. Which combination of resources and route table entries should be used?

53

A company has a VPC with a public subnet and a private subnet. The public subnet hosts a NAT instance (Amazon Linux) that provides internet access to instances in the private subnet. The security team notices that the NAT instance is receiving high inbound traffic on port 22 from an external IP address. The team wants to block this traffic at the network layer without affecting other traffic. What is the most effective solution?

54

A company is using AWS CloudFormation to deploy a web application. The template includes an EC2 instance with a security group that allows inbound HTTP traffic from 0.0.0.0/0. The security team wants to ensure that this security group is never used in production. Which AWS service can automatically remediate this noncompliant configuration?

55

A security engineer is designing a VPC with a public subnet and a private subnet. The private subnet will host a database instance that should only be accessible from the application instances in the public subnet. The application instances use an Auto Scaling group. Which configuration ensures that only the application instances can access the database?

56

A company has a VPC with a single public subnet and a single private subnet. The private subnet contains an RDS MySQL database that should not be accessible from the internet. The public subnet contains a bastion host that is used for SSH access to the database instance. The security team wants to ensure that the database can only be accessed from the bastion host. Which two security group rules should be configured? (Choose TWO.)

57

A company has a VPC with multiple subnets. The security team wants to control traffic between subnets using a stateful firewall that can automatically allow return traffic. Which AWS service should be used?

58

A security engineer is troubleshooting connectivity issues between two EC2 instances in the same VPC but different subnets. Both instances have security groups that allow all traffic from each other's security group. However, traffic is still blocked. What is the most likely cause?

59

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. The security team wants to inspect all traffic between VPCs before it reaches its destination. Which architecture should be used?

60

A company wants to allow only specific IP addresses to access an S3 bucket. Which two methods can achieve this? (Choose TWO.)

61

A security engineer is designing a VPC with public and private subnets. The private subnets will host databases that should not have direct internet access. Which three components are required to provide outbound internet access for these databases? (Choose THREE.)

62

A company is using AWS Organizations to manage multiple accounts. The security team wants to restrict the use of specific instance types across all accounts. Which two AWS services can enforce this restriction? (Choose TWO.)

63

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team requires that all traffic between the ALB and EC2 instances be encrypted. Which configuration ensures this requirement is met?

64

A security engineer needs to ensure that an EC2 instance can only be launched using an approved Amazon Machine Image (AMI) from a specific AWS account. Which AWS service should be used to enforce this requirement?

65

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. Which AWS service provides a managed, highly available, and scalable solution for this requirement?

66

An organization uses AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets have server-side encryption enabled. Which approach would enforce this across all accounts?

67

A company is designing a network architecture for a multi-tier web application. The application consists of a public-facing ALB, web servers in private subnets, and an RDS database in isolated subnets. The security team requires that the web servers have no direct internet access. Which VPC configuration meets this requirement?

68

A company wants to use AWS WAF to protect its web application from common web exploits. Which AWS service must be integrated with AWS WAF to provide this protection?

69

A security engineer is designing a network segmentation strategy for a VPC that hosts sensitive data. The engineer needs to ensure that EC2 instances in a private subnet can communicate with an RDS database in a different private subnet, but cannot communicate with any other resources in the same VPC. Which configuration should be used?

70

A company uses AWS CloudFormation to deploy infrastructure. The security team needs to ensure that all CloudFormation stacks include a specific tag with a value that complies with corporate policies. Which AWS service can enforce this requirement?

71

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. The security team wants to create a subnet for a legacy application that requires 2000 IP addresses. What is the smallest subnet CIDR that meets this requirement?

72

A company uses AWS Organizations and wants to restrict the use of specific instance types across all accounts. Which TWO actions should be taken to enforce this restriction?

73

A security engineer is designing a secure VPC architecture for a web application that must be accessible from the internet. The application runs on EC2 instances in private subnets. Which THREE components are required to provide secure internet connectivity?

74

A company wants to implement a defense-in-depth strategy for its web application running on EC2 instances. Which TWO AWS services should be used to provide both network and application-layer protection?

75

A company wants to ensure that all Amazon EC2 instances in a VPC can only be accessed via SSH from a specific IP address range (203.0.113.0/24). Which VPC component should be used to enforce this restriction?

76

A security engineer needs to ensure that all data stored in an Amazon S3 bucket is encrypted at rest. The bucket must use server-side encryption with a key managed by the customer (SSE-C). What must the engineer include in the PUT request to enforce this?

77

A company has deployed a multi-tier web application on AWS. The web servers are in a public subnet, and the application servers are in a private subnet. The security team wants to ensure that the application servers cannot initiate outbound connections to the internet. What should the team do?

78

A company uses AWS CloudFormation to deploy infrastructure. The security team wants to ensure that no sensitive data, such as database passwords, is exposed in plaintext in the CloudFormation templates. What is the MOST secure way to handle secrets?

79

A company's security team discovers that an Amazon EC2 instance has been compromised and is sending outbound traffic to a known malicious IP address. The instance is in a VPC with a security group that allows all outbound traffic. What is the FASTEST way to stop the outbound traffic without affecting other instances?

80

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is configured to terminate SSL/TLS and forward traffic to the instances over HTTP. The security team wants to ensure that the instances only accept traffic from the ALB, not from any other source. How can this be achieved?

81

A company is designing a network architecture for a critical application that must meet strict compliance requirements. The application consists of Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The instances need to access an Amazon RDS database in a different VPC. The company wants to minimize exposure to the internet. Which solution should the company use?

82

A security engineer is investigating a potential data exfiltration from an Amazon S3 bucket. The bucket policy allows access to a specific IAM role, but the engineer suspects that the role has been compromised. The engineer wants to quickly block all access to the bucket without deleting the bucket or the policy. What is the BEST course of action?

83

A company wants to allow a developer to launch EC2 instances only in a specific subnet. The developer should not be able to use any other subnet. Which IAM policy action should be used to enforce this?

84

A security engineer is designing a VPC with public and private subnets. The private subnets must be able to download software updates from the internet. Which TWO components can provide this functionality without exposing the private instances to inbound internet traffic?

85

A company is using AWS CloudTrail to log API calls. The security team wants to ensure that the logs are protected from unauthorized access and deletion. Which TWO actions should be taken?

