Try 10 focused AWS SCS-C03 questions on Infrastructure Security, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | AWS SCS-C03 |
| Topic area | Infrastructure Security |
| Blueprint weight | 18% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Infrastructure Security for AWS SCS-C03. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 18% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.
Topic: Infrastructure Security
A company serves a public web application through Amazon CloudFront with an Application Load Balancer origin. The security team observes a surge of automated POST /login requests from many IP addresses. The traffic is not saturating network bandwidth, but it is causing account lockouts and increased origin load. Which edge protection approach best addresses this attack type?
Options:
A. Add a network ACL rule to block the source IP ranges
B. Configure Route 53 Resolver DNS Firewall domain lists
C. Attach AWS WAF to CloudFront with Bot Control and login rate limits
D. Enable AWS Shield Advanced only for the CloudFront distribution
Best answer: C
Explanation: This is an application-layer credential stuffing and bot traffic problem, not a volumetric network DDoS event. AWS WAF is the right control because it evaluates HTTP request attributes such as URI path, method, headers, labels, IP reputation, bot signals, and request rate. Associating the web ACL with CloudFront lets the filtering occur at the edge, reducing load on the Application Load Balancer and origin. Bot Control, managed rules, CAPTCHA/Challenge actions, and a rate-based rule scoped to POST /login can reduce automated login abuse while preserving legitimate access. Shield Advanced can help with DDoS protection, but it does not replace WAF rules for request-level login abuse.
Topic: Infrastructure Security
A security team must provide emergency administrative access to private EC2 instances in several production VPCs. The instances do not need inbound SSH from user networks, administrators must not manage long-lived SSH keys, and all sessions must be attributable to IAM identities with session activity stored centrally. What is the best security decision?
Options:
A. Use EC2 Instance Connect with permanent user SSH keys
B. Place bastion hosts in public subnets for administrator access
C. Open SSH only from the corporate VPN CIDR
D. Use Systems Manager Session Manager with no inbound SSH rules
Best answer: D
Explanation: Systems Manager Session Manager is the best fit when administrative access is needed but direct network exposure is unnecessary. It uses IAM authorization, the SSM Agent, and an instance profile to establish sessions without opening inbound SSH on the instance security group. For private subnets, VPC endpoints for Systems Manager services can keep access off the public internet. Session logs can be sent to centralized destinations such as CloudWatch Logs or Amazon S3, and access can be scoped by IAM conditions such as instance tags. This reduces blast radius compared with SSH-based access paths and removes the need to distribute or rotate administrator SSH keys. EC2 Instance Connect can be useful for SSH workflows, but Session Manager better satisfies the stated no-inbound-SSH and centralized session logging requirements.
Topic: Infrastructure Security
A security engineer reviews hybrid connectivity between an on-premises network and a production VPC through AWS Transit Gateway. What is the best interpretation of the evidence?
| Evidence | Value |
|---|---|
| VPN propagated route | 10.0.0.0/8 to TGW route table |
| Production subnet route | 10.0.0.0/8 -> tgw-attach-vpn |
| Database security group | Allows TCP 5432 from 10.0.0.0/8 |
| Public route to database | None found |
Options:
A. Only the specific on-premises database administrators can reach the database.
B. The database is reachable from overly broad private networks over the VPN.
C. The database is exposed directly to the internet.
D. There is no exposure because the traffic uses an encrypted VPN.
Best answer: B
Explanation: The evidence supports a hybrid network exposure, not a public internet exposure. The VPN route propagates a broad 10.0.0.0/8 prefix into the transit gateway path, and the production database security group allows TCP 5432 from that same broad range. That means any routed source within that private address space that can traverse the VPN/TGW path could potentially reach the database port. Encryption on the VPN protects traffic in transit but does not enforce least-privilege network access. The appropriate implication is to validate intended on-premises source CIDRs and reduce both routing and security group permissions to the minimum required ranges.
Topic: Infrastructure Security
A company runs a public sign-in page behind Amazon CloudFront and an Application Load Balancer. A security engineer reviews this alert before choosing an edge control.
Evidence:
| Signal | Observation |
|---|---|
| CloudFront requests | Normal total volume, but /login is 82% of requests |
| WAF sampled requests | Many IPs, repeated failed usernames, browser automation user agents |
| ALB metrics | HTTP 401 responses increased 18x; no network saturation |
| Shield event | No L3/L4 DDoS event detected |
Which edge protection approach is best supported by the evidence?
Options:
A. Add AWS WAF Bot Control and rate limiting for /login.
B. Use CloudFront geographic restriction to block all foreign traffic.
C. Deploy Route 53 Resolver DNS Firewall for the sign-in domain.
D. Enable Shield Advanced as the primary mitigation for volumetric DDoS.
Best answer: A
Explanation: The evidence points to an application-layer automation attack against the sign-in endpoint, not a volumetric network DDoS. The strongest indicators are concentrated /login traffic, repeated failed usernames, automation-like user agents, and a large increase in HTTP 401 responses while overall request volume and network health remain normal. AWS WAF attached to CloudFront is the appropriate edge control for HTTP-layer inspection and enforcement. Bot Control can identify common automated clients, and a rate-based rule scoped to /login can throttle abusive request patterns without blocking the entire site. Shield Advanced helps with DDoS protection, but the visible evidence does not show an L3/L4 DDoS event.
Topic: Infrastructure Security
A company uses AWS IoT Core for thousands of factory edge devices. Each device has its own X.509 certificate and is registered as an IoT thing. Security requires that a device can connect only using its own thing name as the MQTT client ID and can publish or subscribe only under factory/{thingName}/#. Which configuration best meets this requirement?
Options:
A. Use an IAM role policy on the application backend
B. Use AWS WAF rules on the IoT Core endpoint
C. Use one shared IoT policy allowing factory/* topics
D. Use an IoT policy with thing policy variables and an attachment condition
Best answer: D
Explanation: AWS IoT Core authorizes device MQTT actions with IoT policies attached to the device certificate or thing. For per-device isolation, the policy should use thing policy variables such as ${iot:Connection.Thing.ThingName} in the client, topic, and topic filter resources. Adding the iot:Connection.Thing.IsAttached condition ensures the certificate is attached to the registered thing whose name is being used. This applies least privilege at the device interaction layer, not only at the backend. A broad shared topic policy would allow devices to impersonate or access other devices’ namespaces.
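As an added illustration (not part of the original question set), this IoT policy applies the per-device pattern the explanation describes: the Connect resource is bound to the thing name, the IsAttached condition ties the certificate to its registered thing, and publish/subscribe are confined to the device's own factory/{thingName}/ namespace. The region `us-east-1` and account id `111122223333` are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-east-1:111122223333:client/${iot:Connection.Thing.ThingName}",
      "Condition": {
        "Bool": { "iot:Connection.Thing.IsAttached": "true" }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish", "iot:Receive"],
      "Resource": "arn:aws:iot:us-east-1:111122223333:topic/factory/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:111122223333:topicfilter/factory/${iot:Connection.Thing.ThingName}/*"
    }
  ]
}
```

A device presenting a certificate attached to thing `press-07` can therefore connect only as client ID `press-07` and only use topics under `factory/press-07/`; the same policy document can be attached to every device certificate because the variables resolve per connection.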
Topic: Infrastructure Security
A development team uses AWS CodePipeline and AWS CodeBuild to release a Java web application. Recent pull requests introduced hardcoded secrets and an injection vulnerability that were not found until after deployment. The security team wants an automated pipeline control that scans source code before release and gives developers remediation guidance. Which approach best meets this requirement?
Options:
A. Send deployment findings to AWS Security Hub
B. Enable Amazon Inspector on the CodeBuild project
C. Run Amazon CodeGuru Security scans in CodeBuild
D. Enable Amazon GuardDuty Runtime Monitoring
Best answer: C
Explanation: Pipeline security for source-code vulnerabilities is best handled before deployment with a code-scanning control in the build or pull-request workflow. Amazon CodeGuru Security can scan application code for issues such as injection flaws and hardcoded secrets, then provide findings and remediation guidance that developers can address before the artifact is released. This applies the control at the development and CI/CD layer, where the risky code is introduced. Runtime and posture services are still useful, but they do not replace pre-release code scanning for this requirement.
Topic: Infrastructure Security
A company runs Amazon EC2 instances in private subnets across multiple AWS accounts. Compliance requires critical OS security patches to be installed during approved maintenance windows, with centralized evidence of patch compliance. The security team also wants to avoid opening inbound SSH or RDP access to the instances. Which action is the BEST security decision?
Options:
A. Allow temporary SSH and RDP access for administrators to patch manually
B. Use AWS Config managed rules only to record missing patches
C. Use Systems Manager Patch Manager patch policies with approved baselines
D. Use Amazon Inspector findings as the patch deployment mechanism
Best answer: C
Explanation: Systems Manager Patch Manager is the right control when the requirement is to install operating system patches on managed EC2 instances, enforce approved patch baselines, run during maintenance windows, and produce compliance status. It works through the Systems Manager agent and IAM instance profile, so the company does not need inbound SSH or RDP. Amazon Inspector is valuable for continuous vulnerability detection and prioritization, but Inspector findings do not replace a patch deployment process. A strong process often uses Inspector to identify exposure and Patch Manager to remediate approved OS patches at scale.
Topic: Infrastructure Security
A company protects a CloudFront distribution with AWS WAF. During tuning, the security team wants AWS Managed Rules to classify requests but block only requests with a specific managed-rule label. Legitimate, expected requests must remain allowed.
Current web ACL:
| Priority | Rule | Action |
|---|---|---|
| 0 | BlockRfiLabel | Block if label exists |
| 10 | AWSManagedRulesCommonRuleSet | Count |
Which change best satisfies the requirement?
Options:
A. Run the managed rule group before the label-match rule.
B. Change the managed rule group action from Count to Block.
C. Use a CloudFront cache behavior to block the label.
D. Attach a Regional AWS WAF web ACL to the origin ALB.
Best answer: A
Explanation: AWS WAF evaluates rules in priority order, from the lowest number to the highest. A label-match rule can act only on labels that have already been applied by earlier rules in the same web ACL evaluation. In this design, BlockRfiLabel runs before AWSManagedRulesCommonRuleSet, so the label does not exist yet when the block rule checks for it. Keep the managed rule group in Count mode if the team wants classification without broad blocking, but assign it a higher precedence (a lower priority number) than the custom label-match block rule. The label-match rule can then selectively block only the labeled requests.
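The corrected ordering from the explanation, written as a web ACL definition (an added example, not part of the original question set): the managed rule group runs first in Count mode so it only applies labels, and the label-match block rule follows it. The label key is a placeholder; the exact label string must be taken from the managed rule group's documentation, and the web ACL name and metric names are assumed.

```json
{
  "Name": "cloudfront-web-acl",
  "Scope": "CLOUDFRONT",
  "DefaultAction": { "Allow": {} },
  "Rules": [
    {
      "Name": "AWSManagedRulesCommonRuleSet",
      "Priority": 0,
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesCommonRuleSet"
        }
      },
      "OverrideAction": { "Count": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "CommonRuleSetCount"
      }
    },
    {
      "Name": "BlockRfiLabel",
      "Priority": 10,
      "Statement": {
        "LabelMatchStatement": {
          "Scope": "LABEL",
          "Key": "awswaf:managed:aws:core-rule-set:<RFI-LABEL-PLACEHOLDER>"
        }
      },
      "Action": { "Block": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "BlockRfiLabel"
      }
    }
  ],
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "cloudfront-web-acl"
  }
}
```

With sampled requests enabled on both rules, the team can confirm in the WAF console or logs that requests carry the label from rule priority 0 before they are blocked at priority 10.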
Topic: Infrastructure Security
A company uses AWS CodePipeline and CodeBuild to deploy a Java microservice. Security wants to discover source-code vulnerabilities and hardcoded secrets before deployment, provide developers with remediation guidance, and avoid adding broad IAM permissions or a separate custom scanning fleet. Which is the BEST security decision?
Options:
A. Create a custom CodeBuild scanner with administrator permissions
B. Integrate Amazon CodeGuru Security into the CI/CD pipeline
C. Enable Amazon Inspector only after the service is deployed
D. Require Amazon Q Developer scans only in each developer IDE
Best answer: B
Explanation: Amazon CodeGuru Security is the best fit when the requirement is pipeline-centered application security testing. It can scan source code for vulnerabilities and hardcoded secrets during CI/CD and provide findings that developers can use to remediate issues before release. This satisfies the stated need to shift discovery earlier in the deployment process without building a custom scanning fleet or granting broad permissions. Amazon Q Developer can help developers find and fix issues in an IDE, but IDE-only use does not enforce a pipeline gate for every build. The key distinction is developer assistance versus controlled pipeline security validation.
Topic: Infrastructure Security
An ecommerce company serves www.example.com through CloudFront to an Application Load Balancer. AWS WAF logs show credential-stuffing attempts against /login from countries where the company does not operate and from rotating source IPs that share a small set of TLS client fingerprints. Requirements are to enforce controls at the edge, block disallowed countries, slow repeated login attempts by client fingerprint, and retain request evidence. Which is the BEST security decision?
Options:
A. Associate AWS WAF with the ALB and rate limit by source IP.
B. Use CloudFront AWS WAF with GeoMatch, /login JA4 rate limiting, and logging.
C. Use CloudFront geographic restrictions and standard access logs.
D. Enable Shield Advanced automatic application-layer DDoS mitigation.
Best answer: B
Explanation: AWS WAF on CloudFront is the best fit because the required controls must run at the edge before traffic reaches the origin. A GeoMatch rule can block requests from disallowed countries. A rate-based rule scoped to /login and aggregated on a client fingerprint such as JA4 helps detect repeated attempts even when attackers rotate source IP addresses. Enabling AWS WAF logging preserves request-level evidence for investigation and tuning. CloudFront geographic restrictions can block countries but cannot implement login-specific client-fingerprint rate limiting.
Use the AWS SCS-C03 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.