CCSP Cloud Data Security • Complete Question Bank

CCSP Cloud Data Security — All Questions With Answers

Complete CCSP Cloud Data Security question bank — all 0 questions with answers and detailed explanations.

101 Questions
Question 1 (easy, multiple choice)

A financial services company is migrating sensitive customer data to the cloud. They require that encryption keys be generated and stored on-premises in their own hardware security module (HSM), with the cloud provider never having access to the plaintext keys. Which key management model should they implement?

Question 2 (medium, multiple choice)

A healthcare organization is storing protected health information (PHI) in a cloud object storage service. They want to ensure that if a storage bucket is accidentally made public, the data remains unreadable. Which combination of controls best addresses this risk?

Question 3 (hard, multiple choice)

A multinational corporation must comply with GDPR and local data residency laws. They are designing a cloud storage architecture that will store customer data in the EU region. However, to improve disaster recovery, they want to replicate data to a secondary region outside the EU. Which approach meets compliance requirements?

Question 4 (medium, multiple choice)

A cloud security engineer is configuring a Data Loss Prevention (DLP) API to scan a cloud storage bucket for personally identifiable information (PII). Which of the following is a de-identification technique that replaces sensitive values with a token that can be mapped back to the original data using a secure lookup table?

Question 5 (easy, multiple choice)

Which of the following is the most granular method to grant time-limited access to a specific object in a cloud storage bucket without requiring the requester to have AWS credentials?

Question 6 (medium, multiple choice)

An organization wants to use cloud KMS to manage encryption keys. They require automatic key rotation every 90 days and the ability to define granular access policies for who can use the keys. Which key management model should they choose?

Question 7 (hard, multiple choice)

A company is using client-side encryption to encrypt data before uploading to cloud storage. They want to ensure that the cloud provider cannot access the encryption keys. However, they need to allow a cloud-based analytics service to process the data. Which approach should they take?

Question 8 (medium, multiple choice)

A data classification scheme for a cloud environment defines labels such as Public, Internal, Confidential, and Restricted. Which label should be applied to data that, if disclosed, would cause severe damage to the organization and is subject to regulatory fines?

Question 9 (medium, multiple choice)

A cloud storage bucket is configured with versioning enabled. A ransomware attack encrypts all objects in the bucket. How can the organization recover the original data?

Question 10 (easy, multiple choice)

When data is in transit between an on-premises data center and a cloud service, which of the following is the minimum encryption standard recommended by security best practices?

Question 11 (medium, multiple choice)

A data lifecycle policy requires that data be destroyed after a retention period. In a cloud object storage service, what is the most secure method to ensure that data is irretrievably destroyed?

Question 12 (hard, multiple choice)

An organization is deploying a cloud DLP solution to scan data at rest. They want to automatically classify and tag sensitive data, and then apply access controls based on the tags. Which cloud service capability is most directly used to enforce access decisions based on data classification tags?

Question 13 (medium, multi-select)

A cloud security architect is designing a key management strategy to meet regulatory requirements for key separation and tamper evidence. Which TWO of the following are benefits of using hardware security modules (HSMs) backing a cloud KMS? (Select TWO.)

Question 14 (easy, multi-select)

A company is deploying a cloud application that processes customers' personal data. They need to ensure data in transit is protected. Which THREE of the following are appropriate controls for data in transit? (Select THREE.)

Question 15 (medium, multi-select)

An organization is implementing a data loss prevention (DLP) solution to protect sensitive data in cloud storage. Which TWO of the following are capabilities of a cloud DLP service? (Select TWO.)

Question 16 (easy, multiple choice)

A financial services company stores customer transaction data in a cloud object storage bucket. The company requires that all data be encrypted at rest using keys that it generates and manages on-premises, with the cloud provider having no access to the keys. Which encryption approach should the company use?

