© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.
CCSP Cloud Application Security • Complete Question Bank

CCSP Cloud Application Security — All Questions With Answers

Complete CCSP Cloud Application Security question bank: all questions with answers and detailed explanations.

84 questions. Free, no signup required.
Question 1 (medium, multiple choice)

During a code review, a developer discovers hardcoded AWS access keys in a configuration file that was committed to the repository. Which tool is specifically designed to detect such secrets in code repositories?

Question 2 (easy, multiple choice)

Which cloud-specific vulnerability involves an attacker making a server-side request to the cloud metadata endpoint (e.g., 169.254.169.254) to retrieve temporary credentials?

Question 3 (medium, multiple choice)

An organization is implementing a DevSecOps pipeline for cloud-native applications. Which security testing method should be integrated early in the CI/CD pipeline to analyze source code for vulnerabilities without executing the application?

Question 4 (hard, multiple choice)

A security engineer is reviewing a Terraform configuration and wants to prevent deployment of an S3 bucket with public read access. Which IaC scanning tool is best suited for this task?

Question 5 (medium, multiple choice)

Which OWASP Top 10 vulnerability is most directly related to cloud API security when an attacker can modify parameters to access another user's data?

Question 6 (medium, multiple choice)

A cloud application uses an IAM role with a policy that allows 's3:*' on all buckets. This is an example of which cloud security issue?

Question 7 (easy, multiple choice)

Which practice is essential for securing cloud application secrets such as database passwords and API tokens?

Question 8 (medium, multiple choice)

A security team wants to detect container image vulnerabilities before images are pushed to a registry. At which stage of the CI pipeline should container image scanning occur?

Question 9 (hard, multiple choice)

An attacker publishes a malicious package to a public registry using the same name as an internal package used by a cloud application. This is known as:

Question 10 (easy, multiple choice)

What is a Software Bill of Materials (SBOM) primarily used for?

Question 11 (medium, multiple choice)

An API endpoint returns user profile data including fields like 'credit_card_number' even when the client application does not need it. Which OWASP API security risk does this represent?

Question 12 (hard, multiple choice)

A security engineer is reviewing an S3 bucket policy that grants 's3:GetObject' access to 'Principal: *' and 'Condition: {IpAddress: {aws:SourceIp: ["1.2.3.4/32"]}}'. Despite the IP restriction, why is this policy still considered risky?

Question 13 (medium, multi select)

A cloud security team is implementing a DevSecOps pipeline. Which TWO of the following are examples of shift-left security practices? (Select two.)

Question 14 (hard, multi select)

Which TWO of the following are effective measures to prevent dependency confusion attacks? (Select two.)

Question 15 (medium, multi select)

Which THREE of the following are recommended practices for securing cloud application APIs? (Select three.)

Question 16 (easy, multiple choice)

A cloud security team wants to integrate security testing early in the development lifecycle to reduce vulnerabilities. Which approach best describes this concept?

Question 17 (medium, multiple choice)

A cloud-native application is deployed on AWS. During a security review, the team discovers that if an attacker can send a crafted request to the application, the application will make an HTTP request to http://169.254.169.254/latest/meta-data/iam/security-credentials/. Which vulnerability is being exploited?

Question 18 (medium, multiple choice)

A DevOps team is implementing a CI/CD pipeline for a cloud application. They want to automatically scan source code for security vulnerabilities before building the application. Which type of scanning should they integrate?

Question 19 (hard, multiple choice)

During a security audit of a Kubernetes deployment, a team finds that containers are allowed to run as root with full privilege escalation. Which IaC scanning tool would have detected this misconfiguration before deployment?

Question 20 (easy, multiple choice)

Which practice helps prevent hardcoded cloud credentials from being committed to source code repositories?

Question 21 (medium, multiple choice)

An organization uses a private artifact registry for approved package sources. A developer accidentally publishes a package with a similar name to an internal package to the public registry. This could lead to which type of attack?

Question 22 (hard, multiple choice)

A cloud application uses an API that allows users to view other users' profile details by changing the user ID in the request. Which vulnerability is this?

Question 23 (medium, multiple choice)

A security team wants to ensure that only signed container images are deployed in production. Which practice should they implement?

Question 24 (easy, multiple choice)

Which of the following is a cloud-specific vulnerability that can lead to exposure of IAM credentials through the metadata service?

Question 25 (medium, multiple choice)

A developer configures an AWS S3 bucket to allow public access by setting a bucket policy that grants 's3:GetObject' to 'Principal: *'. Which vulnerability does this introduce?

Question 26 (hard, multiple choice)

Which runtime security control monitors application behavior and can block attacks by analyzing application logic and context?

