CCNA Casp Security Architecture Questions

67 of 142 questions · Page 2/2 · Casp Security Architecture topic · Answers revealed

76 · MCQ · medium

A company uses Kubernetes for container orchestration. Which security control should be implemented to enforce that only specific images from a trusted registry can run in the cluster?

A. Pod security admission (PSA)
B. Admission controller (e.g., OPA/Gatekeeper)
C. Network policies
D. RBAC roles
Answer: B

Correct – admission controllers can validate image registry.

Why this answer

Admission controllers can intercept requests to the Kubernetes API server and enforce policies, such as allowing only images from a specific registry.

77 · Multi-Select · hard

A company is developing a secure software development lifecycle (SDLC) and wants to integrate security testing early. Which THREE techniques should be used to find vulnerabilities in code during development? (Choose three.)

Select 3 answers
A. Penetration testing
B. Software Bill of Materials (SBOM) analysis
C. Threat modeling
D. Dynamic Application Security Testing (DAST)
E. Static Application Security Testing (SAST)
Answers: C, D, E

Threat modeling identifies potential threats during design.

Why this answer

Threat modeling identifies design issues, SAST finds vulnerabilities in source code, and DAST finds vulnerabilities in running applications.

78 · Multi-Select · medium

A security architect is implementing a zero trust architecture for a corporate network. Which TWO principles are fundamental to the zero trust approach? (Choose two.)

Select 2 answers
A. Grant access based on network location
B. Assume implicit trust for internal users
C. Use a single perimeter firewall
D. Verify every access request regardless of source
E. Implement least privilege access
Answers: D, E

All access must be authenticated and authorized.

Why this answer

Zero Trust requires verifying every request and limiting access to only what is needed, regardless of user location or network.

79 · MCQ · hard

A security team is hardening a Kubernetes cluster. Which control should be implemented to restrict a container's system calls to only those required by the application?

A. Seccomp
B. AppArmor
C. Network policies
D. Pod security policies
Answer: A

Seccomp restricts system calls for containers.

Why this answer

seccomp (secure computing mode) filters system calls a process can make, reducing the kernel attack surface. It is a Linux kernel feature commonly used in container security.

80 · MCQ · easy

In the shared responsibility model for cloud security, which of the following is typically the responsibility of the customer?

A. Data classification and encryption
B. Physical security of data centers
C. Network infrastructure security
D. Hypervisor security
Answer: A

Customers are responsible for classifying and encrypting their own data.

Why this answer

The customer is responsible for securing their data, applications, and access management, while the provider secures the infrastructure.

81 · Multi-Select · hard

A DevSecOps team is integrating security into the CI/CD pipeline. Which THREE practices should be included to ensure supply chain security?

Select 3 answers
A. Network segmentation
B. Dependency analysis
C. Container image scanning
D. Runtime application self-protection
E. Software Bill of Materials (SBOM)
Answers: B, C, E

Dependency analysis scans dependencies for known vulnerabilities.

Why this answer

SBOMs provide transparency of components, dependency scanning reveals known vulnerabilities, and image scanning ensures container images are free of malware. Together they strengthen supply chain security.

82 · Multi-Select · medium

A security architect is designing a cloud security strategy for a healthcare organization that uses a hybrid cloud environment with AWS and Azure. The organization must comply with HIPAA and needs to protect sensitive patient data. Which THREE cloud security controls should be prioritized? (Choose THREE.)

Select 3 answers
A. Virtual Private Cloud (VPC)
B. Cloud Workload Protection Platform (CWPP)
C. Cloud Access Security Broker (CASB)
D. Identity and Access Management (IAM)
E. Cloud Security Posture Management (CSPM)
Answers: B, C, E

CWPP secures workloads running in hybrid cloud, including vulnerability management and runtime protection.

Why this answer

Cloud Access Security Broker (CASB) provides visibility and data protection across cloud services, CSPM identifies misconfigurations that could lead to breaches, and Cloud Workload Protection Platform (CWPP) secures workloads in public clouds. IAM and VPC are important but are more basic controls; they are not the primary focus for this scenario.

83 · MCQ · hard

A company is preparing for post-quantum cryptography migration. According to NIST PQC standards, which algorithm is a candidate for key encapsulation?

A. CRYSTALS-Dilithium
B. SPHINCS+
C. Falcon
D. CRYSTALS-Kyber
Answer: D

Kyber is the NIST standard for key encapsulation.

Why this answer

CRYSTALS-Kyber is a NIST-selected algorithm for key encapsulation, designed to resist quantum attacks. It is used for establishing symmetric keys.

84 · MCQ · easy

A security analyst is reviewing a Kubernetes cluster's security configuration. Which component should be used to ensure that only authorized pods can communicate with each other?

A. Pod Security Policies (PSP)
B. Seccomp profiles
C. Network Policies
D. RBAC roles
Answer: C

Network policies define how groups of pods can communicate with each other and other network endpoints.

