CCNA Clp Security Questions

35 of 110 questions · Page 2/2 · Clp Security topic · Answers revealed

76 · MCQ · easy

A cloud engineer is configuring encryption for data stored in an S3 bucket. The company requires that encryption keys be managed by the organization, not the cloud provider. Which encryption option should be used?

A. SSE-KMS
B. SSE-S3
C. SSE-C
D. Client-side encryption
Answer: C

SSE-C allows the customer to supply and manage their own keys.

Why this answer

SSE-C (Server-Side Encryption with Customer-Provided Keys) allows the organization to manage their own encryption keys while AWS handles the encryption and decryption process. The customer provides the encryption key in each request, and AWS discards the key after the operation, ensuring the cloud provider never stores the key. This meets the requirement that keys be managed by the organization, not the cloud provider.

Exam trap

The trap here is that candidates confuse SSE-KMS with customer-managed keys, but KMS keys are still managed by AWS as a service, whereas SSE-C requires the customer to provide the key directly with each request, giving the organization full control.

How to eliminate wrong answers

Option A (SSE-KMS) is wrong because AWS Key Management Service (KMS) manages the keys, meaning the cloud provider retains control over key lifecycle and policies, which does not satisfy the requirement for organization-managed keys. Option B (SSE-S3) is wrong because Amazon S3 manages the encryption keys entirely, with no customer control or visibility into key material. Option D (Client-side encryption) is wrong because encryption occurs on the client side before data is sent to S3, which is a different approach than server-side encryption and does not involve AWS handling the encryption process; the question specifies configuring encryption for data stored in an S3 bucket, implying server-side encryption.

77 · MCQ · medium

A cloud administrator is configuring encryption for data at rest in a cloud storage service. The administrator wants to use a key that is generated and managed by the cloud provider but stored in the customer's account. Which key management option is being described?

A. Customer-supplied keys (SSE-C)
B. No encryption
C. Cloud provider-managed keys (SSE-S3)
D. Customer-managed keys (CMK)
Answer: D

CMKs are generated and managed by the provider but stored in the customer's account, providing more control.

Why this answer

Customer-managed keys (CMK) are generated and managed by the cloud provider but stored in the customer's account, giving the customer control over key usage. Cloud provider-managed keys (SSE-S3) are fully managed by the provider.

78 · MCQ · easy

An organization wants to audit all API calls made in their AWS account. Which AWS service should be enabled to capture these logs?

A. Amazon CloudWatch
B. AWS Trusted Advisor
C. AWS CloudTrail
D. AWS Config
Answer: C

CloudTrail records all API calls in the AWS account.

Why this answer

AWS CloudTrail records API activity for governance, compliance, and auditing.

79 · MCQ · medium

An organization uses Azure and wants to ensure that only authenticated users from its on-premises Active Directory can access cloud resources. The company has Azure AD Connect set up and wants to enable single sign-on (SSO) for cloud applications. Which federation standard should be used?

A. Kerberos
B. OAuth 2.0
C. SAML
D. OpenID Connect
Answer: C

SAML enables federation and SSO between identity providers and service providers.

Why this answer

SAML (Security Assertion Markup Language) is the correct federation standard because it enables browser-based single sign-on (SSO) by exchanging authentication and authorization assertions between an identity provider (on-premises Active Directory via Azure AD Connect) and a service provider (cloud applications). SAML 2.0 is specifically designed for federated identity scenarios where users authenticate on-premises and gain access to cloud resources without re-entering credentials.

Exam trap

The trap here is that candidates assume OAuth 2.0 or OpenID Connect is the default for all SSO scenarios, but the question specifically describes a traditional on-premises AD federation with browser-based cloud applications, which is the classic SAML use case.