Question 27 (medium, multiple choice)

What is the primary purpose of a Software Bill of Materials (SBOM) in cloud application security?

Question 28 (medium, multi select)

A cloud security engineer is reviewing an AWS IAM policy that includes the following statement: 'Effect: Allow, Action: iam:*, Resource: *'. Which two security concerns does this configuration create? (Choose TWO.)

Question 29 (hard, multi select)

A security team is implementing a DevSecOps pipeline for a cloud-native application. Which three practices should be included to enhance application security? (Choose THREE.)

Question 30 (medium, multi select)

An organization wants to prevent secrets from being exposed in source code. Which two practices should they adopt? (Choose TWO.)

Question 31 (medium, multiple choice)

A security engineer is integrating security into a cloud application's CI/CD pipeline. Which practice is an example of 'shift-left' security?

Question 32 (hard, multiple choice)

During a threat modeling session for a cloud-native application, which cloud-specific attack path is most critical to identify?

Question 33 (easy, multiple choice)

Which tool is specifically designed to scan Infrastructure as Code (IaC) templates for cloud misconfigurations before deployment?

Question 34 (medium, multiple choice)

A developer accidentally commits AWS access keys to a public GitHub repository. Which tool would be most effective in detecting this secret exposure?

Question 35 (medium, multiple choice)

Which vulnerability is considered a cloud-specific API security issue?

Question 36 (hard, multiple choice)

An organization uses a private artifact registry for approved packages. What attack does this practice primarily defend against?

Question 37 (easy, multiple choice)

Which of the following is a key benefit of using a Software Bill of Materials (SBOM)?

Question 38 (medium, multiple choice)

A cloud application uses IAM roles to grant permissions to compute instances. What is the primary security advantage of this approach over hardcoding credentials?

Question 39 (hard, multiple choice)

During a security audit, a cloud security architect discovers that an S3 bucket is configured with a bucket policy that allows 's3:GetObject' from any principal. What is the most likely risk?

Question 40 (easy, multiple choice)

Which of the following is an example of a runtime application self-protection (RASP) capability?

Question 41 (medium, multiple choice)

A cloud application allows users to upload profile pictures. The application stores the files in an S3 bucket with public read access. An attacker uploads a malicious script that executes when other users view the image. Which type of attack is this?

Question 42 (medium, multiple choice)

Which of the following is a best practice for managing secrets in cloud-native applications?

Question 43 (medium, multi select)

A security team is implementing container image scanning in a CI pipeline. Which TWO of the following actions should be performed? (Select TWO)

Question 44 (medium, multi select)

Which THREE of the following are effective measures to prevent unauthorized access to cloud storage buckets? (Select THREE)

Question 45 (hard, multi select)

A cloud security architect is designing a DevSecOps pipeline for a multi-cloud environment. Which THREE practices should be included to ensure security is integrated early? (Select THREE)

Question 46 (easy, multiple choice)

Which security testing technique is most effective at identifying vulnerabilities early in the development lifecycle by analyzing source code without executing it?

Question 47 (medium, multiple choice)

A security engineer discovers that a cloud application can access the metadata service endpoint at 169.254.169.254. Which vulnerability is most likely being exploited?

Question 48 (medium, multiple choice)

During a CI/CD pipeline, a developer wants to automatically block builds if Terraform configuration files contain security misconfigurations. Which tool is best suited for this task?

Question 49 (hard, multiple choice)

A company uses a private artifact registry for internal packages. An attacker publishes a malicious package with the same name as an internal package to a public registry. Which attack is being described?

Question 50 (easy, multiple choice)

Which of the following is a key practice for secure management of cloud credentials in application code?

Question 51 (medium, multiple choice)

An API allows users to access their own profile data by providing a user ID. However, an attacker can change the user ID parameter to access another user's data. Which OWASP API Security vulnerability is this?

Question 52 (medium, multiple choice)

Which practice is most effective for preventing the deployment of container images with known vulnerabilities in a DevSecOps pipeline?

Question 53 (hard, multiple choice)

A cloud application uses an IAM role with the policy "Action: s3:*" and "Resource: *". Which principle is violated?

Question 54 (easy, multiple choice)

What is the primary purpose of a Software Bill of Materials (SBOM) in cloud application security?

Question 55 (medium, multiple choice)

A company is adopting shift-left security. Which action best exemplifies this approach?

Question 56 (hard, multiple choice)

An attacker exploits a cloud application to make HTTP requests to an internal metadata service and retrieve temporary credentials. Which control would be most effective in preventing this attack?

Question 57 (medium, multiple choice)

Which of the following is a cloud-specific threat that should be included in a threat model for a cloud application?

