Courseiva
Knowledge + Practice

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CCSP Cloud Platform and Infrastructure Security Practice Questions

20+ practice questions focused on Cloud Platform and Infrastructure Security — one of the most tested topics on the Certified Cloud Security Professional CCSP exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Sample Cloud Platform and Infrastructure Security Questions

1.

A financial services company is migrating its on-premises data center to a public cloud IaaS environment. During the transition, the security team must ensure that the same network segmentation and firewall rules are maintained. Which of the following is the BEST approach to replicate the on-premises network security controls in the cloud?

A. Configure a site-to-site VPN between on-premises and cloud to extend the existing network.
B. Use virtual private clouds (VPCs) with subnets and security groups to enforce segmentation and firewall rules.
C. Implement an intrusion detection and prevention system (IDPS) to monitor traffic.
D. Deploy a software-defined WAN (SD-WAN) to manage network traffic between cloud resources.

Explanation: Option B is correct because VPCs with subnets and security groups provide native, software-defined network segmentation and stateful firewall rules that directly replicate on-premises network segmentation and ACLs. Security groups act as virtual firewalls at the instance level, while network ACLs provide subnet-level stateless filtering, together enabling granular control without extending the on-premises network.

2.

A cloud architect is designing a multi-tier application in a public cloud. The web tier must be accessible from the internet, while the application and database tiers must only be reachable from the web tier. The architect needs to ensure that even if the web server is compromised, the attacker cannot directly access the database. Which architecture BEST meets this requirement?

A. Place all tiers in the same subnet and use a single security group to control inbound traffic.
B. Place all tiers in the same VPC but different subnets, and use network ACLs to restrict traffic.
C. Place the web tier in a public subnet with a security group allowing HTTP/HTTPS from 0.0.0.0/0, and place the app and database tiers in private subnets with security groups allowing traffic only from the web tier's security group.
D. Use a VPN to connect the tiers and rely on IPsec policies for segmentation.

Explanation: Option C is correct because it implements defense-in-depth by placing the web tier in a public subnet with a security group that allows inbound HTTP/HTTPS from the internet, while the app and database tiers reside in private subnets with security groups that only permit traffic from the web tier's security group. This ensures that even if the web server is compromised, the attacker cannot directly reach the database because the database security group explicitly denies traffic from any source other than the web tier's security group, and the private subnets have no direct internet route.

3.

During a cloud migration, a company discovers that its existing virtual machine images contain embedded credentials and proprietary software that must not be exposed to the cloud provider's administrators. Which of the following is the BEST strategy to protect this sensitive data while maintaining the ability to create new instances?

A. Use a VPN to encrypt data in transit between the on-premises environment and the cloud.
B. Use a cryptographic hash of the image to ensure integrity, and store the image in object storage with access controls.
C. Encrypt the virtual machine images using a customer-provided key (CMK) integrated with the cloud provider's key management service.
D. Tokenize the embedded credentials and replace them with placeholders in the image.

Explanation: Option C is correct because encrypting the virtual machine images with a customer-provided key (CMK) integrated with the cloud provider's key management service ensures that the cloud provider's administrators cannot access the embedded credentials and proprietary software. The encryption is performed client-side or using envelope encryption where the CMK wraps a data encryption key, and only the customer holds the master key material. This allows the customer to create new instances from the encrypted image while maintaining full control over access to the sensitive data.

4.

A company's security policy requires that all data stored in the cloud must be encrypted at rest. The cloud provider offers server-side encryption with either cloud-managed keys or customer-managed keys (CMK). Which additional control should the company implement to ensure that the CMK is not compromised and that access is auditable?

A. Enable automatic key rotation and configure detailed audit logging for the key management service.
B. Implement a VPN for all management traffic to the cloud provider's API.
C. Enable multi-factor authentication (MFA) for all cloud console users.
D. Use encryption in transit (TLS) for all data transfers to and from the cloud.

Explanation: Option A is correct because enabling automatic key rotation reduces the risk of key compromise by limiting the exposure window of any single key, while detailed audit logging for the key management service (e.g., AWS CloudTrail for KMS, Azure Monitor for Key Vault) provides an immutable record of all key usage and administrative actions. This combination ensures that even if a CMK is exposed, the window of vulnerability is minimized, and any unauthorized access or misuse is detectable through logs. Without these controls, the customer-managed key could remain static for long periods, increasing risk, and access events would not be auditable, violating the policy requirement.

5.

A company is deploying a critical application on a public cloud IaaS platform. To ensure high availability and disaster recovery, which TWO of the following strategies should the company implement? (Choose two.)

A. Deploy the application across multiple availability zones within a region.
B. Use an active-passive configuration with both instances in the same availability zone.
C. Configure the application to run in only one region to simplify management.
D. Implement automated snapshots and replicate data to a different geographic region.

Explanation: Deploying across multiple availability zones (AZs) within a region ensures that if one AZ experiences an outage, the application can continue serving traffic from another AZ, providing high availability. This is a fundamental cloud architecture pattern for fault tolerance, as each AZ is an isolated data center with independent power, cooling, and networking.


How to master Cloud Platform and Infrastructure Security for CCSP

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Cloud Platform and Infrastructure Security. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Cloud Platform and Infrastructure Security questions on the CCSP frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many CCSP Cloud Platform and Infrastructure Security questions are on the real exam?

The exact number varies per candidate. Cloud Platform and Infrastructure Security is tested as part of the Certified Cloud Security Professional CCSP blueprint. Practicing with targeted Cloud Platform and Infrastructure Security questions ensures you can handle any format or difficulty that appears.

Are these CCSP Cloud Platform and Infrastructure Security practice questions free?

Yes. Courseiva provides free CCSP practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Cloud Platform and Infrastructure Security one of the harder CCSP topics?

Difficulty is subjective, but Cloud Platform and Infrastructure Security is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.

