
CAS-004 Security Architecture • Complete Question Bank

CAS-004 Security Architecture — All Questions With Answers

Complete CAS-004 Security Architecture question bank — all 0 questions with answers and detailed explanations.

76 questions · Free · No signup
Question 1 (medium, multiple choice)

A security architect is designing a new DMZ for an e-commerce platform. The DMZ must host a web server, an API gateway, and a database server. The architect needs to minimize the attack surface while ensuring the web server can communicate with the API gateway, and the API gateway can communicate with the database. Which network segmentation approach best meets these requirements?

Question 2 (hard, multiple choice)

An organization is implementing a zero trust architecture (ZTA). The security architect proposes using a software-defined perimeter (SDP) to replace the traditional VPN for remote access. Which of the following best describes the primary security benefit of SDP over VPN in a zero trust model?

Question 3 (easy, multiple choice)

A security architect is evaluating cloud security architectures. The company requires that all data at rest in a public cloud object storage bucket be encrypted with a key that is managed by the company's own hardware security module (HSM) on-premises. Which encryption approach should the architect recommend?

Question 4 (medium, multiple choice)

A security architect is designing a secure remote access solution for a global workforce. The company requires that all remote connections be authenticated using certificates issued by the company's internal PKI, and that the connection be encrypted and integrity-protected. Additionally, the solution must support IP-based network access control to restrict access to specific internal subnets based on the user's role. Which of the following should the architect recommend?

Question 5 (hard, multiple choice)

A security architect is reviewing the network architecture of a financial trading system. The system uses a time-sensitive order matching engine that must process trades with minimal latency. The architect is concerned about the risk of a DDoS attack on the matching engine. Which of the following architectural changes would best mitigate DDoS risk while preserving low latency?

Question 6 (medium, multi select)

A security architect is designing a hybrid cloud environment where a web application hosted in AWS needs to securely access an on-premises database. The architect wants to minimize exposure to the internet and ensure encryption in transit. Which TWO techniques should the architect consider? (Choose two.)

Question 7 (hard, multi select)

A security architect is planning the migration of a legacy application to a containerized microservices architecture on Kubernetes. The architect must ensure that the architecture supports secrets management, service-to-service authentication, and encryption of data in transit between microservices. Which THREE components should the architect include in the design? (Choose three.)

Question 8 (medium, multiple choice)

A security architect is designing a zero-trust network architecture for a hybrid cloud environment. The company uses on-premises servers and AWS. Which of the following best implements the principle of least privilege for inter-component communication?

Question 9 (hard, multiple choice)

A company is migrating from a legacy three-tier architecture to a microservices architecture on Kubernetes. The security team wants to ensure that service-to-service communication is encrypted and mutually authenticated. Which approach best meets these requirements with minimal operational overhead?

Question 10 (easy, multiple choice)

A security administrator needs to secure remote access for employees using personal devices. The company requires that company data be encrypted and that the device be wiped if lost. Which solution best meets these requirements?

Question 11 (medium, multiple choice)

A company is designing a secure web application that processes credit card payments. The architect needs to ensure that the application is resilient against SQL injection attacks. Which of the following is the most effective defense?

Question 12 (hard, multiple choice)

A large enterprise is designing a disaster recovery site that must support rapid failover with minimal data loss. The primary data center is 50 miles away. The RPO is 1 minute, and RTO is 15 minutes. Which replication strategy best meets these requirements?

Question 13 (easy, multi select)

Which TWO of the following are essential characteristics of a hardware security module (HSM)? (Select TWO.)

Question 14 (hard, multi select)

A security architect is evaluating a new cloud-based application that will process sensitive customer data. The architect must ensure compliance with GDPR and PCI DSS. Which THREE of the following controls should be implemented? (Select THREE.)

Question 15 (medium, multiple choice)

A security architect is designing a segmentation strategy for a multi-tier web application. The public-facing web servers must communicate only with application servers, and application servers must communicate only with database servers. The architect wants to use a firewall that can inspect application-layer traffic to prevent SQL injection attacks. Which firewall type should be deployed between the application tier and the database tier?

