Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CCSP Cloud Data Security • Complete Question Bank

CCSP Cloud Data Security — All Questions With Answers

Complete CCSP Cloud Data Security question bank — all 0 questions with answers and detailed explanations.

120 Questions • Free • No signup
Question 1 • medium • multiple choice

A company is storing sensitive customer data in an S3 bucket. They need to ensure data is encrypted at rest and that the encryption keys are managed by the cloud provider. Which encryption strategy should they use?

Question 2 • hard • multiple choice

An organization is migrating a legacy application to the cloud and must comply with PCI DSS. The application currently logs credit card numbers in plaintext. Which data security control should be implemented FIRST?

Question 3 • easy • multiple choice

A cloud security architect is designing a key management strategy for a multi-cloud environment. Which of the following is a BEST practice for key management?

Question 4 • hard • multiple choice

A company uses a cloud-based file storage service and wants to enable client-side encryption to prevent the cloud provider from accessing plaintext data. Which of the following MUST be implemented?

Question 5 • medium • multiple choice

A healthcare organization stores patient records in a cloud database. They need to ensure that database administrators cannot view sensitive columns like SSN and diagnosis. Which data masking technique should be applied?

Question 6 • easy • multiple choice

A company is deploying a cloud application that processes credit card transactions. Which standard must they comply with regarding data security?

Question 7 • medium • multiple choice

An organization uses a cloud storage service to share files with external partners. They want to ensure that the files are automatically deleted after 30 days. Which data lifecycle control should be implemented?

Question 8 • hard • multiple choice

A company uses a cloud key management service (KMS) and wants to ensure that keys can be used only within a specific geographic region. Which of the following should be configured?

Question 9 • easy • multiple choice

A cloud architect needs to protect data in transit between an on-premises data center and a cloud virtual private cloud (VPC). Which solution is MOST appropriate?

Question 10 • medium • multiple choice

A company is designing a data retention policy for cloud storage. Regulatory requirements mandate that certain records be kept for 7 years and then securely destroyed. Which combination of controls should be used?

Question 11 • medium • multi select

Which TWO of the following are valid methods to protect data at rest in a cloud environment?

Question 12 • hard • multi select

Which THREE of the following are key components of a cloud data governance framework?

Question 13 • easy • multi select

Which TWO of the following are benefits of using tokenization for credit card data?

Question 14 • hard • multi select

Which THREE of the following are essential steps in a cloud data discovery process?

Question 15 • medium • multiple choice

An administrator applies the above bucket policy to an S3 bucket containing sensitive data. What is the EFFECT of this policy?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Question 16 • hard • multiple choice

A developer receives the above error when trying to encrypt an object using a customer-managed KMS key. What is the MOST likely cause?

Exhibit

Refer to the exhibit.

```
Error: Failed to create resource. Status: 403 Forbidden.
{
  "Code": "AccessDenied",
  "Message": "Access denied. Please ensure that the key policy grants the necessary permissions.",
  "Resource": "arn:aws:kms:us-east-1:123456789012:key/abc123"
}
```
Question 17 • easy • multiple choice

A DevOps engineer runs the above command and gets the error. What is the MOST likely missing permission?

Exhibit

Refer to the exhibit.

```
$ gsutil ls gs://my-bucket/
AccessDeniedException: 403 my-service-account@project.iam.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket.
```
Question 18 • hard • multiple choice

A multinational financial services company uses a hybrid cloud environment with workloads in AWS and Azure. They recently acquired a smaller firm and must integrate their data while maintaining compliance with GDPR and PCI DSS. The acquired firm stores customer payment data in an on-premises Oracle database and wants to migrate it to the cloud. During the migration, they must ensure that the data is encrypted at all times—at rest, in transit, and during processing. The security team has implemented TLS for data in transit and plans to use cloud-native encryption for at-rest data. However, they are concerned about data being processed in memory or temporary storage. They also need to maintain key separation so that the cloud provider cannot access the encryption keys. The CISO wants to implement a solution that minimizes performance impact while meeting compliance requirements. Which of the following is the BEST course of action?

Question 19 • medium • multiple choice

A software-as-a-service (SaaS) provider hosts customer data in a multi-tenant cloud environment. Each customer's data is stored in separate databases but shares a common infrastructure. A customer reports that they can see another customer's data in their application dashboard. The development team investigates and finds no application-level bugs. The security team suspects the issue is related to cloud data isolation. The provider uses a public cloud database service with separate schemas per customer. The database service uses shared compute resources. The provider's compliance team is concerned about data leakage between tenants. Which of the following is the MOST effective way to ensure data isolation in this environment?

