Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsCCSPExam Questions

ISC2 · Free Practice Questions · Last reviewed May 2026

CCSP Exam Questions and Answers

36real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

150 exam questions
240 min time limit
Pass: 700/1000 / 1000
6 exam domains
OverviewDomain BlueprintStudy GuideAll QuestionsSample by Domain
1. Cloud Application Security2. Cloud Security Operations3. Legal, Risk and Compliance4. Cloud Concepts, Architecture and Design5. Cloud Platform and Infrastructure Security6. Cloud Data Security
1

Domain 1: Cloud Application Security

All Cloud Application Security questions
Q1
easyFull explanation →

A company is migrating a legacy application to the cloud. The application uses hardcoded database credentials. Which secure development practice should be implemented to address this?

A

Use code signing for all deployments

B

Implement input validation on all user inputs

C

Enable encryption at rest for the database

D

Use a secrets management service

Secrets management securely stores and rotates credentials, eliminating hardcoding.

Why: Hardcoded database credentials in application code create a severe security risk because they are exposed in version control, logs, and static analysis. Using a secrets management service (e.g., AWS Secrets Manager, HashiCorp Vault, Azure Key Vault) allows credentials to be stored securely, rotated automatically, and accessed at runtime via API calls, eliminating the need to embed secrets in code. This aligns with the principle of least privilege and secure credential management in cloud application security.
Q2
mediumFull explanation →

A security architect is designing a CI/CD pipeline for a cloud-native application. The team wants to automatically scan container images for vulnerabilities before deployment. Which of the following is the most effective approach?

A

Manually review images before each deployment

B

Integrate a container image scanner into the pipeline

Automated scanning in the pipeline prevents vulnerable images from being deployed.

C

Perform vulnerability scanning at runtime using a host-based agent

D

Scan the network for open ports on the container hosts

Why: Integrating a container image scanner into the CI/CD pipeline ensures that vulnerabilities are detected early, before the image is deployed to production. This approach automates security checks as part of the build process, aligning with DevSecOps principles by shifting security left. Tools like Trivy, Clair, or Anchore can be configured to fail the pipeline if critical vulnerabilities are found, preventing insecure images from reaching runtime.
Q3
hardFull explanation →

A SaaS provider uses a customer-managed encryption key (CMEK) model for data-at-rest. The provider's application runs in a multi-tenant cloud environment. Which attack surface is MOST directly mitigated by this approach?

A

Misconfigured storage buckets exposing data

B

Insider threats from cloud provider employees

CMEK prevents provider access to customer data without the key.

C

SQL injection vulnerabilities in the application

D

Side-channel attacks on shared physical hardware

Why: A customer-managed encryption key (CMEK) model gives the customer control over the key used to encrypt data at rest. This directly mitigates the risk of a cloud provider employee accessing the plaintext data, because even if the employee has administrative access to the storage infrastructure, they cannot decrypt the data without the customer's key. The provider holds the encrypted data, but the decryption key is managed and controlled by the customer, creating a logical separation that protects against insider threats from the provider's personnel.
Q4
easyFull explanation →

An organization is developing a mobile app that communicates with a cloud API. To ensure secure authentication, which of the following should be used?

A

Session cookies for state management

B

Basic authentication with username and password

C

OAuth 2.0 with OpenID Connect

Provides delegated authorization and authentication for mobile apps.

D

API keys sent in HTTP headers

Why: OAuth 2.0 with OpenID Connect (OIDC) is the correct choice because it provides a delegated authorization framework (OAuth 2.0) combined with an identity layer (OIDC) that enables secure authentication and single sign-on (SSO) for mobile apps communicating with cloud APIs. This combination issues short-lived access tokens and ID tokens (typically JWTs) rather than exposing long-lived credentials, and supports token refresh, scoped permissions, and PKCE (Proof Key for Code Exchange) to prevent authorization code interception on mobile devices.
Q5
mediumFull explanation →

A cloud security team is implementing a Web Application Firewall (WAF) for a public-facing web application. The application uses a REST API with JSON payloads. Which of the following is the WAF's primary benefit?

A

Scanning for data loss prevention (DLP) violations

B

Preventing network-layer DDoS attacks

C

Encrypting data in transit between client and server

D

Inspecting HTTP traffic for malicious payloads

WAFs filter application-layer attacks.

