350-701 · topic practice

Cloud Security practice questions

Practise Cisco SCOR / CCNP Security Core 350-701 Cloud Security practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Cloud Security

What the exam tests

What to know about Cloud Security

Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

IaaS, PaaS and SaaS responsibilities and examples.

Public, private, hybrid and community cloud deployment models.

On-premises vs cloud trade-offs: cost, control, scalability.

How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.

Watch out for

Common Cloud Security exam traps

  • IaaS gives you infrastructure control; SaaS gives you only the application.
  • Hybrid cloud combines on-premises and public cloud — not two public clouds.
  • Cloud does not automatically mean cheaper or more secure.
  • Management responsibility shifts with each service model (IaaSPaaSSaaS).

Practice set

Cloud Security questions

20 questions · select your answer, then reveal the explanation

A company is moving its on-premises applications to AWS EC2 instances. According to the shared responsibility model, which of the following is the customer's responsibility?

Question 2mediummultiple choice
Read the full Cloud Security explanation →

An organization uses multiple SaaS applications and wants to enforce data loss prevention (DLP) policies to prevent sensitive data from being shared externally. Which cloud security solution should be deployed?

Question 3hardmultiple choice
Read the full DNS explanation →

A security engineer is configuring Cisco Umbrella to enforce web security for remote users. The requirement is to block threats by intercepting DNS requests and only perform SSL decryption on specific high-risk categories. Which Umbrella feature should be used for selective SSL inspection?

Question 4mediummultiple choice
Read the full Cloud Security explanation →

A company is deploying a multi-tier application in AWS. The web servers must be accessible from the internet, but the database servers should only be reachable from the web servers. Which AWS security controls should be used to enforce this?

An organization wants to implement zero trust principles for cloud access. Which of the following is a key component of a zero trust architecture in the cloud?

Question 6mediummultiple choice
Read the full Cloud Security explanation →

A DevOps team is integrating security into their CI/CD pipeline. They want to automatically scan Terraform scripts for misconfigurations before deployment. Which tool is specifically designed for this purpose?

A company uses Azure AD Conditional Access policies to enforce security for cloud applications. They need to require MFA for all external users accessing a sensitive SaaS app, but only when the access is from an untrusted network. Which condition should be configured in the policy?

Question 8mediummultiple choice
Read the full Cloud Security explanation →

An organization wants to connect its on-premises data center to a GCP VPC privately, avoiding the public internet. Which GCP service provides a dedicated, private connection?

Which of the following is the primary function of a Cloud Security Posture Management (CSPM) tool?

Question 10mediummultiple choice
Read the full DNS explanation →

A company uses Cisco Umbrella to provide DNS-layer security. An employee tries to visit a website that is hosting malware, but the domain is not yet categorized. How does Umbrella handle this request?

Question 11hardmultiple choice
Read the full Cloud Security explanation →

An organization is deploying containerized applications in a Kubernetes cluster on AWS EKS. They need to ensure that container images are scanned for vulnerabilities before deployment. Which approach aligns with DevSecOps best practices?

Question 12mediummultiple choice
Read the full Cloud Security explanation →

A security team is implementing AWS WAF to protect a web application. They want to block requests that contain SQL injection patterns in the query string. Which AWS WAF component should be used?

Question 13easymultiple choice
Read the full Cloud Security explanation →

In the shared responsibility model for PaaS, which of the following is typically the customer's responsibility?

Question 14mediummultiple choice
Read the full Cloud Security explanation →

A company uses Azure NSGs to filter network traffic to VMs. They want to allow RDP access (port 3389) only from the company's public IP range. Which type of NSG rule should be created?

Question 15hardmultiple choice
Read the full Cloud Security explanation →

A DevSecOps team is implementing secrets management for a cloud-native application. They want to avoid storing secrets in environment variables or code. Which solution should they use?

A security administrator is evaluating Cisco Umbrella for cloud-delivered security. Which TWO capabilities are provided by the Secure Internet Gateway (SIG) feature? (Choose two.)

An organization is adopting zero trust principles for cloud access. Which THREE measures are essential for implementing identity-centric security? (Choose three.)

A company is using Azure and wants to enforce security compliance across their cloud resources. Which TWO services are part of CSPM (Cloud Security Posture Management) in Azure? (Choose two.)

Question 19easymultiple choice
Read the full Cloud Security explanation →

In the shared responsibility model for cloud services, which layer is the customer responsible for managing in an IaaS environment?

Question 20mediummultiple choice
Read the full Cloud Security explanation →

A security team wants to gain visibility into Shadow IT usage of SaaS applications and enforce data loss prevention policies. Which cloud security solution should they deploy?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Cloud Security sessions

Start a Cloud Security only practice session

Every question in these sessions is drawn from the Cloud Security domain — nothing else.

Related practice questions

Related 350-701 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the 350-701 exam test about Cloud Security?
Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Cloud Security questions in a focused session?
Yes — the session launcher on this page draws every question from the Cloud Security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 350-701 topics?
Use the topic links above to move to related areas, or go back to the 350-701 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 350-701 exam covers. They are not copied from any real exam or dump site.