86

A company is designing a security group for a web server that must allow HTTP (80) and HTTPS (443) traffic from the internet. The server also needs to make outbound connections to an Amazon RDS database on port 3306 and to the internet for software updates. Which THREE rules should be included in the security group? (Select THREE.)

87

Refer to the exhibit. The bucket policy allows access from a specific IP range and denies access over HTTP. A user from IP 198.51.100.5 makes a GET request over HTTPS. What will happen?

88

Refer to the exhibit. A security engineer runs the iptables command on an EC2 instance in a VPC. The instance has a security group that allows all outbound traffic and inbound SSH from 0.0.0.0/0, HTTP from 0.0.0.0/0, and HTTPS from 0.0.0.0/0. A user from IP 203.0.113.5 tries to connect to the instance over HTTP. What will happen?

89

Refer to the exhibit. A security engineer deploys this CloudFormation template. An IAM role 'DataAccessRole' in the same account needs to read objects from the bucket. After deployment, users assume the role but get AccessDenied errors when trying to read objects. What is the MOST likely cause?

90

A company uses an Application Load Balancer (ALB) to distribute traffic to a fleet of EC2 instances in private subnets. The security team wants to ensure that only the ALB can communicate with the EC2 instances. Which security group configuration should be applied to the EC2 instances?

91

A security engineer is designing a network ACL for a public subnet containing an Application Load Balancer. The subnet must allow inbound HTTPS traffic from the internet and outbound traffic to the internet for patches. Which inbound rule should be added?

92

A company runs a critical application on EC2 instances behind an Application Load Balancer. The security team suspects that a DDoS attack is targeting the application. Which AWS service can be used to absorb and mitigate the attack at the network layer before traffic reaches the ALB?

93

A company wants to allow an EC2 instance in a VPC to download patches from the internet but block all other outbound traffic. Which configuration should be used?

94

A company has a security group that allows inbound SSH from a specific IP range. A security engineer notices that the security group rule is not being applied to a newly launched EC2 instance. What is the most likely cause?

95

A company uses AWS Systems Manager Session Manager to manage EC2 instances without opening inbound ports. Which IAM policy is required for an EC2 instance to allow Session Manager to connect?

96

A security engineer needs to ensure that all traffic between two EC2 instances in different subnets is encrypted in transit. What is the most secure and efficient solution?

97

A company's security team wants to detect and block malicious SQL injection attempts against an Application Load Balancer. Which AWS service should be used?

98

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. Which policy type should be used?

99

Which TWO of the following are valid methods to protect sensitive data in transit between an on-premises data center and AWS? (Select TWO.)

100

Which THREE of the following are best practices for securing an Amazon RDS database instance? (Select THREE.)

101

Which TWO of the following are valid ways to control inbound traffic to an EC2 instance? (Select TWO.)

102

A company is using AWS WAF to protect a web application. The security team notices that a specific IP address is generating a high volume of requests and triggering the WAF rate-based rule. However, the IP address is a legitimate partner's static IP. What should the security team do to allow this IP while still protecting against other malicious traffic?

103

A company runs a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team wants to ensure that only traffic from the ALB reaches the EC2 instances, and that instances cannot initiate outbound connections to the internet. Which combination of security group rules should be implemented? (Select TWO.)

104

A company wants to restrict access to an Amazon S3 bucket so that only users from a specific AWS account can upload objects. Which policy mechanism should be used?

105

A security engineer is designing a VPC with public and private subnets. The VPC will host web servers in public subnets and database servers in private subnets. The web servers need to send traffic to the database servers, and the database servers must not have direct internet access. Which TWO configurations should the engineer implement?

106

A company is using AWS CloudFormation to deploy infrastructure. The security team wants to ensure that all Amazon S3 buckets created by CloudFormation are encrypted by default. Which approach should be taken?

107

An organization has a multi-account AWS environment using AWS Organizations. The security team needs to ensure that no Amazon EC2 instances are launched without an IAM instance profile that includes a specific role. Which preventive control should be implemented?

108

A security engineer is configuring a VPC with a public subnet for web servers and a private subnet for databases. The web servers need to download patches from the internet. Which TWO components are required to allow the web servers to access the internet while keeping the database servers isolated?

109

A company is using AWS CloudTrail to log API calls. The security team needs to ensure that log files are not tampered with and can be used to verify integrity. Which feature should be enabled?

110

A company is deploying a multi-tier web application on AWS. The application uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances in private subnets. The security team wants to protect the application from common web exploits like SQL injection and cross-site scripting. Which AWS service should be used?

111

A security engineer is tasked with securing an Amazon RDS for MySQL database. The database must be accessible only from a specific set of EC2 instances. Which THREE steps should the engineer take?

112

A company wants to audit all changes to security group rules in their AWS account. Which AWS service should be used to record these changes?

113

A company is using AWS Organizations to manage multiple accounts. The security team wants to ensure that all accounts have AWS CloudTrail enabled in all regions. Which approach should be used?

114

A company has an Amazon S3 bucket that stores sensitive data. The security team needs to ensure that all access to the bucket is encrypted in transit. Which condition should be added to the bucket policy?

115

A security engineer sees the above security group configuration for an EC2 instance. The instance hosts a web application that should only be accessible from the internal network (10.0.0.0/8) over HTTPS, and SSH should not be open to the internet. What is the security issue with this configuration?

116

A security engineer is reviewing an IAM policy attached to a user. The policy is intended to allow all EC2 actions except deleting volumes in the Production environment. However, the user reports being able to delete volumes that are tagged with Environment=Production. What is the reason for this behavior?

117

A company wants to restrict access to an S3 bucket so that only traffic from a specific VPC can read objects. Which security mechanism should be used?

118

A security engineer notices that an EC2 instance in a private subnet is able to make outbound connections to the internet. The instance does not have a public IP, and there is no NAT gateway or instance in the VPC. What is the most likely cause?

119

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets have encryption enabled. Which approach is MOST effective and scalable?

120

A company hosts a web application on EC2 instances behind an Application Load Balancer. The security team wants to ensure that only traffic from the ALB can reach the EC2 instances. Which configuration should be applied?

121

A company wants to block SSH access (port 22) to all EC2 instances from the internet, but allow SSH from a specific management VPN IP range (10.0.0.0/16). Which configuration should be used?

