- Which characteristic of cloud computing as defined by NIST allows a consumer to unilaterally provision computing capabilities such as server time and network storage without requiring human interaction with the service provider?
- Measured service
- Broad network access
- Resource pooling
- On-demand self-service
Correct answer: On-demand self-service
On-demand self-service means a consumer can provision capabilities automatically without human interaction with the provider. Broad network access, resource pooling, and measured service are the other four NIST essential characteristics.
- In the cloud shared responsibility model, which deployment model places the greatest portion of security responsibility on the customer?
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)
- Function as a Service (FaaS)
- Software as a Service (SaaS)
Correct answer: Infrastructure as a Service (IaaS)
In IaaS the provider manages only the underlying hardware, virtualization, and network, leaving the OS, middleware, runtime, applications, and data to the customer. SaaS places the least responsibility on the customer.
- A company wants the elasticity of public cloud for variable workloads but must keep regulated data on dedicated private infrastructure. Which deployment model best fits?
- Multi-tenant cloud
- Community cloud
- Public cloud
- Hybrid cloud
Correct answer: Hybrid cloud
A hybrid cloud combines two or more distinct cloud infrastructures (e.g., private and public) bound together to allow data and application portability. This lets regulated data stay private while bursting to public cloud for elasticity.
- Which cloud computing role is responsible for making services available to consumers and for managing the cloud infrastructure?
- Cloud service provider
- Cloud service broker
- Cloud auditor
- Cloud service partner
Correct answer: Cloud service provider
The cloud service provider (CSP) owns and operates the cloud infrastructure and makes services available to consumers. A broker negotiates relationships, and an auditor independently assesses controls.
- What is the primary security benefit of resource pooling combined with multi-tenancy in a cloud environment?
- It guarantees physical isolation of each tenant
- It enables economies of scale and efficient resource use
- It removes the provider's responsibility for security
- It eliminates the need for encryption
Correct answer: It enables economies of scale and efficient resource use
Resource pooling with multi-tenancy lets the provider serve many customers from the same physical resources, achieving economies of scale. Logical, not physical, isolation separates tenants, so it does not guarantee physical isolation.
- Which technology is the foundational enabler of cloud computing by abstracting physical hardware into logical resources?
- Microservices
- Serverless functions
- Virtualization
- Containers
Correct answer: Virtualization
Virtualization abstracts physical hardware (CPU, memory, storage, network) into logical resources managed by a hypervisor, enabling the multi-tenancy and resource pooling that define cloud computing.
- A hypervisor that runs directly on the host hardware without an underlying operating system is classified as which type?
- Type 0 (paravirtual)
- Type 2 (hosted)
- Type 1 (bare-metal)
- Type 3 (nested)
Correct answer: Type 1 (bare-metal)
A Type 1, or bare-metal, hypervisor runs directly on the physical hardware, offering better performance and a smaller attack surface. A Type 2 hypervisor runs as an application on top of a host OS.
- Which document is most commonly used to evaluate the security and assurance posture of a cloud provider against a comprehensive control framework before signing a contract?
- The provider's marketing brochure
- The customer's own incident response plan
- A penetration test scope document
- A SOC 2 Type II report
Correct answer: A SOC 2 Type II report
A SOC 2 Type II report provides an independent auditor's attestation of a provider's controls over a period of time across trust service criteria. It is a key artifact for assessing provider assurance during due diligence.
- Within the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), what is the primary purpose of the framework?
- To define encryption algorithms for cloud data
- To provide a cybersecurity control framework mapped to multiple standards and regulations
- To certify individual cloud engineers
- To establish service-level uptime guarantees
Correct answer: To provide a cybersecurity control framework mapped to multiple standards and regulations
The CSA CCM is a cybersecurity control framework specifically for cloud computing, with controls mapped to standards such as ISO 27001, NIST, and PCI DSS. It helps organizations assess provider and customer responsibilities.
- Which of the following best describes the concept of 'cloud bursting'?
- Distributing load across multiple availability zones
- Encrypting data before it leaves the data center
- Dynamically provisioning public cloud resources when private capacity is exceeded
- Deleting cloud resources when no longer needed
Correct answer: Dynamically provisioning public cloud resources when private capacity is exceeded
Cloud bursting is a hybrid cloud technique where an application running in a private cloud or data center 'bursts' into a public cloud when demand for capacity spikes. It provides elasticity without permanently over-provisioning private infrastructure.
- Which design principle ensures that a system continues operating, possibly at reduced capability, when one or more components fail?
- Vendor lock-in
- Resiliency
- Reversibility
- Interoperability
Correct answer: Resiliency
Resiliency is the ability of a system to withstand and recover from failures while continuing to function, often at a degraded level. It is achieved through redundancy, failover, and distributed architecture.
- What cloud architectural concept refers to the ability to move applications and data from one cloud provider to another with minimal disruption?
- Interoperability
- Scalability
- Portability
- Multi-tenancy
Correct answer: Portability
Portability is the ability to move workloads and data between providers or environments. Interoperability, by contrast, is the ability of systems to work together and exchange information.
- An organization is concerned about being unable to migrate away from its cloud provider due to proprietary APIs and data formats. This risk is best described as:
- Shadow IT
- Data remanence
- Vendor lock-in
- Resource contention
Correct answer: Vendor lock-in
Vendor lock-in occurs when proprietary technologies, formats, or contractual terms make it difficult and costly to switch providers. Using open standards and ensuring portability/reversibility mitigates this risk.
- Which ISO/IEC standard provides a reference architecture for cloud computing, defining roles, activities, and functional components?
- ISO/IEC 17789
- ISO/IEC 31000
- ISO/IEC 27017
- ISO/IEC 27001
Correct answer: ISO/IEC 17789
ISO/IEC 17789 defines the Cloud Computing Reference Architecture (CCRA), including roles, sub-roles, activities, and functional components. ISO/IEC 27017 provides cloud-specific security controls.
- What is the primary purpose of a Trusted Platform Module (TPM) in cloud host hardware?
- To balance VM load across a cluster
- To pool storage across hosts
- To accelerate network packet processing
- To provide a hardware root of trust for cryptographic operations and attestation
Correct answer: To provide a hardware root of trust for cryptographic operations and attestation
A TPM is a dedicated secure cryptoprocessor that provides a hardware root of trust, securely storing keys and supporting platform attestation and measured boot. It underpins trusted computing in cloud hosts.
- Which emerging technology uses a distributed, immutable ledger and is relevant to cloud security for tamper-evident record keeping?
- Quantum computing
- Confidential computing
- Blockchain
- Edge computing
Correct answer: Blockchain
Blockchain provides a distributed, append-only ledger where records are cryptographically linked, making tampering evident. It is useful for integrity-sensitive use cases such as audit trails and supply chain provenance.
- Confidential computing primarily protects data in which state?
- Data at rest
- Data in use
- Data in transit
- Data in archive
Correct answer: Data in use
Confidential computing protects data in use by performing computation within hardware-based trusted execution environments (TEEs/enclaves), keeping data encrypted even in memory during processing.
- When selecting a cloud service category for a business that wants to deploy custom applications without managing the OS or runtime, which model is most appropriate?
Correct answer: PaaS
Platform as a Service (PaaS) provides a managed platform including OS, runtime, and middleware, letting customers deploy and manage their own applications without handling the underlying infrastructure.
- Which of the following is a key advantage of using a cloud reference architecture during system design?
- It provides a common vocabulary and structure for stakeholders
- It removes all compliance obligations
- It eliminates the need for a contract
- It guarantees the lowest possible cost
Correct answer: It provides a common vocabulary and structure for stakeholders
A cloud reference architecture supplies a common framework, vocabulary, and set of components that align stakeholders and guide consistent, secure design. It does not eliminate cost, contract, or compliance considerations.
- Which NIST essential characteristic is most directly supported by a provider's automated metering of CPU, storage, and bandwidth usage?
- Resource pooling
- Rapid elasticity
- On-demand self-service
- Measured service
Correct answer: Measured service
Measured service means cloud systems automatically control and optimize resource use through metering, enabling transparency and pay-per-use billing. This supports accountability for both provider and consumer.
- What is the main security concern introduced by serverless (Function as a Service) architectures compared to traditional VMs?
- Customers must patch the underlying OS
- Higher physical security risk
- Longer boot times
- Increased attack surface from event triggers and reduced visibility into the runtime
Correct answer: Increased attack surface from event triggers and reduced visibility into the runtime
Serverless shifts OS and runtime management to the provider but introduces concerns around numerous event triggers, function permissions, and limited runtime visibility. Misconfigured permissions and insecure event sources are common risks.
- Which cloud role acts as an intermediary that negotiates relationships and may add value such as aggregation or integration between consumers and providers?
- Cloud regulator
- Cloud service broker
- Cloud auditor
- Cloud carrier
Correct answer: Cloud service broker
A cloud service broker (or partner) intermediates between consumers and providers, offering service intermediation, aggregation, or arbitrage. The cloud carrier provides connectivity and transport.
- Which principle of secure cloud design dictates that each component or user should have only the access necessary to perform its function?
- Least privilege
- Fail-safe defaults
- Defense in depth
- Separation of duties
Correct answer: Least privilege
Least privilege restricts each subject's access rights to the minimum necessary to perform its function, reducing the impact of compromise. It is foundational to identity and access management in the cloud.
- A community cloud is best characterized as infrastructure that is:
- Shared by several organizations with common concerns such as compliance
- Owned by a single tenant exclusively
- Available to the general public over the internet
- A mix of on-premises and public resources
Correct answer: Shared by several organizations with common concerns such as compliance
A community cloud is provisioned for exclusive use by a specific community of organizations that share concerns such as mission, security requirements, or compliance. It may be managed by one or more of those organizations or a third party.
- Which characteristic distinguishes rapid elasticity from simple scalability in the cloud?
- Elasticity allows resources to scale automatically and quickly, appearing unlimited to the consumer
- Elasticity only applies to storage
- Elasticity requires manual approval each time
- Elasticity is unrelated to demand
Correct answer: Elasticity allows resources to scale automatically and quickly, appearing unlimited to the consumer
Rapid elasticity allows capabilities to be provisioned and released automatically and quickly to match demand, appearing virtually unlimited to the consumer. Scalability is the broader ability to grow, while elasticity emphasizes automatic, demand-driven adjustment.
- Which framework is specifically designed to help organizations assess and document the security controls of cloud providers through a self-assessment questionnaire?
- PCI DSS SAQ
- CSA Consensus Assessments Initiative Questionnaire (CAIQ)
- MITRE ATT&CK
- OWASP Top 10
Correct answer: CSA Consensus Assessments Initiative Questionnaire (CAIQ)
The CSA CAIQ is a standardized questionnaire that providers complete (and publish via the STAR registry) to document their security controls aligned to the Cloud Controls Matrix. Consumers use it for due diligence.
- In the cloud data lifecycle, which phase immediately follows the Create phase?
Correct answer: Store
The cloud data lifecycle phases are Create, Store, Use, Share, Archive, and Destroy. Store directly follows Create, when newly created data is committed to a storage medium.
- Which encryption approach protects data such that the cloud provider cannot read it because the customer controls the keys outside the provider's environment?
- Client-side encryption with customer-managed keys
- Storage-level encryption by the provider
- Transparent data encryption by the provider
- Provider-managed keys
Correct answer: Client-side encryption with customer-managed keys
Client-side encryption with customer-managed keys (and external key management) ensures the provider never has access to plaintext or keys, preserving confidentiality even from the provider. Provider-managed keys do not offer this assurance.
- What is the primary function of tokenization in protecting sensitive data?
- It hashes data irreversibly
- It encrypts data using a public key
- It replaces sensitive values with non-sensitive surrogate values mapped in a secure vault
- It compresses data to save storage
Correct answer: It replaces sensitive values with non-sensitive surrogate values mapped in a secure vault
Tokenization substitutes sensitive data (e.g., a credit card number) with a non-sensitive token, while the mapping is kept in a secure token vault. The token has no exploitable value if exposed.
- Which technique permanently and irreversibly removes the ability to recover encrypted data by destroying the encryption keys?
- Crypto-shredding
- Data masking
- Deduplication
- Tokenization
Correct answer: Crypto-shredding
Crypto-shredding (cryptographic erasure) destroys the encryption keys so the encrypted data becomes permanently unrecoverable. It is especially useful in multi-tenant cloud where physical media destruction is impractical.
- Which data discovery approach analyzes the metadata and labels attached to data rather than the content itself?
- Lexical analysis
- Statistical sampling
- Label-based discovery
- Content analysis
Correct answer: Label-based discovery
Label-based (or metadata-based) discovery relies on existing labels and metadata to classify data, which is fast but depends on accurate labeling. Content analysis inspects the actual data.
- A Data Loss Prevention (DLP) system inspecting traffic leaving the network to block sensitive data exfiltration is operating in which mode?
- Data in motion (network) DLP
- Data in use (endpoint) DLP
- Discovery DLP
- Data at rest DLP
Correct answer: Data in motion (network) DLP
Data in motion DLP monitors and controls data traversing the network, such as email and web traffic, to prevent exfiltration. Data at rest DLP scans stored data and endpoint DLP monitors data in use on devices.
- Which key management practice provides the strongest separation of duties for cryptographic keys in the cloud?
- Using the same key for all tenants
- Storing keys alongside encrypted data
- Embedding keys in application source code
- Using a dedicated Hardware Security Module (HSM) or external KMS separate from the data
Correct answer: Using a dedicated Hardware Security Module (HSM) or external KMS separate from the data
Storing keys in a dedicated HSM or external key management service separate from the encrypted data enforces separation of duties and prevents a single point of compromise. Co-locating keys with data defeats the purpose of encryption.
- What does data masking accomplish that allows it to be used in non-production environments?
- It replaces real data with realistic but fictitious values to preserve format and usability
- It permanently deletes the original data
- It compresses the data for faster transfer
- It encrypts the data with a customer key
Correct answer: It replaces real data with realistic but fictitious values to preserve format and usability
Data masking (obfuscation) replaces sensitive data with realistic but fictitious values while preserving the format, so test and development environments can use representative data without exposing real sensitive information.
- Which type of data masking transforms data permanently before it is stored or moved to another environment?
- On-the-fly masking
- Static masking
- Dynamic masking
- Format-preserving encryption
Correct answer: Static masking
Static data masking creates a permanently altered copy of the data, typically for use in lower environments. Dynamic masking obscures data in real time as it is queried without altering the stored data.
- Information Rights Management (IRM) in the cloud primarily provides which capability?
- Persistent access controls and usage restrictions that travel with the data
- Load balancing across regions
- Network segmentation
- Automated patching of servers
Correct answer: Persistent access controls and usage restrictions that travel with the data
IRM (also called Digital Rights Management for enterprise data) embeds persistent controls in the data itself, restricting actions such as copying, printing, or forwarding even after the file leaves the organization's boundary.
- Which storage type in IaaS is most analogous to a raw, attachable disk volume presented to a virtual machine?
- Block storage
- Ephemeral cache
- File storage
- Object storage
Correct answer: Block storage
Block storage presents raw volumes that can be attached to VMs and formatted with a file system, similar to a physical disk. Object storage stores data as objects with metadata accessed via APIs.
- Which storage type is best suited for storing large volumes of unstructured data such as images and backups, accessed via HTTP APIs?
- Structured database storage
- Block storage
- Object storage
- Raw device mapping
Correct answer: Object storage
Object storage stores unstructured data as objects with rich metadata and unique identifiers, accessed over HTTP/REST APIs. It scales massively and is ideal for media, backups, and archives.
- What is the primary purpose of data classification in a cloud environment?
- To reduce storage costs
- To improve application performance
- To eliminate the need for encryption
- To assign protection levels and handling requirements based on sensitivity
Correct answer: To assign protection levels and handling requirements based on sensitivity
Data classification categorizes data by sensitivity and value so appropriate controls, handling, and protection levels can be applied. It drives downstream decisions about encryption, access, retention, and DLP policies.
- Which concept refers to residual data that remains on storage media after attempts to delete or erase it?
- Data remanence
- Data sovereignty
- Data portability
- Data minimization
Correct answer: Data remanence
Data remanence is the residual representation of data that persists after deletion. In multi-tenant cloud where physical destruction is impractical, crypto-shredding is the preferred mitigation.
- An organization wants to ensure that even if a database backup file is stolen, the contents remain unreadable. Which control most directly addresses this?
- Multi-factor authentication
- Network firewall rules
- Encryption of data at rest
- Rate limiting
Correct answer: Encryption of data at rest
Encrypting data at rest ensures that stolen storage media or backup files cannot be read without the keys. Network and authentication controls protect access but not the confidentiality of the raw stored bytes if exfiltrated.
- Which approach to key management gives the customer control over key lifecycle while still using the provider's KMS, by importing or owning the key material?
- Default service encryption
- Bring Your Own Key (BYOK)
- No key management
- Provider-generated keys
Correct answer: Bring Your Own Key (BYOK)
Bring Your Own Key (BYOK) lets customers generate or own key material and import it into the provider's key management service, retaining greater control over the key lifecycle. Hold Your Own Key (HYOK) keeps keys entirely external.
- Which of the following best describes 'data dispersion' as a cloud storage protection technique?
- Storing all data in a single region for compliance
- Compressing data before storage
- Splitting data into fragments distributed across multiple locations, often with redundancy
- Encrypting each field separately
Correct answer: Splitting data into fragments distributed across multiple locations, often with redundancy
Data dispersion (often using erasure coding) breaks data into fragments with parity and spreads them across multiple nodes or locations, improving availability and durability while making any single fragment useless on its own.
- When designing a DLP solution for cloud SaaS applications, which deployment option inspects activity by integrating with the SaaS provider's APIs?
- API-based (out-of-band) mode
- Inline proxy mode
- Endpoint agent mode
- Network tap mode
Correct answer: API-based (out-of-band) mode
API-based DLP, common in CASB solutions, connects to the SaaS provider's APIs to scan data at rest and monitor activity out-of-band. Inline proxy mode intercepts traffic in real time before it reaches the SaaS app.
- Which data lifecycle phase is the most appropriate point to apply data classification labels?
- Destroy
- Share
- Create
- Archive
Correct answer: Create
Classification should occur as early as possible, ideally during the Create phase, so the correct protections follow the data through its entire lifecycle. Late classification risks improper handling in earlier phases.
- What is the main risk addressed by 'data sovereignty' requirements?
- Excessive storage costs
- Poor data quality
- Legal jurisdiction over data based on its physical storage location
- Slow network performance
Correct answer: Legal jurisdiction over data based on its physical storage location
Data sovereignty means data is subject to the laws of the country where it is physically stored or processed. Organizations must control storage geography to meet residency and jurisdictional legal requirements.
- Which technique allows analytics to be performed on data while it remains encrypted, without decrypting it first?
- Tokenization
- Homomorphic encryption
- Symmetric encryption
- Transport Layer Security
Correct answer: Homomorphic encryption
Homomorphic encryption permits computations to be performed directly on ciphertext, producing an encrypted result that, when decrypted, matches the result of operations on the plaintext. It is promising for privacy-preserving cloud analytics.
- An organization must retain financial records for seven years and then dispose of them securely. Which combination of policies governs this?
- Backup and replication
- Data retention and data destruction policies
- Encryption and tokenization
- Access control and authentication
Correct answer: Data retention and data destruction policies
Data retention policies define how long data must be kept, and data destruction (disposal) policies define how it is securely removed afterward. Together they ensure legal compliance and reduce unnecessary data exposure.
- Which of the following is the most significant disadvantage of using provider-managed encryption keys for highly sensitive regulated data?
- It only works for data in transit
- It cannot be rotated
- The provider can technically access the plaintext, weakening assurance against provider access
- It is slower than client-side encryption
Correct answer: The provider can technically access the plaintext, weakening assurance against provider access
With provider-managed keys, the provider holds both the data and the keys, so it could technically decrypt the data, which is unacceptable for some regulated or highly sensitive data. Customer-managed or external keys mitigate this.
- Which data discovery method is most effective at finding sensitive data that has not been properly labeled?
- Label-based discovery
- Metadata indexing
- Content analysis with pattern matching
- Filename scanning
Correct answer: Content analysis with pattern matching
Content analysis inspects the actual data using pattern matching (e.g., regular expressions for SSNs or credit cards) and can find sensitive data regardless of labels. Label and metadata methods miss unlabeled data.
- What is the primary purpose of key rotation in a cloud key management system?
- To eliminate the need for backups
- To increase storage capacity
- To improve application latency
- To limit the amount of data exposed if a key is compromised and meet compliance requirements
Correct answer: To limit the amount of data exposed if a key is compromised and meet compliance requirements
Key rotation periodically replaces cryptographic keys to limit the volume of data protected by any single key, reducing the impact of a compromise and satisfying many compliance frameworks.
- Which storage controls are typically the responsibility of the customer in an IaaS object storage service?
- Data center HVAC
- Bucket access policies, encryption settings, and lifecycle rules
- Physical disk destruction
- Hypervisor patching
Correct answer: Bucket access policies, encryption settings, and lifecycle rules
In IaaS, the customer configures logical controls such as bucket/access policies, encryption options, and lifecycle/retention rules, while the provider handles physical infrastructure. Misconfigured bucket policies are a leading cause of cloud data breaches.
- Which approach best mitigates the risk of unauthorized data access between tenants in a shared cloud database?
- Single shared schema with no isolation
- Disabling encryption to improve performance
- Allowing all tenants administrative access
- Logical isolation through separate schemas/keys and strict access controls
Correct answer: Logical isolation through separate schemas/keys and strict access controls
Logical isolation using separate schemas, per-tenant encryption keys, and strict access controls prevents cross-tenant data access in multi-tenant databases. Strong tenancy controls are essential where physical isolation is not feasible.
- When a customer decommissions a cloud service, which method ensures sensitive data cannot be reconstructed despite shared physical media?
- Logical deletion only
- Renaming the storage bucket
- Disabling the user account
- Crypto-shredding by destroying the encryption keys
Correct answer: Crypto-shredding by destroying the encryption keys
Because customers cannot physically destroy shared cloud media, crypto-shredding (destroying the keys used to encrypt the data) is the recommended method to render data permanently unrecoverable upon decommissioning.
- Which metric describes the maximum acceptable amount of data loss measured in time after an incident?
- Recovery Point Objective (RPO)
- Maximum Tolerable Downtime (MTD)
- Mean Time to Repair (MTTR)
- Recovery Time Objective (RTO)
Correct answer: Recovery Point Objective (RPO)
The Recovery Point Objective (RPO) defines the maximum tolerable period of data loss, dictating how frequently backups or replication must occur. RTO defines how quickly systems must be restored.
- Which of the following best protects data in transit between a client and a cloud service?
- Tokenization vault
- Database column encryption
- TLS 1.2 or higher
- AES encryption at rest
Correct answer: TLS 1.2 or higher
Transport Layer Security (TLS) 1.2 or higher encrypts data in transit between endpoints, protecting it from interception. At-rest and column encryption protect stored data, not data moving across the network.
- What is the primary purpose of the micro-segmentation strategy in cloud infrastructure security?
- To consolidate all workloads into one subnet
- To eliminate the need for encryption
- To create granular security zones around individual workloads to limit lateral movement
- To increase network bandwidth
Correct answer: To create granular security zones around individual workloads to limit lateral movement
Micro-segmentation enforces fine-grained, workload-level security policies so that compromise of one workload cannot easily spread laterally. It is a core component of zero trust network design in the cloud.
- Which component is responsible for enforcing isolation between virtual machines on the same physical host?
- The object storage service
- The DNS resolver
- The hypervisor
- The load balancer
Correct answer: The hypervisor
The hypervisor manages and isolates VMs sharing physical hardware, controlling their access to CPU, memory, and devices. A vulnerability in the hypervisor could allow VM escape and cross-tenant compromise.
- A VM escape attack is best described as:
- Migrating a VM to another region
- Throttling a VM's CPU
- A guest VM breaking isolation to access the hypervisor or other VMs
- Deleting a VM snapshot
Correct answer: A guest VM breaking isolation to access the hypervisor or other VMs
A VM escape (or hyperjacking-adjacent) attack exploits a hypervisor vulnerability so a guest VM can break out of its isolation and access the host or neighboring VMs. It is one of the most serious virtualization threats.