Question 20 • medium • multiple choice

A healthcare organization stores patient records in a cloud-based object storage service. To comply with HIPAA, they must ensure that data is encrypted at rest and that encryption keys are managed by the organization itself. Which key management approach should they implement?

Question 21 • hard • multiple choice

A multinational corporation uses a cloud CASB to enforce data loss prevention (DLP) policies across SaaS applications. The security team discovers that sensitive data is being exfiltrated via encrypted traffic that the CASB cannot inspect. What is the most effective design change to mitigate this risk?

Question 22 • easy • multi select

A cloud architect is designing a data classification scheme for a financial services firm. The data includes public marketing materials, internal emails, customer account numbers, and credit card information. Which two data categories should be classified as 'restricted' under PCI DSS and other regulations?

Question 23 • medium • multi select

A company uses a cloud key management service (KMS) with automatic key rotation enabled. Which TWO statements about key rotation are true?

Question 24 • hard • multiple choice

A security engineer applies the above bucket policy to an S3 bucket containing sensitive data. Which of the following best describes the effect of this policy?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Question 25 • medium • multi select

A cloud security team is implementing tokenization for a payment system. Which THREE statements correctly describe tokenization characteristics?

Question 26 • hard • multiple choice

A large e-commerce company uses a multi-cloud environment with workloads in AWS and Azure. They store customer payment data in an AWS S3 bucket and use Azure SQL Database for transactional data. The company requires that all data at rest be encrypted using keys managed by their on-premises HSM. They have implemented AWS KMS with custom key store (CloudHSM) for S3, and Azure SQL TDE with Azure Key Vault (using BYOK) for the database. Recently, the security team noticed that some S3 objects are not encrypted with the expected key, and there are intermittent access failures to the Azure SQL database. Investigation reveals that the AWS KMS key ID changed after a recent security incident, and the Azure Key Vault key has been disabled due to a misconfigured access policy. What is the most effective course of action to restore encryption compliance and service availability?

Question 27 • easy • multiple choice

A financial services company is migrating sensitive customer data to a cloud environment. The compliance team requires that all data at rest be encrypted using a key managed by the organization, not the cloud provider. Which solution should the company implement?

Question 28 • medium • multi select

A cloud security architect is designing a data loss prevention (DLP) strategy for a multi-cloud environment. Which TWO actions are effective in preventing unauthorized exfiltration of sensitive data?

Question 29 • hard • multiple choice

A cloud security engineer reviews the S3 bucket policy shown in the exhibit. What is the net effect of this policy when a request originates from IP address 203.0.113.10 over HTTPS?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::company-data/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::company-data/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```
Question 30 • medium • drag order

Drag and drop the steps for managing identity and access in a multi-cloud environment using a centralized identity provider (IdP) into the correct order.

Question 31 • medium • matching

Match each cloud incident response phase to its primary activity.


Concepts
Matches

Develop incident response plan and tools

Identify potential security incidents

Isolate affected systems and prevent spread

Restore normal operations and verify integrity

Question 32 • easy • multiple choice

A company uses a cloud storage service to store sensitive customer data. They need to ensure that data is encrypted at rest using keys managed by the cloud provider. Which encryption model should they use?

Question 33 • medium • multiple choice

A cloud architect is designing a data loss prevention (DLP) solution for a SaaS application. The DLP must inspect data in transit between end users and the cloud as well as data at rest. Which combination of controls is most appropriate?

Question 34 • hard • multiple choice

During a cloud migration, a company discovers that some sensitive data was inadvertently stored in an object storage bucket with public read access. The security team needs to determine the scope of exposure and remediate. What is the FIRST step they should take?

Question 35 • medium • multiple choice

A company is implementing a cloud key management system (KMS) to control encryption keys for sensitive data. Which practice is essential to ensure the security of the keys?

Question 36 • easy • multiple choice

An organization is adopting a cloud-based data warehouse and needs to ensure data masking is applied to personally identifiable information (PII) for analysts who should not see actual values. Which technique is most appropriate?

Question 37 • medium • multiple choice

A cloud security auditor is assessing a company's data classification policy for their cloud environment. Which finding would be considered a critical deficiency?