Question 17 (medium, multiple choice)

A healthcare organization is migrating electronic health records to the cloud and must comply with data residency requirements that mandate all patient data remain within the European Union. The cloud provider offers multiple regions globally. Which of the following is the most appropriate action to ensure compliance?

Question 18 (medium, multiple choice)

A company uses a cloud KMS to manage encryption keys for its cloud storage buckets. The security team wants to ensure that keys are rotated automatically every 90 days and that access to keys is restricted based on user roles. Which key management feature should they configure?

Question 19 (hard, multiple choice)

A multinational corporation uses a cloud DLP service to scan data stored in cloud storage and BigQuery for personally identifiable information (PII). The DLP scan identifies credit card numbers in a dataset. According to the cloud data lifecycle, at which stage should the DLP scan ideally be performed to minimize exposure?

Question 20 (easy, multiple choice)

A security engineer needs to provide temporary access to a specific object in a cloud storage bucket for a third-party auditor, without granting them any other permissions. The access should expire automatically after 24 hours. Which method should the engineer use?

Question 21 (medium, multiple choice)

An organization wants to protect its cloud storage data from ransomware attacks that might encrypt or delete objects. The security team decides to enable a feature that maintains previous versions of objects when changes are made. Which feature is being described?

Question 22 (medium, multiple choice)

A cloud architect is designing a data classification scheme for a SaaS provider. The provider handles customer data that includes public marketing materials, internal policies, and sensitive customer financial records. Which classification level should be assigned to customer financial records to enforce the highest level of protection?

Question 23 (hard, multiple choice)

A company is implementing a data loss prevention (DLP) strategy for cloud storage. They need to detect and mask credit card numbers in documents stored in a cloud storage bucket. The DLP service provides de-identification transforms including masking, tokenization, and pseudonymization. Which transform should the company use to irreversibly replace the credit card numbers with a placeholder while maintaining the original format for analytics?

Question 24 (easy, multiple choice)

A small business uses a cloud provider's default server-side encryption (SSE) to encrypt data at rest in their cloud storage. They are concerned about key management overhead. Which statement best describes the key management responsibility for SSE?

Question 25 (medium, multiple choice)

A company is required by a data sovereignty law to ensure that all data generated by its EU customers is stored and processed within the EU. The company uses a cloud provider with data centers in multiple regions. Which cloud storage configuration should they implement?

Question 26 (medium, multiple choice)

A DevOps team is deploying an application that will store encryption keys in a cloud KMS. The security policy requires that keys be stored in a hardware security module (HSM) and that key material never leaves the HSM boundary. Which key management option should they choose?

Question 27 (hard, multiple choice)

A company uses cloud KMS with customer-managed keys (CMEK) to encrypt data in a cloud storage bucket. The security team wants to ensure that if a key is compromised, they can revoke the cloud service's ability to decrypt the data immediately. What should they do?

Question 28 (medium, multi-select)

A cloud security architect is designing access controls for a cloud storage bucket that contains sensitive customer data. The architect needs to implement a solution that provides granular, time-limited access to specific objects for external auditors. Which TWO methods should the architect consider? (Select TWO.)

Question 29 (hard, multi-select)

A company is implementing a DLP strategy to protect PII in cloud storage. They need to discover sensitive data and then apply de-identification transforms. Which THREE de-identification transforms are appropriate for anonymizing PII while maintaining data utility for analytics? (Select THREE.)

Question 30 (easy, multi-select)

A company is planning to implement data classification for its cloud environment. Which TWO components are essential for an effective data classification scheme? (Select TWO.)

Question 31 (medium, multiple choice)

A financial services company stores customer transaction data in a cloud object storage service. The security team wants to ensure that if a malicious insider gains access to the storage bucket, they cannot read the data. Which encryption approach provides the highest level of protection against the cloud provider and insiders?

Question 32 (medium, multiple choice)

A healthcare organization is migrating electronic health records (EHR) to the cloud and must comply with HIPAA. They want to use cloud-native encryption but retain the ability to immediately revoke access to all encrypted data. Which key management strategy best meets this requirement?

