Practice CCSP Cloud Security Operations questions with full explanations on every answer.
1. A cloud security engineer is troubleshooting a failure in automated backups for a production database. The backup job runs nightly but has failed for the past three nights. The logs show permission denied errors when the backup service attempts to write to the storage bucket. Which action should the engineer take first?
2. An organization is designing a cloud storage solution for highly sensitive customer data. The data must be encrypted at rest and the encryption keys must be managed by the customer, not the cloud provider. Additionally, the solution must allow granular access control based on data classification. Which combination of services should the architect recommend?
3. A company uses a cloud-based SIEM to aggregate logs from multiple sources. Recently, the SIEM stopped receiving logs from a critical application server. The server is running and the application is functioning normally. The security team has verified that the log forwarder service is running on the server and the network path to the SIEM is open. Which additional step should the team take to diagnose the issue?
4. Which TWO of the following are best practices for securing a cloud-based container orchestration platform?
5. Which THREE of the following are key considerations when designing a disaster recovery plan for a cloud-based application?
6. Which TWO of the following are valid methods for securing data at rest in a cloud storage service?
7. Refer to the exhibit. A security analyst is investigating a potential unauthorized key pair creation. The CloudTrail log shows a successful CreateKeyPair event for an admin user. What additional step should the analyst take to determine if this was an authorized action?
8. Refer to the exhibit. A security engineer has attached the above IAM policy to a user. What is the effect of this policy?
9. Refer to the exhibit. A cloud administrator ran the Azure CLI command to list virtual machines. One VM shows a ProvisioningState of 'Failed'. What is the most likely cause of this state?
10. A financial services company runs a critical application on a cloud infrastructure. The application consists of a web tier, an application tier, and a database tier, all deployed in a single cloud region. The database is a managed relational database service with automated backups enabled. The company's disaster recovery plan requires a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour. During a recent regional outage, the primary region became unavailable for 6 hours. The company attempted to restore the database from the latest automated backup in a different region, but the restore took 5 hours due to the large database size, exceeding the RTO. Additionally, the backup was 2 hours old at the time of the outage, exceeding the RPO. The security team has also noted that the backup data is encrypted with a cloud-managed key, which may not meet future compliance requirements for customer-managed encryption keys. Which course of action should the company take to meet both the RTO and RPO objectives while also addressing the encryption requirement?
11. A healthcare organization has deployed a cloud-based application that handles protected health information (PHI). The application runs on virtual machines in a virtual private cloud (VPC). The security team has implemented security groups to control traffic to the VMs. Recently, an external penetration test revealed that a web server VM is accessible from the internet on port 22 (SSH) from any IP address (0.0.0.0/0). The security team also discovered that the SSH key pair used for the web server was created with a weak algorithm (1024-bit RSA). The team needs to remediate these issues without causing downtime for the application. Additionally, the application logs must be sent to a centralized logging solution that is encrypted in transit and at rest. Which combination of actions should the security team take?
12. A cloud security team is investigating a data breach in their AWS environment. The logs show that an EC2 instance with an attached IAM role was compromised. The attacker used the instance's temporary credentials to access an S3 bucket containing sensitive data. Which design change would BEST prevent this type of attack in the future?
13. A company is migrating a critical application to the cloud and must ensure that its security operations center (SOC) can detect and respond to threats in real time. The application generates high volumes of logs. Which combination of services would provide the MOST efficient and cost-effective solution for centralized logging, analysis, and alerting?
14. During a cloud security audit, it is discovered that a cloud storage bucket is configured to allow access from any IP address. The bucket contains sensitive customer data. What is the BEST immediate action to secure the bucket?
15. A cloud security engineer is tasked with automating the response to a detected malware infection on a virtual machine. The engineer wants to isolate the VM from the network immediately upon detection. Which cloud-native feature should be used?
