CCNA Cloud Security Questions

75 of 95 questions · Page 1/2 · Cloud Security

1
MCQ · medium

A cloud security architect is designing a zero-trust architecture for an enterprise using AWS and Azure. They need to enforce micro-segmentation between application tiers. Which Cisco solution is most appropriate?

A. Cisco Umbrella SIG
B. Cisco Secure Firewall
C. Cisco Secure Workload
D. Cisco Secure Cloud Analytics
Answer: C

Designed for micro-segmentation in zero-trust.

Why this answer

C is correct because Cisco Secure Workload (formerly Tetration) builds micro-segmentation policy from observed application dependencies and enforces it with agents on the workloads themselves, so the same tier-to-tier policy follows the application whether it runs in AWS or Azure. A is wrong because Umbrella SIG is a cloud-delivered secure internet gateway for user-to-internet traffic, not for traffic between application tiers. B is wrong because Secure Firewall enforces at a network chokepoint; it is not a workload-centric segmentation control.

D is wrong because Secure Cloud Analytics provides visibility and threat detection from cloud flow telemetry; it observes, it does not enforce segmentation.

2
MCQ · hard

A company is connecting multiple VPCs in AWS to a shared services VPC using AWS Transit Gateway. They want to inspect east-west traffic between VPCs with a common security policy. Which design best achieves this using Cisco solutions?

A. Deploy a Cisco Firepower instance in each VPC
B. Use VPC peering with no inspection
C. Direct Connect to on-premises Cisco ASA
D. Use AWS Transit Gateway with a centralized Cisco Firepower instance for inspection
Answer: D

Centralized inspection simplifies policy management.

Why this answer

Option D is correct because AWS Transit Gateway allows you to route traffic between multiple VPCs through a centralized inspection VPC, where a Cisco Firepower instance can apply a consistent security policy to all east-west traffic. This design avoids deploying separate firewalls in each VPC and ensures that traffic between any two VPCs is inspected by a single, centrally managed policy engine.

Exam trap

Cisco often tests the misconception that deploying a firewall in each VPC (Option A) is the only way to inspect east-west traffic. The centralized model built on Transit Gateway is more scalable and keeps policy consistent, and the part candidates overlook is the routing configuration required to force traffic through the inspection VPC: the route table associated with the spoke attachments carries only a default route to the inspection VPC attachment, while the route table associated with the inspection attachment holds the routes back to every spoke.

How to eliminate wrong answers

Option A is wrong because deploying a Cisco Firepower instance in each VPC creates a distributed, per-VPC security model that is difficult to manage and does not enforce a common security policy across all east-west traffic; each VPC would require its own policy configuration and traffic would not be centrally inspected. Option B is wrong because VPC peering with no inspection provides direct connectivity between VPCs without any security appliance, meaning east-west traffic flows unmonitored and violates the requirement to inspect traffic with a common security policy. Option C is wrong because Direct Connect to an on-premises Cisco ASA forces all east-west traffic to hairpin through the on-premises network, which introduces unnecessary latency, bandwidth costs, and dependency on the on-premises link, and is not designed for native AWS VPC-to-VPC traffic inspection.
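The routing point in the exam trap is easy to get wrong, so here is an added example (not from the page, and not AWS or Cisco code) that models Transit Gateway route tables as plain dictionaries and audits whether every spoke-to-spoke path passes the inspection VPC. Attachment IDs, CIDRs and route-table contents are constructed for the example; the "broken" design is a single spoke table with direct routes, the "fixed" design is the default-route-to-inspection pattern described above.

```python
from ipaddress import ip_address, ip_network

# Constructed attachments: three spoke VPCs plus the centralized inspection VPC.
# IDs and CIDRs are assumptions for the example, not real AWS resources.
ATTACHMENTS = {
    "tgw-attach-web":     "10.1.0.0/16",
    "tgw-attach-app":     "10.2.0.0/16",
    "tgw-attach-shared":  "10.3.0.0/16",
    "tgw-attach-inspect": "10.255.0.0/16",
}
INSPECTION = "tgw-attach-inspect"

# A design = which TGW route table each attachment is associated with, plus the
# routes (destination CIDR -> target attachment) in each table.
# Broken design: spokes share a table that routes straight to each other.
BROKEN = {
    "associations": {"tgw-attach-web": "rtb-spokes", "tgw-attach-app": "rtb-spokes",
                     "tgw-attach-shared": "rtb-spokes", INSPECTION: "rtb-inspect"},
    "tables": {
        "rtb-spokes":  [("10.1.0.0/16", "tgw-attach-web"), ("10.2.0.0/16", "tgw-attach-app"),
                        ("10.3.0.0/16", "tgw-attach-shared")],
        "rtb-inspect": [("10.1.0.0/16", "tgw-attach-web"), ("10.2.0.0/16", "tgw-attach-app"),
                        ("10.3.0.0/16", "tgw-attach-shared")],
    },
}
# Fixed design: the spoke table only knows a default route to the inspection VPC;
# the inspection table (used when the firewall hands packets back) knows every spoke.
FIXED = {
    "associations": dict(BROKEN["associations"]),
    "tables": {
        "rtb-spokes":  [("0.0.0.0/0", INSPECTION)],
        "rtb-inspect": list(BROKEN["tables"]["rtb-inspect"]),
    },
}

def next_hop(design, table_id, dst_ip):
    """Longest-prefix match in one TGW route table; None when no route (blackhole)."""
    best = None
    for cidr, target in design["tables"][table_id]:
        net = ip_network(cidr)
        if ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def path(design, src_attachment, dst_ip, max_hops=4):
    """List of attachments the TGW forwards to. When the target is the inspection
    VPC, the firewall returns the packet to the TGW, which then consults the
    table associated with the inspection attachment."""
    hops, current = [], src_attachment
    for _ in range(max_hops):
        target = next_hop(design, design["associations"][current], dst_ip)
        if target is None:
            return hops + ["BLACKHOLE"]
        hops.append(target)
        if target != INSPECTION:
            return hops
        current = target
    return hops + ["LOOP"]

def audit(design):
    """Spoke pairs whose traffic reaches the destination without passing the inspection VPC."""
    spokes = [a for a in ATTACHMENTS if a != INSPECTION]
    bypass = []
    for src in spokes:
        for dst in spokes:
            if src == dst:
                continue
            probe_ip = str(ip_network(ATTACHMENTS[dst])[10])   # any host in the destination VPC
            hops = path(design, src, probe_ip)
            if INSPECTION not in hops or hops[-1] in ("BLACKHOLE", "LOOP"):
                bypass.append((src, dst))
    return bypass

if __name__ == "__main__":
    print("broken design bypasses:", audit(BROKEN))
    print("fixed design bypasses: ", audit(FIXED))
```

Two things the model leaves out but a real deployment needs: the inspection VPC's own subnet route tables must send traffic back to the Transit Gateway after the firewall, and the inspection attachment should run in appliance mode so both directions of a flow hit the same firewall in the same Availability Zone.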

3
Multi-Select · medium

A company uses Amazon Web Services (AWS) and wants to integrate with Cisco Defense Orchestrator (CDO) for centralized security management. Which THREE capabilities does CDO provide when managing AWS security services? (Choose three.)

Select 3 answers
A. Monitor AWS CloudTrail logs for security events.
B. Manage AWS Identity and Access Management (IAM) roles.
C. Deploy and manage Cisco virtual firewalls in AWS.
D. Create and modify AWS security group rules.
E. Provision and configure AWS VPC subnets.
Answers: A, C, D

Correct: CDO can ingest CloudTrail logs for analysis.

Why this answer

A is correct because Cisco Defense Orchestrator (CDO) can ingest and monitor AWS CloudTrail logs to detect security events, such as unauthorized API calls or policy violations. This integration allows CDO to correlate cloud-native audit logs with firewall events for centralized visibility and alerting, which is a key capability for cloud security management. C is correct because CDO can deploy and manage Cisco Secure Firewall Threat Defense Virtual instances in AWS with the same policies it manages elsewhere. D is correct because CDO can onboard an AWS VPC and read and edit its security group rules as managed policy. B and E are wrong because IAM roles and VPC subnets are infrastructure objects that stay with AWS-native tooling.

Exam trap

Cisco often tests the distinction between security management (CDO) and infrastructure provisioning (AWS native services), so candidates mistakenly assume CDO can manage IAM roles or VPC subnets, but CDO is strictly a security orchestration tool, not a cloud infrastructure manager.
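What "monitor CloudTrail logs for security events" looks like in practice: an added example (not CDO's code, and not from the page) that reads CloudTrail-shaped records and raises two kinds of alert, a successful call that weakens logging, and a principal accumulating authorization failures. The four records are constructed to resemble CloudTrail's JSON layout; user names, IPs and the error-code list are assumptions for the example.

```python
import json
from collections import Counter

# Constructed records in the shape of a CloudTrail JSON file (trimmed to the
# fields used here). Names, IPs and times are made up for the example.
SAMPLE = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.22",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "contractor"}},
    {"eventTime": "2024-05-01T10:00:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketPolicy", "sourceIPAddress": "198.51.100.22",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "contractor"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.22",
     "userIdentity": {"type": "IAMUser", "userName": "contractor"}},
]})

# Error codes CloudTrail records when IAM refuses a call.
DENIED_CODES = {"AccessDenied", "AccessDeniedException",
                "Client.UnauthorizedOperation", "UnauthorizedOperation"}
# Successful calls that reduce audit visibility and deserve an alert on their own.
TAMPER_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def principal(record):
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def findings(raw_json, denied_threshold=2):
    """Return alert dicts: one per successful logging-tamper call, plus one per
    principal that hit `denied_threshold` or more authorization failures."""
    alerts, denied = [], Counter()
    for rec in json.loads(raw_json)["Records"]:
        who = principal(rec)
        if rec.get("errorCode") in DENIED_CODES:
            denied[who] += 1
        elif rec["eventName"] in TAMPER_CALLS:   # no errorCode, so the call succeeded
            alerts.append({"type": "logging_tamper", "principal": who,
                           "eventName": rec["eventName"], "sourceIP": rec["sourceIPAddress"]})
    for who, n in denied.items():
        if n >= denied_threshold:
            alerts.append({"type": "repeated_denies", "principal": who, "count": n})
    return alerts

if __name__ == "__main__":
    for alert in findings(SAMPLE):
        print(alert)
```

The threshold on denies is the tunable part: a single AccessDenied is background noise in most accounts, a burst of them from one principal followed by a successful StopLogging is the pattern worth paging on.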

4
MCQ · medium

A company deploys a web application firewall (WAF) from Cisco on AWS Marketplace. They want to integrate with AWS CloudTrail for logging. What is the primary benefit?

A. Simplified compliance reporting
B. Elimination of false positives
C. Automatic WAF rule updates
D. Centralized logging of WAF events in CloudTrail
Answer: D

Enables centralized audit and monitoring.

Why this answer

Sending the events of a Cisco WAF deployed from AWS Marketplace into the same audit pipeline as AWS CloudTrail gives the security team one centralized, auditable log stream: the API activity CloudTrail records natively (who changed which rule, from where, and whether the call succeeded) next to the WAF's allowed and blocked requests, all analysed with the same tooling in CloudWatch Logs, Amazon S3 or a SIEM. Keep the division of labour straight: CloudTrail itself records AWS API calls; the WAF's request events reach that pipeline through the WAF's own logging integration.

Exam trap

The trap here is that candidates may confuse the primary benefit of CloudTrail integration (centralized logging) with secondary benefits like compliance or automation, but Cisco specifically tests the understanding that CloudTrail's core function is logging and monitoring, not rule management or false positive reduction.

How to eliminate wrong answers

Option A is wrong because simplified compliance reporting is a potential benefit of centralized logging, but it is not the primary or direct benefit of CloudTrail integration; CloudTrail provides raw event logs, not pre-built compliance reports. Option B is wrong because false positive reduction is achieved through tuning WAF rules and signatures, not through logging integration with CloudTrail. Option C is wrong because automatic WAF rule updates are managed by Cisco or the WAF service itself, not by CloudTrail, which is solely a logging and monitoring service.

5
MCQ · hard

After deploying a Cisco Cloudlock policy, a user reports that a sanctioned application (Salesforce) is being blocked for file downloads. What is the most likely cause?

A. The Salesforce API token has expired
B. The file being downloaded contains sensitive data flagged by DLP
C. The user's browser is not configured with the corporate proxy
D. The Cloudlock policy for Salesforce is set to 'Block' due to misconfiguration
Answer: D

A misconfigured policy can block sanctioned applications.

Why this answer

Option D is correct because Cloudlock policies are configured to enforce actions such as 'Allow', 'Block', or 'Monitor' on sanctioned applications like Salesforce. If a policy is misconfigured to 'Block' for file downloads, Cloudlock will intercept the API call and deny the download regardless of the file's content. This is a common administrative error when setting granular controls for cloud app activities.

Exam trap

The trap here is that candidates may assume DLP is the only reason for blocking downloads, but Cisco tests whether you understand that Cloudlock policies have explicit actions (Allow/Block/Monitor) that can be misconfigured independently of DLP rules.

How to eliminate wrong answers

Option A is wrong because an expired Salesforce API token would cause authentication failures across all API interactions, not selectively block file downloads while other operations succeed. Option B is wrong because a DLP match blocks only the specific files whose content matches a DLP rule, whereas the user reports that Salesforce file downloads are blocked as a whole, which points to the action configured on the app policy rather than to content inspection. Option C is wrong because Cloudlock operates at the API level for sanctioned apps, not via browser proxy configuration; browser proxy settings affect web traffic interception, not API-based policy enforcement.

6
MCQ · easy

A company uses Cisco Umbrella for cloud-delivered security. Users report that some websites are incorrectly blocked. The security team wants to allow a specific website temporarily while investigating. Which action should the administrator take?

A. Disable the Umbrella policy entirely.
B. Configure a Proxy Auto-Config (PAC) file to exclude the domain.
C. Create a custom policy rule to allow the specific domain.
D. Change the internal DNS servers to use a public resolver like 8.8.8.8.
Answer: C

Correct: This adds a targeted bypass without affecting other security.

Why this answer

The correct action is to create a custom policy rule to allow the specific domain. Cisco Umbrella uses policy-based rules to control DNS and web traffic; a custom allow rule overrides the default block for that domain without affecting other security settings. This provides a temporary, targeted exception while the investigation continues.

Exam trap

The trap here is that candidates may confuse PAC file configuration (a proxy bypass mechanism) with Umbrella's cloud-based policy enforcement, but PAC files only affect proxy traffic and cannot override DNS-layer filtering in Umbrella.

How to eliminate wrong answers

Option A is wrong because disabling the entire Umbrella policy removes all security controls, exposing the network to threats, which is excessive for a single domain issue. Option B is wrong because a PAC file controls proxy settings on endpoints, not Umbrella's cloud-based DNS or web filtering; it cannot bypass Umbrella's enforcement at the DNS layer. Option D is wrong because changing internal DNS servers to a public resolver like 8.8.8.8 bypasses Umbrella's DNS security entirely, breaking all cloud-delivered protection, not just for the specific domain.

7
MCQ · hard

Refer to the exhibit (report output from a Cisco Umbrella deployment; not reproduced on this page). An administrator observes that 25 DNS queries were blocked. What does this indicate?

A. Successful DNS resolution for those queries
B. Internal DNS resolution failures
C. Network congestion causing queries to timeout
D. Policy enforcement blocking malicious or unwanted domains
Answer: D

Umbrella's security policy blocks malicious domains, resulting in blocked queries.

Why this answer

The command output from a Cisco Umbrella deployment shows that 25 DNS queries were blocked. In Umbrella, DNS queries are blocked due to policy enforcement, typically when the domain being queried matches a security category (e.g., malware, phishing, command-and-control) or a custom block list. This indicates that Umbrella's cloud-delivered security policy actively prevented resolution of those 25 domains, protecting the network from malicious or unwanted content.

Exam trap

The trap here is that candidates may confuse 'blocked' with 'failed to resolve' due to network issues (like timeouts or internal DNS failures), but Cisco specifically tests that Umbrella's block count is a deliberate policy enforcement action, not a connectivity or resolution error.

How to eliminate wrong answers

Option A is wrong because a blocked DNS query means the resolution was not successful; Umbrella answers with the address of its block page instead of the real record, so the client never reaches the domain. Option B is wrong because internal DNS resolution failures (e.g., server timeout, misconfiguration) would not be logged as 'blocked' by Umbrella; Umbrella blocks based on policy, not internal infrastructure issues. Option C is wrong because network congestion causing timeouts would result in query failures or retransmissions, not a deliberate block count; Umbrella's block count specifically reflects policy-driven denials, not transport-layer timeouts.
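To make the block-versus-failure distinction concrete, here is an added example (not from the page and not Cisco's code) that parses Umbrella-style DNS log lines and separates blocked queries from resolution failures. The six lines are constructed in the shape of Umbrella's CSV DNS log export (the older ten-column layout, simplified); the identities, addresses and domains are made up, and the set of "security" categories is an assumption for the example.

```python
import csv
import io
from collections import Counter

# Constructed lines in the shape of Umbrella's CSV DNS log export (older
# ten-column layout, simplified). Identities, addresses and domains are made up.
SAMPLE_LOG = '''"2024-05-01 17:48:41","jdoe","jdoe,Branch-1","10.10.1.100","198.51.100.5","Allowed","1 (A)","NOERROR","www.example.com.","Business Services"
"2024-05-01 17:48:42","jdoe","jdoe,Branch-1","10.10.1.100","198.51.100.5","Blocked","1 (A)","NOERROR","malware.example.net.","Malware"
"2024-05-01 17:48:43","asmith","asmith,Branch-1","10.10.1.101","198.51.100.5","Blocked","1 (A)","NOERROR","login.example.org.","Phishing"
"2024-05-01 17:48:44","asmith","asmith,Branch-1","10.10.1.101","198.51.100.5","Allowed","28 (AAAA)","NOERROR","cdn.example.com.","Content Delivery"
"2024-05-01 17:48:45","jdoe","jdoe,Branch-1","10.10.1.100","198.51.100.5","Blocked","1 (A)","NOERROR","gaming.example.com.","Games"
"2024-05-01 17:48:46","jdoe","jdoe,Branch-1","10.10.1.100","198.51.100.5","Allowed","1 (A)","NXDOMAIN","typo.exmaple.com.","Uncategorized"
'''

FIELDS = ["timestamp", "identity", "identities", "internal_ip", "external_ip",
          "action", "query_type", "response_code", "domain", "categories"]

# Categories that mean "threat", as opposed to content filtering of unwanted sites.
SECURITY_CATEGORIES = {"Malware", "Phishing", "Command and Control",
                       "Cryptomining", "DNS Tunneling", "Newly Seen Domains"}

def parse(text):
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]

def summarize(records):
    blocked = [r for r in records if r["action"] == "Blocked"]
    security = [r for r in blocked
                if set(r["categories"].split(",")) & SECURITY_CATEGORIES]
    return {
        "total": len(records),
        "blocked": len(blocked),                          # the count the exhibit reports
        "security_blocks": len(security),                 # malicious destinations
        "content_blocks": len(blocked) - len(security),   # policy-unwanted, not malicious
        # Resolution failures are a different thing: logged as Allowed with NXDOMAIN.
        "nxdomain_not_blocked": sum(1 for r in records
                                    if r["response_code"] == "NXDOMAIN" and r["action"] != "Blocked"),
        "blocked_by_identity": dict(Counter(r["identity"] for r in blocked)),
        "threat_domains": sorted(r["domain"].rstrip(".") for r in security),
    }

if __name__ == "__main__":
    print(summarize(parse(SAMPLE_LOG)))
```

Note the last line of the sample: a typo'd domain that does not exist is recorded as Allowed with response code NXDOMAIN, which is the "failed to resolve" case the exam trap warns about, and it never enters the blocked count.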

8
Multi-Select · medium

A company is implementing a cloud security posture management (CSPM) solution. Which TWO of the following are primary functions of CSPM?

Select 2 answers
A. Real-time inspection of network traffic for malicious patterns.
B. Vulnerability scanning of virtual machine operating systems.
C. Managing user identities and access permissions.
D. Detection and remediation of cloud resource misconfigurations (e.g., open S3 buckets).
E. Continuous monitoring of cloud infrastructure against compliance frameworks (e.g., CIS, PCI DSS).
Answers: D, E

CSPM detects misconfigurations such as publicly accessible storage.

Why this answer

CSPM is designed to detect and remediate cloud resource misconfigurations, such as publicly accessible S3 buckets, which are a leading cause of data breaches. It continuously assesses cloud infrastructure against security best practices and compliance frameworks like CIS and PCI DSS. Unlike network-based tools, CSPM focuses on the configuration state of cloud resources rather than inspecting traffic or managing identities.

Exam trap

Cisco often tests the distinction between CSPM (configuration and compliance monitoring) and CWPP (workload protection, including vulnerability scanning and runtime security), leading candidates to incorrectly select vulnerability scanning as a CSPM function.
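The open-S3-bucket check that every CSPM product runs, written out as an added example (not from the page, and not any vendor's code). It reads bucket policy, ACL and Public Access Block documents and grades the exposure; the four buckets, the account ID and the VPC endpoint ID are constructed for the example.

```python
import json

# Constructed inputs in the shape of `get-bucket-policy`, `get-bucket-acl` and
# `get-public-access-block` results. Bucket names and the account ID are made up.
BUCKETS = [
    {"name": "logs-bucket",
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::logs-bucket/*"}]},
     "acl": {"Grants": []},
     "public_access_block": {}},                     # PAB never enabled
    {"name": "website-assets",
     "policy": None,
     "acl": {"Grants": [{"Grantee": {"Type": "Group",
                                      "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                         "Permission": "READ"}]},
     "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    {"name": "private-data",
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
          "Action": "s3:*", "Resource": "arn:aws:s3:::private-data/*"}]},
     "acl": {"Grants": []},
     "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    {"name": "partner-share",
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::partner-share/*",
          "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]},
     "acl": {"Grants": []},
     "public_access_block": {}},
]

PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(x):
    return x if isinstance(x, list) else [x]

def statement_is_public(stmt):
    """Allow + anonymous principal + no Condition. A Condition such as
    aws:SourceVpce narrows the grant, so it is not treated as public here
    (a separate check should still review how strong the condition is)."""
    if stmt.get("Effect") != "Allow":
        return False
    p = stmt.get("Principal")
    anonymous = p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))
    return anonymous and "Condition" not in stmt

def policy_is_public(policy):
    return bool(policy) and any(statement_is_public(s) for s in _as_list(policy["Statement"]))

def acl_is_public(acl):
    return any(g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS
               for g in (acl or {}).get("Grants", []))

def assess(bucket):
    """One finding per bucket with a public grant, or None. Severity drops to LOW
    when Public Access Block is fully on, because it neutralizes the grant."""
    reasons = []
    if policy_is_public(bucket.get("policy")):
        reasons.append("bucket policy grants anonymous access")
    if acl_is_public(bucket.get("acl")):
        reasons.append("ACL grants AllUsers/AuthenticatedUsers")
    if not reasons:
        return None
    neutralized = all(bucket.get("public_access_block", {}).get(k) for k in PAB_KEYS)
    return {"bucket": bucket["name"], "severity": "LOW" if neutralized else "HIGH",
            "reasons": reasons,
            "remediation": "remove the public grant" if neutralized
            else "enable all four Public Access Block settings, then remove the public grant"}

def scan(buckets=BUCKETS):
    return [f for f in map(assess, buckets) if f]

if __name__ == "__main__":
    print(json.dumps(scan(), indent=2))
```

The ordering of the remediation matters: turning on Public Access Block first stops the exposure immediately, and deleting the grant afterwards removes the latent finding. The same assessment logic applies to question 17 further down, where Cloudlock is named as the Cisco product that performs it.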

9
Multi-Select · easy

Which TWO of the following are features of Cisco Umbrella? (Choose two.)

Select 2 answers
A. Secure web gateway
B. Cloud access security broker
C. Next-generation firewall
D. Data loss prevention
E. DNS-layer security
Answers: A, E

Umbrella includes SWG capabilities.

Why this answer

Cisco Umbrella provides DNS-layer security as a core feature, which blocks requests to malicious domains before a connection is established, effectively preventing malware, phishing, and command-and-control callbacks. It also includes a Secure Web Gateway (SWG) that enforces URL filtering, application controls, and HTTPS inspection to protect users from web-based threats. These two capabilities are fundamental to Umbrella's cloud-delivered security architecture.

Exam trap

Cisco often tests the distinction between DNS-layer security and SWG as separate features of Umbrella, while tempting candidates to confuse Umbrella with a full NGFW or CASB, which are separate products in Cisco's security portfolio. Umbrella's SIG packages do bundle cloud-delivered firewall, CASB and DLP functions, but the two features that define Umbrella, and that this question keys on, are DNS-layer security and the SWG.

10
MCQ · easy

A small business uses Cisco Duo for multi-factor authentication. They want to ensure that employees accessing cloud apps from personal devices are compliant with device security policies. Which Duo feature should they use?

A. Duo Mobile
B. Duo Device Health
C. Duo Network Gateway
D. Duo Access Gateway
Answer: B

Checks device compliance.

Why this answer

B is correct because Duo Device Health (the Duo Desktop application) checks the device's security posture at login (OS version, disk encryption, firewall, screen lock, presence of security agents) and lets the access policy block devices that fail, which is exactly what is needed for personal devices reaching cloud apps. A is wrong because Duo Mobile is the authenticator app that delivers push and passcode second factors. C is wrong because Duo Network Gateway provides remote access to internal web applications and SSH hosts without a VPN.

D is wrong because Duo Access Gateway was Duo's SSO gateway for SAML applications, not a device posture check.

11
MCQ · hard

A DevOps team is deploying microservices in Azure Kubernetes Service (AKS). They need to enforce inter-container communication policies based on labels. Which Cisco solution provides micro-segmentation for containers in AKS?

A. Cisco Firepower
B. Cisco ACI
C. Cisco ISE
D. Cisco Secure Workload
Answer: D

Secure Workload provides micro-segmentation and visibility for containers.

Why this answer

Cisco Secure Workload (formerly Tetration) is the correct solution because it provides micro-segmentation for containers in Azure Kubernetes Service (AKS) by enforcing inter-container communication policies based on labels. It integrates with the Kubernetes API to discover pods, services and their labels, generates label-based policy, and the enforcement agent on each node programs the host firewall (iptables/ipset on Linux) to permit or drop pod-to-pod traffic, without modifying the application.

Exam trap

Cisco often tests the distinction between network-level micro-segmentation (ACI) and workload-level micro-segmentation (Secure Workload), so the trap here is assuming ACI can natively enforce Kubernetes label-based policies, when in fact Secure Workload is the only option that directly integrates with Kubernetes labels for container micro-segmentation in AKS.

How to eliminate wrong answers

Option A is wrong because Cisco Firepower is a next-generation firewall (NGFW) designed for perimeter and network-layer security, not for container-level micro-segmentation within Kubernetes clusters; it cannot enforce policies based on Kubernetes labels. Option B is wrong because Cisco ACI (Application Centric Infrastructure) is a data center networking solution that provides micro-segmentation at the network fabric level using endpoint groups (EPGs), but it is not designed for container-native label-based policies in AKS and requires integration with a container networking interface (CNI) plugin, not direct Kubernetes label enforcement. Option C is wrong because Cisco ISE (Identity Services Engine) is a network access control (NAC) and policy management platform for user and device authentication on wired/wireless networks, not for container workload segmentation; it does not understand Kubernetes labels or container runtime contexts.

12
Drag & Drop · medium

Drag and drop the steps to configure a Cisco ISE as a RADIUS server for network access control into the correct order.

Order

1. Add the network access device (NAS) to ISE, with the RADIUS shared secret the switch or controller will use.
2. Define the identity source (ISE internal users or an external store such as Active Directory).
3. Create the authentication policy that selects that identity source for the RADIUS requests.
4. Create the authorization policy that returns the access result (VLAN, downloadable ACL, or deny).
5. Test with a client and confirm the outcome in ISE.

Why this order

ISE only accepts RADIUS requests from a NAS it knows, so the device and its shared secret come first; the identity source must exist before an authentication policy can reference it; authorization is evaluated only after authentication succeeds; and testing comes last, once every stage is in place.

13
MCQ · medium

A company is deploying a cloud-native application using microservices on AWS. They need to ensure that inter-service communication is encrypted and authenticated. The security team wants to use mutual TLS (mTLS) without managing individual certificates. Which solution should they implement?

A. Use AWS IAM roles for each microservice to authenticate via AWS Signature Version 4.
B. Store certificates in AWS Secrets Manager and configure sidecar proxies to retrieve them.
C. Deploy AWS CloudHSM to generate keys and certificates for each microservice.
D. Use AWS Certificate Manager Private CA with a service mesh (e.g., Istio) to issue and rotate certificates for each service.
Answer: D

ACM Private CA can issue certificates for mTLS, and service mesh can automate certificate distribution.

Why this answer

Option D is correct because AWS Certificate Manager Private CA can integrate with a service mesh like Istio to automatically issue, distribute, and rotate mTLS certificates for each microservice. This eliminates the need for manual certificate management while ensuring encrypted and authenticated inter-service communication via mutual TLS.

Exam trap

Cisco often tests the distinction between authentication mechanisms (IAM SigV4 vs. mTLS) and automation requirements, leading candidates to choose a manual certificate storage solution (like Secrets Manager) instead of an integrated PKI and service mesh approach.

How to eliminate wrong answers

Option A is wrong because AWS IAM roles and Signature Version 4 are used for signing HTTP requests to AWS APIs, not for encrypting or authenticating inter-service communication at the transport layer with mTLS. Option B is wrong because storing certificates in AWS Secrets Manager and having sidecar proxies retrieve them still requires manual certificate generation, renewal, and distribution, which does not meet the requirement of 'without managing individual certificates'. Option C is wrong because AWS CloudHSM provides hardware security module (HSM) capabilities for key generation and storage, but it does not automate certificate issuance, rotation, or distribution for microservices; it also requires significant operational overhead to manage certificates.

14
MCQ · hard

A company has a hybrid cloud environment with workloads in AWS and Azure, and an on-premises data center. They use Cisco Tetration for micro-segmentation and Cisco CloudCenter for orchestration. Recently, they deployed a new multi-tier application in AWS: a web tier, an application tier, and a database tier, all across multiple Availability Zones. After deployment, the application is unreachable. The security team reviews Tetration policies and finds that a policy is in place to allow traffic between tiers, but the web tier cannot communicate with the application tier. The Tetration agent status shows all agents are healthy. The administrator checks the AWS security groups and notices that the web tier's security group allows inbound HTTP from 0.0.0.0/0, but the application tier's security group does not allow inbound traffic from the web tier's subnet. The application tier's security group only allows inbound traffic from the on-premises CIDR block in error. The network team requests a fix that does not impact other ongoing audits. What should the administrator do?

A. Redeploy the application using Cisco CloudCenter to ensure proper security group association.
B. Configure Tetration to use 'full enforcement' mode for all policies, which overrides AWS security groups.
C. Update the AWS security group for the application tier to allow inbound traffic from the web tier's subnet.
D. Remove the Tetration policy for the application tier to allow all traffic.
Answer: C

Correct: This directly fixes the misconfigured security group blocking traffic.

Why this answer

Option C is correct because the root cause is that the AWS security group for the application tier is misconfigured to only allow inbound traffic from the on-premises CIDR block, rather than from the web tier's subnet. Cisco Tetration enforces micro-segmentation policies at the host level via agents, but it does not override or bypass native cloud security groups; both layers must permit the traffic. Updating the security group to allow inbound traffic from the web tier's subnet resolves the connectivity issue without affecting other audits, as it is a targeted, non-disruptive change.

Exam trap

Cisco often tests the misconception that Tetration's micro-segmentation policies can override or bypass cloud-native security groups, when in fact both layers must be correctly configured for traffic to flow.

How to eliminate wrong answers

Option A is wrong because redeploying the application with Cisco CloudCenter would not fix the existing security group misconfiguration; CloudCenter orchestrates deployment but does not automatically correct security group rules that were manually set or incorrectly applied. Option B is wrong because Tetration's 'full enforcement' mode enforces policies at the host level via agents, but it cannot override or bypass AWS security groups, which are enforced at the hypervisor/network level before traffic reaches the instance. Option D is wrong because removing the Tetration policy would disable micro-segmentation for the application tier, potentially exposing it to unauthorized traffic, and would not address the underlying security group misconfiguration that blocks legitimate inter-tier traffic.
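The "both layers must permit" rule, as an added example (not from the page, and not AWS or Cisco code): a small evaluator for security-group inbound rules, the application-tier group as the scenario describes it, the one-rule fix from Option C, and a check that combines the cloud layer with the host-level policy verdict. The subnet CIDRs, group IDs and the port (TCP/8080) are assumptions for the example; the rule documents are constructed in the shape of `describe-security-groups` output.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing for the example: these values are not from the question.
WEB_SUBNET = "10.0.1.0/24"       # web tier subnet
ON_PREM_CIDR = "192.168.0.0/16"  # on-premises range wrongly used in the app tier SG
WEB_SG_ID = "sg-web"

def sg_allows_inbound(sg, src_ip, port, proto="tcp", src_sg=None):
    """Security groups are allow-lists with no deny rules: the flow passes when
    any inbound rule matches protocol, port and source (CIDR or referenced SG)."""
    for rule in sg.get("IpPermissions", []):
        if rule["IpProtocol"] not in (proto, "-1"):
            continue
        if rule["IpProtocol"] != "-1" and not (rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)):
            continue
        if any(ip_address(src_ip) in ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
            return True
        if src_sg and any(p["GroupId"] == src_sg for p in rule.get("UserIdGroupPairs", [])):
            return True
    return False

# Constructed in the shape of `describe-security-groups` output: the app tier SG
# as found, admitting TCP/8080 only from the on-premises range.
APP_SG_AS_FOUND = {"GroupId": "sg-app", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [{"CidrIp": ON_PREM_CIDR}], "UserIdGroupPairs": []}]}

def fixed_app_sg(sg):
    """The targeted change from Option C: one additional rule for the web tier.
    Referencing the web tier's SG is preferred to a CIDR because it keeps working
    when web instances move subnets or AZs; both forms are shown in one rule."""
    extra = {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [{"CidrIp": WEB_SUBNET}], "UserIdGroupPairs": [{"GroupId": WEB_SG_ID}]}
    return {"GroupId": sg["GroupId"], "IpPermissions": sg["IpPermissions"] + [extra]}

def flow_permitted(host_policy_allows, sg, src_ip, port, src_sg=None):
    """The packet reaches the application only if BOTH layers permit it: the
    cloud security group (enforced before the instance sees the packet) and the
    host-level micro-segmentation policy enforced by the workload agent."""
    return host_policy_allows and sg_allows_inbound(sg, src_ip, port, src_sg=src_sg)

if __name__ == "__main__":
    web_ip = "10.0.1.25"
    print("as found:", flow_permitted(True, APP_SG_AS_FOUND, web_ip, 8080))
    print("fixed:   ", flow_permitted(True, fixed_app_sg(APP_SG_AS_FOUND), web_ip, 8080))
```

The as-found group is not "broken", it simply allows the wrong source; that is why the Tetration console showed a permitting policy while the packets never arrived, and why the fix is one additive rule rather than a redeploy or a change to the enforcement mode.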

15
Multi-Select · medium

A security team is evaluating cloud security solutions. Which TWO of the following are core capabilities of a Cloud Access Security Broker (CASB)?

Select 2 answers
A. Provisioning and de-provisioning of cloud resources
B. Container image scanning
C. Shadow IT discovery and visibility
D. Intrusion prevention for virtual machines
E. Data loss prevention (DLP) for cloud applications
Answers: C, E

CASBs provide discovery of unauthorized cloud applications.

Why this answer

Option C is correct because Shadow IT discovery and visibility is a core CASB capability. CASBs discover unsanctioned cloud applications (Shadow IT) by analyzing network traffic logs, API integrations, or proxy data to identify cloud services used without IT approval, providing visibility into usage, risk posture, and user activity. Option E is correct because DLP for cloud applications is the other core CASB function: the CASB inspects content stored in or shared through sanctioned SaaS apps (through their APIs) and, in proxy mode, content in transit, then applies actions such as alert, quarantine or block.

Exam trap

Cisco often tests the distinction between CASB capabilities (focused on cloud application security, DLP, and Shadow IT) and other security domains like cloud workload protection (CWPP) or cloud infrastructure security, leading candidates to confuse VM or container security features with CASB functions.

16
Multi-Select · medium

A company is migrating critical workloads to AWS and wants to ensure secure connectivity between their on-premises network and the VPC. Which TWO actions should be taken to meet this requirement?

Select 2 answers
A. Attach an internet gateway to the VPC and allow all inbound traffic.
B. Configure a security group that allows all traffic from the on-premises network.
C. Provision an AWS Direct Connect connection for a private, dedicated link.
D. Use security groups to allow traffic from the on-premises IP range.
E. Deploy an AWS Site-to-Site VPN connection using IPsec.
Answers: C, E

Direct Connect provides a private, low-latency connection bypassing the internet.

Why this answer

Option C is correct because AWS Direct Connect provides a private, dedicated network link from on-premises to AWS, bypassing the public internet for consistent latency, higher bandwidth, and enhanced security. This meets the requirement for secure connectivity during a critical workload migration. Option E is correct because an AWS Site-to-Site VPN carries on-premises traffic to the VPC inside IPsec tunnels, so it stays encrypted and authenticated even though it crosses the public internet; it is also the usual backup path alongside Direct Connect, whose private link is not encrypted by itself.

Exam trap

Cisco often tests the misconception that security groups or network ACLs alone can provide secure connectivity, when in fact they are only access control mechanisms that require an underlying transport (VPN or Direct Connect) to establish the link.

17
MCQ · easy

A company is implementing cloud security posture management (CSPM). Which Cisco product provides CSPM capabilities?

A. Cisco Tetration
B. Cisco Firepower
C. Cisco ISE
D. Cisco Cloudlock
Answer: D

Cloudlock provides CSPM and CASB capabilities.

Why this answer

Cisco Cloudlock is the correct answer because it is Cisco's cloud-native cloud security posture management (CSPM) solution. It continuously monitors cloud infrastructure (e.g., AWS, Azure, GCP) for misconfigurations, compliance violations, and security risks, providing automated remediation and visibility into cloud security posture. This directly aligns with the CSPM use case described in the question.

Exam trap

Cisco often tests the distinction between network security products (Firepower, ISE) and cloud-native security tools (Cloudlock), so the trap here is assuming that a well-known network security product like Firepower or ISE can also handle cloud posture management, when in fact CSPM requires a dedicated cloud-integrated solution like Cloudlock.

How to eliminate wrong answers

Option A is wrong because Cisco Tetration is a workload security and micro-segmentation platform (for on-premises and cloud workloads alike), not a cloud security posture management tool; it focuses on application dependency mapping and zero-trust segmentation, not cloud configuration monitoring. Option B is wrong because Cisco Firepower is a next-generation firewall (NGFW) and intrusion prevention system (IPS) for network security, not a CSPM solution; it does not provide cloud-native posture assessment or compliance monitoring. Option C is wrong because Cisco ISE (Identity Services Engine) is a network access control (NAC) and policy enforcement platform for on-premises networks, not a cloud security posture management tool; it handles authentication, authorization, and guest access, not cloud configuration auditing.

18
MCQ · hard

A security team is troubleshooting an incident where a compromised application running in a Kubernetes cluster on AWS EKS is being used to exfiltrate data to an external IP. They have deployed Cisco Secure Workload. How would the agent on the container report the exfiltration attempt?

A. By creating a violation for a policy that denies egress to unknown IPs
B. By generating a syslog alert for outbound traffic
C. By sending a NetFlow export to the controller
D. By blocking the traffic automatically and terminating the pod
Answer: A

Policy violation is the standard reporting mechanism.

Why this answer

Cisco Secure Workload uses a policy-based enforcement model where agents enforce micro-segmentation rules. When a container attempts egress to an external IP not permitted by an explicit allow policy, the agent creates a violation event for the deny rule that blocks unknown destinations. This violation is the primary reporting mechanism for policy violations, including exfiltration attempts.

Exam trap

Cisco often tests the distinction between reporting mechanisms (violation events) and data-plane telemetry (NetFlow, syslog), expecting candidates to know that Secure Workload's primary incident reporting is through policy violation events, not traditional logging or flow exports.

How to eliminate wrong answers

Option B is wrong because Cisco Secure Workload does not rely on syslog for reporting policy violations; it uses its own violation event system and API, not generic syslog alerts. Option C is wrong because NetFlow is a flow-level telemetry protocol used for traffic analysis, not for reporting policy violations; Secure Workload agents do not export NetFlow to the controller. Option D is wrong because Secure Workload can enforce policies to block traffic, but it does not automatically terminate pods; that action would require integration with Kubernetes admission controllers or separate automation.
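One evaluator serves both question 11 (label-based allow rules between containers) and this question (egress to an address no rule permits, recorded as a violation under default deny). It is an added example, not from the page and not Secure Workload's code; the rule syntax is our own, and the workloads, labels, pod addresses and flow records are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Workload:
    name: str
    ip: str
    labels: dict

@dataclass
class Rule:
    """Allow from workloads matching `src` to in-cluster workloads matching `dst`,
    or to external addresses inside `dst_cidrs`, on the listed ports.
    Anything not allowed by a rule is denied and recorded as a violation."""
    name: str
    src: dict
    ports: tuple
    dst: dict = field(default_factory=dict)
    dst_cidrs: tuple = ()

# Constructed cluster: pod IPs and labels are made up for the example.
WORKLOADS = [
    Workload("web-1", "10.244.1.10", {"app": "shop", "tier": "web"}),
    Workload("api-1", "10.244.2.20", {"app": "shop", "tier": "api"}),
    Workload("db-1",  "10.244.3.30", {"app": "shop", "tier": "db"}),
]
# Constructed label-based policy (our own rule syntax, not Secure Workload's).
RULES = [
    Rule("web-to-api", src={"tier": "web"}, ports=(8080,), dst={"tier": "api"}),
    Rule("api-to-db",  src={"tier": "api"}, ports=(5432,), dst={"tier": "db"}),
    Rule("api-to-payment-gw", src={"tier": "api"}, ports=(443,), dst_cidrs=("203.0.113.0/24",)),
]

def matches(selector, labels):
    return all(labels.get(k) == v for k, v in selector.items())

def find_workload(ip, workloads):
    return next((w for w in workloads if w.ip == ip), None)

def evaluate(src_ip, dst_ip, port, rules=RULES, workloads=WORKLOADS):
    """('ALLOW', rule name) or ('VIOLATION', details); default deny."""
    src = find_workload(src_ip, workloads)
    if src is None:
        return ("VIOLATION", {"src": src_ip, "dst": dst_ip, "port": port,
                              "reason": "unknown source workload"})
    dst = find_workload(dst_ip, workloads)
    for rule in rules:
        if port not in rule.ports or not matches(rule.src, src.labels):
            continue
        if dst is not None and rule.dst and matches(rule.dst, dst.labels):
            return ("ALLOW", rule.name)
        if dst is None and any(ip_address(dst_ip) in ip_network(c) for c in rule.dst_cidrs):
            return ("ALLOW", rule.name)
    return ("VIOLATION", {"src": src.name, "dst": dst.name if dst else dst_ip, "port": port,
                          "reason": "no allow rule matched (default deny)"})

# Constructed flow records: (src_ip, dst_ip, dst_port). The last one is the
# exfiltration attempt from the question: egress to an address no rule permits.
FLOWS = [
    ("10.244.1.10", "10.244.2.20", 8080),
    ("10.244.2.20", "10.244.3.30", 5432),
    ("10.244.1.10", "10.244.3.30", 5432),
    ("10.244.2.20", "203.0.113.9", 443),
    ("10.244.2.20", "198.51.100.77", 443),
]

def violations(flows=FLOWS):
    return [detail for f in flows for verdict, detail in [evaluate(*f)] if verdict == "VIOLATION"]

if __name__ == "__main__":
    for f in FLOWS:
        print(f, "->", evaluate(*f))
```

The violation record is the reportable event: it names the workload (not just an IP), the destination and the port, which is what an analyst needs to decide whether the api tier talking to an unknown address is a new dependency or an exfiltration channel. Terminating the pod is a separate response action, not part of the evaluation.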

19
MCQ · medium

A company is migrating a web application to AWS and wants to protect against DDoS attacks at the application layer. Which Cisco security solution should they deploy?

A. Cisco Umbrella
B. Cisco WAF (Web Application Firewall)
C. Cisco Firepower NGFW
D. Cisco Stealthwatch
Answer: B

Cisco WAF protects web applications from application-layer DDoS attacks.

Why this answer

A Web Application Firewall (WAF) is the correct solution because it inspects and filters HTTP/HTTPS traffic at the application layer (Layer 7), protecting against HTTP floods and other Layer 7 DDoS as well as injection attacks such as SQL injection and cross-site scripting. A WAF can rate-limit requests per client, challenge or block malicious payloads, and enforce a positive security model, which is what mitigates application-layer DDoS. A Cisco WAF deployed in front of the application on AWS (alone or alongside AWS WAF) directly addresses the requirement to protect the migrated web application against Layer 7 attacks.

Exam trap

The trap here is that candidates often confuse a network-layer DDoS mitigation solution (like Firepower NGFW or Umbrella) with an application-layer WAF, failing to recognize that only a WAF provides the deep HTTP inspection and rate-limiting needed for Layer 7 attacks.

How to eliminate wrong answers

Option A is wrong because Cisco Umbrella is a cloud-delivered DNS-layer security solution that protects against malicious domains and phishing, but it does not inspect application-layer HTTP traffic or mitigate DDoS attacks at Layer 7. Option C is wrong because Cisco Firepower NGFW is a network firewall that operates primarily at Layers 3 and 4, with some Layer 7 capabilities via IPS, but it is not optimized for web application-specific DDoS mitigation and lacks the granular HTTP inspection and rate-limiting features of a dedicated WAF. Option D is wrong because Cisco Stealthwatch is a network visibility and analytics tool that uses NetFlow/IPFIX to detect anomalies and threats, but it does not actively block or mitigate application-layer DDoS attacks; it is a detection-only solution.
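The per-client rate limiting a WAF applies against an HTTP flood, as an added example (not from the page, and not any vendor's code). A sliding-window limiter is keyed by client address, with a stricter limit on the login endpoint than on the rest of the site; the rule thresholds and the three request streams are constructed for the example.

```python
from collections import Counter, defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds per key (e.g. client IP)."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)   # key -> timestamps of allowed requests

    def check(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return "BLOCK"
        q.append(now)
        return "ALLOW"

# Assumed WAF rules for the example: (path prefix, limit, window seconds).
# First match wins, so the stricter login rule must come before the catch-all.
RULES = [("/login", 5, 60), ("/", 100, 10)]

class RateLimitingWaf:
    def __init__(self, rules):
        self.limiters = [(prefix, SlidingWindowLimiter(limit, window))
                         for prefix, limit, window in rules]

    def handle(self, req):
        for prefix, limiter in self.limiters:
            if req["path"].startswith(prefix):
                return limiter.check(req["ip"], req["t"])
        return "ALLOW"

def constructed_traffic():
    """Made-up request stream: one HTTP-flood source, one normal user, one
    password-spraying source against /login. Addresses are documentation ranges."""
    reqs = [{"ip": "203.0.113.50", "path": "/", "t": i * 0.005} for i in range(200)]      # 200 req/s
    reqs += [{"ip": "198.51.100.10", "path": "/", "t": i * 0.5} for i in range(20)]       # 2 req/s
    reqs += [{"ip": "203.0.113.51", "path": "/login", "t": i * 3.0} for i in range(10)]   # 1 per 3 s
    return sorted(reqs, key=lambda r: r["t"])

def simulate(rules=RULES, requests=None):
    """Per-client counts of ALLOW/BLOCK decisions over the request stream."""
    waf = RateLimitingWaf(rules)
    counts = defaultdict(Counter)
    for req in requests or constructed_traffic():
        counts[req["ip"]][waf.handle(req)] += 1
    return {ip: dict(c) for ip, c in counts.items()}

if __name__ == "__main__":
    for ip, c in simulate().items():
        print(ip, c)
```

Keying on the client address alone is the weak point against a distributed flood, where each source stays under the limit; production WAFs add per-session, per-token and challenge-based controls for that case, but the window logic above is the same.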

20
MCQ · hard

An enterprise migrated its e-commerce application to AWS. They use Cisco Secure Workload (Tetration) for microsegmentation. After enabling enforcement, legitimate traffic between the web tier and database tier is being blocked. The security team verified that the policy allows the traffic based on labels. The Tetration console shows the enforcement mode as 'active blocking'. The database server is in a different VPC, and the web server is in a public subnet. The agents are running on both workloads and report correctly. Which configuration step is most likely missing?

A.The cloud connector (e.g., AWS cloud connector) is not configured
B.The enforcement scope does not include the VPC peering connection
C.The application dependency mapping needs to be refreshed
D.The agents on the database server are not running
AnswerA

Cloud connector provides metadata that allows Tetration to understand cloud networking and apply policies correctly across VPCs.

Why this answer

Cisco Secure Workload (Tetration) relies on cloud connectors to synchronize cloud infrastructure metadata (e.g., VPCs, subnets, instances) and enforce microsegmentation policies across VPC boundaries. Without a configured AWS cloud connector, Tetration cannot discover or enforce policies on resources in a different VPC, even if agents are running and labels are correctly assigned. The 'active blocking' enforcement mode indicates the policy is being applied, but the missing connector prevents the policy from being properly mapped to the database server in the separate VPC, causing legitimate traffic to be blocked.

Exam trap

Cisco often tests the misconception that agents alone are sufficient for policy enforcement across VPCs, when in fact the cloud connector is required to bridge the cloud infrastructure metadata gap.

How to eliminate wrong answers

Option B is wrong because enforcement scopes in Tetration are defined by inventory filters on labels, not by VPC peering connections; peering is a network-layer construct that Tetration neither manages nor needs for host-based enforcement. Option C is wrong because application dependency mapping is used for visibility and policy recommendation, not for the active enforcement of existing policies; refreshing it would not restore labels that a missing cloud connector never supplied. Option D is wrong because the question explicitly states that agents are running on both workloads and report correctly, so the agents are not the problem.

21
MCQmedium

An engineer is designing a cloud security solution using Cisco SD-WAN with cloud on-ramp. They want to ensure that traffic to a specific IaaS provider is inspected by the Cisco Umbrella SIG. Which configuration is necessary on the SD-WAN edge?

A.Configure a service insertion policy for the cloud security provider
B.Apply a DNS security policy
C.Set up a site-to-site VPN to the IaaS
D.Enable direct internet access for the branch
AnswerA

Service insertion redirects traffic to the cloud security service for inspection.

Why this answer

To direct specific traffic to Cisco Umbrella SIG for cloud security inspection, you configure a service insertion policy on the SD-WAN edge. The policy matches traffic on criteria such as the IaaS provider's destination prefixes and steers it into the automatically built IPsec or GRE tunnel to the nearest Umbrella data center, where the SIG applies its secure web gateway, cloud firewall and CASB controls. Without the policy the SD-WAN edge forwards the traffic along its normal path and Umbrella never sees it.

Exam trap

Cisco often tests the distinction between DNS-layer security (Umbrella DNS) and full proxy-based SIG inspection; candidates mistakenly think DNS security alone provides the same traffic inspection as a service insertion policy.

How to eliminate wrong answers

Option B is wrong because DNS security policy only enforces DNS-layer filtering (e.g., blocking malicious domains) but does not redirect traffic to Umbrella SIG for full HTTP/HTTPS inspection. Option C is wrong because a site-to-site VPN to the IaaS provider would send traffic directly to the IaaS without passing through Umbrella SIG, bypassing cloud security inspection. Option D is wrong because enabling direct internet access (DIA) for the branch allows traffic to exit locally without being steered to the cloud security service; DIA alone does not enforce SIG inspection.

22
MCQhard

An organization uses AWS with a VPC and wants to inspect all traffic between instances in the same subnet using Cisco Firepower. What must be implemented?

A.Configure VPC Endpoints to route traffic through Firepower
B.AWS Traffic Mirroring to send traffic to a Firepower appliance
C.Use AWS Security Groups and log to Firepower
D.Deploy Firepower as a transparent bridge in the subnet
AnswerB

Traffic Mirroring copies packets to Firepower for east-west inspection.

Why this answer

AWS Traffic Mirroring copies packets from selected Elastic Network Interfaces (ENIs) and forwards the copies, encapsulated in VXLAN, to a mirror target such as the ENI of a Cisco Firepower instance or a Network Load Balancer in front of several of them. This gives visibility into all traffic between instances in the same subnet without touching the route table. Inline insertion is not an option here: traffic between two instances in one subnet is delivered by the VPC's local route, which cannot be overridden to push it through an appliance. Because Firepower receives a copy, it operates passively in this design (IDS-style detection, logging and alerting); it cannot drop the original packets, so blocking still has to come from security groups, NACLs or an inline firewall at a subnet or VPC boundary. Option B is correct because Traffic Mirroring is the native AWS feature built for out-of-band inspection.

Exam trap

Cisco often tests the misconception that you can deploy a transparent bridge or inline firewall inside a VPC subnet. AWS does not expose Layer 2, so there is nothing to bridge, and the local route cannot be redirected; for traffic that never leaves the subnet, Traffic Mirroring is the mechanism for out-of-band inspection.

How to eliminate wrong answers

Option A is wrong because VPC endpoints privately connect a VPC to supported AWS services (e.g., S3, DynamoDB) or to PrivateLink services; they do not steer instance-to-instance traffic through a security appliance. Option C is wrong because security groups are stateful instance-level filters that produce no logs of their own and cannot export traffic to an external appliance; VPC Flow Logs, a separate feature, record flow metadata (5-tuple, byte counts, accept/reject), not packet contents. Option D is wrong because a transparent bridge needs Layer 2 adjacency, which an AWS VPC does not provide; the VPC is a Layer 3 overlay, and you cannot insert a bridging appliance between two instances in the same subnet.

23
MCQhard

A cloud operations team reports that after enabling Cisco Secure Cloud Analytics (CSCA) for an AWS account, some legitimate traffic is being flagged as suspicious. The team has fine-tuned the ML models but false positives persist. Which additional step should they take?

A.Disable ML-based detection
B.Increase the severity threshold
C.Customize alert rules based on known good behavior
D.Deploy additional sensors in VPC subnets
AnswerC

Whitelists known good traffic to reduce false positives.

Why this answer

C is correct because Cisco Secure Cloud Analytics (CSCA) uses machine learning to establish a baseline of normal traffic behavior. When false positives persist despite fine-tuning ML models, the next logical step is to customize alert rules to explicitly whitelist known good behavior, such as trusted IP ranges or specific application flows. This reduces noise without disabling detection or lowering sensitivity, and it directly addresses the root cause: legitimate traffic that deviates from the baseline but is actually benign.

Exam trap

The trap here is that candidates often confuse 'fine-tuning ML models' with 'adjusting alert thresholds' or 'adding more sensors,' when the correct approach is to use explicit whitelisting via custom alert rules to suppress false positives without compromising detection fidelity.

How to eliminate wrong answers

Option A is wrong because disabling ML-based detection would remove the core anomaly detection capability of CSCA, leaving the environment blind to real threats and defeating the purpose of the deployment. Option B is wrong because raising the severity threshold only hides lower-severity alerts; it does not make the detections more accurate, and it risks suppressing genuine alerts along with the false positives. Option D is wrong because deploying additional sensors in VPC subnets would increase visibility into network traffic but does not address the false positive issue; false positives are a tuning problem, not a coverage problem.

24
MCQmedium

An organization uses Cisco Umbrella to secure remote users. The security team wants to ensure that all DNS queries from endpoints are forwarded to Umbrella even when users are off the corporate network. Which deployment method achieves this?

A.Configure a network-based proxy
B.Use a PAC file to redirect traffic
C.Use BGP injection to advertise Umbrella IPs
D.Deploy the Cisco Umbrella Roaming Client on endpoints
AnswerD

Roaming client ensures off-net DNS forwarding.

Why this answer

The Cisco Umbrella Roaming Client (the same function is delivered by the Umbrella roaming security module of Cisco Secure Client, formerly AnyConnect) is specifically designed to enforce DNS security on endpoints regardless of their network location. It takes over the host's DNS settings, listens on the loopback address and forwards every query to Umbrella's cloud resolvers tagged with the device's identity, so per-device policy is applied even when the user is off the corporate network. This method does not rely on network-level configurations that are ineffective for remote users.

Exam trap

Cisco often tests the distinction between network-level controls (proxy, BGP) and endpoint-level controls (roaming client), leading candidates to incorrectly choose a network-based solution for remote users who are not on the corporate network.

How to eliminate wrong answers

Option A is wrong because a network-based proxy requires traffic to be routed through a central proxy server, which is not feasible for remote users who are not connected to the corporate network. Option B is wrong because a PAC file directs web traffic to a proxy based on URL patterns but does not enforce DNS forwarding to Umbrella; it only affects HTTP/HTTPS traffic, not all DNS queries. Option C is wrong because BGP injection is a routing technique used to influence traffic paths at the network level, typically for on-premises or data center environments, and cannot be applied to individual remote endpoints.

25
MCQmedium

Refer to the exhibit. A Cisco ASA firewall is deployed in a cloud environment. After applying this ACL to an interface, users report that they cannot access cloud instances from on-premises. What is the most likely cause?

A.The ACL allows all traffic but users need NAT
B.The ACL is applied to the wrong interface
C.The ACL blocks all RFC 1918 private addresses, which may include the cloud VPC CIDR
D.The ACL permits only private addresses
AnswerC

Cloud VPCs often use private IP ranges, which are denied.

Why this answer

Option C is correct because the ACL in the exhibit denies the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Cloud VPCs are almost always addressed from those ranges, so if the VPC CIDR falls inside a denied range the ACL drops on-premises traffic destined for the cloud instances. ASA evaluates an ACL top-down and the first matching entry wins, so the fix is an explicit permit for the VPC CIDR placed above the RFC 1918 denies, not removal of the denies.

Exam trap

The trap here is that candidates assume RFC 1918 blocks are safe for cloud environments, but cloud VPCs frequently use these private ranges, so blocking them breaks connectivity to cloud instances.

How to eliminate wrong answers

Option A is wrong because NAT is not required for traffic that is already routed correctly; the issue is an ACL blocking traffic, not a lack of NAT. Option B is wrong because the question states the ACL was applied to an interface, and there is no indication it was applied to the wrong interface; the problem is the ACL content, not its placement. Option D is wrong because the ACL does not permit only private addresses; it explicitly denies RFC 1918 addresses, which is the opposite of permitting them.
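As an added illustration of why the ordering matters (example code written for this page, not Cisco's; the exhibit itself is not reproduced here, so the ACL lines, the VPC range 10.20.0.0/16 and the addresses are assumed), the following Python models ASA first-match evaluation of an extended ACL: the RFC 1918 denies catch the VPC CIDR, and the fix is an explicit permit for the VPC range placed above the denies.

```python
from ipaddress import ip_address, ip_network

# Constructed ASA-style extended ACL (assumed config; the page's exhibit is not
# reproduced). ASA evaluates ACEs top-down, first match wins, implicit deny at end.
ACL_BEFORE = """\
access-list CLOUD_OUT extended deny ip any 10.0.0.0 255.0.0.0
access-list CLOUD_OUT extended deny ip any 172.16.0.0 255.240.0.0
access-list CLOUD_OUT extended deny ip any 192.168.0.0 255.255.0.0
access-list CLOUD_OUT extended permit ip any any
"""

# Fix: an explicit permit for the (assumed) VPC CIDR 10.20.0.0/16 placed ABOVE
# the RFC 1918 denies so that it matches first.
ACL_AFTER = (
    "access-list CLOUD_OUT extended permit ip any 10.20.0.0 255.255.0.0\n"
    + ACL_BEFORE
)


def _parse_addr(tokens, i):
    """Parse an ASA address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts dotted netmasks after the slash, e.g. 10.0.0.0/255.0.0.0
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return a list of (action, protocol, src_net, dst_net) in ACL order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
            raise ValueError(f"unsupported ACE: {line}")
        action, proto = t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, _ = _parse_addr(t, i)
        aces.append((action, proto, src, dst))
    return aces


def evaluate(aces, src_ip, dst_ip, proto="ip"):
    """First-match lookup; returns (action, 1-based ACE number) or ('deny', None)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for n, (action, p, src, dst) in enumerate(aces, 1):
        if p in ("ip", proto) and s in src and d in dst:
            return action, n
    return "deny", None  # implicit deny at the end of every ASA ACL


def check(acl_text, src_ip, dst_ip):
    """Parse and evaluate in one step; used by the tests and the demo below."""
    return evaluate(parse_acl(acl_text), src_ip, dst_ip)


if __name__ == "__main__":
    onprem, vpc_host, internet = "192.168.10.5", "10.20.1.4", "203.0.113.7"
    for name, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(name, "on-prem -> VPC:", check(acl, onprem, vpc_host),
              "| on-prem -> internet:", check(acl, onprem, internet))
```

With the original ACL the on-premises host hits the first deny (10.0.0.0/8 contains the VPC); with the permit inserted above it the same flow matches line 1 and is permitted, while internet-bound traffic still falls through to the final permit any any in both versions.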

26
MCQhard

A company uses Microsoft Azure and has deployed Cisco CloudCenter for workload lifecycle management. They also use Cisco Firepower NGFW in Azure. A security analyst notices that the Firepower logs show outbound connections from a workload to an IP address in a known threat feed. The workload is a Linux server that runs a custom application. The analyst checks Azure Network Security Groups (NSGs) and finds that outbound traffic is not restricted. The company's policy requires that all outbound traffic be inspected and logged. The analyst wants to block the specific IP while allowing other outbound traffic. Which action should be taken?

A.Configure the NSG to deny all outbound traffic and then add allow rules for known good destinations.
B.Create a Firepower Access Control policy rule to block traffic to the threat IP and log it.
C.Add a network security group rule to block the specific IP address.
D.Modify the route table to send all outbound traffic through a firewall, bypassing the NSG.
AnswerB

Correct: Firepower can use dynamic threat intelligence to block.

Why this answer

Option B is correct because Cisco Firepower NGFW is the inline security enforcement point in this Azure deployment, and it can inspect and log all outbound traffic. Creating a Firepower Access Control policy rule to block the specific threat IP and log it directly enforces the security policy at the firewall layer, which is the only device capable of deep packet inspection and logging as required by company policy. NSGs operate at Layer 3/4 and cannot inspect application-layer traffic or integrate with threat feeds for granular IP blocking without affecting other traffic.

Exam trap

Cisco often tests the misconception that Azure NSGs can replace a dedicated firewall for outbound traffic inspection and logging, but NSGs lack application-layer visibility and cannot enforce granular threat-feed-based blocking while maintaining required logging.

How to eliminate wrong answers

Option A is wrong because denying all outbound traffic in an NSG and then adding allow rules for known good destinations is overly restrictive, breaks the custom application's ability to reach legitimate destinations that are not yet on the list, and still leaves the NSG unable to perform the inspection and logging the policy mandates. Option C is wrong because Azure NSGs are stateful Layer 3/4 filters; they cannot inspect application-layer traffic, consume a threat feed, or provide the connection logging the policy demands (NSG flow logs record 5-tuples and allow/deny decisions, not inspection results), so blocking a single IP there would satisfy neither the inspection nor the logging requirement for the remaining outbound traffic. Option D is wrong because modifying the route table to send all outbound traffic through a firewall does not by itself block the specific IP; it would still require a firewall rule, and the scenario already shows the traffic reaching Firepower (its logs recorded the connection), so the direct action is the Access Control rule, not a routing change that adds complexity and risk of misconfiguration.

27
Multi-Selecthard

A cloud security team is deploying Cisco Tetration (Secure Workload) in a hybrid cloud environment. Which three are prerequisites for workload discovery and policy enforcement? (Choose three.)

Select 3 answers
A.Configuration of flow export from network devices
B.Deployment of sensors on all workloads
C.Integration with cloud provider APIs
D.Setup of global enforcement scopes
E.Registration with Cisco Smart Licensing
AnswersB, C, D

Sensors collect flow and process data needed for discovery and enforcement.

Why this answer

B is correct because Cisco Tetration (Secure Workload) relies on sensors installed on each workload to collect granular telemetry, including process, network, and flow data. Without sensors, the platform cannot discover workload dependencies or enforce micro-segmentation policies, as sensors are the primary data source for the agent-based architecture.

Exam trap

Cisco often tests the misconception that flow export from network devices is a core requirement for Tetration, but the platform's sensor-based architecture makes workload-level telemetry the mandatory foundation, with network device exports being optional and supplementary.

28
MCQeasy

An organization wants to enforce granular data loss prevention (DLP) policies for SaaS applications like Google Drive and Salesforce. Which Cisco product provides cloud access security broker (CASB) functionality with DLP capabilities?

A.Cisco Firepower Threat Defense
B.Cisco Umbrella
C.Cisco Stealthwatch
D.Cisco Cloudlock
AnswerD

Cloudlock is a CASB that offers DLP for SaaS apps.

Why this answer

Cisco Cloudlock is the correct answer because it is a cloud access security broker (CASB) that provides granular data loss prevention (DLP) for SaaS applications like Google Drive and Salesforce. It uses API-based inspection to scan data at rest and in motion, applying policies to prevent unauthorized sharing or leakage of sensitive information.

Exam trap

The trap here is that candidates often confuse network-based security tools (like FTD or Umbrella) with cloud-native CASB solutions, assuming that any Cisco security product can enforce DLP for SaaS apps, but only Cloudlock provides the necessary API-level integration for granular control.

How to eliminate wrong answers

Option A is wrong because Cisco Firepower Threat Defense (FTD) is a next-generation firewall (NGFW) that focuses on network traffic inspection and intrusion prevention, not on API-based DLP for SaaS applications. Option B is wrong because Cisco Umbrella, in the sense the exam uses it, is a DNS-layer security solution for web filtering and threat intelligence without the deep content inspection needed for SaaS DLP (the Umbrella SIG packages later absorbed Cloudlock's CASB and DLP functions, but the product the exam names for API-based SaaS DLP is Cloudlock). Option C is wrong because Cisco Stealthwatch is a network visibility and analytics tool that uses NetFlow and behavioral analysis for threat detection, not a CASB with DLP for SaaS data.

29
Multi-Selecthard

Which THREE of the following are common challenges when securing multi-cloud environments? (Choose three.)

Select 3 answers
A.Limited storage capacity in public clouds
B.Reducing cloud infrastructure costs
C.Meeting compliance requirements across jurisdictions
D.Lack of unified visibility across cloud providers
E.Inconsistent security policies between clouds
AnswersC, D, E

Compliance across clouds is a significant challenge.

Why this answer

Option C is correct because multi-cloud environments span multiple jurisdictions with differing data protection laws (e.g., GDPR, CCPA, LGPD). Meeting compliance requirements becomes a challenge as each cloud provider may have different compliance certifications and data residency controls, requiring careful mapping of data flows and contractual agreements to avoid legal penalties.

Exam trap

Cisco often tests the distinction between security challenges and operational/financial challenges, so candidates mistakenly pick options like 'reducing costs' or 'storage capacity' because they sound like common cloud problems, but they are not security-specific.

30
MCQmedium

Refer to the exhibit. This JSON policy is part of a Cisco Cloudlock DLP configuration. What will happen when a user attempts to upload a file containing the word 'secret' to a cloud storage service?

A.An alert is generated but the file is not blocked
B.The file upload is blocked if the content contains the word 'secret'
C.Only files with 'secret' in the title are blocked
D.All files are blocked regardless of content
AnswerB

Condition checks for 'contains' and action is 'block'.

Why this answer

The JSON policy shown in the exhibit is a Cisco Cloudlock DLP policy that uses a data pattern to match the word 'secret' in file content. The action specified is 'block', which means when a user attempts to upload a file containing 'secret' to a cloud storage service, the upload is blocked and an alert is generated. Option B correctly identifies that the file upload is blocked if the content contains the word 'secret', aligning with the policy's enforcement action.

Exam trap

The trap here is that candidates often confuse the 'alert' and 'block' actions in DLP policies, assuming that a content match only generates an alert without enforcement, but the exhibit explicitly shows the action is 'block', which means the upload is prevented.

How to eliminate wrong answers

Option A is wrong because the policy action is 'block', not just 'alert'; an alert is generated but the file is also blocked, not merely flagged. Option C is wrong because the policy matches content (body) for the word 'secret', not the file title or metadata; the pattern is applied to the file's data, not its name. Option D is wrong because the policy is content-specific, targeting files containing 'secret', not all files; only files matching the pattern are blocked, not every upload.

31
MCQeasy

An organization is migrating to AWS and wants to ensure that all internet-bound traffic from VPCs is inspected by a central security appliance. Which AWS service should be used to redirect this traffic?

A.AWS Direct Connect
B.VPC Peering
C.Internet Gateway
D.Transit Gateway
AnswerD

Transit Gateway can route traffic through a security VPC for inspection.

Why this answer

Transit Gateway is correct because it acts as a central hub that routes traffic between VPCs and on-premises networks, and it supports per-attachment route tables: the spoke VPC attachments get a default route (0.0.0.0/0) pointing at an inspection VPC attachment that hosts the firewall or IDS/IPS (directly or behind a Gateway Load Balancer), and the inspection VPC's own route table carries the spoke CIDRs back. This enables traffic inspection and policy enforcement without requiring individual VPCs to manage their own internet gateways or NAT devices.

Exam trap

Cisco often tests the misconception that VPC Peering can be used for transitive routing or central traffic inspection, but VPC Peering is non-transitive and cannot route traffic through a central hub without additional components like a Transit Gateway.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect is a dedicated network connection from on-premises to AWS, not a service for redirecting internet-bound traffic within VPCs. Option B is wrong because VPC Peering provides direct one-to-one connectivity between two VPCs but does not support transitive routing or central inspection of internet-bound traffic. Option C is wrong because an Internet Gateway is a VPC component that allows outbound internet traffic but does not redirect that traffic to a central security appliance; it simply provides a path to the internet.

32
MCQhard

A company uses Cisco Secure Workload to enforce microsegmentation across multiple AWS accounts. After enabling enforcement, they find that the policies are only applied to workloads in the primary account. What is the most likely reason?

A.The policy labels are not propagated
B.The agents in secondary accounts are not registered
C.The enforcement scope is limited to a single VPC
D.The cloud connector is not configured for the secondary accounts
AnswerD

Without a cloud connector for each account, Secure Workload cannot discover or enforce policies on those workloads.

Why this answer

Cisco Secure Workload (formerly Tetration) uses cloud connectors to integrate with AWS accounts and discover workloads. When enforcement is enabled, the policies are applied only to workloads in the primary account because the cloud connector has not been configured for the secondary AWS accounts. Without the connector, the platform cannot manage or enforce policies on workloads outside the primary account.

Exam trap

Cisco often tests the misconception that agent registration alone is sufficient for enforcement across accounts, but the cloud connector is the critical component for multi-account discovery and policy application.

How to eliminate wrong answers

Option A is wrong because policy labels are propagated automatically once the cloud connector is configured and agents are registered; labels not propagating would affect policy matching, not enforcement scope. Option B is wrong because agents in secondary accounts can be registered independently, but without a cloud connector, the platform cannot discover or manage those accounts to enforce policies. Option C is wrong because the enforcement scope is not limited to a single VPC; Cisco Secure Workload can enforce across multiple VPCs and accounts if the cloud connector is properly configured.
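Questions 20 and 32 turn on the same mechanism, so here is one added illustration of it: a constructed, simplified model in Python written for this page, not Secure Workload code or its API (the account numbers, addresses, label names and the policy are all assumed). Agents supply host facts, a cloud connector supplies per-account cloud metadata that becomes labels, and enforcement is an allow-list evaluated against those labels. Remove the connector for one account and the workloads in it lose the labels the rule filters on, so the flow falls through to the default deny even though every agent is healthy.

```python
# Constructed data. Agent reports: what each host agent knows on its own.
AGENT_REPORTS = [
    {"ip": "10.10.1.10", "account": "111111111111", "hostname": "web-1"},
    {"ip": "10.20.2.20", "account": "222222222222", "hostname": "db-1"},
]

# Constructed cloud metadata per account, as a connector would fetch it (VPC, tags).
CLOUD_METADATA = {
    "111111111111": {"10.10.1.10": {"vpc": "vpc-web", "Tier": "web"}},
    "222222222222": {"10.20.2.20": {"vpc": "vpc-db", "Tier": "db"}},
}

# Assumed allow-list policy written against the cloud-derived label 'Tier'.
POLICY = [
    {"consumer": {"Tier": "web"}, "provider": {"Tier": "db"}, "port": 3306},
]


def build_inventory(agent_reports, cloud_metadata, connectors_configured):
    """Merge agent facts with cloud labels; cloud labels exist only for accounts
    that have a connector configured."""
    inventory = {}
    for rep in agent_reports:
        labels = {"hostname": rep["hostname"], "account": rep["account"]}
        if rep["account"] in connectors_configured:
            labels.update(cloud_metadata.get(rep["account"], {}).get(rep["ip"], {}))
        inventory[rep["ip"]] = labels
    return inventory


def _matches(filter_, labels):
    """A filter matches when every key/value it names is present on the workload."""
    return all(labels.get(key) == value for key, value in filter_.items())


def is_allowed(inventory, policy, src_ip, dst_ip, port):
    """Allow-list enforcement: permitted only if some rule matches both endpoints
    and the port; anything unmatched is the default deny."""
    src = inventory.get(src_ip, {})
    dst = inventory.get(dst_ip, {})
    return any(
        rule["port"] == port
        and _matches(rule["consumer"], src)
        and _matches(rule["provider"], dst)
        for rule in policy
    )


def unlabeled(inventory, key):
    """Workloads missing a label the policy depends on: the first thing to check
    when legitimate traffic is blocked while the agents report fine."""
    return sorted(ip for ip, labels in inventory.items() if key not in labels)


def web_to_db_allowed(connectors_configured):
    """Evaluate the web -> db MySQL flow for a given set of configured connectors."""
    inventory = build_inventory(AGENT_REPORTS, CLOUD_METADATA, connectors_configured)
    return is_allowed(inventory, POLICY, "10.10.1.10", "10.20.2.20", 3306)


if __name__ == "__main__":
    primary_only = {"111111111111"}
    both = {"111111111111", "222222222222"}
    partial = build_inventory(AGENT_REPORTS, CLOUD_METADATA, primary_only)
    print("connector on primary account only -> allowed:", web_to_db_allowed(primary_only))
    print("  workloads with no 'Tier' label:", unlabeled(partial, "Tier"))
    print("connectors on both accounts       -> allowed:", web_to_db_allowed(both))
```

The diagnostic that carries over to the real product is the second call: before editing policy, look at the inventory and confirm that the provider-side workloads actually carry the labels the rule filters on; a healthy agent with an empty label set is exactly the symptom of a missing connector.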

33
MCQeasy

Refer to the exhibit. What is the effect of this NAT rule on the Cisco FTD device deployed in the cloud?

A.Performs identity NAT between the two networks without port translation
B.Translates source IP when traffic goes from outside to inside
C.Enables Port Address Translation (PAT)
D.Translates destination IP from 192.168.1.0 to a public IP
AnswerA

The 'static' keyword with same IP on both sides indicates identity NAT.

Why this answer

The NAT rule shown in the exhibit is a static identity NAT (also known as NAT exempt or no-translation NAT) that translates the source IP address of traffic from the 192.168.1.0/24 network to the same IP address when going to the 10.0.0.0/24 network. This is achieved by specifying the source address as both the original and translated address, effectively bypassing any address translation while still being processed by the NAT engine. Since no port translation is configured, it performs identity NAT without PAT, which is why option A is correct.

Exam trap

Cisco often tests the distinction between identity NAT and dynamic PAT, where candidates mistakenly assume that any NAT rule must involve address translation or PAT, but identity NAT explicitly preserves the original IP without port translation.

How to eliminate wrong answers

Option B is wrong because the rule applies to traffic sourced from 192.168.1.0/24 (inside to outside) and maps those addresses to themselves; it does not translate anything for connections initiated from the outside. Option C is wrong because identity NAT maps each source address to itself with no port translation, so no PAT occurs. Option D is wrong because the rule concerns the source network 192.168.1.0/24, which is mapped to itself rather than to a public IP, and the destination network 10.0.0.0/24 is left untranslated.

34
MCQmedium

A DevOps team is deploying containers in Kubernetes and needs to enforce network security policies between pods. Which Cisco solution is designed for this?

A.Cisco Cloudlock
B.Cisco Umbrella
C.Cisco Secure Workload (Tetration)
D.Cisco Firepower NGFW
AnswerC

Tetration provides micro-segmentation and policy enforcement for containers.

Why this answer

Cisco Secure Workload (formerly Tetration) is the correct answer because it extends micro-segmentation to containerized environments. It imports pod, namespace and service labels from the Kubernetes API through its external orchestrator integration, runs agents on the cluster nodes to observe inter-pod flows, maps the resulting dependencies, and enforces allow-list policies on the nodes through the host firewall (iptables/ipset on Linux), so zero trust between pods is enforced without changes to the underlying network fabric.

Exam trap

Cisco often tests the distinction between cloud-native workload security (Secure Workload) and perimeter or DNS-layer security (Firepower, Umbrella) — the trap here is assuming a traditional firewall or DNS filter can enforce pod-level micro-segmentation in Kubernetes.

How to eliminate wrong answers

Option A is wrong because Cisco Cloudlock is a cloud access security broker (CASB) focused on securing SaaS applications and user access, not on enforcing network policies between Kubernetes pods. Option B is wrong because Cisco Umbrella is a DNS-layer cloud security solution that provides internet threat protection and web filtering, not micro-segmentation or pod-to-pod policy enforcement. Option D is wrong because Cisco Firepower NGFW is a physical or virtual firewall designed for perimeter and data center network segmentation, not for granular, workload-level policy enforcement within a Kubernetes cluster's overlay network.

35
MCQeasy

A DevOps team is deploying containerized applications on Kubernetes and needs to ensure that only authorized images are run. Which solution should they integrate with Kubernetes to enforce image trust and scanning?

A.Cisco Stealthwatch Cloud
B.Cisco Cloud Workload Protection (CWP)
C.Cisco Firepower Next-Generation Firewall
D.Cisco Umbrella
AnswerB

CWP provides image scanning and admission control for containers.

Why this answer

Cisco Cloud Workload Protection (CWP) is the correct solution because it provides integrated image scanning, vulnerability assessment, and trust enforcement for containerized workloads in Kubernetes. CWP uses a policy-based admission controller to block deployments of unauthorized or vulnerable images before they run, directly addressing the requirement to ensure only authorized images are executed.

Exam trap

Cisco often tests the distinction between network security tools (Stealthwatch, Firepower, Umbrella) and workload-specific security solutions (CWP), leading candidates to pick a familiar name like Firepower or Umbrella instead of the correct container-focused product.

How to eliminate wrong answers

Option A is wrong because Cisco Stealthwatch Cloud is a network traffic analysis and anomaly detection tool for cloud environments, not an image trust or scanning solution for Kubernetes. Option C is wrong because Cisco Firepower Next-Generation Firewall is a network security appliance focused on perimeter traffic inspection and intrusion prevention, not container image authorization. Option D is wrong because Cisco Umbrella is a cloud-delivered DNS-layer security and web gateway service, not a container image trust enforcement mechanism.

36
MCQeasy

A security engineer is configuring a cloud access security broker (CASB) to protect a SaaS application used by employees. The primary concern is to prevent sensitive data from being uploaded to the application. Which deployment mode should the engineer choose?

A.Forward proxy mode, which intercepts user traffic and inspects it before it reaches the SaaS application.
B.API-based mode, which connects directly to the SaaS application's APIs to scan and block sensitive data.
C.Reverse proxy mode, which sits in front of the SaaS application and inspects incoming traffic.
D.Web application firewall (WAF) mode, which filters HTTP traffic to the application.
AnswerB

API mode inspects data at rest in the SaaS application and remediates through the application's own API.

Why this answer

Option B is correct because API-based mode connects to the SaaS application's own APIs and can scan the content users place in it, including data that was already there before the CASB was deployed, and act on matches by quarantining or removing the file, revoking external sharing or alerting. It needs no traffic redirection or endpoint proxy configuration, so it also covers uploads from unmanaged devices and third-party integrations that a proxy never sees. The caveat a practitioner should keep in mind is that API enforcement happens once the object exists in the application (near real time through change notifications, not in the middle of the upload), so the control is remediation at the point of storage rather than interception in flight.

Exam trap

Cisco often tests the misconception that forward proxy mode is the best for all data protection scenarios, but the trap here is that API-based mode is specifically designed for deep integration with SaaS applications to prevent data uploads, while forward proxy mode is limited to inline traffic inspection and cannot block data already submitted via API calls.

How to eliminate wrong answers

Option A is wrong because forward proxy mode only sees traffic from devices configured to use it (agent, PAC file or browser proxy settings); uploads from unmanaged devices or from application-to-application API integrations bypass it entirely, so it suits shadow IT discovery and inline inspection of managed-device traffic rather than comprehensive SaaS DLP. Option C is wrong because reverse proxy mode fronts the SaaS login flow, typically via the identity provider, and inspects only the sessions that arrive through it; it has no access to the application's internal APIs or to data already stored, and it is typically used for access control on unmanaged devices and threat protection. Option D is wrong because a web application firewall (WAF) filters HTTP traffic to the application with a focus on web attacks (e.g., SQL injection, XSS) rather than data loss prevention; it is not a CASB deployment mode and cannot enforce DLP on data held in the SaaS application.

37
MCQeasy

A security analyst wants to detect misconfigurations in cloud storage buckets using Cisco Secure Cloud Analytics (formerly Stealthwatch Cloud). What must be configured first?

A.Enable flow log export to the analytics platform
B.Install a sensor in the cloud VPC
C.Deploy a syslog collector
D.Connect to the cloud provider's API
AnswerD

API integration retrieves metadata and configuration for misconfiguration detection.

Why this answer

Cisco Secure Cloud Analytics (formerly Stealthwatch Cloud) relies on API integration with the cloud provider (AWS, Azure, GCP) to pull metadata about cloud resources, including storage bucket configurations. By connecting to the cloud provider's API, the platform can continuously monitor for misconfigurations such as public read/write access, unencrypted buckets, or improper logging settings. Without this API connection, the platform cannot access the cloud provider's resource inventory or configuration state, making bucket misconfiguration detection impossible.

Exam trap

Cisco often tests the distinction between telemetry collection (flow logs, sensors) and cloud control plane integration (API), leading candidates to mistakenly choose a network-based option when the question specifically asks about configuration detection.

How to eliminate wrong answers

Option A is wrong because flow log export (e.g., VPC Flow Logs to S3) provides network traffic metadata, not storage bucket configuration data; Cisco Secure Cloud Analytics uses flow logs for traffic analysis, not for detecting bucket misconfigurations. Option B is wrong because installing a sensor in the cloud VPC captures network flows and host telemetry, but it does not have visibility into cloud control plane APIs or storage bucket settings; sensors are for traffic monitoring, not configuration auditing. Option C is wrong because a syslog collector ingests log messages from network devices or servers, but it does not interface with cloud provider APIs to retrieve bucket configurations; syslog is for event logging, not cloud resource metadata.
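The explanation above describes what an API-driven posture check actually evaluates once it has the provider's resource inventory: public ACL grants, missing default encryption and missing access logging. The block below is an added example, not code from Cisco Secure Cloud Analytics or from this question bank; it evaluates constructed bucket metadata shaped like what a cloud API would return. The grantee names (`AllUsers`, `AuthenticatedUsers`), the `public_access_block` switch and the finding labels are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption (constructed for this example): "anyone" principals follow the
# S3-style canned-ACL group names; other providers expose equivalents.
PUBLIC_GRANTEES = {"AllUsers", "AuthenticatedUsers"}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}


@dataclass
class BucketConfig:
    """Bucket metadata as an API integration would return it (constructed)."""
    name: str
    acl_grants: List[Tuple[str, str]]   # (grantee, permission)
    public_access_block: bool           # provider-level "block public access"
    default_encryption: bool            # server-side encryption enabled?
    logging_target: Optional[str]       # bucket that receives access logs


def evaluate_bucket(bucket: BucketConfig) -> List[str]:
    """Return the misconfiguration findings for one bucket, in check order."""
    findings: List[str] = []

    # Public access: an ACL grant to an "anyone" group only matters when the
    # provider-level public access block is off, because that block overrides
    # public ACLs. Checking only the ACL would raise a false positive.
    if not bucket.public_access_block:
        for grantee, permission in bucket.acl_grants:
            if grantee not in PUBLIC_GRANTEES:
                continue
            if permission in READ_PERMISSIONS and "PUBLIC_READ" not in findings:
                findings.append("PUBLIC_READ")
            if permission in WRITE_PERMISSIONS and "PUBLIC_WRITE" not in findings:
                findings.append("PUBLIC_WRITE")

    if not bucket.default_encryption:
        findings.append("NO_DEFAULT_ENCRYPTION")

    if bucket.logging_target is None:
        findings.append("ACCESS_LOGGING_DISABLED")
    elif bucket.logging_target == bucket.name:
        # A bucket that logs to itself writes a log entry for every log write.
        findings.append("LOGGING_TARGET_IS_SELF")

    return findings


def audit(inventory: List[BucketConfig]) -> dict:
    """Map bucket name -> findings, keeping only buckets with at least one."""
    report = {}
    for bucket in inventory:
        findings = evaluate_bucket(bucket)
        if findings:
            report[bucket.name] = findings
    return report


# Constructed sample inventory; none of these buckets exist.
INVENTORY = [
    BucketConfig("prod-cardholder", [("Owner", "FULL_CONTROL")], True, True, "central-logs"),
    BucketConfig("marketing-assets", [("Owner", "FULL_CONTROL"), ("AllUsers", "READ")], False, True, None),
    BucketConfig("dev-scratch", [("Owner", "FULL_CONTROL"), ("AuthenticatedUsers", "FULL_CONTROL")], False, False, "dev-scratch"),
    # Public ACL present, but the provider-level block makes it ineffective.
    BucketConfig("staging-exports", [("AllUsers", "READ")], True, True, "central-logs"),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

None of these checks needs a packet or a flow record, which is the point the question makes: they run entirely on configuration state fetched through the provider API.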

38
MCQ · hard

During a cloud migration, an organization notices increased latency in AWS workloads when using Cisco Firepower for traffic inspection. What is the most likely cause?

A. The Firepower instance is undersized for the traffic volume
B. The VPC routing table is misconfigured, causing traffic to hairpin
C. AWS WAF is conflicting with Firepower rules
D. Firepower is inspecting encrypted traffic without SSL decryption
Answer: A

Undersized instance leads to high CPU and latency.

Why this answer

When using Cisco Firepower for traffic inspection in AWS, the Firepower instance must process all traffic traversing the virtual appliance. If the instance type (e.g., m5.large) is undersized relative to the throughput demands (e.g., exceeding 1 Gbps), packet processing will queue, causing increased latency. This is a common scaling issue in cloud migrations where on-premises traffic patterns are replicated without adjusting instance sizing.

Exam trap

Cisco often tests the misconception that latency in cloud inspection is always due to routing misconfigurations (Option B), but the real trap is that undersized virtual appliances are the primary cause when traffic volume exceeds instance capacity, not network topology errors.

How to eliminate wrong answers

Option B is wrong because a misconfigured VPC routing table causing hairpinning would result in asymmetric routing or packet loss, not simply increased latency, and the symptom would be connectivity failures rather than gradual latency increase. Option C is wrong because AWS WAF operates at Layer 7 (HTTP/HTTPS) and does not conflict with Firepower's network-layer inspection; they can coexist without causing latency unless explicitly chained. Option D is wrong because inspecting encrypted traffic without SSL decryption means Firepower cannot inspect payloads, which reduces CPU load and would not increase latency; latency from encryption inspection only occurs when decryption is enabled.

39
MCQ · medium

An organization uses AWS and Azure. They deploy Cisco Secure Workload to enforce microsegmentation. They discover that after deploying agents on EC2 instances, some traffic is misclassified due to overlapping IPs across multiple VPCs. Which configuration change best resolves this?

A. Reassign unique labels for each workload
B. Enable VRF-like segmentation within Secure Workload
C. Use Cloud Connector to map instance metadata
D. Configure separate enforcement scopes for each VPC
Answer: C

Cloud Connector enriches workload identity with cloud metadata, disambiguating overlapping IPs.

Why this answer

C is correct because Cloud Connector in Cisco Secure Workload (formerly Tetration) integrates with AWS and Azure APIs to retrieve instance metadata, such as VPC ID, subnet, and instance ID. This metadata allows Secure Workload to uniquely identify workloads even when they have overlapping IP addresses across different VPCs, enabling accurate traffic classification and policy enforcement.

Exam trap

Cisco often tests the misconception that labels or enforcement scopes alone can solve IP overlap issues, but the correct answer requires understanding that cloud-native metadata integration (Cloud Connector) is the designed solution for disambiguating overlapping IPs in multi-cloud environments.

How to eliminate wrong answers

Option A is wrong because reassigning unique labels for each workload does not resolve the underlying issue of overlapping IPs; labels are user-defined tags for grouping, not a mechanism to disambiguate IP address conflicts across VPCs. Option B is wrong because VRF-like segmentation within Secure Workload is not a native feature; Secure Workload uses software-defined segmentation based on labels and metadata, not VRF instances, and enabling such a feature would not directly map overlapping IPs to their correct VPC context. Option D is wrong because configuring separate enforcement scopes for each VPC does not automatically resolve IP overlap; enforcement scopes define policy boundaries but still rely on unique workload identification, which requires metadata mapping to distinguish workloads with identical IPs in different VPCs.

40
MCQ · medium

An enterprise uses multiple IaaS providers (AWS, Azure, GCP). They need a single solution to enforce consistent security policies across all cloud environments. Which Cisco product provides multi-cloud security posture management?

A. Cisco Defense Orchestrator
B. Cisco Secure Cloud Analytics
C. Cisco ISE
D. Cisco Firepower NGFW
Answer: B

Provides multi-cloud monitoring and policy enforcement.

Why this answer

Cisco Secure Cloud Analytics (formerly Stealthwatch Cloud) is the correct answer because it provides multi-cloud security posture management by ingesting flow logs, API telemetry, and configuration data from AWS, Azure, and GCP to detect misconfigurations, anomalous behavior, and compliance violations. It uses machine learning to establish baselines and alert on deviations, enabling consistent policy enforcement across heterogeneous cloud environments without requiring agents or changes to existing infrastructure.

Exam trap

Cisco often tests the distinction between 'policy orchestration' (Defense Orchestrator) and 'posture management' (Secure Cloud Analytics), so the trap here is assuming that a firewall management tool can also perform multi-cloud security posture assessment without native cloud API integrations.

How to eliminate wrong answers

Option A is wrong because Cisco Defense Orchestrator is a centralized policy management tool for on-premises and cloud firewalls (e.g., FTD, ASA, Meraki), but it does not provide multi-cloud security posture management or analyze cloud-native telemetry from AWS, Azure, and GCP. Option C is wrong because Cisco ISE is a network access control (NAC) and identity management platform for on-premises wired/wireless networks, not designed to ingest cloud API logs or assess cloud security posture. Option D is wrong because Cisco Firepower NGFW is a next-generation firewall appliance for perimeter and data center traffic inspection, lacking the cloud-native API integrations and multi-cloud visibility required for posture management across IaaS providers.

41
MCQ · medium

A network engineer is designing a multi-cloud architecture with AWS and Azure. The company needs consistent security policies across both cloud providers and on-premises data centers. Which Cisco solution should the engineer recommend?

A. Cisco Umbrella SIG
B. Cisco Firepower NGFW
C. Cisco Tetration
D. Cisco Stealthwatch Enterprise
Answer: C

Correct: Tetration provides micro-segmentation and consistent policies across hybrid/multi-cloud.

Why this answer

Option C is correct because Cisco Tetration provides workload protection and micro-segmentation across multicloud environments. Option D is wrong because Stealthwatch is for network traffic visibility, not policy orchestration. Option B is wrong because Firepower is more focused on on-premises.

Option A is wrong because Umbrella is cloud-delivered security but not for workload segmentation.

42
Multi-Select · hard

An organization is deploying Cisco Cloud Workload Protection (CWP) in AWS. Which THREE of the following components are part of a standard CWP architecture?

Select 3 answers
A. Cloud Security Posture Management (CSPM) scanner
B. Workload sensor (agent or agentless)
C. Policy enforcement point (e.g., network enforcement)
D. Cisco Umbrella DNS connector
E. Centralized aggregation and analysis server
Answers: B, C, E

Sensors collect telemetry from workloads.

Why this answer

The workload sensor (agent or agentless) is a core component of Cisco Cloud Workload Protection (CWP) because it provides visibility into workload activity, including process execution, network connections, and file integrity. This sensor collects telemetry data from workloads running in AWS and forwards it to the centralized analysis engine for threat detection and policy enforcement.

Exam trap

Cisco often tests the distinction between CWP's workload-specific components (sensor, enforcement point, analysis server) and other Cisco cloud security products like CSPM or Umbrella, so candidates mistakenly include CSPM or DNS connectors as part of CWP.

43
MCQ · easy

A company is deploying cloud workload protection for their Azure VMs. They want to ensure that security policies are automatically adjusted based on workload changes. Which technology should they implement?

A. Cisco Firepower NGFW
B. Cisco Secure Workload
C. Cisco Umbrella
D. Cisco Stealthwatch
Answer: B

Provides automatic policy adjustment based on workload changes.

Why this answer

Cisco Secure Workload (formerly Tetration) is the correct choice because it provides workload protection for Azure VMs with automatic policy adjustment based on workload changes. It uses agent-based and agentless sensors to collect telemetry, builds a dependency map, and enforces micro-segmentation policies that dynamically adapt as workloads scale, migrate, or change, meeting the requirement for automated security policy adjustment.

Exam trap

The trap here is that candidates often confuse Cisco Secure Workload with Cisco Stealthwatch, assuming both provide similar workload visibility, but Stealthwatch lacks the automated policy enforcement and micro-segmentation capabilities that Secure Workload offers for dynamic cloud environments.

How to eliminate wrong answers

Option A is wrong because Cisco Firepower NGFW is a network firewall that provides perimeter and east-west traffic inspection but does not natively integrate with Azure VM workload changes to automatically adjust security policies; it requires manual policy updates or external orchestration. Option C is wrong because Cisco Umbrella is a cloud-delivered DNS-layer security and secure web gateway (SWG) that protects against internet threats but does not provide workload-level policy automation or micro-segmentation for Azure VMs. Option D is wrong because Cisco Stealthwatch is a network traffic analysis and visibility tool that uses NetFlow/IPFIX for anomaly detection but does not automatically adjust security policies based on workload changes; it focuses on monitoring rather than enforcement.

44
Multi-Select · medium

Which TWO of the following are benefits of using Cisco Cloudlock for cloud security? (Choose two.)

Select 2 answers
A. Shadow IT discovery
B. DDoS protection
C. Network firewall capabilities
D. Identity and access management
E. Data loss prevention for cloud apps
Answers: A, E

Cloudlock can discover unsanctioned cloud applications.

Why this answer

Cisco Cloudlock is a cloud access security broker (CASB) that provides visibility into cloud application usage. Option A is correct because Cloudlock's Shadow IT discovery feature identifies unauthorized cloud applications being used by employees, allowing administrators to assess risk and enforce policies. This is a core CASB function that discovers and categorizes cloud apps based on user traffic patterns.

Exam trap

Cisco often tests the distinction between CASB functions (Shadow IT, DLP) and traditional network security functions (firewall, DDoS), leading candidates to mistakenly associate Cloudlock with network-layer protections.

45
MCQ · medium

An ASA firewall is configured as shown. A web server is behind the ASA with IP 10.1.1.100. Which additional configuration is required to allow HTTPS traffic from the internet to the web server?

A. Add a route to the web server's subnet
B. Configure static NAT for the web server
C. Increase the security level of the inside interface
D. Apply the access-group to the inside interface
Answer: B

Static NAT is necessary to map the public IP to the internal server.

Why this answer

Option B is correct because the ASA firewall requires static NAT to translate the public IP address (typically the ASA's outside interface IP or a dedicated public IP) to the private IP address of the web server (10.1.1.100). Without static NAT, the ASA will not perform the necessary destination address translation for inbound HTTPS traffic, and the web server's private IP is not routable on the internet.

Exam trap

The trap here is that candidates often assume a route or security level adjustment is sufficient, but Cisco specifically tests that NAT is mandatory for translating private addresses to public addresses in ASA firewall configurations.

How to eliminate wrong answers

Option A is wrong because adding a route to the web server's subnet is unnecessary; the ASA already has a directly connected route to the 10.1.1.0/24 subnet via its inside interface. Option C is wrong because increasing the security level of the inside interface does not affect inbound traffic from a lower-security interface (outside) to a higher-security interface (inside); security levels control default traffic flow direction, not NAT or access control. Option D is wrong because applying the access-group to the inside interface would filter traffic exiting the inside interface, not inbound traffic from the internet; the access-group must be applied to the outside interface to permit HTTPS traffic inbound.

46
Multi-Select · easy

A company wants to implement Zero Trust principles in their cloud environment. Which THREE of the following are key Zero Trust tenets?

Select 3 answers
A. Assume breach (minimize blast radius)
B. Implement multifactor authentication (MFA) everywhere
C. Use least privilege access
D. Verify explicitly (authenticate and authorize every request)
E. Assume that the perimeter is secure
Answers: A, C, D

Design with the expectation that breach will occur, and segment accordingly.

Why this answer

Option A is correct because 'Assume breach' is a core Zero Trust tenet that minimizes the blast radius by segmenting access and continuously monitoring for threats, even within the cloud environment. This principle assumes that an attacker may already be present, so it enforces micro-segmentation and real-time analytics to limit lateral movement, aligning with NIST SP 800-207 Zero Trust Architecture guidelines.

Exam trap

Cisco often tests the distinction between 'security controls' (like MFA) and 'core tenets' (like verify explicitly), leading candidates to incorrectly select MFA as a tenet rather than recognizing it as an implementation tool.

47
Multi-Select · easy

Which TWO Cisco solutions provide virtual firewall capabilities in public cloud environments? (Choose two.)

Select 2 answers
A. Cisco ASAv
B. Cisco DNA Center
C. Cisco Umbrella
D. Cisco Firepower Threat Defense (FTD) for AWS
E. Cisco ISE
Answers: A, D

ASAv is the virtual ASA firewall, available in AWS, Azure, GCP.

Why this answer

Cisco ASAv (Adaptive Security Virtual Appliance) is a virtualized version of the Cisco ASA firewall that can be deployed in public cloud environments such as AWS, Azure, and GCP. It provides stateful firewall, VPN, and threat defense capabilities natively within the cloud infrastructure. Option A is correct because ASAv is explicitly designed for virtual firewall functions in public clouds.

Exam trap

Cisco often tests the distinction between cloud-delivered security services (like Umbrella) and virtualized network security appliances (like ASAv/FTDv), causing candidates to mistakenly select Umbrella as a virtual firewall when it is actually a cloud-based security service.

48
MCQ · hard

A financial services company uses a multi-cloud strategy with workloads in AWS and Azure. They must comply with PCI DSS, which requires encryption of cardholder data at rest and in transit. The security team has implemented the following: 1) AWS S3 buckets use server-side encryption with AWS KMS (SSE-KMS). 2) Azure Blob Storage uses Azure Storage Service Encryption (SSE) with Azure Key Vault. 3) All traffic between VPCs and VNets uses IPsec VPN tunnels. During an audit, the assessor notes that data stored in AWS S3 is encrypted with a key that is also used for a development environment. Additionally, logs from Azure Blob Storage are accessible to a group of developers with read-only permissions. Which action should the security team take to address the compliance gaps?

A. Change the encryption method to AWS S3 SSE-C and Azure client-side encryption to maintain separate keys.
B. Implement a cloud DLP solution to monitor access to encrypted data and alert on unauthorized use.
C. Use a third-party VPN appliance to ensure encryption in transit between all cloud environments.
D. Create separate KMS keys for production and development in AWS, and restrict Azure Blob Storage log access to only authorized security auditors.
Answer: D

Separate keys satisfy PCI DSS requirement for key separation; restricting log access meets access control requirements.

Why this answer

Option D is correct because PCI DSS requires strict separation of cryptographic keys between production and non-production environments, and logging access must be restricted to authorized personnel. Using the same KMS key for production S3 data and a development environment violates this requirement, and granting developers read-only access to Azure Blob Storage logs exposes sensitive audit data. Creating separate KMS keys for production and development in AWS ensures key isolation, while restricting Azure Blob Storage log access to only authorized security auditors enforces the principle of least privilege required by PCI DSS.

Exam trap

Cisco often tests the distinction between encryption methods (SSE-S3, SSE-KMS, SSE-C) and key management controls, leading candidates to focus on encryption algorithms rather than the PCI DSS requirement for key separation and access control to audit logs.

How to eliminate wrong answers

Option A is wrong because changing to SSE-C or client-side encryption does not address the key reuse issue (the same key could still be used) and introduces key management complexity without solving the access control problem for logs. Option B is wrong because a cloud DLP solution monitors data patterns but does not enforce cryptographic key separation or restrict log access; it is a detective control, not a corrective one for the specific compliance gaps. Option C is wrong because the existing IPsec VPN tunnels already provide encryption in transit between VPCs and VNets; the audit findings are about key reuse and log access, not about the encryption method for data in transit.

49
Multi-Select · hard

Which THREE are key components of Cisco's Cloud Security architecture? (Choose three.)

Select 3 answers
A. Cisco Duo
B. Cisco Catalyst switches
C. Cisco Secure Firewall (virtual)
D. Cisco Meraki access points
E. Cisco Secure Cloud Analytics (Stealthwatch Cloud)
Answers: A, C, E

Duo provides multi-factor authentication for cloud access.

Why this answer

Cisco Duo is a key component of Cisco's Cloud Security architecture because it provides multi-factor authentication (MFA) as a cloud-delivered service, enforcing zero-trust access policies for users connecting to cloud applications and resources. It integrates with various identity providers and applications via SAML, RADIUS, and OAuth, ensuring that only authenticated and authorized users gain access, which is fundamental to securing cloud environments.

Exam trap

Cisco often tests the distinction between cloud-managed hardware (like Meraki APs) and actual cloud security architecture components, so candidates mistakenly select Meraki access points because they are 'cloud-managed,' but they are not part of the cloud security architecture—they are endpoint connectivity devices.

50
MCQ · medium

A company deploys a Cisco ASAv in AWS for VPN termination. They need to enforce multi-factor authentication (MFA) for remote access VPN users. Which Cisco solution integrates with ASAv to provide MFA?

A. Cisco Duo
B. Cisco Umbrella
C. Cisco ISE
D. Cisco Cloudlock
Answer: A

Duo integrates with ASAv for MFA via RADIUS or other methods.

Why this answer

Cisco Duo is the correct solution because it is a cloud-based MFA platform that integrates directly with the Cisco ASAv via the AnyConnect VPN client or the ASA's authentication proxy. Duo acts as a RADIUS or LDAP proxy, intercepting authentication requests and prompting users for a second factor (e.g., push notification, OTP) after primary credentials are validated. This provides the required multi-factor authentication for remote access VPN users without requiring additional on-premises infrastructure.

Exam trap

The trap here is that candidates often confuse Cisco ISE's ability to enforce MFA policies with it being a native MFA provider, when in fact ISE requires an external MFA solution like Duo to actually generate and validate second-factor tokens.

How to eliminate wrong answers

Option B (Cisco Umbrella) is wrong because it is a cloud-delivered DNS security and web filtering solution, not an MFA platform; it does not provide second-factor authentication for VPN logins. Option C (Cisco ISE) is wrong because while ISE can enforce MFA via integration with Duo or other identity providers, it is a policy and access control platform that requires significant on-premises deployment and does not natively provide MFA itself—it relies on external MFA services. Option D (Cisco Cloudlock) is wrong because it is a cloud access security broker (CASB) focused on protecting cloud applications and data, not on authenticating VPN users with multi-factor authentication.

51
MCQ · easy

A company is moving its data to AWS and wants to use Cisco Cloudlock for cloud access security broker (CASB) capabilities. Which deployment mode is required for Cloudlock to inspect traffic for shadow IT discovery?

A. Proxy-based (forward proxy)
B. API-based
C. Log collection
D. Reverse proxy
Answer: B

Cloudlock uses API connections to cloud providers to scan data at rest for shadow IT.

Why this answer

For shadow IT discovery, Cloudlock uses an API-based deployment mode to connect directly to cloud service providers (e.g., AWS, Office 365) via their APIs. This allows Cloudlock to pull metadata, user activity logs, and application usage data without requiring traffic redirection, enabling identification of unsanctioned cloud applications. Proxy-based modes are not used for shadow IT discovery because they require traffic to be routed through the proxy, which is not feasible for cloud-to-cloud traffic.

Exam trap

Cisco often tests the misconception that proxy-based modes are required for all CASB functions, but for shadow IT discovery, the API-based mode is specifically designed to work without traffic interception by querying cloud provider APIs directly.

How to eliminate wrong answers

Option A is wrong because proxy-based (forward proxy) deployment requires traffic to be explicitly routed through the proxy, which is impractical for discovering shadow IT in cloud environments where traffic may not traverse the corporate network. Option C is wrong because log collection relies on ingesting logs from existing infrastructure (e.g., firewalls, web proxies) and does not provide the direct API integration needed for real-time shadow IT discovery across multiple cloud providers. Option D is wrong because reverse proxy is used to protect and inspect traffic to sanctioned applications (e.g., as a web application firewall), not for discovering unsanctioned cloud services.

52
MCQ · medium

A security engineer is configuring Cisco Umbrella to block malicious domains. They need to ensure that internal DNS queries from remote users using Cisco AnyConnect are protected. Which deployment method should they use?

A. Configure DNS Layer Security in the office firewall
B. Enable Cisco Cloudlock integration
C. Install the Umbrella Roaming Client on all endpoints
D. Deploy the Umbrella virtual appliance at headquarters
Answer: C

The Roaming Client secures DNS queries regardless of user location.

Why this answer

The Umbrella Roaming Client (now part of Cisco Secure Client) is the correct deployment method because it provides DNS-layer security directly on endpoints, including remote users connecting via AnyConnect. It intercepts DNS queries on the local machine and forwards them to Umbrella's cloud-based DNS resolvers, ensuring protection even when the user is off-network or behind a VPN. This is the only option that covers remote users without relying on network-level appliances or firewalls.

Exam trap

Cisco often tests the misconception that VPN-based protection (like AnyConnect) inherently secures DNS traffic, but the trap here is that without a local agent like the Umbrella Roaming Client, DNS queries from remote users may bypass the corporate DNS policy and use the local ISP's DNS resolver.

How to eliminate wrong answers

Option A is wrong because configuring DNS Layer Security in the office firewall only protects DNS queries that traverse that firewall, not those from remote users who are off-network or whose traffic is tunneled via AnyConnect. Option B is wrong because Cisco Cloudlock is a cloud access security broker (CASB) for SaaS applications, not a DNS-layer security solution for blocking malicious domains. Option D is wrong because deploying the Umbrella virtual appliance at headquarters only protects DNS queries originating from within the corporate network, not from remote endpoints.

53
Multi-Select · hard

A security administrator is configuring a Cisco Cloudlock policy for a SaaS application. The policy must detect and alert on sharing of files containing personally identifiable information (PII) with external users. Which TWO actions should the administrator take? (Choose two.)

Select 2 answers
A. Configure a policy to automatically block all external sharing of files containing PII.
B. Disable external sharing for the entire SaaS application.
C. Create a data loss prevention (DLP) rule with a PII pattern.
D. Create a policy that triggers an alert when a file with PII is shared externally.
E. Enable transparent proxy to inspect all traffic.
Answers: C, D

Correct: DLP rules identify sensitive content like PII.

Why this answer

Option C is correct because Cisco Cloudlock uses DLP rules to scan files for sensitive content like PII patterns. Creating a DLP rule with a PII pattern enables the policy to identify files containing PII, which is the first step in detecting and alerting on such sharing events.

Exam trap

Cisco often tests the distinction between detection/alerting and automated blocking, so candidates may mistakenly choose a blocking action (Option A) when the question explicitly asks for detection and alerting.

54
Multi-Select · easy

A company is deploying a cloud-based web application and wants to protect against OWASP Top 10 attacks. Which THREE security controls should they implement? (Select three.)

Select 3 answers
A. Input validation
B. Rate limiting
C. Data loss prevention (DLP)
D. Network segmentation at the hypervisor level
E. Web application firewall (WAF)
Answers: A, B, E

Prevents injection attacks.

Why this answer

Input validation (A) is correct because it is a fundamental security control that sanitizes and validates user-supplied data before processing, directly mitigating injection attacks (e.g., SQLi, XSS) listed in the OWASP Top 10. By enforcing whitelist-based validation on the cloud-based web application, it prevents malformed or malicious input from reaching the application logic, which is critical for cloud environments where the application is exposed to the internet.

Exam trap

Cisco often tests the distinction between application-layer controls (input validation, WAF, rate limiting) and infrastructure-layer controls (DLP, hypervisor segmentation), leading candidates to mistakenly select DLP or hypervisor segmentation as protections against OWASP Top 10 attacks.

55
MCQ · hard

A security engineer reviews the security group rules for an EC2 instance. Based on the exhibit, which security concern should be addressed immediately?

A. SSH is allowed from the entire internet because it uses TCP port 22
B. There is no deny rule to block malicious traffic
C. RDP is allowed from all sources (0.0.0.0/0)
D. SSH access is allowed from two separate IP ranges
Answer: C

Exposing RDP to the internet is a critical security risk.

Why this answer

Option C is correct because allowing RDP (TCP port 3389) from 0.0.0.0/0 exposes the EC2 instance to brute-force attacks and unauthorized remote access from the entire internet. Security groups are stateful and only support allow rules, so this overly permissive ingress rule is a critical security risk that must be removed or restricted to trusted IP ranges.

Exam trap

Cisco often tests the misconception that security groups need explicit deny rules or that allowing SSH from multiple IP ranges is automatically a security issue, when the real immediate concern is an overly permissive RDP rule from all sources.

How to eliminate wrong answers

Option A is wrong because SSH (TCP port 22) is not shown as allowed from the entire internet in the exhibit; the question states SSH is allowed from two separate IP ranges, which is a common practice for administrative access. Option B is wrong because security groups are stateful firewalls that only support allow rules; they do not have explicit deny rules, and the absence of a deny rule is not a security concern—traffic not matching any allow rule is implicitly denied. Option D is wrong because SSH access from two separate IP ranges is not inherently a security concern; it is a typical configuration for redundant or geographically distributed administrative access, and the question asks for the immediate concern, which is the RDP exposure.
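The reasoning in this question (allow-only semantics, "world" source versus several specific ranges, RDP from 0.0.0.0/0 as the immediate finding) is exactly what an automated security group review encodes. The block below is an added example written for this page, not the exhibit from the question and not any Cisco or AWS tooling; the rule records are constructed and use a simplified field layout loosely modelled on an EC2 describe-security-groups response. The set of administrative ports and the severity labels are assumptions made for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Administrative ports treated as high-risk when reachable from the whole
# internet. Constructed for this example; extend as needed.
ADMIN_PORTS: Dict[int, str] = {22: "SSH", 3389: "RDP"}

# Constructed sample ingress rules (not from any real account). A protocol of
# "-1" means all protocols and all ports, as it does in EC2 security groups.
SAMPLE_RULES: List[dict] = [
    {"protocol": "tcp", "from_port": 22,   "to_port": 22,   "cidrs": ["203.0.113.0/24"]},
    {"protocol": "tcp", "from_port": 22,   "to_port": 22,   "cidrs": ["198.51.100.0/24"]},
    {"protocol": "tcp", "from_port": 3389, "to_port": 3389, "cidrs": ["0.0.0.0/0"]},
    {"protocol": "tcp", "from_port": 443,  "to_port": 443,  "cidrs": ["0.0.0.0/0", "::/0"]},
]


def is_world_reachable(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a /0 prefix in either address family."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(rule: dict, port: int) -> bool:
    """Does this ingress rule admit TCP traffic to `port`?"""
    if rule["protocol"] == "-1":
        return True  # all protocols, all ports
    if rule["protocol"] != "tcp":
        return False
    return rule["from_port"] <= port <= rule["to_port"]


def classify(rules: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (severity, service, detail) findings, most urgent first.

    Security groups hold only allow rules and implicitly deny everything
    else, so the absence of a deny rule is never a finding. What matters is
    which sources each allow rule admits to an administrative port.
    """
    findings: List[Tuple[str, str, str]] = []
    for port, service in ADMIN_PORTS.items():
        sources = [c for r in rules if rule_covers_port(r, port) for c in r["cidrs"]]
        world = [c for c in sources if is_world_reachable(c)]
        if world:
            findings.append(("immediate", service, "open to " + ", ".join(world)))
        elif len(sources) > 1:
            # Several specific ranges is ordinary admin practice; report for
            # awareness only, not as a security concern.
            findings.append(("info", service, f"reachable from {len(sources)} specific ranges"))
    findings.sort(key=lambda f: 0 if f[0] == "immediate" else 1)
    return findings


if __name__ == "__main__":
    for severity, service, detail in classify(SAMPLE_RULES):
        print(f"[{severity}] {service}: {detail}")
```

On the sample rules the check reports RDP open to 0.0.0.0/0 as the immediate finding and SSH from two specific ranges as informational only; the HTTPS rule open to the world is not flagged because 443 is a service port, not an administrative one.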

56
MCQ · medium

Refer to the exhibit. A user is unable to access Dropbox, which is a high-risk application. The administrator wants to allow Dropbox but still block other high-risk apps. What is the most efficient way to achieve this?

A. Add the user to a group that is exempt from the policy
B. Delete the existing policy and create separate policies for each high-risk app
C. Create a new Cloudlock policy that allows Dropbox for all users, placed with higher priority
D. Modify the existing policy to change risk level to 'Medium'
Answer: C

Higher priority policy overrides the block.

Why this answer

Option C is correct because Cisco Cloudlock uses a policy-based approach where policies are evaluated in order of priority. By creating a new policy with higher priority that explicitly allows Dropbox, the administrator can override the existing block policy for that specific application while maintaining the block on all other high-risk apps. This is the most efficient method as it avoids modifying or deleting the original policy.

Exam trap

The trap here is that candidates may think modifying the risk level or using exemptions is the simplest approach, but Cisco tests the understanding that policy priority allows selective overrides without disrupting the original rule set.

How to eliminate wrong answers

Option A is wrong because adding the user to an exemption group would bypass the entire policy, allowing all high-risk apps, not just Dropbox, which does not meet the requirement to block other high-risk apps. Option B is wrong because deleting the existing policy and creating separate policies for each high-risk app is inefficient and unnecessary; it adds administrative overhead and does not leverage Cloudlock's priority-based policy evaluation. Option D is wrong because changing the risk level to 'Medium' would affect the classification of all high-risk apps, potentially allowing other high-risk apps to be treated as medium risk, which is not the intended outcome.

57
Multi-Selectmedium

A cloud security engineer is evaluating CSPM (Cloud Security Posture Management) solutions. Which TWO capabilities are essential for a CSPM tool? (Select two.)

Select 2 answers
A.Vulnerability scanning of container images
B.Incident response automation with playbooks
C.Continuous compliance monitoring with industry standards
D.Real-time network traffic analysis
E.Misconfiguration detection based on best practices
AnswersC, E

Core CSPM capability.

Why this answer

Option C is correct because CSPM tools continuously evaluate cloud accounts against industry benchmarks such as the CIS Foundations benchmarks, NIST frameworks, and PCI DSS, so drift from a required control surfaces as a compliance finding instead of waiting for an audit. Option E is correct because the other half of CSPM is misconfiguration detection: the tool inventories resources through the provider's APIs and flags settings that violate best practice, such as a storage bucket that is publicly readable, a security group that exposes an administrative port to 0.0.0.0/0, or a console user without MFA. Both capabilities operate on configuration and control-plane data, which is what separates CSPM from tools that inspect packets or container images or that run response playbooks.

Exam trap

Cisco often tests the distinction between CSPM (configuration and compliance) and other cloud security tools (container scanning, SOAR, NTA), so the trap here is confusing adjacent security functions with the specific scope of CSPM.
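
The two capabilities above, and the exposed-RDP scenario at the top of this section, can be shown as a small rule engine. This is an added example, not code from the question bank or from any Cisco product: the inventory is constructed in the shape of (not copied from) an AWS describe-* response, the resource ids are hypothetical, and no cloud API is called.

```python
"""Minimal CSPM-style misconfiguration checks over a constructed inventory."""
from dataclasses import dataclass
from typing import Callable, Dict, List

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
WORLD = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str


def check_security_group(sg: dict) -> List[Finding]:
    """Administrative ports reachable from the whole internet (CIS AWS 5.x style)."""
    out = []
    for rule in sg.get("inbound", []):
        if not WORLD & set(rule.get("sources", [])):
            continue                                  # only world-open rules matter here
        if rule.get("protocol") not in ("tcp", "-1"):
            continue                                  # "-1" is the AWS "all protocols" value
        for port, name in ADMIN_PORTS.items():
            if rule["from_port"] <= port <= rule["to_port"]:
                out.append(Finding(sg["id"], f"{name}-open-to-world", "high"))
    return out


def check_bucket(bucket: dict) -> List[Finding]:
    """Buckets without public-access blocking or without default encryption."""
    out = []
    if not bucket.get("block_public_access", False):
        out.append(Finding(bucket["name"], "public-access-not-blocked", "high"))
    if bucket.get("default_encryption") is None:
        out.append(Finding(bucket["name"], "no-default-encryption", "medium"))
    return out


def check_iam_user(user: dict) -> List[Finding]:
    """Console users must have MFA enabled (CIS AWS 1.10 style)."""
    if user.get("console_access") and not user.get("mfa_enabled"):
        return [Finding(user["name"], "console-user-without-mfa", "high")]
    return []


CHECKS: Dict[str, Callable[[dict], List[Finding]]] = {
    "security_groups": check_security_group,
    "buckets": check_bucket,
    "iam_users": check_iam_user,
}


def evaluate(inventory: dict) -> List[Finding]:
    """Run every check over every resource of its kind and collect findings."""
    findings: List[Finding] = []
    for kind, check in CHECKS.items():
        for resource in inventory.get(kind, []):
            findings.extend(check(resource))
    return findings


# Constructed inventory (hypothetical ids; not data from a real account).
SAMPLE_INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "inbound": [
            {"protocol": "tcp", "from_port": 443, "to_port": 443, "sources": ["0.0.0.0/0"]},
            {"protocol": "tcp", "from_port": 22, "to_port": 22,
             "sources": ["203.0.113.0/24", "198.51.100.0/24"]},   # SSH from two admin ranges: fine
            {"protocol": "tcp", "from_port": 3389, "to_port": 3389, "sources": ["0.0.0.0/0"]},
        ]},
        {"id": "sg-db", "inbound": [
            {"protocol": "tcp", "from_port": 5432, "to_port": 5432, "sources": ["10.0.0.0/16"]},
        ]},
    ],
    "buckets": [
        {"name": "pii-archive", "block_public_access": True, "default_encryption": "aws:kms"},
        {"name": "static-site", "block_public_access": False, "default_encryption": None},
    ],
    "iam_users": [
        {"name": "alice", "console_access": True, "mfa_enabled": True},
        {"name": "break-glass", "console_access": True, "mfa_enabled": False},
    ],
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"{f.severity:6} {f.rule:28} {f.resource}")
```

The SSH rule from two specific ranges produces no finding while the RDP rule from 0.0.0.0/0 does, which is exactly the distinction the exhibit question at the start of this section tests. A real CSPM maps each rule to a benchmark control id and re-runs the evaluation on every configuration change event rather than on a snapshot.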

58
MCQeasy

A multinational company needs to gain centralized visibility into cloud security posture across AWS, Azure, and GCP. Which Cisco product provides multi-cloud security posture management (CSPM) capabilities?

A.Cisco Cloudlock
B.Cisco Firepower Threat Defense
C.Cisco Stealthwatch Cloud
D.Cisco Umbrella
AnswerA

Cloudlock offers CSPM, DLP, and access governance for multi-cloud.

Why this answer

Cisco Cloudlock is the correct answer because it provides Cloud Security Posture Management (CSPM) capabilities across multi-cloud environments, including AWS, Azure, and GCP. It continuously monitors cloud infrastructure for misconfigurations, compliance violations, and security risks, offering centralized visibility and remediation guidance. This aligns directly with the requirement for multi-cloud CSPM in the question.

Exam trap

Cisco often tests the distinction between CSPM and cloud workload protection (CWP) or network security tools; the trap here is that candidates may confuse Stealthwatch Cloud (network visibility) or Umbrella (DNS security) with cloud security posture management, but only Cloudlock directly addresses multi-cloud configuration and compliance monitoring.

How to eliminate wrong answers

Option B (Cisco Firepower Threat Defense) is wrong because it is a next-generation firewall (NGFW) and intrusion prevention system (IPS) focused on network traffic inspection and threat prevention, not cloud security posture management. Option C (Cisco Stealthwatch Cloud) is wrong because it provides network traffic analysis and visibility for cloud and on-premises environments using NetFlow/IPFIX data, but it does not perform CSPM functions like configuration assessment or compliance monitoring. Option D (Cisco Umbrella) is wrong because it is a cloud-delivered DNS security and secure web gateway (SWG) solution that protects against internet-based threats, not a CSPM tool for multi-cloud posture management.

59
MCQhard

A security team notices that an AWS Lambda function is allowed to access an S3 bucket containing PII. The Lambda role has an attached policy that grants s3:PutObject and s3:GetObject to the bucket. Which action would be the most effective to ensure least privilege?

A.Enable S3 default encryption using AWS KMS
B.Apply AWS WAF rules to the Lambda function
C.Remove the role and create a new role with full S3 access
D.Add a bucket policy that restricts access to the Lambda execution role and includes conditions
AnswerD

A resource-based policy can name the execution role as the only permitted principal and add conditions such as TLS-only or a specific VPC endpoint.

Why this answer

Option D is correct because a bucket policy that names the Lambda execution role as the only permitted principal, and adds conditions, enforces least privilege at the resource itself rather than relying solely on what is attached to the role. Useful conditions here are aws:PrincipalArn (to deny every principal other than the execution role), aws:SecureTransport (to require TLS), and aws:SourceVpce if the function reaches S3 through a VPC endpoint; scoping the Resource to an object prefix narrows further what the function can read or write. Note that aws:SourceArn and aws:SourceAccount are populated only when an AWS service calls a resource on your behalf (for example, S3 invoking Lambda), not when the function's role calls S3, so they are the wrong keys for this direction. Combined with the role's identity policy, the bucket policy ensures that only this function can perform s3:PutObject and s3:GetObject on the PII bucket and that no other principal can reuse those permissions.

Exam trap

The trap here is that candidates often confuse resource-based policies (bucket policies) with identity-based policies (IAM roles) and think that modifying the IAM role alone is sufficient, but Cisco tests that least privilege requires restricting access at both the identity and resource levels, especially for cross-service scenarios.

How to eliminate wrong answers

Option A is wrong because enabling S3 default encryption using AWS KMS protects data at rest but does not restrict which principals or roles can access the bucket; it addresses confidentiality, not authorization. Option B is wrong because AWS WAF is a web application firewall that protects HTTP/HTTPS endpoints (like API Gateway or CloudFront), not Lambda functions or S3 bucket access; it cannot control IAM permissions or S3 API calls. Option C is wrong because creating a new role with full S3 access (s3:*) would grant excessive permissions, violating the principle of least privilege and potentially allowing the Lambda function to list, delete, or modify all objects in the bucket.
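
The policy described above, with a small simulator of the two IAM evaluation rules that matter here (an explicit Deny beats any Allow; no matching statement is an implicit deny). This is an added example, not from the question bank or from AWS documentation; every ARN is hypothetical, and the simulator implements only the operators this policy uses, so it is not a general policy evaluator.

```python
"""Least-privilege S3 bucket policy for a Lambda execution role, plus a
tiny simulator of the relevant IAM evaluation rules."""
import fnmatch
import json

ROLE_ARN = "arn:aws:iam::123456789012:role/pii-ingest-lambda-role"   # hypothetical
ADMIN_ARN = "arn:aws:iam::123456789012:role/SecurityAdmin"           # hypothetical
BUCKET_ARN = "arn:aws:s3:::example-pii-bucket"                       # hypothetical


def least_privilege_bucket_policy(role_arn, bucket_arn, prefix, admin_arns=()):
    """Allow only role_arn to read/write objects under prefix, over TLS, and
    explicitly deny every other principal. aws:PrincipalArn is the right key
    for a role calling S3 (aws:SourceArn is only set when an AWS service calls
    the resource for you). admin_arns are exempted from the Deny so the admin
    role cannot lock itself out; it still needs its own identity-policy Allow."""
    exempt = [role_arn, *admin_arns]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowLambdaRoleOnly",
             "Effect": "Allow",
             "Principal": {"AWS": role_arn},
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"{bucket_arn}/{prefix}*",
             "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
            {"Sid": "DenyEveryoneElse",
             "Effect": "Deny",
             "Principal": "*",
             "Action": "s3:*",
             "Resource": [bucket_arn, f"{bucket_arn}/*"],
             "Condition": {"ArnNotEquals": {"aws:PrincipalArn": exempt}}},
        ],
    }


def _match(patterns, value):
    """IAM-style wildcard match for Action/Resource/Principal values."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _conditions_hold(cond, ctx):
    """Evaluate only the condition operators this policy uses."""
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            actual = ctx.get(key)
            if op == "Bool" and str(actual).lower() != wanted[0].lower():
                return False
            if op == "ArnNotEquals" and actual in wanted:
                return False
            if op == "ArnEquals" and actual not in wanted:
                return False
    return True


def simulate(policy, principal_arn, action, resource, tls=True):
    """Return 'allow', 'explicit-deny' or 'implicit-deny' for one request."""
    ctx = {"aws:PrincipalArn": principal_arn, "aws:SecureTransport": str(tls).lower()}
    decision = "implicit-deny"
    for st in policy["Statement"]:
        principal = st["Principal"]
        principal_ok = principal == "*" or _match(principal["AWS"], principal_arn)
        if not (principal_ok and _match(st["Action"], action) and _match(st["Resource"], resource)):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "explicit-deny"                    # Deny wins regardless of order
        decision = "allow"
    return decision


POLICY = least_privilege_bucket_policy(ROLE_ARN, BUCKET_ARN, "uploads/", admin_arns=[ADMIN_ARN])

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    obj = f"{BUCKET_ARN}/uploads/batch-001.csv"
    for who, act in [(ROLE_ARN, "s3:GetObject"), (ROLE_ARN, "s3:DeleteObject"),
                     ("arn:aws:iam::123456789012:role/other-app", "s3:GetObject"),
                     (ADMIN_ARN, "s3:ListBucket")]:
        print(f"{act:16} by {who.split('/')[-1]:22} -> {simulate(POLICY, who, act, obj)}")
```

Two results are worth noticing: the execution role is implicitly denied s3:DeleteObject and any object outside the uploads/ prefix even though nothing in the policy names those explicitly, and a request from the role over plain HTTP fails the aws:SecureTransport condition. Before deploying a Deny with Principal "*", always confirm the exemption list includes the role you administer with, since S3 will enforce the lockout against the account's own administrators.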

60
MCQeasy

A company wants to enforce consistent security policies for Office 365, Salesforce, and Box. Which Cisco product provides CASB functionality with policy enforcement for SaaS applications?

A.Cisco Stealthwatch
B.Cisco Firepower Threat Defense
C.Cisco Umbrella
D.Cisco Cloudlock
AnswerD

Cloudlock is a CASB with DLP and policy enforcement.

Why this answer

Cisco Cloudlock is the correct answer because it is Cisco's Cloud Access Security Broker (CASB) solution, designed to enforce consistent security policies across SaaS applications such as Office 365, Salesforce, and Box. It connects to each platform through the vendor's APIs (an out-of-band deployment, so it does not sit inline between users and the SaaS provider) and provides visibility, data loss prevention (DLP) on the data stored in those platforms, threat protection, and compliance monitoring, with automated responses such as revoking an external share or quarantining a file when a policy is violated.

Exam trap

The trap here is that candidates often confuse Cisco Umbrella's cloud-delivered security (DNS filtering, web proxy) with CASB functionality, but Umbrella lacks the deep API-level integration and policy enforcement for SaaS applications that Cloudlock provides.

How to eliminate wrong answers

Option A is wrong because Cisco Stealthwatch is a network visibility and security analytics tool that focuses on traffic flow analysis using NetFlow/IPFIX, not CASB functionality for SaaS policy enforcement. Option B is wrong because Cisco Firepower Threat Defense (FTD) is a next-generation firewall (NGFW) that provides intrusion prevention and application control at the network perimeter, but it does not offer native CASB capabilities for SaaS applications like Office 365 or Salesforce. Option C is wrong because Cisco Umbrella is a cloud-delivered DNS-layer security solution that provides threat intelligence and web filtering, but it lacks the deep API-based policy enforcement and data-level controls required for CASB functionality in SaaS environments.

61
MCQhard

During a cloud migration, the security team uses Cisco CloudLock for DLP. They notice that the DLP engine is not scanning certain files in Google Drive shared with external users. The CloudLock admin console shows the connector status as 'connected'. What is the most likely cause?

A.The connector lacks permission to scan external files
B.The files are too large (over 100 MB)
C.The external sharing is disabled in CloudLock policy
D.The files are in Google Drive 'My Drive' not 'Shared Drive'
AnswerA

CloudLock requires specific OAuth scopes to access files shared outside the organization; if missing, scanning is incomplete.

Why this answer

Cisco CloudLock requires explicit permissions to scan files shared with external users. Even though the connector status shows 'connected', the default OAuth scopes granted during initial setup may not include access to files shared outside the organization. The DLP engine can only inspect files it has read access to; without the 'drive.readonly' scope extended to externally shared items, those files are invisible to scanning.

Exam trap

Cisco often tests the misconception that a 'connected' status implies full functionality, when in reality the connector may lack the necessary OAuth permissions to access certain file categories like externally shared items.

How to eliminate wrong answers

Option B is wrong because CloudLock supports scanning files up to 5 GB in size, and the 100 MB threshold is not a limitation for Google Drive DLP scanning. Option C is wrong because disabling external sharing in CloudLock policy would prevent DLP actions (like blocking or alerting) but does not prevent the engine from scanning the files; the issue is that the files are not being scanned at all. Option D is wrong because CloudLock scans both 'My Drive' and 'Shared Drive' files; the location does not affect the scanning capability, only the permission scope does.

62
MCQmedium

An organization deploys Cisco Secure Firewall (formerly Firepower) in a public cloud environment (AWS). They need to inspect traffic between VPCs. What is the recommended deployment model?

A.Deploy firewall as a centralized virtual appliance in a transit VPC
B.Install firewall software on each EC2 instance
C.Deploy firewall in each VPC with VPC peering
D.Use AWS Network Firewall instead
AnswerA

Centralized inspection in a transit VPC provides consistent policy enforcement for inter-VPC traffic.

Why this answer

In AWS, deploying Cisco Secure Firewall as a centralized virtual appliance in a transit VPC is the recommended model because inter-VPC traffic from many spoke VPCs is routed through a single inspection point. Traffic is steered there either with AWS Transit Gateway (a route in the spoke attachments' TGW route table sends traffic to the inspection VPC attachment) or, in the original transit VPC design, with IPsec tunnels from each spoke VPC's virtual private gateway to the appliances; plain VPC peering cannot do this because peering is not transitive. Centralized inspection gives consistent policy enforcement and visibility without per-VPC firewall instances, simplifies management, and reduces cost.

Exam trap

Cisco often tests the misconception that deploying a firewall in each VPC with VPC peering is sufficient, but the trap is that VPC peering does not support transitive routing, so traffic between two peered VPCs cannot be forced through a firewall in a third VPC without complex and unsupported routing hacks.

How to eliminate wrong answers

Option B is wrong because installing firewall software on each EC2 instance is impractical for inter-VPC traffic inspection—it would require agent-based controls that cannot inspect traffic at the network layer between VPCs, and it violates the principle of centralized security management. Option C is wrong because deploying a firewall in each VPC with VPC peering creates a mesh of point-to-point connections that does not scale, introduces asymmetric routing challenges, and makes policy management cumbersome; VPC peering does not support transitive routing, so traffic between VPCs would not automatically pass through a firewall in another VPC. Option D is wrong because while AWS Network Firewall is a native service, the question specifically asks about deploying Cisco Secure Firewall, and using AWS Network Firewall would replace the Cisco solution rather than deploy it; Cisco Secure Firewall can be deployed as a virtual appliance in a transit VPC to provide advanced threat inspection and integration with Cisco security ecosystem.

63
MCQeasy

A company uses Cisco Umbrella for DNS-layer security. They want to block access to known malicious IPs that may be resolved by non-DNS traffic. Which feature should they enable?

A.File Analysis
B.Application Discovery
C.IP Layer Enforcement
D.HTTPS Inspection
AnswerC

Blocks malicious IPs for non-DNS traffic.

Why this answer

IP Layer Enforcement is the correct feature because it allows Cisco Umbrella to block traffic to known malicious IP addresses even when the traffic does not originate from a DNS query. This is essential for blocking threats that use hardcoded IPs or non-DNS protocols like direct IP connections, ensuring protection beyond DNS-layer filtering.

Exam trap

Cisco often tests the distinction between DNS-layer security (which only blocks based on domain names) and IP-layer enforcement (which blocks based on IP addresses), leading candidates to mistakenly choose HTTPS Inspection or File Analysis as they associate them with security inspection rather than IP-based blocking.

How to eliminate wrong answers

Option A is wrong because File Analysis is a feature for inspecting and sandboxing files for malware, not for blocking traffic to malicious IPs. Option B is wrong because Application Discovery is used to identify and categorize applications in use, not to enforce IP-based blocking. Option D is wrong because HTTPS Inspection decrypts and inspects encrypted web traffic for threats, but it does not directly block traffic to known malicious IPs resolved outside of DNS.

64
MCQeasy

A company wants to use Cisco DUO for MFA to protect access to its Azure AD applications. Which authentication method should be configured for cloud applications?

A.Secondary authentication via DUO after Azure AD
B.DUO for RADIUS authentication
C.DUO as a SAML identity provider
D.Primary authentication via DUO
AnswerA

DUO provides MFA as a second factor after Azure AD validates the user identity.

Why this answer

When integrating Cisco DUO with Azure AD for MFA, the supported approach for existing cloud applications is to keep Azure AD as the identity provider (IdP) for primary authentication and invoke DUO as the second factor afterwards. This is done through DUO's Azure AD integration, which Conditional Access calls as a custom control (or, in newer tenants, as an external authentication method) after the user has already authenticated against Azure AD. Azure AD remains the IdP, while DUO adds a push, phone call, or passcode step before the session is issued.

Exam trap

Cisco often tests the misconception that DUO must take over as the identity provider to protect cloud applications. DUO can act as a SAML IdP in its own right (Duo Single Sign-On), but for applications that already federate with Azure AD the correct design is to layer DUO as the secondary factor behind the existing IdP, so the authentication chain and the existing application integrations stay intact.

How to eliminate wrong answers

Option B is wrong because DUO for RADIUS authentication is used for on-premises VPNs, network devices, or legacy applications that support RADIUS, not for cloud-native Azure AD applications that use modern authentication protocols like SAML or OpenID Connect. Option C is wrong because configuring DUO as a SAML identity provider would replace Azure AD as the primary IdP, which is not the goal; the requirement is to protect access to Azure AD applications, meaning Azure AD must remain the IdP. Option D is wrong because primary authentication via DUO would bypass Azure AD entirely, which contradicts the requirement to protect access to Azure AD applications; DUO is designed for secondary MFA, not as a primary authentication source.

65
MCQhard

During a cloud migration, an administrator notices that a workload in Azure is generating outbound traffic that is being blocked by the cloud security group. The workload requires connectivity to a specific SaaS application (Office 365) using TLS. The security group denies all outbound traffic except to specific IP ranges. Which action should the administrator take?

A.Implement a proxy server
B.Use Azure Private Link
C.Add the Office 365 IP ranges and FQDNs to the allowed list
D.Disable the security group temporarily
AnswerC

Allows required traffic while maintaining security.

Why this answer

Option C is correct because the administrator needs to allow outbound traffic to Office 365, which uses TLS over TCP/443. Since the security group denies all outbound traffic except to specific IP ranges, the most direct and secure fix is to add Microsoft's published Office 365 endpoints to the allowed list rather than weakening or bypassing the control. In practice an Azure network security group (NSG) matches on IP prefixes and Azure service tags, not on FQDNs, so the IP ranges from the Office 365 IP Address and URL web service are what go into the NSG rules; endpoints that Microsoft publishes only as FQDNs (wildcard hosts such as *.office.com) can be enforced only by Azure Firewall or a proxy that filters on FQDN. Because Microsoft changes these ranges regularly, the allow list should be refreshed from the web service on a schedule rather than maintained by hand.

Exam trap

The trap here is that candidates often confuse Azure Private Link (which is for private connectivity to Azure services) with general SaaS connectivity, or they incorrectly assume a proxy server is always required for outbound traffic control, when in fact the simplest solution is to update the security group rules with the correct IP ranges and FQDNs.

How to eliminate wrong answers

Option A is wrong because implementing a proxy server would add an unnecessary intermediary, increasing complexity and latency, and does not address the root cause of the security group blocking traffic; the proxy itself would still need its outbound traffic allowed. Option B is wrong because Azure Private Link is used to privately connect to Azure PaaS services (e.g., Azure SQL, Storage) over the Microsoft backbone, not to external SaaS applications like Office 365, which are not hosted in Azure and cannot be accessed via Private Link. Option D is wrong because disabling the security group temporarily removes all outbound restrictions, exposing the workload to potential security risks and violating the principle of least privilege; it is a poor operational practice that should never be recommended.
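
Turning the published endpoint data into NSG rules, and separating out the FQDN-only entries an NSG cannot express, looks like this. This is an added example, not from the question bank or from Microsoft: the endpoint records are constructed to mirror the field names of the Office 365 IP Address and URL web service (serviceArea, urls, ips, tcpPorts, udpPorts, category, required), but the addresses are documentation ranges, not Microsoft's real prefixes, and nothing here talks to Azure.

```python
"""Generate Azure NSG outbound allow rules from Office 365 endpoint records."""
from typing import Dict, List, Tuple

# Constructed records in the web-service shape; prefixes are RFC 5737/3849 examples.
SAMPLE_ENDPOINTS = [
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["outlook.office365.com"], "ips": ["203.0.113.0/24", "2001:db8:1::/48"],
     "tcpPorts": "80,443", "udpPorts": None},
    {"id": 2, "serviceArea": "SharePoint", "category": "Optimize", "required": True,
     "urls": ["*.sharepoint.com"], "ips": ["198.51.100.0/25"],
     "tcpPorts": "443", "udpPorts": None},
    {"id": 3, "serviceArea": "Common", "category": "Default", "required": True,
     "urls": ["*.office.com"], "ips": [], "tcpPorts": "443", "udpPorts": None},
    {"id": 4, "serviceArea": "Skype", "category": "Optimize", "required": False,
     "urls": ["*.lync.com"], "ips": ["192.0.2.0/24"],
     "tcpPorts": "443", "udpPorts": "3478-3481"},
]


def _ports(spec) -> List[str]:
    """'80,443' -> ['80', '443']; None or '' -> []."""
    return [p.strip() for p in spec.split(",") if p.strip()] if spec else []


def nsg_rules_from_endpoints(endpoints, start_priority=100, ipv6=False) -> Tuple[List[Dict], List[str]]:
    """Return (nsg_rules, fqdn_only) for the required endpoints.

    nsg_rules are dicts in the shape an ARM/Bicep securityRules entry expects.
    fqdn_only lists hostnames published without IP ranges; an NSG cannot match
    on them, so they need Azure Firewall or a proxy instead."""
    rules: List[Dict] = []
    fqdn_only: List[str] = []
    priority = start_priority
    for ep in endpoints:
        if not ep.get("required"):
            continue                                   # optional endpoints stay blocked
        ips = [ip for ip in ep.get("ips", []) if ipv6 or ":" not in ip]
        if not ips:
            fqdn_only.extend(ep.get("urls", []))
            continue
        for proto, spec in (("Tcp", ep.get("tcpPorts")), ("Udp", ep.get("udpPorts"))):
            ports = _ports(spec)
            if not ports:
                continue
            rules.append({
                "name": f"Allow-O365-{ep['serviceArea']}-{ep['id']}-{proto}",
                "priority": priority,                  # must sort before the deny-all rule
                "direction": "Outbound",
                "access": "Allow",
                "protocol": proto,
                "sourceAddressPrefix": "*",
                "sourcePortRange": "*",
                "destinationAddressPrefixes": ips,
                "destinationPortRanges": ports,
            })
            priority += 10
    return rules, fqdn_only


if __name__ == "__main__":
    rules, fqdn_only = nsg_rules_from_endpoints(SAMPLE_ENDPOINTS)
    for r in rules:
        print(r["priority"], r["name"], r["destinationAddressPrefixes"], r["destinationPortRanges"])
    print("needs FQDN filtering (Azure Firewall/proxy):", fqdn_only)
```

The generated priorities must sit below whatever number the existing deny-all outbound rule uses, and the function is what a scheduled job would call after fetching the current endpoint list, replacing the rule set wholesale so that retired ranges are removed as well as new ones added.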

66
MCQmedium

A security architect is designing a hybrid cloud with AWS and on-premises data center. They need to enforce consistent security policies across both environments. Which approach is most effective?

A.Deploy separate Cisco Firepower instances in AWS and on-prem, each with independent policies
B.Use Cisco Secure Cloud Analytics (Stealthwatch) with AWS Cloud integration
C.Use AWS CloudTrail and AWS Config for on-premises resources
D.Establish a site-to-site VPN and use AWS Security Groups for both environments
AnswerB

Provides unified visibility and policy enforcement across hybrid environments.

Why this answer

Option B is correct because Cisco Secure Cloud Analytics (formerly Stealthwatch Cloud) integrates with AWS through the provider's APIs to ingest VPC Flow Logs and CloudTrail events, while on-premises sensors feed it NetFlow/IPFIX and mirrored traffic, giving one analytics layer across both environments. The same detection policies, entity models, and alerting apply to workloads wherever they run, so the team avoids policy fragmentation and can drive a consistent response from a single place instead of maintaining separate rule sets in AWS and in the data center.

Exam trap

Cisco often tests the misconception that VPN connectivity alone (Option D) or separate firewalls (Option A) can achieve consistent policy enforcement, when in reality they require a centralized analytics and orchestration layer like Stealthwatch to unify policy management across hybrid clouds.

How to eliminate wrong answers

Option A is wrong because deploying separate Cisco Firepower instances with independent policies creates policy silos, leading to inconsistent security enforcement and increased administrative overhead, which defeats the goal of consistent policies. Option C is wrong because AWS CloudTrail and AWS Config are designed for auditing and compliance of AWS resources, not for managing or enforcing security policies on on-premises resources; they lack the capability to apply policies to non-AWS environments. Option D is wrong because a site-to-site VPN provides encrypted connectivity but does not enforce security policies; AWS Security Groups are stateful firewalls that only apply to AWS VPC resources and cannot extend to on-premises hosts or networks.

67
MCQhard

A security analyst discovers that a user downloaded a CSV file containing social security numbers from a sanctioned cloud storage app, but no alert was generated. The DLP policy shown in the exhibit was applied. What is the most likely reason the policy failed to trigger?

A.The user bypassed the DLP policy using an API call.
B.The policy was not applied to the cloud storage app used by the user.
C.The policy only notifies the admin and does not block the download.
D.The social security numbers in the file did not contain dashes, so the regex did not match.
AnswerD

The regex specifically requires dashes; numbers without dashes would not match.

Why this answer

The DLP policy uses a regex pattern that expects dashes in the social security numbers (e.g., \d{3}-\d{2}-\d{4}). If the CSV file contained SSNs without dashes (e.g., 123456789), the regex would not match, and no alert would be generated. This is the most likely reason the policy failed to trigger, as the data format did not meet the policy's detection criteria.

Exam trap

Cisco often tests the nuance that DLP regex patterns are literal and do not automatically account for formatting variations (like missing dashes), leading candidates to overlook the mismatch and incorrectly assume a policy misapplication or bypass.

How to eliminate wrong answers

Option A is wrong because a download through the app's API is still a download from the sanctioned app; an API-based CASB sees the file through the same platform APIs regardless of which client fetched it, and nothing in the scenario points to a bypass. Option B is wrong because the policy is explicitly applied to the cloud storage app (as shown in the exhibit), and the app is sanctioned, so the policy should cover it. Option C is wrong because the policy's action (notify admin vs. block) does not affect whether an alert is generated; the policy would still trigger an alert if the content matched, but it failed to match because of the regex.
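
The failure mode above, with the dashed-only pattern beside a detector that catches dashed, spaced, and bare nine-digit forms and then applies the SSA issuance rules so that bare digits do not flood the alert queue with false positives. This is an added example, not code from the question bank or from any CASB product; the CSV rows are constructed and contain no real identifiers.

```python
"""SSN detection: the dashed-only pattern from the exhibit versus a format-tolerant,
validated detector."""
import re
from typing import List

# Pattern as the exhibit describes it: separators are mandatory, so "123456789" never matches.
DASHED_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Candidate: three groups with optional dash or space, not embedded in a longer
# digit run (so a 13-digit account number does not yield a 9-digit "SSN").
CANDIDATE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA rules: area not 000, 666 or 900-999; group not 00; serial not 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> List[str]:
    """Return plausible SSNs found in text, normalised to the dashed form."""
    found = []
    for m in CANDIDATE.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            found.append(f"{area}-{group}-{serial}")
    return found


def dlp_verdict(text: str, threshold: int = 1) -> dict:
    """What a content rule would report: match count for each pattern and whether
    the file crosses the alert threshold under each."""
    dashed = DASHED_SSN.findall(text)
    tolerant = find_ssns(text)
    return {
        "dashed_only": {"matches": len(dashed), "alert": len(dashed) >= threshold},
        "tolerant": {"matches": len(tolerant), "alert": len(tolerant) >= threshold},
    }


# Constructed sample export (no real people or identifiers).
SAMPLE_CSV = """employee_id,name,ssn,phone
1001,A. Example,123-45-6789,555-0100
1002,B. Example,219099999,555-0101
1003,C. Example,000-12-3456,555-0102
1004,D. Example,2024123456789,555-0103
"""

if __name__ == "__main__":
    print("dashed-only pattern :", DASHED_SSN.findall(SAMPLE_CSV))
    print("tolerant + validated:", find_ssns(SAMPLE_CSV))
    print(dlp_verdict("employee_id,ssn\n2001,219099999\n"))
```

On the sample the dashed-only pattern reports the invalid 000-12-3456 row and misses the bare 219099999 row; the tolerant detector does the reverse. Raising the threshold above one match is the usual way to keep a single coincidental nine-digit number from paging anyone, while a CSV column full of them still trips the rule.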

68
MCQeasy

A company is planning to use Cisco Umbrella to secure internet access for branch offices. They already have Cisco Meraki MX appliances at each branch. What is the best way to send DNS traffic from the branches to Umbrella?

A.Enable the Umbrella integration in Meraki dashboard
B.Deploy the Umbrella virtual appliance at each branch
C.Install the Umbrella Roaming Client on each user device
D.Configure IPSec tunnels between branches and Umbrella data centers
AnswerA

Meraki MX has built-in connector to Umbrella for DNS forwarding.

Why this answer

Option A is correct because the Meraki dashboard has a native Umbrella integration: once the Umbrella and Meraki organizations are linked, DNS traffic from each MX is forwarded to Umbrella and Umbrella policies can be applied per network without touching the branch. Option D is wrong because IPsec tunnels to Umbrella data centers are the mechanism for steering full web traffic to the secure internet gateway and add tunnel configuration at every site; they are not needed for DNS-layer protection from an MX that already has the integration. Option B is wrong because an on-premises virtual appliance adds infrastructure at every branch that the MX integration makes unnecessary. Option C is wrong because the roaming client protects individual endpoints wherever they are; it does not cover the branch network as a whole or devices that cannot run the client.

69
MCQhard

A cloud architect is designing a hybrid network between on-premises and AWS. They need to ensure traffic to the internet from the VPC uses the on-premises security stack for inspection. The VPC has an Internet Gateway (IGW). What must be configured to force outbound traffic to the on-premises firewall?

A.Use VPC Endpoints for all services
B.Deploy a NAT Gateway and assign it to the route table
C.Update the VPC route table to point 0.0.0.0/0 to the virtual private gateway or transit gateway attachment
D.Configure security groups to block direct internet access
AnswerC

This routes internet traffic through the VPN to on-premises.

Why this answer

Option C is correct because forcing all outbound internet traffic from the VPC through the on-premises firewall requires a default route (0.0.0.0/0) in the subnet route table that points to the virtual private gateway (VGW) or the transit gateway (TGW) attachment. Traffic then leaves over the VPN or Direct Connect to the on-premises network, where the security stack inspects it before it reaches the internet. An Internet Gateway only carries traffic from subnets whose route table sends it there, so once the default route points at the VGW or TGW the IGW is simply unused for those subnets; it can stay attached for any subnet that still needs direct egress. With a VGW the on-premises side can also advertise 0.0.0.0/0 over BGP and let route propagation install it, which avoids maintaining the static entry by hand.

Exam trap

Cisco often tests the misconception that a NAT Gateway or VPC Endpoints can redirect traffic to on-premises, but the correct mechanism is a route table entry pointing to the virtual private gateway or transit gateway attachment.

How to eliminate wrong answers

Option A is wrong because VPC Endpoints provide private connectivity to AWS services without traversing the internet, but they do not force general outbound internet traffic through an on-premises firewall; they only handle traffic to specific AWS services. Option B is wrong because a NAT Gateway enables outbound internet access from private subnets but sends traffic directly to the IGW, bypassing the on-premises security stack; it does not route traffic through a VPN or Direct Connect. Option D is wrong because security groups are stateful firewalls that control inbound and outbound traffic at the instance level, but they cannot redirect traffic to an on-premises firewall; they only allow or deny traffic, not route it.

70
MCQmedium

An organization uses Cisco Umbrella for DNS-layer security. They want to block access to a newly discovered malicious domain (malware.example.com) immediately. Which action should the administrator take in the Umbrella dashboard?

A.Add the domain to the 'Global Block List' under 'Managed Networks'.
B.Add the domain to the 'Temporary Block List' under 'Security Settings'.
C.Add the domain to the 'Block List' under the policy's 'Destination Lists'.
D.Add the domain to the 'IP Layer Enforcement' list.
AnswerC

Policy block list immediately blocks DNS queries to the domain for users under that policy.

Why this answer

Option C is correct because in Cisco Umbrella, the most immediate way to block a specific malicious domain is to add it to the 'Block List' under the policy's 'Destination Lists'. This list is evaluated in real-time for DNS queries, allowing the administrator to enforce the block without waiting for threat intelligence updates or affecting other policies.

Exam trap

The trap here is that candidates assume a dashboard-wide list under a networking menu is where a domain gets blocked, but in Umbrella blocking is done with destination lists attached to policies (the default Global Block List is itself a destination list under Policies > Destination Lists, not under Managed Networks), which leads them to Option A instead of C.

How to eliminate wrong answers

Option A is wrong because Managed Networks is where you register the public egress IPs of your sites so Umbrella can identify their traffic; it holds no block entries. A Global Block List does exist, but it lives under Policies > Destination Lists and applies to every policy, so the option as worded is incorrect. Option B is wrong because there is no 'Temporary Block List' under Security Settings in Cisco Umbrella; Security Settings selects threat categories (malware, phishing, command and control) rather than individual domains. Option D is wrong because IP Layer Enforcement blocks connections to malicious IP addresses from roaming clients after resolution has already happened; it is not where a domain is entered and does not act at the DNS layer.

71
MCQhard

A multinational corporation is migrating its on-premises data center to a public cloud provider. The security policy requires that all traffic between cloud VPCs and the on-premises network must be inspected by a next-generation firewall (NGFW) deployed in the cloud. The on-premises network uses BGP for dynamic routing. Which design meets the requirement while minimizing latency and administrative overhead?

A.Deploy a transit VPC with an NGFW instance and configure BGP dynamic routing between the transit VPC, other VPCs, and the on-premises network.
B.Use AWS Transit Gateway with static routes pointing to the NGFW instance for inspection.
C.Create a site-to-site VPN between each VPC and the on-premises network, and configure the NGFW on-premises.
D.Use AWS Direct Connect to connect all VPCs to the on-premises network and place the NGFW on-premises.
AnswerA

Transit VPC with NGFW and BGP allows traffic inspection and dynamic route exchange.

Why this answer

Option A is correct because a transit VPC with an NGFW instance allows centralized traffic inspection while using BGP dynamic routing to exchange routes between the transit VPC, other VPCs, and the on-premises network. This design minimizes administrative overhead by avoiding static route management and reduces latency by keeping inspection within the cloud, rather than hair-pinning traffic on-premises. BGP enables automatic failover and route propagation, meeting the dynamic routing requirement.

Exam trap

Cisco often tests the misconception that AWS Transit Gateway by itself gives dynamic routing to an NGFW: a TGW steers traffic to an inspection VPC attachment through static entries in its route tables, and an appliance participates in BGP with the TGW only when Transit Gateway Connect (GRE plus BGP) is used. Option B as written relies on static routes, so it fails the dynamic-routing requirement, which is why candidates who pick it on the strength of the 'native service' label get it wrong.

How to eliminate wrong answers

Option B is wrong because AWS Transit Gateway with static routes pointing to the NGFW instance introduces administrative overhead from manual route updates and does not leverage BGP dynamic routing as required, leading to potential misconfigurations and higher latency due to forced traffic paths. Option C is wrong because creating a site-to-site VPN between each VPC and the on-premises network with the NGFW on-premises forces all traffic to hair-pin through the on-premises network, increasing latency and failing to inspect traffic within the cloud; it also does not centralize inspection in the cloud as required. Option D is wrong because using AWS Direct Connect to connect all VPCs to the on-premises network and placing the NGFW on-premises violates the requirement that inspection must occur in the cloud, and it introduces significant latency by routing all cloud traffic back to the on-premises NGFW.

72
MCQeasy

A small business uses Cisco Umbrella for DNS-layer security. They recently enabled multi-factor authentication (MFA) for all administration accounts. The IT manager is unable to log into the Umbrella dashboard; the login page accepts his password but then asks for an MFA code. However, he never set up MFA. He checks his email and finds no registration email. He is the only administrator. How should he regain access to the Umbrella dashboard?

A.Create a new Umbrella account and transfer the organization.
B.Use the Umbrella API to programmatically disable MFA.
C.Have another administrator in the organization disable MFA for his account.
D.Contact Cisco TAC and prove ownership of the account to have MFA reset.
AnswerD

Correct: TAC can verify identity and reset MFA.

Why this answer

When an administrator is locked out of Cisco Umbrella due to MFA that was never configured, and there is no other administrator to assist, the only recovery path is to contact Cisco TAC. TAC can verify account ownership through a proof-of-ownership process and then reset the MFA enrollment, allowing the administrator to set it up fresh. This is the standard escalation procedure for Umbrella when self-service recovery options are unavailable.

Exam trap

Cisco often tests the misconception that API or self-service options can bypass MFA recovery, but in reality, MFA is a security boundary that requires administrative or TAC-level intervention to reset.

How to eliminate wrong answers

Option A is wrong because creating a new Umbrella account and transferring the organization is not a supported feature; Umbrella organizations are tied to a single primary account and cannot be transferred without TAC involvement. Option B is wrong because the Umbrella API does not expose an endpoint to disable MFA for an administrator account; MFA settings are managed through the dashboard or by TAC only. Option C is wrong because the scenario states the IT manager is the only administrator, so there is no other administrator to perform the disable action.

73
MCQeasy

A network engineer is configuring Cisco Umbrella to secure remote users connecting to a SaaS application. The users are not assigned a static public IP and often connect from various locations. Which deployment method best protects these users?

A.Roaming Client
B.Virtual Appliances
C.DNS forwarding with Network Device binding
D.IP layer enforcement with Anycast
AnswerA

A lightweight client that forwards the device's DNS queries to Umbrella regardless of the network it is on.

Why this answer

The Roaming Client (the Cisco Umbrella Roaming Security Module in Cisco Secure Client) is the correct deployment method because it provides DNS-layer security directly on the endpoint, regardless of the user's location or IP address. Remote users without a static public IP stay protected by Umbrella's DNS filtering and threat intelligence whether they connect from home, a coffee shop, or a hotel. The client registers the device with Umbrella so policy is applied per device rather than per source IP, reaches the nearest Umbrella resolver via Anycast, and encrypts its DNS queries to Umbrella (DNSCrypt, with DNS over HTTPS supported in newer client versions) so they cannot be read or tampered with on the local network.

Exam trap

Cisco often tests the misconception that DNS forwarding or IP-based enforcement can protect roaming users, but the trap here is that those methods require a stable, known source IP or a managed network device, which fails when users connect from arbitrary locations without a static public IP.

How to eliminate wrong answers

Option B (Virtual Appliances) is wrong because virtual appliances are deployed on-premises within a corporate network and cannot protect remote users who are not connected to the corporate VPN or network. Option C (DNS forwarding with Network Device binding) is wrong because DNS forwarding relies on a specific network device (e.g., router, firewall) with a static public IP or a configured IP binding, which fails when users roam and their source IP changes. Option D (IP layer enforcement with Anycast) is wrong because IP layer enforcement (e.g., using policy based on source IP) is ineffective for roaming users whose IP addresses are dynamic and unpredictable; Anycast alone does not provide per-user identity or enforcement without a client.

74
Multi-Select · medium

A company is implementing zero trust architecture in the cloud. Which TWO principles are fundamental to zero trust? (Choose two.)

Select 2 answers
A. Assume breach
B. Implicit trust for internal traffic
C. Use static passwords
D. Use perimeter firewalls only
E. Verify explicitly
Answers: A, E

Design systems assuming an attacker is present.

Why this answer

Option A is correct because zero trust architecture operates on the principle of 'never trust, always verify,' which includes assuming that a breach has already occurred or is inevitable. This assumption drives continuous validation of every access request, regardless of source, and enforces least-privilege access to limit lateral movement. In cloud environments, this means treating every API call, workload, and user session as potentially compromised until proven otherwise.

Exam trap

Cisco often tests the misconception that zero trust still allows implicit trust for internal traffic or that traditional perimeter defenses are sufficient, leading candidates to select 'Implicit trust for internal traffic' or 'Use perimeter firewalls only' instead of recognizing that zero trust requires explicit verification for all traffic.

75
MCQ · medium

A company uses multiple cloud providers (AWS and Azure) and wants to unify security monitoring and policy enforcement. They have on-premises data centers as well. Which Cisco solution is best suited for this?

A. Cisco Secure Cloud Analytics
B. Cisco Secure Firewall Cloud Native
C. Cisco Secure Workload
D. Cisco Secure Network Analytics
Answer: A

Unified monitoring and policy enforcement for multi-cloud and on-prem.

Why this answer

Cisco Secure Cloud Analytics (formerly Stealthwatch Cloud) is designed to provide unified visibility and security monitoring across multi-cloud environments (AWS, Azure, GCP) and on-premises data centers. It uses NetFlow/IPFIX data and cloud-native API integrations to detect anomalies and enforce consistent security policies, making it the best fit for the company's requirement to unify security monitoring and policy enforcement across hybrid and multi-cloud deployments.

Exam trap

Cisco often tests the distinction between 'monitoring and policy enforcement across multiple clouds' (Secure Cloud Analytics) versus 'micro-segmentation for workloads' (Secure Workload) or 'on-premises network analytics' (Secure Network Analytics), leading candidates to confuse the scope of each solution.

How to eliminate wrong answers

Option B (Cisco Secure Firewall Cloud Native) is wrong because it is a virtual firewall appliance specifically for public cloud environments, focusing on network segmentation and threat inspection, but it does not provide unified monitoring or policy enforcement across multiple cloud providers and on-premises. Option C (Cisco Secure Workload) is wrong because it is a micro-segmentation and workload protection solution that focuses on application-level visibility and policy enforcement within data centers and clouds, but it is not designed for unified security monitoring across disparate cloud providers and on-premises. Option D (Cisco Secure Network Analytics) is wrong because it is an on-premises network traffic analysis tool that relies on NetFlow/IPFIX from physical network devices, lacking native multi-cloud API integrations and the ability to monitor cloud-native workloads without additional agents.

