AWS Certified Security Deep Dive is a focused podcast designed for IT professionals, cloud architects, and security enthusiasts aiming to master the AWS Security curriculum. Each episode breaks down key concepts, best practices, and real-world scenarios from the AWS Certified Security – Specialty exam, covering topics like identity and access management, data protection, incident response, and infrastructure security. Hosted by industry experts, the show offers actionable insights, exam tips, and updates on AWS security services to help listeners achieve certification and excel in securing cloud environments.
All content for AWS Certified Security Specialist Podcast is the property of bhrionn and is served directly from their servers
with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
AWS Certified Security Deep Dive is a focused podcast designed for IT professionals, cloud architects, and security enthusiasts aiming to master the AWS Security curriculum. Each episode breaks down key concepts, best practices, and real-world scenarios from the AWS Certified Security – Specialty exam, covering topics like identity and access management, data protection, incident response, and infrastructure security. Hosted by industry experts, the show offers actionable insights, exam tips, and updates on AWS security services to help listeners achieve certification and excel in securing cloud environments.
AWS Certified Security Speciality (SCS-C02) Exam
Domain 3: Infrastructure Security Questions
Below are 50 unique questions and answers for Domain 3: Infrastructure Security, covering all task statements, knowledge, and skills as outlined in the AWS Certified Security - Specialty (SCS-C02) Exam Guide.
## Domain 3: Infrastructure Security
### Task Statement 3.1: Design and implement security controls for edge services.
**Knowledge of:**
- 3.1.1 Security features on edge services (for example, AWS WAF, load balancers, Amazon Route 53, Amazon CloudFront, AWS Shield)
- 3.1.2 Common attacks, threats, and exploits (for example, Open Web Application Security Project [OWASP] Top 10, DDoS)
- 3.1.3 Layered web application architecture
**Skills in:**
- 3.1.4 Defining edge security strategies for common use cases (for example, public website, serverless app, mobile app backend)
- 3.1.5 Selecting appropriate edge services based on anticipated threats and attacks (for example, OWASP Top 10, DDoS)
- 3.1.6 Selecting appropriate protections based on anticipated vulnerabilities and risks (for example, vulnerable software, applications, libraries)
- 3.1.7 Defining layers of defense by combining edge security services (for example, CloudFront with AWS WAF and load balancers)
- 3.1.8 Applying restrictions at the edge based on various criteria (for example, geography, geolocation, rate limit)
- 3.1.9 Activating logs, metrics, and monitoring around edge services to indicate attacks
### Task Statement 3.2: Design and implement network security controls.
**Knowledge of:**
- 3.2.1 VPC security mechanisms (for example, security groups, network ACLs, AWS Network Firewall)
- 3.2.2 Inter-VPC connectivity (for example, AWS Transit Gateway, VPC endpoints)
- 3.2.3 Security telemetry sources (for example, Traffic Mirroring, VPC Flow Logs)
- 3.2.4 VPN technology, terminology, and usage
- 3.2.5 On-premises connectivity options (for example, AWS VPN, AWS Direct Connect)
**Skills in:**
- 3.2.6 Implementing network segmentation based on security requirements (for example, public subnets, private subnets, sensitive VPCs, on-premises connectivity)
- 3.2.7 Designing network controls to permit or prevent network traffic as required (for example, by using security groups, network ACLs, and Network Firewall)
- 3.2.8 Designing network flows to keep data off the public internet (for example, by using Transit Gateway, VPC endpoints, and Lambda in VPCs)
- 3.2.9 Determining which telemetry sources to monitor based on network design, threats, and attacks (for example, load balancer logs, VPC Flow Logs, Traffic Mirroring)
- 3.2.10 Determining redundancy and security workload requirements for communication between on-premises environments and the AWS Cloud (for example, by using AWS VPN, AWS VPN over Direct Connect, and MACsec)
- 3.2.11 Identifying and removing unnecessary network access
- 3.2.12 Managing network configurations as requirements change (for example, by using AWS Firewall Manager)
### Task Statement 3.3: Design and implement security controls for compute workloads.
**Knowledge of:**
- 3.3.1 Provisioning and maintenance of EC2 instances (for example, patching, inspecting, creation of snapshots and AMIs, use of EC2 Image Builder)
- 3.3.2 IAM instance roles and IAM service roles
- 3.3.3 Services that scan for vulnerabilities in compute workloads (for example, Amazon Inspector, Amazon Elastic Container Registry [Amazon ECR])
- 3.3.4 Host-based security (for example, firewalls, hardening)
**Skills in:**
- 3.3.5 Creating hardened EC2 AMIs
- 3.3.6 Applying instance roles and service roles as appropriate to authorize compute workloads
- 3.3.7 Scanning EC2 instances and container images for known vulnerabilities
- 3.3.8 Applying patches across a fleet of EC2 instances or container images
- 3.3.9 Activating host-based security mechanisms (for example, host-based firewalls)
- 3.3.10 Analyzing Amazon Inspector findings and determining appropriate
AWS Certified Security Specialist Podcast
AWS Certified Security Deep Dive is a focused podcast designed for IT professionals, cloud architects, and security enthusiasts aiming to master the AWS Security curriculum. Each episode breaks down key concepts, best practices, and real-world scenarios from the AWS Certified Security – Specialty exam, covering topics like identity and access management, data protection, incident response, and infrastructure security. Hosted by industry experts, the show offers actionable insights, exam tips, and updates on AWS security services to help listeners achieve certification and excel in securing cloud environments.
