Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Cloud Application Security

Practice CCSP Cloud Application Security questions with full explanations on every answer.

111 questions


All CCSP Cloud Application Security questions (111)


1. A company is migrating a legacy application to the cloud. The application uses hardcoded database credentials. Which secure development practice should be implemented to address this?

2. A security architect is designing a CI/CD pipeline for a cloud-native application. The team wants to automatically scan container images for vulnerabilities before deployment. Which of the following is the most effective approach?

3. A SaaS provider uses a customer-managed encryption key (CMEK) model for data-at-rest. The provider's application runs in a multi-tenant cloud environment. Which attack surface is MOST directly mitigated by this approach?

4. An organization is developing a mobile app that communicates with a cloud API. To ensure secure authentication, which of the following should be used?

5. A cloud security team is implementing a Web Application Firewall (WAF) for a public-facing web application. The application uses a REST API with JSON payloads. Which of the following is the WAF's primary benefit?

6. A company deploys microservices in Kubernetes. Each service communicates via gRPC with mutual TLS. A security assessment reveals that some services use self-signed certificates. What is the primary risk?

7. A developer is tasked with securely storing a session token in a browser-based web application. Which storage mechanism is most secure?

8. A cloud application uses a third-party identity provider (IdP) for SSO. The security team notices that tokens are being reused across different applications. Which token binding mechanism should be implemented?

9. A company is implementing a serverless application using AWS Lambda. The function processes S3 events and writes to a DynamoDB table. Which of the following is the MOST secure way to grant the necessary permissions?

10. Which TWO of the following are common best practices for securing cloud application APIs? (Choose two.)

11. Which THREE of the following are essential components of a Secure Software Development Lifecycle (SSDLC) in the cloud? (Choose three.)

12. Which TWO of the following are effective methods to protect against server-side request forgery (SSRF) in a cloud application? (Choose two.)

13. Refer to the exhibit. A security administrator is reviewing an S3 bucket policy. What is the primary security concern with this policy?

14. Refer to the exhibit. A Kubernetes pod is configured as shown. Which security enhancement should be added to follow cloud security best practices?

15. Refer to the exhibit. A log entry shows a suspected SQL injection attack. Which security control would have prevented this attack?

16. A financial services company uses a multi-region cloud deployment for its trading application. The application consists of a web frontend, a REST API, and a relational database. Recently, a penetration test revealed that an attacker could perform a time-based blind SQL injection through the API's search functionality. The injection allows the attacker to enumerate database contents by observing response times. The development team was already aware of the issue but had prioritized other features. The security team now demands immediate remediation. The application is critical and cannot be taken offline. Which of the following is the most effective immediate action to mitigate the risk without modifying the application code?

17. A healthcare SaaS provider is deploying a new application that processes protected health information (PHI). The application uses a microservices architecture running on Kubernetes. Each microservice stores its data in a separate database. The compliance team requires that all data at rest be encrypted and that encryption keys be managed by the customer (CMEK). The cloud provider supports KMS with CMEK. However, the development team wants to use a single customer-managed key for all databases to simplify key management. The security architect is concerned about the blast radius if the key is compromised. Which of the following recommendations best balances security and operational efficiency?

18. A cloud security architect is designing a CI/CD pipeline for a serverless application using AWS Lambda. The application processes sensitive user data and requires encryption at rest and in transit. Which of the following is the BEST approach to securely manage database credentials used by the Lambda function?

19. A security team is implementing a web application firewall (WAF) for a cloud-based e-commerce application. The application is built on a microservices architecture and uses a RESTful API. Which of the following is the PRIMARY reason to deploy the WAF at the API gateway level rather than at the individual service level?

20. A cloud application developer is using a containerized application with Docker. The security team requires that the application runs with the least privilege possible. Which of the following is the BEST practice to ensure the container does not run as root?

21. A company is migrating a legacy monolithic application to a cloud-native microservices architecture. The security architect is concerned about securing inter-service communication. Which of the following should be implemented to ensure mutual authentication and encryption between services?

