Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CV0-004 Security • Complete Question Bank

CV0-004 Security — All Questions With Answers

Complete CV0-004 Security question bank — all 0 questions with answers and detailed explanations.

67 Questions • Free • No signup
Question 1 • medium • multiple choice

A cloud administrator is troubleshooting an issue where a user in the finance department cannot access a critical application hosted on a private cloud. The user can access other applications in the same subnet. The security team recently implemented a new network security policy. Which of the following is MOST likely causing the issue?

Question 2 • easy • multiple choice

An organization wants to ensure that only authorized personnel can access the cloud management console. Which of the following is the BEST method to achieve this?

Question 3 • hard • multiple choice

A company is migrating a legacy application to a public cloud. The application requires a static IP address for licensing. The security team insists on encrypting all traffic between the application and the database. Which of the following should the cloud architect implement?

Question 4 • easy • multiple choice

A cloud administrator is tasked with ensuring that only encrypted connections are used to transfer files to a cloud storage bucket. Which of the following should the administrator enforce?

Question 5 • medium • multi select

A company is implementing a cloud-based SIEM solution. Which TWO of the following are essential data sources that should be integrated to ensure comprehensive security monitoring?

Question 6 • hard • multi select

A cloud administrator is designing a secure multi-tenant environment. Which THREE of the following are best practices for isolating tenant workloads?

Question 7 • hard • multiple choice

A company experiences a data breach where an attacker exfiltrated data from a cloud storage bucket. The security team discovers that the bucket had a policy allowing public access. The cloud administrator had previously set the bucket to be private. Which of the following is the MOST likely reason the bucket became public?

Question 8 • medium • multiple choice

A cloud administrator is configuring a web application hosted on a public cloud VM. The application must be accessible over HTTPS, and the administrator needs to ensure that all traffic between the client and the server is encrypted. The cloud provider offers a managed certificate service. Which of the following is the BEST practice for securing the application?

Question 9 • hard • multiple choice

A cloud administrator is troubleshooting connectivity to a web server running on a Linux VM. The web server is configured to listen on ports 80 (HTTP) and 443 (HTTPS). The administrator runs the iptables command shown in the exhibit. Based on the output, what is the MOST likely reason that external users cannot access the web server on port 443?

Exhibit

Refer to the exhibit.

```
# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
 100  12000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  50   6000 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
  20   2400 ACCEPT     tcp  --  eth0   *       10.0.0.0/8           0.0.0.0/0            tcp dpt:443
  10   1200 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
```

Question 10 • easy • multiple choice

A cloud engineer is responsible for securing a multi-tier application deployed on IaaS. The application consists of web servers, application servers, and database servers. The engineer needs to implement network segmentation to minimize the attack surface. Which of the following is the BEST approach?

Question 11 • easy • multiple choice

A company is migrating its on-premises workload to a public cloud. The security team wants to ensure that all data transmitted between the on-premises network and the cloud VPC is encrypted in transit and that the connection uses dedicated bandwidth. Which of the following should the security team implement?

Question 12 • medium • multi select

A cloud administrator notices that an IAM user has permissions that are not explicitly assigned. The administrator suspects that the user is inheriting permissions through group membership or role assignment. Which TWO methods can the administrator use to identify all effective permissions for this user? (Choose TWO.)

Question 13 • hard • multiple choice

Refer to the exhibit. A cloud security engineer is reviewing an S3 bucket policy that controls access to the 'example-bucket' bucket. The 'AdminRole' IAM role attempts to upload an object to the bucket using the AWS CLI without specifying the '--server-side-encryption' parameter. The object transfer uses HTTPS. What will be the outcome?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AdminRole"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Question 14 • medium • drag order

Sequence the steps to troubleshoot a cloud-based application that is not accessible from the internet.

Question 15 • medium • drag order

Sequence the steps to configure a cloud monitoring alert for high memory usage on a virtual machine.

Question 16 • medium • matching

Match each storage type to its characteristic.

Matches

Data stored as objects with metadata

Data divided into blocks; used in SAN

Data stored in a hierarchical file system

Temporary storage tied to instance lifecycle

Question 17 • medium • matching

Match each troubleshooting command to its function.

Matches

Test network connectivity

Trace path to destination

Query DNS records

Display network connections and ports

Transfer data using various protocols

Question 18 • medium • multiple choice

A cloud administrator is configuring a new virtual private cloud (VPC) and needs to ensure that traffic between web servers and database servers is restricted to only the necessary ports. Which security approach should the administrator implement?

