CCNA Scripting Containers And Automation Questions

71 questions · Scripting Containers And Automation topic · All types, answers revealed

1
MCQmedium

An organization uses Ansible to automate server configuration for a hybrid cloud environment. The security team requires that sensitive data such as API keys and passwords are not exposed in the Ansible playbooks or logs. The Ansible control node is shared among several administrators. What is the best approach to protect these secrets?

A.Store secrets in plaintext in a separate file and set restrictive file permissions.
B.Remove all secrets from automation and require manual entry during each playbook run.
C.Use Ansible Vault to encrypt the secret variables and restrict access to the vault password file.
D.Define secrets as environment variables on the control node and reference them in playbooks.
AnswerC

Ansible Vault encrypts data at rest; only authorized users with the vault password can decrypt.

Why this answer

Ansible Vault encrypts sensitive data within playbooks. Option A is correct. Plaintext (B) is insecure.

Environment variables (C) can be logged. Removing secrets (D) is impractical.

2
MCQeasy

Which of the following best describes the primary security benefit of using immutable infrastructure in a containerized environment?

A.It reduces resource consumption by reusing containers.
B.It prevents unauthorized modifications to running containers.
C.It automates patching of container images.
D.It eliminates the need for container security scanning.
AnswerB

Why this answer

Immutable infrastructure ensures that once a container image is built and deployed, it is never modified in place. If a change is needed, a new image is built and deployed, replacing the old container entirely. This prevents unauthorized or unplanned modifications to running containers, which is the primary security benefit because it eliminates configuration drift and reduces the attack surface from runtime tampering.

Exam trap

The trap here is that candidates confuse immutability with automation of patching or resource efficiency, when in fact immutability is a security control against runtime modification, not a patch management or cost-saving mechanism.

Why the other options are wrong

A

Immutable infrastructure usually increases resource usage due to frequent replacement; reuse is not a security benefit.

C

Immutable infrastructure requires rebuilding images for patches, but it does not automate the patching itself.

D

Immutable infrastructure still requires scanning images for vulnerabilities before deployment.

3
Multi-Selectmedium

A company is adopting container security best practices. Which TWO actions should be implemented to reduce the attack surface of container images? (Select TWO.)

Select 2 answers
A.Set the container filesystem as read-only where possible.
B.Use signed images and verify signatures before deployment.
C.Disable vulnerability scanning to optimize build time.
D.Store secrets in environment variables.
E.Run containers with the root user to simplify permissions.
AnswersA, B

A read-only filesystem prevents attackers from writing malicious files.

Why this answer

Using signed images (A) ensures integrity, and read-only root filesystem (C) prevents runtime modifications. Distractors B and D are insecure, and E is good but not as critical for attack surface reduction.

4
MCQeasy

An analyst needs to automate the extraction of indicators of compromise (IOCs) from log files generated by various systems. Which scripting language is most commonly used for cross-platform log parsing and automation due to its extensive library support?

A.PowerShell
B.Bash
C.JavaScript
D.Python
AnswerD

Python is cross-platform with extensive libraries for data parsing and automation.

Why this answer

Python's rich library ecosystem (e.g., pandas, re, json) makes it ideal for log parsing across platforms. PowerShell is Windows-centric, Bash is Unix/Linux-specific, and JavaScript is not typical for log parsing tasks.

5
MCQeasy

Refer to the exhibit. A security administrator finds this IAM policy attached to a Lambda execution role. What is the most critical security risk?

A.The Lambda can invoke any other Lambda
B.The Lambda has full IAM management capabilities
C.The Lambda can assume any role
D.The Lambda can access any S3 bucket
AnswerB

iam:* on * allows any IAM action, including creating admin users.

Why this answer

The policy grants full IAM management capabilities (iam:*) on all resources, allowing the Lambda to create, modify, or delete IAM resources. This could lead to privilege escalation or resource destruction.

6
Multi-Selecthard

A container orchestration platform uses secrets management. Which two methods are recommended for injecting secrets into containers? (Choose two.)

Select 2 answers
A.Store secrets in environment variables in the container image.
B.Hardcode secrets in the application source code.
C.Use Kubernetes Secrets mounted as files.
D.Pass secrets via command-line arguments in the Dockerfile.
E.Use a volume mount from a secret store like HashiCorp Vault.
AnswersC, E

Mounted secrets are stored in tmpfs and not written to disk.

Why this answer

Options B and D are correct. Volume mounts from a secure store and Kubernetes Secrets mounted as files protect secrets at rest and in transit. A, C, and E embed secrets in images or commands, which is insecure.

7
MCQhard

Refer to the exhibit. A system administrator creates a systemd service to run a daily patching script. Which security concern is most prevalent?

A.The service restarts on failure
B.The script location is non-standard
C.The service depends on the network
D.The script runs as root
AnswerD

Executing automation as root increases blast radius; privilege separation is recommended.

Why this answer

Running the service as root grants the script full system privileges. If the patching script has vulnerabilities, an attacker could gain root access. Running as a non-root user with required permissions is better.

8
MCQmedium

A security analyst needs to write a script that detects changes to critical files across a fleet of Linux servers. Which approach is most efficient and secure?

A.Use a cron job on each server running a Python script that checks file hashes.
B.Enable Linux auditd on each server and forward logs to a SIEM for analysis.
C.Deploy a centralized log server and parse syslog for file modifications.
D.Use an agentless tool like OSSEC with a central manager to report file integrity changes.
AnswerD

OSSEC provides centralized, efficient monitoring.

Why this answer

Option C is correct because OSSEC provides centralized file integrity monitoring with agentless capability. Option A is distributed and harder to manage. Option B relies on syslog, which may not capture all changes.

Option D is more complex and not as efficient.

9
MCQmedium

A company uses a CI/CD pipeline with Jenkins to build and deploy containerized applications. Security scanning of container images is currently done manually after deployment, causing delays. Which of the following would be the most effective automation to improve security and efficiency?

A.Add a stage to the Jenkins pipeline that runs container image scanning using Trivy before pushing to the registry.
B.Schedule a weekly cron job to scan the container registry and generate reports.
C.Use Terraform to enforce that only images from a trusted registry are deployed.
D.Require developers to scan images locally using a Dockerfile HEALTHCHECK instruction.
AnswerA

Automated scanning in the pipeline catches vulnerabilities before deployment, enforcing security earlier.

Why this answer

Integrating image scanning into the CI pipeline ensures vulnerabilities are detected before deployment. Option C is correct because tools like Trivy or Clair can be run as pipeline stages. Option A is incorrect because relying on developers is inconsistent.

Option B is incorrect because scanning after deployment doesn't prevent vulnerabilities. Option D is incorrect because infrastructure as code does not directly address image scanning.

10
MCQhard

Match each container security concept with its correct description.