122

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team wants to inspect all traffic between VPCs using a third-party firewall appliance. Which architecture should be used?

123

A company needs to securely store database credentials used by a Lambda function. The credentials must be automatically rotated. Which service should be used?

124

A security engineer is configuring a new VPC with public and private subnets. The application servers in the private subnet need to download patches from the internet. Which component is required?

125

A company uses AWS CloudFormation to deploy infrastructure. The security team wants to ensure that all CloudFormation stacks include a specific tag "Environment" with a value of "Production" or "Development". Which approach should be used?

126

A security engineer is designing a network architecture for a multi-tier application. The web servers must be accessible from the internet, while the application servers must only be accessible from the web servers. Which TWO configurations should be used? (Choose TWO.)

127

A company wants to encrypt data at rest for an Amazon RDS for MySQL DB instance. Which THREE options can be used to achieve this? (Choose THREE.)

128

A company wants to ensure that all Amazon S3 bucket policies comply with a security baseline that prohibits public read access. Which TWO methods can be used to detect non-compliant buckets? (Choose TWO.)

129

Refer to the exhibit. A security engineer creates the S3 bucket policy above to allow an IAM role to upload objects only from the corporate network IP range (10.0.0.0/16). However, users report that they can still upload objects from outside the range when assuming the role. What is the most likely cause?

130

Refer to the exhibit. A security engineer runs the describe-instances command for an EC2 instance. The instance has a public IP address. The security group "allow-ssh-http" has inbound rules that allow SSH from 0.0.0.0/0 and HTTP from 0.0.0.0/0. The engineer wants to block SSH access from the internet while keeping HTTP access. Which change should be made?

131

A company has a multi-account AWS environment using AWS Organizations. The security team needs to ensure that all Amazon S3 buckets across all accounts are encrypted with AWS KMS customer managed keys (CMKs). They have implemented a service control policy (SCP) that denies s3:PutObject unless the request includes the x-amz-server-side-encryption header with value aws:kms. Additionally, they have an SCP that denies s3:CreateBucket unless the bucket is configured with default encryption using KMS. Despite these policies, a developer in the production account reports that they were able to upload a sensitive object to an existing bucket without encryption. The developer used the AWS CLI with the command: aws s3 cp sensitive.txt s3://my-bucket/. The bucket does not have default encryption enabled. The SCPs are attached to the root organizational unit (OU) and are in effect. What is the MOST likely reason the upload succeeded?

132

A company is designing a VPC with public and private subnets. The web servers in the public subnets must be accessible from the internet on port 443, but the database servers in the private subnets should only be accessible from the web servers on port 3306. Which combination of security group rules and network ACL rules should be used to meet these requirements with the least administrative overhead?

133

Refer to the exhibit. A security engineer is reviewing this IAM policy attached to a user. The user reports that they are able to stop and start instances, but they cannot terminate instances. However, the engineer notices that there is no explicit deny for termination. Why is the user unable to terminate instances?

134

A company wants to ensure that all data in transit between its EC2 instances and an RDS database is encrypted. The instances and the database are in the same VPC. Which configuration step is necessary to achieve this?

135

A security engineer needs to restrict outbound traffic from a VPC to only allow HTTPS traffic to specific domains (e.g., api.example.com). The VPC has a NAT gateway in a public subnet. What is the most secure way to implement this restriction?

136

Refer to the exhibit. A security engineer is reviewing this CloudFormation template. What security risk is present in this configuration?

137

A company has an S3 bucket that contains sensitive data. The security team wants to ensure that all access to the bucket is encrypted in transit. Which policy should be attached to the bucket to enforce this?

138

A company's security engineer is configuring a web application firewall (WAF) to protect a public-facing Application Load Balancer (ALB). The application is vulnerable to SQL injection attacks. Which AWS WAF rule should be used to mitigate this threat?

139

Refer to the exhibit. A security engineer runs the command above and sees that the flow log status is ACTIVE. However, the engineer notices that no logs are appearing in the CloudWatch log group. What is the most likely cause?

140

A company wants to allow a user to assume a role in another AWS account to access resources. Which AWS service should be used to create and manage the trust relationship between the accounts?

141

Which TWO actions should a security engineer take to protect an Amazon EC2 instance from unauthorized access? (Choose two.)

142

Which THREE measures can be taken to secure a VPC's network boundary? (Choose three.)

143

Which TWO AWS services can be used to encrypt data at rest in an Amazon S3 bucket? (Choose two.)

144

A company runs a multi-tier web application on AWS. The application uses an Application Load Balancer (ALB) in a public subnet, EC2 instances in private subnets for the web tier, and an RDS MySQL database in a private subnet. The security team has noticed that the EC2 instances are receiving traffic from unexpected IP addresses on port 22 (SSH). The instances were launched with a default security group that allowed SSH from 0.0.0.0/0. The security engineer has corrected the security group to allow SSH only from the company's bastion host security group. However, the engineer also wants to implement defense-in-depth by adding a network ACL to the private subnet to block SSH from all sources except the bastion host's private IP (10.0.1.10). The private subnet's current network ACL allows all inbound and outbound traffic. The engineer creates a new network ACL with the following rules: Inbound: Rule 100: Allow SSH from 10.0.1.10/32; Rule 200: Deny SSH from 0.0.0.0/0; Rule *: Deny all. Outbound: Rule 100: Allow all. After associating this new NACL with the private subnet, the engineer finds that SSH connections from the bastion host are still being blocked. What is the most likely cause?

145

A company is using AWS CloudTrail to monitor API activity in their account. They have enabled CloudTrail in all regions and are logging to an S3 bucket. The security team wants to ensure that log files are not tampered with after delivery. They enable CloudTrail log file integrity validation. Which additional step must be taken to verify the integrity of the log files?

146

A company has a requirement to block traffic from specific IP addresses known to be malicious. The company has an Application Load Balancer (ALB) that fronts a web application. The security engineer needs to implement a solution that can block these IP addresses at the edge before they reach the ALB. Which AWS service should be used?

147

A company wants to restrict access to an S3 bucket so that only traffic from a specific VPC can download objects. Which combination of actions should the company take? (Choose TWO.)

