CertNova

Network Diagram PBQs: AWS Certified Security - Specialty (SCS-C03)

Difficulty: easy

Question 1 of 3

You are a security engineer designing a VPC for a web application that must meet baseline security requirements. The VPC has three subnets: a Public Subnet for internet-facing resources, a Private Subnet for application workloads that should not be directly reachable from the internet, and a Restricted Subnet for sensitive data stores. An Internet Gateway and a WAF are already deployed. Assign the remaining AWS security and application resources to their correct subnets based on defense-in-depth principles.

Network Topology

Public Subnet

Internet-facing — WAF, ALB, NAT Gateway

Internet Gateway (already deployed)
AWS WAF (already deployed)

Private Subnet

Application servers, internal services, security agents


Restricted Subnet

Databases, secrets managers, encrypted data stores


Available Devices


Application Load Balancer
Application Server
RDS Encrypted Instance