Why: A WAF operates at Layer 7 (application layer) and is specifically designed to inspect HTTP/HTTPS traffic for malicious payloads such as SQL injection, cross-site scripting (XSS), and JSON-based attacks. For a REST API using JSON, the WAF can parse and validate the JSON structure, blocking malformed or malicious payloads before they reach the application server. This is the primary benefit because it directly protects the application logic from web-based exploits.
Q6
hardFull explanation →

A company deploys microservices in Kubernetes. Each service communicates via gRPC with mutual TLS. A security assessment reveals that some services use self-signed certificates. What is the primary risk?

A

Inability to revoke certificates

B

Exposure of private keys in the container image

C

Increased latency due to certificate validation

D

Man-in-the-middle (MITM) attacks between services

Without trusted CA validation, MITM is possible.

Why: The primary risk of using self-signed certificates in a gRPC mutual TLS environment is that there is no trusted Certificate Authority (CA) to verify the identity of the communicating services. Without proper CA-signed certificates, an attacker can easily perform a man-in-the-middle (MITM) attack by presenting a forged self-signed certificate, intercepting and modifying gRPC traffic between microservices.

Want more Cloud Application Security practice?

Practice this domain
2

Domain 2: Cloud Security Operations

All Cloud Security Operations questions
Q1
easyFull explanation →

A cloud security engineer is troubleshooting a failure in automated backups for a production database. The backup job runs nightly but has failed for the past three nights. The logs show permission denied errors when the backup service attempts to write to the storage bucket. Which action should the engineer take first?

A

Open a support ticket with the cloud provider for incident response.

B

Check the IAM roles and bucket ACLs assigned to the service account.

The error indicates a permission issue, so this is the correct first step.

C

Restart the backup service and retry the job.

D

Rotate the service account keys used for authentication.

Why: The permission denied errors indicate that the service account used by the backup job lacks the necessary permissions to write to the storage bucket. Checking the IAM roles and bucket ACLs is the first logical step to identify and resolve the misconfiguration, as it directly addresses the root cause without introducing unnecessary changes or escalations.
Q2
mediumFull explanation →

An organization is designing a cloud storage solution for highly sensitive customer data. The data must be encrypted at rest and the encryption keys must be managed by the customer, not the cloud provider. Additionally, the solution must allow granular access control based on data classification. Which combination of services should the architect recommend?

A

Server-side encryption with customer-managed keys and a storage bucket with bucket-level policies.

B

Server-side encryption with cloud-managed keys and a storage bucket with bucket-level policies.

C

Cloud HSM for key management and a cloud storage service with object-level ACLs.

Customer-managed keys in HSM and object-level ACLs meet both requirements.

D

Client-side encryption with a cloud KMS and a storage bucket with bucket-level policies.

Why: Option C is correct because Cloud HSM provides customer-managed keys for encryption at rest, ensuring the customer retains sole control over the keys. Combined with a cloud storage service that supports object-level ACLs, this allows granular access control based on data classification, meeting both requirements.
Q3
hardFull explanation →

A company uses a cloud-based SIEM to aggregate logs from multiple sources. Recently, the SIEM stopped receiving logs from a critical application server. The server is running and the application is functioning normally. The security team has verified that the log forwarder service is running on the server and the network path to the SIEM is open. Which additional step should the team take to diagnose the issue?

A

Check the server's CPU and memory utilization.

B

Review the firewall rules between the server and the SIEM.

C

Restart the SIEM collector service.

D

Inspect the log forwarder's configuration and recent log files for errors.

This directly addresses the most probable cause of misconfiguration.

Why: Option D is correct because the most likely cause of logs not being received by the SIEM, when the server is running and the network path is open, is a misconfiguration or error within the log forwarder itself. Inspecting the forwarder's configuration (e.g., destination IP, port, protocol) and its local log files (e.g., syslog, Windows Event Forwarding logs) can reveal authentication failures, queue overflows, or parsing errors that prevent log transmission. This step directly addresses the log generation and forwarding pipeline, which is the remaining point of failure after verifying network connectivity and service status.
Q4
mediumFull explanation →

Which TWO of the following are best practices for securing a cloud-based container orchestration platform?