22. Which THREE of the following are essential components of a Secure Software Development Lifecycle (SSDLC) for cloud applications?

23. An AWS S3 bucket policy is configured as shown in the exhibit. The security team wants to ensure that only requests from the corporate IP range (203.0.113.0/24) can read objects in the bucket. However, they notice that a CloudFront distribution configured to serve content from this bucket is returning 403 Forbidden errors. What is the MOST likely cause?

24. You are a cloud security engineer for a financial services company. The company has developed a cloud-native application that processes credit card transactions and stores sensitive financial data. The application is deployed on a Kubernetes cluster in a public cloud provider. The compliance team requires that all data at rest be encrypted using a customer-managed key (CMK) with automatic rotation. The application uses a managed database service (e.g., Amazon RDS) and object storage (e.g., Amazon S3) for storing transaction logs. The current configuration uses cloud-provider-managed keys for both services. The development team is concerned that enabling CMK with automatic rotation might cause application downtime due to key rotation latency. Additionally, the security team wants to ensure that access to the keys is auditable. Which course of action BEST addresses the compliance requirement while minimizing risk?

25. A company is implementing a secure software development lifecycle (SSDLC) for its cloud-native applications. Which practice should be automated to detect vulnerabilities early in the development process?

26. Which TWO of the following are primary objectives of a cloud application security program?

27. Refer to the exhibit. A security analyst reviews the S3 bucket policy shown. Which security issue should be flagged?

28. Drag and drop the steps for implementing a cloud data encryption strategy using a customer-managed key (CMK) in AWS KMS into the correct order.

29. Drag and drop the steps for conducting a cloud security risk assessment using the NIST CSF framework into the correct order.

30. Match each cloud service model to its primary responsibility area according to the shared responsibility model.

31. Match each compliance framework to its primary jurisdiction or industry.

32. A cloud security architect is designing a multi-tier application that processes sensitive customer data. To protect data in transit between the web tier and the application tier, which of the following is the MOST appropriate approach?

33. A DevSecOps team is integrating static application security testing (SAST) into their CI/CD pipeline. Which of the following is the PRIMARY benefit of performing SAST during the build phase rather than later in the pipeline?

34. A company is deploying a containerized application on Kubernetes. The security team requires that containers run with the least privilege, and that any attempt to escalate privileges within a container is blocked. Which Kubernetes security context setting should be applied to the pod specification?

35. A security analyst is reviewing application logs and notices that a large number of requests from a single IP address are attempting to access a REST API endpoint with invalid session tokens. Which cloud-based mitigation is MOST effective at blocking such automated attacks?

36. A financial services company is adopting a cloud-native microservices architecture. They want to ensure that only authorized services can communicate with each other, and that all inter-service communication is encrypted. Which of the following is the BEST approach?

37. An organization is migrating a legacy application to the cloud and plans to use a cloud access security broker (CASB). Which of the following is the PRIMARY function of a CASB in securing cloud applications?

38. A developer is writing code that will be deployed as a serverless function (e.g., AWS Lambda). The function needs to read data from an Amazon S3 bucket. According to the principle of least privilege, how should the developer grant access?

39. A company is adopting DevSecOps and wants to incorporate security testing into their continuous integration pipeline. They have decided to run SAST (static analysis) and SCA (software composition analysis) tools. Which of the following is the PRIMARY reason for including SCA in addition to SAST?

40. A cloud security engineer is configuring an AWS Lambda function that processes messages from an Amazon SQS queue. The function needs to write results to a DynamoDB table. Which of the following is the SECUREST way to manage the function's credentials?

41. Which TWO of the following are secure coding practices that help prevent injection attacks?

42. Which THREE of the following are common challenges in securing serverless applications?

43. Which THREE of the following are effective controls to secure a RESTful API in the cloud?

44. A developer is implementing a cloud application that stores sensitive user data. To minimize the risk of data exposure during transit, which security control should be enforced as a baseline requirement?

