Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


SY0-701 Security Architecture • Complete Question Bank

SY0-701 Security Architecture — All Questions With Answers

Complete SY0-701 Security Architecture question bank — all 0 questions with answers and detailed explanations.

221 questions. Free, no signup.
Question 1 (medium, multiple choice)

A company is redesigning its network to host a public-facing web application that accesses a confidential database. The security team needs to minimize the risk of a direct attack against the database server while still allowing the web server to retrieve and update data. Which network architecture best achieves this objective?

Question 2 (medium, multiple choice)

A security architect is designing a new data center network that will host public-facing web servers and internal application servers handling confidential employee data. The architect places the web servers in a DMZ and the internal application servers on a separate internal network segment. A stateful firewall is configured to allow inbound HTTP/HTTPS traffic from the internet to the web servers only. The firewall also permits only the web servers to initiate outbound connections to the internal application servers on a specific TCP port, and all such traffic is encrypted using TLS. Which security architecture principle is this design primarily intended to enforce?

Question 3 (medium, multiple choice)

A company's current remote access solution uses a traditional VPN that grants users full network-layer access to the internal LAN once authenticated. The security architect wants to adopt a zero trust architecture to reduce the risk of lateral movement by compromised endpoints. Which of the following implementations best aligns with zero trust principles?

Question 4 (medium, multiple choice)

A security architect is designing a solution to process highly sensitive financial transactions in a shared cloud environment. The architect needs to ensure that the processor and memory used to handle transaction data are isolated from the host operating system and other virtual machines, even if the hypervisor is compromised. Which technology is specifically designed to provide this level of isolation for code and data during runtime?

Question 5 (medium, multiple choice)

A security architect is redesigning remote administration for a set of critical Linux servers in a private cloud. Currently, system administrators connect directly from their corporate laptops to the servers over the internet using SSH. The architect's primary goal is to eliminate direct inbound SSH connections from the internet while still allowing authorized administrators to perform maintenance tasks. Which of the following architectural changes would best achieve this objective?

Question 6 (medium, multiple choice)

A security architect is designing the network security for a web application hosted in a public cloud environment such as AWS. The application uses an Application Load Balancer (ALB) that distributes traffic to a fleet of web servers. The web servers must only accept traffic from the ALB, and all other inbound traffic must be blocked. The ALB itself needs to accept HTTP/HTTPS traffic from anywhere on the internet. Which of the following cloud security controls should the architect configure on the web servers' network interface to best meet this requirement, assuming the cloud provider offers both stateful and stateless network filtering options?

Question 7 (medium, multiple choice)

A security architect at a retail company is deploying a new e-commerce platform that processes credit card payments. The architect needs to minimize the scope of the PCI DSS assessment. The platform consists of a web server, an application server, and a database server. The cardholder data (credit card numbers) will be processed and stored only on the database server. Which of the following network architecture designs would best reduce the PCI DSS scope?

Question 8 (medium, multiple choice)

A security architect is designing a solution to securely store sensitive customer data in a cloud object storage service. The architect's primary concern is that if the storage bucket is accidentally configured as publicly accessible, the data should still be protected from unauthorized viewing. Which of the following architectural designs provides the strongest defense in depth to meet this concern?

Question 9 (medium, multiple choice)

A security architect is redesigning the network for a payment card processing environment. The goal is to create a cardholder data environment (CDE) that is isolated from the rest of the corporate network to reduce PCI DSS scope. The CDE will contain only the payment application servers and the database storing credit card numbers. The architect must allow authorized administrators in the corporate network to perform updates and monitoring on the CDE servers. Which of the following network architecture designs provides the strongest isolation while still meeting the requirement for authorized administrative access?

Question 10 (medium, multiple choice)

A security architect is designing the wireless network for a new branch office. The branch will have two types of users: employees who need access to internal corporate resources, and guests who need internet-only access. The architect plans to use WPA3-Enterprise for the employee SSID and WPA3-SAE for the guest SSID. Which of the following additional configurations is MOST critical to prevent guests from accessing internal corporate resources?

Question 11 (medium, multiple choice)

A security operations center (SOC) analyst is overwhelmed by the volume of alerts. The management wants to implement a solution that can automatically respond to common threats, such as blocking an IP address or isolating a compromised endpoint, without requiring human intervention. Which of the following technologies best meets this requirement?

Question 12 (medium, multiple choice)

A company is implementing network segmentation to isolate the guest wireless network from the internal corporate network. Which of the following technologies is most appropriate to enforce this separation at Layer 2?

Question 13 (medium, multiple choice)

Based on the exhibit, which change best reduces the blast radius if a user workstation is compromised?

Exhibit

VLAN and ACL summary:
- VLAN 10 User PCs: access to file and print services
- VLAN 30 Backup network: access to BackupSrv only
- Current rule added last week: permit ip VLAN10 any -> VLAN30 any
- BackupSrv -> VLAN10 tcp/445 allowed for restore jobs
Concern: ransomware on a user PC could now reach backup repositories.

Question 14 (medium, multiple choice)

Based on the exhibit, which change should be made first to secure remote administration of the network device?

Exhibit

Device management config:
line vty 0 4
 transport input telnet ssh
 login local
SNMP community: public RO
Management IP: 198.51.100.14/32 reachable from WAN
Requirement: administrators must manage the device remotely without exposing credentials in transit.

Question 15 (medium, multiple choice)

Administrators need to manage internal switches from home. Management traffic must be encrypted, MFA must be used, and no switch management interface should be exposed directly to the internet. Which design is best?

Question 16 (medium, multi-select)

Field staff use company-owned tablets that also run approved personal apps. Security needs business data isolated from personal data, the ability to wipe only corporate content, and enforcement of screen lock and encryption. Which two controls best fit? Select two.

Question 17 (medium, multiple choice)

A manufacturing company is redesigning its plant network. PLCs must communicate with a SCADA server for telemetry, but neither the PLCs nor the SCADA server should be reachable from employee laptops or the internet. Which architecture best meets the requirement?

Question 18 (hard, multiple choice)

A supplier portal is browser-based and used by external partner companies. Each partner already has its own identity provider. The portal must trust assertions from those IdPs and avoid creating separate local passwords for each partner. Which integration is best?

Question 19 (medium, multiple choice)

A team hosts a confidential document repository on an IaaS virtual machine. The provider secures the datacenter, hardware, and hypervisor. The organization wants to control who can decrypt the files and be able to revoke that access without changing providers. Which control is best?

Question 20 (medium, multiple choice)

An online retailer is redesigning its public web application so the web server can receive internet traffic, the application server can only be reached by the web tier, and the database server can only be reached by the application tier. Which placement best supports this design?

Question 21 (medium, multiple choice)

A manufacturer wants partner-company users to access a procurement portal using their own company identities. The manufacturer does not want to create local accounts for each partner user, but it still needs to control what those users can do in the portal. Which approach should be used?

Question 22 (medium, multiple choice)

A customer portal runs on a single application server behind a database cluster. Leadership wants the portal to keep working if that application server fails, but the budget is tight and the team wants the simplest design that can automatically fail over. What should they add?

Question 23 (easy, multi-select)

A company is building a public web app with three tiers. Internet users should reach only the web tier, and the app tier should never be reachable from the internet. Which two network design choices support this goal? Select two.

Question 24 (medium, multiple choice)

A web application needs to be internet-facing. The web tier must accept public traffic, the application tier should be reachable only from the web tier, and the database must be reachable only from the application tier. Which design best supports this?

Question 25 (easy, multiple choice)

A customer portal must continue operating if one application server fails. The business wants a simple, cost-conscious design that improves availability. What is the best approach?

Question 26 (medium, multiple choice)

A company uses four cloud applications and wants employees to sign in once with corporate credentials. The applications should trust the company’s identity platform, and disabling a user in the directory should remove access everywhere without separate password resets. Which architecture should the team implement?

Question 27 (easy, multi-select)

A web application must keep running if one application server fails. Management wants the simplest design that automatically switches traffic to a healthy server. Which two choices support that goal? Select two.

Question 28 (easy, multi-select)

A company uses a SaaS email platform. The provider manages the servers and application code. Which two tasks remain the company's responsibility? Select two.

Question 29 (medium, multiple choice)

Based on the exhibit, what is the best security change to address the exposed management access on the cloud VM?

Exhibit

Cloud deployment summary:
- Public API runs on an IaaS virtual machine
- Database runs on a managed PaaS service
- Object storage holds user uploads
- Provider responsibility: datacenter, hardware, hypervisor, managed DB platform
- Customer responsibility: guest OS, IAM, network rules, application code
Finding: TCP/22 on the API VM is reachable from 0.0.0.0/0.

Question 30 (hard, multiple choice)

An order-entry application must survive a single server failure and continue serving users if the primary site becomes unavailable. Management wants automatic failover, but does not want to pay for fully active production capacity in two regions. Which design is best?

Question 31 (easy, multiple choice)

System administrators need to manage internal switches from home. The solution must encrypt management traffic, strongly authenticate users, and avoid exposing management ports directly to the internet. What should be used?

Question 32 (medium, multi-select)

An online retailer is redesigning a network for a public web app. Customers must reach only the web tier from the internet. The web tier must reach the application tier, and the application tier must reach the database tier. Which two design changes best support this zoning model? Select two.

Question 33 (medium, multiple choice)

Network engineers need to manage switches in a data center from home. The solution must encrypt management traffic, strongly authenticate users, and avoid exposing management ports directly to the internet. Which approach is best?

Question 34 (medium, multi-select)

A manufacturer wants partner-company users to access a procurement portal. The manufacturer does not want to create separate local accounts, and the partners want to authenticate their own users with existing corporate identities. Which two capabilities should be implemented? Select two.

Question 35 (medium, multiple choice)

An online ticketing system must survive a single server failure and continue operating after a primary site outage. The business wants the lowest-cost design that still improves availability. Which architecture is best?

Question 36 (medium, multiple choice)

A hospital is redesigning its wireless network. Guest devices must reach only the internet. Staff laptops need access to internal applications. Medical devices must communicate with a monitoring server but never with guest devices or the broader employee LAN. What design best meets these goals with the least operational complexity?

Question 37 (medium, multiple choice)

An organization is redesigning its office network. Guest Wi-Fi must reach the internet only, employee laptops need access to internal apps, and a payment-processing system must be separated from general user traffic but still reach one database server. Which design best meets these requirements?

Question 38 (medium, multiple choice)

Based on the exhibit, which architecture best meets the goal of keeping the order service running if one application server fails?

Exhibit

Order service topology:
Internet -> Load balancer -> App Server A
Internet -> Load balancer -> App Server B
Database -> Single instance in AZ1
Application servers are stateless.
Requirement: service must continue if one app server goes down, with no manual failover steps.

Question 39 (medium, multiple choice)

A manufacturer needs to grant a partner company access to a procurement portal. Partner users should authenticate with their own identity provider, and the manufacturer does not want to create local passwords for each partner employee. Which design best supports this?

Question 40 (easy, multi-select)

A company wants guest laptops on Wi-Fi to reach the internet but not internal printers or servers. Which two changes best support this design? Select two.

Question 41 (medium, multiple choice)

An enterprise is moving from on-prem identity to a SaaS HR platform. Employees should sign in with corporate credentials, and terminated users must lose access quickly without manually creating or deleting SaaS passwords. Which solution best fits?

Question 42 (easy, multiple choice)

A company wants guest Wi-Fi to reach only the internet, employee laptops to reach internal apps, and payment servers to remain isolated from both. What is the best design approach?

Question 43 (medium, multiple choice)

A customer portal must keep operating if one application server fails and also remain available if an entire site goes offline. Management is willing to pay more for automatic failover and the shortest possible interruption. Which design is best?

Question 44 (easy, multiple choice)

A company runs a Linux virtual machine in an IaaS cloud service. The provider secures the physical datacenter and hypervisor. Which task remains the company's responsibility?

Question 45 (medium, multiple choice)

A customer portal must keep operating if one application server fails. Management wants the simplest and lowest-cost design that still improves availability. What should the team implement?

Question 46 (medium, multiple choice)

A SaaS vendor supports both browser access and a mobile app. The company wants employees to sign in with corporate credentials, avoid separate passwords for each app, and use token-based authentication that works well with modern APIs. Which integration should the architect choose?

Question 47 (medium, multiple choice)

Network engineers need to administer internal switches from home. The company wants encrypted management traffic, strong user verification, and no management ports exposed directly to the internet. Which approach is best?

Question 48 (medium, multiple choice)

A team deploys an e-commerce application on an IaaS virtual machine. The cloud provider secures the datacenter, hardware, and hypervisor. The company wants to reduce the chance that attackers exploit outdated software on the VM itself. Which responsibility remains with the company?

Question 49 (medium, multiple choice)

Based on the exhibit, which capability should be added so the SaaS app automatically creates, updates, and disables user accounts as directory changes occur?

Exhibit

Identity integration status:
- Corporate IdP SAML SSO: Enabled
- SaaS local accounts: Still manually managed
- HR termination event: User disabled in the IdP
- SaaS access after termination: Still active until help desk removes account
Requirement: access changes must flow to the app within minutes without manual ticket handling.

Question 50 (hard, multiple choice)

An online retailer is moving its public web app, internal API, and database into separate zones. Public users must reach only the web tier. The web tier must contact the app tier, and only the app tier may query the database. Admins should manage all servers from a hardened jump host. Which design best meets these goals and minimizes lateral movement?

Question 51 (medium, multiple choice)

A team runs a confidential document repository on an IaaS virtual machine. The cloud provider secures the datacenter, hardware, and hypervisor. Which task remains the organization’s responsibility?

Question 52 (medium, multiple choice)

Sales staff use company laptops on public Wi-Fi and travel frequently. The company wants the disk contents unreadable if a laptop is stolen, even if the drive is removed and placed in another system. Which control is the best fit?

Question 53 (hard, multiple choice)

Company-owned tablets are used by field staff for both corporate email and approved personal apps. Security must isolate company data from personal data, allow remote wipe of only the corporate workspace, and block access if the device is rooted or encryption is disabled. Which approach best fits?

Question 54 (medium, multi-select)

A company uses a SaaS CRM platform. The provider patches the application and underlying infrastructure. Which two responsibilities remain with the company? Select two.

Question 55 (medium, multi-select)

Employees use a browser SaaS portal, a native mobile app, and an internal API. The company wants one corporate identity, reduced password reuse, and automated removal of access when HR terminates users. Which two solutions best meet the requirement? Select two.

Question 56 (medium, multi-select)

A customer portal must keep serving users if one application server fails and also remain available if the primary site becomes unreachable. Management prefers automatic recovery over manual intervention. Which two design choices best satisfy the goal? Select two.

Question 57 (medium, multi-select)

A team deploys a Linux virtual machine in IaaS and stores documents in a managed cloud object storage service. The provider secures datacenters, hardware, and the storage platform, but the organization still wants to reduce exposure. Which two tasks remain the organization's responsibility? Select two.

Question 58 (medium, multiple choice)

A development team deploys a Linux web server on an IaaS cloud VM. The cloud provider secures the datacenter, hardware, and hypervisor. Which control remains the organization's responsibility?

Question 59 (medium, multiple choice)

Based on the exhibit, which change best meets the requirement that guest devices can reach the internet but must not reach any internal subnets or printer VLANs?

Exhibit

Guest WLAN uses VLAN 20.
Current ACL on the VLAN 20 SVI:
- permit udp any eq 53 any
- permit udp any eq 67 any
- permit ip 10.50.20.0/24 any
- deny ip any 10.0.0.0/8
- deny ip any 172.16.0.0/12
- deny ip any 192.168.0.0/16
Default route sends remaining traffic to the ISP.
Requirement: guests should have internet-only access.

Question 60 (medium, multiple choice)

Employees must sign in to several SaaS applications with corporate credentials, and terminated users should lose access quickly without manual changes in each app. Which solution best meets the requirement?

Question 61 (hard, multiple choice)

Employees use a browser-based SaaS portal, a native expense app, and an internal API. The company wants one corporate identity, API access without separate passwords, and automatic account removal when HR disables a user. Which solution best fits?

Question 62 (easy, multiple choice)

A company needs a public website that anyone on the internet can reach, but the application and database servers must stay off the internet. Where should the web server be placed?

Question 63 (easy, multiple choice)

A company uses a SaaS file-sharing platform for employee documents. Which action is the company's responsibility, not the provider's?

Question 64 (easy, multiple choice)

Employees must sign in to several cloud applications with their corporate account, and terminated users should lose access without separate password resets in each app. What is the best solution?

Question 65 (hard, multiple choice)

An access point connected to a switch suddenly lets guest Wi-Fi users reach an internal printer VLAN, but only in the new wiring closet. The AP uplink is configured as a trunk with dynamic negotiation enabled, native VLAN 1, and allowed VLANs 10, 20, and 30. Guest traffic should be on VLAN 40 and must not transit to internal segments. Which change best fixes the issue?

Question 66 (medium, multiple choice)

A company stores customer documents in cloud object storage. The provider already offers encryption at rest and physical security. Which action most directly reduces the risk of unauthorized access to the stored files?

Question 67 (easy, multi-select)

A company wants employees to sign in once with corporate credentials and access multiple SaaS apps without creating separate passwords for each service. Which two features best support this goal? Select two.

Question 68 (medium, multiple choice)

An HR system marks employees as hired, transferred, or terminated. The security team wants those changes to create, update, or disable accounts in multiple SaaS apps automatically after the user authenticates through the company identity provider. Which capability should be added?

Question 69 (easy, multiple choice)

Field staff use company-owned tablets that also run approved personal apps. Security wants corporate email and documents separated from personal data, with the ability to wipe only the work data if a device is lost. What is the best control?

Question 70 (hard, multiple choice)

Administrators must manage network switches from home. Requirements: encrypted management traffic, MFA for users, no management ports exposed to the Internet, and centralized logging of admin sessions. Which solution best meets the requirements?

Question 71 (hard, multiple choice)

A team stores sensitive archives on cloud block storage. The provider already encrypts disks at rest, but the company wants copies of the disks to remain unreadable even if a cloud administrator can snapshot and mount the volume. Which control is best?

Question 72 (medium, multiple choice)

Field technicians use company-owned tablets that also run approved personal apps. Security needs corporate email and documents isolated from personal data, selective wipe of only business content if a device is lost, and compliance checks before access is allowed. What should be deployed?

Question 73 (easy, multi-select)

Company-owned tablets run both business apps and approved personal apps. Which two controls best keep company data separated and support selective wipe? Select two.

Question 74 (medium, multiple choice)

Based on the exhibit, which integration best lets the SaaS application trust the company's existing identity provider so users can sign in with their corporate credentials?

Exhibit

SaaS sign-in settings:
- Local accounts: Enabled
- SAML SSO: Disabled
- SCIM provisioning: Disabled
- Password synchronization: Disabled
Requirement: users from the acquired subsidiary must use their existing corporate identities without separate SaaS passwords.

Question 75 (medium, multiple choice)

Based on the exhibit, which control should be enabled so corporate data stays separated from personal data on company-owned tablets?

Exhibit

MDM profile for field tablets:
- Device encryption: Enabled
- Work profile/container: Disabled
- Corporate apps can access personal storage: Enabled
- Selective wipe: Not configured
User requirement: company email and ERP must be isolated from personal photos and apps.

Question 76 (medium, multiple choice)

A manufacturer wants to give partner-company users access to a procurement portal. The partner wants to authenticate its own users, and the manufacturer does not want to create separate local passwords for them. What is the best solution?

Question 77 (easy, multi-select)

A network team must manage switches from home without exposing management ports to the internet. Which two controls best fit? Select two.

Question 78 (easy, multiple choice)

A team manages virtual machines in a public cloud and wants an audit trail of who created instances, changed security groups, and modified IAM settings. What should be enabled first?

Question 79 (medium, multiple choice)

Based on the exhibit, which network change best isolates finance workstations from general user PCs while still allowing printing and application access?

Exhibit

VLAN table:
- VLAN 20 Users: 10.20.20.0/24
- VLAN 30 Finance: 10.20.30.0/24
- VLAN 40 Printers: 10.20.40.0/24
- VLAN 50 Accounting App: 10.20.50.0/24

Current SVI routing policy:
permit ip any any

Management goal:
Finance devices must not initiate traffic to User VLAN 20, but they must be able to print and access the accounting application.

Question 80 (easy, multi select)

An organization wants employees to sign in once and then access several SaaS applications without repeated logins. Which two technologies make this possible? Select two.

Question 81 (medium, multi select)

A regulated analytics workload is moving to a public cloud. The business wants the strongest practical tenant isolation without managing physical servers, and it also needs an audit trail for changes made to the cloud environment. Which two design choices best meet those requirements? Select two.

Question 82 (medium, multi select)

A help desk manager is hardening a fleet of Windows laptops. The goal is to prevent booting from untrusted external media and to ensure only approved software can run on the devices. Which two controls best address those goals? Select two.

Question 83 (medium, multi select)

A small enterprise is rebuilding its public customer portal. The web front end must be reachable from the internet, the application tier should never be directly exposed, and the database must remain private even if the web server is compromised. Which two design changes best meet those goals? Select two.

Question 84 (easy, multiple choice)

A laptop repeatedly starts with an unapproved bootloader, and the security team wants the firmware to refuse boot code that is not signed by a trusted key. Which feature should be used?

Question 85 (medium, multiple choice)

A small company is deploying a public web application with a front-end server, an API server, and a database. The web server must be reachable from the internet, the API must be reachable only from the web server, and the database must never be accessible from user subnets. Which design best meets the requirement?

Question 86 (medium, multiple choice)

A company wants employees to use one corporate login for multiple SaaS applications, require MFA when users sign in from unmanaged devices, and centralize account lifecycle management. Which design best meets these requirements?

Question 87 (medium, multi select)

A SaaS vendor hosts a customer relationship platform for multiple organizations. Your company wants to know which two responsibilities typically remain with the customer rather than the SaaS provider. Select two.

Question 88 (easy, multi select)

A team is moving a workload to infrastructure as a service (IaaS). Which two items are usually the customer's responsibility? Select two.

Question 89 (medium, multi select)

A company wants employees to sign in once to several SaaS apps, while the security team also wants to require extra verification when users sign in from unmanaged devices or unusual locations. Which two architecture changes best satisfy both requirements? Select two.

Question 90 (medium, multiple choice)

Based on the exhibit, which logging capability should be enabled first to create an audit trail for cloud administration changes?

Exhibit

2026-04-25 09:14:03  iam:AttachRolePolicy  user=alice
2026-04-25 09:15:10  ec2:AuthorizeSecurityGroupIngress  user=alice
2026-04-25 09:16:22  s3:PutBucketPolicy  user=alice

Requirement:
Security wants to track management-plane API calls and configuration changes across cloud resources.
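Once management-plane audit logging is on, the value comes from what you do with the records. The following is an added example, not code from the question bank or from any cloud vendor: it parses lines in the exhibit's own `<date> <time>  <service>:<Action>  user=<name>` layout, flags the calls that change privileges or exposure, and escalates a user who makes several such changes in a short window. The risk table, the five-minute window and the extra sample lines (bob's read-only call, a malformed line) are this example's assumptions, not a vendor's list.

```python
"""Triage of management-plane audit events in the exhibit's line format.

Added example, not part of the question bank. The line layout is the
exhibit's; the HIGH_RISK table and the burst window are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<service>[a-z0-9]+):(?P<action>[A-Za-z]+)\s+user=(?P<user>\S+)$"
)

# Control-plane calls that change who can do what, or what is reachable.
# Assumed severity mapping for this example, not a vendor-published list.
HIGH_RISK = {
    "iam:AttachRolePolicy": "privilege change",
    "iam:PutUserPolicy": "privilege change",
    "ec2:AuthorizeSecurityGroupIngress": "network exposure",
    "s3:PutBucketPolicy": "data exposure",
}

# Constructed sample: the three exhibit lines plus a benign read call and
# one malformed line, so the parser's failure path is exercised too.
SAMPLE_LOG = [
    "2026-04-25 09:14:03  iam:AttachRolePolicy  user=alice",
    "2026-04-25 09:15:10  ec2:AuthorizeSecurityGroupIngress  user=alice",
    "2026-04-25 09:16:22  s3:PutBucketPolicy  user=alice",
    "2026-04-25 09:20:01  ec2:DescribeInstances  user=bob",
    "this line is not an audit record",
]


@dataclass(frozen=True)
class Event:
    ts: str
    service: str
    action: str
    user: str

    @property
    def api(self) -> str:
        return f"{self.service}:{self.action}"


def parse_event(line):
    """Return an Event, or None for a line that does not match the layout."""
    m = LINE_RE.match(line.strip())
    return Event(**m.groupdict()) if m else None


def triage(lines):
    """(user, api, reason) for every high-risk call, in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed record: skip it rather than stop the pipeline
        reason = HIGH_RISK.get(ev.api)
        if reason:
            findings.append((ev.user, ev.api, reason))
    return findings


def escalations(lines, window=timedelta(minutes=5), threshold=3):
    """Users with at least `threshold` high-risk calls inside one `window`."""
    stamps = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.api not in HIGH_RISK:
            continue
        stamps.setdefault(ev.user, []).append(
            datetime.strptime(ev.ts, "%Y-%m-%d %H:%M:%S"))
    flagged = []
    for user, ts in stamps.items():
        ts.sort()
        # sliding window over sorted timestamps: any run of `threshold`
        # consecutive events that fits in `window` escalates the user
        for i in range(len(ts) - threshold + 1):
            if ts[i + threshold - 1] - ts[i] <= window:
                flagged.append(user)
                break
    return flagged


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("high-risk:", *finding)
    print("escalate:", escalations(SAMPLE_LOG))
```

The point of the second function is that an audit trail is only useful when someone (or something) reads it: three privilege and exposure changes by one principal inside three minutes is exactly the pattern a detection rule should surface, whichever provider's logging service produced the records.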

Question 91 (medium, multiple choice)

A team moved a Linux VM to IaaS. They need OS login events, process activity, and network flow metadata sent to one central platform for alerting. What is the best first step?

Question 92 (medium, multiple choice)

Based on the exhibit, which identity architecture change best addresses the repeated password resets and delayed offboarding across the company's SaaS applications?

Exhibit

- SaaS A uses local user accounts
- SaaS B uses local user accounts
- SaaS C supports SAML and automated provisioning
- Help desk reports 120 password reset tickets per month
- Former employees can remain active in two apps for up to 24 hours after termination

Management wants one sign-in and faster deprovisioning.

Question 93 (easy, matching)

Match each cloud security concept to the best description.

Matches

Defines which security tasks belong to the cloud provider and which remain with the customer

Separates one customer's cloud resources from another customer's resources

Uses the provider's logging service to record workload and control-plane activity

Places workload resources where they are not directly exposed to the internet

Question 94 (easy, matching)

Match each network segment to the best use in a small enterprise.

Matches

Network segment for internet-facing services such as a public web proxy or reverse proxy

Segment for internal systems such as databases that should not be directly reachable from the internet

Restricted network used for switch, firewall, and server administration traffic

Internet-only network for visitors and unmanaged devices

Question 95 (easy, multi select)

A branch office has users, finance workstations, and printers on the same LAN. Management wants finance devices isolated from general users while still allowing approved printing and internet access. Which two changes best meet this goal? Select two.

Question 96 (medium, multiple choice)

A branch office has users, finance workstations, printers, and IP phones on one flat network. The security team wants to reduce lateral movement if one user PC is compromised, but printers still need to receive print jobs from users. What is the best design change?

Question 97 (medium, multiple choice)

Based on the exhibit, which cloud deployment choice best satisfies the workload requirements?

Exhibit

Workload requirements:
- Processes regulated customer records
- Should not share underlying compute with other tenants if avoidable
- Team wants provider-managed hardware maintenance
- Application will run in a public cloud

Question 98 (easy, multi select)

A company wants visibility into who changed settings in its cloud account and what commands ran on a cloud VM. Which two log sources should the team enable first? Select two.

Question 99 (medium, multiple choice)

A company wants employees to sign in once to access several SaaS applications, but it also wants to require MFA only when users connect from unmanaged devices or outside the corporate network. Which architecture best supports this goal?

Question 100 (medium, multiple choice)

A small company is moving its public web app to a new network. The front-end server must be reachable from the internet, the application server should only accept traffic from the front end, and the database must never be reachable from the internet or user VLANs. Which design best meets these requirements with the least exposure?

Question 101 (medium, multi select)

After a merger, dozens of laptops arrive with inconsistent settings and a history of unsupported utilities installed by the previous owner. The security team wants to establish a known-good configuration, reduce future drift, and accelerate remediation of newly discovered vulnerabilities. Which three actions best support that goal? Select three.

Question 102 (easy, multiple choice)

An office wants finance workstations separated from general user PCs, but employees still need to print to a shared printer and access one accounting application. Which change best supports this?

Question 103 (medium, multiple choice)

Several company laptops were found to boot from a removable drive containing an untrusted pre-boot utility before the operating system loaded. The security team wants to prevent unsigned or tampered boot code from starting. Which control is the best fit?

Question 104 (easy, multiple choice)

A manager can access the HR portal normally from a managed laptop, but if they sign in from an unmanaged tablet, the system should require extra verification before granting access. Which control best fits?

Question 105 (medium, multiple choice)

Based on the exhibit, which change best reduces exposure for the public web application while keeping the backend tiers protected?

Exhibit

Topology and ACL summary:
Internet -> Firewall -> DMZ VLAN 10: reverse proxy
Private App VLAN 20: application server 10.10.20.20
Private DB VLAN 30: database server 10.10.30.30
User VLAN 40: internal workstations

ACL summary:
1. permit tcp any -> 10.10.10.10 eq 443
2. permit tcp 10.10.10.10 -> 10.10.20.20 eq 8443
3. permit tcp 10.10.20.20 -> 10.10.30.30 eq 1433
4. deny ip any -> 10.10.30.30
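The exhibit ACL and the finance-VLAN policy from Question 79 are both stateless, first-match lists, and the fastest way to reason about them is to run candidate flows through them. The block below is an added example, not code from the question bank or any vendor: a small first-match evaluator in a simplified Cisco-style notation chosen for this example (`permit|deny proto src -> dst [eq port] [established]`). The three-tier rules are copied from the exhibit; the finance rules are an assumed draft applied inbound on the VLAN 30 SVI, the print and application ports (9100, 443) are assumptions, and none of it is the answer key.

```python
"""First-match evaluation of stateless ACLs like the ones in the exhibits.

Added example, not code from the question bank or from any vendor. Rule
syntax is a simplified Cisco-style notation chosen for this example:
    <permit|deny> <ip|tcp|udp> <src> -> <dst> [eq <port>] [established]
where src/dst are 'any', a host address, or a CIDR prefix.
"""
import ipaddress


def _net(token):
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_rule(text):
    action, proto, src, arrow, dst, *rest = text.split()
    if arrow != "->":
        raise ValueError(f"bad rule: {text}")
    port = int(rest[rest.index("eq") + 1]) if "eq" in rest else None
    return {"action": action, "proto": proto, "src": _net(src), "dst": _net(dst),
            "port": port, "established": "established" in rest}


def acl(lines):
    return [parse_rule(line) for line in lines]


def evaluate(rules, proto, src, dst, port=None, new_conn=True):
    """First matching rule wins; no match is the implicit deny at the end.

    new_conn=True models a TCP SYN, i.e. a connection being initiated.
    'established' rules match only reply/ongoing packets (new_conn=False),
    which is how a stateless list approximates 'must not initiate'.
    Returns (action, index_of_matching_rule_or_None).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r["proto"] not in ("ip", proto):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["port"] is not None and r["port"] != port:
            continue
        if r["established"] and new_conn:
            continue
        return r["action"], i
    return "deny", None


# Rules 1-4 exactly as the three-tier exhibit lists them (page content).
ACL_THREE_TIER = acl([
    "permit tcp any -> 10.10.10.10 eq 443",
    "permit tcp 10.10.10.10 -> 10.10.20.20 eq 8443",
    "permit tcp 10.10.20.20 -> 10.10.30.30 eq 1433",
    "deny ip any -> 10.10.30.30",
])

# Assumed draft for the Question 79 goal, applied inbound on the VLAN 30
# SVI so it only sees finance-sourced packets. Ports are assumptions.
ACL_FINANCE_IN = acl([
    "permit tcp 10.20.30.0/24 -> 10.20.20.0/24 established",  # replies to user-initiated sessions
    "deny ip 10.20.30.0/24 -> 10.20.20.0/24",                  # finance may not initiate to users
    "permit tcp 10.20.30.0/24 -> 10.20.40.0/24 eq 9100",       # printing
    "permit tcp 10.20.30.0/24 -> 10.20.50.0/24 eq 443",        # accounting application
])


def check_three_tier():
    """Flows worth trying against the exhibit; 203.0.113.5 is a constructed internet host."""
    return {
        "internet->proxy:443": evaluate(ACL_THREE_TIER, "tcp", "203.0.113.5", "10.10.10.10", 443),
        "internet->app:8443": evaluate(ACL_THREE_TIER, "tcp", "203.0.113.5", "10.10.20.20", 8443),
        "proxy->db:1433": evaluate(ACL_THREE_TIER, "tcp", "10.10.10.10", "10.10.30.30", 1433),
        "user->db:1433": evaluate(ACL_THREE_TIER, "tcp", "10.10.40.25", "10.10.30.30", 1433),
        "user->app:8443": evaluate(ACL_THREE_TIER, "tcp", "10.10.40.25", "10.10.20.20", 8443),
    }


def check_finance():
    return {
        "finance->user new": evaluate(ACL_FINANCE_IN, "tcp", "10.20.30.5", "10.20.20.9", 445),
        "finance->user reply": evaluate(ACL_FINANCE_IN, "tcp", "10.20.30.5", "10.20.20.9", 50123, new_conn=False),
        "finance->printer": evaluate(ACL_FINANCE_IN, "tcp", "10.20.30.5", "10.20.40.3", 9100),
        "finance->app:443": evaluate(ACL_FINANCE_IN, "tcp", "10.20.30.5", "10.20.50.10", 443),
        "finance->app:22": evaluate(ACL_FINANCE_IN, "tcp", "10.20.30.5", "10.20.50.10", 22),
    }


if __name__ == "__main__":
    for name, result in {**check_three_tier(), **check_finance()}.items():
        print(f"{name:22} {result}")
```

Two things the output makes visible that the exhibit alone does not: the database is protected by an explicit deny (rule 4), but the application server is protected only by the implicit deny, so a later `permit ip any any` appended for troubleshooting would silently expose it; and `established` is a check on TCP flags, which a host on the finance VLAN can forge, so a stateful firewall or zone policy is the proper way to express "must not initiate" where that matters.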

Question 106 (medium, multiple choice)

An organization is redesigning access for its HR portal. HR staff need to update employee records, managers need to approve leave requests, and payroll staff need access to salary data, but no single user should receive all of those permissions by default. What is the best access model?

Question 107 (easy, multiple choice)

A small company is publishing an internal website to the internet. The security team wants the web server reachable from the internet while keeping the database and file share isolated from direct internet access. Which design is best?

Question 108 (medium, multiple choice)

A company wants to stop employees from running unauthorized tools downloaded from the internet on managed Windows laptops, but still allow approved internal apps and vendor-updated software. Which control is best?

Question 109 (easy, multiple choice)

A help desk team wants users to be unable to install unsanctioned browser extensions or freeware on corporate Windows laptops, while approved business apps still run. Which endpoint control is best?

Question 110 (medium, multi select)

Several corporate laptops occasionally boot from a removable drive containing an untrusted recovery tool before Windows loads. The security team wants to reduce the chance of pre-boot tampering and unauthorized boot media use. Which two controls are most effective? Select two.

Question 111 (medium, multiple choice)

A security team discovers that several laptops occasionally boot from a removable drive before Windows loads, allowing unapproved recovery tools to run. Management wants to prevent this with the least impact on normal users. Which control is the best fit?

Question 112 (easy, multiple choice)

A company uses several SaaS applications and wants employees to sign in once with a corporate account instead of maintaining separate passwords for each app. Which architecture is best?

Question 113 (medium, multiple choice)

A regulated analytics workload must run in the cloud with the strongest isolation from other customers, but the company does not want to manage its own physical server room. Which placement is most appropriate?

Question 114 (medium, multiple choice)

The help desk can patch endpoints only after testing on a few pilot systems because one legacy app sometimes breaks after updates. What patching approach is most secure and least disruptive?

Question 115 (easy, multiple choice)

A company moves a Linux server to infrastructure as a service (IaaS). Which task remains the customer's responsibility?

Question 116 (medium, multiple choice)

A small company is redesigning its network for a public web application. The web front end must be reachable from the internet, but the database should never be exposed directly to external or general user traffic. Which architecture is the best choice?

Question 117 (easy, multi select)

A company wants employees to use their normal login from managed devices but require extra verification when they sign in from an unmanaged laptop or a new location. Which two controls should the team use? Select two.

Question 118 (medium, multiple choice)

A regulated workload must run in the cloud with the strongest possible isolation from other tenants, and the company wants to avoid managing its own physical hardware. Which placement is the best fit?

Question 119 (medium, multiple choice)

An HR portal has three job functions: HR staff update employee records, managers approve leave requests, and payroll views salary data. The security team wants to prevent any one role from having all capabilities. Which access design is the best fit?

Question 120 (medium, multiple choice)

An HR portal has three groups: HR staff can edit employee records, managers can approve leave, and payroll can view salary data. No one should have all functions. Which access model should the engineer implement?

Question 121 (easy, matching)

Match each traffic control to the best description.

Matches

Tracks connection state and allows return traffic for approved sessions

Allows or denies traffic using source, destination, port, and protocol rules without tracking sessions

Blocks traffic unless a rule explicitly permits it

Limits traffic moving between internal subnets or tiers

Question 122 (medium, multiple choice)

A help desk team manages 300 Windows laptops. A legacy accounting app sometimes fails after updates, so the company wants to reduce patch risk while still preventing long-term exposure. Which patching strategy is the best balance?

Question 123 (medium, multiple choice)

A finance team deploys a regulated workload to a public cloud. They want operating system login events, process activity, and network flow metadata to be retained in one central place for detection and investigation. Which action best supports this requirement with the least operational overhead?

Question 124 (easy, multi select)

A company wants its laptop fleet to start from a known configuration before shipping to users and to reduce exposure to newly discovered vulnerabilities over time. Which two actions are best? Select two.

Question 125 (medium, multi select)

A regulated analytics workload must run in a public cloud with the strongest practical tenant isolation while avoiding management of physical servers. The workload should also remain off the public internet. Which two deployment choices best fit? Select two.

Question 126 (medium, multiple choice)

A branch office uses a flat LAN, and a compromise on one user workstation could spread quickly to finance systems. Management wants finance workstations isolated from general users, but finance staff still need access to a central finance application and network printer. What is the best design change?

Question 127 (medium, multiple choice)

A company moved an internal application to a cloud virtual machine. The security team wants operating system login events, process activity, and network flow metadata to be available in the SIEM for investigations. Which action best supports that goal?

Question 128 (medium, multiple choice)

A company manages 300 laptops and wants to reduce risk from missed patches while avoiding a widespread outage if an update has compatibility issues. Which patching approach is the best choice?

Question 129 (medium, multiple choice)

Employees use several SaaS applications, and the security team wants one corporate login, MFA for unmanaged devices, and centralized account provisioning. Which architecture should be used?

Question 130 (easy, multi select)

A security team wants to reduce the chance that employees boot unmanaged tools from removable media and wants only approved software to run on laptops. Which two controls should they use? Select two.

Question 131 (medium, multiple choice)

A branch office has users, finance workstations, printers, and IP phones on one flat LAN. After a malware outbreak on a user PC, management wants to limit lateral movement without blocking printing or voice traffic. What should the network team implement?

Question 132 (medium, multi select)

A finance workflow currently lets one employee create a payment batch and approve it in the same session. Audit findings say the design increases fraud risk. Which two access architecture changes best reduce that risk while keeping the process functional? Select two.

Question 133 (easy, multi select)

A small company is deploying a public web application with a front-end server, an application server, and a database. Which two design choices best reduce exposure of the backend systems? Select two.

Question 134 (medium, multiple choice)

A development team is moving a regulated application to a cloud platform. The security architect wants the strongest practical separation from other customers without buying and operating physical servers. Which hosting option is most appropriate?

Question 135 (medium, multiple choice)

Based on the exhibit, which action best addresses both the unsanctioned software problem and the need for consistent endpoint configuration?

Exhibit

Device group: Sales-Laptops
Baseline check:
- Approved browser: installed
- Approved EDR: installed
- Unapproved remote admin tool: detected on 14 endpoints
- Local administrator rights: granted to all users in group
- Patch compliance: 68%

Management wants to prevent unauthorized software from running and keep future builds consistent.

Question 136 (medium, multiple choice)

Based on the exhibit, which hardening change best prevents a laptop from booting unapproved tools from external media?

Exhibit

UEFI Setup
- Secure Boot: Disabled
- Boot order: USB, External NIC, Internal SSD
- Firmware admin password: Not configured
- BitLocker status: Enabled

Incident note:
A technician confirmed the laptop was started from a USB recovery stick that bypassed the normal corporate login workflow.

Question 137 (medium, multiple choice)

Based on the exhibit, which access design change best reduces fraud risk without stopping the payroll process?

Exhibit

Payroll application roles:
- HR-Editor: can update employee records
- Payroll-Approver: can release payment batches
- Audit-Reader: can view reports only

Current assignment:
User Lisa has both HR-Editor and Payroll-Approver because she "handles payroll end to end."
Management wants to reduce the chance of one person creating and approving a fraudulent payment.
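The payroll exhibit, and the payment-batch scenario in Question 132, are about two different separation-of-duties checks: a static one (no single identity may hold a conflicting pair of roles) and a dynamic one (whoever releases a batch must not be the person who created it, even if a misconfiguration gave them the right). The block below is an added example, not code from the question bank or any payroll product. The role names HR-Editor, Payroll-Approver and Audit-Reader come from the exhibit; the Payroll-Clerk role, the permission strings, the toxic-combination table and the users pat and sam are assumptions made for this example.

```python
"""Role-based access with static and dynamic separation-of-duties checks.

Added example, not the page's or any product's code. Exhibit roles are
HR-Editor, Payroll-Approver and Audit-Reader; Payroll-Clerk, the
permission names and the toxic-combination table are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

ROLES = {
    "HR-Editor": {"employee:update"},
    "Payroll-Clerk": {"payment-batch:create"},      # assumed role for batch creation
    "Payroll-Approver": {"payment-batch:release"},
    "Audit-Reader": {"report:view"},
}

# Static SoD: role pairs no single identity may hold at the same time.
TOXIC_COMBINATIONS = {
    frozenset({"HR-Editor", "Payroll-Approver"}),    # Lisa's current assignment
    frozenset({"Payroll-Clerk", "Payroll-Approver"}),
}


class SoDViolation(Exception):
    pass


def assign_roles(user, roles):
    """Reject unknown roles and any toxic combination before the grant exists."""
    unknown = set(roles) - ROLES.keys()
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    for combo in TOXIC_COMBINATIONS:
        if combo <= set(roles):
            raise SoDViolation(f"{user} may not hold {sorted(combo)} together")
    return {"user": user, "roles": set(roles)}


def permissions(principal):
    return set().union(*(ROLES[r] for r in principal["roles"]))


@dataclass
class PaymentBatch:
    batch_id: str
    created_by: str
    released_by: Optional[str] = None
    history: list = field(default_factory=list)


def create_batch(batch_id, principal):
    if "payment-batch:create" not in permissions(principal):
        raise PermissionError(f"{principal['user']} cannot create batches")
    return PaymentBatch(batch_id, created_by=principal["user"],
                        history=[("created", principal["user"])])


def release_batch(batch, principal):
    """Dynamic SoD: the releaser needs the right AND must differ from the creator."""
    if "payment-batch:release" not in permissions(principal):
        raise PermissionError(f"{principal['user']} cannot release batches")
    if principal["user"] == batch.created_by:
        raise SoDViolation(f"{batch.batch_id}: creator and releaser must differ")
    batch.released_by = principal["user"]
    batch.history.append(("released", principal["user"]))
    return batch


def demo():
    """Walk the exhibit scenario; returns outcomes so they can be checked."""
    out = {}
    try:
        assign_roles("lisa", ["HR-Editor", "Payroll-Approver"])
        out["lisa_both_roles"] = "allowed"
    except SoDViolation:
        out["lisa_both_roles"] = "blocked"
    pat = assign_roles("pat", ["Payroll-Clerk"])
    sam = assign_roles("sam", ["Payroll-Approver"])
    batch = create_batch("B-1001", pat)
    out["clerk_self_release"] = "blocked"
    try:
        release_batch(batch, pat)           # pat holds no release right
        out["clerk_self_release"] = "allowed"
    except PermissionError:
        pass
    # Even if a misconfiguration let sam both create and release, the
    # runtime check still refuses a release by the batch's own creator.
    rogue = PaymentBatch("B-1002", created_by="sam")
    try:
        release_batch(rogue, sam)
        out["creator_release"] = "allowed"
    except SoDViolation:
        out["creator_release"] = "blocked"
    out["two_person_release"] = release_batch(batch, sam).released_by
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
```

The static check is what fixes Lisa's assignment; the dynamic check is what keeps the process honest after the next "temporary" role grant, which is why both belong in the design and why the history list exists for the Audit-Reader to review.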

Question 138 (medium, multi select)

A finance portal lets one employee create a payment batch and approve it without review. Management wants to reduce fraud risk while keeping the workflow functional. Which two changes best achieve that goal? Select two.

Question 139 (medium, multiple choice)

After a server rebuild, an administrator notices that Remote Desktop, SMBv1, and Print Spooler are still enabled on a Windows file server even though the server only stores department documents. The security team also wants to know if future changes drift away from the approved build. What should be implemented?

Question 140 (easy, multiple choice)

After building a new file server, an administrator reviews the security baseline and notices that a remote desktop service is enabled even though no one uses it. What is the best hardening action?

Question 141 (easy, multi select)

A help desk team needs to reset passwords on servers during incidents, but they should not keep standing administrator rights all day. Which two controls best support this requirement? Select two.

Question 142 (easy, multi select)

Employees need to sign in once to the corporate portal and then access email and the HR app without entering credentials again. Which two technologies make this possible in a secure design? Select two.

Question 143 (hard, multiple choice)

A contractor signs in to a project portal that fronts several SaaS tools. Access must be granted only if all of the following are true: the user is assigned to the project, the device is managed, and the request occurs during the approved maintenance window. Which access model best supports this requirement?
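Requirements like this one combine a subject attribute (project assignment), an environment attribute (device posture) and a time condition, which is the case a pure role model cannot express. The block below is an added example, not code from the question bank or any identity product: a deny-by-default evaluator that runs every condition and reports which ones failed, so the denial reason can be logged. The attribute names, the 22:00 to 02:00 UTC maintenance window, the project identifier PRJ-42 and the user c.ramirez are assumptions made for this example.

```python
"""Attribute-based access decision for the contractor-portal requirement.

Added example, not page or product code. Attribute names, the window,
the project identifier and the sample identity are assumptions.
"""
from datetime import datetime, time, timezone

# Assumed: 22:00-02:00 UTC. The window crosses midnight on purpose, since
# that is the case naive hour comparisons get wrong.
MAINTENANCE_WINDOW = (time(22, 0), time(2, 0))


def in_window(now, window=MAINTENANCE_WINDOW):
    """True when the aware datetime `now` falls inside [start, end) in UTC."""
    start, end = window
    t = now.astimezone(timezone.utc).time()
    if start > end:                      # window wraps past midnight
        return t >= start or t < end
    return start <= t < end


# Each condition sees (subject, resource, environment). All must hold.
CONTRACTOR_PORTAL_POLICY = [
    ("assigned_to_project", lambda s, r, e: r["project"] in s["projects"]),
    ("device_managed", lambda s, r, e: e["device"]["managed"] is True),
    ("inside_maintenance_window", lambda s, r, e: in_window(e["time"])),
]


def decide(subject, resource, environment, policy=None):
    """Evaluate every condition; deny unless all pass.

    Returns (allowed, failed_condition_names). Evaluating all conditions
    rather than stopping at the first failure gives a complete audit record.
    """
    policy = CONTRACTOR_PORTAL_POLICY if policy is None else policy
    failed = [name for name, cond in policy if not cond(subject, resource, environment)]
    return (not failed, failed)


def demo():
    """Constructed requests covering the pass case and each single failure."""
    contractor = {"user": "c.ramirez", "projects": {"PRJ-42"}}
    portal = {"name": "project-portal", "project": "PRJ-42"}
    managed = {"device": {"managed": True},
               "time": datetime(2026, 4, 25, 23, 30, tzinfo=timezone.utc)}
    unmanaged = {**managed, "device": {"managed": False}}
    daytime = {**managed, "time": datetime(2026, 4, 25, 14, 0, tzinfo=timezone.utc)}
    other_project = {**portal, "project": "PRJ-99"}
    return {
        "all_conditions_met": decide(contractor, portal, managed),
        "unmanaged_device": decide(contractor, portal, unmanaged),
        "outside_window": decide(contractor, portal, daytime),
        "not_on_project": decide(contractor, other_project, managed),
    }


if __name__ == "__main__":
    for name, (allowed, failed) in demo().items():
        print(f"{name:20} {'ALLOW' if allowed else 'DENY'} {failed}")
```

Note that `device.managed` has to come from something the policy engine trusts (a device certificate or an MDM attestation passed by the identity provider), not from a claim the client supplies about itself; otherwise the environment attribute is only as strong as the request that carries it.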

Question 144 (easy, multiple choice)

A team is moving an application to a cloud provider. The cloud provider will secure the physical data center and core infrastructure, while the company must still secure its own application settings and user access. What concept does this describe?

Question 145 (easy, multiple choice)

Before applying a major patch to a virtual machine, the administrator wants a quick way to return the VM to its exact pre-change state if the patch fails. What should the administrator create?

Question 146 (easy, multiple choice)

A security team wants to know whether a workstation has drifted away from the approved hardened configuration after several months of changes. What should they use to compare the current state against the approved setup?

Question 147 (hard, multi select)

A development team runs multiple customer workloads in a shared Kubernetes cluster. Security wants to reduce the risk that one compromised container can read another team's data or deploy an altered image. Which three actions best improve the design? Select three.

Question 148 (easy, multi select)

A company wants guest laptops on Wi-Fi to reach the internet, but not internal file servers or printers. Which two changes best support that design? Select two.

Question 149 (hard, multi select)

A cloud support team is replacing separate logins for several internal apps. The new design must support one sign-in, reduce the chance that a stolen session remains valid too long, and let the identity team revoke access centrally after termination. Which three controls best fit? Select three.

Question 150 (hard, multiple choice)

A company runs payroll and HR application servers on the same VLAN because a redesign is not possible this quarter. Security wants to reduce lateral movement if one workload is compromised, but the team cannot renumber the environment or add new physical firewalls. Which control best fits the requirement?

Question 151 (hard, multi select)

A company is redesigning a customer portal. Internet users must reach only the web tier, the web tier must talk to the application tier, and the application tier must talk to the database tier. The security team also wants to reduce lateral movement if one server is compromised. Which three changes best meet these goals? Select three.

Question 152 (medium, matching)

A company is redesigning how systems are separated in its office and data center network. Match each network design element to the scenario it best supports. Use each term once.

Matches

A subnet that hosts public-facing web servers while keeping them separated from the internal LAN.

Separating finance and engineering workstations on the same switches into different broadcast domains.

A rule set that allows only TCP 8443 from the web tier to the application tier and denies everything else.

Restricting east-west traffic between individual workloads inside the same data center or cloud cluster.

Grouping systems that share similar security requirements and access assumptions for policy design.

Question 153 (easy, multiple choice)

Employees use one corporate login to sign in to email, the ticketing portal, and the HR application. After signing in once, the other apps accept the same identity without separate passwords. What capability is this?

Question 154 (easy, multiple choice)

After a server rebuild, a Windows administrator notices several unneeded services are still enabled, including Remote Registry and Print Spooler on a server that only hosts a database. What should the administrator do to reduce attack surface and keep the build consistent?

Question 155 (hard, multi select)

A Windows file server was rebuilt from a gold image, but later troubleshooting re-enabled Remote Desktop, SMBv1, and the Print Spooler. The security team wants to harden the host and catch the same configuration changes early in the future. Which three actions are the best fit? Select three.

Question 156 (easy, multiple choice)

A development team stores container images in a registry before deployment. Security wants to reduce the chance of shipping vulnerable libraries or packages inside the image. What should the team do before release?

Question 157 (easy, multiple choice)

A customer portal must keep serving requests if one application server stops responding. The team wants traffic to be sent to whichever healthy server is available. Which design should they implement?

Question 158 (hard, multi select)

A customer portal must stay online if an entire site fails, and the company must also be able to recover if data is corrupted or encrypted by ransomware. Which two design choices best satisfy both requirements? Select two.

Question 159 (easy, multiple choice)

Guest tablets in a conference room use the same physical switches as employee devices. The security team wants guests to have internet access only, with no route to internal subnets. Which design best meets the goal?

Question 160 (hard, multi select)

After a server rebuild, a Linux database host still has several unnecessary services enabled, including a graphical desktop, Telnet, and a printer service. The operations team wants a secure baseline that prevents the same drift from happening again after future maintenance. Which two actions best address the issue? Select two.

Question 161easymultiple choice
Read the full Security Architecture explanation →

Employees sign in once to the company portal and then can access email, the ticketing system, and the HR site without logging in again. What is this called?

Question 162easymulti select
Read the full Security Architecture explanation →

A web application must be reachable from the internet, but its database should be isolated from direct internet access. Which two placements or controls are most appropriate? Select two.

Question 163hardmultiple choice
Read the full Security Architecture explanation →

A Linux operations team has a standing need to restart services and edit protected configuration files on production servers, but administrators should not keep root privileges all day. Every elevation must be approved through a ticket and logged centrally. Which solution best meets this requirement?

Question 164easymultiple choice
Read the full Security Architecture explanation →

An organization is placing its public-facing website behind a new security design. The site must be reachable from the internet, but the database and file servers must stay isolated from direct external access. What design should the architect use?

Question 165 (easy, multiple choice)

A help desk team wants guest Wi-Fi users to access only the internet and nothing on the internal corporate network. Which control should the network team implement at the wireless edge?

Question 166 (medium, multiple choice)

A company is redesigning a customer portal. Internet users must reach only the web tier, the application tier must be reachable only from the web tier, and the database must be reachable only from the application tier. Administrators should manage servers from a dedicated jump host. Which design best meets these requirements?

Question 167 (easy, multiple choice)

An HR assistant should be able to view employee records, but should not have access to payroll administration or IT server tools. Which access model is best for assigning permissions by job role?

Question 168 (hard, multiple choice)

A Windows file server was built from a gold image, but six months later a scan shows Remote Desktop enabled, SMBv1 re-enabled, and Print Spooler running. The same drift appears on several other servers after emergency troubleshooting. Security wants to return the environment to the approved baseline and prevent the changes from coming back. What is the best solution?

Question 169 (easy, multiple choice)

An HR department wants each employee to access only the systems required for their job. A new hire should receive the same permissions as other HR specialists, and changes to the role should update access centrally. Which access model should be used?

Question 170 (easy, multi select)

A system administrator is creating a secure baseline for a new Linux application server. Which two actions are appropriate hardening steps? Select two.

Question 171 (medium, multiple choice)

A legacy finance application cannot yet support multifactor authentication. The security team still wants administrators to use separate privileged accounts, receive elevated access only when a ticket is approved, and have those privileges removed automatically after the maintenance window ends. Which solution best fits?

Question 172 (hard, multi select)

A router interface connects the DMZ subnet 10.10.10.0/24 to the internal network. A web server at 10.10.10.25 must reach an application server at 10.10.20.20 on TCP 8443, and all other DMZ-to-internal traffic must be blocked. Which two ACL entries should be applied inbound on the DMZ-facing interface? Select two.

Question 173 (easy, multiple choice)

A customer-facing website must stay available if one of two application servers fails. Which design should the team implement?

Question 174 (easy, multi select)

A DevOps team stores container images in a registry before deployment. Which two practices reduce the chance of deploying a risky image? Select two.

Question 175 (medium, multiple choice)

A Linux server is being prepared for production as a database host. The build team notices that a graphical desktop environment, an unused FTP service, and an open mail submission port are present on the image, even though none of them are required. The organization wants future builds to be consistent and easy to verify. What is the best approach?

Question 176 (easy, multiple choice)

A company is placing its public web server so internet users can reach it, but the database server must stay hidden from the internet and be reachable only by the web server. Which design best supports this goal?

Question 177 (medium, multiple choice)

In a virtualized environment, several workloads share the same physical host and the same IP subnet. After one payroll VM is compromised, the security team wants to prevent that VM from freely scanning or reaching the other workloads on the host. Which control best addresses this lateral-movement risk?

Question 178 (hard, multiple choice)

A stateless firewall sits between a DMZ subnet 10.10.10.0/24 and an internal subnet 10.10.20.0/24. Only the web server at 10.10.10.25 should be allowed to initiate TCP sessions to the app server at 10.10.20.20 on port 8443. All other DMZ-to-internal traffic must remain blocked. Which ACL entry is the best fit on the DMZ-facing interface?

Question 179 (easy, multi select)

A security team wants to verify that a server has not drifted from its approved hardened configuration after several months of changes. Which two actions help most? Select two.

Question 180 (hard, multi select)

A contractor signs in to a project portal that integrates several SaaS apps. Access should be granted only while the user is on a managed device, assigned to the project, and using a fresh second factor. The business also wants the contractor to avoid separate logins to each app. Which three controls best fit this design? Select three.

Question 181 (medium, multiple choice)

A DevOps team builds container images in a CI/CD pipeline. Security wants to reduce the chance of deploying vulnerable libraries and also wants the cluster to reject images that have not been approved. Which approach best meets both requirements?

Question 182 (medium, multiple choice)

A customer portal runs from a primary data center. Management wants the secondary site to take over within minutes if the primary site loses power, and the secondary site should already have current systems and data ready to serve users. Which design best fits this requirement?

Question 183 (medium, multiple choice)

Employees sign in once to the corporate portal and then open email, the ticketing system, and an HR application without entering credentials again. The external SaaS providers should trust the company's identity provider rather than creating separate user databases. What architecture is being used?

Question 184 (easy, multi select)

A customer portal must stay online if one application server fails. Which two design choices improve availability? Select two.

Question 185 (hard, multi select)

An architect reviews a design where an internet-facing reverse proxy in a DMZ forwards HTTPS to a web application tier, and the web tier queries a database on a protected internal subnet. The current firewall plan allows the DMZ subnet to reach the database subnet on any TCP port, and the admins want to manage the proxy without exposing it to the user VLAN. Which two changes best improve the design? Select two.

Question 186 (medium, multiple choice)

Based on the exhibit, which change would best reduce the attack surface of the public web server while preserving remote administration from the internal network?

Exhibit

Current firewall policy excerpt:
1. Allow any source -> WEB01 tcp/443
2. Allow any source -> WEB01 tcp/80
3. Allow ADMIN-SUBNET -> WEB01 tcp/22
4. Deny all other inbound traffic

Topology note:
WEB01 currently sits on the same subnet as internal application servers.

Question 187 (medium, multiple choice)

Based on the exhibit, which cloud service model best fits the application's operational and security requirements?

Exhibit

Application requirements summary:
- Developers want to deploy code without managing operating system patches.
- The platform must auto-scale during seasonal traffic spikes.
- Security wants the provider to handle runtime patching and host hardening.
- The team still needs control over the application code and database schema.

Question 188 (medium, multiple choice)

A company is publishing an internet-facing customer portal that must also query an internal database containing order history. Security wants to reduce the chance that a compromise of the portal exposes the database directly. Which design is the best choice?

Question 189 (medium, multiple choice)

Based on the exhibit, what is the best next control to prevent noncompliant mobile devices from accessing corporate email while still allowing IT to wipe company data from lost phones?

Exhibit

MDM dashboard excerpt:
- iOS device compliance: 84%
- Android device compliance: 79%
- Email app access policy: Allow if credentials are valid
- Noncompliance reasons: outdated OS, no passcode, jailbreak/root indicators
- Lost device action: Full factory reset only

Security request:
Block risky devices from email access and protect employee personal data on BYOD devices.

Question 190 (medium, multiple choice)

A company wants all corporate laptops to authenticate to Wi-Fi using device certificates instead of shared passwords. It also wants to deny network access to systems that do not meet the baseline requirement for disk encryption and current endpoint protection. Which approach best satisfies both goals?

Question 191 (medium, multiple choice)

Based on the exhibit, what is the best cloud identity control to ensure terminated users lose access to the SaaS application quickly and consistently?

Exhibit

Identity review notes:
- HR termination events are exported daily from the HR system.
- SaaS Admin Console shows 17 inactive contractor accounts still enabled.
- The application supports SAML SSO.
- SCIM provisioning is currently disabled.
- Deactivation requests are handled through email tickets.

Question 192 (medium, multiple choice)

A development team wants to deploy a new internal application without managing operating system patching, runtime updates, or automatic scaling. The security team still wants the company to control the application code and its data access settings. Which cloud service model best fits this need?

Question 193 (medium, multiple choice)

A payment processor stores full card numbers in its transaction database, but developers and analysts should never see the real numbers in nonproduction reports or troubleshooting tools. The business still needs to correlate the same card across multiple records. Which technique is the best fit?

Question 194 (medium, multiple choice)

Based on the exhibit, which data protection control best allows analysts to work with the records without exposing full card numbers?

Exhibit

Data export sample:
CustomerName, CardNumber, OrderTotal, Region
A. Lee, 4532 1100 8822 7744, 158.22, West
B. Patel, 6011 9009 1044 2219, 41.88, East
C. Jones, 6011 9010 3321 1197, 92.10, South

Business requirement:
- Analytics team needs repeated values for reporting and joins
- Full card numbers must not appear in reports or test data

Question 195 (medium, multiple choice)

A hospital has clinical workstations, badge readers, and building cameras all connected to the same switching infrastructure. After a workstation infection, the security team wants to prevent those endpoints from laterally reaching the badge readers while still allowing the cameras to report to a recording server. What should be implemented first?

Question 196 (hard, multi select)

An office is replacing WPA2-PSK. The new design must ensure only company-managed laptops can join the wireless network, and any device that falls out of compliance must be blocked or quarantined until remediated. Which two controls best meet the requirement? Select two.

Question 197 (hard, multi select)

An organization stores full payment card numbers, analysts need the last four digits for investigation, and the backup team is worried about ransomware and stolen backup media. Which three controls best address these requirements? Select three.

Question 198 (medium, multiple choice)

Based on the exhibit, which backup protection change best improves ransomware resilience and protects the backup media if it is stolen?

Exhibit

Backup job summary:
- Nightly backups land on a network-attached storage device joined to the domain
- Weekly copies are exported to a USB drive and kept in a cabinet in the server room
- Backup administrators use the same privileged domain accounts as server admins
- No immutable or offline copy exists
- Restore tests occur quarterly

Question 199 (hard, multi select)

A company is evaluating a multi-tenant SaaS document platform. The security team wants to reduce the impact of another tenant’s breach and ensure employees who leave are removed from the app within minutes. Which two requirements should the team prioritize? Select two.

Question 200 (medium, multiple choice)

A company is concerned about ransomware and insider tampering with backups. It wants daily restore points, monthly archives, and protection if a backup drive is stolen from the storage room. Which backup design is the best answer?

Question 201 (medium, multiple choice)

A company uses a third-party expense application and wants employees to sign in with their corporate identity once, then automatically lose access in the expense app when they are terminated in the HR system. Which solution best meets both requirements?

Question 202 (medium, multiple choice)

Based on the exhibit, which wireless security change best addresses both unauthorized device access and the risk of a lost laptop connecting to corporate resources?

Exhibit

Wireless configuration review:
SSID: CORP-WIFI
Security: WPA2-Personal
PSK age: 14 months
NAC integration: Disabled
Allowed devices: Any device with the shared passphrase

Mobile device policy:
- Corporate email is available from personal devices
- Lost-device wipe is not configured
- Device certificates are not issued

Question 203 (medium, multiple choice)

Based on the exhibit, which network redesign would best limit lateral movement between user endpoints and building systems after a workstation compromise?

Exhibit

Access switch VLAN table:
VLAN 10 - Corporate workstations - 126 devices
VLAN 10 - VoIP phones - 41 devices
VLAN 10 - Badge readers - 18 devices
VLAN 10 - Cameras - 24 devices
VLAN 20 - Guest Wi-Fi - Internet only

Incident note:
A compromised workstation was able to reach a badge reader and a camera using internal IP addresses.

Question 204 (medium, multiple choice)

Sales representatives use company-managed smartphones for email, CRM, and document access. If a phone is lost, IT must remove only the corporate apps and work data without erasing the employee's personal photos and contacts. Which control should be used?

Question 205 (hard, multi select)

A platform team runs production, staging, and developer containers on the same Kubernetes cluster. After a staging compromise, the team wants to reduce the chance of access to production secrets or lateral movement to other namespaces. Which two architecture changes are most effective? Select two.

Question 206 (hard, multi select)

A team is deploying a containerized API to a public cloud. The service must be reachable only by internal corporate applications, and secrets must not be embedded in images or readable as plaintext by administrators of the underlying host. Which two actions best fit the design? Select two.

Question 207 (hard, multi select)

A payment application must keep running if one application server fails, and the business can tolerate no more than 5 minutes of lost transactions and 30 minutes of downtime during a site outage. Which two controls best match the availability requirements? Select two.

Question 208 (hard, multi select)

A company is redesigning a three-tier customer portal. Internet users must reach only the web tier, the application tier must never be directly reachable from the internet, database traffic must flow only from the app tier, and administrators need a protected path to manage servers. Which two design choices best meet these requirements? Select two.

Question 209 (hard, multi select)

An operations team manages Linux servers over SSH. The security team wants to stop direct management access from employee laptops, reduce lateral movement if one admin endpoint is compromised, and keep a log of every administrative session. Which two design choices best fit? Select two.

Question 210 (hard, multi select)

A company distributes update packages through a web portal. Users must verify the portal's identity over the network, and the downloaded packages must be trusted even if the web server is later compromised. Which two controls best satisfy these goals? Select two.

Question 211 (hard, multi select)

A virtualization host connects to an access switch through one Ethernet link. It must carry only VLAN 30 for production VMs and VLAN 40 for management VMs. A review finds the link currently accepts every VLAN, uses VLAN 1 as the native VLAN, and a guest VLAN can accidentally be added later. Which two changes best harden the design? Select two.

Question 212 (hard, matching)

Match each design requirement to the best security architecture control. Use each control once.

Concepts:
- DMZ
- Bastion host
- Microsegmentation
- Zero Trust Network Access (ZTNA)
- Load balancer

Question 213 (hard, multi select)

A manufacturing floor uses barcode scanners and a kiosk terminal that cannot support full endpoint agents or frequent manual patching. USB storage has previously introduced malware, and the devices only need to run one approved application and reach a backend system. Which two controls best reduce risk while preserving function? Select two.

Question 214 (medium, multi select)

A security architect is designing a multi-tier web application that must meet strict compliance requirements for data confidentiality and integrity. Which three of the following security architecture principles should be applied? (Choose three.)

Question 215 (medium, multi select)

An organization is migrating its on-premises infrastructure to a hybrid cloud model. Which three of the following considerations are most important for maintaining a secure security architecture? (Choose three.)

Question 216 (medium, multi select)

A company is designing a secure industrial control system (ICS) network that must be isolated from the corporate IT network. Which three of the following architectural controls should be implemented? (Choose three.)

Question 217 (medium, multi select)

A security architect is evaluating a zero trust architecture (ZTA) for a remote workforce. Which three of the following components are essential to the implementation? (Choose three.)

Question 218 (medium, multi select)

Which four of the following are key principles of secure network architecture design that help enforce defense-in-depth? (Choose four.)

Question 219 (medium, multi select)

Which four of the following are essential considerations when designing a secure cloud architecture in a hybrid environment? (Choose four.)

Question 220 (medium, drag order)

Drag and drop the steps to implement a new firewall rule in an iptables-based Linux firewall into the correct order.

Question 221 (medium, drag order)

Drag and drop the steps for the TLS 1.3 handshake process into the correct order.
