# AWS Certified Security - Specialty (SCS-C02) Exam


Domain 3: Infrastructure Security Questions

Below are 50 unique questions and answers for Domain 3: Infrastructure Security, covering all task statements, knowledge, and skills as outlined in the AWS Certified Security - Specialty (SCS-C02) Exam Guide.

## Domain 3: Infrastructure Security

### Task Statement 3.1: Design and implement security controls for edge services.

**Knowledge of:**
- 3.1.1 Security features on edge services (for example, AWS WAF, load balancers, Amazon Route 53, Amazon CloudFront, AWS Shield)
- 3.1.2 Common attacks, threats, and exploits (for example, Open Web Application Security Project [OWASP] Top 10, DDoS)
- 3.1.3 Layered web application architecture

**Skills in:**
- 3.1.4 Defining edge security strategies for common use cases (for example, public website, serverless app, mobile app backend)
- 3.1.5 Selecting appropriate edge services based on anticipated threats and attacks (for example, OWASP Top 10, DDoS)
- 3.1.6 Selecting appropriate protections based on anticipated vulnerabilities and risks (for example, vulnerable software, applications, libraries)
- 3.1.7 Defining layers of defense by combining edge security services (for example, CloudFront with AWS WAF and load balancers)
- 3.1.8 Applying restrictions at the edge based on various criteria (for example, geography, geolocation, rate limit)
- 3.1.9 Activating logs, metrics, and monitoring around edge services to indicate attacks

### Task Statement 3.2: Design and implement network security controls.

**Knowledge of:**
- 3.2.1 VPC security mechanisms (for example, security groups, network ACLs, AWS Network Firewall)
- 3.2.2 Inter-VPC connectivity (for example, AWS Transit Gateway, VPC endpoints)
- 3.2.3 Security telemetry sources (for example, Traffic Mirroring, VPC Flow Logs)
- 3.2.4 VPN technology, terminology, and usage
- 3.2.5 On-premises connectivity options (for example, AWS VPN, AWS Direct Connect)

**Skills in:**
- 3.2.6 Implementing network segmentation based on security requirements (for example, public subnets, private subnets, sensitive VPCs, on-premises connectivity)
- 3.2.7 Designing network controls to permit or prevent network traffic as required (for example, by using security groups, network ACLs, and Network Firewall)
- 3.2.8 Designing network flows to keep data off the public internet (for example, by using Transit Gateway, VPC endpoints, and Lambda in VPCs)
- 3.2.9 Determining which telemetry sources to monitor based on network design, threats, and attacks (for example, load balancer logs, VPC Flow Logs, Traffic Mirroring)
- 3.2.10 Determining redundancy and security workload requirements for communication between on-premises environments and the AWS Cloud (for example, by using AWS VPN, AWS VPN over Direct Connect, and MACsec)
- 3.2.11 Identifying and removing unnecessary network access
- 3.2.12 Managing network configurations as requirements change (for example, by using AWS Firewall Manager)

### Task Statement 3.3: Design and implement security controls for compute workloads.

**Knowledge of:**
- 3.3.1 Provisioning and maintenance of EC2 instances (for example, patching, inspecting, creation of snapshots and AMIs, use of EC2 Image Builder)
- 3.3.2 IAM instance roles and IAM service roles
- 3.3.3 Services that scan for vulnerabilities in compute workloads (for example, Amazon Inspector, Amazon Elastic Container Registry [Amazon ECR])
- 3.3.4 Host-based security (for example, firewalls, hardening)

**Skills in:**
- 3.3.5 Creating hardened EC2 AMIs
- 3.3.6 Applying instance roles and service roles as appropriate to authorize compute workloads
- 3.3.7 Scanning EC2 instances and container images for known vulnerabilities
- 3.3.8 Applying patches across a fleet of EC2 instances or container images
- 3.3.9 Activating host-based security mechanisms (for example, host-based firewalls)
- 3.3.10 Analyzing Amazon Inspector findings and determining appropriate mitigation techniques
- 3.3.11 Passing secrets and credentials securely to compute workloads

### Task Statement 3.4: Troubleshoot network security.

**Knowledge of:**
- 3.4.1 How to analyze reachability (for example, by using VPC Reachability Analyzer and Amazon Inspector)
- 3.4.2 Fundamental TCP/IP networking concepts (for example, UDP compared with TCP, ports, Open Systems Interconnection [OSI] model, network operating system utilities)
- 3.4.3 How to read relevant log sources (for example, Route 53 logs, AWS WAF logs, VPC Flow Logs)

**Skills in:**
- 3.4.4 Identifying, interpreting, and prioritizing problems in network connectivity (for example, by using Amazon Inspector Network Reachability)
- 3.4.5 Determining solutions to produce desired network behavior
- 3.4.6 Analyzing log sources to identify problems
- 3.4.7 Capturing traffic samples for problem analysis (for example, by using Traffic Mirroring)