About This Flashcard Deck
This flashcard deck contains 10 cards covering key Network & Edge Security concepts for the SCS-C02 exam. Test your knowledge of VPC security, Network Firewall, WAF, Shield, and network-level protection. Use active recall by attempting to answer each question before revealing the answer. Research shows that flashcard-based active recall is one of the most effective study techniques for certification exams.
All Network & Edge Security Flashcards
Q: What is AWS Firewall Manager?
A: Centrally manages WAF rules, Shield Advanced, security groups, Network Firewall, and Route 53 Resolver DNS Firewall across all accounts in an Organization.
Q: How does Network Firewall TLS inspection work?
A: Decrypts TLS traffic using a certificate, inspects content with stateful rules, then re-encrypts. Requires configuring a CA certificate for intercepting connections.
Q: What is the difference between Shield Standard and Advanced?
A: Standard: free, auto L3/L4 protection. Advanced: $3K/mo, L7 protection, DRT access, cost protection for scaling during DDoS, custom health checks.
Q: What is a WAF Bot Control managed rule group?
A: Identifies and manages bot traffic: verified bots (search engines), unverified bots, and malicious bots. Can block, rate-limit, or challenge with CAPTCHA.
Q: How do VPC Flow Logs help with security?
A: Records accepted/rejected traffic at ENI level. Detect: port scanning (many rejected flows), data exfiltration (large outbound), unauthorized access attempts.
Q: What is DNS Firewall (Route 53 Resolver)?
A: Filters outbound DNS queries from VPC. Block or alert on queries to known bad domains. Managed domain lists + custom. Prevents DNS exfiltration.
Q: What is the difference between a Network Firewall stateless rule and a stateful rule?
A: Stateless: evaluated first, 5-tuple match (fast, simple). Stateful: connection-aware, Suricata syntax, can inspect payload, domain filtering.
Q: How is Gateway Load Balancer used for security?
A: Routes all traffic through third-party virtual appliances (firewalls) transparently using GENEVE encapsulation. Scales appliances without changing routes.
Q: What is the security benefit of PrivateLink?
A: Traffic never traverses the internet — stays on AWS private network. Consumer only sees the endpoint ENI, not the provider VPC. Minimizes attack surface.
Q: How do you prevent DNS exfiltration?
A: Use Route 53 Resolver DNS Firewall to block queries to suspicious domains. Monitor DNS query logs for high-entropy subdomains (tunneling indicators).