A.Container runtime security
B.Image signing
C.Secrets management
D.Orchestration security
E.Enforces system call filtering and access controls at runtime
F.Ensures container images are not tampered with using cryptographic hashes
G.Safely injects credentials into containerized applications at runtime
H.Manages network segmentation and pod security policies in clusters

Why this answer

The correct pairs are: Container runtime security refers to tools like AppArmor and Seccomp that enforce system call restrictions. Image signing ensures integrity using cryptographic signatures. Secrets management involves tools like Vault to inject credentials.

Orchestration security includes network policies in Kubernetes. The PBQ requires matching each term to its description.

Exam trap

Candidates may confuse 'Image signing' with 'Vulnerability scanning' because both deal with images, but signing is about integrity, not vulnerability detection.

11
Multi-Selecteasy

A security analyst is reviewing a CI/CD pipeline configuration. The pipeline uses a containerized application and includes automated security scanning. Which TWO practices should be implemented to ensure container immutability and reduce the attack surface?

Select 2 answers
A.Run containers with read-only root filesystem.
B.Scan images for vulnerabilities at build time.
C.Use the same base image for all environments.
D.Run containers as root.
E.Store credentials in environment variables.
AnswersA, B

Enforces container immutability by preventing modifications at runtime.

Why this answer

Option B is correct because running containers with a read-only root filesystem enforces immutability, preventing any modifications at runtime. Option D is correct because scanning images for vulnerabilities at build time reduces the attack surface by catching issues before deployment. Option A is incorrect because using the same base image for all environments does not directly relate to immutability or attack surface reduction.

Option C is incorrect because storing credentials in environment variables is insecure and should be avoided. Option E is incorrect because running containers as root weakens security and increases attack surface.

12
MCQhard

Match each automation security concept with its correct description.

A.Immutable infrastructure
B.Infrastructure as Code
C.Secret management
D.Container orchestration

Why this answer

Immutable infrastructure prevents drift by never modifying deployed instances. Infrastructure as Code allows version-controlled, repeatable deployments. Secret management securely handles credentials.

Orchestration coordinates container deployment but is not specifically about drift prevention.

Exam trap

Candidates may confuse orchestration with immutable infrastructure or think infrastructure as code is about drift prevention.

Why the other options are wrong

A

Matched to correct description

B

Matched to correct description

C

Matched to correct description

D

Matched to correct description

13
MCQhard

An organization implements a CI/CD pipeline that automatically builds and deploys containerized microservices. Which of the following is the most effective method to ensure that only signed, trusted container images are deployed to production?

A.Implement a private container registry with access controls
B.Enable content trust and require signatures on all images
C.Run vulnerability scanning on all images before deployment
D.Use an admission controller that checks image labels
AnswerB

Why this answer

Option B is correct because enabling content trust (e.g., Docker Content Trust or Notary) cryptographically signs container images, ensuring that only images signed by a trusted publisher can be deployed. This directly enforces integrity and authenticity in the CI/CD pipeline, preventing unauthorized or tampered images from reaching production.

Exam trap

The trap here is that candidates confuse access control (registry permissions) or vulnerability scanning with cryptographic trust, failing to recognize that only content trust provides non-repudiation and tamper-evidence for container images.

Why the other options are wrong

A

Access controls prevent unauthorized pushes but do not verify the integrity or authenticity of images.

C

Scanning identifies vulnerabilities but does not verify the publisher's identity or prevent tampering.

D

Labels are metadata and can be easily spoofed; they do not provide cryptographic proof of origin.

14
Multi-Selectmedium

A security engineer is implementing container security controls. Which TWO practices are most effective in preventing privilege escalation within a container? (Choose two.)

Select 2 answers
A.Dropping all capabilities (CAP_DROP=ALL)
B.Enabling SELinux
C.Using host networking
D.Mounting /var/run/docker.sock
E.Setting USER to non-root in the Dockerfile
AnswersA, E

Removing capabilities eliminates potential escalation via Linux capabilities.

Why this answer

Setting USER to non-root prevents the container from running as root, and dropping all capabilities removes many known escalation vectors. Using host networking and mounting the Docker socket increase risk. SELinux helps but is not specific to privilege escalation.

15
Multi-Selectmedium

A DevOps team is automating the deployment of a containerized application to production. Which THREE practices are essential for maintaining security and reliability? (Select THREE.)

Select 3 answers
A.Use Helm charts to package and deploy Kubernetes applications.
B.Use Docker Compose files for production deployments.
C.Use infrastructure as code tools like Terraform to provision and manage container hosts.
D.Manually configure each environment to handle unique settings.
E.Implement continuous deployment pipelines with automated security testing.
AnswersA, C, E

Helm provides reusable, versioned deployment packages with rollback capabilities.

Why this answer

Helm charts (A) manage Kubernetes deployments, IaC (C) ensures reproducible environments, and CI/CD pipelines (D) automate testing and deployment. Manual configuration (B) and Docker Compose for production (E) are not recommended.

16
MCQmedium

A security team needs to implement a CI/CD pipeline that automatically scans container images for vulnerabilities before deployment. Which tool can be integrated into the pipeline for this purpose?

A.SonarQube
B.Prometheus
C.Trivy
D.Grafana
AnswerC

Trivy scans container images for known vulnerabilities.

Why this answer

Trivy is a vulnerability scanner for container images. SonarQube is for code quality, Prometheus monitors metrics, and Grafana visualizes data.

17
MCQeasy

A security administrator needs to automate the process of revoking access for terminated employees across multiple cloud services. Which scripting approach would best minimize the risk of errors and ensure consistent execution?

A.Create a shell script that relies on environment variables containing API keys.
B.Use a configuration management tool like Ansible with a playbook that calls cloud provider modules using encrypted vault files for credentials.
C.Write a Python script using separate API calls for each service with hardcoded credentials.
D.Manually execute commands each time an employee is terminated.
AnswerB

Ansible with vault securely automates and standardizes the process.

Why this answer

Option B is correct because using Ansible with encrypted vault files provides secure credential management and consistent execution. Option A hardcodes credentials, creating security risks. Option C uses environment variables, which are less secure.

Option D is manual and error-prone.

18
Multi-Selecteasy

Which two practices are essential for securing a CI/CD pipeline? (Choose two.)

Select 2 answers
A.Allow any developer to merge code into the main branch without review.
B.Implement code signing for all build artifacts.
C.Store credentials in plaintext within pipeline configuration files.
D.Use immutable tags for container images.
E.Scan container images for vulnerabilities before deployment.
AnswersB, E

Code signing ensures artifacts have not been tampered with.

Why this answer

Options B and C are correct. Code signing ensures artifact integrity, and vulnerability scanning prevents deploying insecure images. Option A is insecure.

Option D lacks necessary review. Option E is beneficial but not as essential as B and C.

19
MCQhard

In a CI/CD pipeline, a container image is built from a Dockerfile that uses a base image from a public registry. To minimize the attack surface, which of the following actions should be automated in the pipeline?