Question 38 • hard • multiple choice

A SaaS provider stores customer data in a multi-tenant database. A new regulation requires that data of former customers be completely erased within 30 days of account closure. Which process should the provider implement?

Question 39 • easy • multiple choice

A cloud customer wants to ensure that their data is encrypted during transmission between their on-premises data center and the cloud provider's service. Which protocol should they use?

Question 40 • hard • multiple choice

A company's cloud storage bucket policy inadvertently allowed anonymous users to list and read objects. After discovering the exposure, the security team has corrected the policy. Which additional step is critical to prevent recurrence?

Question 41 • medium • multi select

Which TWO of the following are effective strategies for protecting sensitive data in a public cloud environment?

Question 42 • hard • multi select

Which THREE of the following are required components of a cloud data lifecycle policy?

Question 43 • easy • multi select

Which TWO of the following are best practices for cloud key management?

Question 44 • medium • multiple choice

The exhibit shows a bucket policy applied to a cloud storage bucket. After applying this policy, the security team notices that objects in the bucket are publicly accessible. Which additional condition should be added to restrict access to only authorized applications?

Network Topology
Refer to the exhibit.

```
aws s3api put-bucket-policy --bucket my-company-data --policy file://policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-company-data/*"
    }
  ]
}
```
Question 45 • hard • multiple choice

The exhibit shows a key policy for a customer master key (CMK) in a cloud KMS. An administrator wants to prevent the AppRole from using the key to decrypt data. Which change to the policy would accomplish this?

Exhibit

Refer to the exhibit.

```
# Example of cloud KMS key policy (JSON)
{
  "Version": "2012-10-17",
  "Id": "key-default",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AppRole"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```
Question 46 • medium • multiple choice

The exhibit shows a bucket policy that grants public read access. What is the most effective way to remove this public access?

Exhibit

Refer to the exhibit.

```
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::public-bucket/*"
    }
  ]
}
```

After applying this bucket policy, the owner notices that the bucket is publicly accessible. Which additional configuration must be adjusted to make the bucket private?
Question 47 • medium • multiple choice

A company is migrating sensitive customer data to the cloud. They need to classify data according to the organization's data classification policy, which includes public, internal, confidential, and restricted categories. Which of the following is the MOST important step to ensure data classification is effective in the cloud?

Question 48 • easy • multiple choice

A cloud consumer uses an IaaS provider for storage of archived financial records. Regulatory requirements mandate that data at rest be encrypted using a key that is under the consumer's sole control. Which encryption approach should the consumer implement?

Question 49 • hard • multiple choice

A company uses a hybrid cloud architecture with on-premises key management and cloud services. They need to ensure that encryption keys used for cloud data are never exposed to the cloud provider. Which key management approach best meets this requirement?

Question 50 • medium • multiple choice

A security team is implementing Data Loss Prevention (DLP) for a SaaS application that stores customer PII. They want to detect when sensitive data is shared externally via email. Which is the best approach?

Question 51 • easy • multiple choice

After decommissioning a cloud database, a company is concerned about data remanence. They have overwritten all storage blocks with zeros. However, regulatory auditors require proof that the data is unrecoverable. What additional step should the company take?

Question 52 • medium • multiple choice

A financial services company is migrating to the cloud and must retain transaction records for seven years for regulatory compliance. They plan to use object storage with lifecycle policies. What is the most secure configuration for long-term data retention?

Question 53 • hard • multiple choice

A cloud application processes credit card numbers. To reduce PCI DSS scope, the company wants to remove the original PAN from its databases and use a surrogate value that can be reversed only by a privileged application. Which data protection technique should they use?

Question 54 • easy • multiple choice

A development team is working with production-like data in a non-production cloud environment. To comply with data privacy regulations, sensitive fields must be obscured without being retrievable. Which technique should they apply?

Question 55 • medium • multiple choice

A company uses a Cloud Access Security Broker (CASB) to enforce security policies on SaaS applications. They want to ensure that data uploaded to a file-sharing service does not contain Social Security numbers (SSNs). Which CASB capability is most effective?

Question 56 • medium • multi select

Which TWO data states must be encrypted to meet common compliance requirements for data in the cloud? (Choose two.)

Question 57 • hard • multi select

Which THREE controls help protect data in use within a cloud environment? (Choose three.)

Question 58 • easy • multi select

Which TWO data lifecycle stages are most critical for applying encryption controls in a cloud object storage service? (Choose two.)

Question 59 • medium • multiple choice

An administrator configured the above key policy for a KMS key used to encrypt S3 backup data. The backup role 'BackupRole' is in the same account. However, when the backup service attempts to use the key to decrypt objects, the operation fails. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/BackupRole"
      },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncrypt*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "123456789012",
          "kms:ViaService": "s3.us-west-2.amazonaws.com"
        }
      }
    }
  ]
}
```
Question 60 • hard • multiple choice

