20+ practice questions focused on Cloud Platform and Infrastructure Security — one of the most tested topics on the Certified Cloud Security Professional CCSP exam. Each question includes a detailed explanation so you learn why the right answer is correct.
Start Cloud Platform and Infrastructure Security PracticeA financial services company is migrating its on-premises data center to a public cloud IaaS environment. During the transition, the security team must ensure that the same network segmentation and firewall rules are maintained. Which of the following is the BEST approach to replicate the on-premises network security controls in the cloud?
Explanation: Option B is correct because VPCs with subnets and security groups provide native, software-defined network segmentation and stateful firewall rules that directly replicate on-premises network segmentation and ACLs. Security groups act as virtual firewalls at the instance level, while network ACLs provide subnet-level stateless filtering, together enabling granular control without extending the on-premises network.
A cloud architect is designing a multi-tier application in a public cloud. The web tier must be accessible from the internet, while the application and database tiers must only be reachable from the web tier. The architect needs to ensure that even if the web server is compromised, the attacker cannot directly access the database. Which architecture BEST meets this requirement?
Explanation: Option C is correct because it implements defense-in-depth by placing the web tier in a public subnet with a security group that allows inbound HTTP/HTTPS from the internet, while the app and database tiers reside in private subnets with security groups that only permit traffic from the web tier's security group. This ensures that even if the web server is compromised, the attacker cannot directly reach the database because the database security group explicitly denies traffic from any source other than the web tier's security group, and the private subnets have no direct internet route.
During a cloud migration, a company discovers that its existing virtual machine images contain embedded credentials and proprietary software that must not be exposed to the cloud provider's administrators. Which of the following is the BEST strategy to protect this sensitive data while maintaining the ability to create new instances?
Explanation: Option C is correct because encrypting the virtual machine images with a customer-provided key (CMK) integrated with the cloud provider's key management service ensures that the cloud provider's administrators cannot access the embedded credentials and proprietary software. The encryption is performed client-side or using envelope encryption where the CMK wraps a data encryption key, and only the customer holds the master key material. This allows the customer to create new instances from the encrypted image while maintaining full control over access to the sensitive data.
A company's security policy requires that all data stored in the cloud must be encrypted at rest. The cloud provider offers server-side encryption with either cloud-managed keys or customer-managed keys (CMK). Which additional control should the company implement to ensure that the CMK is not compromised and that access is auditable?
Explanation: Option A is correct because enabling automatic key rotation reduces the risk of key compromise by limiting the exposure window of any single key, while detailed audit logging for the key management service (e.g., AWS CloudTrail for KMS, Azure Monitor for Key Vault) provides an immutable record of all key usage and administrative actions. This combination ensures that even if a CMK is exposed, the window of vulnerability is minimized, and any unauthorized access or misuse is detectable through logs. Without these controls, the customer-managed key could remain static for long periods, increasing risk, and access events would not be auditable, violating the policy requirement.
A company is deploying a critical application on a public cloud IaaS platform. To ensure high availability and disaster recovery, which TWO of the following strategies should the company implement? (Choose two.)
Explanation: Deploying across multiple availability zones (AZs) within a region ensures that if one AZ experiences an outage, the application can continue serving traffic from another AZ, providing high availability. This is a fundamental cloud architecture pattern for fault tolerance, as each AZ is an isolated data center with independent power, cooling, and networking.
+15 more Cloud Platform and Infrastructure Security questions available
Practice all Cloud Platform and Infrastructure Security questions1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Cloud Platform and Infrastructure Security. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Cloud Platform and Infrastructure Security questions on the CCSP frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Cloud Platform and Infrastructure Security is tested as part of the Certified Cloud Security Professional CCSP blueprint. Practicing with targeted Cloud Platform and Infrastructure Security questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free CCSP practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Cloud Platform and Infrastructure Security is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.
Launch a full Cloud Platform and Infrastructure Security practice session with instant scoring and detailed explanations.
Start Cloud Platform and Infrastructure Security Practice →