Question 58 (medium, multi select)

Which TWO of the following are effective methods for preventing hardcoded credentials from being committed to a cloud application's source code repository? (Select TWO)

Question 59 (medium, multi select)

Which TWO of the following are recommended practices for securing container images in a cloud environment? (Select TWO)

Question 60 (hard, multi select)

Which THREE of the following are key components of a secure cloud SDLC that support shift-left security? (Select THREE)

Question 61 (easy, multiple choice)

Which security testing approach is most effective at identifying vulnerabilities early in the cloud software development lifecycle (SDLC) by analyzing source code without executing the application?

Question 62 (medium, multiple choice)

A cloud-native application stores sensitive user files in an Amazon S3 bucket. Which misconfiguration poses the greatest risk of data exposure?

Question 63 (hard, multiple choice)

A developer accidentally hardcodes AWS access keys in a public GitHub repository. Which tool is specifically designed to detect such secrets in code repositories?

Question 64 (medium, multiple choice)

In a DevSecOps pipeline for a cloud application, which practice best ensures that only approved open-source components are used?

Question 65 (medium, multiple choice)

A cloud application allows users to upload profile pictures that are stored in Azure Blob Storage. Which vulnerability is most likely if the application does not validate the content type or size of uploaded files?

Question 66 (easy, multiple choice)

Which cloud-specific attack involves an application making HTTP requests to internal metadata endpoints such as 169.254.169.254 to retrieve cloud instance credentials?

Question 67 (medium, multiple choice)

A cloud security team wants to automatically block malicious requests to a web application before they reach the application servers. Which solution should they implement?

Question 68 (hard, multiple choice)

A company uses Terraform to manage cloud infrastructure. Which infrastructure-as-code (IaC) security scanner can detect misconfigurations such as overly permissive security group rules before deployment?

Question 69 (medium, multiple choice)

An API endpoint returns user profile details including email, phone, and address. The response includes fields that are not needed for the client application. Which OWASP API Security risk does this represent?

Question 70 (easy, multiple choice)

Which of the following is a best practice for managing secrets in a cloud-native application?

Question 71 (medium, multiple choice)

A container image is built and scanned in a CI pipeline. Which practice should be implemented to ensure that the image has not been tampered with before deployment?

Question 72 (hard, multiple choice)

An attacker publishes a malicious package to a public registry using the same name as an internal package used by a cloud application. This attack is known as:

Question 73 (medium, multi select)

A cloud application is deployed on Kubernetes and uses an IAM role for service accounts. Which TWO practices should be implemented to ensure least privilege?

Question 74 (medium, multi select)

A DevSecOps team is implementing security scanning in the CI/CD pipeline for a cloud application. Which THREE tools or practices should be included to shift security left?

Question 75 (hard, multi select)

A cloud application exposes an API that allows users to view their own orders. Which TWO vulnerabilities could allow an attacker to view another user's orders?

Question 76 (easy, multiple choice)

A development team is adopting a DevSecOps approach for a cloud-native application. Which practice best exemplifies the shift-left security principle?

Question 77 (medium, multiple choice)

A security engineer is reviewing a cloud application that uses AWS S3 buckets. Which vulnerability is most specific to cloud environments and is often exploited to access sensitive data?

Question 78 (hard, multiple choice)

During a threat modeling session for a cloud application, the team identifies a risk where an attacker could trick the application into making HTTP requests to the cloud metadata endpoint (e.g., http://169.254.169.254). What is the most critical impact of this attack?

Question 79 (medium, multi select)

A cloud security architect is implementing a CI/CD pipeline for a containerized application on AWS. Which TWO practices should be integrated to enforce container image security?

Question 80 (medium, multi select)

A development team builds a serverless application using AWS Lambda. The security team wants to prevent hardcoded credentials. Which TWO methods should they enforce for secure secrets management?

Question 81 (medium, multi select)

A security auditor is reviewing a cloud application's API endpoints. Which THREE OWASP API Security risks are particularly relevant to cloud applications due to their reliance on APIs for resource access?

Question 82 (hard, multi select)

A company uses a private artifact registry for internal packages. An attacker could perform a dependency confusion attack by uploading a malicious package to a public registry with the same name as an internal package. Which THREE measures help mitigate this attack?

Question 83 (hard, multi select)

A cloud security team is implementing a DevSecOps pipeline for a Kubernetes-based application. Which THREE scanning tools should be integrated to detect IaC misconfigurations before deployment?

Question 84 (medium, multi select)

A cloud application uses IAM roles with wildcard permissions (e.g., iam:* or *:*). Which TWO risks are directly associated with such over-permissive IAM policies?
