Courseiva
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Amazon Web Services · SCS-C02

SCS-C02 Infrastructure Security Practice Questions

20+ practice questions focused on Infrastructure Security — one of the most tested topics on the AWS Certified Security Specialty SCS-C02 exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Sample Infrastructure Security Questions

1. A company is designing a multi-tier web application on AWS. The web tier must be accessible from the internet, but the application and database tiers must be isolated. The security team requires that all traffic between tiers be encrypted and that the application tier can only be accessed by the web tier. Which architecture should be used?

A. Place all tiers in public subnets and use security groups to restrict traffic.
B. Place the web tier in a public subnet with an internet gateway, and the app and database tiers in private subnets. Use separate security groups for each tier, allowing only necessary traffic.
C. Place the web and app tiers in public subnets and the database in a private subnet.
D. Place all tiers in private subnets and use a single security group to allow traffic between them.

Explanation: Option B is correct because it places the web tier in a public subnet with an Internet Gateway (IGW) for internet-facing access, while the application and database tiers reside in private subnets with no direct internet path. Separate security groups enforce least-privilege: the web tier security group allows inbound HTTP/HTTPS (ports 80/443) from 0.0.0.0/0, the app tier security group allows inbound traffic only from the web tier security group (using a security group reference), and the database tier security group allows inbound traffic only from the app tier security group. This ensures encryption (e.g., TLS for web-to-app, and database-native encryption like TLS or AWS RDS encryption in transit) and complete isolation of the internal tiers.

2. A security engineer is troubleshooting connectivity issues between an Amazon EC2 instance in a VPC and an on-premises server over a Direct Connect virtual interface. The EC2 instance has a security group that allows outbound traffic to the on-premises CIDR block (10.0.0.0/16). The VPC has a route table entry pointing the on-premises CIDR to the virtual private gateway. The on-premises firewall shows that packets are received from the EC2 instance but responses are not reaching the instance. What is the most likely cause?

A. The on-premises router does not have a route pointing the VPC CIDR back to the Direct Connect interface.
B. The network ACL for the subnet is blocking outbound traffic to the on-premises CIDR.
C. The virtual private gateway is not attached to the VPC.
D. The security group does not allow inbound traffic from the on-premises server.

Explanation: The on-premises firewall logs show packets are received from the EC2 instance, but responses are not reaching it. This indicates a routing issue on the on-premises side: the on-premises router must have a route pointing the VPC CIDR back to the Direct Connect interface (virtual interface) for return traffic to be forwarded correctly. Without this return route, the on-premises server sends responses via its default route (likely the internet), which are dropped by the VPC security group or never reach the EC2 instance.

3. A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all Amazon S3 buckets across the organization have server-side encryption (SSE-S3 or SSE-KMS) enabled. Which approach should be used to enforce this policy?

A. Create an S3 bucket policy in each account to deny access to unencrypted buckets.
B. Use AWS Config rules to detect buckets without encryption and send alerts.
C. Create an IAM role in each account that requires encryption when creating buckets.
D. Create a service control policy (SCP) that denies s3:CreateBucket if the bucket does not have encryption enabled.

Explanation: Option D is correct because Service Control Policies (SCPs) in AWS Organizations allow you to centrally deny API actions across all accounts. By creating an SCP that denies `s3:CreateBucket` unless the request includes encryption parameters (SSE-S3 or SSE-KMS), you enforce encryption at the point of bucket creation, preventing non-compliant buckets from ever being created. This is the only approach that proactively enforces the policy across the entire organization, rather than relying on detection or per-account configurations.

4. A company is migrating a legacy application to AWS. The application requires two-way communication between the web servers and the database servers using TCP port 3306. The security team wants to follow the principle of least privilege. Which TWO actions should be taken to secure the traffic?

A. Create a security group for the web servers that allows outbound traffic on port 3306 to the database security group.
B. Create a security group for the database servers that allows inbound traffic on port 3306 from the web subnet CIDR.
C. Place the database servers in a public subnet for easier connectivity.
D. Configure the network ACL for the database subnet to allow inbound traffic on port 3306 from the web subnet CIDR.

Explanation: Option A is correct because security groups are stateful, so allowing outbound traffic on port 3306 from the web servers to the database security group automatically permits the corresponding return traffic. This adheres to the principle of least privilege by specifying the destination as the database security group ID rather than a broad CIDR range, ensuring only the intended web servers can initiate the connection.
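The security-group chaining that the explanations for questions 1 and 4 describe, written out as a CloudFormation template. This is an added example, not part of the question set; the VPC parameter, the resource names and the app-tier port 8443 are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Tiered security groups that reference each other instead of CIDRs (constructed example)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id   # assumed: the VPC that holds all three tiers

Resources:
  # Web tier: the only group open to the internet, and only on 80/443.
  WebSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier, internet-facing HTTP/HTTPS
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 80,  ToPort: 80,  CidrIp: 0.0.0.0/0 }
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }

  # App tier: inbound only from instances that carry WebSg, never from a CIDR,
  # so adding a host to the web subnet does not grant it access by itself.
  AppSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: App tier, reachable only from the web tier security group
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 8443            # assumed app-tier TLS port
          ToPort: 8443
          SourceSecurityGroupId: !Ref WebSg

  # Database tier: port 3306 only from instances that carry AppSg.
  # Security groups are stateful, so the replies to these connections are
  # allowed automatically; no extra inbound rule on AppSg is needed for them.
  DbSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: DB tier, port 3306 only from the app tier security group
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref AppSg
```

Leaving SecurityGroupEgress unset keeps CloudFormation's default allow-all outbound rule; to pin the web tier's egress to AppSg as in question 4's option A, put that rule in a separate AWS::EC2::SecurityGroupEgress resource, because a reference from WebSg back to AppSg inside the same resource would be a circular dependency.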

5. A security engineer is reviewing the SQS queue policy shown in the exhibit. The queue is subscribed to an SNS topic in the same account. The security team has a requirement that only the SNS topic should be allowed to send messages to the queue. What is the issue with this policy?

A. The second statement allows any principal in the 10.0.0.0/8 range to receive messages from the queue.
B. The policy does not specify a principal, so it will not work.
C. The aws:SourceArn condition uses ArnLike which is deprecated.
D. The aws:SourceIp condition cannot be used with SQS queue policies.

Explanation: Option A is correct because the second statement in the SQS queue policy allows any principal in the 10.0.0.0/8 IP range to receive messages from the queue, which violates the security requirement that only the SNS topic should be allowed to send messages. The policy should restrict the `sqs:SendMessage` action to the SNS topic using a condition like `aws:SourceArn` and should not include a broad `Effect: Allow` for `sqs:ReceiveMessage` without restricting the principal or source.
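A queue policy that meets the stated requirement, as an added CloudFormation example; it is not the exhibit from the question (which is not reproduced on this page), and the topic, queue and statement names are assumptions.

```yaml
Resources:
  OrdersTopic:
    Type: AWS::SNS::Topic          # assumed topic name

  OrdersQueue:
    Type: AWS::SQS::Queue          # assumed queue name

  # Deliver the topic's messages to the queue.
  OrdersSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref OrdersTopic
      Protocol: sqs
      Endpoint: !GetAtt OrdersQueue.Arn

  # Resource policy with exactly one statement: it grants SendMessage to the
  # SNS service only when the call originates from this specific topic.
  # There is deliberately no ReceiveMessage grant keyed on aws:SourceIp;
  # consumers get sqs:ReceiveMessage through their own IAM identity policies.
  OrdersQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref OrdersQueue
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowOnlyThisTopicToSend
            Effect: Allow
            Principal:
              Service: sns.amazonaws.com
            Action: sqs:SendMessage
            Resource: !GetAtt OrdersQueue.Arn
            Condition:
              ArnEquals:
                aws:SourceArn: !Ref OrdersTopic
```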


How to master Infrastructure Security for SCS-C02

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Infrastructure Security. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Infrastructure Security questions on the SCS-C02 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many SCS-C02 Infrastructure Security questions are on the real exam?

The exact number varies per candidate. Infrastructure Security is tested as part of the AWS Certified Security Specialty SCS-C02 blueprint. Practicing with targeted Infrastructure Security questions ensures you can handle any format or difficulty that appears.

Are these SCS-C02 Infrastructure Security practice questions free?

Yes. Courseiva provides free SCS-C02 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Infrastructure Security one of the harder SCS-C02 topics?

Difficulty is subjective, but Infrastructure Security is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.


Topic Info

Topic: Infrastructure Security
Exam: SCS-C02
Questions available: 20+