Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


350-701 Cloud Security • Complete Question Bank

350-701 Cloud Security — All Questions With Answers

Complete 350-701 Cloud Security question bank — all 0 questions with answers and detailed explanations.

95 Questions • Free • No signup

Question 1 • medium • multiple choice

A company is migrating a web application to AWS and wants to protect against DDoS attacks at the application layer. Which Cisco security solution should they deploy?

Question 2 • hard • multiple choice

An organization uses AWS with a VPC and wants to inspect all traffic between instances in the same subnet using Cisco Firepower. What must be implemented?

Question 3 • easy • multiple choice

A company is implementing cloud security posture management (CSPM). Which Cisco product provides CSPM capabilities?

Question 4 • medium • multiple choice

A security architect is designing a hybrid cloud with AWS and on-premises data center. They need to enforce consistent security policies across both environments. Which approach is most effective?

Question 5 • hard • multiple choice

After deploying a Cisco Cloudlock policy, a user reports that a sanctioned application (Salesforce) is being blocked for file downloads. What is the most likely cause?

Question 6 • easy • multiple choice

An enterprise wants to prevent data exfiltration from its SaaS applications to unauthorized personal cloud storage. Which Cisco solution should be deployed?

Question 7 • medium • multiple choice

A DevOps team is deploying containers in Kubernetes and needs to enforce network security policies between pods. Which Cisco solution is designed for this?

Question 8 • hard • multiple choice

During a cloud migration, an organization notices increased latency in AWS workloads when using Cisco Firepower for traffic inspection. What is the most likely cause?

Question 9 • medium • multi select

Which TWO of the following are benefits of using Cisco Cloudlock for cloud security? (Choose two.)

Question 10 • hard • multi select

Which THREE of the following are common challenges when securing multi-cloud environments? (Choose three.)

Question 11 • easy • multi select

Which TWO of the following are features of Cisco Umbrella? (Choose two.)

Question 12 • medium • multiple choice

Refer to the exhibit. A user is unable to access Dropbox, which is a high-risk application. The administrator wants to allow Dropbox but still block other high-risk apps. What is the most efficient way to achieve this?

Exhibit

Refer to the exhibit.

```
Cisco Cloudlock Policy:
Policy Name: Block High-Risk Apps
Application: Any
Action: Block
Risk Level: High
User: All Users

Cloudlock Activity Log:
User: [email protected]
Application: Dropbox
Action: Blocked
Reason: Risk Level (High)
```

Question 13 • hard • multiple choice

Refer to the exhibit. A security analyst notices this CloudTrail log entry. Which security best practice is being violated?

Exhibit

Refer to the exhibit.

AWS CloudTrail Log:
```
{
  "eventVersion": "1.08",
  "userIdentity": {
    "arn": "arn:aws:iam::123456789012:user/Admin",
    "accountId": "123456789012"
  },
  "eventTime": "2025-03-28T14:35:00Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress",
  "requestParameters": {
    "groupId": "sg-0abcd1234",
    "ipPermissions": {
      "ipProtocol": "tcp",
      "fromPort": 3389,
      "toPort": 3389,
      "ipRanges": [{"cidrIp": "0.0.0.0/0"}]
    }
  }
}
```

Question 14 • hard • multiple choice

You are a security engineer for a multinational corporation that uses a hybrid cloud environment with AWS and Azure. The company has deployed Cisco Cloudlock for SaaS security and Cisco Umbrella for DNS-layer security. Recently, the incident response team detected that an employee's credentials were compromised, and the attacker used them to access the company's Office 365 tenant. The attacker exfiltrated sensitive data by sending emails with attachments to external addresses. Cloudlock logs show that the data exfiltration occurred because the policy for 'Outbound Email with Attachments' was set to 'Allow' for all users. The attacker also used a personal Google Drive account to store stolen data, which was not detected by Cloudlock because Google Drive is not sanctioned. You need to recommend a course of action to prevent similar incidents. Which action should you take first?

