© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Objective 2.0

Cloud Data Security

CCSP Practice Questions

Use this page to practise Cloud Data Security questions for this certification. Focus on how the exam tests cloud data security in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.


What this objective tests

CCSP Cloud Data Security — Key Topics

Cloud Data Security questions on this certification test your ability to deploy and manage cloud data security concepts in scenario-based situations.

  • Core Cloud Data Security concepts and how they apply in real-world cloud scenarios.
  • How to deploy cloud data security correctly and verify the outcome.
  • Troubleshooting cloud data security issues by interpreting error output and system state.
  • Cloud best practices and Cloud Data Security design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Cloud Data Security

  • Selecting the most expensive service when a simpler managed option meets the requirement.
  • Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • Choosing a global service fix when the issue is region-specific.
  • Overlooking cost implications of cross-region data transfer in architecture questions.

CCSP Cloud Data Security — Practice Questions

30 questions from this objective

Question 2 (medium, multiple choice)

A company is storing sensitive customer data in an S3 bucket. They need to ensure data is encrypted at rest and that the encryption keys are managed by the cloud provider. Which encryption strategy should they use?

Question 3 (hard, multiple choice)

An organization is migrating a legacy application to the cloud and must comply with PCI DSS. The application currently logs credit card numbers in plaintext. Which data security control should be implemented FIRST?

Question 4 (easy, multiple choice)

A cloud security architect is designing a key management strategy for a multi-cloud environment. Which of the following is a BEST practice for key management?

Question 5 (hard, multiple choice)

A company uses a cloud-based file storage service and wants to enable client-side encryption to prevent the cloud provider from accessing plaintext data. Which of the following MUST be implemented?

Question 6 (medium, multiple choice)

A healthcare organization stores patient records in a cloud database. They need to ensure that database administrators cannot view sensitive columns like SSN and diagnosis. Which data masking technique should be applied?

Question 7 (easy, multiple choice)

A company is deploying a cloud application that processes credit card transactions. Which standard must they comply with regarding data security?

Question 8 (medium, multiple choice)

An organization uses a cloud storage service to share files with external partners. They want to ensure that the files are automatically deleted after 30 days. Which data lifecycle control should be implemented?

Question 9 (hard, multiple choice)

A company uses a cloud key management service (KMS) and wants to ensure that keys can be used only within a specific geographic region. Which of the following should be configured?

Question 10 (easy, multiple choice)

A cloud architect needs to protect data in transit between an on-premises data center and a cloud virtual private cloud (VPC). Which solution is MOST appropriate?

Question 11 (medium, multiple choice)

A company is designing a data retention policy for cloud storage. Regulatory requirements mandate that certain records be kept for 7 years and then securely destroyed. Which combination of controls should be used?

Question 12 (medium, multi select)

Which TWO of the following are valid methods to protect data at rest in a cloud environment?

Question 13 (hard, multi select)

Which THREE of the following are key components of a cloud data governance framework?

Question 14 (easy, multi select)

Which TWO of the following are benefits of using tokenization for credit card data?

Question 15 (hard, multi select)

Which THREE of the following are essential steps in a cloud data discovery process?

Question 16 (medium, multiple choice)

An administrator applies the bucket policy shown in the exhibit to an S3 bucket containing sensitive data. What is the EFFECT of this policy?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Question 17 (hard, multiple choice)

A developer receives the error shown in the exhibit when trying to encrypt an object using a customer-managed KMS key. What is the MOST likely cause?

Exhibit

Refer to the exhibit.

```
Error: Failed to create resource. Status: 403 Forbidden.
{
  "Code": "AccessDenied",
  "Message": "Access denied. Please ensure that the key policy grants the necessary permissions.",
  "Resource": "arn:aws:kms:us-east-1:123456789012:key/abc123"
}
```

Question 18 (easy, multiple choice)

A DevOps engineer runs the command shown in the exhibit and gets the error shown. What is the MOST likely missing permission?

