CCNA Clp Security Questions

75 of 110 questions · Page 1/2 · Clp Security topic · Answers revealed

1
MCQ · easy

Which of the following is a stateless network access control that requires explicit allow rules for both inbound and outbound traffic?

A. Security group
B. Network ACL
C. DDoS protection
D. Web application firewall
Answer: B

NACLs are stateless and require rules for both directions.

Why this answer

Network ACLs (NACLs) are stateless; security groups are stateful.

2
MCQ · medium

A cloud administrator needs to audit all API calls made in a GCP project for compliance purposes. Which service should be enabled to log these actions?

A. GCP Cloud Audit Logs
B. Azure Monitor
C. GCP Security Command Center
D. AWS CloudTrail
Answer: A

Cloud Audit Logs track API calls in GCP.

Why this answer

Cloud Audit Logs in GCP record administrative activities and data access. CloudTrail is AWS-specific, Azure Monitor is for Azure, and Security Command Center is a security dashboard.

3
MCQ · medium

An organization is subject to PCI DSS compliance and must demonstrate that it is meeting security requirements. Which cloud service can aggregate compliance findings and provide a dashboard?

A. AWS CloudTrail
B. AWS Security Hub
C. AWS Shield
D. AWS Config
Answer: B

Security Hub provides a centralized view of security alerts and compliance status.

Why this answer

AWS Security Hub aggregates security findings from multiple AWS services and provides a compliance dashboard.

4
MCQ · hard

A company uses Google Cloud Platform and wants to enforce that all Compute Engine instances use a specific Customer-Managed Encryption Key (CMEK) for disk encryption. Which GCP service should be used to enforce this policy?

A. IAM Conditions
B. Organization Policies
C. Cloud Security Command Center
D. Cloud Key Management Service
Answer: B

Organization policies can enforce that only CMEK-protected disks are allowed.

Why this answer

Organization Policies (formerly known as 'Constraints') allow administrators to define and enforce guardrails for Google Cloud resources at the hierarchy level. The specific constraint `compute.requireCsekEncryption` (or the newer CMEK-based equivalent) can be applied to a folder or project to mandate that all Compute Engine disks use a Customer-Managed Encryption Key, rejecting any instance creation or disk attachment that does not comply.

Exam trap

The trap here is that candidates often confuse the key management service (Cloud KMS) with the policy enforcement service (Organization Policies), assuming that the service that creates keys also enforces their usage.

How to eliminate wrong answers

Option A is wrong because IAM Conditions control access to resources based on attributes like time or resource tags, but they cannot enforce encryption key requirements on Compute Engine instances. Option C is wrong because Cloud Security Command Center is a security and risk dashboard that provides visibility and threat detection, not a policy enforcement mechanism for resource configuration. Option D is wrong because Cloud Key Management Service is the service that creates, manages, and stores encryption keys, but it does not enforce policies that require their use on Compute Engine disks.

5
MCQ · medium

A cloud security analyst is reviewing a compliance report and sees that the organization needs to ensure encryption keys are rotated periodically. Which of the following would best satisfy this requirement?

A. Disabling key rotation to prevent key loss
B. Storing keys in the application configuration file
C. Using customer-managed keys with a defined rotation policy
D. Using AWS managed keys with automatic rotation
Answer: C

Customer-managed keys allow custom rotation schedules.

Why this answer

Customer-managed keys (CMK) allow the customer to set rotation policies. AWS managed keys are rotated automatically, but the customer cannot control the schedule. Storing keys in the application configuration file violates security best practices.

Disabling rotation does not meet the requirement.

6
MCQ · medium

A cloud engineer is configuring a web application that must comply with PCI DSS. The application runs on virtual machines in a public cloud. Which of the following security responsibilities falls under the customer's scope according to the shared responsibility model?

A. Replacing failed physical drives in the storage array
B. Patching the guest operating system of the virtual machines
C. Configuring the physical network firewall
D. Applying hypervisor patches
Answer: B

The customer is responsible for guest OS patching.

Why this answer

In the shared responsibility model, the customer is responsible for patching the guest OS, while the cloud provider manages the physical infrastructure and hypervisor.

7
MCQ · easy

Which of the following is a best practice for managing secrets in cloud applications?

A. Embed secrets in application code
B. Store secrets in environment variables
C. Use a cloud secrets manager with automatic rotation
D. Share secrets via email
Answer: C

Secrets managers provide encrypted storage and rotation capabilities.

Why this answer

Secrets should be stored in a dedicated secrets manager and rotated regularly, never hard-coded.

8
MCQ · hard

An organization uses AWS and wants to control inbound traffic to its EC2 instances. They need a solution that automatically allows response traffic for any permitted inbound request. Which of the following should they use?

A. DDoS protection
B. Web Application Firewall
C. Security groups
D. Network ACLs
Answer: C

Security groups are stateful and automatically allow return traffic.

Why this answer

Security groups are stateful, meaning if you allow inbound traffic, the response is automatically allowed regardless of outbound rules. Network ACLs are stateless and require explicit rules for both directions.

9
Multi-Select · hard

A company is deploying a web application on GCP and needs to protect against OWASP Top 10 threats and DDoS attacks. Which THREE services should be combined to provide comprehensive protection?

Select 3 answers
A. Cloud Load Balancing
B. Cloud NAT
C. Cloud CDN
D. Cloud VPN
E. Cloud Armor
Answers: A, C, E

Distributes traffic and integrates with Cloud Armor.

Why this answer

Cloud Load Balancing (A) is correct because it distributes incoming traffic across multiple backend instances, providing inherent DDoS resilience by absorbing and scaling with attack traffic. It also integrates directly with Cloud Armor to enforce OWASP Top 10 web application firewall (WAF) rules, such as SQL injection and XSS protections, at the edge before traffic reaches the application.

Exam trap

The trap here is that candidates often mistake Cloud NAT or Cloud VPN for inbound security services, but they are designed for outbound connectivity and encrypted tunnels, not for application-layer threat detection or DDoS mitigation.

10
MCQ · medium

A cloud architect needs to ensure that all data transmitted between an on-premises data center and a cloud VPC is encrypted. Which solution should be implemented?

A. Security group
B. Cloud KMS
C. Direct Connect
Answer: D

VPN Gateway creates an encrypted tunnel over the internet.

Why this answer

A VPN connection encrypts traffic in transit using IPsec tunnels.

11
Multi-Select · medium

A security engineer is implementing DDoS protection for a public-facing web application hosted in AWS. Which TWO services should be used together to provide comprehensive DDoS mitigation? (Choose two.)