A

Use minimal base images to reduce the attack surface.

Minimal images reduce vulnerabilities.

B

Store secrets in environment variables for ease of use.

C

Run containers with root privileges by default.

D

Enable audit logging for all administrative actions.

Audit logs are essential for security.

E

Disable TLS certificate validation for internal communications.

Why: Using minimal base images (e.g., Alpine or distroless images) reduces the number of installed packages and libraries, thereby shrinking the attack surface. This practice limits the potential vectors for privilege escalation or remote code execution within containers, which is a core security principle for containerized workloads in platforms like Kubernetes.
Q5
hardFull explanation →

Which THREE of the following are key considerations when designing a disaster recovery plan for a cloud-based application?

A

Performing manual failover testing only once a year.

B

Eliminating all security controls to speed up recovery.

C

Implementing cross-region replication for critical data.

Cross-region replication ensures availability.

D

Defining the Recovery Time Objective (RTO) for critical services.

RTO is a key DR metric.

E

Ensuring data consistency and integrity across replicated environments.

Data consistency is vital.

Why: Option C is correct because cross-region replication ensures that critical data is asynchronously or synchronously copied to a geographically separate cloud region, providing resilience against regional outages. This design directly supports disaster recovery by enabling failover to a secondary site with minimal data loss, often leveraging cloud-native services like AWS S3 Cross-Region Replication or Azure Geo-Redundant Storage.
Q6
easyFull explanation →

Which TWO of the following are valid methods for securing data at rest in a cloud storage service?

A

Disabling encryption to reduce latency.

B

Implementing client-side encryption before uploading data.

Client-side encryption ensures data is encrypted before transmission.

C

Using server-side encryption with customer-managed keys.

This is a standard method for data at rest encryption.

D

Setting the storage bucket to public read access.

E

Enabling access logging for the storage bucket.

Why: Option B is correct because client-side encryption ensures data is encrypted before it leaves the client environment, so the cloud provider never has access to the plaintext. This is a valid method for securing data at rest in cloud storage, as the encrypted objects are stored in the service and can only be decrypted by the client holding the keys.

Want more Cloud Security Operations practice?

Practice this domain
3

Domain 3: Legal, Risk and Compliance

All Legal, Risk and Compliance questions
Q1
mediumFull explanation →

A company's cloud infrastructure is subject to GDPR. The DPO requires that all customer personal data be encrypted at rest and in transit. The cloud provider offers SSE-S3 for object storage and enforces TLS 1.2 for API calls. Which additional control should the company implement to meet GDPR accountability requirements?

A

Implement client-side encryption with a key management service.

B

Enable detailed logging of all access to encrypted data.

Logging provides an audit trail to demonstrate compliance with GDPR accountability.

C

Automatically delete backups older than 30 days.

D

Apply data masking to all personal data fields before storage.

Why: While SSE-S3 and TLS 1.2 address encryption at rest and in transit, GDPR accountability requires the company to demonstrate compliance through audit trails. Enabling detailed logging of all access to encrypted data (Option B) provides the necessary records to prove who accessed personal data, when, and from where, fulfilling the 'demonstrate compliance' principle under Article 5(2) and Article 30 of the GDPR.
Q2
hardFull explanation →

A financial institution uses a multi-cloud strategy with AWS and Azure. They must comply with PCI DSS. The security team found that a developer accidentally stored a file with credit card numbers in an S3 bucket that is publicly readable. Which immediate action should be taken to contain the breach?

A

Delete the file immediately.

B

Enable default encryption on the bucket.

C

Remove the public read permission on the bucket.

This stops further exposure while preserving the file for forensic analysis.

D

Revoke the developer's IAM credentials.

Why: Option C is correct because removing the public read permission on the S3 bucket immediately stops unauthorized access to the file containing credit card numbers, containing the breach in accordance with PCI DSS incident response requirements. This action does not destroy evidence (unlike deletion) and directly addresses the root cause—the bucket's misconfigured access control list (ACL) or bucket policy that allowed public read access. It is the fastest way to prevent further data exfiltration while preserving the file for forensic analysis.
Q3
easyFull explanation →

A cloud service provider (CSP) offers a shared responsibility model. According to this model, who is responsible for patching the hypervisor?

