Practice 350-701 Cloud Security questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. A company is moving its on-premises applications to AWS EC2 instances. According to the shared responsibility model, which of the following is the customer's responsibility?
2. An organization uses multiple SaaS applications and wants to enforce data loss prevention (DLP) policies to prevent sensitive data from being shared externally. Which cloud security solution should be deployed?
3. A security engineer is configuring Cisco Umbrella to enforce web security for remote users. The requirement is to block threats by intercepting DNS requests and only perform SSL decryption on specific high-risk categories. Which Umbrella feature should be used for selective SSL inspection?
4. A company is deploying a multi-tier application in AWS. The web servers must be accessible from the internet, but the database servers should only be reachable from the web servers. Which AWS security controls should be used to enforce this?
5. An organization wants to implement zero trust principles for cloud access. Which of the following is a key component of a zero trust architecture in the cloud?
6. A DevOps team is integrating security into their CI/CD pipeline. They want to automatically scan Terraform scripts for misconfigurations before deployment. Which tool is specifically designed for this purpose?
7. A company uses Azure AD Conditional Access policies to enforce security for cloud applications. They need to require MFA for all external users accessing a sensitive SaaS app, but only when the access is from an untrusted network. Which condition should be configured in the policy?
8. An organization wants to connect its on-premises data center to a GCP VPC privately, avoiding the public internet. Which GCP service provides a dedicated, private connection?
9. Which of the following is the primary function of a Cloud Security Posture Management (CSPM) tool?
10. A company uses Cisco Umbrella to provide DNS-layer security. An employee tries to visit a website that is hosting malware, but the domain is not yet categorized. How does Umbrella handle this request?
11. An organization is deploying containerized applications in a Kubernetes cluster on AWS EKS. They need to ensure that container images are scanned for vulnerabilities before deployment. Which approach aligns with DevSecOps best practices?
12. A security team is implementing AWS WAF to protect a web application. They want to block requests that contain SQL injection patterns in the query string. Which AWS WAF component should be used?
13. In the shared responsibility model for PaaS, which of the following is typically the customer's responsibility?
14. A company uses Azure NSGs to filter network traffic to VMs. They want to allow RDP access (port 3389) only from the company's public IP range. Which type of NSG rule should be created?
15. A DevSecOps team is implementing secrets management for a cloud-native application. They want to avoid storing secrets in environment variables or code. Which solution should they use?
16. A security administrator is evaluating Cisco Umbrella for cloud-delivered security. Which TWO capabilities are provided by the Secure Internet Gateway (SIG) feature? (Choose two.)
17. An organization is adopting zero trust principles for cloud access. Which THREE measures are essential for implementing identity-centric security? (Choose three.)
18. A company is using Azure and wants to enforce security compliance across their cloud resources. Which TWO services are part of CSPM (Cloud Security Posture Management) in Azure? (Choose two.)
19. In the shared responsibility model for cloud services, which layer is the customer responsible for managing in an IaaS environment?
20. A security team wants to gain visibility into Shadow IT usage of SaaS applications and enforce data loss prevention policies. Which cloud security solution should they deploy?
21. An organization uses Cisco Umbrella to block malicious domains. Which layer does Umbrella primarily operate at to prevent connections before they are established?
22. A company uses AWS and wants to ensure that no EC2 instance has a public IP address attached to a security group that allows inbound SSH from 0.0.0.0/0. Which service can continuously monitor and alert on such misconfigurations?
23. An organization wants to enforce MFA for all administrative access to their Azure environment and also require that access from non-compliant devices be blocked. Which Azure feature should they use?
24. A DevSecOps team is integrating security into their CI/CD pipeline. They want to scan Terraform configuration files for misconfigurations before deployment. Which tool is specifically designed for that purpose?
25. A company uses Google Cloud and needs to securely connect their on-premises data center to a VPC without traversing the public internet. Which solution should they use?
26. In the shared responsibility model for PaaS, which of the following is the customer responsible for?
27. An organization uses Cisco Umbrella's Secure Internet Gateway (SIG). Which two capabilities are typically included in a SIG solution?
28. A cloud security architect is designing zero trust for a multi-cloud environment. Which principle is most critical?
29. A security team wants to inspect SSL-encrypted traffic from users accessing SaaS applications through Cisco Umbrella. Which feature should they enable?