A.Use the 'latest' tag for the base image to get latest patches
B.Run a vulnerability scanner and fail the build on critical findings
C.Store the Dockerfile in a private repository only
D.Install all available packages inside the container
AnswerB

Why this answer

Option B is correct because integrating a vulnerability scanner into the CI/CD pipeline and failing the build on critical findings directly reduces the attack surface by preventing deployment of images with known exploitable vulnerabilities. This aligns with the principle of secure software supply chain management, where automated security gates are essential for containerized environments.

Exam trap

CompTIA often tests the misconception that using the 'latest' tag is a safe practice for security patching, when in fact it undermines deterministic builds and introduces supply chain risks.

Why the other options are wrong

A

'latest' can introduce breaking changes or untested versions.

C

Storage location does not reduce attack surface.

D

Installing extra packages increases attack surface.

20
MCQeasy

A small business uses Puppet for configuration management on Linux servers. They are now migrating to containers and want to maintain security. The operations team is unfamiliar with containers. The security team insists on automated vulnerability scanning of container images before deployment. What should be the company's first step?

A.Deploy a Kubernetes cluster and migrate all applications.
B.Discontinue using Puppet and switch entirely to container-based configurations.
C.Train the operations team on Docker and Kubernetes fundamentals.
D.Create a hardened base image standard, and set up a CI pipeline that automatically scans every image for vulnerabilities before it is pushed to the registry.
AnswerD

This establishes security controls early and automates the scanning requirement.

Why this answer

Creating a hardened base image standard and integrating scanning into CI is foundational. Option C is correct. Training (A) is premature without a plan.

Kubernetes (B) is too advanced initially. Discontinuing Puppet (D) is unnecessary.

21
Multi-Selectmedium

Which of the following are secure scripting practices when automating administrative tasks? (Choose two.)

Select 2 answers
A.Hardcode credentials in the script for convenience
B.Use a secrets management service to retrieve credentials at runtime
C.Run the script with the highest privileges required
D.Implement input validation to prevent injection attacks
AnswersB, D

Why this answer

Option B is correct because using a secrets management service (e.g., HashiCorp Vault, AWS Secrets Manager) retrieves credentials at runtime via secure APIs, avoiding hardcoded secrets in scripts. This practice ensures credentials are encrypted at rest and in transit, and supports rotation without modifying the script. It aligns with the principle of least privilege and reduces the risk of credential exposure in version control or logs.

Exam trap

Cisco often tests the misconception that running with elevated privileges is necessary for automation, when in fact least privilege and secrets management are the secure practices, and input validation is a separate but equally important control.

Why the other options are wrong

A

Hardcoding exposes secrets in version control.

C

Should run with least privilege, not highest.

22
MCQmedium

A security analyst discovers that container images in the company's private registry lack signatures. The development team uses a script to build and push images. The analyst wants to ensure image integrity and prevent tampering. Which solution should the analyst recommend?

A.Implement Docker Content Trust with a Notary server to require signatures on all images.
B.Restrict registry access to only the build servers.
C.Use SSH keys to sign the image tarball before pushing.
D.Encrypt the image filesystem layer using AES-256.
AnswerA

Docker Content Trust uses signing keys and a Notary server to verify image integrity at pull time.

Why this answer

Docker Content Trust (Notary) provides image signing and verification. Option A is correct. SSH keys (B) are not designed for image signing.

Encryption (C) does not provide integrity. Private registry only (D) does not prevent tampering after push.

23
MCQhard

An organization uses AWS, Azure, and GCP for different workloads. They want a single tool to manage infrastructure consistently across all providers. Which approach is most appropriate?

A.Use Terraform with provider plugins
B.Use Azure Resource Manager templates
C.Write provider-specific scripts in PowerShell
D.Use AWS CloudFormation
AnswerA

Terraform’s provider model allows unified management across clouds.

Why this answer

Terraform supports multiple providers via plugins, enabling consistent management. Provider-specific tools are limited to one cloud, and writing scripts for each is inefficient.

24
MCQmedium

A security engineer is writing a Python script to automate the revocation of compromised credentials across multiple cloud services. Which of the following is the most critical security consideration when implementing this script?

A.Ensure the script runs with the least privilege necessary.
B.Use a secrets management service to store API keys.
C.Log all actions performed by the script.
D.Run the script from a hardened bastion host.
AnswerB

Why this answer

Option B is correct because storing API keys in a secrets management service (e.g., HashiCorp Vault, AWS Secrets Manager) prevents hardcoding credentials in the script, which is a critical security practice for automation. Even with least privilege, if the API key is exposed in plaintext (e.g., in source code or logs), an attacker can reuse it across services. Secrets management also enables rotation, auditing, and dynamic access control, directly addressing the risk of credential compromise in multi-cloud revocation scripts.

Exam trap

Cisco often tests the misconception that least privilege (Option A) is the most critical control, but the trap here is that without secure credential storage, even a least-privilege key can be exfiltrated and reused, making secrets management the foundational security consideration for automation scripts.

Why the other options are wrong

A

Important but not the most critical; the script's credentials must be protected first.

C

Logging is good for auditing but does not protect the script's credentials.

D

While a hardened host reduces risk, the script's secrets are still exposed if hardcoded.

25
MCQhard

A security engineer is hardening a Kubernetes cluster. They want to reduce the risk of container escape attacks. Which combination of settings is most effective at the pod security context level?

A.Set runAsNonRoot: true, readOnlyRootFilesystem: true, and drop: ['ALL'].
B.Set runAsNonRoot: false and readOnlyRootFilesystem: true.
C.Set runAsUser: 1000 and capabilities.add: ['NET_ADMIN'].
D.Set privileged: true and readOnlyRootFilesystem: false.
AnswerA

Drops all capabilities, enforces non-root, and read-only filesystem – defense in depth against escapes.

Why this answer

Using read-only root filesystem and dropping all capabilities limits the attack surface. Option D is correct. Option A allows privileged access.

Option B keeps default capabilities. Option C runs as root, increasing risk.

26
MCQeasy

An organization uses Kubernetes to orchestrate containers. Which practice enhances the security of pod-to-pod communication?

A.Implement network policies that restrict ingress and egress traffic based on labels.
B.Expose all pods via NodePort services.
C.Use ClusterIP services for all internal traffic.
D.Rely on the default Kubernetes network configuration.
AnswerA

Network policies enforce least-privilege communication.

Why this answer

Option B is correct because Kubernetes Network Policies can restrict traffic based on labels, providing micro-segmentation. Option A (ClusterIP) is a service type, not a security control. Option C (NodePort) unnecessarily exposes pods.

Option D relies on default permissive settings.

27
MCQmedium

A systems administrator must automate the patching of 200 Windows servers. The environment has strict security requirements and change management. Which scripting approach best balances automation and control?

