20+ practice questions focused on Legal, Risk and Compliance — one of the most tested topics on the Certified Cloud Security Professional CCSP exam. Each question includes a detailed explanation so you learn why the right answer is correct.
Start Legal, Risk and Compliance PracticeA company's cloud infrastructure is subject to GDPR. The DPO requires that all customer personal data be encrypted at rest and in transit. The cloud provider offers SSE-S3 for object storage and enforces TLS 1.2 for API calls. Which additional control should the company implement to meet GDPR accountability requirements?
Explanation: While SSE-S3 and TLS 1.2 address encryption at rest and in transit, GDPR accountability requires the company to demonstrate compliance through audit trails. Enabling detailed logging of all access to encrypted data (Option B) provides the necessary records to prove who accessed personal data, when, and from where, fulfilling the 'demonstrate compliance' principle under Article 5(2) and Article 30 of the GDPR.
A financial institution uses a multi-cloud strategy with AWS and Azure. They must comply with PCI DSS. The security team found that a developer accidentally stored a file with credit card numbers in an S3 bucket that is publicly readable. Which immediate action should be taken to contain the breach?
Explanation: Option C is correct because removing the public read permission on the S3 bucket immediately stops unauthorized access to the file containing credit card numbers, containing the breach in accordance with PCI DSS incident response requirements. This action does not destroy evidence (unlike deletion) and directly addresses the root cause—the bucket's misconfigured access control list (ACL) or bucket policy that allowed public read access. It is the fastest way to prevent further data exfiltration while preserving the file for forensic analysis.
A cloud service provider (CSP) offers a shared responsibility model. According to this model, who is responsible for patching the hypervisor?
Explanation: Option A is correct because the hypervisor is part of the underlying infrastructure, which the CSP manages. Option B is wrong because the customer does not have access to patch the hypervisor. Option C is wrong because a third party is not involved. Option D is wrong because the hypervisor is not typically managed by a regulatory body.
A company is migrating to the cloud and must comply with the Health Insurance Portability and Accountability Act (HIPAA). They plan to store electronic protected health information (ePHI) in a cloud database. Which of the following is a mandatory requirement for the cloud service agreement?
Explanation: Under HIPAA, a covered entity or business associate must have a written Business Associate Agreement (BAA) with any cloud service provider (CSP) that creates, receives, maintains, or transmits electronic protected health information (ePHI) on their behalf. The BAA is a mandatory contractual requirement that establishes the CSP's permitted uses and disclosures of ePHI, as well as its obligations to safeguard the data. Without a signed BAA, the CSP cannot lawfully handle ePHI, making this the only option that is a direct regulatory mandate under HIPAA.
An e-commerce company uses a cloud-based web application firewall (WAF) to protect against common web exploits. The security team notices that a specific IP address is sending a high volume of requests that appear to be a DDoS attack. What is the best immediate response to mitigate the attack while minimizing impact on legitimate users?
Explanation: Option D is correct because rate limiting at the WAF allows the security team to restrict the volume of requests from the offending IP address without completely blocking it. This approach ensures that legitimate traffic from that IP (e.g., a shared NAT gateway or a user with a dynamic IP) can still pass through, while the DDoS attack traffic is throttled. WAFs typically support granular rate-limiting rules based on IP, session, or URI, making this the most precise and least disruptive immediate response.
+15 more Legal, Risk and Compliance questions available
Practice all Legal, Risk and Compliance questions1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Legal, Risk and Compliance. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Legal, Risk and Compliance questions on the CCSP frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Legal, Risk and Compliance is tested as part of the Certified Cloud Security Professional CCSP blueprint. Practicing with targeted Legal, Risk and Compliance questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free CCSP practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Legal, Risk and Compliance is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.
Launch a full Legal, Risk and Compliance practice session with instant scoring and detailed explanations.
Start Legal, Risk and Compliance Practice →