Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Free Resources

Difficulty IndexLearn — Free ChaptersIT GlossaryFree Tools & LabsStudy GuidesCareer RoadmapsBrowse by VendorCisco Command ReferenceCCNA Scenarios

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Cloud Security practice sets

350-701 Cloud Security • Complete Question Bank

350-701 Cloud Security — All Questions With Answers

Complete 350-701 Cloud Security question bank — all 0 questions with answers and detailed explanations.

85
Questions
Free
No signup
Certifications/350-701/Practice Test/Cloud Security/All Questions
Question 1easymultiple choice
Read the full Cloud Security explanation →

A company is moving its on-premises applications to AWS EC2 instances. According to the shared responsibility model, which of the following is the customer's responsibility?

Question 2mediummultiple choice
Read the full Cloud Security explanation →

An organization uses multiple SaaS applications and wants to enforce data loss prevention (DLP) policies to prevent sensitive data from being shared externally. Which cloud security solution should be deployed?

Question 3hardmultiple choice
Read the full DNS explanation →

A security engineer is configuring Cisco Umbrella to enforce web security for remote users. The requirement is to block threats by intercepting DNS requests and only perform SSL decryption on specific high-risk categories. Which Umbrella feature should be used for selective SSL inspection?

Question 4mediummultiple choice
Read the full Cloud Security explanation →

A company is deploying a multi-tier application in AWS. The web servers must be accessible from the internet, but the database servers should only be reachable from the web servers. Which AWS security controls should be used to enforce this?

Question 5easymultiple choice
Read the full Cloud Security explanation →

An organization wants to implement zero trust principles for cloud access. Which of the following is a key component of a zero trust architecture in the cloud?

Question 6mediummultiple choice
Read the full Cloud Security explanation →

A DevOps team is integrating security into their CI/CD pipeline. They want to automatically scan Terraform scripts for misconfigurations before deployment. Which tool is specifically designed for this purpose?

Question 7hardmultiple choice
Read the full Cloud Security explanation →

A company uses Azure AD Conditional Access policies to enforce security for cloud applications. They need to require MFA for all external users accessing a sensitive SaaS app, but only when the access is from an untrusted network. Which condition should be configured in the policy?

Question 8mediummultiple choice
Read the full Cloud Security explanation →

An organization wants to connect its on-premises data center to a GCP VPC privately, avoiding the public internet. Which GCP service provides a dedicated, private connection?

Question 9easymultiple choice
Read the full Cloud Security explanation →

Which of the following is the primary function of a Cloud Security Posture Management (CSPM) tool?

Question 10mediummultiple choice
Read the full DNS explanation →

A company uses Cisco Umbrella to provide DNS-layer security. An employee tries to visit a website that is hosting malware, but the domain is not yet categorized. How does Umbrella handle this request?

Question 11hardmultiple choice
Read the full Cloud Security explanation →

An organization is deploying containerized applications in a Kubernetes cluster on AWS EKS. They need to ensure that container images are scanned for vulnerabilities before deployment. Which approach aligns with DevSecOps best practices?

Question 12mediummultiple choice
Read the full Cloud Security explanation →

A security team is implementing AWS WAF to protect a web application. They want to block requests that contain SQL injection patterns in the query string. Which AWS WAF component should be used?

Question 13easymultiple choice
Read the full Cloud Security explanation →

In the shared responsibility model for PaaS, which of the following is typically the customer's responsibility?

Question 14mediummultiple choice
Read the full Cloud Security explanation →

A company uses Azure NSGs to filter network traffic to VMs. They want to allow RDP access (port 3389) only from the company's public IP range. Which type of NSG rule should be created?

Question 15hardmultiple choice
Read the full Cloud Security explanation →

A DevSecOps team is implementing secrets management for a cloud-native application. They want to avoid storing secrets in environment variables or code. Which solution should they use?