A.Use PowerShell DSC (Desired State Configuration) with a pull server and authorized users via JEA.
B.Write a Python script that uses WMI to apply patches and reboot servers.
C.Create a scheduled task on each server that runs a script from a network share.
D.Use Group Policy to install updates during the next restart.
AnswerA

DSC ensures desired state, JEA provides least privilege, and pull server allows control and auditing.

Why this answer

PowerShell with Just Enough Administration (JEA) provides both automation and secure access. Option B is correct. Option A is unreliable for enterprise.

Option C bypasses change management. Option D is too manual.

28
Multi-Selecthard

A DevOps engineer is automating container orchestration using Kubernetes. Which of the following are security best practices to include in the automation? (Choose two.)

Select 2 answers
A.Disable RBAC to simplify automation scripts
B.Enforce Pod Security Policies to restrict privileged containers
C.Allow all network traffic between pods for simplicity
D.Implement network policies to restrict pod-to-pod communication
AnswersB, D

Why this answer

Enforcing Pod Security Policies (PSPs) is a critical security best practice in Kubernetes because it restricts the creation of privileged containers, prevents host namespace sharing, and enforces read-only root filesystems. This reduces the attack surface by ensuring that containers run with the least privilege necessary, mitigating risks of container breakout or host compromise. Disabling PSPs or failing to enforce them would allow developers to deploy containers with excessive capabilities, violating the principle of least privilege.

Exam trap

CompTIA often tests the misconception that disabling security features like RBAC or network policies simplifies automation and is acceptable in a DevOps pipeline, when in fact automation should enforce security controls, not bypass them.

Why the other options are wrong

A

RBAC is a critical security control.

C

Network policies should restrict traffic.

29
MCQmedium

A development team is using Docker containers for microservices. The security team wants to scan containers for vulnerabilities during the CI/CD pipeline. Which approach is most effective?

A.Use a runtime security tool that scans containers only when they are running.
B.Scan the container image only after deployment to production.
C.Rely on the developers to manually check for vulnerabilities.
D.Integrate image scanning into the pipeline before promoting images to the registry, using a tool like Trivy.
AnswerD

Early scanning prevents vulnerable images from being stored or deployed.

Why this answer

Option B is correct because integrating image scanning early in the pipeline prevents vulnerable images from being deployed. Option A scans too late. Option C relies on unreliable manual checks.

Option D only catches runtime issues, not build-time vulnerabilities.

30
MCQhard

An organization is migrating its on-premises monolithic application to a containerized microservices architecture on a Kubernetes cluster. The development team has created a set of Docker images that are stored in a private registry. The security team requires that all container images be scanned for vulnerabilities before deployment. The current CI/CD pipeline uses Jenkins to build images, push them to the registry, and then deploy to Kubernetes via kubectl. The scanning is performed by a tool that generates a report, but developers have been ignoring critical vulnerabilities and deploying anyway. The security team wants to enforce a policy that blocks deployment if the image has any critical or high-severity vulnerabilities. Additionally, the cluster must ensure that containers run with the least privilege and that secrets are not exposed in environment variables. The operations team is concerned about performance overhead from runtime security monitoring. Which of the following approaches best addresses these requirements while minimizing operational overhead?

A.Implement admission controller webhooks that check vulnerability scan results from the registry before allowing pod creation, and use a service mesh with mutual TLS to encrypt secrets.
B.Use a custom script in Jenkins to parse the scan report and abort the build if vulnerabilities are found, and store secrets in Kubernetes secrets mounted as volumes.
C.Deploy a runtime security agent that monitors container activity and rejects pods that contain known vulnerability signatures, and use Kubernetes RBAC to limit permissions.
D.Configure a network policy in Kubernetes to restrict pod-to-pod communication, and use a static analysis tool during development to find coding flaws.
AnswerA

Admission webhooks enforce policy at pod creation without runtime overhead; service mesh mTLS protects secrets.

Why this answer

Option A is correct because admission controller webhooks can enforce vulnerability policies at deployment time, blocking pods with critical/high vulnerabilities without runtime overhead. Service mesh with mTLS encrypts secrets in transit, reducing exposure. Option B is incorrect because aborting the Jenkins build does not prevent deployment from other sources (e.g., direct kubectl) and secrets mounted as volumes are still vulnerable to compromise.

Option C is incorrect because network policies do not address vulnerability scanning or secret protection. Option D is incorrect because runtime security agents incur performance overhead and do not block deployment upfront.

31
Matchingmedium

Match each acronym to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Cloud Access Security Broker

Data Loss Prevention

Identity and Access Management

Security Information and Event Management

Security Orchestration, Automation, and Response

Why these pairings

These are common security acronyms relevant to CAS-004.

32
MCQhard

A company's Jenkins pipeline builds container images by mounting the Docker socket from the host into the Jenkins container (Docker-in-Docker). An auditor flags this as a security risk because it gives the Jenkins container root access to the host's Docker daemon. The development team wants to maintain the same functionality without the risk. Which alternative should they implement?

A.Configure the Jenkins Kubernetes plugin to launch dynamic pod agents that build images without needing a Docker socket.
B.Replace Jenkins with Ansible to build and deploy containers.
C.Disable the pipeline and require manual builds on a dedicated build server.
D.Use Docker-outside-of-Docker (DooD) by mounting the Docker socket into a sibling container.
AnswerA

The Kubernetes plugin uses the Kubernetes API to spawn build pods that can use Docker inside the pod or via other tools, avoiding host socket access.

Why this answer

Using the Kubernetes plugin with dynamic agents isolates builds without exposing the host Docker socket. Option B is correct. Option A (DooD) still requires Docker socket access.

Option C stops automation. Option D is a different approach but doesn't solve the immediate issue.

33
MCQmedium

A security analyst is writing a Python script to parse network logs and automatically block IP addresses that exceed a threshold of failed login attempts. Which security consideration is most critical when implementing this automation?

A.Using the most efficient parsing algorithm
B.Ensuring the script runs with root privileges
C.Validating and sanitizing all input from logs
D.Writing detailed audit logs of script actions
AnswerC

Why this answer

Option C is correct because log files can contain maliciously crafted entries designed to exploit parsing logic. Without input validation and sanitization, an attacker could inject commands or manipulate the script into blocking legitimate IPs or executing unintended actions, leading to a denial-of-service or compromise of the automation system itself.

Exam trap

CompTIA often tests the misconception that automation security is about efficiency or privilege escalation, when the real trap is that log data is untrusted input that must be validated to prevent injection attacks.

Why the other options are wrong

A

Efficiency is secondary; security is paramount.

B

Least privilege principle suggests non-root.

D

Auditing is important but not the most critical.

34
MCQhard

During a red team exercise, an attacker exploits a vulnerability in a containerized web application to gain a shell. The container is running with a read-only root filesystem. What is the most likely persistence mechanism the attacker will use?

