Practice CV0-004 Security questions with full explanations on every answer.
1. A cloud engineer is configuring a web application on AWS and needs to ensure that only HTTP and HTTPS traffic from the internet is allowed to reach the EC2 instances. Which AWS service should be used to control inbound traffic at the instance level?
2. A company is migrating to a public cloud and wants to understand security responsibilities. According to the shared responsibility model, which of the following is the customer responsible for in an IaaS deployment?
3. A security administrator needs to enforce least privilege for a Kubernetes cluster in a cloud environment. Which approach should be used to restrict permissions for pods that need to access the cloud provider's API?
4. An organization is moving sensitive data to the cloud and must ensure it is encrypted while stored on disk. Which type of encryption should be implemented?
5. A cloud administrator needs to provide external partners with access to a cloud application using their existing corporate credentials. Which federation protocol should be used?
6. A company is using a SaaS application and wants to gain visibility into user activity and enforce data loss prevention policies. Which technology should be deployed?
7. During a security audit, a cloud engineer discovers that a container image used in production has a known critical vulnerability in a base layer. Which practice should be implemented to prevent this in the future?
8. An organization needs to store database credentials and API keys securely in the cloud, with automatic rotation every 90 days. Which service should be used?
9. A cloud architect is designing a network to protect a web application from common attacks such as SQL injection and cross-site scripting. Which cloud service should be used?
10. A company requires multi-factor authentication (MFA) for all users accessing the cloud management console. Which IAM policy element should be used to enforce this?
11. A cloud security team is reviewing audit logs and notices that a service account has been used to launch several high-risk API calls that are not part of its normal behavior. Which security control should be implemented to detect such anomalies in real time?
12. An organization is subject to PCI DSS compliance and must demonstrate that it is meeting security requirements. Which cloud service can aggregate compliance findings and provide a dashboard?
13. A cloud administrator is configuring network security for a multi-tier application. Which TWO statements about security groups and network ACLs are correct?
14. A cloud security team is implementing encryption for data at rest using customer-managed keys in a cloud KMS. Which THREE practices should be followed?
15. A company is adopting a shared responsibility model for a PaaS cloud deployment. Which THREE responsibilities belong to the customer?
16. A cloud customer is deploying a virtual machine (VM) in a public IaaS environment. According to the shared responsibility model, which of the following security tasks is the customer responsible for?
17. A cloud administrator needs to ensure that a set of AWS EC2 instances can only be accessed via SSH from the corporate office IP range 203.0.113.0/24. Which configuration should the administrator implement?
18. A company is migrating a legacy application to a Kubernetes cluster in the cloud. The application requires a database password to be accessible at runtime. Which approach aligns with cloud security best practices for secrets management?
19. A security auditor is reviewing the IAM configuration for a cloud account. The auditor finds that a user has permissions to create and delete resources in all services. Which principle of security is being violated?
20. An organization is subject to PCI DSS compliance and must ensure that all data transmitted between its cloud application and users is encrypted. Which encryption method should be enforced?
21. A company uses AWS and wants to centralize security monitoring across multiple accounts. Which service should they use to aggregate security findings and check compliance against standards like CIS AWS Foundations?
22. A cloud administrator needs to protect a web application from common attacks such as SQL injection and cross-site scripting (XSS). Which cloud service should be implemented?
23. A company's cloud environment uses Azure Active Directory for identity management. They want to allow employees to sign in using their existing on-premises Active Directory credentials without synchronizing passwords to the cloud. Which federation protocol should they use?
24. A security team discovers that a container image used in production contains a known vulnerability in one of its base image layers. Which action should be taken to remediate this issue?
25. A cloud architect is designing a multi-tier application. The application tier needs to access a database, but the database should not be reachable from the internet. Which network security control should be used?
26. A cloud customer needs to ensure that data stored in an S3 bucket is encrypted at rest. The customer wants to manage the encryption keys themselves. Which encryption option should they choose?
27. A company uses Google Cloud Platform (GCP) and wants to enforce that all service accounts used by applications have only the permissions necessary to perform their tasks. Which IAM concept should the administrator apply?
28. A security engineer is implementing DDoS protection for a public-facing web application hosted in AWS. Which TWO services should be used together to provide comprehensive DDoS mitigation? (Choose two.)
