
Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Security

Practice CV0-004 Security questions with full explanations on every answer.


All CV0-004 Security questions (110)


1

A cloud engineer is configuring a web application on AWS and needs to ensure that only HTTP and HTTPS traffic from the internet is allowed to reach the EC2 instances. Which AWS service should be used to control inbound traffic at the instance level?

2

A company is migrating to a public cloud and wants to understand security responsibilities. According to the shared responsibility model, which of the following is the customer responsible for in an IaaS deployment?

3

A security administrator needs to enforce least privilege for a Kubernetes cluster in a cloud environment. Which approach should be used to restrict permissions for pods that need to access the cloud provider's API?

4

An organization is moving sensitive data to the cloud and must ensure it is encrypted while stored on disk. Which type of encryption should be implemented?

5

A cloud administrator needs to provide external partners with access to a cloud application using their existing corporate credentials. Which federation protocol should be used?

6

A company is using a SaaS application and wants to gain visibility into user activity and enforce data loss prevention policies. Which technology should be deployed?

7

During a security audit, a cloud engineer discovers that a container image used in production has a known critical vulnerability in a base layer. Which practice should be implemented to prevent this in the future?

8

An organization needs to store database credentials and API keys securely in the cloud, with automatic rotation every 90 days. Which service should be used?

9

A cloud architect is designing a network to protect a web application from common attacks such as SQL injection and cross-site scripting. Which cloud service should be used?

10

A company requires multi-factor authentication (MFA) for all users accessing the cloud management console. Which IAM policy element should be used to enforce this?

11

A cloud security team is reviewing audit logs and notices that a service account has been used to launch several high-risk API calls that are not part of its normal behavior. Which security control should be implemented to detect such anomalies in real time?

12

An organization is subject to PCI DSS compliance and must demonstrate that it is meeting security requirements. Which cloud service can aggregate compliance findings and provide a dashboard?

13

A cloud administrator is configuring network security for a multi-tier application. Which TWO statements about security groups and network ACLs are correct?

14

A cloud security team is implementing encryption for data at rest using customer-managed keys in a cloud KMS. Which THREE practices should be followed?

15

A company is adopting a shared responsibility model for a PaaS cloud deployment. Which THREE responsibilities belong to the customer?

16

A cloud customer is deploying a virtual machine (VM) in a public IaaS environment. According to the shared responsibility model, which of the following security tasks is the customer responsible for?

17

A cloud administrator needs to ensure that a set of AWS EC2 instances can only be accessed via SSH from the corporate office IP range 203.0.113.0/24. Which configuration should the administrator implement?

18

A company is migrating a legacy application to a Kubernetes cluster in the cloud. The application requires a database password to be accessible at runtime. Which approach aligns with cloud security best practices for secrets management?

19

A security auditor is reviewing the IAM configuration for a cloud account. The auditor finds that a user has permissions to create and delete resources in all services. Which principle of security is being violated?

20

An organization is subject to PCI DSS compliance and must ensure that all data transmitted between its cloud application and users is encrypted. Which encryption method should be enforced?

21

A company uses AWS and wants to centralize security monitoring across multiple accounts. Which service should they use to aggregate security findings and check compliance against standards like CIS AWS Foundations?

22

A cloud administrator needs to protect a web application from common attacks such as SQL injection and cross-site scripting (XSS). Which cloud service should be implemented?

23

A company's cloud environment uses Azure Active Directory for identity management. They want to allow employees to sign in using their existing on-premises Active Directory credentials without synchronizing passwords to the cloud. Which federation protocol should they use?

24

A security team discovers that a container image used in production contains a known vulnerability in one of its base image layers. Which action should be taken to remediate this issue?

25

A cloud architect is designing a multi-tier application. The application tier needs to access a database, but the database should not be reachable from the internet. Which network security control should be used?

26

A cloud customer needs to ensure that data stored in an S3 bucket is encrypted at rest. The customer wants to manage the encryption keys themselves. Which encryption option should they choose?

27

A company uses Google Cloud Platform (GCP) and wants to enforce that all service accounts used by applications have only the permissions necessary to perform their tasks. Which IAM concept should the administrator apply?

28

A security engineer is implementing DDoS protection for a public-facing web application hosted in AWS. Which TWO services should be used together to provide comprehensive DDoS mitigation? (Choose two.)