An Azure application uses a key vault key for client-side encryption of data. The application also communicates with a cloud service over HTTPS. After deploying, the handshake failure occurs. Which of the following is the most likely cause?

Exhibit

Refer to the exhibit.

```
$ az keyvault key list --vault-name myVault
[ 
  {
    "kid": "https://myVault.vault.azure.net/keys/myKey/abc123",
    "attributes": {
      "enabled": true,
      "created": 1590000000,
      "updated": 1590000000
    },
    "tags": {
      "usage": "encryption"
    }
  }
]
$ openssl s_client -connect myserver.cloudapp.net:443 -servername myserver.cloudapp.net
CONNECTED(00000003)
140735123456:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1487:SSL alert number 40
```
Question 61 • easy • multiple choice

An analyst receives the above error when trying to download a file from an S3 bucket. The bucket policy and user permissions appear correct. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
Error: Access Denied.
  status code: 403, request id: QWERTY1234, host id: ABCD5678
  User: arn:aws:iam::123456789012:user/data-analyst
  Action: s3:GetObject
  Resource: arn:aws:s3:::proprietary-data/reports/q4-2023.csv
  Additional detail: Encryption key access required.
```
Question 62 • easy • multiple choice

A company is migrating sensitive customer data to a public cloud storage service. They want to ensure that even the cloud provider cannot access the plaintext data. Which encryption strategy should they implement?

Question 63 • medium • multiple choice

An organization uses a cloud database service and needs to protect data at rest. They enable Transparent Data Encryption (TDE) with a customer-managed key stored in the cloud provider's key management service. Which additional control should they implement to ensure the key cannot be used by unauthorized personnel?

Question 64 • hard • multiple choice

A financial institution uses a cloud-based data warehouse to store customer transaction records. They must comply with a regulation that requires deletion of data after 7 years. Which approach should they use to ensure data is irrecoverably destroyed?

Question 65 • easy • multiple choice

A cloud architect is designing a data classification scheme for a SaaS application. Data must be classified based on sensitivity and regulatory requirements. Which of the following is the PRIMARY reason to classify data?

Question 66 • medium • multiple choice

An organization uses a cloud-based DLP solution to monitor outbound traffic. They want to prevent the exfiltration of credit card numbers. Which detection technique is most appropriate for this requirement?

Question 67 • hard • multiple choice

A multi-national corporation uses a cloud storage service to store files that are subject to data residency requirements. Data must remain within a specific geographic region. Which of the following controls provides the STRONGEST assurance that data does not leave the region?

Question 68 • easy • multiple choice

A cloud security team is implementing a key management system for encrypting data in a multi-cloud environment. They need to ensure that keys are available even if one cloud provider experiences an outage. What is the BEST approach?

Question 69 • medium • multiple choice

A company uses a cloud-based database that contains personally identifiable information (PII). They need to allow developers to run queries against the database for testing purposes without exposing actual PII. Which technique should they use?

Question 70 • hard • multiple choice

A cloud security analyst is investigating a potential data breach. They discover that an employee's credentials were used to access a cloud storage bucket containing sensitive files. The access logs show the employee accessed the bucket from an IP address in a different country during the time of the incident. Which of the following is the MOST likely attack vector?

Question 71 • easy • multi select

Which TWO of the following are valid data states that must be protected in cloud computing?

Question 72 • medium • multi select

Which THREE of the following are key considerations when designing a key management lifecycle for cloud data encryption?

Question 73 • hard • multi select

Which THREE of the following are effective data sanitization methods for cloud environments?

Question 74 • easy • multiple choice

The exhibit shows the versioning configuration for an S3 bucket. What effect does enabling MFADelete have on data protection?

Network Topology
Refer to the exhibit.

