Practice CCSP Cloud Application Security questions with full explanations on every answer.
1. During a code review, a developer discovers hardcoded AWS access keys in a configuration file that was committed to the repository. Which tool is specifically designed to detect such secrets in code repositories?
2. Which cloud-specific vulnerability involves an attacker making a server-side request to the cloud metadata endpoint (e.g., 169.254.169.254) to retrieve temporary credentials?
3. An organization is implementing a DevSecOps pipeline for cloud-native applications. Which security testing method should be integrated early in the CI/CD pipeline to analyze source code for vulnerabilities without executing the application?
4. A security engineer is reviewing a Terraform configuration and wants to prevent deployment of an S3 bucket with public read access. Which IaC scanning tool is best suited for this task?
5. Which OWASP Top 10 vulnerability is most directly related to cloud API security when an attacker can modify parameters to access another user's data?
6. A cloud application uses an IAM role with a policy that allows 's3:*' on all buckets. This is an example of which cloud security issue?
7. Which practice is essential for securing cloud application secrets such as database passwords and API tokens?
8. A security team wants to detect container image vulnerabilities before they are pushed to a registry. At which stage of the CI pipeline should container image scanning occur?
9. An attacker publishes a malicious package to a public registry using the same name as an internal package used by a cloud application. This is known as:
10. What is a Software Bill of Materials (SBOM) primarily used for?
11. An API endpoint returns user profile data including fields like 'credit_card_number' even when the client application does not need it. Which OWASP API security risk does this represent?
12. A security engineer is reviewing an S3 bucket policy that grants 's3:GetObject' access to 'Principal: *' and 'Condition: {IpAddress: {aws:SourceIp: ["1.2.3.4/32"]}}'. Despite the IP restriction, why is this policy still considered risky?
13. A cloud security team is implementing a DevSecOps pipeline. Which TWO of the following are examples of shift-left security practices? (Select two.)
14. Which TWO of the following are effective measures to prevent dependency confusion attacks? (Select two.)
15. Which THREE of the following are recommended practices for securing cloud application APIs? (Select three.)
16. A cloud security team wants to integrate security testing early in the development lifecycle to reduce vulnerabilities. Which approach best describes this concept?
17. A cloud-native application is deployed on AWS. During a security review, the team discovers that if an attacker can send a crafted request to the application, the application will make an HTTP request to http://169.254.169.254/latest/meta-data/iam/security-credentials/. Which vulnerability is being exploited?
18. A DevOps team is implementing a CI/CD pipeline for a cloud application. They want to automatically scan source code for security vulnerabilities before building the application. Which type of scanning should they integrate?
19. During a security audit of a Kubernetes deployment, a team finds that containers are allowed to run as root with full privilege escalation. Which IaC scanning tool would have detected this misconfiguration before deployment?
20. Which practice helps prevent hardcoded cloud credentials from being committed to source code repositories?
21. An organization uses a private artifact registry for approved package sources. A developer accidentally publishes a package with a similar name to an internal package to the public registry. This could lead to which type of attack?
22. A cloud application uses an API that allows users to view other users' profile details by changing the user ID in the request. Which vulnerability is this?
23. A security team wants to ensure that only signed container images are deployed in production. Which practice should they implement?
24. Which of the following is a cloud-specific vulnerability that can lead to exposure of IAM credentials through the metadata service?
25. A developer configures an AWS S3 bucket to allow public access by setting a bucket policy that grants 's3:GetObject' to 'Principal: *'. Which vulnerability does this introduce?
26. Which runtime security control monitors application behavior and can block attacks by analyzing application logic and context?
27. What is the primary purpose of a Software Bill of Materials (SBOM) in cloud application security?
28. A cloud security engineer is reviewing an AWS IAM policy that includes the following statement: 'Effect: Allow, Action: iam:*, Resource: *'. Which two security concerns does this configuration create? (Choose TWO.)
29. A security team is implementing a DevSecOps pipeline for a cloud-native application. Which three practices should be included to enhance application security? (Choose THREE.)
30. An organization wants to prevent secrets from being exposed in source code. Which two practices should they adopt? (Choose TWO.)
31. A security engineer is integrating security into a cloud application's CI/CD pipeline. Which practice is an example of 'shift-left' security?
32. During a threat modeling session for a cloud-native application, which cloud-specific attack path is most critical to identify?
33. Which tool is specifically designed to scan Infrastructure as Code (IaC) templates for cloud misconfigurations before deployment?
34. A developer accidentally commits AWS access keys to a public GitHub repository. Which tool would be most effective in detecting this secret exposure?
35. Which vulnerability is considered a cloud-specific API security issue?
36. An organization uses a private artifact registry for approved packages. What attack does this practice primarily defend against?
37. Which of the following is a key benefit of using a Software Bill of Materials (SBOM)?
38. A cloud application uses IAM roles to grant permissions to compute instances. What is the primary security advantage of this approach over hardcoding credentials?
39. During a security audit, a cloud security architect discovers that an S3 bucket is configured with a bucket policy that allows 's3:GetObject' from any principal. What is the most likely risk?
40. Which of the following is an example of a runtime application self-protection (RASP) capability?
41. A cloud application allows users to upload profile pictures. The application stores the files in an S3 bucket with public read access. An attacker uploads a malicious script that executes when other users view the image. Which type of attack is this?