29

A cloud administrator is configuring an Azure environment for a healthcare application that must comply with HIPAA. Which TWO configurations are required to meet HIPAA security and privacy rules? (Choose two.)

30

A company is deploying a cloud-native application that uses containers orchestrated by Kubernetes. The security team wants to enforce the principle of least privilege at the Kubernetes level. Which THREE measures should be implemented? (Choose three.)

31

According to the shared responsibility model, which of the following is the cloud provider responsible for?

32

A company has a requirement to enforce least privilege for its cloud resources. The cloud engineer is configuring IAM policies. Which of the following best describes least privilege?

33

An organization uses AWS and wants to control inbound traffic to its EC2 instances. They need a solution that automatically allows response traffic for any permitted inbound request. Which of the following should they use?

34

A cloud administrator is configuring encryption for data at rest in a cloud storage service. The administrator wants to use a key that is generated and managed by the cloud provider but stored in the customer's account. Which key management option is being described?

35

Which of the following compliance frameworks is specifically designed for handling healthcare information in the United States?

36

A DevOps team is deploying containerized applications on Kubernetes. They want to ensure containers do not run with root privileges and that host filesystem access is restricted. Which Kubernetes feature should they use?

37

An organization uses multiple SaaS applications and wants to enforce data loss prevention policies and gain visibility into user activity. Which technology should they implement?

38

A cloud security team is implementing a secrets management solution for applications running on AWS. They need to automatically rotate database credentials every 30 days and avoid hardcoding secrets. Which service should they use?

39

Which of the following is a benefit of using a Web Application Firewall (WAF)?

40

A cloud administrator needs to audit all API calls made in a GCP project for compliance purposes. Which service should be enabled to log these actions?

41

A company uses Azure AD for identity federation with an on-premises Active Directory. They want to enable single sign-on (SSO) for cloud applications using an open standard. Which protocol should they use?

42

A cloud security analyst is reviewing a compliance report and sees that the organization needs to ensure encryption keys are rotated periodically. Which of the following would best satisfy this requirement?

43

A cloud architect is designing a container security strategy. Which TWO of the following should be implemented to secure containers? (Choose two.)

44

A company is migrating to AWS and needs to meet PCI DSS compliance. Which THREE of the following should be implemented? (Choose three.)

45

A cloud engineer is tasked with securing network traffic in a VPC. Which TWO of the following are stateful security mechanisms? (Choose two.)

46

A cloud architect is designing a multi-tenant SaaS application on AWS. Which of the following security responsibilities is the CUSTOMER responsible for under the shared responsibility model?

47

A security engineer is reviewing IAM policies and notices a policy that allows all actions on all resources for a user. Which principle of security is being violated?

48

A company has deployed a containerized application on a Kubernetes cluster. The security team wants to ensure that containers cannot run as the root user and that the container's root filesystem is read-only. Which Kubernetes security mechanism should be used?

49

An organization uses Azure and wants to ensure that only authenticated users from its on-premises Active Directory can access cloud resources. The company has Azure AD Connect set up and wants to enable single sign-on (SSO) for cloud applications. Which federation standard should be used?

50

A cloud administrator notices that a security group rule allowing SSH (port 22) from any IP address (0.0.0.0/0) was created for a Linux server. The server is used for administrative purposes only. Which security best practice should be applied to reduce the attack surface?

51

A cloud engineer is configuring encryption for data stored in an S3 bucket. The company requires that encryption keys be managed by the organization, not the cloud provider. Which encryption option should be used?

52

A company uses a SaaS application for customer relationship management (CRM). The security team wants to monitor user activities and enforce data loss prevention (DLP) policies. Which type of security tool should be deployed?

53

A security administrator is configuring a Web Application Firewall (WAF) to protect a public-facing web application. The application experiences a high volume of traffic from certain geographic regions that are not serving customers. Which WAF feature should be used to block this traffic?

54

A company is migrating a financial application to the cloud and must comply with PCI DSS. Which of the following cloud compliance programs is most relevant to demonstrate compliance?

55

A cloud engineer is deploying a new application and needs to securely store database credentials. The credentials must be automatically rotated every 90 days. Which service should be used?

56

An organization wants to audit all API calls made in their AWS account. Which AWS service should be enabled to capture these logs?

57

A security analyst is reviewing logs and finds that an unauthorized user accessed a storage blob in Azure. The analyst needs to determine which permissions allowed the access. Which Azure feature provides a detailed view of effective permissions for a user?