148

A security engineer is designing a multi-tier web application. The application uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances in private subnets. The engineer needs to ensure that the EC2 instances only accept traffic from the ALB and not from any other source. Which security group configuration should the engineer use?

149

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The security engineer has set up a NAT gateway in a public subnet and updated the route tables accordingly. However, instances in the private subnets cannot reach the internet. The engineer checks the security group for the NAT gateway and finds that it allows all outbound traffic. What is the most likely cause of the issue?

150

A company wants to encrypt data at rest in an Amazon RDS for MySQL DB instance. Which AWS service or feature should be used to achieve this?

151

A security engineer is setting up a new VPC with public and private subnets. The VPC has an Internet Gateway attached. The public subnet's route table has a default route (0.0.0.0/0) pointing to the Internet Gateway. The private subnet's route table has a default route pointing to a NAT gateway. The engineer launches an EC2 instance in the private subnet and assigns it a public IP address. However, the instance cannot access the internet. What should the engineer do to resolve this issue?

152

A company is deploying a web application on EC2 instances behind an Application Load Balancer. The security team requires that all traffic between the ALB and the EC2 instances be encrypted. Which configuration should the engineer implement?

153

A company wants to allow an EC2 instance to access an S3 bucket without exposing the instance to the internet. Which AWS service should be used to achieve this?

154

A security engineer is reviewing the security group rules for a web server. The security group currently has the following inbound rules: allow HTTP from 0.0.0.0/0, allow HTTPS from 0.0.0.0/0, and allow SSH from 0.0.0.0/0. Which change should the engineer make to improve security?

155

A company has a VPC with a CIDR of 10.0.0.0/16. They have two public subnets (10.0.1.0/24 and 10.0.2.0/24) and two private subnets (10.0.3.0/24 and 10.0.4.0/24). They have an Application Load Balancer in the public subnets and EC2 instances in the private subnets. The EC2 instances need to access the internet for updates. The security engineer has set up a NAT gateway in each public subnet. The route table for the private subnets has a default route pointing to the NAT gateway in the same Availability Zone. However, the EC2 instances are unable to reach the internet. What is the most likely cause?

156

A company is using AWS Systems Manager Session Manager to provide secure shell access to EC2 instances without opening inbound ports. Which of the following is a requirement for this setup?

157

A security engineer is configuring a VPC for a web application. The VPC has public and private subnets. The web servers are in public subnets and the database servers are in private subnets. The engineer wants to ensure that the database servers are not accessible from the internet. Which two actions should the engineer take?

158

A security engineer is reviewing the security of an Amazon EKS cluster. The cluster is used to run containerized applications. Which three actions should the engineer take to improve the security of the cluster?

159

A security engineer needs to protect an S3 bucket that contains sensitive data. Which two methods should the engineer use?

160

A company is considering using AWS Shield Advanced to protect against DDoS attacks. Which three features are included with AWS Shield Advanced? (Choose THREE.)

161

A company runs a critical application on EC2 instances in an Auto Scaling group across multiple Availability Zones. The application uses an Application Load Balancer (ALB) to distribute traffic. The security team has implemented a security group for the ALB that allows inbound HTTPS from 0.0.0.0/0 and a security group for the EC2 instances that allows inbound HTTP from the ALB's security group. Recently, the company experienced a security incident where an attacker exploited a vulnerability in the application to gain access to an EC2 instance and then moved laterally to the database. The database is in a private subnet and uses a security group that allows inbound traffic from the EC2 instance security group on port 3306 (MySQL). The security team wants to prevent lateral movement in the future. Which of the following is the MOST effective course of action?

162

A company is migrating its on-premises data center to AWS. The company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect its on-premises network (192.168.0.0/16) to the VPC using an AWS Site-to-Site VPN. The security engineer has configured the virtual private gateway (VGW) and the customer gateway (CGW) with the correct settings. The VPN tunnel status is UP, but the on-premises servers cannot ping the EC2 instances in the VPC. The EC2 instances have security groups that allow ICMP traffic from the on-premises network. The VPC route table has a route for the on-premises network pointing to the VGW. What is the most likely cause of the issue?

163

A company uses AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets in the organization are encrypted with server-side encryption (SSE-S3) and that no public access is allowed. The team has created an SCP that denies the s3:PutBucketPublicAccessBlock action and also denies s3:PutBucketPolicy if the policy would grant public access. However, the team discovers that some buckets in the production account still have public access enabled. The SCP is applied to the root OU, which includes the production account. What is the most likely reason that the SCP is not being enforced?

164

A company has a web application running on EC2 instances behind an Application Load Balancer (ALB). The application uses a custom header X-Auth-Token to authenticate requests. The security team wants to use AWS WAF to block requests that do not contain this header or contain an invalid token. The WAF is associated with the ALB. The team creates a rule with a match condition that checks for the presence of the X-Auth-Token header and a regex pattern for the token value. However, the rule is not blocking any requests. What is the most likely cause?

165

A company has a VPC with a public subnet and a private subnet. The public subnet contains a NAT gateway and a bastion host. The private subnet contains a web server that needs to be patched via the internet. The security engineer has configured the route tables: the public subnet route table has a default route to the Internet Gateway, and the private subnet route table has a default route to the NAT gateway. The web server can successfully initiate outbound connections to the internet to download patches. However, the security team notices that the web server is also receiving inbound connections from the internet on port 80. The web server's security group allows inbound HTTP from 0.0.0.0/0. What should the engineer do to prevent inbound internet traffic while still allowing outbound patching?

166

A company wants to ensure that all traffic to an Amazon S3 bucket is encrypted in transit. Which bucket policy condition should be used?

167

A security engineer is designing a VPC with private and public subnets. Which TWO actions improve network security? (Choose two.)

168

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to allow only HTTP and HTTPS traffic from the internet to the ALB, and only HTTP traffic from the ALB to the EC2 instances. Which THREE security group configurations are required? (Choose three.)

169

A company has the S3 bucket policy shown in the exhibit. The bucket contains sensitive data that should only be accessible from within the corporate network (10.0.0.0/16). However, users inside the corporate network report that they cannot access objects in the bucket. What is the most likely cause?

