© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Objective 1.0

Security Architecture

CAS-004 Practice Questions

Use this page to practise secure architecture questions. The most common mistake is confusing the responsibility boundary — know which security controls AWS manages and which are your responsibility.


What this objective tests

CAS-004 Security Architecture — Key Topics

Secure architecture questions test IAM policies, VPC security controls, encryption at rest and in transit, and the right AWS security service for a given threat.

  • IAM policies: identity-based, resource-based, permission boundaries.
  • VPC security: security groups vs NACLs, route tables, VPC endpoints.
  • Encryption: KMS, SSE-S3, SSE-KMS, client-side encryption.
  • AWS security services: GuardDuty, Inspector, Macie, Shield, WAF.

Common exam traps

Where candidates lose marks on Security Architecture

  • ⚠ Security groups are stateful; NACLs are stateless.
  • ⚠ KMS manages keys; it does not encrypt data directly.
  • ⚠ GuardDuty detects threats; Inspector assesses vulnerabilities; Macie finds sensitive data.
  • ⚠ A VPC endpoint keeps traffic off the public internet; it does not encrypt traffic.

CAS-004 Security Architecture — Practice Questions

30 questions from this objective

Question 2 · medium · multiple choice

A security architect is designing a new DMZ for an e-commerce platform. The DMZ must host a web server, an API gateway, and a database server. The architect needs to minimize the attack surface while ensuring the web server can communicate with the API gateway, and the API gateway can communicate with the database. Which network segmentation approach best meets these requirements?

Question 3 · hard · multiple choice

An organization is implementing a zero trust architecture (ZTA). The security architect proposes using a software-defined perimeter (SDP) to replace the traditional VPN for remote access. Which of the following best describes the primary security benefit of SDP over VPN in a zero trust model?

Question 4 · easy · multiple choice

A security architect is evaluating cloud security architectures. The company requires that all data at rest in a public cloud object storage bucket be encrypted with a key that is managed by the company's own hardware security module (HSM) on-premises. Which encryption approach should the architect recommend?

Question 5 · medium · multiple choice

A security architect is designing a secure remote access solution for a global workforce. The company requires that all remote connections be authenticated using certificates issued by the company's internal PKI, and that the connection be encrypted and integrity-protected. Additionally, the solution must support IP-based network access control to restrict access to specific internal subnets based on the user's role. Which of the following should the architect recommend?

Question 6 · hard · multiple choice

A security architect is reviewing the network architecture of a financial trading system. The system uses a time-sensitive order matching engine that must process trades with minimal latency. The architect is concerned about the risk of a DDoS attack on the matching engine. Which of the following architectural changes would best mitigate DDoS risk while preserving low latency?

Question 7 · medium · multi select

A security architect is designing a hybrid cloud environment where a web application hosted in AWS needs to securely access an on-premises database. The architect wants to minimize exposure to the internet and ensure encryption in transit. Which TWO techniques should the architect consider? (Choose two.)

Question 8 · hard · multi select

A security architect is planning the migration of a legacy application to a containerized microservices architecture on Kubernetes. The architect must ensure that the architecture supports secrets management, service-to-service authentication, and encryption of data in transit between microservices. Which THREE components should the architect include in the design? (Choose three.)

Question 9 · medium · multiple choice

A security architect is designing a zero-trust network architecture for a hybrid cloud environment. The company uses on-premises servers and AWS. Which of the following best implements the principle of least privilege for inter-component communication?

Question 10 · hard · multiple choice

A company is migrating from a legacy three-tier architecture to a microservices architecture on Kubernetes. The security team wants to ensure that service-to-service communication is encrypted and mutually authenticated. Which approach best meets these requirements with minimal operational overhead?

Question 11 · easy · multiple choice

A security administrator needs to secure remote access for employees using personal devices. The company requires that company data be encrypted and that the device be wiped if lost. Which solution best meets these requirements?

Question 12 · medium · multiple choice

A company is designing a secure web application that processes credit card payments. The architect needs to ensure that the application is resilient against SQL injection attacks. Which of the following is the most effective defense?

Question 13 · hard · multiple choice

A large enterprise is designing a disaster recovery site that must support rapid failover with minimal data loss. The disaster recovery site is 50 miles from the primary data center. The RPO is 1 minute, and the RTO is 15 minutes. Which replication strategy best meets these requirements?

Question 14 · easy · multi select

Which TWO of the following are essential characteristics of a hardware security module (HSM)? (Select TWO.)

Question 15 · hard · multi select

A security architect is evaluating a new cloud-based application that will process sensitive customer data. The architect must ensure compliance with GDPR and PCI DSS. Which THREE of the following controls should be implemented? (Select THREE.)

