Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Cloud Security

Practice 350-701 Cloud Security questions with full explanations on every answer.

85 questions

All 350-701 Cloud Security questions (85)

1. A company is moving its on-premises applications to AWS EC2 instances. According to the shared responsibility model, which of the following is the customer's responsibility?
2. An organization uses multiple SaaS applications and wants to enforce data loss prevention (DLP) policies to prevent sensitive data from being shared externally. Which cloud security solution should be deployed?
3. A security engineer is configuring Cisco Umbrella to enforce web security for remote users. The requirement is to block threats by intercepting DNS requests and only perform SSL decryption on specific high-risk categories. Which Umbrella feature should be used for selective SSL inspection?
4. A company is deploying a multi-tier application in AWS. The web servers must be accessible from the internet, but the database servers should only be reachable from the web servers. Which AWS security controls should be used to enforce this?
5. An organization wants to implement zero trust principles for cloud access. Which of the following is a key component of a zero trust architecture in the cloud?
6. A DevOps team is integrating security into their CI/CD pipeline. They want to automatically scan Terraform scripts for misconfigurations before deployment. Which tool is specifically designed for this purpose?
7. A company uses Azure AD Conditional Access policies to enforce security for cloud applications. They need to require MFA for all external users accessing a sensitive SaaS app, but only when the access is from an untrusted network. Which condition should be configured in the policy?
8. An organization wants to connect its on-premises data center to a GCP VPC privately, avoiding the public internet. Which GCP service provides a dedicated, private connection?
9. Which of the following is the primary function of a Cloud Security Posture Management (CSPM) tool?
10. A company uses Cisco Umbrella to provide DNS-layer security. An employee tries to visit a website that is hosting malware, but the domain is not yet categorized. How does Umbrella handle this request?
11. An organization is deploying containerized applications in a Kubernetes cluster on AWS EKS. They need to ensure that container images are scanned for vulnerabilities before deployment. Which approach aligns with DevSecOps best practices?
12. A security team is implementing AWS WAF to protect a web application. They want to block requests that contain SQL injection patterns in the query string. Which AWS WAF component should be used?
13. In the shared responsibility model for PaaS, which of the following is typically the customer's responsibility?
14. A company uses Azure NSGs to filter network traffic to VMs. They want to allow RDP access (port 3389) only from the company's public IP range. Which type of NSG rule should be created?
15. A DevSecOps team is implementing secrets management for a cloud-native application. They want to avoid storing secrets in environment variables or code. Which solution should they use?
16. A security administrator is evaluating Cisco Umbrella for cloud-delivered security. Which TWO capabilities are provided by the Secure Internet Gateway (SIG) feature? (Choose two.)
17. An organization is adopting zero trust principles for cloud access. Which THREE measures are essential for implementing identity-centric security? (Choose three.)
18. A company is using Azure and wants to enforce security compliance across their cloud resources. Which TWO services are part of CSPM (Cloud Security Posture Management) in Azure? (Choose two.)
19. In the shared responsibility model for cloud services, which layer is the customer responsible for managing in an IaaS environment?
20. A security team wants to gain visibility into Shadow IT usage of SaaS applications and enforce data loss prevention policies. Which cloud security solution should they deploy?
21. An organization uses Cisco Umbrella to block malicious domains. Which layer does Umbrella primarily operate at to prevent connections before they are established?
22. A company uses AWS and wants to ensure that no EC2 instance has a public IP address attached to a security group that allows inbound SSH from 0.0.0.0/0. Which service can continuously monitor and alert on such misconfigurations?
23. An organization wants to enforce MFA for all administrative access to their Azure environment and also require that access from non-compliant devices be blocked. Which Azure feature should they use?
24. A DevSecOps team is integrating security into their CI/CD pipeline. They want to scan Terraform configuration files for misconfigurations before deployment. Which tool is specifically designed for that purpose?
25. A company uses Google Cloud and needs to securely connect their on-premises data center to a VPC without traversing the public internet. Which solution should they use?
26. In the shared responsibility model for PaaS, which of the following is the customer responsible for?
27. An organization uses Cisco Umbrella's Secure Internet Gateway (SIG). Which two capabilities are typically included in a SIG solution?
28. A cloud security architect is designing zero trust for a multi-cloud environment. Which principle is most critical?
29. A security team wants to inspect SSL-encrypted traffic from users accessing SaaS applications through Cisco Umbrella. Which feature should they enable?
