CAS-004 · topic practice

Security Architecture practice questions

Use this page to practise secure architecture questions. The most common mistake is confusing the responsibility boundary — know which security controls AWS manages and which are your responsibility.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Security Architecture

What the exam tests

What to know about Security Architecture

Secure architecture questions test IAM policies, VPC security controls, encryption at rest and in transit, and the right AWS security service for a given threat.

IAM policies: identity-based, resource-based, permission boundaries.

VPC security: security groups vs NACLs, route tables, VPC endpoints.

Encryption: KMS, SSE-S3, SSE-KMS, client-side encryption.

AWS security services: GuardDuty, Inspector, Macie, Shield, WAF.

Watch out for

Common Security Architecture exam traps

  • Security groups are stateful; NACLs are stateless.
  • KMS manages keys; it does not encrypt data directly.
  • GuardDuty detects threats; Inspector assesses vulnerabilities; Macie finds sensitive data.
  • A VPC endpoint keeps traffic off the public internet; it does not encrypt traffic.

Practice set

Security Architecture questions

20 questions · select your answer, then reveal the explanation

A security architect is designing a new DMZ for an e-commerce platform. The DMZ must host a web server, an API gateway, and a database server. The architect needs to minimize the attack surface while ensuring the web server can communicate with the API gateway, and the API gateway can communicate with the database. Which network segmentation approach best meets these requirements?

Question 2hardmultiple choice
Read the full VPN explanation →

An organization is implementing a zero trust architecture (ZTA). The security architect proposes using a software-defined perimeter (SDP) to replace the traditional VPN for remote access. Which of the following best describes the primary security benefit of SDP over VPN in a zero trust model?

A security architect is evaluating cloud security architectures. The company requires that all data at rest in a public cloud object storage bucket be encrypted with a key that is managed by the company's own hardware security module (HSM) on-premises. Which encryption approach should the architect recommend?

Question 4mediummultiple choice
Review the full subnetting walkthrough →

A security architect is designing a secure remote access solution for a global workforce. The company requires that all remote connections be authenticated using certificates issued by the company's internal PKI, and that the connection be encrypted and integrity-protected. Additionally, the solution must support IP-based network access control to restrict access to specific internal subnets based on the user's role. Which of the following should the architect recommend?

A security architect is reviewing the network architecture of a financial trading system. The system uses a time-sensitive order matching engine that must process trades with minimal latency. The architect is concerned about the risk of a DDoS attack on the matching engine. Which of the following architectural changes would best mitigate DDoS risk while preserving low latency?

A security architect is designing a hybrid cloud environment where a web application hosted in AWS needs to securely access an on-premises database. The architect wants to minimize exposure to the internet and ensure encryption in transit. Which TWO techniques should the architect consider? (Choose two.)

A security architect is planning the migration of a legacy application to a containerized microservices architecture on Kubernetes. The architect must ensure that the architecture supports secrets management, service-to-service authentication, and encryption of data in transit between microservices. Which THREE components should the architect include in the design? (Choose three.)

A security architect is designing a zero-trust network architecture for a hybrid cloud environment. The company uses on-premises servers and AWS. Which of the following best implements the principle of least privilege for inter-component communication?

A company is migrating from a legacy three-tier architecture to a microservices architecture on Kubernetes. The security team wants to ensure that service-to-service communication is encrypted and mutually authenticated. Which approach best meets these requirements with minimal operational overhead?

A security administrator needs to secure remote access for employees using personal devices. The company requires that company data be encrypted and that the device be wiped if lost. Which solution best meets these requirements?

A company is designing a secure web application that processes credit card payments. The architect needs to ensure that the application is resilient against SQL injection attacks. Which of the following is the most effective defense?

A large enterprise is designing a disaster recovery site that must support rapid failover with minimal data loss. The primary data center is 50 miles away. The RPO is 1 minute, and RTO is 15 minutes. Which replication strategy best meets these requirements?

Which TWO of the following are essential characteristics of a hardware security module (HSM)? (Select TWO.)

A security architect is evaluating a new cloud-based application that will process sensitive customer data. The architect must ensure compliance with GDPR and PCI DSS. Which THREE of the following controls should be implemented? (Select THREE.)

A security architect is designing a segmentation strategy for a multi-tier web application. The public-facing web servers must communicate only with application servers, and application servers must communicate only with database servers. The architect wants to use a firewall that can inspect application-layer traffic to prevent SQL injection attacks. Which firewall type should be deployed between the application tier and the database tier?

A security architect is evaluating a new cloud SaaS application that will handle sensitive customer data. The SaaS provider offers a shared responsibility model where the customer is responsible for data classification, access management, and encryption of data at rest using customer-managed keys. The architect must ensure that the organization retains the ability to revoke access to the data if the provider is compromised. Which key management strategy best meets this requirement?

Question 17easymultiple choice
Read the full wireless explanation →

An organization is deploying a new wireless network for employees and guests. The security policy requires that all wireless traffic be encrypted using AES-CCMP, and that clients must authenticate using 802.1X with EAP-TLS. Which of the following wireless security standards should be implemented?

A security architect is reviewing the network security controls for a critical industrial control system (ICS) environment. The architect must select two controls that are most effective at preventing unauthorized access to the ICS network from the corporate IT network, while still allowing necessary monitoring traffic. Which TWO controls should be implemented? (Choose two.)

Question 19mediummulti select
Study the full ACL explanation →

A network administrator is troubleshooting connectivity to a server at 192.168.1.100. The ACL shown is applied inbound on GigabitEthernet0/0. Which THREE statements are true regarding this ACL configuration? (Choose three.)

Exhibit

Refer to the exhibit.

```
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group ACL-IN in
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
!
access-list 100 deny tcp any host 192.168.1.100 eq 22
access-list 100 deny tcp any host 192.168.1.100 eq 3389
access-list 100 permit ip any any
```
Question 20hardmultiple choice
Read the full VPN explanation →

A large healthcare organization has implemented a zero-trust network architecture (ZTNA) to secure access to its electronic health record (EHR) system. The architecture uses a software-defined perimeter (SDP) where all users must authenticate and be authorized before accessing the EHR. The EHR system is hosted in a private cloud and communicates with a legacy billing system that cannot support modern authentication protocols. The billing system is accessed by a small number of finance employees via a dedicated VPN. Recently, an auditor discovered that a finance employee's credentials were compromised, and the attacker used the VPN to access the billing system and exfiltrate patient billing data. The security architect must prevent such lateral movement while maintaining access for legitimate users. Which of the following is the BEST course of action?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Security Architecture sessions

Start a Security Architecture only practice session

Every question in these sessions is drawn from the Security Architecture domain — nothing else.

Related practice questions

Related CAS-004 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CAS-004 exam test about Security Architecture?
Secure architecture questions test IAM policies, VPC security controls, encryption at rest and in transit, and the right AWS security service for a given threat.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security Architecture questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Architecture domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CAS-004 topics?
Use the topic links above to move to related areas, or go back to the CAS-004 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CAS-004 exam covers. They are not copied from any real exam or dump site.