16. Which TWO of the following are key components of a cloud incident response plan that should be tested regularly?
17. Refer to the exhibit. A cloud security analyst reviews the bucket policy for example-bucket. Based on the policy, which of the following is true?
18. A multinational corporation runs its critical applications on a cloud platform. The security team has implemented a Security Information and Event Management (SIEM) solution that collects logs from various cloud services, including virtual machines, storage, and databases. The SIEM is configured to generate alerts based on predefined rules. Recently, the team noticed an increase in false positive alerts, causing alert fatigue among the analysts. Additionally, there is a lack of context in the alerts, making it difficult to triage and prioritize incidents. The team wants to improve the efficiency of the SOC without increasing headcount. Which of the following is the BEST course of action to address these issues?
19. A company's security team is investigating an anomalous spike in outbound traffic from a cloud workload. The workload is a web server running in an IaaS environment. The team suspects data exfiltration. Which of the following is the BEST initial step to identify the source and type of traffic?
20. A cloud security architect is designing a secure CI/CD pipeline for a containerized application deployed on a Kubernetes cluster. The pipeline must ensure that only approved images are deployed. Which TWO of the following controls should be implemented? (Choose two.)
21. Refer to the exhibit. A cloud security analyst is reviewing an S3 bucket policy. The bucket contains sensitive data and must only be accessible over HTTPS from the internal network (10.0.0.0/24). Which of the following correctly describes the behavior of this policy?
22. Drag and drop the steps for responding to a security incident involving a compromised cloud VM into the correct order.
23. Drag and drop the steps for implementing a secure DevOps (DevSecOps) pipeline in a cloud environment into the correct order.
24. Match each data state to its encryption requirement in cloud environments.
25. Match each virtualization security concept to its description.
26. A company experiences a security breach in its cloud environment, and the security team needs to preserve evidence for legal proceedings. Which of the following is the MOST important step to take first?
27. A cloud administrator is configuring log retention for a financial application that must comply with PCI DSS. What is the minimum log retention period required by PCI DSS?
28. A security analyst is conducting a forensic investigation of a compromised virtual machine in a public cloud. The VM is running in a production environment and cannot be stopped. Which of the following techniques is MOST appropriate to acquire volatile memory evidence?
29. A company uses a cloud key management service with automatic annual key rotation. An auditor requires that keys are rotated every 90 days to meet internal policy. What should the cloud security architect do to satisfy this requirement?
30. A cloud administrator is designing a backup strategy for a critical database. Which of the following is the BEST approach to ensure data recoverability in case of a regional outage?
31. A company is deploying a multi-tier application in a public cloud and needs to restrict traffic between tiers. The web tier must only accept HTTPS from the internet, and the app tier must only accept HTTP from the web tier. Which cloud networking feature should be used to enforce this?
32. An organization uses a continuous integration/continuous deployment (CI/CD) pipeline to deploy infrastructure as code. The security team wants to ensure that all cloud resources comply with internal security policies before deployment. Which of the following is the MOST effective method to enforce this?
33. A cloud operations team has a process for making changes to production environments. Which change management practice is MOST important for reducing the risk of service disruption?
34. A multinational corporation operates in a country where data sovereignty laws require that all customer data remain within the country's borders. The company uses a global public cloud provider. Which operational control is MOST critical to ensure compliance?
35. Which TWO responsibilities are typically shared between the cloud customer and the cloud provider in an IaaS model? (Choose two.)
36. Which THREE components are essential for establishing a secure baseline configuration for a cloud virtual machine? (Choose three.)
37. Which TWO cloud monitoring tools are used primarily for detecting anomalous behavior that may indicate a security incident? (Choose two.)
38. Refer to the exhibit. An IAM policy is attached to a user. Which action is the user allowed to perform?
39. Refer to the exhibit. An administrator attaches security group sg-12345 to a web server. Which of the following describes the traffic that will be allowed by the security group?
