
CCSP Cloud Concepts, Architecture and Design • Complete Question Bank

CCSP Cloud Concepts, Architecture and Design — All Questions With Answers

Complete CCSP Cloud Concepts, Architecture and Design question bank — all 0 questions with answers and detailed explanations.

44 Questions • Free • No signup
Question 1 • medium • multiple choice

A healthcare organization is migrating sensitive patient data to a public cloud. The compliance team requires that data be encrypted at rest and in transit, and that the cloud provider cannot access the encryption keys. Which cloud service model should the organization use to maintain sole control over encryption keys?

Question 2 • easy • multiple choice

A company is designing a multi-tier application in the cloud. The web tier must automatically scale based on CPU utilization, while the database tier should remain fixed to maintain data consistency. Which architectural pattern best meets these requirements?

Question 3 • hard • multiple choice

A financial services firm is designing a cloud environment that must comply with PCI DSS. The security architect proposes using a virtual private cloud (VPC) with subnets, security groups, and network ACLs. However, the compliance officer is concerned about the risk of data exposure due to misconfiguration. Which additional control would BEST address this concern?

Question 4 • medium • multiple choice

A cloud architect is tasked with designing a disaster recovery plan for a critical application. The recovery time objective (RTO) is 1 hour, and the recovery point objective (RPO) is 15 minutes. The application runs on IaaS with data stored in a relational database. Which replication strategy is MOST cost-effective while meeting the objectives?

Question 5 • hard • multi select

Which THREE of the following are key characteristics of cloud computing as defined by NIST SP 800-145?

Question 6 • hard • multiple choice

Refer to the exhibit. A security engineer is reviewing this S3 bucket policy. The bucket contains sensitive documents that should only be accessible from the internal network (10.0.0.0/24) and only over HTTPS. What is the most likely effect of this policy?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Question 7 • medium • multiple choice

Your company, a global e-commerce platform, operates on a multi-cloud environment with workloads in AWS and Azure. You are the lead cloud architect. The platform experiences peak traffic during promotional events, with traffic spikes up to 10x normal. The application is composed of microservices running in containers orchestrated by Kubernetes on both clouds. Each cloud provider's Kubernetes cluster uses cluster autoscaler and horizontal pod autoscaler. Recently, during a flash sale, the AWS cluster failed to scale adequately, causing latency spikes and timeouts. AWS support indicated that the cluster hit a service quota limit for EC2 instances. You need to prevent this from recurring. You have the following options:

A) Implement a multi-region deployment on AWS to distribute load.
B) Pre-warm the AWS environment by requesting a service quota increase and using a pod priority class to ensure critical pods scale first.
C) Migrate all workloads to Azure to simplify management.
D) Use a global load balancer to route traffic to the cloud with the most available capacity.

Which option is the best course of action?

Question 8 • medium • drag order

Drag and drop the steps for performing a cloud migration using the 'lift and shift' strategy into the correct order.

Question 9 • medium • drag order

Drag and drop the steps for implementing a data retention policy for cloud storage (e.g., Amazon S3) into the correct order.

Question 10 • medium • matching

Match each NIST SP 800-53 control family to its focus area.

Concepts
Matches

Access Control

Audit and Accountability

System and Communications Protection

System and Information Integrity

Physical and Environmental Protection

Question 11 • medium • matching

Match each cloud auditing term to its definition.

Concepts
Matches

Service organization control report for security

Assessment of cloud provider controls

Analysis of logs for incident investigation

Real-time assessment of security controls

Question 12 • easy • multiple choice

A company is migrating to the cloud to reduce capital expenditures. They want to pay only for the resources they consume with no upfront investment. Which financial model does this describe?

Question 13 • medium • multiple choice

A healthcare provider is subject to HIPAA regulations. They are planning to use a public cloud provider. Which design consideration is most important to ensure compliance?

Question 14 • hard • multiple choice

An organization is designing a cloud application that must remain available even if an entire AWS availability zone fails. Which architecture pattern should they implement?

Question 15 • easy • multiple choice

A company wants to ensure that their cloud deployment has the highest level of isolation between tenants. Which deployment model is most appropriate?