```
$ aws s3api get-bucket-versioning --bucket my-bucket
{
  "Status": "Enabled",
  "MFADelete": "Enabled"
}
```
Question 75 • medium • multiple choice

A cloud administrator applies the bucket policy shown in the exhibit to an S3 bucket. What is the expected outcome?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
```
Question 76 • hard • multiple choice

An administrator notices the log entries in the exhibit from a cloud-hosted server. What is the MOST likely security concern indicated by these logs?

Exhibit

Refer to the exhibit.

```
Oct 12 09:15:22 cloudhost sshd[1234]: Failed password for admin from 203.0.113.55 port 2213 ssh2
Oct 12 09:15:25 cloudhost sshd[1234]: Accepted password for admin from 203.0.113.55 port 2213 ssh2
Oct 12 09:15:30 cloudhost sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/mysql -h db-internal -u root -pS3cur3P@ss
Oct 12 09:16:00 cloudhost mysqld[2345]: 2023-10-12 9:16:00 2 [Note] Access denied for user 'root'@'cloudhost' (using password: YES)
```
Question 77 • medium • multiple choice

A company uses cloud storage for sensitive data and wants to ensure that the cloud provider cannot access their encryption keys. Which approach should they implement?

Question 78 • hard • multiple choice

A financial services company is migrating a critical database to the cloud. The database contains columns with PII that must be encrypted. Performance is the highest priority, and the system must support queries on encrypted data. Which technique should be used?

Question 79 • medium • multi select

Which TWO statements about data classification are correct?

Question 80 • easy • multiple choice

What does this bucket policy enforce?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::mybucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
```
Question 81 • easy • multiple choice

A customer requires complete control over encryption keys used to protect data at rest in the cloud. Which cloud service model provides the most direct control?

Question 82 • hard • multi select

Which THREE statements about cryptographic key lifecycle management are correct?

Question 83 • medium • multiple choice

A company uses a cloud-based file sharing service and wants to prevent sensitive data from being shared externally. Which cloud data security capability is most appropriate?

Question 84 (hard, multiple choice)

Based on the CloudTrail log, why did the Decrypt call fail?

Exhibit

CloudTrail log entry:

```json
{
  "eventVersion": "1.05",
  "userIdentity": { "arn": "arn:aws:iam::123456789012:user/Alice" },
  "eventTime": "2023-08-15T14:30:00Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "sourceIPAddress": "203.0.113.5",
  "resources": [{ "ARN": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" }],
  "errorCode": "AccessDenied",
  "errorMessage": "User: arn:aws:iam::123456789012:user/Alice is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
```

Question 85 (easy, multiple choice)

An organization stores archival data in cloud cold storage and requires each customer's data to be encrypted with unique keys managed by the customer. Which encryption approach meets this requirement?

Question 86 (medium, multi select)

Which TWO statements about data masking are correct?

Question 87 (hard, multiple choice)

An enterprise uses a Cloud Access Security Broker (CASB) to monitor cloud application usage. The CASB generates alerts about potential data loss prevention events. What is the primary purpose of the CASB's DLP capabilities?

Question 88 (medium, multiple choice)

What additional security benefit does the VPC endpoint provide?

Exhibit

Cloud storage architecture description:
"Data is stored in a bucket with default encryption using AES-256. Access is controlled via IAM policies and bucket policies. Additionally, a VPC endpoint is used to restrict access to the bucket only from a specific VPC."

Question 89 (easy, multiple choice)

A company must ensure that cloud storage data is retained even if authorized users attempt to delete it, to comply with a legal hold. Which configuration is most effective?

Question 90 (easy, multiple choice)

A developer accidentally uploaded a file containing API credentials to a public cloud storage bucket. The cloud provider states they cannot guarantee deletion of the object. Which practice could have prevented this incident?

Question 91 (hard, multi select)

Which THREE statements about tokenization compared to encryption are correct?

Question 92 (medium, multiple choice)

A company wants to encrypt data at rest in a cloud object storage service. They require that the cloud provider has no access to the encryption keys. Which key management approach should they use?

Question 93 (hard, multiple choice)

A financial institution is migrating sensitive transaction data to the cloud. They must comply with a regulation that requires data to be retained for 7 years, but also support immediate legal holds. The cloud storage service offers object lock with governance mode. What is the best practice to ensure compliance?

Question 94 (easy, multiple choice)

A cloud security architect is implementing a data classification scheme. They need to ensure that data labeled 'confidential' is automatically encrypted when stored in cloud storage. Which approach best achieves this?

Question 95 (medium, multiple choice)

A company uses a cloud-based data loss prevention (DLP) tool to monitor data access. They notice that a user is bypassing DLP by accessing data directly via cloud APIs from a non-corporate device. What is the most effective way to prevent this?

Question 96 (hard, multiple choice)

An organization uses cloud databases and needs to protect sensitive fields such as credit card numbers. They want to preserve the ability to perform exact match searches and joins on these fields. Which data protection technique best meets these requirements?

Question 97 (easy, multiple choice)

A cloud administrator is rotating encryption keys for a data storage service. The administrator wants to ensure that previously encrypted data remains accessible after the rotation. What is the best practice?

Question 98 (medium, multiple choice)

An organization uses cloud object storage for backup data and requires that once written, data cannot be modified or deleted for a specified retention period. Which feature should they enable?

Question 99 (hard, multiple choice)

A healthcare organization wants to perform analytics on encrypted patient data without decrypting it first, to maintain privacy. Which cryptographic technique supports this use case?

Question 100 (easy, multiple choice)

An enterprise uses a cloud access security broker (CASB) to protect data in cloud applications. They want to prevent users from uploading files containing credit card numbers to a cloud storage service. Which CASB feature should be configured?

Question 101 (medium, multi select)

A company is designing a data at rest encryption strategy for their cloud environment. Which TWO of the following are valid approaches? (Choose two.)

Question 102 (hard, multi select)

An organization is implementing data masking to protect sensitive data in non-production environments. Which THREE of the following are common data masking techniques? (Choose three.)

Question 103 (easy, multi select)

A company needs to ensure that data stored in the cloud is securely deleted when no longer needed. Which TWO of the following are secure deletion methods? (Choose two.)

Question 104 (medium, multiple choice)

Refer to the exhibit. An administrator applies this S3 bucket policy. What is the overall effect?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-12345678"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": "vpc-12345678"
        }
      }
    }
  ]
}
```

