A financial services company is migrating sensitive customer data to the cloud. They require that encryption keys be generated and stored on-premises in their own hardware security module (HSM), with the cloud provider never having access to the plaintext keys. Which key management model should they implement?
A healthcare organization is storing protected health information (PHI) in a cloud object storage service. They want to ensure that if a storage bucket is accidentally made public, the data remains unreadable. Which combination of controls best addresses this risk?
A multinational corporation must comply with GDPR and local data residency laws. They are designing a cloud storage architecture that will store customer data in the EU region. However, to improve disaster recovery, they want to replicate data to a secondary region outside the EU. Which approach meets compliance requirements?
A cloud security engineer is configuring a Data Loss Prevention (DLP) API to scan a cloud storage bucket for personally identifiable information (PII). Which of the following is a de-identification technique that replaces sensitive values with a token that can be mapped back to the original data using a secure lookup table?
Which of the following is the most granular method to grant time-limited access to a specific object in a cloud storage bucket without requiring the requester to have AWS credentials?
An organization wants to use cloud KMS to manage encryption keys. They require automatic key rotation every 90 days and the ability to define granular access policies for who can use the keys. Which key management model should they choose?
A company is using client-side encryption to encrypt data before uploading to cloud storage. They want to ensure that the cloud provider cannot access the encryption keys. However, they need to allow a cloud-based analytics service to process the data. Which approach should they take?
A data classification scheme for a cloud environment defines labels such as Public, Internal, Confidential, and Restricted. Which label should be applied to data that, if disclosed, would cause severe damage to the organization and is subject to regulatory fines?
A cloud storage bucket is configured with versioning enabled. A ransomware attack encrypts all objects in the bucket. How can the organization recover the original data?
When data is in transit between an on-premises data center and a cloud service, which of the following is the minimum encryption standard recommended by security best practices?
A data lifecycle policy requires that data be destroyed after a retention period. In a cloud object storage service, what is the most secure method to ensure that data is irretrievably destroyed?
An organization is deploying a cloud DLP solution to scan data at rest. They want to automatically classify and tag sensitive data, and then apply access controls based on the tags. Which cloud service capability is most directly used to enforce access decisions based on data classification tags?
A cloud security architect is designing a key management strategy to meet regulatory requirements for key separation and tamper evidence. Which TWO of the following are benefits of using hardware security modules (HSMs) backing a cloud KMS? (Select TWO.)
A company is deploying a cloud application that processes customers' personal data. They need to ensure data in transit is protected. Which THREE of the following are appropriate controls for data in transit? (Select THREE.)
An organization is implementing a data loss prevention (DLP) solution to protect sensitive data in cloud storage. Which TWO of the following are capabilities of a cloud DLP service? (Select TWO.)
A financial services company stores customer transaction data in a cloud object storage bucket. The company requires that all data be encrypted at rest using keys that it generates and manages on-premises, with the cloud provider having no access to the keys. Which encryption approach should the company use?
A healthcare organization is migrating electronic health records to the cloud and must comply with data residency requirements that mandate all patient data remain within the European Union. The cloud provider offers multiple regions globally. Which of the following is the most appropriate action to ensure compliance?
A company uses a cloud KMS to manage encryption keys for its cloud storage buckets. The security team wants to ensure that keys are rotated automatically every 90 days and that access to keys is restricted based on user roles. Which key management feature should they configure?
A multinational corporation uses a cloud DLP service to scan data stored in cloud storage and BigQuery for personally identifiable information (PII). The DLP scan identifies credit card numbers in a dataset. According to the cloud data lifecycle, at which stage should the DLP scan ideally be performed to minimize exposure?
A security engineer needs to provide temporary access to a specific object in a cloud storage bucket for a third-party auditor, without granting them any other permissions. The access should expire automatically after 24 hours. Which method should the engineer use?
An organization wants to protect its cloud storage data from ransomware attacks that might encrypt or delete objects. The security team decides to enable a feature that maintains previous versions of objects when changes are made. Which feature is being described?
A cloud architect is designing a data classification scheme for a SaaS provider. The provider handles customer data that includes public marketing materials, internal policies, and sensitive customer financial records. Which classification level should be assigned to customer financial records to enforce the highest level of protection?
A company is implementing a data loss prevention (DLP) strategy for cloud storage. They need to detect and mask credit card numbers in documents stored in a cloud storage bucket. The DLP service provides de-identification transforms including masking, tokenization, and pseudonymization. Which transform should the company use to irreversibly replace the credit card numbers with a placeholder while maintaining the original format for analytics?
A small business uses a cloud provider's default server-side encryption (SSE) to encrypt data at rest in their cloud storage. They are concerned about key management overhead. Which statement best describes the key management responsibility for SSE?