A.Modify the container's entrypoint script in the image.
B.Write a cron job to the container's writable /tmp directory.
C.Create a new user account in /etc/passwd.
D.Install a kernel module on the host.
AnswerB

/tmp is often writable and can be used for persistence.

Why this answer

Option A is correct because /tmp is typically writable even with a read-only root filesystem. Option B and C require writable /etc or image modification. Option D requires host access, which is not given.

35
MCQeasy

Which of the following is the primary security benefit of using immutable infrastructure in automated deployments?

A.Reduces operational costs by reusing existing servers
B.Eliminates configuration drift and unauthorized changes
C.Increases system performance through hardware acceleration
D.Simplifies monitoring by reducing the number of servers
AnswerB

Why this answer

Immutable infrastructure ensures that servers are never modified after deployment; instead, updates are made by replacing the entire instance with a new, pre-configured image. This eliminates configuration drift because any unauthorized or unintended changes are wiped out on the next deployment cycle, enforcing a consistent, known-good state across all environments.

Exam trap

The trap here is that candidates confuse immutable infrastructure with traditional configuration management (e.g., Puppet, Ansible) that corrects drift by modifying existing servers, whereas immutable infrastructure prevents drift entirely by never modifying servers in place.

Why the other options are wrong

A

Immutable infrastructure typically increases costs because new instances are spun up instead of patching old ones.

C

Immutable infrastructure is about deployment methodology, not hardware performance.

D

Immutable infrastructure may actually increase server count due to frequent redeployments.

36
MCQhard

A Kubernetes pod is defined with the above manifest. Which security concern is most critical?

A.The image tag "latest" might pull an outdated image.
B.The pod has added capabilities NET_ADMIN and SYS_ADMIN, which could allow network manipulation and system administration.
C.The readOnlyRootFilesystem prevents logging.
D.The pod runs as root by default.
AnswerB

These capabilities can lead to container escape or host compromise.

Why this answer

Option B is correct because NET_ADMIN and SYS_ADMIN capabilities allow significant host-level manipulation, such as network configuration and system administration. Option A is not explicitly set but default root user is a concern, but less critical than capabilities. Option C is a limitation, not a security risk.

Option D is a best-practice issue but less critical than capability escalation.

37
MCQeasy

Which of the following is the primary benefit of using infrastructure as code (IaC) for automating security configurations?

A.It eliminates the need for security testing
B.It ensures consistent and repeatable security configurations
C.It allows unapproved changes to be deployed faster
D.It increases manual oversight of security settings
AnswerB

Why this answer

Infrastructure as code (IaC) enables security configurations to be defined in declarative or procedural scripts (e.g., Terraform, AWS CloudFormation, Ansible). This ensures that every deployment applies the exact same security settings (e.g., firewall rules, IAM policies, encryption at rest) without drift, making configurations consistent and repeatable across environments. The primary benefit is eliminating manual, error-prone processes that lead to configuration inconsistencies.

Exam trap

The trap here is that candidates may think IaC eliminates the need for security testing (Option A) because automation implies perfection, but in reality, IaC code itself must be tested for security flaws, just like application code.

Why the other options are wrong

A

IaC does not eliminate testing; it automates deployment.

C

Unapproved changes are a risk, not a benefit.

D

IaC reduces manual oversight.

38
Matchingmedium

Match each security tool to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Protects web applications from attacks

Detects intrusions and alerts

Detects and blocks intrusions in real-time

Host-based intrusion detection system

Network-based intrusion detection system

Why these pairings

These tools are fundamental to network and host security monitoring.

39
MCQeasy

A web application generates an Ansible playbook from user input as shown. What is the primary security risk?

A.The application is vulnerable to SQL injection.
B.The user input could be crafted to execute arbitrary Ansible modules.
C.The application is vulnerable to LDAP injection.
D.The playbook may fail to run if input contains special characters.
AnswerB

YAML injection can lead to arbitrary module execution, compromising hosts.

Why this answer

Option B is correct because replacing the placeholder with user input can allow YAML injection, enabling arbitrary module execution. Option A is operational, not security. Option C is SQL injection, irrelevant here.

Option D is LDAP injection, not applicable.

40
MCQhard

Match each automation security concept (left) with its corresponding best practice (right).

Immutable infrastructure.Never modify a running instance; redeploy instead
Infrastructure as Code.Store all configuration files in version control
Secret management.Use a dedicated vault service to store credentials
CI/CD pipeline security scanning.Scan container images for vulnerabilities before deployment

Why this answer

This matching pairs key concepts with their best practices: Immutable infrastructure -> never modify after deployment, Infrastructure as Code -> version control all configurations, Secret management -> use vault for credentials, CI/CD pipeline scanning -> scan images before deployment.

Exam trap

Candidates might confuse 'immutable infrastructure' with 'infrastructure as code'.

41
MCQhard

A company uses Terraform to deploy infrastructure on AWS. They have a compliance requirement that all containers running on Amazon ECS must have a read-only root filesystem and must not run as root. The security team needs an automated way to enforce this policy and provide an audit trail for any violations. Which solution best meets these requirements?

A.Review all container definitions manually during the change management process.
B.Add a Terraform policy that validates container definitions at deployment time.
C.Write a custom Python script that periodically scans running ECS tasks and reports violations.
D.Use Open Policy Agent (OPA) with Gatekeeper as an admission controller on Amazon EKS, and deploy EKS instead of ECS.
AnswerD

OPA/Gatekeeper enforces policies at runtime on Kubernetes, blocking non-compliant pods and providing audit logs. EKS replaced ECS to leverage this capability.

Why this answer

Kubernetes admission controllers like OPA/Gatekeeper enforce policies on pods at runtime. Option C is correct. Terraform (A) is for provisioning but cannot enforce runtime behavior.

Custom scripts (B) are reactive. Manual review (D) is not automated.

42
MCQeasy

A development team wants to deploy a microservices application using containers. They need a solution to automate the deployment, scaling, and management of the containers across a cluster. Which technology is most suitable?

A.VMware vSphere with container support.
B.Jenkins with Docker plugins.
C.Docker Compose with manual scaling.
D.Kubernetes with Helm charts.
AnswerD

Kubernetes provides automated deployment, scaling, and management; Helm simplifies configuration.

Why this answer

Kubernetes is designed for orchestrating containerized applications at scale. Option D is correct. Option A is for single hosts.

Option B is for VMs. Option C is for CI/CD.

43
MCQeasy

A Windows administrator needs to automate the retrieval of failed login events from the Security log. Which scripting language is most native and efficient for this task?

A.Bash
B.Ruby
C.PowerShell
D.Python
AnswerC

PowerShell natively supports querying Windows Event Log.

Why this answer

PowerShell has built-in cmdlets like Get-WinEvent to interact with Windows Event Log. Bash and Python require extra modules, and JavaScript is not suited.