Select 2 answers
A. AWS WAF
B. AWS Shield Advanced
C. Amazon Route 53
D. AWS Shield Standard
E. Amazon GuardDuty
Answers: A, B

WAF can block malicious HTTP requests at the application layer.

Why this answer

AWS Shield Advanced provides enhanced DDoS protection for EC2, ELB, CloudFront, etc. AWS WAF can be used to mitigate application-layer attacks like HTTP flood. Shield Standard is free but less comprehensive.

Route 53 is DNS and does not directly mitigate DDoS. GuardDuty is threat detection.

12
MCQ · medium

A DevOps team is deploying containerized applications on Kubernetes. They want to ensure containers do not run with root privileges and that host filesystem access is restricted. Which Kubernetes feature should they use?

A. Service accounts
B. ConfigMaps
C. Network policies
D. Pod Security Standards
Answer: D

PSS enforces security contexts on pods.

Why this answer

Pod Security Standards (PSS) define security levels (privileged, baseline, restricted) to enforce security policies on pods, such as disallowing root access and restricting host filesystem access.

13
MCQ · medium

A cloud architect is designing a security group for a web server in AWS. The server must receive HTTPS traffic from the internet. What is the most secure inbound rule?

A. Allow HTTPS from the VPC CIDR only
B. Allow HTTPS from 10.0.0.0/8
C. Allow all traffic from 0.0.0.0/0
D. Allow HTTPS from 0.0.0.0/0
Answer: D

This allows all inbound HTTPS traffic, which is standard for public web servers.

Why this answer

Security groups are stateful; specifying source IP range 0.0.0.0/0 for HTTPS is typical for public web servers.

14
MCQ · hard

A company uses Azure AD for identity federation with an on-premises Active Directory. They want to enable single sign-on (SSO) for cloud applications using an open standard. Which protocol should they use?

A. OAuth 2.0
B. SAML 2.0
C. LDAP
D. Kerberos
Answer: B

SAML is widely used for SSO federation.

Why this answer

SAML (Security Assertion Markup Language) and OIDC (OpenID Connect) are open standards for federation. SAML is commonly used for SSO with Azure AD. OAuth is for authorization, not authentication.

LDAP is a directory protocol. Kerberos is for on-premises.

15
MCQ · hard

A cloud architect is designing a DDoS protection strategy for a web application hosted on AWS. The application uses an Application Load Balancer (ALB). Which service provides automatic, always-on DDoS protection at no additional cost?

A. AWS WAF
B. AWS Network Firewall
C. AWS Shield Standard
D. AWS Shield Advanced
Answer: C

Shield Standard is included automatically and protects against common DDoS attacks.

Why this answer

AWS Shield Standard provides automatic protection against common DDoS attacks for all AWS customers at no additional cost.

16
MCQ · medium

A security engineer is reviewing IAM policies and notices a policy that allows all actions on all resources for a user. Which principle of security is being violated?

A. Least privilege
B. Separation of duties
C. Need to know
D. Defense in depth
Answer: A

A policy with full access violates least privilege by granting excessive permissions.

Why this answer

The principle of least privilege states that users should be granted only the permissions necessary to perform their job functions.

17
Multi-Select · easy

A cloud architect is designing identity and access management (IAM) for a multi-cloud environment. The architect wants to enforce least privilege and support federation with an on-premises Active Directory. Which TWO of the following should be implemented? (Select TWO).

Select 2 answers
A. Storing shared credentials in application code
B. Assigning full administrator roles to all users
C. Disabling multi-factor authentication (MFA)
D. Using service accounts for application authentication
E. Federation using SAML
Answers: D, E

Service accounts provide dedicated identities with minimal permissions for apps.

Why this answer

Federation with SAML allows SSO from on-prem AD, and service accounts provide non-human identities for applications, both supporting least privilege by granting only necessary permissions.

18
MCQ · hard

A cloud security team is reviewing audit logs and notices that a service account has been used to launch several high-risk API calls that are not part of its normal behavior. Which security control should be implemented to detect such anomalies in real time?

A. Enable CloudTrail logging
B. Implement an anomaly detection service
C. Use a static IAM policy
D. Configure a network ACL
Answer: B

Anomaly detection services analyze logs for unusual patterns.

Why this answer

Anomaly detection tools like GuardDuty or Azure Sentinel use machine learning to identify unusual API activity.

19
MCQ · hard

During a security audit, a cloud engineer discovers that a container image used in production has a known critical vulnerability in a base layer. Which practice should be implemented to prevent this in the future?

A. Enable Kubernetes pod security policies
B. Use only official images from Docker Hub
C. Perform container image scanning during CI/CD
D. Implement network segmentation
Answer: C

Scanning identifies vulnerabilities early in the pipeline.

Why this answer

Regular container image scanning in the CI/CD pipeline detects vulnerabilities before deployment.

20
MCQ · medium

A company is migrating its on-premises applications to a public cloud. The security team wants to ensure that the cloud provider is responsible for physical security of data centers, while the company remains responsible for securing guest operating systems. Which concept does this describe?

A. Least privilege principle
B. Zero Trust architecture
C. Shared responsibility model
D. Defense in depth
Answer: C

Correctly describes the division of security responsibilities.

Why this answer

The shared responsibility model delineates security obligations between the cloud provider (physical infrastructure, hypervisor) and the customer (OS, applications, IAM).

21
MCQ · hard

A company has deployed a containerized application on a Kubernetes cluster. The security team wants to ensure that containers cannot run as the root user and that the container's root filesystem is read-only. Which Kubernetes security mechanism should be used?

A. Pod Security Standards
B. Network policies
C. Seccomp profiles
D. Resource quotas
Answer: A

PSS includes the restricted profile that enforces these requirements.

Why this answer

Pod Security Standards (PSS) provide predefined security profiles (privileged, baseline, restricted) that enforce policies like running as non-root and read-only root filesystem.

22
MCQ · hard

A security administrator is deploying a web application firewall (WAF) to protect a public-facing web application. The application experiences a high volume of traffic from a specific geographic region that is not part of the target customer base. Which WAF feature would best reduce the attack surface without impacting legitimate users?

A. IP whitelisting
B. Rate limiting
C. OWASP rule set
D. Geo-blocking
Answer: D

Geo-blocking blocks or allows traffic based on geographic location.

Why this answer

Geo-blocking allows the administrator to block traffic from specific regions, reducing the attack surface by eliminating traffic from non-target areas.

23
MCQ · medium

A company's compliance team must provide evidence that their cloud environment meets PCI DSS requirements. Which AWS service can aggregate security findings and automate compliance checks?