45. A security team is reviewing a cloud application's CI/CD pipeline. They want to ensure that only approved open-source libraries are used in production builds. Which approach best addresses this requirement?

46. An organization uses a multi-cloud architecture with applications running on both AWS and Azure. They need to implement a secrets management solution that works across both platforms and supports automated rotation. Which approach best meets these requirements?

47. A cloud application is being designed to handle highly sensitive financial data. The security architect wants to ensure that encryption keys are managed outside the application's memory space. Which service model should they use?

48. During a security audit, a cloud application is found to have numerous container images with critical vulnerabilities. The DevOps team wants to prevent vulnerable images from being deployed to production. Which two controls should be implemented? (Select TWO)

49. A security engineer is investigating an incident where an attacker exploited a server-side request forgery (SSRF) vulnerability in a cloud application. The application runs on AWS and uses internal metadata endpoints. Which mitigation should be prioritized to prevent future SSRF attacks?

50. A cloud application processes data subject to GDPR. The security team needs to ensure that all personally identifiable information (PII) is encrypted at rest and that access is logged. Which combination of controls should be implemented? (Select THREE)

51. A company is adopting a serverless architecture using AWS Lambda. The security team is concerned about potential injection attacks via event payloads. Which practice is most effective at mitigating such attacks?

52. A cloud application uses containers orchestrated by Kubernetes. The security team wants to enforce that containers cannot run as root and that file systems are read-only at runtime. Which Kubernetes security context configuration should be applied?

53. A cloud application uses a RESTful API that handles payment transactions. The security team identifies that the API is vulnerable to brute-force attacks on the authentication endpoint. Which control should be implemented to mitigate this?

54. An organization uses infrastructure as code (IaC) to deploy cloud resources. The security team wants to prevent misconfigurations such as open security groups from being deployed. Which two practices should be integrated into the IaC pipeline? (Select TWO)

55. A cloud application uses a service mesh for inter-service communication. The security team wants to enforce mutual TLS (mTLS) between all services and ensure that service identities are verified. What is the most effective way to achieve this?

56. A developer receives the above error when trying to create a route in an API Gateway. Which action should the developer take to resolve the issue?

57. A security analyst reviews the above S3 bucket policy. The bucket stores sensitive application data. What is the primary security issue with this policy?

58. A security analyst is reviewing CloudTrail logs and sees the above event. The analyst suspects that the AMI used may be outdated and vulnerable. Which action should the analyst take to verify the security posture of the launched instance?

59. A security architect is designing access controls for a cloud-based microservices application. Which approach best aligns with the principle of least privilege for service-to-service authentication?

60. A development team is migrating a legacy application to the cloud. Which security testing approach should be adopted early in the CI/CD pipeline to catch vulnerabilities as code is written?

61. A cloud security engineer needs to ensure that a containerized application running in a Kubernetes cluster securely stores and rotates database credentials. Which is the most appropriate solution?

62. During a code review, a developer identifies that an application uses input from an HTTP request to generate a SQL query string. What is the primary security concern?

63. An organization deploys a serverless application using AWS Lambda functions that access an RDS database. Which practice best ensures that the database credentials are protected?

64. Which of the following is a key benefit of using a software composition analysis (SCA) tool in a cloud application security program?

65. A company wants to enforce that all API calls to its cloud services are authenticated and authorized. Which design pattern should be implemented?

66. A security auditor is reviewing a cloud application's data encryption strategy. The application stores sensitive data in a cloud database. Which configuration would best ensure data confidentiality in the event of a database dump?

67. A DevOps team wants to prevent insecure code from being deployed to production. Which gate should be implemented in the CI/CD pipeline?