Why this answer

Kubernetes Network Policies allow you to define ingress and egress rules for pods, controlling traffic at the IP address or port level, which is essential for micro-segmentation.

85 · MCQ · hard

A company must protect cryptographic keys used to sign financial transactions. The solution must be FIPS 140-2 Level 3 compliant and provide tamper-resistant hardware. Which technology should be deployed?

A. Software-based key management system
B. Hardware security module
C. Cloud KMS
D. TPM
Answer: B

HSMs are tamper-resistant hardware meeting FIPS 140-2 Level 3.

Why this answer

HSMs (Hardware Security Modules) provide tamper-resistant, FIPS 140-2 Level 3+ certified hardware for key generation, storage, and signing operations.

86 · Multi-Select · medium

A security architect is evaluating an API security strategy for a SaaS application that supports OAuth 2.0. Which TWO controls should the architect recommend to protect against token interception and replay attacks?

Select 2 answers
A. Using long-lived access tokens to reduce authentication frequency
B. Enforcing short-lived access tokens with refresh token rotation
C. Encrypting JWT payloads with a symmetric key
D. Implementing token binding to bind tokens to a specific client session
E. Implementing rate limiting on the token endpoint
Answers: B, D

Short-lived tokens limit the time window for misuse, and rotating refresh tokens adds security.

Why this answer

Using short-lived access tokens reduces the window of opportunity for replay attacks. Token binding (proof-of-possession) ties the token to the client, making interception less useful. Rate limiting mitigates brute force but not token interception.

Long-lived tokens increase risk. JWT encryption protects content but not replay.

87 · Multi-Select · easy

A company is implementing API security for its web services. Which THREE of the following are considered best practices for securing APIs? (Select THREE.)

Select 3 answers
A. Rely solely on symmetric encryption for data at rest
B. Validate all input
C. Use WPA3 for transport encryption
D. Implement rate limiting
E. Use OAuth 2.0 for authorization
Answers: B, D, E

Input validation prevents injection and other attacks.

Why this answer

API security best practices include using OAuth 2.0 for authentication/authorization, implementing rate limiting to prevent abuse, and validating input to prevent injection attacks. WPA3 is for Wi-Fi; symmetric encryption alone is not a complete API security practice.

88 · Multi-Select · medium

An organization is hardening its Kubernetes cluster. Which THREE of the following are effective controls to limit the blast radius of a compromised container?

Select 3 answers
A. Using RBAC to restrict service account permissions
B. Implementing Kubernetes network policies to restrict pod-to-pod communication
C. Performing regular container image scanning for vulnerabilities
D. Applying seccomp profiles to limit system call availability
E. Enforcing Pod Security Standards (PSS) such as the 'restricted' policy
Answers: B, D, E

Network policies limit which pods can communicate, containing potential lateral movement.

Why this answer

Network policies restrict communication between pods, limiting lateral movement. Seccomp profiles restrict system calls, reducing attack surface. Pod Security Standards (PSS) enforce security contexts like not running as root.

RBAC controls user access, not container-to-container. Image scanning identifies vulnerabilities but does not limit blast radius.

89 · Multi-Select · medium

An organization is designing a PKI for certificate lifecycle management. Which TWO practices are critical for maintaining the security of the certificate authority (CA)? (Select TWO.)

Select 2 answers
A. Setting long certificate validity periods to reduce renewal frequency
B. Storing the root CA private key in a hardware security module (HSM)
C. Using certificate pinning to prevent man-in-the-middle attacks
D. Using self-signed certificates for all internal services
E. Implementing Online Certificate Status Protocol (OCSP) for revocation checking
Answers: B, E

HSMs provide tamper-resistant key storage.

Why this answer

HSMs protect private keys, and OCSP provides real-time revocation status. Both are essential for CA security.

90 · MCQ · easy

A security architect is designing a zero trust architecture for a financial institution. Which principle is fundamental to the zero trust model?

A. Trust but verify all network traffic
B. Use VPNs for all remote access
C. Perimeter-based security is sufficient
D. Assume breach and verify explicitly
Answer: D

This is the foundational principle of zero trust: never trust, always verify.

Why this answer

Zero trust assumes no implicit trust based on network location; all access requests must be authenticated and authorized regardless of origin. Micro-segmentation and identity-centric controls support this, but the core principle is 'trust no one by default'.

91 · MCQ · medium

An organization is designing a PKI to issue certificates to thousands of IoT devices. Which architectural decision will BEST support automated certificate lifecycle management?

A. Online root CA with self-signed certificates
B. Automated enrollment using SCEP
C. Using a public CA for all IoT devices
D. Offline root CA with manual issuance
Answer: B

SCEP automates certificate enrollment for large numbers of devices.

Why this answer

Automated certificate enrollment using SCEP or ACME protocols enables devices to request and renew certificates without manual intervention.

92 · MCQ · medium

An enterprise is implementing a cloud security posture management (CSPM) solution. What is the primary function of CSPM?