40. Refer to the exhibit. A data sync job fails with the error shown. The IAM role 'data-sync-role' has the following policy attached: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:*:*:data-bucket-2024/*" } ] } What is the MOST likely cause of the failure?
41. A security analyst notices that a cloud storage bucket contains objects with public read access. The organization's policy prohibits public access. What is the most efficient way to remediate this issue across all objects in the bucket?
42. A cloud operations team is implementing a logging strategy for their hybrid cloud environment. They need to ensure that logs from on-premises systems are collected and stored in a centralized cloud logging service with low latency. Which configuration is most appropriate?
43. During a security audit, it is discovered that a cloud service provider's infrastructure-as-a-service (IaaS) environment has virtual machines that were provisioned with default firewall rules allowing all inbound traffic from the internet. The organization's cloud security policy requires that all VM firewall rules follow a least-privilege model. What is the most effective approach to enforce this policy going forward?
44. A cloud security administrator is reviewing the security controls for a SaaS application. Which of the following are typically the responsibility of the cloud customer (tenant) in a SaaS model? (Choose two.)
45. A cloud operations team is implementing a disaster recovery plan. Which of the following are valid strategies for data replication in a cloud environment? (Choose three.)
46. A cloud security engineer is investigating a potential data breach in a cloud environment. The organization uses a cloud access security broker (CASB) and has deployed a security information and event management (SIEM) system. Which of the following are likely indicators that the CASB has detected unauthorized data exfiltration? (Choose two.)
47. A security analyst reviews the bucket policy above. What is the primary security concern?
48. The security team notices that the request above is from a known malicious IP address. However, the load balancer did not block it. What is the most likely reason?
49. A cloud security engineer reviews the Terraform configuration above. Which of the following is a security best practice that has been violated?
50. A cloud security administrator needs to ensure that all API calls to the cloud provider's management plane are logged for audit purposes. Which service should be enabled?
51. A cloud operations team is setting up a new virtual network in the cloud. They need to segment traffic between different tiers of an application (web, application, database). Which security control should they implement?
52. A company has deployed a mission-critical application in the cloud and needs to ensure that it remains available even if an entire cloud region fails. Which architecture pattern should they adopt?
53. A security analyst is using a cloud security posture management (CSPM) tool that reports a finding of "storage bucket publicly accessible." However, upon manual inspection, the bucket's ACL and bucket policy both restrict access to authorized users only. What is the most likely cause of the false positive?
54. An organization uses a cloud key management service (KMS) to encrypt data at rest. The security policy requires that the encryption keys be rotated every 90 days. The operations team is concerned about the impact of key rotation on encrypted data. Which of the following statements is true regarding KMS key rotation?
55. A cloud security engineer is reviewing incident response procedures for a hybrid cloud environment. During a security incident, the team needs to collect forensic evidence from a compromised virtual machine while preserving its state. Which of the following actions should be taken first?
56. A security analyst is investigating a data breach in a cloud environment. The analyst needs to preserve evidence for legal proceedings. Which of the following actions is most critical to ensure the chain of custody is maintained?
57. During a security incident in a multi-tenant cloud environment, the cloud provider's logging system indicates that a virtual machine (VM) on a shared hypervisor has been compromised. The provider wants to assist the customer with forensic analysis while minimizing impact to other tenants. Which approach is most appropriate?
58. A company uses an Infrastructure as a Service (IaaS) provider for critical applications. They need to define a backup retention policy that meets regulatory requirements for keeping financial records for 7 years. Which of the following strategies best meets this requirement while optimizing costs?
59. An organization has implemented a change management process for its cloud infrastructure. During a routine change, a network security group rule is modified incorrectly, causing a critical application to become inaccessible. What is the most effective way to prevent this issue in future changes?
60. A cloud security team needs to implement a logging strategy that captures user activity, API calls, and resource changes across multiple cloud services. The logs must be tamper-proof and retained for at least one year. Which combination of actions best meets these requirements?