A company is required by a data sovereignty law to ensure that all data generated by its EU customers is stored and processed within the EU. The company uses a cloud provider with data centers in multiple regions. Which cloud storage configuration should they implement?
A DevOps team is deploying an application that will store encryption keys in a cloud KMS. The security policy requires that keys be stored in a hardware security module (HSM) and that key material never leaves the HSM boundary. Which key management option should they choose?
A company uses cloud KMS with customer-managed keys (CMEK) to encrypt data in a cloud storage bucket. The security team wants to ensure that if a key is compromised, they can revoke the cloud service's ability to decrypt the data immediately. What should they do?
A cloud security architect is designing access controls for a cloud storage bucket that contains sensitive customer data. The architect needs to implement a solution that provides granular, time-limited access to specific objects for external auditors. Which TWO methods should the architect consider? (Select TWO.)
A company is implementing a DLP strategy to protect PII in cloud storage. They need to discover sensitive data and then apply de-identification transforms. Which THREE de-identification transforms are appropriate for anonymizing PII while maintaining data utility for analytics? (Select THREE.)
A company is planning to implement data classification for its cloud environment. Which TWO components are essential for an effective data classification scheme? (Select TWO.)
A financial services company stores customer transaction data in a cloud object storage service. The security team wants to ensure that if a malicious insider gains access to the storage bucket, they cannot read the data. Which encryption approach provides the highest level of protection against the cloud provider and insiders?
A healthcare organization is migrating electronic health records (EHR) to the cloud and must comply with HIPAA. They want to use cloud-native encryption but retain the ability to immediately revoke access to all encrypted data. Which key management strategy best meets this requirement?
An organization uses a cloud-based data analytics platform with data stored in a data warehouse. The security team discovers that some tables contain unencrypted personally identifiable information (PII). They need to automatically scan the data warehouse for PII and apply pseudonymization to protect sensitive columns. Which cloud service should be used?
A company is implementing a data classification policy for cloud storage. They want to label objects with tags indicating the sensitivity level (e.g., 'Confidential'). Which benefit does tagging resources with classification labels provide?
A global e-commerce company must store customer payment data in a specific geographic region to comply with local data residency laws. Which cloud configuration ensures that data never leaves the required region?
A security architect is designing a multi-cloud data protection strategy. They need to give a third-party auditor time-limited, read-only access to a specific file in a cloud storage bucket. Which access control method is most appropriate?
A company uses a cloud key management service (KMS) with an HSM-backed key for encrypting sensitive data. They want to ensure that the key is automatically rotated every 90 days and that older key versions are retained for decryption of previously encrypted data. Which KMS feature should be configured?
A cloud security engineer needs to protect a storage bucket from accidental deletion and ransomware attacks. Which two features should be enabled together for maximum protection?
An organization wants to classify data in the cloud and assign labels such as 'Public', 'Internal', 'Confidential', and 'Restricted'. What is the primary purpose of this classification scheme?
A company needs to encrypt data in transit between its on-premises data center and a cloud virtual private cloud (VPC). They require a dedicated, encrypted tunnel with consistent throughput. Which solution should be used?
A cloud security team is implementing data loss prevention for a data lake that stores customer support logs. They need to redact credit card numbers from the logs before they are used for analytics. Which DLP de-identification technique should be applied?
A cloud architect is designing key management for a multi-tenant SaaS application. The architect must ensure that each customer's encryption keys are isolated and that the cloud provider cannot access the keys. Which TWO key management strategies meet these requirements? (Select TWO.)
A financial institution is migrating to the cloud and must comply with regulations requiring that sensitive data be stored only in specific geographic regions and that access to data is logged and monitored. Which THREE controls should be implemented? (Select THREE.)
A security analyst is reviewing a cloud storage bucket that contains archived customer records. The analyst wants to ensure that no object in the bucket can be modified or deleted for 7 years to meet regulatory retention requirements. Which TWO features should be enabled? (Select TWO.)
A healthcare organization is storing patient records in a cloud object storage service. They must encrypt data at rest with keys they control and rotate regularly, but they do not want to manage the encryption process themselves. Which encryption option should they use?
A financial services company uses a cloud DLP API to scan data stored in Cloud Storage and BigQuery. They need to reduce the risk of exposing credit card numbers in reports by replacing the first 12 digits with asterisks while preserving the last four. Which de-identification technique should they apply?
A multinational corporation must ensure that customer data from the European Union is stored and processed only within EU regions to comply with GDPR. They are using a cloud provider with data centers globally. What is the primary mechanism to enforce this requirement?
A cloud security architect is designing a key management strategy for a hybrid cloud environment. The organization requires that encryption keys never leave their on-premises hardware security module (HSM) due to strict regulatory mandates, yet cloud services must be able to perform encryption operations on data at rest. Which key management approach meets these requirements?
