SY0-701 Security Architecture • Complete Question Bank
VLAN and ACL summary:
- VLAN 10 User PCs: access to file and print services
- VLAN 30 Backup network: access to BackupSrv only
- Current rule added last week: permit ip VLAN10 any -> VLAN30 any
- BackupSrv -> VLAN10 tcp/445 allowed for restore jobs
Concern: ransomware on a user PC could now reach backup repositories.
Device management config:
line vty 0 4
 transport input telnet ssh
 login local
SNMP community: public RO
Management IP: 198.51.100.14/32 reachable from WAN
Requirement: administrators must manage the device remotely without exposing credentials in transit.
Cloud deployment summary:
- Public API runs on an IaaS virtual machine
- Database runs on a managed PaaS service
- Object storage holds user uploads
- Provider responsibility: datacenter, hardware, hypervisor, managed DB platform
- Customer responsibility: guest OS, IAM, network rules, application code
Finding: TCP/22 on the API VM is reachable from 0.0.0.0/0.
Order service topology:
Internet -> Load balancer -> App Server A
Internet -> Load balancer -> App Server B
Database -> Single instance in AZ1
Application servers are stateless.
Requirement: service must continue if one app server goes down, with no manual failover steps.
Identity integration status:
- Corporate IdP SAML SSO: Enabled
- SaaS local accounts: Still manually managed
- HR termination event: User disabled in the IdP
- SaaS access after termination: Still active until help desk removes account
Requirement: access changes must flow to the app within minutes without manual ticket handling.
Guest WLAN uses VLAN 20. Current ACL on the VLAN 20 SVI:
- permit udp any eq 53 any
- permit udp any eq 67 any
- permit ip 10.50.20.0/24 any
- deny ip any 10.0.0.0/8
- deny ip any 172.16.0.0/12
- deny ip any 192.168.0.0/16
Default route sends remaining traffic to the ISP.
Requirement: guests should have internet-only access.
SaaS sign-in settings:
- Local accounts: Enabled
- SAML SSO: Disabled
- SCIM provisioning: Disabled
- Password synchronization: Disabled
Requirement: users from the acquired subsidiary must use their existing corporate identities without separate SaaS passwords.
MDM profile for field tablets:
- Device encryption: Enabled
- Work profile/container: Disabled
- Corporate apps can access personal storage: Enabled
- Selective wipe: Not configured
User requirement: company email and ERP must be isolated from personal photos and apps.
Based on the exhibit, which network change best isolates finance workstations from general user PCs while still allowing printing and application access?
VLAN table:
- VLAN 20 Users: 10.20.20.0/24
- VLAN 30 Finance: 10.20.30.0/24
- VLAN 40 Printers: 10.20.40.0/24
- VLAN 50 Accounting App: 10.20.50.0/24
Current SVI routing policy:
permit ip any any
Management goal: Finance devices must not initiate traffic to User VLAN 20, but they must be able to print and access the accounting application.
Based on the exhibit, which logging capability should be enabled first to create an audit trail for cloud administration changes?
Exhibit:
2026-04-25 09:14:03 iam:AttachRolePolicy user=alice
2026-04-25 09:15:10 ec2:AuthorizeSecurityGroupIngress user=alice
2026-04-25 09:16:22 s3:PutBucketPolicy user=alice
Requirement: Security wants to track management-plane API calls and configuration changes across cloud resources.
Based on the exhibit, which identity architecture change best addresses the repeated password resets and delayed offboarding across the company's SaaS applications?
Exhibit:
- SaaS A uses local user accounts
- SaaS B uses local user accounts
- SaaS C supports SAML and automated provisioning
- Help desk reports 120 password reset tickets per month
- Former employees can remain active in two apps for up to 24 hours after termination
Management wants one sign-in and faster deprovisioning.
Matching exercise: match each concept to its description.
- Defines which security tasks belong to the cloud provider and which remain with the customer
- Separates one customer's cloud resources from another customer's resources
- Uses the provider's logging service to record workload and control-plane activity
- Places workload resources where they are not directly exposed to the internet
Matching exercise: match each concept to its description.
- Network segment for internet-facing services such as a public web proxy or reverse proxy
- Segment for internal systems such as databases that should not be directly reachable from the internet
- Restricted network used for switch, firewall, and server administration traffic
- Internet-only network for visitors and unmanaged devices
Based on the exhibit, which cloud deployment choice best satisfies the workload requirements?
Exhibit:
Workload requirements:
- Processes regulated customer records
- Should not share underlying compute with other tenants if avoidable
- Team wants provider-managed hardware maintenance
- Application will run in a public cloud
Which deployment choice is the best fit?
Based on the exhibit, which change best reduces exposure for the public web application while keeping the backend tiers protected?