A. AWS Config
B. AWS Security Hub
C. Amazon Inspector
D. AWS CloudTrail
Answer: B

Security Hub centralizes security findings and compliance checks.

Why this answer

AWS Security Hub provides a comprehensive view of security alerts and compliance status across AWS accounts, including automated checks against standards like PCI DSS.

24
MCQ · medium

An organization is subject to PCI DSS compliance and must ensure that all data transmitted between its cloud application and users is encrypted. Which encryption method should be enforced?

A. AES-256
B. TLS 1.2 or higher
C. SHA-256
Answer: B

TLS 1.2+ provides secure encryption in transit and is required by PCI DSS.

Why this answer

TLS (Transport Layer Security) is the standard protocol for encrypting data in transit over networks, such as between a web browser and a server. PCI DSS requires strong encryption for cardholder data in transit.

25
MCQ · easy

A cloud customer needs to ensure that data stored in an S3 bucket is encrypted at rest. The customer wants to manage the encryption keys themselves. Which encryption option should they choose?

A. SSE-S3 (S3-managed keys)
B. SSE-C (Customer-provided keys)
C. SSE-KMS (AWS KMS-managed keys)
D. Client-side encryption
Answer: B

SSE-C allows the customer to provide their own encryption keys, which AWS uses and then discards.

Why this answer

SSE-C (Server-Side Encryption with Customer-Provided Keys) allows the customer to manage their own encryption keys while AWS handles the encryption and decryption process. The customer provides the encryption key as part of the PUT request, and AWS uses it to encrypt the object at rest, then discards the key after the operation. This meets the requirement of managing the keys themselves while ensuring data is encrypted at rest on the server side.

Exam trap

Cisco often tests the distinction between server-side and client-side encryption, where candidates mistakenly choose client-side encryption because they think 'managing keys' means encrypting on the client, but the question explicitly requires encryption at rest in S3, which is server-side.

How to eliminate wrong answers

Option A (SSE-S3) is wrong because AWS manages the encryption keys entirely, not the customer. Option C (SSE-KMS) is wrong because, while it allows customer control over key policies and rotation, the keys themselves are managed by AWS KMS, not directly by the customer. Option D (Client-side encryption) is wrong because the customer encrypts data before sending it to S3; the customer does manage the keys entirely, but the encryption is performed on the client side, so it does not meet the 'encrypted at rest in S3' requirement, which calls for server-side encryption.

26
MCQ · medium

An organization needs to store database credentials and API keys securely in the cloud, with automatic rotation every 90 days. Which service should be used?

A. AWS CloudHSM
B. AWS Key Management Service (KMS)
C. AWS Systems Manager Parameter Store
D. AWS Secrets Manager
Answer: D

Secrets Manager stores secrets and supports automatic rotation.

Why this answer

AWS Secrets Manager manages secrets lifecycle, including automatic rotation.

27
Multi-Select · medium

A cloud architect is designing network security for a VPC. The architect needs to implement both stateful and stateless firewalls. Which TWO of the following correctly describe these firewall types?

Select 3 answers
A. Network ACLs are stateful; they track connection state and allow return traffic automatically.
B. Security groups are stateful; they automatically allow return traffic for allowed inbound connections.
C. Security groups support allow rules only; deny rules are not supported.
D. Network ACLs support allow and deny rules, and rules are evaluated in order of priority.
E. Both security groups and network ACLs can be used to allow or deny traffic based on source IP and port.
Answers: B, C, D

Correct characteristic of security groups.

Why this answer

Security groups are stateful (allow outbound automatically if inbound allowed), while NACLs are stateless (explicit rules needed for both directions).

28
MCQ · medium

A cloud administrator notices that an AWS IAM user has more permissions than necessary. Which principle should be applied to correct this?

A. Separation of duties
B. Defense in depth
C. Zero trust
D. Least privilege
Answer: D

Least privilege ensures users have minimal necessary permissions.

Why this answer

Least privilege means granting only the permissions required to perform a job function.

29
Multi-Select · medium

A cloud architect is designing a secrets management solution for a microservices application. The solution must avoid hardcoding secrets in code and support automatic rotation. Which THREE of the following are best practices? (Select THREE.)

Select 3 answers
A. Use a dedicated secrets management service like AWS Secrets Manager.
B. Inject secrets into containers at runtime via volume mounts.
C. Use long-lived static keys for simplicity.
D. Enable automatic rotation of secrets.
E. Store secrets in environment variables for ease of access.
Answers: A, B, D

Centralized vault for secrets.

Why this answer

Best practices include using a dedicated vault, injecting secrets at runtime, and enabling rotation. Storing secrets in environment variables is not recommended. Using IAM roles avoids storing credentials.

30
Multi-Select · medium

A cloud administrator is configuring network ACLs (NACLs) for a VPC subnet. The subnet hosts a web server that must accept HTTP (port 80) and HTTPS (port 443) from the internet, and the server needs to respond to clients. Which TWO rules are required?

Select 2 answers
A. Inbound rule: allow all ICMP from 0.0.0.0/0
B. Outbound rule: allow TCP port 80 and 443 to 0.0.0.0/0
C. Inbound rule: allow TCP ports 1024-65535 from 0.0.0.0/0
D. Outbound rule: allow TCP ports 1024-65535 to 0.0.0.0/0
E. Inbound rule: allow TCP port 80 and 443 from 0.0.0.0/0
Answers: D, E

Allows return traffic on ephemeral ports.

Why this answer

NACLs are stateless, so both inbound and outbound rules must be explicitly allowed. Inbound allows HTTP/HTTPS, outbound allows ephemeral ports for return traffic.

31
MCQ · medium

A cloud engineer is deploying a containerized application on Kubernetes. The security team requires that containers run with reduced privileges and that certain capabilities are dropped. Which Kubernetes feature should be used to enforce these requirements?

A. Pod Security Standards
B. Network policies
C. ConfigMap
D. Horizontal Pod Autoscaler
Answer: A

Pod Security Standards enforce security context constraints.

Why this answer

Pod Security Standards (or Pod Security Policies) define security contexts and can restrict container capabilities.

32
MCQ · medium

A security team needs to enforce multi-factor authentication (MFA) for all users accessing the cloud management console. Which IAM feature should be configured?

A. IAM role
B. Condition in IAM policy requiring MFA
C. Resource-based policy
D. Password policy
Answer: B

A condition like 'aws:MultiFactorAuthPresent' can enforce MFA.