A

The customer.

B

The regulatory authority.

C

The cloud service provider.

The CSP manages the hypervisor as part of the shared responsibility model.

D

A third-party auditor.

Why: Option A is correct because the hypervisor is part of the underlying infrastructure, which the CSP manages. Option B is wrong because the customer does not have access to patch the hypervisor. Option C is wrong because a third party is not involved. Option D is wrong because the hypervisor is not typically managed by a regulatory body.
Q4
mediumFull explanation →

A company is migrating to the cloud and must comply with the Health Insurance Portability and Accountability Act (HIPAA). They plan to store electronic protected health information (ePHI) in a cloud database. Which of the following is a mandatory requirement for the cloud service agreement?

A

The CSP must store data in a specific geographic location.

B

The CSP must perform quarterly penetration tests.

C

The CSP must encrypt all data at rest using AES-256.

D

The CSP must sign a Business Associate Agreement (BAA).

A BAA is required to ensure the CSP safeguards ePHI.

Why: Under HIPAA, a covered entity or business associate must have a written Business Associate Agreement (BAA) with any cloud service provider (CSP) that creates, receives, maintains, or transmits electronic protected health information (ePHI) on their behalf. The BAA is a mandatory contractual requirement that establishes the CSP's permitted uses and disclosures of ePHI, as well as its obligations to safeguard the data. Without a signed BAA, the CSP cannot lawfully handle ePHI, making this the only option that is a direct regulatory mandate under HIPAA.
Q5
hardFull explanation →

An e-commerce company uses a cloud-based web application firewall (WAF) to protect against common web exploits. The security team notices that a specific IP address is sending a high volume of requests that appear to be a DDoS attack. What is the best immediate response to mitigate the attack while minimizing impact on legitimate users?

A

Change the DNS to point to a different IP address.

B

Increase the compute capacity of the web servers.

C

Block the IP address in the WAF.

D

Implement rate limiting on the IP address with a threshold that allows normal traffic.

Rate limiting can distinguish between human users and automated attacks, reducing impact.

Why: Option D is correct because rate limiting at the WAF allows the security team to restrict the volume of requests from the offending IP address without completely blocking it. This approach ensures that legitimate traffic from that IP (e.g., a shared NAT gateway or a user with a dynamic IP) can still pass through, while the DDoS attack traffic is throttled. WAFs typically support granular rate-limiting rules based on IP, session, or URI, making this the most precise and least disruptive immediate response.
Q6
easyFull explanation →

A company is conducting a risk assessment for a new cloud service. They identify a vulnerability that could lead to a data breach. The likelihood is low, but the impact is high. According to common risk management frameworks, how should this risk be addressed?

A

Ignore the risk until it materializes.

B

Accept the risk because the likelihood is low.

C

Implement controls to reduce the risk.

Mitigation is appropriate for high-impact risks even if likelihood is low.

D

Transfer the risk to a third party.

Why: Option C is correct because, in risk management frameworks like NIST SP 800-37 or ISO 27005, a risk with high impact must be mitigated regardless of low likelihood. The potential for a data breach from this vulnerability means the organization should implement controls (e.g., encryption, access controls, or patching) to reduce the risk to an acceptable level, as the cost of a breach outweighs the low probability.

Want more Legal, Risk and Compliance practice?

Practice this domain
4

Domain 4: Cloud Concepts, Architecture and Design

All Cloud Concepts, Architecture and Design questions
Q1
mediumFull explanation →

A healthcare organization is migrating sensitive patient data to a public cloud. The compliance team requires that data be encrypted at rest and in transit, and that the cloud provider cannot access the encryption keys. Which cloud service model should the organization use to maintain sole control over encryption keys?

A

Software as a Service (SaaS)

B

Infrastructure as a Service (IaaS)

IaaS gives the customer control over the OS, storage, and encryption keys.

C

Hybrid Cloud

D

Platform as a Service (PaaS)

Why: IaaS provides the customer with full control over the underlying infrastructure, including virtual machines, storage, and networking. This allows the organization to implement their own encryption mechanisms and manage their own keys using a Hardware Security Module (HSM) or a key management service (KMS) that the cloud provider cannot access. In contrast, SaaS and PaaS typically abstract away the infrastructure, limiting customer control over encryption key management.
Q2
easyFull explanation →

A company is designing a multi-tier application in the cloud. The web tier must automatically scale based on CPU utilization, while the database tier should remain fixed to maintain data consistency. Which architectural pattern best meets these requirements?