- Which control plane concept refers to the management interfaces and APIs used to configure and operate cloud infrastructure?
- Storage plane
- Data plane
- Control plane
- Forwarding plane
Correct answer: Control plane
The control plane comprises the management APIs and interfaces used to provision, configure, and operate cloud resources. Compromise of the control plane is critical because it grants broad administrative authority.
- What is the primary security purpose of a bastion host (jump box) in cloud architecture?
- To provide a hardened, monitored single point of administrative access into private networks
- To store encryption keys
- To serve web content to the public
- To balance traffic across availability zones
Correct answer: To provide a hardened, monitored single point of administrative access into private networks
A bastion host is a hardened, tightly controlled system that serves as a single audited entry point for administrative access to private resources, reducing the attack surface and centralizing monitoring.
- Which approach best ensures infrastructure consistency and reduces configuration drift in the cloud?
- Disabling logging to save resources
- Ad hoc SSH changes
- Manual configuration of each server
- Infrastructure as Code (IaC) with version control
Correct answer: Infrastructure as Code (IaC) with version control
Infrastructure as Code defines infrastructure in versioned, reviewable templates, ensuring consistent, repeatable deployments and reducing configuration drift. It also enables automated security scanning of configurations.
- Which of the following is a primary benefit of deploying workloads across multiple availability zones?
- Lower data transfer costs
- Reduced need for encryption
- Higher availability and fault tolerance against zone-level failures
- Simplified compliance
Correct answer: Higher availability and fault tolerance against zone-level failures
Distributing workloads across multiple availability zones protects against the failure of any single zone, improving availability and fault tolerance. It is a foundational pattern for resilient cloud design.
- In a zero trust architecture, what is the guiding principle for granting access?
- Trust based solely on IP address
- Never trust, always verify, regardless of network location
- Trust everything inside the network perimeter
- Trust once authenticated for the entire session indefinitely
Correct answer: Never trust, always verify, regardless of network location
Zero trust assumes no implicit trust based on network location and requires continuous verification of identity, device posture, and context for every access request. This is well suited to perimeterless cloud environments.
- Which logical infrastructure component allows a customer to define an isolated, private network within a public cloud provider?
- Content delivery network
- Object storage bucket
- Virtual private cloud (VPC)
- Managed database instance
Correct answer: Virtual private cloud (VPC)
A virtual private cloud (VPC) provides a logically isolated section of the provider's network where the customer defines subnets, route tables, and security controls. It is the foundation for network segmentation in IaaS.
- What is the recommended practice for managing the security of the management plane (cloud admin console and APIs)?
- Disable session timeouts
- Allow access from any IP without restriction
- Enforce MFA, least privilege, and detailed logging on all administrative access
- Use shared admin accounts for convenience
Correct answer: Enforce MFA, least privilege, and detailed logging on all administrative access
The management plane is high-value, so it requires MFA, least-privilege roles, IP restrictions where feasible, and comprehensive logging. Compromise here can affect the entire cloud estate.
- Which type of penetration testing assesses cloud infrastructure with no prior knowledge of the environment, simulating an external attacker?
- Gray-box testing
- Black-box testing
- Static analysis
- White-box testing
Correct answer: Black-box testing
Black-box testing provides the tester no internal knowledge, simulating an external attacker's perspective. White-box testing provides full information, and gray-box provides partial knowledge.
- Which document defines the conditions, scope, and rules of engagement before performing penetration testing against a cloud provider's environment?
- Provider authorization and rules of engagement (and adherence to provider testing policy)
- A marketing agreement
- An employee handbook
- A data classification policy
Correct answer: Provider authorization and rules of engagement (and adherence to provider testing policy)
Penetration testing in the cloud requires explicit provider authorization and agreed rules of engagement to avoid violating acceptable use policies and to define scope. Many providers publish specific pen-test policies.
- What is the primary purpose of a host intrusion detection system (HIDS) on a cloud VM?
- To monitor the host for suspicious activity such as file integrity changes and anomalous processes
- To provision new VMs
- To encrypt object storage
- To balance network load
Correct answer: To monitor the host for suspicious activity such as file integrity changes and anomalous processes
A HIDS monitors activity on an individual host, detecting indicators such as file integrity violations, suspicious processes, and log anomalies. It complements network-based detection in cloud workloads.
- When designing the physical environment of a cloud data center, which control addresses environmental threats like overheating?
- TLS encryption
- Network ACLs
- Redundant HVAC and environmental monitoring
- Multifactor authentication
Correct answer: Redundant HVAC and environmental monitoring
Redundant heating, ventilation, and air conditioning (HVAC) systems with environmental monitoring maintain safe operating temperatures and humidity, protecting equipment from environmental threats. This is part of physical and environmental security.
- Which redundancy concept describes having no single point of failure in power, networking, and cooling within a data center tier rating?
- Concurrently maintainable and fault-tolerant infrastructure
- Single-homed design
- Cold standby only
- Best-effort uptime
Correct answer: Concurrently maintainable and fault-tolerant infrastructure
Higher data center tier ratings (e.g., Uptime Institute Tier III/IV) require concurrently maintainable and fault-tolerant infrastructure with redundant power, cooling, and networking paths, eliminating single points of failure.
- Which network security control inspects traffic at the application layer and can block attacks such as SQL injection before reaching a web app?
- Web application firewall (WAF)
- DNS resolver
- VPN gateway
- Network firewall (layer 3/4)
Correct answer: Web application firewall (WAF)
A web application firewall inspects HTTP/HTTPS traffic at the application layer and can detect and block attacks such as SQL injection and cross-site scripting. Traditional network firewalls operate at layers 3 and 4.
- What is the security advantage of immutable infrastructure?
- It eliminates the need for IAM
- Servers are never modified after deployment; changes require redeploying from a known-good image, reducing drift and persistence of attackers
- It allows in-place patching of running servers
- It removes the need for monitoring
Correct answer: Servers are never modified after deployment; changes require redeploying from a known-good image, reducing drift and persistence of attackers
Immutable infrastructure replaces rather than modifies running instances, deploying fresh from validated images. This reduces configuration drift and makes it harder for attackers to maintain persistence on long-lived hosts.
- Which of the following is the BEST way to secure inter-service communication within a cloud microservices deployment?
- Shared root credentials
- Disabling authentication internally
- Mutual TLS (mTLS) between services
- Plaintext HTTP for speed
Correct answer: Mutual TLS (mTLS) between services
Mutual TLS authenticates both client and server services and encrypts traffic between them, protecting east-west communication in microservices. Service meshes commonly automate mTLS enforcement.
- Which cloud infrastructure risk arises when a tenant consumes excessive shared resources, degrading performance for others?
- Data remanence
- Resource contention (noisy neighbor)
- Vendor lock-in
- Account hijacking
Correct answer: Resource contention (noisy neighbor)
The 'noisy neighbor' problem is resource contention in multi-tenant environments where one tenant's heavy usage degrades performance for others. Providers mitigate it with resource limits, quotas, and isolation.
- What is the primary function of a security group in a cloud VPC?
- To store user passwords
- To manage DNS records
- To act as a stateful virtual firewall controlling inbound and outbound traffic to instances
- To encrypt data at rest
Correct answer: To act as a stateful virtual firewall controlling inbound and outbound traffic to instances
A security group functions as a stateful virtual firewall at the instance level, defining allowed inbound and outbound traffic. Network ACLs, by contrast, are typically stateless and operate at the subnet level.
- When planning Business Continuity and Disaster Recovery (BCDR) in the cloud, what does the Recovery Time Objective (RTO) define?
- Number of availability zones
- Maximum tolerable data loss
- Maximum acceptable time to restore a service after disruption
- Frequency of backups
Correct answer: Maximum acceptable time to restore a service after disruption
The Recovery Time Objective (RTO) specifies the maximum acceptable duration to restore a service following a disruption. It drives decisions about failover architecture and recovery strategy.
- Which BCDR strategy maintains a fully running duplicate environment to enable near-instant failover?
- Hot site
- Backup tapes only
- Cold site
- Warm site
Correct answer: Hot site
A hot site is a fully operational duplicate environment that can take over with minimal delay, achieving the lowest RTO at the highest cost. Cold and warm sites trade lower cost for longer recovery times.
- Which practice reduces the attack surface of cloud VM images before deployment?
- Installing every available package
- Leaving default credentials in place
- Disabling all logging
- Hardening the image by removing unnecessary services and applying secure baselines
Correct answer: Hardening the image by removing unnecessary services and applying secure baselines
Hardening an image (golden image) by removing unneeded services, closing ports, applying CIS or similar baselines, and patching reduces the attack surface before mass deployment. Hardened base images promote consistency.
- Which type of cloud network attack involves overwhelming a service with traffic from many distributed sources to deny availability?
- SQL injection
- Privilege escalation
- Distributed Denial of Service (DDoS)
- Cross-site scripting
Correct answer: Distributed Denial of Service (DDoS)
A Distributed Denial of Service (DDoS) attack floods a target with traffic from many compromised sources to exhaust resources and deny availability. Cloud providers offer DDoS protection and scrubbing services to mitigate it.
- Which approach to identity management is recommended for granting cloud VMs access to other cloud services without embedding static credentials?
- Hardcoding access keys in code
- Sharing the root account key
- Using instance roles / managed identities that provide temporary credentials
- Storing credentials in plaintext config files
Correct answer: Using instance roles / managed identities that provide temporary credentials
Instance roles or managed identities supply temporary, automatically rotated credentials to workloads, eliminating the need to embed static secrets. This greatly reduces the risk of credential leakage.
- Which physical security principle ensures that an individual cannot enter a secure data center area without being authenticated and preventing tailgating?
- Mantrap (access control vestibule)
- Single shared badge
- Honor system entry
- Open-door policy
Correct answer: Mantrap (access control vestibule)
A mantrap, or access control vestibule, uses two interlocking doors so only one authenticated person passes at a time, preventing tailgating into secure areas. It is a common physical control in data centers.
- Which secure software development practice integrates security testing automatically into the build and deployment pipeline?
- Manual review only after release
- Waterfall sign-off at the end
- DevSecOps with automated SAST/DAST in the CI/CD pipeline
- Skipping testing to ship faster
Correct answer: DevSecOps with automated SAST/DAST in the CI/CD pipeline
DevSecOps embeds security into the CI/CD pipeline, running automated static (SAST) and dynamic (DAST) analysis and other checks continuously. This 'shifts security left' so issues are caught early.
- Which OWASP category addresses flaws where untrusted data is sent to an interpreter, allowing attacks such as SQL or command injection?
- Vulnerable and Outdated Components
- Injection
- Cryptographic Failures
- Security Misconfiguration
Correct answer: Injection
Injection flaws occur when untrusted input is interpreted as a command or query, enabling SQL, NoSQL, OS command, and similar attacks. Parameterized queries and input validation are primary defenses.
- What is the primary purpose of input validation in secure application development?
- To cache database queries
- To improve page load speed
- To compress responses
- To ensure data conforms to expected format and reject malicious input
Correct answer: To ensure data conforms to expected format and reject malicious input
Input validation enforces that incoming data matches expected types, lengths, and formats, rejecting malformed or malicious input. Combined with output encoding, it mitigates injection and many other attacks.
- Which testing method analyzes source code without executing it to find security flaws?
- Fuzz testing
- Static Application Security Testing (SAST)
- Penetration testing
- Dynamic Application Security Testing (DAST)
Correct answer: Static Application Security Testing (SAST)
SAST examines source code, bytecode, or binaries without running the application to detect vulnerabilities early. DAST tests a running application from the outside, finding runtime issues.
- Which testing method evaluates a running application by sending inputs and observing responses, without access to source code?
- Code review
- SAST
- Software composition analysis
- DAST
Correct answer: DAST
Dynamic Application Security Testing (DAST) tests a running application from the outside, simulating attacks to find runtime vulnerabilities such as injection and authentication flaws. It complements SAST.
- What does Software Composition Analysis (SCA) primarily detect?
- Network misconfigurations
- Known vulnerabilities in open-source and third-party dependencies
- Custom code logic errors
- Physical security gaps
Correct answer: Known vulnerabilities in open-source and third-party dependencies
Software Composition Analysis identifies open-source and third-party components in an application and flags those with known vulnerabilities or problematic licenses. It is essential given heavy reliance on dependencies.
- Which API security control limits the number of requests a client can make in a given period to prevent abuse?
- Load balancing
- Content compression
- Caching
- Rate limiting (throttling)
Correct answer: Rate limiting (throttling)
Rate limiting (throttling) caps how many requests a client may make over a time window, mitigating brute-force, scraping, and denial-of-service abuse against APIs. It is a standard API gateway control.
- Which standard is commonly used for delegated authorization, allowing an application to access resources on a user's behalf without sharing credentials?
- Kerberos
- SAML
- LDAP
- OAuth 2.0
Correct answer: OAuth 2.0
OAuth 2.0 is an authorization framework that lets applications obtain limited access to user resources via tokens, without exposing the user's credentials. OpenID Connect adds an authentication layer on top of OAuth 2.0.
- What is the primary role of OpenID Connect (OIDC) relative to OAuth 2.0?
- It adds an identity/authentication layer providing verifiable user identity (ID tokens)
- It manages firewall rules
- It encrypts data at rest
- It replaces TLS
Correct answer: It adds an identity/authentication layer providing verifiable user identity (ID tokens)
OpenID Connect builds on OAuth 2.0 to add authentication, issuing ID tokens that convey verified user identity. OAuth alone handles authorization, not authentication.
- Which threat modeling methodology uses the categories Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege?
Correct answer: STRIDE
STRIDE categorizes threats as Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. It helps developers systematically identify threats during design.
- Which secure coding practice prevents cross-site scripting (XSS) by ensuring user-supplied data is rendered safely in a web page?
- Output encoding/escaping
- Increasing server memory
- Disabling cookies
- Using HTTP instead of HTTPS
Correct answer: Output encoding/escaping
Output encoding (contextual escaping) ensures user-supplied data is treated as data, not executable script, when rendered, preventing cross-site scripting. It is paired with input validation and a Content Security Policy.
- What is the main security purpose of an API gateway in cloud application architecture?
- To compile source code
- To provision virtual machines
- To store application data
- To centralize authentication, authorization, rate limiting, and logging for API traffic
Correct answer: To centralize authentication, authorization, rate limiting, and logging for API traffic
An API gateway is a single entry point that centralizes cross-cutting concerns such as authentication, authorization, throttling, and logging for backend APIs. This consistent enforcement strengthens API security.
- Which phase of the secure SDLC focuses on identifying security requirements and performing threat modeling?
- Maintenance
- Deployment
- Disposal
- Design
Correct answer: Design
The design phase is where security requirements are refined and threat modeling is performed to identify and mitigate risks before code is written. Addressing flaws here is far cheaper than after release.
- Which container security best practice reduces the risk of running vulnerable software in production?
- Using the latest tag without pinning
- Disabling image registries
- Scanning container images for vulnerabilities before deployment
- Running all containers as root
Correct answer: Scanning container images for vulnerabilities before deployment
Scanning container images for known vulnerabilities before deployment, and using trusted, signed, minimal base images, reduces the risk of shipping exploitable software. It is a core step in container CI/CD pipelines.
- Why is running containers as a non-root user considered a security best practice?
- It improves image download speed
- It removes the need for network policies
- It eliminates the need for image scanning
- It limits the impact of a container compromise by reducing privileges available to an attacker
Correct answer: It limits the impact of a container compromise by reducing privileges available to an attacker
Running containers as non-root applies least privilege, so a compromised container has fewer capabilities and a breakout to the host is harder. It is a key container hardening control.
- Which OWASP API Security risk involves an API exposing object identifiers that an attacker can manipulate to access unauthorized data?
- Excessive logging
- Broken Object Level Authorization (BOLA/IDOR)
- Rate limiting
- Strong encryption
Correct answer: Broken Object Level Authorization (BOLA/IDOR)
Broken Object Level Authorization (BOLA), also called IDOR, occurs when an API fails to verify that the requesting user is authorized for the specific object referenced by an ID. It is the top API security risk.
- What is the primary purpose of a Software Bill of Materials (SBOM)?
- To define network routing rules
- To list physical hardware in a data center
- To provide an inventory of components and dependencies in software for supply chain transparency
- To track employee access
Correct answer: To provide an inventory of components and dependencies in software for supply chain transparency
An SBOM is a formal inventory of all components and dependencies in a software product, enabling rapid identification of affected systems when a vulnerability (e.g., in a library) is disclosed. It supports supply chain security.
- Which approach best protects secrets such as API keys and database passwords used by cloud applications?
- Hardcoding them in source code
- Emailing them to developers
- Committing them to the public repository
- Storing them in a managed secrets manager with access controls and rotation
Correct answer: Storing them in a managed secrets manager with access controls and rotation
A managed secrets manager stores secrets encrypted, enforces access policies, audits access, and supports automatic rotation. Hardcoding or committing secrets exposes them to leakage and is a common breach cause.
- Which testing technique sends malformed or random data to an application to discover crashes and unexpected behavior?
- Fuzz testing
- Smoke testing
- Regression testing
- Unit testing
Correct answer: Fuzz testing
Fuzz testing (fuzzing) automatically injects malformed, unexpected, or random inputs to uncover crashes, memory errors, and security flaws. It is effective at finding edge-case vulnerabilities.
- Which control verifies the integrity and origin of a deployed software artifact in a cloud pipeline?
- Code signing and artifact verification
- Disabling TLS
- Adding more CPU
- Increasing log verbosity
Correct answer: Code signing and artifact verification
Code signing and verifying artifact signatures ensure that deployed software has not been tampered with and originates from a trusted source. This protects the integrity of the software supply chain.
- Which authentication factor category does a hardware security key (e.g., FIDO2) represent?
- Something you have
- Something you know
- Something you are
- Somewhere you are
Correct answer: Something you have
A hardware security key is a possession factor, 'something you have.' Combined with a password (something you know) or biometric (something you are), it provides strong multi-factor authentication resistant to phishing.
- What is the security benefit of using short-lived, scoped access tokens over long-lived static tokens in APIs?
- They limit the window of misuse if leaked and reduce blast radius
- They eliminate the need for TLS
- They increase API latency
- They are easier to memorize
Correct answer: They limit the window of misuse if leaked and reduce blast radius
Short-lived, narrowly scoped tokens expire quickly and grant minimal permissions, so a leaked token is useful to an attacker only briefly and for limited actions. This reduces the blast radius of credential compromise.
- Which cloud-native security practice involves verifying that infrastructure-as-code templates comply with security policies before provisioning?
- Policy-as-code scanning of IaC templates
- Manual server hardening
- Granting admin to all developers
- Disabling version control
Correct answer: Policy-as-code scanning of IaC templates
Policy-as-code tools scan IaC templates against defined security policies before deployment, catching misconfigurations such as open security groups or unencrypted storage early. This shifts security left into the build process.
- Which application-layer protection helps mitigate cross-site request forgery (CSRF)?
- Disabling cookies entirely
- Increasing TLS key length
- Anti-CSRF tokens tied to the user session
- Using a CDN
Correct answer: Anti-CSRF tokens tied to the user session
Anti-CSRF tokens (synchronizer tokens) bound to the user's session ensure that state-changing requests originate from the legitimate application, blocking forged cross-site requests. SameSite cookie attributes also help.
- What is the primary reason to validate data on the server side even when client-side validation exists?
- Server validation is faster
- Client-side validation is more secure
- It reduces server load
- Client-side validation can be bypassed by an attacker, so server-side validation is authoritative
Correct answer: Client-side validation can be bypassed by an attacker, so server-side validation is authoritative
Client-side validation improves user experience but can be trivially bypassed by attackers manipulating requests. Server-side validation is the authoritative, trustworthy control and must always be enforced.
- Which approach to functional cloud application testing verifies that the application correctly implements specified security requirements?
- Usability testing
- Abuse case testing only
- Performance load testing
- Security functional testing against requirements
Correct answer: Security functional testing against requirements
Security functional testing verifies that implemented controls (e.g., authentication, authorization, logging) meet defined security requirements. It complements non-functional and abuse-case testing in a comprehensive program.
- Which phase of incident response focuses on limiting the scope and magnitude of an incident?
- Recovery
- Containment
- Detection
- Eradication
Correct answer: Containment
Containment limits the spread and impact of an incident, isolating affected systems before eradication removes the threat and recovery restores normal operations. Short-term and long-term containment strategies are often distinguished.
- Which tool aggregates and correlates log and event data from across the cloud environment to detect security incidents?
- Security Information and Event Management (SIEM)
- Load balancer
- DNS server
- Content delivery network
Correct answer: Security Information and Event Management (SIEM)
A SIEM collects, normalizes, and correlates logs and events from many sources to detect, alert on, and support investigation of security incidents. It is central to cloud security monitoring.
- What is the primary purpose of a Cloud Access Security Broker (CASB)?
- To provision virtual machines
- To replace the hypervisor
- To manage physical data center access
- To enforce security policy between cloud users and cloud services, providing visibility and control over SaaS usage
Correct answer: To enforce security policy between cloud users and cloud services, providing visibility and control over SaaS usage
A CASB sits between users and cloud services to enforce security policies, provide visibility into cloud usage (including shadow IT), and apply controls such as DLP, threat protection, and access governance.
- Which operational practice ensures cloud systems are kept current against known vulnerabilities?
- Patch and vulnerability management
- Disabling logging
- Increasing instance sizes
- Removing MFA
Correct answer: Patch and vulnerability management
Patch and vulnerability management identifies, prioritizes, and remediates vulnerabilities through timely patching and configuration fixes. In immutable environments this often means redeploying updated images.
- Which configuration management concept establishes an approved, secure starting configuration for systems?
- A data classification
- A load test
- A penetration test
- A security baseline
Correct answer: A security baseline
A security baseline defines the approved, secure configuration standard for a system type. Deviations from the baseline are detected as configuration drift and remediated.
- What is the main goal of change management in cloud security operations?
- To eliminate logging
- To stop all changes permanently
- To bypass testing for speed
- To ensure changes are reviewed, approved, tested, and documented to reduce risk
Correct answer: To ensure changes are reviewed, approved, tested, and documented to reduce risk
Change management ensures changes are evaluated for risk, approved, tested, documented, and reversible, minimizing the chance that changes cause outages or security gaps. It maintains the integrity of the environment.
- Which forensic principle is most challenging in multi-tenant cloud environments?
- Powering off the data center
- Confiscating provider hardware
- Maintaining chain of custody and isolating relevant data without affecting other tenants
- Imaging every physical disk
Correct answer: Maintaining chain of custody and isolating relevant data without affecting other tenants
In multi-tenant cloud, investigators must preserve chain of custody and collect only the relevant tenant's data without disturbing other tenants or seizing shared hardware. Provider cooperation and cloud-native collection methods are essential.
- Which document captures the agreed-upon performance and availability metrics between a customer and a cloud provider?
- Acceptable Use Policy
- Penetration test report
- Service Level Agreement (SLA)
- Business Impact Analysis
Correct answer: Service Level Agreement (SLA)
A Service Level Agreement (SLA) defines measurable commitments such as uptime, performance, and support response, along with remedies for breaches. It is a key tool for managing provider accountability.
- Which monitoring approach detects deviations from normal behavior rather than matching known attack signatures?
- Port scanning
- Static code analysis
- Signature-based detection
- Anomaly (behavior-based) detection
Correct answer: Anomaly (behavior-based) detection
Anomaly-based detection establishes a baseline of normal behavior and flags deviations, enabling detection of novel or unknown threats. Signature-based detection only catches known patterns.
- What is the purpose of log centralization and aggregation in cloud operations?
- To encrypt data at rest only
- To reduce the number of servers
- To improve application UI
- To consolidate logs for correlation, retention, tamper resistance, and investigation
Correct answer: To consolidate logs for correlation, retention, tamper resistance, and investigation
Centralizing logs into a protected, aggregated store enables correlation across sources, supports retention/compliance requirements, resists tampering by attackers, and facilitates investigations. Distributed, deletable logs are easily lost or altered.