Question 16 (hard, multiple choice)

A security architect is evaluating a new cloud SaaS application that will handle sensitive customer data. The SaaS provider offers a shared responsibility model where the customer is responsible for data classification, access management, and encryption of data at rest using customer-managed keys. The architect must ensure that the organization retains the ability to revoke access to the data if the provider is compromised. Which key management strategy best meets this requirement?

Question 17 (easy, multiple choice)

An organization is deploying a new wireless network for employees and guests. The security policy requires that all wireless traffic be encrypted using AES-CCMP, and that clients must authenticate using 802.1X with EAP-TLS. Which of the following wireless security standards should be implemented?

Question 18 (hard, multi select)

A security architect is reviewing the network security controls for a critical industrial control system (ICS) environment. The architect must select two controls that are most effective at preventing unauthorized access to the ICS network from the corporate IT network, while still allowing necessary monitoring traffic. Which TWO controls should be implemented? (Choose two.)

Question 19 (medium, multi select)

A network administrator is troubleshooting connectivity to a server at 192.168.1.100. The ACL shown is applied inbound on GigabitEthernet0/0. Which THREE statements are true regarding this ACL configuration? (Choose three.)

Exhibit

Refer to the exhibit.

```
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group ACL-IN in
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
!
access-list 100 deny tcp any host 192.168.1.100 eq 22
access-list 100 deny tcp any host 192.168.1.100 eq 3389
access-list 100 permit ip any any
```

Question 20 (hard, multiple choice)

A large healthcare organization has implemented a zero-trust network architecture (ZTNA) to secure access to its electronic health record (EHR) system. The architecture uses a software-defined perimeter (SDP) where all users must authenticate and be authorized before accessing the EHR. The EHR system is hosted in a private cloud and communicates with a legacy billing system that cannot support modern authentication protocols. The billing system is accessed by a small number of finance employees via a dedicated VPN. Recently, an auditor discovered that a finance employee's credentials were compromised, and the attacker used the VPN to access the billing system and exfiltrate patient billing data. The security architect must prevent such lateral movement while maintaining access for legitimate users. Which of the following is the BEST course of action?

Question 21 (easy, multiple choice)

A security architect is designing a network segmentation strategy for a multi-tier web application. The web servers must be accessible from the internet, while the application and database servers must only be accessible from the web tier. Which architecture best meets these requirements?

Question 22 (medium, multi select)

A security engineer is reviewing the configuration of a web application firewall (WAF) that protects a critical e-commerce site. Which TWO settings should be enabled to defend against SQL injection attacks? (Select TWO.)

Question 23 (hard, multiple choice)

A security analyst observes that SSH connections to the server are failing, but HTTP and HTTPS traffic works. Based on the exhibit, what is the most likely cause?

Exhibit: Network Topology

Refer to the exhibit (iptables INPUT chain listing; only the columns shown below survived extraction, the port columns are missing).

```
pkts bytes target prot in  out source
   0     0 ACCEPT all  lo  *   0.0.0.0/0
 100   540 DROP   tcp
  50  3000 ACCEPT tcp
  20  1200 ACCEPT tcp
```

Question 24 (medium, drag order)

Drag and drop the steps to configure a RADIUS server for 802.1X authentication into the correct order.

Question 25 (medium, matching)

Match each error code or HTTP status code to its meaning.

Concepts: Forbidden, Not Found, Internal Server Error, Bad Gateway, Unauthorized

Question 26 (easy, multiple choice)

A company is implementing a microservices architecture and needs to ensure secure service-to-service communication. Which of the following BEST describes the recommended approach?

Question 27 (medium, multiple choice)

A security architect is designing a network segmentation strategy for a multi-tenant cloud environment. Which of the following is the MOST effective technique to isolate tenant workloads while maintaining manageability?

Question 28 (hard, multiple choice)

An organization is migrating to a zero-trust architecture. Which of the following components is CRITICAL for enforcing policy decisions based on user identity, device health, and context?

Question 29 (easy, multiple choice)

A company wants to protect sensitive data stored in a public cloud bucket. Which of the following is the MOST effective control to prevent accidental public exposure?

Question 30 (medium, multiple choice)

A security architect is evaluating a hardware security module (HSM) for key management. Which of the following is a PRIMARY benefit of using an HSM over software-based key storage?