A

Horizontal auto-scaling for the web tier and a fixed database tier

This pattern separates stateless and stateful components appropriately.

B

Manual scaling for both tiers

C

Vertical scaling of all tiers

D

Single-tier architecture with auto-scaling

Why: Option A is correct because it separates the stateless web tier, which can safely scale horizontally using auto-scaling groups triggered by CPU utilization thresholds, from the stateful database tier, which must remain fixed to avoid consistency issues such as split-brain or replication lag. Horizontal scaling adds or removes identical web server instances without affecting session state, while a fixed database tier preserves ACID properties and prevents conflicts from concurrent writes across multiple database nodes.
Q3
hardFull explanation →

A financial services firm is designing a cloud environment that must comply with PCI DSS. The security architect proposes using a virtual private cloud (VPC) with subnets, security groups, and network ACLs. However, the compliance officer is concerned about the risk of data exposure due to misconfiguration. Which additional control would BEST address this concern?

A

Use a Web Application Firewall (WAF)

B

Implement a Security Information and Event Management (SIEM) system

C

Integrate Cloud Security Posture Management (CSPM)

CSPM automates monitoring and remediation of misconfigurations.

D

Deploy Data Loss Prevention (DLP) tools

Why: CSPM tools continuously monitor cloud infrastructure configurations against compliance frameworks like PCI DSS, automatically detecting misconfigurations such as overly permissive security group rules or network ACLs that could expose cardholder data. This directly addresses the compliance officer's concern about data exposure due to misconfiguration by providing real-time visibility and remediation guidance, which is more proactive than the other options.
Q4
mediumFull explanation →

A cloud architect is tasked with designing a disaster recovery plan for a critical application. The recovery time objective (RTO) is 1 hour, and the recovery point objective (RPO) is 15 minutes. The application runs on IaaS with data stored in a relational database. Which replication strategy is MOST cost-effective while meeting the objectives?

A

Daily full backups to another region

B

Synchronous database mirroring across regions

C

Multi-region active-active deployment with load balancing

D

Asynchronous storage-level replication with 15-minute snapshots

Asynchronous replication with frequent snapshots meets the RPO cost-effectively.

Why: Option D is correct because asynchronous storage-level replication with 15-minute snapshots meets the RPO of 15 minutes and the RTO of 1 hour, while being more cost-effective than synchronous replication. Asynchronous replication avoids the latency and bandwidth costs of synchronous mirroring across regions, and the 15-minute snapshot schedule ensures data loss is limited to the RPO window. This strategy is suitable for IaaS relational databases where near-real-time consistency is acceptable.
Q5
hardFull explanation →

Which THREE of the following are key characteristics of cloud computing as defined by NIST SP 800-145?

A

Broad network access

Resources are available over the network and accessed through standard mechanisms.

B

On-demand self-service

Users can provision resources automatically without human interaction.

C

Location independence

D

Dedicated hardware per tenant

E

Rapid elasticity

Capabilities can be elastically provisioned and released to scale rapidly.

Why: Option A is correct because NIST SP 800-145 defines broad network access as the capability for cloud capabilities to be accessed over the network by standard mechanisms (e.g., HTTPS, SSH, VPN) that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, workstations). This characteristic ensures that resources are available from any location with internet connectivity, not limited to a single physical network segment.
Q6
hardFull explanation →

Refer to the exhibit. A security engineer is reviewing this S3 bucket policy. The bucket contains sensitive documents that should only be accessible from the internal network (10.0.0.0/24) and only over HTTPS. What is the most likely effect of this policy?

A

The policy allows access from any IP if the request uses HTTPS.

B

The policy allows GetObject from the internal network only when using HTTPS.

The Allow with IP condition permits internal requests, and the Deny on non-SecureTransport blocks HTTP requests, effectively requiring HTTPS.

C

The policy allows access from any IP in 10.0.0.0/24, but blocks access from the VPC.

D

The policy denies all access to the bucket because of the explicit Deny statement.