How to eliminate wrong answers

Option A is wrong because Kerberos is a network authentication protocol that uses tickets and is designed for on-premises environments, not for federated SSO across cloud boundaries; it cannot pass assertions to cloud applications. Option B is wrong because OAuth 2.0 is an authorization framework, not an authentication protocol; it does not provide identity assertions or user authentication information by itself. Option D is wrong because OpenID Connect is built on top of OAuth 2.0 for authentication but is primarily used for modern web and mobile applications with RESTful APIs, not for the traditional browser-based SAML federation pattern that Azure AD Connect uses for SSO with on-premises AD.

80 · MCQ · medium

A cloud administrator notices that a security group rule allowing SSH (port 22) from any IP address (0.0.0.0/0) was created for a Linux server. The server is used for administrative purposes only. Which security best practice should be applied to reduce the attack surface?

A. Disable password authentication and use SSH keys only
B. Change the SSH port to a non-standard port
C. Add a deny rule for SSH in the network ACL
D. Restrict the source IP address to the company's public IP range
Answer: D

This limits SSH access to trusted IPs only.

Why this answer

Restricting the source IP address to the company's public IP range (option D) directly reduces the attack surface by limiting SSH access to only trusted administrative networks. This is the most effective security best practice because it prevents unauthorized external hosts from even attempting to connect to port 22, regardless of authentication method or port obscurity. In cloud environments like AWS, security group rules are stateful and evaluated before any packet reaches the instance, making source IP restriction a fundamental layer of defense.

Exam trap

The trap here is that candidates often confuse authentication hardening (option A) or port obfuscation (option B) with network-layer access control, failing to recognize that the most fundamental security best practice is to limit the source IP range to trusted administrative networks.

How to eliminate wrong answers

Option A is wrong because disabling password authentication and using SSH keys only addresses authentication strength, not the exposure of SSH to the entire internet; an attacker can still attempt to exploit SSH service vulnerabilities or perform brute-force attacks on the key exchange. Option B is wrong because changing the SSH port to a non-standard port relies on security through obscurity, which does not prevent automated scanners or targeted attackers from discovering the open port; it also complicates management and may violate compliance policies. Option C is wrong because adding a deny rule for SSH in the network ACL (NACL) is redundant and less effective than a security group rule: NACLs are stateless and require explicit allow rules for return traffic, and the existing security group rule allowing 0.0.0.0/0 would remain in place, so the NACL would have to be configured correctly to block the traffic. The best practice is instead to restrict the source at the security group level.

81 · MCQ · easy

Which of the following is the cloud provider's responsibility under the shared responsibility model?

A. Encrypting data stored in cloud resources
B. Configuring identity and access management policies
C. Securing the physical data center
D. Patching guest operating systems
Answer: C

Physical security is always the provider's responsibility.

Why this answer

The cloud provider is responsible for the physical infrastructure, hypervisor, and global network. The customer manages the OS, applications, IAM, data, and network security groups.

82 · MCQ · hard

A security administrator needs to enforce least privilege for a Kubernetes cluster in a cloud environment. Which approach should be used to restrict permissions for pods that need to access the cloud provider's API?

A. Assign the pod a static cloud IAM user credential
B. Disable cloud API access for all pods
C. Use a service account with a role that has only the required permissions
D. Grant the pod cluster-admin privileges in Kubernetes
Answer: C

Service accounts provide secure, scoped access for pods.

Why this answer

Using a service account with a role that has minimal permissions and attaching it to the pod ensures least privilege for pod-to-cloud API access.

83 · MCQ · medium

A company uses AWS and wants to centralize security monitoring across multiple accounts. Which service should they use to aggregate security findings and check compliance against standards like CIS AWS Foundations?

A. AWS CloudTrail
B. Amazon GuardDuty
C. AWS Security Hub
D. AWS Config
Answer: C

Security Hub is designed for centralized security and compliance management.

Why this answer

AWS Security Hub aggregates security alerts from various AWS services and third-party tools, and provides compliance checks against standards like CIS, PCI DSS, and AWS Foundational Security Best Practices.

84 · MCQ · easy

Which of the following compliance frameworks is specifically designed for handling healthcare information in the United States?

A. SOC 2 Type II
B. ISO 27001
C. PCI DSS
D. HIPAA
Answer: D

HIPAA is for healthcare information privacy and security.