Question 19 • hard • multiple choice

A company has deployed a multi-tier application on a public cloud platform. The security team discovers that a Compute Instance is communicating with an external IP address known for malicious activity. The instance is part of an auto scaling group. What is the BEST immediate action to contain the threat while minimizing downtime?

Question 20 • easy • multiple choice

A cloud architect is designing a solution to ensure that data at rest in an object storage bucket is encrypted. The company requires that the encryption keys are managed by an on-premises hardware security module (HSM) to maintain control. Which encryption approach should the architect choose?

Question 21 • medium • multiple choice

A company's cloud environment uses a shared responsibility model. The security team notices that a data breach occurred due to misconfigured storage buckets in the public cloud. Which party is primarily responsible for this misconfiguration according to the shared responsibility model?

Question 22 • hard • multiple choice

An organization uses a private cloud and wants to implement multifactor authentication (MFA) for administrative access to the hypervisor. However, due to legacy system constraints, the hypervisor does not support MFA directly. What is the BEST alternative to achieve MFA for administrative logins?

Question 23 • easy • multiple choice

A cloud administrator is tasked with ensuring that all API requests to the cloud management plane are encrypted. Which protocol should be enforced to meet this requirement?

Question 24 • medium • multiple choice

A company's compliance policy requires that all virtual machine (VM) instances must have security patches applied within 30 days of release. The cloud environment automatically deploys VMs from a golden image. Which strategy would BEST ensure compliance without manual intervention?

Question 25 • hard • multiple choice

During a security audit, it is discovered that a cloud application can be accessed using a shared service account that has elevated privileges. The audit recommends implementing a just-in-time (JIT) access model. What is the primary benefit of JIT access in this scenario?

Question 26 • easy • multiple choice

A company wants to protect data in transit between its on-premises data center and a public cloud environment. Which technology should be used to create a secure encrypted tunnel over the internet?

Question 27 • medium • multi select

Which TWO actions should a cloud administrator take to protect against data exfiltration from a cloud storage bucket? (Choose two.)

Question 28 • hard • multi select

Which THREE elements are required for a complete key lifecycle management strategy in a cloud environment? (Choose three.)

Question 29 • easy • multi select

Which TWO steps should be performed to ensure that a new cloud user has only the minimum required permissions to perform their job? (Choose two.)

Question 30 • medium • multiple choice

Refer to the exhibit. What is the effect of this bucket policy?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```

Question 31 • hard • multiple choice

Refer to the exhibit. A cloud administrator runs the command shown in the exhibit on a Linux virtual machine. What is the effect of the current firewall rules?

Exhibit

Refer to the exhibit.
```
$ sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3389
```

Question 32 • easy • multiple choice

Refer to the exhibit. This log message is from a cloud security scanner. Which principle did the scanner likely detect?

Exhibit

Refer to the exhibit.
```
[critical] [security] [user_data] [user_data_1e3b] User credentials stored in user data where they are accessible to all users with read access.
```

Question 33 • medium • multiple choice

A cloud administrator notices that an IAM role in a public cloud environment has permissions to perform all actions on all resources. The principle of least privilege should be applied. What is the best first step to reduce the security risk?

Question 34 • easy • multiple choice

A company uses a cloud provider's key management service to encrypt data at rest. The security team wants to ensure that encryption keys are automatically rotated every 90 days to meet compliance requirements. Which feature should be enabled?

Question 35 • hard • multiple choice

During a security audit, an organization discovers their cloud-based database is accessible from any public IP address due to a firewall rule allowing 0.0.0.0/0 on port 3306 (MySQL). The database must remain accessible to remote developers working from home. What is the most effective remediation?

