Courseiva
Knowledge + Practice

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Objective 3.0

Cloud Security

350-701 Practice Questions

Use this page to practise Cloud Security questions for this certification. Focus on how the exam tests cloud security in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

What this objective tests

350-701 Cloud Security — Key Topics

Cloud Security questions on this certification test your ability to deploy and manage cloud security concepts in scenario-based situations.

  • Core Cloud Security concepts and how they apply in real-world cloud scenarios.
  • How to deploy cloud security correctly and verify the outcome.
  • Troubleshooting cloud security issues by interpreting error output and system state.
  • Cloud best practices and Cloud Security design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Cloud Security

  • Selecting the most expensive service when a simpler managed option meets the requirement.
  • Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • Choosing a global service fix when the issue is region-specific.
  • Overlooking cost implications of cross-region data transfer in architecture questions.

350-701 Cloud Security — Practice Questions

30 questions from this objective

Question 2 (medium, multiple choice)

A company is migrating a web application to AWS and wants to protect against DDoS attacks at the application layer. Which Cisco security solution should they deploy?

Question 3 (hard, multiple choice)

An organization uses AWS with a VPC and wants to inspect all traffic between instances in the same subnet using Cisco Firepower. What must be implemented?

Question 4 (easy, multiple choice)

A company is implementing cloud security posture management (CSPM). Which Cisco product provides CSPM capabilities?

Question 5 (medium, multiple choice)

A security architect is designing a hybrid cloud with AWS and on-premises data center. They need to enforce consistent security policies across both environments. Which approach is most effective?

Question 6 (hard, multiple choice)

After deploying a Cisco Cloudlock policy, a user reports that a sanctioned application (Salesforce) is being blocked for file downloads. What is the most likely cause?

Question 7 (easy, multiple choice)

An enterprise wants to prevent data exfiltration from its SaaS applications to unauthorized personal cloud storage. Which Cisco solution should be deployed?

Question 8 (medium, multiple choice)

A DevOps team is deploying containers in Kubernetes and needs to enforce network security policies between pods. Which Cisco solution is designed for this?

Question 9 (hard, multiple choice)

During a cloud migration, an organization notices increased latency in AWS workloads when using Cisco Firepower for traffic inspection. What is the most likely cause?

Question 10 (medium, multi-select)

Which TWO of the following are benefits of using Cisco Cloudlock for cloud security? (Choose two.)

Question 11 (hard, multi-select)

Which THREE of the following are common challenges when securing multi-cloud environments? (Choose three.)

Question 12 (easy, multi-select)

Which TWO of the following are features of Cisco Umbrella? (Choose two.)

Question 13 (medium, multiple choice)

Refer to the exhibit. A user is unable to access Dropbox, which is a high-risk application. The administrator wants to allow Dropbox but still block other high-risk apps. What is the most efficient way to achieve this?

Exhibit

Cisco Cloudlock Policy:
Policy Name: Block High-Risk Apps
Application: Any
Action: Block
Risk Level: High
User: All Users

Cloudlock Activity Log:
User: [email protected]
Application: Dropbox
Action: Blocked
Reason: Risk Level (High)

Question 14 (hard, multiple choice)

Refer to the exhibit. A security analyst notices this CloudTrail log entry. Which security best practice is being violated?

Exhibit

AWS CloudTrail Log:
{
  "eventVersion": "1.08",
  "userIdentity": {
    "arn": "arn:aws:iam::123456789012:user/Admin",
    "accountId": "123456789012"
  },
  "eventTime": "2025-03-28T14:35:00Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress",
  "requestParameters": {
    "groupId": "sg-0abcd1234",
    "ipPermissions": {
      "ipProtocol": "tcp",
      "fromPort": 3389,
      "toPort": 3389,
      "ipRanges": [{"cidrIp": "0.0.0.0/0"}]
    }
  }
}

Question 15 (hard, multiple choice)

You are a security engineer for a multinational corporation that uses a hybrid cloud environment with AWS and Azure. The company has deployed Cisco Cloudlock for SaaS security and Cisco Umbrella for DNS-layer security. Recently, the incident response team detected that an employee's credentials were compromised, and the attacker used them to access the company's Office 365 tenant. The attacker exfiltrated sensitive data by sending emails with attachments to external addresses. Cloudlock logs show that the data exfiltration occurred because the policy for 'Outbound Email with Attachments' was set to 'Allow' for all users. The attacker also used a personal Google Drive account to store stolen data, which was not detected by Cloudlock because Google Drive is not sanctioned. You need to recommend a course of action to prevent similar incidents. Which action should you take first?

Question 16 (medium, multiple choice)

You are tasked with securing a new cloud deployment on AWS. The environment consists of a web application running on EC2 instances behind an Application Load Balancer (ALB), with data stored in an RDS database. The security requirements include: (1) protect against web application attacks (SQL injection, XSS), (2) ensure only authorized users can access the application, (3) monitor for anomalous behavior. You have decided to use AWS WAF for web application protection, AWS Cognito for user authentication, and Amazon GuardDuty for threat detection. However, the CISO also wants to integrate with Cisco's security portfolio for centralized management and visibility. Which Cisco product would best integrate with these AWS services to provide centralized security management?