170

A company has a multi-tier web application hosted on AWS. The application consists of an Application Load Balancer (ALB), a fleet of EC2 instances in an Auto Scaling group, and an Amazon RDS MySQL database. The security team has implemented security groups and network ACLs. Recently, a vulnerability scan revealed that the RDS database is accessible from the internet. The security engineer investigates and finds that the database security group allows inbound traffic on port 3306 from 0.0.0.0/0. The engineer also checks the network ACLs and finds that inbound rules allow traffic on port 3306 from 0.0.0.0/0, and outbound rules allow all traffic. The database is in a private subnet. Which combination of steps should the engineer take to remediate the issue while maintaining application functionality?

171

A company uses AWS Organizations with multiple accounts. The security team needs to enforce that all Amazon S3 buckets across the organization are configured to block public access. Which solution should be used to centrally enforce this requirement?

172

A company runs a web application on Amazon EC2 behind an Application Load Balancer (ALB). The security team wants to allow only traffic from the ALB to reach the EC2 instances. Which security group configuration should be used?

173

A security engineer needs to ensure that an Amazon RDS database instance is not accessible from the internet. Which configuration step will achieve this?

174

A company uses AWS CloudFormation to deploy infrastructure. A security requirement states that no security group should allow inbound SSH access from 0.0.0.0/0. What is the best way to enforce this policy?

175

A company has a VPC with public and private subnets. The private sub host Amazon RDS instances. To allow the RDS instances to access the internet for software updates without exposing them to inbound internet traffic, what should be configured?

176

A company wants to encrypt data at rest for an Amazon S3 bucket. Which action should be taken?

177

A security engineer is designing a network architecture for a three-tier web application. The web tier must be accessible from the internet, but the application and database tiers must not. Which VPC configuration should be used?

178

A company uses AWS Key Management Service (KMS) to encrypt data at rest. The security team needs to ensure that only specific IAM roles can use a particular KMS key to encrypt and decrypt data. What is the most secure way to achieve this?

179

A company wants to protect its Amazon EC2 instances from distributed denial-of-service (DDoS) attacks at the network layer. Which AWS service should be used?

180

A security engineer is configuring a VPC for a new application. Which TWO actions will improve network security? (Choose two.)

181

A company needs to enforce that all Amazon S3 buckets are encrypted at rest. Which TWO actions should be taken? (Choose two.)

182

A security engineer is designing a secure VPC architecture. Which THREE components should be used to implement defense in depth? (Choose three.)

183

A company wants to restrict access to an S3 bucket so that only traffic from a specific VPC can read objects. The VPC has a VPC endpoint for S3 configured. Which policy should be attached to the bucket?

184

A Security Engineer is designing a network architecture for a multi-tier application. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier, and the database tier only from the application tier. All tiers are in the same VPC. Which configuration meets these requirements with minimal administrative overhead?

185

A company wants to encrypt data at rest in an Amazon S3 bucket. Which AWS service can centrally manage the encryption keys?

186

A company is using an Application Load Balancer (ALB) to distribute traffic to EC2 instances in a VPC. The Security Engineer notices that the ALB health checks are failing. Which configuration change should the Engineer make to resolve the issue?

187

A company has an AWS Direct Connect connection to its on-premises data center. The company wants to ensure that all traffic between the data center and AWS is encrypted. Which solution meets this requirement?

188

An application running on EC2 instances needs to access an S3 bucket. The Security Engineer wants to ensure that the EC2 instances do not have access keys and that the access is restricted to only the required bucket. What is the most secure way to provide this access?

189

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The Security Engineer needs to ensure that traffic between VPCs is inspected by a central network appliance. Which architecture should the Engineer implement?

190

A Security Engineer needs to block SSH traffic (port 22) from the internet to all EC2 instances in a VPC. Which approach is the most secure and scalable?

191

A company is using AWS WAF to protect a web application behind an Application Load Balancer. The Security Engineer wants to block requests that contain SQL injection attacks. Which action should the Engineer take?

192

A Security Engineer is configuring a VPC with a public subnet for a web server and a private subnet for a database. The web server needs to download patches from the internet. Which TWO actions should the Engineer take to allow the web server internet access without exposing the database to the internet?

193

A company wants to enforce encryption in transit for all traffic between its VPC and on-premises data center over AWS Direct Connect. Which TWO configurations can achieve this?

194

A Security Engineer is designing a secure VPC architecture. Which THREE components are essential for creating a public subnet that can host a web server accessible from the internet?

195

A company is using Amazon EC2 instances in a VPC with a security group that allows inbound SSH from 0.0.0.0/0. A security engineer needs to restrict SSH access to only the company's public IP range (203.0.113.0/24) while maintaining all other existing rules. What is the MOST efficient way to accomplish this?

196

A company wants to ensure that all traffic to and from an Amazon RDS instance is encrypted in transit. Which solution should the security engineer implement?

197

A security engineer is designing a multi-tier web application on AWS. The web tier must be accessible from the internet, but the application tier should be accessible only from the web tier. The database tier should be accessible only from the application tier. Which combination of security groups provides the MOST secure configuration?

198

A company has multiple AWS accounts and wants to centralize VPC flow log analysis. Flow logs are enabled for all VPCs and are published to Amazon S3 buckets in each account. A security engineer needs to aggregate these logs into a single S3 bucket in the centralized logging account. What should the security engineer do?

199

A security engineer is configuring a VPC for a highly sensitive application. The VPC must not have a route to the internet, but the application needs to periodically download security patches from a specific domain (patches.example.com). Which solution meets these requirements with minimal operational overhead?

200

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no resources can be created in a specific AWS Region except for the us-east-1 Region. Which policy type should the security team use?

201

A security engineer notices that an Amazon EC2 instance is sending suspicious outbound traffic to an unknown IP address. The instance is part of an Auto Scaling group. The engineer needs to immediately stop the traffic without affecting the availability of the application. What should the engineer do?

202

A company is designing a shared services VPC architecture with multiple VPCs connected via a transit gateway. The security engineer needs to ensure that all traffic between VPCs is inspected by a centralized firewall appliance deployed in the shared services VPC. What configuration is required?

203

A company wants to provide temporary, limited-privilege credentials to users so they can access AWS resources from mobile applications. Which AWS service should the company use?