Why: The policy includes an explicit Deny for any request that does not use HTTPS (i.e., aws:SecureTransport is false), which overrides any Allow. The Allow statement grants s3:GetObject only when the source IP is within 10.0.0.0/24. Therefore, the effective result is that GetObject is allowed only from the internal network and only over HTTPS, making option B correct.

Want more Cloud Concepts, Architecture and Design practice?

Practice this domain
5

Domain 5: Cloud Platform and Infrastructure Security

All Cloud Platform and Infrastructure Security questions
Q1
easyFull explanation →

A financial services company is migrating its on-premises data center to a public cloud IaaS environment. During the transition, the security team must ensure that the same network segmentation and firewall rules are maintained. Which of the following is the BEST approach to replicate the on-premises network security controls in the cloud?

A

Configure a site-to-site VPN between on-premises and cloud to extend the existing network.

B

Use virtual private clouds (VPCs) with subnets and security groups to enforce segmentation and firewall rules.

VPCs and security groups directly replicate network segmentation and firewall controls.

C

Implement an intrusion detection and prevention system (IDPS) to monitor traffic.

D

Deploy a software-defined WAN (SD-WAN) to manage network traffic between cloud resources.

Why: Option B is correct because VPCs with subnets and security groups provide native, software-defined network segmentation and stateful firewall rules that directly replicate on-premises network segmentation and ACLs. Security groups act as virtual firewalls at the instance level, while network ACLs provide subnet-level stateless filtering, together enabling granular control without extending the on-premises network.
Q2
mediumFull explanation →

A cloud architect is designing a multi-tier application in a public cloud. The web tier must be accessible from the internet, while the application and database tiers must only be reachable from the web tier. The architect needs to ensure that even if the web server is compromised, the attacker cannot directly access the database. Which architecture BEST meets this requirement?

A

Place all tiers in the same subnet and use a single security group to control inbound traffic.

B

Place all tiers in the same VPC but different subnets, and use network ACLs to restrict traffic.

C

Place the web tier in a public subnet with a security group allowing HTTP/HTTPS from 0.0.0.0/0, and place the app and database tiers in private subnets with security groups allowing traffic only from the web tier's security group.

This provides proper isolation: private subnets with security group references restrict access to the web tier only.

D

Use a VPN to connect the tiers and rely on IPsec policies for segmentation.

Why: Option C is correct because it implements defense-in-depth by placing the web tier in a public subnet with a security group that allows inbound HTTP/HTTPS from the internet, while the app and database tiers reside in private subnets with security groups that only permit traffic from the web tier's security group. This ensures that even if the web server is compromised, the attacker cannot directly reach the database because the database security group explicitly denies traffic from any source other than the web tier's security group, and the private subnets have no direct internet route.
Q3
hardFull explanation →

During a cloud migration, a company discovers that its existing virtual machine images contain embedded credentials and proprietary software that must not be exposed to the cloud provider's administrators. Which of the following is the BEST strategy to protect this sensitive data while maintaining the ability to create new instances?

A

Use a VPN to encrypt data in transit between the on-premises environment and the cloud.

B

Use a cryptographic hash of the image to ensure integrity, and store the image in object storage with access controls.

C

Encrypt the virtual machine images using a customer-provided key (CMK) integrated with the cloud provider's key management service.

Encryption with a CMK ensures the provider cannot decrypt the image without the key.

D

Tokenize the embedded credentials and replace them with placeholders in the image.

Why: Option C is correct because encrypting the virtual machine images with a customer-provided key (CMK) integrated with the cloud provider's key management service ensures that the cloud provider's administrators cannot access the embedded credentials and proprietary software. The encryption is performed client-side or using envelope encryption where the CMK wraps a data encryption key, and only the customer holds the master key material. This allows the customer to create new instances from the encrypted image while maintaining full control over access to the sensitive data.
Q4
easyFull explanation →

A company's security policy requires that all data stored in the cloud must be encrypted at rest. The cloud provider offers server-side encryption with either cloud-managed keys or customer-managed keys (CMK). Which additional control should the company implement to ensure that the CMK is not compromised and that access is auditable?

A

Enable automatic key rotation and configure detailed audit logging for the key management service.