Question 16mediummulti select
Read the full Cloud Security explanation →

A security administrator is evaluating Cisco Umbrella for cloud-delivered security. Which TWO capabilities are provided by the Secure Internet Gateway (SIG) feature? (Choose two.)

Question 17hardmulti select
Read the full Cloud Security explanation →

An organization is adopting zero trust principles for cloud access. Which THREE measures are essential for implementing identity-centric security? (Choose three.)

Question 18mediummulti select
Read the full Cloud Security explanation →

A company is using Azure and wants to enforce security compliance across their cloud resources. Which TWO services are part of CSPM (Cloud Security Posture Management) in Azure? (Choose two.)

Question 19easymultiple choice
Read the full Cloud Security explanation →

In the shared responsibility model for cloud services, which layer is the customer responsible for managing in an IaaS environment?

Question 20mediummultiple choice
Read the full Cloud Security explanation →

A security team wants to gain visibility into Shadow IT usage of SaaS applications and enforce data loss prevention policies. Which cloud security solution should they deploy?

Question 21mediummultiple choice
Read the full Cloud Security explanation →

An organization uses Cisco Umbrella to block malicious domains. Which layer does Umbrella primarily operate at to prevent connections before they are established?

Question 22hardmultiple choice
Read the full Cloud Security explanation →

A company uses AWS and wants to ensure that no EC2 instance has a public IP address attached to a security group that allows inbound SSH from 0.0.0.0/0. Which service can continuously monitor and alert on such misconfigurations?

Question 23mediummultiple choice
Read the full Cloud Security explanation →

An organization wants to enforce MFA for all administrative access to their Azure environment and also require that access from non-compliant devices be blocked. Which Azure feature should they use?

Question 24hardmultiple choice
Read the full Cloud Security explanation →

A DevSecOps team is integrating security into their CI/CD pipeline. They want to scan Terraform configuration files for misconfigurations before deployment. Which tool is specifically designed for that purpose?

Question 25mediummultiple choice
Read the full Cloud Security explanation →

A company uses Google Cloud and needs to securely connect their on-premises data center to a VPC without traversing the public internet. Which solution should they use?

Question 26easymultiple choice
Read the full Cloud Security explanation →

In the shared responsibility model for PaaS, which of the following is the customer responsible for?

Question 27mediummultiple choice
Read the full Cloud Security explanation →

An organization uses Cisco Umbrella's Secure Internet Gateway (SIG). Which two capabilities are typically included in a SIG solution?

Question 28hardmultiple choice
Read the full Cloud Security explanation →

A cloud security architect is designing zero trust for a multi-cloud environment. Which principle is most critical?

Question 29mediummultiple choice
Read the full Cloud Security explanation →

A security team wants to inspect SSL-encrypted traffic from users accessing SaaS applications through Cisco Umbrella. Which feature should they enable?

Question 30easymultiple choice
Read the full Cloud Security explanation →

Which cloud security control is specifically designed to protect workloads such as VMs and containers from threats?

Question 31mediummultiple choice
Review the full subnetting walkthrough →

A company uses Azure and wants to restrict network traffic between subnets. Which Azure resource should they use?

Question 32hardmultiple choice
Read the full Cloud Security explanation →

In a DevSecOps pipeline, a team wants to prevent secrets (e.g., API keys) from being stored in source code. Which approach is most effective?

Question 33mediummultiple choice
Read the full Cloud Security explanation →

An organization wants to protect their web application hosted on AWS from common exploits like SQL injection. Which AWS service should they use?

Question 34easymultiple choice
Read the full Cloud Security explanation →

In the shared responsibility model for cloud security, which responsibility is the customer's in an IaaS deployment?

Question 35mediummultiple choice
Read the full Cloud Security explanation →

A security team wants to gain visibility into shadow IT usage of SaaS applications and enforce DLP policies for data shared via cloud apps. Which cloud security solution should they deploy?