A. Monitoring and remediating misconfigurations
B. Brokering access to cloud apps
C. Protecting workloads from malware
D. Encrypting data at rest
Answer: A

CSPM focuses on posture management via configuration assessment.

Why this answer

CSPM continuously monitors cloud infrastructure for misconfigurations, compliance violations, and security risks, providing automated remediation and reporting.

93 · MCQ · hard

A security architect is designing an API security strategy for a microservices-based application. The architect needs to ensure that only authenticated and authorized clients can invoke APIs, and that rate limiting is enforced to prevent abuse. Which technology should be placed in front of the microservices?

A. API Gateway
B. Web Application Firewall (WAF)
C. Reverse proxy
Answer: A

API gateway can enforce authentication, authorization, rate limiting, and input validation.

Why this answer

An API gateway handles authentication, authorization, rate limiting, and routing, providing a central security control point.

94 · MCQ · easy

A security administrator needs to ensure that only authorized devices can access the corporate network. Which technology would best enforce this requirement at the network access layer?

A. TLS 1.3
C. 802.1X
D. DNSSEC
Answer: C

Correct; 802.1X authenticates devices before granting network access.

Why this answer

802.1X provides port-based authentication, allowing only authorized devices to connect to the network.

95 · MCQ · hard

An organization wants to implement an immutable infrastructure for its containerized applications. Which security benefit is most directly achieved by immutability?

A. Eliminates need for runtime security monitoring
B. Prevents unauthorized modifications to running containers
C. Allows use of privileged containers securely
D. Reduces image scanning frequency
Answer: B

Correct – containers are replaced, not patched in place.

Why this answer

Immutable infrastructure ensures that once a container image is deployed, it is never modified. Any change requires a new image deployment, which prevents configuration drift and unauthorized changes.

96 · MCQ · medium

An organization is implementing SASE to secure remote user access. Which component of SASE is responsible for enforcing identity-based access policies and inspecting traffic?

A. SD-WAN
B. Cloud Access Security Broker
C. Next-Generation Firewall
D. Secure Web Gateway
Answer: D

SWG enforces web security policies and inspects traffic.

Why this answer

SWG (Secure Web Gateway) enforces security policies for web traffic, including URL filtering, malware detection, and data loss prevention.

97 · MCQ · medium

A company uses a hybrid cloud model with workloads on AWS and on-premises. They need to ensure secure connectivity between the two environments with high bandwidth and low latency, bypassing the public internet. Which solution should they implement?

A. Configure AWS Direct Connect for dedicated private connectivity
B. Implement SD-WAN with integrated security
C. Establish a site-to-site VPN over the internet
D. Use AWS PrivateLink to access VPC endpoints
Answer: A

Direct Connect provides a dedicated, private, high-bandwidth, low-latency connection that avoids the public internet.

Why this answer

AWS Direct Connect provides a dedicated private network connection from on-premises to AWS, bypassing the public internet for reliable and secure connectivity. VPN over the internet is less reliable and has higher latency. PrivateLink exposes services privately but does not connect on-premises to the cloud.

SD-WAN can manage traffic but does not provide a direct dedicated connection.

98 · Multi-Select · medium

A security architect is implementing network segmentation in a hybrid cloud environment. Which TWO controls are most effective for reducing east-west traffic risks?

Select 2 answers
A. Micro-segmentation
B. VPN concentrator
D. East-west traffic inspection
E. Perimeter firewall
Answers: A, D

Micro-segmentation isolates workloads and limits lateral movement.

Why this answer

Micro-segmentation allows granular policies per workload, and east-west traffic inspection detects lateral movement. Both are key to reducing risks inside the network.

99 · MCQ · medium

A company is migrating sensitive workloads to the cloud and must comply with FedRAMP requirements. Which of the following is the most appropriate cloud deployment model?

A. Hybrid cloud
B. Community cloud
C. Private cloud
D. Public cloud
Answer: B

A community cloud shared by several organizations with similar compliance needs (e.g., government) can be FedRAMP compliant.

Why this answer

FedRAMP requirements are stringent and often best met by a government community cloud or a dedicated cloud environment that has been FedRAMP authorized.

100 · MCQ · medium

A security architect is implementing a zero trust model for a financial services company. The goal is to prevent lateral movement in the data center. Which approach best achieves this objective?

A. Using a software-defined perimeter to hide network resources
B. Implementing identity-centric access controls across all resources
C. Applying defense-in-depth layering by adding multiple security controls
D. Deploying micro-segmentation to isolate workloads and enforce granular policies
Answer: D

Micro-segmentation creates small network segments, allowing fine-grained policy enforcement that restricts lateral movement between workloads.

Why this answer

Micro-segmentation divides the network into small, isolated segments to restrict lateral movement, which is a key zero trust principle. Software-defined perimeter (SDP) focuses on user-to-resource access, but micro-segmentation directly limits east-west traffic. Defense-in-depth is broader and not specific to lateral movement.

Identity-centric access control governs user authentication but does not by itself prevent lateral movement.