Question 15 • medium • multiple choice

You are tasked with securing a new cloud deployment on AWS. The environment consists of a web application running on EC2 instances behind an Application Load Balancer (ALB), with data stored in an RDS database. The security requirements include: (1) protect against web application attacks (SQL injection, XSS), (2) ensure only authorized users can access the application, (3) monitor for anomalous behavior. You have decided to use AWS WAF for web application protection, AWS Cognito for user authentication, and Amazon GuardDuty for threat detection. However, the CISO also wants to integrate with Cisco's security portfolio for centralized management and visibility. Which Cisco product would best integrate with these AWS services to provide centralized security management?

Question 16 • medium • multiple choice

A company is deploying a cloud-native application using microservices on AWS. They need to ensure that inter-service communication is encrypted and authenticated. The security team wants to use mutual TLS (mTLS) without managing individual certificates. Which solution should they implement?

Question 17 • hard • multiple choice

A multinational corporation is migrating its on-premises data center to a public cloud provider. The security policy requires that all traffic between cloud VPCs and the on-premises network must be inspected by a next-generation firewall (NGFW) deployed in the cloud. The on-premises network uses BGP for dynamic routing. Which design meets the requirement while minimizing latency and administrative overhead?

Question 18 • easy • multiple choice

A security engineer is configuring a cloud access security broker (CASB) to protect a SaaS application used by employees. The primary concern is to prevent sensitive data from being uploaded to the application. Which deployment mode should the engineer choose?

Question 19 • medium • multiple choice

An organization uses Cisco Umbrella for DNS-layer security. They want to block access to a newly discovered malicious domain (malware.example.com) immediately. Which action should the administrator take in the Umbrella dashboard?

Question 20 • medium • multi select

A company is implementing a cloud security posture management (CSPM) solution. Which TWO of the following are primary functions of CSPM?

Question 21 • hard • multiple choice

An enterprise is migrating a critical application to AWS. The architecture includes an Application Load Balancer (ALB) in front of EC2 instances across multiple Availability Zones. The application must be protected against common web exploits such as SQL injection and cross-site scripting. The security team decides to use AWS WAF. They also need to ensure that only traffic from the company's corporate IP range (203.0.113.0/24) is allowed to reach the application, except for a partner integration that requires access from a specific IP (198.51.100.5). Additionally, all traffic must be inspected by a third-party NGFW for advanced threat detection. The NGFW is deployed in a separate VPC connected via VPC Peering. The current configuration: ALB is internet-facing, WAF is associated with the ALB, and the NGFW is not in the traffic path. After deployment, traffic from corporate users is not being inspected by the NGFW, and partner traffic is being blocked. What is the most efficient solution to meet all requirements?

Question 22 • medium • multi select

A company is migrating critical workloads to AWS and wants to ensure secure connectivity between their on-premises network and the VPC. Which TWO actions should be taken to meet this requirement?

Question 23 • hard • multiple choice

A security analyst discovers that a user downloaded a CSV file containing social security numbers from a sanctioned cloud storage app, but no alert was generated. The DLP policy shown in the exhibit was applied. What is the most likely reason the policy failed to trigger?

Exhibit

Refer to the exhibit.

Cisco CloudLock configuration snippet:

```
dlp-policy EXAMPLE_POLICY
  match condition:
    file-extension .csv
    content-regex "\d{3}-\d{2}-\d{4}"
  action:
    notify admin
    block download
```

Question 24 • hard • multiple choice

A financial services company uses a multi-cloud strategy with workloads in AWS and Azure. They must comply with PCI DSS, which requires encryption of cardholder data at rest and in transit. The security team has implemented the following: 1) AWS S3 buckets use server-side encryption with AWS KMS (SSE-KMS). 2) Azure Blob Storage uses Azure Storage Service Encryption (SSE) with Azure Key Vault. 3) All traffic between VPCs and VNets uses IPsec VPN tunnels. During an audit, the assessor notes that data stored in AWS S3 is encrypted with a key that is also used for a development environment. Additionally, logs from Azure Blob Storage are accessible to a group of developers with read-only permissions. Which action should the security team take to address the compliance gaps?