Question 36mediummultiple choice
Read the full DNS explanation →

An organization uses Cisco Umbrella to block malicious domains. The security team notices that some malware traffic bypasses DNS-layer blocking because the malware uses hardcoded IP addresses. Which Umbrella feature should be enabled to additionally inspect traffic at the IP layer?

Question 37hardmultiple choice
Read the full Cloud Security explanation →

A company is deploying a multi-tier application on AWS. The web servers must be accessible from the internet only on ports 80 and 443, while the database servers should be accessible only from the web servers on port 3306. Which combination of cloud network security controls should be used?

Question 38mediummultiple choice
Read the full Cloud Security explanation →

A DevOps team is building a CI/CD pipeline for a cloud-native application. They want to automatically check Terraform scripts for insecure configurations before deployment. Which tool should be integrated into the pipeline?

Question 39mediummultiple choice
Read the full Cloud Security explanation →

An organization is adopting a zero-trust model for cloud access. Which component enforces conditional access policies based on user, device, location, and risk level in Azure AD?

Question 40easymultiple choice
Read the full Cloud Security explanation →

In the shared responsibility model, which is the customer's responsibility in a SaaS model?

Question 41hardmultiple choice
Review the full subnetting walkthrough →

A company uses Azure NSGs to control traffic between subnets. They need to allow traffic from the frontend subnet to the backend subnet only on TCP 443. Which configuration correctly achieves this?

Question 42easymultiple choice
Read the full DNS explanation →

Which Cisco Umbrella feature provides off-network protection by intercepting DNS requests on a user's device?

Question 43mediummultiple choice
Read the full Cloud Security explanation →

A security engineer is configuring Cisco Umbrella to block HTTPS traffic to malicious sites. However, they want to inspect SSL-encrypted traffic selectively to avoid breaking applications. Which Umbrella feature should they use?

Question 44hardmultiple choice
Read the full Cloud Security explanation →

An organization uses AWS WAF to protect its web application. They need to block requests from a specific geographic region. What should they configure?

Question 45mediummultiple choice
Read the full Cloud Security explanation →

A company is moving workloads to Google Cloud and needs private connectivity between its on-premises data center and VPC without traversing the internet. Which service should be used?

Question 46mediummulti select
Read the full Cloud Security explanation →

A security team is implementing DevSecOps practices. Which TWO actions should be taken to secure secrets (e.g., API keys, passwords) in a CI/CD pipeline? (Choose two.)

Question 47mediummulti select
Read the full Cloud Security explanation →

A company is adopting a zero-trust security model for its cloud environment. Which THREE practices align with zero-trust principles? (Choose three.)

Question 48hardmulti select
Read the full Cloud Security explanation →

A security engineer is designing cloud workload protection (CWPP) for a hybrid environment with VMs and containers. Which TWO capabilities should a CWPP solution provide? (Choose two.)

Question 49easymultiple choice
Read the full Cloud Security explanation →

In the shared responsibility model for cloud computing, which responsibility is managed by the customer in all service models (IaaS, PaaS, SaaS)?

Question 50mediummultiple choice
Read the full Cloud Security explanation →

A security administrator wants to enforce a policy that blocks upload of sensitive data to unauthorized cloud applications. Which technology should be used to gain visibility and control over sanctioned and unsanctioned SaaS applications?

Question 51hardmultiple choice
Read the full DNS explanation →

An organization uses Cisco Umbrella to protect remote users. The security team notices that some malicious domains are not blocked because users are bypassing the DNS layer by using direct IP connections or non-DNS protocols. Which Cisco Umbrella feature should be enabled to inspect all traffic, including non-web traffic, and enforce policies regardless of DNS resolution?

Question 52mediummultiple choice
Read the full Cloud Security explanation →

A company is deploying workloads in AWS and wants to ensure that the security groups are not overly permissive. They need to continuously monitor for misconfigurations and compare against the CIS AWS Foundations Benchmark. Which tool should be used?