Question 36 • medium • multiple choice

A cloud security analyst finds the JSON policy shown in the exhibit attached to an S3 bucket containing confidential customer data. What change must be made to comply with the principle of least privilege?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::confidential/*",
      "Principal": "*"
    }
  ]
}
```

Question 37 • easy • multiple choice

The condition shown in the exhibit is included in an IAM policy. What does this condition restrict?

Exhibit

Refer to the exhibit.
```
"Condition": {
    "IpAddress": {
        "aws:SourceIp": "192.168.1.0/24"
    }
}
```

Question 38 • hard • multiple choice

A user attempted to copy an encrypted snapshot to a different region and received the error shown in the exhibit. What is the most likely cause?

Exhibit

Refer to the exhibit.
```
Snapshot ID: snap-123
Status: failed
Error: "The snapshot uses a KMS key that is not available in this region."
```

Question 39 • medium • multiple choice

A cloud architect is designing a multi-tier application. To ensure secure communication between the web tier and the application tier within the same VPC, which approach should be used?

Question 40 • easy • multiple choice

Which of the following is the best practice for securely storing secrets such as database passwords in a cloud environment?

Question 41 • hard • multiple choice

A company uses a cloud provider's identity federation to allow employees to sign in using their corporate Active Directory credentials. After a merger, employees from the acquired company need access. What must be modified to enable federated access for the new users without disrupting existing access?

Question 42 • medium • multiple choice

A security team wants to implement host-based intrusion detection on their virtual machines in a public cloud. Which approach provides the most effective detection while minimizing performance impact?

Question 43 • easy • multiple choice

A company stores sensitive data in cloud object storage. They want to ensure that data is automatically deleted after a retention period of 7 years to comply with legal requirements. Which feature should be used?

Question 44 • hard • multiple choice

During a penetration test, a cloud security engineer discovers that a storage bucket is publicly accessible because of a misconfigured block public access setting. The bucket contains encrypted data. Which of the following is the primary risk?

Question 45 • easy • multi select

Which TWO of the following are effective methods to protect data in transit within a cloud environment? Select two.

Question 46 • medium • multi select

Which TWO of the following are common vulnerabilities in cloud environments that can lead to unauthorized access? Select two.

Question 47 • hard • multi select

Which THREE of the following are essential components of a cloud incident response plan? Select three.

Question 48 • medium • multiple choice

A company's IaaS environment has a high rate of failed login attempts to a critical database server. The security team wants to temporarily block the source IPs after 5 failed attempts within 10 minutes. Which security control should be implemented?

Question 49 • hard • multiple choice

A cloud architect is designing a multi-tier application in a public cloud that must comply with PCI DSS. The web tier must be accessible from the internet, but the application tier should not have any public IP addresses. Which architecture meets these requirements?

Question 50 • easy • multiple choice

A cloud administrator notices that a storage bucket in a cloud object storage service is publicly accessible. The bucket contains sensitive customer data. What is the most likely cause of this issue?

Question 51 • hard • multiple choice

A security analyst is investigating a potential data exfiltration from a cloud environment. The analyst finds that an instance IAM role was assumed by a compromised user, and the role has permissions to read from a sensitive database. What is the BEST way to prevent this type of attack in the future?

Question 52 • medium • multiple choice

A company is migrating a legacy on-premises application to a cloud VM. The application requires a static private IP address for compliance. During a disaster recovery failover, the VM must automatically retain the same IP address in the secondary region. Which solution should be used?

Question 53 • easy • multiple choice

A cloud security team needs to ensure that all API calls made to the cloud provider are logged and monitored for suspicious activity. Which service should be enabled?

Question 54 • hard • multiple choice

A DevOps team uses infrastructure as code to deploy cloud resources. Security policy requires that all storage buckets have versioning enabled and are not publicly accessible. How can these requirements be enforced automatically?

Question 55 • medium • multiple choice

During a security assessment, a cloud auditor discovers that a virtual machine has a publicly accessible SSH port (22) open to the entire internet (0.0.0.0/0). The VM is a bastion host intended for administration. What should be done to reduce risk?

Question 56 • medium • multi select

Which TWO of the following are best practices for securing a cloud object storage bucket?

Question 57 • hard • multi select

Which THREE of the following are valid methods to manage identity and access in a multi-cloud environment?

Question 58 • easy • multi select

Which TWO of the following are common security concerns specific to a public cloud infrastructure?

Question 59 • hard • multiple choice

A cloud engineer runs the commands shown in the exhibit. Based on the output, which security issue is present?

Exhibit

Refer to the exhibit.