68. Which TWO measures are effective for securing container images in a cloud environment?

69. Which THREE are best practices for implementing secrets management in cloud applications?

70. Which TWO practices help protect against insecure deserialization attacks in cloud applications?

71. An IAM policy named S3ReadOnlyAccess has DefaultVersionId v3. What does this indicate?

72. An architect reviews this S3 bucket policy. What security concern should be raised?

73. A cloud security engineer reviews this Terraform configuration for a security group. Which change is necessary to improve security?

74. A company develops a microservices application and wants to ensure secrets such as API keys and database credentials are not exposed in container images. Which approach best meets this requirement?

75. During a security review, a cloud security architect discovers that a PaaS database service has public network access enabled. The application team claims they need it for external integrations. What is the most secure alternative to allow necessary access?

76. A SaaS application allows users to upload profile pictures. The development team wants to prevent upload of malicious files that could compromise the server. Which control is most effective?

77. A cloud application uses OAuth 2.0 for authorization. What is the primary purpose of using a refresh token in this flow?

78. An organization uses a CI/CD pipeline that automatically builds and deploys container images to a Kubernetes cluster. A security scanner flags that the base image contains a critical vulnerability. What is the best course of action to prevent vulnerable images from being deployed?

79. A developer wants to ensure that sensitive data in a cloud database is protected even if the database backup files are stolen. Which best practice should be implemented?

80. A cloud security engineer is reviewing the authentication mechanism for a web application. The application currently uses API keys transmitted in the URL query string. What is the primary security concern with this approach?

81. Which of the following is the best way to protect a web application from cross-site scripting (XSS) attacks?

82. A company uses a serverless architecture with AWS Lambda to process user-uploaded files. The Lambda function is triggered by an S3 bucket event. While reviewing security, the architect wants to ensure that the Lambda function cannot be invoked by unauthorized S3 buckets or accounts. What is the most secure configuration?

83. Which TWO of the following are considered best practices for securing containerized applications in a cloud environment?

84. Which THREE of the following are valid techniques to protect application programming interfaces (APIs) from abuse?

85. Which TWO of the following are key components of a secure software development lifecycle (SSDLC) in a cloud environment?

86. A company is moving a legacy application to the cloud. The application uses hard-coded passwords for database connections. Which secure development practice should be implemented to address this issue?

87. A cloud application experiences intermittent failures during peak load. Logs show database connection timeouts. Which architecture change would best address this issue?

88. A financial services company uses a CI/CD pipeline to deploy microservices to a Kubernetes cluster. The security team wants to ensure container images are scanned for vulnerabilities before deployment. Which integration point in the pipeline is most effective?

89. A software company develops an API for third-party integrations. They want to ensure that only authorized partners can access the API. Which authentication mechanism is most appropriate?

90. A developer needs to store session state for a cloud-based web application. Which of the following is the most secure approach?

91. A company uses a cloud-based identity provider for single sign-on. An application needs to verify the user's identity without storing credentials. Which token type should the application validate?

92. During a security audit, it is discovered that a cloud application's API endpoints are vulnerable to injection attacks. Which defense in depth measure would be most effective in preventing such attacks?

93. A team is adopting DevSecOps. Which practice best integrates security into the development lifecycle?

94. A cloud application uses customer-managed encryption keys (CMK) stored in a cloud HSM. The application needs to decrypt data on demand. How should the key be accessed?

95. Which TWO best practices help secure a cloud application's runtime environment?

96. Which TWO are effective strategies for securing cloud application data at rest?

97. Which THREE are key considerations when designing a secure software development lifecycle (SSDLC) for cloud applications?

98. Refer to the exhibit. A developer reports that users are being denied access to a cloud application. The error log shows the above. What is the most likely cause of the denial?

99. A company runs a multi-tier cloud application with a web frontend, an API layer, and a database. The application uses OAuth 2.0 for authentication. Recently, users have been experiencing session hijacking attacks. Upon investigation, the security team finds that session tokens are being intercepted in transit. The application uses HTTPS for all communications, but a developer discovers that the application is also accessible via HTTP due to a misconfiguration. The team wants to implement additional security controls to prevent token theft. Which course of action should be taken first?

