Practice CCSP Cloud Concepts, Architecture and Design questions with full explanations on every answer.
1. A healthcare organization is migrating sensitive patient data to a public cloud. The compliance team requires that data be encrypted at rest and in transit, and that the cloud provider cannot access the encryption keys. Which cloud service model should the organization use to maintain sole control over encryption keys?
2. A company is designing a multi-tier application in the cloud. The web tier must automatically scale based on CPU utilization, while the database tier should remain fixed to maintain data consistency. Which architectural pattern best meets these requirements?
3. A financial services firm is designing a cloud environment that must comply with PCI DSS. The security architect proposes using a virtual private cloud (VPC) with subnets, security groups, and network ACLs. However, the compliance officer is concerned about the risk of data exposure due to misconfiguration. Which additional control would BEST address this concern?
4. A cloud architect is tasked with designing a disaster recovery plan for a critical application. The recovery time objective (RTO) is 1 hour, and the recovery point objective (RPO) is 15 minutes. The application runs on IaaS with data stored in a relational database. Which replication strategy is MOST cost-effective while meeting the objectives?
5. Which THREE of the following are key characteristics of cloud computing as defined by NIST SP 800-145?
6. Refer to the exhibit. A security engineer is reviewing this S3 bucket policy. The bucket contains sensitive documents that should only be accessible from the internal network (10.0.0.0/24) and only over HTTPS. What is the most likely effect of this policy?
7. Your company, a global e-commerce platform, operates on a multi-cloud environment with workloads in AWS and Azure. You are the lead cloud architect. The platform experiences peak traffic during promotional events, with traffic spikes up to 10x normal. The application is composed of microservices running in containers orchestrated by Kubernetes on both clouds. Each cloud provider's Kubernetes cluster uses cluster autoscaler and horizontal pod autoscaler. Recently, during a flash sale, the AWS cluster failed to scale adequately, causing latency spikes and timeouts. AWS support indicated that the cluster hit a service quota limit for EC2 instances. You need to prevent this from recurring. You have the following options: A) Implement a multi-region deployment on AWS to distribute load. B) Pre-warm the AWS environment by requesting a service quota increase and using a pod priority class to ensure critical pods scale first. C) Migrate all workloads to Azure to simplify management. D) Use a global load balancer to route traffic to the cloud with the most available capacity. Which option is the best course of action?
8. Drag and drop the steps for performing a cloud migration using the 'lift and shift' strategy into the correct order.
9. Drag and drop the steps for implementing a data retention policy for cloud storage (e.g., Amazon S3) into the correct order.
10. Match each NIST SP 800-53 control family to its focus area.
11. Match each cloud auditing term to its definition.
12. A company is migrating to the cloud to reduce capital expenditures. They want to pay only for the resources they consume with no upfront investment. Which financial model does this describe?
13. A healthcare provider is subject to HIPAA regulations. They are planning to use a public cloud provider. Which design consideration is most important to ensure compliance?
14. An organization is designing a cloud application that must remain available even if an entire AWS availability zone fails. Which architecture pattern should they implement?
15. A company wants to ensure that their cloud deployment has the highest level of isolation between tenants. Which deployment model is most appropriate?
16. A developer is designing a microservices-based application in the cloud. They need to ensure communication between services is loosely coupled and resilient to failures. Which design pattern should they implement?
17. An auditor is reviewing a cloud provider's SOC 2 Type II report. Which aspect of the report is most relevant for assessing the effectiveness of controls over a period?
18. A cloud architect is designing a disaster recovery plan for a financial application with RTO of 15 minutes and RPO of 5 minutes. Which recovery strategy is most appropriate?
19. A small business wants to use a cloud service but has limited in-house IT expertise. Which cloud service model requires the least customer management responsibility?
20. During a cloud migration, a company decides to move a legacy application with no code changes. Which migration strategy are they using?
21. A cloud architect is evaluating cloud service models for a new application. Which two characteristics are advantages of PaaS over IaaS? (Choose two.)
22. A company is implementing a hybrid cloud architecture. Which two components are essential for establishing a secure connection between on-premises and cloud environments? (Choose two.)
23. A cloud architect is designing a multi-cloud strategy to avoid vendor lock-in. Which three design considerations should be included? (Choose three.)
24. What is the effective permission for a request coming from IP address 10.1.2.3?
25. What is the most likely cause of the failure?
26. Which type of threat is this log most likely indicating?
27. A company is migrating its on-premises workloads to a public cloud environment. The security team is concerned about maintaining visibility into network traffic between virtual machines in the same virtual network. Which cloud architecture component should be implemented to address this concern?