```
[user@bastion ~]$ gcloud compute instances list --format="value(name,zone,status)"
web-server-1 us-central1-a RUNNING
web-server-2 us-central1-b RUNNING
db-server us-central1-a RUNNING
[user@bastion ~]$ gcloud compute ssh web-server-1 --command="sudo systemctl status nginx"
● nginx.service - A high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2024-03-14 10:23:45 UTC; 1h 30min ago
[user@bastion ~]$ gcloud compute firewall-rules list --filter="allowed=('tcp:22')"
NAME        NETWORK  DIRECTION  PRIORITY  ALLOW    DENY  DISABLED
allow-ssh   default  INGRESS    1000      tcp:22                False
[user@bastion ~]$ gcloud compute firewall-rules describe allow-ssh
allowed:
- IPProtocol: tcp
  ports:
  - '22'
sourceRanges:
- 0.0.0.0/0
```

Question 60 • hard • multiple choice

A multinational corporation runs a critical application on a private cloud hosted in their data center. The application uses virtual machines (VMs) that are attached to a storage area network (SAN) for block storage. The company is migrating the application to a public cloud IaaS model to reduce on-premises costs. The security team mandates that all data at rest in the cloud must be encrypted using customer-managed keys, and the cloud provider must not have access to the keys. The application requires low-latency block storage for a database. The storage must be replicated within the same region for availability. The cloud architect needs to choose a storage solution that meets these security and performance requirements. The cloud provider offers: (A) Object storage with server-side encryption using provider-managed keys. (B) Ephemeral instance storage with encryption at rest using provider-managed keys. (C) Persistent block storage volumes with encryption using customer-managed keys stored in the provider's key management service (KMS) integrated with hardware security modules (HSM). (D) Network file system (NFS) shares encrypted with customer-managed keys managed on-premises. Which option should the architect choose?

Question 61 • medium • multiple choice

A healthcare organization uses a cloud-based virtual private cloud (VPC) to host a web application that processes protected health information (PHI). The application consists of a public-facing load balancer, a web server tier in a public subnet, and a database tier in a private subnet. The database runs on a managed relational database service with encryption at rest enabled using a cloud provider-managed key. The security auditor requires that the database encryption key must be controlled by the organization and rotated every 90 days. Additionally, the database must only be accessible from the web server tier. The database is currently accessible from the entire VPC CIDR block. What should the cloud administrator do to meet these requirements?

Question 62 • easy • multiple choice

A small business uses a public cloud IaaS to host a single Windows virtual machine (VM) running a line-of-business application. The VM has a public IP address and is in a network security group that allows RDP (port 3389) from the internet (0.0.0.0/0). The administrator frequently connects from home and various client sites. The administrator is concerned about brute force attacks on the RDP service. The business does not have a VPN server. What is the best way to secure the RDP access without changing the public IP address or blocking all external access?

Question 63 • medium • multi select

A cloud administrator is designing a hybrid cloud environment that connects on-premises resources to a public cloud. To ensure data protection, the administrator needs to implement controls for data in transit and data at rest. Which TWO security controls should the administrator implement? (Choose two.)

Question 64 • easy • multiple choice

A company hosts its critical applications on a cloud provider's virtual machines within a virtual private cloud. The security team receives an alert from the intrusion detection system indicating that one of the VMs is exhibiting signs of a ransomware infection. The administrator connects to the VM via a bastion host and observes that several important files have been encrypted and a ransom note has been left. The incident response plan is still being developed, but the administrator knows the immediate priority is to contain the threat and prevent it from spreading to other VMs and storage resources. The company has daily backups stored in a separate cloud storage service that is not directly accessible from the production network. Which of the following actions should the administrator take FIRST to contain the incident and minimize further damage?

Question 65 • hard • multiple choice

A company uses a multi-account AWS organization with separate accounts for development, testing, and production. A developer in the development account needs to access an S3 bucket in the production account to retrieve log files for troubleshooting. The developer has an IAM user in the development account with full S3 permissions, and the production account's S3 bucket policy includes a statement that grants access to the root user of the development account. However, when the developer attempts to access the bucket using AWS CLI with their IAM user credentials, they receive an 'Access Denied' error. The security team has verified that there are no explicit deny policies in either account, and that the bucket policy is correctly configured. The administrator has confirmed that the developer's IAM user has permissions to perform S3 operations. Which of the following is the MOST likely cause of the access failure?

Question 66 • easy • multi select

A cloud administrator is configuring a new virtual private cloud (VPC) with a public subnet for a web application. The administrator must ensure that the web application can receive HTTPS traffic from the internet but cannot be directly accessed via SSH. Which TWO security controls should the administrator implement? (Choose two.)

Question 67 • medium • multiple choice

A mid-sized company is migrating its on-premises applications to a public cloud. The security team has implemented a cloud access security broker (CASB) to monitor and enforce policies for sensitive data. The company uses a multi-cloud environment with both AWS and Azure. After deployment, the security team receives alerts that a developer accidentally exposed a set of credentials in a public GitHub repository. The credentials were associated with a service account that has read-write access to an AWS S3 bucket containing customer PII (personally identifiable information). The team immediately revokes the credentials and rotates the access keys. The security team wants to prevent such incidents in the future and ensure that any exposed credentials are promptly detected without relying solely on manual GitHub scans. The company also wants to maintain a least-privilege model for all cloud resources. Given this scenario, which of the following actions should the security team take FIRST to reduce the risk of credential exposure and improve detection?