Why this answer

HIPAA (Health Insurance Portability and Accountability Act) sets standards for protecting sensitive patient data. PCI DSS is for payment card data, SOC 2 is for service organizations, and ISO 27001 is for information security management.

85 · MCQ · medium

A company requires multi-factor authentication (MFA) for all users accessing the cloud management console. Which IAM policy element should be used to enforce this?

A. Action
B. Effect
C. Resource
D. Condition
Answer: D

Condition can require MFA by using the aws:MultiFactorAuthPresent key.

Why this answer

A Condition element in an IAM policy can require MFA by checking the aws:MultiFactorAuthPresent key.

86 · Multi-Select · hard

A cloud security team is implementing encryption for data at rest using customer-managed keys in a cloud KMS. Which THREE practices should be followed?

Select 3 answers
A. Use IAM policies to restrict who can use and manage the keys.
B. Enable automatic key rotation.
C. Store the key material in plaintext in the application code.
D. Use a default cloud provider key to simplify management.
E. Back up the key material securely in a separate location.
Answers: A, B, E

IAM controls access to KMS keys.

Why this answer

Option A is correct because IAM policies are essential for enforcing the principle of least privilege in cloud KMS. By restricting who can use (encrypt/decrypt) and manage (rotate/disable/destroy) customer-managed keys, the security team ensures that only authorized principals can access the key material. This prevents unauthorized users or services from compromising data at rest, which is a core requirement for compliance frameworks like PCI DSS or HIPAA.

Exam trap

Cisco often tests the misconception that storing keys in code is acceptable if the code is in a private repository, but the trap here is that any plaintext key in code is a critical vulnerability, regardless of repository access controls.

87 · MCQ · easy

A cloud architect is designing a multi-tenant SaaS application on AWS. Which of the following security responsibilities is the CUSTOMER responsible for under the shared responsibility model?

A. Global network infrastructure
B. Patching the hypervisor
C. Physical security of data centers
D. Configuring security groups
Answer: D

Security groups are a customer-configurable network security control.

Why this answer

Under the shared responsibility model, the customer is responsible for data encryption, OS patching, and IAM configuration, while the provider secures the physical infrastructure.

88 · MCQ · hard

A DevOps team deploys a containerized application on Amazon EKS. The security team wants to ensure that containers do not run as root and that read-only root filesystems are enforced. Which Kubernetes mechanism should be used?

A. Pod Security Standards
B. Kubernetes RBAC
C. Network Policies
D. Secrets management
Answer: A

Pod Security Standards enforce security constraints at the pod level.

Why this answer

Pod Security Standards (formerly PSP) define security contexts, including runAsNonRoot and readOnlyRootFilesystem, to enforce these policies.

89 · MCQ · hard

During a security audit, it is discovered that a cloud storage bucket contains sensitive data that should have been encrypted at rest. The bucket was created with default settings. Which step must be taken to encrypt the data that is already stored?

A. Encrypt the objects using client-side encryption before upload
B. Copy the objects to a new bucket that has default encryption enabled, then delete the original bucket
C. Use server-side encryption with customer-provided keys (SSE-C) on each existing object
D. Enable default encryption on the bucket; all existing objects will be automatically encrypted
Answer: B

Copying objects applies the new bucket's encryption settings.

Why this answer

Enabling default encryption only affects new objects. Existing objects must be re-encrypted by copying them, which applies the new encryption settings.

90 · MCQ · medium

A cloud administrator needs to provide external partners with access to a cloud application using their existing corporate credentials. Which federation protocol should be used?

B. Kerberos
C. SAML
D. LDAP
Answer: C

SAML allows identity federation and SSO with external identity providers.

Why this answer

SAML is a standard federation protocol that enables single sign-on using existing identity providers.

91 · MCQ · easy

Which encryption standard is most commonly used for data at rest in cloud storage services?

A. Blowfish
B. DES
C. AES-256
D. RSA
Answer: C

AES-256 is widely used for encrypting data at rest.