Question 105 (hard, multiple choice)

A healthcare organization uses a cloud-based electronic health record (EHR) system that stores protected health information (PHI). They recently enabled direct API access for a new mobile application. Shortly after, the security team detected that a large volume of PHI was being exfiltrated through the API by an attacker who obtained valid API keys from a compromised developer workstation. The organization has data loss prevention (DLP) tools but they were not inspecting API traffic. The EHR system supports attribute-based access control (ABAC) and has logging for all API calls. The organization needs to prevent similar incidents while maintaining the functionality of the mobile app. Which course of action should be taken first?

Question 106 (medium, multiple choice)

A multinational corporation operates across multiple cloud providers (AWS, Azure, GCP) and uses a variety of data storage services. They have a requirement to enforce a consistent encryption policy across all providers: all data at rest must be encrypted using a centrally managed key that is rotated every 90 days. The cloud security team is evaluating different key management solutions. They want to minimize operational overhead and avoid vendor lock-in. The team has experience with configuring cloud-native key management services (KMS) but is concerned about managing keys across different regions and providers. Which solution best meets the requirements?

Question 107 (easy, multiple choice)

A company is migrating its customer database to a cloud object storage service. The database contains personally identifiable information (PII). The security team requires that all data be encrypted at rest and that the company retains exclusive control over the encryption keys. Which solution BEST meets these requirements?

Question 108 (hard, multiple choice)

A multinational corporation uses a cloud access security broker (CASB) to enforce data protection policies across multiple SaaS applications. They discover that sensitive data tagged with 'Confidential' is being shared externally via a file-sharing application. The CASB currently only logs activities. Which action should the security team take to prevent such data loss in the future?

Question 109 (medium, multi select)

An organization is evaluating techniques to protect data while it is being processed in memory. The goal is to prevent unauthorized access even if the operating system or hypervisor is compromised. Which TWO techniques are suitable for protecting data in use?

Question 110 (medium, multi select)

A company's cloud security policy mandates strict control over encryption keys used for data at rest. Which THREE practices are recommended for secure key management in the cloud?