29. A cloud administrator is configuring an Azure environment for a healthcare application that must comply with HIPAA. Which TWO configurations are required to meet HIPAA security and privacy rules? (Choose two.)
30. A company is deploying a cloud-native application that uses containers orchestrated by Kubernetes. The security team wants to enforce the principle of least privilege at the Kubernetes level. Which THREE measures should be implemented? (Choose three.)
31. According to the shared responsibility model, which of the following is the cloud provider responsible for?
32. A company has a requirement to enforce least privilege for its cloud resources. The cloud engineer is configuring IAM policies. Which of the following best describes least privilege?
33. An organization uses AWS and wants to control inbound traffic to its EC2 instances. They need a solution that automatically allows response traffic for any permitted inbound request. Which of the following should they use?
34. A cloud administrator is configuring encryption for data at rest in a cloud storage service. The administrator wants to use a key that is generated and managed by the cloud provider but stored in the customer's account. Which key management option is being described?
35. Which of the following compliance frameworks is specifically designed for handling healthcare information in the United States?
36. A DevOps team is deploying containerized applications on Kubernetes. They want to ensure containers do not run with root privileges and that host filesystem access is restricted. Which Kubernetes feature should they use?
37. An organization uses multiple SaaS applications and wants to enforce data loss prevention policies and gain visibility into user activity. Which technology should they implement?
38. A cloud security team is implementing a secrets management solution for applications running on AWS. They need to automatically rotate database credentials every 30 days and avoid hardcoding secrets. Which service should they use?
39. Which of the following is a benefit of using a Web Application Firewall (WAF)?
40. A cloud administrator needs to audit all API calls made in a GCP project for compliance purposes. Which service should be enabled to log these actions?
41. A company uses Azure AD for identity federation with an on-premises Active Directory. They want to enable single sign-on (SSO) for cloud applications using an open standard. Which protocol should they use?
42. A cloud security analyst is reviewing a compliance report and sees that the organization needs to ensure encryption keys are rotated periodically. Which of the following would best satisfy this requirement?
43. A cloud architect is designing a container security strategy. Which TWO of the following should be implemented to secure containers? (Choose two.)
44. A company is migrating to AWS and needs to meet PCI DSS compliance. Which THREE of the following should be implemented? (Choose three.)
45. A cloud engineer is tasked with securing network traffic in a VPC. Which TWO of the following are stateful security mechanisms? (Choose two.)
46. A cloud architect is designing a multi-tenant SaaS application on AWS. Which of the following security responsibilities is the CUSTOMER responsible for under the shared responsibility model?
47. A security engineer is reviewing IAM policies and notices a policy that allows all actions on all resources for a user. Which principle of security is being violated?
48. A company has deployed a containerized application on a Kubernetes cluster. The security team wants to ensure that containers cannot run as the root user and that the container's root filesystem is read-only. Which Kubernetes security mechanism should be used?
49. An organization uses Azure and wants to ensure that only authenticated users from its on-premises Active Directory can access cloud resources. The company has Azure AD Connect set up and wants to enable single sign-on (SSO) for cloud applications. Which federation standard should be used?
50. A cloud administrator notices that a security group rule allowing SSH (port 22) from any IP address (0.0.0.0/0) was created for a Linux server. The server is used for administrative purposes only. Which security best practice should be applied to reduce the attack surface?
51. A cloud engineer is configuring encryption for data stored in an S3 bucket. The company requires that encryption keys be managed by the organization, not the cloud provider. Which encryption option should be used?
52. A company uses a SaaS application for customer relationship management (CRM). The security team wants to monitor user activities and enforce data loss prevention (DLP) policies. Which type of security tool should be deployed?
53. A security administrator is configuring a Web Application Firewall (WAF) to protect a public-facing web application. The application experiences a high volume of traffic from certain geographic regions that are not serving customers. Which WAF feature should be used to block this traffic?
54. A company is migrating a financial application to the cloud and must comply with PCI DSS. Which of the following cloud compliance programs is most relevant to demonstrate compliance?
55. A cloud engineer is deploying a new application and needs to securely store database credentials. The credentials must be automatically rotated every 90 days. Which service should be used?
56. An organization wants to audit all API calls made in their AWS account. Which AWS service should be enabled to capture these logs?