Why this answer

AES-256 is the industry standard for encrypting data at rest in cloud environments.

92 · MCQ · easy

A cloud customer is deploying a virtual machine (VM) in a public IaaS environment. According to the shared responsibility model, which of the following security tasks is the customer responsible for?

A. Securing the hypervisor
B. Patching the guest operating system
C. Physical security of the data center
D. Network infrastructure integrity
Answer: B

The customer manages the guest OS and its patches.

Why this answer

Under the shared responsibility model, the customer is responsible for securing the operating system, applications, and data within the VM. The cloud provider secures the physical host and hypervisor.

93 · Multi-Select · hard

A company is deploying a web application in a cloud environment and needs to protect against SQL injection and cross-site scripting (XSS) attacks. Additionally, the company wants to block traffic from specific geographic regions. Which TWO services should be used? (Select TWO.)

Select 2 answers
A. Web Application Firewall (WAF)
B. Geo-blocking feature in WAF
C. Network Access Control List (NACL)
D. DDoS protection service
E. Security Group
Answers: A, B

WAF protects against SQL injection, XSS, and can geo-block.

Why this answer

WAF can inspect HTTP requests for SQL injection and XSS, and also provide geo-blocking. DDoS protection is for volumetric attacks, not application-layer threats. Network ACLs and Security Groups do not inspect application payloads.

94 · Multi-Select · hard

A security engineer is designing a data classification policy for a cloud environment. The policy must identify sensitive data, apply appropriate controls, and monitor access. Which THREE of the following should be included in the policy? (Select THREE.)

Select 3 answers
A. Cloud Access Security Broker (CASB) for all data
B. Encryption at rest for classified data
C. Access logging and monitoring for sensitive data
D. Network security groups to isolate data
E. Data discovery and classification tools
Answers: B, C, E

Protects data in storage.

Why this answer

Data classification includes identifying where data resides, encrypting it, and monitoring access. DLP tools help enforce policies. Security groups are network controls, not data classification.

CASB is for SaaS, but not necessarily part of a classification policy.

95 · MCQ · easy

Which of the following is a benefit of using a Cloud Access Security Broker (CASB) for SaaS applications?

A. It encrypts data at rest in cloud storage.
B. It provides a virtual private network (VPN) for remote access.
C. It replaces the need for a web application firewall.
D. It gives visibility and control over Shadow IT and data protection.
Answer: D

CASBs are designed to discover and control SaaS applications.

Why this answer

CASBs provide visibility into SaaS usage and enforce security policies, such as data loss prevention (DLP) and access control.

96 · MCQ · hard

A DevOps team deploys a containerized application to a Kubernetes cluster. They need to ensure that containers cannot run with privileged access. Which Kubernetes security mechanism should be applied?

A. Pod Security Standards
B. Network policies
C. ConfigMaps
D. Service accounts
Answer: A

These enforce security contexts including privilege settings.

Why this answer

Pod Security Standards define policies like 'restricted' that prevent privileged containers.

97 · MCQ · easy

Which of the following is a benefit of using a Web Application Firewall (WAF)?

A. Filtering malicious HTTP/HTTPS traffic to a web application
B. Encrypting data at rest in a database
C. Protecting against DDoS attacks at the network layer
D. Managing user identities and access
Answer: A

WAFs analyze HTTP/HTTPS requests and block malicious ones.

Why this answer

WAFs protect web applications from common attacks like SQL injection, cross-site scripting, and other OWASP Top 10 threats by filtering and monitoring HTTP/HTTPS traffic.

98 · MCQ · easy

A cloud architect is designing a network to protect a web application from common attacks such as SQL injection and cross-site scripting. Which cloud service should be used?

A. DDoS Protection
B. Network ACL
C. Web Application Firewall (WAF)
D. Security Group
Answer: C

WAF protects against OWASP top 10 attacks at the application layer.

Why this answer

A Web Application Firewall (WAF) inspects HTTP traffic and blocks web exploits like SQL injection and XSS.