Question 25 • medium • drag order

Drag and drop the steps to configure a Cisco ISE as a RADIUS server for network access control into the correct order.


Question 26 • medium • matching

Match each 802.1X component to its role.

Concepts
Matches

Client requesting network access

Network device that enforces access control

RADIUS server that validates credentials

Extensible Authentication Protocol framework

Protocol used for AAA services

Question 27 • easy • multiple choice

An organization is migrating to AWS and wants to ensure that all internet-bound traffic from VPCs is inspected by a central security appliance. Which AWS service should be used to redirect this traffic?

Question 28 • medium • multiple choice

A security engineer is configuring Cisco Umbrella to block malicious domains. They need to ensure that internal DNS queries from remote users using Cisco AnyConnect are protected. Which deployment method should they use?

Question 29 • hard • multiple choice

A company uses AWS Organizations with multiple accounts. They need to enforce that all S3 buckets have encryption enabled. Which AWS service can centrally audit and automatically remediate non-compliant buckets?

Question 30 • easy • multiple choice

A DevOps team is deploying containerized applications on Kubernetes and needs to ensure that only authorized images are run. Which solution should they integrate with Kubernetes to enforce image trust and scanning?

Question 31 • medium • multiple choice

An organization is using Microsoft 365 and wants to prevent sensitive data from being shared externally via email and OneDrive. Which Cisco cloud security product should they deploy?

Question 32 • hard • multiple choice

A security team notices that an AWS Lambda function is allowed to access an S3 bucket containing PII. The Lambda role has an attached policy that grants s3:PutObject and s3:GetObject to the bucket. Which action would be the most effective to ensure least privilege?

Question 33 • easy • multiple choice

A company is planning to use Cisco Umbrella to secure internet access for branch offices. They already have Cisco Meraki MX appliances at each branch. What is the best way to send DNS traffic from the branches to Umbrella?

Question 34 • medium • multiple choice

An enterprise uses multiple IaaS providers (AWS, Azure, GCP). They need a single solution to enforce consistent security policies across all cloud environments. Which Cisco product provides multi-cloud security posture management?

Question 35 • hard • multiple choice

A cloud architect is designing a hybrid network between on-premises and AWS. They need to ensure traffic to the internet from the VPC uses the on-premises security stack for inspection. The VPC has an Internet Gateway (IGW). What must be configured to force outbound traffic to the on-premises firewall?

Question 36 • medium • multi select

A security team is evaluating cloud security solutions. Which TWO of the following are core capabilities of a Cloud Access Security Broker (CASB)?

Question 37 • hard • multi select

An organization is deploying Cisco Cloud Workload Protection (CWP) in AWS. Which THREE of the following components are part of a standard CWP architecture?

Question 38 • easy • multi select

A company wants to implement Zero Trust principles in their cloud environment. Which THREE of the following are key Zero Trust tenets?

Question 39 • hard • multiple choice

A security engineer reviews the security group rules for an EC2 instance. Based on the exhibit, which security concern should be addressed immediately?

Exhibit

Refer to the exhibit.
```
aws ec2 describe-security-groups --group-ids sg-12345678 --query 'SecurityGroups[0].IpPermissions'
[
  {
    "FromPort": 22,
    "IpProtocol": "tcp",
    "IpRanges": [
      {"CidrIp": "10.0.0.0/8"},
      {"CidrIp": "203.0.113.0/24"}
    ],
    "Ipv6Ranges": [],
    "PrefixListIds": [],
    "ToPort": 22,
    "UserIdGroupPairs": []
  },
  {
    "FromPort": 3389,
    "IpRanges": [
      {"CidrIp": "0.0.0.0/0"}
    ],
    "ToPort": 3389
  }
]
```

Question 40 • medium • multiple choice

An ASA firewall is configured as shown. A web server is behind the ASA with IP 10.1.1.100. Which additional configuration is required to allow HTTPS traffic from the internet to the web server?