The current design is:
Internet -> Firewall -> DMZ VLAN 10: reverse proxy
Private App VLAN 20: application server 10.10.20.20
Private DB VLAN 30: database server 10.10.30.30
User VLAN 40: internal workstations
ACL summary:
1. permit tcp any -> 10.10.10.10 eq 443
2. permit tcp 10.10.10.10 -> 10.10.20.20 eq 8443
3. permit tcp 10.10.20.20 -> 10.10.30.30 eq 1433
4. deny ip any -> 10.10.30.30
Matching exercise: match each concept to its description.
- Tracks connection state and allows return traffic for approved sessions
- Allows or denies traffic using source, destination, port, and protocol rules without tracking sessions
- Blocks traffic unless a rule explicitly permits it
- Limits traffic moving between internal subnets or tiers
Based on the exhibit, which action best addresses both the unsanctioned software problem and the need for consistent endpoint configuration?
Exhibit:
Device group: Sales-Laptops
Baseline check:
- Approved browser: installed
- Approved EDR: installed
- Unapproved remote admin tool: detected on 14 endpoints
- Local administrator rights: granted to all users in group
- Patch compliance: 68%
Management wants to prevent unauthorized software from running and keep future builds consistent.
Based on the exhibit, which hardening change best prevents a laptop from booting unapproved tools from external media?
Exhibit:
UEFI Setup
- Secure Boot: Disabled
- Boot order: USB, External NIC, Internal SSD
- Firmware admin password: Not configured
- BitLocker status: Enabled
Incident note: A technician confirmed the laptop was started from a USB recovery stick that bypassed the normal corporate login workflow.
Based on the exhibit, which access design change best reduces fraud risk without stopping the payroll process?
Exhibit:
Payroll application roles:
- HR-Editor: can update employee records
- Payroll-Approver: can release payment batches
- Audit-Reader: can view reports only
Current assignment: User Lisa has both HR-Editor and Payroll-Approver because she "handles payroll end to end." Management wants to reduce the chance of one person creating and approving a fraudulent payment.
Matching exercise: match each concept to its description.
- A subnet that hosts public-facing web servers while keeping them separated from the internal LAN.
- Separating finance and engineering workstations on the same switches into different broadcast domains.
- A rule set that allows only TCP 8443 from the web tier to the application tier and denies everything else.
- Restricting east-west traffic between individual workloads inside the same data center or cloud cluster.
- Grouping systems that share similar security requirements and access assumptions for policy design.
Current firewall policy excerpt:
1. Allow any source -> WEB01 tcp/443
2. Allow any source -> WEB01 tcp/80
3. Allow ADMIN-SUBNET -> WEB01 tcp/22
4. Deny all other inbound traffic
Topology note: WEB01 currently sits on the same subnet as internal application servers.
Application requirements summary:
- Developers want to deploy code without managing operating system patches.
- The platform must auto-scale during seasonal traffic spikes.
- Security wants the provider to handle runtime patching and host hardening.
- The team still needs control over the application code and database schema.
MDM dashboard excerpt:
- iOS device compliance: 84%
- Android device compliance: 79%
- Email app access policy: Allow if credentials are valid
- Noncompliance reasons: outdated OS, no passcode, jailbreak/root indicators
- Lost device action: Full factory reset only
Security request: Block risky devices from email access and protect employee personal data on BYOD devices.
Identity review notes:
- HR termination events are exported daily from the HR system.
- SaaS Admin Console shows 17 inactive contractor accounts still enabled.
- The application supports SAML SSO.
- SCIM provisioning is currently disabled.
- Deactivation requests are handled through email tickets.
Data export sample:
CustomerName, CardNumber, OrderTotal, Region
A. Lee, 4532 1100 8822 7744, 158.22, West
B. Patel, 6011 9009 1044 2219, 41.88, East
C. Jones, 6011 9010 3321 1197, 92.10, South
Business requirement:
- Analytics team needs repeated values for reporting and joins
- Full card numbers must not appear in reports or test data
Backup job summary:
- Nightly backups land on a network-attached storage device joined to the domain
- Weekly copies are exported to a USB drive and kept in a cabinet in the server room
- Backup administrators use the same privileged domain accounts as server admins
- No immutable or offline copy exists
- Restore tests occur quarterly
Wireless configuration review:
SSID: CORP-WIFI
Security: WPA2-Personal
PSK age: 14 months
NAC integration: Disabled
Allowed devices: Any device with the shared passphrase
Mobile device policy:
- Corporate email is available from personal devices
- Lost-device wipe is not configured
- Device certificates are not issued
Access switch VLAN table:
VLAN 10 - Corporate workstations - 126 devices
VLAN 10 - VoIP phones - 41 devices
VLAN 10 - Badge readers - 18 devices
VLAN 10 - Cameras - 24 devices
VLAN 20 - Guest Wi-Fi - Internet only
Incident note: A compromised workstation was able to reach a badge reader and a camera using internal IP addresses.
Matching exercise: match each concept to its description.
- DMZ
- Bastion host
- Microsegmentation
- Zero Trust Network Access (ZTNA)
- Load balancer