CCSP Legal, Risk and Compliance • Complete Question Bank
Complete CCSP Legal, Risk and Compliance question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit.
```
Bucket: my-company-logs
Region: us-east-1
Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-company-logs/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}
```
Refer to the exhibit.
```
Error Log Entry:
Timestamp: 2024-08-15T14:23:10Z
User: [email protected]
Action: PutObject
Resource: s3://finance-reports/quarterly.xlsx
Status: AccessDenied
Source IP: 203.0.113.45
UserAgent: [ConsoleLogin]
Additional: The user does not have permissions to write to this bucket.
```
Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::data-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::data-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Match each concept to its description:
Trust relationship between identity providers
Single authentication for multiple systems
Multiple authentication factors
Access based on role assignments
Match each concept to its description:
Cloud security posture management
Cloud workload protection platform
Cloud access security broker
Security information and event management
Refer to the exhibit.
```
Contract Clause: "The Provider shall ensure that all Sub-Processors adhere to a level of protection at least equivalent to that provided by this Agreement. Provider shall notify Customer of any intended changes concerning addition or replacement of Sub-Processors, thereby giving Customer the opportunity to object to such changes."
```
Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucket/*"
    }
  ]
}
```
Refer to the exhibit.
```
SOC 2 Type II Report Sections:
1. System Description
2. Control Criteria
3. Tests of Controls and Results (Audit period: Jan 1 - Dec 31, 2023)
Report Issued: Feb 15, 2024
```
```
[2023-10-05 14:23:11] ALERT: Unauthorized access attempt detected from IP 203.0.113.50 to customer data bucket. Access denied due to IAM policy restriction. Incident ID: INC-78901.
```
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::company-data/*"
    }
  ]
}
```
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
```
```
{
  "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteObject",
  "requestParameters": {
    "bucketName": "prod-customer-data",
    "key": "records/2023/01/taxinfo.csv"
  },
  "userIdentity": {
    "arn": "arn:aws:iam::123456789012:user/john.doe",
    "accountId": "123456789012"
  },
  "sourceIPAddress": "10.0.0.5",
  "responseElements": {
    "x-amz-id-2": "example"
  }
}
```
```
{
  "properties": {
    "roleDefinitionId": "/subscriptions/.../providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "scope": "/subscriptions/.../resourceGroups/Finance/providers/Microsoft.Storage/storageAccounts/finance-data",
    "condition": null
  }
}
```
Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
```
Your organization, a healthcare provider subject to HIPAA, has migrated electronic protected health information (ePHI) to a public cloud IaaS provider. The cloud provider offers default encryption at rest using their managed key service. During a recent audit, it was discovered that the encryption keys are generated and stored by the cloud provider without any customer involvement. The auditor states that this arrangement may violate HIPAA requirements because the covered entity does not have exclusive control over the keys. You need to ensure compliance while maintaining cost efficiency. After discussing with the cloud provider, they suggest the following options:

A. Enable client-side encryption using a custom key management system (KMS) on the customer's premises.
B. Use the provider's default encryption and rely on their BAA that states they will protect the keys.
C. Implement a third-party key management solution that stores keys in the cloud but is controlled by the customer.
D. Disable encryption and rely on access controls and auditing only.

Which option best addresses the compliance requirement while considering the operational impact?
A multinational corporation uses a SaaS application for customer relationship management (CRM). The CRM application stores customer data including names, email addresses, and purchase history. The company has operations in the EU, California, and Japan. A new regulation in Japan requires that any transfer of personal data outside Japan must have the data subject's consent if the destination country does not have an adequacy decision. The company's cloud provider stores data in the United States. The company currently relies on the provider's data processing agreement that includes standard contractual clauses (SCCs). However, the Japanese regulator has stated that SCCs are not sufficient for transfers from Japan unless supplemented. You are tasked with ensuring compliance for Japanese data subjects. Which of the following is the most appropriate next step?

A. Obtain explicit consent from each Japanese data subject for data transfer to the US.
B. Move the data for Japanese subjects to a data center in Japan.
C. Continue using SCCs as they are recognized internationally.
D. Pseudonymize the data before transfer.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::confidential-data/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```