AWS Certified Security Specialist Podcast

AWS SECURITY - Domain 3 - 50x - QUESTIONS and ANSWERS

15 Oct 2025

Description

AWS Certified Security Specialty (SCS-C02) Exam Domain 3: Infrastructure Security Questions

Below are 50 unique questions and answers for Domain 3: Infrastructure Security, covering all task statements, knowledge, and skills as outlined in the AWS Certified Security - Specialty (SCS-C02) Exam Guide.

## Domain 3: Infrastructure Security

### Task Statement 3.1: Design and implement security controls for edge services.

**Knowledge of:**
- 3.1.1 Security features on edge services (for example, AWS WAF, load balancers, Amazon Route 53, Amazon CloudFront, AWS Shield)
- 3.1.2 Common attacks, threats, and exploits (for example, Open Web Application Security Project [OWASP] Top 10, DDoS)
- 3.1.3 Layered web application architecture

**Skills in:**
- 3.1.4 Defining edge security strategies for common use cases (for example, public website, serverless app, mobile app backend)
- 3.1.5 Selecting appropriate edge services based on anticipated threats and attacks (for example, OWASP Top 10, DDoS)
- 3.1.6 Selecting appropriate protections based on anticipated vulnerabilities and risks (for example, vulnerable software, applications, libraries)
- 3.1.7 Defining layers of defense by combining edge security services (for example, CloudFront with AWS WAF and load balancers)
- 3.1.8 Applying restrictions at the edge based on various criteria (for example, geography, geolocation, rate limit)
- 3.1.9 Activating logs, metrics, and monitoring around edge services to indicate attacks

### Task Statement 3.2: Design and implement network security controls.

**Knowledge of:**
- 3.2.1 VPC security mechanisms (for example, security groups, network ACLs, AWS Network Firewall)
- 3.2.2 Inter-VPC connectivity (for example, AWS Transit Gateway, VPC endpoints)
- 3.2.3 Security telemetry sources (for example, Traffic Mirroring, VPC Flow Logs)
- 3.2.4 VPN technology, terminology, and usage
- 3.2.5 On-premises connectivity options (for example, AWS VPN, AWS Direct Connect)

**Skills in:**
- 3.2.6 Implementing network segmentation based on security requirements (for example, public subnets, private subnets, sensitive VPCs, on-premises connectivity)
- 3.2.7 Designing network controls to permit or prevent network traffic as required (for example, by using security groups, network ACLs, and Network Firewall)
- 3.2.8 Designing network flows to keep data off the public internet (for example, by using Transit Gateway, VPC endpoints, and Lambda in VPCs)
- 3.2.9 Determining which telemetry sources to monitor based on network design, threats, and attacks (for example, load balancer logs, VPC Flow Logs, Traffic Mirroring)
- 3.2.10 Determining redundancy and security workload requirements for communication between on-premises environments and the AWS Cloud (for example, by using AWS VPN, AWS VPN over Direct Connect, and MACsec)
- 3.2.11 Identifying and removing unnecessary network access
- 3.2.12 Managing network configurations as requirements change (for example, by using AWS Firewall Manager)

### Task Statement 3.3: Design and implement security controls for compute workloads.

**Knowledge of:**
- 3.3.1 Provisioning and maintenance of EC2 instances (for example, patching, inspecting, creation of snapshots and AMIs, use of EC2 Image Builder)
- 3.3.2 IAM instance roles and IAM service roles
- 3.3.3 Services that scan for vulnerabilities in compute workloads (for example, Amazon Inspector, Amazon Elastic Container Registry [Amazon ECR])
- 3.3.4 Host-based security (for example, firewalls, hardening)

**Skills in:**
- 3.3.5 Creating hardened EC2 AMIs
- 3.3.6 Applying instance roles and service roles as appropriate to authorize compute workloads
- 3.3.7 Scanning EC2 instances and container images for known vulnerabilities
- 3.3.8 Applying patches across a fleet of EC2 instances or container images
- 3.3.9 Activating host-based security mechanisms (for example, host-based firewalls)
- 3.3.10 Analyzing Amazon Inspector findings and determining appropriate mitigation techniques
- 3.3.11 Passing secrets and credentials securely to compute workloads

### Task Statement 3.4: Troubleshoot network security.

**Knowledge of:**
- 3.4.1 How to analyze reachability (for example, by using VPC Reachability Analyzer and Amazon Inspector)
- 3.4.2 Fundamental TCP/IP networking concepts (for example, UDP compared with TCP, ports, Open Systems Interconnection [OSI] model, network operating system utilities)
- 3.4.3 How to read relevant log sources (for example, Route 53 logs, AWS WAF logs, VPC Flow Logs)

**Skills in:**
- 3.4.4 Identifying, interpreting, and prioritizing problems in network connectivity (for example, by using Amazon Inspector Network Reachability)
- 3.4.5 Determining solutions to produce desired network behavior
- 3.4.6 Analyzing log sources to identify problems
- 3.4.7 Capturing traffic samples for problem analysis (for example, by using Traffic Mirroring)
