Cisco SCOR (350-701) Cloud Security Questions

75 of 85 questions · Page 1/2 · SCOR Cloud Security topic

1
Multi-Select · medium

An organization is adopting a zero trust model for cloud access. Which three principles should be implemented? (Select three.)

Select 3 answers
A.Deploy a VPN for all remote users
B.Grant permanent privileged access to administrators
C.Use conditional access policies based on user, device, and location
D.Implement MFA for all cloud access
E.Treat identity as the new perimeter
Answers: C, D, E

Conditional access enforces context-based policies.

Why this answer

Zero trust includes identity as the perimeter, MFA, and conditional access based on context.

2
MCQ · medium

An organization wants to enforce conditional access policies for users accessing cloud applications. Which Azure AD feature should they use?

B.Privileged Identity Management (PIM)
C.Azure AD Conditional Access
D.Azure AD Identity Protection
Answer: C

Conditional Access enforces policies based on conditions.

Why this answer

Azure AD Conditional Access evaluates signals like user, device, location, and risk to enforce access policies.

3
MCQ · medium

A DevOps team is integrating security into their CI/CD pipeline. They want to automatically scan Terraform scripts for misconfigurations before deployment. Which tool is specifically designed for this purpose?

A.SAST (Static Application Security Testing)
B.Container image scanner
C.DAST (Dynamic Application Security Testing)
D.Checkov
Answer: D

Checkov scans Terraform and other IaC for security misconfigurations.

Why this answer

Checkov is an open-source static analysis tool for Infrastructure as Code (IaC) files, Terraform included. SAST analyzes application source and DAST tests a running application; neither understands IaC resources. Container image scanners such as Trivy focus on the packages inside an image (Trivy can also scan IaC, but it is not the tool built specifically for that purpose).

4
MCQ · hard

A cloud security architect is designing zero trust for a multi-cloud environment. Which principle is most critical?

A.Use of VPNs for all remote access
B.Encryption of all data in transit
C.Network segmentation using firewalls
D.Identity as the new perimeter
Answer: D

Correct. Zero trust uses identity and context for access decisions.

Why this answer

Zero trust assumes no implicit trust; identity becomes the primary perimeter for access control.

5
Multi-Select · hard

A security engineer is designing cloud workload protection (CWPP) for a hybrid environment with VMs and containers. Which TWO capabilities should a CWPP solution provide? (Choose two.)

Select 2 answers
A.Cloud security posture management (CSPM) for configuration
B.Intrusion prevention system (IPS) for workloads
C.DNS-layer security for user devices
D.Data loss prevention (DLP) for SaaS applications
E.Vulnerability scanning for OS and applications
Answers: B, E

IPS is a common CWPP feature.

Why this answer

CWPP solutions protect the workload itself: vulnerability scanning of the OS and applications, intrusion prevention, file integrity monitoring, and container or runtime protection. Configuration posture (A) is the job of CSPM, DNS-layer security for user devices (C) is an Umbrella-style control, and DLP for SaaS (D) is a CASB function.

6
MCQ · hard

An organization is implementing a zero trust strategy for cloud access. They require that all access to cloud resources be authenticated and authorized based on user identity and device health, with session risk assessment. Which Azure AD feature should they primarily use?

A.Azure AD Identity Protection
B.Privileged Identity Management (PIM)
D.Conditional Access
Answer: D

Conditional Access enforces policies based on user, device, location, and risk signals, essential for zero trust.

Why this answer

Conditional Access policies in Azure AD evaluate signals (user, device, location, risk) to enforce access controls, aligning with zero trust principles.

7
MCQ · medium

A company is deploying workloads in AWS and wants to ensure that the security groups are not overly permissive. They need to continuously monitor for misconfigurations and compare against the CIS AWS Foundations Benchmark. Which tool should be used?

A.AWS CloudTrail
B.AWS WAF
C.CASB
D.CSPM
Answer: D

CSPM is designed for posture management and compliance with benchmarks.

Why this answer

CSPM (Cloud Security Posture Management) tools continuously monitor cloud configurations and compare against benchmarks like CIS to detect misconfigurations.

8
MCQ · easy

In the shared responsibility model for PaaS, which of the following is typically the customer's responsibility?

A.Securing the hypervisor
B.Patching the underlying operating system
C.Managing network firewall rules
D.Securing the application code and data
Answer: D

The customer develops and manages the application and its data.

Why this answer

In PaaS, the provider manages the runtime, middleware, OS, and underlying infrastructure; the customer is responsible for the application code it deploys and the data it stores. The hypervisor and the network fabric are provider responsibilities, although the customer may still configure whatever access restrictions the platform exposes.

9
Multi-Select · medium

A security administrator is evaluating Cisco Umbrella for cloud-delivered security. Which TWO capabilities are provided by the Secure Internet Gateway (SIG) feature? (Choose two.)

Select 2 answers
A.Cloud-delivered firewall
B.Data loss prevention for SaaS
C.DNS-layer security
D.Site-to-site VPN connectivity
E.Web proxy with URL filtering
Answers: A, E

SIG includes a firewall to control traffic.

Why this answer

Cisco Umbrella SIG is defined by its cloud-delivered firewall and its secure web gateway (a full web proxy with URL filtering). DNS-layer security is Umbrella's base capability and is bundled into the SIG packages, but it is not what distinguishes SIG, so it is not the expected answer here. Site-to-site VPN connectivity is not an Umbrella capability (network devices reach SIG over IPsec tunnels, which is a different thing), and DLP for SaaS is a CASB function.

10
MCQ · medium

A security team wants to gain visibility into shadow IT usage of cloud applications and enforce data loss prevention policies. Which cloud security control should they deploy?

A.Cloud WAF
B.CWPP
C.CSPM
D.CASB
Answer: D

CASB provides visibility, DLP, and threat detection for cloud apps.

Why this answer

CASB provides visibility, DLP, and threat detection for sanctioned and unsanctioned cloud apps.

11
Multi-Select · medium

A DevSecOps team is integrating security into their CI/CD pipeline. They want to scan infrastructure-as-code templates for misconfigurations and container images for vulnerabilities. Which two tools are appropriate? (Select two.)

Select 2 answers
A.SAST
B.Trivy
C.HashiCorp Vault
D.Checkov
E.DAST
Answers: B, D

Trivy scans container images for vulnerabilities.

Why this answer

IaC scanning can use Checkov or similar, and container scanning tools like Trivy or Clair are common.

12
MCQ · hard

A DevSecOps team is integrating security into their CI/CD pipeline. They want to scan Terraform configuration files for misconfigurations before deployment. Which tool is specifically designed for that purpose?

A.Checkov
B.DAST scanner
C.SAST scanner
D.Container image scanner
Answer: A

Correct. Checkov performs static analysis on Terraform files.

Why this answer

Checkov is an open-source static analysis tool for IaC (Terraform, CloudFormation) to detect security misconfigurations.

13
MCQ · hard

A company uses Azure NSGs to control traffic between subnets. They need to allow traffic from the frontend subnet to the backend subnet only on TCP 443. Which configuration correctly achieves this?

A.Outbound rule on frontend NSG allowing TCP 443 to backend subnet
B.Inbound rule on backend NSG allowing TCP 443 from frontend subnet
C.Outbound rule on frontend NSG allowing TCP 443 to backend subnet; inbound rule on backend NSG allowing TCP 443 from frontend subnet
D.Inbound rule on frontend NSG allowing TCP 443 from backend subnet
Answer: B

The stateful NSG automatically allows return traffic.

Why this answer

NSGs are stateful: an inbound rule on the backend NSG allowing TCP 443 from the frontend subnet is sufficient, and no outbound rule on the frontend is needed because the return traffic of an allowed flow is permitted automatically. One caveat for "only on TCP 443": the default rule AllowVnetInBound (priority 65000) permits all traffic from the VirtualNetwork tag, so the backend NSG also needs a deny rule with a lower priority number than that default (for example, deny all from the frontend subnet at priority 200, below the 443 allow at priority 100) or the other ports stay reachable.

14
MCQ · medium

A company is moving workloads to Google Cloud and needs private connectivity between its on-premises data center and VPC without traversing the internet. Which service should be used?

A.Azure ExpressRoute
B.AWS Direct Connect
C.Google Cloud Dedicated Interconnect
D.Cloud VPN
Answer: C

This provides private connectivity to GCP.

Why this answer

Google Cloud Dedicated Interconnect provides direct private physical connections between on-premises and GCP VPCs.

15
Multi-Select · hard

A company uses AWS and Azure and wants to protect its cloud workloads (VMs and containers) from threats. Which TWO technologies are specifically designed for workload protection in the cloud?

Select 2 answers
A.CWPP (Cloud Workload Protection Platform)
B.CASB
C.Cloud WAF
D.Container image scanning
E.CSPM
Answers: A, D

CWPP provides workload security for VMs and containers.

Why this answer

CWPP (Cloud Workload Protection Platform) is specifically for workload security, and container image scanning is a key component of CWPP for containers.

16
Multi-Select · easy

A cloud engineer is deploying a web application on AWS and needs to control inbound and outbound traffic at both the instance and subnet levels. Which two AWS security controls should they configure? (Select two.)

Select 2 answers
A.AWS PrivateLink
B.Security Groups
C.AWS WAF
D.AWS Shield
E.Network ACLs (NACLs)
Answers: B, E

Security groups are stateful instance-level firewalls.

Why this answer

Security groups act as instance-level firewalls, and NACLs provide stateless subnet-level filtering.

17
Multi-Select · hard

A security team is implementing CSPM to ensure cloud compliance. Which three checks would a CSPM tool typically perform? (Choose three.)

Select 3 answers
A.Verifying that EBS volumes are encrypted
B.Checking S3 buckets for public read access
C.Monitoring user behavior analytics
D.Scanning container images for vulnerabilities
E.Ensuring IAM roles follow least privilege
Answers: A, B, E

CSPM checks encryption settings.

Why this answer

CSPM checks cloud configurations against benchmarks like CIS, including public access to storage, encryption settings, and IAM policies.

18
MCQ · medium

In AWS, which resource acts as a stateful firewall at the instance level to control inbound and outbound traffic?

A.Network ACL
B.Internet Gateway
C.VPC Flow Logs
D.Security Group
Answer: D

Security groups are stateful instance-level firewalls.

Why this answer

Security groups in AWS are stateful firewalls that operate at the instance level, while NACLs are stateless at the subnet level.

19
MCQ · medium

An organization uses Cisco Umbrella's Secure Internet Gateway (SIG). Which option lists two capabilities that are typically included in a SIG solution?

A.Intrusion prevention system (IPS)
B.DLP for data at rest
C.DNS-layer security only
D.Cloud-delivered firewall and web proxy
Answer: D

Correct. SIG provides firewall and proxy.

Why this answer

SIG includes cloud-delivered firewall and web proxy to secure internet traffic from users.

20
MCQ · medium

A company uses Azure and wants to restrict network traffic between subnets. Which Azure resource should they use?

A.Network Security Group (NSG)
B.Azure DDoS Protection
C.Azure Policy
D.Azure Firewall
Answer: A

Correct. NSGs filter traffic between subnets.

Why this answer

Network Security Groups (NSGs) filter traffic between subnets based on rules.

21
MCQ · medium

An organization uses multiple SaaS applications and wants to enforce data loss prevention (DLP) policies to prevent sensitive data from being shared externally. Which cloud security solution should be deployed?

A.Cloud Access Security Broker (CASB)
B.Web Application Firewall (WAF)
C.Cloud Security Posture Management (CSPM)
D.Cloud Workload Protection Platform (CWPP)
Answer: A

CASBs are designed to apply security policies including DLP across SaaS applications.

Why this answer

A CASB provides visibility and control over SaaS applications, including DLP policies to detect and block unauthorized sharing of sensitive data. CSPM focuses on cloud infrastructure posture, CWPP on workloads, and WAF on web application attacks.

22
Multi-Select · medium

A security team is implementing a DevSecOps pipeline for containerized applications. Which TWO of the following practices should be included to ensure container security?

Select 2 answers
A.Secrets management (avoiding hardcoded secrets in images)
B.DAST (Dynamic Application Security Testing)
C.Container image scanning for vulnerabilities
D.IaC security scanning
E.Manual code review
Answers: A, C

Secrets management prevents exposure of credentials inside containers.

Why this answer

Container image scanning checks for vulnerabilities in images, and secrets management prevents exposure of sensitive data in code.

23
MCQ · medium

A security team wants to enforce data loss prevention (DLP) policies across multiple sanctioned cloud applications used by employees. Which cloud security solution is best suited for this task?

A.CASB (Cloud Access Security Broker)
B.CWPP (Cloud Workload Protection Platform)
C.Cisco Umbrella SIG
D.CSPM (Cloud Security Posture Management)
Answer: A

CASB provides DLP, visibility, and threat detection for cloud applications.

Why this answer

A Cloud Access Security Broker (CASB) provides visibility into SaaS usage and can enforce DLP policies across cloud applications.

24
MCQ · easy

In the shared responsibility model for cloud services, which layer is the customer responsible for managing in an IaaS environment?

A.Virtual machines and storage only
B.Only data and access policies
C.Operating system, applications, and data
D.Physical servers and networking
Answer: C

Correct. The customer manages everything above the hypervisor.

Why this answer

In IaaS, the cloud provider manages the physical infrastructure, while the customer manages the OS, applications, and data.

25
MCQ · hard

An organization uses AWS WAF to protect its web application. They need to block requests from a specific geographic region. What should they configure?

A.CloudFront geo restriction
B.AWS WAF geo match rule
C.Security group with IP-based deny rule
D.Network ACL with IP deny rule
Answer: B

AWS WAF has a geo match condition to block or allow traffic based on country.

Why this answer

AWS WAF rules can use a geo match statement to allow or block requests based on the country derived from the source IP address. CloudFront geo restriction works only for CloudFront distributions, and security groups and network ACLs match on IP addresses and ports, not on geography.

26
MCQ · medium

An organization uses Cisco Umbrella to block malicious domains. What is the primary security benefit of DNS-layer security?

A.It performs deep packet inspection on all traffic
B.It blocks malicious domains before a connection is made
C.It provides SSL decryption for all web traffic
D.It encrypts all DNS traffic to prevent eavesdropping
Answer: B

DNS-layer security stops connections to malicious domains at the initial DNS request.

Why this answer

DNS-layer security blocks requests to malicious domains at the DNS level, preventing the connection from being established.

27
MCQ · hard

A security engineer needs to prevent secrets (e.g., API keys) from being stored in code repositories. Which DevSecOps practice should be implemented?

A.Implement secrets management using a tool like Vault
B.Use a SAST scanner to find secrets in code
C.Encrypt the code repository
D.Use a DAST tool to test for secrets
Answer: A

Vault securely stores and rotates secrets, preventing hardcoding.

Why this answer

Secrets management tools like HashiCorp Vault securely store and manage secrets, avoiding hardcoding in code.

28
MCQ · medium

A security engineer is configuring Cisco Umbrella to block HTTPS traffic to malicious sites. However, they want to inspect SSL-encrypted traffic selectively to avoid breaking applications. Which Umbrella feature should they use?

A.DNS-layer security
B.Intelligent Proxy
C.Umbrella Roaming Client
D.Secure Internet Gateway (SIG)
Answer: B

Intelligent Proxy performs selective SSL inspection.

Why this answer

The Intelligent Proxy in Cisco Umbrella allows selective SSL decryption based on rules, enabling inspection of traffic to risky categories while bypassing trusted applications.

29
MCQ · medium

A company uses Cisco Umbrella to protect remote users. They want to ensure that SSL-encrypted traffic to malicious websites is inspected, but without breaking compliance with privacy regulations. Which Umbrella feature should they enable?

A.Secure Internet Gateway (SIG)
B.Roaming Client
C.Intelligent Proxy
D.DNS-layer security
Answer: C

Intelligent Proxy selectively intercepts and inspects SSL traffic based on policy.

Why this answer

Intelligent Proxy allows selective SSL inspection based on policy, balancing security and privacy.

30
MCQ · easy

A company uses a SaaS application for customer relationship management. In the cloud shared responsibility model, which security controls are the customer's primary responsibility?

A.Patching the underlying operating system
B.Physical security of the data center
C.Network security for the application servers
D.Data classification and access policies
Answer: D

Data classification and access policies fall under data and access management, which is customer responsibility in SaaS.

Why this answer

In SaaS, the customer is responsible for managing data and access, while the provider handles the underlying infrastructure, application, and OS.

31
MCQ · medium

A security team wants to gain visibility into shadow IT usage of SaaS applications and enforce DLP policies for data shared via cloud apps. Which cloud security solution should they deploy?

A.Cisco Umbrella Secure Internet Gateway (SIG)
B.Cloud Security Posture Management (CSPM)
C.Cloud Workload Protection Platform (CWPP)
D.Cloud Access Security Broker (CASB)
Answer: D

CASB provides visibility, compliance, and security controls for SaaS applications.

Why this answer

A CASB provides visibility, DLP, and threat detection for SaaS applications, helping control shadow IT and protect data.

32
MCQ · hard

A security engineer is configuring Cisco Umbrella to enforce web security for remote users. The requirement is to block threats by intercepting DNS requests and only perform SSL decryption on specific high-risk categories. Which Umbrella feature should be used for selective SSL inspection?

A.DNS-layer security
B.Secure Internet Gateway (SIG)
C.Intelligent Proxy
D.Umbrella Roaming Client
Answer: C

Intelligent Proxy allows selective proxying and SSL decryption based on policy.

Why this answer

Cisco Umbrella's Intelligent Proxy can selectively proxy traffic (including SSL inspection) based on categories, URL groups, or other policies. The roaming client enables off-network protection but does not handle selective SSL inspection. SIG includes firewall and proxy but selective inspection is via Intelligent Proxy.

33
MCQ · hard

A company is deploying Cisco Umbrella with the Intelligent Proxy feature. Under what condition does the Intelligent Proxy perform SSL decryption?

A.For all web traffic from the roaming client
B.Only for traffic to websites with low reputation or in high-risk categories
C.Only for traffic using non-standard ports
D.Only when the user is on-network
Answer: B

Intelligent Proxy decrypts only when risk is high or policy dictates.

Why this answer

Intelligent Proxy selectively decrypts SSL traffic for high-risk categories or domains, based on policy, to inspect content while preserving user privacy for safe sites.

34
MCQ · hard

A security architect is designing a zero-trust model for cloud access. Which of the following is a core principle of zero trust in the cloud?

A.Identity is the new perimeter
B.All traffic must be inspected by a next-generation firewall
C.Network segmentation is the primary security control
D.VPNs are required for all cloud access
Answer: A

Zero trust treats identity as the primary security boundary.

Why this answer

Zero trust assumes no implicit trust and requires identity verification for every access request, using identity as the primary perimeter.

35
MCQ · medium

An organization wants to connect its on-premises data center to a GCP VPC privately, avoiding the public internet. Which GCP service provides a dedicated, private connection?

A.Cloud VPN
B.Dedicated Interconnect
C.Private Service Connect
D.Cloud NAT
Answer: B

Dedicated Interconnect provides a private, dedicated connection.

Why this answer

Dedicated Interconnect provides a direct physical connection between on-premises equipment and Google's network. Cloud VPN tunnels traverse the public internet (encrypted, but not private), Private Service Connect is for reaching Google-managed services privately, and Cloud NAT only provides outbound internet access for instances without public addresses.

36
MCQ · easy

In the shared responsibility model, which is the customer's responsibility in a SaaS model?

A.Network security
B.Physical data center security
C.Data classification and access control
D.Application security patches
Answer: C

Customer manages data and who can access it.

Why this answer

In SaaS, the provider manages the application, runtime, OS, and infrastructure. The customer is responsible for data and access management.

37
Multi-Select · medium

A company is using Cisco Umbrella for cloud security. Which two features are part of the Secure Internet Gateway (SIG) functionality? (Choose two.)

Select 2 answers
A.CASB functionality
B.CSPM capabilities
C.Cloud-delivered firewall
D.DNS-layer security
E.Web proxy
Answers: C, E

SIG includes cloud firewall.

Why this answer

SIG is defined by the cloud-delivered firewall and the web proxy (secure web gateway). DNS-layer security is Umbrella's base feature and is bundled into the SIG packages, but it is not specific to SIG, which is why it is not one of the expected answers; CASB and CSPM are separate product categories rather than SIG functionality.

38
MCQ · easy

In the shared responsibility model for PaaS, which component is the customer responsible for managing?

A.Network infrastructure
B.Hypervisor
C.Operating system
D.Data and applications
Answer: D

Customer is responsible for data and applications in PaaS.

Why this answer

In PaaS, the customer manages applications and data, while the provider manages the runtime, infrastructure, and OS.

39
MCQ · easy

Which of the following is the primary function of a Cloud Security Posture Management (CSPM) tool?

A.Block malicious domains at the DNS layer
B.Protect workloads from malware
C.Monitor and remediate cloud misconfigurations against benchmarks
D.Provide DLP for SaaS applications
Answer: C

CSPM checks configurations against standards like CIS.

Why this answer

CSPM tools continuously monitor cloud infrastructure for compliance with security best practices and benchmarks (e.g., CIS). They identify misconfigurations but do not typically enforce DLP, block threats, or protect workloads directly.

40
Multi-Select · medium

An organization is adopting zero trust principles for cloud access. Which THREE components should be implemented to enforce identity as the new perimeter?

Select 3 answers
A.Network segmentation via VLANs
B.Multi-Factor Authentication (MFA) for all cloud access
C.Privileged Identity Management (PIM) for just-in-time access
D.Conditional access policies based on user and device context
E.Firewall rules based on source IP
Answers: B, C, D

MFA is essential to verify identity.

Why this answer

MFA ensures strong authentication, PIM manages privileged access, and conditional access policies enforce context-based controls.

41
MCQ · medium

A security team is implementing secure access for remote users connecting from untrusted networks. They want to enforce DNS-layer security even when users are off the corporate network. Which Cisco Umbrella feature should be deployed on the endpoints?

A.Secure Internet Gateway (SIG)
B.Umbrella Roaming Client
C.Intelligent Proxy
D.Virtual Appliance
Answer: B

The roaming client provides DNS-layer security on endpoints everywhere.

Why this answer

The Cisco Umbrella Roaming Client provides DNS-layer security for endpoints regardless of their network location, including off-network protection.

42
Multi-Select · medium

Which two controls are considered part of a zero-trust architecture for cloud access? (Choose two.)

Select 2 answers
A.Multi-factor authentication for all cloud access
B.Static firewall rules based on IP addresses
C.Permanent privileged role assignments
D.Network-based VPN for all users
E.Conditional access policies based on user and device
Answers: A, E

MFA is a key zero-trust control.

Why this answer

Zero trust relies on identity verification (MFA) and granular access policies (conditional access) rather than network location.

43
MCQ · hard

An organization uses Azure for its cloud workloads. To protect web applications from common exploits like SQL injection and cross-site scripting, they need to deploy a web application firewall (WAF) that integrates with Azure Application Gateway. Which Azure WAF SKU should they choose?

A.Azure Firewall Premium
B.Azure DDoS Protection
C.Azure Application Gateway WAF_v2
D.Azure WAF on Azure Front Door
Answer: C

WAF_v2 SKU of Application Gateway includes WAF capabilities.

Why this answer

Azure WAF can be deployed with Application Gateway (WAF_v2 SKU) or Front Door. The WAF_v2 SKU of Application Gateway provides integrated WAF capabilities.

44
MCQ · medium

A company wants to privately connect an on-premises network to an Azure virtual network without traversing the internet. Which Azure service should they use?

A.Azure VPN Gateway
B.Azure Front Door
C.Azure ExpressRoute
D.Azure Private Link
Answer: C

ExpressRoute offers dedicated private connectivity.

Why this answer

Azure ExpressRoute provides dedicated private connectivity from on-premises to Azure, bypassing the internet.

45
Multi-Select · medium

A security team is implementing DevSecOps practices. Which TWO actions should be taken to secure secrets (e.g., API keys, passwords) in a CI/CD pipeline? (Choose two.)

Select 2 answers
A.Share secrets via email to team members
B.Hardcode secrets in the source code with comments to remind developers
C.Use a secrets management tool like HashiCorp Vault
D.Implement scanning for secrets in code repositories using tools like git-secrets
E.Store secrets in environment variables in the pipeline configuration
Answers: C, D

Vault securely stores and controls access to secrets.

Why this answer

Secrets should never be hardcoded; fetch them at run time from a secrets manager such as HashiCorp Vault or a cloud-native secret store, and scan repositories for leaked secrets with a tool like git-secrets, ideally as a pre-commit hook and again in the pipeline. Putting secrets in the pipeline configuration file (E) is hardcoding by another name, because that file is committed to the repository; pipeline-side secret variables injected at run time are a different mechanism.
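Questions 27 and 45 both come down to two controls: keep secrets out of the repository and catch the ones that slip in. As an added example (not git-secrets, Vault or any vendor's code), the Python scanner below runs the same kinds of checks a pre-commit hook such as git-secrets applies, over a constructed repository snapshot. The file names, the `AKIAQ3R7X2P9M4N6B8C0` key, the `hunter2hunter2` value, the signing-key literal and the `vault` client call are all made up for the example, and the entropy threshold is a tuning choice.

```python
"""Pre-commit style secret scanner over repository text.

Added example, not git-secrets or Vault code. It applies the kinds of checks
those tools run: provider-specific key patterns, generic credential
assignments, private-key headers and a Shannon-entropy heuristic for
random-looking tokens. The repository contents below are constructed.
"""
from __future__ import annotations
import math
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # name = "value": a credential-like name assigned a quoted literal of 8+ chars
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
# Values that are documented placeholders or references resolved at run time.
ALLOWLIST = re.compile(r"(?i)(example|changeme|placeholder|\$\{|vault:)")
HIGH_ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 4.5      # bits per character; 32 distinct characters give 5.0


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per offending line: {path, line, kind, value}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if ALLOWLIST.search(value):
                continue
            findings.append({"path": path, "line": lineno, "kind": kind, "value": value})
            break
        else:   # no pattern matched: fall back to the entropy heuristic
            for tok in HIGH_ENTROPY_TOKEN.findall(line):
                if shannon_entropy(tok) >= ENTROPY_THRESHOLD and not ALLOWLIST.search(tok):
                    findings.append({"path": path, "line": lineno,
                                     "kind": "high_entropy", "value": tok})
                    break
    return findings


def scan_repo(files: dict[str, str]) -> list[dict]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed repository snapshot. Comments mark what should and should not fire.
SAMPLE_REPO = {
    "config/settings.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = os.environ["DB_PASSWORD"]   # injected at run time: fine\n'
        'AWS_KEY = "AKIAQ3R7X2P9M4N6B8C0"          # constructed key: flagged\n'
        'DOC_KEY = "AKIAIOSFODNN7EXAMPLE"          # AWS documentation placeholder: allowlisted\n'
    ),
    ".gitlab-ci.yml": (
        "variables:\n"
        '  DB_PASSWORD: "hunter2hunter2"         # pipeline config is in the repo: flagged\n'
        '  VAULT_ADDR: "https://vault.internal:8200"\n'
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(key material omitted)\n",
    "app/signing.py": (
        'SIGNING_KEY = "aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xY"   # random-looking literal: flagged by entropy\n'
        'token = vault.secrets.kv.v2.read_secret_version(path="app/token")  # read from Vault: fine\n'
    ),
}


if __name__ == "__main__":
    found = scan_repo(SAMPLE_REPO)
    for f in found:
        print(f"{f['path']}:{f['line']}: {f['kind']}: {f['value'][:12]}...")
    raise SystemExit(1 if found else 0)   # non-zero exit blocks the commit or pipeline stage
```

With git-secrets the equivalent setup is `git secrets --install` in the repository and `git secrets --register-aws` to load the AWS patterns (the documented `AKIAIOSFODNN7EXAMPLE` key is on its allow list, as it is here); `git secrets --scan -r .` runs the same check in the pipeline. The `.gitlab-ci.yml` finding is the point of option E: a value written into the pipeline file is committed alongside the code, whereas a pipeline secret variable injected at run time, or a run-time read from Vault as in `app/signing.py`, never lands in the repository.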

46
MCQ · hard

A security engineer is configuring Cisco Umbrella Intelligent Proxy to selectively decrypt and inspect HTTPS traffic. The goal is to balance security and user privacy by only inspecting traffic to high-risk domains. How does Intelligent Proxy decide which traffic to inspect?

A.It inspects all HTTPS traffic by default.
B.It evaluates domains against Cisco's security categories and only inspects domains that match certain categories.
C.It uses a list of manually configured domains.
D.It inspects traffic based on the user's identity.
Answer: B

Intelligent Proxy leverages Cisco's threat intelligence to decide which traffic to inspect.

Why this answer

Intelligent Proxy uses Cisco Umbrella's security intelligence to categorize domains and selectively apply SSL inspection to those classified as high risk or based on policy.

47
MCQ · hard

A company is deploying a multi-tier application on AWS. The web servers must be accessible from the internet only on ports 80 and 443, while the database servers should be accessible only from the web servers on port 3306. Which combination of cloud network security controls should be used?

A.Only security groups for both tiers, no NACLs
B.Only Network ACLs for both subnets, no security groups
C.Security groups for each tier and a Network ACL on the database subnet
D.Network ACLs for the web tier and security groups for the database tier
Answer: C

Security groups control instance-level traffic; NACLs add subnet-level filtering.

Why this answer

Security groups are stateful instance-level firewalls: allow the web tier's 80 and 443 from anywhere, and allow the database tier's 3306 with the web tier's security group as the source. A NACL on the database subnet adds a stateless subnet-level layer, for example denying inbound traffic from anything but the web subnet. Because NACLs are stateless, the outbound rule set must also allow the ephemeral-port return traffic (1024-65535) back to the web subnet, or the database replies are dropped.

48
MCQ · medium

A security administrator wants to enforce a policy that blocks upload of sensitive data to unauthorized cloud applications. Which technology should be used to gain visibility and control over sanctioned and unsanctioned SaaS applications?

A.Cisco Umbrella SIG
B.CASB
C.CWPP
D.CSPM
Answer: B

CASB is specifically designed for visibility and control over SaaS applications, including DLP.

Why this answer

A CASB (Cloud Access Security Broker) provides visibility into SaaS usage and enables data loss prevention (DLP) policies to control data uploads to cloud apps.

49
MCQ · medium

An organization wants to enforce MFA for all administrative access to their Azure environment and also require that access from non-compliant devices be blocked. Which Azure feature should they use?

A.Azure Security Center
B.Azure AD Conditional Access
C.Azure AD Privileged Identity Management
D.Azure Firewall
Answer: B

Correct. Conditional Access enforces MFA and device compliance.

Why this answer

Azure AD Conditional Access allows policies based on user, device, location, and risk to enforce MFA and block non-compliant devices.

50
MCQ · easy

Which Cisco Umbrella feature provides off-network protection by intercepting DNS requests on a user's device?

A.Secure Internet Gateway (SIG)
B.Cisco AnyConnect
C.Intelligent Proxy
D.Umbrella Roaming Client
Answer: D

It provides DNS-layer security on and off the network.

Why this answer

The Umbrella Roaming Client is installed on endpoints and redirects DNS queries to Cisco Umbrella even when the device is off the corporate network.

51
MCQ · easy

A company is using a SaaS application like Office 365. Which security responsibility falls on the customer according to the shared responsibility model?

A.Operating system patching
B.Data classification and access policies
C.Physical security of servers
D.Network firewall management
Answer: B

The customer is responsible for data and access management.

Why this answer

In SaaS, the provider manages the application and infrastructure, while the customer manages data and access control.

52
MCQ · hard

A company uses Azure AD Conditional Access policies to enforce security for cloud applications. They need to require MFA for all external users accessing a sensitive SaaS app, but only when the access is from an untrusted network. Which condition should be configured in the policy?

A.Use device compliance condition
B.Use risk-based conditional access
C.Configure the policy for 'All locations'
D.Configure the policy for 'Any location' and exclude 'All trusted locations'
Answer: D

This ensures MFA is required only when not from a trusted location.

Why this answer

Conditional Access can use network location conditions, such as 'All trusted locations' or 'Any location'. To enforce MFA only from untrusted networks, the policy should target 'Any location' and exclude 'All trusted locations'. The other options are less precise.
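Questions 2, 6, 49 and 52 all describe Conditional Access policies; the code below makes the include/exclude location logic of question 52 and the admin policy of question 49 concrete. This is an added example, not Microsoft's code: the two policy bodies follow the Microsoft Graph conditionalAccessPolicy resource as I know it (the property names are an assumption to verify against the API reference), the application id and the trusted IP range are placeholders, the Global Administrator role template id is the well-known value, and the evaluator is a deliberately simplified model of the real engine.

```python
"""Conditional Access policies as Microsoft Graph bodies, with a toy evaluator.

Added example, not Microsoft's code. The dictionaries follow the Graph
conditionalAccessPolicy schema as I know it (assumption: property names match
the live API). The evaluator only handles user/role, application and location
conditions plus the mfa and compliantDevice grant controls, and it applies
every policy whose conditions match, as the real engine does.
"""
from __future__ import annotations
import ipaddress

SENSITIVE_APP = "app-sensitive-crm"                        # hypothetical application id
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template id
TRUSTED_RANGES = ["198.51.100.0/24"]                       # constructed "trusted" named location

# Question 52: external users, one app, MFA only from untrusted networks.
EXTERNAL_MFA_FROM_UNTRUSTED = {
    "displayName": "External users: MFA for CRM outside trusted locations",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["GuestsOrExternalUsers"]},
        "applications": {"includeApplications": [SENSITIVE_APP]},
        "clientAppTypes": ["all"],
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Question 49: administrators need MFA and a compliant device for everything.
ADMIN_MFA_AND_COMPLIANT_DEVICE = {
    "displayName": "Admins: MFA and compliant device",
    "state": "enabled",
    "conditions": {
        "users": {"includeRoles": [GLOBAL_ADMIN_ROLE]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
}

POLICIES = [EXTERNAL_MFA_FROM_UNTRUSTED, ADMIN_MFA_AND_COMPLIANT_DEVICE]


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in TRUSTED_RANGES)


def applies(policy: dict, s: dict) -> bool:
    """Does this policy's condition set match the sign-in s?"""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    users = cond["users"]
    in_user_scope = (
        "All" in users.get("includeUsers", [])
        or (s["external"] and "GuestsOrExternalUsers" in users.get("includeUsers", []))
        or bool(set(s.get("roles", [])) & set(users.get("includeRoles", [])))
    )
    if not in_user_scope:
        return False
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and s["app"] not in apps:
        return False
    loc = cond.get("locations")
    if loc:                                  # no location condition means any location
        trusted = is_trusted(s["ip"])
        included = "All" in loc.get("includeLocations", []) or (
            "AllTrusted" in loc.get("includeLocations", []) and trusted)
        excluded = "AllTrusted" in loc.get("excludeLocations", []) and trusted
        if not included or excluded:
            return False
    return True


def policy_outcome(policy: dict, s: dict) -> str:
    """'allow', 'mfa' (an MFA prompt satisfies the grant) or 'block' for one policy."""
    op = policy["grantControls"]["operator"]
    controls = policy["grantControls"]["builtInControls"]
    # MFA can always be prompted for; device compliance is a property of the sign-in.
    satisfiable = {"mfa": True, "compliantDevice": s["device_compliant"]}
    ok = [c for c in controls if satisfiable.get(c, False)]
    if op == "AND" and len(ok) != len(controls):
        return "block"
    if op == "OR" and not ok:
        return "block"
    if op == "OR" and "compliantDevice" in ok:
        return "allow"                        # a compliant device alone satisfies an OR grant
    return "mfa" if "mfa" in ok else "allow"


def decide(policies: list[dict], s: dict) -> str:
    """Every applicable policy must be satisfied: any block wins, then any MFA requirement."""
    outcomes = [policy_outcome(p, s) for p in policies if applies(p, s)]
    if "block" in outcomes:
        return "block"
    return "mfa" if "mfa" in outcomes else "allow"


def demo() -> dict[str, str]:
    base = {"external": False, "roles": [], "app": SENSITIVE_APP, "device_compliant": False}
    admin = {**base, "roles": [GLOBAL_ADMIN_ROLE], "app": "portal", "ip": "203.0.113.9"}
    return {
        "guest_crm_untrusted": decide(POLICIES, {**base, "external": True, "ip": "203.0.113.9"}),
        "guest_crm_trusted": decide(POLICIES, {**base, "external": True, "ip": "198.51.100.7"}),
        "member_crm_untrusted": decide(POLICIES, {**base, "ip": "203.0.113.9"}),
        "admin_noncompliant": decide(POLICIES, admin),
        "admin_compliant": decide(POLICIES, {**admin, "device_compliant": True}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} -> {outcome}")
```

Either body can be created with a POST to `/identity/conditionalAccess/policies` on Microsoft Graph; setting `state` to `enabledForReportingButNotEnforced` first shows in the sign-in logs what the policy would have done before it is enforced. The admin policy also shows why option D in question 52 is the precise answer: a policy with no `locations` condition applies everywhere, whereas `includeLocations: ["All"]` together with `excludeLocations: ["AllTrusted"]` is what limits the MFA prompt to untrusted networks.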

53
MCQ · easy

An organization wants to implement zero trust principles for cloud access. Which of the following is a key component of a zero trust architecture in the cloud?

A.Site-to-site VPN to cloud
B.Strong perimeter firewall
C.Multi-factor authentication (MFA) for all access
D.Single sign-on with one password
Answer: C

MFA verifies identity regardless of location, aligning with zero trust.

Why this answer

Zero trust assumes no implicit trust and requires continuous verification. Identity is the new perimeter, and MFA is a core enforcement mechanism. VPNs and perimeter firewalls create a trusted-network model, which is contrary to zero trust, and single sign-on backed by only a password is inadequate on its own.

54
MCQ · medium

A security team is implementing AWS WAF to protect a web application. They want to block requests that contain SQL injection patterns in the query string. Which AWS WAF component should be used?

A.Security group allowing only HTTPS
B.Network ACL with deny rule for port 80
C.Managed rule group for SQL injection
D.Custom rule matching on source IP
Answer: C

AWS WAF managed rules detect SQL injection in requests.

Why this answer

AWS WAF managed rule groups (for example the AWS Managed Rules SQL database rule group, AWSManagedRulesSQLiRuleSet) detect common attack patterns such as SQL injection in the query string, body, and headers. A custom rule with a SQLi match statement can also be written, but the managed rule group is the simplest option. NACLs and security groups operate at the network layer and cannot inspect request content.

55
MCQ · easy

In a DevSecOps pipeline, which tool would be used to scan Infrastructure as Code (IaC) templates for security misconfigurations?

A. SAST tool
B. Container image scanner
C. DAST tool
D. Checkov
Answer: D

Checkov scans IaC for misconfigurations.

Why this answer

Checkov is an open-source tool that scans Terraform, CloudFormation, and other IaC templates for security issues.

56
MCQ · medium

A company uses Azure NSGs to filter network traffic to VMs. They want to allow RDP access (port 3389) only from the company's public IP range. Which type of NSG rule should be created?

A. Outbound security rule allowing traffic from any source to port 3389
B. Azure Load Balancer rule
C. Inbound security rule with source set to the company's IP range and destination port 3389
D. Inbound security rule with destination set to the company's IP range and source port 3389
Answer: C

This allows inbound RDP only from the specified IP range.

Why this answer

An inbound rule on the NSG applied to the subnet or VM NIC can allow traffic from the company's IP range to port 3389. Outbound rules control traffic leaving the resource. Load balancer rules are different.

57
MCQ · medium

A security team wants to inspect SSL-encrypted traffic from users accessing SaaS applications through Cisco Umbrella. Which feature should they enable?

A. Roaming client
B. DNS-layer blocking
C. Intelligent Proxy
D. SIG cloud firewall
Answer: C

Intelligent Proxy performs SSL inspection for selected traffic.

Why this answer

Intelligent Proxy allows selective SSL inspection based on policies.

58
MCQ · medium

A security team wants to gain visibility into Shadow IT usage of SaaS applications and enforce data loss prevention policies. Which cloud security solution should they deploy?

A. CSPM
B. CASB
C. Cisco Umbrella
D. CWPP
Answer: B

CASB provides visibility, DLP, and threat detection for cloud apps.

Why this answer

CASB provides visibility, DLP, and threat detection for sanctioned and unsanctioned SaaS apps.

59
MCQ · easy

In the shared responsibility model for cloud computing, which responsibility is managed by the customer in all service models (IaaS, PaaS, SaaS)?

A. Data and access management
B. Network infrastructure maintenance
C. Physical security of data centers
D. Hypervisor patching
Answer: A

Data and access management are customer responsibilities across IaaS, PaaS, and SaaS.

Why this answer

In all cloud service models, the customer is always responsible for their own data and access management, including who has access to the data and how it is protected.

60
Multi-Select · medium

A company is adopting a zero-trust security model for its cloud environment. Which THREE practices align with zero-trust principles? (Choose three.)

Select 3 answers
A. Use privileged identity management (PIM) for just-in-time access
B. Trust all traffic from within the corporate network
C. Grant permanent administrative privileges for convenience
D. Require multi-factor authentication (MFA) for all cloud access
E. Implement conditional access policies based on user and device posture
Answers: A, D, E

PIM provides time-bound access to privileged roles.

Why this answer

Zero trust assumes no implicit trust; verify every request. MFA, conditional access, and privileged identity management are key components.

61
Multi-Select · hard

An organization is adopting zero trust principles for cloud access. Which THREE measures are essential for implementing identity-centric security? (Choose three.)

Select 3 answers
A. Site-to-site VPN for connectivity
B. Conditional access policies based on user, device, and location
C. Network segmentation using VLANs
D. Privileged Identity Management (PIM) with just-in-time access
Answers: B, D, E

Conditional access enforces policies dynamically based on identity context.

Why this answer

Zero trust relies on strong identity verification: MFA, privileged identity management (PIM) for just-in-time access, and conditional access policies that enforce context-based controls. VPN and network segmentation are network-centric, not identity-centric.

62
MCQ · medium

A company wants to establish private connectivity between its on-premises data center and a VPC in AWS, avoiding the public internet. Which AWS service should be used?

A. AWS VPN
B. AWS Transit Gateway
C. AWS Direct Connect
D. AWS PrivateLink
Answer: D

PrivateLink enables private connectivity to services across VPCs and on-premises.

Why this answer

AWS PrivateLink allows private connectivity between VPCs and on-premises via interface endpoints, without traversing the internet.

63
MCQ · hard

An organization uses Cisco Umbrella to protect remote users. The security team notices that some malicious domains are not blocked because users are bypassing the DNS layer by using direct IP connections or non-DNS protocols. Which Cisco Umbrella feature should be enabled to inspect all traffic, including non-web traffic, and enforce policies regardless of DNS resolution?

A. Secure Internet Gateway (SIG)
B. Intelligent Proxy
C. Umbrella Roaming Client
D. DNS-layer Security
Answer: A

SIG includes a cloud firewall that can inspect all traffic and enforce policies beyond DNS.

Why this answer

The Cisco Umbrella Secure Internet Gateway (SIG) provides a cloud-delivered firewall that can inspect all traffic (including non-web) and enforce policies without relying solely on DNS blocking.

64
MCQ · medium

An organization uses Cisco Umbrella to block malicious domains. The security team notices that some malware traffic bypasses DNS-layer blocking because the malware uses hardcoded IP addresses. Which Umbrella feature should be enabled to additionally inspect traffic at the IP layer?

A. Intelligent Proxy
B. Secure Internet Gateway (SIG)
C. DNS-layer security
D. Umbrella Roaming Client
Answer: B

SIG includes a cloud-delivered firewall that can block traffic based on IP addresses.

Why this answer

Cisco Umbrella's Secure Internet Gateway (SIG) provides cloud-delivered firewall and web proxy that can inspect IP-based traffic, not just DNS.

65
MCQ · medium

An organization is adopting a zero-trust model for cloud access. Which component enforces conditional access policies based on user, device, location, and risk level in Azure AD?

A. Azure AD Identity Protection
B. Azure AD Conditional Access
C. Azure Security Center
D. Privileged Identity Management (PIM)
Answer: B

Conditional Access enforces policies based on conditions.

Why this answer

Azure AD Conditional Access evaluates signals (user, device, location, risk) and enforces policies like requiring MFA or blocking access.

66
MCQ · medium

A company uses Cisco Umbrella to provide DNS-layer security. An employee tries to visit a website that is hosting malware, but the domain is not yet categorized. How does Umbrella handle this request?

A. The request is redirected to a captive portal for user awareness
B. The request is allowed because the domain is not categorized
C. The request is blocked if the domain is identified as malicious by Umbrella's threat intelligence
D. The request is proxied through the intelligent proxy for inspection
Answer: C

Umbrella uses threat intelligence to block malicious domains regardless of category.

Why this answer

Umbrella's DNS-layer security can block domains based on intelligence feeds, including newly observed malicious domains. It does not need categorization; it uses real-time threat intelligence. The intelligent proxy is separate.

67
MCQ · easy

A company is moving its on-premises applications to AWS EC2 instances. According to the shared responsibility model, which of the following is the customer's responsibility?

A. Hypervisor security
B. Network infrastructure hardening
C. Patching the guest operating system
D. Physical security of the data center
Answer: C

The customer controls the guest OS and must apply patches.

Why this answer

In IaaS, the cloud provider manages the physical infrastructure (hosts, network, hypervisor), while the customer is responsible for securing the guest OS, applications, and data. Patching the OS is a customer responsibility.

68
MCQ · medium

An organization uses Cisco Umbrella to block malicious domains. Which layer does Umbrella primarily operate at to prevent connections before they are established?

A. Network layer (IP filtering)
B. Application layer
C. Transport layer
D. DNS layer
Answer: D

Umbrella blocks DNS requests to malicious domains.

Why this answer

Cisco Umbrella operates at the DNS layer to block requests to malicious domains before any connection is made.

69
MCQ · easy

Which cloud security control is specifically designed to protect workloads such as VMs and containers from threats?

A. CSPM
B. CASB
C. CWPP
D. SIG
Answer: C

CWPP protects workloads.

Why this answer

CWPP (Cloud Workload Protection Platform) provides security for workloads across clouds.

70
MCQ · medium

A company uses multiple SaaS applications and wants to enforce data loss prevention (DLP) policies to prevent sensitive data from being shared externally. Which technology provides the ability to scan data in transit and at rest within these SaaS applications?

A. Cisco Umbrella
B. CASB
C. CSPM
D. CWPP
Answer: B

CASB provides DLP capabilities for SaaS applications.

Why this answer

CASB solutions can inspect data in transit and at rest within SaaS applications to enforce DLP policies.

71
MCQ · easy

In the shared responsibility model for PaaS, which of the following is the customer responsible for?

A. Operating system patching
B. Runtime environment
C. Applications and data
D. Physical infrastructure
Answer: C

The customer is responsible for their apps and data.

Why this answer

In PaaS, the provider manages the runtime, middleware, and OS; the customer manages applications and data.

72
Multi-Select · medium

A company is using Azure and wants to enforce security compliance across their cloud resources. Which TWO services are part of CSPM (Cloud Security Posture Management) in Azure? (Choose two.)

Select 2 answers
A. Azure Security Center (Defender for Cloud)
B. Azure Policy
C. Azure Active Directory
D. Azure Monitor
E. Azure WAF
Answers: A, B

Defender for Cloud provides security posture management and recommendations; Azure Policy enforces compliance rules.

Why this answer

Azure Security Center (now Defender for Cloud) provides CSPM capabilities including continuous assessment and secure score. Azure Policy enforces compliance rules. Azure AD is identity, WAF is application protection, and Monitor is monitoring.

73
MCQ · medium

Which cloud workload protection platform (CWPP) capability is essential for protecting containerized applications?

A. Web application firewall
B. Container image vulnerability scanning
C. Network micro-segmentation
D. Identity and access management
Answer: B

Image scanning is a core CWPP capability for containers.

Why this answer

CWPP for containers includes both image vulnerability scanning and runtime security; of these, image scanning is the fundamental capability.

74
MCQ · medium

To enforce zero trust principles in a cloud environment, an administrator requires all access to cloud resources to be authenticated and authorized based on user identity and device health. Which Azure AD feature enables policies that consider conditions such as location, device compliance, and risk level?

A. Multi-Factor Authentication (MFA)
B. Azure AD Identity Protection
C. Privileged Identity Management (PIM)
D. Azure AD Conditional Access
Answer: D

Conditional Access policies evaluate multiple conditions to enforce access controls.

Why this answer

Azure AD Conditional Access allows administrators to create policies that enforce access controls based on conditions like user location, device compliance, and sign-in risk.

75
MCQ · hard

In a DevSecOps pipeline, a team wants to prevent secrets (e.g., API keys) from being stored in source code. Which approach is most effective?

A. Store secrets in environment variables
B. Use container image scanning
C. Encrypt secrets in code
D. Use a secrets management tool like Vault
Answer: D

Vault securely stores and manages access to secrets.

Why this answer

Using a secrets management tool like HashiCorp Vault ensures secrets are stored securely and not in code.