Exhibit

Refer to the exhibit.
```
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0
!
access-list OUTSIDE extended permit tcp any host 198.51.100.100 eq https
!
access-group OUTSIDE in interface outside
!
route outside 0.0.0.0 0.0.0.0 198.51.100.2
```

Question 41 • easy • multiple choice

An S3 bucket policy is shown. What does the condition "aws:SecureTransport": "true" enforce?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}
```

Question 42 • easy • multiple choice

An organization wants to enforce granular data loss prevention (DLP) policies for SaaS applications like Google Drive and Salesforce. Which Cisco product provides cloud access security broker (CASB) functionality with DLP capabilities?

Question 43 • medium • multiple choice

A company uses Cisco Stealthwatch Cloud for network visibility in AWS. They notice a spike in encrypted traffic from an EC2 instance to an unknown external IP. Which Stealthwatch Cloud feature can analyze this traffic for threats without decrypting it?

Question 44 • hard • multiple choice

A DevOps team is deploying microservices in Azure Kubernetes Service (AKS). They need to enforce inter-container communication policies based on labels. Which Cisco solution provides micro-segmentation for containers in AKS?

Question 45 • easy • multiple choice

A multinational company needs to gain centralized visibility into cloud security posture across AWS, Azure, and GCP. Which Cisco product provides multi-cloud security posture management (CSPM) capabilities?

Question 46 • medium • multiple choice

An organization uses Cisco Umbrella to secure remote users. The security team wants to ensure that all DNS queries from endpoints are forwarded to Umbrella even when users are off the corporate network. Which deployment method achieves this?

Question 47 • hard • multiple choice

A company is connecting multiple VPCs in AWS to a shared services VPC using AWS Transit Gateway. They want to inspect east-west traffic between VPCs with a common security policy. Which design best achieves this using Cisco solutions?

Question 48 • easy • multiple choice

A company wants to enforce consistent security policies for Office 365, Salesforce, and Box. Which Cisco product provides CASB functionality with policy enforcement for SaaS applications?

Question 49 • medium • multiple choice

A company deploys a Cisco ASAv in AWS for VPN termination. They need to enforce multi-factor authentication (MFA) for remote access VPN users. Which Cisco solution integrates with ASAv to provide MFA?

Question 50 • hard • multiple choice

A cloud security team is investigating a possible data exfiltration incident involving an AWS S3 bucket configured with cross-region replication. Which Cisco Cloudlock feature can detect unusual replication patterns that may indicate data theft?

Question 51 • easy • multi select

Which TWO Cisco solutions provide virtual firewall capabilities in public cloud environments? (Choose two.)

Question 52 • medium • multi select

A company is implementing zero trust architecture in the cloud. Which TWO principles are fundamental to zero trust? (Choose two.)

Question 53 • hard • multi select

Which THREE are key components of Cisco's Cloud Security architecture? (Choose three.)

Question 54 • easy • multiple choice

Refer to the exhibit. What is the effect of this NAT rule on the Cisco FTD device deployed in the cloud?

Exhibit

Refer to the exhibit.

```
ciscoftd(config)# show running-config | section nat
nat (inside,outside) source static 10.0.1.0 10.0.1.0 destination static 192.168.1.0 192.168.1.0 no-proxy-arp route-lookup
```

Question 55 • medium • multiple choice

Refer to the exhibit. This JSON policy is part of a Cisco Cloudlock DLP configuration. What will happen when a user attempts to upload a file containing the word 'secret' to a cloud storage service?

Exhibit

Refer to the exhibit.

```
{
  "policyName": "DLP-Confidential",
  "rules": [
    {
      "condition": {
        "content": {
          "contains": "secret"
        }
      },
      "action": "block"
    }
  ]
}
```

Question 56 • hard • multiple choice

Refer to the exhibit, which shows command output from a Cisco Umbrella deployment. An administrator observes that 25 DNS queries were blocked. What does this indicate?

Exhibit

Refer to the exhibit.

