CCNA CASP Security Architecture Questions

75 of 142 questions · Page 1/2 · CASP Security Architecture topic

1
MCQ · medium

An organization is implementing a Secure Access Service Edge (SASE) architecture to support remote workers. Which key capability does SASE provide that traditional VPNs lack?

A. Software-defined WAN (SD-WAN) functionality
B. Network-layer encryption using IPsec
C. Identity-based access with zero trust principles
D. Web content filtering and DLP
Answer: C

SASE enforces access policies based on identity and context, aligning with zero trust, unlike traditional VPNs that grant broad network access.

Why this answer

SASE converges network and security functions and includes identity-based access, allowing granular policy enforcement based on user identity, device posture, and context. Traditional VPNs typically provide network-layer access without identity-driven security policies. SD-WAN is a component of SASE, not a unique capability.

Web filtering and DLP are also available separately, so neither is a capability unique to SASE.

2
MCQ · medium

A security engineer is designing a secure hybrid cloud connection between an on-premises data center and AWS. Which service provides a dedicated, private network connection that bypasses the public internet?

A. Site-to-Site VPN
B. Transit Gateway
C. Direct Connect
D. VPC Peering
Answer: C

Correct; Direct Connect is a dedicated private network connection.

Why this answer

AWS Direct Connect provides a dedicated private connection from on-premises to AWS.

3
MCQ · medium

A security architect is designing a cryptographic system for a government agency that must protect classified data for the next 30 years. The agency is concerned about the threat from quantum computers. Which NIST post-quantum cryptography algorithm is recommended for key encapsulation?

A. ECDH with NIST P-384
B. CRYSTALS-Kyber
C. CRYSTALS-Dilithium
D. RSA-4096
Answer: B

CRYSTALS-Kyber is a NIST-selected PQC algorithm for key encapsulation, designed to resist quantum attacks.

Why this answer

CRYSTALS-Kyber is a key encapsulation mechanism (KEM) selected by NIST for general encryption. CRYSTALS-Dilithium is a digital signature algorithm. RSA and ECDH are vulnerable to quantum attacks.

4
MCQ · medium

A security architect is designing a public key infrastructure (PKI). Which component is responsible for issuing and revoking certificates?

A. Validation Authority
B. Certificate Repository
C. Registration Authority
D. Certificate Authority
Answer: D

CA issues and revokes certificates.

Why this answer

The Certificate Authority (CA) is the trusted entity that issues digital certificates and maintains Certificate Revocation Lists (CRLs) or supports OCSP for revocation.

5
MCQ · medium

A company uses an API gateway to manage their microservices. Which security control should the gateway enforce to prevent abuse from excessive API calls?

A. JWT verification
B. Input validation
C. Rate limiting
D. OAuth 2.0
Answer: C

Correct; rate limiting controls the volume of API calls.

Why this answer

Rate limiting restricts the number of requests a client can make in a given period, preventing abuse.

6
MCQ · easy

Which of the following is a key principle of the zero trust security model?

A. Trust all internal traffic
B. Verify once, trust forever
C. Trust but verify
D. Never trust, always verify
Answer: D

This is the core principle of zero trust.

Why this answer

Zero trust operates on the principle of never trust, always verify, requiring continuous authentication and authorization for every access request, regardless of location.

7
MCQ · medium

An organization is planning to adopt quantum-resistant cryptography. According to NIST PQC standards, which algorithm is recommended for digital signatures?

A. Falcon
B. CRYSTALS-Kyber
C. CRYSTALS-Dilithium
D. RSA-4096
Answer: C

Dilithium is a NIST-standardized post-quantum digital signature algorithm.

Why this answer

CRYSTALS-Dilithium is one of the NIST-selected post-quantum digital signature algorithms, providing security against quantum attacks.

8
MCQ · hard

A security engineer is deploying a Cloud Access Security Broker (CASB) to protect a SaaS application. Which deployment mode allows the CASB to inspect encrypted traffic without requiring client software?

A. API mode
B. Inline proxy
C. Forward proxy
D. Reverse proxy
Answer: A

API mode works directly with the cloud provider's APIs, so no client software is needed.

Why this answer

API mode uses the SaaS provider's APIs to access data and logs, enabling inspection without proxying traffic or installing agents. It can analyze encrypted data via API calls.

9
MCQ · easy

A security analyst needs to ensure that only authorized containers run in a Kubernetes cluster. Which Kubernetes native security control should be configured?

A. Secrets management
B. Pod Security Policies
C. Network policies
D. RBAC
Answer: B

Pod Security Policies define constraints for pod creation.

Why this answer

Pod Security Policies (or Pod Security Admission) enforce security standards for pods, such as preventing privileged containers.

10
Multi-Select · easy

A company is implementing a defense-in-depth strategy for its web application. Which THREE of the following are layers that should be included? (Select THREE.)

Select 3 answers
A. Application security controls (WAF, input validation)
B. Single sign-on (SSO) without MFA
C. Data encryption at rest and in transit
D. Network firewall and IDS/IPS
E. Physical security of the data center
Answers: A, C, D

Application layer controls protect against web attacks.

Why this answer

Defense in depth uses multiple security layers: network controls, application security, and data protection are key layers.

11
MCQ · medium

A security architect is reviewing a Secure Access Service Edge (SASE) implementation. Which component of SASE provides security inspection for all traffic, regardless of location?

A. ZTNA
B. CASB
C. SWG
D. SD-WAN
Answer: C

SWG provides security inspection for web traffic.

Why this answer

SWG (Secure Web Gateway) is a key SASE component that inspects web traffic, enforces policies, and protects against threats, whether users are on-premises or remote.

12
MCQ · medium

An organization uses a hardware security module (HSM) to protect cryptographic keys. Which aspect of key management does an HSM primarily address?

A. Key rotation
B. Key escrow
C. Secure key storage and cryptographic operations
D. Digital certificate issuance
Answer: C

HSMs are designed to protect keys and perform crypto operations in a secure environment.

Why this answer

HSMs provide tamper-resistant hardware for secure key generation, storage, and operations, ensuring that private keys are never exposed in plaintext outside the device.

13
Multi-Select · medium

A security architect is evaluating cryptographic agility for a system that must be resistant to quantum computing attacks. Which TWO algorithms are part of the NIST PQC standards? (Select TWO.)

Select 2 answers
A. RSA-4096
B. CRYSTALS-Dilithium
C. AES-256
D. SHA-256
E. CRYSTALS-Kyber
Answers: B, E

Dilithium is a lattice-based signature scheme.

Why this answer

CRYSTALS-Kyber is a key encapsulation mechanism, and CRYSTALS-Dilithium is a digital signature scheme; both are NIST-selected PQC algorithms.

14
MCQ · medium

A company needs to connect its on-premises data center to a public cloud provider with low latency and high bandwidth while avoiding the public internet. Which connectivity method should be used?

A. Client VPN
B. Direct Connect
C. Site-to-site VPN
D. SD-WAN
Answer: B

Dedicated private connection for high bandwidth and low latency.

Why this answer

Direct Connect (or ExpressRoute) provides a dedicated private connection from on-premises to the cloud, bypassing the internet for better performance and security.

15
Multi-Select · easy

Which TWO of the following are key benefits of using a software-defined perimeter (SDP) in a zero trust architecture? (Select TWO.)

Select 2 answers
A. Reduces the attack surface by hiding network resources
B. Automates patch management
C. Eliminates the need for encryption
D. Provides identity-based access control
E. Simplifies network architecture by removing firewalls
Answers: A, D

SDP makes resources invisible to unauthorized users.

Why this answer

SDP hides network infrastructure and enforces identity-based access, reducing the attack surface and preventing lateral movement.

16
Multi-Select · medium

A security architect is designing a defense-in-depth strategy for a cloud-native application. Which TWO controls are most effective for protecting east-west traffic between microservices?

Select 2 answers
A. Service mesh with mutual TLS
B. Intrusion detection system (IDS) on the gateway
C. Micro-segmentation of virtual networks
D. Web application firewall (WAF)
E. Network access control lists (ACLs) at the perimeter
Answers: A, C

Correct – service mesh encrypts and authenticates service-to-service communication.

Why this answer

Micro-segmentation isolates traffic between services, and service mesh provides encrypted, authenticated communication. Both address east-west traffic.

17
Multi-Select · medium

A security architect is designing a supply chain security program. Which TWO of the following are essential components of a software bill of materials (SBOM) strategy? (Select TWO.)

Select 2 answers
A. Penetration testing results
B. Employee background checks
C. List of all open-source components and their versions
D. Network flow logs
E. Dependency analysis to identify known vulnerabilities
Answers: C, E

This is the core of an SBOM.

Why this answer

An SBOM lists open-source components and their versions, enabling vulnerability tracking. Dependency analysis helps identify known vulnerabilities in those components.

18
Multi-Select · hard

An organization is architecting a hybrid cloud environment with AWS and on-premises resources. Which THREE considerations are essential for meeting data residency requirements? (Choose three.)

Select 3 answers
A. Selecting the correct AWS region for data storage
B. Using only on-premises storage for all data
C. Storing encryption keys in the same region as the data
D. Implementing data classification policies
E. Using a global AWS account without region constraints
Answers: A, C, D

Region selection ensures data stays within specific geographic boundaries.

Why this answer

Data residency requires control over data location. AWS region selection determines physical storage location. Data classification policies enforce where data can reside.

Encryption keys stored in a specific region ensure data remains under jurisdictional control.

19
MCQ · easy

An organization is adopting a cloud-first strategy and needs to ensure compliance with SOC 2. Which cloud service model places the most responsibility on the customer for security?

B. FaaS
Answer: A

Customer responsibility is greatest in IaaS.

Why this answer

In IaaS, the customer manages the OS, applications, and data, while the provider secures the physical infrastructure. SOC 2 compliance therefore requires the customer to implement and operate many of the controls.

20
MCQ · hard

An organization is migrating to an immutable infrastructure model for its containerized applications. Which practice is essential to ensure the integrity of the immutable infrastructure?

A. Regular patching of running containers
B. Image scanning and signing in the CI/CD pipeline
C. Runtime security monitoring with seccomp
D. Use of configuration management tools like Ansible
Answer: B

Scanning for vulnerabilities and signing images ensures only trusted images are deployed.

Why this answer

Immutable infrastructure means that components are replaced rather than modified. Image scanning ensures that only secure, approved images are deployed, preventing tampered or vulnerable images from running.

21
MCQ · easy

Which cryptographic best practice ensures that a private key remains protected even if the server it is stored on is compromised?

A. Storing keys in a hardware security module (HSM)
B. Encrypting keys with AES-256
C. Using short key rotation intervals
D. Using strong key derivation functions
Answer: A

Correct – HSMs protect keys in hardware.

Why this answer

Hardware Security Modules (HSMs) provide tamper-resistant hardware to protect private keys, preventing extraction even if the server is compromised.

22
MCQ · medium

A company is migrating to AWS and needs to comply with SOC 2. Which cloud-native service would BEST help monitor and enforce security configurations across the AWS environment?

A. AWS CloudTrail
B. AWS WAF
C. AWS Config
D. AWS Shield
Answer: C

AWS Config monitors and evaluates resource configurations against compliance policies.

Why this answer

AWS Config continuously monitors and evaluates AWS resource configurations against desired policies, helping meet compliance requirements like SOC 2.

23
MCQ · easy

In a zero trust architecture, which concept ensures that an attacker who compromises one segment cannot move laterally to other segments?

A. Software-defined perimeter
B. Defense-in-depth layering
C. Identity-centric access
D. Micro-segmentation
Answer: D

Correct – micro-segmentation isolates workloads and limits lateral movement.

Why this answer

Micro-segmentation divides the network into small, isolated segments and enforces granular access controls, preventing lateral movement.

24
Multi-Select · hard

A security architect is designing a Kubernetes cluster for a government agency that requires high security and compliance with FedRAMP. The cluster will host microservices processing sensitive data. Which TWO configurations are most critical for hardening the Kubernetes environment? (Choose TWO.)

Select 2 answers
A. Deploying runtime security with seccomp and AppArmor
B. Enabling container image scanning
C. Implementing Role-Based Access Control (RBAC)
D. Using admission controllers like PodSecurityPolicy
E. Configuring network policies to restrict pod communication
Answers: C, E

RBAC ensures that only authorized users and service accounts have appropriate permissions, a fundamental security control.

Why this answer

RBAC (Role-Based Access Control) restricts user and service account permissions, enforcing least privilege. Network policies control pod-to-pod communication, enabling micro-segmentation. Pod security policies (now replaced by Pod Security Standards) are important but less critical than RBAC and network policies.

Image scanning and runtime security are important but are container security measures, not Kubernetes-specific hardening.

25
MCQ · medium

A company is implementing a zero trust architecture. Which of the following BEST describes the principle of micro-segmentation in this model?

A. Creating a single perimeter around the entire network
B. Isolating workloads at the virtual network interface level with granular security policies
C. Using VLANs to separate departments
D. Implementing a VPN for remote access
Answer: B

This accurately defines micro-segmentation in a zero trust model.

Why this answer

Micro-segmentation creates isolated zones for each workload, enabling granular security policies that restrict lateral movement even within the same network segment.

26
MCQ · medium

A security team is hardening a Kubernetes cluster. Which resource should be used to define fine-grained rules for which pods can communicate with each other?

A. Admission Controller
B. PodSecurityPolicy
C. RBAC
D. NetworkPolicy
Answer: D

Correct; NetworkPolicy defines network access rules between pods.

Why this answer

Kubernetes NetworkPolicies define ingress and egress rules that control pod-to-pod communication.

27
Multi-Select · medium

An organization is deploying a cloud workload protection platform (CWPP). Which TWO capabilities are essential for protecting workloads in a hybrid cloud?

Select 2 answers
A. Security information and event management
B. Identity and access management
C. Data loss prevention
D. Runtime protection
E. Vulnerability management
Answers: D, E

Runtime protection monitors and protects workloads during execution.

Why this answer

CWPP should provide vulnerability management across different environments and runtime protection (e.g., intrusion detection) for workloads regardless of location.

28
MCQ · medium

A security architect is designing a cloud security strategy for a company that uses multiple cloud providers. The architect needs a solution that provides visibility into cloud application usage, enforces security policies, and protects data. Which technology is most appropriate?

A. Cloud Workload Protection Platform (CWPP)
B. Cloud Access Security Broker (CASB)
C. Cloud Security Posture Management (CSPM)
D. Secure Access Service Edge (SASE)
Answer: B

CASB provides visibility, compliance, and data security for cloud applications.

Why this answer

A Cloud Access Security Broker (CASB) provides visibility, policy enforcement, and data protection across multiple cloud services.

29
Multi-Select · hard

An organization is implementing a zero trust architecture and needs to enforce identity-centric access for all resources. Which THREE components are essential to this approach?

Select 3 answers
A. User and entity behavior analytics (UEBA)
B. Network segmentation
C. Policy enforcement point (PEP)
D. Virtual private network (VPN)
E. Multi-factor authentication (MFA)
Answers: A, C, E

Correct – UEBA monitors for anomalous behavior.

Why this answer

Zero trust requires strong identity verification (MFA), dynamic policy enforcement (PEP), and continuous monitoring (UEBA).

30
MCQ · medium

An organization is adopting a DevSecOps approach and wants to integrate security early in the development lifecycle. Which practice involves creating visual representations of threats and identifying potential attack vectors during the design phase?

A. Threat modeling
B. Dynamic application security testing (DAST)
C. Static application security testing (SAST)
D. Runtime application self-protection (RASP)
Answer: A

Threat modeling identifies threats during design.

Why this answer

Threat modeling is a structured approach to identify and prioritize potential threats, often using diagrams like data flow diagrams, during the design phase of the SDLC.

31
MCQ · hard

A DevOps team integrates security into the CI/CD pipeline. They want to identify vulnerabilities in open-source libraries used by their application. Which tool or practice is specifically designed for this purpose?

A. Software Bill of Materials (SBOM) and dependency analysis
B. Runtime Application Self-Protection (RASP)
C. Static Application Security Testing (SAST)
D. Dynamic Application Security Testing (DAST)
Answer: A

SBOM lists all components, and dependency analysis checks them against known vulnerability databases.

Why this answer

Software Bill of Materials (SBOM) is a list of all components in the application, including open-source libraries. Dependency analysis tools use SBOMs to identify known vulnerabilities. SAST analyzes source code, not libraries.

DAST tests running applications. RASP provides runtime protection.

32
MCQ · medium

A company is migrating critical workloads to AWS and must secure data at rest. They need to maintain control over the encryption keys. Which service should they use to meet this requirement?

A. AWS Secrets Manager
B. AWS Certificate Manager (ACM)
C. AWS CloudHSM
D. AWS Shield
Answer: C

CloudHSM provides dedicated hardware security modules (HSMs) for key generation and storage, giving the customer full control over keys.

Why this answer

AWS Key Management Service (KMS) allows customers to create and manage their own keys, with options for customer-managed keys (CMKs) that give the customer control over key policies and lifecycle.

33
MCQ · easy

Which of the following is a benefit of using an immutable infrastructure approach?

A. Reduced need for configuration management
B. Easier manual patching of running servers
C. Elimination of configuration drift
D. Lower cost due to reusable hardware
Answer: C

Since servers are replaced rather than modified, drift is eliminated.

Why this answer

Immutable infrastructure means servers are never modified after deployment; instead, they are replaced with new instances. This eliminates configuration drift and ensures consistency.

34
MCQ · medium

A company is adopting a defense-in-depth strategy. Which of the following is an example of a preventive control at the network layer?

A. Intrusion Detection System (IDS)
B. Security Information and Event Management (SIEM)
C. Network segmentation
D. Penetration testing
Answer: C

Segmentation prevents unauthorized access between network zones.

Why this answer

Network segmentation limits lateral movement and reduces attack surface, making it a preventive network control.

35
MCQ · medium

During a threat modeling exercise for a new web application, the team identifies a risk of API abuse due to lack of rate limiting. Which security control should be implemented at the API gateway to mitigate this risk?

A. Input validation
B. OAuth 2.0 scopes
C. Rate limiting policies
D. JWT token expiration
Answer: C

Rate limiting directly addresses API abuse by throttling requests.

Why this answer

Rate limiting at the API gateway restricts the number of requests per client over a specified time, preventing abuse and DoS attacks.

36
MCQ · hard

An organization is implementing network segmentation to limit lateral movement. It wants to isolate application tiers at the virtual network level in a cloud environment. Which technology enforces policies on east-west traffic between VMs in different subnets?

A. Micro-segmentation
B. Transport Layer Security (TLS)
C. Virtual Private Network (VPN)
D. Secure Access Service Edge (SASE)
Answer: A

It enables granular control of east-west traffic between workloads.

Why this answer

Micro-segmentation uses software-defined policies to control traffic between individual workloads, often implemented via distributed firewalls or network security groups in cloud environments.

37
MCQ · medium

A security architect is designing a zero-trust architecture for a multi-cloud environment. Which principle is essential for enforcing identity-centric micro-segmentation?

A. Identity-based access policies
B. VPN concentrators
D. Perimeter firewalls
Answer: A

Identity-centric micro-segmentation relies on identity and attributes for granular access control.

Why this answer

In a zero-trust model, identity is the primary security boundary. Micro-segmentation uses identity and context to enforce least-privilege access, regardless of network location.

38
MCQ · medium

An organization wants to enforce consistent security policies across multiple cloud providers (AWS, Azure, GCP). Which tool is designed to continuously monitor and remediate misconfigurations in cloud environments?

A. Cloud Access Security Broker (CASB)
B. Security Information and Event Management (SIEM)
C. Cloud Workload Protection Platform (CWPP)
D. Cloud Security Posture Management (CSPM)
Answer: D

CSPM is specifically for continuous compliance and misconfiguration detection.

Why this answer

Cloud Security Posture Management (CSPM) automates the detection and remediation of cloud misconfigurations across multiple providers.

39
MCQ · easy

In the shared responsibility model for cloud security, which of the following is generally the responsibility of the cloud customer?

A. Configuration of network access controls
B. Hardware maintenance of servers
C. Hypervisor vulnerability patching
D. Physical security of data centers
Answer: A

Correct – the customer configures firewalls and security groups.

Why this answer

The customer is responsible for security 'in' the cloud, including guest OS, applications, and access management, while the provider secures the infrastructure.

40
MCQ · medium

A company is deploying containers in a Kubernetes cluster and needs to enforce that containers run with reduced capabilities. Which Linux security feature should be configured to drop unnecessary capabilities?

A. PodSecurityPolicy
B. Seccomp
C. AppArmor
D. SELinux
Answer: B

Correct; seccomp can filter system calls and drop capabilities.

Why this answer

Strictly speaking, Linux kernel capabilities are reduced by dropping them from the container's capability set, while seccomp profiles restrict the system calls a container may make; both limit what a container can do. Because the question asks for reducing capabilities and the typical exam answer is seccomp (or AppArmor), seccomp is selected here on the grounds that it restricts system calls.

41
MCQ · medium

An organization uses a multi-cloud strategy with workloads on AWS, Azure, and GCP. They need a single tool to monitor and enforce security configurations across all cloud environments. Which cloud security solution is best suited for this requirement?

A. Secure Access Service Edge (SASE)
B. Cloud Access Security Broker (CASB)
C. Cloud Workload Protection Platform (CWPP)
D. Cloud Security Posture Management (CSPM)
Answer: D

CSPM continuously monitors cloud configurations against best practices and compliance standards across multi-cloud environments.

Why this answer

Cloud Security Posture Management (CSPM) automates the monitoring and remediation of security misconfigurations across multiple cloud providers. CASB focuses on application access. CWPP protects workloads.

SASE is for network and security convergence.

42
MCQ · medium

An organization is implementing a Secure Access Service Edge (SASE) architecture. Which of the following is a key component of SASE?

A. Demilitarized Zone (DMZ)
B. Cloud Access Security Broker (CASB)
C. Intrusion Prevention System (IPS)
D. Virtual Private Network (VPN)
Answer: B

CASB is a core component of SASE.

Why this answer

SASE converges SD-WAN and security functions, including SWG, CASB, ZTNA, and FWaaS, delivered from the cloud.

43
MCQ · hard

During an API security review, an assessor finds that the API uses JSON Web Tokens (JWT) with a symmetric key shared among multiple services. Which of the following is the MOST significant security concern?

A. The token is not encrypted
B. Multiple services share the same symmetric key
C. The token does not include audience claim
D. Token expiration is not set
Answer: B

Shared symmetric keys increase the attack surface and risk of token forgery.

Why this answer

Using a shared symmetric key means any service with the key can forge tokens, compromising authentication integrity.

44
MCQ · easy

Which of the following is a primary function of a Cloud Access Security Broker (CASB)?

A. Scan container images for vulnerabilities
B. Provide IAM for cloud infrastructure
C. Enforce security policies between users and cloud applications
D. Monitor network traffic at the packet level
Answer: C

CASBs enforce policies for cloud application access and usage.

Why this answer

A CASB acts as an intermediary between users and cloud services, enforcing security policies such as access control, data loss prevention, and visibility into cloud application usage.

45
MCQ · medium

Which of the following is a key feature of TLS 1.3 compared to earlier versions?

A. Mandatory use of static RSA key exchange
B. Support for RC4 cipher
C. Backward compatibility with SSL 3.0
D. Reduced handshake latency
Answer: D

TLS 1.3 requires one round trip (or zero with pre-shared keys) compared to two in TLS 1.2.

Why this answer

TLS 1.3 reduces handshake latency by eliminating unnecessary round trips and removing insecure cipher suites, improving both security and performance.

46
MCQ · medium

A company is required to comply with FedRAMP for its cloud deployment. Which of the following is a key requirement for FedRAMP compliance?

A. Continuous monitoring and incident response
B. Third-party assessment by an accredited organization
C. Implementation of AES-256 encryption for all data
D. Annual penetration testing by internal team
Answer: B

A 3PAO must conduct the initial and periodic assessments.

Why this answer

FedRAMP requires third-party assessment by an accredited organization (3PAO) to verify that the cloud service provider meets the security controls.

47
Multi-Select · hard

A company is implementing a secure SDLC and wants to integrate application security testing early. Which THREE tools are most appropriate for shift-left security? (Select THREE.)

Select 3 answers
A. Runtime Application Self-Protection (RASP)
B. Static Application Security Testing (SAST)
C. Interactive Application Security Testing (IAST)
D. Software Composition Analysis (SCA)
E. Dynamic Application Security Testing (DAST)
Answers: B, C, D

SAST can be integrated into the IDE or build pipeline.

Why this answer

SAST scans source code early, SCA identifies open-source vulnerabilities, and IAST combines static and dynamic analysis within the CI/CD pipeline. DAST and RASP are typically run later or in production.

48
MCQ · easy

An organization is adopting a cloud-first strategy and wants to ensure proper security responsibilities are understood. Which concept defines the division of security responsibilities between the cloud provider and the customer?

A. Zero trust
B. Shared responsibility model
C. Software-defined perimeter
D. Defense in depth
Answer: B

Correctly describes the division of security responsibilities in cloud computing.

Why this answer

The shared responsibility model defines which security tasks are handled by the provider (e.g., physical security) and which by the customer (e.g., data access).

49
MCQ · medium

A company is deploying a cloud access security broker (CASB) to gain visibility into shadow IT. Which mode of operation would allow the CASB to inspect traffic without requiring proxy configuration on endpoints?

A. Reverse proxy mode
B. Inline mode
C. API-based mode
D. Forward proxy mode
Answer: C

API-based mode uses cloud provider APIs for out-of-band visibility.

Why this answer

API-based mode uses cloud provider APIs to access logs and metadata, providing visibility without inline traffic interception or endpoint changes.

50
MCQ · hard

An organization is deploying a containerized application on Kubernetes and must enforce that only approved container images are allowed to run, and that containers cannot escalate privileges. Which combination of controls should the architect implement?

A. Seccomp and AppArmor profiles with RBAC
B. Kubernetes network policies and RBAC
C. Admission controllers with image signing and PodSecurityPolicy
D. Container image scanning and network policies
Answer: C

Admission controllers can validate image signatures and PodSecurityPolicy restricts privilege escalation. Together they enforce image approval and prevent privilege escalation.

Why this answer

Admission controllers intercept requests to the Kubernetes API server; PodSecurityPolicy (now replaced by Pod Security Standards) can enforce privilege escalation restrictions. Image signing ensures only approved images are run. Seccomp and AppArmor are runtime security profiles, but they don't enforce image approval.

RBAC controls user access, not image approval. Network policies control traffic, not image approval.

51
Multi-Select · medium

A security architect is reviewing supply chain security for a software product. Which TWO artifacts are most important for verifying the integrity and provenance of third-party components?

Select 2 answers
A. Penetration test results
B. Software bill of materials (SBOM)
C. Dependency analysis report
D. Network flow logs
E. Database encryption configuration
Answers: B, C

Correct – SBOM provides component inventory.

Why this answer

SBOMs list all components and their versions; dependency analysis identifies vulnerabilities in those components.

52
Multi-Select · hard

An organization is implementing a software-defined perimeter (SDP) for zero trust network access. Which THREE characteristics are typical of an SDP architecture? (Choose three.)

Select 3 answers
A. Relies on IP-based allowlists
B. Applications are invisible to unauthorized users
C. Creates encrypted tunnels per session
D. Uses a single shared firewall for all traffic
E. Requires device authentication before granting network access
Answers: B, C, E

Correct; SDP hides applications until authenticated.

Why this answer

SDP hides infrastructure, requires authentication before connectivity, and creates per-session encrypted tunnels.

53
MCQeasy

A security architect is designing a zero trust architecture for a corporate network. Which principle is fundamental to the zero trust model?

A.Trust based on device compliance
B.Never trust, always verify
C.Trust based on network location
D.Trust but verify
AnswerB

Correct; this is the core principle of zero trust.

Why this answer

Zero trust assumes no implicit trust; every access request must be verified regardless of origin.

54
MCQmedium

A security architect is designing a PKI for an organization that requires high assurance certificates. The architect needs to protect the root CA private key. Which solution provides the highest level of security for the root CA key?

A.Store the key in an encrypted file on a secure server
B.Generate the key on a dedicated virtual machine
C.Use a Hardware Security Module (HSM) for key management
D.Keep the key on a smart card stored in a safe
AnswerC

HSMs provide physical tamper protection and dedicated cryptographic processing, meeting high assurance requirements.

Why this answer

Hardware Security Modules (HSMs) are tamper-resistant devices, typically validated to FIPS 140-2 or 140-3 Level 3 or higher, in which the key is generated, stored and used without ever leaving the hardware; they also support M-of-N access control, audited key ceremonies and backup between modules, all of which a root CA needs. A smart card also holds the key in hardware, but at a lower assurance level and without the enforced multi-person control and backup that root CA operations require. An encrypted file can be copied, and its protection is only as strong as the passphrase and the host it sits on.

A dedicated VM provides software isolation only; the key is exposed in memory to the hypervisor and to anyone who can read the disk image.

55
MCQmedium

An organization wants to implement infrastructure as code (IaC) with immutable infrastructure. Which security benefit does immutable infrastructure provide?

A.Better performance through caching
B.Reduced attack surface due to consistent configurations
C.Simpler network segmentation
D.Easier patch management
AnswerB

Immutable infrastructure ensures consistent, known-good configurations, reducing drift and vulnerabilities.

Why this answer

Immutable infrastructure enforces that servers are never modified after deployment; updates are made by replacing the entire server, reducing configuration drift and vulnerabilities.

56
MCQhard

A security architect is designing a secure connectivity solution between an on-premises data center and a public cloud provider. The solution must provide low latency, high bandwidth, and avoid traversing the public internet. Which approach BEST meets these requirements?

B.SD-WAN over internet
C.Direct Connect
D.Site-to-site VPN over internet
AnswerC

Direct Connect is a dedicated private connection that avoids the internet.

Why this answer

Direct Connect provides a dedicated private network connection from on-premises to AWS, bypassing the internet for low latency and high bandwidth.

57
MCQhard

An organization must comply with FedRAMP requirements for a cloud service. Which aspect of cloud security is most directly assessed under FedRAMP?

A.Data residency compliance
B.Cost optimization of cloud resources
C.Security controls of the cloud service provider
D.Performance SLA
AnswerC

FedRAMP evaluates the effectiveness of security controls per NIST SP 800-53.

Why this answer

FedRAMP is a US government program that standardizes security assessment, authorization, and continuous monitoring for cloud products and services, focusing on the security controls implemented by the cloud service provider.

58
MCQmedium

A security architect is designing a zero trust architecture for a financial services company. Which component is MOST critical to enforce identity-centric access control in a zero trust model?

A.Network firewall
C.Software-defined perimeter
D.VPN concentrator
AnswerC

SDP creates identity-based, micro-segmented access.

Why this answer

In zero trust, every access request is authenticated, authorized, and encrypted. A software-defined perimeter (SDP) provides identity-centric, micro-segmented access that hides network resources and enforces least privilege.

59
Multi-Selectmedium

A security architect is designing a zero trust network architecture and needs to implement micro-segmentation. Which TWO of the following techniques are commonly used to achieve micro-segmentation? (Select TWO).

Select 2 answers
A.Network Access Control (NAC)
B.Software-defined networking (SDN) policies
C.IPsec VPN tunnels between subnets
D.Host-based firewalls
E.VLAN segmentation
AnswersB, D

SDN enables dynamic, granular policy enforcement between workloads.

Why this answer

Micro-segmentation can be implemented using software-defined networking (SDN) policies and host-based firewalls (e.g., via agents, or Kubernetes network policies enforced on each node) to control traffic between individual workloads. VLANs segment at the subnet level, which is too coarse for per-workload policy; NAC gates admission to the network rather than controlling east-west traffic; IPsec tunnels between subnets encrypt traffic but do not decide which workloads may talk to each other.

60
MCQmedium

An organization is adopting SASE to converge network and security functions. Which component of SASE provides secure web gateway (SWG) capabilities?

A.ZTNA
B.SD-WAN
C.Secure Web Gateway
D.CASB
AnswerC

Correct; SWG provides web filtering and threat protection.

Why this answer

SWG is a key SASE component that protects users from web-based threats by filtering traffic.

61
Multi-Selecthard

An organization is migrating to a zero trust model and wants to implement identity-centric security. Which THREE of the following are key principles of an identity-centric zero trust approach? (Select THREE.)

Select 3 answers
A.Implicit trust based on network location
B.Least privilege access with just-in-time privileges
C.Continuous verification of identity and device health
D.Multi-factor authentication (MFA) for all users
E.Single static firewall perimeter
AnswersB, C, D

Least privilege is fundamental.

Why this answer

Identity-centric zero trust focuses on strong authentication, least privilege, and continuous verification of identity for every access request.

62
MCQmedium

A security architect is designing a hybrid cloud environment. The organization requires low-latency, private connectivity between on-premises and a public cloud provider, bypassing the public internet. Which solution best meets this requirement?

A.Site-to-site VPN over the internet
B.Private link (e.g., AWS PrivateLink)
C.Direct Connect / ExpressRoute
D.SD-WAN with internet breakout
AnswerC

Correct – dedicated private connection with low latency.

Why this answer

Direct Connect (AWS) or Azure ExpressRoute provide dedicated private network connections from on-premises to the cloud, offering low latency and security.

63
MCQeasy

In the shared responsibility model for cloud security, which of the following is typically the responsibility of the customer when using an Infrastructure as a Service (IaaS) model?

A.Configuration of the hypervisor
B.Network infrastructure maintenance
C.Physical security of data centers
D.Encryption of data at rest within the environment
AnswerD

Customers are responsible for encrypting their own data, including data at rest, as they control the encryption keys and policies.

Why this answer

In IaaS, the customer is responsible for securing the operating system, applications, and data. The cloud provider is responsible for the physical infrastructure, hypervisor, and network. Encryption of data at rest is typically a customer responsibility, as they control the data.

Physical security is the provider's responsibility. Network infrastructure is the provider's responsibility.

64
MCQeasy

A security analyst is investigating an API that uses JSON Web Tokens (JWT) for authentication. Which field in a JWT contains the token expiration time?

A.exp
B.iss
C.iat
D.sub
AnswerA

exp is expiration time.

Why this answer

The 'exp' (expiration time) claim, defined in RFC 7519 section 4.1.4, is a NumericDate (seconds since the Unix epoch) after which the token must be rejected. 'iat' is the time the token was issued, 'iss' identifies the issuer, and 'sub' identifies the subject. A short expiry limits the window in which a stolen token can be replayed; it does not prevent replay on its own, so short-lived access tokens are usually paired with refresh tokens and, where needed, a revocation list keyed on 'jti'. A verifier should check the signature before trusting any claim and allow only a small clock-skew leeway (tens of seconds, not minutes).

65
MCQmedium

During a secure SDLC, a security architect wants to identify design flaws early. Which activity is most appropriate for the design phase?

A.Threat modeling
B.Penetration testing
C.Dynamic application security testing (DAST)
D.Static application security testing (SAST)
AnswerA

Correct – threat modeling identifies design flaws.

Why this answer

Threat modeling is performed during the design phase to identify potential security threats and vulnerabilities before code is written.

66
MCQmedium

An organization is deploying containerized applications and needs to enforce security policies that restrict the system calls a container can make. Which Linux security module should be used?

A.seccomp
B.AppArmor
C.chroot
D.SELinux
AnswerA

seccomp can restrict system calls available to a container.

Why this answer

seccomp (secure computing mode) filters system calls with a BPF program attached to the process, so a container can be given only the syscalls it needs while every other call returns an error or kills the process, reducing the kernel attack surface. Strictly, seccomp is a kernel facility rather than a Linux Security Module; AppArmor and SELinux are LSMs that enforce mandatory access control on files, capabilities and network rather than individual syscalls, and chroot only changes the apparent root directory. Docker applies a default seccomp profile, and Kubernetes can request it with securityContext.seccompProfile.type: RuntimeDefault.

67
MCQhard

A container security team wants to enforce that containers run with the least privileges possible. Which Linux security module can be used to restrict system calls available to a container?

A.Pod Security Policy
B.AppArmor
C.SELinux
D.seccomp
AnswerD

seccomp enables filtering of system calls to reduce attack surface.

Why this answer

seccomp allows filtering system calls, enabling an allowlist of permitted calls (defaultAction SCMP_ACT_ERRNO with explicit SCMP_ACT_ALLOW rules) that reduces the kernel attack surface to what the workload actually uses. Pod Security Policy was a Kubernetes admission control (removed in 1.25), not a syscall filter; AppArmor and SELinux confine file, capability and network access rather than individual syscalls.
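
The allowlist-versus-denylist distinction from questions 66 and 67, as an added example (not code from the page or from Docker): a set of syscalls is extracted from constructed strace output, turned into an OCI seccomp profile in both shapes, and a query function shows that a syscall nobody listed (unshare) is blocked under the allowlist but silently permitted under the denylist. The strace lines and syscall lists are illustrative; a real profile needs the full set of calls the workload makes (brk, mmap, futex and so on), captured by tracing every code path.

```python
"""Build and query OCI seccomp profiles: allowlist vs denylist (added example).

The strace lines are constructed and the syscall lists are illustrative,
not a complete profile for any real workload.
"""
import json
import re

STRACE_LINE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(?P<name>[a-z_][a-z0-9_]*)\(")

# Constructed excerpt of `strace -f` output from a small network service.
SAMPLE_STRACE = """\
execve("/app/server", ["/app/server"], 0x55d0c1a2b3c0) = 0
[pid  1201] openat(AT_FDCWD, "/app/config.yml", O_RDONLY|O_CLOEXEC) = 3
[pid  1201] read(3, "listen: 8080\\n", 4096) = 13
[pid  1201] write(1, "ready\\n", 6) = 6
[pid  1202] epoll_wait(4, [], 64, -1) = 0
"""


def syscalls_from_strace(text: str) -> set[str]:
    """Collect the syscall names that appear in a trace."""
    names = set()
    for line in text.splitlines():
        match = STRACE_LINE.match(line)
        if match:
            names.add(match.group("name"))
    return names


def allowlist_profile(allowed: set[str], arch: str = "SCMP_ARCH_X86_64") -> dict:
    """Everything not listed fails with EPERM: the least-privilege shape."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": [arch],
        "syscalls": [{"names": sorted(allowed), "action": "SCMP_ACT_ALLOW"}],
    }


def denylist_profile(blocked: set[str], arch: str = "SCMP_ARCH_X86_64") -> dict:
    """Everything runs unless listed: easier to adopt, but anything forgotten slips through."""
    return {
        "defaultAction": "SCMP_ACT_ALLOW",
        "architectures": [arch],
        "syscalls": [{"names": sorted(blocked), "action": "SCMP_ACT_ERRNO"}],
    }


def syscall_action(profile: dict, name: str) -> str:
    """Resolve what the profile does for one syscall (first matching rule, else the default)."""
    for rule in profile["syscalls"]:
        if name in rule["names"]:
            return rule["action"]
    return profile["defaultAction"]


if __name__ == "__main__":
    observed = syscalls_from_strace(SAMPLE_STRACE)
    # exit_group and close never showed in the short excerpt but every process needs them.
    allow = allowlist_profile(observed | {"exit_group", "close"})
    deny = denylist_profile({"ptrace", "mount", "keyctl"})
    for name in ("read", "ptrace", "unshare"):
        print(f"{name:10} allowlist={syscall_action(allow, name):14} denylist={syscall_action(deny, name)}")
    # Run with: docker run --security-opt seccomp=profile.json ...
    print(json.dumps(allow, indent=2))
```

Under the denylist, unshare (which can create a new user namespace and is a common first step in container escapes) is allowed simply because nobody thought to list it; under the allowlist it is blocked by default. That asymmetry is the argument for allowlisting in the hard question above.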

68
Multi-Selecthard

A security team is implementing a secure SDLC for a new application. Which THREE activities should be included as part of the development phase? (Choose three.)

Select 3 answers
A.Runtime application self-protection (RASP) deployment
B.Penetration testing on production environment
C.Static application security testing (SAST)
D.Threat modeling
E.Dependency analysis for open-source libraries
AnswersC, D, E

Correct; SAST analyzes source code for vulnerabilities during development.

Why this answer

During development, SAST scans source code, dependency analysis checks libraries, and threat modeling identifies design flaws.

69
Multi-Selecthard

An organization is planning to adopt quantum-resistant cryptography. According to NIST PQC standards, which THREE algorithms are currently selected for standardization? (Select THREE).

Select 3 answers
A.Elliptic Curve Diffie-Hellman (ECDH)
B.CRYSTALS-Kyber
C.FALCON
D.CRYSTALS-Dilithium
E.RSA-4096
AnswersB, C, D

CRYSTALS-Kyber is the selected KEM.

Why this answer

In July 2022 NIST selected CRYSTALS-Kyber (key encapsulation), CRYSTALS-Dilithium and FALCON (digital signatures), and SPHINCS+ (a hash-based signature chosen as a conservative backup) for standardization. In August 2024 the first standards were published: FIPS 203 (ML-KEM, derived from Kyber), FIPS 204 (ML-DSA, from Dilithium) and FIPS 205 (SLH-DSA, from SPHINCS+); FALCON is being standardized separately as FN-DSA. RSA and ECDH rest on integer factoring and discrete logarithms, which Shor's algorithm breaks on a sufficiently large quantum computer, so they are not quantum-resistant regardless of key size.

70
MCQmedium

A company is migrating to a public cloud and wants to ensure they understand their security responsibilities. According to the shared responsibility model, which of the following is typically the responsibility of the cloud customer?

A.Hypervisor security
B.Physical security of data centers
C.Network infrastructure security
D.Identity and access management
AnswerD

Correct; IAM is a customer responsibility.

Why this answer

The customer is responsible for securing data, applications, and access management even in IaaS/PaaS/SaaS.

71
MCQmedium

A company uses a CASB to monitor cloud application usage. Which primary function does a CASB provide for enforcing security policies between users and cloud services?

A.Encryption key management for cloud storage
B.Vulnerability scanning of cloud infrastructure
C.Policy enforcement point for cloud services
D.Workload protection runtime monitoring
AnswerC

Correct – CASB enforces policies for cloud usage.

Why this answer

A CASB acts as an intermediary to enforce security policies such as access control, data loss prevention, and threat protection between users and cloud services.

72
Multi-Selectmedium

A security architect is evaluating Cloud Security Posture Management (CSPM) tools. Which TWO capabilities are typically provided by CSPM? (Choose two.)

Select 2 answers
A.Detection of compliance violations
B.Web application firewall (WAF) management
C.Vulnerability scanning of container images
D.DDoS protection
E.Continuous monitoring of cloud resource configurations
AnswersA, E

CSPM identifies violations against frameworks like SOC 2, ISO 27001.

Why this answer

CSPM tools continuously monitor cloud environments for misconfigurations and compliance violations, and they provide remediation guidance.

73
MCQhard

A company is migrating to immutable infrastructure for its production environment. The security architect needs to ensure that any changes to the infrastructure are made by replacing instances, not by modifying existing ones. Which security advantage does immutable infrastructure provide?

A.It eliminates all security vulnerabilities in the infrastructure
B.It removes the need for vulnerability scanning of base images
C.It simplifies compliance by eliminating the need for patching
D.It prevents attackers from establishing persistence by modifying system files
AnswerD

Since instances are replaced rather than updated, any unauthorized changes are lost when the instance is replaced.

Why this answer

Immutable infrastructure ensures that servers are never modified after deployment: configuration and software changes are made by building a new image and replacing the running instances. This prevents configuration drift, makes any unauthorized modification detectable as a divergence from the image, and means an attacker's implant is lost at the next rollout unless the image pipeline itself was compromised. It also facilitates rapid recovery, since a known-good instance can be redeployed from the image.

It does not eliminate vulnerabilities or remove the need for patching; patching is done by rebuilding the image and replacing instances, and base images still need scanning. Ephemeral instances can also complicate forensics rather than simplify it: evidence disappears when the instance is replaced unless disk snapshots, memory captures or centralized logs are collected before termination.
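
How the "divergence from the image" is detected, as an added example (not code from the page): the image build records a manifest of file hashes, a later check hashes the live filesystem and reports files that were modified, added or removed, ignoring paths that are expected to change at runtime. Any drift on a tracked path is grounds to snapshot the instance for forensics and then replace it. The golden image and the live filesystem below are constructed in memory; on a real host the manifest comes from the build and the live hashes from walking the root filesystem.

```python
"""Detect drift from an immutable image by comparing file hashes (added example).

The manifest and the 'live' filesystem are constructed in memory. The added
/etc/ld.so.preload entry mimics a common Linux persistence technique; the
contents are placeholders, not a real implant.
"""
import hashlib

MUTABLE_PREFIXES = ("/var/log/", "/tmp/", "/run/")   # expected to change; not tracked


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Path -> SHA-256, as recorded at image build time."""
    return {path: sha256_hex(content) for path, content in files.items()}


def detect_drift(manifest: dict[str, str], live_files: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare the live filesystem with the image manifest on tracked paths only."""
    live = build_manifest(live_files)

    def tracked(path: str) -> bool:
        return not path.startswith(MUTABLE_PREFIXES)

    return {
        "modified": sorted(p for p in manifest if p in live and live[p] != manifest[p] and tracked(p)),
        "added": sorted(p for p in live if p not in manifest and tracked(p)),
        "removed": sorted(p for p in manifest if p not in live and tracked(p)),
    }


def should_replace(report: dict[str, list[str]]) -> bool:
    """Any tracked drift means the instance no longer matches the image."""
    return any(report.values())


# Constructed golden image contents (hashed at build time).
GOLDEN_IMAGE = {
    "/usr/bin/server": b"\x7fELF\x02\x01\x01 server v1",
    "/usr/lib/app/helper.so": b"\x7fELF\x02\x01\x01 helper v1",
    "/etc/app/config.yml": b"listen: 8080\n",
}

# Constructed live filesystem of a running instance that has been tampered with.
LIVE_INSTANCE = {
    "/usr/bin/server": b"\x7fELF\x02\x01\x01 server v1",          # unchanged
    "/etc/app/config.yml": b"listen: 8080\nadmin_token: leaked\n",  # modified
    "/etc/ld.so.preload": b"/tmp/.x/inject.so\n",                 # added: persistence via preload
    "/tmp/.x/inject.so": b"placeholder",                           # under /tmp, not tracked
    "/var/log/app.log": b"ready\n",                                # runtime data, not tracked
    # /usr/lib/app/helper.so is missing: removed
}

if __name__ == "__main__":
    manifest = build_manifest(GOLDEN_IMAGE)
    report = detect_drift(manifest, LIVE_INSTANCE)
    print(report)
    print("replace instance:", should_replace(report))
```

The manifest should be produced by the image build and stored outside the instance (signed, alongside the image), since a manifest kept on the host can be edited by the same attacker who modified the files.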

74
MCQhard

During a security assessment, a penetration tester discovers that a web application fails to validate the size of user input, leading to a buffer overflow. Which application security control would have BEST prevented this vulnerability?

A.Input validation
B.Static application security testing (SAST)
C.Web application firewall (WAF)
D.Rate limiting
AnswerA

Input validation directly prevents malformed input from causing buffer overflows.

Why this answer

Input validation ensures that data conforms to expected formats and lengths before it is processed, so oversized input is rejected rather than copied into a fixed-size buffer. SAST might have detected the flaw but does not prevent it at runtime; a WAF can block some malicious payloads but is a compensating control, not a fix; rate limiting does not address malformed input at all.

75
MCQmedium

A security architect is designing a PKI for a large enterprise. Which component is used to protect private keys and perform cryptographic operations in a tamper-resistant environment?

A.Hardware Security Module (HSM)
B.Certificate Revocation List (CRL)
C.Key Management Service (KMS)
D.Certificate Authority (CA)
AnswerA

HSM is designed for tamper-resistant key protection and cryptographic operations.

Why this answer

A hardware security module (HSM) provides secure generation, storage, and management of cryptographic keys in a tamper-resistant device.