Exhibit

Refer to the exhibit.

```
$ gsutil ls gs://my-bucket/
AccessDeniedException: 403 my-service-account@project.iam.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket.
```

Question 19 (hard, multiple choice)

A multinational financial services company uses a hybrid cloud environment with workloads in AWS and Azure. They recently acquired a smaller firm and must integrate their data while maintaining compliance with GDPR and PCI DSS. The acquired firm stores customer payment data in an on-premises Oracle database and wants to migrate it to the cloud. During the migration, they must ensure that the data is encrypted at all times—at rest, in transit, and during processing. The security team has implemented TLS for data in transit and plans to use cloud-native encryption for at-rest data. However, they are concerned about data being processed in memory or temporary storage. They also need to maintain key separation so that the cloud provider cannot access the encryption keys. The CISO wants to implement a solution that minimizes performance impact while meeting compliance requirements. Which of the following is the BEST course of action?

Question 20 (medium, multiple choice)

A software-as-a-service (SaaS) provider hosts customer data in a multi-tenant cloud environment. Each customer's data is stored in separate databases but shares a common infrastructure. A customer reports that they can see another customer's data in their application dashboard. The development team investigates and finds no application-level bugs. The security team suspects the issue is related to cloud data isolation. The provider uses a public cloud database service with separate schemas per customer. The database service uses shared compute resources. The provider's compliance team is concerned about data leakage between tenants. Which of the following is the MOST effective way to ensure data isolation in this environment?

Question 21 (medium, multiple choice)

A healthcare organization stores patient records in a cloud-based object storage service. To comply with HIPAA, they must ensure that data is encrypted at rest and that encryption keys are managed by the organization itself. Which key management approach should they implement?

Question 22 (hard, multiple choice)

A multinational corporation uses a cloud CASB to enforce data loss prevention (DLP) policies across SaaS applications. The security team discovers that sensitive data is being exfiltrated via encrypted traffic that the CASB cannot inspect. What is the most effective design change to mitigate this risk?

Question 23 (easy, multi select)

A cloud architect is designing a data classification scheme for a financial services firm. The data includes public marketing materials, internal emails, customer account numbers, and credit card information. Which two data categories should be classified as 'restricted' under PCI DSS and other regulations?

Question 24 (medium, multi select)

A company uses a cloud key management service (KMS) with automatic key rotation enabled. Which TWO statements about key rotation are true?

Question 25 (hard, multiple choice)

A security engineer applies the bucket policy shown in the exhibit to an S3 bucket containing sensitive data. Which of the following best describes the effect of this policy?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Question 26 (medium, multi select)

A cloud security team is implementing tokenization for a payment system. Which THREE statements correctly describe tokenization characteristics?

Question 27 (hard, multiple choice)

A large e-commerce company uses a multi-cloud environment with workloads in AWS and Azure. They store customer payment data in an AWS S3 bucket and use Azure SQL Database for transactional data. The company requires that all data at rest be encrypted using keys managed by their on-premises HSM. They have implemented AWS KMS with custom key store (CloudHSM) for S3, and Azure SQL TDE with Azure Key Vault (using BYOK) for the database. Recently, the security team noticed that some S3 objects are not encrypted with the expected key, and there are intermittent access failures to the Azure SQL database. Investigation reveals that the AWS KMS key ID changed after a recent security incident, and the Azure Key Vault key has been disabled due to a misconfigured access policy. What is the most effective course of action to restore encryption compliance and service availability?

Question 28 (easy, multiple choice)

A financial services company is migrating sensitive customer data to a cloud environment. The compliance team requires that all data at rest be encrypted using a key managed by the organization, not the cloud provider. Which solution should the company implement?

Question 29 (medium, multi select)

A cloud security architect is designing a data loss prevention (DLP) strategy for a multi-cloud environment. Which TWO actions are effective in preventing unauthorized exfiltration of sensitive data?

Question 30 (hard, multiple choice)

A cloud security engineer reviews the S3 bucket policy shown in the exhibit. What is the net effect of this policy when a request originates from IP address 203.0.113.10 over HTTPS?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::company-data/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::company-data/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```

Question 31 (medium, drag order)

Drag and drop the steps for managing identity and access in a multi-cloud environment using a centralized identity provider (IdP) into the correct order.


More Cloud Data Security questions available in the full practice test.