57. A security analyst is reviewing logs and finds that an unauthorized user accessed a storage blob in Azure. The analyst needs to determine which permissions allowed the access. Which Azure feature provides a detailed view of effective permissions for a user?
58. A company uses Google Cloud Platform and wants to enforce that all Compute Engine instances use a specific Customer-Managed Encryption Key (CMEK) for disk encryption. Which GCP service should be used to enforce this policy?
59. A cloud architect is designing network security for a VPC. The architect needs to implement both stateful and stateless firewalls. Which TWO of the following correctly describe these firewall types?
60. A company is implementing a secrets management solution. The security team wants to ensure that secrets are protected and rotated regularly. Which THREE of the following are best practices for secrets management?
61. Which of the following is the cloud provider's responsibility under the shared responsibility model?
62. A security administrator is configuring a web application firewall (WAF) to protect against SQL injection attacks. Which WAF feature should be enabled?
63. A company uses AWS and needs to enforce that all S3 buckets are encrypted at rest with customer-managed keys stored in AWS KMS. Which IAM policy condition would ensure this?
64. An organization wants to ensure that only authenticated users from their corporate Active Directory can access cloud resources. Which federation protocol is most commonly used for this purpose?
65. A cloud architect is designing a security group for a web server in AWS. The server must receive HTTPS traffic from the internet. What is the most secure inbound rule?
66. Which of the following is a stateless network access control that requires explicit allow rules for both inbound and outbound traffic?
67. A DevOps team deploys a containerized application to a Kubernetes cluster. They need to ensure that containers cannot run with privileged access. Which Kubernetes security mechanism should be applied?
68. A company needs to meet PCI DSS compliance requirements for storing credit card data in the cloud. Which compliance certification should they verify their cloud provider has?
69. Which of the following is a best practice for managing secrets in cloud applications?
70. A cloud administrator notices that an AWS IAM user has more permissions than necessary. Which principle should be applied to correct this?
71. A company uses Azure and wants to centrally audit all management operations across subscriptions. Which service should be used to collect and analyze these logs?
72. A security team needs to enforce multi-factor authentication (MFA) for all users accessing the cloud management console. Which IAM feature should be configured?
73. A cloud security engineer is hardening a Kubernetes cluster. Which TWO measures should be implemented to improve container security? (Choose two.)
74. A company is migrating to GCP and needs to ensure data encryption in transit for all external communications. Which THREE measures should be implemented? (Choose three.)
75. A cloud administrator is configuring a CASB (Cloud Access Security Broker) for SaaS applications. Which TWO capabilities should the administrator expect from the CASB? (Choose two.)
76. In the shared responsibility model, which of the following is the cloud customer responsible for?
77. A security engineer is configuring an AWS IAM policy for a new application. The policy must allow the application to read objects from a specific S3 bucket. Which IAM policy element determines whether the action is allowed or denied?
78. A cloud administrator is designing network security for a three-tier application. The web tier must be accessible from the internet, but the application and database tiers should only be reachable from the web tier. Which security group configuration should be used?
79. A company running a critical web application on AWS wants to protect against SQL injection and cross-site scripting attacks. The application is behind an Application Load Balancer. Which service should be deployed to provide this protection?
80. Which encryption standard is most commonly used for data at rest in cloud storage services?
81. A cloud architect needs to ensure that all data transmitted between an on-premises data center and a cloud VPC is encrypted. Which solution should be implemented?
82. An organization's compliance policy requires that all access to cloud resources be logged and that logs be immutable. Which service should be used to meet these requirements?
83. A company uses Azure and wants to enforce multi-factor authentication (MFA) for all administrative users. The solution must be centrally managed and apply to all Azure subscriptions. Which approach should be used?
84. Which of the following is a key benefit of using a Cloud Access Security Broker (CASB)?
85. A cloud engineer is deploying a containerized application on Kubernetes. The security team requires that containers run with reduced privileges and that certain capabilities are dropped. Which Kubernetes feature should be used to enforce these requirements?
86. An organization uses multiple cloud providers and wants to centralize secrets management. Which solution would best meet this requirement?
87. During a security audit, it is discovered that a cloud storage bucket contains sensitive data that should have been encrypted at rest. The bucket was created with default settings. Which step must be taken to encrypt the data that is already stored?
88. A cloud security team is implementing the principle of least privilege for IAM roles. Which TWO actions are consistent with this principle?
