CCNA Cloud Security Questions

67 questions · Cloud Security topic · All types, answers revealed

1
MCQ · medium

A cloud administrator is configuring a web application hosted on a public cloud VM. The application must be accessible over HTTPS, and the administrator needs to ensure that all traffic between the client and the server is encrypted. The cloud provider offers a managed certificate service. Which of the following is the BEST practice for securing the application?

A. Use the cloud provider's managed certificate service to provision and attach the certificate to the load balancer.
B. Generate a self-signed certificate and configure the web server to use it.
C. Disable HTTPS and rely on network-level encryption provided by the cloud provider.
D. Create a certificate signing request (CSR) and submit it to a public CA, then install the certificate and private key on the VM.
Answer: A

The managed service automates certificate lifecycle, reducing administrative overhead and risk.

Why this answer

The cloud provider's managed certificate service automatically handles certificate provisioning, renewal, and attachment to the load balancer, ensuring HTTPS traffic is encrypted with a trusted certificate from a public CA. This is the best practice because it offloads TLS termination to the load balancer, reducing the VM's CPU overhead and centralizing certificate management. It also ensures the certificate is automatically renewed before expiry, preventing service disruptions.

Exam trap

The trap here is that candidates may think manually installing a certificate from a public CA (Option D) is more secure or gives more control, but the cloud provider's managed service is the best practice because it automates lifecycle management and offloads TLS termination to the load balancer, reducing attack surface and operational burden.

How to eliminate wrong answers

Option B is wrong because a self-signed certificate is not trusted by client browsers, causing security warnings and breaking the trust model required for public HTTPS. Option C is wrong because disabling HTTPS removes application-layer encryption, leaving traffic vulnerable to interception even if network-level encryption (like IPsec) is used, as it does not protect against man-in-the-middle attacks at the application layer. Option D is wrong because manually installing a certificate and private key on the VM increases management overhead, risks exposing the private key, and does not leverage the cloud provider's automated renewal and load balancer integration.

2
MCQ · hard

Refer to the exhibit. A cloud administrator runs the above command on a Linux virtual machine. What is the effect of the current firewall rules?

A. All outgoing traffic is controlled by these rules.
B. All incoming traffic is allowed except RDP, which is dropped.
C. The firewall is blocking all traffic by default.
D. Only SSH, HTTP, and HTTPS are allowed; all other traffic is dropped.
Answer: B

The default policy is ACCEPT, so only the explicitly dropped port (3389) is blocked; all other ports are allowed.

Why this answer

The rules show ACCEPT for SSH (22), HTTP (80), and HTTPS (443), and DROP for RDP (3389). Since the default policy on the INPUT chain is ACCEPT, all other traffic is allowed, which is not secure. The administrator should set the default policy to DROP and only allow necessary ports.

3
Matching · medium

Match each storage type to its characteristic.

Descriptions

Data stored as objects with metadata

Data divided into blocks; used in SAN

Data stored in a hierarchical file system

Temporary storage tied to instance lifecycle

Why these pairings

Different storage types serve different use cases in cloud.

4
MCQ · medium

A cloud administrator is troubleshooting an issue where a user in the finance department cannot access a critical application hosted on a private cloud. The user can access other applications in the same subnet. The security team recently implemented a new network security policy. Which of the following is MOST likely causing the issue?

A. The user's VM is isolated from the subnet due to a misconfigured VLAN.
B. The user's account has been disabled due to a failed login attempt.
C. The hypervisor is denying access to the application due to a resource quota violation.
D. A host-based firewall rule is blocking the specific application port on the user's VM.
Answer: D

A host-based firewall rule could block only the specific port used by the application, which explains why other applications work.

Why this answer

Option D is correct because the user can access other applications in the same subnet, indicating network connectivity is intact, but a specific application is blocked. A host-based firewall rule on the user's VM (e.g., Windows Firewall or iptables) can filter traffic by port or protocol, and a newly implemented security policy likely added a rule blocking the port used by the critical application. This explains why only that application is inaccessible while others work.

Exam trap

The trap here is that candidates often assume network-level issues (like VLAN misconfiguration) or account problems, but the key clue is that other applications in the same subnet are accessible, pointing to a host-based filter rather than a network-wide or authentication issue.

How to eliminate wrong answers

Option A is wrong because a misconfigured VLAN would isolate the entire VM from the subnet, preventing access to all applications, not just one. Option B is wrong because a disabled account would prevent authentication to the application or network, but the user can still access other applications, indicating the account is active. Option C is wrong because a hypervisor resource quota violation would affect all VMs or applications on that host, not a single user's access to one application, and would typically cause performance issues or VM failure, not selective port blocking.

5
Drag & Drop · medium

Sequence the steps to configure a cloud monitoring alert for high memory usage on a virtual machine.


Why this order

Go to monitoring, create alarm, set threshold, configure notification, then test.

6
MCQ · easy

The above condition is included in an IAM policy. What does this condition restrict?

A. Access through a VPN connection.
B. Access to only requests from the IP range 192.168.1.0/24.
C. Access to only private IP addresses.
D. Access from a specific VPC.
Answer: B

The condition directly limits source IPs to that range.

Why this answer

Option B is correct because the aws:SourceIp condition key limits the source IP addresses to the specified range.

7
Multi-Select · easy

Which TWO steps should be performed to ensure that a new cloud user has only the minimum required permissions to perform their job? (Choose two.)

Select 2 answers
A. Assign the user to a group with broad administrator access for flexibility.
B. Provide permissions based on the user's specific job functions.
C. Remove the user's account immediately after granting access.
D. Create a custom role that includes all possible permissions.
E. Review and remove unnecessary permissions periodically.
Answers: B, E

Granting only what is needed for the job is the core of least privilege.

Why this answer

The principle of least privilege involves granting only necessary permissions and periodically reviewing them. Using a broad policy is the opposite. Removing the user is not appropriate.

Creating a group is good for management but not directly for least privilege.

8
MCQ · medium

A cloud architect is designing a multi-tier application. To ensure secure communication between the web tier and the application tier within the same VPC, which approach should be used?

A. Use a VPN between tiers.
B. Use internal IP addresses with network ACLs allowing all traffic from the web tier subnet.
C. Use public IP addresses with security groups.
D. Use a transit gateway with encryption.
Answer: B

Internal IPs and network ACLs securely isolate traffic within the VPC.

Why this answer

Option B is correct because using internal IPs with network ACLs provides network segmentation and control within the VPC.

9
MCQ · medium

A company's cloud environment uses a shared responsibility model. The security team notices that a data breach occurred due to misconfigured storage buckets in the public cloud. Which party is primarily responsible for this misconfiguration according to the shared responsibility model?

A. The cloud service provider
B. The cloud auditor
C. A third-party security vendor
D. The customer
Answer: D

The customer is responsible for configuring their storage buckets and managing access permissions.

Why this answer

Under the shared responsibility model, the customer is responsible for configuring their cloud resources securely, including storage bucket permissions. The cloud provider is responsible for the security of the cloud (infrastructure) but not for customer misconfigurations. The third-party vendor and cloud auditor are not directly responsible for the misconfiguration.

10
MCQ · medium

A cloud administrator is configuring a new virtual private cloud (VPC) and needs to ensure that traffic between web servers and database servers is restricted to only the necessary ports. Which security approach should the administrator implement?

A. Enable VPC flow logs to detect and block malicious traffic.
B. Configure a security group with inbound rules for the web tier and outbound rules for the database tier.
C. Create an IAM policy to restrict access between subnets.
D. Implement network ACLs with rules that allow only HTTP/HTTPS from web to database and block all other traffic.
Answer: D

Network ACLs are stateless and can be used to filter traffic between subnets at the VPC subnet boundary, with explicit allow/deny rules.

Why this answer

Network ACLs provide stateless filtering at the subnet level, allowing explicit allow/deny rules for inbound and outbound traffic. Security groups are stateful and operate at the instance level, but they are not as effective for subnet-level segmentation. IAM roles manage permissions for services, not traffic filtering.

Flow logs capture traffic information but do not restrict it.

11
MCQ · hard

A company uses a multi-account AWS organization with separate accounts for development, testing, and production. A developer in the development account needs to access an S3 bucket in the production account to retrieve log files for troubleshooting. The developer has an IAM user in the development account with full S3 permissions, and the production account's S3 bucket policy includes a statement that grants access to the root user of the development account. However, when the developer attempts to access the bucket using AWS CLI with their IAM user credentials, they receive an 'Access Denied' error. The security team has verified that there are no explicit deny policies in either account, and that the bucket policy is correctly configured. The administrator has confirmed that the developer's IAM user has permissions to perform S3 operations. Which of the following is the MOST likely cause of the access failure?

A. The developer's IAM user needs to be added to an IAM group in the production account.
B. The production account must have an IAM role with a trust policy that allows the development account to assume it.
C. A VPC peering connection must be established between the two accounts.
D. The developer should use the root user credentials of the development account to access the bucket.
Answer: B

An IAM role with a trust policy enables the developer to assume the role and access the bucket.

Why this answer

Cross-account S3 access typically requires the developer to assume an IAM role in the production account with a trust policy allowing the development account. The bucket policy granting access to the root user of the development account does not automatically grant access to IAM users in that account; the users must assume the role to get temporary credentials. Adding the user to a group in the target account is not possible across accounts.

Using root credentials is insecure. VPC peering addresses network connectivity, not IAM permissions.

12
MCQ · easy

A cloud architect is designing a solution to ensure that data at rest in an object storage bucket is encrypted. The company requires that the encryption keys are managed by an on-premises hardware security module (HSM) to maintain control. Which encryption approach should the architect choose?

A. Server-side encryption with cloud-managed keys (SSE).
B. Client-side encryption using a local library.
C. Disable encryption at rest to rely on network encryption.
D. Server-side encryption with customer-provided keys (SSE-C).
Answer: B

Client-side encryption allows the customer to encrypt data with keys stored on-premises before transmission, maintaining full control.

Why this answer

Client-side encryption allows the customer to encrypt data before sending it to the cloud, using keys managed on-premises. Server-side encryption with cloud-managed keys would have the cloud provider control the keys, negating the requirement. SSE-C allows the customer to provide their own encryption keys, but the keys must be sent to the cloud each time, which may not satisfy the on-premises management requirement.

Client-side encryption ensures data is encrypted before leaving the on-premises environment.

13
MCQ · easy

A company is migrating its on-premises workload to a public cloud. The security team wants to ensure that all data transmitted between the on-premises network and the cloud VPC is encrypted in transit and that the connection uses dedicated bandwidth. Which of the following should the security team implement?

A. Attach an internet gateway to the VPC and use public IP addresses.
B. Use a NAT gateway to translate private IPs to public IPs.
C. Configure a site-to-site VPN between the on-premises network and the cloud VPC.
D. Set up a direct connection between the on-premises router and the cloud VPC.
Answer: C

A site-to-site VPN encrypts data in transit and can provide a secure tunnel over the internet, though it doesn't guarantee dedicated bandwidth.

Why this answer

Option C is correct because a site-to-site VPN creates an encrypted tunnel (using IPsec/IKE) over the public internet, ensuring data in transit is encrypted. However, the question also requires dedicated bandwidth, which a VPN does not provide—it shares internet bandwidth. The correct answer should be a dedicated connection like AWS Direct Connect or Azure ExpressRoute, but since the question states 'dedicated bandwidth' and the only option that provides encryption is the VPN, C is the best choice among the options given.

Exam trap

The trap here is that candidates often assume a direct connection (Option D) automatically provides encryption, but it only provides a private, dedicated link—encryption must be explicitly configured, whereas a VPN inherently encrypts but does not guarantee dedicated bandwidth.

How to eliminate wrong answers

Option A is wrong because an internet gateway with public IPs exposes the VPC directly to the internet, does not encrypt traffic, and uses shared public bandwidth, not dedicated. Option B is wrong because a NAT gateway only translates private IPs to public IPs for outbound traffic, does not encrypt data in transit, and does not provide dedicated bandwidth. Option D is wrong because a direct connection (e.g., AWS Direct Connect) provides dedicated bandwidth but does not inherently encrypt data in transit; encryption must be added separately (e.g., IPsec over Direct Connect).

14
MCQ · hard

A multinational corporation runs a critical application on a private cloud hosted in their data center. The application uses virtual machines (VMs) that are attached to a storage area network (SAN) for block storage. The company is migrating the application to a public cloud IaaS model to reduce on-premises costs. The security team mandates that all data at rest in the cloud must be encrypted using customer-managed keys, and the cloud provider must not have access to the keys. The application requires low-latency block storage for a database. The storage must be replicated within the same region for availability. The cloud architect needs to choose a storage solution that meets these security and performance requirements. The cloud provider offers: (A) Object storage with server-side encryption using provider-managed keys. (B) Ephemeral instance storage with encryption at rest using provider-managed keys. (C) Persistent block storage volumes with encryption using customer-managed keys stored in the provider's key management service (KMS) integrated with hardware security modules (HSM). (D) Network file system (NFS) shares encrypted with customer-managed keys managed on-premises. Which option should the architect choose?

A. Object storage with server-side encryption using provider-managed keys.
B. Ephemeral instance storage with encryption at rest using provider-managed keys.
C. Network file system (NFS) shares encrypted with customer-managed keys managed on-premises.
D. Persistent block storage volumes with encryption using customer-managed keys stored in the provider's KMS/HSM.
Answer: D

Meets all requirements: block storage, persistent, encrypted with customer-managed keys, and provider cannot access keys.

Why this answer

Option D is correct because it provides persistent block storage for low-latency database needs, and the encryption uses customer-managed keys stored in the provider's KMS/HSM, ensuring the provider cannot access the keys (the keys are encrypted by the HSM and the customer retains control). Option A is wrong because object storage is not suitable for low-latency block storage, and the keys are provider-managed. Option B is wrong because ephemeral storage is not persistent and replication is not guaranteed; it also uses provider-managed keys.

Option C is wrong because NFS is file storage, not block, and managing keys on-premises would add latency and complexity.

15
MCQ · medium

A healthcare organization uses a cloud-based virtual private cloud (VPC) to host a web application that processes protected health information (PHI). The application consists of a public-facing load balancer, a web server tier in a public subnet, and a database tier in a private subnet. The database runs on a managed relational database service with encryption at rest enabled using a cloud provider-managed key. The security auditor requires that the database encryption key must be controlled by the organization and rotated every 90 days. Additionally, the database must only be accessible from the web server tier. The database is currently accessible from the entire VPC CIDR block. What should the cloud administrator do to meet these requirements?

A. Export the database, disable encryption, and import into a new database with a customer-managed key.
B. Enable encryption with a provider-managed key and restrict database access using a network ACL.
C. Re-encrypt the database using a customer-managed key in the cloud provider's key management service, and update the database security group to only allow traffic from the web server security group.
D. Encrypt the web server's storage with a customer-managed key and keep the database encryption as is.
Answer: C

Customer-managed keys allow rotation, and security groups restrict access to the web tier only.

Why this answer

Option C is correct because enabling encryption using a customer-managed key in the provider's KMS allows the organization to control and rotate the key, and updating the security group to allow traffic only from the web server tier's security group restricts access. Option B is wrong because provider-managed keys do not give the organization control. Option A is wrong because moving to an unencrypted database is not acceptable.

Option D is wrong because encrypting the web server does not address database encryption or access control.

16
MCQ · medium

A cloud administrator notices that an IAM role in a public cloud environment has permissions to perform all actions on all resources. The principle of least privilege should be applied. What is the best first step to reduce the security risk?

A. Delete the role and create a new one with minimal permissions immediately.
B. Create a new role with fewer permissions and ask users to switch roles.
C. Review the role's attached policies and identify unused or unnecessary permissions.
D. Modify the role's trust policy to restrict which users can assume it.
Answer: C

This allows targeted removal of excessive permissions while maintaining functionality.

Why this answer

Option C is correct because reviewing current permissions identifies specific unnecessary privileges before making changes, minimizing disruption. The other options are too drastic or do not address the root cause.

17
MCQ · hard

A company uses a cloud provider's identity federation to allow employees to sign in using their corporate Active Directory credentials. After a merger, employees from the acquired company need access. What must be modified to enable federated access for the new users without disrupting existing access?

A. Create a separate federation agreement for the new domain.
B. Manually create cloud IAM users for each employee.
C. Create a new identity provider in the cloud.
D. Update the trust policy to include the new Active Directory domain.
Answer: D

This seamlessly adds the new domain to the existing federation setup.

Why this answer

Option D is correct because updating the trust policy to include the new domain allows federation from both domains under the same identity provider.

18
MCQ · hard

A cloud engineer runs the commands shown in the exhibit. Based on the output, which security issue is present?

A. The bastion host is not used for SSH access.
B. The web servers are not running.
C. The firewall rule allows SSH access from any source IP.
D. There are too many firewall rules allowing SSH.
Answer: C

The sourceRanges is 0.0.0.0/0, meaning all IPs can SSH into the instances.

Why this answer

Option C is correct because the firewall rule allow-ssh allows SSH (tcp:22) from all IP addresses (0.0.0.0/0), which is a security risk. Option A is wrong because the bastion host is separate. Option D is wrong because there is only one rule shown.

Option B is wrong because the instances are running normally.

19
MCQ · medium

A cloud security analyst finds the above JSON policy attached to an S3 bucket containing confidential customer data. What change must be made to comply with the principle of least privilege?

A. Restrict the Principal to a specific AWS account or user.
B. Change the Effect to 'Deny'.
C. Change the Action to 's3:PutObject'.
D. Remove the Resource field.
Answer: A

This limits access to only authorized identities.

Why this answer

Option A is correct because a wildcard Principal allows anonymous access; restricting it to a specific principal ensures only authorized entities can access the data.

20
Multi-Select · medium

Which TWO actions should a cloud administrator take to protect against data exfiltration from a cloud storage bucket? (Choose two.)

Select 2 answers
A. Implement server-side encryption with SSE-S3.
B. Enable object versioning on the bucket.
C. Configure bucket access logs for monitoring.
D. Block all public access by configuring bucket policies and ACLs.
E. Enable MFA delete on the bucket.
Answers: A, D

Encryption protects data at rest; even if exfiltrated, the data is unreadable without the key.

Why this answer

Enabling object versioning allows recovery if data is deleted or overwritten but does not prevent exfiltration. Requiring MFA for delete operations prevents unauthorized deletion but not reading. Restricting public access and encrypting data at rest are effective controls against exfiltration.

Audit logging is detective, not preventive.

21
MCQ · hard

Refer to the exhibit. A cloud security engineer is reviewing an S3 bucket policy that controls access to the 'example-bucket' bucket. The 'AdminRole' IAM role attempts to upload an object to the bucket using the AWS CLI without specifying the '--server-side-encryption' parameter. The object transfer uses HTTPS. What will be the outcome?

A. The upload succeeds but the object is stored without server-side encryption.
B. The upload succeeds because the request uses HTTPS and the role is allowed.
C. The upload fails because the condition in the Allow statement is not satisfied.
D. The upload fails because the Deny statement blocks all requests that are not using HTTPS.
Answer: C

The Allow requires the encryption header to equal AES256, which is not provided.

Why this answer

The S3 bucket policy includes an Allow statement with a condition that requires `s3:x-amz-server-side-encryption` to be `AES256`. Since the `AdminRole` IAM role did not specify the `--server-side-encryption` parameter, the condition is not satisfied, and the Allow statement does not grant permission. Without a matching Allow, the default implicit deny applies, causing the upload to fail.

Exam trap

CompTIA often tests the nuance that a condition in an Allow statement can cause a request to fail even when the principal and action are permitted, because the condition must be satisfied for the Allow to grant access.

How to eliminate wrong answers

Option A is wrong because the condition in the Allow statement explicitly requires server-side encryption with AES256; without it, the request is not allowed, so the upload does not succeed. Option B is wrong because HTTPS alone does not satisfy the condition for server-side encryption; the policy requires both the role to be allowed and the encryption header to be present. Option D is wrong because the Deny statement blocks requests not using HTTPS, but the request does use HTTPS, so the Deny does not apply; the failure is due to the Allow condition not being met.

22
MCQ · hard

A security analyst is investigating a potential data exfiltration from a cloud environment. The analyst finds that an instance IAM role was assumed by a compromised user, and the role has permissions to read from a sensitive database. What is the BEST way to prevent this type of attack in the future?

A. Enforce MFA for all users and require MFA when assuming the role.
B. Add a resource-based policy to the database to deny access from the role.
C. Rotate the IAM role's access keys every 30 days.
D. Remove the IAM role and use a service account instead.
Answer: A

MFA adds a second factor, making it much harder for attackers to use stolen credentials.

Why this answer

Option A is correct because using multi-factor authentication (MFA) for all users and requiring MFA for role assumption can prevent unauthorized access even if credentials are compromised. Option C is wrong because rotating keys after the fact does not prevent future compromise. Option B is wrong because resource policies do not prevent compromised users from assuming roles.

Option D is wrong because removing the role would break functionality.

23
MCQ · hard

A user attempted to copy an encrypted snapshot to a different region and received the above error. What is the most likely cause?

A. The snapshot size exceeds the regional limit.
B. The user does not have permission to create snapshots in the destination region.
C. The snapshot was created in a different region using a regional KMS key that is not present in the destination region.
D. The KMS key used to encrypt the snapshot has been deleted.
Answer: C

Regional keys cannot be used across regions by default.

Why this answer

Option C is correct because the error indicates the KMS key is not present in the destination region, which occurs when a regional key is used.

24
Multi-Select · easy

A cloud administrator is configuring a new virtual private cloud (VPC) with a public subnet for a web application. The administrator must ensure that the web application can receive HTTPS traffic from the internet but cannot be directly accessed via SSH. Which TWO security controls should the administrator implement? (Choose two.)

Select 2 answers
A. Attach an internet gateway (IGW) to the VPC and enable auto-assign public IP on the subnet.
B. Configure a network ACL on the subnet to allow inbound TCP ports 80 and 443 from 0.0.0.0/0 and deny inbound TCP port 22.
C. Place the web server in a private subnet and use a NAT gateway for outbound traffic.
D. Configure a security group that allows inbound TCP port 443 from 0.0.0.0/0 and denies inbound TCP port 22.
E. Deploy a web application firewall (WAF) in front of the web server.
Answers: B, D

Network ACLs are stateless and provide subnet-level filtering; allowing HTTP/HTTPS and denying SSH adds defense.

Why this answer

Option B is correct because a network ACL (NACL) is a stateless firewall that operates at the subnet level, allowing you to explicitly deny inbound TCP port 22 (SSH) while allowing TCP ports 80 and 443 (HTTP/HTTPS) from 0.0.0.0/0. Option D is correct because a security group (SG) is a stateful firewall at the instance level; by default, SGs deny all inbound traffic, so you must explicitly allow TCP port 443 from 0.0.0.0/0, and since SSH (port 22) is not allowed, it is implicitly denied. Together, these provide defense-in-depth: the NACL blocks SSH at the subnet boundary, and the SG ensures only HTTPS is permitted to the web server.

Exam trap

CompTIA often tests the distinction between stateless (NACL) and stateful (security group) firewalls, and the trap here is that candidates may think a security group alone is sufficient to deny SSH, forgetting that a permissive NACL could allow SSH traffic to reach the subnet, or they may incorrectly assume a WAF can block SSH at the network layer.

25
MCQ · hard

A cloud administrator is troubleshooting connectivity to a web server running on a Linux VM. The web server is configured to listen on ports 80 (HTTP) and 443 (HTTPS). The administrator runs the iptables command shown in the exhibit. Based on the output, what is the MOST likely reason that external users cannot access the web server on port 443?

A. The web server is not configured to listen on port 443, so iptables rules are irrelevant.
B. The iptables default policy is ACCEPT, but the rule for port 443 explicitly drops traffic from external sources.
C. The rule for port 80 is placed before the rule for port 443, causing all HTTPS traffic to be evaluated as HTTP and dropped.
D. The iptables rule for port 443 only allows traffic from the 10.0.0.0/8 subnet, which does not include external IP addresses.
Answer: D

The rule for HTTPS only accepts from the private subnet, so external traffic is dropped by the default DROP policy.

Why this answer

Option D is correct because the iptables rule for port 443 specifies a source IP range of 10.0.0.0/8, which is a private RFC 1918 address space. External users have public IP addresses that do not fall within this subnet, so their HTTPS traffic is implicitly dropped by the rule's match condition. The default policy being ACCEPT does not override the explicit rule that only permits traffic from the 10.0.0.0/8 subnet.

Exam trap

The trap here is that candidates assume a default ACCEPT policy means all traffic is allowed, overlooking that an explicit rule with a restrictive source match will only permit traffic from that source, effectively denying all others by not matching.

How to eliminate wrong answers

Option A is wrong because the question states the web server is configured to listen on port 443, so the issue is not a misconfigured web server. Option B is wrong because the iptables output does not show an explicit DROP rule for port 443; instead, it shows an ACCEPT rule restricted to a specific source subnet, which implicitly drops all other traffic. Option C is wrong because iptables processes rules sequentially, but the rule for port 80 (HTTP) does not affect HTTPS traffic on port 443; each rule is evaluated independently based on protocol and port match.

26
MCQeasy

A small business uses a public cloud IaaS to host a single Windows virtual machine (VM) running a line-of-business application. The VM has a public IP address and is in a network security group that allows RDP (port 3389) from the internet (0.0.0.0/0). The administrator frequently connects from home and various client sites. The administrator is concerned about brute force attacks on the RDP service. The business does not have a VPN server. What is the best way to secure the RDP access without changing the public IP address or blocking all external access?

A.Remove the public IP address and use a bastion service like Azure Bastion or AWS Systems Manager Session Manager to access the VM via RDP over HTTPS.
B.Change the RDP port to a non-standard port (e.g., 3390).
C.Enable multi-factor authentication (MFA) on the local Windows user accounts.
D.Disable password authentication and require smart card certificates for RDP.
AnswerA

This eliminates direct public exposure of RDP and provides secure, audited access.

Why this answer

Option A is correct because using Azure Bastion or AWS Systems Manager Session Manager allows RDP access without exposing a public RDP port. Option B is wrong because changing the port is security through obscurity and does not prevent brute force. Option C is wrong because enabling MFA on the VM itself is not straightforward without domain join, and it still leaves the port open.

Option D is wrong because disabling password authentication and using only certificates still leaves the port open to brute force on the certificate challenges.

27
MCQeasy

A company hosts its critical applications on a cloud provider's virtual machines within a virtual private cloud. The security team receives an alert from the intrusion detection system indicating that one of the VMs is exhibiting signs of a ransomware infection. The administrator connects to the VM via a bastion host and observes that several important files have been encrypted and a ransom note has been left. The incident response plan is still being developed, but the administrator knows the immediate priority is to contain the threat and prevent it from spreading to other VMs and storage resources. The company has daily backups stored in a separate cloud storage service that is not directly accessible from the production network. Which of the following actions should the administrator take FIRST to contain the incident and minimize further damage?

A.Restore the VM from the most recent backup.
B.Notify law enforcement about the ransomware attack.
C.Run a full antivirus scan on the infected VM.
D.Immediately disconnect the network interface of the infected VM.
AnswerD

This isolates the VM, preventing lateral movement and further encryption.

Why this answer

Isolating the infected VM by disconnecting its network interface stops the ransomware from communicating with command-and-control servers and prevents lateral movement. Restoring from backup without verification may reintroduce the infection. Notifying law enforcement is important but not the first step.

Running antivirus on the active VM could trigger further encryption or be ineffective.

28
MCQeasy

A company wants to protect data in transit between its on-premises data center and a public cloud environment. Which technology should be used to create a secure encrypted tunnel over the internet?

AnswerD

VPNs (IPsec or SSL VPNs) are designed to create secure tunnels over public networks.

Why this answer

A VPN (Virtual Private Network) creates an encrypted tunnel over the internet. TLS is used for web traffic, not for site-to-site tunnels. SSH is for remote admin, and a firewall is for filtering, not encrypting tunnels.

29
Drag & Dropmedium

Sequence the steps to troubleshoot a cloud-based application that is not accessible from the internet.


Why this order

Start with basic checks: security groups, VM state, connectivity, then move to higher-level components and logs.

30
MCQhard

A company has deployed a multi-tier application on a public cloud platform. The security team discovers that a Compute Instance is communicating with an external IP address known for malicious activity. The instance is part of an auto scaling group. What is the BEST immediate action to contain the threat while minimizing downtime?

A.Suspend the auto scaling group to prevent additional instances from being launched.
B.Remove the instance from the auto scaling group and attach a security group that blocks all traffic.
C.Use a routing table blackhole to drop traffic from the instance.
D.Modify the network ACL for the subnet to deny traffic to the malicious IP.
AnswerB

This isolates the specific instance without affecting other instances, and blocking traffic stops the malicious communication.

Why this answer

Isolating the compromised instance by detaching it from the auto scaling group and applying a security group that denies all traffic can quickly contain the threat. Network ACLs are attached to subnets and changing them could affect other instances. Suspending the auto scaling group alone may not stop the current instance.

Updating routing tables is complex and could disrupt legitimate traffic.

31
Multi-Selecthard

Which THREE elements are required for a complete key lifecycle management strategy in a cloud environment? (Choose three.)

Select 3 answers
A.Secure key generation
B.Key destruction
C.Key backup and recovery
D.Key rotation
E.Key access control
AnswersA, B, D

Keys must be generated securely, often from a hardware security module or using cryptographically sound methods.

Why this answer

Secure key generation is the foundational first step in a key lifecycle management strategy. In a cloud environment, keys must be generated using a FIPS 140-2 validated hardware security module (HSM) or a cloud provider's equivalent (e.g., AWS CloudHSM, Azure Key Vault Premium) to ensure cryptographic strength and prevent exposure of the private key material during creation.

Exam trap

CompTIA often tests the distinction between the mandatory lifecycle phases (generation, rotation, destruction) and supporting security controls (access control, backup) to trap candidates who confuse operational best practices with the required lifecycle stages.

32
Multi-Selectmedium

Which TWO of the following are best practices for securing a cloud object storage bucket?

Select 2 answers
A.Enable bucket versioning.
B.Set the bucket ACL to public-read-write for ease of access.
C.Configure a lifecycle policy to delete objects after 30 days.
D.Use bucket policies to restrict access to specific AWS accounts or IAM roles.
E.Encrypt all objects using server-side encryption.
AnswersA, D

Versioning allows recovery from accidental deletion or ransomware.

Why this answer

Options A and D are correct. Enabling versioning helps protect against accidental deletion or overwrite, and bucket policies can restrict access to specific principals. Option B is wrong because public access is generally not recommended.

Option C is wrong because lifecycle policies are for management, not security. Option E is wrong because encryption is important but does not enforce access control.

33
MCQeasy

A company stores sensitive data in a cloud object storage. They want to ensure that data is automatically deleted after a retention period of 7 years to comply with legal requirements. Which feature should be used?

A.Versioning with delete markers.
B.Object lock with retention mode.
C.Lifecycle policy with expiration.
D.AWS Config rules.
AnswerC

Lifecycle policies automate object expiration based on age.

Why this answer

Option C is correct because lifecycle policies can automatically expire objects after a specified number of days.

34
MCQmedium

Refer to the exhibit. What is the effect of this bucket policy?

A.It requires users to authenticate with AWS IAM before accessing the bucket.
B.It allows anyone to read objects in example-bucket only if they come from the specified IP range.
C.It allows only the specified IP range to write objects.
D.It denies all access to the bucket except from the specified IP range.
AnswerB

The effect is Allow, principal is *, action is GetObject, and condition restricts by source IP.

Why this answer

The policy allows s3:GetObject to any principal (*) but only if the request originates from the IP range 203.0.113.0/24. This is a common way to restrict access to a specific network. It does not deny other IPs explicitly; it just doesn't allow them.

It does not require authentication; the principal is *.
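How the described policy is evaluated, as an added example that is not from the question bank: a minimal Python evaluator with the exhibit reconstructed from the explanation (Effect Allow, Principal "*", s3:GetObject on example-bucket, aws:SourceIp 203.0.113.0/24). The Sid, the request shape, the object key and the sample source addresses are constructed, and the evaluator supports only the policy fields this statement uses.

```python
"""Evaluate a simplified S3 bucket policy against sample requests.

Added example, not from the question bank. BUCKET_POLICY is a constructed
reconstruction of the exhibit as the explanation describes it.
"""
import json
from ipaddress import ip_address, ip_network
from typing import Dict, List

BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetFromOneRange",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
    }
  ]
}
""")


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def _resource_matches(pattern: str, resource: str) -> bool:
    # Only the trailing "/*" wildcard is supported; that is all this policy needs.
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def _condition_holds(condition: Dict, request: Dict) -> bool:
    cidrs = _as_list(condition.get("IpAddress", {}).get("aws:SourceIp", []))
    if cidrs:
        src = ip_address(request["source_ip"])
        if not any(src in ip_network(c) for c in cidrs):
            return False
    return True


def evaluate(policy: Dict, request: Dict) -> str:
    """Return 'explicit deny', 'allow' or 'implicit deny'.

    Mirrors the policy evaluation order: an explicit Deny always wins, an
    applicable Allow grants access, and a request no statement applies to is
    implicitly denied. A statement whose condition fails simply does not apply.
    """
    decision = "implicit deny"
    for stmt in policy["Statement"]:
        principal_ok = stmt["Principal"] == "*" or request["principal"] in _as_list(stmt["Principal"])
        action_ok = request["action"] in _as_list(stmt["Action"])
        resource_ok = any(_resource_matches(r, request["resource"]) for r in _as_list(stmt["Resource"]))
        if not (principal_ok and action_ok and resource_ok):
            continue
        if not _condition_holds(stmt.get("Condition", {}), request):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"
        decision = "allow"
    return decision


def request(action: str, source_ip: str, principal: str = "anonymous",
            key: str = "report.pdf") -> Dict:
    """Build a constructed request record for example-bucket."""
    return {"action": action, "source_ip": source_ip, "principal": principal,
            "resource": f"arn:aws:s3:::example-bucket/{key}"}


if __name__ == "__main__":
    cases = [
        request("s3:GetObject", "203.0.113.50"),  # unauthenticated, inside the range
        request("s3:GetObject", "198.51.100.5"),  # outside the range: not denied, just never allowed
        request("s3:PutObject", "203.0.113.50"),  # writes are not granted by this policy
    ]
    for r in cases:
        print(f'{r["principal"]} {r["action"]} from {r["source_ip"]}: {evaluate(BUCKET_POLICY, r)}')
```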

35
MCQeasy

A cloud administrator is tasked with ensuring that only encrypted connections are used to transfer files to a cloud storage bucket. Which of the following should the administrator enforce?

A.Use HTTP with a custom header.
B.Allow FTP but restrict to specific IPs.
C.Require HTTPS for all uploads.
D.Enable SFTP access to the bucket.
AnswerC

HTTPS encrypts data in transit.

Why this answer

HTTPS (HTTP over TLS) encrypts data in transit using TLS, ensuring that files uploaded to a cloud storage bucket are protected from eavesdropping and tampering. By requiring HTTPS for all uploads, the administrator enforces encrypted connections as mandated by the security policy, which is a standard practice for cloud storage services like AWS S3 or Azure Blob Storage.

Exam trap

The trap here is that candidates may confuse SFTP (which is encrypted) with FTP (which is not), and incorrectly assume that enabling SFTP is the correct answer, but the question specifically targets the standard encrypted protocol for cloud storage bucket uploads, which is HTTPS.

How to eliminate wrong answers

Option A is wrong because HTTP with a custom header does not provide encryption; the data is still transmitted in plaintext, making it vulnerable to interception. Option B is wrong because FTP transmits data and credentials in cleartext, and restricting by IP does not encrypt the connection, leaving it susceptible to packet sniffing. Option D is wrong because SFTP (SSH File Transfer Protocol) encrypts the connection, but the question specifically asks for encrypted connections to transfer files to a cloud storage bucket; while SFTP is encrypted, it is not the standard protocol for cloud storage bucket uploads (which typically use HTTPS), and enabling it may introduce unnecessary complexity or security risks if not properly managed.

36
Multi-Selectmedium

A cloud administrator notices that an IAM user has permissions that are not explicitly assigned. The administrator suspects that the user is inheriting permissions through group membership or role assignment. Which TWO methods can the administrator use to identify all effective permissions for this user? (Choose TWO.)

Select 2 answers
A.List the user's group memberships and examine the policies attached to those groups and any roles the user can assume.
B.Review the user's recent access logs to see which actions were allowed.
C.Check the resource-based policies on each resource the user might access.
D.Use a 'simulate principal policy' API call to evaluate the user's effective permissions.
E.Log in as the root user and run a permissions report.
AnswersA, D

This helps in understanding the inherited permissions.

Why this answer

Option A is correct because group memberships and assumable roles are common sources of inherited permissions. By listing the user's groups and examining the policies attached to those groups, as well as any roles the user can assume, the administrator can trace the origin of the unexpected permissions. This method directly identifies the inheritance chain that grants permissions not explicitly assigned to the user.

Exam trap

CompTIA often tests the distinction between inherited permissions (from groups/roles) and explicit permissions, and the trap here is that candidates may confuse reviewing access logs (which show past actions) with evaluating effective permissions (which shows potential actions).

37
MCQmedium

A company's IaaS environment has a high rate of failed login attempts to a critical database server. The security team wants to temporarily block the source IPs after 5 failed attempts within 10 minutes. Which security control should be implemented?

A.Enable TLS mutual authentication for the database.
B.Deploy a web application firewall (WAF) with rate-limiting rules.
C.Implement a cloud access security broker (CASB).
D.Configure host-based firewall rules on each database server.
AnswerB

WAF can inspect traffic and block IPs after a threshold of failed attempts.

Why this answer

Option B is correct because a web application firewall (WAF) can rate-limit and block IPs based on failed login attempts. Option D is wrong because host-based firewalls are not centrally managed. Option C is wrong because a CASB is for cloud access management, not for blocking brute-force attempts.

Option A is wrong because TLS encryption does not prevent brute force.
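The threshold rule the question states (block a source after 5 failed attempts within 10 minutes), as an added example that is not from the question bank: a sliding-window detector in Python run over constructed log lines of the kind a WAF or host-based rule would evaluate. The `timestamp ip outcome` log format and the sample addresses are assumptions.

```python
"""Detect sources exceeding a failed-login threshold in a sliding window.

Added example, not from the question bank. SAMPLE_LOG is constructed; the
threshold and window are the ones the question specifies.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed sample log: one noisy source and one legitimate user who mistyped once.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z 198.51.100.23 FAILED
2024-05-01T09:01:10Z 198.51.100.23 FAILED
2024-05-01T09:02:15Z 203.0.113.8 FAILED
2024-05-01T09:02:40Z 203.0.113.8 SUCCESS
2024-05-01T09:03:20Z 198.51.100.23 FAILED
2024-05-01T09:04:25Z 198.51.100.23 FAILED
2024-05-01T09:05:30Z 198.51.100.23 FAILED
2024-05-01T09:20:00Z 198.51.100.23 FAILED
"""


def parse(line: str) -> Tuple[datetime, str, str]:
    """Split a 'timestamp ip outcome' line (assumed format)."""
    ts, ip, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, outcome


def find_blocks(log: str, threshold: int = THRESHOLD,
                window: timedelta = WINDOW) -> List[Tuple[str, str]]:
    """Return (ip, iso_time) pairs at which a source crossed the threshold.

    Failure times per source are kept in a deque; entries older than the
    window are evicted before each count, so only a dense burst triggers a
    block and scattered failures over a long period do not.
    """
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    blocks: List[Tuple[str, str]] = []
    for line in log.splitlines():
        ts, ip, outcome = parse(line)
        if outcome != "FAILED":
            continue
        window_start = ts - window
        q = failures[ip]
        while q and q[0] <= window_start:
            q.popleft()
        q.append(ts)
        if len(q) >= threshold:
            blocks.append((ip, ts.isoformat()))
            q.clear()  # reset so one burst is reported once, not on every later failure
    return blocks


if __name__ == "__main__":
    for ip, when in find_blocks(SAMPLE_LOG):
        print(f"block {ip} from {when} ({THRESHOLD} failures within {WINDOW})")
```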

38
MCQeasy

Which of the following is the best practice for securely storing secrets such as database passwords in a cloud environment?

A.Hard-code the secrets in the application code.
B.Store secrets in a configuration file in the repository.
C.Encrypt secrets and store them in a shared storage.
D.Use a dedicated secrets management service.
AnswerD

Services like AWS Secrets Manager or Azure Key Vault are purpose-built for secure secret storage.

Why this answer

Option D is correct because dedicated secrets management services provide secure storage, rotation, and access control.

39
Multi-Selecteasy

Which TWO of the following are common security concerns specific to a public cloud infrastructure?

Select 2 answers
A.Exposure of insecure application programming interfaces (APIs).
B.Physical theft of servers from data centers.
C.Packet sniffing on the provider's internal network.
D.Misconfiguration of cloud resources leading to data exposure.
E.Hypervisor-level malware.
AnswersA, D

APIs are often targeted by attackers if not properly secured.

Why this answer

Options A and D are correct. Insecure APIs are a top cloud security concern because they allow programmatic access, and misconfigured storage can lead to data exposure. Option B is wrong because physical security is the provider's responsibility.

Option C is wrong because packet sniffing is unlikely in multitenant clouds. Option E is wrong because hypervisor vulnerabilities are rare and quickly patched.

40
MCQhard

During a security audit, it is discovered that a cloud application can be accessed using a shared service account that has elevated privileges. The audit recommends implementing a just-in-time (JIT) access model. What is the primary benefit of JIT access in this scenario?

A.Automates auditing of third-party access.
B.Allows for easier management of user identities.
C.Reduces the attack surface by minimizing persistent privileged access.
D.Eliminates the need for user authentication.
AnswerC

JIT ensures that elevated permissions are granted only for specific times and tasks, so compromised credentials have a limited window of opportunity.

Why this answer

JIT access grants temporary elevated privileges only when needed, reducing the risk of standing privileged access. It enables real-time approval workflows. It does not directly manage identities nor automate audits of third-party access; those are secondary benefits.

41
MCQmedium

A mid-sized company is migrating its on-premises applications to a public cloud. The security team has implemented a cloud access security broker (CASB) to monitor and enforce policies for sensitive data. The company uses a multi-cloud environment with both AWS and Azure. After deployment, the security team receives alerts that a developer accidentally exposed a set of credentials in a public GitHub repository. The credentials were associated with a service account that has read-write access to an AWS S3 bucket containing customer PII (personally identifiable information). The team immediately revokes the credentials and rotates the access keys. The security team wants to prevent such incidents in the future and ensure that any exposed credentials are promptly detected without relying solely on manual GitHub scans. The company also wants to maintain a least-privilege model for all cloud resources. Given this scenario, which of the following actions should the security team take FIRST to reduce the risk of credential exposure and improve detection?

A.Implement a periodic secret scanning tool that runs every 24 hours and reports any found credentials to the security team.
B.Configure the CASB to integrate with the GitHub API to continuously scan for exposed secrets and automatically trigger alerts.
C.Disable all public repositories and require all code to be stored in private repositories with strict branch protection rules.
D.Require all developers to use a password manager to store secrets and set up a process to manually review GitHub commits.
AnswerB

CASB can monitor SaaS applications like GitHub for policy violations, including exposed credentials, and provide real-time alerts.

Why this answer

Option B is correct because a CASB is designed to integrate with cloud services like GitHub via APIs to provide continuous monitoring and policy enforcement. By configuring the CASB to scan GitHub repositories in real-time, the security team can detect exposed credentials immediately upon commit, rather than relying on periodic scans or manual reviews. This aligns with the requirement for prompt detection without manual intervention and leverages the existing CASB investment for multi-cloud environments.

Exam trap

CompTIA often tests the distinction between periodic and continuous detection mechanisms, where candidates may choose a periodic scanning tool (Option A) because it seems simpler, but the question explicitly requires prompt detection without relying solely on manual scans, making real-time CASB integration the correct first action.

How to eliminate wrong answers

Option A is wrong because a periodic secret scanning tool that runs every 24 hours introduces a detection delay, which contradicts the requirement for prompt detection of exposed credentials; real-time detection is needed to minimize the window of exposure. Option C is wrong because disabling all public repositories and requiring private repositories with branch protection rules reduces the attack surface but does not address the detection of already-exposed credentials or prevent accidental commits of secrets to private repositories; it also ignores the need for continuous monitoring. Option D is wrong because requiring developers to use a password manager and manually review commits is a procedural control that lacks automation and scalability, failing to meet the requirement for prompt detection without relying solely on manual scans.

42
Multi-Selecteasy

Which TWO of the following are effective methods to protect data in transit within a cloud environment? Select two.

Select 2 answers
A.Object-level ACLs
B.Server-side encryption with AES-256
C.Data masking
D.VPN overlay networks
E.TLS/SSL encryption
AnswersD, E

VPNs encrypt traffic between endpoints or networks.

Why this answer

Options D and E are correct because TLS and VPNs encrypt data during transmission. The other options are for data at rest or data masking.

43
MCQmedium

A security team wants to implement host-based intrusion detection on their virtual machines in a public cloud. Which approach provides the most effective detection while minimizing performance impact?

A.Install an antivirus agent on each VM.
B.Enable network traffic logging at the hypervisor level.
C.Enable VPC flow logs and analyze them.
D.Use a cloud-native security service that deploys an agent to monitor system logs and file integrity.
AnswerD

These services are purpose-built for host-based intrusion detection and are optimized for cloud environments.

Why this answer

Option D is correct because cloud-native security services with agents are optimized for host-based detection with minimal overhead.

44
MCQhard

A company is migrating a legacy application to a public cloud. The application requires a static IP address for licensing. The security team insists on encrypting all traffic between the application and the database. Which of the following should the cloud architect implement?

A.Create a VPN connection between the application and database subnets.
B.Assign an elastic IP and use NAT.
C.Use TLS certificates on the web server.
D.Deploy a site-to-site VPN from the cloud to the on-premises data center.
AnswerA

A VPN encrypts traffic between the two subnets, and a static IP can be assigned to the application.

Why this answer

Option A is correct because creating a VPN connection between the application and database subnets establishes an encrypted tunnel (using IPsec or TLS-based VPN protocols) that ensures all traffic between the two subnets is encrypted, meeting the security team's requirement. Additionally, the application's need for a static IP address can be satisfied by assigning a static private IP to the application instance within its subnet, while the VPN provides secure communication without exposing traffic to the public internet.

Exam trap

The trap here is that candidates may confuse encrypting traffic between application and database with encrypting external web traffic (TLS) or assume that a site-to-site VPN is needed, but the key is that both components are in the cloud and the encryption must cover internal subnet-to-subnet communication, not just internet-facing connections.

How to eliminate wrong answers

Option B is wrong because assigning an elastic IP and using NAT only provides a static public IP address for outbound internet access and does not encrypt traffic between the application and database; NAT translates IP addresses but does not provide encryption. Option C is wrong because TLS certificates on the web server only encrypt traffic between clients and the web server (typically HTTPS), not the internal traffic between the application and the database, which is a different communication path. Option D is wrong because a site-to-site VPN connects the cloud VPC to an on-premises data center, but the question specifies that the application and database are both in the public cloud, so this would not encrypt traffic between them within the same cloud environment.

45
MCQeasy

A cloud security team needs to ensure that all API calls made to the cloud provider are logged and monitored for suspicious activity. Which service should be enabled?

A.Deploy a web application firewall (WAF).
B.Configure an intrusion detection system (IDS) on the network.
C.Enable cloud audit logging for the management console and API calls.
D.Implement a security information and event management (SIEM) system.
AnswerC

Audit logs capture every API call for compliance and monitoring.

Why this answer

Option C is correct because a cloud audit log (e.g., AWS CloudTrail, Azure Monitor) records all API calls. Option A is wrong because a WAF inspects web traffic, not API calls. Option D is wrong because a SIEM is a separate system that ingests logs.

Option B is wrong because an IDS/IPS focuses on network traffic, not API-level actions.

46
MCQhard

During a security audit, an organization discovers their cloud-based database is accessible from any public IP address due to a firewall rule allowing 0.0.0.0/0 on port 3306 (MySQL). The database must remain accessible to remote developers working from home. What is the most effective remediation?

A.Remove the firewall rule entirely and rely on database IAM authentication.
B.Enable encryption in transit using TLS and keep the rule as is.
C.Change the firewall rule to allow only specific known developer IP ranges.
D.Move the database to a private subnet without a NAT gateway.
AnswerC

This minimizes attack surface while preserving access.

Why this answer

Option C is correct because restricting to specific trusted IP ranges reduces exposure while maintaining remote access.

47
MCQmedium

A company is migrating a legacy on-premises application to a cloud VM. The application requires a static private IP address for compliance. During a disaster recovery failover, the VM must automatically retain the same IP address in the secondary region. Which solution should be used?

A.Provision a reserved static private IP address that can be reassigned to the new VM.
B.Use a dynamic IP address and update DNS after failover.
C.Use a load balancer with a fixed IP and point it to the VM's current private IP.
D.Assign an elastic IP (public) and configure a VPN.
AnswerA

Reserved static IPs are portable and can be assigned to another VM in another region.

Why this answer

Option A is correct because a reserved IP address can be assigned to a VM and moved between regions for failover. Option B is wrong because a dynamic IP will change. Option D is wrong because elastic IPs are public.

Option C is wrong because a load balancer may change the backend IP.

48
Multi-Selecthard

Which THREE of the following are valid methods to manage identity and access in a multi-cloud environment?

Select 3 answers
A.Set up a site-to-site VPN between the on-premises network and each cloud.
B.Implement a federation using SAML 2.0 between the corporate identity provider and each cloud.
C.Assign resource tags and use them in attribute-based access control (ABAC) policies.
D.Use a single shared API key for all clouds to simplify automation.
E.Deploy a cloud access security broker (CASB) to enforce access policies across clouds.
AnswersB, C, E

Federation allows SSO and centralized identity management.

Why this answer

Options B, C, and E are correct. Single sign-on (SSO) with federation allows centralized access control, cloud access security brokers (CASB) enforce policies across clouds, and resource tags combined with access policies can automate access. Option D is wrong because shared keys are not identity-based.

Option A is wrong because VPNs are for network connectivity, not identity.

49
MCQhard

A company experiences a data breach where an attacker exfiltrated data from a cloud storage bucket. The security team discovers that the bucket had a policy allowing public access. The cloud administrator had previously set the bucket to be private. Which of the following is the MOST likely reason the bucket became public?

A.An IAM role with administrative privileges applied a bucket policy that overrode the private setting.
B.The bucket had versioning enabled, which reverted to a previous public state.
C.Access logs were not enabled, so the change was not recorded.
D.Server-side encryption was disabled, causing the bucket to become public.
AnswerA

A bucket policy can supersede the block public access settings if the role has sufficient permissions.

Why this answer

A bucket policy that grants public access (e.g., `Principal: "*"` with `Effect: "Allow"`) can override the private block public access setting at the bucket level. Even if the cloud administrator set the bucket to private via the console or ACLs, an IAM role with administrative privileges can apply a bucket policy that explicitly allows public access, effectively making the bucket public. This is because bucket policies are evaluated separately and can grant permissions that supersede other access controls.

Exam trap

CompTIA often tests the misconception that setting a bucket to private in the console or via ACLs is sufficient to prevent public access, ignoring that a bucket policy can independently grant public access and override those settings.

How to eliminate wrong answers

Option B is wrong because enabling versioning does not revert bucket policies or access settings to a previous state; versioning only preserves object versions and does not affect access control configurations. Option C is wrong because access logs record actions but do not prevent or cause changes to bucket permissions; the lack of logging is a monitoring issue, not a cause of the bucket becoming public. Option D is wrong because disabling server-side encryption affects data encryption at rest, not access permissions; encryption settings have no impact on whether a bucket is public or private.

50
MCQeasy

A cloud engineer is responsible for securing a multi-tier application deployed on IaaS. The application consists of web servers, application servers, and database servers. The engineer needs to implement network segmentation to minimize the attack surface. Which of the following is the BEST approach?

A.Use a single security group for all instances and define rules to allow traffic between tiers.
B.Create separate subnets for each tier and configure security groups to allow only required traffic between them.
C.Place web servers in a public subnet and application and database servers in the same private subnet with a common security group.
D.Place all instances in the same subnet and use network ACLs to restrict traffic between tiers.
AnswerB

Separate subnets with security groups enforce network segmentation and least privilege.

Why this answer

Option B is correct because creating separate subnets for each tier enforces network segmentation at the IP layer, which is a fundamental security best practice for multi-tier applications. By configuring security groups (stateful firewalls) to allow only the specific required traffic (e.g., HTTP/HTTPS from web to app, SQL from app to database), the engineer minimizes the attack surface by preventing lateral movement if one tier is compromised. This approach aligns with the principle of least privilege and is the most effective method in IaaS environments like AWS, Azure, or GCP.

Exam trap

The trap here is that candidates often confuse security groups with network ACLs or assume that placing servers in the same subnet with restrictive rules is sufficient, but Cisco tests the understanding that true network segmentation requires separate subnets (or VLANs) to prevent layer-2 adjacency and lateral movement.

How to eliminate wrong answers

Option A is wrong because using a single security group for all instances violates network segmentation; any instance can potentially communicate with any other if rules are too permissive, and it does not isolate tiers, increasing the blast radius. Option C is wrong because placing application and database servers in the same private subnet with a common security group fails to isolate the database tier from the application tier, allowing an attacker who compromises the app server to directly access the database without additional network-level controls. Option D is wrong because placing all instances in the same subnet and relying solely on network ACLs (stateless) is insufficient; network ACLs evaluate rules in order and require explicit allow rules for return traffic, making them more complex to manage and easier to misconfigure, and they do not provide the same granular, stateful control as security groups.

51
MCQeasy

A cloud administrator notices that a storage bucket in a cloud object storage service is publicly accessible. The bucket contains sensitive customer data. What is the most likely cause of this issue?

A.The bucket policy or ACL was set to allow public access.
B.The bucket has versioning enabled.
C.The bucket has a lifecycle policy to transition objects to archival storage.
D.The bucket is using server-side encryption with customer-provided keys.
AnswerA

Misconfigured permissions are the typical cause of public buckets.

Why this answer

Option A is correct because misconfigured bucket policies or ACLs often lead to public access. Option D is wrong because encryption does not affect access control. Option B is wrong because versioning does not cause public access.

Option C is wrong because lifecycle policies do not change access permissions.

52
Matchingmedium

Match each troubleshooting command to its function.

Test network connectivity

Trace path to destination

Query DNS records

Display network connections and ports

Transfer data using various protocols

Why these pairings

Common CLI tools for network troubleshooting.

53
MCQmedium

A company's compliance policy requires that all virtual machine (VM) instances must have security patches applied within 30 days of release. The cloud environment automatically deploys VMs from a golden image. Which strategy would BEST ensure compliance without manual intervention?

A.Use a configuration management tool like Ansible to apply patches on boot.
B.Schedule a nightly job to scan each VM for missing patches and apply them.
C.Update the golden image with the latest patches and redeploy all VMs from it.
D.Install a patch management server and configure VMs to update from it on startup.
AnswerC

This ensures that any VM provisioned from the image is compliant at launch, meeting the 30-day requirement.

Why this answer

Regularly updating the golden image and using it to create new VMs ensures that all new instances are patched within the required timeframe. Automated patch scanning per instance is reactive and may not enforce the golden image. Using a configuration management tool to apply patches after VM creation can work but may cause a delay; updating the golden image is proactive and ensures consistency.

A patch management server is good but not as comprehensive as updating the baseline.

54
MCQmedium

During a security assessment, a cloud auditor discovers that a virtual machine has a publicly accessible SSH port (22) open to the entire internet (0.0.0.0/0). The VM is a bastion host intended for administration. What should be done to reduce risk?

A.Remove the security group rule for SSH and rely on the operating system firewall.
B.Disable SSH and use a serial console for administration.
C.Enable SSH key authentication and disable password login.
D.Remove the network security group rule allowing SSH from 0.0.0.0/0 and add a rule allowing only the corporate VPN's public IP range.
AnswerD

This restricts access to authorized users only.

Why this answer

Option D is correct because a bastion host should only be reachable from trusted IP ranges, typically the corporate VPN's public range, and the network security group is the right place to enforce that. Option A is wrong because removing the security group rule and relying on the OS firewall discards the proper network-level control. Option B is wrong because disabling SSH entirely would block the host's intended administrative use. Option C is wrong because key authentication and disabling password login harden the login itself but do not limit which networks can reach the port.

55
MCQhard

A DevOps team uses infrastructure as code to deploy cloud resources. Security policy requires that all storage buckets have versioning enabled and are not publicly accessible. How can these requirements be enforced automatically?

A.Add pre-commit hooks to check the IAC templates for compliance.
B.Use security group rules to restrict access to the storage buckets.
C.Implement a cloud policy that disallows public access and requires versioning on all storage resources.
D.Configure a manual approval gate in the deployment pipeline for any storage changes.
AnswerC

Cloud policies provide preventive governance at the resource level.

Why this answer

Option C is correct because a cloud policy service (e.g., an AWS Service Control Policy or Azure Policy) can enforce rules such as "deny public access" and "require versioning" at the account level, regardless of how a resource is deployed. Option A is wrong because pre-commit hooks run only on the developer's machine and can be skipped or bypassed, so they are not a guarantee. Option B is wrong because security groups do not apply to object storage. Option D is wrong because a manual approval gate relies on human review rather than automatic enforcement.

56
MCQhard

During a penetration test, a cloud security engineer discovers that a storage bucket is publicly accessible because of a misconfigured block public access setting. The bucket contains encrypted data. Which of the following is the primary risk?

A.The bucket name is exposed to enumeration.
B.Data is unreadable because it is encrypted.
C.The encryption key is exposed.
D.Unauthorized users can list and download objects, but encryption at rest protects content if the key is also not accessible.
AnswerD

This accurately describes the primary risk: data exfiltration is possible, but encryption provides a layer of protection if the key is secure.

Why this answer

Option D is correct because unauthorized users can still list and download the objects; encryption at rest only protects the content for as long as the key stays inaccessible to them. The primary risk is therefore data exfiltration, which becomes data exposure if the encryption key is compromised or the data was not properly encrypted.

57
MCQeasy

Refer to the exhibit. This log message is from a cloud security scanner. Which principle did the scanner likely detect?

A.Separation of duties
B.Defense in depth
C.Fail securely
D.Least privilege
AnswerD

Storing credentials where many users can access them gives more privilege than necessary.

Why this answer

The message indicates that user credentials were stored in user data (such as instance metadata) and are accessible to all users with read access to that metadata. This violates the principle of least privilege because credentials should not be widely accessible.

58
Multi-Selectmedium

A cloud administrator is designing a hybrid cloud environment that connects on-premises resources to a public cloud. To ensure data protection, the administrator needs to implement controls for data in transit and data at rest. Which TWO security controls should the administrator implement? (Choose two.)

Select 2 answers
A.TLS 1.2
B.AES-256
C.MFA
E.RBAC
AnswersA, B

TLS 1.2 encrypts data in transit, ensuring confidentiality over networks (e.g., HTTPS).

Why this answer

TLS 1.2 (option A) protects data in transit (e.g., HTTPS), and AES-256 (option B) protects data at rest (e.g., encrypted storage). IPsec also protects data in transit but is used for VPN tunnels rather than general application traffic; RBAC and MFA address access control, not data encryption.

59
MCQeasy

A cloud administrator is tasked with ensuring that all API requests to the cloud management plane are encrypted. Which protocol should be enforced to meet this requirement?

AnswerA

TLS encrypts HTTP traffic (HTTPS) and is the standard for API security.

Why this answer

TLS (Transport Layer Security) encrypts data in transit and is the standard protocol for securing API communications. SSH is for remote shell access, SSL is the deprecated predecessor of TLS and should no longer be used, and IPsec is used for VPN tunnels rather than for securing individual API requests.

60
Multi-Selecthard

Which THREE of the following are essential components of a cloud incident response plan? Select three.

Select 3 answers
A.Data backup schedule
B.Cost optimization strategies
C.Root cause analysis
D.Communication plan
E.Containment procedures
AnswersC, D, E

Identifies the underlying cause to prevent recurrence.

Why this answer

Options C, D, and E are correct because root cause analysis, a communication plan, and containment procedures are core elements of incident response. Cost optimization and a data backup schedule are operational concerns rather than incident response components.

61
Multi-Selectmedium

Which TWO of the following are common vulnerabilities in cloud environments that can lead to unauthorized access? Select two.

Select 2 answers
A.Enabling automatic patching
B.Lack of encryption for data in transit
D.Properly scoped IAM roles
E.Misconfigured security groups allowing overly permissive inbound rules
AnswersB, E

Unencrypted data can be intercepted.

Why this answer

Options B and E are correct because a lack of encryption for data in transit and misconfigured security groups with overly permissive inbound rules are common cloud vulnerabilities. A and D describe security best practices, not vulnerabilities.

62
MCQeasy

A company uses a cloud provider's key management service to encrypt data at rest. The security team wants to ensure that encryption keys are automatically rotated every 90 days to meet compliance requirements. Which feature should be enabled?

A.Key import scheduling
B.Key automatic rotation
C.Key revocation
D.Key policy enforcement
AnswerB

This automates key replacement at specified intervals.

Why this answer

Option B is correct because automatic rotation replaces key material periodically without manual intervention, meeting compliance needs.

63
MCQhard

An organization uses a private cloud and wants to implement multifactor authentication (MFA) for administrative access to the hypervisor. However, due to legacy system constraints, the hypervisor does not support MFA directly. What is the BEST alternative to achieve MFA for administrative logins?

A.Configure SSH key-based authentication for all hypervisor logins.
B.Implement a certificate-based authentication scheme for the hypervisor.
C.Set up a VPN that requires MFA and allow only VPN traffic to reach the hypervisor.
D.Deploy a jump host (bastion host) with MFA, and restrict hypervisor access to only that host.
AnswerD

This layers MFA at the entry point, and the hypervisor access is limited to a secured intermediary.

Why this answer

A jump host (bastion host) can be placed in a separate network segment that requires MFA for access. Administrators log into the jump host first and then connect to the hypervisor from it. Direct SSH keys still rely on single-factor authentication.

A VPN without MFA is insufficient. Using a certificate alone is also single factor.

64
MCQhard

A cloud architect is designing a multi-tier application in a public cloud that must comply with PCI DSS. The web tier must be accessible from the internet, but the application tier should not have any public IP addresses. Which architecture meets these requirements?

A.Assign public IP addresses to both tiers and use security group rules to restrict traffic.
B.Deploy both tiers in private subnets and use a VPC peering connection to the corporate data center.
C.Use a site-to-site VPN between the cloud VPC and an on-premises network for all traffic.
D.Place the web tier in a public subnet behind an internet-facing load balancer, and the app tier in a private subnet with a NAT gateway for outbound traffic.
AnswerD

This provides internet access to the web tier while keeping the app tier isolated from direct internet.

Why this answer

Option D is correct because placing the web tier in a public subnet behind an internet-facing load balancer and the app tier in a private subnet with a NAT gateway gives the web tier internet reachability while the app tier has no public IP addresses. Option A is wrong because assigning public IPs to the app tier violates the requirement, regardless of security group rules. Option B is wrong because keeping both tiers private and peering to the data center does not make the web tier reachable from the internet. Option C is wrong because a site-to-site VPN serves on-premises connectivity, not public web access, and adds unnecessary complexity.

65
MCQeasy

An organization wants to ensure that only authorized personnel can access the cloud management console. Which of the following is the BEST method to achieve this?

A.Enable multi-factor authentication (MFA) for all console users.
B.Implement strong password policies with complex passwords.
C.Disable the web console and require API access only.
D.Restrict console access to a specific IP address range.
AnswerA

MFA provides strong authentication by requiring two or more factors.

Why this answer

Multi-factor authentication (MFA) is the best method because it adds an additional layer of security beyond just a password, requiring a second factor (e.g., a time-based one-time password from an authenticator app or a hardware token). This significantly reduces the risk of unauthorized access even if credentials are compromised, as the attacker would also need the second factor. In cloud environments like AWS, Azure, or GCP, MFA is a fundamental security best practice for protecting the management console.

Exam trap

The trap here is that candidates often choose strong password policies (Option B) as the best method, overlooking that MFA is the industry-standard defense against credential compromise, not just password complexity.

How to eliminate wrong answers

Option B is wrong because while strong password policies are important, they are insufficient on their own; passwords alone can be phished, guessed, or brute-forced, and MFA provides a critical additional layer. Option C is wrong because disabling the web console and requiring API access only does not inherently improve security—API access still requires authentication and can be just as vulnerable if not protected with MFA or proper IAM roles, and it reduces operational flexibility. Option D is wrong because restricting console access to a specific IP address range can be bypassed by attackers using VPNs or compromised machines within that range, and it does not protect against credential theft or insider threats; it is a network-level control, not an identity-level control.

66
Multi-Selectmedium

A company is implementing a cloud-based SIEM solution. Which TWO of the following are essential data sources that should be integrated to ensure comprehensive security monitoring?

Select 2 answers
A.Physical access logs from the data center.
B.Firewall configuration backup files.
C.Employee vacation schedule.
D.DNS query logs from the cloud DNS service.
E.Network flow logs from virtual network appliances.
AnswersD, E

DNS logs can reveal C2 communications.

Why this answer

DNS query logs from the cloud DNS service (Option D) are essential because they provide visibility into domain resolution activities, which can reveal command-and-control (C2) communications, data exfiltration via DNS tunneling, or connections to malicious domains. In a cloud-based SIEM, these logs are critical for detecting threats that leverage DNS as a covert channel, as they capture the source IP, queried domain, and response codes in real time.

Exam trap

The trap here is that candidates often mistake static configuration files (like firewall backups) or non-security data (like vacation schedules) as valid SIEM sources, overlooking that a SIEM requires real-time, event-driven logs (e.g., DNS queries and network flows) to perform effective threat detection and correlation.

67
Multi-Selecthard

A cloud administrator is designing a secure multi-tenant environment. Which THREE of the following are best practices for isolating tenant workloads?

Select 3 answers
A.Use a single virtual switch for all tenants.
B.Deploy tenant workloads on dedicated hypervisors.
C.Implement micro-segmentation using virtual firewalls.
D.Use separate VLANs for each tenant.
E.Place all tenants on the same storage array for efficiency.
AnswersB, C, D

Dedicated hypervisors prevent hypervisor-level attacks.

Why this answer

Deploying tenant workloads on dedicated hypervisors provides strong physical isolation, preventing a compromised hypervisor from affecting other tenants. This approach eliminates the risk of side-channel attacks or resource contention that could cross tenant boundaries, ensuring each tenant's virtual machines run on separate hardware with no shared compute resources.

Exam trap

CompTIA often tests the misconception that a single virtual switch can be securely partitioned using VLANs alone, but the trap is that VLANs only provide Layer 2 isolation and do not protect against misconfigurations or attacks within the shared virtual switch control plane.