Why this answer

Option B is correct because a condition in an IAM policy can require the `aws:MultiFactorAuthPresent` key to be `true`, which enforces MFA for all API calls made to the cloud management console. This is the standard AWS mechanism to mandate MFA at the IAM policy level, ensuring that users must authenticate with a second factor before accessing the console.

Exam trap

Cisco often tests the misconception that a password policy can enforce MFA, but password policies only control password attributes, not the second authentication factor required by MFA.

How to eliminate wrong answers

Option A is wrong because an IAM role is used to delegate permissions to entities (like EC2 instances or federated users) and does not inherently enforce MFA; it can be assumed without MFA unless a condition is added. Option C is wrong because a resource-based policy (e.g., an S3 bucket policy) controls access to specific resources, not the cloud management console itself, and cannot enforce MFA for console login. Option D is wrong because a password policy only governs password complexity and rotation rules, not multi-factor authentication; MFA enforcement requires a separate IAM policy condition.

33
MCQ · hard

A company's cloud environment uses Azure Active Directory for identity management. They want to allow employees to sign in using their existing on-premises Active Directory credentials without synchronizing passwords to the cloud. Which federation protocol should they use?

A. LDAP
B. Kerberos
C. OAuth 2.0
D. SAML 2.0
Answer: D

SAML 2.0 is commonly used for federated identity with Azure AD, enabling single sign-on without password sync.

Why this answer

Federation lets users authenticate against the on-premises directory without synchronizing passwords to the cloud. AD FS can be configured to use SAML 2.0 or OIDC to authenticate users against on-premises AD and issue tokens for access to cloud resources.

34
MCQ · medium

A cloud administrator needs to ensure that a set of AWS EC2 instances can only be accessed via SSH from the corporate office IP range 203.0.113.0/24. Which configuration should the administrator implement?

A. Create a security group with an inbound rule allowing TCP port 22 from 203.0.113.0/24
B. Deploy a VPN and require all SSH traffic to go through it
C. Configure a network ACL with an inbound allow rule for TCP port 22 from 203.0.113.0/24
D. Use AWS WAF to block SSH traffic except from 203.0.113.0/24
Answer: A

Security groups are stateful and can restrict inbound SSH to the specific IP range.

Why this answer

A security group acts as a stateful virtual firewall for EC2 instances. By specifying the source IP range 203.0.113.0/24 on the inbound SSH rule, only traffic from that range is allowed. Security groups are stateful, so return traffic is automatically permitted.

35
MCQ · medium

A company has a requirement to enforce least privilege for its cloud resources. The cloud engineer is configuring IAM policies. Which of the following best describes least privilege?

A. Granting permissions based on the user's job title rather than specific needs
B. Granting permissions only to senior managers
C. Granting only the permissions necessary to perform specific tasks
D. Granting full administrator access to all users to simplify management
Answer: C

This is the principle of least privilege.

Why this answer

Least privilege means granting only the permissions required to perform a job function, minimizing potential damage from compromised accounts.

36
Multi-Select · easy

A company is adopting a shared responsibility model for a PaaS cloud deployment. Which THREE responsibilities belong to the customer?

Select 3 answers
A. Management of the runtime environment
B. Physical security of data centers
C. Data classification and encryption
D. Application code security
E. User access and identity management
Answers: C, D, E

The customer decides how to classify and encrypt data.

Why this answer

Option C is correct because in a PaaS shared responsibility model, the customer is responsible for data classification and encryption of data at rest and in transit. The cloud provider manages the underlying infrastructure, but the customer must classify data according to sensitivity and apply encryption mechanisms, such as using TLS 1.2/1.3 for data in transit and AES-256 for data at rest, as the provider cannot access or classify customer data.

Exam trap

Cisco often tests the misconception that the customer manages the runtime environment in PaaS. The trap is that PaaS abstracts the runtime, so the provider handles it, while the customer's responsibilities are limited to data, application code, and access control.

37
Multi-Select · medium

A cloud architect is designing a container security strategy. Which TWO of the following should be implemented to secure containers? (Choose two.)

Select 2 answers
A. Runtime security monitoring for anomalous behavior
B. Disabling all security contexts in Kubernetes
C. Image scanning for vulnerabilities
D. Using the latest base images without scanning
E. Implementing network ACLs at the hypervisor level
Answers: A, C

Runtime security detects threats during container execution.

Why this answer

Image scanning detects vulnerabilities in container images, and runtime security monitors containers for anomalous behavior. Network ACLs are not container-specific. Using the latest base image reduces vulnerabilities.

Disabling security controls is wrong.

38
Multi-Select · medium

A cloud engineer is tasked with securing network traffic in a VPC. Which TWO of the following are stateful security mechanisms? (Choose two.)

Select 2 answers
A. Web Application Firewall (WAF)
B. Network ACLs
C. Route tables
D. DDoS protection services
E. Security groups
Answers: A, E

WAF can maintain state for session tracking.

Why this answer

Security groups are stateful, automatically allowing return traffic. WAF can be stateful in some implementations (e.g., tracking sessions). Network ACLs are stateless.

DDoS protection is not stateful in this context. Route tables are stateless.

39
MCQ · medium

A company stores sensitive customer data in an S3 bucket and must encrypt the data at rest using a key managed by the company (not AWS). Which encryption option should the company use?

A. Client-side encryption
B. SSE-C
C. SSE-KMS
D. SSE-S3
Answer: B

SSE-C uses customer-provided keys; the customer manages the keys outside of AWS.

Why this answer

SSE-C allows customers to provide their own encryption keys; AWS performs encryption/decryption but does not store the keys.

40
Multi-Select · hard

A company is implementing a secrets management solution. The security team wants to ensure that secrets are protected and rotated regularly. Which THREE of the following are best practices for secrets management?

Select 3 answers
A. Audit access to secrets to detect unauthorized usage.
B. Hard-code secrets in application source code for simplicity.
C. Use a dedicated secrets management service like AWS Secrets Manager or Azure Key Vault.
D. Enable automatic rotation of secrets on a regular schedule.
E. Store secrets in environment variables for easy access by applications.
Answers: A, C, D

Auditing helps identify and respond to potential breaches.

Why this answer

Best practices include using a dedicated vault, rotating secrets, avoiding hard-coded secrets, and auditing access.

41
MCQ · hard

A company uses AWS and needs to enforce that all S3 buckets are encrypted at rest with customer-managed keys stored in AWS KMS. Which IAM policy condition would ensure this?