Question 16 · medium · multiple choice

A security architect is designing a segmentation strategy for a multi-tier web application. The public-facing web servers must communicate only with application servers, and application servers must communicate only with database servers. The architect wants to use a firewall that can inspect application-layer traffic to prevent SQL injection attacks. Which firewall type should be deployed between the application tier and the database tier?

Question 17 · hard · multiple choice

A security architect is evaluating a new cloud SaaS application that will handle sensitive customer data. The SaaS provider offers a shared responsibility model where the customer is responsible for data classification, access management, and encryption of data at rest using customer-managed keys. The architect must ensure that the organization retains the ability to revoke access to the data if the provider is compromised. Which key management strategy best meets this requirement?

Question 18 · easy · multiple choice

An organization is deploying a new wireless network for employees and guests. The security policy requires that all wireless traffic be encrypted using AES-CCMP, and that clients must authenticate using 802.1X with EAP-TLS. Which of the following wireless security standards should be implemented?

Question 19 · hard · multi select

A security architect is reviewing the network security controls for a critical industrial control system (ICS) environment. The architect must select the two controls that are most effective at preventing unauthorized access to the ICS network from the corporate IT network while still allowing necessary monitoring traffic. Which TWO controls should be implemented? (Choose two.)

Question 20 · medium · multi select

A network administrator is troubleshooting connectivity to a server at 192.168.1.100. The ACL shown is applied inbound on GigabitEthernet0/0. Which THREE statements are true regarding this ACL configuration? (Choose three.)

Exhibit

Refer to the exhibit.

```
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group ACL-IN in
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
!
access-list 100 deny tcp any host 192.168.1.100 eq 22
access-list 100 deny tcp any host 192.168.1.100 eq 3389
access-list 100 permit ip any any
```

Question 21 · hard · multiple choice

A large healthcare organization has implemented a zero-trust network architecture (ZTNA) to secure access to its electronic health record (EHR) system. The architecture uses a software-defined perimeter (SDP) where all users must authenticate and be authorized before accessing the EHR. The EHR system is hosted in a private cloud and communicates with a legacy billing system that cannot support modern authentication protocols. The billing system is accessed by a small number of finance employees via a dedicated VPN. Recently, an auditor discovered that a finance employee's credentials were compromised, and the attacker used the VPN to access the billing system and exfiltrate patient billing data. The security architect must prevent such lateral movement while maintaining access for legitimate users. Which of the following is the BEST course of action?

Question 22 · easy · multiple choice

A security architect is designing a network segmentation strategy for a multi-tier web application. The web servers must be accessible from the internet, while the application and database servers must only be accessible from the web tier. Which architecture best meets these requirements?

Question 23 · medium · multi select

A security engineer is reviewing the configuration of a web application firewall (WAF) that protects a critical e-commerce site. Which TWO settings should be enabled to defend against SQL injection attacks? (Select TWO.)

Question 24 · hard · multiple choice

A security analyst observes that SSH connections to the server are failing, but HTTP and HTTPS traffic works. Based on the exhibit, what is the most likely cause?

Exhibit: Network Topology

Refer to the exhibit.

```
0    0     ACCEPT  all  lo  *  0.0.0.0/0
100  540   DROP    tcp
50   3000  ACCEPT  tcp
20   1200  ACCEPT  tcp
```

Question 25 · medium · drag order

Drag and drop the steps to configure a RADIUS server for 802.1X authentication into the correct order.

Question 26 · medium · matching

Match each error code or HTTP status code to its meaning.

Concepts to match:

  • Forbidden
  • Not Found
  • Internal Server Error
  • Bad Gateway
  • Unauthorized

Question 27 · easy · multiple choice

A company is implementing a microservices architecture and needs to ensure secure service-to-service communication. Which of the following BEST describes the recommended approach?

Question 28 · medium · multiple choice

A security architect is designing a network segmentation strategy for a multi-tenant cloud environment. Which of the following is the MOST effective technique to isolate tenant workloads while maintaining manageability?

Question 29 · hard · multiple choice

An organization is migrating to a zero-trust architecture. Which of the following components is CRITICAL for enforcing policy decisions based on user identity, device health, and context?

Question 30 · easy · multiple choice

A company wants to protect sensitive data stored in a public cloud bucket. Which of the following is the MOST effective control to prevent accidental public exposure?

Question 31 · medium · multiple choice

A security architect is evaluating a hardware security module (HSM) for key management. Which of the following is a PRIMARY benefit of using an HSM over software-based key storage?

More Security Architecture questions available in the full practice test.