58

A company uses Google Cloud Platform and wants to enforce that all Compute Engine instances use a specific Customer-Managed Encryption Key (CMEK) for disk encryption. Which GCP service should be used to enforce this policy?

59

A cloud architect is designing network security for a VPC. The architect needs to implement both stateful and stateless firewalls. Which TWO of the following correctly describe these firewall types?

60

A company is implementing a secrets management solution. The security team wants to ensure that secrets are protected and rotated regularly. Which THREE of the following are best practices for secrets management?

61

Which of the following is the cloud provider's responsibility under the shared responsibility model?

62

A security administrator is configuring a web application firewall (WAF) to protect against SQL injection attacks. Which WAF feature should be enabled?

63

A company uses AWS and needs to enforce that all S3 buckets are encrypted at rest with customer-managed keys stored in AWS KMS. Which IAM policy condition would ensure this?

64

An organization wants to ensure that only authenticated users from their corporate Active Directory can access cloud resources. Which federation protocol is most commonly used for this purpose?

65

A cloud architect is designing a security group for a web server in AWS. The server must receive HTTPS traffic from the internet. What is the most secure inbound rule?

66

Which of the following is a stateless network access control that requires explicit allow rules for both inbound and outbound traffic?

67

A DevOps team deploys a containerized application to a Kubernetes cluster. They need to ensure that containers cannot run with privileged access. Which Kubernetes security mechanism should be applied?

68

A company needs to meet PCI DSS compliance requirements for storing credit card data in the cloud. Which compliance certification should they verify their cloud provider has?

69

Which of the following is a best practice for managing secrets in cloud applications?

70

A cloud administrator notices that an AWS IAM user has more permissions than necessary. Which principle should be applied to correct this?

71

A company uses Azure and wants to centrally audit all management operations across subscriptions. Which service should be used to collect and analyze these logs?

72

A security team needs to enforce multi-factor authentication (MFA) for all users accessing the cloud management console. Which IAM feature should be configured?

73

A cloud security engineer is hardening a Kubernetes cluster. Which TWO measures should be implemented to improve container security? (Choose two.)

74

A company is migrating to GCP and needs to ensure data encryption in transit for all external communications. Which THREE measures should be implemented? (Choose three.)

75

A cloud administrator is configuring a CASB (Cloud Access Security Broker) for SaaS applications. Which TWO capabilities should the administrator expect from the CASB? (Choose two.)

76

In the shared responsibility model, which of the following is the cloud customer responsible for?

77

A security engineer is configuring an AWS IAM policy for a new application. The policy must allow the application to read objects from a specific S3 bucket. Which IAM policy element determines whether the action is allowed or denied?

78

A cloud administrator is designing network security for a three-tier application. The web tier must be accessible from the internet, but the application and database tiers should only be reachable from the web tier. Which security group configuration should be used?

79

A company running a critical web application on AWS wants to protect against SQL injection and cross-site scripting attacks. The application is behind an Application Load Balancer. Which service should be deployed to provide this protection?

80

Which encryption standard is most commonly used for data at rest in cloud storage services?

81

A cloud architect needs to ensure that all data transmitted between an on-premises data center and a cloud VPC is encrypted. Which solution should be implemented?

82

An organization's compliance policy requires that all access to cloud resources be logged and that logs be immutable. Which service should be used to meet these requirements?

83

A company uses Azure and wants to enforce multi-factor authentication (MFA) for all administrative users. The solution must be centrally managed and apply to all Azure subscriptions. Which approach should be used?

84

Which of the following is a key benefit of using a Cloud Access Security Broker (CASB)?

85

A cloud engineer is deploying a containerized application on Kubernetes. The security team requires that containers run with reduced privileges and that certain capabilities are dropped. Which Kubernetes feature should be used to enforce these requirements?

86

An organization uses multiple cloud providers and wants to centralize secrets management. Which solution would best meet this requirement?

87

During a security audit, it is discovered that a cloud storage bucket contains sensitive data that should have been encrypted at rest. The bucket was created with default settings. Which step must be taken to encrypt the data that is already stored?

88

A cloud security team is implementing the principle of least privilege for IAM roles. Which TWO actions are consistent with this principle?

89

A company is deploying a web application on GCP and needs to protect against OWASP Top 10 threats and DDoS attacks. Which THREE services should be combined to provide comprehensive protection?

