CCSP Cloud Security Operations — All Questions With Answers

Complete CCSP Cloud Security Operations question bank — all 0 questions with answers and detailed explanations.

79 questions
Question 1 (easy, multiple choice)

A security engineer needs to ensure that all API calls made to AWS resources are logged for auditing. Which AWS service should be enabled to capture management and data events?

Question 2 (medium, multiple choice)

An organization is setting up a centralized logging solution across multiple AWS accounts. The security team requires that logs from all accounts be sent to a single security account, with lifecycle policies to transition logs to cheaper storage after 90 days. Which approach should be used?

Question 3 (hard, multiple choice)

A security analyst is investigating a potential breach and needs to verify the integrity of CloudTrail logs stored in S3. Which CloudTrail feature should the analyst rely on to confirm that logs have not been tampered with?

Question 4 (easy, multiple choice)

An organization uses Azure Sentinel as its SIEM. Which Azure service provides native integration to stream audit logs into Sentinel?

Question 5 (medium, multiple choice)

A SOC analyst notices an alert for 'impossible travel' where a user logged in from New York and then from London within 15 minutes. The SIEM correlation rule likely compares which log fields?

Question 6 (hard, multiple choice)

During a cloud security incident, a security team needs to isolate a compromised EC2 instance that is performing outbound port scanning. Which containment action should be taken first?

Question 7 (medium, multiple choice)

A security team needs to implement automated remediation for non-compliant resources in AWS. They want to automatically fix public S3 bucket policies. Which combination of services should be used?

Question 8 (medium, multiple choice)

A cloud security architect is evaluating vulnerability management solutions for a hybrid cloud environment. The team needs to scan both on-premises servers and cloud workloads without installing agents on every system. Which approach is most suitable for cloud workloads?

Question 9 (hard, multiple choice)

After a security incident involving a compromised IAM key, a security engineer needs to collect forensic evidence from the AWS environment. Which of the following actions would be most useful for determining the timeline of the compromise?

Question 10 (easy, multiple choice)

Which AWS service uses machine learning to detect threats such as crypto mining activity on EC2 instances and compromised IAM credentials?

Question 11 (medium, multiple choice)

An organization uses GCP and wants to monitor for threats in real-time, including detecting malicious activity from compromised service accounts. Which GCP service should be used?

Question 12 (medium, multiple choice)

A company uses Azure Defender for Cloud to protect its hybrid environment. Which of the following is a feature of Azure Defender that provides vulnerability assessment for virtual machines?

Question 13 (hard, multiple choice)

During incident response in a cloud environment, a team needs to collect evidence from a compromised EC2 instance without altering the system. Which of the following is the best method to obtain a forensic memory dump?

Question 14 (easy, multiple choice)

An organization wants to implement a cloud security automation solution that can automatically remediate non-compliant resources in Azure. Which Azure service should be used to create remediation tasks?

Question 15 (hard, multiple choice)

A security team is investigating a potential data exfiltration incident where a large volume of data was downloaded from an S3 bucket. Which log source would provide the most granular details about the S3 GET requests, including the requester identity and source IP?

Question 16 (medium, multi select)

A security architect is designing a logging strategy for a multi-cloud environment using AWS and Azure. Which TWO practices should be implemented to ensure log integrity and prevent tampering? (Choose two.)

Question 17 (hard, multi select)

A cloud security analyst is configuring a SIEM correlation rule to detect mass data exfiltration from an AWS S3 bucket. Which THREE log sources should be ingested to create an effective detection? (Choose three.)

Question 18 (easy, multi select)

A security engineer is implementing automated incident response for common cloud threats. Which TWO AWS services can be used together to create a serverless orchestration workflow for incident response? (Choose two.)

Question 19 (medium, multi select)

An organization is using GCP and wants to implement cloud security posture management (CSPM) to continuously monitor configurations against the CIS Benchmark. Which TWO GCP services can be used for this purpose? (Choose two.)

Question 20 (hard, multi select)

During a cloud incident response, the security team needs to eradicate a malicious Lambda function that was created by an attacker. Which THREE steps should be part of the eradication process? (Choose three.)

Question 21 (medium, multi select)

A security analyst is configuring Azure Defender for Cloud to protect a hybrid environment. Which THREE resource types can be protected by enabling Azure Defender plans? (Choose three.)

Question 22 (easy, multiple choice)

A security engineer needs to ensure that all API calls made to AWS resources are logged for auditing purposes. Which AWS service should be enabled to capture management events, data events, and provide log file validation?

Question 23 (medium, multiple choice)

An organization is using Azure and wants to centrally collect activity logs from multiple subscriptions into a single Log Analytics workspace for cross-account analysis and retention management. What is the best approach?

Question 24 (hard, multiple choice)

During a security incident in AWS, the security team suspects that an attacker has tampered with CloudTrail logs to cover their tracks. Which CloudTrail feature would the team use to verify that the log files have not been modified since they were delivered?

Question 25 (medium, multiple choice)

A security analyst is configuring a SIEM solution and wants to ingest security findings from AWS Security Hub into Splunk. What is the most efficient method?