Question 111 (easy, multiple choice)

A startup provides a cloud-based document collaboration platform. They store user-uploaded documents in a cloud object storage bucket. Compliance with data privacy laws requires that when a user deletes an account, all their documents must be permanently deleted within 30 days. The current process uses object versioning and lifecycle policies to expire objects after 30 days. However, during a recent audit, it was discovered that deleted user documents were still accessible via the bucket's previous versions for months after the deletion. The security team needs to ensure that all traces of a user's data are removed immediately upon account deletion. Which solution should be implemented?

Question 112 (medium, multiple choice)

A healthcare organization uses a cloud-based electronic health record system. Patient data is encrypted at rest using server-side encryption with AWS KMS keys. The security team notices that during a recent security incident, an attacker used compromised credentials to decrypt and exfiltrate a large number of patient records. The attacker performed decryption operations using the KMS API, which was logged in CloudTrail. The organization wants to implement additional controls to prevent such bulk decryption in the future while still allowing authorized access. Which of the following is the BEST course of action?

Question 113 (medium, multiple choice)

A financial institution uses a cloud data warehouse to store transaction data. The data is classified into three tiers: public, internal, and confidential. The current architecture stores all data in a single dataset with column-level encryption for confidential fields. A recent internal penetration test revealed that an analyst with access to the data warehouse could query aggregated statistics that inadvertently revealed confidential individual transactions. The security team needs to implement a solution that prevents such data leakage while preserving analytical capabilities. Which solution BEST addresses this?

Question 114 (hard, multiple choice)

A large enterprise is migrating its data center workloads to a public cloud. The security policy requires that all sensitive data stored in cloud storage services be encrypted with keys managed by the enterprise's on-premises HSM. The cloud storage service offers server-side encryption with customer-provided keys (SSE-C). However, compliance regulations prohibit the transmission of encryption keys over the public internet. The enterprise also has a dedicated network connection to the cloud provider (e.g., AWS Direct Connect). The security team is considering several options. Which solution meets all requirements: (1) data encrypted at rest on the cloud service, (2) keys controlled by the enterprise, (3) keys never transmitted over the internet?

Question 115 (hard, multiple choice)

A cloud security architect is designing a data classification and labeling solution for a multinational corporation with offices in multiple countries. The corporation uses various SaaS applications (Office 365, Salesforce, etc.) and IaaS services. They require automatic classification of documents based on content (e.g., credit card numbers, social security numbers) and enforcement of protection policies (e.g., encryption, access restrictions) based on the classification. The solution must work across all cloud services and provide a unified management console. The corporation also needs to maintain data residency—data must not be stored in a different geographic region than where it was classified. Which cloud security solution BEST meets these requirements?

Question 116 (easy, multiple choice)

A small business uses a cloud file storage service to share project files with external partners. They have enabled versioning on the bucket, and each partner has a unique folder. The security team discovers that a former employee, who had administrative access, deleted all files in a partner's folder and then deleted the folder. The bucket's versioning allows restoration of the files, but the folder deletion cannot be undone. The business wants to prevent similar incidents in the future while still allowing external partners to upload and download files. Which approach should be taken?

Question 117 (medium, multiple choice)

An enterprise uses a cloud-based relational database service (e.g., AWS RDS) to store customer order data. The database is encrypted at rest using the cloud provider's default encryption. The security team is concerned about the risk of a rogue database administrator (DBA) exfiltrating data by creating unencrypted backups or snapshots and moving them to a different account. Which of the following controls would BEST mitigate this risk while maintaining operational efficiency?

Question 118 (medium, multi select)

A cloud security team is implementing a data discovery and classification program for their SaaS applications. Which TWO statements accurately describe best practices for data classification in the cloud?

Question 119 (hard, multiple choice)

A security architect applies the bucket policy shown in the exhibit to an Amazon S3 bucket containing sensitive data. What is the net effect of this policy?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```

Question 120 (easy, multiple choice)

A healthcare organization is migrating to AWS and must protect electronic protected health information (ePHI) stored in S3. They use AWS KMS with a custom key policy that restricts key usage to specific IAM roles. The compliance team discovers that some S3 objects are encrypted with AWS managed keys (SSE-S3) instead of the required SSE-KMS using the custom key. The security architect needs to ensure all future uploads use the customer-managed KMS key. After implementing a bucket policy that denies s3:PutObject if the required encryption is not present, the development team reports that their existing automation scripts fail with access denied errors. The scripts use the AWS SDK and do not explicitly set encryption headers. The security architect must find a solution that enforces encryption with the custom key while minimizing disruption. Which course of action BEST resolves the issue?
