Network & Infrastructure Security (SCS-C03) Flashcards
AWS Certified Security Specialty SCS-C03 Flashcards

| Front | Back |
| --- | --- |
| Direct Connect vs VPN | Direct Connect offers predictable performance and higher bandwidth; VPN is encrypted over the public Internet. |
| How do NACL rules get processed? | NACLs are evaluated in order by rule number, and the first matching rule is applied. |
| How do route propagation and static routes differ? | Propagation automatically learns routes from attachments; static routes are manually added. |
| How to control S3 access from a VPC | Use gateway endpoints, VPC endpoint policies, and S3 bucket policies with VPC conditions. |
| How to design VPC CIDR to support growth | Plan non-overlapping blocks, use larger prefixes for expansion, and reserve space for peering and TGW. |
| How to enable high availability for VPN connections | Use multiple tunnels with multiple providers, or use Direct Connect with VPN fallback. |
| How to implement network segmentation in AWS | Use VPCs, subnets, security groups, NACLs, and Transit Gateway route tables. |
| How to limit cross-account access over VPC endpoints | Use endpoint policies, resource policies, and IAM conditions to control cross-account access. |
| How to protect management interfaces | Place them in private subnets, use a bastion or Session Manager, enable MFA, and restrict by source IP. |
| How to secure a bastion host | Limit access by IP, use multi-factor authentication, patch regularly, and use logging and monitoring. |
| Public subnet vs private subnet | Public has a route to an Internet Gateway; private has no direct route to an Internet Gateway. |
| Stateful vs stateless | Stateful tracks connection state and allows return traffic; stateless does not track state and requires explicit rules. |
| Transit Gateway route tables purpose | Control how traffic is routed between TGW attachments and support segmentation. |
| Use cases for VPC Flow Logs | Traffic analysis, troubleshooting, security monitoring, and cost optimization. |
| VPC endpoint types | Gateway endpoint for S3 and DynamoDB; interface endpoint for PrivateLink and services via ENIs. |
| VPC peering limitations | No transitive routing across peered VPCs, and overlapping CIDR blocks are not allowed. |
| What are NACL best practices? | Use NACLs for coarse subnet-level control, prefer stateless rules for logging, and enforce deny rules where needed. |
| What are security group best practices? | Least-privilege rules: use explicit ports and protocols, avoid wide-open rules, and use tags for management. |
| What are security group rule evaluation semantics? | All rules are evaluated and the most permissive matching rule applies, because security groups are allow-only. |
| What does stateful mean in the context of security groups? | Return traffic is automatically allowed for permitted inbound connections, and vice versa. |
| What is a bastion host? | A hardened instance in a public subnet used as a jump server to access resources in private subnets. |
| What is a host-based firewall advantage? | Provides an additional layer of defense close to the workload and enforces process-level policies. |
| What is a NAT gateway? | Managed service that allows instances in private subnets to access the Internet for outbound traffic. |
| What is a network ACL? | A NACL is a stateless subnet-level firewall evaluated per packet with explicit allow and deny rules. |
| What is a route table? | Set of rules that determines where network traffic from a subnet or gateway is directed. |
| What is a security group? | A virtual firewall for EC2 instances that is stateful and attached to network interfaces. |
| What is a site-to-site VPN? | Encrypted IPsec tunnel between an on-prem network and a VPC for private connectivity. |
| What is a subnet? | A subdivision of a VPC that partitions IP address space and defines routing and network isolation. |
| What is an AWS Hosted Zone private DNS benefit? | Enables private DNS resolution inside one or more VPCs for internal resources only. |
| What is an endpoint policy? | Resource-based policy attached to a VPC endpoint that controls access to the service. |
| What is the significance of an IGW route for 0.0.0.0/0? | Routes all Internet-bound traffic from a subnet to the Internet Gateway. |
| What is an Internet Gateway? | Managed AWS component that enables VPC resources to access the Internet and vice versa. |
| What is attachment isolation in Transit Gateway? | Use separate TGW route tables to prevent or allow routing between specific attachments. |
| What is AWS Global Accelerator? | Service that improves availability and performance by routing user traffic to optimal regional endpoints. |
| What is AWS Network Firewall? | Managed service that provides stateful and stateless inspection for VPC traffic with custom rules. |
| What is AWS PrivateLink? | Private connectivity solution that provides interface VPC endpoints for accessing services privately. |
| What is AWS Shield Standard vs Advanced? | Standard provides basic DDoS protection at no extra cost; Advanced offers enhanced detection, response, and cost protection. |
| What is AWS Transit Gateway? | A scalable hub that connects multiple VPCs and on-prem networks with centralized routing. |
| What is AWS WAF? | Web Application Firewall that protects web apps from common exploits like SQL injection and XSS. |
| What is Direct Connect? | Dedicated private network connection from on-prem to AWS offering consistent low latency and higher bandwidth. |
| What is Firewall Manager? | Centralized security policy management for AWS WAF, Shield, and security groups across accounts. |
| What is inter-region VPC peering? | Peering connection that routes traffic across AWS regions without traversing the public Internet. |
| What is network segmentation? | Dividing a network into segments to limit lateral movement and enforce security boundaries. |
| What is path MTU and why does it matter? | The maximum transmission unit size on a path affects fragmentation and can impact VPN and Direct Connect performance. |
| What is port range management? | Limit allowed source and destination ports to only required ranges to reduce attack surface. |
| What is route propagation? | Automatic addition of routes to a route table from a connected gateway or attachment. |
| What is the Session Manager advantage over bastion hosts? | Provides secure shell access without opening inbound ports or managing bastion credentials. |
| What is split-horizon DNS in hybrid networks? | Using different DNS responses depending on the source network to resolve internal and external addresses. |
| What is VPC Flow Logs? | Feature that captures information about IP traffic going to and from network interfaces for auditing and troubleshooting. |
| What is VPC peering? | One-to-one network connection between two VPCs that allows routing of traffic using private IPs. |
| When to use a gateway endpoint | Use for high-throughput access to S3 or DynamoDB without leaving the AWS network. |
| When to use an interface endpoint | Use for private connectivity to AWS services or partner services on a per-ENI basis. |
| When to use Network Firewall vs Security Groups | Use Network Firewall for centralized, deeper packet inspection and SGs for host-level filtering. |
| Why avoid overlapping CIDR blocks? | To avoid routing conflicts and ensure unique addressing for peering, Transit Gateway, and Direct Connect. |
| Why monitor network logs centrally? | Enables detection of anomalies, troubleshooting, and compliance reporting across accounts and VPCs. |
| Why use route tables with VPN and Direct Connect? | To control which subnets use which on-prem connections and enable failover. |
About the Flashcards
Flashcards for the AWS Certified Security Specialty exam spotlight the critical networking concepts you need to master when designing secure, scalable environments on AWS. Each card reinforces foundational terms such as subnets, route tables, Internet Gateways, and NAT Gateways, and distinguishes public from private connectivity to build a solid VPC architecture.
The deck also drills into security and hybrid networking, walking through security groups, NACLs, AWS Network Firewall, WAF, Shield, bastion hosts, Session Manager, and connectivity services like VPC peering, Transit Gateway, Direct Connect, and VPN. Reviewing these cards helps you recall best-practice configurations, route propagation behavior, segmentation strategies, and monitoring tools like VPC Flow Logs so you can confidently answer exam questions.
Topics covered in this flashcard deck:
- VPC architecture
- Subnet design & routing
- Network security controls
- Hybrid connectivity
- Monitoring & logging