44
MCQmedium

Refer to the exhibit. A security analyst notices that the pod is running with a service account token mounted. Which security best practice should be implemented to reduce the risk of token theft in container environments?

A.Store the token in a Kubernetes secret and mount it.
B.Use a different container runtime.
C.Disable the service account for the pod.
D.Set automountServiceAccountToken to false in the pod spec.
AnswerD

This prevents automatic mounting of the token, reducing theft risk while allowing explicit mounting if needed.

Why this answer

Option B is correct because setting automountServiceAccountToken to false in the pod spec prevents the automatic mounting of the service account token, reducing the risk of theft. Option A is incorrect because disabling the entire service account may break functionality if the pod needs API access; the goal is to prevent token exposure while still allowing explicit token mounting if necessary. Option C is incorrect because changing the container runtime does not address token mounting.

Option D is incorrect because storing the token in a secret and mounting it increases exposure rather than reducing it.

45
MCQhard

A SOC analyst notices that a containerized application is making unexpected outbound connections. The container runs with minimal privileges. Which step should the analyst take first to investigate without compromising the environment?

A.Restore the container from a trusted image and re-deploy.
B.Use `docker exec` to attach a shell and run network diagnostic commands.
C.Immediately kill the container and analyze its filesystem from a backup.
D.Capture a network packet dump from the host and correlate with container logs.
AnswerD

This approach gathers evidence without interfering with the container.

Why this answer

Option C is correct because capturing packet dumps from the host and correlating with logs provides forensic evidence without altering the container state. Option A destroys evidence. Option B may alert the attacker or change state.

Option D skips investigation entirely.

46
Multi-Selectmedium

Which two of the following are best practices for securing container orchestration platforms (e.g., Kubernetes)? (Select two.)

Select 2 answers
A.Apply network policies to isolate workloads.
B.Use privileged containers for system services.
C.Disable all security contexts to avoid restrictions.
D.Enable Role-Based Access Control (RBAC).
AnswersA, D

Why this answer

Network policies in Kubernetes act as a firewall for pods, controlling ingress and egress traffic at the IP address or port level (OSI layer 3 or 4). By default, all pods can communicate with each other; applying network policies enforces least-privilege segmentation, which is a core security best practice for container orchestration platforms.

Exam trap

Cisco often tests the misconception that privileged containers are necessary for system services, when in fact they should be avoided and replaced with specific capability grants (e.g., CAP_NET_ADMIN) or security context constraints.

Why the other options are wrong

B

Privileged containers should be avoided as they have nearly unrestricted access to the host.

C

Security contexts enforce necessary restrictions; disabling them weakens security.

47
MCQhard

A security team is auditing a Kubernetes cluster. They find a pod running with `securityContext`: `privileged: true` and `runAsUser: 0`. Which of the following is the most critical risk?

A.The pod cannot communicate with other pods.
B.The pod cannot mount volumes.
C.The pod can access all node resources and potentially escape to the host.
D.The pod will be killed by Kubernetes if it consumes too much memory.
AnswerC

Privileged mode grants unrestricted host access.

Why this answer

Option A is correct because a privileged container with root user can escape to the host and access all node resources. Options B and D are not necessarily true. Option C is a resource management issue, not a security risk.

48
MCQhard

A security engineer is writing a Python script to automate the revocation of compromised certificates using the ACME protocol. The script uses the `acme` library and requires secure credential storage. Which method is MOST appropriate for storing the ACME account private key used for authentication?

A.Store the key in the operating system's keychain (e.g., macOS Keychain, Windows Credential Manager) or a HSM
B.Store the key in a configuration file with 600 permissions
C.Embed the key directly in the script as a string variable
D.Store the key in an environment variable
AnswerA

Why this answer

The ACME account private key is a highly sensitive cryptographic credential used to authenticate against the ACME server (RFC 8555). Storing it in the OS keychain or a Hardware Security Module (HSM) provides encryption at rest, access control via OS-level permissions, and protection against accidental exposure. This aligns with the principle of least privilege and secure key management required for automation scripts handling certificate revocation.

Exam trap

Cisco often tests the misconception that file permissions (e.g., 600) or environment variables are sufficient for secure credential storage, when in fact they lack encryption at rest and are vulnerable to broader system-level access.

Why the other options are wrong

B

The key remains in plaintext on disk; even with restricted permissions, it can be read by any process running as the same user or through privilege escalation.

C

The key is exposed in source code, version control, and accessible to anyone who can read the script.

D

Environment variables are often written to logs, process dumps, and are not encrypted at rest; they are not designed for long-term cryptographic key storage.

49
MCQhard

An organization uses a CI/CD pipeline that builds Docker images and pushes them to a private registry. A security analyst discovers that some images contain environment variables with database credentials. Which of the following is the most effective way to prevent this in the future?

A.Use a .dockerignore file to exclude credential files.
B.Implement multi-stage builds to separate build and runtime environments.
C.Scan images with a vulnerability scanner after build.
D.Reduce the base image size to minimize attack surface.
AnswerB

Why this answer

The best approach is to use multi-stage builds: build the application in one stage, then copy only the artifact to a final, clean image. This avoids including build-time secrets in the final image. Additionally, using Docker BuildKit's --secret flag can inject secrets without persisting them.

Exam trap

Candidates often choose 'Use .dockerignore to exclude files' because it can prevent some files from being copied, but environment variables set via ENV or passed at build time are not files. Multi-stage builds address the root cause.

Why the other options are wrong

A

.dockerignore prevents copying files but does not eliminate secrets set via ENV or build args.

C

Scanning detects known vulnerabilities, not embedded secrets.

D

Size reduction does not remove secrets already embedded.

50
Multi-Selectmedium

A DevOps engineer is automating the deployment of a web application using containers. Which of the following security practices should be implemented to reduce the attack surface of the containers? (Select TWO.)

Select 2 answers
A.Run containers as a non-root user
B.Build images with embedded database credentials
C.Use minimal base images like Alpine or distroless
D.Expose port 22 for SSH debugging
E.Grant all Linux capabilities to the container
AnswersA, C

Why this answer

Running containers as a non-root user (option A) is a fundamental security best practice because it limits the privileges available to processes inside the container. If an attacker compromises the application, they will not have root access to the host or the container runtime, reducing the potential for privilege escalation or host-level damage. This aligns with the principle of least privilege, which is critical for container security.

Exam trap

CompTIA often tests the misconception that containers are inherently secure because they are isolated, but the trap here is that default root execution and bloated base images are common misconfigurations that dramatically increase the attack surface, and candidates may overlook the need to explicitly drop privileges and minimize image content.

Why the other options are wrong

B

Embedding secrets in images is insecure; they should be injected at runtime.

D

Exposing SSH adds an attack vector and is unnecessary in production.

E

Granting all capabilities weakens isolation; should drop all unnecessary capabilities.

51
Multi-Selecthard

A security team is automating incident response using playbooks. Which two of the following are critical considerations when designing automated response actions? (Select two.)