Question 31 (hard, multiple choice)

An organization is implementing a secure software development lifecycle. Which of the following practices BEST ensures that security requirements are addressed early in the development process?

Question 32 (easy, multiple choice)

A network architect is designing a DMZ for a web application. Which of the following is the MOST appropriate placement for a reverse proxy?

Question 33 (medium, multiple choice)

A company is adopting a DevOps model and wants to integrate security into CI/CD pipelines. Which of the following is the MOST effective approach?

Question 34 (hard, multiple choice)

An architect is designing a multi-factor authentication (MFA) solution for remote access. Which of the following is the STRONGEST form of second factor?

Question 35 (medium, multi select)

A security architect is designing a cloud-native application that must comply with GDPR data residency requirements. Which TWO of the following measures should the architect implement? (Choose two.)

Question 36 (easy, multi select)

A security architect is reviewing firewall rules for a new application tier. Which TWO of the following principles should be applied when designing the firewall policy? (Choose two.)

Question 37 (hard, multi select)

A security architect is evaluating a new SIEM solution for a large enterprise. Which THREE of the following capabilities are CRITICAL for effective threat detection and response? (Choose three.)

Question 38 (medium, multiple choice)

Refer to the exhibit. A security analyst notices that traffic from external clients to the web server at 10.0.0.10 port 80 is being blocked. Which of the following is the MOST likely cause?

Exhibit

```
access-list 100 deny ip any any
access-list 100 permit tcp any host 10.0.0.10 eq 80
```

Question 39 (easy, multiple choice)

Refer to the exhibit. A security architect is reviewing this S3 bucket policy. Which of the following security concerns is MOST evident?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucket/*"
    }
  ]
}
```

Question 40 (hard, multiple choice)

Refer to the exhibit. A web server is unable to connect to a local database socket. Which of the following actions would MOST likely resolve this issue?

Exhibit

```
type=AVC msg=audit(1234567890.123:456): avc:  denied  { connectto } for  pid=1234 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
```

Question 41 (medium, multiple choice)

A financial services company is implementing a zero-trust architecture. The security architect needs to ensure that all network traffic between application tiers is inspected and logged regardless of source location. Which of the following should be implemented?

Question 42 (easy, multiple choice)

A small business is designing a defense-in-depth strategy for its e-commerce website. The web server is hosted in a cloud provider and handles credit card transactions. Which of the following additional controls best complements the existing firewall and IDS?

Question 43 (hard, multiple choice)

An organization plans to establish a cross-forest trust between two Active Directory forests to enable resource access. The security architect is concerned about the risk of privilege escalation from a compromised domain in one forest. Which design choice best mitigates this risk?

Question 44 (medium, multiple choice)

A company is migrating its on-premises ERP system to a public cloud IaaS environment. The ERP system contains sensitive financial data. Which of the following architectural changes best maintains data security during and after migration?

Question 45 (easy, multiple choice)

A security architect is designing a secure remote access solution for employees using personal devices (BYOD). The company requires that corporate data is separated from personal data and can be wiped remotely without affecting personal data. Which solution best meets these requirements?

Question 46 (medium, multiple choice)

An enterprise is adopting a DevOps model and wants to integrate security into the CI/CD pipeline. The security architect recommends adding automated security testing. Which phase of the pipeline should static application security testing (SAST) be introduced to minimize rework?

Question 47 (hard, multiple choice)

A company is designing a hybrid cloud architecture with AWS and an on-premises data center. They need to ensure that all data transmitted between environments is encrypted and that the connection is resilient. Which design should the architect choose?

Question 48 (medium, multiple choice)

A security architect is reviewing the network segmentation of a healthcare organization that must comply with HIPAA. The current flat network allows all devices to communicate. Which segmentation approach provides the best balance of security and manageability?

Question 49 (hard, multiple choice)

An organization uses a multi-cloud strategy with workloads in AWS and Azure. The security architect needs to implement a single identity provider for all cloud resources while maintaining on-premises Active Directory as the authoritative source. Which architecture minimizes latency and complexity?

Question 50 (medium, multi select)

A security architect is designing a secure wireless network for a government facility. Which TWO of the following measures should be implemented to ensure the highest level of security? (Select TWO.)

Question 51 (hard, multi select)

A company is implementing a hardware security module (HSM) to protect cryptographic keys. The security architect must ensure the solution meets FIPS 140-2 Level 3 requirements. Which TWO of the following features are required for Level 3?

Question 52 (easy, multi select)

A security architect is designing a secure remote access solution for contractors who need temporary access to a few internal applications. Which THREE of the following are best practices for controlling contractor access? (Select THREE.)

Question 53 (medium, multiple choice)

A security architect reviews the iptables firewall rules above. A new web server with IP 192.168.1.100 must be reachable from the internet on ports 80 and 443. Which of the following changes is necessary to allow inbound HTTPS while maintaining security?

Exhibit

Refer to the exhibit.

