Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CCSP Cloud Platform and Infrastructure Security • Complete Question Bank

CCSP Cloud Platform and Infrastructure Security — All Questions With Answers

Complete CCSP Cloud Platform and Infrastructure Security question bank — all 0 questions with answers and detailed explanations.

44 questions
Question 1 (easy, multiple choice)

A financial services company is migrating its on-premises data center to a public cloud IaaS environment. During the transition, the security team must ensure that the same network segmentation and firewall rules are maintained. Which of the following is the BEST approach to replicate the on-premises network security controls in the cloud?

Question 2 (medium, multiple choice)

A cloud architect is designing a multi-tier application in a public cloud. The web tier must be accessible from the internet, while the application and database tiers must only be reachable from the web tier. The architect needs to ensure that even if the web server is compromised, the attacker cannot directly access the database. Which architecture BEST meets this requirement?

Question 3 (hard, multiple choice)

During a cloud migration, a company discovers that its existing virtual machine images contain embedded credentials and proprietary software that must not be exposed to the cloud provider's administrators. Which of the following is the BEST strategy to protect this sensitive data while maintaining the ability to create new instances?

Question 4 (easy, multiple choice)

A company's security policy requires that all data stored in the cloud must be encrypted at rest. The cloud provider offers server-side encryption with either cloud-managed keys or customer-managed keys (CMK). Which additional control should the company implement to ensure that the CMK is not compromised and that access is auditable?

Question 5 (medium, multi select)

A company is deploying a critical application on a public cloud IaaS platform. To ensure high availability and disaster recovery, which TWO of the following strategies should the company implement? (Choose two.)

Question 6 (hard, multiple choice)

A multinational corporation is deploying a containerized microservices application on a public cloud Kubernetes cluster. The cluster spans three availability zones in a single region. The application consists of a front-end service, a payment service, and a database service. The security team requires that the payment service must not be directly accessible from the internet, but must be accessible from the front-end service. The database must only be accessible from the payment service. Additionally, all inter-service communication must be encrypted, and the cluster must be able to scale up to 500 nodes during peak load. The cloud provider's container orchestration service is used. After deployment, the security team discovers that the payment service is still reachable from the internet via a public load balancer that was configured for testing. The team needs to remediate this issue immediately without disrupting the front-end service. Which of the following actions should the team take FIRST?

Question 7 (easy, multi select)

A security architect is designing a cloud workload protection platform (CWPP) for a hybrid cloud environment. The architect needs to ensure that security policies are consistently applied across virtual machines running in both on-premises and public cloud environments. Which TWO components are essential for achieving this goal?

Question 8 (medium, multiple choice)

A cloud security engineer reviews the IAM policy shown in the exhibit, which is attached to an S3 bucket. The engineer finds that users from outside the 10.0.0.0/8 network can still download objects from the bucket. What is the most likely reason for this behavior?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}

Question 9 (hard, multiple choice)

A large financial institution hosts a critical application in a multi-cloud environment using AWS and Azure. The application processes sensitive customer data and requires low-latency access to a shared database. The database is deployed as a MySQL instance in AWS RDS, and the Azure application instances connect to it over the public internet using SSL. Recently, the security team discovered that the database connection traffic is being routed through an unencrypted proxy, exposing the data in transit. The network architect must redesign the connectivity to ensure encryption end-to-end and minimize latency. The current setup includes an AWS Direct Connect and an Azure ExpressRoute that both terminate at the same on-premises data center. The on-premises network has a firewall that inspects all traffic. The architect proposes using the on-premises data center as an intermediary to route traffic between clouds. Which of the following solutions best addresses the security and latency requirements?

Question 10 (medium, drag order)

Drag and drop the steps for implementing a disaster recovery plan using cross-region replication in AWS into the correct order.

Question 11 (medium, matching)

Match each key management solution to its characteristic.

Hardware-based key generation and storage

Software-based key lifecycle management

Customer-managed keys in cloud provider HSM

Customer holds and manages own keys

Question 12 (easy, multiple choice)

A company wants to enforce that all EC2 instances launched in a specific AWS account are tagged with the key "Environment" and "Owner". What is the most effective way to enforce this policy?

Question 13 (medium, multiple choice)

An organization requires that all data at rest in a cloud storage service be encrypted using a key that is managed entirely on-premises and never exposed to the cloud provider. The organization wants to use server-side encryption. Which approach should be used?