Question 33 (hard, multiple choice)

An organization uses a cloud-based data analytics platform with data stored in a data warehouse. The security team discovers that some tables contain unencrypted personally identifiable information (PII). They need to automatically scan the data warehouse for PII and apply pseudonymization to protect sensitive columns. Which cloud service should be used?

Question 34 (easy, multiple choice)

A company is implementing a data classification policy for cloud storage. They want to label objects with tags indicating the sensitivity level (e.g., 'Confidential'). Which benefit does tagging resources with classification labels provide?

Question 35 (medium, multiple choice)

A global e-commerce company must store customer payment data in a specific geographic region to comply with local data residency laws. Which cloud configuration ensures that data never leaves the required region?

Question 36 (medium, multiple choice)

A security architect is designing a multi-cloud data protection strategy. They need to give a third-party auditor time-limited, read-only access to a specific file in a cloud storage bucket. Which access control method is most appropriate?

Question 37 (hard, multiple choice)

A company uses a cloud key management service (KMS) with an HSM-backed key for encrypting sensitive data. They want to ensure that the key is automatically rotated every 90 days and that older key versions are retained for decryption of previously encrypted data. Which KMS feature should be configured?

Question 38 (easy, multiple choice)

Which phase of the cloud data lifecycle involves making data available for processing by applications and users?

Question 39 (medium, multiple choice)

A cloud security engineer needs to protect a storage bucket from accidental deletion and ransomware attacks. Which two features should be enabled together for maximum protection?

Question 40 (easy, multiple choice)

An organization wants to classify data in the cloud and assign labels such as 'Public', 'Internal', 'Confidential', and 'Restricted'. What is the primary purpose of this classification scheme?

Question 41 (hard, multiple choice)

A company needs to encrypt data in transit between its on-premises data center and a cloud virtual private cloud (VPC). They require a dedicated, encrypted tunnel with consistent throughput. Which solution should be used?

Question 42 (medium, multiple choice)

A cloud security team is implementing data loss prevention for a data lake that stores customer support logs. They need to redact credit card numbers from the logs before they are used for analytics. Which DLP de-identification technique should be applied?

Question 43 (medium, multi-select)

A cloud architect is designing key management for a multi-tenant SaaS application. The architect must ensure that each customer's encryption keys are isolated and that the cloud provider cannot access the keys. Which TWO key management strategies meet these requirements? (Select TWO.)

Question 44 (hard, multi-select)

A financial institution is migrating to the cloud and must comply with regulations requiring that sensitive data be stored only in specific geographic regions and that access to data is logged and monitored. Which THREE controls should be implemented? (Select THREE.)

Question 45 (medium, multi-select)

A security analyst is reviewing a cloud storage bucket that contains archived customer records. The analyst wants to ensure that no object in the bucket can be modified or deleted for 7 years to meet regulatory retention requirements. Which TWO features should be enabled? (Select TWO.)

Question 46 (easy, multiple choice)

A healthcare organization is storing patient records in a cloud object storage service. They must encrypt data at rest with keys they control and rotate regularly, but they do not want to manage the encryption process themselves. Which encryption option should they use?

Question 47 (medium, multiple choice)

A financial services company uses a cloud DLP API to scan data stored in Cloud Storage and BigQuery. They need to reduce the risk of exposing credit card numbers in reports by replacing the first 12 digits with asterisks while preserving the last four. Which de-identification technique should they apply?

Question 48 (medium, multiple choice)

A multinational corporation must ensure that customer data from the European Union is stored and processed only within EU regions to comply with GDPR. They are using a cloud provider with data centers globally. What is the primary mechanism to enforce this requirement?

Question 49 (hard, multiple choice)

A cloud security architect is designing a key management strategy for a hybrid cloud environment. The organization requires that encryption keys never leave their on-premises hardware security module (HSM) due to strict regulatory mandates, yet cloud services must be able to perform encryption operations on data at rest. Which key management approach meets these requirements?