```
$ iptables -L -n -v --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3        0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:443
4        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP)
Chain OUTPUT (policy ACCEPT)
```

Question 54 (hard, multiple choice)

A security architect finds this IAM policy attached to an S3 bucket. Which of the following best describes a critical security flaw in this policy?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "123456789012"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-sensitive-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
```

Question 55 (easy, multiple choice)

A security architect reviews this Cisco router ACL configuration. The web server at 192.168.1.100 is accessible from the internet. What additional security measure should be implemented to protect the internal network (10.0.0.0/24)?

Exhibit

Refer to the exhibit.

```
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group OUTSIDE_IN in
!
ip access-list extended OUTSIDE_IN
 permit tcp any host 192.168.1.100 eq 80
 permit tcp any host 192.168.1.100 eq 443
 deny   ip any any log
! 
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip access-group INSIDE_OUT out
!
ip access-list extended INSIDE_OUT
 permit ip 10.0.0.0 0.0.0.255 any
 deny   ip any any log
```

Question 56 (easy, multiple choice)

A company is designing a new multi-tier web application. The security team recommends placing a web application firewall (WAF) in front of the web servers and a network firewall between the web and application tiers. Which security architecture principle does this represent?

Question 57 (medium, multiple choice)

An incident responder notices that a compromised host is sending encrypted C2 traffic over TCP port 443. The existing firewall rule allows outbound HTTPS (443) to any destination. Which change to the security architecture would best detect this behavior while minimizing impact on legitimate traffic?

Question 58 (hard, multiple choice)

A security architect at a financial institution is designing a cloud-native application using AWS. The application processes sensitive customer data and must comply with PCI DSS. Which of the following security architecture decisions best supports both compliance and operational efficiency?

Question 59 (easy, multiple choice)

During a security assessment, it is discovered that an organization's DMZ hosts can initiate outbound connections to the internal network. Which architectural change would best mitigate the risk of a DMZ compromise spreading to the internal network?

Question 60 (medium, multiple choice)

A company is implementing a zero-trust network architecture. Which of the following components is essential for enforcing micro-segmentation?

Question 61 (hard, multiple choice)

An organization's containerized application is deployed on Kubernetes. The security team wants to enforce that containers run with the least privilege and cannot access the host file system. Which Kubernetes security mechanism should be configured?

Question 62 (easy, multiple choice)

A security architect is evaluating a new identity management solution. The requirement is to allow users to authenticate using their existing social media accounts while maintaining corporate control over access policies. Which architecture best meets this requirement?

Question 63 (medium, multiple choice)

During a merger, two companies need to integrate their networks securely. Company A uses RFC 1918 addresses (10.0.0.0/8) and Company B also uses 10.0.0.0/8. Which architectural solution prevents routing conflicts and maintains security?

Question 64 (hard, multiple choice)

A company wants to protect its intellectual property stored on a file server. The security architect proposes implementing rights management services (RMS) integrated with Active Directory. Which attack is this architecture primarily designed to mitigate?

Question 65 (medium, multi select)

A security architect is designing a secure enclave for processing classified data. Which TWO of the following controls are essential for ensuring data confidentiality in such an enclave? (Select TWO.)

Question 66 (hard, multi select)

When evaluating the security architecture of a containerized application, which THREE of the following practices should be implemented to minimize the attack surface? (Select THREE.)

