Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CCSP Cloud Application Security • Complete Question Bank

CCSP Cloud Application Security — All Questions With Answers

Complete CCSP Cloud Application Security question bank: 111 questions with answers and detailed explanations. Free, no signup required.
Question 1 (easy, multiple choice)

A company is migrating a legacy application to the cloud. The application uses hardcoded database credentials. Which secure development practice should be implemented to address this?

Question 2 (medium, multiple choice)

A security architect is designing a CI/CD pipeline for a cloud-native application. The team wants to automatically scan container images for vulnerabilities before deployment. Which of the following is the most effective approach?

Question 3 (hard, multiple choice)

A SaaS provider uses a customer-managed encryption key (CMEK) model for data-at-rest. The provider's application runs in a multi-tenant cloud environment. Which attack surface is MOST directly mitigated by this approach?

Question 4 (easy, multiple choice)

An organization is developing a mobile app that communicates with a cloud API. To ensure secure authentication, which of the following should be used?

Question 5 (medium, multiple choice)

A cloud security team is implementing a Web Application Firewall (WAF) for a public-facing web application. The application uses a REST API with JSON payloads. Which of the following is the WAF's primary benefit?

Question 6 (hard, multiple choice)

A company deploys microservices in Kubernetes. Each service communicates via gRPC with mutual TLS. A security assessment reveals that some services use self-signed certificates. What is the primary risk?

Question 7 (easy, multiple choice)

A developer is tasked with securely storing a session token in a browser-based web application. Which storage mechanism is most secure?

Question 8 (medium, multiple choice)

A cloud application uses a third-party identity provider (IdP) for SSO. The security team notices that tokens are being reused across different applications. Which token binding mechanism should be implemented?

Question 9 (hard, multiple choice)

A company is implementing a serverless application using AWS Lambda. The function processes S3 events and writes to a DynamoDB table. Which of the following is the MOST secure way to grant the necessary permissions?

Question 10 (easy, multi select)

Which TWO of the following are common best practices for securing cloud application APIs? (Choose two.)

Question 11 (medium, multi select)

Which THREE of the following are essential components of a Secure Software Development Lifecycle (SSDLC) in the cloud? (Choose three.)

Question 12 (hard, multi select)

Which TWO of the following are effective methods to protect against server-side request forgery (SSRF) in a cloud application? (Choose two.)

Question 13 (medium, multiple choice)

Refer to the exhibit. A security administrator is reviewing an S3 bucket policy. What is the primary security concern with this policy?

Exhibit:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```
Question 14 (hard, multiple choice)

Refer to the exhibit. A Kubernetes pod is configured as shown. Which security enhancement should be added to follow cloud security best practices?

Exhibit:

```
apiVersion: v1
kind: Pod
metadata:
  name: web-app
spec:
  containers:
  - name: web
    image: nginx:latest
    securityContext:
      runAsUser: 1000
      runAsGroup: 3000
      allowPrivilegeEscalation: false
    ports:
    - containerPort: 80
```
Question 15 (easy, multiple choice)

Refer to the exhibit. A log entry shows a suspected SQL injection attack. Which security control would have prevented this attack?

Exhibit:

```
[ERROR] 2025-03-01 12:34:56,789 - myapp - CRITICAL - SQL Injection detected on endpoint /api/login
Input: ' OR '1'='1
```
Question 16 (hard, multiple choice)

A financial services company uses a multi-region cloud deployment for its trading application. The application consists of a web frontend, a REST API, and a relational database. Recently, a penetration test revealed that an attacker could perform a time-based blind SQL injection through the API's search functionality. The injection allows the attacker to enumerate database contents by observing response times. The development team was already aware of the issue but had prioritized other features. The security team now demands immediate remediation. The application is critical and cannot be taken offline. Which of the following is the most effective immediate action to mitigate the risk without modifying the application code?
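The following is an added example written for this page by the editor; it is not code from Courseiva or from any vendor. It reproduces the login bypass behind the question 15 log line (`' OR '1'='1`) against a constructed in-memory SQLite table, shows the parameterised query that closes it, and adds the kind of signature match a WAF virtual-patch rule uses as the no-code-change stop-gap question 16 asks about. The table contents, the `hash-a`/`hash-b` placeholders and the regex rules are assumptions for the demo.

```python
"""Added example (editor's own, not from the page): SQL injection bypass,
the parameterised fix, and a stop-gap WAF-style signature."""
import re
import sqlite3

PAYLOAD = "' OR '1'='1"   # the input recorded in the question 15 log entry


def build_db():
    """Constructed sample data: two users with placeholder password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def login_vulnerable(conn, username, password_hash):
    """String concatenation: the attacker's quotes become part of the SQL.
    With PAYLOAD in both fields the WHERE clause reads
        username = '' OR '1'='1' AND password_hash = '' OR '1'='1'
    and the trailing OR '1'='1' is true for every row."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password_hash):
    """Bound parameters: values travel separately from the statement, so
    input can never change the query's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(sql, (username, password_hash))]


# Virtual-patch signatures: a quote tautology (' OR 'x'='x) and the delay
# functions time-based blind injection relies on (SLEEP, pg_sleep, BENCHMARK,
# WAITFOR DELAY). This buys time; encodings and other payload shapes get past
# signatures, so parameterisation remains the real fix.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.IGNORECASE),
    re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay",
               re.IGNORECASE),
]


def looks_like_sqli(value):
    """True when a request value matches one of the stop-gap signatures."""
    return any(p.search(value) for p in SQLI_PATTERNS)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, PAYLOAD))
    print("parameterised:", login_parameterized(db, PAYLOAD, PAYLOAD))
    print("blocked by signature:", looks_like_sqli(PAYLOAD))
```

The vulnerable function returns every user for the payload, the parameterised one returns none, and `looks_like_sqli` flags both the tautology and a `SLEEP(5)` probe while leaving a legitimate `O'Brien` alone. The signature list is the "without modifying the application code" control; it is deliberately narrow and should be treated as a bridge until the query is parameterised.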

Question 17 (medium, multiple choice)

A healthcare SaaS provider is deploying a new application that processes protected health information (PHI). The application uses a microservices architecture running on Kubernetes. Each microservice stores its data in a separate database. The compliance team requires that all data at rest be encrypted and that encryption keys be managed by the customer (CMEK). The cloud provider supports KMS with CMEK. However, the development team wants to use a single customer-managed key for all databases to simplify key management. The security architect is concerned about the blast radius if the key is compromised. Which of the following recommendations best balances security and operational efficiency?

Question 18 (hard, multiple choice)

A cloud security architect is designing a CI/CD pipeline for a serverless application using AWS Lambda. The application processes sensitive user data and requires encryption at rest and in transit. Which of the following is the BEST approach to securely manage database credentials used by the Lambda function?

Question 19 (medium, multiple choice)

A security team is implementing a web application firewall (WAF) for a cloud-based e-commerce application. The application is built on a microservices architecture and uses a RESTful API. Which of the following is the PRIMARY reason to deploy the WAF at the API gateway level rather than at the individual service level?

Question 20 (easy, multiple choice)

A cloud application developer is using a containerized application with Docker. The security team requires that the application runs with the least privilege possible. Which of the following is the BEST practice to ensure the container does not run as root?

Question 21 (medium, multiple choice)

A company is migrating a legacy monolithic application to a cloud-native microservices architecture. The security architect is concerned about securing inter-service communication. Which of the following should be implemented to ensure mutual authentication and encryption between services?

Question 22 (hard, multi select)

Which THREE of the following are essential components of a Secure Software Development Lifecycle (SSDLC) for cloud applications?

Question 23 (hard, multiple choice)

An AWS S3 bucket policy is configured as shown in the exhibit. The security team wants to ensure that only requests from the corporate IP range (203.0.113.0/24) can read objects in the bucket. However, they notice that a CloudFront distribution configured to serve content from this bucket is returning 403 Forbidden errors. What is the MOST likely cause?

Exhibit:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-secure-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```
Question 24 (medium, multiple choice)

You are a cloud security engineer for a financial services company. The company has developed a cloud-native application that processes credit card transactions and stores sensitive financial data. The application is deployed on a Kubernetes cluster in a public cloud provider. The compliance team requires that all data at rest be encrypted using a customer-managed key (CMK) with automatic rotation. The application uses a managed database service (e.g., Amazon RDS) and object storage (e.g., Amazon S3) for storing transaction logs. The current configuration uses cloud-provider-managed keys for both services. The development team is concerned that enabling CMK with automatic rotation might cause application downtime due to key rotation latency. Additionally, the security team wants to ensure that access to the keys is auditable. Which course of action BEST addresses the compliance requirement while minimizing risk?

Question 25 (easy, multiple choice)

A company is implementing a secure software development lifecycle (SSDLC) for its cloud-native applications. Which practice should be automated to detect vulnerabilities early in the development process?

Question 26 (medium, multi select)

Which TWO of the following are primary objectives of a cloud application security program?

Question 27 (hard, multiple choice)

Refer to the exhibit. A security analyst reviews the S3 bucket policy shown. Which security issue should be flagged?

Exhibit:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/MyAppRole"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/uploads/*"
    }
  ]
}
```
Question 28 (medium, drag order)

Drag and drop the steps for implementing a cloud data encryption strategy using a customer-managed key (CMK) in AWS KMS into the correct order.

Five steps to be placed in order (the step text is not included in this extract).
Question 29 (medium, drag order)

Drag and drop the steps for conducting a cloud security risk assessment using the NIST CSF framework into the correct order.

Five steps to be placed in order (the step text is not included in this extract).
Question 30 (medium, matching)

Match each cloud service model to its primary responsibility area according to the shared responsibility model.

Descriptions to match (the service-model side of the pairing is not included in this extract):

- Application security
- Platform security
- Infrastructure security
- Full stack security

Question 31 (medium, matching)

Match each compliance framework to its primary jurisdiction or industry.

Descriptions to match (the framework side of the pairing is not included in this extract):

- European Union data protection
- US healthcare information privacy
- Payment card industry security
- US financial reporting controls

Question 32 (easy, multiple choice)

A cloud security architect is designing a multi-tier application that processes sensitive customer data. To protect data in transit between the web tier and the application tier, which of the following is the MOST appropriate approach?

Question 33 (medium, multiple choice)

A DevSecOps team is integrating static application security testing (SAST) into their CI/CD pipeline. Which of the following is the PRIMARY benefit of performing SAST during the build phase rather than later in the pipeline?

Question 34 (hard, multiple choice)

A company is deploying a containerized application on Kubernetes. The security team requires that containers run with the least privilege, and that any attempt to escalate privileges within a container is blocked. Which Kubernetes security context setting should be applied to the pod specification?

Question 35 (easy, multiple choice)

A security analyst is reviewing application logs and notices that a large number of requests from a single IP address are attempting to access a REST API endpoint with invalid session tokens. Which cloud-based mitigation is MOST effective at blocking such automated attacks?

Question 36 (medium, multiple choice)

A financial services company is adopting a cloud-native microservices architecture. They want to ensure that only authorized services can communicate with each other, and that all inter-service communication is encrypted. Which of the following is the BEST approach?

Question 37 (hard, multiple choice)

An organization is migrating a legacy application to the cloud and plans to use a cloud access security broker (CASB). Which of the following is the PRIMARY function of a CASB in securing cloud applications?

Question 38 (easy, multiple choice)

A developer is writing code that will be deployed as a serverless function (e.g., AWS Lambda). The function needs to read data from an Amazon S3 bucket. According to the principle of least privilege, how should the developer grant access?

Question 39 (medium, multiple choice)

A company is adopting DevSecOps and wants to incorporate security testing into their continuous integration pipeline. They have decided to run SAST (static analysis) and SCA (software composition analysis) tools. Which of the following is the PRIMARY reason for including SCA in addition to SAST?

Question 40 (hard, multiple choice)

A cloud security engineer is configuring an AWS Lambda function that processes messages from an Amazon SQS queue. The function needs to write results to a DynamoDB table. Which of the following is the MOST secure way to manage the function's credentials?

Question 41 (easy, multi select)

Which TWO of the following are secure coding practices that help prevent injection attacks?

Question 42 (medium, multi select)

Which THREE of the following are common challenges in securing serverless applications?

Question 43 (hard, multi select)

Which THREE of the following are effective controls to secure a RESTful API in the cloud?

Question 44 (easy, multiple choice)

A developer is implementing a cloud application that stores sensitive user data. To minimize the risk of data exposure during transit, which security control should be enforced as a baseline requirement?

Question 45 (medium, multiple choice)

A security team is reviewing a cloud application's CI/CD pipeline. They want to ensure that only approved open-source libraries are used in production builds. Which approach best addresses this requirement?

Question 46 (hard, multiple choice)

An organization uses a multi-cloud architecture with applications running on both AWS and Azure. They need to implement a secrets management solution that works across both platforms and supports automated rotation. Which approach best meets these requirements?

Question 47 (easy, multiple choice)

A cloud application is being designed to handle highly sensitive financial data. The security architect wants to ensure that encryption keys are managed outside the application's memory space. Which service model should they use?

Question 48 (medium, multi select)

During a security audit, a cloud application is found to have numerous container images with critical vulnerabilities. The DevOps team wants to prevent vulnerable images from being deployed to production. Which two controls should be implemented? (Select TWO)

Question 49 (hard, multiple choice)

A security engineer is investigating an incident where an attacker exploited a server-side request forgery (SSRF) vulnerability in a cloud application. The application runs on AWS and uses internal metadata endpoints. Which mitigation should be prioritized to prevent future SSRF attacks?
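An added example from the editor (not Courseiva's code, and not an AWS library) of the application-side SSRF control that questions 12 and 49 turn on: an outbound-URL guard that allows fetches only to an allowlisted host, refuses the cloud metadata endpoints outright, and checks every address the host resolves to so a DNS-rebinding name cannot point the fetch at link-local or private space. The allowlist, the host names and the static resolver table are constructed so the example runs offline; in production the resolver is a real DNS lookup. Two things the guard cannot do for you: the HTTP client must not follow redirects on its own (each redirect target has to pass this check again), and on EC2 the instance should also require IMDSv2 (`--http-tokens required` with a hop limit of 1 in `modify-instance-metadata-options`) so a forged GET without the session token header gets nothing even if the guard is bypassed.

```python
"""Added example (editor's own): SSRF guard for server-side fetches."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only destinations this service may call.
ALLOWED_HOSTS = {"api.partner.example"}

# Instance metadata services: AWS IMDS (IPv4 and IPv6) and GCP's name.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}

# Explicit blocklist rather than ipaddress.is_private, which also covers the
# documentation ranges (203.0.113.0/24 etc.) this demo uses as "public".
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]


def static_resolver(host):
    """Constructed stand-in for DNS so the example runs offline."""
    table = {
        "api.partner.example": ["203.0.113.10"],
        "rebind.example": ["203.0.113.11", "169.254.169.254"],  # rebinding
        "internal.example": ["10.0.1.5"],
    }
    return table.get(host, [])


def _address_blocked(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:10.0.0.1 is still 10.0.0.1
    return any(ip in net for net in BLOCKED_NETS)


def check_outbound_url(url, resolve=static_resolver, allowlist=ALLOWED_HOSTS):
    """Return (allowed, reason). Call it before every server-side fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"      # file://, gopher://, ...
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        return False, "userinfo in URL"          # http://trusted@evil/ trick
    if host in METADATA_HOSTS:
        return False, "metadata endpoint"
    if host not in allowlist:
        return False, "host not allowlisted"     # also rejects IP literals
    addrs = resolve(host)
    if not addrs:
        return False, "unresolvable"
    for addr in addrs:                           # check every A/AAAA record
        if _address_blocked(addr):
            return False, f"resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://api.partner.example/v1/report",
              "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://api.partner.example@internal.example/",
              "file:///etc/passwd"):
        print(u, "->", check_outbound_url(u))
```

The allowlist check runs before resolution on purpose: everything not explicitly permitted is refused, and the address check exists for the case where a permitted name is later pointed at an internal address.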

Question 50 (easy, multi select)

A cloud application processes data subject to GDPR. The security team needs to ensure that all personally identifiable information (PII) is encrypted at rest and that access is logged. Which combination of controls should be implemented? (Select THREE)

Question 51 (medium, multiple choice)

A company is adopting a serverless architecture using AWS Lambda. The security team is concerned about potential injection attacks via event payloads. Which practice is most effective at mitigating such attacks?

Question 52 (hard, multiple choice)

A cloud application uses containers orchestrated by Kubernetes. The security team wants to enforce that containers cannot run as root and that file systems are read-only at runtime. Which Kubernetes security context configuration should be applied?
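An added example by the editor (not from the page or the Kubernetes project) covering questions 14, 34 and 52 together: it audits the pod from the question 14 exhibit against the least-privilege settings those questions ask about and produces a hardened copy. The manifest is held as the dict the API server would build from the YAML, so no YAML library is needed. The `listen_port` of 8080, the `/tmp` scratch mount and the decision to disable service-account token mounting are assumptions for the demo; in particular the stock `nginx:latest` image binds port 80 as root, so a real rollout needs an image that runs as the chosen UID and listens above 1024.

```python
"""Added example (editor's own): audit and harden a pod securityContext."""
import copy

# Exhibit from question 14, as the parsed manifest.
EXHIBIT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-app"},
    "spec": {
        "containers": [{
            "name": "web",
            "image": "nginx:latest",
            "securityContext": {
                "runAsUser": 1000,
                "runAsGroup": 3000,
                "allowPrivilegeEscalation": False,
            },
            "ports": [{"containerPort": 80}],
        }],
    },
}


def audit_pod(pod):
    """Return the controls each container is missing; [] means it passes."""
    gaps = []
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    for c in spec["containers"]:
        sc = c.get("securityContext", {})
        n = c["name"]
        # runAsUser pins the UID; runAsNonRoot additionally makes the kubelet
        # refuse to start the container if the effective UID would be 0.
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            gaps.append(f"{n}: runAsNonRoot")
        if sc.get("allowPrivilegeEscalation") is not False:
            gaps.append(f"{n}: allowPrivilegeEscalation=false")
        if sc.get("privileged"):
            gaps.append(f"{n}: privileged=false")
        if not sc.get("readOnlyRootFilesystem"):
            gaps.append(f"{n}: readOnlyRootFilesystem")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            gaps.append(f"{n}: capabilities.drop=[ALL]")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            gaps.append(f"{n}: seccompProfile")
        image = c["image"]
        if "@sha256:" not in image and (":" not in image or image.endswith(":latest")):
            gaps.append(f"{n}: pin image tag or digest")
        uid = sc.get("runAsUser", pod_sc.get("runAsUser", 0))
        if uid != 0 and any(p["containerPort"] < 1024 for p in c.get("ports", [])):
            # Binding below 1024 needs CAP_NET_BIND_SERVICE, which dropping
            # ALL removes; the image must listen on an unprivileged port.
            gaps.append(f"{n}: unprivileged port for non-root user")
    return gaps


def harden_pod(pod, listen_port=8080):
    """Return a hardened deep copy. listen_port is an assumption: the image
    must actually run as the configured UID and listen on that port."""
    hardened = copy.deepcopy(pod)
    spec = hardened["spec"]
    spec["securityContext"] = {
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    }
    spec["automountServiceAccountToken"] = False   # no API token unless needed
    spec.setdefault("volumes", []).append({"name": "tmp", "emptyDir": {}})
    for c in spec["containers"]:
        sc = c.setdefault("securityContext", {})
        sc.update({
            "runAsNonRoot": True,
            "allowPrivilegeEscalation": False,
            "privileged": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        })
        # A read-only root still needs scratch space; /tmp is the assumed
        # path, the real set of writable paths is image-specific.
        c.setdefault("volumeMounts", []).append(
            {"name": "tmp", "mountPath": "/tmp"})
        for p in c.get("ports", []):
            if p["containerPort"] < 1024:
                p["containerPort"] = listen_port
    return hardened


if __name__ == "__main__":
    import json
    print("gaps in exhibit:", audit_pod(EXHIBIT_POD))
    print(json.dumps(harden_pod(EXHIBIT_POD), indent=2))
```

On the exhibit the audit reports six gaps; after hardening only the unpinned `nginx:latest` tag remains, because choosing a digest is a decision about which image to run, not a securityContext setting.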

Question 53 (easy, multiple choice)

A cloud application uses a RESTful API that handles payment transactions. The security team identifies that the API is vulnerable to brute-force attacks on the authentication endpoint. Which control should be implemented to mitigate this?
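An added example by the editor (not Courseiva's) of the detection side of questions 35 and 53: a sliding-window count of authentication failures per client IP, run over constructed access-log lines. Its output, the offending addresses and the moment each crossed the threshold, is what you feed into a WAF rate-based rule, an IP block set or an account-lockout policy. The log format, the addresses and the threshold are assumptions for the demo.

```python
"""Added example (editor's own): flag sources brute-forcing an auth endpoint."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the page). Fields: time, client IP,
# method, path, status, detail.
SAMPLE_LOG = """\
2025-03-01T12:00:00Z 203.0.113.7 POST /api/auth/login 401 invalid_session_token
2025-03-01T12:00:02Z 203.0.113.7 POST /api/auth/login 401 invalid_session_token
2025-03-01T12:00:03Z 198.51.100.9 POST /api/auth/login 401 bad_password
2025-03-01T12:00:04Z 203.0.113.7 POST /api/auth/login 401 invalid_session_token
2025-03-01T12:00:05Z 198.51.100.9 POST /api/auth/login 200 ok
2025-03-01T12:00:06Z 203.0.113.7 POST /api/auth/login 401 invalid_session_token
2025-03-01T12:00:08Z 203.0.113.7 GET /api/orders 401 invalid_session_token
2025-03-01T12:02:30Z 192.0.2.44 POST /api/auth/login 401 bad_password
2025-03-01T12:03:30Z 192.0.2.44 POST /api/auth/login 401 bad_password
2025-03-01T12:04:30Z 192.0.2.44 POST /api/auth/login 401 bad_password
2025-03-01T12:05:30Z 192.0.2.44 POST /api/auth/login 401 bad_password
2025-03-01T12:06:30Z 192.0.2.44 POST /api/auth/login 401 bad_password
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
AUTH_FAILURE_STATUSES = {"401", "403"}


def failed_auth_offenders(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of auth failures per client IP.

    Returns {ip: time_of_threshold_crossing}. Any 401/403 counts, so token
    stuffing against other endpoints (the /api/orders line) is caught along
    with password guessing on the login endpoint."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                          # skip lines we cannot parse
        ts, ip, _method, _path, status, _detail = m.groups()
        if status not in AUTH_FAILURE_STATUSES:
            continue
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()                       # drop events outside the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = t
    return flagged


if __name__ == "__main__":
    for ip, when in failed_auth_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip}: {when.isoformat()} (5 failures within 60s)")
```

With the defaults only `203.0.113.7` is flagged; `192.0.2.44` spaces its attempts exactly a minute apart and stays under a 60-second window, which is why rate rules are tuned per endpoint (a longer window and lower threshold on `/api/auth/login` than on read-only routes) and paired with per-account lockout or progressive delay rather than relied on alone.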

Question 54 (medium, multi select)

An organization uses infrastructure as code (IaC) to deploy cloud resources. The security team wants to prevent misconfigurations such as open security groups from being deployed. Which two practices should be integrated into the IaC pipeline? (Select TWO)

Question 55 (hard, multiple choice)

A cloud application uses a service mesh for inter-service communication. The security team wants to enforce mutual TLS (mTLS) between all services and ensure that service identities are verified. What is the most effective way to achieve this?

Question 56 (medium, multiple choice)

A developer receives the error shown in the exhibit when trying to create a route in an API Gateway. Which action should the developer take to resolve the issue?

Exhibit:

```
Error: Error creating API Gateway v2: BadRequestException: Failed to create route because the requested route key is already in use
    status code: 400, request id: c6a1b2c3-d4e5-f6a7-b8c9-d0e1f2a3b4c5

Cause: The route key '/api/orders' already exists in the API.
```
Question 57 (hard, multiple choice)

A security analyst reviews the S3 bucket policy shown in the exhibit. The bucket stores sensitive application data. What is the primary security issue with this policy?

Exhibit (AWS S3 bucket policy, JSON):

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::myapp-data/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::myapp-data/*"
    }
  ]
}
```
Question 58 (medium, multiple choice)

A security analyst is reviewing CloudTrail logs and sees the event shown in the exhibit. The analyst suspects that the AMI used may be outdated and vulnerable. Which action should the analyst take to verify the security posture of the launched instance?

Exhibit (CloudTrail log, JSON):

```
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "arn": "arn:aws:iam::123456789012:user/app-admin",
    "accountId": "123456789012"
  },
  "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances",
  "resources": [
    {
      "resourceType": "AWS::EC2::Instance",
      "resourceName": "i-0abcdef1234567890"
    }
  ],
  "userAgent": "console.amazonaws.com",
  "sourceIPAddress": "203.0.113.50",
  "responseElements": {
    "instancesSet": {
      "items": [
        {
          "instanceId": "i-0abcdef1234567890",
          "imageId": "ami-0c55b159cbfafe1f0"
        }
      ]
    }
  }
}
```
Question 59 (medium, multiple choice)

A security architect is designing access controls for a cloud-based microservices application. Which approach best aligns with the principle of least privilege for service-to-service authentication?

Question 60 (easy, multiple choice)

A development team is migrating a legacy application to the cloud. Which security testing approach should be adopted early in the CI/CD pipeline to catch vulnerabilities as code is written?

Question 61 (hard, multiple choice)

A cloud security engineer needs to ensure that a containerized application running in a Kubernetes cluster securely stores and rotates database credentials. Which is the most appropriate solution?

Question 62 (medium, multiple choice)

During a code review, a developer identifies that an application uses input from an HTTP request to generate a SQL query string. What is the primary security concern?

Question 63 (hard, multiple choice)

An organization deploys a serverless application using AWS Lambda functions that access an RDS database. Which practice best ensures that the database credentials are protected?

Question 64 (easy, multiple choice)

Which of the following is a key benefit of using a software composition analysis (SCA) tool in a cloud application security program?

Question 65 (medium, multiple choice)

A company wants to enforce that all API calls to its cloud services are authenticated and authorized. Which design pattern should be implemented?

Question 66 (hard, multiple choice)

A security auditor is reviewing a cloud application's data encryption strategy. The application stores sensitive data in a cloud database. Which configuration would best ensure data confidentiality in the event of a database dump?

Question 67 (easy, multiple choice)

A DevOps team wants to prevent insecure code from being deployed to production. Which gate should be implemented in the CI/CD pipeline?

Question 68 (medium, multi select)

Which TWO measures are effective for securing container images in a cloud environment?

Question 69 (hard, multi select)

Which THREE are best practices for implementing secrets management in cloud applications?

Question 70 (medium, multi select)

Which TWO practices help protect against insecure deserialization attacks in cloud applications?

Question 71 (medium, multiple choice)

An IAM policy named S3ReadOnlyAccess has DefaultVersionId v3. What does this indicate?

Exhibit:

```
{
    "Policy": {
        "PolicyName": "S3ReadOnlyAccess",
        "PolicyId": "ANPAY6TVEXAMPLE",
        "Arn": "arn:aws:iam::123456789012:policy/S3ReadOnlyAccess",
        "Path": "/",
        "DefaultVersionId": "v3",
        "AttachmentCount": 0,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "CreateDate": "2021-01-01T12:00:00Z",
        "UpdateDate": "2021-06-01T12:00:00Z"
    }
}
```
Question 72 (hard, multiple choice)

An architect reviews this S3 bucket policy. What security concern should be raised?

Exhibit:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "192.0.2.0/24"
                }
            }
        }
    ]
}
```
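The S3 bucket-policy exhibits in questions 13, 23, 27, 57 and 72 share a handful of evaluation rules that decide the answer: an explicit Deny beats every Allow, `"Principal": "*"` means any caller including anonymous ones, a bucket (resource) policy must name a Principal or S3 rejects it as malformed, and `aws:SourceIp` is the public address S3 sees rather than a caller identity (so CloudFront, other AWS services and VPC-endpoint traffic never match a corporate range). The following is an added example written by the editor for this page, not code from Courseiva or AWS: a small linter that applies those rules to the exhibit policies. The finding codes and messages are the editor's own; the three policies are copied from the exhibits, and questions 13 and 23 have the same shape as the question 72 policy.

```python
"""Added example (editor's own): lint the S3 bucket policies on this page."""
import ipaddress
import json

Q27_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/MyAppRole"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::my-bucket/uploads/*"}]}""")

Q57_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::myapp-data/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::myapp-data/*"}]}""")

Q72_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}}]}""")

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WRITE_PREFIXES = ("s3:put", "s3:delete", "s3:*")


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for "*" or {"AWS": "*"}: any caller, signed or unsigned."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def lint_bucket_policy(policy):
    """Return (statement_index, code, message) findings for one policy."""
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        effect = st.get("Effect")
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        cond = st.get("Condition") or {}
        anonymous = _is_anonymous(st.get("Principal"))

        if "Principal" not in st:
            findings.append((idx, "MISSING_PRINCIPAL",
                "a resource policy must name a Principal; S3 rejects the "
                "policy as malformed, so it grants nothing"))
        if effect == "Allow" and anonymous:
            if any(a.startswith(WRITE_PREFIXES) for a in actions):
                findings.append((idx, "PUBLIC_WRITE",
                    "anyone, unauthenticated, can write or delete here"))
            elif not cond:
                findings.append((idx, "PUBLIC_READ",
                    "objects are readable by the whole internet"))
        if effect == "Deny" and anonymous and not cond and "s3:*" in actions:
            findings.append((idx, "DENY_ALL_OVERRIDES",
                "an unconditional Deny on s3:* beats every Allow, including "
                "the account's own IAM policies; the bucket is unusable"))
        for cidr in _as_list(cond.get("IpAddress", {}).get("aws:SourceIp")):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
                findings.append((idx, "PRIVATE_IP_CONDITION",
                    f"{cidr} is RFC 1918 space, but aws:SourceIp carries the "
                    "public (NAT) address S3 sees; this never matches"))
            if effect == "Allow":
                findings.append((idx, "SOURCEIP_ONLY_GATE",
                    "an IP condition is not authentication: CloudFront and "
                    "other AWS services call from their own ranges (use an "
                    "OAC principal with aws:SourceArn), and VPC-endpoint "
                    "traffic needs aws:SourceVpce or aws:VpcSourceIp"))
    return findings


def finding_codes(policy):
    """Sorted, de-duplicated codes, the form a CI gate would compare."""
    return sorted({code for _, code, _ in lint_bucket_policy(policy)})


if __name__ == "__main__":
    for name, pol in (("Q27", Q27_POLICY), ("Q57", Q57_POLICY), ("Q72", Q72_POLICY)):
        for idx, code, msg in lint_bucket_policy(pol):
            print(f"{name} statement {idx}: {code}: {msg}")
```

Run against the exhibits it reports the anonymous `PutObject` on `uploads/*` in question 27, the never-matching RFC 1918 condition and the bucket-wide Deny that overrides everything in question 57, and the missing Principal plus IP-only gating in question 72 (and, by the same shape, in questions 13 and 23, where the 403 from CloudFront is exactly the IP-only-gate finding).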
Question 73 (easy, multiple choice)

A cloud security engineer reviews this Terraform configuration for a security group. Which change is necessary to improve security?

Exhibit:

```
resource "aws_security_group" "web_sg" {
  name        = "web-sg"
  description = "Security group for web servers"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "HTTP from VPC"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```
Question 74 (medium, multiple choice)

A company develops a microservices application and wants to ensure secrets such as API keys and database credentials are not exposed in container images. Which approach best meets this requirement?

Question 75 (hard, multiple choice)

During a security review, a cloud security architect discovers that a PaaS database service has public network access enabled. The application team claims they need it for external integrations. What is the most secure alternative to allow necessary access?

Question 76 (medium, multiple choice)

A SaaS application allows users to upload profile pictures. The development team wants to prevent upload of malicious files that could compromise the server. Which control is most effective?

Question 77 (easy, multiple choice)

A cloud application uses OAuth 2.0 for authorization. What is the primary purpose of using a refresh token in this flow?

Question 78 (hard, multiple choice)

An organization uses a CI/CD pipeline that automatically builds and deploys container images to a Kubernetes cluster. A security scanner flags that the base image contains a critical vulnerability. What is the best course of action to prevent vulnerable images from being deployed?

Question 79 (easy, multiple choice)

A developer wants to ensure that sensitive data in a cloud database is protected even if the database backup files are stolen. Which best practice should be implemented?

Question 80 (medium, multiple choice)

A cloud security engineer is reviewing the authentication mechanism for a web application. The application currently uses API keys transmitted in the URL query string. What is the primary security concern with this approach?

Question 81 (easy, multiple choice)

Which of the following is the best way to protect a web application from cross-site scripting (XSS) attacks?

Question 82 (hard, multiple choice)

A company uses a serverless architecture with AWS Lambda to process user-uploaded files. The Lambda function is triggered by an S3 bucket event. While reviewing security, the architect wants to ensure that the Lambda function cannot be invoked by unauthorized S3 buckets or accounts. What is the most secure configuration?

Question 83 (medium, multi select)

Which TWO of the following are considered best practices for securing containerized applications in a cloud environment?

Question 84 (hard, multi select)

Which THREE of the following are valid techniques to protect application programming interfaces (APIs) from abuse?

Question 85 (easy, multi select)

Which TWO of the following are key components of a secure software development lifecycle (SSDLC) in a cloud environment?

Question 86 (easy, multiple choice)

A company is moving a legacy application to the cloud. The application uses hard-coded passwords for database connections. Which secure development practice should be implemented to address this issue?

Question 87 (medium, multiple choice)

A cloud application experiences intermittent failures during peak load. Logs show database connection timeouts. Which architecture change would best address this issue?

Question 88 (hard, multiple choice)

A financial services company uses a CI/CD pipeline to deploy microservices to a Kubernetes cluster. The security team wants to ensure container images are scanned for vulnerabilities before deployment. Which integration point in the pipeline is most effective?

Question 89 (medium, multiple choice)

A software company develops an API for third-party integrations. They want to ensure that only authorized partners can access the API. Which authentication mechanism is most appropriate?

Question 90 (easy, multiple choice)

A developer needs to store session state for a cloud-based web application. Which of the following is the most secure approach?

Question 91 (medium, multiple choice)

A company uses a cloud-based identity provider for single sign-on. An application needs to verify the user's identity without storing credentials. Which token type should the application validate?

Question 92 (hard, multiple choice)

During a security audit, it is discovered that a cloud application's API endpoints are vulnerable to injection attacks. Which defense in depth measure would be most effective in preventing such attacks?

Question 93 (easy, multiple choice)

A team is adopting DevSecOps. Which practice best integrates security into the development lifecycle?

Question 94 (medium, multiple choice)

A cloud application uses customer-managed encryption keys (CMK) stored in a cloud HSM. The application needs to decrypt data on demand. How should the key be accessed?

Question 95 (easy, multi-select)

Which TWO best practices help secure a cloud application's runtime environment?

Question 96 (medium, multi-select)

Which TWO are effective strategies for securing cloud application data at rest?

Question 97 (hard, multi-select)

Which THREE are key considerations when designing a secure software development lifecycle (SSDLC) for cloud applications?

Question 98 (medium, multiple choice)

Refer to the exhibit. A developer reports that users are being denied access to a cloud application. The error log shows the above. What is the most likely cause of the denial?

Exhibit:

Error: Exception in thread "main" java.lang.SecurityException: Unauthorized access
    at com.cloudapp.auth.TokenValidator.validate(SourceFile:112)
    at com.cloudapp.api.ApiGateway.handleRequest(SourceFile:45)
Caused by: com.cloudapp.auth.InvalidTokenException: Token expired at 2024-11-20T10:30:00Z
    at com.cloudapp.auth.JwtParser.parse(SourceFile:78)

Question 99 (medium, multiple choice)

A company runs a multi-tier cloud application with a web frontend, an API layer, and a database. The application uses OAuth 2.0 for authentication. Recently, users have been experiencing session hijacking attacks. Upon investigation, the security team finds that session tokens are being intercepted in transit. The application uses HTTPS for all communications, but a developer discovers that the application is also accessible via HTTP due to a misconfiguration. The team wants to implement additional security controls to prevent token theft. Which course of action should be taken first?

Question 100 (hard, multiple choice)

A financial organization is migrating a critical application to a cloud environment. The application processes sensitive customer data and must comply with PCI DSS. The security architect proposes using serverless functions for the compute layer. Which security control is essential to protect the application from injection attacks?

Question 101 (medium, multiple choice)

A company uses a cloud-based CI/CD pipeline with GitLab. Developers push code to a repository, triggering a build. The security team notices that sensitive API keys are being logged in build output. Which practice best prevents this?

Question 102 (hard, multiple choice)

A security architect is designing a cloud-native application using microservices. They decide to implement mutual TLS (mTLS) for service-to-service communication in a Kubernetes cluster with hundreds of services. What is the primary challenge in managing mTLS certificates in this dynamic environment?

Question 103 (easy, multi-select)

A security team is reviewing controls for a cloud application that transmits personally identifiable information (PII) over the internet. Which TWO controls are essential for protecting data in transit?

Question 104 (medium, multi-select)

A cloud application uses AWS Lambda functions in a serverless architecture. The security team wants to enforce least privilege access for these functions. Which THREE practices should be implemented?

Question 105 (easy, multiple choice)

A fintech startup deploys a customer-facing web application on Azure App Service. The application uses OAuth 2.0 with Azure AD for authentication. Recently, users report being logged out unexpectedly during active sessions. Security logs show multiple token refresh attempts failing with 'invalid_grant' errors. The application uses a standard library for token management. What is the most likely cause and recommended action?

Question 106 (medium, multiple choice)

A healthcare SaaS company runs containerized microservices on Google Kubernetes Engine (GKE). The security team scans containers with a vulnerability scanner and finds that base images have several critical vulnerabilities. The container build process uses a Dockerfile that pulls the latest Ubuntu image from Docker Hub. The team wants to reduce the attack surface without delaying feature releases. What is the best approach?

Question 107 (medium, multiple choice)

A global e-commerce platform uses AWS API Gateway to expose REST APIs to third-party developers. The security team notices that a malicious user is repeatedly sending large payloads to a /submit endpoint, causing high CPU usage on backend Lambda functions. The API uses a simple API key for authentication. Which combination of controls should be implemented to mitigate this attack while preserving legitimate access?

Question 108 (medium, multiple choice)

A large enterprise is migrating a legacy .NET application to Azure App Service. The application currently stores session state in-memory on the web server. During the migration, the team plans to horizontally scale the application across multiple instances. The security team requires that session data remain confidential and be available even if an instance fails. Which solution should the team implement?

Question 109 (hard, multiple choice)

A media streaming company uses a multi-cloud strategy with AWS and GCP. Their application uses a message queue (Amazon SQS and Google Pub/Sub) for asynchronous processing. The security team discovers that messages contain sensitive user data (e.g., email addresses) that are not encrypted at the broker level. The compliance team mandates encryption of data at rest and in transit for all sensitive data. However, the application already uses TLS for message delivery. What is the most secure and operationally efficient way to meet compliance?

Question 110 (hard, multiple choice)

A financial services company deploys a containerized application on Amazon ECS with Fargate. The application needs to access an encrypted RDS database. The security policy mandates that database credentials must never be stored in the application code or configuration files and must be rotated automatically every 90 days. Which solution should the DevOps team implement to satisfy these requirements?

Question 111 (hard, multiple choice)

A software company develops a mobile application that communicates with a cloud backend using REST APIs. The application uses OAuth 2.0 with the authorization code grant and PKCE for authentication. After a security audit, the team identifies that the backend API accepts both a client secret (from the authorization code grant) and a PKCE code verifier. The security team wants to remove unnecessary attack surface. Which change should be made?