- Which ITIL-aligned process restores normal service operation as quickly as possible after a disruption?
- Release management
- Incident management
- Problem management
- Capacity management
Correct answer: Incident management
Incident management focuses on restoring normal service as quickly as possible and minimizing business impact. Problem management addresses the underlying root cause to prevent recurrence.
- Which ITIL process identifies and addresses the root cause of recurring incidents?
- Change management
- Service catalog management
- Incident management
- Problem management
Correct answer: Problem management
Problem management investigates and resolves the root causes of incidents to prevent recurrence, whereas incident management focuses on rapid service restoration. Both are part of IT service management.
- What is the security benefit of network flow logs in a cloud VPC?
- They replace firewalls
- They provide records of accepted and rejected traffic for monitoring, investigation, and anomaly detection
- They speed up the network
- They encrypt traffic
Correct answer: They provide records of accepted and rejected traffic for monitoring, investigation, and anomaly detection
VPC flow logs capture metadata about network traffic (source, destination, ports, accept/reject), supporting security monitoring, troubleshooting, and forensic investigation. They do not encrypt or block traffic themselves.
- Which practice ensures that only approved software runs on cloud workloads by permitting known-good applications?
- Application allowlisting (whitelisting)
- Granting local admin to all users
- Disabling antivirus
- Open execution policy
Correct answer: Application allowlisting (whitelisting)
Application allowlisting permits only explicitly approved applications to execute, blocking unknown or malicious software by default. It is a strong preventive control against malware.
- What is the primary purpose of a runbook (or playbook) in cloud security operations?
- To store encryption keys
- To define pricing
- To provide standardized, repeatable procedures for responding to specific events or incidents
- To advertise services
Correct answer: To provide standardized, repeatable procedures for responding to specific events or incidents
A runbook or playbook documents step-by-step procedures for handling specific operational or security events, ensuring consistent, efficient, and auditable responses. Automated playbooks underpin SOAR platforms.
- Which technology automates the orchestration of incident response actions across security tools?
- SOAR (Security Orchestration, Automation, and Response)
- SIEM only
- CDN
- DNS
Correct answer: SOAR (Security Orchestration, Automation, and Response)
SOAR platforms automate and orchestrate response workflows across multiple security tools using playbooks, reducing manual effort and response time. They often integrate with SIEMs to act on detected events.
- Which evidence-handling principle requires documenting every person who handled evidence and when?
- Defense in depth
- Separation of duties
- Chain of custody
- Least privilege
Correct answer: Chain of custody
Chain of custody documents the chronological handling of evidence, including who collected, accessed, or transferred it and when, preserving its integrity and admissibility. It is critical for digital forensics.
- Which capacity management activity ensures cloud resources meet current and projected demand without over- or under-provisioning?
- Removing redundancy
- Disabling autoscaling
- Deleting all logs
- Forecasting and monitoring resource utilization
Correct answer: Forecasting and monitoring resource utilization
Capacity management forecasts demand and monitors utilization so resources are provisioned efficiently, balancing performance, availability, and cost. Autoscaling and right-sizing are common cloud techniques.
- What is the purpose of conducting regular tabletop exercises in cloud security operations?
- To test and improve incident response plans and team coordination through simulated scenarios
- To configure firewalls
- To increase storage capacity
- To replace technical controls
Correct answer: To test and improve incident response plans and team coordination through simulated scenarios
Tabletop exercises simulate incident scenarios in a discussion-based format to validate response plans, clarify roles, and identify gaps without disrupting production. They strengthen organizational readiness.
- Which monitoring metric helps operations teams measure the average time taken to detect a security incident?
- Mean Time to Detect (MTTD)
- Service uptime percentage
- Cost per instance
- Recovery Point Objective
Correct answer: Mean Time to Detect (MTTD)
Mean Time to Detect (MTTD) measures how long, on average, it takes to identify an incident after it begins. Reducing MTTD (and Mean Time to Respond) limits attacker dwell time and damage.
- Which approach best maintains availability during planned maintenance of cloud systems?
- Removing all backups
- Rolling updates with load balancing and redundant instances
- Taking the entire service offline
- Disabling monitoring during maintenance
Correct answer: Rolling updates with load balancing and redundant instances
Rolling updates take instances out of rotation behind a load balancer, update them, and return them to service incrementally, maintaining availability throughout. Redundancy ensures capacity during the process.
- Which step should occur after eradication and recovery in the incident response lifecycle?
- Preparation
- Containment
- Lessons learned (post-incident activity)
- Detection
Correct answer: Lessons learned (post-incident activity)
The post-incident 'lessons learned' phase reviews the incident to improve processes, controls, and the response plan. It closes the loop and feeds back into preparation for future incidents.
- Which control helps detect insider misuse by ensuring no single administrator can perform a sensitive action alone?
- Granting everyone root
- Separation of duties with dual authorization
- Shared admin accounts
- Disabling audit logs
Correct answer: Separation of duties with dual authorization
Separation of duties, often enforced with dual authorization for sensitive actions, prevents any single individual from completing a high-risk operation alone, reducing the risk of insider misuse and error.
- Which agreement type between an internal customer and provider documents the level of service expected but is typically non-contractual and internal?
- Non-disclosure Agreement
- Master Service Agreement
- Operational Level Agreement (OLA)
- Statement of Work
Correct answer: Operational Level Agreement (OLA)
An Operational Level Agreement (OLA) defines interdependent service commitments between internal teams supporting an external SLA. It is internal and supports the customer-facing SLA rather than replacing it.
- Under GDPR, which role determines the purposes and means of processing personal data?
- Data processor
- Data subject
- Data controller
- Supervisory authority
Correct answer: Data controller
The data controller determines the purposes and means of processing personal data and bears primary accountability. A processor (often the cloud provider) processes data on the controller's behalf.
- In cloud contracts, which clause defines what happens to customer data and services when the contract ends?
- Termination and data return/destruction clause
- Indemnification clause
- Force majeure clause
- Pricing clause
Correct answer: Termination and data return/destruction clause
Termination clauses should specify how customer data is returned or securely destroyed and how services wind down at contract end. This protects portability and prevents data being stranded with the provider.
- Which standard provides cloud-specific privacy controls for processing personally identifiable information (PII) by public cloud providers acting as processors?
- ISO/IEC 27018
- ISO/IEC 27001
- SOC 1
- PCI DSS
Correct answer: ISO/IEC 27018
ISO/IEC 27018 provides a code of practice for protecting PII in public clouds acting as data processors, extending ISO/IEC 27002 with privacy-specific controls. It is widely referenced in cloud privacy assurance.
- Which risk treatment option involves purchasing insurance to address financial impact of a risk?
- Risk transfer
- Risk avoidance
- Risk acceptance
- Risk mitigation
Correct answer: Risk transfer
Risk transfer shifts the financial impact of a risk to a third party, commonly through insurance or contractual indemnification. It does not eliminate the risk but allocates its consequences.
- Which document analyzes the potential effects of disruptions to critical business functions and informs continuity planning?
- Acceptable Use Policy
- Service Level Agreement
- Data classification policy
- Business Impact Analysis (BIA)
Correct answer: Business Impact Analysis (BIA)
A Business Impact Analysis (BIA) identifies critical functions and quantifies the impact of their disruption over time, establishing RTO and RPO targets that drive BCDR planning. It is foundational to continuity strategy.
- Which framework provides a catalog of security and privacy controls widely used by U.S. federal agencies and adopted broadly in industry?
- NIST SP 800-53
- GDPR
- COBIT
- PCI DSS
Correct answer: NIST SP 800-53
NIST SP 800-53 provides a comprehensive catalog of security and privacy controls for federal information systems and is broadly adopted across industry. FedRAMP authorizations for cloud services are based on it.
- What does the U.S. FedRAMP program primarily standardize?
- Data center construction
- A standardized approach to security assessment, authorization, and continuous monitoring for cloud services used by federal agencies
- Network protocols
- Cloud pricing
Correct answer: A standardized approach to security assessment, authorization, and continuous monitoring for cloud services used by federal agencies
FedRAMP standardizes how cloud products and services are security-assessed, authorized, and continuously monitored for use by U.S. federal agencies. It promotes 'do once, use many times' authorizations.
- Which type of audit report restricts distribution to the service organization, its customers, and their auditors, and details controls and test results?
- SOC 3 report
- SOC 2 (Type II) report
- Public press release
- SOC 1 Type I
Correct answer: SOC 2 (Type II) report
A SOC 2 report is a restricted-use report detailing controls relevant to security, availability, processing integrity, confidentiality, and privacy, including test results for Type II. A SOC 3 is a general-use summary.
- Which concept refers to the legal requirement that data be subject to the laws of the country in which it resides?
- Data masking
- Data sovereignty
- Data minimization
- Data portability
Correct answer: Data sovereignty
Data sovereignty holds that data is governed by the laws of the jurisdiction in which it is physically located. It drives requirements about where cloud data may be stored and processed.
- Which standard is specifically focused on protecting cardholder data for organizations that handle payment cards?
- GDPR
- PCI DSS
- HIPAA
- ISO 22301
Correct answer: PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) defines requirements for protecting cardholder data for any entity that stores, processes, or transmits payment card information. It is enforced contractually by the card brands.
- Which regulation in the United States governs the privacy and security of protected health information?
Correct answer: HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) governs the privacy and security of protected health information (PHI) in the U.S. Cloud providers handling PHI typically must sign a Business Associate Agreement.
- Which contract is required between a covered entity and a cloud provider handling protected health information under HIPAA?
- Non-disclosure Agreement
- Business Associate Agreement (BAA)
- Service Level Agreement
- Master Service Agreement
Correct answer: Business Associate Agreement (BAA)
Under HIPAA, a Business Associate Agreement (BAA) must be in place with any vendor, including a cloud provider, that handles PHI. It defines responsibilities for safeguarding PHI and breach notification.
- Which principle of data privacy requires collecting only the personal data necessary for the stated purpose?
- Data maximization
- Data minimization
- Data replication
- Data aggregation
Correct answer: Data minimization
Data minimization, a core privacy principle (including under GDPR), requires that only personal data necessary for the specified purpose be collected and retained. It reduces risk and supports compliance.
- Which assessment specifically evaluates the privacy risks of a new system or process handling personal data?
- Load test
- Vulnerability scan
- Penetration test
- Privacy Impact Assessment (PIA) / Data Protection Impact Assessment (DPIA)
Correct answer: Privacy Impact Assessment (PIA) / Data Protection Impact Assessment (DPIA)
A Privacy Impact Assessment (PIA), called a Data Protection Impact Assessment (DPIA) under GDPR, evaluates privacy risks of processing personal data and identifies mitigations. It is required for high-risk processing under GDPR.
- In vendor risk management, what is the primary purpose of reviewing a provider's third-party audit reports and certifications?
- To negotiate lower prices
- To replace the customer's own controls entirely
- To avoid signing any contract
- To gain independent assurance about the provider's control environment for due diligence
Correct answer: To gain independent assurance about the provider's control environment for due diligence
Reviewing independent audit reports (e.g., SOC 2, ISO 27001) and certifications provides assurance about the provider's controls during due diligence. It informs risk decisions but does not transfer all responsibility to the provider.
- Which legal process compels the preservation and production of electronically stored information relevant to litigation?
- Penetration testing
- eDiscovery
- Tokenization
- Data masking
Correct answer: eDiscovery
eDiscovery is the identification, preservation, collection, and production of electronically stored information for legal proceedings. Cloud complicates eDiscovery due to data location, multi-tenancy, and provider access constraints.
- Which qualitative risk measure combines the likelihood of a threat with the magnitude of its impact?
- Throughput
- Uptime percentage
- Latency
- Risk score/rating
Correct answer: Risk score/rating
A risk score or rating typically combines likelihood and impact to prioritize risks for treatment. Qualitative methods use scales (e.g., low/medium/high) while quantitative methods use values like ALE.
- Which quantitative risk metric represents the expected monetary loss from a risk over a one-year period?
- Annualized Rate of Occurrence (ARO)
- Single Loss Expectancy (SLE)
- Annualized Loss Expectancy (ALE)
- Exposure Factor (EF)
Correct answer: Annualized Loss Expectancy (ALE)
Annualized Loss Expectancy (ALE) is calculated as Single Loss Expectancy (SLE) multiplied by the Annualized Rate of Occurrence (ARO), representing expected annual loss. It supports cost-benefit decisions on controls.
- A finance team complains that their on-premises ordering system requires them to file an IT ticket and wait two days whenever they need a new test server. A cloud architect explains that the public cloud equivalent lets the team allocate compute and storage themselves through a web portal or API, with no human interaction on the provider's side. Which NIST essential characteristic of cloud computing is the architect describing?
- On-demand self-service
- Broad network access
- Measured service
- Resource pooling
Correct answer: On-demand self-service
On-demand self-service is the NIST SP 800-145 essential characteristic that lets a consumer unilaterally provision computing capabilities, such as server time and storage, automatically and without requiring human interaction with the service provider. Broad network access concerns availability over the network through standard mechanisms, and resource pooling concerns multi-tenant sharing of provider resources; neither addresses the self-service provisioning the architect highlighted.
- During a design review, a stakeholder asks for the formal, vendor-neutral definition the CCSP body of knowledge relies on for the term 'cloud computing.' Which source provides that definition and the five essential characteristics, three service models, and four deployment models?
- ISO/IEC 27017
- NIST Special Publication 800-145
- NIST Special Publication 800-53
- The CSA Cloud Controls Matrix
Correct answer: NIST Special Publication 800-145
NIST Special Publication 800-145, The NIST Definition of Cloud Computing, is the authoritative document that defines cloud computing and enumerates the five essential characteristics, three service models, and four deployment models used throughout the CCSP body of knowledge. NIST SP 800-53 is a security and privacy controls catalog, ISO/IEC 27017 provides cloud security control guidance, and the CSA Cloud Controls Matrix is a control framework; none of these supplies the canonical definition.
- A retailer's e-commerce platform sees predictable traffic most of the year but a tenfold surge during a holiday weekend. The architecture is built so that capacity is automatically added in seconds as demand climbs and released just as quickly afterward, so the retailer appears to have unlimited capacity available at any time. Which NIST essential characteristic does this behavior demonstrate?
- Broad network access
- Rapid elasticity
- On-demand self-service
- Resource pooling
Correct answer: Rapid elasticity
Rapid elasticity is the NIST essential characteristic describing capabilities that can be elastically provisioned and released, in some cases automatically, to scale rapidly with demand, so that to the consumer the capabilities often appear to be unlimited. On-demand self-service describes the consumer's ability to provision without provider interaction, which is related but distinct from the automatic scaling and release that elasticity captures.
- A managed services firm runs the customer's workload on physical infrastructure that simultaneously serves many other tenants, dynamically assigning and reassigning processor, memory, and storage according to each tenant's demand. The customer generally has no knowledge or control over the exact physical location of the resources serving them. Which NIST essential characteristic is in play?
- Measured service
- On-demand self-service
- Resource pooling
- Rapid elasticity
Correct answer: Resource pooling
Resource pooling is the NIST essential characteristic in which the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with physical and virtual resources dynamically assigned and reassigned according to demand and a degree of location independence. Measured service concerns metering and billing of usage, not the multi-tenant sharing of pooled resources described here.
- A SaaS provider's contract states that customers are billed precisely for the storage, API calls, and active user seats they consume, and that both parties can view transparent usage dashboards. Which NIST essential characteristic underpins this pay-for-what-you-use, transparent reporting model?
- Measured service
- Rapid elasticity
- Broad network access
- Resource pooling
Correct answer: Measured service
Measured service is the NIST essential characteristic in which cloud systems automatically control and optimize resource use by leveraging a metering capability appropriate to the type of service, so that usage can be monitored, controlled, and reported transparently for both the provider and consumer. Rapid elasticity concerns scaling capacity, not the metering and billing transparency described.
- An organization wants its mobile, tablet, laptop, and thin-client users to all reach a cloud application over the internet using standard protocols, without specialized client hardware. Which NIST essential characteristic most directly supports this requirement?
- Measured service
- On-demand self-service
- Broad network access
- Rapid elasticity
Correct answer: Broad network access
Broad network access is the NIST essential characteristic stating that capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms such as phones, tablets, laptops, and workstations. The other characteristics address provisioning, metering, and scaling rather than network availability across diverse client devices.
- A development team needs to deploy a custom application but wants the cloud provider to manage the operating systems, runtime, and middleware, so the team can focus only on their code and data. Which cloud service model best fits this requirement?
- Platform as a Service (PaaS)
- Software as a Service (SaaS)
- Infrastructure as a Service (IaaS)
- Storage as a Service
Correct answer: Platform as a Service (PaaS)
Platform as a Service (PaaS) gives the consumer a managed application-hosting environment, including the operating system, runtime, and middleware, while the consumer controls only the deployed applications and their configuration and data. IaaS would require the team to manage operating systems themselves, and SaaS provides a finished application with no room to deploy custom code.
- An IT director wants maximum control over operating systems, networking configuration, and patching, renting only virtualized compute, storage, and network from the provider. Which service model gives the consumer the most control over the stack above the hypervisor?
- Identity as a Service (IDaaS)
- Software as a Service (SaaS)
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
Correct answer: Infrastructure as a Service (IaaS)
Infrastructure as a Service (IaaS) provides fundamental computing resources such as processing, storage, and networks, with the consumer controlling operating systems, storage, and deployed applications and possibly limited networking components. PaaS abstracts away the operating system, and SaaS provides a complete application, so neither gives the consumer the operating-system-level control the director requires.
- A small business uses a fully hosted email and document collaboration suite where they only manage their account settings and data; the provider runs everything else. Which service model does this represent?
- Infrastructure as a Service (IaaS)
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Database as a Service
Correct answer: Software as a Service (SaaS)
Software as a Service (SaaS) delivers a complete provider-managed application that the consumer accesses without managing the underlying infrastructure, platform, or even individual application capabilities beyond limited user-specific configuration. PaaS and IaaS would leave the consumer responsible for deploying applications or operating systems, which the fully hosted suite does not require.
- A defense contractor builds a private cloud that it provisions exclusively for its own use, operated on-premises by its internal team. Which NIST deployment model is this, and what is its defining trait?
- Hybrid cloud, where two or more distinct infrastructures are bound together
- Community cloud, where the infrastructure is shared by organizations with common concerns
- Public cloud, where the infrastructure is open for use by the general public
- Private cloud, where the infrastructure is provisioned for exclusive use by a single organization
Correct answer: Private cloud, where the infrastructure is provisioned for exclusive use by a single organization
A private cloud per NIST is cloud infrastructure provisioned for exclusive use by a single organization comprising multiple consumers; it may be owned, managed, and operated by the organization, a third party, or a combination, and may exist on or off premises. A community cloud serves several organizations with shared concerns, and a public cloud is open to the general public, so neither matches single-organization exclusivity.
- Several hospitals in a region that share regulatory, security, and mission requirements jointly fund and use a cloud environment dedicated to their group rather than the open market. Which NIST deployment model best describes this arrangement?
- Hybrid cloud
- Public cloud
- Private cloud
- Community cloud
Correct answer: Community cloud
A community cloud is infrastructure provisioned for exclusive use by a specific community of consumers from organizations that share concerns such as mission, security requirements, policy, and compliance considerations. A private cloud serves a single organization, and a public cloud is open to the general public, so neither captures the shared-community model the hospitals adopted.
- An organization keeps its sensitive records in its private cloud but routes overflow web traffic to a public cloud during peak periods, keeping the two environments as distinct infrastructures connected by standardized technology that enables data and application portability. Which deployment model is this?
- Multi-cloud
- Public cloud
- Hybrid cloud
- Community cloud
Correct answer: Hybrid cloud
A hybrid cloud is a composition of two or more distinct cloud infrastructures, such as private and public, that remain unique entities but are bound together by standardized or proprietary technology enabling data and application portability. Multi-cloud refers to using multiple providers of the same type and is not a NIST deployment model, so it does not describe binding a private and a public environment.
- A risk committee asks for the precise term describing the scenario where a private cloud temporarily reaches into a public cloud to absorb a short spike in demand, then releases that capacity. Which term and benefit best describe this?
- Lift-and-shift, which rehosts an application unchanged in the cloud
- Forklift migration, which moves an entire workload to a new provider at once
- Cloud bursting, which lets an organization handle peak demand using public cloud capacity while keeping baseline workloads private
- Geo-fencing, which restricts workloads to specific physical regions
Correct answer: Cloud bursting, which lets an organization handle peak demand using public cloud capacity while keeping baseline workloads private
Cloud bursting is a hybrid cloud technique in which an application running in a private cloud bursts into a public cloud when demand spikes, so the organization handles peaks with rented capacity while keeping steady-state workloads in the controlled private environment. Lift-and-shift and forklift migration describe relocating workloads, and geo-fencing restricts location; none captures the temporary overflow-to-public behavior.
- A governance lead distinguishes the parties in the NIST cloud reference architecture. Which role makes cloud services available to consumers and is responsible for the service delivery and the underlying infrastructure?
- Cloud carrier
- Cloud service consumer
- Cloud auditor
- Cloud service provider
Correct answer: Cloud service provider
The cloud service provider is the role responsible for making a cloud service available to interested parties and for managing the infrastructure required to deliver it. The cloud consumer uses the services, the cloud auditor independently assesses them, and the cloud carrier provides connectivity and transport, so none of these performs the provider's service-delivery role.
- In the cloud reference architecture, which role acts as an intermediary that can aggregate services from multiple providers, customize them, or arbitrage between them to deliver added value to consumers?
- Cloud auditor
- Cloud service broker
- Cloud service provider
- Cloud carrier
Correct answer: Cloud service broker
The cloud service broker is an intermediary that manages the use, performance, and delivery of cloud services and negotiates relationships between providers and consumers, often through service aggregation, intermediation, or arbitrage. The cloud carrier provides connectivity, and the cloud auditor performs independent assessment, so neither adds the brokered, value-added intermediary function described.
- A telecom firm supplies the network transport and connectivity that lets cloud consumers reach a provider's services but does not host or operate those services itself. Which cloud reference architecture role does the telecom firm fulfill?
- Cloud broker
- Cloud service provider
- Cloud auditor
- Cloud carrier
Correct answer: Cloud carrier
The cloud carrier is the role that provides connectivity and transport of cloud services from providers to consumers, typically through telecommunication and network access. A cloud broker intermediates service relationships and a cloud auditor assesses controls, so neither matches the transport-only function the telecom firm performs.
- A design team adopts a documented blueprint that standardizes cloud roles, activities, functional components, and their relationships, giving architects a common vocabulary and a starting structure for new systems. What is the primary value of using such a cloud reference architecture?
- It eliminates the need for the shared responsibility model
- It replaces the requirement to perform a risk assessment
- It provides a common, standardized framework that improves consistency and communication across cloud designs
- It guarantees that any system built from it will automatically pass a SOC 2 audit
Correct answer: It provides a common, standardized framework that improves consistency and communication across cloud designs
The primary value of a cloud reference architecture is that it offers a common, standardized framework of roles, activities, and components that promotes consistency, shared vocabulary, and clearer communication when designing cloud systems. It does not guarantee audit outcomes, remove the need for risk assessment, or supersede the shared responsibility model, all of which remain necessary.
- A CISO is explaining why no single party is solely accountable for all security in a cloud engagement. She notes that the division of duties shifts based on whether the service is IaaS, PaaS, or SaaS. What is the core purpose of the shared responsibility model?
- It applies only to data centers the customer physically owns
- It clarifies which security obligations belong to the provider and which belong to the customer for a given service model
- It eliminates the customer's obligation to configure access controls
- It transfers all security liability to the cloud provider once a contract is signed
Correct answer: It clarifies which security obligations belong to the provider and which belong to the customer for a given service model
The shared responsibility model clarifies the division of security obligations between the cloud provider and the customer, and that division shifts with the service model so that customers retain more responsibility in IaaS and less in SaaS, while never being fully relieved of duties such as data classification and access management. It does not transfer all liability to the provider or remove the customer's configuration responsibilities.
- Under the shared responsibility model, which set of duties remains with the customer regardless of whether they use IaaS, PaaS, or SaaS?