30. Which cloud security control is specifically designed to protect workloads such as VMs and containers from threats?
31. A company uses Azure and wants to restrict network traffic between subnets. Which Azure resource should they use?
32. In a DevSecOps pipeline, a team wants to prevent secrets (e.g., API keys) from being stored in source code. Which approach is most effective?
33. An organization wants to protect their web application hosted on AWS from common exploits like SQL injection. Which AWS service should they use?
34. In the shared responsibility model for cloud security, which responsibility is the customer's in an IaaS deployment?
35. A security team wants to gain visibility into shadow IT usage of SaaS applications and enforce DLP policies for data shared via cloud apps. Which cloud security solution should they deploy?
36. An organization uses Cisco Umbrella to block malicious domains. The security team notices that some malware traffic bypasses DNS-layer blocking because the malware uses hardcoded IP addresses. Which Umbrella feature should be enabled to additionally inspect traffic at the IP layer?
37. A company is deploying a multi-tier application on AWS. The web servers must be accessible from the internet only on ports 80 and 443, while the database servers should be accessible only from the web servers on port 3306. Which combination of cloud network security controls should be used?
38. A DevOps team is building a CI/CD pipeline for a cloud-native application. They want to automatically check Terraform scripts for insecure configurations before deployment. Which tool should be integrated into the pipeline?
39. An organization is adopting a zero-trust model for cloud access. Which component enforces conditional access policies based on user, device, location, and risk level in Azure AD?
40. In the shared responsibility model, which is the customer's responsibility in a SaaS model?
41. A company uses Azure NSGs to control traffic between subnets. They need to allow traffic from the frontend subnet to the backend subnet only on TCP 443. Which configuration correctly achieves this?
42. Which Cisco Umbrella feature provides off-network protection by intercepting DNS requests on a user's device?
43. A security engineer is configuring Cisco Umbrella to block HTTPS traffic to malicious sites. However, they want to inspect SSL-encrypted traffic selectively to avoid breaking applications. Which Umbrella feature should they use?
44. An organization uses AWS WAF to protect its web application. They need to block requests from a specific geographic region. What should they configure?
45. A company is moving workloads to Google Cloud and needs private connectivity between its on-premises data center and VPC without traversing the internet. Which service should be used?
46. A security team is implementing DevSecOps practices. Which TWO actions should be taken to secure secrets (e.g., API keys, passwords) in a CI/CD pipeline? (Choose two.)
47. A company is adopting a zero-trust security model for its cloud environment. Which THREE practices align with zero-trust principles? (Choose three.)
48. A security engineer is designing cloud workload protection (CWPP) for a hybrid environment with VMs and containers. Which TWO capabilities should a CWPP solution provide? (Choose two.)
49. In the shared responsibility model for cloud computing, which responsibility is managed by the customer in all service models (IaaS, PaaS, SaaS)?
50. A security administrator wants to enforce a policy that blocks upload of sensitive data to unauthorized cloud applications. Which technology should be used to gain visibility and control over sanctioned and unsanctioned SaaS applications?
51. An organization uses Cisco Umbrella to protect remote users. The security team notices that some malicious domains are not blocked because users are bypassing the DNS layer by using direct IP connections or non-DNS protocols. Which Cisco Umbrella feature should be enabled to inspect all traffic, including non-web traffic, and enforce policies regardless of DNS resolution?
52. A company is deploying workloads in AWS and wants to ensure that the security groups are not overly permissive. They need to continuously monitor for misconfigurations and compare against the CIS AWS Foundations Benchmark. Which tool should be used?
53. To enforce zero trust principles in a cloud environment, an administrator requires all access to cloud resources to be authenticated and authorized based on user identity and device health. Which Azure AD feature enables policies that consider conditions such as location, device compliance, and risk level?
54. In a DevSecOps pipeline, a security engineer wants to automatically scan Infrastructure as Code (IaC) templates for security misconfigurations before deployment. Which tool is commonly used for static analysis of Terraform templates?
55. A company wants to establish private connectivity between its on-premises data center and a VPC in AWS, avoiding the public internet. Which AWS service should be used?
56. A security team is implementing secure access for remote users connecting from untrusted networks. They want to enforce DNS-layer security even when users are off the corporate network. Which Cisco Umbrella feature should be deployed on the endpoints?
57. An organization uses Azure for its cloud workloads. To protect web applications from common exploits like SQL injection and cross-site scripting, they need to deploy a web application firewall (WAF) that integrates with Azure Application Gateway. Which Azure WAF SKU should they choose?