101 · Multi-Select · hard

A company is migrating critical applications to a multi-cloud architecture using AWS and Google Cloud Platform (GCP). The security team must ensure secure connectivity between on-premises data centers and cloud environments while meeting data residency requirements in the EU. Which TWO solutions should the architect implement to address these requirements? (Choose TWO.)

Select 2 answers
A. Dedicated physical connections (e.g., AWS Direct Connect, GCP Dedicated Interconnect)
B. Private link services (e.g., AWS PrivateLink, GCP Private Service Connect)
C. Cloud Access Security Broker (CASB)
D. Secure Access Service Edge (SASE)
E. Site-to-site VPN with IPsec
Answers: A, B

Dedicated connections provide high bandwidth, low latency, and help meet data residency by keeping traffic within trusted networks.

Why this answer

Private link services (AWS PrivateLink, GCP Private Service Connect) provide secure connectivity without traversing the internet, maintaining data privacy. Direct Connect (or equivalent dedicated connections) ensures reliable, low-latency connectivity with compliance benefits. VPNs are less secure and not preferred for high-performance workloads.

CASB and SASE are not direct connectivity solutions.

102 · MCQ · medium

A security architect is designing a secure connection between an on-premises data center and a cloud provider's virtual network. The connection must be private, low-latency, and not traverse the public internet. Which solution should they recommend?

A. Software-Defined WAN (SD-WAN)
B. Cloud Access Security Broker (CASB)
C. Site-to-site VPN over the internet
D. Direct Connect / ExpressRoute
Answer: D

This is a dedicated private connection that does not use the internet.

Why this answer

Direct Connect (or AWS Direct Connect, Azure ExpressRoute) provides a dedicated private network connection from on-premises to the cloud, bypassing the internet for lower latency and increased security.

103 · MCQ · hard

A security architect is designing a hybrid cloud environment with workloads in AWS and on-premises. The architect needs to ensure secure, low-latency connectivity between the two environments without traversing the internet. Which solution should be used?

A. AWS Direct Connect
B. Site-to-site VPN over the internet
C. AWS Client VPN
D. AWS Transit Gateway with internet gateway
Answer: A

Direct Connect provides a dedicated private connection meeting the requirements.

Why this answer

AWS Direct Connect provides dedicated private network connectivity from on-premises to AWS, offering low latency and security without internet exposure.

104 · MCQ · hard

An organization is concerned about future quantum computer attacks on their public key infrastructure. Which NIST-standardized algorithm is designed for digital signatures and is resistant to quantum attacks?

A. CRYSTALS-Dilithium
B. Falcon
C. RSA-4096
D. CRYSTALS-Kyber
Answer: A

Correct; Dilithium is a digital signature algorithm.

Why this answer

CRYSTALS-Dilithium is a NIST PQC standard for digital signatures.

105 · MCQ · medium

A security architect is designing a defense-in-depth strategy for a web application. Which combination of controls provides overlapping protection against SQL injection attacks?

A. Encryption and hashing
B. Input validation and parameterized queries
C. Intrusion detection system (IDS) and antivirus
D. Web application firewall (WAF) and network segmentation
Answer: B

Input validation prevents malicious input, and parameterized queries prevent injection in database calls; together they provide overlapping protection.

Why this answer

Defense-in-depth layers multiple controls. Input validation prevents malicious input from reaching the application, while parameterized queries ensure that SQL statements are safe even if validation fails. WAFs can detect and block injection attempts at the network layer.

106 · Multi-Select · medium

A financial institution is implementing a secure software development lifecycle (SSDLC) for a new web application that will handle sensitive transactions. The security architect must ensure that application security testing is integrated into the development process. Which THREE testing techniques should be used to identify vulnerabilities early and throughout the lifecycle? (Choose THREE.)

Select 3 answers
A. Static Application Security Testing (SAST)
B. Runtime Application Self-Protection (RASP)
C. Interactive Application Security Testing (IAST)
D. Dynamic Application Security Testing (DAST)
E. Threat modeling
Answers: A, C, D

SAST scans source code for vulnerabilities early in development, enabling low-cost remediation.

Why this answer

SAST (Static Application Security Testing) identifies vulnerabilities in source code early, DAST (Dynamic Application Security Testing) tests running applications for runtime vulnerabilities, and IAST (Interactive Application Security Testing) combines aspects of both for real-time analysis. RASP is a runtime protection tool, not a testing technique. Threat modeling is a design-phase activity, not a testing technique.

107 · MCQ · medium

A company uses a multi-cloud strategy with workloads in AWS and Azure. They need a centralized solution to enforce consistent security policies across both cloud environments. Which type of tool should they deploy?

A. Cloud Access Security Broker (CASB)
B. Cloud Security Posture Management (CSPM)
C. Cloud Workload Protection Platform (CWPP)
D. Security Information and Event Management (SIEM)
Answer: B

CSPM automates the identification and remediation of risks across cloud infrastructure configurations.

Why this answer

A Cloud Security Posture Management (CSPM) tool provides visibility and policy enforcement across multiple cloud providers, helping to ensure compliance with security best practices.