Select 2 answers
A.Execute all actions immediately to minimize damage.
B.Include a manual approval step for high-impact actions.
C.Ensure automated actions are reversible.
D.Use the same playbook for all incident types.
AnswersB, C

Why this answer

Option B is correct because high-impact automated actions, such as blocking a critical server or deleting user accounts, can cause significant collateral damage if triggered by a false positive. Including a manual approval step ensures a human verifies the alert before irreversible or disruptive actions are taken, aligning with the principle of least privilege and incident response best practices.

Exam trap

CompTIA often tests the misconception that speed is always the priority in automation, tempting candidates to select 'execute all actions immediately' without considering the need for validation and reversibility in high-stakes environments.

Why the other options are wrong

A

Immediate execution without validation can cause collateral damage.

D

Different incidents require tailored responses; one-size-fits-all is ineffective.

52
Multi-Selecthard

A DevOps team is automating server configuration using configuration management tools. Which THREE principles should be followed to ensure secure automation? (Choose three.)

Select 3 answers
A.Store secrets in encrypted variables or vaults
B.Implement least privilege for automation agents
C.Use idempotent scripts to ensure consistent state
D.Hardcode credentials in automation scripts
E.Perform unit testing on scripts
AnswersA, B, C

Encrypting secrets prevents exposure in scripts or logs.

Why this answer

Storing secrets encrypted, ensuring idempotency, and applying least privilege to automation agents are key security practices. Hardcoding credentials is insecure. While unit testing is good, it is not specifically a security principle.

53
Drag & Dropmedium

Drag and drop the steps to perform a secure code review for a web application into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Secure code review: understand code, automated scan, manual review, document, and communicate findings.

54
MCQmedium

A DevOps team uses Ansible to automate server configuration. They need to ensure that sensitive variables like passwords are not exposed in playbook logs or version control. What is the recommended approach?

A.Use Ansible Vault to encrypt sensitive variables
B.Use environment variables only
C.Store secrets in plain text within the playbook
D.Encrypt the entire playbook file
AnswerA

Ansible Vault encrypts specific variables or files, protecting secrets.

Why this answer

Ansible Vault encrypts sensitive data, preventing exposure. Storing in plain text is insecure, environment variables can leak in logs, and encrypting the whole playbook is unnecessary and hampers readability.

55
MCQeasy

What is the primary benefit of using infrastructure as code (IaC) tools like Terraform for cloud resource provisioning?

A.It reduces cloud costs by optimizing resource usage.
B.It eliminates the need for manual configuration management.
C.It provides a declarative language to define resources, enabling version control and repeatability.
D.It automatically applies security patches to resources.
AnswerC

Declarative IaC ensures consistent and tracked deployments.

Why this answer

Option B is correct because IaC allows declarative definition of resources, enabling version control, repeatability, and consistency. Option A is exaggerated; manual configuration is still needed. Option C is not automatic.

Option D is not a primary benefit.

56
MCQhard

A security team needs to automate the enforcement of cloud security policies across multiple accounts in AWS. They want a solution that uses code to define policies and automatically remediate violations. Which approach best meets these requirements?

A.Write Python boto3 scripts that run on a schedule to check and update security groups.
B.Use AWS Config with managed rules and custom Lambda functions for auto-remediation.
C.Enable AWS GuardDuty and rely on its threat detection alerts.
D.Deploy a third-party cloud security posture management (CSPM) tool like Prisma Cloud.
AnswerB

AWS Config rules are defined in code (JSON) and remediation via Lambda automates enforcement.

Why this answer

AWS Config Rules with custom Lambda functions can automate remediation. Option C is correct. Option A is manual.

Option B is a separate tool. Option D is reactive, not automated.

57
MCQeasy

A company wants to automate the creation of IAM roles and policies in AWS using infrastructure as code. Which tool is specifically designed for provisioning cloud infrastructure across multiple providers?

A.Terraform
B.Jenkins
C.Docker
D.Ansible
AnswerA

Terraform is a declarative IaC tool for cloud provisioning.

Why this answer

Terraform is a IaC tool focused on provisioning resources across cloud providers. Docker handles containers, Ansible is configuration management, and Jenkins is CI/CD.

58
MCQmedium

The Docker container `myservice` has the mount configuration shown. What is the most significant security implication of this configuration?

A.The container can modify files on the host at /data/config.
B.The container has full access to the host's filesystem.
C.The container can read host files at /data/config, but not write.
D.The container can mount additional filesystems using the bind mount.
AnswerC

Read-only bind mount allows reading, no writing.

Why this answer

Option B is correct because the mount is read-only (ro), so the container can read host files but not write. Option A is false. Options C and D are incorrect as the mount is a bind mount, not allowing additional mounts or full filesystem access.

59
MCQmedium

In a CI/CD pipeline, a security gate fails because a high-severity vulnerability is found in the base image of a container. The pipeline is configured to block deployment on such findings. What is the appropriate remediation step?

A.Update the base image to a patched version
B.Override the security gate and proceed with deployment
C.Rebuild the image using the same base image
D.Add the vulnerability to an exception list
AnswerA

Using a patched base image resolves the vulnerability.

Why this answer

Updating the base image to a patched version ensures the vulnerability is fixed. Overriding the gate or adding exceptions bypasses security, and rebuilding with the same base retains the issue.

60
MCQhard

A security auditor reviews this Kubernetes pod configuration. Which security vulnerability is most critical?

A.The container image is from a public registry and should use a private one.
B.The container runs as non-root, but root access is required for certain operations.
C.The container allows privilege escalation, which should be disabled.
D.The hostPath volume mount provides direct filesystem access to the host, enabling potential container escape.
AnswerD

HostPath mounts give the container access to the host filesystem; if compromised, the attacker can manipulate host files.

Why this answer

The pod mounts a hostPath volume, which allows the container to access and potentially modify host filesystem, leading to container escape. Option C is correct. Options A and B are mitigated by the security context.

Option D is false.

61
MCQmedium

A security engineer is writing a Python script to parse system logs and alert on suspicious patterns. What is the best practice to ensure the script remains secure when handling log data?

A.Store all logs in a database and query directly.
B.Use `eval()` to dynamically evaluate log content.
C.Sanitize log input and use safe parsing functions like `json.loads()` for structured logs.
D.Run the script with root privileges to access all logs.
AnswerC

Safe parsing prevents injection and handles data securely.

Why this answer

Option B is correct because sanitizing input and using safe parsing functions like `json.loads()` prevents injection attacks. Option A (`eval()`) is dangerous. Option C is not a scripting best practice.

Option D runs with excessive privileges.

62
MCQmedium

Refer to the exhibit. A security analyst reviews this pod specification. Which attack surface is most increased by the added capabilities?

A.The container can modify network settings
B.The container can kill other processes
C.The container can read all host files
D.The container can install new kernel modules
AnswerD

SYS_ADMIN capability allows loading kernel modules, potentially compromising the host.