Question 16 • medium • multiple choice

A developer is designing a microservices-based application in the cloud. They need to ensure communication between services is loosely coupled and resilient to failures. Which design pattern should they implement?

Question 17 • hard • multiple choice

An auditor is reviewing a cloud provider's SOC 2 Type II report. Which aspect of the report is most relevant for assessing the effectiveness of controls over a period?

Question 18 • medium • multiple choice

A cloud architect is designing a disaster recovery plan for a financial application with RTO of 15 minutes and RPO of 5 minutes. Which recovery strategy is most appropriate?

Question 19 • easy • multiple choice

A small business wants to use a cloud service but has limited in-house IT expertise. Which cloud service model requires the least customer management responsibility?

Question 20 • hard • multiple choice

During a cloud migration, a company decides to move a legacy application with no code changes. Which migration strategy are they using?

Question 21 • medium • multi select

A cloud architect is evaluating cloud service models for a new application. Which two characteristics are advantages of PaaS over IaaS? (Choose two.)

Question 22 • easy • multi select

A company is implementing a hybrid cloud architecture. Which two components are essential for establishing a secure connection between on-premises and cloud environments? (Choose two.)

Question 23 • hard • multi select

A cloud architect is designing a multi-cloud strategy to avoid vendor lock-in. Which three design considerations should be included? (Choose three.)

Question 24 • medium • multiple choice

What is the effective permission for a request coming from IP address 10.1.2.3?

Exhibit

Refer to the exhibit. The following is an excerpt from a cloud provider's access control policy:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
```
Question 25 • medium • multiple choice

What is the most likely cause of the failure?

Network Topology
```
$ cloud-cli describe-instance
instance-type compute.optimized
region us-east-1
Instance ID: i-0abcd1234efgh
Type: compute.optimized.v3
vCPU: 32
Memory: 64 GB
Status: running
State: provisioning (failed: insufficient capacity)
```
Question 26 • hard • multiple choice

Which type of threat is this log most likely indicating?

Exhibit

Refer to the exhibit. The following is a log entry from a cloud access security broker (CASB):
```
Event: Anomalous data transfer
User: user@example.com
Application: Salesforce
Data size: 2.5 GB
Time: 02:00 AM
Location: IP 203.0.113.45 (country: Unknown)
Action: Allow (policy exception)
```
Question 27 • easy • multiple choice

A company is migrating its on-premises workloads to a public cloud environment. The security team is concerned about maintaining visibility into network traffic between virtual machines in the same virtual network. Which cloud architecture component should be implemented to address this concern?

Question 28 • easy • multiple choice

A cloud architect is designing a multi-region application to ensure high availability. The application must automatically fail over to a secondary region if the primary region becomes unavailable. Which strategy best meets this requirement?

Question 29 • medium • multiple choice

A company uses a cloud provider's object storage service for backup data. The security policy requires that data be encrypted at rest using keys managed by the company's on-premises hardware security module (HSM). Which encryption method should be used?

Question 30 • medium • multiple choice

A cloud architect is designing a cost-optimized architecture for a batch processing job that runs once per day. The job requires high compute capacity for approximately 5 hours. Which cloud service model is most suitable?

Question 31 • hard • multiple choice

A company is deploying a new application that processes sensitive personal data. The cloud provider operates in a specific region that adheres to the EU General Data Protection Regulation (GDPR). The company requires that data never leave the region. Which combination of cloud architecture controls should be implemented?

Question 32 • hard • multiple choice

A cloud architect is designing a disaster recovery (DR) solution for a critical application with a recovery time objective (RTO) of 30 minutes and a recovery point objective (RPO) of 5 minutes. The application runs on virtual machines in a private cloud. The architect is considering using a colocation facility as the DR site. Which replication method will meet the RPO requirement?

Question 33 • easy • multiple choice

A company wants to ensure that its cloud infrastructure can automatically add capacity during traffic spikes and remove capacity during low demand. Which cloud characteristic is primarily needed?

Question 34 • medium • multi select

A company is moving a legacy application to a public cloud. The application requires low latency and high throughput between two application tiers. Which two cloud design principles should be applied? (Choose two.)

Question 35 • easy • multi select

An organization wants to ensure compliance with industry regulations by implementing data classification in the cloud. Which two actions should the organization take? (Choose two.)

Question 36 • hard • multi select

A cloud architect is designing a multi-cloud solution that must maintain high availability and disaster recovery across two cloud providers. Which three key considerations should be included in the architecture? (Choose three.)

Question 37 • medium • multiple choice

Refer to the exhibit. A security auditor is reviewing the security group configuration for a web server. Which change would improve the security posture without breaking the application functionality?

Exhibit

Security Group Rule Analysis:
```
Rule 1: Inbound | TCP | Port 22 | 0.0.0.0/0 | Allow
Rule 2: Inbound | TCP | Port 443 | 0.0.0.0/0 | Allow
Rule 3: Inbound | TCP | Port 3389 | 192.168.1.0/24 | Allow
Rule 4: Outbound | All Traffic | 0.0.0.0/0 | Allow
```
Question 38 • hard • multiple choice

Refer to the exhibit. An organization has attached this IAM policy to a role used by a backup application to access encrypted objects in an S3 bucket. The application is failing with an access denied error when trying to download objects. What is the most likely cause?

Exhibit

IAM Policy Document:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-db-backup", "arn:aws:s3:::example-db-backup/*"]
    },
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "*"
    }
  ]
}
```
Question 39 • easy • multiple choice