99 · MCQ · medium

A security engineer is configuring a network security group (NSG) in Azure to allow inbound HTTPS traffic to a web server. The engineer creates an inbound rule allowing TCP port 443 from the Internet. What must be done to ensure the web server can respond to clients?

A. Create an outbound rule allowing all traffic to the Internet.
B. Create an inbound rule allowing TCP port 443 from the web server.
C. Create an outbound rule allowing TCP port 443 to the Internet.
D. No additional rule is needed because the NSG is stateful.
Answer: D

Stateful firewalls track connection state and allow return traffic.

Why this answer

NSGs are stateful; allowing inbound traffic automatically allows the corresponding outbound response traffic.

100 · MCQ · medium

A security engineer is configuring an AWS IAM policy for a new application. The policy must allow the application to read objects from a specific S3 bucket. Which IAM policy element determines whether the action is allowed or denied?

A. Effect
B. Action
C. Resource
D. Condition
Answer: A

Effect is set to 'Allow' or 'Deny' to permit or block the action.

Why this answer

The Effect element in an IAM policy specifies whether the policy allows or denies the requested action.

101 · MCQ · easy

According to the shared responsibility model, which of the following is the cloud provider responsible for?

A. Operating system patching
B. Physical infrastructure security
C. Application code security
D. Identity and access management configuration
Answer: B

The provider secures the physical data centers.

Why this answer

The cloud provider is responsible for the physical infrastructure, hypervisor, and global network, while the customer is responsible for OS patching, IAM, data encryption, etc.

102 · Multi-Select · medium

A cloud security team is implementing the principle of least privilege for IAM roles. Which TWO actions are consistent with this principle?

Select 2 answers
A. Grant full administrative access to all users to simplify management
B. Regularly review and revoke unused permissions
C. Create custom roles with only the specific permissions needed for each job function
D. Use wildcard (*) permissions to allow all actions on a resource
E. Assign root user access to all developers
Answers: B, C

Removing unused permissions reduces attack surface.

Why this answer

Least privilege means granting only the permissions necessary for a task and periodically reviewing access.

103 · MCQ · medium

A security auditor is reviewing the IAM configuration for a cloud account. The auditor finds that a user has permissions to create and delete resources in all services. Which principle of security is being violated?

A. Need to know
B. Defense in depth
C. Least privilege
D. Separation of duties
Answer: C

Least privilege requires minimal permissions; full access is a clear violation.

Why this answer

The principle of least privilege dictates that users should only have the minimum permissions necessary to perform their job functions. Granting full access to all services violates this principle.

104 · MCQ · easy

Which of the following is a key benefit of using a Cloud Access Security Broker (CASB)?

A. Automates resource provisioning
B. Provides DDoS protection
C. Manages encryption keys for on-premises data
D. Discovers and controls use of unauthorized cloud applications
Answer: D

CASBs can detect shadow IT and enforce policies.

Why this answer

CASBs provide visibility and control over SaaS applications, including shadow IT discovery.

105 · MCQ · medium

A company is migrating a financial application to the cloud and must comply with PCI DSS. Which of the following cloud compliance programs is most relevant to demonstrate compliance?

A. PCI DSS Level 1
B. ISO 27001
C. SOC 2 Type II
D. HIPAA BAA
Answer: A

PCI DSS is the standard for payment card data security.

Why this answer

PCI DSS Level 1 is the highest level of compliance for organizations handling credit card data. Cloud providers offer PCI DSS attestations to support customer compliance.

106 · Multi-Select · medium

A cloud administrator is configuring a CASB (Cloud Access Security Broker) for SaaS applications. Which TWO capabilities should the administrator expect from the CASB? (Choose two.)

Select 2 answers
A. Discover and control shadow IT usage
B. Manage on-premises server patches
C. Apply data loss prevention (DLP) policies
D. Provide local DNS resolution
E. Replace the cloud provider's infrastructure
Answers: A, C

CASBs discover unauthorized cloud services and enforce policies.