Question 50 (easy, multiple choice)

A data governance team is developing a classification scheme for cloud-stored data. They want to label data based on sensitivity, from least to most restrictive. Which of the following is a typical classification category for highly sensitive data that could cause severe damage if disclosed?

Question 51 (medium, multiple choice)

An organization uses cloud object storage with versioning enabled. After a ransomware attack, they discover that many objects were encrypted by the attacker. How does versioning help in this scenario?

Question 52 (medium, multiple choice)

A cloud security team is implementing data loss prevention (DLP) for sensitive data in a cloud data warehouse. They need to detect and classify Social Security numbers (SSNs) stored in tables. Which cloud service capability is most appropriate for this task?

Question 53 (hard, multiple choice)

A cloud architect is designing a secure data sharing mechanism for a third-party partner. The partner needs temporary access to download a specific object from a private cloud storage bucket, but should not have broader access to the bucket. Which approach should be used?

Question 54 (easy, multiple choice)

Which phase of the cloud data lifecycle involves the removal of data in a manner that ensures it cannot be reconstructed, typically using techniques like cryptographic erasure or degaussing?

Question 55 (medium, multiple choice)

A company is using a cloud provider's key management service (KMS) with HSM-backed keys. They want to ensure that key material is automatically replaced periodically to limit the impact of a potential key compromise. Which KMS feature should they configure?

Question 56 (hard, multiple choice)

An organization is required to use client-side encryption for all data uploaded to a cloud storage service to ensure that the cloud provider has no access to plaintext. However, they also need to allow the cloud provider to perform server-side operations like indexing and search on the encrypted data. Which technology can address this conflict?

Question 57 (easy, multiple choice)

A cloud security analyst is reviewing access logs and notices that a pre-signed URL for an object was used after its expiration time. What should be the outcome of such an access attempt?

Question 58 (medium, multi-select)

A cloud security team is evaluating DLP techniques to protect sensitive data in a cloud data warehouse. They want to replace sensitive values with realistic but fictitious data for non-production environments while preserving referential integrity. Which TWO de-identification techniques are suitable?

Question 59 (hard, multi-select)

A global enterprise is designing a cloud storage architecture with cross-region replication for disaster recovery. They must ensure that data replicated to a secondary region is encrypted with keys managed by the customer, and that those keys are stored in the secondary region's KMS. Which THREE capabilities must be enabled?

Question 60 (medium, multi-select)

A cloud architect is designing a data classification strategy for a multi-cloud environment. The strategy must automatically tag resources with classification labels and enforce access controls based on those labels. Which THREE components are essential for this automated classification and enforcement?

Question 61 (easy, multiple choice)

A healthcare company stores patient records in a cloud storage bucket. They need to encrypt the data at rest using encryption keys that they manage themselves, but they want to generate the keys within the cloud provider's key management service. Which encryption option should they choose?

Question 62 (medium, multiple choice)

A financial institution is implementing a data classification scheme for their cloud environment. They have data that, if exposed, could cause severe damage to the organization and is subject to strict regulatory requirements. Which classification level should be applied to this data?

Question 63 (hard, multiple choice)

An organization uses a cloud storage service with versioning enabled. They discover that a ransomware attack encrypted all current versions of their files. However, they can still recover the data. Which feature protects them?

Question 64 (medium, multiple choice)

A company wants to use a cloud KMS to encrypt data but requires that the encryption key never leaves their on-premises hardware security module (HSM) due to compliance. Which key management model should they adopt?

Question 65 (easy, multiple choice)

An organization is moving sensitive customer data to the cloud and must ensure that data is encrypted before being sent to the cloud provider. They want to maintain full control over the encryption keys and not rely on the cloud provider for any key management. Which approach should they use?

Question 66 (hard, multiple choice)

A multinational corporation must comply with GDPR and store EU customer data only within the European Union. Which cloud storage security measure directly addresses this requirement?