```
cisco-umbrella-cli> show summary
Total DNS queries: 1500
Total blocked: 25
Total allowed: 1475
```

Question 57 • easy • multiple choice

A company is deploying cloud workload protection for their Azure VMs. They want to ensure that security policies are automatically adjusted based on workload changes. Which technology should they implement?

Question 58 • medium • multiple choice

A company uses multiple cloud providers (AWS and Azure) and wants to unify security monitoring and policy enforcement. They have on-premises data centers as well. Which Cisco solution is best suited for this?

Question 59 • hard • multiple choice

A security team is troubleshooting an incident where a compromised application running in a Kubernetes cluster on AWS EKS is being used to exfiltrate data to an external IP. They have deployed Cisco Secure Workload. How would the agent on the container report the exfiltration attempt?

Question 60 • medium • multi select

A cloud security engineer is evaluating CSPM (Cloud Security Posture Management) solutions. Which TWO capabilities are essential for a CSPM tool? (Select two.)

Question 61 • hard • multi select

An organization is adopting a cloud-first strategy and wants to ensure least-privilege access for cloud resources. Which THREE measures should be implemented as part of a cloud IAM strategy? (Select three.)

Question 62 • easy • multi select

A company is deploying a cloud-based web application and wants to protect against OWASP Top 10 attacks. Which THREE security controls should they implement? (Select three.)

Question 63 • medium • multiple choice

Refer to the exhibit. A Cisco ASA firewall is deployed in a cloud environment. After applying this ACL to an interface, users report that they cannot access cloud instances from on-premises. What is the most likely cause?

Exhibit

```
ip access-list extended CLOUD-FILTER
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip any any
```

Question 64 • easy • multiple choice

Refer to the exhibit. A security administrator implements this S3 bucket policy to restrict access to the bucket 'my-bucket'. What type of condition is being used?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
```

Question 65 • hard • multiple choice

Refer to the exhibit. An administrator in us-west-2 tries to launch an instance. The policy allows only us-east-1. What should the administrator do to successfully launch the instance?

Exhibit

```
{
  "Effect": "Allow",
  "Action": "ec2:RunInstances",
  "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
  "Condition": {
    "StringEquals": {
      "aws:RequestedRegion": "us-east-1"
    }
  }
}
```

Question 66 • easy • multiple choice

A company uses Cisco Umbrella for DNS-layer security. They want to block access to known malicious IPs that may be resolved by non-DNS traffic. Which feature should they enable?

Question 67 • medium • multiple choice

A cloud security architect is designing a zero-trust architecture for an enterprise using AWS and Azure. They need to enforce micro-segmentation between application tiers. Which Cisco solution is most appropriate?

Question 68 • hard • multiple choice

During a cloud migration, an administrator notices that a workload in Azure is generating outbound traffic that is being blocked by the cloud security group. The workload requires connectivity to a specific SaaS application (Office 365) using TLS. The security group denies all outbound traffic except to specific IP ranges. Which action should the administrator take?

Question 69 • easy • multiple choice

A small business uses Cisco Duo for multi-factor authentication. They want to ensure that employees accessing cloud apps from personal devices are compliant with device security policies. Which Duo feature should they use?

Question 70 • medium • multiple choice

A company deploys a web application firewall (WAF) from Cisco on AWS Marketplace. They want to integrate with AWS CloudTrail for logging. What is the primary benefit?

Question 71 • hard • multiple choice

A cloud operations team reports that after enabling Cisco Secure Cloud Analytics (CSCA) for an AWS account, some legitimate traffic is being flagged as suspicious. The team has fine-tuned the ML models but false positives persist. Which additional step should they take?

Question 72 • easy • multiple choice

A company is moving its data to AWS and wants to use Cisco Cloudlock for cloud access security broker (CASB) capabilities. Which deployment mode is required for Cloudlock to inspect traffic for shadow IT discovery?