Question 67 (easy, multi select)

A company is implementing a software-defined perimeter (SDP) architecture. Which TWO of the following are key characteristics of SDP? (Select TWO.)

Question 68 (hard, multiple choice)

An organization has recently migrated its on-premises data center to a public cloud. The security team notices that several virtual machines (VMs) in the same subnet are communicating with each other without any restrictions. The company policy requires that only specific application traffic (e.g., database queries from web servers) be allowed between VMs, and all other inter-VM traffic must be blocked to comply with a zero-trust model. The cloud provider offers native security group and network ACL features. The architect must design a solution that enforces the policy with minimal administrative overhead and supports future expansion.

Which of the following is the BEST course of action?

Question 69 (medium, multiple choice)

A multinational corporation is deploying a new application that will be accessed by employees, partners, and customers. The security architecture must support single sign-on (SSO) across different identity providers (IdPs) while maintaining strict access control based on user attributes such as role, location, and device posture. The company uses Active Directory for employees, a cloud IdP for partners, and self-registration for customers. The architect needs to design a centralized policy enforcement point that can evaluate access requests from multiple IdPs and enforce dynamic access policies before granting access to the application.

Which of the following is the BEST architectural approach?

Question 70 (medium, multi select)

A security architect is designing a network segmentation strategy for a data center to reduce the attack surface. Which TWO of the following are best practices for implementing effective network segmentation?

Question 71 (easy, multiple choice)

A company is deploying a new cloud-based application that processes sensitive customer data. The security architect has proposed a zero-trust architecture to secure remote access. The architecture includes identity-aware proxies, microsegmentation, and continuous monitoring. During the transition, several remote users report being unable to access the application. The security architect verifies that the identity-aware proxy is correctly configured and that users are authenticated via SSO. However, access attempts are still failing. The architect suspects that the issue may be related to the microsegmentation rules. What should the security architect do FIRST to resolve the problem?

Question 72 (medium, multiple choice)

A security architect is reviewing the architecture of a critical web application that handles sensitive financial transactions. The application is deployed across three tiers: a web server, an application server, and a database server. The application is protected by a web application firewall (WAF) and a network-based intrusion detection system (IDS). Recent penetration testing identified a SQL injection vulnerability in the application's search feature. The architect needs to propose a remediation that minimizes performance impact and maintains defense in depth. The development team is slow to fix code due to legacy dependencies. What should the security architect recommend as the MOST effective immediate control?

Question 73 (hard, multiple choice)

A SOC analyst discovers unusual outbound traffic from a host in the production DMZ to an unknown IP address on the internet. The traffic consists of encrypted connections (HTTPS) to a domain that was registered three days ago. The host is a web server that has been fully patched and is configured with a default deny egress firewall policy, but this particular traffic is being allowed because a recently added rule permits outbound HTTPS to any destination for a specific application's updates. The security architect is called in to investigate and must determine the best course of action to identify the scope of the potential compromise and prevent further data exfiltration. The architect has access to network flow data, endpoint detection and response (EDR) telemetry, and firewall logs. What should the security architect do FIRST?

Question 74 (easy, multi select)

A security architect is designing a zero-trust network architecture for a hybrid cloud environment. Which TWO principles should be implemented to enforce the "never trust, always verify" model?

Question 75 (medium, multiple choice)

Refer to the exhibit. A security analyst notices that users from the internet can reach the web server at 10.0.1.100 on port 443, but they cannot reach it on port 8443. What is the most likely cause?

Exhibit

```
access-list extended OUTSIDE-IN
 permit tcp any host 10.0.1.100 eq 443
 permit tcp any host 10.0.1.100 eq 8443
 deny ip any any
```

Question 76 (hard, multiple choice)

A large enterprise is migrating its critical financial applications to a public cloud provider. The security architecture team has designed a multi-region deployment to ensure availability and disaster recovery. The applications use TLS for data in transit and rely on a key management service (KMS) for encryption keys. During a penetration test, it was discovered that the KMS master keys are stored in a single region, creating a single point of failure. Additionally, the load balancer configuration exposes internal application health check ports to the internet. The security architect must remediate these issues while minimizing latency and cost. Which of the following is the BEST course of action?