108 · MCQ · easy

During a secure SDLC, a development team wants to identify vulnerabilities in running code. Which type of testing should be performed?

A. IAST
B. SAST
C. DAST
D. RASP
Answer: C

DAST tests running code for vulnerabilities.

Why this answer

DAST (Dynamic Application Security Testing) tests running applications from the outside, simulating attacks to find vulnerabilities in runtime behavior.

109 · MCQ · hard

An organization is implementing a hybrid cloud architecture and must ensure secure connectivity between its on-premises network and a public cloud VPC. The traffic includes sensitive data that must not traverse the internet. The solution must provide high bandwidth and low latency. Which connectivity option should the architect choose?

A. AWS Direct Connect
B. Site-to-Site VPN over the internet
C. AWS Client VPN
D. Internet gateway with encryption
Answer: A

Direct Connect provides a private, dedicated connection with high bandwidth and low latency.

Why this answer

Direct Connect provides a dedicated, private, high-bandwidth connection between on-premises and cloud, bypassing the internet.

110 · Multi-Select · medium

An organization is deploying a Kubernetes cluster and needs to harden security. Which THREE controls should be implemented? (Choose three.)

Select 3 answers
A. Role-Based Access Control (RBAC)
B. Admission controllers
C. Seccomp profiles
D. Network policies
E. Service mesh
Answers: A, B, D

RBAC restricts user and service account permissions.

Why this answer

RBAC controls access, network policies segment traffic, and admission controllers enforce policies before pods are created.

111 · MCQ · easy

A security architect is implementing defense-in-depth for a critical application. Which of the following is an example of a detective control?

Answer: D

Correct; IDS monitors and alerts on potential incidents.

Why this answer

Detective controls identify and record security events after they occur; an IDS monitors traffic for suspicious activity.

112 · MCQ · hard

To protect against quantum computing attacks, a security architect is planning to transition to post-quantum cryptography. Which algorithm has been selected by NIST for general encryption (key encapsulation) in the PQC standard?

A. Falcon
B. CRYSTALS-Dilithium
C. CRYSTALS-Kyber
D. SPHINCS+
Answer: C

Correct – Kyber is the key encapsulation mechanism.

Why this answer

NIST selected CRYSTALS-Kyber for key encapsulation (encryption) and CRYSTALS-Dilithium for digital signatures.

113 · MCQ · hard

An organization is implementing a CASB to secure their SaaS applications. Which CASB deployment mode is most appropriate for monitoring and controlling data in transit between users and cloud apps without modifying the user's device?

A. API-based
B. Reverse proxy
C. Forward proxy
D. Inline gateway
Answer: A

Correct; API-based CASB uses cloud provider APIs for visibility and control without modifying endpoints.

Why this answer

API-based CASB connects directly to the cloud app's API to monitor and control data, without requiring client software.

114 · Multi-Select · medium

A security architect is evaluating a CSPM tool for a multi-cloud environment. Which TWO capabilities should the architect consider essential for the CSPM? (Choose two.)

Select 2 answers
A. Continuous compliance monitoring against frameworks like CIS
B. Vulnerability scanning of container images
C. Configuration drift detection
D. Real-time web application firewall
E. Data loss prevention for cloud storage
Answers: A, C

Correct; CSPM monitors compliance.

Why this answer

CSPM automates security compliance and configuration monitoring across cloud environments.

115 · MCQ · easy

Which of the following is a core principle of the Zero Trust security model?

A. Perimeter-based trust
B. Never trust, always verify
C. Trust based on network location
D. Trust but verify
Answer: B

This is the key principle of Zero Trust.

Why this answer

Zero Trust assumes no implicit trust and requires verification for every access request, regardless of location.

116 · MCQ · hard

An organization is migrating critical workloads to the cloud and must comply with FedRAMP. Which cloud service model provides the most customer control over security configuration while still leveraging the provider's FedRAMP authorization?

A. Software as a Service (SaaS)
B. Infrastructure as a Service (IaaS)
C. Platform as a Service (PaaS)
D. Function as a Service (FaaS)
Answer: B

Correct – IaaS offers maximum customer control over security.

Why this answer

IaaS gives the customer control over OS, applications, and security configurations, while the provider manages the physical infrastructure. FedRAMP authorization can cover the IaaS layer.

117 · MCQ · medium

An organization is concerned about quantum computer attacks on its current cryptographic infrastructure. Which of the following NIST-approved post-quantum cryptographic algorithms is designed for key encapsulation?

A. RSA-4096
B. CRYSTALS-Kyber
C. ECDHE
D. CRYSTALS-Dilithium
Answer: B

Correct NIST-selected KEM.

Why this answer

CRYSTALS-Kyber is a key encapsulation mechanism (KEM) selected by NIST for post-quantum cryptography.

118 · MCQ · medium

A security architect is evaluating a SASE solution. Which capability is expected to be part of a SASE platform?