58. In the shared responsibility model for PaaS, which component is the customer responsible for managing?
59. A company uses multiple SaaS applications and wants to enforce data loss prevention (DLP) policies to prevent sensitive data from being shared externally. Which technology provides the ability to scan data in transit and at rest within these SaaS applications?
60. A security engineer is configuring Cisco Umbrella Intelligent Proxy to selectively decrypt and inspect HTTPS traffic. The goal is to balance security and user privacy by only inspecting traffic to high-risk domains. How does Intelligent Proxy decide which traffic to inspect?
61. A security team is implementing a DevSecOps pipeline for containerized applications. Which TWO of the following practices should be included to ensure container security?
62. An organization is adopting zero trust principles for cloud access. Which THREE components should be implemented to enforce identity as the new perimeter?
63. A company uses AWS and Azure and wants to protect its cloud workloads (VMs and containers) from threats. Which TWO technologies are specifically designed for workload protection in the cloud?
64. In the shared responsibility model for cloud security, which of the following is the customer responsible for in an IaaS deployment?
65. A company is using a SaaS application like Office 365. Which security responsibility falls on the customer according to the shared responsibility model?
66. A security team wants to gain visibility into shadow IT usage of cloud applications and enforce data loss prevention policies. Which cloud security control should they deploy?
67. An organization uses Cisco Umbrella to block malicious domains. What is the primary security benefit of DNS-layer security?
68. A company is deploying Cisco Umbrella with the Intelligent Proxy feature. Under what condition does the Intelligent Proxy perform SSL decryption?
69. In AWS, which resource acts as a stateful firewall at the instance level to control inbound and outbound traffic?
70. A security architect is designing a zero-trust model for cloud access. Which of the following is a core principle of zero trust in the cloud?
71. An organization wants to enforce conditional access policies for users accessing cloud applications. Which Azure AD feature should they use?
72. In a DevSecOps pipeline, which tool would be used to scan Infrastructure as Code (IaC) templates for security misconfigurations?
73. A company wants to privately connect an on-premises network to an Azure virtual network without traversing the internet. Which Azure service should they use?
74. A security engineer needs to prevent secrets (e.g., API keys) from being stored in code repositories. Which DevSecOps practice should be implemented?
75. Which cloud workload protection platform (CWPP) capability is essential for protecting containerized applications?
76. A company is using Cisco Umbrella for cloud security. Which two features are part of the Secure Internet Gateway (SIG) functionality? (Choose two.)
77. A security team is implementing CSPM to ensure cloud compliance. Which three checks would a CSPM tool typically perform? (Choose three.)
78. Which two controls are considered part of a zero-trust architecture for cloud access? (Choose two.)
79. A company uses a SaaS application for customer relationship management. In the cloud shared responsibility model, which security controls are the customer's primary responsibility?
80. A security team wants to enforce data loss prevention (DLP) policies across multiple sanctioned cloud applications used by employees. Which cloud security solution is best suited for this task?
81. An organization is implementing a zero trust strategy for cloud access. They require that all access to cloud resources be authenticated and authorized based on user identity and device health, with session risk assessment. Which Azure AD feature should they primarily use?
82. A company uses Cisco Umbrella to protect remote users. They want to ensure that SSL-encrypted traffic to malicious websites is inspected, but without breaking compliance with privacy regulations. Which Umbrella feature should they enable?
83. A cloud engineer is deploying a web application on AWS and needs to control inbound and outbound traffic at both the instance and subnet levels. Which two AWS security controls should they configure? (Select two.)
84. A DevSecOps team is integrating security into their CI/CD pipeline. They want to scan infrastructure-as-code templates for misconfigurations and container images for vulnerabilities. Which two tools are appropriate? (Select two.)
85. An organization is adopting a zero trust model for cloud access. Which three principles should be implemented? (Select three.)

Frequently asked questions

What does the Cloud Security domain cover on the 350-701 exam?

The Cloud Security domain covers the key concepts tested in this area of the 350-701 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-701 domains — no account required.

How many Cloud Security questions are in the 350-701 question bank?

The Courseiva 350-701 question bank contains 85 questions in the Cloud Security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Cloud Security for 350-701?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Cloud Security questions for 350-701?

Yes — the session launcher on this page draws questions exclusively from the Cloud Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