100. A financial organization is migrating a critical application to a cloud environment. The application processes sensitive customer data and must comply with PCI DSS. The security architect proposes using serverless functions for the compute layer. Which security control is essential to protect the application from injection attacks?

101. A company uses a cloud-based CI/CD pipeline with GitLab. Developers push code to a repository, triggering a build. The security team notices that sensitive API keys are being logged in build output. Which practice best prevents this?

102. A security architect is designing a cloud-native application using microservices. They decide to implement mutual TLS (mTLS) for service-to-service communication in a Kubernetes cluster with hundreds of services. What is the primary challenge in managing mTLS certificates in this dynamic environment?

103. A security team is reviewing controls for a cloud application that transmits personally identifiable information (PII) over the internet. Which TWO controls are essential for protecting data in transit?

104. A cloud application uses AWS Lambda functions in a serverless architecture. The security team wants to enforce least privilege access for these functions. Which THREE practices should be implemented?

105. A fintech startup deploys a customer-facing web application on Azure App Service. The application uses OAuth 2.0 with Azure AD for authentication. Recently, users report being logged out unexpectedly during active sessions. Security logs show multiple token refresh attempts failing with 'invalid_grant' errors. The application uses a standard library for token management. What is the most likely cause and recommended action?

106. A healthcare SaaS company runs containerized microservices on Google Kubernetes Engine (GKE). The security team scans containers with a vulnerability scanner and finds that base images have several critical vulnerabilities. The container build process uses a Dockerfile that pulls the latest Ubuntu image from Docker Hub. The team wants to reduce the attack surface without delaying feature releases. What is the best approach?

107. A global e-commerce platform uses AWS API Gateway to expose REST APIs to third-party developers. The security team notices that a malicious user is repeatedly sending large payloads to a /submit endpoint, causing high CPU usage on backend Lambda functions. The API uses a simple API key for authentication. Which combination of controls should be implemented to mitigate this attack while preserving legitimate access?

108. A large enterprise is migrating a legacy .NET application to Azure App Service. The application currently stores session state in-memory on the web server. During the migration, the team plans to horizontally scale the application across multiple instances. The security team requires that session data remain confidential and be available even if an instance fails. Which solution should the team implement?

109. A media streaming company uses a multi-cloud strategy with AWS and GCP. Their application uses a message queue (Amazon SQS and Google Pub/Sub) for asynchronous processing. The security team discovers that messages contain sensitive user data (e.g., email addresses) that are not encrypted at the broker level. The compliance team mandates encryption of data at rest and in transit for all sensitive data. However, the application already uses TLS for message delivery. What is the most secure and operationally efficient way to meet compliance?

110. A financial services company deploys a containerized application on Amazon ECS with Fargate. The application needs to access an encrypted RDS database. The security policy mandates that database credentials must never be stored in the application code or configuration files and must be rotated automatically every 90 days. Which solution should the DevOps team implement to satisfy these requirements?

111. A software company develops a mobile application that communicates with a cloud backend using REST APIs. The application uses OAuth 2.0 with the authorization code grant and PKCE for authentication. After a security audit, the team identifies that the backend API accepts both a client secret (from the authorization code grant) and a PKCE code verifier. The security team wants to remove unnecessary attack surface. Which change should be made?


Other CCSP exam domains

- Cloud Security Operations
- Legal, Risk and Compliance
- Cloud Concepts, Architecture and Design
- Cloud Platform and Infrastructure Security
- Cloud Data Security

Frequently asked questions

What does the Cloud Application Security domain cover on the CCSP exam?

The Cloud Application Security domain covers the key concepts tested in this area of the CCSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CCSP domains — no account required.

How many Cloud Application Security questions are in the CCSP question bank?

The Courseiva CCSP question bank contains 111 questions in the Cloud Application Security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Cloud Application Security for CCSP?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Cloud Application Security questions for CCSP?

Yes — the session launcher on this page draws questions exclusively from the Cloud Application Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