Question 14 (hard, multiple choice)

A multi-tier web application is deployed across two VPCs connected via VPC peering. The web tier in VPC A must communicate with the database tier in VPC B on port 3306. Security groups are used for instance-level security. Which security group configuration is MOST secure?

Question 15 (easy, multiple choice)

A developer accidentally launched an EC2 instance with an overly permissive security group that allows SSH from 0.0.0.0/0. After a security review, the team wants to ensure this cannot happen again. What is the MOST effective preventive control?

Question 16 (medium, multiple choice)

A company is using AWS CloudTrail to log API calls. A security analyst needs to be alerted when an IAM user creates a new access key for another user. Which CloudTrail event should be monitored?

Question 17 (hard, multiple choice)

An organization has a cloud environment with many accounts. They want to prevent any account from using certain services that are not approved (e.g., outside of a defined list). What is the BEST way to enforce this at the organizational level?

Question 18 (easy, multiple choice)

A cloud administrator needs to ensure that all data transferred between an on-premises data center and a cloud VPC is encrypted in transit. Which solution should be used?

Question 19 (medium, multiple choice)

A security engineer is reviewing logs and finds repeated failed login attempts to a cloud database instance. The database is accessible only from a specific security group. What is the BEST immediate action to reduce the attack surface?

Question 20 (hard, multiple choice)

A company uses AWS Organizations with multiple accounts. A security team wants to ensure that a specific S3 bucket in the production account cannot be deleted by anyone, including the root user of that account. Which control should be implemented?

Question 21 (medium, multi select)

A cloud security team is designing a defense-in-depth strategy for a web application. Which TWO of the following are effective network-level security controls? (Choose two.)

Question 22 (hard, multi select)

An organization is migrating critical workloads to the cloud and must ensure data confidentiality. Which THREE of the following practices help protect data in transit? (Choose three.)

Question 23 (easy, multi select)

Which TWO of the following are recommended practices for securing cloud storage buckets? (Choose two.)

Question 24 (medium, multiple choice)

Refer to the exhibit. A security engineer attaches this bucket policy to an S3 bucket. What does this policy accomplish?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "BoolIfExists": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Question 25 (easy, multiple choice)

Refer to the exhibit. A CloudFormation template defines a security group as shown. What is the security concern with this configuration?

Exhibit

Resources:
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web server security group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

Question 26 (hard, multiple choice)

Refer to the exhibit. A security analyst reviews this CloudTrail log entry. What is the most immediate concern?

Exhibit

[CloudTrail Log Entry]
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "arn": "arn:aws:iam::123456789012:user/john.doe",
    "accountId": "123456789012"
  },
  "eventTime": "2024-04-01T14:30:00Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress",
  "requestParameters": {
    "groupId": "sg-0123456789abcdef0",
    "ipPermissions": {
      "items": [
        {
          "ipProtocol": "tcp",
          "fromPort": 22,
          "toPort": 22,
          "ipRanges": [
            {"cidrIp": "0.0.0.0/0"}
          ]
        }
      ]
    }
  },
  "responseElements": {
    "requestId": "abc123",
    "_return": true
  }
}

Question 27 (medium, multiple choice)

A company is migrating on-premises workloads to IaaS. They need to ensure that virtual machine images are secure and free of malware. Which approach is best practice?

Question 28 (easy, multiple choice)

A cloud administrator notices that a storage bucket containing sensitive data is publicly accessible. What is the most likely misconfiguration?

Question 29 (hard, multiple choice)

A financial services firm uses a hybrid cloud architecture with a VPN connection to AWS. They need to comply with PCI DSS requirements for network segmentation. Which design is best?

Question 30 (medium, multiple choice)

A cloud security engineer is designing a disaster recovery plan for a critical application running on virtual machines. The RTO is 4 hours and RPO is 1 hour. Which approach meets these requirements?

Question 31 (easy, multiple choice)

An organization wants to encrypt data at rest in a cloud object storage service. Which control is appropriate?

Question 32 (hard, multiple choice)

A DevOps team is deploying containers in a Kubernetes cluster. They need to ensure that container images are scanned for vulnerabilities before deployment. Which is the most effective approach?