- Maintaining the physical security of the provider's data centers
- Patching the underlying hypervisor and physical host firmware
- Replacing failed storage hardware in the provider's facilities
- Data classification, identity and access management decisions, and proper use of the service
Correct answer: Data classification, identity and access management decisions, and proper use of the service
Across IaaS, PaaS, and SaaS, the customer always retains responsibility for classifying its own data, deciding and managing identities and access, and using the service appropriately. Patching the hypervisor, securing the data center physically, and replacing hardware are provider responsibilities in all service models, so they never shift to the customer.
- An enterprise wants visibility and policy enforcement over the many sanctioned and unsanctioned SaaS applications its employees use, including data loss prevention, access control, and shadow-IT discovery. Which technology is purpose-built to sit between users and cloud services to provide this?
- Hardware security module (HSM)
- Trusted Platform Module (TPM)
- Software-defined perimeter (SDP) gateway
- Cloud access security broker (CASB)
Correct answer: Cloud access security broker (CASB)
A cloud access security broker (CASB) is a security policy enforcement point placed between cloud consumers and cloud providers to enforce policies such as authentication, authorization, encryption, data loss prevention, and to discover shadow IT and govern SaaS usage. An HSM and a TPM are cryptographic hardware components, and an SDP gateway focuses on network access control, so none delivers the cloud-application governance a CASB provides.
- A security team is comparing two CASB deployment approaches. One sits directly in the data path so traffic flows through it in real time, while the other connects to cloud services through provider APIs to inspect data already at rest and after the fact. Which pairing correctly labels these modes?
- Both modes operate only in the real-time data path
- Inline (proxy) mode operates in the data path in real time, while API-based mode inspects activity and data out of band through provider APIs
- API-based mode operates in the data path in real time, while inline mode inspects data out of band
- Both modes operate only out of band through APIs
Correct answer: Inline (proxy) mode operates in the data path in real time, while API-based mode inspects activity and data out of band through provider APIs
Inline, or proxy-based, CASB deployment places the broker in the live data path so it can inspect and enforce policy on traffic in real time, while API-based deployment integrates with the cloud provider's APIs to inspect data and activity out of band, including data already at rest. Reversing these definitions or claiming both work the same way mischaracterizes how the two CASB modes operate.
- An architecture standard requires that new cloud systems ship with the most restrictive configuration enabled out of the box, so administrators must consciously open access rather than lock it down later. Storage is private, ports are closed, and accounts have minimal rights until justified. Which principle is being enforced?
- Separation of duties
- Security through obscurity
- Defense in depth
- Secure by default
Correct answer: Secure by default
Secure by default means a system's initial, out-of-the-box configuration is the most secure and restrictive option, requiring deliberate action to relax controls rather than to apply them. Defense in depth layers multiple controls and separation of duties divides privileges, but neither specifically dictates that the default delivered state must be the locked-down one, which is the heart of secure by default.
- A platform team bakes threat modeling, least privilege, fail-secure handling, and minimized attack surface into the earliest stages of building a cloud service rather than bolting security on after release. Which design philosophy does this represent?
- Continuous monitoring
- Capacity planning
- Secure by design
- Just-in-time provisioning
Correct answer: Secure by design
Secure by design is the philosophy of integrating security considerations such as threat modeling, least privilege, fail-secure behavior, and attack-surface reduction from the very beginning of system design rather than adding them afterward. Continuous monitoring is an operations activity and capacity planning addresses resource sizing, so neither describes embedding security into the design phase itself.
- An organization deliberately runs equivalent workloads across two unrelated public cloud providers to avoid being locked into one vendor and to improve resilience if a single provider has an outage. What is the most accurate term for this strategy?
- Multi-cloud
- Single-tenancy
- Cloud bursting
- Hybrid cloud
Correct answer: Multi-cloud
Multi-cloud is the practice of intentionally using cloud services from more than one provider, often of the same service type, to reduce vendor lock-in, increase resilience, and avoid dependence on a single provider. Hybrid cloud specifically combines private and public infrastructures bound together, and cloud bursting is a peak-overflow technique, so neither describes spreading equivalent workloads across independent providers.
- A governance team standing up a multi-cloud program finds that each provider names services differently, exposes different APIs, and enforces controls in incompatible ways. Which challenge is most characteristic of multi-cloud governance?
- Multi-cloud eliminates the need for centralized identity management
- Multi-cloud guarantees uniform compliance posture automatically
- Inconsistent controls, tooling, and identity across heterogeneous providers increase operational and security complexity
- Using more than one provider removes all vendor lock-in concerns
Correct answer: Inconsistent controls, tooling, and identity across heterogeneous providers increase operational and security complexity
The defining governance challenge of multi-cloud is that differing service definitions, APIs, control implementations, identity systems, and tooling across providers create inconsistency and added complexity that the organization must reconcile. Multi-cloud does not eliminate centralized identity needs, automatically harmonize compliance, or remove every lock-in concern, since data-gravity and integration dependencies can persist.
- A cloud team wants to express the difference between two related capabilities: moving an application or data from one provider to another, versus having components from different systems work together through shared interfaces. Which pairing correctly defines portability and interoperability?
- Portability is the ability to move workloads or data between environments; interoperability is the ability of components or systems to work together through common interfaces
- Both terms mean the same thing in cloud architecture
- Portability refers only to physical media transport between data centers
- Interoperability is the ability to move workloads between providers; portability is the ability of components to work together
Correct answer: Portability is the ability to move workloads or data between environments; interoperability is the ability of components or systems to work together through common interfaces
Portability is the ability to move applications and data from one cloud environment to another with minimal rework, while interoperability is the ability of different systems or components to exchange information and work together through common interfaces and formats. Swapping these definitions or treating them as identical misstates two distinct concerns that both reduce vendor lock-in.
- A CCSP candidate is asked which condition most directly creates vendor lock-in, undermining an organization's ability to leave a cloud provider. Which condition is the strongest contributor?
- Using only open standards and widely supported APIs
- Maintaining current exportable backups in standard formats
- Documenting an exit strategy in the contract
- Heavy reliance on a provider's proprietary services and data formats that lack portable equivalents
Correct answer: Heavy reliance on a provider's proprietary services and data formats that lack portable equivalents
Vendor lock-in is driven most directly by dependence on proprietary services, APIs, and data formats that have no easily portable equivalent, making migration costly or impractical. Using open standards, keeping exportable backups in standard formats, and documenting an exit strategy all reduce lock-in rather than cause it.
- A regulated firm reviews a candidate cloud provider and wants an independent, internationally recognized way to evaluate the provider's adherence to cloud-specific security controls before signing. Which resource is specifically designed to help organizations assess and document a provider's security posture?
- The OWASP Top Ten
- The PCI DSS Self-Assessment Questionnaire
- The NIST National Vulnerability Database
- The CSA Security, Trust, Assurance and Risk (STAR) registry
Correct answer: The CSA Security, Trust, Assurance and Risk (STAR) registry
The Cloud Security Alliance STAR program and its registry let organizations evaluate and document a cloud provider's security and compliance posture, with entries based on the Cloud Controls Matrix and the Consensus Assessments Initiative Questionnaire. The PCI DSS SAQ addresses card data environments, the NIST NVD catalogs vulnerabilities, and the OWASP Top Ten lists web application risks, so none is the cloud-provider assurance registry described.
- During provider evaluation, an organization wants the catalog of cloud-specific security controls, mapped to many other frameworks, that it can use as the baseline for assessing a provider. Which artifact best fits this need?
- The shared responsibility model diagram
- The CSA Cloud Controls Matrix (CCM)
- NIST SP 800-145
- ISO/IEC 17789
Correct answer: The CSA Cloud Controls Matrix (CCM)
The CSA Cloud Controls Matrix (CCM) is a cloud-specific cybersecurity control framework that provides a structured set of controls mapped to numerous industry standards and regulations, making it a strong baseline for assessing a provider's security. NIST SP 800-145 defines cloud computing, ISO/IEC 17789 describes a reference architecture, and the shared responsibility model is a division-of-duties concept, so none is a mappable control catalog like the CCM.
- A security architect evaluating IaaS infrastructure wants to confirm that the provider abstracts physical servers into pools of virtual machines, which is the foundational technology that makes resource pooling and elasticity possible. Which technology is she confirming?
- A reverse proxy
- A relational database cluster
- Virtualization via a hypervisor
- A content delivery network
Correct answer: Virtualization via a hypervisor
Virtualization, implemented through a hypervisor, abstracts physical compute, storage, and network hardware into virtual resources, and it is the foundational enabler of cloud resource pooling, multi-tenancy, and elasticity. A content delivery network, database cluster, and reverse proxy are higher-level components that may run on top of virtualized infrastructure but do not provide the underlying abstraction.
- A team is weighing the security trade-offs of running an application in containers versus serverless functions. Which statement most accurately distinguishes the customer's responsibility in a serverless (Function as a Service) model?
- Serverless removes the customer's responsibility for securing their own code
- In serverless, the provider manages the operating system and runtime, so the customer focuses on securing function code, configurations, permissions, and dependencies
- Containers always shift more security responsibility to the provider than serverless does
- In serverless, the customer must patch the underlying operating system the functions run on
Correct answer: In serverless, the provider manages the operating system and runtime, so the customer focuses on securing function code, configurations, permissions, and dependencies
In a serverless or Function as a Service model the provider abstracts and manages the operating system and runtime, so the customer's remaining responsibilities center on securing their function code, configurations, granted permissions, and third-party dependencies. The customer does not patch the underlying operating system in serverless, still owns their code's security, and serverless typically shifts more infrastructure responsibility to the provider than containers do.
- A DevSecOps initiative integrates automated security testing into the continuous integration and continuous delivery pipeline so that vulnerabilities are caught as code is built rather than after deployment. Which statement best captures the core aim of DevSecOps in cloud delivery?
- It assigns security solely to a separate team operating after deployment
- It defers all security testing to a manual review just before production release
- It embeds security as a shared, automated responsibility throughout the development and delivery pipeline
- It replaces the need for any access controls in the pipeline
Correct answer: It embeds security as a shared, automated responsibility throughout the development and delivery pipeline
DevSecOps embeds security as a shared, automated responsibility integrated continuously throughout the development and delivery pipeline, shifting testing left so issues are found early rather than after release. Deferring security to a late manual gate, isolating it in a separate post-deployment team, or removing access controls all contradict the continuous, shared-ownership model DevSecOps promotes.
- An organization designing for resilience adopts a zero trust approach in its cloud environment, where no user or device is implicitly trusted based on network location. Which principle is most central to a zero trust design?
- Every access request is continuously authenticated, authorized, and validated regardless of location
- Internal traffic is exempt from authentication because it originates inside the perimeter
- Network segmentation alone establishes trust for all internal services
- Trust is granted permanently once a device joins the corporate network
Correct answer: Every access request is continuously authenticated, authorized, and validated regardless of location
Zero trust is built on the principle that no implicit trust is granted based on network location, so every access request must be continuously authenticated, authorized, and validated using identity, device posture, and context. Granting permanent trust at join time, exempting internal traffic, or relying on segmentation alone all violate the never-trust, always-verify foundation of zero trust.
- A payment processor wants to remove primary account numbers (PANs) from its application database entirely so that a database breach would expose no card numbers, while still letting the application reference each card consistently. A security architect recommends tokenization over encryption for this use case. What is the strongest justification for that recommendation?
- Tokenization replaces the PAN with a surrogate that has no mathematical relationship to the original, so a breach of the application database yields no recoverable card data
- Tokenization automatically rotates the underlying card numbers on a schedule
- Tokenization is mathematically stronger than AES-256 against brute-force attacks
- Tokenization compresses the PAN so it occupies less storage in the database
Correct answer: Tokenization replaces the PAN with a surrogate that has no mathematical relationship to the original, so a breach of the application database yields no recoverable card data
Tokenization is preferred because the token is a surrogate value with no mathematical or algorithmic relationship to the original PAN; the real values live only in a separately secured token vault, so a breach of the application database exposes no recoverable card data. Encryption, by contrast, keeps a reversible mathematical relationship to the plaintext, so a stolen key would expose the data. Tokenization is not 'stronger' as a cryptographic primitive, nor does it compress or rotate the underlying values.
- A development team needs a representative copy of a customer table for testing, but the copy must irreversibly remove the ability to recover real names and emails, with no mapping retained. Which protection technique best meets this requirement?
- Data masking that produces an anonymized, non-reversible dataset
- Format-preserving encryption with a customer-managed key
- Pseudonymization with a retained re-identification key
- Tokenization with a secure vault
Correct answer: Data masking that produces an anonymized, non-reversible dataset
Data masking that anonymizes the dataset best fits because, unlike tokenization, masking does not retain a vault or mapping that allows the original values to be recovered. Tokenization and pseudonymization both keep a reversible mapping, and format-preserving encryption is reversible with the key, so none of those satisfy the requirement for irreversible removal of the original data.
- A CCSP candidate is asked to list the six phases of the cloud secure data lifecycle in order. Which sequence is correct?
- Create, Store, Use, Share, Archive, Destroy
- Create, Classify, Store, Use, Retain, Delete
- Acquire, Store, Process, Transmit, Retain, Dispose
- Store, Create, Share, Use, Archive, Destroy
Correct answer: Create, Store, Use, Share, Archive, Destroy
The correct order is Create, Store, Use, Share, Archive, Destroy. This is the canonical cloud secure data lifecycle used in CCSP material; data is created, committed to storage, accessed and processed (Use), exchanged with others (Share), moved to long-term retention (Archive), and finally securely destroyed. The other sequences insert non-standard phases or reorder them incorrectly.
- In the cloud secure data lifecycle, during which phase is data most exposed because it is decrypted in memory to be processed by an application?
Correct answer: Use
The Use phase is where data is most exposed, because data typically must be decrypted into memory to be read, modified, or processed by an application or user. Store and Archive can keep data encrypted at rest, and Destroy removes it, but the Use phase requires plaintext access, which is why confidential computing and tight access controls focus there.
- An organization is choosing cloud storage for a workload that maintains a transactional relational database requiring a mountable file system on the instance. Which IaaS storage type is the appropriate primary choice?
- Content delivery network edge cache
- Object storage accessed via REST API
- Ephemeral instance store discarded on stop
- Block (volume) storage attached to the instance
Correct answer: Block (volume) storage attached to the instance
Block (volume) storage is the appropriate choice because it presents a raw, mountable volume that the operating system formats with a file system, which is what a transactional relational database needs for low-latency block-level I/O. Object storage exposes whole objects over REST and is not mountable as a file system, and a CDN edge cache is for content distribution, not database storage.
- A team needs shared storage that multiple cloud virtual machines can mount simultaneously and access using standard file-system semantics and directory hierarchies (such as NFS or SMB). Which cloud storage type fits?
- Object storage
- Block storage
- File storage
- Raw device mapping
Correct answer: File storage
File storage fits because it presents a shared, hierarchical file system that multiple instances can mount concurrently using protocols such as NFS or SMB. Block storage is typically attached to a single instance and exposes raw volumes, and object storage uses a flat namespace accessed by API rather than file-system directory semantics.
- A CCSP is explaining data discovery to a stakeholder. Which statement most accurately distinguishes data discovery from data classification?
- Discovery and classification are identical terms used interchangeably
- Discovery is the process of finding and identifying data across cloud stores, while classification assigns sensitivity levels and handling rules to that data
- Discovery applies only to structured databases, while classification applies only to files
- Discovery assigns sensitivity labels, while classification finds where data resides
Correct answer: Discovery is the process of finding and identifying data across cloud stores, while classification assigns sensitivity levels and handling rules to that data
Data discovery is the process of locating and identifying data across cloud repositories, whereas classification then assigns sensitivity levels and handling requirements to the discovered data. Discovery answers 'what data do we have and where,' and classification answers 'how sensitive is it and how must it be handled.' They are sequential and distinct, not interchangeable, and both apply to structured and unstructured data.
- A cloud team must protect a large object-storage data set against the loss of an entire storage node while avoiding the 3x overhead of full replication. They implement a scheme that splits each object into data and parity fragments distributed across nodes so the object can be rebuilt from a subset. What is this technique called?
- Erasure coding
- Crypto-shredding
- Deduplication
- Full mirroring (RAID 1)
Correct answer: Erasure coding
Erasure coding is the technique: it splits data into fragments plus computed parity, distributing them so the original can be reconstructed from any sufficient subset, providing durability with far less overhead than full replication. Crypto-shredding destroys keys to render data unrecoverable, and deduplication removes redundant copies rather than adding fault tolerance.
- How are data dispersion and erasure coding related in cloud storage protection?
- Data dispersion always uses full replication, while erasure coding never adds redundancy
- They are unrelated; dispersion is a key-management method and erasure coding is an access-control method
- Data dispersion is the broader strategy of fragmenting and spreading data across locations, and erasure coding is a common mechanism that implements it with parity fragments
- Erasure coding requires storing all fragments in a single location, while dispersion spreads encryption keys
Correct answer: Data dispersion is the broader strategy of fragmenting and spreading data across locations, and erasure coding is a common mechanism that implements it with parity fragments
Data dispersion is the broader strategy of breaking data into fragments and spreading them across multiple nodes or locations, and erasure coding is a common mechanism that implements dispersion by adding computed parity fragments so the data can be rebuilt from a subset. Dispersion improves availability and makes any single fragment useless on its own; erasure coding is how that dispersion is often achieved efficiently.
- A CCSP is asked to define data dispersion in a cloud context for an audit. Which description is most accurate?
- Fragmenting data and distributing the fragments (often with parity) across multiple nodes or locations so no single location holds the complete data
- Replacing sensitive values with vault-mapped tokens
- Encrypting each database column with a separate key
- Storing all data in one geographic region to satisfy residency rules
Correct answer: Fragmenting data and distributing the fragments (often with parity) across multiple nodes or locations so no single location holds the complete data
Data dispersion is the fragmenting of data and distribution of those fragments, often with parity, across multiple storage nodes or locations so that no single location holds the complete, usable data set. This improves durability and availability and limits the value of any one compromised location. It is distinct from column encryption, tokenization, or single-region residency storage.
- An enterprise uses several cloud encryption products (database TDE, storage encryption, and an application key vault) and wants them all to talk to one centralized key manager through a single standardized interface. Which standard directly addresses this need?
- SAML 2.0
- SCIM
- OAuth 2.0
- KMIP (Key Management Interoperability Protocol)
Correct answer: KMIP (Key Management Interoperability Protocol)
KMIP, the Key Management Interoperability Protocol, is the OASIS standard that defines a single interface so any KMIP-compliant application can create, retrieve, rotate, and destroy keys on any KMIP-compliant key manager. It eliminates proprietary, product-specific key APIs and centralizes key management. SAML, OAuth, and SCIM address authentication, authorization, and identity provisioning, not key management interoperability.
- Which statement best describes the governance and primary purpose of KMIP?
- It is an OASIS standard that provides interoperable communication between key management systems and the clients that use cryptographic keys
- It is a NIST standard defining approved encryption algorithms
- It is an IETF transport-layer protocol that encrypts data in motion
- It is a Cloud Security Alliance control framework for provider assessment
Correct answer: It is an OASIS standard that provides interoperable communication between key management systems and the clients that use cryptographic keys
KMIP is an OASIS-governed standard whose purpose is interoperable communication between key management systems and the clients (encryption products, applications, devices) that consume keys, so organizations can avoid vendor lock-in across diverse key managers. It is not a transport encryption protocol, an algorithm standard, or a provider-assessment framework such as the CSA Cloud Controls Matrix.
- A privacy team must define key terms. Which statement best describes de-identification as used in NIST guidance such as NISTIR 8053?
- A synonym for encryption of personal data at rest
- A general term for any process that removes the association between identifying data and the data subject
- A method that only applies to credit card numbers
- A specific irreversible technique that always deletes all data fields
Correct answer: A general term for any process that removes the association between identifying data and the data subject
De-identification is a general, umbrella term for any process that removes the association between a set of identifying data and the data subject, per NIST guidance such as NISTIR 8053. Specific techniques such as pseudonymization and anonymization fall under this umbrella; de-identification is not itself a single irreversible operation, a synonym for encryption, or limited to card data.
- Under common privacy guidance, what distinguishes pseudonymization from anonymization?
- Pseudonymization replaces identifiers but retains a separate mapping that allows re-identification, while anonymization is intended to be irreversible
- They are identical processes with different regional names
- Pseudonymization applies only to structured data and anonymization only to unstructured data
- Pseudonymization is irreversible, while anonymization keeps a re-identification mapping
Correct answer: Pseudonymization replaces identifiers but retains a separate mapping that allows re-identification, while anonymization is intended to be irreversible
Pseudonymization replaces direct identifiers with surrogate values but retains a separate mapping or key that allows re-identification, so the data is still considered reversible (and still personal data under regimes like GDPR). Anonymization is intended to be irreversible, removing any practical ability to re-identify the subject. The reversibility of the mapping is the key distinction.
- A security operations team wants to detect and block an employee attempting to upload a spreadsheet containing thousands of Social Security numbers to a personal cloud drive. Which class of control is specifically designed to identify and prevent this exfiltration?
- Content Delivery Network (CDN)
- Network Time Protocol (NTP)
- Single Sign-On (SSO)
- Data Loss Prevention (DLP)
Correct answer: Data Loss Prevention (DLP)
Data Loss Prevention (DLP) is the control designed to detect and prevent unauthorized exfiltration of sensitive data, such as a file full of Social Security numbers leaving the organization. DLP inspects content against policy (patterns, classifiers, fingerprints) across data at rest, in motion, and in use. NTP, SSO, and CDN serve time synchronization, authentication, and content distribution respectively.
- A DLP program typically operates across three states of data. Which set correctly names those three states?
- Data created, data shared, data archived
- Data at rest, data in motion, data in use
- Data public, data internal, data confidential
- Data structured, data unstructured, data semi-structured
Correct answer: Data at rest, data in motion, data in use
DLP operates across data at rest (stored data scanned in repositories), data in motion (traffic inspected on the network), and data in use (activity monitored at the endpoint). These three states define where DLP discovery, monitoring, and enforcement occur. The other groupings describe lifecycle phases, data structure types, or classification levels rather than DLP operating states.
- A US federal agency contract requires that cryptographic modules protecting data be validated under the government's cryptographic module standard. Which standard establishes the security requirements for cryptographic modules used to protect sensitive federal information?
- FIPS 140 (currently FIPS 140-3)
- ISO/IEC 27017
- SOC 2
- PCI DSS
Correct answer: FIPS 140 (currently FIPS 140-3)
FIPS 140, currently FIPS 140-3, is the US federal standard that specifies security requirements for cryptographic modules protecting sensitive but unclassified information, validated through NIST's Cryptographic Module Validation Program. PCI DSS governs payment-card data, ISO/IEC 27017 provides cloud security controls, and SOC 2 is an attestation report; none of these validate cryptographic modules for federal use.
- As of 2026, what is the status of FIPS 140-2 relative to FIPS 140-3 for cryptographic module validation?
- FIPS 140-3 applies only to quantum-resistant algorithms
- CMVP stopped accepting new FIPS 140-2 submissions and FIPS 140-3 (which references ISO/IEC 19790) is the standard for new validations, with 140-2 modules moving to the Historical list
- FIPS 140-2 and 140-3 are unrelated standards covering different industries
- FIPS 140-2 is the only accepted standard and FIPS 140-3 has been withdrawn
Correct answer: CMVP stopped accepting new FIPS 140-2 submissions and FIPS 140-3 (which references ISO/IEC 19790) is the standard for new validations, with 140-2 modules moving to the Historical list
FIPS 140-3 is the current standard for new cryptographic module validations and references ISO/IEC 19790 for international alignment; CMVP stopped accepting new FIPS 140-2 submissions, and previously validated 140-2 modules are being moved to the Historical list by September 2026. FIPS 140-2 was not withdrawn outright, the two are successive versions of the same standard, and 140-3 is not limited to quantum-resistant algorithms.
- A media company distributes copyrighted training videos to partners and needs controls that prevent forwarding, printing, and copying even after a file leaves the company's network, with permissions that travel with the file itself. Which technology provides this?