A. s3:x-amz-server-side-encryption-aws-kms-key-id
B. s3:x-amz-server-side-encryption with value AES256
C. aws:SourceVpce
D. s3:versioning
Answer: A

This condition allows requiring a specific KMS key ARN for encryption.

Why this answer

Tag-based conditions such as 'aws:RequestTag' can enforce that resources are created with specific tags, but they say nothing about encryption. To enforce which key is used, the condition key 's3:x-amz-server-side-encryption-aws-kms-key-id' is used, which lets the policy require a specific KMS key ARN on the request.

42
MCQ · easy

An organization is moving sensitive data to the cloud and must ensure it is encrypted while stored on disk. Which type of encryption should be implemented?

A. Encryption in transit
B. Encryption at rest
C. Hashing
D. Tokenization
Answer: B

Encryption at rest secures data stored on persistent media.

Why this answer

Encryption at rest protects data stored on disk, typically using AES-256.

43
MCQ · medium

A company is migrating to a public cloud and wants to understand security responsibilities. According to the shared responsibility model, which of the following is the customer responsible for in an IaaS deployment?

A. Patching the guest operating system
B. Network infrastructure security
C. Physical security of data centers
D. Hypervisor security
Answer: A

The customer manages the guest OS and must apply patches.

Why this answer

In IaaS, the customer is responsible for securing the operating system, applications, and data, including patching the guest OS.

44
MCQ · hard

A company running a critical web application on AWS wants to protect against SQL injection and cross-site scripting attacks. The application is behind an Application Load Balancer. Which service should be deployed to provide this protection?

A. AWS Network Firewall
B. AWS Shield Advanced
C. AWS GuardDuty
D. AWS WAF
Answer: D

WAF provides rule-based filtering for OWASP Top 10 threats.

Why this answer

AWS WAF is a web application firewall that helps protect web applications from common web exploits like SQL injection and cross-site scripting (XSS). It integrates directly with Application Load Balancers (ALB) to inspect HTTP/HTTPS traffic and filter malicious requests based on customizable rules. This makes it the correct choice for the described threat scenario.

Exam trap

The trap here is that candidates often confuse AWS WAF with AWS Shield Advanced, thinking Shield provides application-layer attack protection, but Shield focuses on DDoS mitigation while WAF handles web-specific exploits like SQL injection and XSS.

How to eliminate wrong answers

Option A is wrong because AWS Network Firewall is a stateful managed firewall for VPC network traffic, operating at layers 3-4 and 7 for network protocols, but it does not provide application-layer inspection for SQL injection or XSS payloads in HTTP requests. Option B is wrong because AWS Shield Advanced provides DDoS protection against volumetric and state-exhaustion attacks, not against application-layer threats like SQL injection or XSS. Option C is wrong because AWS GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events for malicious activity, but it does not actively block or filter web application attacks like SQL injection or XSS.

45
MCQmedium

A company uses a SaaS application for customer relationship management (CRM). The security team wants to monitor user activities and enforce data loss prevention (DLP) policies. Which type of security tool should be deployed?

A.Intrusion Detection System (IDS)
B.Security Information and Event Management (SIEM)
C.Cloud Access Security Broker (CASB)
D.Web Application Firewall (WAF)
AnswerC

CASB is designed for SaaS security and governance.

Why this answer

A Cloud Access Security Broker (CASB) provides visibility into SaaS usage, monitors user activities, and can enforce DLP policies across cloud applications.

46
Multi-Selectmedium

A company is implementing multi-factor authentication (MFA) for cloud console access. Which TWO of the following are valid MFA methods? (Select TWO.)

Select 2 answers
A.A password and a hardware TOTP token
B.Two different passwords
C.A password and a security question
D.A username and password
E.A fingerprint and a smart card
AnswersA, E

Combines something you know (password) with something you have (token).

Why this answer

A hardware TOTP token generates a time-based one-time password (RFC 6238) that changes every 30 or 60 seconds, providing a second factor independent of the user's password. Combining this with a password satisfies the MFA requirement of using two different authentication factors (something you know and something you have).

Exam trap

Cisco often tests the distinction between multi-step authentication (e.g., password then security question) and true multi-factor authentication, where candidates mistakenly believe any two sequential credentials count as MFA.

47
Multi-Selecthard

A company is migrating to AWS and needs to meet PCI DSS compliance. Which THREE of the following should be implemented? (Choose three.)

Select 3 answers
A.Encrypting cardholder data at rest and in transit
B.Using single-factor authentication for all administrative access
C.Implementing a vulnerability management program
D.Enabling audit logging for all access to cardholder data
E.Using default VPC settings without changes
AnswersA, C, D

PCI DSS mandates encryption of cardholder data.

Why this answer

PCI DSS requires encryption of cardholder data, regular security testing (like vulnerability scanning), and audit logging. Using default VPC settings may not be secure. Single-factor authentication is insufficient.

48
MCQmedium

A security analyst is reviewing logs and finds that an unauthorized user accessed a storage blob in Azure. The analyst needs to determine which permissions allowed the access. Which Azure feature provides a detailed view of effective permissions for a user?

A.Azure AD Privileged Identity Management
B.Azure RBAC (Role-Based Access Control)
C.Azure Blueprints
D.Azure Policy
AnswerB

RBAC provides tools like 'Check access' to view effective permissions.

Why this answer

Azure RBAC (Role-Based Access Control) provides the 'Check access' feature (formerly 'Effective permissions') that allows an administrator to evaluate the cumulative permissions assigned to a specific user, group, or service principal for a given scope (e.g., storage blob container). This feature calculates the net effect of all role assignments, including inherited permissions from management groups, subscriptions, and resource groups, enabling the analyst to pinpoint exactly which role granted the unauthorized access.

Exam trap

The trap here is that candidates often confuse Azure RBAC's 'effective permissions' feature with Azure AD PIM, assuming PIM shows current permissions, when in fact PIM only manages role activation and does not compute the cumulative effective permissions across multiple role assignments.

How to eliminate wrong answers

Option A is wrong because Azure AD Privileged Identity Management (PIM) manages just-in-time activation and oversight of privileged roles, but it does not provide a detailed view of effective permissions for a specific user on a resource. Option C is wrong because Azure Blueprints is used for defining and deploying repeatable sets of Azure resources and policies (like compliance templates), not for evaluating effective user permissions. Option D is wrong because Azure Policy enforces rules and effects (e.g., deny, audit) on resource configurations, but it does not evaluate or display the effective RBAC permissions assigned to a user.

49
MCQhard

A cloud security team is implementing a secrets management solution for applications running on AWS. They need to automatically rotate database credentials every 30 days and avoid hardcoding secrets. Which service should they use?