Question 67 (medium, multiple choice)

A security team is setting up a DLP solution to scan cloud storage for credit card numbers. They want to automatically mask the detected credit card numbers so that only the last four digits are visible. Which DLP de-identification transform should they use?

Question 68 (medium, multiple choice)

An organization wants to share a large file from a cloud storage bucket with an external partner for a limited time. They need to ensure that the partner can only access the specific file and that the access expires automatically. Which method should they use?

Question 69 (hard, multiple choice)

A cloud architect is designing a data lifecycle policy for a SaaS application. According to the cloud data lifecycle, which phase immediately follows the 'Share' phase?

Question 70 (easy, multiple choice)

An organization uses cloud storage and wants to protect against accidental deletion of objects. They also want to be able to recover previous versions of objects in case of unintended modifications. Which feature should they enable?

Question 71 (medium, multiple choice)

A company is required to encrypt all data in transit between its on-premises data center and its cloud environment. They have a hybrid cloud setup and need a secure tunnel for all traffic. Which solution should they implement?

Question 72 (medium, multiple choice)

An organization uses a cloud DLP API to scan data in Cloud Storage and BigQuery for sensitive information. They need to replace social security numbers (SSNs) with a non-reversible token that can be used for consistent mapping without exposing the original SSN. Which de-identification technique should they use?

Question 73 (medium, multi-select)

A cloud security architect is designing a key management strategy for a multi-cloud environment. They want to ensure that encryption keys are generated and stored on-premises but can be used by cloud services for encryption operations. Which two key management models meet these requirements? (Choose two.)

Question 74 (hard, multi-select)

A financial services company is implementing a data loss prevention (DLP) solution to protect sensitive data in cloud storage. They need to identify and classify data containing personally identifiable information (PII) such as credit card numbers and social security numbers. Which three capabilities should the DLP solution provide? (Choose three.)

Question 75 (medium, multi-select)

An organization is designing a data residency strategy for compliance with data sovereignty laws. They must ensure that customer data remains within specific geographic boundaries. Which three measures should they implement? (Choose three.)

Question 76 (easy, multiple choice)

A company is moving its data to the cloud and must ensure that all data at rest is encrypted using keys that are generated and managed on-premises, with the cloud provider having no access to the keys. Which encryption method should be used?

Question 77 (medium, multiple choice)

A healthcare organization stores patient records in a cloud object storage bucket. The compliance team requires that all files containing Protected Health Information (PHI) be automatically identified and classified. Which service should the organization implement to scan the bucket for PHI and label the data accordingly?

Question 78 (medium, multiple choice)

A financial services company must comply with a regulation that requires encryption keys used for cloud services to be generated and stored on-premises in a Hardware Security Module (HSM). The cloud provider must not have any access to the keys. Which key management approach should the company adopt?

Question 79 (hard, multiple choice)

A multinational corporation is migrating its data to the cloud and needs to ensure that data belonging to EU residents never leaves the EU region due to GDPR data sovereignty requirements. Additionally, the company wants to prevent accidental deletion and protect against ransomware. Which combination of cloud storage features should be implemented to meet these requirements?

Question 80 (easy, multiple choice)

Which of the following is the correct order of phases in the cloud data lifecycle?

Question 81 (medium, multiple choice)

A company uses a cloud object storage service to host a public website. The website content is static and needs to be accessible to anyone on the internet, but the company wants to prevent direct listing of the bucket contents. Which combination of access controls should be configured?

Question 82 (hard, multiple choice)

An organization must implement encryption for data in transit between its on-premises data center and a cloud provider. The data is sensitive and the organization requires a dedicated, encrypted tunnel. Which solution should be used?

Question 83 (easy, multiple choice)

Which data classification level typically includes information that, if disclosed, could cause serious damage to an organization, such as trade secrets or personally identifiable information (PII)?

