Courseiva
Knowledge + Practice

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Cloud Platform and Infrastructure Security

Practice CCSP Cloud Platform and Infrastructure Security questions with full explanations on every answer.


All CCSP Cloud Platform and Infrastructure Security questions (44)


1

A financial services company is migrating its on-premises data center to a public cloud IaaS environment. During the transition, the security team must ensure that the same network segmentation and firewall rules are maintained. Which of the following is the BEST approach to replicate the on-premises network security controls in the cloud?

2

A cloud architect is designing a multi-tier application in a public cloud. The web tier must be accessible from the internet, while the application and database tiers must only be reachable from the web tier. The architect needs to ensure that even if the web server is compromised, the attacker cannot directly access the database. Which architecture BEST meets this requirement?

3

During a cloud migration, a company discovers that its existing virtual machine images contain embedded credentials and proprietary software that must not be exposed to the cloud provider's administrators. Which of the following is the BEST strategy to protect this sensitive data while maintaining the ability to create new instances?

4

A company's security policy requires that all data stored in the cloud must be encrypted at rest. The cloud provider offers server-side encryption with either cloud-managed keys or customer-managed keys (CMK). Which additional control should the company implement to ensure that the CMK is not compromised and that access is auditable?

5

A company is deploying a critical application on a public cloud IaaS platform. To ensure high availability and disaster recovery, which TWO of the following strategies should the company implement? (Choose two.)

6

A multinational corporation is deploying a containerized microservices application on a public cloud Kubernetes cluster. The cluster spans three availability zones in a single region. The application consists of a front-end service, a payment service, and a database service. The security team requires that the payment service must not be directly accessible from the internet, but must be accessible from the front-end service. The database must only be accessible from the payment service. Additionally, all inter-service communication must be encrypted, and the cluster must be able to scale up to 500 nodes during peak load. The cloud provider's container orchestration service is used. After deployment, the security team discovers that the payment service is still reachable from the internet via a public load balancer that was configured for testing. The team needs to remediate this issue immediately without disrupting the front-end service. Which of the following actions should the team take FIRST?

7

A security architect is designing a cloud workload protection platform (CWPP) for a hybrid cloud environment. The architect needs to ensure that security policies are consistently applied across virtual machines running in both on-premises and public cloud environments. Which TWO components are essential for achieving this goal?

8

A cloud security engineer reviews the IAM policy shown in the exhibit, which is attached to an S3 bucket. The engineer finds that users from outside the 10.0.0.0/8 network can still download objects from the bucket. What is the most likely reason for this behavior?

9

A large financial institution hosts a critical application in a multi-cloud environment using AWS and Azure. The application processes sensitive customer data and requires low-latency access to a shared database. The database is deployed as a MySQL instance in AWS RDS, and the Azure application instances connect to it over the public internet using SSL. Recently, the security team discovered that the database connection traffic is being routed through an unencrypted proxy, exposing the data in transit. The network architect must redesign the connectivity to ensure encryption end-to-end and minimize latency. The current setup includes an AWS Direct Connect and an Azure ExpressRoute that both terminate at the same on-premises data center. The on-premises network has a firewall that inspects all traffic. The architect proposes using the on-premises data center as an intermediary to route traffic between clouds. Which of the following solutions best addresses the security and latency requirements?

10

Drag and drop the steps for implementing a disaster recovery plan using cross-region replication in AWS into the correct order.

11

Match each key management solution to its characteristic.

12

A company wants to enforce that all EC2 instances launched in a specific AWS account are tagged with the keys "Environment" and "Owner". What is the most effective way to enforce this policy?

13

An organization requires that all data at rest in a cloud storage service be encrypted using a key that is managed entirely on-premises and never exposed to the cloud provider. The organization wants to use server-side encryption. Which approach should be used?

14

A multi-tier web application is deployed across two VPCs connected via VPC peering. The web tier in VPC A must communicate with the database tier in VPC B on port 3306. Security groups are used for instance-level security. Which security group configuration is MOST secure?

15

A developer accidentally launched an EC2 instance with an overly permissive security group that allows SSH from 0.0.0.0/0. After a security review, the team wants to ensure this cannot happen again. What is the MOST effective preventive control?

16

A company is using AWS CloudTrail to log API calls. A security analyst needs to be alerted when an IAM user creates a new access key for another user. Which CloudTrail event should be monitored?

17

An organization has a cloud environment with many accounts. They want to prevent any account from using certain services that are not approved (e.g., outside of a defined list). What is the BEST way to enforce this at the organizational level?

18

A cloud administrator needs to ensure that all data transferred between an on-premises data center and a cloud VPC is encrypted in transit. Which solution should be used?

19

A security engineer is reviewing logs and finds repeated failed login attempts to a cloud database instance. The database is accessible only from a specific security group. What is the BEST immediate action to reduce the attack surface?

20

A company uses AWS Organizations with multiple accounts. A security team wants to ensure that a specific S3 bucket in the production account cannot be deleted by anyone, including the root user of that account. Which control should be implemented?

21

A cloud security team is designing a defense-in-depth strategy for a web application. Which TWO of the following are effective network-level security controls? (Choose two.)

