Network & Infrastructure Security (SCS-C03) Flashcards
AWS Certified Security Specialty SCS-C03 Flashcards
| Front | Back |
|---|---|
| Direct Connect vs VPN | Direct Connect offers predictable performance and higher bandwidth; VPN is encrypted over the public Internet. |
| How do NACL rules get processed? | NACLs are evaluated in order by rule number, and the first matching rule is applied. |
| How do route propagation and static routes differ? | Propagation automatically learns routes from attachments; static routes are manually added. |
| How to control S3 access from a VPC | Use gateway endpoints, VPC endpoint policies, and S3 bucket policies with VPC conditions. |
| How to design VPC CIDR to support growth | Plan non-overlapping blocks, use larger prefixes for expansion, and reserve space for peering and TGW. |
| How to enable high availability for VPN connections | Use multiple tunnels with multiple providers, or use Direct Connect with VPN fallback. |
| How to implement network segmentation in AWS | Use VPCs, subnets, security groups, NACLs, and Transit Gateway route tables. |
| How to limit cross-account access over VPC endpoints | Use endpoint policies, resource policies, and IAM conditions to control cross-account access. |
| How to protect management interfaces | Place them in private subnets, use a bastion or Session Manager, enable MFA, and restrict by source IP. |
| How to secure a bastion host | Limit access by IP, use multi-factor authentication, patch regularly, and use logging and monitoring. |
| Public subnet vs private subnet | Public has a route to an Internet Gateway; private has no direct route to an Internet Gateway. |
| Stateful vs stateless | Stateful tracks connection state and allows return traffic; stateless does not track state and requires explicit rules. |
| Transit Gateway route tables purpose | Control how traffic is routed between TGW attachments and support segmentation. |
| Use cases for VPC Flow Logs | Traffic analysis, troubleshooting, security monitoring, and cost optimization. |
| VPC endpoint types | Gateway endpoint for S3 and DynamoDB; interface endpoint for PrivateLink and services via ENIs. |
| VPC peering limitations | No transitive routing across peered VPCs, and overlapping CIDR blocks are not allowed. |
| What are NACL best practices? | Use NACLs for coarse subnet-level control, prefer stateless rules for logging, and enforce deny rules where needed. |
| What are security group best practices? | Least-privilege rules: use explicit ports and protocols, avoid wide-open rules, and use tags for management. |
| What are security group rule evaluation semantics? | All rules are evaluated and the most permissive matching rule applies, because security groups are allow-only. |
| What does stateful mean in the context of security groups? | Return traffic is automatically allowed for permitted inbound connections, and vice versa. |
| What is a bastion host? | A hardened instance in a public subnet used as a jump server to access resources in private subnets. |
| What is a host-based firewall advantage? | Provides an additional layer of defense close to the workload and enforces process-level policies. |
| What is a NAT gateway? | Managed service that allows instances in private subnets to access the Internet for outbound traffic. |
| What is a network ACL? | A NACL is a stateless subnet-level firewall, evaluated per packet, with explicit allow and deny rules. |
| What is a route table? | Set of rules that determines where network traffic from a subnet or gateway is directed. |
| What is a security group? | A virtual firewall for EC2 instances that is stateful and attached to network interfaces. |
| What is a site-to-site VPN? | Encrypted IPsec tunnel between an on-prem network and a VPC for private connectivity. |
| What is a subnet? | A subdivision of a VPC that partitions IP address space and defines routing and network isolation. |
| What is an AWS Hosted Zone private DNS benefit? | Enables private DNS resolution inside one or more VPCs for internal resources only. |
| What is an endpoint policy? | Resource-based policy attached to a VPC endpoint that controls access to the service. |
| What is the significance of an IGW route for 0.0.0.0/0? | Routes all Internet-bound traffic from a subnet to the Internet Gateway. |
| What is an Internet Gateway? | Managed AWS component that enables VPC resources to access the Internet, and vice versa. |
| What is attachment isolation in Transit Gateway? | Use separate TGW route tables to prevent or allow routing between specific attachments. |
| What is AWS Global Accelerator? | Service that improves availability and performance by routing user traffic to optimal regional endpoints. |
| What is AWS Network Firewall? | Managed service that provides stateful and stateless inspection for VPC traffic with custom rules. |
| What is AWS PrivateLink? | Private connectivity solution that provides interface VPC endpoints for accessing services privately. |
| What is AWS Shield Standard vs Advanced? | Standard provides basic DDoS protection at no extra cost; Advanced offers enhanced detection, response, and cost protection. |
| What is AWS Transit Gateway? | A scalable hub that connects multiple VPCs and on-prem networks with centralized routing. |
| What is AWS WAF? | Web Application Firewall that protects web apps from common exploits like SQL injection and XSS. |
| What is Direct Connect? | Dedicated private network connection from on-prem to AWS offering consistent low latency and higher bandwidth. |
| What is Firewall Manager? | Centralized security policy management for AWS WAF, Shield, and security groups across accounts. |
| What is inter-region VPC peering? | Peering connection that routes traffic across AWS regions without traversing the public Internet. |
| What is network segmentation? | Dividing a network into segments to limit lateral movement and enforce security boundaries. |
| What is path MTU and why does it matter? | The maximum transmission unit size on a path; it affects fragmentation and can impact VPN and Direct Connect performance. |
| What is port range management? | Limit allowed source and destination ports to only required ranges to reduce attack surface. |
| What is route propagation? | Automatic addition of routes to a route table from a connected gateway or attachment. |
| What is the Session Manager advantage over bastion hosts? | Provides secure shell access without opening inbound ports or managing bastion credentials. |
| What is split-horizon DNS in hybrid networks? | Using different DNS responses depending on the source network to resolve internal and external addresses. |
| What are VPC Flow Logs? | Feature that captures information about IP traffic going to and from network interfaces for auditing and troubleshooting. |
| What is VPC peering? | One-to-one network connection between two VPCs that allows routing of traffic using private IPs. |
| When to use a gateway endpoint | Use for high-throughput access to S3 or DynamoDB without leaving the AWS network. |
| When to use an interface endpoint | Use for private connectivity to AWS services or partner services on a per-ENI basis. |
| When to use Network Firewall vs Security Groups | Use Network Firewall for centralized, deeper packet inspection and SGs for host-level filtering. |
| Why avoid overlapping CIDR blocks? | To avoid routing conflicts and ensure unique addressing for peering, Transit Gateway, and Direct Connect. |
| Why monitor network logs centrally? | Enables detection of anomalies, troubleshooting, and compliance reporting across accounts and VPCs. |
| Why use route tables with VPN and Direct Connect? | To control which subnets use which on-prem connections and enable failover. |
Focuses on VPC design and network controls: subnets, route tables, security groups, NACLs, bastion hosts, Transit Gateway, VPC endpoints, private connectivity (VPN/Direct Connect), WAF, Shield, Firewall Manager and network segmentation.