SCS-C02 · topic practice

Infrastructure Security practice questions

Use this page to practise Infrastructure Security questions for this certification. Focus on how the exam tests infrastructure security in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Infrastructure Security

What the exam tests

What to know about Infrastructure Security

Infrastructure Security questions on this certification test your ability to deploy and manage infrastructure security concepts in scenario-based situations.

Core Infrastructure Security concepts and how they apply in real-world cloud scenarios.

How to deploy infrastructure security correctly and verify the outcome.

Troubleshooting infrastructure security issues by interpreting error output and system state.

Cloud best practices and Infrastructure Security design trade-offs tested by this certification.

Watch out for

Common Infrastructure Security exam traps

  • Selecting the most expensive service when a simpler managed option meets the requirement.
  • Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • Choosing a global service fix when the issue is region-specific.
  • Overlooking cost implications of cross-region data transfer in architecture questions.

Practice set

Infrastructure Security questions

20 questions · select your answer, then reveal the explanation

A company is designing a multi-tier web application on AWS. The web tier must be accessible from the internet, but the application and database tiers must be isolated. The security team requires that all traffic between tiers be encrypted and that the application tier can only be accessed by the web tier. Which architecture should be used?

Question 2 · hard · multiple choice

A security engineer is troubleshooting connectivity issues between an Amazon EC2 instance in a VPC and an on-premises server over a Direct Connect virtual interface. The EC2 instance has a security group that allows outbound traffic to the on-premises CIDR block (10.0.0.0/16). The VPC has a route table entry pointing the on-premises CIDR to the virtual private gateway. The on-premises firewall shows that packets are received from the EC2 instance but responses are not reaching the instance. What is the most likely cause?

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all Amazon S3 buckets across the organization have server-side encryption (SSE-S3 or SSE-KMS) enabled. Which approach should be used to enforce this policy?

A company is migrating a legacy application to AWS. The application requires two-way communication between the web servers and the database servers using TCP port 3306. The security team wants to follow the principle of least privilege. Which TWO actions should be taken to secure the traffic?

A security engineer is reviewing the SQS queue policy shown in the exhibit. The queue is subscribed to an SNS topic in the same account. The security team has a requirement that only the SNS topic should be allowed to send messages to the queue. What is the issue with this policy?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:sns:us-east-1:123456789012:MyTopic"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:ReceiveMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
```

Question 6 · hard · multiple choice

A financial services company runs a critical application on Amazon EC2 instances in a VPC. The application processes sensitive financial data and must meet strict compliance requirements. The security team recently discovered that an EC2 instance was compromised due to an unpatched vulnerability. The attacker used the instance's IAM role to access an S3 bucket containing customer data and exfiltrated the data. The security team needs to prevent such incidents in the future. They have implemented the following controls:

  • All EC2 instances are launched in private subnets.
  • The IAM roles used by EC2 instances follow the principle of least privilege.
  • Security groups restrict inbound and outbound traffic.
  • AWS Systems Manager Patch Manager is used to patch instances.
  • AWS CloudTrail is enabled and logs are sent to a centralized S3 bucket.
  • Amazon GuardDuty is enabled.

Despite these controls, the team is concerned about the blast radius if an instance is compromised again. Which additional measure would MOST effectively limit the blast radius of a compromised EC2 instance?

Question 7 · medium · multi select

A security engineer is designing a VPC with public and private subnets. The application servers in the private subnets need to access the internet for software updates, but must not be directly reachable from the internet. Which TWO actions satisfy these requirements?

Refer to the exhibit. A security engineer finds the IAM policy shown in the exhibit attached to an IAM group. The policy is intended to allow all EC2 actions only from the corporate network (10.0.0.0/8). However, users report that they can perform EC2 actions from outside the corporate network. What is the MOST likely reason?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
```

A company runs a web application on EC2 instances in an Auto Scaling group across two Availability Zones. The instances are behind an Application Load Balancer. The security team wants to ensure that only the ALB can send traffic to the instances. The instances are in a security group named 'app-sg'. Currently, 'app-sg' has an inbound rule allowing HTTP traffic from 0.0.0.0/0. The team wants to restrict access to only the ALB's security group. The ALB is in a security group named 'alb-sg'. Which course of action should the security engineer take to meet the requirement with minimal disruption?

Drag and drop the steps to set up AWS Certificate Manager (ACM) for a custom domain in the correct order.


Match each AWS Storage service encryption feature to its description.


  • Server-side encryption with S3 managed keys
  • Server-side encryption with AWS KMS
  • Server-side encryption with customer-provided keys
  • Encryption at rest for EBS volumes
  • Encryption at rest for RDS instances

Question 12 · medium · multiple choice

A company uses a Network Load Balancer (NLB) in front of a fleet of EC2 instances in private subnets. The security team requires that the source IP addresses of clients be preserved in the access logs of the backend instances. Which configuration should the security engineer verify?

Question 13 · hard · multi select

A security engineer is designing a VPC with public and private subnets. The application must be able to send outbound traffic to the internet, but inbound traffic from the internet must be blocked except for a single HTTP load balancer. The application also needs to access an S3 bucket in the same AWS region. Which combination of VPC components meets these requirements? (Choose two.)

A company is using AWS WAF to protect its Application Load Balancer (ALB). The security team wants to block requests that do not contain a valid API key in the HTTP header 'X-API-Key'. Which WAF rule type should be used?

Question 15 · medium · multiple choice

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance is associated with a security group that allows outbound HTTPS (port 443) to 0.0.0.0/0. The private subnet route table has a default route (0.0.0.0/0) pointing to a NAT Gateway in the public subnet. The NAT Gateway's security group allows inbound HTTPS from the private subnet CIDR. However, the instance cannot download patches. What is the most likely cause?

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The connection is set up with a private VIF to a VPC using a virtual private gateway. The security team wants to encrypt all traffic between on-premises and the VPC. Which solution should be implemented?

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. Which S3 bucket policy condition key should be used?

Question 18 · hard · multiple choice

A company is using AWS CloudFormation to deploy a multi-tier application. The security team requires that the database tier (RDS) be deployed in private subnets that are not directly routable from the application tier (EC2). The application tier must communicate with the database using an internal network path. Which solution meets these requirements?

A company is using AWS Shield Advanced to protect its web application against DDoS attacks. Which additional AWS service can be used to automatically mitigate application layer attacks?

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to access an S3 bucket to store logs. The security team wants to ensure that traffic does not traverse the internet. Which solution should be used? (Choose two.)


Frequently asked questions

What does the SCS-C02 exam test about Infrastructure Security?
Infrastructure Security questions on this certification test your ability to deploy and manage infrastructure security concepts in scenario-based situations.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Infrastructure Security questions in a focused session?
Yes — the session launcher on this page draws every question from the Infrastructure Security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SCS-C02 topics?
Use the topic links above to move to related areas, or go back to the SCS-C02 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SCS-C02 exam covers. They are not copied from any real exam or dump site.