28. A cloud architect is designing a multi-region application to ensure high availability. The application must automatically fail over to a secondary region if the primary region becomes unavailable. Which strategy best meets this requirement?
29. A company uses a cloud provider's object storage service for backup data. The security policy requires that data be encrypted at rest using keys managed by the company's on-premises hardware security module (HSM). Which encryption method should be used?
30. A cloud architect is designing a cost-optimized architecture for a batch processing job that runs once per day. The job requires high compute capacity for approximately 5 hours. Which cloud service model is most suitable?
31. A company is deploying a new application that processes sensitive personal data. The cloud provider operates in a specific region that adheres to the EU General Data Protection Regulation (GDPR). The company requires that data never leave the region. Which combination of cloud architecture controls should be implemented?
32. A cloud architect is designing a disaster recovery (DR) solution for a critical application with a recovery time objective (RTO) of 30 minutes and a recovery point objective (RPO) of 5 minutes. The application runs on virtual machines in a private cloud. The architect is considering using a colocation facility as the DR site. Which replication method will meet the RPO requirement?
33. A company wants to ensure that its cloud infrastructure can automatically add capacity during traffic spikes and remove capacity during low demand. Which cloud characteristic is primarily needed?
34. A company is moving a legacy application to a public cloud. The application requires low latency and high throughput between two application tiers. Which two cloud design principles should be applied? (Choose two.)
35. An organization wants to ensure compliance with industry regulations by implementing data classification in the cloud. Which two actions should the organization take? (Choose two.)
36. A cloud architect is designing a multi-cloud solution that must maintain high availability and disaster recovery across two cloud providers. Which three key considerations should be included in the architecture? (Choose three.)
37. Refer to the exhibit. A security auditor is reviewing the security group configuration for a web server. Which change would improve the security posture without breaking the application functionality?
38. Refer to the exhibit. An organization has attached this IAM policy to a role used by a backup application to access encrypted objects in an S3 bucket. The application is failing with an access denied error when trying to download objects. What is the most likely cause?
39. A multinational corporation operates a cloud-based application that stores customer data across multiple regions to comply with local data residency laws. The application is deployed on virtual machines in an Infrastructure as a Service (IaaS) environment. Recently, the compliance team discovered that some user data from the European region was accidentally stored in a storage bucket located in the United States due to a misconfigured storage class. The company needs to immediately ensure that no further data breaches occur and that all future data storage actions comply with regional restrictions. The cloud architect proposes implementing a data loss prevention (DLP) solution, but the compliance team wants a more preventative approach. Which of the following is the BEST course of action to prevent this issue?
40. A software development company is migrating its development and test environments to a public cloud. The security team has identified that many developers have assigned overly permissive IAM roles to the resources they create, such as giving full administrative access to databases and virtual machines. The company wants to enforce least privilege without impeding development agility. The cloud architect suggests using a combination of permission boundaries and service control policies. Which of the following approaches BEST enforces least privilege while maintaining development flexibility?
41. A financial services company is required to maintain audit trails of all user activities in its cloud environment for regulatory compliance. The company uses multiple cloud services and wants a centralized logging solution. The current architecture sends logs to a central storage bucket, but some logs are being lost due to high volume and insufficient throughput. Additionally, the logs must be immutable to prevent tampering. The company needs to ensure that all logs are captured and stored in a tamper-proof manner. Which of the following solutions BEST meets the requirements?
42. A cloud security analyst is troubleshooting an access denied error when an application attempts to read an object from an S3 bucket. The application uses an IAM user that is not associated with the role specified in the policy. Which of the following is the most likely cause of the error?
43. Which THREE of the following are essential characteristics of cloud computing as defined by NIST SP 800-145?
44. A healthcare organization recently migrated a patient records management application from on-premises infrastructure to a cloud environment using Infrastructure as a Service (IaaS). The application was originally designed as a monolithic workload running on bare-metal servers. After migration, the application is deployed on a fleet of virtual machines (VMs) of the same instance type. The organization is using a combination of Reserved Instances for baseline capacity and On-Demand instances to handle spikes. However, two months after the migration, the cloud bill is 40% higher than the estimated on-premises total cost of ownership. Additionally, performance reports indicate that the application experiences inconsistent latency and occasional timeouts during peak hours. The operations team has confirmed that the application code has not changed, and the cloud provider's infrastructure is healthy. There is no issue with network bandwidth or storage I/O. The team is considering several options to address both cost and performance issues. What should the team do first?
The Cloud Concepts, Architecture and Design domain covers the key concepts tested in this area of the CCSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CCSP domains — no account required.
The Courseiva CCSP question bank contains 44 questions in the Cloud Concepts, Architecture and Design domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Cloud Concepts, Architecture and Design domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.