Why this answer

CASBs provide visibility into shadow IT, enforce data loss prevention policies, and control access to SaaS applications.

107 · Multi-Select · hard

A company is migrating to GCP and needs to ensure data encryption in transit for all external communications. Which THREE measures should be implemented? (Choose three.)

Select 3 answers
A. Configure load balancer to redirect HTTP to HTTPS
B. Disable TLS for internal VPC traffic
C. Use TLS 1.2 or higher for all API endpoints
D. Enable AES-256 encryption at rest
E. Implement certificate management with auto-renewal
Answers: A, C, E

Redirecting HTTP to HTTPS enforces encrypted communications.

Why this answer

TLS 1.2+ ensures strong encryption in transit. Certificate management ensures valid certificates. Enforcing HTTPS via load balancer policies redirects HTTP traffic.

108 · MCQ · hard

A company uses Azure and wants to centrally audit all management operations across subscriptions. Which service should be used to collect and analyze these logs?

A. GCP Cloud Audit Logs
B. Azure Monitor
C. AWS CloudTrail
D. Azure Security Center
Answer: B

Azure Monitor collects and analyzes activity logs and metrics.

Why this answer

Azure Monitor is the correct service because it provides a centralized platform for collecting, analyzing, and acting on telemetry data from Azure resources, including management operations across subscriptions. Specifically, the Azure Activity Log within Azure Monitor captures all control-plane events (e.g., resource creation, deletion, policy changes) at the subscription level, enabling auditing and alerting. This directly meets the requirement for centrally auditing management operations across multiple subscriptions.

Exam trap

The trap here is that candidates may confuse Azure Security Center (now Defender for Cloud) with a logging and auditing service, but it is a security management tool, not a centralized log collection and analysis platform like Azure Monitor.

How to eliminate wrong answers

Option A is wrong because GCP Cloud Audit Logs is a Google Cloud Platform service, not an Azure service, and cannot collect or analyze Azure management logs. Option C is wrong because AWS CloudTrail is an Amazon Web Services service for auditing AWS API calls, and it has no integration with Azure subscriptions. Option D is wrong because Azure Security Center (now Microsoft Defender for Cloud) focuses on security posture management, threat detection, and vulnerability assessment, not on collecting and analyzing all management operation logs for auditing purposes.

109 · MCQ · easy

A cloud administrator needs to protect a web application from common attacks such as SQL injection and cross-site scripting (XSS). Which cloud service should be implemented?

A. DDoS protection service
B. Network ACL
C. Security group
D. Web Application Firewall (WAF)
Answer: D

WAF inspects HTTP requests and can block SQL injection, XSS, etc.

Why this answer

A Web Application Firewall (WAF) is specifically designed to filter and monitor HTTP traffic, blocking common web exploits like SQL injection and XSS. Cloud providers offer WAF services (e.g., AWS WAF, Azure WAF, Cloud Armor).

110 · Multi-Select · medium

A cloud administrator is configuring an Azure environment for a healthcare application that must comply with HIPAA. Which TWO configurations are required to meet HIPAA security and privacy rules? (Choose two.)

Select 2 answers
A. Implement audit logging for access to ePHI
B. Configure network security groups to allow only HTTPS traffic
C. Enable multi-factor authentication for all administrative accounts
D. Configure automatic patching for all virtual machines
E. Enable encryption at rest for all storage accounts containing ePHI
Answers: A, E

HIPAA requires audit controls to record access to ePHI.

Why this answer

Audit logging for access to ePHI is required by HIPAA to track who accessed, modified, or deleted protected health information. In Azure, this is implemented through Azure Monitor and Log Analytics, which capture detailed audit trails for storage accounts, databases, and applications. Without audit logs, the organization cannot demonstrate compliance with the HIPAA Security Rule's requirement for activity monitoring and accountability.

Exam trap

The trap here is that candidates often confuse 'best practices' (like MFA and automatic patching) with 'required configurations' under HIPAA, leading them to select options that are recommended but not explicitly mandated by the Security Rule.
