
ISC2 exam questions

Certified Cloud Security Professional CCSP practice test

Practise questions on cloud computing concepts covering service models, deployment types, and essential characteristics for the CCSP exam.

- 504 practice questions
- 6 topics covered
- Exam code: CCSP
- Vendor: ISC2

Study modes

Three ways to study

Start with the Study Sheet to learn the material, switch to Practice Tests for active recall, then take a Mock Exam to simulate the real thing.

Study Sheet

All 504 questions with correct answers and explanations already visible. Read at your own pace — no time pressure.


Practice Test

Answer first, then see feedback and explanation. Tracks your score per session. Best for active recall and identifying weak areas.

Mock Exam

Full timed simulation with countdown. Answers hidden until the end. Includes all question types just like the real exam.


Study Sheet

All 504 CCSP questions with answers

Every question in the bank, paginated 75 per page. Correct answers and full explanations are revealed upfront — ideal for first-pass learning and pre-exam review.

7 pages · 75 questions per page · 504 total

Related practice questions

Study CCSP by topic

Topic pages go deep on individual concepts — each one covers a specific exam topic with questions, explanations, and study notes.

Courseiva uses original exam-style practice questions created for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations, not to memorise copied exam dumps.

Sample questions

Certified Cloud Security Professional CCSP practice questions


Refer to the exhibit. An administrator is reviewing an AWS S3 bucket policy. Based on the policy, which of the following is true?

Exhibit:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
```

Which TWO of the following are required for GDPR compliance when processing personal data in the cloud?

A cloud provider experiences a data breach affecting customer data. Which of the following laws most likely requires the provider to notify affected customers within 72 hours?

A company is performing a risk assessment of its cloud environment. They have identified a risk with a likelihood of 4 (on a scale of 1-5) and an impact of 3 (on a scale of 1-5). The company decides to implement controls that will reduce the likelihood to 2 and impact to 1. What is the residual risk score after controls?

Question 5 · easy · multiple choice

A company is implementing a secure software development lifecycle (SSDLC) for its cloud-native applications. Which practice should be automated to detect vulnerabilities early in the development process?

A company wants to ensure that its cloud provider's data deletion process is verifiable. Which of the following should the company require in the service level agreement?

Refer to the exhibit. A security analyst reviews the S3 bucket policy shown. Which security issue should be flagged?

Exhibit:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/MyAppRole"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/uploads/*"
    }
  ]
}
```

A cloud service provider stores customer data in a multi-tenant environment. A customer from the European Union requests that all personal data be encrypted at rest to comply with GDPR. What is the primary reason for this requirement?

Question 9 · hard · multiple choice

Refer to the exhibit. A security engineer discovers that the S3 bucket policy allows public read access from the entire corporate network (10.0.0.0/16). However, the company wants to restrict access only to the security team's subnet (10.0.1.0/24). What modification should be made to the policy?

Exhibit:

Bucket: my-company-logs
Region: us-east-1
Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-company-logs/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}
```

Which TWO of the following are common risk treatment options in cloud risk management?

Which TWO of the following are required elements of a valid Business Continuity Plan (BCP) in the cloud?

A company is migrating to the cloud and must comply with the Health Insurance Portability and Accountability Act (HIPAA). They plan to store electronic protected health information (ePHI) in a cloud database. Which of the following is a mandatory requirement for the cloud service agreement?

A regional bank is migrating its customer data to a cloud provider that offers services in multiple jurisdictions. The bank's legal team is concerned about compliance with data protection regulations, specifically regarding the right to be forgotten. During a review, the bank discovers that the cloud provider's data deletion process takes up to 90 days for archived data. The bank needs to ensure it can comply with customer deletion requests within 30 days as required by GDPR. What should the bank do?

A financial services company uses a cloud-based logging service for audit trails. A regulatory investigation is initiated, and the company is required to preserve all logs from the past 18 months. The cloud provider's default retention policy is 12 months, and logs older than that are automatically deleted. The company did not configure custom retention. What is the most appropriate action to ensure compliance?

A cloud security architect is designing a data loss prevention (DLP) strategy for a multi-cloud environment. Which TWO actions are effective in preventing unauthorized exfiltration of sensitive data?

Question 16 · hard · multiple choice

A cloud security engineer reviews the S3 bucket policy shown in the exhibit. What is the net effect of this policy when a request originates from IP address 203.0.113.10 over HTTPS?

Exhibit:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::company-data/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::company-data/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```

Question 17 · hard · multiple choice

A company is migrating a critical application to the cloud and must ensure that its security operations center (SOC) can detect and respond to threats in real time. The application generates high volumes of logs. Which combination of services would provide the MOST efficient and cost-effective solution for centralized logging, analysis, and alerting?

Which TWO of the following are primary responsibilities of a cloud service customer under the shared responsibility model regarding compliance with regulations such as GDPR?

A cloud security engineer reviews the IAM policy shown in the exhibit, which is attached to an S3 bucket. The engineer finds that users from outside the 10.0.0.0/8 network can still download objects from the bucket. What is the most likely reason for this behavior?

Exhibit:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```

Which TWO of the following are primary objectives of a cloud application security program?

A cloud security architect is designing a secure CI/CD pipeline for a containerized application deployed on a Kubernetes cluster. The pipeline must ensure that only approved images are deployed. Which TWO of the following controls should be implemented? (Choose two.)

An administrator applies the S3 bucket policy shown in the exhibit to a bucket named 'data-bucket' that contains sensitive logs. The policy is intended to allow uploads only over HTTPS. After applying it, the administrator finds that uploads using the AWS CLI without HTTPS still succeed. What is the most likely reason?

Exhibit:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::data-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::data-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

A company's security team is investigating an anomalous spike in outbound traffic from a cloud workload. The workload is a web server running in an IaaS environment. The team suspects data exfiltration. Which of the following is the BEST initial step to identify the source and type of traffic?

Refer to the exhibit. A cloud security analyst is reviewing an S3 bucket policy. The bucket contains sensitive data and must only be accessible over HTTPS from the internal network (10.0.0.0/24). Which of the following correctly describes the behavior of this policy?

Exhibit:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```


Exam question guide

How to use these CCSP questions

Use these questions as active recall, not passive reading. Try the question first, review the answer choices, then open the explanation and connect the result back to the exam topic.

Quick answer

Tests understanding of cloud service models, deployment types, and characteristics like scalability and elasticity.

- IaaS, PaaS, SaaS service model definitions and use cases
- Public, private, hybrid cloud deployment distinctions
- Key cloud characteristics: on-demand, broad network access
- Metered usage and resource pooling concepts

These CCSP practice questions are part of Courseiva's free ISC2 certification practice question bank. Courseiva provides original exam-style CCSP questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.