Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Certifications›SCS-C02›Objectives›Infrastructure Security
Objective 3.0

Infrastructure Security

SCS-C02 Practice Questions

Use this page to practise Infrastructure Security questions for this certification. Focus on how the exam tests infrastructure security in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Full Practice Test →All Objectives

What this objective tests

SCS-C02 Infrastructure Security — Key Topics

Infrastructure Security questions on this certification test your ability to deploy and manage infrastructure security concepts in scenario-based situations.

  • Core Infrastructure Security concepts and how they apply in real-world cloud scenarios.
  • How to deploy infrastructure security correctly and verify the outcome.
  • Troubleshooting infrastructure security issues by interpreting error output and system state.
  • Cloud best practices and Infrastructure Security design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Infrastructure Security

  • ⚠Selecting the most expensive service when a simpler managed option meets the requirement.
  • ⚠Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • ⚠Choosing a global service fix when the issue is region-specific.
  • ⚠Overlooking cost implications of cross-region data transfer in architecture questions.

SCS-C02 Infrastructure Security — Practice Questions

30 questions from this objective

Question 2mediummultiple choice
Full question →

A company is designing a multi-tier web application on AWS. The web tier must be accessible from the internet, but the application and database tiers must be isolated. The security team requires that all traffic between tiers be encrypted and that the application tier can only be accessed by the web tier. Which architecture should be used?

Question 3hardmultiple choice
Review the full subnetting walkthrough →

A security engineer is troubleshooting connectivity issues between an Amazon EC2 instance in a VPC and an on-premises server over a Direct Connect virtual interface. The EC2 instance has a security group that allows outbound traffic to the on-premises CIDR block (10.0.0.0/16). The VPC has a route table entry pointing the on-premises CIDR to the virtual private gateway. The on-premises firewall shows that packets are received from the EC2 instance but responses are not reaching the instance. What is the most likely cause?

Question 4easymultiple choice
Full question →

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all Amazon S3 buckets across the organization have server-side encryption (SSE-S3 or SSE-KMS) enabled. Which approach should be used to enforce this policy?

Question 5hardmulti select
Full question →

A company is migrating a legacy application to AWS. The application requires two-way communication between the web servers and the database servers using TCP port 3306. The security team wants to follow the principle of least privilege. Which TWO actions should be taken to secure the traffic?

Question 6mediummultiple choice
Full question →

A security engineer is reviewing the SQS queue policy shown in the exhibit. The queue is subscribed to an SNS topic in the same account. The security team has a requirement that only the SNS topic should be allowed to send messages to the queue. What is the issue with this policy?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:sns:us-east-1:123456789012:MyTopic"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:ReceiveMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
Question 7hardmultiple choice
Study the full AAA explanation →

A financial services company runs a critical application on Amazon EC2 instances in a VPC. The application processes sensitive financial data and must meet strict compliance requirements. The security team recently discovered that an EC2 instance was compromised due to an unpatched vulnerability. The attacker used the instance's IAM role to access an S3 bucket containing customer data and exfiltrated the data. The security team needs to prevent such incidents in the future. They have implemented the following controls: - All EC2 instances are launched in private subnets. - The IAM roles used by EC2 instances follow the principle of least privilege. - Security groups restrict inbound and outbound traffic. - AWS Systems Manager Patch Manager is used to patch instances. - AWS CloudTrail is enabled and logs are sent to a centralized S3 bucket. - Amazon GuardDuty is enabled.

Despite these controls, the team is concerned about the blast radius if an instance is compromised again. Which additional measure would MOST effectively limit the blast radius of a compromised EC2 instance?

Question 8mediummulti select
Review the full subnetting walkthrough →

A security engineer is designing a VPC with public and private subnets. The application servers in the private subnets need to access the internet for software updates, but must not be directly reachable from the internet. Which TWO actions satisfy these requirements?