Question 17 (medium, multiple choice)

A company is deploying a cloud-native application using microservices on AWS. They need to ensure that inter-service communication is encrypted and authenticated. The security team wants to use mutual TLS (mTLS) without managing individual certificates. Which solution should they implement?

Question 18 (hard, multiple choice)

A multinational corporation is migrating its on-premises data center to a public cloud provider. The security policy requires that all traffic between cloud VPCs and the on-premises network must be inspected by a next-generation firewall (NGFW) deployed in the cloud. The on-premises network uses BGP for dynamic routing. Which design meets the requirement while minimizing latency and administrative overhead?

Question 19 (easy, multiple choice)

A security engineer is configuring a cloud access security broker (CASB) to protect a SaaS application used by employees. The primary concern is to prevent sensitive data from being uploaded to the application. Which deployment mode should the engineer choose?

Question 20 (medium, multiple choice)

An organization uses Cisco Umbrella for DNS-layer security. They want to block access to a newly discovered malicious domain (malware.example.com) immediately. Which action should the administrator take in the Umbrella dashboard?

Question 21 (medium, multi-select)

A company is implementing a cloud security posture management (CSPM) solution. Which TWO of the following are primary functions of CSPM?

Question 22 (hard, multiple choice)

An enterprise is migrating a critical application to AWS. The architecture includes an Application Load Balancer (ALB) in front of EC2 instances across multiple Availability Zones. The application must be protected against common web exploits such as SQL injection and cross-site scripting. The security team decides to use AWS WAF. They also need to ensure that only traffic from the company's corporate IP range (203.0.113.0/24) is allowed to reach the application, except for a partner integration that requires access from a specific IP (198.51.100.5). Additionally, all traffic must be inspected by a third-party NGFW for advanced threat detection. The NGFW is deployed in a separate VPC connected via VPC Peering. The current configuration: ALB is internet-facing, WAF is associated with the ALB, and the NGFW is not in the traffic path. After deployment, traffic from corporate users is not being inspected by the NGFW, and partner traffic is being blocked. What is the most efficient solution to meet all requirements?

Question 23 (medium, multi-select)

A company is migrating critical workloads to AWS and wants to ensure secure connectivity between their on-premises network and the VPC. Which TWO actions should be taken to meet this requirement?

Question 24 (hard, multiple choice)

A security analyst discovers that a user downloaded a CSV file containing social security numbers from a sanctioned cloud storage app, but no alert was generated. The DLP policy shown in the exhibit was applied. What is the most likely reason the policy failed to trigger?

Exhibit

Cisco Cloudlock configuration snippet:

dlp-policy EXAMPLE_POLICY
  match condition:
    file-extension .csv
    content-regex "\d{3}-\d{2}-\d{4}"
  action:
    notify admin
    block download

Question 25 (hard, multiple choice)

A financial services company uses a multi-cloud strategy with workloads in AWS and Azure. They must comply with PCI DSS, which requires encryption of cardholder data at rest and in transit. The security team has implemented the following: 1) AWS S3 buckets use server-side encryption with AWS KMS (SSE-KMS). 2) Azure Blob Storage uses Azure Storage Service Encryption (SSE) with Azure Key Vault. 3) All traffic between VPCs and VNets uses IPsec VPN tunnels. During an audit, the assessor notes that data stored in AWS S3 is encrypted with a key that is also used for a development environment. Additionally, logs from Azure Blob Storage are accessible to a group of developers with read-only permissions. Which action should the security team take to address the compliance gaps?

Question 26 (medium, drag order)

Drag and drop the steps to configure a Cisco ISE as a RADIUS server for network access control into the correct order.


Question 27 (medium, matching)

Match each 802.1X component to its role.

Concepts
Matches

Client requesting network access

Network device that enforces access control

RADIUS server that validates credentials

Extensible Authentication Protocol framework

Protocol used for AAA services

Question 28 (easy, multiple choice)

An organization is migrating to AWS and wants to ensure that all internet-bound traffic from VPCs is inspected by a central security appliance. Which AWS service should be used to redirect this traffic?

Question 29 (medium, multiple choice)

A security engineer is configuring Cisco Umbrella to block malicious domains. They need to ensure that internal DNS queries from remote users using Cisco AnyConnect are protected. Which deployment method should they use?

Question 30 (hard, multiple choice)

A company uses AWS Organizations with multiple accounts. They need to enforce that all S3 buckets have encryption enabled. Which AWS service can centrally audit and automatically remediate non-compliant buckets?

Question 31 (easy, multiple choice)

A DevOps team is deploying containerized applications on Kubernetes and needs to ensure that only authorized images are run. Which solution should they integrate with Kubernetes to enforce image trust and scanning?

More Cloud Security questions available in the full practice test.

All 350-701 Objectives

  • 1. Security Concepts
  • 2. Network Security
  • 3. Cloud Security
  • 4. Content Security