204

A security engineer needs to ensure that all Amazon S3 buckets in an AWS account have server-side encryption (SSE) enabled. The engineer wants to automatically remediate any bucket that is created without SSE. Which solution should the engineer implement?

205

A company is deploying a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security engineer needs to protect the application from common web exploits such as SQL injection and cross-site scripting. Which TWO services can be used together to achieve this? (Choose TWO.)

206

A security engineer is designing a network architecture in AWS. The engineer needs to ensure that all outbound traffic from a VPC goes through a centrally managed NAT device for logging and filtering. The VPC has multiple private subnets. Which TWO steps are required to accomplish this? (Choose TWO.)

207

A company wants to use AWS CloudTrail to log all API calls in an AWS account. The security engineer needs to ensure that the logs are encrypted at rest and are accessible only to authorized personnel. Which THREE steps should the engineer take? (Choose THREE.)

208

A security engineer is investigating a potential security incident in an AWS account. The engineer needs to determine which user or role performed a specific API call that created a new security group. Which THREE AWS tools can the engineer use to find this information? (Choose THREE.)

209

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all new member accounts automatically deny public access to S3 buckets. Which policy should be attached to the root organizational unit?

210

A security engineer is investigating a potential breach. The engineer notices that an EC2 instance's security group allows inbound SSH (port 22) from 0.0.0.0/0. The instance is in a public subnet and has a public IP address. However, the engineer finds that SSH access is only possible from a specific IP address. What is the most likely explanation?

211

A company wants to host a static website in an Amazon S3 bucket. The bucket must be private and accessible only through an Amazon CloudFront distribution. Which configuration ensures that CloudFront can access the S3 bucket while blocking direct access via S3 URL?

212

A company uses AWS Systems Manager Session Manager to manage EC2 instances. The security team wants to ensure that all SSH sessions are logged and that commands are recorded. What should be configured?

213

A company is designing a VPC with public and private subnets. The application servers in the private subnets need to download patches from the internet. Which architecture provides the highest security while allowing internet access?

214

A security engineer needs to ensure that an EC2 instance can only be accessed using SSH key pairs, not passwords. Which configuration is required?

215

A company uses AWS WAF to protect a web application. The security team wants to block requests that contain SQL injection patterns. Which WAF rule type should be used?

216

A company wants to allow cross-account access to an S3 bucket. The bucket owner (Account A) wants to grant read-only access to users in Account B. Which combination of policies is required?

217

A security engineer needs to audit all changes to AWS resources in an account. Which AWS service should be enabled?

218

A company is designing a VPC with multiple subnets. The security team wants to ensure that traffic between the application tier and database tier is encrypted in transit. Which TWO actions should be taken?

219

A security engineer is configuring an AWS WAF web ACL for an Application Load Balancer. The engineer wants to block requests that contain cross-site scripting (XSS) and also limit the rate of requests from a single IP. Which THREE rule groups should be added?

220

A company uses AWS CloudFormation to deploy infrastructure. The security team wants to ensure that all S3 buckets created by CloudFormation have encryption enabled by default. Which TWO approaches can achieve this?

221

A security engineer reviews the above IAM policy attached to an IAM user. The user reports that they cannot download objects from the S3 bucket 'example-bucket' when connected from the office network (IP range 10.0.0.0/16). What is the most likely cause?

222

A security engineer runs the above AWS CLI command. The engineer notices that the security group has no outbound rules. What is the implication of this configuration?

223

A company configures a Route 53 alias record to point to a CloudFront distribution. The security team wants to ensure that users can only access the website via CloudFront and not directly via the S3 bucket origin. What additional configuration is needed?

224

A company is designing a VPC with public and private subnets in two Availability Zones. They need to ensure that instances in the private subnets can access the internet for software updates but cannot be directly accessed from the internet. Which AWS service or feature should be used to meet this requirement?

225

A security engineer is troubleshooting connectivity issues from an EC2 instance in a private subnet to an S3 bucket. The instance has a security group allowing outbound HTTPS (443) to 0.0.0.0/0, and the subnet's network ACL allows outbound HTTPS to 0.0.0.0/0. However, requests to S3 are timing out. Which additional configuration is most likely required?

226

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. Which policy should be used?

227

A security engineer is designing a web application that will run on EC2 instances behind an Application Load Balancer (ALB). The application must be protected from common web exploits like SQL injection and cross-site scripting. Which AWS service should be used to provide this protection?

228

A company has a multi-account AWS environment using AWS Organizations. The security team needs to enforce that all new S3 buckets created in any account in the organization are encrypted with a specific KMS key. Which approach should be used?

229

A company wants to allow an EC2 instance to access a DynamoDB table without traversing the internet. Which AWS feature should be used?

230

A company has a requirement to log all network traffic flowing through a VPC, including traffic between EC2 instances within the same subnet. Which AWS service should be used?

231

A security engineer is configuring a security group for a web server that should only accept HTTPS traffic from the internet. Which inbound rule should be set?

232

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The security team wants to encrypt all traffic between on-premises and the VPC. Which solution should be used?

233

Which TWO actions can be taken to protect an S3 bucket from accidental public access? (Choose 2.)

234

Which THREE components are required to set up a client VPN for remote access to a VPC? (Choose 3.)

235

Which TWO AWS services are designed to provide DDoS protection? (Choose 2.)

236

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Site-to-Site VPN. Security engineers need to ensure that traffic between VPCs is inspected by a third-party firewall appliance deployed in a centralized inspection VPC. Which architecture should be used?

237

A security engineer is reviewing AWS CloudTrail logs and notices repeated `UnauthorizedOperation` errors for `ec2:RunInstances` from a specific IAM user. The user has a policy that allows `ec2:RunInstances` with a condition `aws:RequestedRegion` set to `us-east-1`. The engineer confirms the user is launching instances in `us-east-1`. What is the most likely cause of the error?

238

A company is designing a security group for a web application that must receive HTTPS traffic from the internet and send traffic to a backend database. The backend database is an Amazon RDS MySQL instance. What is the best practice for configuring the security groups?

239

A company wants to allow its developers to SSH into EC2 instances only from the corporate network IP range (203.0.113.0/24). Which configuration should be used to enforce this restriction?

240

A security team needs to audit all changes to security group rules across multiple AWS accounts in an organization. Which combination of services should be used to meet this requirement?