Question 73 • easy • multiple choice

A network engineer is configuring Cisco Umbrella to secure remote users connecting to a SaaS application. The users are not assigned a static public IP and often connect from various locations. Which deployment method best protects these users?

Question 74 • easy • multiple choice

A company wants to use Cisco Duo for MFA to protect access to its Azure AD applications. Which authentication method should be configured for cloud applications?

Question 75 • easy • multiple choice

A security analyst wants to detect misconfigurations in cloud storage buckets using Cisco Secure Cloud Analytics (formerly Stealthwatch Cloud). What must be configured first?

Question 76 • medium • multiple choice

An organization uses AWS and Azure. They deploy Cisco Secure Workload to enforce microsegmentation. They discover that after deploying agents on EC2 instances, some traffic is misclassified due to overlapping IPs across multiple VPCs. Which configuration change best resolves this?

Question 77 • medium • multiple choice

An engineer is designing a cloud security solution using Cisco SD-WAN with cloud on-ramp. They want to ensure that traffic to a specific IaaS provider is inspected by the Cisco Umbrella SIG. Which configuration is necessary on the SD-WAN edge?

Question 78 • medium • multiple choice

An organization deploys Cisco Secure Firewall (formerly Firepower) in a public cloud environment (AWS). They need to inspect traffic between VPCs. What is the recommended deployment model?

Question 79 • hard • multiple choice

During a cloud migration, the security team uses Cisco CloudLock for DLP. They notice that the DLP engine is not scanning certain files in Google Drive shared with external users. The CloudLock admin console shows the connector status as 'connected'. What is the most likely cause?

Question 80 • hard • multiple choice

A company uses Cisco Secure Workload to enforce microsegmentation across multiple AWS accounts. After enabling enforcement, they find that the policies are only applied to workloads in the primary account. What is the most likely reason?

Question 81 • hard • multiple choice

Refer to the exhibit. A network engineer configures a site-to-site VPN between a Cisco router and an Azure VPN gateway. After configuration, the tunnel is not coming up. Which issue is most likely causing the problem?

Exhibit

```
crypto ikev2 proposal azure-proposal
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy azure-policy
 match fvrf any
 proposal azure-proposal
!
crypto ipsec transform-set azure-transform esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map AZURE-MAP 10 ipsec-isakmp
 set peer 20.10.0.1
 set transform-set azure-transform
 match address azure-traffic
!
interface Tunnel200
 ip address 10.10.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 20.10.0.1
 tunnel mode ipsec ipv4
 crypto map AZURE-MAP
!
ip access-list extended azure-traffic
 permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
```

Question 82 • easy • multi select

A security architect is evaluating Cisco Cloud Security portfolio for SaaS access protection. Which two solutions provide inline traffic inspection for cloud applications? (Choose two.)

Question 83 • medium • multi select

An organization is implementing Cisco Secure Cloud Insights (formerly CloudCenter). Which three capabilities does this tool provide? (Choose three.)

Question 84 • hard • multi select

A cloud security team is deploying Cisco Tetration (Secure Workload) in a hybrid cloud environment. Which three are prerequisites for workload discovery and policy enforcement? (Choose three.)

Question 85 • medium • multiple choice

A company has 500 users who work remotely and connect to cloud-based SaaS applications. The security team is concerned about malware downloads from these applications. They have deployed Cisco Umbrella with the SIG feature. However, after deployment, a test shows that downloading a file from Dropbox is not being inspected by the cloud security stack. The Umbrella dashboard indicates that the policy is active and the SIG feature is enabled. The network team confirms that the users are using the Umbrella roaming client and that the traffic is correctly forwarding to Umbrella. What is the most likely issue?

Question 86 (hard, multiple choice)

An enterprise migrated its e-commerce application to AWS. They use Cisco Secure Workload (Tetration) for microsegmentation. After enabling enforcement, legitimate traffic between the web tier and database tier is being blocked. The security team verified that the policy allows the traffic based on labels. The Tetration console shows the enforcement mode as 'active blocking'. The database server is in a different VPC, and the web server is in a public subnet. The agents are running on both workloads and report correctly. Which configuration step is most likely missing?