90

A cloud administrator is configuring network ACLs (NACLs) for a VPC subnet. The subnet hosts a web server that must accept HTTP (port 80) and HTTPS (port 443) from the internet, and the server needs to respond to clients. Which TWO rules are required?

91

A company is migrating its on-premises applications to a public cloud. The security team wants to ensure that the cloud provider is responsible for physical security of data centers, while the company remains responsible for securing guest operating systems. Which concept does this describe?

92

A cloud administrator needs to grant a developer read-only access to a specific storage bucket in AWS. Which IAM component should the administrator modify?

93

A company uses Azure RBAC to manage access to resources. A user is assigned a Contributor role at the subscription scope. Which of the following is true regarding the scope of this role?

94

A security engineer is configuring a network security group (NSG) in Azure to allow inbound HTTPS traffic to a web server. The engineer creates an inbound rule allowing TCP port 443 from the Internet. What must be done to ensure the web server can respond to clients?

95

A cloud architect is designing a DDoS protection strategy for a web application hosted on AWS. The application uses an Application Load Balancer (ALB). Which service provides automatic, always-on DDoS protection at no additional cost?

96

A company stores sensitive customer data in an S3 bucket and must encrypt the data at rest using a key managed by the company (not AWS). Which encryption option should the company use?

97

Which of the following is a benefit of using a Cloud Access Security Broker (CASB) for SaaS applications?

98

A company's compliance team must provide evidence that their cloud environment meets PCI DSS requirements. Which AWS service can aggregate security findings and automate compliance checks?

99

A DevOps team deploys a containerized application on Amazon EKS. The security team wants to ensure that containers do not run as root and that read-only root filesystems are enforced. Which Kubernetes mechanism should be used?

100

A security administrator needs to store database credentials and API keys securely in AWS. The credentials must be automatically rotated every 90 days. Which service should the administrator use?

101

A cloud administrator is implementing network security for a VPC. The administrator needs to create a stateless firewall that filters traffic based on source and destination IP, port, and protocol. Which TWO of the following are characteristics of this type of firewall? (Select TWO.)

102

A company is implementing multi-factor authentication (MFA) for cloud console access. Which TWO of the following are valid MFA methods? (Select TWO.)

103

A security engineer is designing a data classification policy for a cloud environment. The policy must identify sensitive data, apply appropriate controls, and monitor access. Which THREE of the following should be included in the policy? (Select THREE.)

104

A cloud architect is designing a secrets management solution for a microservices application. The solution must avoid hardcoding secrets in code and support automatic rotation. Which THREE of the following are best practices? (Select THREE.)

105

A company is deploying a web application in a cloud environment and needs to protect against SQL injection and cross-site scripting (XSS) attacks. Additionally, the company wants to block traffic from specific geographic regions. Which TWO services should be used? (Select TWO.)

106

A cloud engineer is configuring a web application that must comply with PCI DSS. The application runs on virtual machines in a public cloud. Which of the following security responsibilities falls under the customer's scope according to the shared responsibility model?

107

A security administrator is deploying a web application firewall (WAF) to protect a public-facing web application. The application experiences a high volume of traffic from a specific geographic region that is not part of the target customer base. Which WAF feature would best reduce the attack surface without impacting legitimate users?

108

A cloud architect is designing identity and access management (IAM) for a multi-cloud environment. The architect wants to enforce least privilege and support federation with an on-premises Active Directory. Which TWO of the following should be implemented? (Select TWO).

109

A security team is implementing encryption for a cloud-based database. The compliance requirements mandate that encryption keys be managed by the customer and rotated every 90 days. Which THREE of the following should the team use? (Select THREE).

110

A cloud security analyst is investigating a potential container security incident. The analyst notices that a container is sending outbound traffic to a known malicious IP address. The container was deployed from an image that passed a vulnerability scan. Which TWO of the following should the analyst implement to detect and prevent such behavior in the future? (Select TWO).


Frequently asked questions

What does the Security domain cover on the CV0-004 exam?

The Security domain covers the key concepts tested in this area of the CV0-004 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CV0-004 domains — no account required.

How many Security questions are in the CV0-004 question bank?

The Courseiva CV0-004 question bank contains 110 questions in the Security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security for CV0-004?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security questions for CV0-004?

Yes — the session launcher on this page draws questions exclusively from the Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