Key rotation and audit logs are essential controls for CMK security.

B

Implement a VPN for all management traffic to the cloud provider's API.

C

Enable multi-factor authentication (MFA) for all cloud console users.

D

Use encryption in transit (TLS) for all data transfers to and from the cloud.

Why: Option A is correct because enabling automatic key rotation reduces the risk of key compromise by limiting the exposure window of any single key, while detailed audit logging for the key management service (e.g., AWS CloudTrail for KMS, Azure Monitor for Key Vault) provides an immutable record of all key usage and administrative actions. This combination ensures that even if a CMK is exposed, the window of vulnerability is minimized, and any unauthorized access or misuse is detectable through logs. Without these controls, the customer-managed key could remain static for long periods, increasing risk, and access events would not be auditable, violating the policy requirement.
Q5
mediumFull explanation →

A company is deploying a critical application on a public cloud IaaS platform. To ensure high availability and disaster recovery, which TWO of the following strategies should the company implement? (Choose two.)

A

Deploy the application across multiple availability zones within a region.

This provides high availability within a region.

B

Use an active-passive configuration with both instances in the same availability zone.

C

Configure the application to run in only one region to simplify management.

D

Implement automated snapshots and replicate data to a different geographic region.

This ensures disaster recovery and data durability.

E

Use a single, large virtual machine instance to handle all traffic.

Why: Deploying across multiple availability zones (AZs) within a region ensures that if one AZ experiences an outage, the application can continue serving traffic from another AZ, providing high availability. This is a fundamental cloud architecture pattern for fault tolerance, as each AZ is an isolated data center with independent power, cooling, and networking.
Q6
hardFull explanation →

A multinational corporation is deploying a containerized microservices application on a public cloud Kubernetes cluster. The cluster spans three availability zones in a single region. The application consists of a front-end service, a payment service, and a database service. The security team requires that the payment service must not be directly accessible from the internet, but must be accessible from the front-end service. The database must only be accessible from the payment service. Additionally, all inter-service communication must be encrypted, and the cluster must be able to scale up to 500 nodes during peak load. The cloud provider's container orchestration service is used. After deployment, the security team discovers that the payment service is still reachable from the internet via a public load balancer that was configured for testing. The team needs to remediate this issue immediately without disrupting the front-end service. Which of the following actions should the team take FIRST?

A

Change the payment service type from LoadBalancer to ClusterIP and update the front-end configuration.

B

Implement a Kubernetes NetworkPolicy that denies ingress to the payment service pods from all sources except the front-end service's pod label.

This immediately restricts access to only the front-end service, without changing the service type or affecting other components.

C

Delete the public load balancer that was used for testing.

D

Apply a security group to the node instances to block inbound traffic on the payment service port.

Why: Option B is correct because a Kubernetes NetworkPolicy can enforce fine-grained ingress rules at the pod level, allowing only traffic from the front-end service's pod label to reach the payment service pods. This directly addresses the requirement to block internet access while preserving front-end-to-payment communication, without modifying the service type or disrupting the front-end service. NetworkPolicies operate at Layer 3/4 and are native to Kubernetes, making them the immediate and precise remediation.

Want more Cloud Platform and Infrastructure Security practice?

Practice this domain
6

Domain 6: Cloud Data Security

All Cloud Data Security questions
Q1
mediumFull explanation →

A company is storing sensitive customer data in an S3 bucket. They need to ensure data is encrypted at rest and that the encryption keys are managed by the cloud provider. Which encryption strategy should they use?

A

SSE-C (Server-Side Encryption with Customer-Provided Keys)

B

Client-side encryption

C

SSE-KMS (Server-Side Encryption with AWS KMS)

D

SSE-S3 (Server-Side Encryption with S3-Managed Keys)

SSE-S3 uses keys managed by AWS, meeting the requirement.

Why: SSE-S3 (Server-Side Encryption with S3-Managed Keys) encrypts data at rest using AES-256, with the encryption keys fully managed by AWS. This meets the requirement for the cloud provider to handle key management without any customer involvement in key generation, storage, or rotation.
Q2
hardFull explanation →

An organization is migrating a legacy application to the cloud and must comply with PCI DSS. The application currently logs credit card numbers in plaintext. Which data security control should be implemented FIRST?

