350-701 · topic practice

Cloud Security practice questions

Use this page to practise Cloud Security questions for this certification. Focus on how the exam tests cloud security in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Cloud Security

What the exam tests

What to know about Cloud Security

Cloud Security questions on this certification test your ability to deploy and manage cloud security concepts in scenario-based situations.

Core Cloud Security concepts and how they apply in real-world cloud scenarios.

How to deploy cloud security correctly and verify the outcome.

Troubleshooting cloud security issues by interpreting error output and system state.

Cloud best practices and Cloud Security design trade-offs tested by this certification.

Watch out for

Common Cloud Security exam traps

  • Selecting the most expensive service when a simpler managed option meets the requirement.
  • Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • Choosing a global service fix when the issue is region-specific.
  • Overlooking cost implications of cross-region data transfer in architecture questions.

Practice set

Cloud Security questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A company is migrating a web application to AWS and wants to protect against DDoS attacks at the application layer. Which Cisco security solution should they deploy?

Question 2 · hard · multiple choice

An organization uses AWS with a VPC and wants to inspect all traffic between instances in the same subnet using Cisco Firepower. What must be implemented?

A company is implementing cloud security posture management (CSPM). Which Cisco product provides CSPM capabilities?

Question 4 · medium · multiple choice

A security architect is designing a hybrid cloud with AWS and on-premises data center. They need to enforce consistent security policies across both environments. Which approach is most effective?

After deploying a Cisco Cloudlock policy, a user reports that a sanctioned application (Salesforce) is being blocked for file downloads. What is the most likely cause?

An enterprise wants to prevent data exfiltration from its SaaS applications to unauthorized personal cloud storage. Which Cisco solution should be deployed?

Question 7 · medium · multiple choice

A DevOps team is deploying containers in Kubernetes and needs to enforce network security policies between pods. Which Cisco solution is designed for this?

During a cloud migration, an organization notices increased latency in AWS workloads when using Cisco Firepower for traffic inspection. What is the most likely cause?

Which TWO of the following are benefits of using Cisco Cloudlock for cloud security? (Choose two.)

Which THREE of the following are common challenges when securing multi-cloud environments? (Choose three.)

Which TWO of the following are features of Cisco Umbrella? (Choose two.)

Question 12 · medium · multiple choice

Refer to the exhibit. A user is unable to access Dropbox, which is a high-risk application. The administrator wants to allow Dropbox but still block other high-risk apps. What is the most efficient way to achieve this?

Exhibit

Cisco Cloudlock Policy:
Policy Name: Block High-Risk Apps
Application: Any
Action: Block
Risk Level: High
User: All Users

Cloudlock Activity Log:
User: [email protected]
Application: Dropbox
Action: Blocked
Reason: Risk Level (High)

Question 13 · hard · multiple choice

Refer to the exhibit. A security analyst notices this CloudTrail log entry. Which security best practice is being violated?

Exhibit

AWS CloudTrail Log:
{
  "eventVersion": "1.08",
  "userIdentity": {
    "arn": "arn:aws:iam::123456789012:user/Admin",
    "accountId": "123456789012"
  },
  "eventTime": "2025-03-28T14:35:00Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress",
  "requestParameters": {
    "groupId": "sg-0abcd1234",
    "ipPermissions": {
      "ipProtocol": "tcp",
      "fromPort": 3389,
      "toPort": 3389,
      "ipRanges": [{"cidrIp": "0.0.0.0/0"}]
    }
  }
}

Question 14 · hard · multiple choice

You are a security engineer for a multinational corporation that uses a hybrid cloud environment with AWS and Azure. The company has deployed Cisco Cloudlock for SaaS security and Cisco Umbrella for DNS-layer security. Recently, the incident response team detected that an employee's credentials were compromised, and the attacker used them to access the company's Office 365 tenant. The attacker exfiltrated sensitive data by sending emails with attachments to external addresses. Cloudlock logs show that the data exfiltration occurred because the policy for 'Outbound Email with Attachments' was set to 'Allow' for all users. The attacker also used a personal Google Drive account to store stolen data, which was not detected by Cloudlock because Google Drive is not sanctioned. You need to recommend a course of action to prevent similar incidents. Which action should you take first?

Question 15 · medium · multiple choice

You are tasked with securing a new cloud deployment on AWS. The environment consists of a web application running on EC2 instances behind an Application Load Balancer (ALB), with data stored in an RDS database. The security requirements include: (1) protect against web application attacks (SQL injection, XSS), (2) ensure only authorized users can access the application, (3) monitor for anomalous behavior. You have decided to use AWS WAF for web application protection, AWS Cognito for user authentication, and Amazon GuardDuty for threat detection. However, the CISO also wants to integrate with Cisco's security portfolio for centralized management and visibility. Which Cisco product would best integrate with these AWS services to provide centralized security management?

Question 16 · medium · multiple choice

A company is deploying a cloud-native application using microservices on AWS. They need to ensure that inter-service communication is encrypted and authenticated. The security team wants to use mutual TLS (mTLS) without managing individual certificates. Which solution should they implement?

Question 17 · hard · multiple choice

A multinational corporation is migrating its on-premises data center to a public cloud provider. The security policy requires that all traffic between cloud VPCs and the on-premises network must be inspected by a next-generation firewall (NGFW) deployed in the cloud. The on-premises network uses BGP for dynamic routing. Which design meets the requirement while minimizing latency and administrative overhead?

Question 18 · easy · multiple choice

A security engineer is configuring a cloud access security broker (CASB) to protect a SaaS application used by employees. The primary concern is to prevent sensitive data from being uploaded to the application. Which deployment mode should the engineer choose?

Question 19 · medium · multiple choice

An organization uses Cisco Umbrella for DNS-layer security. They want to block access to a newly discovered malicious domain (malware.example.com) immediately. Which action should the administrator take in the Umbrella dashboard?

A company is implementing a cloud security posture management (CSPM) solution. Which TWO of the following are primary functions of CSPM?

Frequently asked questions

What does the 350-701 exam test about Cloud Security?
Cloud Security questions on this certification test your ability to deploy and manage cloud security concepts in scenario-based situations.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Cloud Security questions in a focused session?
Yes — the session launcher on this page draws every question from the Cloud Security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other 350-701 topics?
Use the topic links above to move to related areas, or go back to the 350-701 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 350-701 exam covers. They are not copied from any real exam or dump site.