A.AWS Identity and Access Management (IAM) roles
B.AWS Key Management Service (KMS)
C.AWS Secrets Manager
D.AWS Systems Manager Parameter Store
AnswerC

Secrets Manager manages secrets and supports automatic rotation.

Why this answer

AWS Secrets Manager allows automatic rotation of secrets (e.g., database credentials) and integration with AWS services. Parameter Store can store secrets but does not natively support automatic rotation. KMS is for encryption keys.

IAM roles are for AWS service permissions.

50
MCQmedium

An organization uses multiple SaaS applications and wants to enforce data loss prevention policies and gain visibility into user activity. Which technology should they implement?

A.Security information and event management (SIEM)
B.Web Application Firewall (WAF)
C.Virtual private network (VPN)
D.Cloud Access Security Broker (CASB)
AnswerD

CASBs provide visibility and control over SaaS applications.

Why this answer

A Cloud Access Security Broker (CASB) provides visibility, compliance, data security, and threat protection for SaaS applications. WAF protects web applications, VPN provides remote access, and SIEM aggregates logs.

51
MCQmedium

A company is using a SaaS application and wants to gain visibility into user activity and enforce data loss prevention policies. Which technology should be deployed?

A.Intrusion Detection System (IDS)
B.Web Application Firewall (WAF)
C.Cloud Access Security Broker (CASB)
D.Network Access Control (NAC)
AnswerC

CASB sits between users and SaaS to monitor and enforce policies.

Why this answer

A Cloud Access Security Broker (CASB) provides visibility, compliance, and data security controls for SaaS applications.

52
Multi-Selectmedium

A cloud security engineer is hardening a Kubernetes cluster. Which TWO measures should be implemented to improve container security? (Choose two.)

Select 2 answers
A.Implement runtime security monitoring
B.Store secrets in ConfigMaps
C.Disable audit logging to reduce overhead
D.Use default service accounts for all pods
E.Enable image scanning for vulnerabilities
AnswersA, E

Runtime security detects suspicious container behavior.

Why this answer

A is correct because runtime security monitoring (e.g., using Falco, Sysdig, or Aqua Security) detects and alerts on anomalous behavior within running containers, such as unexpected system calls, privilege escalations, or file system changes. This is a critical layer of defense that complements image scanning by catching threats that bypass static checks, such as zero-day exploits or compromised containers. Without runtime monitoring, malicious activity inside a container can go undetected until significant damage occurs.

Exam trap

Cisco often tests the misconception that ConfigMaps are a secure place for secrets, but ConfigMaps lack encryption and access control features, making them unsuitable for sensitive data.

53
MCQmedium

A security team discovers that a container image used in production contains a known vulnerability in one of its base image layers. Which action should be taken to remediate this issue?

A.Rebuild the container image using an updated base image
B.Delete the container and recreate it from the same image
C.Apply a security patch to the running container
D.Enable runtime security monitoring to detect exploitation attempts
AnswerA

Rebuilding with a patched base image resolves the vulnerability at the image level.

Why this answer

The vulnerability is in the base image, so rebuilding the image using an updated base image that includes the security fix is the correct remediation. Additionally, scanning images in a CI/CD pipeline can catch vulnerabilities before deployment.

54
MCQhard

A company is migrating a legacy application to a Kubernetes cluster in the cloud. The application requires a database password to be accessible at runtime. Which approach aligns with cloud security best practices for secrets management?

A.Store the password as a Kubernetes Secret and mount it as a volume
B.Hardcode the password in the application code
C.Use a secrets management solution like HashiCorp Vault with a sidecar container to inject the password
D.Inject the password as an environment variable in the pod spec
AnswerC

Vault provides secure, audited access to secrets and integrates well with Kubernetes.

Why this answer

Storing secrets in a dedicated secrets manager like HashiCorp Vault or AWS Secrets Manager is recommended. Kubernetes Secrets should be avoided if possible, and secrets should never be hardcoded or stored in environment variables directly.

55
MCQmedium

A cloud administrator is designing network security for a three-tier application. The web tier must be accessible from the internet, but the application and database tiers should only be reachable from the web tier. Which security group configuration should be used?

A.Use separate security groups: web allows HTTP/HTTPS from 0.0.0.0/0; app allows traffic from web security group; db allows traffic from app security group
B.Assign the same security group to all tiers and use a single inbound rule
C.Place all tiers in the same subnet and use a network ACL to permit all traffic
D.Configure a network ACL for each subnet with allow rules for the required traffic
AnswerA

Security groups can reference other security groups as sources, providing fine-grained control.

Why this answer

Option A is correct because it uses separate security groups for each tier, implementing the principle of least privilege. The web tier security group allows HTTP/HTTPS from 0.0.0.0/0 for internet access, while the app tier security group references the web tier security group as its source, ensuring only traffic from the web tier can reach the application tier. Similarly, the database tier security group references the app tier security group, restricting access exclusively to the application tier.

This configuration enforces strict east-west traffic control and prevents direct internet access to the internal tiers.

Exam trap

Cisco often tests the distinction between stateful security groups and stateless network ACLs, and the trap here is that candidates may choose network ACLs (Option D) thinking they provide similar control, without realizing that security groups support logical references to other security groups, which is essential for dynamic tier-to-tier access in a three-tier architecture.

How to eliminate wrong answers

Option B is wrong because assigning the same security group to all tiers with a single inbound rule would allow all tiers to communicate with each other without restriction, violating the principle of least privilege and potentially exposing the database tier to the web tier or the internet. Option C is wrong because placing all tiers in the same subnet and using a network ACL to permit all traffic eliminates subnet-level segmentation, allowing any instance in the subnet to reach any other instance, and network ACLs are stateless, requiring explicit return rules, which adds complexity and risk. Option D is wrong because while network ACLs can provide subnet-level filtering, they are stateless and do not support security group references as sources; they require manual IP address management and cannot dynamically reference the web tier's security group, making them less precise and harder to maintain for tier-to-tier access control.

56
Multi-Selecthard

A cloud security analyst is investigating a potential container security incident. The analyst notices that a container is sending outbound traffic to a known malicious IP address. The container was deployed from an image that passed a vulnerability scan. Which TWO of the following should the analyst implement to detect and prevent such behavior in the future? (Select TWO).

Select 2 answers
A.Use a static IP address for all containers
B.Disable outbound network access for all containers
C.Enable runtime security monitoring for anomalous container behavior
D.Store container secrets in environment variables
E.Scan the container image layers for vulnerabilities during CI/CD
AnswersC, E

Runtime security detects behavioral anomalies such as unexpected outbound connections.