A. Intrusion prevention system (IPS) at the data center
B. Network segmentation via VLANs
C. Secure web gateway (SWG)
D. Virtual private network (VPN) concentrator
Answer: C

SWG is a core security function in SASE for filtering web traffic.

Why this answer

SASE converges network and security services, including secure web gateway (SWG), cloud access security broker (CASB), zero trust network access (ZTNA), and firewall as a service (FWaaS). SD-WAN is the networking component.

119 · Multi-Select · medium

A security architect is reviewing API security for a financial services platform that uses OAuth 2.0 for authorization and JWTs for token exchange. The platform must protect against common API threats such as token theft and injection attacks. Which TWO controls should be implemented to mitigate these specific threats? (Choose TWO.)

Select 2 answers
A. Implementing an API gateway
B. Using OAuth 2.0 scopes
C. Rate limiting on API endpoints
D. Input validation and sanitization
E. Short token expiration times
Answers: C, D

Rate limiting mitigates brute-force attacks on tokens and prevents denial of service.

Why this answer

Rate limiting helps prevent token brute-force and DoS attacks, while input validation prevents injection attacks (e.g., SQL injection, XSS) on API endpoints. OAuth 2.0 scopes define permissions but do not directly mitigate token theft. API gateways can enforce many policies but are not a specific control.

Short token lifetimes reduce the window of token theft but do not prevent injection.

120 · MCQ · hard

An enterprise is securing a hybrid cloud environment with on-premises and AWS workloads. They need to ensure that on-premises systems can privately access VPC resources without traversing the public internet. Which AWS service should they use?

A. AWS VPN (site-to-site)
B. AWS Transit Gateway
C. AWS PrivateLink
D. AWS Direct Connect
Answer: D

Direct Connect provides a dedicated private connection from on-premises to AWS.

Why this answer

AWS Direct Connect provides a dedicated private network connection from on-premises to AWS, bypassing the internet for lower latency and increased security.

121 · MCQ · hard

A security architect is designing a PKI for a large organization. The architect wants to ensure that private keys are stored securely and that cryptographic operations are performed in a tamper-resistant environment. Which solution should be used?

A. Trusted Platform Module (TPM)
B. Hardware Security Module (HSM)
C. Software-based keystore
D. Key Management Service (KMS) in the cloud
Answer: B

HSMs are designed for secure key generation, storage, and cryptographic operations.

Why this answer

Hardware Security Modules (HSMs) provide dedicated, tamper-resistant hardware for key storage and cryptographic operations.

122 · MCQ · hard

An organization is adopting a SASE architecture to provide secure access to cloud applications. Which component is essential for enforcing security policies based on user identity and device posture?

A. Zero Trust Network Access (ZTNA)
B. Firewall as a Service (FWaaS)
C. Secure Web Gateway (SWG)
D. Cloud Access Security Broker (CASB)
Answer: A

ZTNA enforces access based on user identity, device posture, and context, aligning with zero trust principles.

Why this answer

SASE converges networking and security functions. A Cloud Access Security Broker (CASB) is not part of SASE; rather, the Security Service Edge (SSE) includes SWG, CASB, ZTNA, and FWaaS. The question specifically asks for identity- and device-based policy enforcement, which is a key function of ZTNA.

123 · MCQ · easy

Which of the following best describes the security benefit of using an API gateway in a microservices architecture?

A. It eliminates the need for input validation in individual microservices
B. It encrypts all data between the client and server using mTLS
C. It enforces security policies such as authentication and rate limiting centrally
D. It automatically load balances traffic to ensure high availability
Answer: C

The gateway centralizes cross-cutting security concerns, providing a single enforcement point.

Why this answer

An API gateway acts as a reverse proxy that can enforce security policies such as authentication, rate limiting, input validation, and logging. It centralizes security controls, reducing the attack surface. Client-side code does not run on the gateway.

Encryption between client and server is handled by TLS rather than by the gateway as such, and while the gateway manages traffic, it does not load balance automatically without explicit configuration.

124
MCQ · medium

A security architect is evaluating a SASE solution. Which component of SASE is primarily responsible for inspecting encrypted traffic for threats?

A. Zero Trust Network Access (ZTNA)
B. Next-generation firewall (NGFW)
C. Secure web gateway (SWG)
D. SD-WAN edge
Answer: C

Correct – SWG performs deep packet inspection on encrypted traffic.

Why this answer

SASE integrates SWG (Secure Web Gateway) for web filtering and threat inspection, including decryption and inspection of TLS traffic.

125
MCQ · medium

A company is migrating its workloads to a public cloud and wants to ensure it understands the division of security responsibilities. Which model defines the demarcation of security controls between the cloud provider and the customer?

A. Cloud Security Posture Management (CSPM)
B. Zero trust architecture
C. Cloud Access Security Broker (CASB)
D. Shared responsibility model
Answer: D

This model defines security responsibilities between provider and customer.

Why this answer

The shared responsibility model clearly delineates which security tasks are handled by the cloud provider and which by the customer, varying by service type (IaaS, PaaS, SaaS).