241

An organization has a VPC with public and private subnets. A NAT Gateway is deployed in a public subnet to allow instances in private subnets to access the internet. The security team notices that instances in a private subnet can reach the internet, but cannot initiate connections to an on-premises network connected via AWS Direct Connect. The on-premises network advertises a specific route. What is the most likely cause?

242

A company wants to ensure that all data transmitted between its EC2 instances and an Application Load Balancer (ALB) is encrypted. Which configuration should be applied?

243

A security engineer is tasked with implementing network segmentation for a multi-tier application. The web tier must be accessible from the internet, but the application tier must only be accessible from the web tier. The database tier must only be accessible from the application tier. All tiers are in the same VPC. Which design meets these requirements?

244

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The company wants to minimize costs and avoid NAT Gateway or NAT Instance charges. Which solution should be used?

245

Which TWO actions can be taken to improve the security of an Amazon RDS for MySQL database instance? (Choose TWO.)

246

Which THREE are benefits of using AWS Systems Manager Session Manager to connect to EC2 instances? (Choose THREE.)

247

Which TWO are valid methods to secure data at rest in Amazon S3? (Choose TWO.)

248

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC Endpoint are allowed. Which policy element should be used in the bucket policy?

249

A security engineer is designing a network architecture for a three-tier web application. The web tier must be accessible from the internet, the application tier should only be accessible from the web tier, and the database tier should only be accessible from the application tier. Which combination of security groups should be used?

250

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. Which AWS service should be used to allow this without assigning a public IP address to the instance?

251

A security team notices that an S3 bucket containing sensitive data is publicly accessible. The bucket policy is as follows: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*" } ] } Which step should be taken to secure the bucket while maintaining access for authorized users?

252

A company is designing a hybrid cloud architecture with an AWS Direct Connect connection. The company wants to ensure that traffic to and from the VPC goes through the Direct Connect connection and not over the internet. Which configuration should be used?

253

A company wants to block traffic from a specific IP address range from accessing an Application Load Balancer (ALB). Which AWS feature should be used?

254

A company is running a critical application on EC2 instances behind an Application Load Balancer. The security team wants to ensure that only traffic from the ALB reaches the EC2 instances. How can this be achieved?

255

A company has a VPC with multiple subnets. An EC2 instance in a private subnet needs to access an S3 bucket. Which configuration provides the most secure and efficient access?

256

A company wants to ensure that all data sent to an S3 bucket is encrypted in transit. Which policy statement should be added to the bucket policy?

257

A security engineer is configuring a VPC with public and private subnets. The engineer wants to ensure that the private subnet instances cannot initiate outbound connections to the internet but can receive responses from the internet if initiated from within the VPC. Which TWO configurations should be used?

258

A company wants to restrict access to an RDS database to only EC2 instances that have a specific tag 'Environment: Production'. Which TWO steps should be taken?

259

A company is using AWS CloudFormation to deploy infrastructure. The security team wants to ensure that all S3 buckets created by CloudFormation are encrypted at rest. Which THREE configuration steps should be taken?

260

A company uses AWS CloudFormation to deploy infrastructure. The security team requires that all security groups restrict SSH access to only the company's VPN public IP address range (203.0.113.0/24). A developer creates a stack that includes a security group with SSH open to 0.0.0.0/0. The stack deploys successfully. Which action should the security team take to prevent this in the future?

261

A company has a VPC with public and private subnets. The private subnets contain Amazon RDS instances. The security team wants to ensure that the RDS instances are not accessible from the internet. Which combination of controls should the security team implement? (Choose TWO.)

262

Refer to the exhibit. A security engineer is reviewing VPC Flow Logs and sees the above entry. The engineer notices that traffic from IP 203.0.113.10 to an instance in the VPC on port 443 is being accepted. The security group for the instance only allows inbound HTTPS from the VPC CIDR (10.0.0.0/16). What is the most likely reason the traffic is accepted?

263

A company is designing a new AWS account structure using AWS Organizations. The security team wants to restrict the use of specific AWS services across all member accounts. Which feature should they use?

264

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team wants to protect the application from common web exploits such as SQL injection and cross-site scripting. Which AWS service should they use?

265

A company has a VPC with a public subnet and a private subnet. An Amazon RDS instance is in the private subnet, and an application server is in the public subnet. The security team needs to allow the application server to connect to the RDS instance on port 3306 (MySQL). Which configuration will meet this requirement securely?

266

A company is using AWS CloudTrail to log API calls. The security team wants to ensure that log files are not modified after they are created. Which feature should they enable?

267

A company has a multi-account AWS environment using AWS Organizations. The security team wants to centrally manage VPC security group rules across all accounts. Which AWS service should they use?

268

Refer to the exhibit. A security engineer applies this S3 bucket policy to an S3 bucket. The bucket contains sensitive data. What is the effect of this policy?

269

A company wants to launch an Amazon EC2 instance that must be accessible via SSH from the company's corporate network (IP range 198.51.100.0/24). The instance should not be accessible from the internet. Which network configuration should the security engineer recommend?

270

A company uses Amazon S3 to store sensitive data. The security team wants to ensure that all objects are encrypted at rest. Which feature should they enable on the S3 bucket?

271

Refer to the exhibit. A security engineer runs the above command and sees the security group configuration. Based on the output, which statement is correct?

272

A company has an AWS Direct Connect connection to its on-premises data center. The security team wants to ensure that traffic between the VPC and the data center is encrypted. Which solution should they use?

273

Refer to the exhibit. A security engineer reviews this CloudFormation template snippet. What is the security concern with this configuration?

274

A company wants to provide temporary security credentials to users accessing AWS resources from a mobile app. Which AWS service should they use?

275

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. Which policy element should be used in the S3 bucket policy?

276

A security engineer notices that an EC2 instance in a private subnet can reach the internet, even though there is no NAT gateway or instance in the route table. What is the most likely cause?

277

Which AWS service can be used to create a private network connection between a VPC and an on-premises data center over dedicated physical lines?

278

A company has a security group that allows inbound SSH from 0.0.0.0/0. The security team wants to restrict access to only the company's public IP range 203.0.113.0/24. What change should be made?

279

A security engineer needs to ensure that all data in transit between an Application Load Balancer (ALB) and EC2 instances is encrypted. What configuration is required?

