ISC2 · Free Practice Questions · Last reviewed May 2026
36 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right and why the others are wrong.
A company is migrating a legacy application to the cloud. The application uses hardcoded database credentials. Which secure development practice should be implemented to address this?
Use code signing for all deployments
Implement input validation on all user inputs
Enable encryption at rest for the database
Use a secrets management service
A secrets management service keeps the credential out of the source code and the deployed artifact, delivers it to the application at runtime (typically via an API call or an injected environment at start-up), and can rotate it on a schedule. Code signing, input validation and encryption at rest are all worthwhile, but none of them removes the hardcoded credential from the code.
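As an added illustration (not code from the page or from any product it names), the following Python shows the two halves of the migration: a first-pass scan that finds the hardcoded database credentials in a legacy module, and the hardened pattern in which the connection string is assembled at runtime from a secrets manager. The legacy source, the pattern names and the `fetch_secret` callable are all constructed for the example; in production `fetch_secret` would wrap the provider's API (for instance AWS Secrets Manager's `get_secret_value`), and a dedicated secret scanner such as gitleaks carries a far larger rule set than the two patterns here.

```python
import re

# Two patterns that catch the common shapes of a hardcoded database credential:
# a password-like assignment with a string literal, and a connection URI that
# carries user:password@host. Constructed for this example.
CREDENTIAL_PATTERNS = {
    "assignment": re.compile(
        r"""(?i)(password|passwd|pwd|secret|api_key|token)\s*[:=]\s*['"][^'"]{4,}['"]"""),
    "uri_credential": re.compile(
        r"""(?i)[a-z][a-z0-9+.-]*://[^\s:/'"@]+:[^\s@'"]+@"""),
}


def find_hardcoded_credentials(source: str):
    """Return (line_number, pattern_name) for every line that looks like a hardcoded credential.

    Comment lines are skipped; everything else is matched against CREDENTIAL_PATTERNS.
    This is a pre-migration gate, not a substitute for a full secret scanner.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for name, pattern in CREDENTIAL_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


# Constructed legacy module as it might look before migration (the secret is fake).
LEGACY_SOURCE = '''\
import os
DB_HOST = "db.internal"
DB_USER = "app"
DB_PASSWORD = "Sup3rS3cret!"
DSN = "postgresql://app:Sup3rS3cret!@db.internal:5432/orders"
# password = "old-and-commented-out"
TOKEN_TTL = 3600
'''


def build_dsn(fetch_secret, secret_name="orders-db"):
    """Hardened form: the credential is fetched at runtime from a secrets manager.

    fetch_secret is an injected callable (an assumption of this example) returning a
    dict with username, password, host, port and dbname. Injecting it keeps the
    function runnable offline and keeps the secret out of the source entirely.
    """
    s = fetch_secret(secret_name)
    return f"postgresql://{s['username']}:{s['password']}@{s['host']}:{s['port']}/{s['dbname']}"


if __name__ == "__main__":
    for lineno, kind in find_hardcoded_credentials(LEGACY_SOURCE):
        print(f"line {lineno}: {kind}")
    fake_store = {"orders-db": {"username": "app", "password": "from-vault",
                                "host": "db.internal", "port": 5432, "dbname": "orders"}}
    print(build_dsn(fake_store.__getitem__))
```

Running the scan over `LEGACY_SOURCE` flags line 4 (the password literal) and line 5 (the credential embedded in the connection URI) and ignores the commented-out line; `build_dsn` produces the same connection string without any credential appearing in code.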
A security architect is designing a CI/CD pipeline for a cloud-native application. The team wants to automatically scan container images for vulnerabilities before deployment. Which of the following is the most effective approach?
Manually review images before each deployment
Integrate a container image scanner into the pipeline
Scanning inside the pipeline fails the build before a vulnerable image is pushed to the registry or deployed, so the gate is automatic and enforced every time. A runtime agent or a port scan of the hosts only finds the problem after the image is already running, and manual review does not scale or catch newly published CVEs.
Perform vulnerability scanning at runtime using a host-based agent
Scan the network for open ports on the container hosts
A SaaS provider uses a customer-managed encryption key (CMEK) model for data-at-rest. The provider's application runs in a multi-tenant cloud environment. Which attack surface is MOST directly mitigated by this approach?
Misconfigured storage buckets exposing data
Insider threats from cloud provider employees
With CMEK the provider can decrypt customer data only through a key the customer controls, audits and can revoke, so a provider employee cannot read it unilaterally. Key ownership does not help against the other options: a misconfigured bucket still serves decrypted data to whoever can reach it, SQL injection runs inside the application's own access, and side channels target data already decrypted in memory.
SQL injection vulnerabilities in the application
Side-channel attacks on shared physical hardware
An organization is developing a mobile app that communicates with a cloud API. To ensure secure authentication, which of the following should be used?
Session cookies for state management
Basic authentication with username and password
OAuth 2.0 with OpenID Connect
OAuth 2.0 provides delegated authorization and OpenID Connect adds an authentication layer (the ID token) on top of it. For a native mobile app this means the authorization code flow with PKCE and short-lived tokens, rather than a password or a static API key embedded in the app, where it can be extracted from the binary; session cookies alone do not authenticate anything.
API keys sent in HTTP headers
A cloud security team is implementing a Web Application Firewall (WAF) for a public-facing web application. The application uses a REST API with JSON payloads. Which of the following is the WAF's primary benefit?
Scanning for data loss prevention (DLP) violations
Preventing network-layer DDoS attacks
Encrypting data in transit between client and server
Inspecting HTTP traffic for malicious payloads
A WAF inspects HTTP(S) requests and responses at layer 7, including JSON request bodies, for attack patterns such as injection and known exploit signatures. Volumetric network-layer DDoS, encryption in transit and DLP are handled by other controls, even when a cloud WAF service happens to be bundled with them.
A company deploys microservices in Kubernetes. Each service communicates via gRPC with mutual TLS. A security assessment reveals that some services use self-signed certificates. What is the primary risk?
Inability to revoke certificates
Exposure of private keys in the container image
Increased latency due to certificate validation
Man-in-the-middle (MITM) attacks between services
A self-signed certificate is not chained to a CA the peer trusts, so the peer either fails validation or, more commonly, has been configured to skip it. Either way a peer cannot tell the real service from an attacker presenting its own self-signed certificate, and mutual TLS stops authenticating the other side. The remedy is an internal CA (for example the service mesh's own) that issues, rotates and can revoke workload certificates.
A cloud security engineer is troubleshooting a failure in automated backups for a production database. The backup job runs nightly but has failed for the past three nights. The logs show permission denied errors when the backup service attempts to write to the storage bucket. Which action should the engineer take first?
Open a support ticket with the cloud provider for incident response.
Check the IAM roles and bucket ACLs assigned to the service account.
A permission-denied error is an authorization failure, so the service account's IAM role bindings and the bucket's ACL or policy are the first thing to check (a recent change to either is the usual cause). Restarting the job or rotating keys changes nothing if the grant is missing, and a provider ticket is premature for an error in the customer's own configuration.
Restart the backup service and retry the job.
Rotate the service account keys used for authentication.
An organization is designing a cloud storage solution for highly sensitive customer data. The data must be encrypted at rest and the encryption keys must be managed by the customer, not the cloud provider. Additionally, the solution must allow granular access control based on data classification. Which combination of services should the architect recommend?
Server-side encryption with customer-managed keys and a storage bucket with bucket-level policies.
Server-side encryption with cloud-managed keys and a storage bucket with bucket-level policies.
Cloud HSM for key management and a cloud storage service with object-level ACLs.
Keys generated and held in a cloud HSM keep key control with the customer, and object-level ACLs let access be set per object according to its classification. Cloud-managed keys fail the key-ownership requirement, and bucket-level policies cannot express per-object classification.
Client-side encryption with a cloud KMS and a storage bucket with bucket-level policies.
A company uses a cloud-based SIEM to aggregate logs from multiple sources. Recently, the SIEM stopped receiving logs from a critical application server. The server is running and the application is functioning normally. The security team has verified that the log forwarder service is running on the server and the network path to the SIEM is open. Which additional step should the team take to diagnose the issue?
Check the server's CPU and memory utilization.
Review the firewall rules between the server and the SIEM.
Restart the SIEM collector service.
Inspect the log forwarder's configuration and recent log files for errors.
The forwarder is running and the network path is open, so the most probable cause is the forwarder itself: a changed source path, destination, credential or parser. Its own configuration and error log show that directly; CPU, firewall and the SIEM collector have already been ruled in or out by the facts given.
Which TWO of the following are best practices for securing a cloud-based container orchestration platform?
Use minimal base images to reduce the attack surface.
A minimal base image carries fewer packages and therefore fewer vulnerabilities to patch.
Store secrets in environment variables for ease of use.
Run containers with root privileges by default.
Enable audit logging for all administrative actions.
Audit logging of administrative actions is essential for detecting misuse and for incident reconstruction; the remaining options (secrets in environment variables, root by default, disabled TLS validation) each widen the attack surface.
Disable TLS certificate validation for internal communications.
Which THREE of the following are key considerations when designing a disaster recovery plan for a cloud-based application?
Performing manual failover testing only once a year.
Eliminating all security controls to speed up recovery.
Implementing cross-region replication for critical data.
Cross-region replication ensures availability.
Defining the Recovery Time Objective (RTO) for critical services.
RTO is a key DR metric.
Ensuring data consistency and integrity across replicated environments.
Data consistency is vital.
Which TWO of the following are valid methods for securing data at rest in a cloud storage service?
Disabling encryption to reduce latency.
Implementing client-side encryption before uploading data.
Client-side encryption turns the data into ciphertext before it leaves the client, so neither the transport nor the provider's storage ever holds plaintext.
Using server-side encryption with customer-managed keys.
Server-side encryption with customer-managed keys is the standard provider-side control for data at rest; access logging is a useful detective control but does not protect the data itself.
Setting the storage bucket to public read access.
Enabling access logging for the storage bucket.
A company's cloud infrastructure is subject to GDPR. The DPO requires that all customer personal data be encrypted at rest and in transit. The cloud provider offers SSE-S3 for object storage and enforces TLS 1.2 for API calls. Which additional control should the company implement to meet GDPR accountability requirements?
Implement client-side encryption with a key management service.
Enable detailed logging of all access to encrypted data.
Accountability under GDPR means being able to demonstrate compliance, and a detailed access log for the encrypted data is the evidence that shows who accessed personal data and when. The other options add protection, retention or obfuscation but do not produce that evidence.
Automatically delete backups older than 30 days.
Apply data masking to all personal data fields before storage.
A financial institution uses a multi-cloud strategy with AWS and Azure. They must comply with PCI DSS. The security team found that a developer accidentally stored a file with credit card numbers in an S3 bucket that is publicly readable. Which immediate action should be taken to contain the breach?
Delete the file immediately.
Enable default encryption on the bucket.
Remove the public read permission on the bucket.
Removing the public read permission closes the exposure immediately while keeping the object intact for forensic analysis. Deleting the file destroys evidence, enabling default encryption does not affect objects already readable through the public grant, and revoking the developer's credentials does nothing about the public path. Once contained, the bucket's access logs should be reviewed to establish whether the object was actually read while public, since that determines whether a breach must be reported.
Revoke the developer's IAM credentials.
A cloud service provider (CSP) offers a shared responsibility model. According to this model, who is responsible for patching the hypervisor?
The customer.
The regulatory authority.
The cloud service provider.
Under the shared responsibility model the provider owns the physical hosts and the virtualization layer, so hypervisor patching is the CSP's job; in IaaS the customer patches the guest operating system and everything above it.
A third-party auditor.
A company is migrating to the cloud and must comply with the Health Insurance Portability and Accountability Act (HIPAA). They plan to store electronic protected health information (ePHI) in a cloud database. Which of the following is a mandatory requirement for the cloud service agreement?
The CSP must store data in a specific geographic location.
The CSP must perform quarterly penetration tests.
The CSP must encrypt all data at rest using AES-256.
The CSP must sign a Business Associate Agreement (BAA).
HIPAA requires a covered entity to have a BAA with any business associate, including a CSP, that creates, receives, maintains or transmits ePHI on its behalf. HIPAA does not mandate a specific geographic location, a penetration-testing frequency, or a particular cipher such as AES-256 (encryption is an addressable specification, not a prescribed algorithm).
An e-commerce company uses a cloud-based web application firewall (WAF) to protect against common web exploits. The security team notices that a specific IP address is sending a high volume of requests that appear to be a DDoS attack. What is the best immediate response to mitigate the attack while minimizing impact on legitimate users?
Change the DNS to point to a different IP address.
Increase the compute capacity of the web servers.
Block the IP address in the WAF.
Implement rate limiting on the IP address with a threshold that allows normal traffic.
A single source address may be a NAT gateway or proxy fronting many legitimate users, so blocking it outright risks cutting all of them off. A per-IP rate limit with a threshold above the normal request rate throttles the flood while ordinary traffic passes. Changing DNS or adding compute capacity does not address the source of the traffic.
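As an added example (not code from the page or from any WAF product), here is a per-client token bucket limiter of the kind a WAF or API gateway applies, run over a constructed traffic stream: one address sending 500 requests in a second alongside three ordinary clients sending two requests per second. The bucket capacity of 20 and refill rate of 10 per second are assumed values chosen to sit above the normal rate; the clock is injectable only so the simulation is deterministic offline.

```python
import time
from collections import defaultdict


class TokenBucketLimiter:
    """Per-client token bucket: `capacity` requests may burst, then `rate` per second sustained.

    `clock` is injectable so the simulation below is deterministic; in production
    leave it as time.monotonic.
    """

    def __init__(self, capacity: float, rate: float, clock=time.monotonic):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.clock = clock
        self._buckets = {}  # client_ip -> (tokens, last_update)

    def allow(self, client_ip: str) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(client_ip, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)  # refill since last call
        if tokens >= 1.0:
            self._buckets[client_ip] = (tokens - 1.0, now)
            return True
        self._buckets[client_ip] = (tokens, now)  # throttled: no token consumed
        return False


class FakeClock:
    """Manually advanced clock for offline simulation."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def build_traffic():
    """Constructed request stream: one flooding address plus three ordinary clients."""
    requests = []
    attacker = "203.0.113.7"
    for i in range(500):                      # 500 requests inside one second
        requests.append((i * 0.002, attacker))
    for n, ip in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        for i in range(20):                   # one request every 0.5 s for 10 s
            requests.append((i * 0.5 + n * 0.01, ip))
    requests.sort()
    return requests


def simulate(capacity=20, rate=10):
    """Run the stream through the limiter; return {ip: (allowed, throttled)}."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(capacity, rate, clock)
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in build_traffic():
        clock.now = ts
        stats[ip][0 if limiter.allow(ip) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


if __name__ == "__main__":
    for ip, (ok, dropped) in sorted(simulate().items()):
        print(f"{ip:15} allowed={ok:3} throttled={dropped:3}")
```

The flooding address gets its 20-request burst plus roughly one request per 0.1 s afterwards, about 30 of its 500 requests, while each ordinary client has all 20 of its requests served. A plain block rule on the same address would have produced the same outcome for the attacker and removed every legitimate user who happened to share that address.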
A company is conducting a risk assessment for a new cloud service. They identify a vulnerability that could lead to a data breach. The likelihood is low, but the impact is high. According to common risk management frameworks, how should this risk be addressed?
Ignore the risk until it materializes.
Accept the risk because the likelihood is low.
Implement controls to reduce the risk.
Risk is prioritised by likelihood and impact together; a high-impact event, even an unlikely one, normally exceeds the organisation's risk appetite and so warrants mitigating controls. Acceptance is only appropriate when the residual risk is within appetite and formally signed off, and ignoring a known risk is never a valid treatment.
Transfer the risk to a third party.
A healthcare organization is migrating sensitive patient data to a public cloud. The compliance team requires that data be encrypted at rest and in transit, and that the cloud provider cannot access the encryption keys. Which cloud service model should the organization use to maintain sole control over encryption keys?
Software as a Service (SaaS)
Infrastructure as a Service (IaaS)
In IaaS the customer controls the guest OS, the storage volumes and the software on them, so it can encrypt data with keys it holds itself, for example in an on-premises HSM. In PaaS and SaaS the provider operates the layers where the keys would have to live. Hybrid cloud is a deployment model, not a service model, so it does not answer the question.
Hybrid Cloud
Platform as a Service (PaaS)
A company is designing a multi-tier application in the cloud. The web tier must automatically scale based on CPU utilization, while the database tier should remain fixed to maintain data consistency. Which architectural pattern best meets these requirements?
Horizontal auto-scaling for the web tier and a fixed database tier
The web tier is stateless, so adding and removing identical instances behind a load balancer is safe; the database tier is stateful, so its instance count stays fixed and it scales vertically if at all. Manual or vertical scaling of the web tier cannot follow CPU demand automatically.
Manual scaling for both tiers
Vertical scaling of all tiers
Single-tier architecture with auto-scaling
A financial services firm is designing a cloud environment that must comply with PCI DSS. The security architect proposes using a virtual private cloud (VPC) with subnets, security groups, and network ACLs. However, the compliance officer is concerned about the risk of data exposure due to misconfiguration. Which additional control would BEST address this concern?
Use a Web Application Firewall (WAF)
Implement a Security Information and Event Management (SIEM) system
Integrate Cloud Security Posture Management (CSPM)
CSPM continuously compares the deployed configuration (security groups, network ACLs, bucket policies, public exposure) against policy and flags or auto-remediates drift, which is precisely the misconfiguration risk the compliance officer raised. A WAF, SIEM or DLP tool detects or blocks at other layers and does not prevent the misconfiguration itself.
Deploy Data Loss Prevention (DLP) tools
A cloud architect is tasked with designing a disaster recovery plan for a critical application. The recovery time objective (RTO) is 1 hour, and the recovery point objective (RPO) is 15 minutes. The application runs on IaaS with data stored in a relational database. Which replication strategy is MOST cost-effective while meeting the objectives?
Daily full backups to another region
Synchronous database mirroring across regions
Multi-region active-active deployment with load balancing
Asynchronous storage-level replication with 15-minute snapshots
Asynchronous replication with a snapshot every 15 minutes bounds data loss to the 15-minute RPO, and restoring from the latest snapshot onto standby infrastructure fits inside the one-hour RTO. Synchronous mirroring and active-active also meet the objectives but at considerably higher cost, while daily backups leave up to 24 hours of data loss and miss the RPO.
Which THREE of the following are key characteristics of cloud computing as defined by NIST SP 800-145?
Broad network access
Resources are available over the network and accessed through standard mechanisms.
On-demand self-service
Users can provision resources automatically without human interaction.
Location independence
Dedicated hardware per tenant
Rapid elasticity
Capabilities can be elastically provisioned and released to scale rapidly with demand. NIST's other two essential characteristics, resource pooling and measured service, are not among the options; dedicated hardware per tenant is the opposite of pooling, and location independence is a property of pooling rather than a characteristic in its own right.
Refer to the exhibit. A security engineer is reviewing this S3 bucket policy. The bucket contains sensitive documents that should only be accessible from the internal network (10.0.0.0/24) and only over HTTPS. What is the most likely effect of this policy?
The policy allows access from any IP if the request uses HTTPS.
The policy allows GetObject from the internal network only when using HTTPS.
The Allow statement grants s3:GetObject only when aws:SourceIp falls within 10.0.0.0/24, and the Deny statement with the condition aws:SecureTransport = false matches every plain-HTTP request. Because an explicit Deny always overrides an Allow, internal HTTP requests are refused; requests from other addresses match no Allow and are denied by default. The net effect is that only HTTPS requests from 10.0.0.0/24 can read objects.
The policy allows access from any IP in 10.0.0.0/24, but blocks access from the VPC.
The policy denies all access to the bucket because of the explicit Deny statement.
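Since the exhibit is not reproduced on the page, the following Python is an added example (not the exhibit and not code from the page) that writes a bucket policy matching the question's description and runs a small model of the policy-evaluation rules over it: a statement applies when its action, resource and every condition match, an explicit Deny beats any Allow, and no match is an implicit Deny. The bucket name, object key and request addresses are constructed. Two real-world caveats the model leaves out: the full AWS decision also involves the caller's identity-based policies (a Principal of `*` conditioned on aws:SourceIp is not treated as public by Block Public Access, but an authenticated caller still needs an allow somewhere), and requests arriving through a VPC endpoint do not carry the client address in aws:SourceIp, so they would need a condition on aws:VpcSourceIp or aws:SourceVpce instead.

```python
import fnmatch
import ipaddress

# A bucket policy written from the question's description of the exhibit; it is a
# constructed stand-in, not the exhibit itself, and the bucket name is made up.
BUCKET = "arn:aws:s3:::example-internal-docs"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGetFromInternalNetwork",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": BUCKET + "/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/24"}},
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET, BUCKET + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _listify(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """All operator/key pairs must hold; a key absent from the request context fails."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            wanted = _listify(wanted)
            if operator in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                in_range = any(ip in ipaddress.ip_network(c, strict=False) for c in wanted)
                if in_range != (operator == "IpAddress"):
                    return False
            elif operator == "Bool":
                if str(actual).lower() not in [str(w).lower() for w in wanted]:
                    return False
            elif operator == "StringEquals":
                if actual not in wanted:
                    return False
            else:
                raise ValueError(f"condition operator {operator} not modelled")
    return True


def _matches(stmt, action, resource, ctx):
    """Action and resource use IAM-style '*' wildcards; then every condition must hold."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _listify(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policy, action, resource, ctx):
    """Resource-policy decision for one request: explicit Deny beats Allow, no match is Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _matches(stmt, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def decision_table():
    """The four cases the question turns on, plus a write attempt that no statement allows."""
    obj = BUCKET + "/q1-report.pdf"
    internal, external = "10.0.0.25", "203.0.113.9"
    cases = {
        "internal_https_get": ("s3:GetObject", obj, {"aws:SourceIp": internal, "aws:SecureTransport": "true"}),
        "internal_http_get": ("s3:GetObject", obj, {"aws:SourceIp": internal, "aws:SecureTransport": "false"}),
        "external_https_get": ("s3:GetObject", obj, {"aws:SourceIp": external, "aws:SecureTransport": "true"}),
        "external_http_get": ("s3:GetObject", obj, {"aws:SourceIp": external, "aws:SecureTransport": "false"}),
        "internal_https_put": ("s3:PutObject", obj, {"aws:SourceIp": internal, "aws:SecureTransport": "true"}),
    }
    return {name: evaluate(POLICY, *args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, result in decision_table().items():
        print(f"{name:20} -> {result}")
```

Only the internal HTTPS read comes back as Allow; the internal HTTP read hits the explicit Deny, and the external requests and the write attempt are denied because nothing allows them.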
A financial services company is migrating its on-premises data center to a public cloud IaaS environment. During the transition, the security team must ensure that the same network segmentation and firewall rules are maintained. Which of the following is the BEST approach to replicate the on-premises network security controls in the cloud?
Configure a site-to-site VPN between on-premises and cloud to extend the existing network.
Use virtual private clouds (VPCs) with subnets and security groups to enforce segmentation and firewall rules.
VPCs and subnets reproduce the segmentation, and security groups (per-instance, stateful) together with network ACLs (per-subnet, stateless) reproduce the firewall rules. A site-to-site VPN only extends connectivity, and IDPS or SD-WAN monitor or route traffic rather than enforce segmentation.
Implement an intrusion detection and prevention system (IDPS) to monitor traffic.
Deploy a software-defined WAN (SD-WAN) to manage network traffic between cloud resources.
A cloud architect is designing a multi-tier application in a public cloud. The web tier must be accessible from the internet, while the application and database tiers must only be reachable from the web tier. The architect needs to ensure that even if the web server is compromised, the attacker cannot directly access the database. Which architecture BEST meets this requirement?
Place all tiers in the same subnet and use a single security group to control inbound traffic.
Place all tiers in the same VPC but different subnets, and use network ACLs to restrict traffic.
Place the web tier in a public subnet with a security group allowing HTTP/HTTPS from 0.0.0.0/0, and place the app and database tiers in private subnets with security groups allowing traffic only from the web tier's security group.
Private subnets keep the app and database tiers off the internet, and security groups that reference another group (rather than an IP range) admit only instances carrying that group. Note that to satisfy the requirement that a compromised web server cannot reach the database, the database security group should reference only the application tier's security group, so that the only path to the database runs through the application tier; a single subnet, NACLs alone, or IPsec between tiers do not give that instance-level isolation.
Use a VPN to connect the tiers and rely on IPsec policies for segmentation.
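The following Python is an added example (not code from the page or from any cloud provider's SDK) that models security-group evaluation for the three-tier design and checks the reachability claims a reviewer would make. The topology, addresses and group ids are constructed; the model covers only ingress rules, because security groups are stateful and the default egress rule allows all outbound traffic, and it does not model network ACLs or routing. The database group references the application group, the stricter chain described in the explanation.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressRule:
    protocol: str      # "tcp" or "udp"
    from_port: int
    to_port: int
    source: str        # CIDR ("0.0.0.0/0") or a referenced security group id ("sg-web")


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    groups: frozenset  # security group ids attached to the host's network interface


# Constructed three-tier topology: web is internet-facing, app accepts only the web
# group, and the database accepts only the app group.
SECURITY_GROUPS = {
    "sg-web": [IngressRule("tcp", 80, 80, "0.0.0.0/0"), IngressRule("tcp", 443, 443, "0.0.0.0/0")],
    "sg-app": [IngressRule("tcp", 8080, 8080, "sg-web")],
    "sg-db":  [IngressRule("tcp", 5432, 5432, "sg-app")],
}

HOSTS = {
    "internet": Host("internet", "203.0.113.5", frozenset()),
    "web":      Host("web", "10.0.1.10", frozenset({"sg-web"})),
    "app":      Host("app", "10.0.2.10", frozenset({"sg-app"})),
    "db":       Host("db", "10.0.3.10", frozenset({"sg-db"})),
}


def can_connect(src: Host, dst: Host, protocol: str, port: int, sgs=SECURITY_GROUPS) -> bool:
    """True if any ingress rule on any of dst's groups admits src on protocol/port.

    A rule whose source is a group id matches when src's interface carries that group;
    a CIDR rule matches src's IP address. Rules are allow-only, as in real security groups.
    """
    src_ip = ipaddress.ip_address(src.ip)
    for gid in dst.groups:
        for rule in sgs[gid]:
            if rule.protocol != protocol or not (rule.from_port <= port <= rule.to_port):
                continue
            if rule.source.startswith("sg-"):
                if rule.source in src.groups:
                    return True
            elif src_ip in ipaddress.ip_network(rule.source, strict=False):
                return True
    return False


def reachability_matrix(hosts=HOSTS):
    """The (source, destination, port) pairs a reviewer of this design would want checked."""
    checks = [("internet", "web", 443), ("internet", "app", 8080), ("internet", "db", 5432),
              ("web", "app", 8080), ("web", "db", 5432), ("app", "db", 5432)]
    return {(s, d, p): can_connect(hosts[s], hosts[d], "tcp", p) for s, d, p in checks}


if __name__ == "__main__":
    for (s, d, p), ok in reachability_matrix().items():
        print(f"{s:8} -> {d:3}:{p:<5} {'ALLOWED' if ok else 'blocked'}")
```

The matrix shows the internet reaching only the web tier, the web tier reaching only the app tier, and the app tier alone reaching the database; in particular the web-to-database check comes back blocked, which is the property the question asks for.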
During a cloud migration, a company discovers that its existing virtual machine images contain embedded credentials and proprietary software that must not be exposed to the cloud provider's administrators. Which of the following is the BEST strategy to protect this sensitive data while maintaining the ability to create new instances?
Use a VPN to encrypt data in transit between the on-premises environment and the cloud.
Use a cryptographic hash of the image to ensure integrity, and store the image in object storage with access controls.
Encrypt the virtual machine images using a customer-provided key (CMK) integrated with the cloud provider's key management service.
Encrypting the images under a key the customer controls means the provider's administrators cannot read the image contents, while the KMS integration still lets the customer launch instances from them. A hash protects integrity, not confidentiality; a VPN covers only transit; tokenizing the credentials does nothing for the proprietary software. The embedded credentials should in any case be removed from the image and supplied at boot from a secrets manager.
Tokenize the embedded credentials and replace them with placeholders in the image.
A company's security policy requires that all data stored in the cloud must be encrypted at rest. The cloud provider offers server-side encryption with either cloud-managed keys or customer-managed keys (CMK). Which additional control should the company implement to ensure that the CMK is not compromised and that access is auditable?
Enable automatic key rotation and configure detailed audit logging for the key management service.
Automatic rotation limits how much data any one key version protects and how long a compromised version stays useful, and audit logging of every key operation (which principal used which key, for what, and when) makes misuse detectable. VPN, MFA and TLS protect management traffic, console logins and data in transit, not the key itself.
Implement a VPN for all management traffic to the cloud provider's API.
Enable multi-factor authentication (MFA) for all cloud console users.
Use encryption in transit (TLS) for all data transfers to and from the cloud.
A company is deploying a critical application on a public cloud IaaS platform. To ensure high availability and disaster recovery, which TWO of the following strategies should the company implement? (Choose two.)
Deploy the application across multiple availability zones within a region.
Spreading instances across availability zones provides high availability within the region against a single-zone failure.
Use an active-passive configuration with both instances in the same availability zone.
Configure the application to run in only one region to simplify management.
Implement automated snapshots and replicate data to a different geographic region.
Snapshots replicated to another region provide disaster recovery if the whole region is lost; the other options keep everything in one zone, one region or one instance.
Use a single, large virtual machine instance to handle all traffic.
A multinational corporation is deploying a containerized microservices application on a public cloud Kubernetes cluster. The cluster spans three availability zones in a single region. The application consists of a front-end service, a payment service, and a database service. The security team requires that the payment service must not be directly accessible from the internet, but must be accessible from the front-end service. The database must only be accessible from the payment service. Additionally, all inter-service communication must be encrypted, and the cluster must be able to scale up to 500 nodes during peak load. The cloud provider's container orchestration service is used. After deployment, the security team discovers that the payment service is still reachable from the internet via a public load balancer that was configured for testing. The team needs to remediate this issue immediately without disrupting the front-end service. Which of the following actions should the team take FIRST?
Change the payment service type from LoadBalancer to ClusterIP and update the front-end configuration.
Implement a Kubernetes NetworkPolicy that denies ingress to the payment service pods from all sources except the front-end service's pod label.
A NetworkPolicy that admits ingress to the payment pods only from pods carrying the front-end label is enforced at the pod level, so traffic arriving through the public load balancer (whose source is the load balancer or node, not a front-end pod) is dropped while front-end calls continue, and nothing about the Service or the front-end changes. Two caveats: NetworkPolicy is only enforced when the cluster's CNI plugin supports it, and the test load balancer should still be removed or the Service changed to ClusterIP as the follow-up fix. Deleting the load balancer first or blocking the port at the node security group risks breaking the front-end path as well.
Delete the public load balancer that was used for testing.
Apply a security group to the node instances to block inbound traffic on the payment service port.
A company is storing sensitive customer data in an S3 bucket. They need to ensure data is encrypted at rest and that the encryption keys are managed by the cloud provider. Which encryption strategy should they use?
SSE-C (Server-Side Encryption with Customer-Provided Keys)
Client-side encryption
SSE-KMS (Server-Side Encryption with AWS KMS)
SSE-S3 (Server-Side Encryption with S3-Managed Keys)
SSE-S3 encrypts each object with a key that S3 itself generates, stores and rotates, which is exactly "managed by the cloud provider". SSE-KMS puts key policy, rotation and audit under the customer's control, and SSE-C and client-side encryption make the customer supply the key.
An organization is migrating a legacy application to the cloud and must comply with PCI DSS. The application currently logs credit card numbers in plaintext. Which data security control should be implemented FIRST?
Implement tokenization for credit card numbers
Deploy a data loss prevention (DLP) solution
Encrypt the database at rest
Perform data discovery and classification
Before choosing a control you need to know where card data actually is: which logs, databases, backups and exports contain it. Discovery and classification establish the PCI DSS scope; tokenization, DLP and encryption are then applied to what was found, and the plaintext logging itself has to stop.
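As an added example (not code from the page or from any DLP product), the following Python performs the discovery step over log lines: it finds digit runs of card-number length, filters them with the Luhn check so that order ids and phone numbers are not reported, and masks what it finds so the report itself does not become another place card data is stored. The log lines are constructed; the card numbers are the standard publicly documented test numbers, and the 16-digit order id on the first line is a deliberate Luhn failure. Luhn is a check-digit filter, not proof that a number belongs to a real card, so a hit still needs confirmation.

```python
import re

# Runs of 13 to 19 digits, optionally separated by single spaces or hyphens, that are
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the display form PCI DSS permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return masked PANs found in text; candidates that fail Luhn are discarded."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(mask_pan(digits))
    return pans


def scan_log(lines):
    """(1-based line number, masked PAN) for every PAN-bearing line in a log."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for masked in find_pans(line):
            hits.append((lineno, masked))
    return hits


# Constructed log lines (see the lead-in): two genuine test card numbers, one
# Luhn-failing order id, one phone number and one mistyped card number.
SAMPLE_LOG = [
    "2024-03-01T10:15:02Z INFO  order=1234567890123456 status=created",
    "2024-03-01T10:15:03Z DEBUG charge card=4111111111111111 exp=12/26 amount=49.99",
    "2024-03-01T10:15:04Z INFO  customer phone=+1 415 555 0100",
    "2024-03-01T10:15:05Z DEBUG retry card=5500 0000 0000 0004 amount=49.99",
    "2024-03-01T10:15:06Z WARN  bad_card=4111111111111112 rejected",
]

if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {masked}")
```

Only lines 2 and 4 are reported: the order id and the mistyped number fail Luhn, the phone number is too short, and the spaced-out number on line 4 is normalised before checking. The same scan run over database exports and backups is what produces the scope inventory the explanation refers to.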
A cloud security architect is designing a key management strategy for a multi-cloud environment. Which of the following is a BEST practice for key management?
Use the same key for all data to simplify rotation
Store keys in each cloud provider's native KMS separately
Embed keys in application code for simplicity
Use a centralized key management system that integrates with all clouds
A single key management system (or a KMS abstraction) that fronts each provider's native key store gives one policy, one rotation schedule and one audit trail across clouds. Per-provider silos drift apart, and reusing one key everywhere or embedding keys in code defeats the purpose of key management.
A company uses a cloud-based file storage service and wants to enable client-side encryption to prevent the cloud provider from accessing plaintext data. Which of the following MUST be implemented?
Server-side encryption with customer-provided keys (SSE-C)
Envelope encryption with a master key stored on-premises
In envelope encryption the client generates a data key per object, encrypts the data with it, and wraps the data key with a master key that never leaves the customer's premises; the provider stores only ciphertext and a wrapped key it cannot unwrap. SSE-C still hands the key to the provider with each request, TLS protects only transit, and a cloud-hosted KMS with rotation still leaves the key with the provider.
Transport Layer Security (TLS) for all uploads
Key management service (KMS) with auto-rotation
A healthcare organization stores patient records in a cloud database. They need to ensure that database administrators cannot view sensitive columns like SSN and diagnosis. Which data masking technique should be applied?
Dynamic data masking
Dynamic data masking rewrites sensitive columns in query results according to the caller's privileges while the stored data is unchanged, so an administrator without unmask rights sees masked values. Static masking alters a copy (for test data), encryption at rest does not stop a privileged user querying through the engine, and tokenization replaces the stored values rather than masking them on read. DDM is a presentation-layer control, though: a user who can run arbitrary queries may still infer masked values, so a hard guarantee against administrators needs column-level encryption with keys held outside the database.
Static data masking
Encryption at rest
Tokenization
A company is deploying a cloud application that processes credit card transactions. Which standard must they comply with regarding data security?
GDPR
PCI DSS
PCI DSS applies to any organisation that stores, processes or transmits cardholder data. GDPR covers personal data of EU residents, HIPAA covers health information, and ISO 27001 is a general information security management standard; none of them is specific to card data.
HIPAA
ISO 27001
The CCSP exam has 150 questions and must be completed in 240 minutes. The passing score is 700/1000.
Scenario questions on cloud security architecture, governance, risk management, infrastructure security, application security, and operations.
The exam covers 6 domains: Cloud Application Security; Cloud Security Operations; Legal, Risk and Compliance; Cloud Concepts, Architecture and Design; Cloud Platform and Infrastructure Security; and Cloud Data Security. Questions are weighted by domain, so higher-weight domains appear more often on the actual exam.
No. These are original exam-style practice questions written against the official ISC2 CCSP exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.