126
MCQ · easy

Which of the following is a cloud-native security control provided by a cloud service provider to manage user permissions and access to resources?

A. Virtual Private Cloud (VPC)
B. CloudTrail
C. Key Management Service (KMS)
D. Identity and Access Management (IAM)
Answer: D

IAM controls authentication and authorization for cloud resources.

Why this answer

Identity and Access Management (IAM) is a fundamental cloud service for managing users, roles, and permissions.

127
MCQ · easy

An organization wants to enforce that only signed container images are deployed in production. Which of the following should be implemented?

A. Network policies
B. Container runtime security (e.g., seccomp)
C. Image signing and verification in the registry
D. Admission controllers
Answer: C

Image signing ensures integrity and authenticity; verifying signatures before deployment enforces only signed images.

Why this answer

Image scanning verifies signatures and checks for vulnerabilities; however, to enforce only signed images, the registry must require signature verification.

128
MCQ · easy

A security analyst is reviewing a Kubernetes cluster and wants to ensure that only authorized users can create or modify pods. Which Kubernetes object should be configured to enforce this?

A. Admission controllers
B. Pod security policies
C. RBAC
D. Network policies
Answer: C

RBAC grants or denies API access to users and service accounts.

Why this answer

RBAC (Role-Based Access Control) in Kubernetes controls access to API resources, including pod creation, based on roles and bindings.

129
Multi-Select · easy

An organization is planning to modernize its cryptographic infrastructure to protect sensitive data for the next 10 years. The security architect must consider future threats from quantum computing. Which TWO quantum-resistant algorithms should the architect prioritize for key encapsulation and digital signatures? (Choose TWO.)

Select 2 answers
A. CRYSTALS-Dilithium
B. AES-256 with GCM
C. ECDSA with P-521
D. RSA-4096
E. CRYSTALS-Kyber
Answers: A, E

CRYSTALS-Dilithium is a NIST-selected digital signature algorithm for post-quantum security.

Why this answer

CRYSTALS-Kyber is a key encapsulation mechanism (KEM), and CRYSTALS-Dilithium is a digital signature algorithm. Both are NIST PQC standards for post-quantum security. RSA and ECDSA are not quantum-resistant, and AES-256 is symmetric but does not provide key encapsulation or digital signatures.

130
MCQ · easy

A security engineer is integrating API security for a RESTful service. Which mechanism is used to verify that the API request has not been tampered with and originates from a legitimate client?

A. OAuth 2.0 authorization code
B. API key in query parameter
C. JWT
D. Rate limiting
Answer: C

JWT includes a signature that verifies integrity and authenticity.

Why this answer

JWT (JSON Web Token) is a compact, self-contained token that includes claims and a digital signature to verify integrity and authenticity.

131
Multi-Select · medium

A security engineer is hardening a Kubernetes environment. Which THREE of the following are effective controls for securing the cluster? (Select THREE.)

Select 3 answers
A. Configuring load balancers for high availability
B. Enabling Pod Security Admission (PSA) to enforce pod security standards
C. Implementing RBAC for API server access
D. Using Network Policies to isolate workloads
E. Installing antivirus on all nodes
Answers: B, C, D

PSA prevents pods from running with excessive privileges.

Why this answer

RBAC controls API access, Pod Security Standards (or admission controllers) enforce pod security, and Network Policies restrict pod communication. All three are Kubernetes-native controls for cluster hardening.

132
MCQ · hard

A company is deploying containerized applications on Kubernetes and needs to ensure that only authorized images are run in the cluster. Which Kubernetes resource should be used to enforce policies on what containers can run, including image source restrictions?

A. Role-Based Access Control (RBAC)
B. Network policies
C. Seccomp profiles
D. Admission controllers
Answer: D

Admission controllers can enforce image policies, such as requiring images from a trusted registry.

Why this answer

Admission controllers intercept requests to the Kubernetes API server before object persistence, allowing policy enforcement such as ensuring images come from a trusted registry. Pod Security Policies are deprecated; Pod Security Admission or custom admission controllers are current.

133
Multi-Select · medium

A multinational corporation is adopting a zero trust architecture for its enterprise network. The security team is evaluating mechanisms to enforce granular access controls and segment workloads. Which TWO components are most critical for implementing a zero trust model? (Choose TWO.)

Select 2 answers
A. Secure Access Service Edge (SASE)
B. Micro-segmentation
C. Perimeter-based firewalls
D. Identity-centric access controls
E. Software-defined perimeter (SDP)
Answers: B, D

Micro-segmentation creates isolated security zones for workloads, enforcing least privilege and containing lateral movement.

Why this answer

Micro-segmentation and identity-centric access controls are foundational to zero trust. Micro-segmentation isolates workloads, while identity-centric controls ensure that access is based on user/device identity rather than network location. SASE is a broader framework, and VPNs are often replaced by zero trust.

Perimeter firewalls contradict the zero trust principle of assuming no implicit trust.