Question 9hardmultiple choice
Full question →

Refer to the exhibit. A security engineer finds the above IAM policy attached to an IAM group. The policy is intended to allow all EC2 actions only from the corporate network (10.0.0.0/8). However, users report that they can perform EC2 actions from outside the corporate network. What is the MOST likely reason?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
```
Question 10easymultiple choice
Full question →

A company runs a web application on EC2 instances in an Auto Scaling group across two Availability Zones. The instances are behind an Application Load Balancer. The security team wants to ensure that only the ALB can send traffic to the instances. The instances are in a security group named 'app-sg'. Currently, 'app-sg' has an inbound rule allowing HTTP traffic from 0.0.0.0/0. The team wants to restrict access to only the ALB's security group. The ALB is in a security group named 'alb-sg'. Which course of action should the security engineer take to meet the requirement with minimal disruption?

Question 11mediumdrag order
Full question →

Drag and drop the steps to set up AWS Certificate Manager (ACM) for a custom domain in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 12mediummatching
Full question →

Match each AWS Storage service encryption feature to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Server-side encryption with S3 managed keys

Server-side encryption with AWS KMS

Server-side encryption with customer-provided keys

Encryption at rest for EBS volumes

Encryption at rest for RDS instances

Question 13mediummultiple choice
Review the full subnetting walkthrough →

A company uses Network Load Balancer (NLB) in front of a fleet of EC2 instances in private subnets. Security team requires that the source IP addresses of clients be preserved in the access logs of the backend instances. Which configuration should the security engineer verify?

Question 14hardmulti select
Read the full NAT/PAT explanation →

A security engineer is designing a VPC with public and private subnets. The application must be able to send outbound traffic to the internet, but inbound traffic from the internet must be blocked except for a single HTTP load balancer. The application also needs to access an S3 bucket in the same AWS region. Which combination of VPC components meets these requirements? (Choose two.)

Question 15easymultiple choice
Full question →

A company is using AWS WAF to protect its Application Load Balancer (ALB). The security team wants to block requests that do not contain a valid API key in the HTTP header 'X-API-Key'. Which WAF rule type should be used?

Question 16mediummultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance is associated with a security group that allows outbound HTTPS (port 443) to 0.0.0.0/0. The private subnet route table has a default route (0.0.0.0/0) pointing to a NAT Gateway in the public subnet. The NAT Gateway's security group allows inbound HTTPS from the private subnet CIDR. However, the instance cannot download patches. What is the most likely cause?

Question 17hardmultiple choice
Full question →

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The connection is set up with a private VIF to a VPC using a virtual private gateway. The security team wants to encrypt all traffic between on-premises and the VPC. Which solution should be implemented?

Question 18easymultiple choice
Full question →

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. Which S3 bucket policy condition key should be used?

Question 19hardmultiple choice
Read the full NAT/PAT explanation →

A company is using AWS CloudFormation to deploy a multi-tier application. The security team requires that the database tier (RDS) be deployed in private subnets that are not directly routable from the application tier (EC2). The application tier must communicate with the database using an internal network path. Which solution meets these requirements?

Question 20easymultiple choice
Full question →

A company is using AWS Shield Advanced to protect its web application against DDoS attacks. Which additional AWS service can be used to automatically mitigate application layer attacks?

Question 21hardmulti select
Review the full subnetting walkthrough →

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to access an S3 bucket to store logs. The security team wants to ensure that traffic does not traverse the internet. Which solution should be used? (Choose two.)

Question 22hardmultiple choice
Full question →

A company wants to deploy a web application that must be accessible over HTTPS only. The application runs behind an Application Load Balancer (ALB). The security team wants to enforce HTTP Strict Transport Security (HSTS) to prevent downgrade attacks. Which configuration achieves this?

Question 23mediummulti select
Full question →

A company is using AWS CloudTrail to log API calls. The security team wants to ensure that the logs are encrypted at rest and that access to the logs is controlled. Which actions should be taken? (Choose two.)

Question 24easymultiple choice
Full question →

A company is using AWS Key Management Service (KMS) to encrypt data at rest in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt the data. Which KMS policy element should be used?

Question 25mediummultiple choice
Full question →

A company uses Amazon CloudFront with an Application Load Balancer (ALB) as the origin. The security team wants to restrict access to the ALB so that it only accepts traffic from CloudFront. Which configuration should be used?

Question 26hardmultiple choice
Read the full NAT/PAT explanation →

A security engineer is designing a VPC with private subnets for an application that must access the internet for software updates. The VPC has a NAT gateway in a public subnet. The private subnet route table has a default route (0.0.0.0/0) pointing to the NAT gateway. Which additional security measure should be implemented to ensure that only the application instances can use the NAT gateway, and not any other resources in the VPC?

Question 27easymultiple choice
Full question →

A company wants to use AWS Direct Connect to establish a dedicated network connection from its on-premises data center to AWS. Which of the following is a security best practice when configuring Direct Connect?

Question 28mediummultiple choice
Full question →

A company has an Amazon S3 bucket that stores sensitive data. The security team wants to ensure that all access to the bucket is made only via HTTPS. Which policy should be used?

Question 29hardmultiple choice
Full question →

A company has a multi-account AWS environment using AWS Organizations. The security team wants to centrally manage VPC security group rules across all accounts. Which solution should be used?

Question 30easymultiple choice
Review the full subnetting walkthrough →

A company is deploying a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The instances are in a private subnet. How should the security group for the EC2 instances be configured?

Question 31mediummultiple choice
Read the full NAT/PAT explanation →

A security engineer is troubleshooting why an EC2 instance in a private subnet cannot access the internet through a NAT gateway. The route table for the private subnet has a default route pointing to the NAT gateway. The NAT gateway is in a public subnet with a route to an internet gateway. What is the most likely cause of the issue?

More Infrastructure Security questions available in the full practice test.

Continue Practising →

Next objective

Data Protection

→

All SCS-C02 Objectives

  • 3.Infrastructure Security
  • 5.Data Protection