Question 53mediummultiple choice
Read the full Cloud Security explanation →

To enforce zero trust principles in a cloud environment, an administrator requires all access to cloud resources to be authenticated and authorized based on user identity and device health. Which Azure AD feature enables policies that consider conditions such as location, device compliance, and risk level?

Question 54easymultiple choice
Read the full Cloud Security explanation →

In a DevSecOps pipeline, a security engineer wants to automatically scan Infrastructure as Code (IaC) templates for security misconfigurations before deployment. Which tool is commonly used for static analysis of Terraform templates?

Question 55mediummultiple choice
Read the full Cloud Security explanation →

A company wants to establish private connectivity between its on-premises data center and a VPC in AWS, avoiding the public internet. Which AWS service should be used?

Question 56mediummultiple choice
Read the full DNS explanation →

A security team is implementing secure access for remote users connecting from untrusted networks. They want to enforce DNS-layer security even when users are off the corporate network. Which Cisco Umbrella feature should be deployed on the endpoints?

Question 57hardmultiple choice
Read the full Cloud Security explanation →

An organization uses Azure for its cloud workloads. To protect web applications from common exploits like SQL injection and cross-site scripting, they need to deploy a web application firewall (WAF) that integrates with Azure Application Gateway. Which Azure WAF SKU should they choose?

Question 58easymultiple choice
Read the full Cloud Security explanation →

In the shared responsibility model for PaaS, which component is the customer responsible for managing?

Question 59mediummultiple choice
Read the full Cloud Security explanation →

A company uses multiple SaaS applications and wants to enforce data loss prevention (DLP) policies to prevent sensitive data from being shared externally. Which technology provides the ability to scan data in transit and at rest within these SaaS applications?

Question 60hardmultiple choice
Read the full Cloud Security explanation →

A security engineer is configuring Cisco Umbrella Intelligent Proxy to selectively decrypt and inspect HTTPS traffic. The goal is to balance security and user privacy by only inspecting traffic to high-risk domains. How does Intelligent Proxy decide which traffic to inspect?

Question 61mediummulti select
Read the full Cloud Security explanation →

A security team is implementing a DevSecOps pipeline for containerized applications. Which TWO of the following practices should be included to ensure container security?

Question 62mediummulti select
Read the full Cloud Security explanation →

An organization is adopting zero trust principles for cloud access. Which THREE components should be implemented to enforce identity as the new perimeter?

Question 63hardmulti select
Read the full Cloud Security explanation →

A company uses AWS and Azure and wants to protect its cloud workloads (VMs and containers) from threats. Which TWO technologies are specifically designed for workload protection in the cloud?

Question 64easymultiple choice
Read the full Cloud Security explanation →

In the shared responsibility model for cloud security, which of the following is the customer responsible for in an IaaS deployment?

Question 65easymultiple choice
Read the full Cloud Security explanation →

A company is using a SaaS application like Office 365. Which security responsibility falls on the customer according to the shared responsibility model?

Question 66mediummultiple choice
Read the full Cloud Security explanation →

A security team wants to gain visibility into shadow IT usage of cloud applications and enforce data loss prevention policies. Which cloud security control should they deploy?

Question 67mediummultiple choice
Read the full DNS explanation →

An organization uses Cisco Umbrella to block malicious domains. What is the primary security benefit of DNS-layer security?

Question 68hardmultiple choice
Read the full Cloud Security explanation →

A company is deploying Cisco Umbrella with the Intelligent Proxy feature. Under what condition does the Intelligent Proxy perform SSL decryption?

Question 69mediummultiple choice
Read the full Cloud Security explanation →

In AWS, which resource acts as a stateful firewall at the instance level to control inbound and outbound traffic?

Question 70hardmultiple choice
Read the full Cloud Security explanation →

A security architect is designing a zero-trust model for cloud access. Which of the following is a core principle of zero trust in the cloud?

Question 71mediummultiple choice
Read the full Cloud Security explanation →

An organization wants to enforce conditional access policies for users accessing cloud applications. Which Azure AD feature should they use?

