4. Infrastructure Security (18%)

Infrastructure security is the physical backbone of your defense-in-depth strategy — the walls, doors, and locks that control what traffic enters your environment, which compute resources are trusted, and how networks are segmented. Without infrastructure security, even perfect IAM policies and encryption are undermined: an attacker who can reach your database server directly bypasses every application-level control you've built. Think of it like a bank vault with a perfect combination lock but no building around it — the lock works perfectly, but anyone can walk up and try combinations. The SCS-C03 organizes infrastructure security into three tiers: network edge (stopping threats before they enter), compute workloads (hardening the resources that run your code), and network controls (segmenting traffic between resources).

The First Principle is that infrastructure security implements defense-in-depth at three layers — edge, compute, and network — where each layer operates independently so that a failure in one doesn't cascade to the others.

Scenario: A web application is protected by WAF at the edge, but an attacker discovers an unprotected API endpoint that bypasses CloudFront. Without compute-level and network-level controls, the attacker exploits a vulnerability in the application server and moves laterally to the database.

Reflection Question: How does the three-tier infrastructure model (edge → compute → network) ensure that bypassing one layer doesn't give an attacker unrestricted access?