Question 33 (medium, multiple choice)

A company uses a cloud provider's key management service. They want to rotate keys automatically every 90 days. What is the correct way to achieve this?

Question 34 (medium, multi select)

A security architect is designing network segmentation for a multi-tier application in the cloud. Which TWO configurations help enforce micro-segmentation? (Choose two.)

Question 35 (easy, multi select)

A cloud security team is auditing a cloud environment and needs to ensure compliance with logging requirements. Which TWO actions are essential? (Choose two.)

Question 36 (hard, multi select)

A company is implementing a software-defined perimeter (SDP) for their cloud environment. Which THREE characteristics are typical of an SDP? (Choose three.)

Question 37 (medium, multiple choice)

Refer to the exhibit. A security analyst finds this IAM policy attached to an S3 bucket. What is the primary security issue?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Principal": "*"
    }
  ]
}

Question 38 (hard, multiple choice)

Refer to the exhibit. A cloud administrator sees this error when trying to provision an EC2 instance. Which is the best course of action?

Exhibit

[Error] Failed to launch instance i-123456: 
InsufficientInstanceCapacity – There is no capacity available for the requested instance type in this Availability Zone.

Question 39 (hard, multiple choice)

A large healthcare organization runs its electronic health records (EHR) system on a private cloud built with VMware vSphere. They have implemented a hybrid cloud strategy with a public cloud provider for disaster recovery. The EHR application is mission-critical and must maintain high availability with zero data loss. During a routine audit, the security team discovers that the replication between the private cloud and the public cloud uses asynchronous replication with a 15-minute recovery point objective (RPO). However, the application requires an RPO of less than 1 minute. Additionally, the replication data is not encrypted in transit. The compliance officer demands immediate remediation. The cloud architect must propose a solution that meets the RPO requirement and ensures encryption of data in transit. Which of the following actions is the most appropriate first step?

Question 40 (medium, multiple choice)

A medium-sized e-commerce company uses a cloud provider's container orchestration service (e.g., Amazon ECS or Google Kubernetes Engine). They have a security requirement to ensure that all containers run with the least privilege principle. The development team often requests containers to run as root for debugging purposes. The security team wants to enforce a policy that prevents containers from running as root in the production environment. However, the development team still needs the ability to troubleshoot occasionally. The cloud security architect must design a solution that restricts root privilege in production but allows controlled troubleshooting. Which of the following approaches is the most effective?

Question 41 (easy, multiple choice)

A small business recently migrated its file server to a cloud storage service like Amazon S3. They use bucket policies to control access. The IT manager, who is not a security expert, configured the bucket policy to allow all users within the company's AWS account to have read and write access. During an internal audit, it was discovered that the bucket also had a public ACL that allowed 'Everyone' to read objects. The security analyst needs to fix the misconfiguration and prevent future occurrences. Which of the following actions should the analyst take first?

Question 42 (medium, multi select)

A cloud security architect is concerned about potential side-channel attacks against VMs running on a shared hypervisor. Which TWO of the following measures would be most effective in mitigating such attacks?

Question 43 (hard, multiple choice)

Refer to the exhibit. A cloud security administrator is reviewing the following security group configuration associated with a web server instance. What security best practice is being violated?

Exhibit

{
  "SecurityGroup": {
    "GroupName": "sg-web",
    "IngressRules": [
      { "Protocol": "TCP", "PortRange": "443", "SourceCIDR": "10.0.0.0/8" },
      { "Protocol": "TCP", "PortRange": "22", "SourceCIDR": "0.0.0.0/0" }
    ],
    "EgressRules": [
      { "Protocol": "TCP", "PortRange": "443", "DestinationCIDR": "0.0.0.0/0" }
    ]
  }
}

Question 44 (easy, multiple choice)

A financial services company uses a public IaaS provider to host its customer-facing applications. They have strict compliance requirements (e.g., PCI DSS) mandating that all customer data be encrypted at rest and in transit. The cloud provider recently performed a scheduled hypervisor update that required live migration of all customer VMs to different physical hosts to apply security patches. After the migration, the company's security team discovers that temporary files from one of their VMs remained on the original host's local storage and were accessible by another customer's VM that was subsequently provisioned on that host. Although the files did not contain actual customer data because the VM had encrypted its volumes, the security team is concerned about potential data remanence. Which of the following actions would BEST prevent such data remanence in future hypervisor migrations?