Question 26 (hard, multiple choice)

A cloud security team implements correlation rules in their SIEM to detect 'impossible travel' scenarios. Which combination of log sources is essential for detecting a user logging in from two different countries within a short time frame?

Question 27 (easy, multiple choice)

An organization wants to detect potential crypto mining activity on their AWS EC2 instances. Which AWS service uses machine learning to identify such threats?

Question 28 (medium, multiple choice)

A security engineer needs to scan all container images stored in Amazon Elastic Container Registry (ECR) for vulnerabilities. The scan must be automated whenever a new image is pushed. Which solution meets this requirement?

Question 29 (medium, multiple choice)

During a cloud security incident, the incident response team needs to contain a compromised EC2 instance. Which action should be taken FIRST to prevent further malicious activity while preserving evidence?

Question 30 (hard, multiple choice)

A security team is investigating a potential credential compromise in AWS. They have CloudTrail logs showing an IAM user's access key was used to launch instances in a region where the user has never operated. What is the BEST course of action to confirm and contain the incident?

Question 31 (medium, multiple choice)

An organization uses Azure Defender for Cloud to protect their hybrid environment. They want to receive alerts about suspicious activities on their Azure Key Vault. Which Defender plan should they enable?

Question 32 (easy, multiple choice)

What is the primary purpose of cloud security posture management (CSPM) tools such as AWS Security Hub, Azure Secure Score, and GCP Security Command Center?

Question 33 (medium, multiple choice)

A security engineer needs to automate the remediation of any S3 bucket that is publicly accessible. The solution should work within a single AWS account and not require manual intervention. Which combination of services is MOST appropriate?

Question 34 (hard, multi select)

A cloud security team is designing an incident response playbook for a suspected data exfiltration via an AWS S3 bucket. Which TWO actions should be included for containment and evidence collection? (Choose two.)

Question 35 (medium, multi select)

A company uses GCP and wants to implement agentless vulnerability scanning for their Compute Engine instances. Which TWO services can provide this capability? (Choose two.)

Question 36 (medium, multi select)

An organization is implementing a SOAR solution for cloud incident response. Which THREE capabilities are essential for automating incident response workflows? (Choose three.)

Question 37 (medium, multiple choice)

A security team is configuring AWS CloudTrail to enable detection of unauthorized API calls. They want to ensure that log files cannot be tampered with after delivery. Which CloudTrail feature should they enable?

Question 38 (easy, multiple choice)

An organization uses AWS GuardDuty for threat detection. A finding indicates that an EC2 instance is communicating with a known cryptocurrency mining pool. What type of threat does this represent?

Question 39 (hard, multiple choice)

During a cloud security incident, the response team needs to collect evidence from a compromised AWS EC2 instance. Which method is most appropriate for capturing volatile data while preserving forensic integrity?

Question 40 (medium, multiple choice)

A company uses Azure Policy with remediation tasks to automatically fix non-compliant resources. Which scenario can be automatically remediated using a built-in policy?

Question 41 (easy, multiple choice)

A security analyst reviews GCP Security Command Center findings and sees a high-severity alert for Event Threat Detection indicating that a service account key was used from an unexpected location. What is the best immediate action to contain the threat?

Question 42 (medium, multiple choice)

An organization ingests AWS CloudTrail logs into a centralized SIEM for correlation. They want to detect an attacker who exfiltrates data by downloading large volumes from an S3 bucket. Which SIEM correlation rule would best detect this?

Question 43 (hard, multiple choice)

A cloud security engineer needs to implement a solution to detect configuration drift against CIS benchmarks for AWS workloads. Which tool or service is specifically designed for cloud security posture management (CSPM) in AWS?

Question 44 (easy, multiple choice)

A company uses Azure Sentinel as its SIEM. To ingest Azure Activity Logs and correlate with other data sources, which connector should be configured?

Question 45 (medium, multiple choice)

A security team is implementing vulnerability management in a hybrid cloud environment. They need to scan virtual machines without installing an agent. Which approach is most suitable?

Question 46 (medium, multiple choice)

An incident response playbook for a cloud environment includes containment steps. For a compromised IAM user in AWS, which action is least likely to be effective for containment?

Question 47 (hard, multiple choice)

A cloud security architect is designing a log aggregation strategy for a multi-account AWS environment. The security team needs to ensure logs from all accounts are stored centrally and cannot be altered. Which combination of services meets these requirements?

Question 48 (medium, multiple choice)

An organization is using GCP Security Command Center with Event Threat Detection. Which type of event is most likely to generate a finding for 'exfiltration'?

Question 49 (medium, multi select)

A cloud security analyst is investigating a potential credential compromise in AWS. Which TWO CloudTrail events would be most relevant to establishing a timeline of the compromise?

Question 50 (hard, multi select)

An organization is implementing automated remediation for common cloud security misconfigurations using AWS Config and Lambda. Which THREE misconfigurations can be automatically remediated using this approach?

Question 51 (medium, multi select)

A company is deploying a SIEM solution in Azure. Which THREE data sources should be ingested to provide comprehensive visibility into the cloud environment?