- A web application firewall
- Information Rights Management (IRM)
- A reverse proxy
- A network access control list
Correct answer: Information Rights Management (IRM)
Information Rights Management (IRM) provides persistent, file-embedded controls that restrict actions such as forwarding, printing, copying, and editing, and these permissions travel with the file even after it leaves the organization's boundary. A WAF, reverse proxy, and network ACL protect network access points but cannot enforce usage restrictions once a file has been downloaded.
- Which capability is unique to Information Rights Management (IRM) compared to traditional access control lists on a file share?
- It performs antivirus scanning of attachments
- It enforces persistent, granular usage policies (such as no-print or expiration) that remain with the document regardless of where it is stored or sent
- It load-balances document downloads across regions
- It encrypts data only while in transit over the network
Correct answer: It enforces persistent, granular usage policies (such as no-print or expiration) that remain with the document regardless of where it is stored or sent
IRM uniquely enforces persistent, granular usage policies, such as preventing printing, blocking copy/paste, or setting an access expiration, that stay attached to the document no matter where it travels. A traditional ACL only governs access at the storage location and loses all control once a copy leaves that location. IRM is not a transit-only encryption, antivirus, or load-balancing function.
- A CCSP must explain tokenization in cloud security to an auditor. Which description is most accurate?
- Substituting a sensitive data element with a non-sensitive surrogate value, where the original is recoverable only through a secure token vault
- A hashing function that produces a fixed-length irreversible digest
- A reversible cipher applied to whole disk volumes
- A protocol for negotiating TLS session keys
Correct answer: Substituting a sensitive data element with a non-sensitive surrogate value, where the original is recoverable only through a secure token vault
Tokenization in cloud security substitutes a sensitive data element (such as a PAN or SSN) with a non-sensitive surrogate token, and the original value is recoverable only by looking it up in a secured token vault. Unlike encryption, the token has no mathematical relationship to the original, and unlike hashing it is reversible through the vault. It is not whole-disk encryption or a TLS key-negotiation protocol.
- In which scenario does tokenization offer a compliance scope-reduction advantage that encryption does not provide as cleanly?
- Generating one-time passwords for multifactor authentication
- Protecting data in transit between a browser and a server
- Removing cardholder data from systems so those systems fall outside PCI DSS assessment scope because they store only non-sensitive tokens
- Compressing backups to reduce storage cost
Correct answer: Removing cardholder data from systems so those systems fall outside PCI DSS assessment scope because they store only non-sensitive tokens
Tokenization can take cardholder data entirely out of an application's systems so those systems store only non-sensitive tokens, which can reduce PCI DSS assessment scope because the systems no longer hold actual card data. Encryption keeps the protected data (and the burden of key management) within scope. Tokenization does not protect data in transit, generate OTPs, or compress backups.
- A team is choosing between dynamic data masking and tokenization to let analysts run reports on a customer table without exposing real phone numbers, while preserving the format. The values must look realistic but never need to be reversed back to the originals by the analysts. Which trade-off correctly guides the choice toward masking?
- Tokenization cannot preserve data format, while masking always changes the length
- Masking obscures the data without a recoverable mapping for the analysts, while tokenization preserves a reversible vault relationship that masking does not require
- Masking encrypts the data with the customer's key, while tokenization does not protect the data at all
- Masking maintains a reversible vault mapping, making it better for irreversible needs
Correct answer: Masking obscures the data without a recoverable mapping for the analysts, while tokenization preserves a reversible vault relationship that masking does not require
Masking is appropriate here because it obscures the data for the analysts without maintaining a reversible vault mapping for their use, whereas tokenization preserves a vault relationship that can reverse tokens back to originals, which is unnecessary and adds risk for read-only analytics. Both can preserve format; the deciding factor is that masking does not require a recoverable mapping while tokenization does.
- An organization adopts envelope encryption in its cloud KMS. Which statement correctly describes how envelope encryption works?
- Encryption keys are embedded in the application binary and shipped with releases
- Each record is encrypted directly with the master key stored in the KMS
- The data and its key are stored together in the same object for convenience
- A data encryption key (DEK) encrypts the data, and the DEK is itself encrypted by a key encryption key (KEK) held in the KMS or HSM
Correct answer: A data encryption key (DEK) encrypts the data, and the DEK is itself encrypted by a key encryption key (KEK) held in the KMS or HSM
In envelope encryption, a data encryption key (DEK) encrypts the actual data, and that DEK is then encrypted ('wrapped') by a key encryption key (KEK) that is securely held in the KMS or HSM. This limits exposure of the master KEK, allows efficient bulk encryption, and simplifies key rotation. Encrypting every record directly with the master key, co-locating keys with data, or embedding keys in binaries are all poor practices.
- A regulated financial firm wants to use a public cloud KMS but requires that the provider never have access to the key material that protects its most sensitive data, with keys held entirely outside the provider's control. Which key-management model meets this requirement?
- Hold Your Own Key (HYOK) / external key store
- Provider-managed default encryption
- Server-side encryption with provider-owned keys
- Provider-generated keys with automatic rotation
Correct answer: Hold Your Own Key (HYOK) / external key store
Hold Your Own Key (HYOK), using an external key store, meets the requirement because the key material remains entirely under the customer's control outside the provider's environment, so the provider cannot access the keys or decrypt the data on its own. Provider-managed, provider-generated, and server-side provider-owned key models all leave the provider with technical access to the keys.
- Why is separating cryptographic key storage from the encrypted data it protects a foundational principle of cloud key management?
- It removes the need to rotate keys
- If an attacker obtains the encrypted data store, they still cannot decrypt it without separately compromising the key store, preserving confidentiality
- It permits keys to be embedded in application source code
- It allows the same key to be reused across all tenants safely
Correct answer: If an attacker obtains the encrypted data store, they still cannot decrypt it without separately compromising the key store, preserving confidentiality
Separating key storage from the encrypted data means that compromising the data store alone does not yield the keys, so the data remains protected unless the attacker also breaches the separate, hardened key store. This enforces separation of duties and avoids a single point of compromise. It does not justify key reuse across tenants, eliminate rotation, or permit hardcoding keys.
- A CCSP is mapping protections to the Archive phase of the cloud data lifecycle. Which control combination is most important for long-term archived data?
- Real-time DLP endpoint agents on every archive node
- Encryption at rest with durable key management and clearly defined retention/legal-hold policies
- High-performance compute and low-latency networking
- Maximum read-write throughput tuning
Correct answer: Encryption at rest with durable key management and clearly defined retention/legal-hold policies
For archived data, the priority is encryption at rest with durable, long-lived key management plus clearly defined retention and legal-hold policies, because archived data is held for long periods and must remain confidential and producible (or destroyable) per legal requirements. Low-latency compute, endpoint DLP agents, and throughput tuning are not the central concerns of long-term archival protection.
- During which two phases of the cloud secure data lifecycle is encryption in transit (such as TLS) most directly relevant?
- Use and Share, when data moves between users, services, or organizations
- Create and Destroy
- None of the phases involve data movement
- Store and Archive only
Correct answer: Use and Share, when data moves between users, services, or organizations
Encryption in transit such as TLS is most directly relevant during the Use and Share phases, when data is actively moving between users, services, applications, or organizations and is exposed on the network. Store and Archive primarily call for encryption at rest, and the lifecycle does involve data movement, so transit protection is a real concern.
- A data engineer claims a dataset is 'anonymized' but retains a separate lookup table that can map the surrogate IDs back to real patients. From a de-identification standpoint, how should this dataset be classified?
- Pseudonymized, because a reversible mapping to identities still exists
- Fully anonymized and out of regulatory scope
- Encrypted at rest with a customer-managed key
- Tokenized and therefore non-personal data
Correct answer: Pseudonymized, because a reversible mapping to identities still exists
The dataset is pseudonymized, not anonymized, because a separate lookup table allows re-identification, so the data is still reversible and remains personal data under most privacy regimes. True anonymization requires that re-identification be irreversibly removed. The presence of a retained mapping is exactly what distinguishes pseudonymization from anonymization, regardless of any encryption applied.
- A cloud architect needs to scan terabytes of unstructured documents in object storage to find files containing protected health information that may be unlabeled. Which discovery method is most effective for this goal?
- Filename keyword search only
- Label/metadata-based discovery relying on existing tags
- Reviewing the storage bucket's access logs
- Content-based discovery using pattern matching and classifiers on the actual file contents
Correct answer: Content-based discovery using pattern matching and classifiers on the actual file contents
Content-based discovery using pattern matching and classifiers on the actual file contents is most effective for finding unlabeled sensitive data, because it inspects what is inside the files rather than trusting tags that may be missing or wrong. Label/metadata and filename methods miss unlabeled data, and access logs show who touched files, not whether the files contain PHI.
- After data discovery identifies sensitive records, why is accurate data classification a prerequisite for an effective DLP and encryption strategy?
- Classification determines the storage vendor's pricing tier
- Classification is only used for marketing analytics
- Classification assigns sensitivity levels that drive which protection controls (encryption strength, DLP rules, access restrictions) apply to each data type
- Classification replaces the need for any encryption
Correct answer: Classification assigns sensitivity levels that drive which protection controls (encryption strength, DLP rules, access restrictions) apply to each data type
Accurate classification assigns sensitivity levels that drive downstream protection decisions, determining which encryption requirements, DLP policies, and access restrictions apply to each data type. Without correct classification, controls are applied inconsistently, over-protecting low-risk data and under-protecting sensitive data. Classification does not set vendor pricing, replace encryption, or serve only marketing.
- A SaaS application stores customer files. The customer wants to ensure that when they delete a tenant, the underlying data on the provider's shared media is rendered unrecoverable even though they cannot physically destroy the disks. Which approach is the recommended cloud method?
- Setting the files to read-only
- Crypto-shredding by destroying the per-tenant encryption keys
- Renaming the storage container
- Overwriting the disks with multiple passes (degaussing)
Correct answer: Crypto-shredding by destroying the per-tenant encryption keys
Crypto-shredding, destroying the encryption keys used for that tenant's data, is the recommended cloud method because customers cannot physically destroy shared media in a multi-tenant environment, and without the keys the encrypted data is rendered permanently unrecoverable. Multi-pass overwrite and degaussing are physical-media techniques unsuited to shared cloud storage, and renaming or read-only flags do not destroy data.
- A company encrypts each customer's data in the cloud with a unique key and plans to use key destruction as its primary secure-deletion mechanism. What is a critical operational risk they must manage for this approach to work reliably?
- Encryption must be disabled before deleting the keys
- Keys must be reused across customers to simplify rotation
- Crypto-shredding requires physically shredding the storage disks as well
- All copies, backups, and replicas of the encryption key must be tracked and destroyed, or residual key copies could allow recovery
Correct answer: All copies, backups, and replicas of the encryption key must be tracked and destroyed, or residual key copies could allow recovery
The critical risk is that every copy, backup, and replica of the encryption key must be tracked and destroyed; if a residual key copy survives in a backup or escrow, the supposedly crypto-shredded data could still be recovered. This is why rigorous key lifecycle management is essential to make cryptographic erasure trustworthy. Key reuse, physical shredding, and disabling encryption are not requirements or are counterproductive.
- An auditor asks how an organization protects structured database fields containing SSNs so that application screens display only the last four digits to most users, without changing the stored data. Which technique is being described?
- Dynamic data masking
- Erasure coding
- Static data masking
- Crypto-shredding
Correct answer: Dynamic data masking
Dynamic data masking is being described because it obscures data in real time as it is queried or displayed (for example showing only the last four digits) without altering the underlying stored values. Static masking permanently alters a copy of the data, crypto-shredding destroys keys, and erasure coding is a storage durability technique, none of which match a real-time display-only obfuscation.
- A multinational organization must keep EU customer personal data physically stored and processed within the EU to satisfy legal requirements. In the cloud data lifecycle, which control area most directly addresses this constraint?
- Storage geography and data residency controls (region/zone selection)
- Backup compression ratios
- Key rotation frequency
- TLS cipher suite selection
Correct answer: Storage geography and data residency controls (region/zone selection)
Storage geography and data residency controls, selecting the cloud regions and zones where data is stored and processed, most directly address the requirement to keep EU personal data within the EU, because data is subject to the laws of the jurisdiction where it physically resides. Key rotation, cipher selection, and backup compression are real controls but do not determine the physical location of the data.
- A cloud database stores a column of customer birthdates that analysts need for age-band reporting but not for identifying individuals. Which de-identification approach lets the analytics proceed while reducing identifiability of the birthdate field?
- Generalization, such as replacing the exact birthdate with a birth year or age range
- Storing the exact birthdate in plaintext for accuracy
- Replicating the column across regions
- Encrypting the entire database with a single key
Correct answer: Generalization, such as replacing the exact birthdate with a birth year or age range
Generalization, replacing the exact birthdate with a coarser value such as a birth year or age range, reduces identifiability while still supporting age-band analytics, and it is a recognized de-identification technique in NIST guidance. Keeping the exact value in plaintext does nothing to reduce identifiability, and full-database encryption or replication addresses confidentiality and availability rather than reducing the identifiability of the analytic field.
- A cloud architect must protect data in use during processing of highly sensitive records so that even the cloud provider's privileged administrators cannot read the plaintext in memory. Within the data security toolkit, which protection most directly addresses the Use phase exposure?
- TLS 1.3 for the network connection
- Encryption at rest with provider-managed keys
- Object versioning
- Confidential computing using hardware-based trusted execution environments (enclaves)
Correct answer: Confidential computing using hardware-based trusted execution environments (enclaves)
Confidential computing, which runs computation inside hardware-based trusted execution environments (enclaves), most directly addresses the Use phase because it keeps data encrypted even while in memory during processing, shielding plaintext from privileged administrators and the host OS. Encryption at rest protects stored data, TLS protects data in transit, and object versioning addresses recovery, none of which protect data actively being processed in memory.
- A CCSP-aligned architect is drawing a reference diagram of a cloud data center and needs to separate the components that exist as tangible equipment from those that are abstracted by software. Which grouping correctly lists the PHYSICAL infrastructure components rather than the virtual ones?
- Hypervisor schedulers, guest operating systems, and container runtimes
- Servers, storage arrays, network cabling, and HVAC and power systems
- Software-defined network overlays, security groups, and elastic load balancers
- Virtual machines, virtual switches, and virtual network interfaces
Correct answer: Servers, storage arrays, network cabling, and HVAC and power systems
Servers, storage arrays, network cabling, and HVAC and power systems are the physical infrastructure components, the tangible hardware and facility systems on which the cloud runs. The virtual layer (VMs, virtual switches, hypervisor scheduling, containers, SDN overlays, and security groups) is abstracted by software and runs on top of the physical layer, so those choices describe the logical or virtual components rather than the physical ones.
- A startup is sizing its disaster recovery posture for a cloud-hosted checkout service. The business states it can tolerate losing at most 5 minutes of transaction data but can accept up to 2 hours of downtime while the service is restored. How should these two tolerances be expressed?
- A 5-minute MTD and a 2-hour MTTR
- A 5-minute RTO and a 2-hour RPO
- A 2-hour RPO and a 2-hour RTO
- A 5-minute RPO and a 2-hour RTO
Correct answer: A 5-minute RPO and a 2-hour RTO
This is a 5-minute RPO and a 2-hour RTO. The recovery point objective (RPO) is the maximum acceptable amount of data loss measured in time, so the 5-minute data-loss tolerance is the RPO. The recovery time objective (RTO) is the maximum acceptable time to restore service, so the 2-hour downtime tolerance is the RTO. Swapping the two reverses their meanings, and MTD or MTTR describe different metrics.
- A security engineer wants to stop an attacker who lands on one compromised workload from freely reaching other workloads in the same subnet. The engineer applies per-workload policies that permit only the specific east-west flows each application actually needs. Which strategy is being implemented?
- Microsegmentation
- Hypervisor introspection
- Network address translation
- Coarse-grained perimeter firewalling
Correct answer: Microsegmentation
This is microsegmentation. Microsegmentation divides the network into very small, individually policed zones (often down to a single workload) and applies granular allow rules to east-west traffic, so a compromised host cannot move laterally to peers that it has no business communicating with. A traditional perimeter firewall controls north-south traffic, NAT only rewrites addresses, and hypervisor introspection inspects VM state rather than enforcing per-workload network policy.
- A cloud provider is rolling out a network design in which the decision-making logic that determines how packets are forwarded is decoupled from the switches and routers and centralized in software. What is this architectural model called?
- Network function virtualization of the firewall appliance only
- A demilitarized zone that segments public-facing servers
- A content delivery network that caches static assets at the edge
- Software-defined networking, which separates the control plane from the data plane
Correct answer: Software-defined networking, which separates the control plane from the data plane
This describes software-defined networking (SDN), which separates the control plane (the centralized logic that decides how traffic is forwarded) from the data plane (the devices that actually forward packets). This centralization lets operators program network behavior dynamically. A DMZ is a segmentation concept, NFV virtualizes specific network appliances, and a CDN is an edge-caching service, none of which capture the control/data plane separation that defines SDN.
- During an architecture review, two virtualization layers are compared. One runs directly on the bare-metal host with no underlying operating system, and the other installs as an application on top of a host operating system. Which statement correctly distinguishes a Type 1 hypervisor from a Type 2 hypervisor?
- A Type 2 hypervisor is always more secure because it inherits the host OS hardening
- Both Type 1 and Type 2 hypervisors require a full guest OS for the hypervisor itself
- A Type 1 hypervisor runs directly on the hardware, while a Type 2 hypervisor runs as software on top of a host operating system
- A Type 1 hypervisor runs as an app on a host OS, while a Type 2 hypervisor runs on bare metal
Correct answer: A Type 1 hypervisor runs directly on the hardware, while a Type 2 hypervisor runs as software on top of a host operating system
A Type 1 (bare-metal) hypervisor runs directly on the hardware, while a Type 2 (hosted) hypervisor runs as software on top of a host operating system. Type 1 hypervisors are typical for production cloud hosts because they have a smaller attack surface and no underlying OS to compromise. Type 2 is convenient for desktop and testing use but adds the host OS as an extra layer of attack surface, so it is not inherently more secure.
- A penetration tester running inside a guest virtual machine manages to break out of that guest's isolation boundary and execute code on the underlying host and the hypervisor. What is this class of attack called, and why is it so serious in a multi-tenant cloud?
- A VM sprawl event, because too many idle VMs accumulated on the host
- A side-channel timing attack limited to read-only cache observation
- A VM escape, because breaking the hypervisor boundary can expose the host and other tenants' VMs
- A denial-of-service attack confined to the single guest VM
Correct answer: A VM escape, because breaking the hypervisor boundary can expose the host and other tenants' VMs
This is a VM escape. In a VM escape, code running inside a guest breaks through the hypervisor's isolation boundary to reach the host or hypervisor, which in a multi-tenant environment can place every co-resident tenant's VM at risk. VM sprawl is an unrelated governance problem, a side-channel attack only infers data indirectly, and a DoS that stays inside one guest does not breach isolation.
- An operations review finds that, over two years, thousands of virtual machines were spun up for short-lived projects and never decommissioned. Many are unpatched, unmonitored, and still consuming capacity. Which virtualization risk does this describe, and what is the primary security concern?
- VM sprawl, because unmanaged, unpatched VMs expand the attack surface and evade monitoring
- VM escape, because the idle VMs can break hypervisor isolation
- Data remanence, because deleted snapshots leave residual data
- Resource exhaustion of a noisy neighbor consuming shared CPU
Correct answer: VM sprawl, because unmanaged, unpatched VMs expand the attack surface and evade monitoring
This is VM sprawl. VM sprawl is the uncontrolled proliferation of virtual machines that are never retired; because they fall outside patching, monitoring, and inventory processes, they quietly enlarge the attack surface and create blind spots. VM escape is a hypervisor breakout, data remanence concerns residual deleted data, and noisy-neighbor exhaustion is a performance-isolation issue, none of which match the proliferation problem described.
- An auditor asks a public cloud provider to explain how it keeps one customer's compute, storage, and network resources logically separated from another customer's on shared physical hardware. Which concept best captures the control the provider is describing?
- Data dispersion, the fragmentation of stored data across nodes
- Tenant partitioning, the logical separation that isolates each tenant on shared infrastructure
- Geofencing, the restriction of access by geographic region
- Federated identity, the trust relationship between identity providers
Correct answer: Tenant partitioning, the logical separation that isolates each tenant on shared infrastructure
This is tenant partitioning (multitenancy isolation), the logical separation that keeps each customer's resources segregated even though they share the same underlying physical infrastructure. Provider controls such as hypervisor isolation, separate virtual networks, and access scoping enforce it. Federated identity, geofencing, and data dispersion address authentication trust, location restrictions, and storage fragmentation respectively, not tenant-to-tenant isolation.
- A CCSP candidate is asked why the management plane of a cloud platform deserves the strongest protection of any layer. Which explanation is MOST accurate?
- The management plane is the physical cabling between data center racks
- The management plane is the encrypted tunnel used by customer VPN clients
- The management plane controls provisioning and configuration of all resources, so its compromise can affect the entire environment
- The management plane only handles end-user application traffic and carries the least privilege
Correct answer: The management plane controls provisioning and configuration of all resources, so its compromise can affect the entire environment
The management plane controls provisioning and configuration of all resources, so its compromise can affect the entire environment. Because the management plane (and its APIs and consoles) can create, delete, and reconfigure resources across tenants and regions, an attacker with management-plane access holds keys to the whole platform, which is why it requires the strongest authentication, monitoring, and least-privilege controls. The other descriptions confuse it with the data plane, physical cabling, or a customer VPN.
- A risk team is performing a structured risk assessment of a new cloud platform. After identifying assets and threats, which sequence of steps reflects a sound qualitative risk assessment approach?
- Calculate annualized loss expectancy before any threats are identified
- Identify assets and threats, determine likelihood and impact, rate the risk, then select treatment
- Accept all residual risk before measuring likelihood or impact
- Apply controls first, then identify whether any threats exist
Correct answer: Identify assets and threats, determine likelihood and impact, rate the risk, then select treatment
A sound qualitative risk assessment identifies assets and threats, determines likelihood and impact, rates each risk, then selects a treatment (accept, mitigate, transfer, or avoid). Controls are chosen as treatment after risks are understood, not before threats are even identified. Computing loss expectancy without threats, or accepting residual risk before measuring it, inverts the proper order of the process.
- A cloud risk assessment must distinguish risks the customer can directly control from those that depend on the provider. In an IaaS deployment, which risk is MOST clearly the provider's responsibility under the shared responsibility model?
- Configuring the customer's network security groups
- Hardening the customer's guest operating system
- Managing the customer's application-layer access controls
- Physical security and hypervisor patching of the host hardware
Correct answer: Physical security and hypervisor patching of the host hardware
Physical security and hypervisor patching of the host hardware fall to the provider in IaaS. Under the shared responsibility model, the provider secures the underlying facility, hardware, and virtualization layer, while the customer remains responsible for the guest OS, network configuration, and application access. A risk assessment must account for provider-owned risks separately because the customer cannot remediate them directly and must rely on assurance such as audit reports.
- An enterprise designs BCDR for a workload running in a single cloud region and wants protection against the loss of an entire data center within that region. Which design choice MOST directly addresses that failure scenario at the lowest added complexity?
- Rely on a single availability zone but increase the instance size
- Disable replication to avoid synchronization overhead
- Distribute the workload across multiple availability zones within the region
- Store backups only on the same host as the production workload
Correct answer: Distribute the workload across multiple availability zones within the region
Distributing the workload across multiple availability zones within the region directly mitigates the loss of a single data center, because availability zones are isolated facilities with independent power, cooling, and networking inside the same region. Staying in one zone, co-locating backups on the production host, or disabling replication all leave the workload exposed to the very single-facility failure the design must survive.
- A team must validate a cloud BCDR plan but cannot risk any disruption to the live payment system. They walk through the recovery procedures verbally with all stakeholders to confirm roles and steps without touching production systems. Which test type is this?