30. Which cloud security control is specifically designed to protect workloads such as VMs and containers from threats?
31. A company uses Azure and wants to restrict network traffic between subnets. Which Azure resource should they use?
32. In a DevSecOps pipeline, a team wants to prevent secrets (e.g., API keys) from being stored in source code. Which approach is most effective?
33. An organization wants to protect their web application hosted on AWS from common exploits like SQL injection. Which AWS service should they use?
34. In the shared responsibility model for cloud security, which responsibility is the customer's in an IaaS deployment?
35. A security team wants to gain visibility into shadow IT usage of SaaS applications and enforce DLP policies for data shared via cloud apps. Which cloud security solution should they deploy?
36. An organization uses Cisco Umbrella to block malicious domains. The security team notices that some malware traffic bypasses DNS-layer blocking because the malware uses hardcoded IP addresses. Which Umbrella feature should be enabled to additionally inspect traffic at the IP layer?
37. A company is deploying a multi-tier application on AWS. The web servers must be accessible from the internet only on ports 80 and 443, while the database servers should be accessible only from the web servers on port 3306. Which combination of cloud network security controls should be used?
38. A DevOps team is building a CI/CD pipeline for a cloud-native application. They want to automatically check Terraform scripts for insecure configurations before deployment. Which tool should be integrated into the pipeline?
39. An organization is adopting a zero-trust model for cloud access. Which component enforces conditional access policies based on user, device, location, and risk level in Azure AD?
40. In the shared responsibility model, which is the customer's responsibility in a SaaS model?
41. A company uses Azure NSGs to control traffic between subnets. They need to allow traffic from the frontend subnet to the backend subnet only on TCP 443. Which configuration correctly achieves this?
42. Which Cisco Umbrella feature provides off-network protection by intercepting DNS requests on a user's device?
43. A security engineer is configuring Cisco Umbrella to block HTTPS traffic to malicious sites. However, they want to inspect SSL-encrypted traffic selectively to avoid breaking applications. Which Umbrella feature should they use?
44. An organization uses AWS WAF to protect its web application. They need to block requests from a specific geographic region. What should they configure?
45. A company is moving workloads to Google Cloud and needs private connectivity between its on-premises data center and VPC without traversing the internet. Which service should be used?
46. A security team is implementing DevSecOps practices. Which TWO actions should be taken to secure secrets (e.g., API keys, passwords) in a CI/CD pipeline? (Choose two.)
47. A company is adopting a zero-trust security model for its cloud environment. Which THREE practices align with zero-trust principles? (Choose three.)
48. A security engineer is designing cloud workload protection (CWPP) for a hybrid environment with VMs and containers. Which TWO capabilities should a CWPP solution provide? (Choose two.)
49. In the shared responsibility model for cloud computing, which responsibility is managed by the customer in all service models (IaaS, PaaS, SaaS)?
50. A security administrator wants to enforce a policy that blocks upload of sensitive data to unauthorized cloud applications. Which technology should be used to gain visibility and control over sanctioned and unsanctioned SaaS applications?
51. An organization uses Cisco Umbrella to protect remote users. The security team notices that some malicious domains are not blocked because users are bypassing the DNS layer by using direct IP connections or non-DNS protocols. Which Cisco Umbrella feature should be enabled to inspect all traffic, including non-web traffic, and enforce policies regardless of DNS resolution?
52. A company is deploying workloads in AWS and wants to ensure that the security groups are not overly permissive. They need to continuously monitor for misconfigurations and compare against the CIS AWS Foundations Benchmark. Which tool should be used?
53. To enforce zero trust principles in a cloud environment, an administrator requires all access to cloud resources to be authenticated and authorized based on user identity and device health. Which Azure AD feature enables policies that consider conditions such as location, device compliance, and risk level?
54. In a DevSecOps pipeline, a security engineer wants to automatically scan Infrastructure as Code (IaC) templates for security misconfigurations before deployment. Which tool is commonly used for static analysis of Terraform templates?
55. A company wants to establish private connectivity between its on-premises data center and a VPC in AWS, avoiding the public internet. Which AWS service should be used?
56. A security team is implementing secure access for remote users connecting from untrusted networks. They want to enforce DNS-layer security even when users are off the corporate network. Which Cisco Umbrella feature should be deployed on the endpoints?