A data governance team is developing a classification scheme for cloud-stored data. They want to label data based on sensitivity, from least to most restrictive. Which of the following is a typical classification category for highly sensitive data that could cause severe damage if disclosed?
An organization uses cloud object storage with versioning enabled. After a ransomware attack, they discover that many objects were encrypted by the attacker. How does versioning help in this scenario?
A cloud security team is implementing data loss prevention (DLP) for sensitive data in a cloud data warehouse. They need to detect and classify Social Security numbers (SSNs) stored in tables. Which cloud service capability is most appropriate for this task?
A cloud architect is designing a secure data sharing mechanism for a third-party partner. The partner needs temporary access to download a specific object from a private cloud storage bucket, but should not have broader access to the bucket. Which approach should be used?
Which phase of the cloud data lifecycle involves the removal of data in a manner that ensures it cannot be reconstructed, typically using techniques like cryptographic erasure or degaussing?
A company is using a cloud provider's key management service (KMS) with HSM-backed keys. They want to ensure that key material is automatically replaced periodically to limit the impact of a potential key compromise. Which KMS feature should they configure?
An organization is required to use client-side encryption for all data uploaded to a cloud storage service to ensure that the cloud provider has no access to plaintext. However, they also need to allow the cloud provider to perform server-side operations like indexing and search on the encrypted data. Which technology can address this conflict?
A cloud security analyst is reviewing access logs and notices that a pre-signed URL for an object was used after its expiration time. What should be the outcome of such an access attempt?
A cloud security team is evaluating DLP techniques to protect sensitive data in a cloud data warehouse. They want to replace sensitive values with realistic but fictitious data for non-production environments while preserving referential integrity. Which TWO de-identification techniques are suitable?
A global enterprise is designing a cloud storage architecture with cross-region replication for disaster recovery. They must ensure that data replicated to a secondary region is encrypted with keys managed by the customer, and that those keys are stored in the secondary region's KMS. Which THREE capabilities must be enabled?
A cloud architect is designing a data classification strategy for a multi-cloud environment. The strategy must automatically tag resources with classification labels and enforce access controls based on those labels. Which THREE components are essential for this automated classification and enforcement?
A healthcare company stores patient records in a cloud storage bucket. They need to encrypt the data at rest using encryption keys that they manage themselves, but they want to generate the keys within the cloud provider's key management service. Which encryption option should they choose?
A financial institution is implementing a data classification scheme for their cloud environment. They have data that, if exposed, could cause severe damage to the organization and is subject to strict regulatory requirements. Which classification level should be applied to this data?
An organization uses a cloud storage service with versioning enabled. They discover that a ransomware attack encrypted all current versions of their files. However, they can still recover the data. Which feature protects them?
A company wants to use a cloud KMS to encrypt data but requires that the encryption key never leaves their on-premises hardware security module (HSM) due to compliance. Which key management model should they adopt?
An organization is moving sensitive customer data to the cloud and must ensure that data is encrypted before being sent to the cloud provider. They want to maintain full control over the encryption keys and not rely on the cloud provider for any key management. Which approach should they use?
A multinational corporation must comply with GDPR and store EU customer data only within the European Union. Which cloud storage security measure directly addresses this requirement?
A security team is setting up a DLP solution to scan cloud storage for credit card numbers. They want to automatically mask the detected credit card numbers so that only the last four digits are visible. Which DLP de-identification transform should they use?
An organization wants to share a large file from a cloud storage bucket with an external partner for a limited time. They need to ensure that the partner can only access the specific file and that the access expires automatically. Which method should they use?
A cloud architect is designing a data lifecycle policy for a SaaS application. According to the cloud data lifecycle, which phase immediately follows the 'Share' phase?
An organization uses cloud storage and wants to protect against accidental deletion of objects. They also want to be able to recover previous versions of objects in case of unintended modifications. Which feature should they enable?
A company is required to encrypt all data in transit between its on-premises data center and its cloud environment. They have a hybrid cloud setup and need a secure tunnel for all traffic. Which solution should they implement?
An organization uses a cloud DLP API to scan data in Cloud Storage and BigQuery for sensitive information. They need to replace social security numbers (SSNs) with a non-reversible token that can be used for consistent mapping without exposing the original SSN. Which de-identification technique should they use?
A cloud security architect is designing a key management strategy for a multi-cloud environment. They want to ensure that encryption keys are generated and stored on-premises but can be used by cloud services for encryption operations. Which two key management models meet these requirements? (Choose two.)
A financial services company is implementing a data loss prevention (DLP) solution to protect sensitive data in cloud storage. They need to identify and classify data containing personally identifiable information (PII) such as credit card numbers and social security numbers. Which three capabilities should the DLP solution provide? (Choose three.)