Question 87 (easy, multiple choice)

A company uses Cisco Umbrella for cloud-delivered security. Users report that some websites are incorrectly blocked. The security team wants to allow a specific website temporarily while investigating. Which action should the administrator take?

Question 88 (medium, multiple choice)

A network engineer is designing a multi-cloud architecture with AWS and Azure. The company needs consistent security policies across both cloud providers and on-premises data centers. Which Cisco solution should the engineer recommend?

Question 89 (hard, multi select)

A security administrator is configuring a Cisco CloudLock policy for a SaaS application. The policy must detect and alert on sharing of files containing personally identifiable information (PII) with external users. Which TWO actions should the administrator take? (Choose two.)

Question 90 (medium, multi select)

A company uses Amazon Web Services (AWS) and wants to integrate with Cisco Defense Orchestrator (CDO) for centralized security management. Which THREE capabilities does CDO provide when managing AWS security services? (Choose three.)

Question 91 (hard, multiple choice)

A company has a hybrid cloud environment with workloads in AWS and Azure, and an on-premises data center. They use Cisco Tetration for micro-segmentation and Cisco CloudCenter for orchestration. Recently, they deployed a new multi-tier application in AWS: a web tier, an application tier, and a database tier, all across multiple Availability Zones. After deployment, the application is unreachable. The security team reviews Tetration policies and finds that a policy is in place to allow traffic between tiers, but the web tier cannot communicate with the application tier. The Tetration agent status shows all agents are healthy. The administrator checks the AWS security groups and notices that the web tier's security group allows inbound HTTP from 0.0.0.0/0, but the application tier's security group does not allow inbound traffic from the web tier's subnet. Instead, the application tier's security group was mistakenly configured to allow inbound traffic only from the on-premises CIDR block. The network team requests a fix that does not impact other ongoing audits. What should the administrator do?

Question 92 (easy, multiple choice)

A small business uses Cisco Umbrella for DNS-layer security. They recently enabled multi-factor authentication (MFA) for all administration accounts. The IT manager is unable to log into the Umbrella dashboard; the login page accepts his password but then asks for an MFA code. However, he never set up MFA. He checks his email and finds no registration email. He is the only administrator. How should he regain access to the Umbrella dashboard?

Question 93 (medium, multiple choice)

A large enterprise is migrating legacy applications to AWS. The security team requires that all data in transit between the applications and the on-premises data center be encrypted and inspected for threats. They have deployed a Cisco Firepower NGFW on-premises and are using Amazon VPC with a VPN connection. The team is concerned about east-west traffic within the VPC also being inspected. They consider deploying Cisco Secure Firewall in the cloud (cFMC). However, budget constraints limit the number of virtual firewalls. Which design best meets the requirements while optimizing cost?

Question 94 (hard, multiple choice)

A company uses Microsoft Azure and has deployed Cisco CloudCenter for workload lifecycle management. They also use Cisco Firepower NGFW in Azure. A security analyst notices that the Firepower logs show outbound connections from a workload to an IP address in a known threat feed. The workload is a Linux server that runs a custom application. The analyst checks Azure Network Security Groups (NSGs) and finds that outbound traffic is not restricted. The company's policy requires that all outbound traffic be inspected and logged. The analyst wants to block the specific IP while allowing other outbound traffic. Which action should be taken?

Question 95 (easy, multiple choice)

A company has deployed Cisco Umbrella with a virtual appliance (VA) for content filtering. Users report that some websites are not loading properly, and the helpdesk suspects that the VA is blocking legitimate traffic. The network administrator checks the VA dashboard and sees that the VA is passing traffic normally. However, the administrator notices that the VA's upstream DNS server is set to a public resolver (208.67.222.222) instead of the company's internal DNS servers. This causes internal hostnames to resolve incorrectly. The company uses Active Directory with domain-joined computers. What should the administrator do to resolve the issue?