- An unannounced live failover of production traffic
- A tabletop exercise
- A parallel test that runs recovery systems alongside production
- A full interruption (full-scale) test
Correct answer: A tabletop exercise
This is a tabletop exercise, in which stakeholders talk through the recovery plan to validate roles, decisions, and procedures without activating any systems, making it the lowest-risk test. A full interruption test actually shuts down production, a parallel test brings recovery systems online alongside production, and a live failover redirects real traffic, all of which carry far more operational risk than the team is willing to accept.
- A provider markets a service as fully multi-tenant on shared hardware but claims tenants are isolated 'as if on dedicated bare metal.' A CCSP reviewer should recognize which statement as the accurate description of how that isolation is actually achieved?
- No isolation mechanism is needed because the provider trusts all tenants
- Logical isolation is enforced by the hypervisor and virtual networking, not by giving each tenant separate physical hardware
- Each tenant truly receives a separate physical server, so multitenancy does not apply
- Isolation depends entirely on tenants encrypting their own traffic
Correct answer: Logical isolation is enforced by the hypervisor and virtual networking, not by giving each tenant separate physical hardware
In multitenancy, logical isolation is enforced by the hypervisor and virtual networking, not by giving each tenant separate physical hardware. The 'as if dedicated' experience is delivered through software-enforced partitioning on shared resources. The claim of truly separate hardware contradicts multitenancy, tenant-side encryption does not isolate compute resources, and assuming no isolation is needed ignores the core risk of shared infrastructure.
- A network architect securing an SDN deployment is told the SDN controller is the highest-value target. Considering how SDN concentrates network intelligence, why is protecting the controller so critical?
- The controller only stores billing records and has no effect on traffic flow
- The controller programs forwarding decisions for the whole network, so its compromise could let an attacker reroute or intercept all traffic
- The controller is identical to a traditional router and holds no special privilege
- The controller is a passive packet sniffer with no write access to devices
Correct answer: The controller programs forwarding decisions for the whole network, so its compromise could let an attacker reroute or intercept all traffic
The SDN controller programs forwarding decisions for the whole network, so its compromise could let an attacker reroute, drop, or intercept all traffic across the fabric. Because SDN centralizes the control plane, the controller becomes a single point of extraordinary power and a prime target that requires strong authentication, encrypted southbound and northbound channels, and tight access control. The other descriptions understate the controller's authority over the network.
- A team is deciding where compute, storage, and networking responsibilities sit for a SaaS offering they are buying. Which statement BEST reflects the customer's infrastructure security responsibility in a SaaS model?
- The customer's responsibility narrows mostly to data and access management while the provider secures the underlying infrastructure
- The customer owns the full network, OS, and application stack as in on-premises hosting
- The customer must patch the provider's hypervisors and host operating systems
- The customer is responsible for physical data center security
Correct answer: The customer's responsibility narrows mostly to data and access management while the provider secures the underlying infrastructure
In SaaS, the customer's responsibility narrows mostly to data and access management, while the provider secures the application, OS, virtualization, and physical infrastructure. Responsibility shifts progressively toward the customer as you move from SaaS to PaaS to IaaS. Expecting the customer to patch hypervisors, secure the physical facility, or own the full stack describes IaaS or on-premises, not SaaS.
- A database is replicated synchronously to a standby in a second availability zone so that a committed transaction exists in both locations before it is acknowledged. For BCDR purposes, what does this design primarily drive toward?
- A near-zero RTO with no effect on data loss
- A larger RPO to reduce replication cost
- A near-zero RPO, because almost no committed data is lost on failover
- An MTD that is independent of how data is replicated
Correct answer: A near-zero RPO, because almost no committed data is lost on failover
Synchronous replication that commits to both sites before acknowledgment drives a near-zero RPO, because essentially no committed data is lost when the system fails over. RPO is about data loss, while RTO is about how quickly service is restored, so this design targets RPO specifically. It does not by itself minimize RTO, and choosing it to enlarge RPO would be backwards.
- A virtualization risk review flags that VM snapshots and golden image templates are being stored unencrypted in a shared repository. Why is this a meaningful virtualization-specific risk?
- Snapshots automatically expire and delete all data within minutes
- Snapshots cannot contain any sensitive data, so encryption is unnecessary
- Snapshots and templates can contain memory state, secrets, and full disk images, so unencrypted copies expose sensitive data and can be cloned by an attacker
- Templates are write-only and therefore pose no confidentiality risk
Correct answer: Snapshots and templates can contain memory state, secrets, and full disk images, so unencrypted copies expose sensitive data and can be cloned by an attacker
Snapshots and templates can contain memory state, secrets, and full disk images, so storing them unencrypted exposes sensitive data and lets an attacker clone an entire system. Snapshot and template sprawl is a recognized virtualization risk precisely because these artifacts are portable, long-lived, and rich with data. Claims that they hold no sensitive data, are write-only, or auto-expire misstate how virtualization images behave.
- A regulated organization wants to reduce its blast radius so that compromising the web tier does not automatically grant access to the application and database tiers. Which infrastructure approach BEST achieves this segmentation goal?
- A single flat network so all tiers can communicate freely
- Disabling network access control lists to simplify routing
- Placing all tiers in one security group with allow-all rules
- Microsegmentation that isolates each tier and permits only required flows between them
Correct answer: Microsegmentation that isolates each tier and permits only required flows between them
Microsegmentation that isolates each tier and permits only required flows between them best limits the blast radius, ensuring a compromised web tier cannot reach the application or database tiers except through explicitly allowed paths. Flat networks, disabled ACLs, and allow-all security groups do the opposite by removing the boundaries that contain lateral movement.
- A cloud administrator wants to ensure that even if an attacker steals an administrator's password, they still cannot use the management console. Which control MOST directly protects the management plane against credential theft alone?
- Sharing a single admin account across the operations team
- Allowing password-only logins from any IP address
- Disabling logging on the management console to reduce noise
- Phishing-resistant multi-factor authentication on management-plane access
Correct answer: Phishing-resistant multi-factor authentication on management-plane access
Phishing-resistant multi-factor authentication on management-plane access ensures a stolen password alone is insufficient, because the attacker still lacks the second factor. The management plane's broad authority makes strong, phishing-resistant MFA a baseline control. Password-only logins, shared admin accounts, and disabled logging all weaken accountability and make credential theft more damaging, not less.
- A developer wants to run cloud workloads locally for testing using a hosted hypervisor installed on their laptop's operating system. From a security standpoint, which trade-off should a CCSP highlight about this Type 2 setup?
- It provides stronger isolation than a bare-metal hypervisor in production
- It removes the need to patch the guest operating systems
- It eliminates all attack surface because no host OS is involved
- It adds the host OS as extra attack surface, so a compromise of the host OS can undermine the isolation of the guest VMs
Correct answer: It adds the host OS as extra attack surface, so a compromise of the host OS can undermine the isolation of the guest VMs
A Type 2 (hosted) hypervisor adds the host OS as extra attack surface, so compromising that host OS can undermine the isolation protecting the guest VMs. This is why Type 2 is suited to development and testing rather than production. It does not eliminate attack surface, it generally offers weaker isolation than a bare-metal Type 1 hypervisor, and guests still require patching.
- To curb VM sprawl across a large multi-account cloud estate, which combination of controls is MOST effective at preventing unmanaged virtual machines from accumulating?
- Disabling auto-scaling and relying on ad hoc provisioning
- Manual quarterly spreadsheets maintained by a single engineer
- Automated tagging, lifecycle policies that retire idle instances, and continuous inventory reconciliation
- Removing all monitoring so teams can create instances freely
Correct answer: Automated tagging, lifecycle policies that retire idle instances, and continuous inventory reconciliation
Automated tagging, lifecycle policies that retire idle instances, and continuous inventory reconciliation most effectively prevent VM sprawl by enforcing ownership, automatically reclaiming unused resources, and keeping inventory accurate. Manual spreadsheets do not scale, removing monitoring makes sprawl worse, and disabling automation in favor of ad hoc provisioning encourages exactly the uncontrolled growth the controls are meant to stop.
- A risk assessor evaluates threats unique to the virtualization layer rather than the application or data layers. Which of the following is a virtualization-specific risk that a CCSP should flag?
- A weak password policy for end-user accounts
- A VM escape that breaches hypervisor isolation between co-resident tenants
- A SQL injection flaw in a customer web form
- An expired TLS certificate on a public website
Correct answer: A VM escape that breaches hypervisor isolation between co-resident tenants
A VM escape that breaches hypervisor isolation between co-resident tenants is a virtualization-specific risk, arising from a flaw in the very layer that separates guests on shared hardware. SQL injection, expired certificates, and weak end-user passwords are real risks but live at the application, transport, or identity layers, not the virtualization layer the assessor is examining.
- A payment service is assigned an RTO of 4 hours and an RPO of 15 minutes. The BCDR engineer must choose technologies that satisfy both targets. Which pairing aligns the technology to the correct objective?
- Frequent incremental replication to meet the 15-minute RPO and a warm standby to meet the 4-hour RTO
- Synchronous replication to meet the 4-hour RTO and annual backups to meet the 15-minute RPO
- Hourly backups to meet the 15-minute RPO and a cold site to meet the 4-hour RTO
- A cold site to meet the 15-minute RPO and tape backup to meet the 4-hour RTO
Correct answer: Frequent incremental replication to meet the 15-minute RPO and a warm standby to meet the 4-hour RTO
Frequent incremental replication satisfies the 15-minute RPO (limiting data loss to roughly the replication interval), and a warm standby satisfies the 4-hour RTO (an environment that can be brought online well within four hours). Hourly backups exceed a 15-minute RPO, a cold site is unlikely to restore within four hours, and pairing annual backups or tape with these objectives cannot meet either tight target.
- A platform team is choosing between running microservices in containers on a shared host kernel versus running each service in its own full virtual machine. From an isolation standpoint, which statement is accurate?
- VMs provide stronger isolation through a hypervisor boundary, while containers share the host kernel and rely on namespaces and cgroups
- Containers and VMs provide identical isolation because both virtualize hardware
- VMs share the host kernel, while containers each include a full hypervisor
- Containers always provide stronger isolation than VMs because they are smaller
Correct answer: VMs provide stronger isolation through a hypervisor boundary, while containers share the host kernel and rely on namespaces and cgroups
VMs provide stronger isolation through a hypervisor boundary, while containers share the host kernel and rely on namespaces and control groups (cgroups) for separation. Because containers share the kernel, a kernel-level compromise can affect co-located containers, so smaller size does not equate to stronger isolation. The remaining statements invert how containers and VMs actually work.
- A cloud platform risk assessment uses a qualitative scale combining likelihood and impact. Which pairing correctly reflects how a heat-map-style rating is constructed?
- Impact is ignored and only how often the event occurs determines the rating
- A low-likelihood, low-impact threat is rated as the most severe risk
- Likelihood is ignored and only the asset's purchase cost determines the rating
- A high-likelihood, high-impact threat is rated as the most severe risk requiring priority treatment
Correct answer: A high-likelihood, high-impact threat is rated as the most severe risk requiring priority treatment
A high-likelihood, high-impact threat is rated as the most severe risk requiring priority treatment, which is how a qualitative heat map ranks risks by combining the two dimensions. Treating low-likelihood, low-impact items as most severe is backwards, and rating risk on asset cost alone or frequency alone discards half of the likelihood-times-impact calculation that drives a qualitative assessment.
- An organization is implementing zero trust on top of a software-defined network and wants to know how SDN specifically enables that model. Which capability does SDN provide that supports zero trust?
- Static, manually wired VLANs that cannot change once provisioned
- Programmatic, centralized policy that can enforce identity-aware, least-privilege microsegmentation dynamically across the fabric
- A permanent trusted internal zone where traffic is never inspected
- Elimination of the need to authenticate workloads to one another
Correct answer: Programmatic, centralized policy that can enforce identity-aware, least-privilege microsegmentation dynamically across the fabric
SDN provides programmatic, centralized policy that can enforce identity-aware, least-privilege microsegmentation dynamically across the fabric, which is exactly what zero trust needs to verify and constrain every flow. Zero trust rejects the idea of an implicitly trusted internal zone, static VLANs cannot adapt as identities and context change, and zero trust still requires workloads to authenticate to one another rather than eliminating that need.
- A cloud architect must decide whether a given safeguard belongs to the physical or virtual layer when assigning controls. Which control is properly classified as a PHYSICAL infrastructure security control rather than a virtual one?
- Mantraps and biometric access control at the data center entrance
- Hypervisor-enforced VM isolation between tenants
- Security groups restricting traffic to a virtual machine
- Network access control lists on a virtual subnet
Correct answer: Mantraps and biometric access control at the data center entrance
Mantraps and biometric access control at the data center entrance are physical infrastructure security controls, protecting the tangible facility and hardware. Hypervisor isolation, security groups, and virtual subnet ACLs all operate in the software-defined virtual layer. Correctly classifying a control by layer matters because the shared responsibility model assigns physical-layer protections to the provider and many virtual-layer controls to the customer.
- A development team building a multi-tenant SaaS billing platform is preparing to map their controls to the OWASP Top 10 (2021). They want to address the category that ranked first in that edition because it appeared in 94 percent of tested applications. Which category should they prioritize first?
- Broken Access Control
- Cryptographic Failures
- Server-Side Request Forgery
- Security Misconfiguration
Correct answer: Broken Access Control
Broken Access Control is the category they should prioritize first. In the OWASP Top 10 (2021) edition, Broken Access Control moved into the number one position after being found in roughly 94 percent of applications tested, covering failures such as missing function-level checks, IDOR, and privilege escalation. Cryptographic Failures and Security Misconfiguration are also on the list but ranked lower, and Server-Side Request Forgery was a new entry at the bottom of the list, so none of those is the top-ranked item.
- A cloud security architect is adapting the secure software development lifecycle (SDLC) for a CI/CD pipeline that deploys microservices to a managed Kubernetes service many times per day. They want to apply the principle that security activities should occur in every phase rather than as a single gate before release. Which statement best reflects a secure SDLC applied to cloud delivery?
- Security is delegated entirely to the cloud provider under the shared responsibility model once workloads are containerized
- Security requirements, threat modeling, secure coding, testing, and operational monitoring each occur within their corresponding SDLC phase
- All security testing is consolidated into a single penetration test performed after the application is live in production
- Security review is limited to the requirements phase so that later phases can move at deployment speed
Correct answer: Security requirements, threat modeling, secure coding, testing, and operational monitoring each occur within their corresponding SDLC phase
Embedding security requirements, threat modeling, secure coding, testing, and operational monitoring within each corresponding phase best reflects a secure SDLC in cloud delivery. The secure SDLC distributes security activities across the entire lifecycle so defects are caught early and continuously, which fits rapid cloud deployment. Consolidating everything into one post-launch test, deferring all responsibility to the provider, or limiting security to a single phase all leave large windows of unaddressed risk.
- A security lead must choose a threat modeling approach for a payment application where executives want the model to begin from business objectives, incorporate attacker motivations, and include an attack simulation stage. Which methodology is the risk-centric, attacker-focused approach that aligns business and technical objectives across staged phases?
- PASTA (Process for Attack Simulation and Threat Analysis)
- STRIDE
- DREAD
- ATT&CK
Correct answer: PASTA (Process for Attack Simulation and Threat Analysis)
PASTA is the risk-centric, attacker-focused methodology that aligns business and technical objectives through staged phases, including an attack simulation stage. STRIDE is a model-centric categorization scheme focused on technical threat types, and DREAD is a scoring scheme used to rank threats already identified rather than a full staged process. ATT&CK is a knowledge base of adversary techniques, not a structured threat modeling methodology that starts from business objectives.
- During threat modeling, a team has already enumerated specific threats against an API and now wants to assign each one a numeric severity so they can prioritize remediation. Which approach is specifically designed as a scoring scheme to rank already-identified threats, typically by averaging factor scores?
- Data flow diagramming
- STRIDE
- Misuse cases
- DREAD
Correct answer: DREAD
DREAD is the scoring scheme designed to rank already-identified threats, traditionally by scoring factors such as Damage, Reproducibility, Exploitability, Affected users, and Discoverability and averaging them into a severity rating. STRIDE categorizes threats rather than scoring them, misuse cases describe adversarial scenarios, and data flow diagramming is a modeling technique used to surface threats, not to quantify their severity.
- A team is selecting a threat modeling methodology that decomposes a system and classifies potential threats into Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. A reviewer asks what kind of threat 'Elevation of privilege' represents in this scheme. What does that category describe?
- A component becoming unavailable due to resource exhaustion
- A user gaining capabilities or access rights beyond those they were authorized to have
- An attacker intercepting confidential data in transit between services
- A user denying that they performed an action because no log records it
Correct answer: A user gaining capabilities or access rights beyond those they were authorized to have
In STRIDE, Elevation of privilege describes a user gaining capabilities or access rights beyond those they were authorized to have, such as a standard account obtaining administrator functions. Interception of confidential data maps to Information disclosure, unavailability from resource exhaustion maps to Denial of service, and a user denying an action with no record maps to Repudiation, so those describe other STRIDE categories.
- A platform team deploys a managed Web Application Firewall (WAF) in front of a public e-commerce site. A stakeholder asks, in plain terms, what a WAF is and what it primarily does. Which description is most accurate?
- A security control that inspects and filters HTTP/HTTPS traffic to and from a web application to block attacks such as injection and cross-site scripting
- A network firewall that filters traffic strictly by IP address, port, and protocol at the transport layer
- A key management service that encrypts data at rest in the application's database
- An endpoint agent installed on each user's browser to scan downloaded files for malware
Correct answer: A security control that inspects and filters HTTP/HTTPS traffic to and from a web application to block attacks such as injection and cross-site scripting
A Web Application Firewall is a security control that inspects and filters HTTP and HTTPS traffic to and from a web application, applying rules to block application-layer attacks such as SQL injection and cross-site scripting. It operates at Layer 7 on web request content, unlike a traditional network firewall that filters by IP, port, and protocol. It is neither a browser endpoint scanner nor a key management service for database encryption.
- An organization exposes dozens of internal microservices through a single managed API gateway. From a security standpoint, what is the primary reason to centralize authentication, rate limiting, and request validation at the API gateway?
- It removes the requirement to authorize individual API calls once a token is issued
- It guarantees that backend services cannot be reached except through the public internet
- It eliminates the need for transport encryption between the gateway and backend services
- It provides a single, consistent enforcement point for cross-cutting security controls so each microservice does not have to reimplement them
Correct answer: It provides a single, consistent enforcement point for cross-cutting security controls so each microservice does not have to reimplement them
Centralizing controls at the API gateway provides a single, consistent enforcement point for cross-cutting security functions such as authentication, rate limiting, and request validation, so individual microservices avoid duplicating that logic inconsistently. It does not eliminate the need for transport encryption to backends, does not remove per-call authorization needs, and does not by itself force all traffic through the public internet; private backends are still typical.
- A CISO describes a target operating model in which security responsibilities are embedded into development and operations teams, security testing is automated within the CI/CD pipeline, and developers receive fast feedback on vulnerabilities. Which term best names this cultural and technical practice?
- DevSecOps
- Blue-green deployment
- Waterfall development
- Infrastructure as code
Correct answer: DevSecOps
DevSecOps best names the practice of embedding security responsibilities into development and operations, automating security testing in the CI/CD pipeline, and giving developers fast vulnerability feedback. Waterfall is a sequential lifecycle model, blue-green deployment is a release strategy for reducing downtime, and infrastructure as code is a provisioning technique; none of those specifically describe integrating security culture and automation across the pipeline.
- A security engineer wants an application security testing approach that instruments the running application with agents to observe code execution, data flow, and library calls during functional or interactive testing, combining inside knowledge of the code with runtime behavior. Which testing type is being described?
- Penetration testing
- Interactive Application Security Testing (IAST)
- Static Application Security Testing (SAST)
- Software Composition Analysis (SCA)
Correct answer: Interactive Application Security Testing (IAST)
Interactive Application Security Testing (IAST) instruments the running application with agents to observe code execution, data flow, and library behavior during testing, blending inside knowledge of the code with runtime observation to reduce false positives. SAST analyzes code without executing it, SCA inventories and checks third-party components for known vulnerabilities, and penetration testing is a manual adversarial assessment, so none matches the agent-instrumented runtime description.
- A platform team runs untrusted user-submitted code as part of an online scoring service. They want to execute each submission in an isolated, restricted environment so that even if the code is malicious, it cannot access the host or other tenants. Which security technique are they applying?
- Federation
- Tokenization
- Rate limiting
- Sandboxing
Correct answer: Sandboxing
Sandboxing is the technique of running code in an isolated, restricted environment so that malicious or faulty code cannot reach the host system or other tenants. Tokenization replaces sensitive data values with non-sensitive tokens, federation establishes trust between identity domains, and rate limiting throttles request volume; none of those provides the execution isolation that sandboxing does.
- A team debates two automated testing tools: one scans source code at rest without running the application, and another probes the deployed, running application from the outside by sending crafted requests. How are these two approaches correctly identified?
- The first is DAST and the second is SAST
- Both are forms of DAST because both require access to source code
- Both are forms of SAST because both inspect the application's behavior
- The first is SAST (white-box, no execution) and the second is DAST (black-box, against a running app)
Correct answer: The first is SAST (white-box, no execution) and the second is DAST (black-box, against a running app)
The tool that scans source code at rest without execution is SAST, a white-box technique, and the tool that probes the running application from the outside with crafted requests is DAST, a black-box technique. Reversing those labels is incorrect, and the claim that both are SAST or both are DAST is wrong because SAST and DAST differ precisely in whether the code is executed and whether source access is required.
- A startup releasing a public REST API wants to map its design against the OWASP API Security Top 10. Which risk specifically describes an API that fails to restrict how often or how much clients can call resources, leading to denial of service or excessive cost?
- Security Misconfiguration
- Improper Inventory Management
- Unrestricted Resource Consumption
- Broken Object Level Authorization
Correct answer: Unrestricted Resource Consumption
Unrestricted Resource Consumption is the OWASP API risk describing an API that fails to limit how often or how much clients can consume, enabling denial of service or runaway cloud costs; it is addressed with rate limiting, payload size limits, and quotas. Broken Object Level Authorization concerns accessing objects belonging to other users, Security Misconfiguration covers insecure defaults, and Improper Inventory Management concerns undocumented or shadow API endpoints.
- A retailer migrating to containers wants a deployment practice that minimizes the attack surface of each running container image. Which practice most directly reduces the components an attacker could exploit inside the image?
- Running every container as root to avoid permission errors during startup
- Embedding long-lived cloud credentials inside the image so the app can authenticate
- Building from a minimal or distroless base image that includes only what the application needs to run
- Disabling image scanning to speed up the build pipeline
Correct answer: Building from a minimal or distroless base image that includes only what the application needs to run
Building from a minimal or distroless base image that contains only what the application needs most directly reduces the attack surface, because fewer packages, shells, and utilities mean fewer exploitable components. Running as root expands privilege if the container is compromised, embedding long-lived credentials creates a high-value secret in the image, and disabling scanning hides known vulnerabilities, so all of those increase rather than reduce risk.
- A bank's serverless team builds an application from many functions triggered by events. A reviewer notes that a key application-security concern unique to serverless is that each function may be invoked from multiple event sources. Why does this matter for input validation?
- Each function must validate and sanitize input from every possible trigger, because event data from queues, storage events, or HTTP calls can all be attacker-influenced
- Serverless functions cannot receive untrusted input, so input validation is unnecessary
- Input validation is only required for functions exposed directly through an HTTP endpoint
- The cloud provider validates all event payloads before invoking the function
Correct answer: Each function must validate and sanitize input from every possible trigger, because event data from queues, storage events, or HTTP calls can all be attacker-influenced
Each serverless function must validate and sanitize input from every possible trigger because event data arriving from message queues, storage events, database streams, or HTTP calls can all be attacker-influenced, expanding the injection surface beyond just HTTP. It is incorrect that serverless functions receive only trusted input, that the provider sanitizes payloads for the application, or that only HTTP-triggered functions need validation; non-HTTP event sources are a common blind spot.
- An enterprise running workloads across two public cloud providers wants consistent application-security governance despite different native services and policy languages. Which approach best supports effective multi-cloud governance for application security?
