Practice CV0-004 Security questions with full explanations on every answer.
1. A cloud administrator is troubleshooting an issue where a user in the finance department cannot access a critical application hosted on a private cloud. The user can access other applications in the same subnet. The security team recently implemented a new network security policy. Which of the following is MOST likely causing the issue?
2. An organization wants to ensure that only authorized personnel can access the cloud management console. Which of the following is the BEST method to achieve this?
3. A company is migrating a legacy application to a public cloud. The application requires a static IP address for licensing. The security team insists on encrypting all traffic between the application and the database. Which of the following should the cloud architect implement?
4. A cloud administrator is tasked with ensuring that only encrypted connections are used to transfer files to a cloud storage bucket. Which of the following should the administrator enforce?
5. A company is implementing a cloud-based SIEM solution. Which TWO of the following are essential data sources that should be integrated to ensure comprehensive security monitoring?
6. A cloud administrator is designing a secure multi-tenant environment. Which THREE of the following are best practices for isolating tenant workloads?
7. A company experiences a data breach where an attacker exfiltrated data from a cloud storage bucket. The security team discovers that the bucket had a policy allowing public access. The cloud administrator had previously set the bucket to be private. Which of the following is the MOST likely reason the bucket became public?
8. A cloud administrator is configuring a web application hosted on a public cloud VM. The application must be accessible over HTTPS, and the administrator needs to ensure that all traffic between the client and the server is encrypted. The cloud provider offers a managed certificate service. Which of the following is the BEST practice for securing the application?
9. A cloud administrator is troubleshooting connectivity to a web server running on a Linux VM. The web server is configured to listen on ports 80 (HTTP) and 443 (HTTPS). The administrator runs the iptables command shown in the exhibit. Based on the output, what is the MOST likely reason that external users cannot access the web server on port 443?
10. A cloud engineer is responsible for securing a multi-tier application deployed on IaaS. The application consists of web servers, application servers, and database servers. The engineer needs to implement network segmentation to minimize the attack surface. Which of the following is the BEST approach?
11. A company is migrating its on-premises workload to a public cloud. The security team wants to ensure that all data transmitted between the on-premises network and the cloud VPC is encrypted in transit and that the connection uses dedicated bandwidth. Which of the following should the security team implement?
12. A cloud administrator notices that an IAM user has permissions that are not explicitly assigned. The administrator suspects that the user is inheriting permissions through group membership or role assignment. Which TWO methods can the administrator use to identify all effective permissions for this user? (Choose TWO.)
13. Refer to the exhibit. A cloud security engineer is reviewing an S3 bucket policy that controls access to the 'example-bucket' bucket. The 'AdminRole' IAM role attempts to upload an object to the bucket using the AWS CLI without specifying the '--server-side-encryption' parameter. The object transfer uses HTTPS. What will be the outcome?
14. Sequence the steps to troubleshoot a cloud-based application that is not accessible from the internet.
15. Sequence the steps to configure a cloud monitoring alert for high memory usage on a virtual machine.
16. Match each storage type to its characteristic.
17. Match each troubleshooting command to its function.
18. A cloud administrator is configuring a new virtual private cloud (VPC) and needs to ensure that traffic between web servers and database servers is restricted to only the necessary ports. Which security approach should the administrator implement?
19. A company has deployed a multi-tier application on a public cloud platform. The security team discovers that a Compute Instance is communicating with an external IP address known for malicious activity. The instance is part of an auto scaling group. What is the BEST immediate action to contain the threat while minimizing downtime?
20. A cloud architect is designing a solution to ensure that data at rest in an object storage bucket is encrypted. The company requires that the encryption keys are managed by an on-premises hardware security module (HSM) to maintain control. Which encryption approach should the architect choose?
21. A company's cloud environment uses a shared responsibility model. The security team notices that a data breach occurred due to misconfigured storage buckets in the public cloud. Which party is primarily responsible for this misconfiguration according to the shared responsibility model?
22. An organization uses a private cloud and wants to implement multifactor authentication (MFA) for administrative access to the hypervisor. However, due to legacy system constraints, the hypervisor does not support MFA directly. What is the BEST alternative to achieve MFA for administrative logins?
23. A cloud administrator is tasked with ensuring that all API requests to the cloud management plane are encrypted. Which protocol should be enforced to meet this requirement?
24. A company's compliance policy requires that all virtual machine (VM) instances must have security patches applied within 30 days of release. The cloud environment automatically deploys VMs from a golden image. Which strategy would BEST ensure compliance without manual intervention?
25. During a security audit, it is discovered that a cloud application can be accessed using a shared service account that has elevated privileges. The audit recommends implementing a just-in-time (JIT) access model. What is the primary benefit of JIT access in this scenario?
26. A company wants to protect data in transit between its on-premises data center and a public cloud environment. Which technology should be used to create a secure encrypted tunnel over the internet?
27. Which TWO actions should a cloud administrator take to protect against data exfiltration from a cloud storage bucket? (Choose two.)
28. Which THREE elements are required for a complete key lifecycle management strategy in a cloud environment? (Choose three.)
29. Which TWO steps should be performed to ensure that a new cloud user has only the minimum required permissions to perform their job? (Choose two.)
30. Refer to the exhibit. What is the effect of this bucket policy?
31. Refer to the exhibit. A cloud administrator runs the above command on a Linux virtual machine. What is the effect of the current firewall rules?
32. Refer to the exhibit. This log message is from a cloud security scanner. Which principle did the scanner likely detect?
33. A cloud administrator notices that an IAM role in a public cloud environment has permissions to perform all actions on all resources. The principle of least privilege should be applied. What is the best first step to reduce the security risk?
34. A company uses a cloud provider's key management service to encrypt data at rest. The security team wants to ensure that encryption keys are automatically rotated every 90 days to meet compliance requirements. Which feature should be enabled?
35. During a security audit, an organization discovers their cloud-based database is accessible from any public IP address due to a firewall rule allowing 0.0.0.0/0 on port 3306 (MySQL). The database must remain accessible to remote developers working from home. What is the most effective remediation?
36. A cloud security analyst finds the above JSON policy attached to an S3 bucket containing confidential customer data. What change must be made to comply with the principle of least privilege?
37. The above condition is included in an IAM policy. What does this condition restrict?
38. A user attempted to copy an encrypted snapshot to a different region and received the above error. What is the most likely cause?
39. A cloud architect is designing a multi-tier application. To ensure secure communication between the web tier and the application tier within the same VPC, which approach should be used?
40. Which of the following is the best practice for securely storing secrets such as database passwords in a cloud environment?
41. A company uses a cloud provider's identity federation to allow employees to sign in using their corporate Active Directory credentials. After a merger, employees from the acquired company need access. What must be modified to enable federated access for the new users without disrupting existing access?
42. A security team wants to implement host-based intrusion detection on their virtual machines in a public cloud. Which approach provides the most effective detection while minimizing performance impact?
43. A company stores sensitive data in a cloud object storage. They want to ensure that data is automatically deleted after a retention period of 7 years to comply with legal requirements. Which feature should be used?
44. During a penetration test, a cloud security engineer discovers that a storage bucket is publicly accessible because of a misconfigured block public access setting. The bucket contains encrypted data. Which of the following is the primary risk?
45. Which TWO of the following are effective methods to protect data in transit within a cloud environment? Select two.
46. Which TWO of the following are common vulnerabilities in cloud environments that can lead to unauthorized access? Select two.
47. Which THREE of the following are essential components of a cloud incident response plan? Select three.
48. A company's IaaS environment has a high rate of failed login attempts to a critical database server. The security team wants to temporarily block the source IPs after 5 failed attempts within 10 minutes. Which security control should be implemented?
49. A cloud architect is designing a multi-tier application in a public cloud that must comply with PCI DSS. The web tier must be accessible from the internet, but the application tier should not have any public IP addresses. Which architecture meets these requirements?
50. A cloud administrator notices that a storage bucket in a cloud object storage service is publicly accessible. The bucket contains sensitive customer data. What is the most likely cause of this issue?
51. A security analyst is investigating a potential data exfiltration from a cloud environment. The analyst finds that an instance IAM role was assumed by a compromised user, and the role has permissions to read from a sensitive database. What is the BEST way to prevent this type of attack in the future?
52. A company is migrating a legacy on-premises application to a cloud VM. The application requires a static private IP address for compliance. During a disaster recovery failover, the VM must automatically retain the same IP address in the secondary region. Which solution should be used?
53. A cloud security team needs to ensure that all API calls made to the cloud provider are logged and monitored for suspicious activity. Which service should be enabled?
54. A DevOps team uses infrastructure as code to deploy cloud resources. Security policy requires that all storage buckets have versioning enabled and are not publicly accessible. How can these requirements be enforced automatically?
55. During a security assessment, a cloud auditor discovers that a virtual machine has a publicly accessible SSH port (22) open to the entire internet (0.0.0.0/0). The VM is a bastion host intended for administration. What should be done to reduce risk?
56. Which TWO of the following are best practices for securing a cloud object storage bucket?
57. Which THREE of the following are valid methods to manage identity and access in a multi-cloud environment?
58. Which TWO of the following are common security concerns specific to a public cloud infrastructure?
59. A cloud engineer runs the commands shown in the exhibit. Based on the output, which security issue is present?
60. A multinational corporation runs a critical application on a private cloud hosted in their data center. The application uses virtual machines (VMs) that are attached to a storage area network (SAN) for block storage. The company is migrating the application to a public cloud IaaS model to reduce on-premises costs. The security team mandates that all data at rest in the cloud must be encrypted using customer-managed keys, and the cloud provider must not have access to the keys. The application requires low-latency block storage for a database. The storage must be replicated within the same region for availability. The cloud architect needs to choose a storage solution that meets these security and performance requirements. The cloud provider offers: (A) Object storage with server-side encryption using provider-managed keys. (B) Ephemeral instance storage with encryption at rest using provider-managed keys. (C) Persistent block storage volumes with encryption using customer-managed keys stored in the provider's key management service (KMS) integrated with hardware security modules (HSM). (D) Network file system (NFS) shares encrypted with customer-managed keys managed on-premises. Which option should the architect choose?
61. A healthcare organization uses a cloud-based virtual private cloud (VPC) to host a web application that processes protected health information (PHI). The application consists of a public-facing load balancer, a web server tier in a public subnet, and a database tier in a private subnet. The database runs on a managed relational database service with encryption at rest enabled using a cloud provider-managed key. The security auditor requires that the database encryption key must be controlled by the organization and rotated every 90 days. Additionally, the database must only be accessible from the web server tier. The database is currently accessible from the entire VPC CIDR block. What should the cloud administrator do to meet these requirements?
62. A small business uses a public cloud IaaS to host a single Windows virtual machine (VM) running a line-of-business application. The VM has a public IP address and is in a network security group that allows RDP (port 3389) from the internet (0.0.0.0/0). The administrator frequently connects from home and various client sites. The administrator is concerned about brute force attacks on the RDP service. The business does not have a VPN server. What is the best way to secure the RDP access without changing the public IP address or blocking all external access?
63. A cloud administrator is designing a hybrid cloud environment that connects on-premises resources to a public cloud. To ensure data protection, the administrator needs to implement controls for data in transit and data at rest. Which TWO security controls should the administrator implement? (Choose two.)
64. A company hosts its critical applications on a cloud provider's virtual machines within a virtual private cloud. The security team receives an alert from the intrusion detection system indicating that one of the VMs is exhibiting signs of a ransomware infection. The administrator connects to the VM via a bastion host and observes that several important files have been encrypted and a ransom note has been left. The incident response plan is still being developed, but the administrator knows the immediate priority is to contain the threat and prevent it from spreading to other VMs and storage resources. The company has daily backups stored in a separate cloud storage service that is not directly accessible from the production network. Which of the following actions should the administrator take FIRST to contain the incident and minimize further damage?
65. A company uses a multi-account AWS organization with separate accounts for development, testing, and production. A developer in the development account needs to access an S3 bucket in the production account to retrieve log files for troubleshooting. The developer has an IAM user in the development account with full S3 permissions, and the production account's S3 bucket policy includes a statement that grants access to the root user of the development account. However, when the developer attempts to access the bucket using AWS CLI with their IAM user credentials, they receive an 'Access Denied' error. The security team has verified that there are no explicit deny policies in either account, and that the bucket policy is correctly configured. The administrator has confirmed that the developer's IAM user has permissions to perform S3 operations. Which of the following is the MOST likely cause of the access failure?
66. A cloud administrator is configuring a new virtual private cloud (VPC) with a public subnet for a web application. The administrator must ensure that the web application can receive HTTPS traffic from the internet but cannot be directly accessed via SSH. Which TWO security controls should the administrator implement? (Choose two.)
67. A mid-sized company is migrating its on-premises applications to a public cloud. The security team has implemented a cloud access security broker (CASB) to monitor and enforce policies for sensitive data. The company uses a multi-cloud environment with both AWS and Azure. After deployment, the security team receives alerts that a developer accidentally exposed a set of credentials in a public GitHub repository. The credentials were associated with a service account that has read-write access to an AWS S3 bucket containing customer PII (personally identifiable information). The team immediately revokes the credentials and rotates the access keys. The security team wants to prevent such incidents in the future and ensure that any exposed credentials are promptly detected without relying solely on manual GitHub scans. The company also wants to maintain a least-privilege model for all cloud resources. Given this scenario, which of the following actions should the security team take FIRST to reduce the risk of credential exposure and improve detection?
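Questions 13 and 30 both turn on reading a bucket policy and predicting what a request gets. The exhibits are not reproduced here, so the script below is an added example (not Courseiva's question bank and not the exhibit) that evaluates a constructed policy of the common "require TLS and require server-side encryption" shape against a few requests. The bucket name "example-bucket", the Sids and the request contexts are assumptions for illustration. Only the slice of IAM semantics needed for Deny statements is implemented: an explicit Deny that matches wins regardless of what the caller's identity policy allows, Action and Resource accept wildcards, and the Bool, Null and StringEquals condition operators are supported. A Bool condition on a key missing from the request does not match; a Null condition with value "true" matches exactly when the key is missing, which is why an upload over HTTPS that omits the encryption header is still denied.

```python
"""Minimal evaluator for S3 bucket-policy Deny statements.

Added example, not from the page. POLICY is constructed for illustration and
is NOT the exhibit referenced by the question. Implements only: explicit Deny
wins, Action/Resource wildcards, and the Bool / Null / StringEquals operators.
"""
from fnmatch import fnmatchcase

# Constructed policy (assumption: the bucket is named "example-bucket").
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
            # Applies only when the request was NOT made over TLS.
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            # Null:true means "the key is absent from the request".
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match for Action and Resource elements."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """True when every operator/key pair in the Condition block is satisfied by ctx."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Null":
                want_absent = str(expected).lower() == "true"
                if want_absent != (not present):
                    return False
            elif operator == "Bool":
                # A missing key never satisfies Bool (that would need ...IfExists).
                if not present or str(ctx[key]).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if not present or ctx[key] not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator!r} not implemented in this example")
    return True


def explicit_denies(action, resource, ctx, policy=POLICY):
    """Return the Sids of Deny statements that apply to the request.

    An empty list means the bucket policy does not deny the request; whether it
    is then allowed depends on Allow statements and the caller's identity policy.
    """
    hits = []
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not _matches(st["Action"], action):
            continue
        if not _matches(st["Resource"], resource):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        hits.append(st["Sid"])
    return hits


# Constructed request contexts. aws:SecureTransport is always present in a real
# request; the SSE header only appears when the client sent it.
OBJ = "arn:aws:s3:::example-bucket/report.csv"
HTTPS_NO_SSE = {"aws:SecureTransport": "true"}
HTTPS_SSE = {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "AES256"}
HTTP_SSE = {"aws:SecureTransport": "false", "s3:x-amz-server-side-encryption": "AES256"}

if __name__ == "__main__":
    for label, ctx in (("https, no SSE header", HTTPS_NO_SSE),
                       ("https, SSE header", HTTPS_SSE),
                       ("http, SSE header", HTTP_SSE)):
        print(f"PutObject {label}: denied by {explicit_denies('s3:PutObject', OBJ, ctx) or 'nothing'}")
```

The header-less HTTPS upload is denied by the second statement even though transport was encrypted, and a GetObject over HTTPS is untouched by it because that statement only names s3:PutObject. Note that the condition key is evaluated against the request header, not against the bucket's default-encryption setting, so such a policy keeps rejecting clients that omit the header.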
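Question 48 describes a rate-based lockout: block a source after 5 failed logins within 10 minutes. The script below is an added example (not Courseiva's material) of the detection logic behind such a control, replayed over a constructed authentication log with documentation-range addresses. The log format, the user names and the 30-minute block duration are assumptions for illustration. It keeps a sliding window of failure timestamps per source, so bursts spread over more than ten minutes do not trigger, and it renders each decision as an iptables rule for a host firewall; on a cloud platform the same decision would instead update a security-group or network-security-group rule, which this example does not do.

```python
"""Rate-based lockout: block a source IP after N failed logins inside a sliding window.

Added example, not from the page. SAMPLE_LOG, the line format and the block
duration are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (RFC 5737 documentation addresses); not from the page.
SAMPLE_LOG = """\
2024-05-01T10:00:05Z auth FAILED user=app_ro src=203.0.113.7
2024-05-01T10:01:10Z auth FAILED user=admin src=203.0.113.7
2024-05-01T10:02:00Z auth OK user=app_rw src=198.51.100.22
2024-05-01T10:03:30Z auth FAILED user=root src=203.0.113.7
2024-05-01T10:05:00Z auth FAILED user=admin src=198.51.100.22
2024-05-01T10:06:15Z auth FAILED user=dba src=203.0.113.7
2024-05-01T10:08:40Z auth FAILED user=admin src=203.0.113.7
2024-05-01T10:09:00Z auth FAILED user=admin src=198.51.100.22
2024-05-01T10:20:00Z auth FAILED user=admin src=198.51.100.22
2024-05-01T10:21:00Z auth FAILED user=admin src=198.51.100.22
2024-05-01T10:22:00Z auth FAILED user=admin src=198.51.100.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Return (timestamp, result, source_ip) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["result"], m["ip"]


def evaluate(log_text, threshold=5, window=timedelta(minutes=10),
             block_for=timedelta(minutes=30)):
    """Replay the log in order and return {ip: (blocked_at, blocked_until)} as ISO strings."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    blocks = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, never counted as failures
        ts, result, ip = parsed
        if ip in blocks:
            continue  # already blocked; the firewall drops its packets from here on
        if result != "FAILED":
            continue  # a success does not reset the counter: one lucky guess must not clear it
        q = recent[ip]
        q.append(ts)
        cutoff = ts - window
        while q and q[0] <= cutoff:
            q.popleft()  # slide the window: drop failures older than `window`
        if len(q) >= threshold:
            blocks[ip] = (ts.strftime(TS_FMT), (ts + block_for).strftime(TS_FMT))
            q.clear()
    return blocks


def block_commands(blocks, port=3306):
    """Render decisions as host-firewall rules (iptables syntax) for the database port."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(blocks)]


if __name__ == "__main__":
    decisions = evaluate(SAMPLE_LOG)
    for ip, (at, until) in decisions.items():
        print(f"{ip}: blocked at {at} until {until}")
    print("\n".join(block_commands(decisions)))
```

On the sample log, 203.0.113.7 reaches five failures at 10:08:40 and is blocked, while 198.51.100.22 also fails five times in total but never has more than three inside any ten-minute window, so it is left alone. Temporary blocks need an expiry (blocked_until here) or the lockout itself becomes a denial-of-service lever against legitimate sources.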
The Security domain covers the key concepts tested in this area of the CV0-004 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CV0-004 domains — no account required.
The Courseiva CV0-004 question bank contains 67 questions in the Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Practice sessions on this page draw questions exclusively from the Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or review individual questions one by one.