134
MCQ · hard

During a threat modeling exercise for a new web application, the team identifies that the application uses JWT for authentication. Which vulnerability is most likely if the server does not properly verify the JWT signature?

A. Cross-site scripting
B. SQL injection
C. JWT tampering
D. Insecure direct object reference
Answer: C

Correct; missing signature verification allows tampering with the JWT payload.

Why this answer

If signature verification is missing, an attacker can forge a JWT with arbitrary payload (e.g., admin role).

135
MCQ · medium

A company is deploying a SASE architecture. Which component is responsible for securing web traffic and enforcing acceptable use policies at the edge?

A. Zero Trust Network Access (ZTNA)
B. Secure Web Gateway (SWG)
C. Cloud Access Security Broker (CASB)
D. SD-WAN
Answer: B

SWG is designed for web traffic filtering and policy enforcement.

Why this answer

A Secure Web Gateway (SWG) is a core SASE function that filters web traffic and enforces security policies like URL filtering and malware detection.

136
MCQ · easy

Which technology is used to discover and control cloud applications, enforce security policies, and provide visibility into cloud usage?

A. Cloud Workload Protection Platform (CWPP)
B. Cloud Access Security Broker (CASB)
C. Cloud Security Posture Management (CSPM)
D. Secure Access Service Edge (SASE)
Answer: B

CASB provides visibility, compliance, data security, and threat protection for cloud services.

Why this answer

A Cloud Access Security Broker (CASB) is a security policy enforcement point that sits between cloud service consumers and providers to monitor activity and enforce policies. CSPM focuses on cloud configuration posture. CWPP protects cloud workloads.

SASE combines network and security functions.

137
MCQ · medium

An organization wants to protect cryptographic keys used for TLS termination. Which hardware solution should be deployed to prevent key extraction?

A. KMS
B. TPM
C. UEFI
D. HSM
Answer: D

HSMs are purpose-built for key protection and cryptographic operations.

Why this answer

Hardware Security Modules (HSMs) are dedicated hardware that securely generate, store, and manage cryptographic keys, making them resistant to extraction even if the host is compromised.

138
MCQ · easy

In a cloud shared responsibility model, which of the following is typically the customer's responsibility for IaaS?

A. Hypervisor security
B. Guest OS patch management
C. Hardware maintenance
D. Physical security of data centers
Answer: B

The customer is responsible for securing the guest OS and applications.

Why this answer

In IaaS, the customer manages the guest OS, applications, and data, while the cloud provider secures the physical hosts and hypervisor.

139
Multi-Select · medium

A company is implementing a defense-in-depth strategy for its web application. Which THREE security controls should be included in the architecture? (Choose three.)

Select 3 answers
A. Web application firewall (WAF)
B. Load balancer with SSL termination
C. Runtime application self-protection (RASP)
D. Single sign-on (SSO)
E. Network segmentation
Answers: A, C, E

WAF inspects HTTP traffic for attacks like SQL injection.

Why this answer

Defense-in-depth uses multiple layers. WAF filters malicious traffic, network segmentation limits lateral movement, and RASP protects the application at runtime.

140
Multi-Select · hard

A global company must comply with data residency regulations that require customer data to stay within specific geographic boundaries. The company uses a multi-cloud architecture. Which THREE strategies should the architect implement to ensure compliance?

Select 3 answers
A. Using the cloud provider's region-specific services and data centers
B. Encrypting all data at rest and in transit
C. Implementing strict identity and access management (IAM) policies
D. Configuring data classification tags to identify regulated data
E. Deploying data loss prevention (DLP) policies to block cross-border data transfers
Answers: A, D, E

Choosing specific regions ensures data is stored and processed within the desired geography.

Why this answer

To meet data residency requirements, data must be stored and processed locally. Encryption alone does not prevent data from leaving the region. Private links keep traffic within the cloud provider's network but do not guarantee data stays in region.

Access controls do not prevent data movement. Data classification tags identify which data is regulated so that DLP policies can block its transfer across borders. The cloud provider's region-specific services ensure the data remains in the chosen region.

141
MCQ · medium

A security architect is implementing an API gateway to protect microservices. Which security capability is uniquely provided by an API gateway compared to a traditional web application firewall (WAF)?

A. TLS termination
B. SQL injection prevention
C. Cross-site scripting (XSS) filtering
D. Rate limiting per API consumer
Answer: D

Correct – API gateways can throttle requests per API key or user.

Why this answer

An API gateway can enforce rate limiting and authentication (e.g., OAuth) at the API level, while a WAF typically focuses on HTTP-layer attacks like SQLi.

142
MCQ · medium

During a secure SDLC, a development team is reviewing code for security flaws early in the development process. Which type of testing is MOST appropriate for identifying vulnerabilities in source code before it is compiled?

A. DAST
B. SAST
C. IAST
D. RASP
Answer: B

SAST analyzes source code before compilation.

Why this answer

SAST (Static Application Security Testing) analyzes source code at rest to find vulnerabilities like injection flaws, without executing the code.