42. Which of the following is a best practice for managing secrets in cloud-native applications?
43. A security team is implementing container image scanning in a CI pipeline. Which TWO of the following actions should be performed? (Select TWO)
44. Which THREE of the following are effective measures to prevent unauthorized access to cloud storage buckets? (Select THREE)
45. A cloud security architect is designing a DevSecOps pipeline for a multi-cloud environment. Which THREE practices should be included to ensure security is integrated early? (Select THREE)
46. Which security testing technique is most effective at identifying vulnerabilities early in the development lifecycle by analyzing source code without executing it?
47. A security engineer discovers that a cloud application can access the metadata service endpoint at 169.254.169.254. Which vulnerability is most likely being exploited?
48. During a CI/CD pipeline, a developer wants to automatically block builds if Terraform configuration files contain security misconfigurations. Which tool is best suited for this task?
49. A company uses a private artifact registry for internal packages. An attacker publishes a malicious package with the same name as an internal package to a public registry. Which attack is being described?
50. Which of the following is a key practice for secure management of cloud credentials in application code?
51. An API allows users to access their own profile data by providing a user ID. However, an attacker can change the user ID parameter to access another user's data. Which OWASP API Security vulnerability is this?
52. Which practice is most effective for preventing the deployment of container images with known vulnerabilities in a DevSecOps pipeline?
53. A cloud application uses an IAM role with the policy "Action: s3:*" and "Resource: *". Which principle is violated?
54. What is the primary purpose of a Software Bill of Materials (SBOM) in cloud application security?
55. A company is adopting shift-left security. Which action best exemplifies this approach?
56. An attacker exploits a cloud application to make HTTP requests to an internal metadata service and retrieve temporary credentials. Which control would be most effective in preventing this attack?
57. Which of the following is a cloud-specific threat that should be included in a threat model for a cloud application?
58. Which TWO of the following are effective methods for preventing hardcoded credentials from being committed to a cloud application's source code repository? (Select TWO)
59. Which TWO of the following are recommended practices for securing container images in a cloud environment? (Select TWO)
60. Which THREE of the following are key components of a secure cloud SDLC that support shift-left security? (Select THREE)
61. Which security testing approach is most effective at identifying vulnerabilities early in the cloud software development lifecycle (SDLC) by analyzing source code without executing the application?
62. A cloud-native application stores sensitive user files in an Amazon S3 bucket. Which misconfiguration poses the greatest risk of data exposure?
63. A developer accidentally hardcodes AWS access keys in a public GitHub repository. Which tool is specifically designed to detect such secrets in code repositories?
64. In a DevSecOps pipeline for a cloud application, which practice best ensures that only approved open-source components are used?
65. A cloud application allows users to upload profile pictures that are stored in Azure Blob Storage. Which vulnerability is most likely if the application does not validate the content type or size of uploaded files?
66. Which cloud-specific attack involves an application making HTTP requests to internal metadata endpoints such as 169.254.169.254 to retrieve cloud instance credentials?
67. A cloud security team wants to automatically block malicious requests to a web application before they reach the application servers. Which solution should they implement?
68. A company uses Terraform to manage cloud infrastructure. Which infrastructure-as-code (IaC) security scanner can detect misconfigurations such as overly permissive security group rules before deployment?
69. An API endpoint returns user profile details including email, phone, and address. The response includes fields that are not needed for the client application. Which OWASP API Security risk does this represent?
70. Which of the following is a best practice for managing secrets in a cloud-native application?
71. A container image is built and scanned in a CI pipeline. Which practice should be implemented to ensure that the image has not been tampered with before deployment?
72. An attacker publishes a malicious package to a public registry using the same name as an internal package used by a cloud application. This attack is known as:
73. A cloud application is deployed on Kubernetes and uses an IAM role for service accounts. Which TWO practices should be implemented to ensure least privilege?
74. A DevSecOps team is implementing security scanning in the CI/CD pipeline for a cloud application. Which THREE tools or practices should be included to shift security left?
75. A cloud application exposes an API that allows users to view their own orders. Which TWO vulnerabilities could allow an attacker to view another user's orders?
76. A development team is adopting a DevSecOps approach for a cloud-native application. Which practice best exemplifies the shift-left security principle?
77. A security engineer is reviewing a cloud application that uses AWS S3 buckets. Which vulnerability is most specific to cloud environments and is often exploited to access sensitive data?
78. During a threat modeling session for a cloud application, the team identifies a risk where an attacker could trick the application into making HTTP requests to the cloud metadata endpoint (e.g., http://169.254.169.254). What is the most critical impact of this attack?
79. A cloud security architect is implementing a CI/CD pipeline for a containerized application on AWS. Which TWO practices should be integrated to enforce container image security?
80. A development team builds a serverless application using AWS Lambda. The security team wants to prevent hardcoded credentials. Which TWO methods should they enforce for secure secrets management?
81. A security auditor is reviewing a cloud application's API endpoints. Which THREE OWASP API Security risks are particularly relevant to cloud applications due to their reliance on APIs for resource access?
82. A company uses a private artifact registry for internal packages. An attacker could perform a dependency confusion attack by uploading a malicious package to a public registry with the same name as an internal package. Which THREE measures help mitigate this attack?
83. A cloud security team is implementing a DevSecOps pipeline for a Kubernetes-based application. Which THREE scanning tools should be integrated to detect IaC misconfigurations before deployment?
84. A cloud application uses IAM roles with wildcard permissions (e.g., iam:* or *:*). Which TWO risks are directly associated with such over-permissive IAM policies?
The Cloud Application Security domain covers the key concepts tested in this area of the CCSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CCSP domains — no account required.
The Courseiva CCSP question bank contains 84 questions in the Cloud Application Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Cloud Application Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.