Question 72easymultiple choice
Read the full Cloud Security explanation →

In a DevSecOps pipeline, which tool would be used to scan Infrastructure as Code (IaC) templates for security misconfigurations?

Question 73mediummultiple choice
Read the full Cloud Security explanation →

A company wants to privately connect an on-premises network to an Azure virtual network without traversing the internet. Which Azure service should they use?

Question 74hardmultiple choice
Read the full Cloud Security explanation →

A security engineer needs to prevent secrets (e.g., API keys) from being stored in code repositories. Which DevSecOps practice should be implemented?

Question 75mediummultiple choice
Read the full Cloud Security explanation →

Which cloud workload protection platform (CWPP) capability is essential for protecting containerized applications?

Question 76mediummulti select
Read the full Cloud Security explanation →

A company is using Cisco Umbrella for cloud security. Which two features are part of the Secure Internet Gateway (SIG) functionality? (Choose two.)

Question 77hardmulti select
Read the full Cloud Security explanation →

A security team is implementing CSPM to ensure cloud compliance. Which three checks would a CSPM tool typically perform? (Choose three.)

Question 78mediummulti select
Read the full Cloud Security explanation →

Which two controls are considered part of a zero-trust architecture for cloud access? (Choose two.)

Question 79easymultiple choice
Read the full Cloud Security explanation →

A company uses a SaaS application for customer relationship management. In the cloud shared responsibility model, which security controls are the customer's primary responsibility?

Question 80mediummultiple choice
Read the full Cloud Security explanation →

A security team wants to enforce data loss prevention (DLP) policies across multiple sanctioned cloud applications used by employees. Which cloud security solution is best suited for this task?

Question 81hardmultiple choice
Read the full Cloud Security explanation →

An organization is implementing a zero trust strategy for cloud access. They require that all access to cloud resources be authenticated and authorized based on user identity and device health, with session risk assessment. Which Azure AD feature should they primarily use?

Question 82mediummultiple choice
Read the full Cloud Security explanation →

A company uses Cisco Umbrella to protect remote users. They want to ensure that SSL-encrypted traffic to malicious websites is inspected, but without breaking compliance with privacy regulations. Which Umbrella feature should they enable?

Question 83easymulti select
Review the full subnetting walkthrough →

A cloud engineer is deploying a web application on AWS and needs to control inbound and outbound traffic at both the instance and subnet levels. Which two AWS security controls should they configure? (Select two.)

Question 84mediummulti select
Read the full Cloud Security explanation →

A DevSecOps team is integrating security into their CI/CD pipeline. They want to scan infrastructure-as-code templates for misconfigurations and container images for vulnerabilities. Which two tools are appropriate? (Select two.)

Question 85mediummulti select
Read the full Cloud Security explanation →

An organization is adopting a zero trust model for cloud access. Which three principles should be implemented? (Select three.)

Practice tests

Scored 10-question sessions with instant feedback and explanations.

350-701 Practice Test 1 — 25 Questions→350-701 Practice Test 2 — 25 Questions→350-701 Practice Test 3 — 25 Questions→350-701 Practice Test 4 — 25 Questions→350-701 Practice Test 5 — 25 Questions→350-701 Practice Exam 1 — 20 Questions→350-701 Practice Exam 2 — 20 Questions→350-701 Practice Exam 3 — 20 Questions→350-701 Practice Exam 4 — 20 Questions→Free 350-701 Practice Test 1 — 30 Questions→Free 350-701 Practice Test 2 — 30 Questions→Free 350-701 Practice Test 3 — 30 Questions→350-701 Practice Questions 1 — 50 Questions→350-701 Practice Questions 2 — 50 Questions→350-701 Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Security ConceptsNetwork SecurityEndpoint Security and IdentityCloud SecurityContent SecurityEndpoint Protection and DetectionSecure Network Access, Visibility and Enforcement

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Cloud Security setsAll Cloud Security questions350-701 Practice Hub