20+ practice questions focused on Infrastructure Security — one of the most tested topics on the AWS Certified Security Specialty SCS-C02 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
Start Infrastructure Security PracticeA company is designing a multi-tier web application on AWS. The web tier must be accessible from the internet, but the application and database tiers must be isolated. The security team requires that all traffic between tiers be encrypted and that the application tier can only be accessed by the web tier. Which architecture should be used?
Explanation: Option B is correct because it places the web tier in a public subnet with an Internet Gateway (IGW) for internet-facing access, while the application and database tiers reside in private subnets with no direct internet path. Separate security groups enforce least-privilege: the web tier security group allows inbound HTTP/HTTPS (ports 80/443) from 0.0.0.0/0, the app tier security group allows inbound traffic only from the web tier security group (using a security group reference), and the database tier security group allows inbound traffic only from the app tier security group. This ensures encryption (e.g., TLS for web-to-app, and database-native encryption like TLS or AWS RDS encryption in transit) and complete isolation of the internal tiers.
A security engineer is troubleshooting connectivity issues between an Amazon EC2 instance in a VPC and an on-premises server over a Direct Connect virtual interface. The EC2 instance has a security group that allows outbound traffic to the on-premises CIDR block (10.0.0.0/16). The VPC has a route table entry pointing the on-premises CIDR to the virtual private gateway. The on-premises firewall shows that packets are received from the EC2 instance but responses are not reaching the instance. What is the most likely cause?
Explanation: The on-premises firewall logs show packets are received from the EC2 instance, but responses are not reaching it. This indicates a routing issue on the on-premises side: the on-premises router must have a route pointing the VPC CIDR back to the Direct Connect interface (virtual interface) for return traffic to be forwarded correctly. Without this return route, the on-premises server sends responses via its default route (likely the internet), which are dropped by the VPC security group or never reach the EC2 instance.
A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all Amazon S3 buckets across the organization have server-side encryption (SSE-S3 or SSE-KMS) enabled. Which approach should be used to enforce this policy?
Explanation: Option D is correct because Service Control Policies (SCPs) in AWS Organizations allow you to centrally deny API actions across all accounts. By creating an SCP that denies `s3:CreateBucket` unless the request includes encryption parameters (SSE-S3 or SSE-KMS), you enforce encryption at the point of bucket creation, preventing non-compliant buckets from ever being created. This is the only approach that proactively enforces the policy across the entire organization, rather than relying on detection or per-account configurations.
A company is migrating a legacy application to AWS. The application requires two-way communication between the web servers and the database servers using TCP port 3306. The security team wants to follow the principle of least privilege. Which TWO actions should be taken to secure the traffic?
Explanation: Option A is correct because security groups are stateful, so allowing outbound traffic on port 3306 from the web servers to the database security group automatically permits the corresponding return traffic. This adheres to the principle of least privilege by specifying the destination as the database security group ID rather than a broad CIDR range, ensuring only the intended web servers can initiate the connection.
A security engineer is reviewing the SQS queue policy shown in the exhibit. The queue is subscribed to an SNS topic in the same account. The security team has a requirement that only the SNS topic should be allowed to send messages to the queue. What is the issue with this policy?
Explanation: Option A is correct because the second statement in the SQS queue policy allows any principal in the 10.0.0.0/8 IP range to receive messages from the queue, which violates the security requirement that only the SNS topic should be allowed to send messages. The policy should restrict the `sqs:SendMessage` action to the SNS topic using a condition like `aws:SourceArn` and should not include a broad `Effect: Allow` for `sqs:ReceiveMessage` without restricting the principal or source.
+15 more Infrastructure Security questions available
Practice all Infrastructure Security questions1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Infrastructure Security. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Infrastructure Security questions on the SCS-C02 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Infrastructure Security is tested as part of the AWS Certified Security Specialty SCS-C02 blueprint. Practicing with targeted Infrastructure Security questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free SCS-C02 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Infrastructure Security is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.
Launch a full Infrastructure Security practice session with instant scoring and detailed explanations.
Start Infrastructure Security Practice →