Why this answer

Runtime security tools monitor container behavior for anomalies like outbound connections to malicious IPs, and scanning base image layers helps catch vulnerabilities that might allow such behavior.

57
MCQmedium

A cloud engineer is deploying a new application and needs to securely store database credentials. The credentials must be automatically rotated every 90 days. Which service should be used?

A.AWS Key Management Service (KMS)
B.AWS Systems Manager Parameter Store
C.AWS Secrets Manager
D.AWS Identity and Access Management (IAM)
AnswerC

Secrets Manager supports automatic rotation of secrets.

Why this answer

AWS Secrets Manager allows secure storage and automatic rotation of secrets such as database credentials, with configurable rotation intervals.

58
Multi-Selectmedium

A cloud administrator is implementing network security for a VPC. The administrator needs to create a stateless firewall that filters traffic based on source and destination IP, port, and protocol. Which TWO of the following are characteristics of this type of firewall? (Select TWO.)

Select 2 answers
A.It is stateful and tracks connection state.
B.Rules are evaluated in order, starting with the lowest rule number.
C.It operates at the application layer (Layer 7).
D.Explicit outbound rules are required to allow return traffic.
E.It automatically allows response traffic for allowed inbound connections.
AnswersB, D

Stateless firewalls like NACLs evaluate rules in order.

Why this answer

Network ACLs are stateless, meaning they do not track connection state and require explicit rules for both inbound and outbound traffic. They evaluate rules in order by rule number.

59
MCQmedium

A company needs to meet PCI DSS compliance requirements for storing credit card data in the cloud. Which compliance certification should they verify their cloud provider has?

A.PCI DSS Level 1
B.ISO 27001
C.SOC 2 Type II
D.HIPAA BAA
AnswerA

PCI DSS Level 1 is required for entities handling large volumes of cardholder data.

Why this answer

PCI DSS Level 1 is the highest level for handling cardholder data.

60
Multi-Selectmedium

A cloud administrator is configuring network security for a multi-tier application. Which TWO statements about security groups and network ACLs are correct?

Select 2 answers
A.Network ACLs evaluate rules before security groups.
B.Security groups can be used to deny traffic from specific IP addresses.
C.Security groups are stateless.
D.Network ACLs are stateless and require explicit allow rules for both inbound and outbound traffic.
E.Security groups support allow rules only.
AnswersD, E

Stateless means each direction must be explicitly allowed.

Why this answer

Option D is correct because network ACLs are stateless, meaning they do not automatically allow return traffic; you must explicitly define allow rules for both inbound and outbound traffic. Option E is correct because security groups are stateful and support only allow rules; you cannot create a deny rule within a security group, and any traffic not explicitly allowed is implicitly denied.

Exam trap

The trap here is confusing stateful security groups with stateless network ACLs, leading candidates to incorrectly think security groups can deny specific IPs or that network ACLs are evaluated first, when in fact security groups are evaluated at the instance level before network ACLs at the subnet boundary.

61
Multi-Selectmedium

A security team is implementing encryption for a cloud-based database. The compliance requirements mandate that encryption keys be managed by the customer and rotated every 90 days. Which THREE of the following should the team use? (Select THREE).

Select 3 answers
A.Store the encryption key in a configuration file
B.Use TLS 1.2+ for data in transit
C.Integrate with the cloud KMS using customer-managed keys
D.Enable encryption at rest using AES-256
E.Configure automatic key rotation every 90 days
AnswersC, D, E

Customer-managed keys give the customer control over key rotation.

Why this answer

Encryption at rest with AES-256, a cloud KMS with customer-managed keys, and automated key rotation meet the requirements. TLS secures data in transit but is not about key management.

62
MCQmedium

A cloud architect is designing a multi-tier application. The application tier needs to access a database, but the database should not be reachable from the internet. Which network security control should be used?

A.Place the database in a private subnet and use a security group to allow traffic only from the application tier
B.Encrypt the database connection using TLS
C.Use a VPN to connect the application tier to the database
D.Place the database in a public subnet with restrictive security groups
AnswerA

Private subnets have no internet gateway, and security groups can restrict access to only the application tier.

Why this answer

Placing the database in a private subnet with no direct internet route ensures it is not reachable from the internet. Security groups can then allow inbound traffic only from the application tier's security group.

63
MCQmedium

An organization wants to ensure that only authenticated users from their corporate Active Directory can access cloud resources. Which federation protocol is most commonly used for this purpose?

A.LDAP
B.OAuth 2.0
D.SAML
AnswerD

SAML enables browser-based SSO with corporate IdPs.

Why this answer

SAML is widely used for federation between corporate identity providers (e.g., Active Directory) and cloud services.

64
MCQeasy

In the shared responsibility model, which of the following is the cloud customer responsible for?

A.Operating system patching on virtual machines
B.Network infrastructure under the hypervisor
C.Hypervisor security
D.Physical hardware maintenance
AnswerA

Customers manage guest OS patching.

Why this answer

The shared responsibility model states that customers are responsible for OS patching, application code, IAM, data encryption, and network security groups.

65
Multi-Selecthard

A company is deploying a cloud-native application that uses containers orchestrated by Kubernetes. The security team wants to enforce the principle of least privilege at the Kubernetes level. Which THREE measures should be implemented? (Choose three.)

Select 3 answers
A.Apply Pod Security Standards (e.g., restricted policy)
B.Implement Kubernetes RBAC to restrict permissions to namespaces and resources
C.Implement network policies to restrict pod-to-pod communication
D.Create service accounts with only the necessary permissions for each application
E.Use namespaces to separate environments
AnswersA, B, D

Pod Security Standards enforce security contexts that limit pod capabilities.

Why this answer

Pod Security Standards (PSS) define security contexts for pods, with the 'restricted' policy enforcing the principle of least privilege by disallowing privileged containers, host network access, and other high-risk capabilities. This directly prevents pods from running with unnecessary permissions, aligning with the security team's goal at the pod level.

Exam trap

Cisco often tests the distinction between network-level controls (network policies) and identity/privilege controls (RBAC, Pod Security Standards), leading candidates to mistakenly select network policies as a least-privilege measure when they only restrict traffic, not permissions.

66
MCQmedium

An organization's compliance policy requires that all access to cloud resources be logged and that logs be immutable. Which service should be used to meet these requirements?