61. A cloud service provider is designing a new data center. To ensure physical security, which of the following controls is most effective for preventing unauthorized access to the server floor?
62. A company has a disaster recovery (DR) plan that includes failing over to a secondary cloud region. The plan was tested six months ago and worked, but since then significant infrastructure changes have been made. Which of the following should the company do to ensure the DR plan remains effective?
63. A cloud security architect is designing an API gateway for a microservices application. The gateway must authenticate requests, enforce rate limiting, and log all transactions for audit. Which of the following security controls is most critical to protect against API abuse?
64. An organization uses a cloud key management service (KMS) for encryption keys. The security policy requires automatic rotation of keys every 90 days. Which rotation strategy best balances security and operational impact?
65. Which TWO of the following are best practices for monitoring a cloud environment to detect security incidents?
66. Which THREE of the following are essential steps in the incident response process for a cloud security incident?
67. Which THREE of the following are effective strategies for ensuring data backup integrity and recoverability in the cloud?
68. A company has implemented a centralized logging solution for its cloud environment. The security team notices that logs from a critical application are missing for the past hour. What is the MOST likely cause?
69. During a security incident involving a compromised virtual machine (VM) in a public cloud, the incident response team needs to preserve evidence for potential legal action. Which of the following actions should be taken FIRST?
70. A cloud security architect is designing a forensics capability for a multi-tenant infrastructure-as-a-service (IaaS) environment. Which of the following is the MOST significant challenge when performing forensic acquisition of virtual machine (VM) memory?
71. A cloud customer is decommissioning a storage service that contains sensitive data. The cloud provider offers several data destruction options. Which method provides the HIGHEST assurance that data is irrecoverable?
72. A company runs its production workloads on a cloud platform. The security team wants to ensure that all compute instances are patched within 30 days of a patch release. Which of the following is the BEST approach to enforce this requirement?
73. A cloud security operations team is evaluating SIEM solutions. They need to minimize false positives while ensuring critical security events are not missed. Which of the following is the MOST effective technique to achieve this balance?
74. A cloud customer experiences a ransomware attack that encrypts data in an object storage bucket. The customer has versioning enabled on the bucket. How can the customer MOST effectively restore the data?
75. A company uses a cloud provider's managed database service. The security team is concerned about the shared responsibility model for patching the operating system and database engine. According to the shared responsibility model, who is responsible for applying security patches to the database engine?
76. An incident response team is investigating a potential breach in a cloud environment. They have collected logs from various sources. Which of the following is the MOST critical factor to ensure the admissibility of digital evidence in court?
77. Which TWO of the following are best practices for implementing baseline configuration management in a cloud environment? (Choose two.)
78. Which THREE of the following are key components of an incident response plan specific to cloud environments? (Choose three.)
79. Which TWO of the following are valid considerations when performing forensic imaging of virtual machines in a public cloud? (Choose two.)
80. Refer to the exhibit. An AWS CloudTrail log entry is shown. Which of the following can be determined from this log entry?
81. A company runs its production workloads on a cloud infrastructure-as-a-service (IaaS) platform. The security operations team uses a SIEM to monitor security events. Over the past week, they have observed an increasing number of alerts indicating failed login attempts to a critical database server. The source IP addresses are varied and originate from different geographic regions. The team has also noticed that the database server's CPU usage has spiked during non-business hours. The database is not exposed to the internet; it is in a private subnet. The security team suspects that the database credentials have been compromised. Which of the following actions should the security team take FIRST to mitigate the risk?
82. A cloud customer is migrating a legacy application to a cloud platform. The application currently runs on physical servers and uses local storage. The migration plan involves rehosting the application on virtual machines (VMs) in the cloud. The security team wants to ensure that the VMs are properly hardened before deployment. During the migration testing, the team discovers that the base image used for the VMs contains several unnecessary services and default credentials. The team is concerned that these vulnerabilities could be exploited. The cloud provider offers a shared responsibility model where the customer is responsible for securing the OS. Which of the following is the BEST course of action to address this issue?
