CCNA Cloud Security Questions

20 of 95 questions · Page 2/2 · Cloud Security · Answers revealed

76 · MCQ · easy

Refer to the exhibit. A security administrator implements this S3 bucket policy to restrict access to the bucket 'my-bucket'. What type of condition is being used?

A. String condition
B. IpAddress condition
C. Bool condition
D. Numeric condition
Answer: B

Condition key is IpAddress.

Why this answer

The condition in the S3 bucket policy uses the `IpAddress` condition key to restrict access based on the requester's IP address. This is explicitly an IP address condition, which evaluates the source IP of the request against the specified CIDR range. Option B is correct because the `aws:SourceIp` key is only valid with the `IpAddress` (or `NotIpAddress`) condition operator.

Exam trap

Cisco often tests the distinction between the condition key (`aws:SourceIp`) and the condition operator (`IpAddress`), leading candidates to confuse it with a String condition because the IP address is a string value.

How to eliminate wrong answers

Option A is wrong because a String condition uses operators like `StringEquals` or `StringLike` to compare string values, not IP addresses. Option C is wrong because a Bool condition uses the `Bool` operator to check boolean values like `aws:SecureTransport` true/false, not IP ranges. Option D is wrong because a Numeric condition uses operators like `NumericEquals` or `NumericLessThan` to compare numbers, not IP addresses.

77 · MCQ · hard

Refer to the exhibit. A security analyst notices this CloudTrail log entry. Which security best practice is being violated?

A. SSH access is allowed from a single IP
B. Port 22 is open to the internet
C. The user identity is an admin account
D. RDP access is allowed from any IP address (0.0.0.0/0)
Answer: D

0.0.0.0/0 means all IPs, a major security risk.

Why this answer

The CloudTrail log shows an `AuthorizeSecurityGroupIngress` API call that adds a rule allowing RDP (port 3389) from `0.0.0.0/0`, which means any IP on the internet. This violates the security best practice of restricting administrative access to trusted IP addresses only. Allowing RDP from all sources exposes the instance to brute-force attacks and unauthorized access attempts.

Exam trap

Cisco often tests the distinction between the port being open (which is not inherently a violation) versus the source being `0.0.0.0/0` (which is the violation), causing candidates to incorrectly focus on the protocol (RDP vs SSH) rather than the overly permissive source.

How to eliminate wrong answers

Option A is wrong because the log entry does not show any SSH (port 22) rule being modified; the rule added is for RDP (port 3389), and the issue is about overly permissive access, not a single IP. Option B is wrong because the log entry does not mention port 22 or SSH; the open port is 3389 (RDP), and the violation is about the source being 0.0.0.0/0, not the port itself. Option C is wrong because while the user identity is an admin account, the core violation is the overly permissive security group rule, not the use of an admin account; using an admin account for routine tasks is a separate best practice concern, but the direct violation in the log is the 0.0.0.0/0 rule.

78 · Matching · medium

Match each 802.1X component to its role.


Client requesting network access

Network device that enforces access control

RADIUS server that validates credentials

Extensible Authentication Protocol framework

Protocol used for AAA services

Why these pairings

These are key components of 802.1X authentication.

79 · Multi-Select · easy

A security architect is evaluating the Cisco Cloud Security portfolio for SaaS access protection. Which two solutions provide inline traffic inspection for cloud applications? (Choose two.)

A. Cisco Secure Firewall
B. Cisco Umbrella SIG
C. Cisco Cloudlock
D. Cisco DUO
E. Cisco Secure Workload
Answers: A, B

Secure Firewall can be deployed as a virtual appliance in the cloud for inline traffic inspection.

Why this answer

Cisco Secure Firewall (A) provides inline traffic inspection for cloud applications through its Next-Generation Firewall (NGFW) capabilities, including Application Visibility and Control (AVC) and SSL/TLS decryption, allowing it to inspect and enforce policies on traffic to and from SaaS applications. Cisco Umbrella SIG (B) is a cloud-delivered Secure Internet Gateway (SIG) that performs inline proxy-based inspection of all web traffic, including SaaS applications, by intercepting DNS and HTTP/HTTPS requests to enforce security policies such as URL filtering, malware detection, and data loss prevention.

Exam trap

Cisco often tests the distinction between API-based CASB (like Cloudlock) and inline proxy-based SIG (like Umbrella), where candidates mistakenly assume all cloud security solutions perform inline inspection, but Cloudlock only provides out-of-band API access for compliance and data protection, not real-time traffic inspection.

80 · Multi-Select · medium

An organization is implementing Cisco Secure Cloud Insights (formerly CloudCenter). Which three capabilities does this tool provide? (Choose three.)

A. Cloud security posture management
B. Workload migration planning
C. User behavior analytics
D. Network traffic analysis
E. Cloud cost optimization
Answers: A, B, E

Identifies misconfigurations and compliance violations.

Why this answer

Cisco Secure Cloud Insights (formerly CloudCenter) provides cloud security posture management (CSPM) by continuously monitoring cloud environments for misconfigurations, compliance violations, and security risks. It helps organizations enforce security policies across multi-cloud deployments, ensuring alignment with frameworks like CIS and NIST.

Exam trap

Cisco often tests the distinction between cloud security posture management (CSPM) and cloud workload protection platform (CWPP) capabilities, leading candidates to confuse CloudCenter's CSPM and cost optimization features with unrelated tools like user behavior analytics or network traffic analysis.

81 · MCQ · medium

A company has 500 users who work remotely and connect to cloud-based SaaS applications. The security team is concerned about malware downloads from these applications. They have deployed Cisco Umbrella with the SIG feature. However, after deployment, a test shows that downloading a file from Dropbox is not being inspected by the cloud security stack. The Umbrella dashboard indicates that the policy is active and the SIG feature is enabled. The network team confirms that the users are using the Umbrella roaming client and that the traffic is correctly forwarding to Umbrella. What is the most likely issue?

A. The SIG inspection only applies to HTTP traffic, not HTTPS
B. The Dropbox application uses non-standard ports
C. The users' devices are not configured with the Umbrella roaming client
D. The traffic is bypassed because of an explicit bypass rule for Dropbox
Answer: D

Umbrella SIG includes automatic bypass for high-traffic cloud apps to optimize performance.

Why this answer

Option D is correct because Cisco Umbrella's SIG (Secure Internet Gateway) feature can be configured with explicit bypass rules for specific applications or domains. Even when the SIG is enabled and traffic is forwarding correctly, an administrator may have inadvertently created a bypass rule for Dropbox, causing its traffic to skip cloud security inspection. This explains why the policy is active but downloads from Dropbox are not inspected.

Exam trap

Cisco often tests the concept that a feature being 'enabled' does not guarantee all traffic is inspected, as explicit bypass rules or policy misconfigurations can override the inspection, leading candidates to incorrectly assume the issue is with client configuration or protocol support.

How to eliminate wrong answers

Option A is wrong because Cisco Umbrella SIG supports HTTPS inspection via TLS/SSL decryption, so it can inspect HTTPS traffic, not just HTTP. Option B is wrong because Dropbox uses standard HTTPS ports (443) and Umbrella SIG inspects traffic based on domain and application, not just port numbers; non-standard ports would not cause a bypass unless explicitly configured. Option C is wrong because the question states the network team confirmed users are using the Umbrella roaming client and traffic is correctly forwarding to Umbrella, so the client is properly configured.

82 · MCQ · hard

You are a security engineer for a multinational corporation that uses a hybrid cloud environment with AWS and Azure. The company has deployed Cisco Cloudlock for SaaS security and Cisco Umbrella for DNS-layer security. Recently, the incident response team detected that an employee's credentials were compromised, and the attacker used them to access the company's Office 365 tenant. The attacker exfiltrated sensitive data by sending emails with attachments to external addresses. Cloudlock logs show that the data exfiltration occurred because the policy for 'Outbound Email with Attachments' was set to 'Allow' for all users. The attacker also used a personal Google Drive account to store stolen data, which was not detected by Cloudlock because Google Drive is not sanctioned. You need to recommend a course of action to prevent similar incidents. Which action should you take first?

A. Reset the compromised user's password and revoke all active sessions
B. Implement multi-factor authentication for all Office 365 users
C. Modify the Cloudlock policy to block outbound emails with attachments containing sensitive data for all users
D. Sanction Google Drive and create a Cloudlock policy to monitor it
Answer: C

Directly addresses the exfiltration method used.

Why this answer

Option C is correct because the incident occurred due to a misconfigured Cloudlock policy that allowed outbound emails with attachments. By modifying the policy to block outbound emails containing sensitive data, you directly address the exfiltration vector used by the attacker. This is the most immediate and effective control to prevent recurrence of the same attack method.

Exam trap

Cisco often tests the distinction between immediate remediation (blocking the exfiltration vector) versus long-term security improvements (MFA, password resets), and the trap here is that candidates may choose MFA or password reset because they focus on the credential compromise rather than the policy misconfiguration that allowed the data loss.

How to eliminate wrong answers

Option A is wrong because while resetting the compromised password and revoking sessions is a necessary remediation step, it does not prevent future incidents if the same policy misconfiguration remains. Option B is wrong because multi-factor authentication (MFA) would have helped prevent the initial compromise, but the question asks for the first action to prevent similar incidents, and the immediate vulnerability is the permissive Cloudlock policy that allowed the exfiltration. Option D is wrong because sanctioning Google Drive and creating a monitoring policy does not address the fact that the attacker already used an unsanctioned service; the primary exfiltration method was via Office 365 email, which was allowed by the existing policy.

83 · MCQ · medium

An organization is using Microsoft 365 and wants to prevent sensitive data from being shared externally via email and OneDrive. Which Cisco cloud security product should they deploy?

A. Cisco Cloudlock
B. Cisco Umbrella
C. Cisco Stealthwatch
D. Cisco Duo
Answer: A

Cloudlock offers DLP for cloud applications like M365.

Why this answer

Cisco Cloudlock is the correct choice because it is a cloud-native CASB (Cloud Access Security Broker) that integrates with Microsoft 365 to enforce data loss prevention (DLP) policies. It can inspect email attachments and OneDrive files for sensitive data patterns (e.g., credit card numbers, PII) and block external sharing based on policy. Cloudlock uses APIs to scan content at rest and in transit, providing granular control over data residency and sharing permissions.

Exam trap

Cisco often tests the distinction between CASB (Cloudlock) and other security products by listing multiple cloud-related tools, and the trap here is that candidates confuse Umbrella's broad web security capabilities with the specific DLP and data-sharing controls that only a CASB like Cloudlock provides.

How to eliminate wrong answers

Option B (Cisco Umbrella) is wrong because it is a DNS-layer security gateway focused on web filtering, threat intelligence, and blocking malicious domains—it does not provide content inspection or DLP for SaaS applications like Microsoft 365. Option C (Cisco Stealthwatch) is wrong because it is a network traffic analysis tool that uses NetFlow and behavioral analytics to detect anomalies and threats within the network, not for controlling data sharing in cloud applications. Option D (Cisco Duo) is wrong because it is a multi-factor authentication (MFA) and zero-trust access solution that verifies user identity but does not inspect or prevent data leakage in email or OneDrive.

84 · MCQ · hard

Refer to the exhibit. A network engineer configures a site-to-site VPN between a Cisco router and an Azure VPN gateway. After configuration, the tunnel is not coming up. Which issue is most likely causing the problem?

A. The access list is not permitting the correct source/destination traffic
B. The tunnel mode is not set to transport
C. Missing IKEv2 proposal match on the Azure side
D. The crypto map does not specify the local identity
Answer: C

Azure VPN gateway requires matching IKE proposals; mismatch prevents tunnel establishment.

Why this answer

The most likely issue is a mismatch in IKEv2 proposals between the Cisco router and the Azure VPN gateway. Azure requires specific IKEv2 encryption (e.g., AES256), integrity (e.g., SHA256), and DH group (e.g., DH Group 14) parameters. If the Cisco router's crypto ikev2 proposal does not exactly match the Azure-side settings, the IKEv2 SA negotiation fails, preventing the tunnel from coming up.

Exam trap

Cisco often tests the concept that IKEv2 proposal mismatches are a frequent cause of tunnel failures when connecting to cloud providers like Azure, AWS, or GCP, and candidates mistakenly blame ACLs or crypto map issues instead of verifying the transform sets.

How to eliminate wrong answers

Option A is wrong because the access list in a site-to-site VPN configuration is used to define interesting traffic (traffic to be encrypted), not to permit the tunnel itself; a misconfigured ACL would cause traffic to be sent in clear text or dropped, but would not prevent the IKE/IPsec tunnel from establishing. Option B is wrong because tunnel mode (transport vs. tunnel) is not relevant to IKEv2 proposal mismatches; for site-to-site VPNs, tunnel mode is the default and correct setting, and transport mode is used for host-to-host or L2L with special requirements. Option D is wrong because the crypto map does not need to specify a local identity; the local identity is derived from the IP address of the interface or the configured identity (e.g., FQDN) in the IKEv2 profile, and its absence would not cause a proposal mismatch.

85 · MCQ · hard

Refer to the exhibit. An administrator in us-west-2 tries to launch an instance. The policy allows only us-east-1. What should the administrator do to successfully launch the instance?

A. Launch the instance in us-east-1
B. Modify the resource ARN to include us-west-2
C. Change the policy to allow all regions
D. Remove the condition from the policy
Answer: A

Complies with the policy condition.

Why this answer

Option A is correct because the IAM policy explicitly restricts the ec2:RunInstances action to the us-east-1 region using a Condition block with ec2:Region set to 'us-east-1'. Since the administrator is attempting to launch the instance in us-west-2, the only way to comply with the policy is to launch in us-east-1. AWS IAM policies are evaluated based on the principal, action, resource, and condition; if any condition is not met, the request is denied by default.

Exam trap

Cisco often tests the misconception that modifying the resource ARN or removing the condition is the solution, when in fact the condition key is the binding constraint that must be satisfied by choosing the correct region.

How to eliminate wrong answers

Option B is wrong because modifying the resource ARN to include us-west-2 would not override the Condition block that explicitly restricts the region; the condition must also be satisfied. Option C is wrong because changing the policy to allow all regions would violate the principle of least privilege and is not necessary; the administrator should work within the existing policy constraints. Option D is wrong because removing the condition from the policy would require modifying the policy itself, which the administrator may not have permissions to do, and it would also weaken security by removing the regional restriction.

86 · MCQ · easy

An enterprise wants to prevent data exfiltration from its SaaS applications to unauthorized personal cloud storage. Which Cisco solution should be deployed?

A. Cisco Umbrella
B. Cisco Cloudlock
C. Cisco Duo
D. Cisco Firepower NGFW
Answer: B

Cloudlock as a CASB can prevent data exfiltration to unauthorized cloud storage.

Why this answer

Cisco Cloudlock is the correct solution because it is a cloud-native CASB (Cloud Access Security Broker) specifically designed to protect SaaS applications like Office 365 and Salesforce. It provides data loss prevention (DLP) policies that can detect and block the exfiltration of sensitive data to unauthorized personal cloud storage services by inspecting API traffic and user activities in real time.

Exam trap

Cisco often tests the distinction between network-layer security tools (Umbrella, Firepower) and cloud-native API-based CASB solutions (Cloudlock), leading candidates to mistakenly choose a DNS or firewall product for SaaS DLP scenarios.

How to eliminate wrong answers

Option A (Cisco Umbrella) is wrong because it is a DNS-layer security solution focused on blocking malicious domains and enforcing web usage policies, not on inspecting SaaS application data flows or preventing data exfiltration to personal cloud storage. Option C (Cisco Duo) is wrong because it is a multi-factor authentication (MFA) and zero-trust access solution that secures user authentication but does not provide DLP or content inspection for SaaS data. Option D (Cisco Firepower NGFW) is wrong because it is a network firewall that inspects traffic at the network and application layers but lacks the native API integration with SaaS applications required to enforce granular DLP policies on data stored or shared within those apps.

87 · MCQ · hard

An enterprise is migrating a critical application to AWS. The architecture includes an Application Load Balancer (ALB) in front of EC2 instances across multiple Availability Zones. The application must be protected against common web exploits such as SQL injection and cross-site scripting. The security team decides to use AWS WAF. They also need to ensure that only traffic from the company's corporate IP range (203.0.113.0/24) is allowed to reach the application, except for a partner integration that requires access from a specific IP (198.51.100.5). Additionally, all traffic must be inspected by a third-party NGFW for advanced threat detection. The NGFW is deployed in a separate VPC connected via VPC Peering. The current configuration: ALB is internet-facing, WAF is associated with the ALB, and the NGFW is not in the traffic path. After deployment, traffic from corporate users is not being inspected by the NGFW, and partner traffic is being blocked. What is the most efficient solution to meet all requirements?

A. Configure AWS WAF rate-based rules to block non-corporate IPs and enable managed rules for SQL injection.
B. Change the ALB scheme to internal, update DNS to point to the NGFW's public IP, and configure the NGFW to forward traffic to the ALB after inspection. Create WAF rules to block non-corporate traffic except partner IP.
C. Deploy an additional ALB as a reverse proxy in front of the NGFW, and configure the WAF on the front ALB.
D. Set up a site-to-site VPN between the corporate network and the VPC, and route partner traffic through the VPN.
Answer: B

This ensures all traffic is inspected by the NGFW and only allowed IPs reach the ALB.

Why this answer

Option B is correct because it restructures the traffic flow so that all traffic first hits the NGFW (via its public IP) for advanced threat inspection, then the NGFW forwards clean traffic to the internal ALB. By changing the ALB to internal, it no longer accepts direct internet traffic, ensuring the NGFW is in the path. WAF rules on the ALB then enforce the IP allowlist (corporate range plus partner IP) and protect against SQL injection and XSS, meeting all requirements efficiently.

Exam trap

Cisco often tests the misconception that WAF alone can enforce IP allowlisting and that the NGFW can be placed after the ALB without changing the ALB scheme, but in reality, an internet-facing ALB receives traffic directly from the internet, bypassing any inline NGFW unless the ALB is made internal and traffic is routed through the NGFW first.

How to eliminate wrong answers

Option A is wrong because rate-based rules limit request rates rather than enforcing IP allowlisting; they would not block non-corporate IPs except the partner IP, and they do not address the NGFW inspection requirement. Option C is wrong because deploying an additional ALB as a reverse proxy in front of the NGFW adds unnecessary complexity and cost; the NGFW itself can receive traffic directly, and the WAF should be on the ALB that serves the application, not on a front-end ALB that would still bypass NGFW inspection if not properly routed. Option D is wrong because a site-to-site VPN only secures traffic between the corporate network and the VPC; it does not solve the partner traffic access issue (the partner IP is external, not over the VPN) and does not place the NGFW in the traffic path for inspection.

88 · MCQ · medium

A large enterprise is migrating legacy applications to AWS. The security team requires that all data in transit between the applications and the on-premises data center be encrypted and inspected for threats. They have deployed a Cisco Firepower NGFW on-premises and are using Amazon VPC with a VPN connection. The team is concerned about east-west traffic within the VPC also being inspected. They consider deploying Cisco Secure Firewall in the cloud (cFMC). However, budget constraints limit the number of virtual firewalls. Which design best meets the requirements while optimizing cost?

A. Inspect all traffic at the on-premises Firepower by routing all cloud traffic through a VPN.
B. Deploy a Cisco Secure Firewall virtual instance in each VPC.
C. Use AWS Network Firewall for east-west inspection and keep Firepower on-premises for north-south.
D. Deploy a single Cisco Secure Firewall virtual instance in a transit VPC and route all inter-VPC traffic through it.
Answer: D

Correct: Central inspection reduces cost while covering east-west.

Why this answer

Option D is correct because deploying a single Cisco Secure Firewall virtual instance in a transit VPC allows centralized inspection of all inter-VPC (east-west) traffic while minimizing costs. By routing traffic through the transit VPC, you avoid the expense of deploying a firewall in every VPC, and the on-premises Firepower NGFW handles north-south traffic (VPN and internet-bound). This design meets the encryption and threat inspection requirements for both east-west and north-south traffic within the budget constraint.

Exam trap

Cisco often tests the concept that a single virtual firewall in a transit VPC can inspect east-west traffic cost-effectively, and the trap here is that candidates mistakenly think AWS Network Firewall (Option C) can replace Cisco Secure Firewall for unified threat inspection across hybrid environments, but it lacks the deep integration with on-premises Firepower and advanced threat detection features required by the scenario.

How to eliminate wrong answers

Option A is wrong because routing all cloud traffic through an on-premises VPN for inspection introduces significant latency, bandwidth bottlenecks, and single points of failure, and it does not efficiently inspect east-west traffic within the VPC (traffic between VPCs would hairpin through the VPN, violating AWS best practices). Option B is wrong because deploying a Cisco Secure Firewall virtual instance in each VPC would exceed the budget constraint and is overkill for east-west inspection; it also creates management complexity without centralizing policy. Option C is wrong because AWS Network Firewall is a managed service that can inspect east-west traffic, but it does not integrate with the on-premises Cisco Firepower NGFW for unified threat intelligence or policy management, and it cannot inspect traffic that is already encrypted end-to-end between applications (it lacks the same deep packet inspection capabilities as Cisco Secure Firewall).

89 · MCQ · hard

A cloud security team is investigating a possible data exfiltration incident involving an AWS S3 bucket configured with cross-region replication. Which Cisco Cloudlock feature can detect unusual replication patterns that may indicate data theft?

A. Umbrella threat intelligence
B. Stealthwatch Cloud flow logs
C. Firepower IPS signatures
D. Cloudlock User and Entity Behavior Analytics (UEBA)
Answer: D

UEBA detects behavioral anomalies in cloud services.

Why this answer

Cloudlock UEBA is the correct answer because it establishes behavioral baselines for user and entity activities, such as S3 bucket replication patterns. When cross-region replication deviates from the learned baseline—e.g., unusual volume, frequency, or destination—UEBA generates an anomaly alert, directly detecting potential data exfiltration. This is a core capability of Cisco Cloudlock's cloud access security broker (CASB) functionality.

Exam trap

The trap here is that candidates often confuse UEBA with network-based detection tools (like IPS or flow logs) or general threat intelligence feeds, failing to recognize that UEBA specifically addresses anomalous user and entity behavior in cloud environments like AWS S3.

How to eliminate wrong answers

Option A is wrong because Umbrella threat intelligence provides DNS-layer security and web proxy filtering, not behavioral analysis of cloud storage replication patterns. Option B is wrong because Stealthwatch Cloud flow logs analyze network traffic flows and IP behaviors, not S3 bucket replication events within AWS. Option C is wrong because Firepower IPS signatures detect known network-based attack patterns via deep packet inspection, not anomalous user or entity behavior in cloud APIs.

90 · MCQ · easy

A company has deployed Cisco Umbrella with a virtual appliance (VA) for content filtering. Users report that some websites are not loading properly, and the helpdesk suspects that the VA is blocking legitimate traffic. The network administrator checks the VA dashboard and sees that the VA is passing traffic normally. However, the administrator notices that the VA's upstream DNS server is set to a public resolver (208.67.222.222) instead of the company's internal DNS servers. This causes internal hostnames to resolve incorrectly. The company uses Active Directory with domain-joined computers. What should the administrator do to resolve the issue?

A. Add a conditional forwarder in the internal DNS for all .local domains.
B. Configure the clients to use Umbrella's DNS directly instead of the VA.
C. Disable Umbrella content filtering for internal domain names.
D. Change the upstream DNS server in the VA configuration to point to the internal DNS servers.
Answer: D

Correct: This enables proper resolution of internal names.

Why this answer

The virtual appliance (VA) acts as a forwarding proxy; it receives DNS queries from clients, forwards them to its configured upstream DNS server, and applies content filtering policies. When the upstream DNS is set to a public resolver like 208.67.222.222 (OpenDNS), the VA cannot resolve internal Active Directory domain names (e.g., .local or internal FQDNs) because the public resolver has no knowledge of the private DNS zone. Changing the upstream DNS server to the company's internal DNS servers allows the VA to resolve both internal and external names correctly, while still applying Umbrella's content filtering policies to external traffic.

Exam trap

Cisco often tests the misconception that content filtering policies are the root cause of resolution failures, when in fact the underlying DNS forwarding chain is misconfigured, leading candidates to incorrectly focus on filtering rules or client-side changes rather than the upstream DNS server setting.

How to eliminate wrong answers

Option A is wrong because adding a conditional forwarder in the internal DNS for .local domains does not affect the VA's upstream DNS configuration; the VA itself must be pointed to the internal DNS servers to resolve internal hostnames. Option B is wrong because configuring clients to use Umbrella's DNS directly bypasses the VA entirely, removing the content filtering enforcement that the company has deployed. Option C is wrong because disabling Umbrella content filtering for internal domain names is not a configuration option in the VA; the issue is DNS resolution, not filtering policy, and the VA must be able to resolve internal names before any filtering can be applied.

91 · MCQ · easy

An S3 bucket policy is shown. What does the condition "aws:SecureTransport": "true" enforce?

A. Only requests from specific IP ranges are allowed
B. Only requests using server-side encryption with KMS are allowed
C. All requests must be authenticated using AWS IAM and MFA
D. All requests to the bucket must use HTTPS
Answer: D

SecureTransport ensures the connection is encrypted via SSL/TLS.

Why this answer

The condition `"aws:SecureTransport": "true"` in an S3 bucket policy enforces that all requests to the bucket must be made over HTTPS (TLS). This ensures that data in transit is encrypted, preventing man-in-the-middle attacks or eavesdropping. The condition evaluates the `aws:SecureTransport` key, which is `true` only when the request uses SSL/TLS.

Exam trap

Cisco often tests the distinction between encryption in transit (HTTPS) and encryption at rest (SSE), so candidates mistakenly associate `aws:SecureTransport` with server-side encryption or KMS rather than the transport layer security.

How to eliminate wrong answers

Option A is wrong because restricting requests to specific IP ranges is enforced using the `aws:SourceIp` condition key, not `aws:SecureTransport`. Option B is wrong because server-side encryption with KMS is enforced using the `s3:x-amz-server-side-encryption-aws-kms-key-id` condition key, not `aws:SecureTransport`. Option C is wrong because requiring IAM authentication and MFA is enforced using the `aws:MultiFactorAuthPresent` condition key, not `aws:SecureTransport`.

92 · MCQ · medium

A company uses Cisco Stealthwatch Cloud for network visibility in AWS. They notice a spike in encrypted traffic from an EC2 instance to an unknown external IP. Which Stealthwatch Cloud feature can analyze this traffic for threats without decrypting it?

A. NetFlow generation
B. Encrypted Traffic Analytics (ETA)
C. Deep Packet Inspection (DPI)
D. SSL Decryption
Answer: B

ETA uses ML to analyze encrypted traffic patterns for threats.

Why this answer

Encrypted Traffic Analytics (ETA) is the correct feature because it uses machine learning and behavioral analysis to inspect metadata (e.g., flow records, packet lengths, timing) of encrypted traffic without decrypting it. This allows Stealthwatch Cloud to detect anomalies like command-and-control communication or data exfiltration even when the payload is encrypted.

Exam trap

The trap here is that candidates confuse 'Encrypted Traffic Analytics' with 'SSL Decryption' or 'DPI', assuming that threat analysis of encrypted traffic always requires decryption, when ETA works from flow metadata and machine learning and removes the need to decrypt at all.

How to eliminate wrong answers

Option A is wrong because NetFlow generation provides basic flow metadata (IPs, ports, protocols) but lacks the advanced behavioral analysis needed to detect threats in encrypted traffic without decryption. Option C is wrong because Deep Packet Inspection (DPI) requires access to unencrypted payloads, which is not possible with encrypted traffic and would require decryption. Option D is wrong because SSL Decryption explicitly decrypts the traffic, which violates the requirement to analyze without decrypting and introduces privacy and compliance concerns.
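To make the metadata-only idea concrete, the script below flags periodic ("beaconing") TLS conversations purely from flow timing and size statistics, the kind of signal the question attributes to ETA. It is an added toy example, not Cisco's ETA or Stealthwatch Cloud code, and the VPC-flow-style records (`epoch_seconds, src_ip, dst_ip, dst_port, bytes`) are constructed: one host calls back to the same destination roughly every 60 seconds with nearly constant size, one host browses normally, and one short-lived conversation has too few flows to judge.

```python
"""Toy beacon detector working only on flow metadata (timing and size), never on payload.

Added example, not Cisco ETA/Stealthwatch code. Flow records below are constructed.
A conversation is flagged when it has enough flows, its inter-arrival times are
nearly constant (low coefficient of variation) and its sizes barely vary.
"""
from collections import defaultdict
from statistics import mean, pstdev

T0 = 1_700_000_000

# Constructed records: (epoch_seconds, src_ip, dst_ip, dst_port, bytes).
FLOWS = []
# Beacon: period 60 s with +/-1 s jitter, sizes within 1180..1220 bytes.
for i in range(24):
    FLOWS.append((T0 + 60 * i + ((i * 5) % 3 - 1), "10.0.1.5", "198.51.100.23", 443,
                  1180 + (i * 7) % 41))
# Normal browsing: bursty timing, wide size range.
_browse_offsets = [3, 5, 6, 40, 41, 120, 121, 122, 123, 500, 502, 900, 901, 902, 1300, 1301]
_browse_sizes = [900, 45_000, 1_300, 78_000, 2_200, 610, 91_000, 4_400,
                 15_000, 700, 33_000, 1_100, 58_000, 2_900, 820, 27_000]
for off, size in zip(_browse_offsets, _browse_sizes):
    FLOWS.append((T0 + off, "10.0.1.8", "203.0.113.10", 443, size))
# Too few flows to call either way.
for off in (10, 70, 130):
    FLOWS.append((T0 + off, "10.0.1.9", "203.0.113.44", 443, 1500))


def _cv(values):
    """Coefficient of variation; inf when the mean is zero so a degenerate series never looks periodic."""
    m = mean(values)
    return float("inf") if m == 0 else pstdev(values) / m


def flow_stats(flows):
    """Per (src, dst, port) conversation: flow count, timing CV of inter-arrival gaps, size CV."""
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        groups[(src, dst, port)].append((ts, nbytes))
    stats = {}
    for key, recs in groups.items():
        recs.sort()
        times = [r[0] for r in recs]
        sizes = [r[1] for r in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        stats[key] = {
            "count": len(recs),
            "timing_cv": _cv(gaps) if len(gaps) >= 2 else float("inf"),
            "size_cv": _cv(sizes),
        }
    return stats


def find_beacons(flows, min_count=8, max_timing_cv=0.2, max_size_cv=0.3):
    """Conversations whose timing and sizes are regular enough to look like a beacon."""
    return sorted(
        key for key, s in flow_stats(flows).items()
        if s["count"] >= min_count and s["timing_cv"] <= max_timing_cv and s["size_cv"] <= max_size_cv
    )


if __name__ == "__main__":
    for key, s in sorted(flow_stats(FLOWS).items()):
        print(f"{key}: n={s['count']} timing_cv={s['timing_cv']:.3f} size_cv={s['size_cv']:.3f}")
    print("beacons:", find_beacons(FLOWS))
```

The thresholds are illustrative; a production detector would baseline each host's normal timing and add the handshake fields (SNI, cipher suite, certificate) that ETA's initial-data-packet telemetry supplies, but the point stands: nothing here needs the plaintext.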

93
Multi-Selecthard

An organization is adopting a cloud-first strategy and wants to ensure least-privilege access for cloud resources. Which THREE measures should be implemented as part of a cloud IAM strategy? (Select three.)

Select 3 answers
A.Use managed identities for access
B.Regularly review and remove unused roles
C.Store secrets in source code repositories for ease of deployment
D.Enable single sign-on with multi-factor authentication
E.Implement role-based access control with scoping
AnswersA, B, E

Avoids long-term credentials and provides temporary permissions.

Why this answer

Managed identities (such as Azure Managed Identities or AWS IAM roles for EC2) eliminate the need to store credentials in code or configuration files. The cloud provider rotates the credentials automatically and binds the identity to the compute resource, so only the permissions that resource needs have to be granted. Regularly reviewing and removing unused roles (B) shrinks the pool of standing permissions an attacker could assume, and role-based access control with scoping (E) limits each role to the actions and resources its job requires. Storing secrets in source code repositories (C) is the opposite of least privilege: every identity with read access to the repository inherits the credential, and it is unchanged until someone rotates it by hand.

Exam trap

Cisco often tests the distinction between authentication mechanisms (like SSO/MFA) and authorization mechanisms (like RBAC with scoping), leading candidates to incorrectly select SSO/MFA as a least-privilege measure when it only addresses identity verification, not permission restriction.

94
MCQmedium

You are tasked with securing a new cloud deployment on AWS. The environment consists of a web application running on EC2 instances behind an Application Load Balancer (ALB), with data stored in an RDS database. The security requirements include: (1) protect against web application attacks (SQL injection, XSS), (2) ensure only authorized users can access the application, (3) monitor for anomalous behavior. You have decided to use AWS WAF for web application protection, AWS Cognito for user authentication, and Amazon GuardDuty for threat detection. However, the CISO also wants to integrate with Cisco's security portfolio for centralized management and visibility. Which Cisco product would best integrate with these AWS services to provide centralized security management?

A.Cisco Firepower NGFW
B.Cisco Secure Cloud Analytics (Stealthwatch)
C.Cisco Cloudlock
D.Cisco Tetration
AnswerB

Provides centralized visibility and integrates with AWS services.

Why this answer

Cisco Secure Cloud Analytics (Stealthwatch) is the correct choice because it provides centralized visibility and threat detection across hybrid cloud environments, including AWS. It integrates with AWS CloudWatch and VPC Flow Logs to ingest network telemetry, and it can correlate alerts from AWS GuardDuty, WAF, and Cognito into a single pane of glass for security operations. This aligns with the CISO's requirement for centralized management and visibility using Cisco's security portfolio.

Exam trap

Cisco often tests the distinction between products that provide centralized visibility (Stealthwatch) versus those that enforce inline security (Firepower NGFW) or focus on SaaS security (Cloudlock) or micro-segmentation (Tetration), leading candidates to confuse 'integration with AWS services' with 'deployment in AWS'.

How to eliminate wrong answers

Option A is wrong because Cisco Firepower NGFW is a network firewall appliance designed for on-premises or virtual deployments (e.g., AWS Marketplace), but it does not natively aggregate logs or alerts from AWS-native services like WAF, Cognito, or GuardDuty into a centralized management console; it focuses on inline traffic inspection and policy enforcement, not multi-service log correlation. Option C is wrong because Cisco Cloudlock is a cloud access security broker (CASB) focused on SaaS application security (e.g., Office 365, Salesforce) and data loss prevention, not on integrating with AWS infrastructure services like EC2, ALB, or RDS for centralized threat monitoring. Option D is wrong because Cisco Tetration is a workload security and micro-segmentation platform that uses agents and flow data to enforce zero-trust policies, but it does not provide centralized management of AWS-native security services; it is more about application dependency mapping and segmentation, not log aggregation from WAF, Cognito, or GuardDuty.

95
MCQhard

A company uses AWS Organizations with multiple accounts. They need to enforce that all S3 buckets have encryption enabled. Which AWS service can centrally audit and automatically remediate non-compliant buckets?

A.Amazon GuardDuty
B.AWS CloudTrail
C.AWS Config conformance packs
D.AWS Security Hub
AnswerC

Config can evaluate rules and trigger remediation actions.

Why this answer

AWS Config conformance packs let you deploy a collection of AWS Config rules and their remediation actions as a single unit. A conformance pack that includes the `s3-bucket-server-side-encryption-enabled` managed rule continuously audits S3 buckets for default encryption and can trigger an AWS Systems Manager Automation runbook to enable encryption on non-compliant buckets. Deployed as an organization conformance pack from the management account (or a delegated administrator), the same pack covers every member account. Note that since January 2023 S3 applies SSE-S3 default encryption to every bucket, so this rule mostly catches legacy misconfiguration; if the requirement is customer-managed keys, the `s3-default-encryption-kms` managed rule is the one to deploy.

Exam trap

Cisco often tests the distinction between services that detect threats (GuardDuty), log API calls (CloudTrail), aggregate findings (Security Hub), and those that enforce configuration compliance (Config conformance packs), so the trap here is confusing Security Hub's aggregation role with Config's direct auditing and remediation capability.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior, not a compliance auditing or remediation service for S3 bucket encryption. Option B is wrong because AWS CloudTrail records API activity for auditing and governance, but it does not evaluate resource configurations or enforce compliance policies. Option D is wrong because AWS Security Hub aggregates security findings from multiple services (like GuardDuty, Inspector, and Config) and provides a centralized view, but it does not itself perform configuration auditing or automated remediation of non-compliant resources.
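Managed rules cover the common case, but the same Config mechanism accepts custom rules backed by a Lambda function, which is the simplest way to see what "audit and report compliance" means at the API level. The code below is an added example, not AWS code: `evaluate_bucket` inspects one S3 bucket configuration item and returns a Config compliance type, and `lambda_handler` reports it through the real `config.put_evaluations` call. The shape of the configuration item (`supplementaryConfiguration.ServerSideEncryptionConfiguration.rules[].applyServerSideEncryptionByDefault.sseAlgorithm`) and the rule parameter name `requireKms` are assumptions for the example; the two sample items are constructed.

```python
"""AWS Config custom rule: is default encryption configured on an S3 bucket?

Added example, not AWS code. The configuration-item layout and the `requireKms`
rule parameter are assumptions made for this example; the sample items are constructed.
"""
import json

DELETED_STATES = ("ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded")


def evaluate_bucket(ci: dict, require_kms: bool = False) -> tuple:
    """Return (ComplianceType, annotation) for one S3 bucket configuration item."""
    if ci.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "not an S3 bucket"
    if ci.get("configurationItemStatus") in DELETED_STATES:
        return "NOT_APPLICABLE", "bucket no longer exists"
    sse = (ci.get("supplementaryConfiguration") or {}).get("ServerSideEncryptionConfiguration") or {}
    algos = []
    for rule in sse.get("rules") or []:
        algo = (rule.get("applyServerSideEncryptionByDefault") or {}).get("sseAlgorithm")
        if algo:
            algos.append(algo)
    if not algos:
        return "NON_COMPLIANT", "no default encryption rule configured"
    if require_kms and "aws:kms" not in algos:
        return "NON_COMPLIANT", f"default encryption is {','.join(algos)}, not aws:kms"
    return "COMPLIANT", f"default encryption: {','.join(algos)}"


def lambda_handler(event, context):
    """Config custom-rule entry point: evaluate the invoking item and report the result."""
    import boto3  # imported here so evaluate_bucket stays testable without AWS credentials
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    ci = invoking["configurationItem"]
    compliance, note = evaluate_bucket(ci, require_kms=str(params.get("requireKms", "false")).lower() == "true")
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": ci["resourceType"],
            "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note[:256],  # Config caps annotations at 256 characters
            "OrderingTimestamp": ci["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


# Constructed configuration items.
SAMPLE_SSE_S3 = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "logs-archive",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": {
        "rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}]}},
}
SAMPLE_NO_SSE = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "legacy-uploads",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "supplementaryConfiguration": {},
}

if __name__ == "__main__":
    for ci in (SAMPLE_SSE_S3, SAMPLE_NO_SSE):
        print(ci["resourceId"], evaluate_bucket(ci), evaluate_bucket(ci, require_kms=True))
```

In a conformance pack the same evaluation would be expressed declaratively as the managed rule plus an `AWS::Config::RemediationConfiguration` pointing at an SSM Automation runbook; the custom rule is useful when the policy has a twist the managed rules do not cover, such as requiring a specific KMS key per account.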