A.AWS CloudWatch Logs
B.AWS CloudTrail
C.AWS Trusted Advisor
D.AWS Config
AnswerB

CloudTrail records API calls and can store logs immutably.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made to AWS resources, providing a detailed audit log of who made the request, from which IP address, and when. CloudTrail logs can be stored in an S3 bucket with S3 Object Lock enabled, which enforces a write-once-read-many (WORM) model to make logs immutable, meeting the compliance requirement for both logging and immutability.

Exam trap

Cisco often tests the distinction between logging API calls (CloudTrail) and monitoring resource configurations (Config) or operational logs (CloudWatch Logs), leading candidates to confuse CloudWatch Logs as the logging service without considering immutability requirements.

How to eliminate wrong answers

Option A is wrong because AWS CloudWatch Logs is a monitoring service for collecting log data from various sources, but it does not natively provide immutability features; logs can be deleted or overwritten without additional configuration. Option C is wrong because AWS Trusted Advisor is an advisory tool that inspects your AWS environment for best practices in cost, performance, security, and fault tolerance, but it does not log API calls or provide immutable logs. Option D is wrong because AWS Config is a service for evaluating and auditing resource configurations against desired policies, but it does not capture API activity logs or offer immutability; it records configuration changes, not access logs.

67
MCQeasy

A security administrator needs to store database credentials and API keys securely in AWS. The credentials must be automatically rotated every 90 days. Which service should the administrator use?

A.AWS Systems Manager Parameter Store
B.AWS KMS
C.AWS Secrets Manager
D.AWS Certificate Manager
AnswerC

Secrets Manager stores secrets and supports automatic rotation.

Why this answer

AWS Secrets Manager is designed to store secrets and provides built-in rotation capabilities.

68
MCQhard

A security administrator is configuring a Web Application Firewall (WAF) to protect a public-facing web application. The application experiences a high volume of traffic from certain geographic regions that are not serving customers. Which WAF feature should be used to block this traffic?

A.Rate limiting
B.OWASP rule set
C.Geo-blocking
D.IP reputation lists
AnswerC

Geo-blocking restricts traffic by country or region.

Why this answer

Geo-blocking allows the WAF to block or allow traffic based on geographic location, reducing unwanted traffic and potential attacks.

69
MCQhard

A company uses Azure RBAC to manage access to resources. A user is assigned a Contributor role at the subscription scope. Which of the following is true regarding the scope of this role?

A.The user will have Contributor permissions only on resources created after the assignment.
B.The user will have Contributor permissions on the subscription itself but not its resources.
C.The user will have Contributor permissions only on resource groups within the subscription.
D.The user will have Contributor permissions on all resources within the subscription.
AnswerD

Role assignment at subscription scope applies to all resources in that subscription.

Why this answer

RBAC roles in Azure are inherited from higher scopes to lower scopes (management group → subscription → resource group → resource).

70
MCQeasy

A cloud administrator needs to grant a developer read-only access to a specific storage bucket in AWS. Which IAM component should the administrator modify?

A.IAM policy
B.Security group
C.AWS WAF
D.Network ACL
AnswerA

IAM policies define permissions for AWS resources.

Why this answer

IAM policies are JSON documents that define permissions for AWS resources like S3 buckets.

71
MCQhard

A company uses Azure and wants to enforce multi-factor authentication (MFA) for all administrative users. The solution must be centrally managed and apply to all Azure subscriptions. Which approach should be used?

A.Create a Conditional Access policy in Azure AD requiring MFA for all cloud apps
B.Configure MFA on each individual Azure subscription
C.Assign MFA to each user individually in Azure AD
D.Use Azure Policy to require MFA for admin roles
AnswerA

Conditional Access policies can enforce MFA tenant-wide.

Why this answer

Option A is correct because Conditional Access policies in Azure AD are centrally managed and can enforce MFA for all cloud apps across all Azure subscriptions by targeting the 'Microsoft Azure Management' cloud app. This approach applies to all administrative users regardless of subscription, as Azure AD is the identity provider for Azure resources.

Exam trap

The trap here is confusing Azure Policy (resource compliance) with Azure AD Conditional Access (identity security), leading candidates to select Option D, even though Azure Policy cannot enforce authentication requirements.

How to eliminate wrong answers

Option B is wrong because MFA cannot be configured on individual Azure subscriptions; MFA is an Azure AD feature, not a subscription-level setting. Option C is wrong because assigning MFA per user is not centrally managed and does not scale to apply to all subscriptions automatically; it also lacks the granularity of Conditional Access policies. Option D is wrong because Azure Policy is used for resource compliance (e.g., tagging, encryption) and cannot enforce MFA, which is an identity-level control managed by Azure AD.

72
MCQhard

A company uses Google Cloud Platform (GCP) and wants to enforce that all service accounts used by applications have only the permissions necessary to perform their tasks. Which IAM concept should the administrator apply?

A.Separation of duties
B.Privileged access management (PAM)
C.Role-based access control (RBAC)
D.Least privilege
AnswerD

Least privilege is the principle of granting minimal necessary permissions.

Why this answer

The principle of least privilege dictates granting only the required permissions. In GCP, this is achieved by assigning predefined roles that are narrowly scoped to specific services, and by using conditions to further restrict access.

73
MCQeasy

A cloud engineer is configuring a web application on AWS and needs to ensure that only HTTP and HTTPS traffic from the internet is allowed to reach the EC2 instances. Which AWS service should be used to control inbound traffic at the instance level?

A.Security Group
B.AWS Shield
C.AWS WAF
D.Network ACL
AnswerA

Security groups are stateful instance-level firewalls that can allow HTTP/HTTPS inbound traffic.

Why this answer

Security groups are stateful virtual firewalls that control inbound and outbound traffic at the instance level. Network ACLs operate at the subnet level and are stateless.

74
MCQmedium

A security administrator is configuring a web application firewall (WAF) to protect against SQL injection attacks. Which WAF feature should be enabled?

A.Geo-blocking
B.Rate limiting
C.OWASP rule set
D.DDoS protection
AnswerC

OWASP rules include SQL injection detection/prevention.

Why this answer

OWASP rules include protections against SQL injection, XSS, and other common web vulnerabilities.

75
MCQmedium

An organization uses multiple cloud providers and wants to centralize secrets management. Which solution would best meet this requirement?

A.Azure Key Vault
B.AWS Secrets Manager
C.HashiCorp Vault
D.Google Cloud Secret Manager
AnswerC

Vault is cloud-agnostic and supports multiple backends.

Why this answer

HashiCorp Vault is a multi-cloud secrets management solution that can store and rotate secrets across different providers.


CCNA Clp Security Questions — Page 1 of 2 | Courseiva