© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

SCS-C02 Infrastructure Security • Complete Question Bank

SCS-C02 Infrastructure Security — All Questions With Answers

Complete SCS-C02 Infrastructure Security question bank — all 0 questions with answers and detailed explanations.

328 questions · Free · No signup
Question 1 (medium, multiple choice) · Topic: Infrastructure Security

A company is designing a multi-tier web application on AWS. The web tier must be accessible from the internet, but the application and database tiers must be isolated. The security team requires that all traffic between tiers be encrypted and that the application tier can only be accessed by the web tier. Which architecture should be used?

Question 2 (hard, multiple choice) · Topic: subnetting

A security engineer is troubleshooting connectivity issues between an Amazon EC2 instance in a VPC and an on-premises server over a Direct Connect virtual interface. The EC2 instance has a security group that allows outbound traffic to the on-premises CIDR block (10.0.0.0/16). The VPC has a route table entry pointing the on-premises CIDR to the virtual private gateway. The on-premises firewall shows that packets are received from the EC2 instance but responses are not reaching the instance. What is the most likely cause?

Question 3 (easy, multiple choice) · Topic: Infrastructure Security

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all Amazon S3 buckets across the organization have server-side encryption (SSE-S3 or SSE-KMS) enabled. Which approach should be used to enforce this policy?

Question 4 (hard, multi select) · Topic: Infrastructure Security

A company is migrating a legacy application to AWS. The application requires two-way communication between the web servers and the database servers using TCP port 3306. The security team wants to follow the principle of least privilege. Which TWO actions should be taken to secure the traffic?

Question 5 (medium, multiple choice) · Topic: Infrastructure Security

A security engineer is reviewing the SQS queue policy shown in the exhibit. The queue is subscribed to an SNS topic in the same account. The security team has a requirement that only the SNS topic should be allowed to send messages to the queue. What is the issue with this policy?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:sns:us-east-1:123456789012:MyTopic"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:ReceiveMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
```

Question 6 (hard, multiple choice) · Topic: AAA

A financial services company runs a critical application on Amazon EC2 instances in a VPC. The application processes sensitive financial data and must meet strict compliance requirements. The security team recently discovered that an EC2 instance was compromised due to an unpatched vulnerability. The attacker used the instance's IAM role to access an S3 bucket containing customer data and exfiltrated the data. The security team needs to prevent such incidents in the future. They have implemented the following controls:
- All EC2 instances are launched in private subnets.
- The IAM roles used by EC2 instances follow the principle of least privilege.
- Security groups restrict inbound and outbound traffic.
- AWS Systems Manager Patch Manager is used to patch instances.
- AWS CloudTrail is enabled and logs are sent to a centralized S3 bucket.
- Amazon GuardDuty is enabled.

Despite these controls, the team is concerned about the blast radius if an instance is compromised again. Which additional measure would MOST effectively limit the blast radius of a compromised EC2 instance?

Question 7 (medium, multi select) · Topic: subnetting

A security engineer is designing a VPC with public and private subnets. The application servers in the private subnets need to access the internet for software updates, but must not be directly reachable from the internet. Which TWO actions satisfy these requirements?

Question 8 (hard, multiple choice) · Topic: Infrastructure Security

Refer to the exhibit. A security engineer finds the above IAM policy attached to an IAM group. The policy is intended to allow all EC2 actions only from the corporate network (10.0.0.0/8). However, users report that they can perform EC2 actions from outside the corporate network. What is the MOST likely reason?

Exhibit

Refer to the exhibit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
```

Question 9 (easy, multiple choice) · Topic: Infrastructure Security

A company runs a web application on EC2 instances in an Auto Scaling group across two Availability Zones. The instances are behind an Application Load Balancer. The security team wants to ensure that only the ALB can send traffic to the instances. The instances are in a security group named 'app-sg'. Currently, 'app-sg' has an inbound rule allowing HTTP traffic from 0.0.0.0/0. The team wants to restrict access to only the ALB's security group. The ALB is in a security group named 'alb-sg'. Which course of action should the security engineer take to meet the requirement with minimal disruption?

Question 10 (medium, drag order) · Topic: Infrastructure Security

Drag and drop the steps to set up AWS Certificate Manager (ACM) for a custom domain in the correct order.

Question 11 (medium, matching) · Topic: Infrastructure Security

Match each AWS Storage service encryption feature to its description.


Concepts:
Server-side encryption with S3 managed keys
Server-side encryption with AWS KMS
Server-side encryption with customer-provided keys
Encryption at rest for EBS volumes
Encryption at rest for RDS instances

Question 12 (medium, multiple choice) · Topic: subnetting

A company uses a Network Load Balancer (NLB) in front of a fleet of EC2 instances in private subnets. The security team requires that the source IP addresses of clients be preserved in the access logs of the backend instances. Which configuration should the security engineer verify?

Question 13 (hard, multi select) · Topic: NAT/PAT

A security engineer is designing a VPC with public and private subnets. The application must be able to send outbound traffic to the internet, but inbound traffic from the internet must be blocked except for a single HTTP load balancer. The application also needs to access an S3 bucket in the same AWS region. Which combination of VPC components meets these requirements? (Choose two.)

Question 14 (easy, multiple choice) · Topic: Infrastructure Security

A company is using AWS WAF to protect its Application Load Balancer (ALB). The security team wants to block requests that do not contain a valid API key in the HTTP header 'X-API-Key'. Which WAF rule type should be used?

Question 15 (medium, multiple choice) · Topic: NAT/PAT

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance is associated with a security group that allows outbound HTTPS (port 443) to 0.0.0.0/0. The private subnet route table has a default route (0.0.0.0/0) pointing to a NAT Gateway in the public subnet. The NAT Gateway's security group allows inbound HTTPS from the private subnet CIDR. However, the instance cannot download patches. What is the most likely cause?

Question 16 (hard, multiple choice) · Topic: Infrastructure Security

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The connection is set up with a private VIF to a VPC using a virtual private gateway. The security team wants to encrypt all traffic between on-premises and the VPC. Which solution should be implemented?

Question 17 (easy, multiple choice) · Topic: Infrastructure Security

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. Which S3 bucket policy condition key should be used?

Question 18 (hard, multiple choice) · Topic: NAT/PAT

A company is using AWS CloudFormation to deploy a multi-tier application. The security team requires that the database tier (RDS) be deployed in private subnets that are not directly routable from the application tier (EC2). The application tier must communicate with the database using an internal network path. Which solution meets these requirements?

Question 19 (easy, multiple choice) · Topic: Infrastructure Security

A company is using AWS Shield Advanced to protect its web application against DDoS attacks. Which additional AWS service can be used to automatically mitigate application layer attacks?

Question 20 (hard, multi select) · Topic: subnetting

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to access an S3 bucket to store logs. The security team wants to ensure that traffic does not traverse the internet. Which solution should be used? (Choose two.)

Question 21 (hard, multiple choice) · Topic: Infrastructure Security

A company wants to deploy a web application that must be accessible over HTTPS only. The application runs behind an Application Load Balancer (ALB). The security team wants to enforce HTTP Strict Transport Security (HSTS) to prevent downgrade attacks. Which configuration achieves this?

Question 22 (medium, multi select) · Topic: Infrastructure Security

A company is using AWS CloudTrail to log API calls. The security team wants to ensure that the logs are encrypted at rest and that access to the logs is controlled. Which actions should be taken? (Choose two.)

Question 23 (easy, multiple choice) · Topic: Infrastructure Security

A company is using AWS Key Management Service (KMS) to encrypt data at rest in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt the data. Which KMS policy element should be used?

Question 24 (medium, multiple choice) · Topic: Infrastructure Security

A company uses Amazon CloudFront with an Application Load Balancer (ALB) as the origin. The security team wants to restrict access to the ALB so that it only accepts traffic from CloudFront. Which configuration should be used?

Question 25 (hard, multiple choice) · Topic: NAT/PAT

A security engineer is designing a VPC with private subnets for an application that must access the internet for software updates. The VPC has a NAT gateway in a public subnet. The private subnet route table has a default route (0.0.0.0/0) pointing to the NAT gateway. Which additional security measure should be implemented to ensure that only the application instances can use the NAT gateway, and not any other resources in the VPC?

Question 26 (easy, multiple choice) · Topic: Infrastructure Security

A company wants to use AWS Direct Connect to establish a dedicated network connection from its on-premises data center to AWS. Which of the following is a security best practice when configuring Direct Connect?

Question 27 (medium, multiple choice) · Topic: Infrastructure Security

A company has an Amazon S3 bucket that stores sensitive data. The security team wants to ensure that all access to the bucket is made only via HTTPS. Which policy should be used?

Question 28 (hard, multiple choice) · Topic: Infrastructure Security

A company has a multi-account AWS environment using AWS Organizations. The security team wants to centrally manage VPC security group rules across all accounts. Which solution should be used?

Question 29 (easy, multiple choice) · Topic: subnetting

A company is deploying a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The instances are in a private subnet. How should the security group for the EC2 instances be configured?

Question 30 (medium, multiple choice) · Topic: NAT/PAT

A security engineer is troubleshooting why an EC2 instance in a private subnet cannot access the internet through a NAT gateway. The route table for the private subnet has a default route pointing to the NAT gateway. The NAT gateway is in a public subnet with a route to an internet gateway. What is the most likely cause of the issue?

Question 31 (easy, multiple choice) · Topic: Infrastructure Security

A company wants to securely store and manage SSL/TLS certificates for use with CloudFront. Which AWS service should be used?

Question 32 (hard, multiple choice) · Topic: subnetting

A company has a VPC with multiple subnets across multiple Availability Zones. The security team wants to inspect all traffic between subnets for malicious activity. Which AWS service should be used?

Question 33 (medium, multi select) · Topic: Infrastructure Security

A security engineer is configuring a VPC for a three-tier application. The web tier must be accessible from the internet, the application tier must be accessible only from the web tier, and the database tier must be accessible only from the application tier. Which TWO security group configurations should be used? (Choose TWO.)

Question 34 (hard, multi select) · Topic: Infrastructure Security

A company is using AWS Direct Connect with a private virtual interface (VIF) to connect its on-premises network to a VPC. The security team wants to encrypt traffic over the Direct Connect connection. Which TWO options can be used? (Choose TWO.)

Question 35 (medium, multi select) · Topic: Infrastructure Security

A company has an Amazon S3 bucket with a bucket policy that restricts access to a specific VPC endpoint. However, users are still able to access the bucket from outside the VPC. Which THREE steps should the security engineer take to troubleshoot this issue? (Choose THREE.)

Question 36 (hard, multiple choice) · Topic: Infrastructure Security

Refer to the exhibit. A security engineer attaches this bucket policy to an S3 bucket. A user from IP address 203.0.113.10 tries to download an object using HTTP (not HTTPS). What will happen?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```

Question 37 (medium, multiple choice) · Topic: subnetting

Refer to the exhibit. A security engineer runs the CLI command and receives the output shown. The engineer expects to see flow logs for a specific subnet, but the output shows the resource ID as a VPC. What is the most likely reason?

Network Topology

Refer to the exhibit.

Command:
```
aws ec2 describe-flow-logs --filter "Name=log-group-name
```

Output:
```json
{
  "FlowLogs": [
    {
      "CreationTime": "2023-08-01T12:00:00Z",
      "FlowLogId": "fl-12345678",
      "FlowLogStatus": "ACTIVE",
      "ResourceId": "vpc-12345678",
      "TrafficType": "ALL",
      "LogGroupName": "my-flow-log-group",
      "DeliverLogsPermissionArn": "arn:aws:iam::123456789012:role/FlowLogRole",
      "LogDestinationType": "cloud-watch-logs"
    }
  ]
}
```

Question 38 (easy, multiple choice) · Topic: Infrastructure Security

Refer to the exhibit. A security engineer is reviewing an IAM policy attached to an S3 bucket. What does this policy allow?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/CrossAccountRole"
      },
      "Action": [
        "ec2:DescribeInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "123456789012"
        }
      }
    }
  ]
}
```

Question 39 (easy, multiple choice) · Topic: Infrastructure Security

A company wants to restrict access to an Amazon S3 bucket so that only objects uploaded with server-side encryption using AWS KMS (SSE-KMS) are allowed. Which bucket policy condition key should be used?

Question 40 (medium, multiple choice) · Topic: subnetting

A company has an AWS Lambda function that needs to access an Amazon RDS database. The database is in a private subnet. Which configuration will allow the Lambda function to securely access the database without traversing the internet?

Question 41 (hard, multiple choice) · Topic: NAT/PAT

A security engineer notices that an Amazon EC2 instance has a security group that allows inbound SSH (port 22) from 0.0.0.0/0. The instance is a bastion host. What is a more secure alternative to this configuration?

Question 42 (easy, multiple choice) · Topic: Infrastructure Security

A company is designing a multi-tier web application. The web servers must be accessible from the internet, but the application servers must only be accessible from the web servers. Which AWS feature should be used to meet these requirements?

Question 43 (medium, multiple choice) · Topic: Infrastructure Security

A company uses AWS CloudFormation to deploy infrastructure. A security engineer needs to ensure that all CloudFormation stacks use a specific AWS KMS key for encrypting resources that support encryption. Which approach should be used?

Question 44 (hard, multiple choice) · Topic: NAT/PAT

A company wants to audit all API calls made to Amazon S3 within a specific AWS account. Which combination of services should be used to meet this requirement?

Question 45 (easy, multiple choice) · Topic: subnetting

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. Which component should be added to the VPC to enable this?

Question 46 (medium, multiple choice) · Topic: Infrastructure Security

A security engineer needs to ensure that an Amazon S3 bucket blocks all public access. Which S3 block public access settings should be enabled?

Question 47 (hard, multiple choice) · Topic: Infrastructure Security

A company uses an AWS Transit Gateway to connect multiple VPCs and on-premises networks. A security engineer needs to ensure that traffic between VPCs is inspected by a third-party firewall appliance. Which architecture should be used?

Question 48 (medium, multi select) · Topic: Infrastructure Security

Which TWO actions are valid ways to restrict access to an Amazon S3 bucket using a bucket policy? (Choose two.)

Question 49 (hard, multi select) · Topic: Infrastructure Security

Which THREE are AWS best practices for securing an Amazon EC2 instance? (Choose three.)

Question 50 (easy, multi select) · Topic: Infrastructure Security

Which TWO of the following are valid methods to secure data at rest in Amazon S3? (Choose two.)

Question 51 (easy, multiple choice) · Topic: subnetting

A company is using an Application Load Balancer (ALB) to distribute traffic to a set of EC2 instances in private subnets. The security team wants to ensure that only traffic from the ALB can reach the EC2 instances. Which security group configuration should be applied to the EC2 instances?

Question 52 (medium, multiple choice) · Topic: NAT/PAT

A security engineer is designing a VPC with public and private subnets in two Availability Zones. The company requires that all outbound traffic from private subnets to the internet must go through a single, centrally managed NAT gateway. Which combination of resources and route table entries should be used?

Question 53 (hard, multiple choice) · Topic: NAT/PAT

A company has a VPC with a public subnet and a private subnet. The public subnet hosts a NAT instance (Amazon Linux) that provides internet access to instances in the private subnet. The security team notices that the NAT instance is receiving high inbound traffic on port 22 from an external IP address. The team wants to block this traffic at the network layer without affecting other traffic. What is the most effective solution?

Question 54 (easy, multiple choice) · Topic: Infrastructure Security

A company is using AWS CloudFormation to deploy a web application. The template includes an EC2 instance with a security group that allows inbound HTTP traffic from 0.0.0.0/0. The security team wants to ensure that this security group is never used in production. Which AWS service can automatically remediate this noncompliant configuration?

Question 55 (medium, multiple choice) · Topic: subnetting

A security engineer is designing a VPC with a public subnet and a private subnet. The private subnet will host a database instance that should only be accessible from the application instances in the public subnet. The application instances use an Auto Scaling group. Which configuration ensures that only the application instances can access the database?

Question 56 (hard, multi select) · Topic: subnetting

A company has a VPC with a single public subnet and a single private subnet. The private subnet contains an RDS MySQL database that should not be accessible from the internet. The public subnet contains a bastion host that is used for SSH access to the database instance. The security team wants to ensure that the database can only be accessed from the bastion host. Which two security group rules should be configured? (Choose TWO.)

Question 57 (easy, multiple choice) · Topic: subnetting

A company has a VPC with multiple subnets. The security team wants to control traffic between subnets using a stateful firewall that can automatically allow return traffic. Which AWS service should be used?

Question 58 (medium, multiple choice) · Topic: subnetting

A security engineer is troubleshooting connectivity issues between two EC2 instances in the same VPC but different subnets. Both instances have security groups that allow all traffic from each other's security group. However, traffic is still blocked. What is the most likely cause?

Question 59 (hard, multiple choice) · Topic: VPN

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. The security team wants to inspect all traffic between VPCs before it reaches its destination. Which architecture should be used?

Question 60 (easy, multi select) · Topic: Infrastructure Security

A company wants to allow only specific IP addresses to access an S3 bucket. Which two methods can achieve this? (Choose TWO.)

Question 61 (medium, multi select) · Topic: subnetting

A security engineer is designing a VPC with public and private subnets. The private subnets will host databases that should not have direct internet access. Which three components are required to provide outbound internet access for these databases? (Choose THREE.)

Question 62 (hard, multi select) · Topic: Infrastructure Security

A company is using AWS Organizations to manage multiple accounts. The security team wants to restrict the use of specific instance types across all accounts. Which two AWS services can enforce this restriction? (Choose TWO.)

Question 63 (medium, multiple choice) · Topic: Infrastructure Security

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team requires that all traffic between the ALB and EC2 instances be encrypted. Which configuration ensures this requirement is met?

Question 64 (hard, multiple choice) · Topic: Infrastructure Security

A security engineer needs to ensure that an EC2 instance can only be launched using an approved Amazon Machine Image (AMI) from a specific AWS account. Which AWS service should be used to enforce this requirement?

Question 65 (easy, multiple choice) · Topic: subnetting

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. Which AWS service provides a managed, highly available, and scalable solution for this requirement?

Question 66 (medium, multiple choice) · Topic: Infrastructure Security

An organization uses AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets have server-side encryption enabled. Which approach would enforce this across all accounts?

Question 67 (hard, multiple choice) · Topic: subnetting

A company is designing a network architecture for a multi-tier web application. The application consists of a public-facing ALB, web servers in private subnets, and an RDS database in isolated subnets. The security team requires that the web servers have no direct internet access. Which VPC configuration meets this requirement?

Question 68 (easy, multiple choice) · Topic: Infrastructure Security

A company wants to use AWS WAF to protect its web application from common web exploits. Which AWS service must be integrated with AWS WAF to provide this protection?

Question 69 (hard, multiple choice) · Topic: subnetting

A security engineer is designing a network segmentation strategy for a VPC that hosts sensitive data. The engineer needs to ensure that EC2 instances in a private subnet can communicate with an RDS database in a different private subnet, but cannot communicate with any other resources in the same VPC. Which configuration should be used?

Question 70 (medium, multiple choice) · Topic: Infrastructure Security

A company uses AWS CloudFormation to deploy infrastructure. The security team needs to ensure that all CloudFormation stacks include a specific tag with a value that complies with corporate policies. Which AWS service can enforce this requirement?

Question 71 (easy, multiple choice) · Topic: subnetting

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. The security team wants to create a subnet for a legacy application that requires 2000 IP addresses. What is the smallest subnet CIDR that meets this requirement?

Question 72 (medium, multi select) · Topic: Infrastructure Security

A company uses AWS Organizations and wants to restrict the use of specific instance types across all accounts. Which TWO actions should be taken to enforce this restriction?

Question 73 (hard, multi select) · Topic: subnetting

A security engineer is designing a secure VPC architecture for a web application that must be accessible from the internet. The application runs on EC2 instances in private subnets. Which THREE components are required to provide secure internet connectivity?

Question 74 (medium, multi select) · Topic: Infrastructure Security

A company wants to implement a defense-in-depth strategy for its web application running on EC2 instances. Which TWO AWS services should be used to provide both network and application-layer protection?

Question 75 (easy, multiple choice) · Topic: Infrastructure Security

A company wants to ensure that all Amazon EC2 instances in a VPC can only be accessed via SSH from a specific IP address range (203.0.113.0/24). Which VPC component should be used to enforce this restriction?

Question 76 (easy, multiple choice) · Topic: Infrastructure Security

A security engineer needs to ensure that all data stored in an Amazon S3 bucket is encrypted at rest. The bucket must use server-side encryption with a key managed by the customer (SSE-C). What must the engineer include in the PUT request to enforce this?

Question 77 (medium, multiple choice) · Topic: subnetting

A company has deployed a multi-tier web application on AWS. The web servers are in a public subnet, and the application servers are in a private subnet. The security team wants to ensure that the application servers cannot initiate outbound connections to the internet. What should the team do?

Question 78 (medium, multiple choice) · Topic: Infrastructure Security

A company uses AWS CloudFormation to deploy infrastructure. The security team wants to ensure that no sensitive data, such as database passwords, is exposed in plaintext in the CloudFormation templates. What is the MOST secure way to handle secrets?

Question 79 (medium, multiple choice) · Topic: Infrastructure Security

A company's security team discovers that an Amazon EC2 instance has been compromised and is sending outbound traffic to a known malicious IP address. The instance is in a VPC with a security group that allows all outbound traffic. What is the FASTEST way to stop the outbound traffic without affecting other instances?

Question 80 (hard, multiple choice) · Topic: NAT/PAT

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is configured to terminate SSL/TLS and forward traffic to the instances over HTTP. The security team wants to ensure that the instances only accept traffic from the ALB, not from any other source. How can this be achieved?

Question 81hardmultiple choice
Read the full Infrastructure Security explanation →

A company is designing a network architecture for a critical application that must meet strict compliance requirements. The application consists of Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The instances need to access an Amazon RDS database in a different VPC. The company wants to minimize exposure to the internet. Which solution should the company use?

Question 82hardmultiple choice
Read the full Infrastructure Security explanation →

A security engineer is investigating a potential data exfiltration from an Amazon S3 bucket. The bucket policy allows access to a specific IAM role, but the engineer suspects that the role has been compromised. The engineer wants to quickly block all access to the bucket without deleting the bucket or the policy. What is the BEST course of action?

Question 83easymultiple choice
Review the full subnetting walkthrough →

A company wants to allow a developer to launch EC2 instances only in a specific subnet. The developer should not be able to use any other subnet. Which IAM policy action should be used to enforce this?

Question 84mediummulti select
Review the full subnetting walkthrough →

A security engineer is designing a VPC with public and private subnets. The private subnets must be able to download software updates from the internet. Which TWO components can provide this functionality without exposing the private instances to inbound internet traffic?

Question 85mediummulti select
Read the full Infrastructure Security explanation →

A company is using AWS CloudTrail to log API calls. The security team wants to ensure that the logs are protected from unauthorized access and deletion. Which TWO actions should be taken?

Question 86hardmulti select
Read the full Infrastructure Security explanation →

A company is designing a security group for a web server that must allow HTTP (80) and HTTPS (443) traffic from the internet. The server also needs to make outbound connections to an Amazon RDS database on port 3306 and to the internet for software updates. Which THREE rules should be included in the security group? (Select THREE.)

Question 87mediummultiple choice
Read the full Infrastructure Security explanation →

Refer to the exhibit. The bucket policy allows access from a specific IP range and denies access over HTTP. A user from IP 198.51.100.5 makes a GET request over HTTPS. What will happen?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
Question 88hardmultiple choice
Read the full Infrastructure Security explanation →

Refer to the exhibit. A security engineer runs the iptables command on an EC2 instance in a VPC. The instance has a security group that allows all outbound traffic and inbound SSH from 0.0.0.0/0, HTTP from 0.0.0.0/0, and HTTPS from 0.0.0.0/0. A user from IP 203.0.113.5 tries to connect to the instance over HTTP. What will happen?

Exhibit

Refer to the exhibit.

```
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  10.0.0.0/16          0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  10.0.0.0/16          0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
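As an added example (not from the question bank), the block below models the two filters a packet must clear in the scenario above: the security group, which is an unordered allow-list evaluated by the VPC, and the host's iptables INPUT chain, evaluated top to bottom with the chain policy as the fallback. The security group rules are the three the question states; the iptables rules are taken from the exhibit, with ACCEPT assumed as the target of all three rows since a policy-DROP chain only lists accepts here. Only the initial inbound packet is modelled; security-group statefulness for return traffic is out of scope.

```python
import ipaddress

# Inbound security group rules as stated in the question.
SECURITY_GROUP = [
    {"proto": "tcp", "port": 22, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "port": 80, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "port": 443, "cidr": "0.0.0.0/0"},
]

# Host firewall INPUT chain as shown in the exhibit (targets assumed ACCEPT).
IPTABLES_INPUT = {
    "policy": "DROP",
    "rules": [
        {"target": "ACCEPT", "proto": "tcp", "src": "0.0.0.0/0", "dpt": 22},
        {"target": "ACCEPT", "proto": "tcp", "src": "10.0.0.0/16", "dpt": 80},
        {"target": "ACCEPT", "proto": "tcp", "src": "10.0.0.0/16", "dpt": 443},
    ],
}


def _in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def security_group_allows(sg, src_ip, proto, dport) -> bool:
    """Security groups have no deny rules and no ordering: any matching
    allow rule admits the packet, otherwise it is dropped silently."""
    return any(r["proto"] == proto and r["port"] == dport and _in_cidr(src_ip, r["cidr"])
               for r in sg)


def iptables_verdict(chain, src_ip, proto, dport) -> str:
    """First matching rule decides; if none matches, the chain policy applies."""
    for r in chain["rules"]:
        if r["proto"] == proto and r["dpt"] == dport and _in_cidr(src_ip, r["src"]):
            return r["target"]
    return chain["policy"]


def reaches_service(src_ip, proto, dport, sg=SECURITY_GROUP, chain=IPTABLES_INPUT):
    """Return (delivered, stage): stage names the filter that decided."""
    if not security_group_allows(sg, src_ip, proto, dport):
        return False, "security-group"
    verdict = iptables_verdict(chain, src_ip, proto, dport)
    return verdict == "ACCEPT", "iptables:" + verdict


if __name__ == "__main__":
    probes = [("203.0.113.5", 80), ("10.0.3.7", 80), ("203.0.113.5", 22), ("203.0.113.5", 8080)]
    for ip, port in probes:
        print(f"{ip}:{port} -> {reaches_service(ip, 'tcp', port)}")
```

The practical point: a security group that allows HTTP from anywhere is necessary but not sufficient, because the host firewall is evaluated after it and its policy is DROP. When troubleshooting "the security group allows it but the connection times out", check the instance-level firewall and VPC flow logs, which show the packet as ACCEPT at the ENI even though the kernel discards it.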
Question 89mediummultiple choice
Read the full Infrastructure Security explanation →

Refer to the exhibit. A security engineer deploys this CloudFormation template. An IAM role 'DataAccessRole' in the same account needs to read objects from the bucket. After deployment, users assume the role but get AccessDenied errors when trying to read objects. What is the MOST likely cause?

Exhibit

Refer to the exhibit.

Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-secure-bucket
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketPolicy:
        Statement:
        - Effect: Allow
          Principal:
            AWS: arn:aws:iam::123456789012:role/DataAccessRole
          Action: s3:GetObject
          Resource: !Sub arn:aws:s3:::${MyBucket}/*
Question 90mediummultiple choice
Review the full subnetting walkthrough →

A company uses an Application Load Balancer (ALB) to distribute traffic to a fleet of EC2 instances in private subnets. The security team wants to ensure that only the ALB can communicate with the EC2 instances. Which security group configuration should be applied to the EC2 instances?

Question 91mediummultiple choice
Study the full ACL explanation →

A security engineer is designing a network ACL for a public subnet containing an Application Load Balancer. The subnet must allow inbound HTTPS traffic from the internet and outbound traffic to the internet for patches. Which inbound rule should be added?

Question 92hardmultiple choice
Read the full Infrastructure Security explanation →

A company runs a critical application on EC2 instances behind an Application Load Balancer. The security team suspects that a DDoS attack is targeting the application. Which AWS service can be used to absorb and mitigate the attack at the network layer before traffic reaches the ALB?

Question 93easymultiple choice
Read the full NAT/PAT explanation →

A company wants to allow an EC2 instance in a VPC to download patches from the internet but block all other outbound traffic. Which configuration should be used?

Question 94hardmultiple choice
Read the full Infrastructure Security explanation →

A company has a security group that allows inbound SSH from a specific IP range. A security engineer notices that the security group rule is not being applied to a newly launched EC2 instance. What is the most likely cause?

Question 95easymultiple choice
Read the full Infrastructure Security explanation →

A company uses AWS Systems Manager Session Manager to manage EC2 instances without opening inbound ports. Which IAM policy is required for an EC2 instance to allow Session Manager to connect?

Question 96mediummultiple choice
Review the full subnetting walkthrough →

A security engineer needs to ensure that all traffic between two EC2 instances in different subnets is encrypted in transit. What is the most secure and efficient solution?

Question 97hardmultiple choice
Read the full Infrastructure Security explanation →

A company's security team wants to detect and block malicious SQL injection attempts against an Application Load Balancer. Which AWS service should be used?

Question 98easymultiple choice
Read the full Infrastructure Security explanation →

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. Which policy type should be used?

Question 99mediummulti select
Read the full Infrastructure Security explanation →

Which TWO of the following are valid methods to protect sensitive data in transit between an on-premises data center and AWS? (Select TWO.)

Question 100hardmulti select
Read the full Infrastructure Security explanation →

Which THREE of the following are best practices for securing an Amazon RDS database instance? (Select THREE.)

Question 101mediummulti select
Read the full Infrastructure Security explanation →

Which TWO of the following are valid ways to control inbound traffic to an EC2 instance? (Select TWO.)

Question 102mediummultiple choice
Read the full Infrastructure Security explanation →

A company is using AWS WAF to protect a web application. The security team notices that a specific IP address is generating a high volume of requests and triggering the WAF rate-based rule. However, the IP address is a legitimate partner's static IP. What should the security team do to allow this IP while still protecting against other malicious traffic?

Question 103hardmultiple choice
Read the full NAT/PAT explanation →

A company runs a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team wants to ensure that only traffic from the ALB reaches the EC2 instances, and that instances cannot initiate outbound connections to the internet. Which combination of security group rules should be implemented? (Select TWO.)

Question 104easymultiple choice
Read the full Infrastructure Security explanation →

A company wants to restrict access to an Amazon S3 bucket so that only users from a specific AWS account can upload objects. Which policy mechanism should be used?

Question 105mediummulti select
Review the full subnetting walkthrough →

A security engineer is designing a VPC with public and private subnets. The VPC will host web servers in public subnets and database servers in private subnets. The web servers need to send traffic to the database servers, and the database servers must not have direct internet access. Which TWO configurations should the engineer implement?

Question 106mediummultiple choice
Read the full Infrastructure Security explanation →

A company is using AWS CloudFormation to deploy infrastructure. The security team wants to ensure that all Amazon S3 buckets created by CloudFormation are encrypted by default. Which approach should be taken?

Question 107hardmultiple choice
Read the full Infrastructure Security explanation →

An organization has a multi-account AWS environment using AWS Organizations. The security team needs to ensure that no Amazon EC2 instances are launched without an IAM instance profile that includes a specific role. Which preventive control should be implemented?

Question 108easymulti select
Read the full NAT/PAT explanation →

A security engineer is configuring a VPC with a public subnet for web servers and a private subnet for databases. The web servers need to download patches from the internet. Which TWO components are required to allow the web servers to access the internet while keeping the database servers isolated?

Question 109mediummultiple choice
Read the full Infrastructure Security explanation →

A company is using AWS CloudTrail to log API calls. The security team needs to ensure that log files are not tampered with and can be used to verify integrity. Which feature should be enabled?

Question 110hardmultiple choice
Review the full subnetting walkthrough →

A company is deploying a multi-tier web application on AWS. The application uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances in private subnets. The security team wants to protect the application from common web exploits like SQL injection and cross-site scripting. Which AWS service should be used?

Question 111mediummulti select
Read the full Infrastructure Security explanation →

A security engineer is tasked with securing an Amazon RDS for MySQL database. The database must be accessible only from a specific set of EC2 instances. Which THREE steps should the engineer take?

Question 112easymultiple choice
Read the full Infrastructure Security explanation →

A company wants to audit all changes to security group rules in their AWS account. Which AWS service should be used to record these changes?

Question 113hardmultiple choice
Read the full Infrastructure Security explanation →

A company is using AWS Organizations to manage multiple accounts. The security team wants to ensure that all accounts have AWS CloudTrail enabled in all regions. Which approach should be used?

Question 114mediummultiple choice
Read the full Infrastructure Security explanation →

A company has an Amazon S3 bucket that stores sensitive data. The security team needs to ensure that all access to the bucket is encrypted in transit. Which condition should be added to the bucket policy?

Question 115mediummultiple choice
Read the full Infrastructure Security explanation →

A security engineer sees the above security group configuration for an EC2 instance. The instance hosts a web application that should only be accessible from the internal network (10.0.0.0/8) over HTTPS, and SSH should not be open to the internet. What is the security issue with this configuration?

Exhibit

Refer to the exhibit.

```
$ aws ec2 describe-security-groups --group-ids sg-12345678
{
    "SecurityGroups": [
        {
            "GroupId": "sg-12345678",
            "IpPermissions": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": 22,
                    "ToPort": 22,
                    "IpRanges": [
                        {
                            "CidrIp": "10.0.0.0/8",
                            "Description": "SSH from internal network"
                        }
                    ]
                },
                {
                    "IpProtocol": "tcp",
                    "FromPort": 443,
                    "ToPort": 443,
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0",
                            "Description": "HTTPS from anywhere"
                        }
                    ]
                }
            ],
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "FromPort": -1,
                    "ToPort": -1,
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ]
                }
            ]
        }
    ]
}
```
Question 116hardmultiple choice
Read the full Infrastructure Security explanation →

A security engineer is reviewing an IAM policy attached to a user. The policy is intended to allow all EC2 actions except deleting volumes in the Production environment. However, the user reports being able to delete volumes that are tagged with Environment=Production. What is the reason for this behavior?

Exhibit

Refer to the exhibit.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "ec2:DeleteVolume",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*",
            "Condition": {
                "StringNotEquals": {
                    "ec2:ResourceTag/Environment": "Production"
                }
            }
        }
    ]
}
```
Question 117easymultiple choice
Read the full Infrastructure Security explanation →

A company wants to restrict access to an S3 bucket so that only traffic from a specific VPC can read objects. Which security mechanism should be used?

Question 118mediummultiple choice
Read the full NAT/PAT explanation →

A security engineer notices that an EC2 instance in a private subnet is able to make outbound connections to the internet. The instance does not have a public IP, and there is no NAT gateway or instance in the VPC. What is the most likely cause?

Question 119hardmultiple choice
Read the full Infrastructure Security explanation →

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets have encryption enabled. Which approach is MOST effective and scalable?

Question 120mediummultiple choice
Read the full Infrastructure Security explanation →

A company hosts a web application on EC2 instances behind an Application Load Balancer. The security team wants to ensure that only traffic from the ALB can reach the EC2 instances. Which configuration should be applied?

Question 121easymultiple choice
Read the full VPN explanation →

A company wants to block SSH access (port 22) to all EC2 instances from the internet, but allow SSH from a specific management VPN IP range (10.0.0.0/16). Which configuration should be used?

Question 122hardmultiple choice
Read the full Infrastructure Security explanation →

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team wants to inspect all traffic between VPCs using a third-party firewall appliance. Which architecture should be used?

Question 123mediummultiple choice
Read the full Infrastructure Security explanation →

A company needs to securely store database credentials used by a Lambda function. The credentials must be automatically rotated. Which service should be used?

Question 124easymultiple choice
Read the full NAT/PAT explanation →

A security engineer is configuring a new VPC with public and private subnets. The application servers in the private subnet need to download patches from the internet. Which component is required?

Question 125hardmultiple choice
Read the full Infrastructure Security explanation →

A company uses AWS CloudFormation to deploy infrastructure. The security team wants to ensure that all CloudFormation stacks include a specific tag "Environment" with a value of "Production" or "Development". Which approach should be used?

Question 126mediummulti select
Read the full Infrastructure Security explanation →

A security engineer is designing a network architecture for a multi-tier application. The web servers must be accessible from the internet, while the application servers must only be accessible from the web servers. Which TWO configurations should be used? (Choose TWO.)

Question 127hardmulti select
Read the full Infrastructure Security explanation →

A company wants to encrypt data at rest for an Amazon RDS for MySQL DB instance. Which THREE options can be used to achieve this? (Choose THREE.)

Question 128mediummulti select
Read the full Infrastructure Security explanation →

A company wants to ensure that all Amazon S3 bucket policies comply with a security baseline that prohibits public read access. Which TWO methods can be used to detect non-compliant buckets? (Choose TWO.)

Question 129mediummultiple choice
Read the full Infrastructure Security explanation →

Refer to the exhibit. A security engineer creates the S3 bucket policy above to allow an IAM role to upload objects only from the corporate network IP range (10.0.0.0/16). However, users report that they can still upload objects from outside the range when assuming the role. What is the most likely cause?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AdminRole"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}
```
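As an added example serving the policy exhibits in Questions 87, 116 and 129 (not from the question bank, and not AWS's evaluation engine), the block below implements just enough IAM logic to work each one through: an explicit Deny that matches wins over everything, and otherwise at least one Allow must match, where within a single account an Allow in either the identity policy or the bucket policy is sufficient. Principal matching is skipped (every request is assumed to come from the principal the policy names), and the identity policy attached to AdminRole in the Question 129 case is a constructed assumption, since the exhibit only shows the bucket side.

```python
import ipaddress
from fnmatch import fnmatchcase


def _matches(pattern, value):
    """IAM-style wildcard match on Action/Resource ('*' and '?')."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_ok(cond, ctx):
    """Every operator/key pair must hold. Simplification: an absent context
    key fails the pair; real IAM adds Null and ...IfExists handling for that."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)
            if actual is None:
                return False
            if op in ("IpAddress", "NotIpAddress"):
                hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c)
                          for c in expected)
                ok = hit if op == "IpAddress" else not hit
            elif op == "Bool":
                ok = str(actual).lower() == str(expected[0]).lower()
            elif op in ("StringEquals", "StringNotEquals"):
                ok = (actual in expected) == (op == "StringEquals")
            else:
                raise ValueError("unsupported operator: " + op)
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Return 'ALLOW', 'EXPLICIT_DENY' or 'IMPLICIT_DENY' for one request."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
                continue
            if not _condition_ok(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "EXPLICIT_DENY"  # a matching Deny ends evaluation
            allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"


# Question 87: the bucket policy from the exhibit.
Q87_BUCKET = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

# Question 116: the identity policy from the exhibit (note StringNotEquals).
Q116_USER = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:DeleteVolume",
     "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*",
     "Condition": {"StringNotEquals": {"ec2:ResourceTag/Environment": "Production"}}},
]}

# Question 129: the bucket policy from the exhibit, an assumed identity policy
# on AdminRole (constructed here), and a Deny statement that actually restricts.
Q129_BUCKET = {"Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/16"}}},
]}
Q129_ROLE_IDENTITY = {"Statement": [  # assumption: the role can already write the bucket
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*"},
]}
Q129_DENY_OUTSIDE = {"Statement": [
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/16"}}},
]}


def question_87(src_ip, https):
    ctx = {"aws:SourceIp": src_ip, "aws:SecureTransport": "true" if https else "false"}
    return evaluate([Q87_BUCKET], "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv", ctx)


def question_116(environment_tag):
    ctx = {"ec2:ResourceTag/Environment": environment_tag}
    return evaluate([Q116_USER], "ec2:DeleteVolume",
                    "arn:aws:ec2:us-east-1:123456789012:volume/vol-0123456789abcdef0", ctx)


def question_129(src_ip, with_deny=False):
    policies = [Q129_ROLE_IDENTITY, Q129_BUCKET] + ([Q129_DENY_OUTSIDE] if with_deny else [])
    return evaluate(policies, "s3:PutObject", "arn:aws:s3:::my-bucket/upload.bin",
                    {"aws:SourceIp": src_ip})


if __name__ == "__main__":
    print("Q87  198.51.100.5 over HTTPS :", question_87("198.51.100.5", True))
    print("Q87  203.0.113.5 over HTTP   :", question_87("203.0.113.5", False))
    print("Q116 Production volume       :", question_116("Production"))
    print("Q116 Development volume      :", question_116("Development"))
    print("Q129 outside, exhibit policy :", question_129("198.51.100.9"))
    print("Q129 outside, with Deny      :", question_129("198.51.100.9", with_deny=True))
```

Three things the run makes visible. A conditional Allow never restricts anything: it only adds a path, so for Question 129 the role's own permissions still let it upload from outside 10.0.0.0/16 until an explicit Deny with NotIpAddress is added. StringNotEquals inverts the intent in Question 116: the Deny fires for every volume that is not tagged Production, so Production volumes remain deletable. And in Question 87 a request from outside the allowed range over HTTPS fails closed by implicit deny, not by the explicit SecureTransport Deny, which matters when reading CloudTrail error details.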
Question 130hardmultiple choice
Read the full Infrastructure Security explanation →

Refer to the exhibit. A security engineer runs the describe-instances command for an EC2 instance. The instance has a public IP address. The security group "allow-ssh-http" has inbound rules that allow SSH from 0.0.0.0/0 and HTTP from 0.0.0.0/0. The engineer wants to block SSH access from the internet while keeping HTTP access. Which change should be made?

Exhibit

Refer to the exhibit.

```
$ aws ec2 describe-instances --instance-ids i-0abcd1234efgh5678
{
    "Reservations": [
        {
            "Groups": [],
            "Instances": [
                {
                    "InstanceId": "i-0abcd1234efgh5678",
                    "ImageId": "ami-0abcdef1234567890",
                    "State": {
                        "Code": 16,
                        "Name": "running"
                    },
                    "PrivateIpAddress": "172.31.0.10",
                    "SecurityGroups": [
                        {
                            "GroupName": "allow-ssh-http",
                            "GroupId": "sg-12345678"
                        }
                    ],
                    "NetworkInterfaces": [
                        {
                            "Association": {
                                "PublicIp": "54.123.45.67"
                            },
                            "Attachment": {
                                "DeviceIndex": 0
```
Question 131hardmultiple choice
Read the full Infrastructure Security explanation →

A company has a multi-account AWS environment using AWS Organizations. The security team needs to ensure that all Amazon S3 buckets across all accounts are encrypted with AWS KMS customer managed keys (CMKs). They have implemented a service control policy (SCP) that denies s3:PutObject unless the request includes the x-amz-server-side-encryption header with value aws:kms. Additionally, they have an SCP that denies s3:CreateBucket unless the bucket is configured with default encryption using KMS. Despite these policies, a developer in the production account reports that they were able to upload a sensitive object to an existing bucket without encryption. The developer used the AWS CLI with the command: aws s3 cp sensitive.txt s3://my-bucket/. The bucket does not have default encryption enabled. The SCPs are attached to the root organizational unit (OU) and are in effect. What is the MOST likely reason the upload succeeded?

Question 132mediummultiple choice
Study the full ACL explanation →

A company is designing a VPC with public and private subnets. The web servers in the public subnets must be accessible from the internet on port 443, but the database servers in the private subnets should only be accessible from the web servers on port 3306. Which combination of security group rules and network ACL rules should be used to meet these requirements with the least administrative overhead?

Question 133hardmultiple choice
Read the full NAT/PAT explanation →

Refer to the exhibit. A security engineer is reviewing this IAM policy attached to a user. The user reports that they are able to stop and start instances, but they cannot terminate instances. However, the engineer notices that there is no explicit deny for termination. Why is the user unable to terminate instances?

Exhibit

Refer to the exhibit.

Exhibit: (IAM policy JSON)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus"
      ],
      "Resource": "*"
    }
  ]
}
Question 134easymultiple choice
Read the full Infrastructure Security explanation →

A company wants to ensure that all data in transit between its EC2 instances and an RDS database is encrypted. The instances and the database are in the same VPC. Which configuration step is necessary to achieve this?

Question 135mediummultiple choice
Read the full NAT/PAT explanation →

A security engineer needs to restrict outbound traffic from a VPC to only allow HTTPS traffic to specific domains (e.g., api.example.com). The VPC has a NAT gateway in a public subnet. What is the most secure way to implement this restriction?

Question 136hardmultiple choice
Read the full Infrastructure Security explanation →

Refer to the exhibit. A security engineer is reviewing this CloudFormation template. What security risk is present in this configuration?

Exhibit

Refer to the exhibit.

Exhibit: (CloudFormation snippet)
Resources:
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-0abcdef1234567890
      SecurityGroups:
        - !Ref MySecurityGroup
  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP and SSH
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 10.0.0.0/8
Question 137easymultiple choice
Read the full Infrastructure Security explanation →

A company has an S3 bucket that contains sensitive data. The security team wants to ensure that all access to the bucket is encrypted in transit. Which policy should be attached to the bucket to enforce this?

Question 138mediummultiple choice
Read the full Infrastructure Security explanation →

A company's security engineer is configuring a web application firewall (WAF) to protect a public-facing Application Load Balancer (ALB). The application is vulnerable to SQL injection attacks. Which AWS WAF rule should be used to mitigate this threat?

Question 139hardmultiple choice
Read the full Infrastructure Security explanation →

Refer to the exhibit. A security engineer runs the command above and sees that the flow log status is ACTIVE. However, the engineer notices that no logs are appearing in the CloudWatch log group. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
$ aws ec2 describe-flow-logs --filter "Name=log-group-name
{
    "FlowLogs": [
        {
            "CreationTime": "2023-01-01T00:00:00Z",
            "FlowLogId": "fl-12345678",
            "FlowLogStatus": "ACTIVE",
            "ResourceId": "eni-12345678",
            "TrafficType": "ALL",
            "LogGroupName": "my-flow-log",
            "DeliverLogsPermissionArn": "arn:aws:iam::123456789012:role/flow-logs-role",
            "LogDestinationType": "cloud-watch-logs"
        }
    ]
}
```
Question 140easymultiple choice
Read the full Infrastructure Security explanation →

A company wants to allow a user to assume a role in another AWS account to access resources. Which AWS service should be used to create and manage the trust relationship between the accounts?

Question 141mediummulti select
Read the full Infrastructure Security explanation →

Which TWO actions should a security engineer take to protect an Amazon EC2 instance from unauthorized access? (Choose two.)

Question 142hardmulti select
Read the full Infrastructure Security explanation →

Which THREE measures can be taken to secure a VPC's network boundary? (Choose three.)

Question 143easymulti select
Read the full Infrastructure Security explanation →

Which TWO AWS services can be used to encrypt data at rest in an Amazon S3 bucket? (Choose two.)

Question 144hardmultiple choice
Study the full ACL explanation →

A company runs a multi-tier web application on AWS. The application uses an Application Load Balancer (ALB) in a public subnet, EC2 instances in private subnets for the web tier, and an RDS MySQL database in a private subnet. The security team has noticed that the EC2 instances are receiving traffic from unexpected IP addresses on port 22 (SSH). The instances were launched with a default security group that allowed SSH from 0.0.0.0/0. The security engineer has corrected the security group to allow SSH only from the company's bastion host security group. However, the engineer also wants to implement defense-in-depth by adding a network ACL to the private subnet to block SSH from all sources except the bastion host's private IP (10.0.1.10). The private subnet's current network ACL allows all inbound and outbound traffic. The engineer creates a new network ACL with the following rules: Inbound: Rule 100: Allow SSH from 10.0.1.10/32; Rule 200: Deny SSH from 0.0.0.0/0; Rule *: Deny all. Outbound: Rule 100: Allow all. After associating this new NACL with the private subnet, the engineer finds that SSH connections from the bastion host are still being blocked. What is the most likely cause?

Question 145mediummultiple choice
Read the full Infrastructure Security explanation →

A company is using AWS CloudTrail to monitor API activity in their account. They have enabled CloudTrail in all regions and are logging to an S3 bucket. The security team wants to ensure that log files are not tampered with after delivery. They enable CloudTrail log file integrity validation. Which additional step must be taken to verify the integrity of the log files?

Question 146easymultiple choice
Read the full Infrastructure Security explanation →

A company has a requirement to block traffic from specific IP addresses known to be malicious. The company has an Application Load Balancer (ALB) that fronts a web application. The security engineer needs to implement a solution that can block these IP addresses at the edge before they reach the ALB. Which AWS service should be used?

Question 147easymulti select
Read the full NAT/PAT explanation →

A company wants to restrict access to an S3 bucket so that only traffic from a specific VPC can download objects. Which combination of actions should the company take? (Choose TWO.)

Question 148mediummultiple choice
Review the full subnetting walkthrough →

A security engineer is designing a multi-tier web application. The application uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances in private subnets. The engineer needs to ensure that the EC2 instances only accept traffic from the ALB and not from any other source. Which security group configuration should the engineer use?

Question 149hardmultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The security engineer has set up a NAT gateway in a public subnet and updated the route tables accordingly. However, instances in the private subnets cannot reach the internet. The engineer checks the security group for the NAT gateway and finds that it allows all outbound traffic. What is the most likely cause of the issue?

Question 150easymultiple choice
Read the full Infrastructure Security explanation →

A company wants to encrypt data at rest in an Amazon RDS for MySQL DB instance. Which AWS service or feature should be used to achieve this?

Question 151mediummultiple choice
Read the full NAT/PAT explanation →

A security engineer is setting up a new VPC with public and private subnets. The VPC has an Internet Gateway attached. The public subnet's route table has a default route (0.0.0.0/0) pointing to the Internet Gateway. The private subnet's route table has a default route pointing to a NAT gateway. The engineer launches an EC2 instance in the private subnet and assigns it a public IP address. However, the instance cannot access the internet. What should the engineer do to resolve this issue?

Question 152hardmultiple choice
Read the full Infrastructure Security explanation →

A company is deploying a web application on EC2 instances behind an Application Load Balancer. The security team requires that all traffic between the ALB and the EC2 instances be encrypted. Which configuration should the engineer implement?

Question 153easymultiple choice
Read the full Infrastructure Security explanation →

A company wants to allow an EC2 instance to access an S3 bucket without exposing the instance to the internet. Which AWS service should be used to achieve this?

Question 154mediummultiple choice
Read the full Infrastructure Security explanation →

A security engineer is reviewing the security group rules for a web server. The security group currently has the following inbound rules: allow HTTP from 0.0.0.0/0, allow HTTPS from 0.0.0.0/0, and allow SSH from 0.0.0.0/0. Which change should the engineer make to improve security?

Question 155hardmultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with a CIDR of 10.0.0.0/16. They have two public subnets (10.0.1.0/24 and 10.0.2.0/24) and two private subnets (10.0.3.0/24 and 10.0.4.0/24). They have an Application Load Balancer in the public subnets and EC2 instances in the private subnets. The EC2 instances need to access the internet for updates. The security engineer has set up a NAT gateway in each public subnet. The route table for the private subnets has a default route pointing to the NAT gateway in the same Availability Zone. However, the EC2 instances are unable to reach the internet. What is the most likely cause?

Question 156easymultiple choice
Read the full Infrastructure Security explanation →

A company is using AWS Systems Manager Session Manager to provide secure shell access to EC2 instances without opening inbound ports. Which of the following is a requirement for this setup?

Question 157mediummulti select
Review the full subnetting walkthrough →

A security engineer is configuring a VPC for a web application. The VPC has public and private subnets. The web servers are in public subnets and the database servers are in private subnets. The engineer wants to ensure that the database servers are not accessible from the internet. Which two actions should the engineer take?

Question 158hardmulti select
Read the full Infrastructure Security explanation →

A security engineer is reviewing the security of an Amazon EKS cluster. The cluster is used to run containerized applications. Which three actions should the engineer take to improve the security of the cluster?


Question 159 (easy, multi select)

A security engineer needs to protect an S3 bucket that contains sensitive data. Which two methods should the engineer use?

Exhibit

Which TWO methods can be used to protect an S3 bucket from unauthorized access?

Question 160 (medium, multi select)

A company is considering using AWS Shield Advanced to protect against DDoS attacks. Which three features are included with AWS Shield Advanced? (Choose THREE.)

Exhibit

Which THREE components are part of AWS Shield Advanced?

Question 161 (hard, multiple choice)

A company runs a critical application on EC2 instances in an Auto Scaling group across multiple Availability Zones. The application uses an Application Load Balancer (ALB) to distribute traffic. The security team has implemented a security group for the ALB that allows inbound HTTPS from 0.0.0.0/0 and a security group for the EC2 instances that allows inbound HTTP from the ALB's security group. Recently, the company experienced a security incident where an attacker exploited a vulnerability in the application to gain access to an EC2 instance and then moved laterally to the database. The database is in a private subnet and uses a security group that allows inbound traffic from the EC2 instance security group on port 3306 (MySQL). The security team wants to prevent lateral movement in the future. Which of the following is the MOST effective course of action?

Question 162 (medium, multiple choice)

A company is migrating its on-premises data center to AWS. The company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect its on-premises network (192.168.0.0/16) to the VPC using an AWS Site-to-Site VPN. The security engineer has configured the virtual private gateway (VGW) and the customer gateway (CGW) with the correct settings. The VPN tunnel status is UP, but the on-premises servers cannot ping the EC2 instances in the VPC. The EC2 instances have security groups that allow ICMP traffic from the on-premises network. The VPC route table has a route for the on-premises network pointing to the VGW. What is the most likely cause of the issue?

Question 163 (hard, multiple choice)

A company uses AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets in the organization are encrypted with server-side encryption (SSE-S3) and that no public access is allowed. The team has created an SCP that denies the s3:PutBucketPublicAccessBlock action and also denies s3:PutBucketPolicy if the policy would grant public access. However, the team discovers that some buckets in the production account still have public access enabled. The SCP is applied to the root OU, which includes the production account. What is the most likely reason that the SCP is not being enforced?

Question 164 (medium, multiple choice)

A company has a web application running on EC2 instances behind an Application Load Balancer (ALB). The application uses a custom header X-Auth-Token to authenticate requests. The security team wants to use AWS WAF to block requests that do not contain this header or contain an invalid token. The WAF is associated with the ALB. The team creates a rule with a match condition that checks for the presence of the X-Auth-Token header and a regex pattern for the token value. However, the rule is not blocking any requests. What is the most likely cause?

Question 165 (hard, multiple choice)

A company has a VPC with a public subnet and a private subnet. The public subnet contains a NAT gateway and a bastion host. The private subnet contains a web server that needs to be patched via the internet. The security engineer has configured the route tables: the public subnet route table has a default route to the Internet Gateway, and the private subnet route table has a default route to the NAT gateway. The web server can successfully initiate outbound connections to the internet to download patches. However, the security team notices that the web server is also receiving inbound connections from the internet on port 80. The web server's security group allows inbound HTTP from 0.0.0.0/0. What should the engineer do to prevent inbound internet traffic while still allowing outbound patching?

Question 166 (easy, multiple choice)

A company wants to ensure that all traffic to an Amazon S3 bucket is encrypted in transit. Which bucket policy condition should be used?

Question 167 (medium, multi select)

A security engineer is designing a VPC with private and public subnets. Which TWO actions improve network security? (Choose two.)

Question 168 (hard, multi select)

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to allow only HTTP and HTTPS traffic from the internet to the ALB, and only HTTP traffic from the ALB to the EC2 instances. Which THREE security group configurations are required? (Choose three.)

Question 169 (hard, multiple choice)

A company has the S3 bucket policy shown in the exhibit. The bucket contains sensitive data that should only be accessible from within the corporate network (10.0.0.0/16). However, users inside the corporate network report that they cannot access objects in the bucket. What is the most likely cause?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}

Question 170 (medium, multiple choice)

A company has a multi-tier web application hosted on AWS. The application consists of an Application Load Balancer (ALB), a fleet of EC2 instances in an Auto Scaling group, and an Amazon RDS MySQL database. The security team has implemented security groups and network ACLs. Recently, a vulnerability scan revealed that the RDS database is accessible from the internet. The security engineer investigates and finds that the database security group allows inbound traffic on port 3306 from 0.0.0.0/0. The engineer also checks the network ACLs and finds that inbound rules allow traffic on port 3306 from 0.0.0.0/0, and outbound rules allow all traffic. The database is in a private subnet. Which combination of steps should the engineer take to remediate the issue while maintaining application functionality?

Question 171 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team needs to enforce that all Amazon S3 buckets across the organization are configured to block public access. Which solution should be used to centrally enforce this requirement?

Question 172 (hard, multiple choice)

A company runs a web application on Amazon EC2 behind an Application Load Balancer (ALB). The security team wants to allow only traffic from the ALB to reach the EC2 instances. Which security group configuration should be used?

Question 173 (easy, multiple choice)

A security engineer needs to ensure that an Amazon RDS database instance is not accessible from the internet. Which configuration step will achieve this?

Question 174 (medium, multiple choice)

A company uses AWS CloudFormation to deploy infrastructure. A security requirement states that no security group should allow inbound SSH access from 0.0.0.0/0. What is the best way to enforce this policy?

Question 175 (hard, multiple choice)

A company has a VPC with public and private subnets. The private subnets host Amazon RDS instances. To allow the RDS instances to access the internet for software updates without exposing them to inbound internet traffic, what should be configured?

Question 176 (easy, multiple choice)

A company wants to encrypt data at rest for an Amazon S3 bucket. Which action should be taken?

Question 177 (medium, multiple choice)

A security engineer is designing a network architecture for a three-tier web application. The web tier must be accessible from the internet, but the application and database tiers must not. Which VPC configuration should be used?

Question 178 (hard, multiple choice)

A company uses AWS Key Management Service (KMS) to encrypt data at rest. The security team needs to ensure that only specific IAM roles can use a particular KMS key to encrypt and decrypt data. What is the most secure way to achieve this?

Question 179 (easy, multiple choice)

A company wants to protect its Amazon EC2 instances from distributed denial-of-service (DDoS) attacks at the network layer. Which AWS service should be used?

Question 180 (medium, multi select)

A security engineer is configuring a VPC for a new application. Which TWO actions will improve network security? (Choose two.)

Question 181 (hard, multi select)

A company needs to enforce that all Amazon S3 buckets are encrypted at rest. Which TWO actions should be taken? (Choose two.)

Question 182 (medium, multi select)

A security engineer is designing a secure VPC architecture. Which THREE components should be used to implement defense in depth? (Choose three.)

Question 183 (medium, multiple choice)

A company wants to restrict access to an S3 bucket so that only traffic from a specific VPC can read objects. The VPC has a VPC endpoint for S3 configured. Which policy should be attached to the bucket?

Question 184 (hard, multiple choice)

A Security Engineer is designing a network architecture for a multi-tier application. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier, and the database tier only from the application tier. All tiers are in the same VPC. Which configuration meets these requirements with minimal administrative overhead?

Question 185 (easy, multiple choice)

A company wants to encrypt data at rest in an Amazon S3 bucket. Which AWS service can centrally manage the encryption keys?

Question 186 (medium, multiple choice)

A company is using an Application Load Balancer (ALB) to distribute traffic to EC2 instances in a VPC. The Security Engineer notices that the ALB health checks are failing. Which configuration change should the Engineer make to resolve the issue?

Question 187 (easy, multiple choice)

A company has an AWS Direct Connect connection to its on-premises data center. The company wants to ensure that all traffic between the data center and AWS is encrypted. Which solution meets this requirement?

Question 188 (medium, multiple choice)

An application running on EC2 instances needs to access an S3 bucket. The Security Engineer wants to ensure that the EC2 instances do not have access keys and that the access is restricted to only the required bucket. What is the most secure way to provide this access?

Question 189 (hard, multiple choice)

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The Security Engineer needs to ensure that traffic between VPCs is inspected by a central network appliance. Which architecture should the Engineer implement?

Question 190 (easy, multiple choice)

A Security Engineer needs to block SSH traffic (port 22) from the internet to all EC2 instances in a VPC. Which approach is the most secure and scalable?

Question 191 (medium, multiple choice)

A company is using AWS WAF to protect a web application behind an Application Load Balancer. The Security Engineer wants to block requests that contain SQL injection attacks. Which action should the Engineer take?

Question 192 (medium, multi select)

A Security Engineer is configuring a VPC with a public subnet for a web server and a private subnet for a database. The web server needs to download patches from the internet. Which TWO actions should the Engineer take to allow the web server internet access without exposing the database to the internet?

Question 193 (hard, multi select)

A company wants to enforce encryption in transit for all traffic between its VPC and on-premises data center over AWS Direct Connect. Which TWO configurations can achieve this?

Question 194 (easy, multi select)

A Security Engineer is designing a secure VPC architecture. Which THREE components are essential for creating a public subnet that can host a web server accessible from the internet?

Question 195 (medium, multiple choice)

A company is using Amazon EC2 instances in a VPC with a security group that allows inbound SSH from 0.0.0.0/0. A security engineer needs to restrict SSH access to only the company's public IP range (203.0.113.0/24) while maintaining all other existing rules. What is the MOST efficient way to accomplish this?

Question 196 (easy, multiple choice)

A company wants to ensure that all traffic to and from an Amazon RDS instance is encrypted in transit. Which solution should the security engineer implement?

Question 197 (hard, multiple choice)

A security engineer is designing a multi-tier web application on AWS. The web tier must be accessible from the internet, but the application tier should be accessible only from the web tier. The database tier should be accessible only from the application tier. Which combination of security groups provides the MOST secure configuration?

Question 198 (medium, multiple choice)

A company has multiple AWS accounts and wants to centralize VPC flow log analysis. Flow logs are enabled for all VPCs and are published to Amazon S3 buckets in each account. A security engineer needs to aggregate these logs into a single S3 bucket in the centralized logging account. What should the security engineer do?

Question 199 (hard, multiple choice)

A security engineer is configuring a VPC for a highly sensitive application. The VPC must not have a route to the internet, but the application needs to periodically download security patches from a specific domain (patches.example.com). Which solution meets these requirements with minimal operational overhead?

Question 200 (easy, multiple choice)

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no resources can be created in a specific AWS Region except for the us-east-1 Region. Which policy type should the security team use?

Question 201 (medium, multiple choice)

A security engineer notices that an Amazon EC2 instance is sending suspicious outbound traffic to an unknown IP address. The instance is part of an Auto Scaling group. The engineer needs to immediately stop the traffic without affecting the availability of the application. What should the engineer do?

Question 202 (hard, multiple choice)

A company is designing a shared services VPC architecture with multiple VPCs connected via a transit gateway. The security engineer needs to ensure that all traffic between VPCs is inspected by a centralized firewall appliance deployed in the shared services VPC. What configuration is required?

Question 203 (easy, multiple choice)

A company wants to provide temporary, limited-privilege credentials to users so they can access AWS resources from mobile applications. Which AWS service should the company use?

Question 204 (medium, multiple choice)

A security engineer needs to ensure that all Amazon S3 buckets in an AWS account have server-side encryption (SSE) enabled. The engineer wants to automatically remediate any bucket that is created without SSE. Which solution should the engineer implement?

Question 205 (medium, multi select)

A company is deploying a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security engineer needs to protect the application from common web exploits such as SQL injection and cross-site scripting. Which TWO services can be used together to achieve this? (Choose TWO.)

Question 206 (hard, multi select)

A security engineer is designing a network architecture in AWS. The engineer needs to ensure that all outbound traffic from a VPC goes through a centrally managed NAT device for logging and filtering. The VPC has multiple private subnets. Which TWO steps are required to accomplish this? (Choose TWO.)

Question 207 (easy, multi select)

A company wants to use AWS CloudTrail to log all API calls in an AWS account. The security engineer needs to ensure that the logs are encrypted at rest and are accessible only to authorized personnel. Which THREE steps should the engineer take? (Choose THREE.)

Question 208 (medium, multi select)

A security engineer is investigating a potential security incident in an AWS account. The engineer needs to determine which user or role performed a specific API call that created a new security group. Which THREE AWS tools can the engineer use to find this information? (Choose THREE.)

Question 209 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all new member accounts automatically deny public access to S3 buckets. Which policy should be attached to the root organizational unit?

Question 210 (hard, multiple choice)

A security engineer is investigating a potential breach. The engineer notices that an EC2 instance's security group allows inbound SSH (port 22) from 0.0.0.0/0. The instance is in a public subnet and has a public IP address. However, the engineer finds that SSH access is only possible from a specific IP address. What is the most likely explanation?

Question 211 (easy, multiple choice)

A company wants to host a static website in an Amazon S3 bucket. The bucket must be private and accessible only through an Amazon CloudFront distribution. Which configuration ensures that CloudFront can access the S3 bucket while blocking direct access via S3 URL?

Question 212 (medium, multiple choice)

A company uses AWS Systems Manager Session Manager to manage EC2 instances. The security team wants to ensure that all SSH sessions are logged and that commands are recorded. What should be configured?

Question 213 (hard, multiple choice)

A company is designing a VPC with public and private subnets. The application servers in the private subnets need to download patches from the internet. Which architecture provides the highest security while allowing internet access?

Question 214 (easy, multiple choice)

A security engineer needs to ensure that an EC2 instance can only be accessed using SSH key pairs, not passwords. Which configuration is required?

Question 215 (medium, multiple choice)

A company uses AWS WAF to protect a web application. The security team wants to block requests that contain SQL injection patterns. Which WAF rule type should be used?

Question 216 (hard, multiple choice)

A company wants to allow cross-account access to an S3 bucket. The bucket owner (Account A) wants to grant read-only access to users in Account B. Which combination of policies is required?

Question 217 (easy, multiple choice)

A security engineer needs to audit all changes to AWS resources in an account. Which AWS service should be enabled?

Question 218 (medium, multi select)

A company is designing a VPC with multiple subnets. The security team wants to ensure that traffic between the application tier and database tier is encrypted in transit. Which TWO actions should be taken?

Question 219 (hard, multi select)

A security engineer is configuring an AWS WAF web ACL for an Application Load Balancer. The engineer wants to block requests that contain cross-site scripting (XSS) and also limit the rate of requests from a single IP. Which THREE rule groups should be added?

Question 220 (medium, multi select)

A company uses AWS CloudFormation to deploy infrastructure. The security team wants to ensure that all S3 buckets created by CloudFormation have encryption enabled by default. Which TWO approaches can achieve this?

Question 221 (hard, multiple choice)

A security engineer reviews the above IAM policy attached to an IAM user. The user reports that they cannot download objects from the S3 bucket 'example-bucket' when connected from the office network (IP range 10.0.0.0/16). What is the most likely cause?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}

Question 222 (medium, multiple choice)

A security engineer runs the above AWS CLI command. The engineer notices that the security group has no outbound rules. What is the implication of this configuration?

Exhibit

Refer to the exhibit.

[ec2-user@ip-10-0-1-5 ~]$ aws ec2 describe-security-groups --group-ids sg-12345678
{
    "SecurityGroups": [
        {
            "GroupId": "sg-12345678",
            "GroupName": "web-sg",
            "VpcId": "vpc-12345678",
            "IpPermissions": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": 80,
                    "ToPort": 80,
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ]
                }
            ],
            "IpPermissionsEgress": []
        }
    ]
}

Question 223 (easy, multiple choice)

A company configures a Route 53 alias record to point to a CloudFront distribution. The security team wants to ensure that users can only access the website via CloudFront and not directly via the S3 bucket origin. What additional configuration is needed?

Exhibit

Refer to the exhibit.

Resource Record Set:
Name: www.example.com.
Type: A
Alias: Yes
Alias Target: d1234.cloudfront.net.

Question 224 (medium, multiple choice)

A company is designing a VPC with public and private subnets in two Availability Zones. They need to ensure that instances in the private subnets can access the internet for software updates but cannot be directly accessed from the internet. Which AWS service or feature should be used to meet this requirement?

Question 225 (hard, multiple choice)

A security engineer is troubleshooting connectivity issues from an EC2 instance in a private subnet to an S3 bucket. The instance has a security group allowing outbound HTTPS (443) to 0.0.0.0/0, and the subnet's network ACL allows outbound HTTPS to 0.0.0.0/0. However, requests to S3 are timing out. Which additional configuration is most likely required?

Question 226 (easy, multiple choice)

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. Which policy should be used?

Question 227 (medium, multiple choice)

A security engineer is designing a web application that will run on EC2 instances behind an Application Load Balancer (ALB). The application must be protected from common web exploits like SQL injection and cross-site scripting. Which AWS service should be used to provide this protection?

Question 228 (hard, multiple choice)

A company has a multi-account AWS environment using AWS Organizations. The security team needs to enforce that all new S3 buckets created in any account in the organization are encrypted with a specific KMS key. Which approach should be used?

Question 229 (easy, multiple choice)

A company wants to allow an EC2 instance to access a DynamoDB table without traversing the internet. Which AWS feature should be used?

Question 230 (medium, multiple choice)

A company has a requirement to log all network traffic flowing through a VPC, including traffic between EC2 instances within the same subnet. Which AWS service should be used?

Question 231 (easy, multiple choice)

A security engineer is configuring a security group for a web server that should only accept HTTPS traffic from the internet. Which inbound rule should be set?

Question 232 (hard, multiple choice)

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The security team wants to encrypt all traffic between on-premises and the VPC. Which solution should be used?

Question 233 (medium, multi select)

Which TWO actions can be taken to protect an S3 bucket from accidental public access? (Choose 2.)

Question 234 (hard, multi select)

Which THREE components are required to set up a client VPN for remote access to a VPC? (Choose 3.)

Question 235 (easy, multi select)

Which TWO AWS services are designed to provide DDoS protection? (Choose 2.)

Question 236 (medium, multiple choice)

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Site-to-Site VPN. Security engineers need to ensure that traffic between VPCs is inspected by a third-party firewall appliance deployed in a centralized inspection VPC. Which architecture should be used?

Question 237 (hard, multiple choice)

A security engineer is reviewing AWS CloudTrail logs and notices repeated `UnauthorizedOperation` errors for `ec2:RunInstances` from a specific IAM user. The user has a policy that allows `ec2:RunInstances` with a condition `aws:RequestedRegion` set to `us-east-1`. The engineer confirms the user is launching instances in `us-east-1`. What is the most likely cause of the error?

Question 238 (easy, multiple choice)

A company is designing a security group for a web application that must receive HTTPS traffic from the internet and send traffic to a backend database. The backend database is an Amazon RDS MySQL instance. What is the best practice for configuring the security groups?

Question 239 (easy, multiple choice)

A company wants to allow its developers to SSH into EC2 instances only from the corporate network IP range (203.0.113.0/24). Which configuration should be used to enforce this restriction?

Question 240 (medium, multiple choice)

A security team needs to audit all changes to security group rules across multiple AWS accounts in an organization. Which combination of services should be used to meet this requirement?

Question 241 (hard, multiple choice)

An organization has a VPC with public and private subnets. A NAT Gateway is deployed in a public subnet to allow instances in private subnets to access the internet. The security team notices that instances in a private subnet can reach the internet, but cannot initiate connections to an on-premises network connected via AWS Direct Connect. The on-premises network advertises a specific route. What is the most likely cause?

Question 242 (easy, multiple choice)

A company wants to ensure that all data transmitted between its EC2 instances and an Application Load Balancer (ALB) is encrypted. Which configuration should be applied?

Question 243 (medium, multiple choice)

A security engineer is tasked with implementing network segmentation for a multi-tier application. The web tier must be accessible from the internet, but the application tier must only be accessible from the web tier. The database tier must only be accessible from the application tier. All tiers are in the same VPC. Which design meets these requirements?

Question 244 (hard, multiple choice)

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The company wants to minimize costs and avoid NAT Gateway or NAT Instance charges. Which solution should be used?

Question 245 (medium, multi select)

Which TWO actions can be taken to improve the security of an Amazon RDS for MySQL database instance? (Choose TWO.)

Question 246 (hard, multi select)

Which THREE are benefits of using AWS Systems Manager Session Manager to connect to EC2 instances? (Choose THREE.)

Question 247 (easy, multi select)

Which TWO are valid methods to secure data at rest in Amazon S3? (Choose TWO.)

Question 248 (medium, multiple choice)

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC Endpoint are allowed. Which policy element should be used in the bucket policy?

Question 249 (hard, multiple choice)

A security engineer is designing a network architecture for a three-tier web application. The web tier must be accessible from the internet, the application tier should only be accessible from the web tier, and the database tier should only be accessible from the application tier. Which combination of security groups should be used?

Question 250 (easy, multiple choice)

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. Which AWS service should be used to allow this without assigning a public IP address to the instance?

Question 251 (medium, multiple choice)

A security team notices that an S3 bucket containing sensitive data is publicly accessible. The bucket policy is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}

Which step should be taken to secure the bucket while maintaining access for authorized users?

Question 252 (hard, multiple choice)

A company is designing a hybrid cloud architecture with an AWS Direct Connect connection. The company wants to ensure that traffic to and from the VPC goes through the Direct Connect connection and not over the internet. Which configuration should be used?

Question 253 (easy, multiple choice)

A company wants to block traffic from a specific IP address range from accessing an Application Load Balancer (ALB). Which AWS feature should be used?

Question 254 (medium, multiple choice)

A company is running a critical application on EC2 instances behind an Application Load Balancer. The security team wants to ensure that only traffic from the ALB reaches the EC2 instances. How can this be achieved?

Question 255 (hard, multiple choice)

A company has a VPC with multiple subnets. An EC2 instance in a private subnet needs to access an S3 bucket. Which configuration provides the most secure and efficient access?

Question 256 (easy, multiple choice)

A company wants to ensure that all data sent to an S3 bucket is encrypted in transit. Which policy statement should be added to the bucket policy?

Question 257 (medium, multi-select)

A security engineer is configuring a VPC with public and private subnets. The engineer wants to ensure that the private subnet instances cannot initiate outbound connections to the internet but can receive responses from the internet if initiated from within the VPC. Which TWO configurations should be used?

Question 258 (hard, multi-select)

A company wants to restrict access to an RDS database to only EC2 instances that have a specific tag 'Environment: Production'. Which TWO steps should be taken?

Question 259 (medium, multi-select)

A company is using AWS CloudFormation to deploy infrastructure. The security team wants to ensure that all S3 buckets created by CloudFormation are encrypted at rest. Which THREE configuration steps should be taken?

Question 260 (medium, multiple choice)

A company uses AWS CloudFormation to deploy infrastructure. The security team requires that all security groups restrict SSH access to only the company's VPN public IP address range (203.0.113.0/24). A developer creates a stack that includes a security group with SSH open to 0.0.0.0/0. The stack deploys successfully. Which action should the security team take to prevent this in the future?

Question 261 (hard, multi-select)

A company has a VPC with public and private subnets. The private subnets contain Amazon RDS instances. The security team wants to ensure that the RDS instances are not accessible from the internet. Which combination of controls should the security team implement? (Choose TWO.)

Question 262 (hard, multiple choice)

Refer to the exhibit. A security engineer is reviewing VPC Flow Logs and sees the above entry. The engineer notices that traffic from IP 203.0.113.10 to an instance in the VPC on port 443 is being accepted. The security group for the instance only allows inbound HTTPS from the VPC CIDR (10.0.0.0/16). What is the most likely reason the traffic is accepted?

Exhibit

VPC Flow Logs entry:
2 123456789010 eni-12345678 203.0.113.10 10.0.1.5 443 443 6 10 500 1620000000 1620000060 ACCEPT OK

Question 263 (easy, multiple choice)

A company is designing a new AWS account structure using AWS Organizations. The security team wants to restrict the use of specific AWS services across all member accounts. Which feature should they use?

Question 264 (medium, multiple choice)

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team wants to protect the application from common web exploits such as SQL injection and cross-site scripting. Which AWS service should they use?

Question 265 (hard, multiple choice)

A company has a VPC with a public subnet and a private subnet. An Amazon RDS instance is in the private subnet, and an application server is in the public subnet. The security team needs to allow the application server to connect to the RDS instance on port 3306 (MySQL). Which configuration will meet this requirement securely?

Question 266 (easy, multiple choice)

A company is using AWS CloudTrail to log API calls. The security team wants to ensure that log files are not modified after they are created. Which feature should they enable?

Question 267 (medium, multiple choice)

A company has a multi-account AWS environment using AWS Organizations. The security team wants to centrally manage VPC security group rules across all accounts. Which AWS service should they use?

Question 268 (hard, multiple choice)

Refer to the exhibit. A security engineer applies this S3 bucket policy to an S3 bucket. The bucket contains sensitive data. What is the effect of this policy?

Exhibit

S3 bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Question 269 (medium, multiple choice)

A company wants to launch an Amazon EC2 instance that must be accessible via SSH from the company's corporate network (IP range 198.51.100.0/24). The instance should not be accessible from the internet. Which network configuration should the security engineer recommend?

Question 270 (easy, multiple choice)

A company uses Amazon S3 to store sensitive data. The security team wants to ensure that all objects are encrypted at rest. Which feature should they enable on the S3 bucket?

Question 271 (medium, multiple choice)

Refer to the exhibit. A security engineer runs the above command and sees the security group configuration. Based on the output, which statement is correct?

Network Topology

$ aws ec2 describe-security-groups --group-ids sg-12345678
{
  "SecurityGroups": [
    {
      "GroupId": "sg-12345678",
      "GroupName": "web-sg",
      "Description": "Web server security group",
      "VpcId": "vpc-12345678",
      "IpPermissions": [
        {
          "IpProtocol": "tcp",
          "FromPort": 80,
          "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]
        },
        {
          "IpProtocol": "tcp",
          "FromPort": 22,
          "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}]
        }
      ],
      "IpPermissionsEgress": [
        {
          "IpProtocol": "-1",
          ...

Question 272 (medium, multiple choice)

A company has an AWS Direct Connect connection to its on-premises data center. The security team wants to ensure that traffic between the VPC and the data center is encrypted. Which solution should they use?

Question 273 (hard, multiple choice)

Refer to the exhibit. A security engineer reviews this CloudFormation template snippet. What is the security concern with this configuration?

Exhibit

CloudFormation template snippet:
Resources:
  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-12345678
      InstanceType: t2.micro
      SecurityGroups:
        - !Ref MySecurityGroup
  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow SSH
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0

Question 274 (easy, multiple choice)

A company wants to provide temporary security credentials to users accessing AWS resources from a mobile app. Which AWS service should they use?

Question 275 (medium, multiple choice)

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. Which policy element should be used in the S3 bucket policy?

Question 276 (hard, multiple choice)

A security engineer notices that an EC2 instance in a private subnet can reach the internet, even though there is no NAT gateway or instance in the route table. What is the most likely cause?

Question 277 (easy, multiple choice)

Which AWS service can be used to create a private network connection between a VPC and an on-premises data center over dedicated physical lines?

Question 278 (medium, multiple choice)

A company has a security group that allows inbound SSH from 0.0.0.0/0. The security team wants to restrict access to only the company's public IP range 203.0.113.0/24. What change should be made?

Question 279 (hard, multiple choice)

A security engineer needs to ensure that all data in transit between an Application Load Balancer (ALB) and EC2 instances is encrypted. What configuration is required?

Question 280 (medium, multiple choice)

A company wants to store audit logs for a minimum of 7 years to meet compliance requirements. The logs are stored in Amazon S3. Which action should be taken to ensure logs are not deleted before 7 years?

Question 281 (easy, multiple choice)

Which AWS service can be used to centrally manage VPC security groups and network ACLs across multiple accounts in AWS Organizations?

Question 282 (hard, multi-select)

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to download patches from the internet. Which combination of components provides a highly available, managed solution? (Select TWO.)

Question 283 (medium, multiple choice)

A security engineer is designing a network architecture for a web application that must be highly available and secure. The application uses an Application Load Balancer (ALB) in front of EC2 instances. Which architecture meets these requirements?

Question 284 (easy, multiple choice)

Which of the following is a best practice for securing an AWS account root user?

Question 285 (medium, multiple choice)

A company is using AWS CloudFormation to deploy infrastructure. Which method ensures that sensitive data, such as database passwords, is not exposed in the template or outputs?

Question 286 (hard, multiple choice)

A company has a VPC with a public subnet and a private subnet. They launch an EC2 instance in the private subnet with a default security group that allows all outbound traffic. The instance needs to download files from an S3 bucket in the same region. Which configuration allows this without internet access?

Question 287 (hard, multiple choice)

A company is deploying a multi-tier web application across multiple Availability Zones. The application includes a web tier, application tier, and database tier. The security team requires that the web tier can communicate with the application tier only on port 8080, and the application tier can communicate with the database tier only on port 3306. Which security group configuration should be used?

Question 288 (medium, multi-select)

A company is designing a network architecture for a critical application that must be highly available and secure. Which TWO actions should be taken to ensure high availability of the network infrastructure?

Question 289 (hard, multi-select)

A security engineer needs to enable VPC Flow Logs to capture traffic metadata. Which THREE components are required to create a VPC Flow Log?

Question 290 (easy, multi-select)

Which TWO actions can help protect against DDoS attacks at the network layer?

Question 291 (hard, multiple choice)

A company is running a critical web application on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The application serves traffic on port 443. The security team has implemented a security group for the ALB that allows inbound HTTPS from 0.0.0.0/0. The EC2 instances are in a private subnet with a security group that allows inbound traffic from the ALB security group on port 8080. The application works correctly. However, the security team wants to add an additional layer of defense by implementing a web application firewall (WAF) to block common web exploits. The team also wants to ensure that only traffic from the company's corporate IP range (203.0.113.0/24) can access the application for administrative purposes on a separate path. The team has enabled AWS WAF on the ALB and associated a web ACL. They have also created a rule to allow traffic from the corporate IP range and block all other traffic. After deploying these changes, external users (not from corporate IP) cannot access the application at all. The company wants external users to be able to access the main application, but only corporate IPs should access the admin path. What should the security engineer do to fix the issue?

Question 292 (medium, multiple choice)

A company is designing a VPC for a three-tier web application that must be accessible from the internet only via HTTPS. The web servers must be able to initiate outbound connections to the internet for software updates, but the database servers must have no direct internet access. Which architecture meets these requirements?

Question 293 (hard, multiple choice)

A security engineer is reviewing the following IAM policy attached to an S3 bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}

The bucket contains sensitive data and should only be accessible from the corporate network (CIDR 10.0.0.0/8). However, the engineer is concerned that this policy might not be effective. What is the primary security concern with this policy?

Question 294 (easy, multi-select)

A company uses AWS Systems Manager Session Manager to provide SSH access to EC2 instances without needing to open inbound ports. The security team wants to ensure that all session activity is logged and that only authorized users can start sessions. Which combination of actions should be taken? (Choose TWO.)

Question 295 (medium, multiple choice)

A security engineer is configuring a Network ACL for a public subnet that hosts a web server. The web server must accept HTTPS (TCP 443) traffic from the internet and respond. It must also be able to initiate outbound connections to the internet for software updates (HTTPS). What is the MINIMUM set of rules required for the inbound and outbound Network ACL?

Question 296 (hard, multiple choice)

A company uses AWS PrivateLink to connect to a SaaS provider's VPC endpoint service. The security team wants to ensure that traffic between the company's VPC and the SaaS provider's VPC is encrypted in transit and that no other AWS service can access the data. Which configuration meets these requirements?

Question 297 (easy, multiple choice)

A company has a security group rule that allows inbound traffic from 0.0.0.0/0 on port 22. The security engineer wants to restrict SSH access to only the company's public IP range (203.0.113.0/24). What is the correct way to update the security group rule?

Question 298 (medium, multiple choice)

A company uses an AWS Network Firewall to inspect traffic between subnets in a VPC. The security team wants to ensure that all traffic from the web tier to the database tier passes through the firewall. The web servers are in subnet A, and the database servers are in subnet B. What routing configuration is required?

Question 299 (hard, multiple choice)

A company has a VPC with multiple subnets and uses VPC Flow Logs to capture network traffic. The security team notices that some expected traffic is not appearing in the logs. What is a likely cause?

Question 300 (medium, multiple choice)

A company wants to provide its developers with IAM roles that allow them to launch EC2 instances with specific security groups. The security team wants to ensure that developers cannot launch instances without a security group. How can this be enforced?

Question 301 (easy, multiple choice)

A company has an Amazon RDS for MySQL database in a private subnet. The security team wants to ensure that only an application server in the same VPC can connect to the database. Which security group configuration should be used?

Question 302 (hard, multiple choice)

A company uses AWS Shield Advanced to protect its web application from DDoS attacks. The security team wants to receive real-time notifications when a DDoS attack is detected. Which configuration should be used?

Question 303 (medium, multi-select)

A company has an S3 bucket that stores sensitive data. The security team wants to ensure that all objects in the bucket are encrypted at rest. Which combination of actions should be taken? (Choose TWO.)

Question 304 (easy, multiple choice)

A company uses Amazon CloudFront to distribute content from an S3 bucket. The security team wants to ensure that only CloudFront can access the S3 bucket. Which configuration should be used?

Question 305 (medium, multiple choice)

A company has an EC2 instance that needs to access an S3 bucket. The security team wants to use the principle of least privilege. Which method should be used to grant access?

Question 306 (hard, multiple choice)

A company uses AWS WAF to protect its web application from common web exploits. The security team wants to block requests that contain SQL injection or cross-site scripting (XSS) in the query string. Which rule type should be used?

Question 307 (medium, multiple choice)

A company wants to restrict access to an S3 bucket so that only objects uploaded with server-side encryption using AWS KMS are allowed. The bucket policy uses the 's3:x-amz-server-side-encryption' condition key. However, users can still upload unencrypted objects. What is the most likely reason?

Question 308 (easy, multiple choice)

A security engineer needs to ensure that all traffic to an EC2 instance in a VPC is inspected by a network firewall appliance. The firewall is deployed in a separate subnet. What is the MOST secure and scalable way to route traffic through the firewall?

Question 309 (hard, multiple choice)

A company uses AWS Shield Advanced to protect its web application against DDoS attacks. The application is behind an Application Load Balancer (ALB) with a web application firewall (AWS WAF) in front. The security team notices that some requests are being blocked by AWS WAF, but the source IP addresses are legitimate customers. What step should the team take to minimize false positives?

Question 310 (medium, multiple choice)

A company wants to securely store secrets used by an application running on EC2 instances. The secrets include database credentials and API keys. What is the MOST secure and manageable approach?

Question 311 (easy, multiple choice)

A security engineer is configuring a VPC with public and private subnets. The engineer needs to allow instances in the private subnet to download software updates from the internet. Which component should be added to the VPC?

Question 312 (hard, multiple choice)

A company runs a containerized application on Amazon ECS with Fargate. The security team wants to ensure that the containers can only communicate with specific external APIs and not with other containers in the same task. Which security control should be applied?

Question 313 (medium, multi-select)

A company wants to automate security assessments of its AWS environment. Which TWO AWS services can be used to perform vulnerability scanning and compliance checks?

Question 314 (hard, multi-select)

A security engineer is designing a multi-account strategy using AWS Organizations. The engineer needs to centrally manage network security across all accounts. Which TWO AWS services are most appropriate for this task?

Question 315 (medium, multi-select)

A company wants to restrict access to an S3 bucket so that only objects with specific tags can be accessed by a certain IAM role. Which THREE steps are required to implement this?

Question 316 (hard, multiple choice)

A healthcare company runs a HIPAA-compliant application on AWS. The application consists of an Application Load Balancer (ALB) in front of a fleet of EC2 instances behind an Auto Scaling group. The EC2 instances store sensitive patient data in an S3 bucket encrypted with SSE-KMS. The security team recently enabled AWS CloudTrail and Amazon GuardDuty. During a routine audit, they notice that an EC2 instance is making repeated API calls to the S3 bucket from an IP address outside the corporate network. The security team suspects the instance is compromised. What is the MOST effective immediate step to contain the potential breach while maintaining availability of the application?

Question 317 (medium, multiple choice)

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The company has a VPC with public and private subnets. The security team wants to ensure that all traffic between on-premises and the VPC goes through a set of security appliances (firewalls) deployed in the VPC. The appliances are in separate subnets. Currently, traffic is routed directly via the virtual private gateway. What is the MOST secure and scalable way to force traffic through the security appliances?

Question 318 (easy, multiple choice)

A startup is building a web application on AWS. They have an Application Load Balancer (ALB) in front of EC2 instances in an Auto Scaling group. They want to protect the application from common web exploits like SQL injection and cross-site scripting. They also need to allow only traffic from certain geographic regions. Which AWS service should they use to achieve these requirements?

Question 319 (medium, multi-select)

A security engineer is designing a VPC with public and private subnets. The company requires that all outbound traffic from private subnets to the internet must go through a single IP address for whitelisting by third-party services. Which TWO actions should the engineer take?

Question 320 (hard, multi-select)

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. The bucket policy must deny all requests that do not come from the VPC endpoint. Which TWO statements are true for this configuration?

Question 321 (hard, multiple choice)

A company runs a multi-tier web application on AWS. The web tier uses an Application Load Balancer (ALB) in a public subnet, and the application tier runs on EC2 instances in private subnets. The security team recently ran a vulnerability scan and found that the application instances are accessible from the internet on port 8080. The EC2 instances have a security group that allows inbound traffic on port 8080 from the ALB's security group only. However, the ALB's security group allows inbound traffic on port 8080 from 0.0.0.0/0. The architecture also includes a NAT Gateway for outbound internet access from private subnets. The security engineer needs to ensure that only the ALB can communicate with the application instances on port 8080, and that the application instances cannot be directly accessed from the internet. What should the security engineer do?

Question 322 (hard, multiple choice)

A company uses AWS Organizations to manage multiple accounts. The security team must enforce that all Amazon S3 buckets across all accounts are encrypted with AWS KMS. The team has enabled S3 default encryption for new buckets, but existing buckets may not be encrypted. They need to automatically remediate any non-compliant buckets. The team has AWS Config and AWS Lambda available. What is the MOST operationally efficient solution?

Question 323 (hard, multiple choice)

A company is deploying a new web application on AWS. The application runs on EC2 instances behind an Application Load Balancer (ALB). The security team requires that all traffic between the ALB and the EC2 instances be encrypted using TLS. The ALB uses a certificate from AWS Certificate Manager (ACM). The EC2 instances are Linux-based and have a self-signed certificate installed. The security engineer configured the ALB target group to use HTTPS on port 443, and the EC2 security group allows inbound traffic on port 443 from the ALB security group. However, when testing, the application returns a 502 Bad Gateway error. The ALB health checks are failing. What is the likely cause?

Question 324 (hard, multiple choice)

Refer to the exhibit. A developer receives an 'UnauthorizedOperation' error when launching an EC2 instance with the specified security group. The developer has permissions to use ec2:RunInstances. What is the most likely cause?

Network Topology

$ aws ec2 describe-security-groups --group-ids sg-12345678
$ aws ec2 run-instances --image-id ami-12345678 --instance-type t2.micro --security-group-ids sg-12345678 --subnet-id subnet-12345678

describe-security-groups output:
{
  "SecurityGroups": [
    {
      "GroupId": "sg-12345678",
      "GroupName": "web-sg",
      "IpPermissions": [
        {
          "FromPort": 443,
          "ToPort": 443,
          "IpProtocol": "tcp",
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}]
        },
        {
          "FromPort": 80,
          "ToPort": 80,
          "IpProtocol": "tcp",
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]
        }
      ],
      "IpPermissionsEgress": [
        {
          "IpProtocol": "-1",
          ...

Question 325 (medium, multiple choice)

Refer to the exhibit. A security engineer applies the IAM policy to a user, and then successfully runs the CLI command. Later, the user attempts to upload an object without specifying the ACL. What will happen?

Network Topology

$ aws s3api put-object --bucket my-bucket --key test.txt --body file.txt --acl bucket-owner-full-control

IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Deny",
      ...
      "Condition": {
        "StringNotEquals": {
          "ETag": "\"d41d8cd98f00b204e9800998ecf8427e\""
          ...

Question 326 (hard, multiple choice)

Refer to the exhibit. An application running on EC2 behind an ALB is unreachable from the internet. The ALB health checks are failing. What is the most likely cause?

Exhibit

VPC: vpc-12345
Subnet: subnet-67890 (10.0.1.0/24, us-east-1a)
Network ACL: acl-abcde (associated with subnet-67890)

Inbound rules:
Rule 100: HTTP (80) | Source: 10.0.0.0/16 | ALLOW
Rule 200: HTTPS (443) | Source: 10.0.0.0/16 | ALLOW
Rule *: ALL Traffic | Source: 0.0.0.0/0 | DENY

Outbound rules:
Rule 100: HTTP (80) | Destination: 10.0.0.0/16 | ALLOW
Rule 200: HTTPS (443) | Destination: 10.0.0.0/16 | ALLOW
Rule *: ALL Traffic | Destination: 0.0.0.0/0 | DENY

Security Group: sg-99999 (attached to EC2 instance in subnet-67890)
Inbound: HTTP (80) Source: 0.0.0.0/0
Outbound: ALL Traffic Destination: 0.0.0.0/0

An internet-facing Application Load Balancer (ALB) in a public subnet sends traffic to the EC2 instance on port 80.

Question 327 (medium, multiple choice)

Refer to the exhibit. A security engineer is investigating a potential compromise. What is the most critical finding?

Network Topology

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --start-time 2023-01-01T00:00:00Z --end-time 2023-01-02T00:00:00Z --query 'Events[?UserIdentity.Type=="Root"]'
{
  "EventId": "abc123",
  "EventName": "ConsoleLogin",
  "EventTime": "2023-01-01T12:30:00Z",
  "UserIdentity": {
    "Type": "Root",
    "Arn": "arn:aws:iam::123456789012:root"
  },
  "SourceIPAddress": "203.0.113.5",
  "ResponseElements": {
    "ConsoleLogin": "Success"
  }
}

$ aws iam get-account-summary
{
  "SummaryMap": {
    "AccountMFAEnabled": 1,
    "AccountAccessKeysPresent": 2
    ...

Question 328 (hard, multiple choice)

Refer to the exhibit. A user assumes the role and tries to terminate an instance, but gets an error. The instance i-12345678 has a tag 'Environment' with value 'dev'. What is the most likely reason for the failure?

Network Topology

$ aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/my-role" --role-session-name test
$ aws ec2 terminate-instances --instance-ids i-12345678

Resource: aws_iam_role_policy
Name: my-role-policy
Role: my-role
Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      ...
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Environment": "dev"
        }
      }
    }
  ]
}

assume-role output:
{
  "Credentials": {
    "AccessKeyId": "ASIA...",
    "SecretAccessKey": "...",
    "SessionToken": "...",
    "Expiration": "2023-01-01T01:00:00Z"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROA...:test",
    ...