Why this answer

SYS_ADMIN grants many powerful privileges including loading kernel modules, which can lead to host compromise. NET_ADMIN allows network configuration but is less critical. The combination significantly increases attack surface.

63
Drag & Dropmedium

Drag and drop the steps to configure a site-to-site IPsec VPN on a firewall into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

IPsec VPN configuration follows a logical order: first define IKE policy, then IPsec policy, create tunnel, permit traffic, and finally apply crypto map.

64
Multi-Selectmedium

Which three options are best practices for writing secure scripts? (Choose three.)

Select 3 answers
A.Log all errors and warnings for debugging.
B.Use parameterized inputs to prevent injection attacks.
C.Validate all external input before processing.
D.Hardcode sensitive credentials in the script.
E.Run scripts with the least privilege necessary.
AnswersB, C, E

Parameterization separates code from data.

Why this answer

Options A, C, and D are correct. Parameterized inputs prevent injection, least privilege limits damage, and input validation stops malformed data. B is insecure.

E is a good general practice but not specifically a security best practice.

65
MCQhard

A security engineer is reviewing a Kubernetes deployment where the pod spec includes `securityContext: { privileged: true }`. What is the primary security concern of this configuration?

A.The container can access host resources like the filesystem
B.The container can run as root
C.The container has unrestricted network access
D.The container can modify the host's kernel
AnswerD

Privileged mode grants direct access to host kernel functions and devices.

Why this answer

Privileged containers have almost all capabilities of the host, including access to host devices and kernel modules. This significantly increases the attack surface compared to running as root alone.

66
MCQhard

A security audit reveals that Docker containers are built with multiple unnecessary layers and utilities. Which practice reduces the attack surface of the container image?

A.Use multi-stage builds
B.Use a base image with only the required packages
C.Combine multiple RUN commands into one
D.Delete the apt cache in the Dockerfile
AnswerB

Minimizing installed packages reduces the attack surface.

Why this answer

Using a minimal base image with only required packages reduces the number of potential vulnerabilities. Multi-stage builds help but don't directly reduce the base image size.

67
Multi-Selecthard

An organization is automating cloud security group management across AWS, Azure, and GCP. Which TWO approaches provide centralized, auditable control? (Select TWO.)

Select 2 answers
A.Leverage infrastructure as code tools (e.g., Terraform) to define and enforce security group rules.
B.Require manual approval for every security group change through a ticketing system.
C.Disable logging on security group changes to reduce performance impact.
D.Use cloud provider CLI commands (e.g., AWS CLI, Azure CLI) in scripts to update security groups.
E.Store service account credentials directly in automation scripts for simplicity.
AnswersA, D

IaC provides a single source of truth and automates enforcement across multiple clouds.

Why this answer

Cloud provider CLI scripts (A) can automate changes, and IaC (C) enforces security baselines as code. Storing credentials in scripts (D) is insecure, and manual review (E) defeats automation. Disabling logging (B) is prohibited.

68
Multi-Selecthard

A security administrator is reviewing a Python script used to automate compliance checks across cloud resources. The script uses environment variables for API tokens. Which of the following are secure coding practices that should be implemented in this script? (Select TWO.)

Select 2 answers
A.Use try-except blocks to handle exceptions gracefully
B.Use os.system() to run shell commands for resource management
C.Hardcode API tokens as fallback if environment variables are missing
D.Validate that required environment variables exist before proceeding
E.Log the API tokens for troubleshooting purposes
AnswersA, D

Why this answer

Option A is correct because using try-except blocks in Python allows the script to catch and handle exceptions (e.g., missing environment variables, API call failures) gracefully without crashing. This is a fundamental secure coding practice that prevents unhandled errors from exposing sensitive information or causing unpredictable behavior in automated compliance checks.

Exam trap

Cisco often tests the misconception that hardcoding fallback values or logging sensitive data is acceptable for troubleshooting, but the trap here is that both practices directly violate secure coding principles by exposing secrets, while os.system() is a known anti-pattern for command execution in Python.

Why the other options are wrong

B

os.system is vulnerable to injection; prefer subprocess with parameterized commands.

C

Hardcoding tokens is insecure and defeats the purpose of using environment variables.

E

Logging credentials exposes them in logs, which is a security risk.

69
Multi-Selecteasy

An analyst wants to automate incident response tasks in a SOC environment. Which THREE scripting languages are commonly used for automation? (Choose three.)

Select 3 answers
A.Python
B.PowerShell
C.Java
D.COBOL
E.Bash
AnswersA, B, E

Python is popular for its rich libraries and cross-platform support.

Why this answer

Python, Bash, and PowerShell are widely used for security automation due to cross-platform support, extensive libraries, and native system integration. Java is less common for quick automation, and COBOL is obsolete.

70
MCQmedium

A security analyst is writing a script to scan container images for known vulnerabilities before deployment. Which of the following best practices should the analyst implement to ensure the script runs securely?

A.Hardcode API keys into the script for simplicity
B.Use parameterized queries or input sanitization for any user-supplied data
C.Run the script with root privileges to ensure it has access to all images
D.Store credentials in a world-readable configuration file
AnswerB

Why this answer

Option B is correct because input sanitization and parameterized queries prevent injection attacks when the script processes user-supplied data, such as image names or tags. In the context of container scanning, unsanitized input could lead to command injection or SQL injection if the script queries a vulnerability database. This aligns with secure coding practices for automation scripts, ensuring that the script does not inadvertently execute malicious commands or expose sensitive data.

Exam trap

Cisco often tests the principle of least privilege and secure credential handling in automation contexts, and the trap here is that candidates may choose root privileges (Option C) thinking it ensures full access to all images, overlooking the security risk of excessive permissions.

Why the other options are wrong

A

Hardcoding credentials is a major security risk; they can be exposed in version control.

C

Running with least privilege is a security best practice; root access increases the attack surface.

D

Credentials should be stored securely (e.g., vault, environment variables), not world-readable.

71
MCQeasy

An organization needs to ensure consistent configuration across multiple Linux servers. They want to automate this process with a solution that requires minimal agent installation and uses push-based communication. Which approach is most appropriate?

A.Use PowerShell Desired State Configuration (DSC) with Linux extensions.
B.Use Ansible playbooks to define and enforce server configurations.
C.Run a Docker container on each server with a configuration management tool inside.
D.Deploy Puppet with a master server and agents on each system.
AnswerB

Ansible is agentless, uses SSH for push, and is widely used for configuration management.

Why this answer

Ansible is agentless and push-based via SSH. Option A is correct. Option B (Puppet) is pull-based and requires agents.

Option C (Docker) is for containers, not direct server config. Option D (PowerShell DSC) works well in Windows but is less common for Linux.

Ready to test yourself?

Try a timed practice session using only Scripting Containers And Automation questions.