- Defining provider-agnostic security policies and baselines, then enforcing them with tooling that abstracts each cloud's native controls
- Allowing each application team to choose its own controls per cloud with no central baseline
- Adopting whichever security defaults each provider ships and avoiding any cross-cloud standardization
- Consolidating all workloads into one provider's proprietary services to eliminate governance differences
Correct answer: Defining provider-agnostic security policies and baselines, then enforcing them with tooling that abstracts each cloud's native controls
Defining provider-agnostic security policies and baselines and enforcing them with tooling that abstracts each cloud's native controls best supports multi-cloud application-security governance, because it preserves a consistent standard while accommodating differing native services. Simply accepting each provider's defaults, letting every team improvise per cloud, or force-consolidating onto one proprietary stack either creates inconsistency or defeats the stated multi-cloud requirement.
- A development team integrates an automated check into the pipeline that inventories all open-source libraries in the build and flags any with known CVEs or non-compliant licenses. The result of this check shows a high-severity transitive dependency. Which testing category produced this finding?
- Dynamic Application Security Testing (DAST)
- Software Composition Analysis (SCA)
- Manual code review
- Fuzz testing
Correct answer: Software Composition Analysis (SCA)
Software Composition Analysis (SCA) produced this finding, because SCA inventories open-source and third-party components, including transitive dependencies, and flags those with known CVEs or problematic licenses. DAST tests a running application's responses, fuzz testing sends malformed inputs to provoke crashes, and manual code review relies on human inspection; none of those is the automated dependency-and-license inventory that SCA performs.
- A team adds a control that runs inside the production application, monitors its own execution at runtime, and can block attacks such as injection by detecting malicious behavior as requests are processed. Which application security technology is this?
- Runtime Application Self-Protection (RASP)
- A Software Bill of Materials (SBOM)
- Static Application Security Testing (SAST)
- A configuration management database (CMDB)
Correct answer: Runtime Application Self-Protection (RASP)
Runtime Application Self-Protection (RASP) runs inside the production application, monitors its own execution, and can detect and block attacks such as injection as requests are processed. SAST analyzes code before runtime, an SBOM is an inventory of software components rather than an active defense, and a CMDB tracks IT assets; none of those provides the in-application runtime self-defense that RASP does.
- A SaaS provider lets customers authenticate using their own corporate identity provider so that the provider never stores customer passwords. The corporate IdP asserts the user's identity to the application after the user authenticates at the IdP. Which capability is the SaaS application relying on?
- Multi-factor authentication enforced locally by the application
- Certificate pinning between the browser and the application
- Tokenization of stored credentials in the application database
- Federated identity, where an external identity provider asserts authentication to the relying application
Correct answer: Federated identity, where an external identity provider asserts authentication to the relying application
The application is relying on federated identity, in which an external identity provider authenticates the user and asserts that identity to the relying application, so the application never stores customer passwords. Locally enforced multi-factor authentication, tokenization of stored credentials, and certificate pinning are distinct controls that do not, by themselves, delegate authentication to an external corporate IdP.
- A developer wants to ensure that a JSON Web Token (JWT) presented to an API cannot be silently accepted with no signature verification. Which validation step most directly prevents an attacker from forging a token by abusing the token's algorithm field?
- Validating only the token's expiration claim and ignoring the signature
- Base64-decoding the payload and checking that the claims look reasonable
- Rejecting tokens whose signing algorithm is 'none' and validating the signature against an expected, server-controlled algorithm and key
- Trusting the algorithm specified in the token header so the server stays flexible across clients
Correct answer: Rejecting tokens whose signing algorithm is 'none' and validating the signature against an expected, server-controlled algorithm and key
Rejecting tokens that specify an algorithm of 'none' and validating the signature against a server-controlled expected algorithm and key most directly prevents algorithm-confusion and unsigned-token forgery. Trusting the client-supplied algorithm header lets an attacker downgrade or swap algorithms, checking only expiration ignores forgery entirely, and merely decoding and eyeballing the payload performs no cryptographic verification at all.
- An application stores objects in cloud storage and generates URLs so users can download their files. A penetration tester changes a numeric object ID in the URL and retrieves another customer's file. Which secure coding failure does this scenario demonstrate, and what is the appropriate fix?
- Injection; sanitize the object ID before using it in a query
- Cryptographic failure; encrypt the object IDs in the URL
- Broken object-level authorization; enforce an ownership check on every request rather than relying on unguessable identifiers
- Security misconfiguration; disable directory listing on the storage bucket
Correct answer: Broken object-level authorization; enforce an ownership check on every request rather than relying on unguessable identifiers
This demonstrates broken object-level authorization, and the appropriate fix is to enforce an ownership or authorization check on every request so a user can only access objects they own, rather than relying on identifiers being hard to guess. Encrypting IDs, disabling directory listing, or sanitizing input do not address the core problem, which is the missing per-object authorization decision.
- A team practicing DevSecOps wants developers to be alerted to insecure code patterns as early as possible, ideally as they write code, to lower remediation cost. Which placement of automated security testing best embodies the 'shift left' principle?
- Running all security scans only in a nightly job after code is merged to the main branch
- Running security tests exclusively during the production release approval gate
- Deferring security testing until an annual third-party penetration test
- Running fast SAST and secret scanning in the IDE and at commit/pull-request time before code merges
Correct answer: Running fast SAST and secret scanning in the IDE and at commit/pull-request time before code merges
Running fast SAST and secret scanning in the IDE and at commit or pull-request time before code merges best embodies shifting left, because it surfaces issues at the earliest, cheapest point to fix them. Nightly post-merge jobs, a single production release gate, or an annual external pen test all detect issues much later, increasing remediation cost and contradicting the shift-left goal.
- During a design review for a healthcare app, the architects realize a missing rate-limit and weak account-recovery flow are not coding bugs but flaws in how the system was conceived. Which OWASP Top 10 (2021) category specifically covers this class of weakness arising before any code is written?
- Identification and Authentication Failures
- Insecure Design
- Software and Data Integrity Failures
- Vulnerable and Outdated Components
Correct answer: Insecure Design
Insecure Design is the OWASP Top 10 (2021) category that specifically covers weaknesses arising from missing or ineffective security controls at the design stage, before code exists, and it emphasizes threat modeling and secure design patterns. Vulnerable and Outdated Components, Identification and Authentication Failures, and Software and Data Integrity Failures address other concerns and do not capture the idea that the flaw is in the system's conception rather than its implementation.
- A pipeline pulls a base container image and several build dependencies from public registries. To defend against a supply-chain attack where a tampered or malicious component is introduced, which combination of controls is most appropriate?
- Verify signatures or digests of images and dependencies, pin versions, and scan artifacts before promotion
- Always pull the 'latest' tag so the newest patched version is used automatically
- Trust any image from a popular public registry without verification to keep builds fast
- Build only from images that have the most download stars on the registry
Correct answer: Verify signatures or digests of images and dependencies, pin versions, and scan artifacts before promotion
Verifying signatures or content digests, pinning versions, and scanning artifacts before promotion is the most appropriate combination against software-supply-chain tampering, because it confirms provenance and integrity and catches known vulnerabilities. Pulling 'latest' yields unpredictable, unverified content, blind trust of popular registries ignores provenance, and choosing images by popularity is not a security control at all.
- A cloud application uses an OAuth 2.0 authorization flow for a public single-page application that cannot keep a client secret confidential. Which extension is recommended to protect the authorization code from interception during the exchange?
- HTTP Basic authentication on the token endpoint
- Proof Key for Code Exchange (PKCE)
- Client credentials grant with a stored secret
- The implicit grant returning tokens in the URL fragment
Correct answer: Proof Key for Code Exchange (PKCE)
Proof Key for Code Exchange (PKCE) is recommended to protect the authorization code for public clients such as single-page and mobile apps that cannot safely store a secret, because it binds the code to a dynamically generated verifier. The client credentials grant is for machine-to-machine flows with a confidential secret, HTTP Basic on the token endpoint assumes a usable secret, and the implicit grant is now discouraged precisely because returning tokens in the URL fragment is less secure.
- A security architect is documenting a 'secure by default' requirement for a new microservice. Which configuration choice best reflects secure defaults at deployment?
- The service enables all optional features and ports by default to maximize compatibility
- The service denies access unless a request is explicitly authorized and ships with verbose error details disabled
- The service returns full stack traces to clients to speed up debugging in production
- The service grants broad access initially so teams can lock it down after launch
Correct answer: The service denies access unless a request is explicitly authorized and ships with verbose error details disabled
A service that denies access unless a request is explicitly authorized and ships with verbose error details disabled best reflects secure defaults, applying default-deny and least-functionality principles. Granting broad access to tighten later, exposing full stack traces to clients, and enabling all features and ports by default each increase attack surface and information leakage, the opposite of secure-by-default design.
- A team wants to validate that their application correctly enforces an output-handling rule: any user-supplied content reflected into an HTML page must be made safe for that context. A reviewer asks which defense is the primary, most reliable mitigation for cross-site scripting in this scenario.
- Context-aware output encoding of untrusted data at the point it is rendered
- Setting a long session timeout to reduce repeated logins
- Blocking the single quote character in all form fields
- Storing all user content in an encrypted database column
Correct answer: Context-aware output encoding of untrusted data at the point it is rendered
Context-aware output encoding of untrusted data at the point it is rendered is the primary, most reliable mitigation for cross-site scripting, because it neutralizes markup for the specific output context such as HTML body, attribute, or JavaScript. Encrypting the database column protects data at rest but not rendering, session timeouts are unrelated to XSS, and blindly blocking a single character is incomplete and easily bypassed.
- A vendor delivers an application as a container and provides a machine-readable list of every component, library, and version it contains. A customer's security team plans to use this artifact when a new critical vulnerability is announced. How does a Software Bill of Materials (SBOM) help in that moment?
- It serves as the application's runtime firewall policy
- It automatically patches any vulnerable component listed within it
- It encrypts the application's source code to prevent reverse engineering
- It lets the team quickly determine whether the affected component and version are present so they can assess exposure
Correct answer: It lets the team quickly determine whether the affected component and version are present so they can assess exposure
An SBOM lets the team quickly determine whether the affected component and version are present, so they can assess exposure and prioritize response when a new critical vulnerability is disclosed. An SBOM is an inventory, not an automated patcher, not a source-code encryption mechanism, and not a runtime firewall policy, so those descriptions misstate its purpose.
- An API design team must decide how to handle authorization for an endpoint that returns a list of records. They want to prevent a user from receiving records that belong to other tenants in a shared multi-tenant cloud database. Which control most directly enforces this at the data-access layer?
- Relying on the client application to filter out records that do not belong to the user
- Trusting a tenant identifier supplied in the request body without verification
- Scoping every query to the authenticated tenant or user context server-side so results cannot include other tenants' records
- Returning all records and marking unauthorized ones as hidden in the UI
Correct answer: Scoping every query to the authenticated tenant or user context server-side so results cannot include other tenants' records
Scoping every query to the authenticated tenant or user context on the server side so results cannot include other tenants' records most directly enforces tenant isolation at the data-access layer. Client-side filtering, UI-level hiding, and trusting a client-supplied tenant identifier all leave the actual data accessible or spoofable, because the authorization decision must be made and enforced server-side, not on data already returned or on unverified input.
- A cloud SOC analyst is asked to explain, in one sentence, what a SIEM platform fundamentally does. Which description is most accurate?
- It is a tool that automatically applies operating system patches to cloud virtual machines on a schedule
- It is a firewall that filters inbound and outbound traffic based on IP addresses and ports
- It is a key management service that generates and rotates encryption keys for stored data
- It is a centralized platform that collects, normalizes, and correlates log and event data from many sources to detect, alert on, and support investigation of security events
Correct answer: It is a centralized platform that collects, normalizes, and correlates log and event data from many sources to detect, alert on, and support investigation of security events
A SIEM (Security Information and Event Management) platform centrally collects, normalizes, and correlates logs and events from across the environment so that suspicious patterns can be detected, alerted on, and investigated. It is fundamentally a detection and analysis tool, not a patching service, firewall, or key manager. The correlation across many sources is what lets a SIEM surface incidents that individual logs would miss.
- An organization is documenting its operations processes and wants to distinguish change management from configuration management. Which statement correctly describes the difference?
- Change management governs how alterations are requested, reviewed, approved, and deployed, while configuration management records and maintains the accurate state and relationships of the items being changed
- Change management applies only to hardware, while configuration management applies only to software
- Change management records the current state of all assets, while configuration management approves new deployments
- They are identical processes with two interchangeable names
Correct answer: Change management governs how alterations are requested, reviewed, approved, and deployed, while configuration management records and maintains the accurate state and relationships of the items being changed
Change management governs the controlled process of requesting, reviewing, approving, and deploying alterations, whereas configuration management identifies, records, and maintains the accurate state and relationships of configuration items (often in a CMDB). The two are complementary: configuration management supplies the accurate baseline data that change management relies on to assess impact. They are not the same process, and neither is limited to only hardware or only software.
- During a forensic investigation in a public IaaS environment, an investigator needs to acquire a virtual machine's volatile memory and disk while preserving evidentiary integrity. Which cloud-specific challenge most directly complicates this acquisition?
- The impossibility of taking a snapshot of a running virtual machine
- Limited physical access to the underlying hardware and reliance on provider tooling, snapshots, and APIs to acquire evidence
- The complete absence of any logging capability in IaaS
- The requirement that all cloud evidence be printed on paper before analysis
Correct answer: Limited physical access to the underlying hardware and reliance on provider tooling, snapshots, and APIs to acquire evidence
Cloud digital forensics is complicated because the investigator cannot physically seize the underlying hardware and must rely on provider snapshots, APIs, and tooling to capture memory and disk images. This dependence on the provider, combined with multi-tenancy and dynamic resources, makes acquisition and preservation harder than in on-premises environments. IaaS does support logging and live snapshots, and evidence is handled digitally, so those other statements are false.
- A team is building an incident response plan tailored to its cloud deployment. Which element is most important to include that would be less critical in a purely on-premises plan?
- A rule that only the marketing team may declare an incident
- Defined coordination procedures and contact paths with the cloud service provider, reflecting shared-responsibility boundaries for detection, evidence, and remediation
- A requirement to physically unplug affected servers from the wall
- A mandate to disable all logging during an active incident to save costs
Correct answer: Defined coordination procedures and contact paths with the cloud service provider, reflecting shared-responsibility boundaries for detection, evidence, and remediation
A cloud incident response plan must define how the customer coordinates with the cloud service provider, because the shared-responsibility model splits visibility, evidence access, and remediation authority between the parties. Knowing escalation contacts and what the provider will and will not do during an incident is essential and has no equivalent on-premises. Physically unplugging servers is impossible in the cloud, disabling logging destroys evidence, and incident declaration belongs to qualified responders, not marketing.
- A cloud security team wants a log management strategy that supports both real-time detection and later forensic investigation. Which design best meets these goals?
- Allow every developer unrestricted write and delete access to the central log store
- Keep logs only in the application's memory and never write them to disk
- Store logs only on each individual virtual machine and delete them on every reboot
- Centralize logs into a tamper-resistant, time-synchronized repository with defined retention, access controls, and integrity protection, feeding both a SIEM and long-term archival storage
Correct answer: Centralize logs into a tamper-resistant, time-synchronized repository with defined retention, access controls, and integrity protection, feeding both a SIEM and long-term archival storage
Effective cloud log management centralizes logs into a tamper-resistant, time-synchronized repository with retention policies, access controls, and integrity protection, then feeds both a SIEM for real-time detection and archival storage for later forensics. Logs kept only locally are lost when instances are terminated, in-memory logs vanish on restart, and unrestricted write/delete access destroys the integrity needed for investigations. Accurate timestamps and protection against tampering are what make logs admissible and useful.
- An operations team must apply security patches to a fleet of cloud servers built from a hardened baseline image. Which patch management practice best preserves the integrity of that baseline over time?
- Patch only the development environment and leave production unpatched to avoid downtime
- Apply patches manually and differently to each instance so no two are alike
- Skip patching entirely as long as a firewall is present
- Rebuild or update the golden baseline image with tested patches and redeploy instances from it, rather than only patching live instances in place
Correct answer: Rebuild or update the golden baseline image with tested patches and redeploy instances from it, rather than only patching live instances in place
Updating the hardened baseline (golden) image with tested patches and redeploying instances from it keeps the entire fleet consistent and prevents configuration drift, which is the core link between patch management and baselines. Patching each instance differently in place causes drift and undermines the baseline, skipping patches leaves known vulnerabilities open, and leaving production unpatched defeats the purpose. This image-based approach aligns with immutable infrastructure practices.
- A new cloud operations manager wants to understand what ITIL is and why it matters for cloud security operations. Which description is correct?
- ITIL is a network protocol that replaces TLS for securing data in transit
- ITIL is an encryption algorithm used to protect data at rest in the cloud
- ITIL is a hardware appliance that performs deep packet inspection
- ITIL is a widely adopted framework of best practices for IT service management, covering processes such as incident, problem, change, and configuration management
Correct answer: ITIL is a widely adopted framework of best practices for IT service management, covering processes such as incident, problem, change, and configuration management
ITIL (Information Technology Infrastructure Library) is a globally recognized framework of best practices for IT service management, defining processes such as incident, problem, change, release, and configuration management. It provides the operational discipline that underpins many cloud security operations, including how changes are controlled and incidents are handled. It is not an encryption algorithm, a network protocol, or a hardware appliance.
- A cloud SOC is being designed to monitor a multi-cloud estate. Which capability is the core mission of a security operations center?
- Approving employee expense reports and travel requests
- Designing the visual layout of customer-facing web pages
- Negotiating commercial pricing and licensing terms with cloud vendors
- Continuous monitoring, detection, triage, and response to security events across the environment
Correct answer: Continuous monitoring, detection, triage, and response to security events across the environment
A security operations center (SOC) exists to provide continuous monitoring, detection, triage, and response to security events across the environment, often around the clock. In a multi-cloud estate it correlates signals from each provider to give unified visibility. Vendor pricing, web design, and expense approvals are unrelated business functions outside the SOC's mission.
- An administrator must make an emergency fix to a production cloud system after a severe outage, with no time for the normal review board to convene. Which change management mechanism is designed for this situation?
- An emergency change process with expedited approval and mandatory post-implementation review
- Reclassifying the outage as a feature request
- Skipping change management entirely and never documenting the change
- Waiting for the next quarterly change window regardless of the outage
Correct answer: An emergency change process with expedited approval and mandatory post-implementation review
An emergency change process provides an expedited, pre-defined path to approve and implement urgent fixes quickly, followed by a mandatory post-implementation review to ensure the change was appropriate and documented. This balances speed with accountability. Skipping change control altogether removes traceability, waiting for a quarterly window prolongs the outage, and reclassifying the incident does not address it.
- A SOC wants to improve detection without overwhelming analysts. Which approach best reduces false positives while still catching real cloud threats?
- Disabling alerting entirely to eliminate false positives
- Setting every detection rule to its most sensitive threshold and alerting on each raw log line
- Tuning detection rules and correlating multiple signals so that alerts reflect higher-confidence, context-rich events
- Forwarding all alerts directly to executives without triage
Correct answer: Tuning detection rules and correlating multiple signals so that alerts reflect higher-confidence, context-rich events
Tuning detection rules and correlating multiple signals raises the confidence and context of each alert, cutting false positives while preserving the ability to catch genuine threats. Maxing out sensitivity on every rule floods analysts with noise (alert fatigue), disabling alerting blinds the SOC, and sending untriaged alerts to executives is not a detection improvement. Correlation is the key lever that turns raw events into actionable signal.
- In the context of cloud forensics, why is establishing a precise and synchronized time source across systems especially important?
- Accurate time eliminates the need to preserve any evidence
- Time synchronization automatically encrypts all log files
- Synchronized time reduces the cost of object storage
- Accurate, synchronized timestamps allow investigators to correlate events across distributed cloud services and build a reliable timeline of an incident
Correct answer: Accurate, synchronized timestamps allow investigators to correlate events across distributed cloud services and build a reliable timeline of an incident
Accurate, synchronized time (for example via NTP) lets investigators correlate events across many distributed cloud services and reconstruct a trustworthy incident timeline, which is central to cloud forensics. Without consistent timestamps, ordering events across services and accounts becomes unreliable. Time synchronization does not lower storage costs, encrypt logs, or remove the need to preserve evidence.
- A team is selecting a deployment model for a cloud-native SIEM and wants to minimize the operational burden of scaling log ingestion. Which option best fits a small security team?
- A managed, cloud-native SIEM service where the provider handles scaling of ingestion, storage, and search
- Emailing daily log summaries to analysts for manual review
- A single self-hosted SIEM server with no ability to add capacity
- Manually grepping logs on each virtual machine during incidents
Correct answer: A managed, cloud-native SIEM service where the provider handles scaling of ingestion, storage, and search
A managed, cloud-native SIEM offloads the scaling of ingestion, storage, and search to the provider, which suits a small team that cannot operate large analytics infrastructure. A single non-scalable server becomes a bottleneck as log volume grows, manual grepping does not scale or correlate, and emailed summaries miss real-time detection. The managed model lets the team focus on detection content rather than platform operations.
- During incident response in the cloud, an analyst isolates a compromised workload but wants to preserve it for investigation rather than terminate it. Which containment action best supports later forensics?
- Immediately delete the instance to stop the attacker
- Snapshot the instance and its volumes, then quarantine it by restricting its network access while keeping it intact for analysis
- Leave the instance fully connected so monitoring continues unchanged
- Reboot the instance repeatedly to clear the threat
Correct answer: Snapshot the instance and its volumes, then quarantine it by restricting its network access while keeping it intact for analysis
Snapshotting the instance and its volumes, then quarantining it with restrictive network rules, contains the threat while preserving volatile and disk state for forensic analysis. Deleting the instance destroys evidence, repeated reboots wipe memory artifacts, and leaving it fully connected allows the attacker to continue or pivot. Containment in the cloud should isolate without eliminating the evidence the investigation needs.
- Which practice best ensures that log data used as evidence in a cloud investigation can be trusted as unaltered?
- Rotating logs out of existence every hour with no archive
- Writing logs to immutable, append-only storage with integrity hashing and restricted deletion permissions
- Granting application service accounts permission to overwrite historical logs
- Storing logs only on the same instance that generates them
Correct answer: Writing logs to immutable, append-only storage with integrity hashing and restricted deletion permissions
Writing logs to immutable, append-only storage with integrity hashing and tightly restricted deletion ensures that recorded events cannot be silently altered, which is what makes them trustworthy as evidence. Allowing services to overwrite logs, keeping logs only on the generating host, or rotating them away with no archive all destroy the integrity and availability needed for investigations. Immutability and integrity protection are core to defensible log management.
- A vulnerability management program for a cloud estate prioritizes which patches to apply first. Which factor should most influence the prioritization?
- The alphabetical order of the affected hostnames
- The severity of the vulnerability combined with the exposure and criticality of the affected asset
- Whichever vendor most recently sent a sales email
- The age of the server hardware in the provider's data center
Correct answer: The severity of the vulnerability combined with the exposure and criticality of the affected asset
Patch prioritization should be driven by risk, which combines the severity of the vulnerability (for example CVSS and known exploitation) with the exposure and business criticality of the affected asset. A high-severity flaw on an internet-facing, business-critical system warrants faster remediation than a low-severity one on an isolated test box. Hostname ordering, vendor emails, and hardware age are irrelevant to risk-based prioritization.
- A cloud operations team adopts ITIL's problem management process. How does problem management differ from incident management?
- Both processes only apply to hardware failures
- Incident management restores normal service as quickly as possible, while problem management investigates and removes the underlying root cause to prevent recurrence
- Problem management is the same as change approval
- Incident management finds root causes, while problem management restores service quickly
Correct answer: Incident management restores normal service as quickly as possible, while problem management investigates and removes the underlying root cause to prevent recurrence
In ITIL, incident management focuses on restoring normal service operation as quickly as possible to limit business impact, while problem management investigates and eliminates the root cause so the issue does not recur. The two work together: incident management treats symptoms, and problem management addresses the disease. Neither is limited to hardware, and problem management is distinct from change approval.