A multinational corporation operates a cloud-based application that stores customer data across multiple regions to comply with local data residency laws. The application is deployed on virtual machines in an Infrastructure as a Service (IaaS) environment. Recently, the compliance team discovered that some user data from the European region was accidentally stored in a storage bucket located in the United States due to a misconfigured storage class. The company needs to immediately ensure that no further data breaches occur and that all future data storage actions comply with regional restrictions. The cloud architect proposes implementing a data loss prevention (DLP) solution, but the compliance team wants a more preventative approach. Which of the following is the BEST course of action to prevent this issue?

Question 40 • medium • multiple choice

A software development company is migrating its development and test environments to a public cloud. The security team has identified that many developers have assigned overly permissive IAM roles to the resources they create, such as giving full administrative access to databases and virtual machines. The company wants to enforce least privilege without impeding development agility. The cloud architect suggests using a combination of permission boundaries and service control policies. Which of the following approaches BEST enforces least privilege while maintaining development flexibility?

Question 41 • hard • multiple choice

A financial services company is required to maintain audit trails of all user activities in its cloud environment for regulatory compliance. The company uses multiple cloud services and wants a centralized logging solution. The current architecture sends logs to a central storage bucket, but some logs are being lost due to high volume and insufficient throughput. Additionally, the logs must be immutable to prevent tampering. The company needs to ensure that all logs are captured and stored in a tamper-proof manner. Which of the following solutions BEST meets the requirements?

Question 42 • medium • multiple choice

A cloud security analyst is troubleshooting an access denied error when an application attempts to read an object from an S3 bucket. The application uses an IAM user that is not associated with the role specified in the policy. Which of the following is the most likely cause of the error?

Exhibit

Refer to the exhibit.
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::123456789012:role/DataAccessRole"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "arn:aws:iam::123456789012:role/DataAccessRole",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/*"
        }
    ]
}
```
Question 43 • easy • multi select

Which THREE of the following are essential characteristics of cloud computing as defined by NIST SP 800-145?

Question 44 • hard • multiple choice

A healthcare organization recently migrated a patient records management application from on-premises infrastructure to a cloud environment using Infrastructure as a Service (IaaS). The application was originally designed as a monolithic workload running on bare-metal servers. After migration, the application is deployed on a fleet of virtual machines (VMs) of the same instance type. The organization is using a combination of Reserved Instances for baseline capacity and On-Demand instances to handle spikes. However, two months after the migration, the cloud bill is 40% higher than the estimated on-premises total cost of ownership. Additionally, performance reports indicate that the application experiences inconsistent latency and occasional timeouts during peak hours. The operations team has confirmed that the application code has not changed, and the cloud provider's infrastructure is healthy. There is no issue with network bandwidth or storage I/O. The team is considering several options to address both cost and performance issues. What should the team do first?