57. An organization uses Azure for its cloud workloads. To protect web applications from common exploits like SQL injection and cross-site scripting, they need to deploy a web application firewall (WAF) that integrates with Azure Application Gateway. Which Azure WAF SKU should they choose?
58. In the shared responsibility model for PaaS, which component is the customer responsible for managing?
59. A company uses multiple SaaS applications and wants to enforce data loss prevention (DLP) policies to prevent sensitive data from being shared externally. Which technology provides the ability to scan data in transit and at rest within these SaaS applications?
60. A security engineer is configuring Cisco Umbrella Intelligent Proxy to selectively decrypt and inspect HTTPS traffic. The goal is to balance security and user privacy by only inspecting traffic to high-risk domains. How does Intelligent Proxy decide which traffic to inspect?
61. A security team is implementing a DevSecOps pipeline for containerized applications. Which TWO of the following practices should be included to ensure container security?
62. An organization is adopting zero trust principles for cloud access. Which THREE components should be implemented to enforce identity as the new perimeter?
63. A company uses AWS and Azure and wants to protect its cloud workloads (VMs and containers) from threats. Which TWO technologies are specifically designed for workload protection in the cloud?
64. In the shared responsibility model for cloud security, which of the following is the customer responsible for in an IaaS deployment?
65. A company is using a SaaS application like Office 365. Which security responsibility falls on the customer according to the shared responsibility model?
66. A security team wants to gain visibility into shadow IT usage of cloud applications and enforce data loss prevention policies. Which cloud security control should they deploy?
67. An organization uses Cisco Umbrella to block malicious domains. What is the primary security benefit of DNS-layer security?
68. A company is deploying Cisco Umbrella with the Intelligent Proxy feature. Under what condition does the Intelligent Proxy perform SSL decryption?
69. In AWS, which resource acts as a stateful firewall at the instance level to control inbound and outbound traffic?
70. A security architect is designing a zero-trust model for cloud access. Which of the following is a core principle of zero trust in the cloud?
71. An organization wants to enforce conditional access policies for users accessing cloud applications. Which Azure AD feature should they use?
72. In a DevSecOps pipeline, which tool would be used to scan Infrastructure as Code (IaC) templates for security misconfigurations?
73. A company wants to privately connect an on-premises network to an Azure virtual network without traversing the internet. Which Azure service should they use?
74. A security engineer needs to prevent secrets (e.g., API keys) from being stored in code repositories. Which DevSecOps practice should be implemented?
75. Which cloud workload protection platform (CWPP) capability is essential for protecting containerized applications?
76. A company is using Cisco Umbrella for cloud security. Which two features are part of the Secure Internet Gateway (SIG) functionality? (Choose two.)
77. A security team is implementing CSPM to ensure cloud compliance. Which three checks would a CSPM tool typically perform? (Choose three.)
78. Which two controls are considered part of a zero-trust architecture for cloud access? (Choose two.)
79. A company uses a SaaS application for customer relationship management. In the cloud shared responsibility model, which security controls are the customer's primary responsibility?
80. A security team wants to enforce data loss prevention (DLP) policies across multiple sanctioned cloud applications used by employees. Which cloud security solution is best suited for this task?
81. An organization is implementing a zero trust strategy for cloud access. They require that all access to cloud resources be authenticated and authorized based on user identity and device health, with session risk assessment. Which Azure AD feature should they primarily use?
82. A company uses Cisco Umbrella to protect remote users. They want to ensure that SSL-encrypted traffic to malicious websites is inspected, but without breaking compliance with privacy regulations. Which Umbrella feature should they enable?
83. A cloud engineer is deploying a web application on AWS and needs to control inbound and outbound traffic at both the instance and subnet levels. Which two AWS security controls should they configure? (Select two.)
84. A DevSecOps team is integrating security into their CI/CD pipeline. They want to scan infrastructure-as-code templates for misconfigurations and container images for vulnerabilities. Which two tools are appropriate? (Select two.)
85. An organization is adopting a zero trust model for cloud access. Which three principles should be implemented? (Select three.)
The Cloud Security domain covers the key concepts tested in this area of the 350-701 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-701 domains — no account required.
The Courseiva 350-701 question bank contains 85 questions in the Cloud Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Cloud Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.