Question 84 (medium, multiple choice)

A cloud security engineer needs to de-identify a dataset containing credit card numbers before sharing it with a third-party analytics team. The engineer wants to replace each credit card number with a unique token that can be used for correlation but cannot be reversed to obtain the original number. Which de-identification technique should be used?

Question 85 (hard, multiple choice)

A company uses a cloud KMS service with an HSM backing for key storage. The security policy requires that keys be rotated automatically every 90 days and that old keys be retained for at least one year to decrypt archived data. Which key management feature should be configured to meet these requirements?

Question 86 (easy, multiple choice)

Which of the following is the primary benefit of using client-side encryption for data stored in the cloud?

Question 87 (medium, multiple choice)

A company has enabled object versioning on its cloud storage bucket to protect against accidental deletion. A ransomware attack encrypts all objects and creates new versions. To recover the data, the company needs to restore the previous unencrypted versions. What is the most efficient recovery method?

Question 88 (medium, multi select)

A cloud security architect is designing a data loss prevention (DLP) strategy for a cloud environment that stores sensitive customer data. Which TWO techniques should be implemented to proactively identify and protect sensitive data? (Select TWO.)

Question 89 (hard, multi select)

A multinational corporation must comply with data residency requirements that mandate certain data must remain within the European Union. Additionally, the company needs to ensure high availability and disaster recovery for this data. Which THREE measures should be implemented? (Select THREE.)

Question 90 (medium, multi select)

A cloud security team is implementing encryption for data at rest in a cloud storage service. They require that the encryption keys be managed by the customer and that the cloud provider has access to the keys only when authorized by the customer. Which TWO key management options meet these requirements? (Select TWO.)

Question 91 (medium, multiple choice)

A healthcare organization stores patient records in a cloud object storage service. They require that all data be encrypted at rest using keys that they generate and manage on-premises, but they want to minimize operational overhead. Which encryption approach should they choose?

Question 92 (hard, multiple choice)

A financial institution must ensure that sensitive data processed in the cloud cannot be decrypted by the cloud provider under any circumstances. They also need low latency for data operations. Which encryption model best meets these requirements?

Question 93 (easy, multiple choice)

A company wants to enforce data classification in its cloud environment. They need to automatically identify and label sensitive data such as credit card numbers in cloud storage. Which service should they use?

Question 94 (medium, multiple choice)

A multinational corporation must store customer data in specific geographic regions to comply with data sovereignty laws. Which cloud storage feature should they configure to ensure data does not leave a designated region?

Question 95 (medium, multi select)

A security architect is designing a key management strategy for a cloud environment. They need to ensure that keys are rotated automatically and that the cloud service cannot access the key without explicit authorization. Which TWO options should they consider? (Choose two.)

Question 96 (hard, multi select)

A cloud architect is implementing data loss prevention (DLP) for a data lake containing PII. They want to automatically detect and transform sensitive data like Social Security numbers and medical record numbers. Which THREE actions should they take? (Choose three.)

Question 97 (medium, multi select)

A company stores sensitive data in cloud object storage and wants to protect against ransomware attacks that could encrypt or delete objects. Which TWO measures should they implement? (Choose two.)

Question 98 (easy, multi select)

A cloud security team needs to ensure that all data in transit between on-premises systems and the cloud is encrypted. Which TWO options should they consider? (Choose two.)

Question 99 (medium, multi select)

A data governance officer wants to classify all data in a cloud environment using a classification scheme. They need to tag resources automatically and enforce access controls based on the tags. Which THREE steps should they take? (Choose three.)

Question 100 (hard, multi select)

A company uses a cloud KMS with HSM-backed keys for regulatory compliance. They need to allow a cloud service to use a key for encryption while retaining the ability to revoke access at any time. Which TWO key management models satisfy this? (Choose two.)

Question 101 (easy, multi select)

A cloud storage administrator wants to ensure that only authorized users can access objects in a bucket, and they need to provide time-limited access to a specific object for an external partner. Which TWO access control methods should they use? (Choose two.)
