CCNA SCOR Cloud Security Questions

10 of 85 questions · Page 2/2 · SCOR Cloud Security topic

76 · MCQ · easy

In a DevSecOps pipeline, a security engineer wants to automatically scan Infrastructure as Code (IaC) templates for security misconfigurations before deployment. Which tool is commonly used for static analysis of Terraform templates?

A. SAST scanner
B. Checkov
C. DAST scanner
D. Container image scanner
Answer: B

Checkov scans IaC templates for security issues.

Why this answer

Checkov is a static analysis tool built for Infrastructure as Code: it parses Terraform (and CloudFormation, Kubernetes manifests, and similar) and evaluates the resources against a library of policies, flagging misconfigurations such as security groups open to 0.0.0.0/0 or unencrypted storage before anything is applied. The other options target different artifacts: a SAST scanner analyzes application source code, a DAST scanner probes a running application, and a container image scanner inspects image layers for vulnerable packages.

77 · MCQ · hard

An organization is deploying containerized applications in a Kubernetes cluster on AWS EKS. They need to ensure that container images are scanned for vulnerabilities before deployment. Which approach aligns with DevSecOps best practices?

A. Scan container images after deployment using a runtime scanner
B. Integrate image scanning into the CI/CD pipeline before pushing to registry
C. Manually review images before deployment
D. Only scan base images, not application layers
Answer: B

Early detection in the pipeline prevents vulnerable images from being deployed.

Why this answer

Integrating image scanning into the CI/CD pipeline (for example Trivy, or Amazon ECR scan-on-push) catches vulnerabilities before the image is published, and failing the build on findings above a chosen severity keeps vulnerable images out of the registry and therefore out of the cluster. Scanning only at runtime finds the problem after the workload is already exposed, manual review does not scale and misses CVEs that are only discoverable by tooling, and scanning only base images ignores vulnerable dependencies introduced in the application layers.

78 · MCQ · hard

A DevSecOps team is implementing secrets management for a cloud-native application. They want to avoid storing secrets in environment variables or code. Which solution should they use?

A. Embed secrets in the container image
B. Pass secrets via command-line arguments
C. Use HashiCorp Vault to dynamically generate and manage secrets
D. Store secrets in a configuration file in the repository
Answer: C

Vault provides secure secrets storage and rotation.

Why this answer

A dedicated secrets manager such as HashiCorp Vault stores secrets (API keys, passwords, certificates) encrypted at rest, controls access through policy, audits every read, and can issue dynamic secrets: short-lived database or cloud credentials generated on demand and revoked when their lease expires, which gives rotation for free. Azure Key Vault and AWS Secrets Manager are also valid, but Vault is the common cross-platform choice. The application still has to authenticate to Vault, so in practice the bootstrap identity comes from the platform (for example Vault's Kubernetes or AWS IAM auth methods) rather than from a static token. The other options all leave secrets in artifacts that are copied, logged, or committed: image layers can be pulled and inspected, command-line arguments are visible in the process list, and files in the repository end up in version history.

79 · MCQ · hard

A company uses AWS and wants to ensure that no EC2 instance has a public IP address attached to a security group that allows inbound SSH from 0.0.0.0/0. Which service can continuously monitor and alert on such misconfigurations?

A. Cisco Umbrella
B. CSPM
C. AWS CloudTrail
D. AWS WAF
Answer: B

CSPM continuously checks cloud configurations against best practices.

Why this answer

Cloud Security Posture Management (CSPM) tools continuously pull the account's configuration through the cloud provider's APIs, evaluate it against benchmarks such as the CIS AWS Foundations Benchmark, and alert on violations; the combination asked for here (an instance with a public IP attached to a security group allowing SSH from 0.0.0.0/0) is a standard CSPM finding. Cisco Umbrella is DNS-layer security, CloudTrail records API calls but does not evaluate configuration on its own, and AWS WAF filters HTTP(S) traffic.

80 · MCQ · easy

In the shared responsibility model for cloud security, which of the following is the customer responsible for in an IaaS deployment?

A. Hypervisor security
B. Operating system and application security
C. Network infrastructure security
D. Physical security of the data center
Answer: B

The customer is responsible for the OS, applications, and data.

Why this answer

In IaaS, the cloud provider is responsible for the physical data center, the hardware, the hypervisor, and the physical network infrastructure, while the customer is responsible for everything inside the virtual machine: guest operating system hardening and patching, the applications, the data, and the configuration of the virtual network controls they deploy (security groups, firewall rules, IAM). Option C refers to the provider's physical network; the customer still owns how their virtual network is configured.

81 · MCQ · medium

A DevOps team is building a CI/CD pipeline for a cloud-native application. They want to automatically check Terraform scripts for insecure configurations before deployment. Which tool should be integrated into the pipeline?

A. Container image scanner
B. SAST scanner
C. DAST scanner
D. Checkov
Answer: D

Checkov scans Terraform, CloudFormation, etc., for security issues.

Why this answer

Checkov is a static analysis tool specifically designed to scan Infrastructure as Code (IaC) files like Terraform for security misconfigurations.
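Questions 76 and 81 both ask for the tool; what a tool like Checkov actually inspects is easier to see in code. The block below is an added example, not part of the original page and not Checkov's own code: a minimal check over Terraform written in its JSON syntax (.tf.json) that flags any aws_security_group with an ingress block admitting TCP/22 from 0.0.0.0/0 or ::/0. The sample resources are constructed here. Checkov's shipped policy for this case is CKV_AWS_24.

```python
"""Mini static IaC check over Terraform JSON syntax (.tf.json), in the spirit
of what Checkov does for aws_security_group resources.

Added example: not code from the original page and not Checkov's own code.
The sample document below is constructed for illustration."""
import ipaddress
import json

SSH_PORT = 22

# Constructed sample in Terraform JSON syntax.  "bad" opens SSH to the world
# over IPv4, "wide" opens every TCP port to the world over IPv6, and "good"
# restricts SSH to a bastion subnet.
SAMPLE_TF_JSON = json.dumps({
    "resource": {
        "aws_security_group": {
            "bad": {
                "name": "ssh-open",
                "ingress": [{"from_port": 22, "to_port": 22,
                             "protocol": "tcp",
                             "cidr_blocks": ["0.0.0.0/0"]}],
            },
            "good": {
                "name": "ssh-bastion-only",
                # a single nested block may also be written as one object
                "ingress": {"from_port": 22, "to_port": 22,
                            "protocol": "tcp",
                            "cidr_blocks": ["10.0.100.0/24"]},
            },
            "wide": {
                "name": "all-tcp-open-v6",
                "ingress": [{"from_port": 0, "to_port": 65535,
                             "protocol": "tcp",
                             "ipv6_cidr_blocks": ["::/0"]}],
            },
        }
    }
})


def is_world_cidr(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0: a /0 prefix matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_exposes_ssh(rule: dict) -> bool:
    """Does one ingress block admit TCP/22 from any address?"""
    proto = str(rule.get("protocol", "tcp")).lower()
    if proto in ("-1", "all"):
        covers_ssh = True                 # all protocols and ports
    elif proto == "tcp":
        lo = int(rule.get("from_port", 0))
        hi = int(rule.get("to_port", 65535))
        covers_ssh = lo <= SSH_PORT <= hi  # port range includes 22
    else:
        return False                      # udp/icmp cannot carry SSH
    cidrs = (list(rule.get("cidr_blocks", []))
             + list(rule.get("ipv6_cidr_blocks", [])))
    return covers_ssh and any(is_world_cidr(c) for c in cidrs)


def find_open_ssh(tf_json_text: str) -> list:
    """Resource addresses of security groups with SSH open to the world."""
    doc = json.loads(tf_json_text)
    findings = []
    groups = doc.get("resource", {}).get("aws_security_group", {})
    for name, body in groups.items():
        ingress = body.get("ingress", [])
        if isinstance(ingress, dict):     # single block written as an object
            ingress = [ingress]
        if any(rule_exposes_ssh(r) for r in ingress):
            findings.append(f"aws_security_group.{name}")
    return findings


if __name__ == "__main__":
    for addr in find_open_ssh(SAMPLE_TF_JSON):
        print(f"FAIL open SSH from anywhere: {addr}")
```

Running it reports `aws_security_group.bad` and `aws_security_group.wide` and stays silent on `good`. The two details worth noticing are the ones a naive grep misses: a wide port range (0-65535) or protocol -1 covers SSH without ever mentioning port 22, and `::/0` is just as open as `0.0.0.0/0`. A real policy engine also has to resolve variables and modules, which is the work Checkov does before evaluating rules like this one.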

82 · MCQ · easy

In the shared responsibility model for cloud security, which responsibility is the customer's in an IaaS deployment?

A. Physical security of data centers
B. Operating system security patches and updates
C. Network infrastructure including switches and routers
D. Hypervisor vulnerability management
Answer: B

The customer manages the OS, including patches.

Why this answer

In IaaS, the cloud provider manages the physical infrastructure and hypervisor, while the customer manages the operating system, applications, and data.

83 · MCQ · medium

A company uses Google Cloud and needs to securely connect their on-premises data center to a VPC without traversing the public internet. Which solution should they use?

A. Cloud NAT
B. Cloud VPN
C. Private Service Connect
D. Dedicated Interconnect
Answer: D

Dedicated Interconnect provides a private connection from on-premises to GCP.

Why this answer

Dedicated Interconnect (and Partner Interconnect, via a supported service provider) gives a direct, private physical link into Google Cloud that never traverses the public internet. Cloud VPN encrypts the traffic but tunnels it over the public internet, so it fails the stated requirement even though it is "secure"; Cloud NAT provides outbound internet access for instances without external IPs; Private Service Connect is for privately consuming Google or third-party services from inside a VPC, not for attaching an on-premises site.

84 · MCQ · medium

A company is deploying a multi-tier application in AWS. The web servers must be accessible from the internet, but the database servers should only be reachable from the web servers. Which AWS security controls should be used to enforce this?

A. Use network ACLs to allow inbound traffic to web servers from 0.0.0.0/0 and deny all traffic to database servers
B. Assign a security group to web servers allowing HTTP/S from 0.0.0.0/0, and a separate security group for databases allowing traffic only from the web server security group
C. Place web servers in a public subnet and database servers in a private subnet, and use a network ACL to block all traffic to the private subnet
D. Use AWS WAF to restrict access to database servers based on source IP
Answer: B

Security groups support referencing other security groups, enabling this granular control.

Why this answer

Security groups are stateful virtual firewalls attached to instances (strictly, to their network interfaces), and a rule can name another security group as its source, so the database group admits the database port from whatever instances currently carry the web group, without tracking their IP addresses as they scale or are replaced. Network ACLs are stateless, subnet-level, CIDR-only filters: options A and C would deny all traffic to the database tier, including the web servers' queries, and a NACL cannot express "from the web security group". AWS WAF (option D) inspects HTTP(S) requests and has no role in front of a database.
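The condition from question 79 (public IP plus a security group open to SSH from anywhere) and the security-group reference pattern from question 84 are both visible in the data a posture tool evaluates. The block below is an added example, not code from the original page or from any CSPM product: it correlates an instance inventory with security group rules the way such a check would. The record shapes follow the EC2 DescribeInstances and DescribeSecurityGroups API responses (IpPermissions, IpRanges, UserIdGroupPairs, PublicIpAddress), but every instance, group ID and address below is constructed.

```python
"""CSPM-style posture check: which EC2 instances have a public IP *and* sit
in a security group that admits SSH from anywhere?

Added example, not code from the original page.  The record shapes mirror
the EC2 DescribeInstances / DescribeSecurityGroups responses; all data is
constructed (IDs and addresses are made up)."""
import ipaddress

SSH_PORT = 22

# Constructed inventory.  sg-web is the web tier: HTTPS from anywhere, plus a
# mistaken SSH-from-anywhere rule.  sg-db is the database tier: MySQL only
# from members of sg-web (the security-group reference) and SSH only from
# the VPC range.
SECURITY_GROUPS = {
    "sg-web": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
    ]},
    "sg-db": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
    ]},
}

INSTANCES = [
    # public IP and open SSH: the finding
    {"InstanceId": "i-web01", "PublicIpAddress": "203.0.113.10",
     "SecurityGroups": [{"GroupId": "sg-web"}]},
    # same open group, but no public IP: not reachable from the internet
    {"InstanceId": "i-web-internal",
     "SecurityGroups": [{"GroupId": "sg-web"}]},
    # private database host: neither public nor open
    {"InstanceId": "i-db01",
     "SecurityGroups": [{"GroupId": "sg-db"}]},
    # public IP, but SSH restricted to the VPC: not a finding
    {"InstanceId": "i-bastion", "PublicIpAddress": "203.0.113.11",
     "SecurityGroups": [{"GroupId": "sg-db"}]},
]


def is_world_cidr(cidr: str) -> bool:
    """0.0.0.0/0 or ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def permission_opens_ssh_to_world(perm: dict) -> bool:
    """One IpPermissions entry: TCP (or all protocols) covering 22 from a /0."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        covers_ssh = True                 # all traffic; no FromPort/ToPort keys
    elif proto == "tcp":
        covers_ssh = perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)
    else:
        return False
    cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
             + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
    # UserIdGroupPairs (security-group references) are deliberately ignored:
    # they never match the world, which is exactly why the DB tier uses them.
    return covers_ssh and any(is_world_cidr(c) for c in cidrs)


def groups_with_open_ssh(groups: dict) -> set:
    return {gid for gid, g in groups.items()
            if any(permission_opens_ssh_to_world(p) for p in g["IpPermissions"])}


def find_exposed_instances(instances: list, groups: dict) -> list:
    """(instance_id, group_id) pairs: public IP and an open-SSH group."""
    open_sg = groups_with_open_ssh(groups)
    findings = []
    for inst in instances:
        if not inst.get("PublicIpAddress"):   # private instance: skip
            continue
        for sg in inst.get("SecurityGroups", []):
            if sg["GroupId"] in open_sg:
                findings.append((inst["InstanceId"], sg["GroupId"]))
    return findings


if __name__ == "__main__":
    for iid, gid in find_exposed_instances(INSTANCES, SECURITY_GROUPS):
        print(f"ALERT {iid}: public IP and SSH open to the world via {gid}")
```

Only `i-web01` is reported: the same open group on a private instance, and a public bastion whose SSH rule is scoped to the VPC, are not findings, which is the correlation the question is really asking for. On AWS itself the open-SSH half of the condition is covered by the AWS Config managed rule `restricted-ssh`; a CSPM adds the cross-resource correlation, the multi-account view, and the alerting.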

85 · MCQ · medium

An organization wants to protect their web application hosted on AWS from common exploits like SQL injection. Which AWS service should they use?

A. AWS Security Groups
B. AWS Shield
C. AWS CloudTrail
D. AWS WAF
Answer: D

WAF filters web traffic for exploits.

Why this answer

AWS WAF (Web Application Firewall) inspects HTTP(S) requests in front of CloudFront, an Application Load Balancer, or API Gateway and blocks requests matching managed or custom rules for SQL injection, cross-site scripting, and similar application-layer attacks. Security groups filter only on IP, protocol and port and cannot see request content; AWS Shield is DDoS protection; CloudTrail is an audit log of API calls, not a traffic filter.