An organization is designing a data residency strategy for compliance with data sovereignty laws. They must ensure that customer data remains within specific geographic boundaries. Which three measures should they implement? (Choose three.)
A company is moving its data to the cloud and must ensure that all data at rest is encrypted using keys that are generated and managed on-premises, with the cloud provider having no access to the keys. Which encryption method should be used?
A healthcare organization stores patient records in a cloud object storage bucket. The compliance team requires that all files containing Protected Health Information (PHI) be automatically identified and classified. Which service should the organization implement to scan the bucket for PHI and label the data accordingly?
A financial services company must comply with a regulation that requires encryption keys used for cloud services to be generated and stored on-premises in a Hardware Security Module (HSM). The cloud provider must not have any access to the keys. Which key management approach should the company adopt?
A multinational corporation is migrating its data to the cloud and needs to ensure that data belonging to EU residents never leaves the EU region due to GDPR data sovereignty requirements. Additionally, the company wants to prevent accidental deletion and protect against ransomware. Which combination of cloud storage features should be implemented to meet these requirements?
A company uses a cloud object storage service to host a public website. The website content is static and needs to be accessible to anyone on the internet, but the company wants to prevent direct listing of the bucket contents. Which combination of access controls should be configured?
An organization must implement encryption for data in transit between its on-premises data center and a cloud provider. The data is sensitive and the organization requires a dedicated, encrypted tunnel. Which solution should be used?
Which data classification level typically includes information that, if disclosed, could cause serious damage to an organization, such as trade secrets or personally identifiable information (PII)?
A cloud security engineer needs to de-identify a dataset containing credit card numbers before sharing it with a third-party analytics team. The engineer wants to replace each credit card number with a unique token that can be used for correlation but cannot be reversed to obtain the original number. Which de-identification technique should be used?
A company uses a cloud KMS service with an HSM backing for key storage. The security policy requires that keys be rotated automatically every 90 days and that old keys be retained for at least one year to decrypt archived data. Which key management feature should be configured to meet these requirements?
A company has enabled object versioning on its cloud storage bucket to protect against accidental deletion. A ransomware attack encrypts all objects and creates new versions. To recover the data, the company needs to restore the previous unencrypted versions. What is the most efficient recovery method?
A cloud security architect is designing a data loss prevention (DLP) strategy for a cloud environment that stores sensitive customer data. Which TWO techniques should be implemented to proactively identify and protect sensitive data? (Select TWO.)
A multinational corporation must comply with data residency requirements that mandate certain data must remain within the European Union. Additionally, the company needs to ensure high availability and disaster recovery for this data. Which THREE measures should be implemented? (Select THREE.)
A cloud security team is implementing encryption for data at rest in a cloud storage service. They require that the encryption keys be managed by the customer and that the cloud provider has access to the keys only when authorized by the customer. Which TWO key management options meet these requirements? (Select TWO.)
A healthcare organization stores patient records in a cloud object storage service. They require that all data be encrypted at rest using keys that they generate and manage on-premises, but they want to minimize operational overhead. Which encryption approach should they choose?
A financial institution must ensure that sensitive data processed in the cloud cannot be decrypted by the cloud provider under any circumstances. They also need low latency for data operations. Which encryption model best meets these requirements?
A company wants to enforce data classification in its cloud environment. They need to automatically identify and label sensitive data such as credit card numbers in cloud storage. Which service should they use?
A multinational corporation must store customer data in specific geographic regions to comply with data sovereignty laws. Which cloud storage feature should they configure to ensure data does not leave a designated region?
A security architect is designing a key management strategy for a cloud environment. They need to ensure that keys are rotated automatically and that the cloud service cannot access the key without explicit authorization. Which TWO options should they consider? (Choose two.)
A cloud architect is implementing data loss prevention (DLP) for a data lake containing PII. They want to automatically detect and transform sensitive data like Social Security numbers and medical record numbers. Which THREE actions should they take? (Choose three.)
A company stores sensitive data in cloud object storage and wants to protect against ransomware attacks that could encrypt or delete objects. Which TWO measures should they implement? (Choose two.)
A cloud security team needs to ensure that all data in transit between on-premises systems and the cloud is encrypted. Which TWO options should they consider? (Choose two.)
A data governance officer wants to classify all data in a cloud environment using a classification scheme. They need to tag resources automatically and enforce access controls based on the tags. Which THREE steps should they take? (Choose three.)
A company uses a cloud KMS with HSM-backed keys for regulatory compliance. They need to allow a cloud service to use a key for encryption while retaining the ability to revoke access at any time. Which TWO key management models satisfy this? (Choose two.)
A cloud storage administrator wants to ensure that only authorized users can access objects in a bucket, and they need to provide time-limited access to a specific object for an external partner. Which TWO access control methods should they use? (Choose two.)