A

Implement tokenization for credit card numbers

B

Deploy a data loss prevention (DLP) solution

C

Encrypt the database at rest

D

Perform data discovery and classification

First step is to find and classify sensitive data to understand scope.

Why: Before any remediation can be applied, the organization must first perform data discovery and classification to locate where all credit card numbers (PANs) are stored, including logs, databases, and backups. PCI DSS Requirement 3.1 mandates that cardholder data be identified and classified before implementing controls like tokenization or encryption. Without discovery, subsequent controls may miss critical data stores, leaving plaintext PANs exposed.
Q3
easyFull explanation →

A cloud security architect is designing a key management strategy for a multi-cloud environment. Which of the following is a BEST practice for key management?

A

Use the same key for all data to simplify rotation

B

Store keys in each cloud provider's native KMS separately

C

Embed keys in application code for simplicity

D

Use a centralized key management system that integrates with all clouds

Centralized management ensures consistency and simplifies compliance.

Why: Option D is correct because a centralized key management system (KMS) that integrates with all cloud providers enables consistent key lifecycle management, reduces the risk of key sprawl, and ensures uniform access control policies across a multi-cloud environment. This approach aligns with the principle of separation of duties and allows for centralized auditing and rotation without vendor lock-in.
Q4
hardFull explanation →

A company uses a cloud-based file storage service and wants to enable client-side encryption to prevent the cloud provider from accessing plaintext data. Which of the following MUST be implemented?

A

Server-side encryption with customer-provided keys (SSE-C)

B

Envelope encryption with a master key stored on-premises

Envelope encryption allows client-side encryption; master key on-premises ensures provider cannot access.

C

Transport Layer Security (TLS) for all uploads

D

Key management service (KMS) with auto-rotation

Why: Client-side encryption requires that encryption keys are never accessible to the cloud provider. Envelope encryption with a master key stored on-premises ensures the data encryption key (DEK) is encrypted by a master key that remains under the customer's exclusive control, so the cloud service never has the plaintext key or data. This satisfies the requirement of preventing the provider from accessing plaintext data.
Q5
mediumFull explanation →

A healthcare organization stores patient records in a cloud database. They need to ensure that database administrators cannot view sensitive columns like SSN and diagnosis. Which data masking technique should be applied?

A

Dynamic data masking

DDM masks data in query results based on user privileges.

B

Static data masking

C

Encryption at rest

D

Tokenization

Why: Dynamic data masking (DDM) is the correct choice because it allows the healthcare organization to mask sensitive columns (e.g., SSN, diagnosis) in real-time at the database query layer, based on user permissions. DDM does not alter the underlying stored data; it transforms the result set on-the-fly for unauthorized users (like DBAs), ensuring they see masked values while authorized personnel see the actual data. This meets the requirement of preventing database administrators from viewing sensitive columns without changing the data at rest.
Q6
easyFull explanation →

A company is deploying a cloud application that processes credit card transactions. Which standard must they comply with regarding data security?

A

GDPR

B

PCI DSS

PCI DSS applies to credit card data handling.

C

HIPAA

D

ISO 27001

Why: PCI DSS (Payment Card Industry Data Security Standard) is the mandatory security standard for any organization that handles credit card transactions. It defines strict requirements for protecting cardholder data, including encryption, access control, and network segmentation. Since the application processes credit card transactions, compliance with PCI DSS is legally and contractually required.

Want more Cloud Data Security practice?

Practice this domain

Frequently asked questions

How many questions are on the CCSP exam?

The CCSP exam has 150 questions and must be completed in 240 minutes. The passing score is 700/1000.

What types of questions appear on the CCSP exam?

Scenario questions on cloud security architecture, governance, risk management, infrastructure security, application security, and operations.

How are CCSP questions organised by domain?

The exam covers 6 domains: Cloud Application Security, Cloud Security Operations, Legal, Risk and Compliance, Cloud Concepts, Architecture and Design, Cloud Platform and Infrastructure Security, Cloud Data Security. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual CCSP exam questions?

No. These are original exam-style practice questions written against the official ISC2 CCSP exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.

Ready to practice all 150 CCSP questions?

Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.

Browse all CCSP questionsTake a timed practice test