280

A company wants to store audit logs for a minimum of 7 years to meet compliance requirements. The logs are stored in Amazon S3. Which action should be taken to ensure logs are not deleted before 7 years?

281

Which AWS service can be used to centrally manage VPC security groups and network ACLs across multiple accounts in AWS Organizations?

282

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to download patches from the internet. Which combination of components provides a highly available, managed solution? (Select TWO.)

283

A security engineer is designing a network architecture for a web application that must be highly available and secure. The application uses an Application Load Balancer (ALB) in front of EC2 instances. Which architecture meets these requirements?

284

Which of the following is a best practice for securing an AWS account root user?

285

A company is using AWS CloudFormation to deploy infrastructure. Which method ensures that sensitive data, such as database passwords, is not exposed in the template or outputs?

286

A company has a VPC with a public subnet and a private subnet. They launch an EC2 instance in the private subnet with a default security group that allows all outbound traffic. The instance needs to download files from an S3 bucket in the same region. Which configuration allows this without internet access?

287

A company is deploying a multi-tier web application across multiple Availability Zones. The application includes a web tier, application tier, and database tier. The security team requires that the web tier can communicate with the application tier only on port 8080, and the application tier can communicate with the database tier only on port 3306. Which security group configuration should be used?

288

A company is designing a network architecture for a critical application that must be highly available and secure. Which TWO actions should be taken to ensure high availability of the network infrastructure?

289

A security engineer needs to enable VPC Flow Logs to capture traffic metadata. Which THREE components are required to create a VPC Flow Log?

290

Which TWO actions can help protect against DDoS attacks at the network layer?

291

A company is running a critical web application on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The application serves traffic on port 443. The security team has implemented a security group for the ALB that allows inbound HTTPS from 0.0.0.0/0. The EC2 instances are in a private subnet with a security group that allows inbound traffic from the ALB security group on port 8080. The application works correctly. However, the security team wants to add an additional layer of defense by implementing a web application firewall (WAF) to block common web exploits. The team also wants to ensure that only traffic from the company's corporate IP range (203.0.113.0/24) can access the application for administrative purposes on a separate path. The team has enabled AWS WAF on the ALB and associated a web ACL. They have also created a rule to allow traffic from the corporate IP range and block all other traffic. After deploying these changes, external users (not from corporate IP) cannot access the application at all. The company wants external users to be able to access the main application, but only corporate IPs should access the admin path. What should the security engineer do to fix the issue?

292

A company is designing a VPC for a three-tier web application that must be accessible from the internet only via HTTPS. The web servers must be able to initiate outbound connections to the internet for software updates, but the database servers must have no direct internet access. Which architecture meets these requirements?

293

A security engineer is reviewing the following IAM policy attached to an S3 bucket: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*", "Condition": { "IpAddress": { "aws:SourceIp": "10.0.0.0/8" } } } ] } The bucket contains sensitive data and should only be accessible from the corporate network (CIDR 10.0.0.0/8). However, the engineer is concerned that this policy might not be effective. What is the primary security concern with this policy?

294

A company uses AWS Systems Manager Session Manager to provide SSH access to EC2 instances without needing to open inbound ports. The security team wants to ensure that all session activity is logged and that only authorized users can start sessions. Which combination of actions should be taken? (Choose TWO.)

295

A security engineer is configuring a Network ACL for a public subnet that hosts a web server. The web server must accept HTTPS (TCP 443) traffic from the internet and respond. It must also be able to initiate outbound connections to the internet for software updates (HTTPS). What is the MINIMUM set of rules required for the inbound and outbound Network ACL?

296

A company uses AWS PrivateLink to connect to a SaaS provider's VPC endpoint service. The security team wants to ensure that traffic between the company's VPC and the SaaS provider's VPC is encrypted in transit and that no other AWS service can access the data. Which configuration meets these requirements?

297

A company has a security group rule that allows inbound traffic from 0.0.0.0/0 on port 22. The security engineer wants to restrict SSH access to only the company's public IP range (203.0.113.0/24). What is the correct way to update the security group rule?

298

A company uses an AWS Network Firewall to inspect traffic between subnets in a VPC. The security team wants to ensure that all traffic from the web tier to the database tier passes through the firewall. The web servers are in subnet A, and the database servers are in subnet B. What routing configuration is required?

299

A company has a VPC with multiple subnets and uses VPC Flow Logs to capture network traffic. The security team notices that some expected traffic is not appearing in the logs. What is a likely cause?

300

A company wants to provide its developers with IAM roles that allow them to launch EC2 instances with specific security groups. The security team wants to ensure that developers cannot launch instances without a security group. How can this be enforced?

Practice all 300 Infrastructure Security questions

Deep-dive questions

Must-know Infrastructure Security questions

The most-searched questions in this domain — detailed explanations, worked examples, full answer breakdowns.

  • Security Group Rules for ALB HTTP/HTTPS to EC2→
  • Security Group Configuration for ALB and EC2 with HTTP/HTTPS→
  • Common IAM Policy Condition Mistake: Using StringNotEquals to Deny Access→
  • Troubleshoot Security Group Not Applied to EC2 Instance→
  • Correct Order for ACM Certificate Setup: Request, DNS Validation, Issuance, Association→
  • How to Verify CloudTrail Logs Have Not Been Tampered With→
  • Restrict EC2 Access to Only ALB Using Security Group Reference→
  • Allow Only ALB Traffic to EC2 with Security Group References→

Other SCS-C02 exam domains

Threat Detection and Incident ResponseSecurity Logging and MonitoringIdentity and Access ManagementManagement and Security GovernanceData Protection

Frequently asked questions

What does the Infrastructure Security domain cover on the SCS-C02 exam?

Infrastructure Security questions on this certification test your ability to deploy and manage infrastructure security concepts in scenario-based situations.

How many Infrastructure Security questions are in the SCS-C02 question bank?

The Courseiva SCS-C02 question bank contains 300 questions in the Infrastructure Security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Infrastructure Security for SCS-C02?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Infrastructure Security questions for SCS-C02?

Yes — the session launcher on this page draws questions exclusively from the Infrastructure Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your SCS-C02 domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide

Related Exams

SAA-C03SY0-701CISSP