Question 52 (easy, multiple choice)

A cloud security engineer is tasked with ensuring that all API calls made to AWS resources are logged for audit purposes. Which AWS service should be enabled to capture management events such as creating or deleting EC2 instances?

Question 53 (medium, multiple choice)

A security analyst notices that an IAM user from a cloud account has logged in from two different countries within a span of 10 minutes. Which type of detection mechanism is most likely to flag this activity as suspicious?

Question 54 (hard, multiple choice)

During a forensic investigation of a suspected data exfiltration incident in AWS, a security team needs to analyze network traffic to identify the destination IP addresses and volume of data transferred. Which data source is most appropriate for this analysis?

Question 55 (medium, multiple choice)

A company uses Azure and wants to ensure that all activity log events are retained for seven years to meet compliance requirements. What is the most efficient way to implement this?

Question 56 (easy, multiple choice)

A cloud security team wants to automatically detect and remediate S3 buckets that are publicly accessible. Which combination of AWS services can achieve this?

Question 57 (medium, multiple choice)

A security analyst is investigating a potential compromise of an AWS EC2 instance. Which step should be taken FIRST to contain the incident and prevent further damage?

Question 58 (hard, multiple choice)

An organization uses GCP and wants to detect container threats such as privilege escalation attempts within Kubernetes Engine. Which GCP service is designed specifically for this purpose?

Question 59 (medium, multiple choice)

A company is implementing a SIEM solution and needs to ingest security logs from multiple AWS accounts into a centralized security account. Which AWS service can best aggregate findings from all accounts?

Question 60 (easy, multiple choice)

Which of the following is a benefit of enabling CloudTrail log file validation?

Question 61 (medium, multiple choice)

A security engineer is evaluating vulnerability management options for cloud workloads and wants to identify vulnerabilities without installing agents on the operating system. Which approach should be used?

Question 62 (hard, multiple choice)

During a cloud incident response, a security team needs to collect memory from a compromised EC2 instance for forensic analysis. Which method is most appropriate for acquiring a memory dump?

Question 63 (medium, multiple choice)

An organization is using Azure and wants to ensure that all resources are compliant with CIS benchmarks. Which Azure service provides a unified view of compliance posture and recommendations?

Question 64 (easy, multiple choice)

Which of the following is a primary purpose of a SOAR (Security Orchestration, Automation and Response) platform in cloud security operations?

Question 65 (medium, multiple choice)

A security team wants to detect when the root user account is used in AWS. Which service can generate an alert for this activity?

Question 66 (hard, multiple choice)

During a security incident in GCP, a forensic analyst needs to determine the exact timeline of events leading to a credential compromise. Which log source provides the most detailed information about IAM policy changes and authentication events?

Question 67 (medium, multi select)

A security team is enhancing logging in AWS to capture detailed data events for S3 buckets. Which TWO of the following should be enabled to achieve comprehensive monitoring of S3 data access? (Choose two.)

Question 68 (hard, multi select)

An organization is designing an incident response playbook for a compromised AWS IAM user. Which THREE actions should be included in the containment phase? (Choose three.)

Question 69 (medium, multi select)

A company is using Azure and wants to implement cloud security posture management (CSPM) to detect misconfigurations. Which TWO services can provide CSPM capabilities? (Choose two.)

Question 70 (easy, multi select)

A cloud security engineer needs to ensure that logs from multiple AWS accounts are centrally stored in a security account for analysis. Which TWO services can be used to aggregate logs across accounts? (Choose two.)

Question 71 (hard, multi select)

An organization is using GCP and wants to implement automated remediation of security misconfigurations. Which TWO services can be used together to achieve this? (Choose two.)

Question 72 (medium, multiple choice)

A security engineer is investigating a potential data exfiltration incident involving an Amazon S3 bucket. Which set of logs would provide the most relevant information to identify the source IP and API calls made to the bucket?

Question 73 (hard, multiple choice)

A company uses AWS CloudTrail with log file validation enabled. An auditor wants to verify that a specific log file has not been tampered with. Which process should the auditor use to confirm the integrity of the CloudTrail log file?

Question 74 (medium, multiple choice)

An organization is implementing a cloud SIEM solution to centralize security monitoring across multiple AWS accounts. Which service should be used to aggregate security findings and send them to a third-party SIEM like Splunk?

Question 75 (easy, multiple choice)

A security analyst notices a spike in failed login attempts from an IP address in a country where the company has no operations. Which SIEM correlation rule would be most effective in detecting this type of activity?

Question 76 (hard, multiple choice)

During a cloud incident response, a security team needs to isolate a compromised EC2 instance to prevent further communication with an external command-and-control server. Which step should be taken first?

Question 77 (medium, multiple choice)

A cloud security team wants to automatically remediate misconfigured S3 buckets that are publicly accessible. Which combination of AWS services can be used to detect and automatically fix this issue?

Question 78 (easy, multiple choice)

An organization is using GCP and wants to collect audit logs for all API calls made within the project. Which GCP service should be enabled to capture these logs?

Question 79 (hard, multiple choice)

During a forensic investigation of a compromised AWS account, the incident response team needs to determine the exact time an attacker created a new IAM user and what permissions were assigned. Which log source would provide the most reliable evidence?