22

An organization is migrating critical workloads to the cloud and must ensure data confidentiality. Which THREE of the following practices help protect data in transit? (Choose three.)

23

Which TWO of the following are recommended practices for securing cloud storage buckets? (Choose two.)

24

Refer to the exhibit. A security engineer attaches this bucket policy to an S3 bucket. What does this policy accomplish?

25

Refer to the exhibit. A CloudFormation template defines a security group as shown. What is the security concern with this configuration?

26

Refer to the exhibit. A security analyst reviews this CloudTrail log entry. What is the most immediate concern?

27

A company is migrating on-premises workloads to IaaS. They need to ensure that virtual machine images are secure and free of malware. Which approach is best practice?

28

A cloud administrator notices that a storage bucket containing sensitive data is publicly accessible. What is the most likely misconfiguration?

29

A financial services firm uses a hybrid cloud architecture with a VPN connection to AWS. They need to comply with PCI DSS requirements for network segmentation. Which design is best?

30

A cloud security engineer is designing a disaster recovery plan for a critical application running on virtual machines. The RTO is 4 hours and RPO is 1 hour. Which approach meets these requirements?

31

An organization wants to encrypt data at rest in a cloud object storage service. Which control is appropriate?

32

A DevOps team is deploying containers in a Kubernetes cluster. They need to ensure that container images are scanned for vulnerabilities before deployment. Which is the most effective approach?

33

A company uses a cloud provider's key management service. They want to rotate keys automatically every 90 days. What is the correct way to achieve this?

34

A security architect is designing network segmentation for a multi-tier application in the cloud. Which TWO configurations help enforce micro-segmentation? (Choose two.)

35

A cloud security team is auditing a cloud environment and needs to ensure compliance with logging requirements. Which TWO actions are essential? (Choose two.)

36

A company is implementing a software-defined perimeter (SDP) for their cloud environment. Which THREE characteristics are typical of an SDP? (Choose three.)

37

Refer to the exhibit. A security analyst finds this IAM policy attached to an S3 bucket. What is the primary security issue?

38

Refer to the exhibit. A cloud administrator sees this error when trying to provision an EC2 instance. Which is the best course of action?

39

A large healthcare organization runs its electronic health records (EHR) system on a private cloud built with VMware vSphere. They have implemented a hybrid cloud strategy with a public cloud provider for disaster recovery. The EHR application is mission-critical and must maintain high availability with zero data loss. During a routine audit, the security team discovers that the replication between the private cloud and the public cloud uses asynchronous replication with a 15-minute recovery point objective (RPO). However, the application requires an RPO of less than 1 minute. Additionally, the replication data is not encrypted in transit. The compliance officer demands immediate remediation. The cloud architect must propose a solution that meets the RPO requirement and ensures encryption of data in transit. Which of the following actions is the most appropriate first step?

40

A medium-sized e-commerce company uses a cloud provider's container orchestration service (e.g., Amazon ECS or Google Kubernetes Engine). They have a security requirement to ensure that all containers run with the least privilege principle. The development team often requests containers to run as root for debugging purposes. The security team wants to enforce a policy that prevents containers from running as root in the production environment. However, the development team still needs the ability to troubleshoot occasionally. The cloud security architect must design a solution that restricts root privilege in production but allows controlled troubleshooting. Which of the following approaches is the most effective?

41

A small business recently migrated its file server to a cloud storage service like Amazon S3. They use bucket policies to control access. The IT manager, who is not a security expert, configured the bucket policy to allow all users within the company's AWS account to have read and write access. During an internal audit, it was discovered that the bucket also had a public ACL that allowed 'Everyone' to read objects. The security analyst needs to fix the misconfiguration and prevent future occurrences. Which of the following actions should the analyst take first?

42

A cloud security architect is concerned about potential side-channel attacks against VMs running on a shared hypervisor. Which TWO of the following measures would be most effective in mitigating such attacks?

43

Refer to the exhibit. A cloud security administrator is reviewing the following security group configuration associated with a web server instance. What security best practice is being violated?

44

A financial services company uses a public IaaS provider to host its customer-facing applications. They have strict compliance requirements (e.g., PCI DSS) mandating that all customer data be encrypted at rest and in transit. The cloud provider recently performed a scheduled hypervisor update that required live migration of all customer VMs to different physical hosts to apply security patches. After the migration, the company's security team discovers that temporary files from one of their VMs remained on the original host's local storage and were accessible by another customer's VM that was subsequently provisioned on that host. Although the files did not contain actual customer data because the VM had encrypted its volumes, the security team is concerned about potential data remanence. Which of the following actions would BEST prevent such data remanence in future hypervisor migrations?


Frequently asked questions

What does the Cloud Platform and Infrastructure Security domain cover on the CCSP exam?

The Cloud Platform and Infrastructure Security domain covers the key concepts tested in this area of the CCSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CCSP domains — no account required.

How many Cloud Platform and Infrastructure Security questions are in the CCSP question bank?

The Courseiva CCSP question bank contains 44 questions in the Cloud Platform and Infrastructure Security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Cloud Platform and Infrastructure Security for CCSP?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Cloud Platform and Infrastructure Security questions for CCSP?

Yes — the session launcher on this page draws questions exclusively from the Cloud Platform and Infrastructure Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