- A configuration management database (CMDB) is being introduced for a cloud environment. What is its primary security operations value?
- It replaces the need for any access controls
- It provides an authoritative inventory of configuration items and their relationships, supporting impact analysis for changes and faster incident scoping
- It encrypts all data in transit between microservices
- It generates marketing analytics for the sales team
Correct answer: It provides an authoritative inventory of configuration items and their relationships, supporting impact analysis for changes and faster incident scoping
A CMDB provides an authoritative record of configuration items and how they relate, which lets teams analyze the impact of proposed changes and quickly scope which assets are affected during an incident. This inventory underpins both change management and incident response. A CMDB does not encrypt traffic, replace access controls, or produce marketing analytics.
- A SOC analyst notices that an attacker erased local logs on a compromised cloud instance after gaining access. Which prior control would have most reduced the impact of this anti-forensic action?
- Increasing the instance's CPU allocation
- Disabling the SIEM to reduce log volume
- Forwarding logs in near real time to a separate, access-controlled central repository the compromised host cannot modify
- Storing logs only on the same instance with stronger file permissions
Correct answer: Forwarding logs in near real time to a separate, access-controlled central repository the compromised host cannot modify
Forwarding logs in near real time to a separate, access-controlled central repository means that even if an attacker wipes the local copy, the evidence already resides somewhere the compromised host cannot reach. Keeping logs only on the host, even with better permissions, still leaves them within the attacker's reach once the host is owned. Adding CPU or disabling the SIEM does nothing to protect log evidence. Off-host centralization is the key safeguard.
- When responding to a confirmed cloud account compromise, which action should typically come first in the response workflow?
- Containment, such as revoking the compromised credentials and isolating affected resources, to stop ongoing damage
- Writing the final lessons-learned report
- Deleting all logs related to the incident
- Publicly announcing the breach before any analysis
Correct answer: Containment, such as revoking the compromised credentials and isolating affected resources, to stop ongoing damage
After detection and analysis confirm a compromise, containment comes next: revoking the compromised credentials and isolating affected resources halts ongoing damage before eradication and recovery. The lessons-learned report is part of the post-incident phase, premature public announcements can be inaccurate and legally risky, and deleting logs destroys the evidence needed to investigate. Stopping the bleeding precedes long-term fixes.
- A cloud team wants to enforce that only reviewed and approved changes reach production infrastructure defined as code. Which control best operationalizes change management in this pipeline?
- Approving changes only verbally with no record
- Disabling version control to speed up deployments
- Allowing any engineer to apply infrastructure changes directly to production without review
- Requiring peer-reviewed, version-controlled pull requests with automated policy checks and approval gates before infrastructure-as-code changes deploy
Correct answer: Requiring peer-reviewed, version-controlled pull requests with automated policy checks and approval gates before infrastructure-as-code changes deploy
Requiring peer-reviewed, version-controlled pull requests with automated policy checks and approval gates embeds change management directly into the infrastructure-as-code pipeline, ensuring changes are reviewed, recorded, and authorized before deployment. Direct unreviewed production changes, disabling version control, and verbal-only approvals all remove the traceability and control that change management requires. This is how modern DevSecOps enforces controlled change.
- A regulated organization must define how long to keep cloud security logs to support both detection and potential legal investigations. Which factor most directly drives the required retention period?
- Applicable legal, regulatory, and contractual requirements together with the organization's investigation and forensic needs
- The color scheme of the SIEM dashboard
- The brand of laptop used by the security team
- The number of analysts on the night shift
Correct answer: Applicable legal, regulatory, and contractual requirements together with the organization's investigation and forensic needs
Log retention periods are driven primarily by applicable legal, regulatory, and contractual obligations along with the organization's own investigation and forensic needs, since some inquiries surface long after an event. These requirements dictate minimum retention to ensure evidence is available when needed. Dashboard styling, staffing levels, and hardware brands have no bearing on how long logs must be kept.
- A SOAR platform is integrated with a cloud SOC. Which scenario best illustrates the value SOAR adds beyond a standalone SIEM?
- Negotiating the cloud provider contract renewal
- Automatically executing a predefined playbook that isolates a host, disables a compromised account, and opens a ticket when the SIEM raises a high-confidence alert
- Rendering 3D graphics for security awareness videos
- Storing encryption keys for data at rest
Correct answer: Automatically executing a predefined playbook that isolates a host, disables a compromised account, and opens a ticket when the SIEM raises a high-confidence alert
SOAR (Security Orchestration, Automation, and Response) adds value by automatically executing predefined playbooks (orchestrating actions across tools) when a SIEM raises a high-confidence alert, for example isolating a host, disabling an account, and opening a ticket. This reduces response time and analyst toil that a SIEM alone cannot. Key storage, graphics rendering, and contract negotiation are unrelated to SOAR's role.
- Which practice best maintains an accurate, secure configuration baseline as a cloud environment evolves?
- Defining the baseline once and never checking instances against it again
- Continuously monitoring for configuration drift and automatically remediating deviations back to the approved baseline
- Removing all configuration standards to maximize developer freedom
- Letting each team invent its own undocumented baseline
Correct answer: Continuously monitoring for configuration drift and automatically remediating deviations back to the approved baseline
Continuously monitoring for configuration drift and automatically remediating deviations keeps deployed systems aligned with the approved secure baseline as the environment changes. A baseline defined once and never re-checked steadily drifts, per-team undocumented baselines create inconsistency, and removing standards eliminates the control entirely. Drift detection and remediation are what keep a baseline meaningful over time.
- An organization wants to validate that its cloud incident response plan actually works before a real crisis. Beyond tabletop exercises, which activity provides the most realistic test of response capabilities?
- Assuming the plan works because it has never been used
- A simulated incident or red-team exercise in a controlled environment that exercises detection, communication, and technical response end to end
- Reading the plan aloud once a year with no actions taken
- Storing the plan in a locked drawer that no responder can access
Correct answer: A simulated incident or red-team exercise in a controlled environment that exercises detection, communication, and technical response end to end
A simulated incident or red-team exercise in a controlled environment exercises detection, communication, and technical response end to end, providing the most realistic validation of the plan beyond discussion-based tabletops. Merely reading the plan, locking it away from responders, or assuming it works without testing all leave gaps undiscovered until a real incident. Realistic exercises reveal whether tooling, runbooks, and people actually perform under pressure.
- A cloud provider and customer disagree during an investigation about who can access certain underlying logs. Which artifact most directly clarifies each party's responsibilities and access rights for evidence?
- The contract and shared-responsibility documentation, including any SLA or addenda defining log access, retention, and incident cooperation
- The provider's quarterly marketing newsletter
- An informal verbal promise made during a sales demo
- The customer's office floor plan
Correct answer: The contract and shared-responsibility documentation, including any SLA or addenda defining log access, retention, and incident cooperation
The contract and shared-responsibility documentation, including SLA terms and addenda covering log access, retention, and incident cooperation, define which party can obtain which evidence and under what conditions. These written terms govern forensic access in the cloud. Marketing newsletters, verbal sales promises, and office floor plans carry no contractual weight for evidence access.
- A DevSecOps team wants security operations to scale with rapid cloud deployments. Which integration most directly embeds operational security into the deployment pipeline?
- Security involvement only after a breach has occurred
- Automated security testing, configuration scanning, and policy checks running within the CI/CD pipeline as gates before deployment
- A manual security review performed months after every release ships
- Disabling pipeline checks to deploy faster
Correct answer: Automated security testing, configuration scanning, and policy checks running within the CI/CD pipeline as gates before deployment
Embedding automated security testing, configuration scanning, and policy checks as gates within the CI/CD pipeline shifts security operations left so issues are caught before deployment, keeping pace with rapid releases. Post-release manual reviews months later, engaging security only after a breach, or disabling checks all undermine operational security. Automated gates are how DevSecOps scales security with deployment velocity.
- A SOC measures how long it takes to contain and remediate confirmed incidents to gauge response effectiveness. Which metric captures this?
- The number of marketing emails sent per quarter
- The total storage capacity of the object store
- The CPU clock speed of the SIEM server
- Mean time to respond/remediate (MTTR), the average time from detection to containment and resolution
Correct answer: Mean time to respond/remediate (MTTR), the average time from detection to containment and resolution
Mean time to respond/remediate (MTTR) measures the average time from detecting an incident to containing and resolving it, directly reflecting response effectiveness. Lowering MTTR limits the damage an incident can cause. Email counts, storage capacity, and CPU clock speed are operational trivia unrelated to incident response performance.
- An organization runs workloads across multiple cloud providers and wants consistent security operations governance. Which approach best addresses multi-cloud operational complexity?
- Trusting that each provider's defaults are sufficient and doing nothing further
- Picking one provider's console at random to watch and ignoring the others
- Centralizing monitoring, policy, and logging through tools that normalize signals across providers into a unified view and consistent controls
- Managing each provider in a completely separate silo with no shared visibility
Correct answer: Centralizing monitoring, policy, and logging through tools that normalize signals across providers into a unified view and consistent controls
Centralizing monitoring, policy, and logging through tools that normalize signals across providers gives a unified view and consistent controls, which is essential for governing multi-cloud security operations. Siloed management creates blind spots, relying on provider defaults leaves gaps unaddressed, and watching only one console ignores real risk elsewhere. Normalization and centralization are what make multi-cloud governance workable.
- A security operations team wants ongoing assurance that newly deployed cloud workloads do not introduce known vulnerabilities between formal assessments. Which practice best provides this continuous assurance?
- Automated, continuous vulnerability scanning of workloads and images integrated into operations and the deployment pipeline
- Scanning only after a customer reports a problem
- Relying solely on the firewall to block all exploits
- A single annual vulnerability scan performed manually
Correct answer: Automated, continuous vulnerability scanning of workloads and images integrated into operations and the deployment pipeline
Automated, continuous vulnerability scanning of running workloads and images, integrated into operations and the deployment pipeline, provides ongoing assurance as new resources spin up rapidly in the cloud. A single annual manual scan leaves long blind windows, firewalls do not detect or remediate vulnerabilities in the workloads themselves, and waiting for customer reports is reactive. Continuous scanning matches the dynamic pace of cloud deployment.
- A SaaS vendor's sales team tells a prospective enterprise customer that the company is GDPR compliant. The customer's privacy officer wants to understand what GDPR fundamentally regulates. Which statement best describes the General Data Protection Regulation?
- A U.S. federal law requiring breach notification for financial institutions only
- An EU regulation governing the protection of personal data and the privacy of individuals in the European Economic Area
- An international standard published by ISO for cloud security controls
- A payment-industry mandate for protecting cardholder account numbers
Correct answer: An EU regulation governing the protection of personal data and the privacy of individuals in the European Economic Area
The General Data Protection Regulation (GDPR) is a European Union regulation that governs the protection of personal data and the privacy of individuals within the European Economic Area, and it also applies to organizations outside the EU that process the personal data of EU data subjects. It is not a U.S. financial law, an ISO standard, or a payment-card mandate; PCI DSS handles cardholder data, and ISO 27017 is the cloud security standard.
- During vendor due diligence, a procurement team receives two audit options from a cloud provider: one report attests to the suitable design of controls at a single date, and another attests to both design and operating effectiveness across a stated window. Which describes the difference between a SOC 2 Type 1 and a SOC 2 Type 2 report?
- A Type 1 report covers a period of time while a Type 2 report covers a single point in time
- A Type 1 report covers a single point in time while a Type 2 report covers operating effectiveness over a period of time
- A Type 1 report addresses financial controls while a Type 2 report addresses privacy controls
- A Type 1 report is for internal use only while a Type 2 report is for general public distribution
Correct answer: A Type 1 report covers a single point in time while a Type 2 report covers operating effectiveness over a period of time
A SOC 2 Type 1 report evaluates whether controls are suitably designed at a single point in time, while a SOC 2 Type 2 report evaluates both the design and the operating effectiveness of those controls over a defined observation period (commonly three to twelve months). Because a Type 2 report demonstrates controls actually worked over time, enterprise buyers generally prefer it for ongoing assurance.
- A multinational retailer must decide where to host a customer database so that the data remains governed by its home country's laws. Which concept describes the principle that data is subject to the laws and legal jurisdiction of the nation in which it is physically located?
- Data sovereignty
- Data dispersion
- Data portability
- Data minimization
Correct answer: Data sovereignty
Data sovereignty is the principle that data is subject to the laws and governance structures of the country in which it is physically stored or processed. Organizations address it by controlling the geographic region where cloud workloads run; portability concerns moving data between providers, and minimization limits how much data is collected.
- A cloud customer is comparing three AICPA System and Organization Controls reports. One addresses controls relevant to financial reporting, one addresses operational trust service criteria in detail, and one is a short general-use summary. Which mapping of SOC 1, SOC 2, and SOC 3 is correct?
- SOC 1, SOC 2, and SOC 3 all cover financial reporting at increasing levels of detail
- SOC 1 is general-use, SOC 2 is for auditors only, SOC 3 covers PCI cardholder data
- SOC 1 covers financial reporting controls, SOC 2 covers trust service criteria with detailed results, SOC 3 is a general-use summary
- SOC 1 covers trust service criteria, SOC 2 covers financial reporting, SOC 3 is a detailed restricted report
Correct answer: SOC 1 covers financial reporting controls, SOC 2 covers trust service criteria with detailed results, SOC 3 is a general-use summary
A SOC 1 report addresses controls relevant to a customer's internal control over financial reporting, a SOC 2 report addresses the trust service criteria (security, availability, processing integrity, confidentiality, privacy) with detailed control descriptions and test results for restricted distribution, and a SOC 3 report is a short general-use summary suitable for public posting. None of them are interchangeable, and SOC 3 is the only one meant for unrestricted distribution.
- An organization wants assurance that its cloud provider follows recognized cloud-specific security guidance, including controls for shared roles and responsibilities, virtual machine hardening, and administrator operational security in cloud services. Which ISO/IEC standard most directly addresses these cloud security controls?
- ISO/IEC 27017
- ISO/IEC 27701
- ISO/IEC 22301
- ISO/IEC 27018
Correct answer: ISO/IEC 27017
ISO/IEC 27017 provides cloud-specific information security guidance, extending ISO/IEC 27002 with cloud controls and additional controls covering shared roles and responsibilities, virtual machine configuration and hardening, monitoring of cloud services, and segregation in virtual environments. ISO/IEC 27018 focuses on protecting personal data in the cloud, ISO/IEC 27701 extends to privacy management, and ISO/IEC 22301 covers business continuity.
- A privacy team is selecting a standard that gives a public cloud provider acting as a processor a code of practice for protecting personally identifiable information, including limits on using PII for advertising without consent and obligations around subprocessor disclosure. Which standard is purpose-built for this?
- PCI DSS
- ISO/IEC 27018
- ISO/IEC 27017
- ISO/IEC 17789
Correct answer: ISO/IEC 27018
ISO/IEC 27018 is the code of practice for protecting personally identifiable information (PII) in public clouds acting as PII processors, addressing consent, transparency, limits on using PII for marketing or advertising, and disclosure of subprocessors. ISO/IEC 27017 covers general cloud security, ISO/IEC 17789 is a reference architecture, and PCI DSS addresses cardholder data.
- A security officer is establishing a structured, repeatable process to categorize cloud systems, select and implement controls, assess them, authorize operation, and continuously monitor risk. Which framework provides this lifecycle approach for managing information security risk in cloud environments?
- The OWASP Top 10
- The CIS Critical Security Controls list
- The MITRE ATT&CK matrix
- The NIST Risk Management Framework (RMF)
Correct answer: The NIST Risk Management Framework (RMF)
The NIST Risk Management Framework (RMF), described in NIST SP 800-37 Rev. 2, provides a structured lifecycle of prepare, categorize, select, implement, assess, authorize, and monitor (seven steps in the current revision) for managing information security and privacy risk, and it applies to cloud systems through control selection from NIST SP 800-53. OWASP, MITRE ATT&CK, and the CIS Controls are valuable resources but are not a full risk management lifecycle framework.
- A company is onboarding a new cloud provider and must evaluate the provider's financial stability, security certifications, breach history, and ability to meet contractual obligations before signing, then reassess these periodically. Which discipline encompasses this ongoing activity?
- Change management
- Capacity management
- Configuration management
- Vendor (third-party) risk management
Correct answer: Vendor (third-party) risk management
Vendor risk management (also called third-party or supply-chain risk management) is the discipline of assessing and continuously monitoring the risks a provider introduces, including financial viability, security posture, certifications, breach history, and contractual reliability. It begins during due diligence and continues throughout the relationship, not just at onboarding.
- Before deploying a new cloud-based application that will collect and process customer health and location data, an organization must systematically evaluate how the processing affects individuals' privacy and identify mitigations. Which assessment is designed for this purpose?
- A penetration test
- A business impact analysis (BIA)
- A service organization control audit
- A privacy impact assessment (PIA)
Correct answer: A privacy impact assessment (PIA)
A privacy impact assessment (PIA) is a process that identifies and evaluates the privacy risks of a new system, product, or process that handles personal data, and recommends mitigations before and during deployment. A business impact analysis evaluates the operational effect of disruptions, while a penetration test assesses technical vulnerabilities, not privacy impact.
- A cloud customer is negotiating a contract and wants documented, measurable commitments for uptime, support response times, and remedies such as service credits if targets are missed. Which contractual instrument captures these commitments?
- A non-disclosure agreement (NDA)
- A service level agreement (SLA)
- A statement of work (SOW)
- A data processing addendum (DPA)
Correct answer: A service level agreement (SLA)
A service level agreement (SLA) defines the measurable service commitments between a cloud provider and customer, such as availability or uptime percentages, performance targets, support response times, and the remedies (for example service credits) when targets are not met. An NDA protects confidentiality, an SOW defines deliverables, and a DPA addresses personal-data processing terms.
- A company facing litigation must identify, preserve, and produce relevant electronically stored information that resides in a multi-tenant SaaS environment. Which factor most complicates eDiscovery in the cloud compared with on-premises systems?
- Electronically stored information cannot be produced from cloud systems
- Data may be commingled across tenants and stored in multiple jurisdictions controlled by the provider
- Providers are legally required to perform all collection on the customer's behalf
- Cloud data is never subject to litigation holds
Correct answer: Data may be commingled across tenants and stored in multiple jurisdictions controlled by the provider
eDiscovery in the cloud is complicated because relevant electronically stored information may be commingled with other tenants' data and physically located across multiple jurisdictions under the provider's control, making identification, preservation, and collection harder. Cloud data is still subject to litigation holds and can be produced; the difficulty is access, custody, and jurisdiction, which should be addressed in the contract.
- Under GDPR, a cloud provider stores and processes personal data strictly according to its customer's documented instructions and does not decide why the data is processed. In this arrangement, the cloud provider acts as which party?
- Data subject
- Data processor
- Data controller
- Supervisory authority
Correct answer: Data processor
A cloud provider that processes personal data only on the documented instructions of its customer, without determining the purposes of processing, is a data processor under GDPR. The customer that decides the purposes and means is the controller, the individual whose data is processed is the data subject, and the supervisory authority is the regulator enforcing the law.
- A controller subject to GDPR experiences a breach of personal data hosted at its cloud processor. The processor discovers the breach. What does GDPR require regarding notifying the supervisory authority?
- Only the cloud provider is ever obligated to notify regulators
- Notification is optional unless financial data was involved
- The controller must notify the supervisory authority without undue delay and where feasible within 72 hours of becoming aware
- The processor must notify the supervisory authority within 24 hours
Correct answer: The controller must notify the supervisory authority without undue delay and where feasible within 72 hours of becoming aware
Under GDPR, the controller must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in risk to individuals. The processor must notify the controller without undue delay so the controller can meet its obligation; the duty to the regulator rests with the controller.
- An organization is performing a quantitative risk analysis on a cloud database. The asset is valued at $500,000, a successful ransomware event is estimated to destroy 40% of its value, and such an event is expected roughly twice per year. Which figure represents the annualized loss expectancy (ALE)?
- $500,000
- $100,000
- $200,000
- $400,000
Correct answer: $400,000
The annualized loss expectancy is $400,000, calculated as single loss expectancy (asset value $500,000 multiplied by the 40% exposure factor = $200,000) times the annualized rate of occurrence of 2, which equals $400,000. ALE quantifies the expected yearly monetary loss from a risk and informs how much an organization should reasonably spend on controls.
- A cloud customer wants to use a publicly available, standardized registry where providers self-attest to their security controls (often based on the Cloud Controls Matrix) and may also obtain third-party certification. Which CSA program provides this?
- FedRAMP Marketplace
- CSA STAR (Security, Trust, Assurance and Risk)
- PCI DSS Attestation of Compliance
- ISO 27001 Statement of Applicability
Correct answer: CSA STAR (Security, Trust, Assurance and Risk)
The CSA Security, Trust, Assurance and Risk (STAR) program is a publicly accessible registry where cloud providers document their security and privacy controls, typically aligned to the Cloud Controls Matrix, through self-assessment or third-party certification/attestation. Customers use it during due diligence; FedRAMP is the U.S. government authorization program and is not the CSA registry.
- During contract negotiation a customer insists on a clause that lets it retrieve its data in a usable format and requires the provider to securely delete all copies when the agreement ends. Which contractual element addresses this?
- The intellectual property assignment clause
- The acceptable use policy
- The data retention, return, and destruction (exit) provisions
- The limitation of liability clause
Correct answer: The data retention, return, and destruction (exit) provisions
Data retention, return, and destruction provisions (sometimes called exit or termination clauses) define how a customer retrieves its data in a usable form and how the provider securely destroys remaining copies, including the timeframe and verification, when the contract ends. These provisions mitigate vendor lock-in and data remanence risk at offboarding.
- A U.S. federal agency can only adopt a cloud service that has undergone a standardized security assessment, authorization, and continuous monitoring process recognized government-wide. Which program provides this for federal cloud usage?
- FedRAMP
- GDPR
- HITRUST CSF
- SOC 1
Correct answer: FedRAMP
FedRAMP (the Federal Risk and Authorization Management Program) standardizes the security assessment, authorization, and continuous monitoring of cloud products and services for U.S. federal agencies, allowing a 'do once, use many times' authorization. HITRUST is a healthcare-oriented framework, GDPR is an EU privacy regulation, and SOC 1 addresses financial-reporting controls.
- A risk committee decides that the cost of fully mitigating a particular cloud risk exceeds the potential loss, so it formally documents and consciously chooses to take no further action while monitoring the risk. Which risk treatment option is this?
- Risk acceptance
- Risk transference
- Risk mitigation
- Risk avoidance
Correct answer: Risk acceptance
Formally and consciously choosing to take no additional action against a risk, while documenting and monitoring it, is risk acceptance, often used when remediation cost exceeds the expected loss and the residual risk is within tolerance. Avoidance eliminates the activity causing the risk, transference shifts financial impact (for example via insurance), and mitigation reduces the risk through controls.
- An auditor compares a cloud provider's implemented controls against the requirements of a target framework such as ISO/IEC 27001 to identify which requirements are not yet met. What is this activity called?
- A gap analysis
- A disaster recovery test
- A business impact analysis
- A penetration test
Correct answer: A gap analysis
A gap analysis compares the current state of implemented controls against the requirements of a target framework or standard to identify the gaps that must be remediated to achieve compliance. A penetration test probes for exploitable vulnerabilities, while a business impact analysis evaluates the consequences of disruptions, neither of which is a control-to-requirement comparison.
- A healthcare organization operating across the United States, the EU, and Asia must reconcile overlapping and sometimes conflicting laws governing the same personal data in a single multi-cloud deployment. Which governance challenge does this situation primarily illustrate?
- Lack of encryption at rest
- Vendor lock-in
- Insufficient network bandwidth
- Conflicting international legislation and jurisdictional complexity
Correct answer: Conflicting international legislation and jurisdictional complexity
This scenario illustrates the challenge of conflicting international legislation and jurisdictional complexity, where the same personal data may be simultaneously subject to multiple, sometimes contradictory legal regimes (for example GDPR alongside U.S. and Asian laws) across a multi-cloud footprint. Organizations manage it through data localization choices, contractual safeguards, and mapping data flows to applicable laws, which is distinct from lock-in or technical control gaps.