83. A financial services company is migrating a critical application to the cloud. They must ensure that the cloud provider supports the ability to conduct forensic investigations in case of a security incident. Which of the following is the MOST important requirement to include in the contract?
84. A cloud security architect is designing a defense-in-depth strategy for a multi-tenant IaaS environment. Which of the following controls would BEST protect against workload isolation failure due to a hypervisor vulnerability?
85. A multinational corporation uses a hybrid cloud model with on-premises data centers and the AWS cloud. They have implemented a Cloud Access Security Broker (CASB) to enforce security policies. Recently, the security team noticed that users are accessing cloud applications from unusual geographic locations and downloading large volumes of data. The CASB logs show that the users authenticated using single sign-on (SSO) with valid credentials. The company has not enabled multi-factor authentication (MFA) for all users due to a previous pushback from the user community. The security team suspects a credential theft incident. What is the BEST course of action to mitigate the risk and respond to the potential incident?
86. A cloud security engineer is responsible for a SaaS application hosted on a public cloud provider. The application uses a relational database to store customer data. The security team recently conducted a vulnerability assessment and discovered that the database can be accessed over the internet without any network restrictions. Additionally, the database admin user has the same password as the root account, and the password has not been changed in 18 months. The company is subject to GDPR and PCI DSS compliance requirements. The engineer needs to remediate these issues immediately. Which of the following actions should be taken FIRST?
87. A cloud operations team manages a critical application on AWS that uses EC2 instances behind an Application Load Balancer (ALB). The application experiences occasional high latency and timeout errors. The team has enabled detailed monitoring and CloudWatch Logs. They notice that during peak hours, the CPU utilization on some instances reaches 95%, while others remain around 40%. The security group allows traffic from a wide range of IP addresses. The team needs to improve both performance and security. Which of the following actions would BEST address the performance imbalance and also enhance security posture?
88. A company is migrating its on-premises virtualized environment to the Azure cloud. The security team wants to ensure they can detect and respond to security incidents in the cloud. They plan to use Azure Security Center and Azure Sentinel. The on-premises environment uses a SIEM tool and logs from all servers are forwarded to it. In the cloud, they have provisioned virtual machines (VMs) running various workloads. The team needs to ensure that all security events from these VMs are captured and analyzed. Which of the following steps should they take FIRST to achieve comprehensive log collection?
89. A healthcare organization is using a cloud-based electronic health record (EHR) system hosted on a PaaS platform. The platform provides a web interface and an API for integration with internal systems. The organization's security policy requires encryption of all data at rest and in transit. They have implemented SSL/TLS for data in transit and enabled server-side encryption for the database. However, during a recent audit, it was discovered that the API returns diagnostic data in clear text when accessed from internal networks. The internal network is considered trusted. The auditor recommends implementing end-to-end encryption. Which of the following is the BEST approach to meet this requirement?
90. A cloud security team is developing an incident response plan for a SaaS application hosted on a public cloud. During the preparation phase, which TWO steps are most critical to include?
91. A security engineer reviews the S3 bucket policy shown in the exhibit. Which security concern should be addressed immediately?
92. A financial services company uses a hybrid cloud environment with an on-premises data center and AWS. They have deployed a Cloud Access Security Broker (CASB) to enforce data loss prevention (DLP) policies for SaaS applications. Recently, the security team noticed that sensitive customer data is being exfiltrated via encrypted traffic to a sanctioned cloud storage application. The CASB logs show the traffic is identified as HTTPS, but the DLP policy is not blocking it. The team verifies that the CASB is configured with a forward proxy and SSL inspection is enabled. Which action should the security team take to prevent this exfiltration?
The Cloud Security Operations domain covers the key concepts tested in this area of the CCSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CCSP domains — no account required.
The Courseiva CCSP question bank contains 92 questions in the Cloud Security Operations domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Cloud Security Operations domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.