89. A company is deploying a web application on GCP and needs to protect against OWASP Top 10 threats and DDoS attacks. Which THREE services should be combined to provide comprehensive protection?
90. A cloud administrator is configuring network ACLs (NACLs) for a VPC subnet. The subnet hosts a web server that must accept HTTP (port 80) and HTTPS (port 443) from the internet, and the server needs to respond to clients. Which TWO rules are required?
91. A company is migrating its on-premises applications to a public cloud. The security team wants to ensure that the cloud provider is responsible for physical security of data centers, while the company remains responsible for securing guest operating systems. Which concept does this describe?
92. A cloud administrator needs to grant a developer read-only access to a specific storage bucket in AWS. Which IAM component should the administrator modify?
93. A company uses Azure RBAC to manage access to resources. A user is assigned a Contributor role at the subscription scope. Which of the following is true regarding the scope of this role?
94. A security engineer is configuring a network security group (NSG) in Azure to allow inbound HTTPS traffic to a web server. The engineer creates an inbound rule allowing TCP port 443 from the Internet. What must be done to ensure the web server can respond to clients?
95. A cloud architect is designing a DDoS protection strategy for a web application hosted on AWS. The application uses an Application Load Balancer (ALB). Which service provides automatic, always-on DDoS protection at no additional cost?
96. A company stores sensitive customer data in an S3 bucket and must encrypt the data at rest using a key managed by the company (not AWS). Which encryption option should the company use?
97. Which of the following is a benefit of using a Cloud Access Security Broker (CASB) for SaaS applications?
98. A company's compliance team must provide evidence that their cloud environment meets PCI DSS requirements. Which AWS service can aggregate security findings and automate compliance checks?
99. A DevOps team deploys a containerized application on Amazon EKS. The security team wants to ensure that containers do not run as root and that read-only root filesystems are enforced. Which Kubernetes mechanism should be used?
100. A security administrator needs to store database credentials and API keys securely in AWS. The credentials must be automatically rotated every 90 days. Which service should the administrator use?
101. A cloud administrator is implementing network security for a VPC. The administrator needs to create a stateless firewall that filters traffic based on source and destination IP, port, and protocol. Which TWO of the following are characteristics of this type of firewall? (Select TWO.)
102. A company is implementing multi-factor authentication (MFA) for cloud console access. Which TWO of the following are valid MFA methods? (Select TWO.)
103. A security engineer is designing a data classification policy for a cloud environment. The policy must identify sensitive data, apply appropriate controls, and monitor access. Which THREE of the following should be included in the policy? (Select THREE.)
104. A cloud architect is designing a secrets management solution for a microservices application. The solution must avoid hardcoding secrets in code and support automatic rotation. Which THREE of the following are best practices? (Select THREE.)
105. A company is deploying a web application in a cloud environment and needs to protect against SQL injection and cross-site scripting (XSS) attacks. Additionally, the company wants to block traffic from specific geographic regions. Which TWO services should be used? (Select TWO.)
106. A cloud engineer is configuring a web application that must comply with PCI DSS. The application runs on virtual machines in a public cloud. Which of the following security responsibilities falls under the customer's scope according to the shared responsibility model?
107. A security administrator is deploying a web application firewall (WAF) to protect a public-facing web application. The application experiences a high volume of traffic from a specific geographic region that is not part of the target customer base. Which WAF feature would best reduce the attack surface without impacting legitimate users?
108. A cloud architect is designing identity and access management (IAM) for a multi-cloud environment. The architect wants to enforce least privilege and support federation with an on-premises Active Directory. Which TWO of the following should be implemented? (Select TWO.)
109. A security team is implementing encryption for a cloud-based database. The compliance requirements mandate that encryption keys be managed by the customer and rotated every 90 days. Which THREE of the following should the team use? (Select THREE.)
110. A cloud security analyst is investigating a potential container security incident. The analyst notices that a container is sending outbound traffic to a known malicious IP address. The container was deployed from an image that passed a vulnerability scan. Which TWO of the following should the analyst implement to detect and prevent such behavior in the future? (Select TWO.)
The Security domain covers the key concepts tested in this area of the CV0-004 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CV0-004 domains — no account required.
The Courseiva CV0-004 question bank contains 110 questions in the Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.