Practice CCSP Cloud Platform and Infrastructure Security questions with full explanations on every answer.
1. A financial services company is migrating its on-premises data center to a public cloud IaaS environment. During the transition, the security team must ensure that the same network segmentation and firewall rules are maintained. Which of the following is the BEST approach to replicate the on-premises network security controls in the cloud?
2. A cloud architect is designing a multi-tier application in a public cloud. The web tier must be accessible from the internet, while the application and database tiers must only be reachable from the web tier. The architect needs to ensure that even if the web server is compromised, the attacker cannot directly access the database. Which architecture BEST meets this requirement?
3. During a cloud migration, a company discovers that its existing virtual machine images contain embedded credentials and proprietary software that must not be exposed to the cloud provider's administrators. Which of the following is the BEST strategy to protect this sensitive data while maintaining the ability to create new instances?
4. A company's security policy requires that all data stored in the cloud must be encrypted at rest. The cloud provider offers server-side encryption with either cloud-managed keys or customer-managed keys (CMK). Which additional control should the company implement to ensure that the CMK is not compromised and that access is auditable?
5. A company is deploying a critical application on a public cloud IaaS platform. To ensure high availability and disaster recovery, which TWO of the following strategies should the company implement? (Choose two.)
6. A multinational corporation is deploying a containerized microservices application on a public cloud Kubernetes cluster. The cluster spans three availability zones in a single region. The application consists of a front-end service, a payment service, and a database service. The security team requires that the payment service must not be directly accessible from the internet, but must be accessible from the front-end service. The database must only be accessible from the payment service. Additionally, all inter-service communication must be encrypted, and the cluster must be able to scale up to 500 nodes during peak load. The cloud provider's container orchestration service is used. After deployment, the security team discovers that the payment service is still reachable from the internet via a public load balancer that was configured for testing. The team needs to remediate this issue immediately without disrupting the front-end service. Which of the following actions should the team take FIRST?
7. A security architect is designing a cloud workload protection platform (CWPP) for a hybrid cloud environment. The architect needs to ensure that security policies are consistently applied across virtual machines running in both on-premises and public cloud environments. Which TWO components are essential for achieving this goal?
8. A cloud security engineer reviews the IAM policy shown in the exhibit, which is attached to an S3 bucket. The engineer finds that users from outside the 10.0.0.0/8 network can still download objects from the bucket. What is the most likely reason for this behavior?
9. A large financial institution hosts a critical application in a multi-cloud environment using AWS and Azure. The application processes sensitive customer data and requires low-latency access to a shared database. The database is deployed as a MySQL instance in AWS RDS, and the Azure application instances connect to it over the public internet using SSL. Recently, the security team discovered that the database connection traffic is being routed through an unencrypted proxy, exposing the data in transit. The network architect must redesign the connectivity to ensure encryption end-to-end and minimize latency. The current setup includes an AWS Direct Connect and an Azure ExpressRoute that both terminate at the same on-premises data center. The on-premises network has a firewall that inspects all traffic. The architect proposes using the on-premises data center as an intermediary to route traffic between clouds. Which of the following solutions best addresses the security and latency requirements?
10. Drag and drop the steps for implementing a disaster recovery plan using cross-region replication in AWS into the correct order.
11. Match each key management solution to its characteristic.
12. A company wants to enforce that all EC2 instances launched in a specific AWS account are tagged with the keys "Environment" and "Owner". What is the most effective way to enforce this policy?
13. An organization requires that all data at rest in a cloud storage service be encrypted using a key that is managed entirely on-premises and never exposed to the cloud provider. The organization wants to use server-side encryption. Which approach should be used?
14. A multi-tier web application is deployed across two VPCs connected via VPC peering. The web tier in VPC A must communicate with the database tier in VPC B on port 3306. Security groups are used for instance-level security. Which security group configuration is MOST secure?
15. A developer accidentally launched an EC2 instance with an overly permissive security group that allows SSH from 0.0.0.0/0. After a security review, the team wants to ensure this cannot happen again. What is the MOST effective preventive control?
16. A company is using AWS CloudTrail to log API calls. A security analyst needs to be alerted when an IAM user creates a new access key for another user. Which CloudTrail event should be monitored?
17. An organization has a cloud environment with many accounts. They want to prevent any account from using certain services that are not approved (e.g., outside of a defined list). What is the BEST way to enforce this at the organizational level?
18. A cloud administrator needs to ensure that all data transferred between an on-premises data center and a cloud VPC is encrypted in transit. Which solution should be used?
19. A security engineer is reviewing logs and finds repeated failed login attempts to a cloud database instance. The database is accessible only from a specific security group. What is the BEST immediate action to reduce the attack surface?
20. A company uses AWS Organizations with multiple accounts. A security team wants to ensure that a specific S3 bucket in the production account cannot be deleted by anyone, including the root user of that account. Which control should be implemented?
21. A cloud security team is designing a defense-in-depth strategy for a web application. Which TWO of the following are effective network-level security controls? (Choose two.)
22. An organization is migrating critical workloads to the cloud and must ensure data confidentiality. Which THREE of the following practices help protect data in transit? (Choose three.)
23. Which TWO of the following are recommended practices for securing cloud storage buckets? (Choose two.)
24. Refer to the exhibit. A security engineer attaches this bucket policy to an S3 bucket. What does this policy accomplish?
25. Refer to the exhibit. A CloudFormation template defines a security group as shown. What is the security concern with this configuration?
26. Refer to the exhibit. A security analyst reviews this CloudTrail log entry. What is the most immediate concern?
27. A company is migrating on-premises workloads to IaaS. They need to ensure that virtual machine images are secure and free of malware. Which approach is best practice?
28. A cloud administrator notices that a storage bucket containing sensitive data is publicly accessible. What is the most likely misconfiguration?
29. A financial services firm uses a hybrid cloud architecture with a VPN connection to AWS. They need to comply with PCI DSS requirements for network segmentation. Which design is best?
30. A cloud security engineer is designing a disaster recovery plan for a critical application running on virtual machines. The RTO is 4 hours and the RPO is 1 hour. Which approach meets these requirements?
31. An organization wants to encrypt data at rest in a cloud object storage service. Which control is appropriate?
32. A DevOps team is deploying containers in a Kubernetes cluster. They need to ensure that container images are scanned for vulnerabilities before deployment. Which is the most effective approach?
33. A company uses a cloud provider's key management service. They want to rotate keys automatically every 90 days. What is the correct way to achieve this?
34. A security architect is designing network segmentation for a multi-tier application in the cloud. Which TWO configurations help enforce micro-segmentation? (Choose two.)
35. A cloud security team is auditing a cloud environment and needs to ensure compliance with logging requirements. Which TWO actions are essential? (Choose two.)
36. A company is implementing a software-defined perimeter (SDP) for their cloud environment. Which THREE characteristics are typical of an SDP? (Choose three.)
37. Refer to the exhibit. A security analyst finds this IAM policy attached to an S3 bucket. What is the primary security issue?
38. Refer to the exhibit. A cloud administrator sees this error when trying to provision an EC2 instance. Which is the best course of action?
39. A large healthcare organization runs its electronic health records (EHR) system on a private cloud built with VMware vSphere. They have implemented a hybrid cloud strategy with a public cloud provider for disaster recovery. The EHR application is mission-critical and must maintain high availability with zero data loss. During a routine audit, the security team discovers that the replication between the private cloud and the public cloud uses asynchronous replication with a 15-minute recovery point objective (RPO). However, the application requires an RPO of less than 1 minute. Additionally, the replication data is not encrypted in transit. The compliance officer demands immediate remediation. The cloud architect must propose a solution that meets the RPO requirement and ensures encryption of data in transit. Which of the following actions is the most appropriate first step?
40. A medium-sized e-commerce company uses a cloud provider's container orchestration service (e.g., Amazon ECS or Google Kubernetes Engine). They have a security requirement to ensure that all containers run with the least privilege principle. The development team often requests containers to run as root for debugging purposes. The security team wants to enforce a policy that prevents containers from running as root in the production environment. However, the development team still needs the ability to troubleshoot occasionally. The cloud security architect must design a solution that restricts root privilege in production but allows controlled troubleshooting. Which of the following approaches is the most effective?
41. A small business recently migrated its file server to a cloud storage service like Amazon S3. They use bucket policies to control access. The IT manager, who is not a security expert, configured the bucket policy to allow all users within the company's AWS account to have read and write access. During an internal audit, it was discovered that the bucket also had a public ACL that allowed 'Everyone' to read objects. The security analyst needs to fix the misconfiguration and prevent future occurrences. Which of the following actions should the analyst take first?
42. A cloud security architect is concerned about potential side-channel attacks against VMs running on a shared hypervisor. Which TWO of the following measures would be most effective in mitigating such attacks?
43. Refer to the exhibit. A cloud security administrator is reviewing the following security group configuration associated with a web server instance. What security best practice is being violated?
44. A financial services company uses a public IaaS provider to host its customer-facing applications. They have strict compliance requirements (e.g., PCI DSS) mandating that all customer data be encrypted at rest and in transit. The cloud provider recently performed a scheduled hypervisor update that required live migration of all customer VMs to different physical hosts to apply security patches. After the migration, the company's security team discovers that temporary files from one of their VMs remained on the original host's local storage and were accessible by another customer's VM that was subsequently provisioned on that host. Although the files did not contain actual customer data because the VM had encrypted its volumes, the security team is concerned about potential data remanence. Which of the following actions would BEST prevent such data remanence in future hypervisor migrations?
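The bucket-policy question (question 8 above) turns on a point that is easy to miss: an Allow statement with an IP condition never restricts anyone. It grants access to callers inside the range, and callers outside the range keep whatever their identity-based IAM policy already grants. Only an explicit Deny with a NotIpAddress condition blocks them. The following added example (written for this page, not taken from the question's exhibit or from any AWS code) models that evaluation in a simplified way: the bucket name, both bucket policies and the users' identity policy are assumptions, and the evaluator covers only Effect/Action/Resource plus the IpAddress and NotIpAddress operators for same-account principals.

```python
"""Simplified model of how AWS evaluates an S3 GetObject request against an
identity-based policy plus a bucket policy with an aws:SourceIp condition.

Constructed example: the policies below are assumptions, not the exhibit from
the question. Rules modelled: an explicit Deny in any policy wins; otherwise
an Allow from either the identity policy or the bucket policy grants access
(same-account principal); nothing else means implicit deny.
"""
import ipaddress
from fnmatch import fnmatchcase

BUCKET_ARN = "arn:aws:s3:::example-finance-reports"   # assumed bucket name
OBJECT_ARN = BUCKET_ARN + "/*"

# Weak policy: an Allow scoped to the corporate range. An Allow never takes
# anything away, so out-of-range callers still succeed via their IAM policy.
ALLOW_ONLY_POLICY = {
    "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": OBJECT_ARN,
        "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}},
    }]
}

# Corrected policy: explicit Deny for every source outside the range.
# An explicit Deny overrides every Allow, including identity-based ones.
EXPLICIT_DENY_POLICY = {
    "Statement": [{
        "Effect": "Deny", "Principal": "*",
        "Action": "s3:GetObject", "Resource": OBJECT_ARN,
        "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/8"}},
    }]
}

# Identity-based policy on the IAM users (assumed): broad S3 read access.
USER_IDENTITY_POLICY = {
    "Statement": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp; empty condition matches."""
    source = ipaddress.ip_address(context["aws:SourceIp"])
    for operator, keys in condition.items():
        nets = [ipaddress.ip_network(c) for c in _as_list(keys["aws:SourceIp"])]
        in_range = any(source in net for net in nets)
        if operator == "IpAddress" and not in_range:
            return False
        if operator == "NotIpAddress" and in_range:
            return False
    return True


def _statement_applies(stmt, action, resource, context):
    """Action and Resource patterns use IAM-style '*' wildcards."""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def evaluate(identity_policy, bucket_policy, action, resource, source_ip):
    """Return 'allow' or 'deny' for a same-account IAM principal."""
    context = {"aws:SourceIp": source_ip}
    effects = [
        stmt["Effect"]
        for policy in (identity_policy, bucket_policy)
        for stmt in policy["Statement"]
        if _statement_applies(stmt, action, resource, context)
    ]
    if "Deny" in effects:            # explicit deny always wins
        return "deny"
    return "allow" if "Allow" in effects else "deny"   # implicit deny otherwise


def download_decisions(bucket_policy):
    """Decision for an in-range caller (10.1.2.3) and an outside caller (203.0.113.7)."""
    return {
        ip: evaluate(USER_IDENTITY_POLICY, bucket_policy, "s3:GetObject",
                     BUCKET_ARN + "/q3.pdf", ip)
        for ip in ("10.1.2.3", "203.0.113.7")
    }


if __name__ == "__main__":
    print("Allow-only bucket policy:   ", download_decisions(ALLOW_ONLY_POLICY))
    print("Explicit-Deny bucket policy:", download_decisions(EXPLICIT_DENY_POLICY))
```

With the Allow-only policy both callers get the object; with the explicit Deny only the 10.0.0.0/8 caller does. One caveat worth remembering before shipping such a Deny: requests that arrive through a VPC endpoint do not carry a public source address, so an aws:SourceIp condition will not match them and they would be denied; AWS provides aws:VpcSourceIp and aws:SourceVpce for that path.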
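For the CloudTrail question (question 16 above), the interesting signal is not CreateAccessKey by itself, which also fires on ordinary self-service key rotation, but CreateAccessKey whose requestParameters.userName names someone other than the caller. The added example below (constructed for this page; the four records are made up and are not from the question's exhibit) applies that distinction over newline-delimited CloudTrail records. It assumes the callers are IAM users, so userIdentity.userName is present.

```python
"""Detection logic: alert when an IAM principal creates an access key for a
different IAM user.

Constructed example; the records below are made up to show the record shape
(eventSource, eventName, userIdentity, requestParameters, sourceIPAddress)
and are not taken from the page.
"""
import json

SAMPLE_RECORDS = [
    json.dumps({  # alice rotates her own key: normal
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"userName": "alice"},
        "sourceIPAddress": "10.20.30.40",
    }),
    json.dumps({  # alice creates a key for a service user: the pattern to alert on
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"userName": "svc-backup"},
        "sourceIPAddress": "198.51.100.9",
    }),
    json.dumps({  # userName omitted: the API creates a key for the caller itself
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "requestParameters": None,
        "sourceIPAddress": "10.20.30.41",
    }),
    json.dumps({  # a different IAM event; not in scope for this rule
        "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"userName": "carol"},
        "sourceIPAddress": "10.20.30.40",
    }),
]


def is_cross_user_key_creation(record):
    """True when CreateAccessKey targets a user other than the caller."""
    if record.get("eventSource") != "iam.amazonaws.com":
        return False
    if record.get("eventName") != "CreateAccessKey":
        return False
    caller = record.get("userIdentity", {}).get("userName")
    params = record.get("requestParameters") or {}   # may be null in CloudTrail
    target = params.get("userName")
    # No userName, or the caller's own name, is self-service rotation.
    if target is None or target == caller:
        return False
    return True


def find_alerts(lines):
    """Parse JSON records and return (caller, target, source IP) for each hit."""
    alerts = []
    for line in lines:
        record = json.loads(line)
        if is_cross_user_key_creation(record):
            alerts.append((
                record["userIdentity"].get("userName"),
                record["requestParameters"]["userName"],
                record.get("sourceIPAddress"),
            ))
    return alerts


if __name__ == "__main__":
    for caller, target, ip in find_alerts(SAMPLE_RECORDS):
        print(f"ALERT: {caller} created an access key for {target} from {ip}")
```

Two practical notes. If the caller is an assumed role rather than an IAM user, userIdentity has no userName and the comparison should use the session ARN instead. And the new key's ID appears in responseElements of the same record while the secret never does, so the log is enough to identify which key to disable during response.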
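Questions 14, 15 and 43 above all come down to reading security group rules: an admin port such as SSH open to 0.0.0.0/0 is the classic finding, and the secure shape for a database tier is a rule that references the calling tier's security group rather than a CIDR. The added example below (written for this page; the two groups are constructed and not from any exhibit) audits a list of groups in the IpPermissions structure that aws ec2 describe-security-groups returns, and shows the world-open rule removed while the HTTPS rule and the group-referenced 3306 rule are kept.

```python
"""Audit security group rules for world-open admin ports and for data-tier
ports that are allowed by CIDR instead of by security group reference.

Constructed example: WEB_SG and DB_SG are made up; the rule layout mirrors
the IpPermissions structure from `aws ec2 describe-security-groups`.
"""
import ipaddress

ADMIN_PORTS = (22, 3389)          # SSH, RDP
DATA_PORTS = (3306, 5432, 1433)   # MySQL, PostgreSQL, SQL Server

WEB_SG = {
    "GroupId": "sg-0web", "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,          # the finding
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}
DB_SG = {   # trusts only the web tier's group on 3306
    "GroupId": "sg-0db", "GroupName": "db-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0web"}]},
    ],
}


def _covers_port(perm, port):
    """True if the rule's port range (or 'all traffic', protocol -1) includes port."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _cidrs(perm):
    """All IPv4 and IPv6 CIDR sources on a rule."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return v4 + v6


def _is_world_open(perm):
    """0.0.0.0/0 or ::/0 as a source (prefix length zero)."""
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0
               for c in _cidrs(perm))


def audit(groups):
    """Return (group name, port, reason) findings across all groups."""
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            for port in ADMIN_PORTS:
                if _covers_port(perm, port) and _is_world_open(perm):
                    findings.append((sg["GroupName"], port,
                                     "admin port open to the world"))
            for port in DATA_PORTS:
                if _covers_port(perm, port) and _cidrs(perm):
                    findings.append((sg["GroupName"], port,
                                     "data port allowed by CIDR; reference the caller's group"))
    return findings


def strip_world_open_admin(sg):
    """Copy of the group without rules exposing an admin port to the world."""
    kept = [p for p in sg["IpPermissions"]
            if not (_is_world_open(p) and any(_covers_port(p, port) for port in ADMIN_PORTS))]
    return {**sg, "IpPermissions": kept}


if __name__ == "__main__":
    for finding in audit([WEB_SG, DB_SG]):
        print("FINDING:", finding)
    print("after remediation:", audit([strip_world_open_admin(WEB_SG), DB_SG]))
```

A check like this is detective: it finds the rule after it exists. The preventive control asked for in question 15 is whatever stops the rule from being authorized at all, and an audit of this kind is the complement that catches drift. On question 14, note that a security group can reference a group in a peered VPC only when both VPCs are in the same region; for cross-region peering the database rule has to fall back to the web subnet's CIDR.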
The Cloud Platform and Infrastructure Security domain covers the key concepts tested in this area of the CCSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CCSP domains — no account required.
The Courseiva CCSP question bank contains 44 questions in the Cloud Platform and Infrastructure Security domain.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.