Certified Cloud Security Professional CCSP (CCSP) — Questions 175

504 questions total · 7 pages · All types, answers revealed

Page 1 of 7

1
MCQ · hard

A multi-national corporation uses a cloud storage service to store files that are subject to data residency requirements. Data must remain within a specific geographic region. Which of the following controls provides the STRONGEST assurance that data does not leave the region?

A. Contractual clauses with the cloud provider
B. Implementing strict IAM policies to limit data access
C. Using the cloud provider's data residency policy with region-restricted storage buckets
D. Client-side encryption with keys managed on-premises
Answer: C

Technical enforcement provides strong assurance.

Why this answer

Option C is correct because using the cloud provider's data residency policy with region-restricted storage buckets forces data at rest to be physically stored only in the specified geographic region. This is a technical control implemented at the infrastructure layer: the provider's storage service will not replicate or move the data outside the designated region, which is the strongest assurance available against data leaving it. In practice the verification extends beyond the bucket's region setting to anything that copies the data: cross-region replication rules, backup and snapshot destinations, and where the provider keeps logs and metadata.

Exam trap

ISC2 often tests the distinction between controls that act on who may touch the data or how it is protected (contracts, IAM policies, encryption) and controls that act on where the data physically sits (region-restricted storage). Candidates mistakenly believe that encryption or access policies enforce residency; only an infrastructure-level location restriction does.

How to eliminate wrong answers

Option A is wrong because contractual clauses are legal agreements that rely on trust and enforcement after a breach; they do not provide technical enforcement and cannot prevent accidental or malicious data movement. Option B is wrong because IAM policies control who can access data, not where data is stored or replicated; they do not restrict the geographic location of data. Option D is wrong because client-side encryption protects data confidentiality but does not control the physical storage location; encrypted data can still be stored or replicated in any region the cloud provider supports.

2
MCQ · medium

A security analyst is using a cloud security posture management (CSPM) tool that reports a finding of "storage bucket publicly accessible." However, upon manual inspection, the bucket's ACL and bucket policy both restrict access to authorized users only. What is the most likely cause of the false positive?

A. The bucket is in a different region
B. The bucket policy has a syntax error
C. The bucket contains objects with public ACLs
D. The CSPM tool is misconfigured
Answer: C

Object-level ACLs can override bucket-level settings and cause a public access finding.

Why this answer

Option C is correct because individual objects inside a private bucket can carry their own public ACL grants (for example, objects uploaded with the public-read canned ACL), and CSPM tools evaluate object ACLs as well as the bucket ACL and bucket policy. A practitioner verifying the finding should list the object ACLs, check whether Block Public Access is enabled at the bucket or account level (it overrides public ACLs), and check the bucket's Object Ownership setting, which can disable ACLs entirely. Option D (CSPM misconfigured) is possible but less likely than a real object-level grant. Option B (policy syntax error) would be rejected when the policy is saved, not produce a public-access finding. Option A (region) has no bearing on whether the bucket is public.
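The object-level check described above, as an added example (not code from the original page): it scans S3 ACL documents for grants to the AllUsers or AuthenticatedUsers groups, which is exactly what turns a privately-policied bucket into a public finding. The ACL documents are constructed samples in the shape S3's GetObjectAcl returns; the group URIs and permission names are AWS's real identifiers.

```python
"""Added example (not from the original page): find S3 objects whose own ACL
makes them public even though the bucket ACL and bucket policy are private.
The sample ACLs below are constructed in the shape returned by GetObjectAcl.
"""
from typing import Dict, List, Tuple

# Predefined S3 groups whose presence in a grant exposes an object to the
# world (AllUsers) or to any AWS account (AuthenticatedUsers). Real AWS URIs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}

# Permissions that expose content or let a third party re-expose it.
EXPOSING_PERMISSIONS = {"READ", "FULL_CONTROL", "WRITE_ACP"}


def public_grants(acl: dict) -> List[Tuple[str, str]]:
    """Return (group_uri, permission) pairs that make this ACL public."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI", "")
        permission = grant.get("Permission", "")
        if uri in PUBLIC_GROUPS and permission in EXPOSING_PERMISSIONS:
            hits.append((uri, permission))
    return hits


def find_public_objects(object_acls: Dict[str, dict]) -> Dict[str, List[Tuple[str, str]]]:
    """Map object key -> offending grants, for every object that has one."""
    findings = {}
    for key, acl in object_acls.items():
        hits = public_grants(acl)
        if hits:
            findings[key] = hits
    return findings


# Constructed sample: three objects in a bucket whose own ACL and policy are
# private. One object was uploaded with the public-read canned ACL, another
# grants FULL_CONTROL to AuthenticatedUsers (any AWS account qualifies).
OWNER = {"Type": "CanonicalUser", "ID": "a1b2c3" + "0" * 58}
SAMPLE_OBJECT_ACLS = {
    "reports/q1.pdf": {
        "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
    },
    "images/logo.png": {
        "Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        ],
    },
    "exports/customers.csv": {
        "Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
             "Permission": "FULL_CONTROL"},
        ],
    },
}

if __name__ == "__main__":
    for key, hits in find_public_objects(SAMPLE_OBJECT_ACLS).items():
        print(f"PUBLIC  {key}: {hits}")
```

In a live account the input dictionary is built from `get_object_acl` calls (one per key) and the result should be read alongside the bucket's Block Public Access and Object Ownership settings, since either of those can neutralise the grants this scan reports.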

3
MCQ · hard

A financial institution is migrating sensitive transaction data to the cloud. They must comply with a regulation that requires data to be retained for 7 years, but also support immediate legal holds. The cloud storage service offers object lock with governance mode. What is the best practice to ensure compliance?

A. Use object lock in compliance mode with a 7-year retention period
B. Use object lock in governance mode with a 7-year retention period and grant legal hold permissions to authorized users
C. Apply a lifecycle policy to delete objects after 7 years and rely on backups
D. Encrypt all objects with a client-managed key and store deletion timestamps in a database
Answer: B

Governance mode allows users with special permissions to override for legal holds.

Why this answer

Option B is correct in the exam's framing: governance mode enforces the 7-year retention for everyone except principals explicitly granted s3:BypassGovernanceRetention, which keeps retention adjustable for authorized legal or records staff, while legal holds can be placed and lifted by principals with s3:PutObjectLegalHold. Note that in S3 a legal hold is independent of the retention mode: it can be applied to an object under either governance or compliance mode and has no expiry. What governance mode adds is the ability for authorized users to shorten or lift the retention period itself, which compliance mode permanently forbids.

Exam trap

ISC2 often tests the distinction between governance mode and compliance mode, trapping candidates who assume compliance mode is always better for regulatory requirements without considering the need for legal hold flexibility.

How to eliminate wrong answers

Option A is wrong in the exam's framing because compliance mode locks the retention period immutably: no user, including the account root, can shorten it or change the mode once set, so any later adjustment to retention (a court order to release records early, for example) becomes impossible; legal holds themselves can still be applied under compliance mode. Option C is wrong because lifecycle policies only expire objects by age and provide neither immutability nor legal holds, so data can be modified or deleted before the 7-year period ends. Option D is wrong because client-managed keys and deletion timestamps neither enforce retention nor prevent deletion; they only record when data should be deleted, leaving it exposed to accidental or malicious removal.

4
MCQ · medium

A multinational corporation is migrating its customer data to a cloud provider that operates data centers in multiple jurisdictions. To comply with the General Data Protection Regulation (GDPR), the company must ensure that customer data remains within the European Economic Area (EEA) unless adequate safeguards are in place. The cloud provider offers data residency options but does not guarantee that data will never be accessed from outside the EEA. What is the BEST course of action for the company?

A. Enter into a Data Processing Agreement (DPA) that includes Standard Contractual Clauses (SCCs) with the provider.
B. Accept the provider's data residency feature as sufficient compliance.
C. Pseudonymize all customer data before uploading to the cloud.
D. Encrypt all data and store the keys on-premises.
Answer: A

SCCs are a valid GDPR transfer mechanism.

Why this answer

A Data Processing Agreement (DPA) with Standard Contractual Clauses (SCCs) is the correct mechanism under GDPR to lawfully transfer personal data outside the EEA when the cloud provider cannot guarantee that data will never be accessed from outside the EEA. SCCs are a set of contractual terms approved by the European Commission that impose obligations on both the data exporter and importer to ensure adequate data protection, even if the provider's data residency feature is not absolute. This approach directly addresses the GDPR requirement for adequate safeguards when data may be accessed from third countries.

Exam trap

ISC2 often tests the misconception that technical controls like encryption or pseudonymization alone can substitute for a legal transfer mechanism under GDPR, when in fact the regulation requires a recognized adequacy decision or appropriate safeguards (such as SCCs) regardless of the technical protections applied.

How to eliminate wrong answers

Option B is wrong because relying solely on the provider's data residency feature does not address the risk of data being accessed from outside the EEA, which would violate GDPR's transfer restrictions without an appropriate safeguard mechanism. Option C is wrong because pseudonymization alone does not constitute an adequate safeguard under GDPR for international data transfers; it reduces identifiability but does not prevent the data from being subject to foreign legal access or processing outside the EEA. Option D is wrong because while encryption with on-premises key storage can reduce exposure, it does not eliminate the legal requirement for a valid transfer mechanism under GDPR (such as SCCs or Binding Corporate Rules) when the cloud provider operates globally and data may be accessed from outside the EEA.

5
Multi-Select · hard

A cloud architect is designing a multi-cloud strategy to avoid vendor lock-in. Which three design considerations should be included? (Choose three.)

Select 3 answers
A. Implement abstraction layers such as containers or cloud-agnostic APIs
B. Design applications with portability in mind using microservices
C. Choose cloud-agnostic data formats and storage interfaces
D. Standardize on one cloud provider for core services
E. Use provider-specific APIs for optimal performance
Answers: A, B, C

Abstraction layers decouple the application from underlying cloud provider APIs.

Why this answer

Option A is correct because an abstraction layer such as containers and Kubernetes, or provisioning described in a cloud-neutral tool such as Terraform, decouples application packaging and deployment from a single provider's control plane. The caveat is that the abstraction is only as portable as what it references: a Terraform module full of one provider's resource types, or a Kubernetes manifest that depends on a provider-specific load balancer annotation, still ties the workload to that provider. Options B and C apply the same principle to the application boundary (microservices with well-defined interfaces) and to the data (open formats and S3-compatible or POSIX storage interfaces), which together make migration a deployment exercise rather than a rewrite.

Exam trap

ISC2 often tests the misconception that standardizing on a single provider's core services is part of a multi-cloud strategy, when in fact it increases lock-in, and that provider-specific APIs are acceptable for portability, when they directly undermine the abstraction goal.

6
MCQ · easy

A healthcare organization is migrating to AWS and must protect electronic protected health information (ePHI) stored in S3. They use AWS KMS with a custom key policy that restricts key usage to specific IAM roles. The compliance team discovers that some S3 objects are encrypted with AWS managed keys (SSE-S3) instead of the required SSE-KMS using the custom key. The security architect needs to ensure all future uploads use the customer-managed KMS key. After implementing a bucket policy that denies s3:PutObject if the required encryption is not present, the development team reports that their existing automation scripts fail with access denied errors. The scripts use the AWS SDK and do not explicitly set encryption headers. The security architect must find a solution that enforces encryption with the custom key while minimizing disruption. Which course of action BEST resolves the issue?

A. Modify the bucket policy to use a Deny effect with a condition on the s3:x-amz-server-side-encryption-aws-kms-key-id header being null, and also enable S3 default encryption with the custom KMS key so that objects uploaded without explicit headers are automatically encrypted with the correct key.
B. Implement AWS Config rules to detect non-compliant objects and automatically re-encrypt them with the correct key, while keeping the bucket policy unchanged.
C. Remove the bucket policy and rely solely on S3 default encryption with the custom KMS key, because default encryption applies to all objects.
D. Create a new S3 bucket with the required policy and migrate all data using AWS DataSync, then delete the old bucket.
Answer: A

Option A is the intended answer: default encryption covers uploads that carry no encryption headers, and the bucket policy denies uploads that explicitly name the wrong encryption. One caveat on the option's wording: S3 evaluates the bucket policy against the request headers before it applies default encryption, so a Deny keyed on the header being null would still reject the headerless scripts; the Deny has to target mismatched values, not missing ones.

Why this answer

Option A is the only option that both enforces the customer-managed key and keeps the existing scripts working. Default encryption set to the custom KMS key means an upload with no encryption headers is stored under that key, and an explicit Deny blocks any upload that names SSE-S3 or a different key. Practitioners should note how the Deny has to be written: S3 evaluates bucket policies before applying default encryption, so a Deny whose condition is the key-id header being absent (Null: true) rejects the SDK scripts regardless of the default encryption setting. The working form denies s3:PutObject when s3:x-amz-server-side-encryption is present but not "aws:kms", or when s3:x-amz-server-side-encryption-aws-kms-key-id is present but not the required key ARN, using StringNotEquals, which does not match when the header is absent. Headerless uploads then pass the policy and receive the default key, while explicit overrides are blocked.

Exam trap

ISC2 often tests the misconception that S3 default encryption alone is sufficient to enforce encryption compliance; default encryption only fills in missing headers and does not stop a caller from explicitly requesting SSE-S3 or another key, so a Deny statement in the bucket policy is still needed. The companion trap for practitioners is the evaluation order: a Deny on a missing header blocks the very uploads that default encryption was meant to cover.

How to eliminate wrong answers

Option B is wrong because AWS Config rules are reactive and can only detect and remediate non-compliant objects after they are uploaded; they do not prevent the initial upload failure caused by the bucket policy, so the access denied errors would still occur. Option C is wrong because relying solely on S3 default encryption without a bucket policy does not enforce that all uploads use the custom KMS key; a user or script could still override the default encryption by explicitly specifying SSE-S3 or another key, leading to non-compliant objects. Option D is wrong because migrating to a new bucket with AWS DataSync is unnecessarily disruptive, does not address the root cause of the automation scripts not setting encryption headers, and would still require a similar policy and default encryption setup on the new bucket.
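The evaluation-order point above, as an added example that is not code from the original page: a small model of how S3 applies a bucket policy to PutObject before default encryption, run against both a Deny on a missing key-id header and a Deny on mismatched headers. Bucket name, key ARN and the two policies are constructed for the example; the condition-operator semantics follow the IAM policy language and the ordering follows the S3 documentation.

```python
"""Added example, not code from the original page: a simplified model of the
order in which S3 evaluates a bucket policy and default encryption for
PutObject. Bucket name, key ARN and the two policies are constructed; the
condition-operator semantics (Null, StringNotEquals, StringNotEqualsIfExists)
follow the IAM policy language, and the ordering (policy first, default
encryption afterwards) follows the S3 documentation.
"""
from typing import Optional, Tuple

SSE_HEADER = "s3:x-amz-server-side-encryption"
KEY_HEADER = "s3:x-amz-server-side-encryption-aws-kms-key-id"
REQUIRED_KEY = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
BUCKET_OBJECTS = "arn:aws:s3:::ephi-bucket/*"


def deny(sid: str, condition: dict) -> dict:
    """Build a Deny statement for s3:PutObject on every object in the bucket."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": BUCKET_OBJECTS, "Condition": condition}


# Option A taken literally: deny whenever the key-id header is absent.
DENY_MISSING_HEADER = {"Version": "2012-10-17", "Statement": [
    deny("DenyMissingKmsKeyHeader", {"Null": {KEY_HEADER: "true"}}),
]}

# Deny only explicit mismatches. A request with no encryption headers matches
# neither statement, so it is allowed and default encryption supplies the key.
DENY_MISMATCH_ONLY = {"Version": "2012-10-17", "Statement": [
    deny("DenyNonKmsEncryption", {"StringNotEquals": {SSE_HEADER: "aws:kms"}}),
    deny("DenyWrongKmsKey", {"StringNotEquals": {KEY_HEADER: REQUIRED_KEY}}),
]}


def condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate one Condition block against the request headers (the request context)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Null":
                # "true" matches when the key is absent, "false" when it is present.
                ok = (not present) if expected == "true" else present
            elif operator == "StringNotEquals":
                # An absent key never matches; this is what lets headerless puts through.
                ok = present and ctx[key] != expected
            elif operator == "StringNotEqualsIfExists":
                # An absent key matches. In a Deny this reintroduces the headerless-
                # request rejection, so it is the wrong operator for this policy.
                ok = (not present) or ctx[key] != expected
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def put_object(policy: dict, headers: dict, default_kms_key: Optional[str]) -> Tuple[bool, Optional[str]]:
    """Return (allowed, key the object is stored under).

    The bucket policy sees only the request headers; default encryption is
    applied afterwards, and only to requests the policy let through. An IAM
    allow for the caller is assumed, so only Deny statements are modelled.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and condition_matches(stmt.get("Condition", {}), headers):
            return False, None
    if KEY_HEADER in headers:
        return True, headers[KEY_HEADER]
    if headers.get(SSE_HEADER) == "AES256":
        return True, "SSE-S3"
    return True, default_kms_key


# Four request shapes the automation scripts in the question might send.
SCRIPT_NO_HEADERS = {}
SCRIPT_SSE_S3 = {SSE_HEADER: "AES256"}
SCRIPT_WRONG_KEY = {SSE_HEADER: "aws:kms",
                    KEY_HEADER: "arn:aws:kms:us-east-1:111122223333:key/0000aaaa-0000-0000-0000-000000000000"}
SCRIPT_RIGHT_KEY = {SSE_HEADER: "aws:kms", KEY_HEADER: REQUIRED_KEY}

if __name__ == "__main__":
    for policy_name, policy in (("deny-missing-header", DENY_MISSING_HEADER),
                                ("deny-mismatch-only", DENY_MISMATCH_ONLY)):
        for label, hdrs in (("no headers", SCRIPT_NO_HEADERS), ("SSE-S3", SCRIPT_SSE_S3),
                            ("wrong key", SCRIPT_WRONG_KEY), ("right key", SCRIPT_RIGHT_KEY)):
            print(f"{policy_name:22} {label:11} -> {put_object(policy, hdrs, REQUIRED_KEY)}")
```

Running it shows the two failure modes side by side: the missing-header Deny rejects the headerless scripts and yet lets an upload that names the wrong key through, while the mismatch-only policy admits the headerless scripts (stored under the default key) and blocks both SSE-S3 and the wrong key.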

7
Multi-Select · medium

A company's cloud security policy mandates strict control over encryption keys used for data at rest. Which THREE practices are recommended for secure key management in the cloud?

Select 3 answers
A. Rotate encryption keys on a regular schedule.
B. Use a single master key for all encryption operations.
C. Store keys in the same cloud region as the data to reduce latency.
D. Store keys in a separate account from the data storage.
E. Use a hardware security module (HSM) to generate and protect keys.
Answers: A, D, E

Limits the amount of data exposed if a key is compromised.

Why this answer

Option A is correct because regular key rotation limits the window of exposure if a key is compromised and aligns with cryptographic best practice (NIST SP 800-57). Cloud KMS services automate this: AWS KMS rotates the material of customer-managed keys on a configurable schedule (yearly by default, or a custom period of 90 to 2,560 days) while retaining earlier material so that existing ciphertext still decrypts. Rotation limits how much data is protected by any one version of the key; it does not re-encrypt data already written, so a compromised old version still exposes what was encrypted under it unless that data is re-encrypted.

Exam trap

ISC2 often tests the misconception that co-locating keys with data is a key-management practice. Keeping a key in the same region is usually a functional necessity rather than a security control (S3 SSE-KMS, for example, needs a key in the bucket's region or a multi-region key replica there); what the CCSP expects is separation of key custody from data custody, such as a dedicated security account or an HSM, so that compromise of the data account does not also yield the keys.

8
Multi-Select · hard

Which THREE of the following are effective data sanitization methods for cloud environments?

Select 3 answers
A. Degaussing magnetic media
B. Truncating database tables
C. Cryptographic erasure
D. Overwriting with multiple patterns
E. Formatting storage volumes
Answers: A, C, D

Degaussing disrupts magnetic fields.

Why this answer

Degaussing (A) is effective because a strong magnetic field randomizes the magnetic domains on hard disk drives (HDDs), leaving the data unrecoverable even with laboratory tools; NSA/CSS Policy Manual 9-12 lists it as an approved technique. It destroys the drive's ability to store data, so it suits only end-of-life disposal, and it does nothing for SSDs or other flash media. In a cloud environment degaussing and physical overwriting are controls the provider applies to its own media, which the tenant can only verify through the provider's attestations. Cryptographic erasure (C) is the method a tenant can perform directly: encrypt the data under a key and destroy the key, which also makes sanitization workable across replicated and snapshotted storage. Overwriting (D) is effective on media the operator controls, with the caveat that wear-levelling on SSDs can leave copies a logical overwrite never touches.

Exam trap

ISC2 often tests the misconception that logical operations like truncation or formatting are sufficient for data sanitization, when in reality they leave data intact at the physical storage layer and require cryptographic erasure or overwriting to meet compliance standards like PCI DSS or HIPAA.
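Cryptographic erasure in the envelope-encryption form a cloud tenant actually uses, as an added example that is not code from the original page: each object is encrypted under its own data key, the data key is wrapped under a key-encryption key held by a key service, and destroying that one key-encryption key makes every object under it unrecoverable while the ciphertext is still sitting in storage. The cipher is a toy stand-in built from HMAC-SHA256 so the example runs on the standard library; the key service, key IDs and plaintext are constructed.

```python
"""Added example (not from the original page): cryptographic erasure with
envelope encryption. The cipher below is a toy stand-in (HMAC-SHA256 in
counter mode plus an HMAC tag) chosen so the example runs on the standard
library; a real deployment uses AES-GCM with the key-encryption key held in a
KMS or HSM. KeyService, key IDs and sample data are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF keystream standing in for AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyService:
    """Stand-in for a KMS: holds key-encryption keys (KEKs) that can be destroyed."""

    def __init__(self) -> None:
        self._keks: Dict[str, bytes] = {}

    def create_key(self, key_id: str) -> None:
        self._keks[key_id] = os.urandom(32)

    def generate_data_key(self, key_id: str) -> Tuple[bytes, bytes]:
        """Return (plaintext DEK, DEK wrapped under the KEK), as KMS GenerateDataKey does."""
        dek = os.urandom(32)
        return dek, encrypt(self._keks[key_id], dek)

    def unwrap(self, key_id: str, wrapped_dek: bytes) -> bytes:
        if key_id not in self._keks:
            raise KeyError(f"KEK {key_id} has been destroyed")
        return decrypt(self._keks[key_id], wrapped_dek)

    def destroy_key(self, key_id: str) -> None:
        """Crypto-shred: once the KEK is gone, every DEK wrapped under it is gone too."""
        del self._keks[key_id]


def store_object(kms: KeyService, key_id: str, plaintext: bytes) -> dict:
    """Envelope-encrypt: the object carries its wrapped DEK, never the KEK."""
    dek, wrapped = kms.generate_data_key(key_id)
    return {"wrapped_dek": wrapped, "ciphertext": encrypt(dek, plaintext)}


def read_object(kms: KeyService, key_id: str, obj: dict) -> bytes:
    dek = kms.unwrap(key_id, obj["wrapped_dek"])
    return decrypt(dek, obj["ciphertext"])


def is_recoverable(kms: KeyService, key_id: str, obj: dict) -> bool:
    try:
        read_object(kms, key_id, obj)
        return True
    except (KeyError, ValueError):
        return False


def demo() -> dict:
    kms = KeyService()
    kms.create_key("tenant-a-kek")
    obj = store_object(kms, "tenant-a-kek", b"constructed sample record: account 12345678")
    before = is_recoverable(kms, "tenant-a-kek", obj)
    kms.destroy_key("tenant-a-kek")
    after = is_recoverable(kms, "tenant-a-kek", obj)
    return {"before": before, "after": after, "ciphertext_bytes_still_stored": len(obj["ciphertext"])}


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the ciphertext and the wrapped data keys never have to be found and wiped across replicas, snapshots and backups; destroying the single key-encryption key is the sanitization event, which is why a real deployment should schedule KEK deletion through the KMS (with its mandatory waiting period and audit trail) rather than through application code.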

9
MCQ · medium

Refer to the exhibit. An AWS CloudTrail log entry is shown. Which of the following can be determined from this log entry?

A. The instance launch was performed by user john.doe via the console
B. The instance was terminated immediately after launch
C. The instance was launched in eu-west-2
D. An S3 bucket policy was modified
Answer: A

User identity and user agent indicate console access.

Why this answer

Option A is correct because the record's userIdentity shows the IAM user john.doe, sourceIPAddress is 203.0.113.50, and the userAgent identifies the AWS Management Console. Option B is wrong because the eventName is RunInstances, not TerminateInstances; a single record cannot show a later termination in any case. Option C is wrong because awsRegion is us-east-1, not eu-west-2. Option D is wrong because the eventSource is ec2.amazonaws.com; there is no S3 API call in the record.
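The fields the answer relies on, pulled out of a CloudTrail record by code, as an added example that is not part of the original page (whose exhibit is not reproduced). The record is constructed to match the facts the explanation cites; the field names are CloudTrail's actual schema, while the account ID, principal ID and instance ID are made up.

```python
"""Added example, not code from the original page (whose exhibit is not
reproduced here): extract the fields that answer the question from a
CloudTrail record and classify how the call was made. SAMPLE_EVENT is
constructed to match what the explanation cites (IAM user john.doe,
203.0.113.50, the console, us-east-1, RunInstances); the field names are
CloudTrail's real schema, the identifiers inside are made up.
"""
import json

SAMPLE_EVENT = json.loads("""
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAEXAMPLEPRINCIPAL",
    "arn": "arn:aws:iam::111122223333:user/john.doe",
    "accountId": "111122223333",
    "userName": "john.doe",
    "sessionContext": {"attributes": {"mfaAuthenticated": "true",
                                      "creationDate": "2024-05-01T08:55:00Z"}}
  },
  "eventTime": "2024-05-01T09:02:17Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.50",
  "userAgent": "console.ec2.amazonaws.com",
  "requestParameters": {"instanceType": "t3.micro", "minCount": 1, "maxCount": 1},
  "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0abc123def4567890"}]}},
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "readOnly": false
}
""")

CLI_SDK_PREFIXES = ("aws-cli/", "Boto3/", "aws-sdk-", "Terraform/")


def access_method(user_agent: str) -> str:
    """Classify the caller from CloudTrail's userAgent field.

    Console actions carry a service console agent such as console.ec2.amazonaws.com
    (sign-in events use signin.amazonaws.com); CLI and SDK calls identify their
    tool; other *.amazonaws.com agents are AWS services acting on the principal's behalf.
    """
    ua = user_agent or ""
    if ua.startswith("signin.amazonaws.com") or ("console" in ua and ua.endswith(".amazonaws.com")):
        return "console"
    if ua.startswith(CLI_SDK_PREFIXES):
        return "cli/sdk"
    if ua.endswith(".amazonaws.com"):
        return "aws-service"
    return "unknown"


def summarize(event: dict) -> dict:
    """Who did what, where, and how: the questions an analyst asks of a record first."""
    identity = event.get("userIdentity", {})
    attrs = (identity.get("sessionContext") or {}).get("attributes") or {}
    response = event.get("responseElements") or {}
    items = (response.get("instancesSet") or {}).get("items") or []
    return {
        "actor": identity.get("userName") or identity.get("arn"),
        "identity_type": identity.get("type"),
        "mfa": attrs.get("mfaAuthenticated") == "true",
        "method": access_method(event.get("userAgent", "")),
        "source_ip": event.get("sourceIPAddress"),
        "service": event.get("eventSource", "").split(".")[0],
        "action": event.get("eventName"),
        "region": event.get("awsRegion"),
        "mutating": not event.get("readOnly", True),
        "succeeded": "errorCode" not in event,
        "instance_ids": [i.get("instanceId") for i in items],
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EVENT), indent=2))
```

For an assumed role the actor is better taken from `sessionContext.sessionIssuer` and the role session name in the ARN; the function falls back to the ARN so those records are still attributed. The user-agent heuristics are deliberately conservative: anything unrecognised is reported as unknown rather than guessed.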

10
Multi-Select · medium

A cloud architect is designing a disaster recovery (DR) plan for a financial services application hosted on a public cloud. The plan must meet a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour. The application uses a relational database and stores files in object storage. Which TWO strategies should the architect recommend to meet these objectives?

Select 2 answers
A. Take daily snapshots of the database and object storage.
B. Deploy a hot standby environment in a different availability zone with automated failover.
C. Maintain a cold standby server that is provisioned only during a disaster.
D. Use asynchronous replication for the database to reduce latency.
E. Configure synchronous database replication to another cloud region.
Answers: B, E

Hot standby with automation meets RTO.

Why this answer

Option B is correct because a hot standby in a different availability zone with automated failover keeps a fully provisioned, continuously synchronized copy of the application running, so failover completes well inside the 4-hour RTO and replication lag stays far below the 1-hour RPO. On its own it only covers the loss of one zone; option E's cross-region replication is what covers a regional disaster, and the two together meet the objectives for a financial services workload. Option A's daily snapshots cannot meet a 1-hour RPO, option C's cold standby cannot reliably meet the RTO, and option D misstates what asynchronous replication does: it trades a bounded amount of data loss for lower write latency, it does not reduce recovery time.

Exam trap

ISC2 often tests the distinction between replication strategies (synchronous vs. asynchronous) and recovery environments (hot, warm, cold), tricking candidates into choosing synchronous replication alone without considering the RTO impact or the need for a fully provisioned standby.

11
MCQ · medium

A company uses a cloud provider's key management service. They want to rotate keys automatically every 90 days. What is the correct way to achieve this?

A. Enable automatic key rotation in the KMS settings.
B. Manually update the key alias each quarter.
C. Create a new key and update all applications to use it.
D. Use a third-party HSM.
Answer: A

Automatic rotation meets the requirement with minimal effort.

Why this answer

Option A is correct because cloud KMS services offer built-in automatic rotation: AWS KMS rotates customer-managed key material on a configurable period (90 to 2,560 days), Google Cloud KMS accepts a rotation period on symmetric keys, and Azure Key Vault supports a rotation policy on keys. Enabling it generates new key material on schedule while retaining earlier material, so data encrypted under older versions still decrypts and applications keep using the same key ID or alias. Rotation does not re-encrypt existing ciphertext; data that must be protected by the new material has to be re-encrypted separately.

Exam trap

ISC2 often tests the misconception that updating a key alias or creating a new key manually is equivalent to automatic rotation, when in fact automatic rotation is a specific KMS feature that preserves key continuity and requires no application changes.

How to eliminate wrong answers

Option B is wrong because updating a key alias does not change the underlying key material; it only reassigns a friendly name to the same key, so it does not achieve rotation. Option C is wrong because creating a new key and updating all applications to use it is a manual, error-prone process that defeats the purpose of automated rotation and can cause decryption failures if old data is not re-encrypted. Option D is wrong because a third-party HSM (Hardware Security Module) is used for generating and storing keys outside the cloud KMS, but it does not provide automatic key rotation; rotation would still need to be implemented separately.

12
MCQ · hard

A cloud security engineer is reviewing incident response procedures for a hybrid cloud environment. During a security incident, the team needs to collect forensic evidence from a compromised virtual machine while preserving its state. Which of the following actions should be taken first?

A. Take a snapshot of the virtual machine's disk
B. Notify the cloud provider
C. Disconnect the virtual machine from the network
D. Install a forensic agent on the virtual machine
Answer: C

Isolation prevents ongoing compromise and preserves evidence.

Why this answer

Option C is correct because isolating the VM from the network stops further damage, lateral movement and data exfiltration while keeping the machine's state intact for collection; in the cloud this is done by swapping in a quarantine security group or network ACL rather than powering the VM off, which would lose volatile memory. Option A (snapshot) is the next step, taken immediately after isolation. Option D (install an agent) writes to the compromised system and may alter or destroy evidence. Option B (notify the provider) happens in parallel with containment, not before it.

13
MCQ · hard

Refer to the exhibit. A cloud administrator sees this error when trying to provision an EC2 instance. Which is the best course of action?

A. Launch the instance in a different Availability Zone.
B. Create a new VPC and try again.
C. Wait 24 hours for capacity to become available.
D. Increase the instance size to a larger type.
Answer: A

Different AZs may have available capacity.

Why this answer

The error indicates an 'InsufficientInstanceCapacity' failure, which means the specific Availability Zone lacks enough resources (e.g., CPU, memory, or network capacity) to launch the requested EC2 instance type. The best course of action is to launch the instance in a different Availability Zone within the same region, as capacity constraints are typically zone-specific and not region-wide. This approach avoids unnecessary VPC creation or waiting, and it directly addresses the resource scarcity at the zone level.

Exam trap

ISC2 often tests the misconception that capacity errors are region-wide or can be fixed by modifying the VPC or instance size, when in fact the solution is to change the Availability Zone or instance family to access unused capacity pools.

How to eliminate wrong answers

Option B is wrong because creating a new VPC does not resolve the underlying capacity shortage; the VPC is a logical network container, and the error is a physical resource constraint in the specific Availability Zone. Option C is wrong because waiting 24 hours is not a reliable or recommended practice; capacity may not become available within that timeframe, and AWS does not guarantee replenishment on a fixed schedule. Option D is wrong because increasing the instance size (e.g., from t2.micro to t2.medium) would likely require even more resources, exacerbating the capacity issue rather than solving it, and the error is about the specific instance type requested, not its size.

14
Multi-Select · easy

A cloud architect is designing a data classification scheme for a financial services firm. The data includes public marketing materials, internal emails, customer account numbers, and credit card information. Which two data categories should be classified as 'restricted' under PCI DSS and other regulations?

Select 2 answers
A. Public marketing materials
B. Credit card information
C. Internal emails
D. Customer account numbers
Answers: B, D

Correct: Credit card information is subject to PCI DSS and must be classified as restricted.

Why this answer

Credit card information (Option B) is classified as restricted because PCI DSS mandates strict controls for cardholder data, primarily the primary account number (PAN) together with cardholder name, expiration date and service code; sensitive authentication data such as the CVV/CVC and full track data must not be stored at all after authorization. Stored PAN requires encryption, truncation, tokenization or hashing, strict access control and regular audit. Customer account numbers (Option D) are likewise restricted: they identify the customer's financial accounts and fall under banking privacy rules such as GLBA in the US.

Exam trap

ISC2 often tests the misconception that all internal communications (like emails) are automatically 'restricted' under PCI DSS, when in fact only data containing specific regulated elements (e.g., PANs, SAD) qualifies for that classification.

15
MCQ · easy

An analyst receives the above error when trying to download a file from an S3 bucket. The bucket policy and user permissions appear correct. What is the most likely cause?

A. The object is encrypted with SSE-S3, which requires additional grants
B. The bucket is configured to block all public access
C. The bucket policy denies all s3:GetObject actions
D. The user lacks permission to decrypt the object using the KMS key
Answer: D

The error indicates missing KMS decrypt permission.

Why this answer

When an S3 object is encrypted with a customer-managed KMS key (SSE-KMS), the s3:GetObject API call requires the user to have both s3:GetObject permission on the bucket policy and kms:Decrypt permission on the specific KMS key. Even if the bucket policy and user IAM permissions appear correct for S3 actions, the absence of the KMS decrypt grant will cause an access denied error. This is a common misconfiguration because the error message does not explicitly mention KMS, leading analysts to overlook the key permission.

Exam trap

ISC2 often tests the misconception that S3 bucket policies and IAM permissions alone control access to encrypted objects, ignoring the separate KMS permission layer required for SSE-KMS encrypted objects.

How to eliminate wrong answers

Option A is wrong because SSE-S3 (AES-256) uses keys that Amazon S3 manages itself; no additional grants or KMS permissions are involved, so missing grants cannot be the cause. Option B is wrong because Block Public Access only affects anonymous (public) access through ACLs and policies; it does not stop an authenticated IAM principal whose bucket policy and IAM permissions allow the download. Option C is wrong because a blanket deny of s3:GetObject would fail every download for every user and would be visible on inspection; the question states the policy appears correct, so it is not the most likely cause.

16
MCQ · hard

Refer to the exhibit. A cloud administrator is reviewing this bucket policy. What is the most significant security concern?

A. The policy does not include a condition for encryption
B. The policy allows GetObject to the entire bucket
C. The policy grants access to the entire AWS account root user
D. The policy does not specify a source IP
Answer: C

A principal that names an account's root grants access to the whole account; if that account is not the bucket owner's, the bucket owner has delegated the access decision to every identity that account chooses.

Why this answer

Granting access to an account's root principal (arn:aws:iam::<account-id>:root) is the most significant concern because, in a resource policy, that principal does not mean the root user alone: it means every IAM user and role in that account whose own IAM policy also allows the action, so the decision about who may read the bucket is delegated to that account's administrators. When the account is a third party, the bucket owner loses control over which identities get in. The missing encryption condition and the bucket-wide GetObject are weaker concerns by comparison. To confirm, compare the account ID in the Principal with the bucket owner's account and, for a cross-account grant, narrow it to a specific role ARN.

17
Multi-Select · medium

Which TWO are effective strategies for securing cloud application data at rest?

Select 2 answers
A. Role-based access control
B. Database activity monitoring
C. File-level encryption
D. Transparent data encryption
E. Network segmentation
Answers: C, D

File-level encryption encrypts individual files or directories, protecting data at rest.

Why this answer

File-level encryption (C) encrypts individual files or directories, ensuring that data at rest remains protected even if the underlying storage is compromised. This is a direct data-at-rest security control because it applies cryptographic protection to the data itself, independent of the storage layer. Transparent data encryption (D) encrypts data at the database level, typically at the page or file level, without requiring changes to the application, making it another effective strategy for securing data at rest.

Exam trap

ISC2 often tests the distinction between access control (RBAC) and encryption, where candidates mistakenly think that restricting access is sufficient to secure data at rest, ignoring that encryption is required to protect against physical theft or unauthorized storage-level access.

18
MCQ · easy

A company is migrating its customer database to a cloud object storage service. The database contains personally identifiable information (PII). The security team requires that all data be encrypted at rest and that the company retains exclusive control over the encryption keys. Which solution BEST meets these requirements?

A. Use server-side encryption with cloud provider-managed keys (SSE-S3).
B. Use SSL/TLS encryption for data in transit only.
C. Use client-side encryption with customer-managed keys stored on-premises.
D. Use server-side encryption with customer-provided keys (SSE-C).
Answer: C

Keys never leave the company; exclusive control maintained.

Why this answer

Option C is correct because client-side encryption with customer-managed keys stored on-premises ensures that the encryption keys never leave the company's control, and the data is encrypted before it is uploaded to the cloud object storage service. This satisfies both the requirement for encryption at rest and exclusive key control, as the cloud provider never has access to the plaintext keys or the ability to decrypt the data.

Exam trap

The trap here is that candidates confuse SSE-C with client-side encryption. With SSE-C the customer supplies the key, but it is sent to the provider with every request and the provider's servers perform the encryption and decryption (S3 discards the key after use and keeps only a salted HMAC of it to validate later requests). Client-side encryption is the only option in which the provider never handles the key or the plaintext.

How to eliminate wrong answers

Option A is wrong because server-side encryption with cloud provider-managed keys (SSE-S3) means the cloud provider generates, manages, and stores the encryption keys, giving the provider potential access to the keys and violating the requirement for exclusive customer control. Option B is wrong because SSL/TLS encryption only protects data in transit between the client and the cloud service; it does not provide encryption at rest for the stored database, so it fails the core requirement. Option D is wrong because server-side encryption with customer-provided keys (SSE-C) still involves the cloud provider performing the encryption and decryption operations using keys supplied by the customer, meaning the provider has temporary access to the keys in memory during operations, which does not meet the requirement for exclusive customer control over the keys.

19
MCQ · hard

A developer receives the above error when trying to encrypt an object using a customer-managed KMS key. What is the MOST likely cause?

A. The KMS key policy does not grant encrypt permission to the user
B. The S3 bucket policy denies KMS actions
C. The user is not in the same region as the key
D. The KMS key is disabled
Answer: A

Key policy controls who can use the key.

Why this answer

The error indicates the caller lacks permission to use the specified KMS key for kms:Encrypt. Permission to use a customer-managed key is the intersection of the key policy and IAM: the key policy must either grant kms:Encrypt to the principal directly or contain the statement that enables IAM policies for the account (the "Enable IAM User Permissions" statement granting the account root principal kms:*), and in the latter case an IAM policy must then allow kms:Encrypt on the key. A key policy that does neither leaves the caller denied whatever IAM policies they hold. The fix is to add a key-policy statement (or a grant) for the user or role, or to confirm the IAM-delegation statement is present and attach an IAM policy.

Exam trap

ISC2 often tests the distinction between key policies and IAM policies, trapping candidates who assume IAM permissions alone are sufficient for KMS operations.

How to eliminate wrong answers

Option B is wrong because S3 bucket policies control access to S3 objects, not KMS actions; KMS permissions are governed by key policies, grants and IAM policies. Option C is wrong because KMS keys are regional resources and the request must go to the KMS endpoint in the key's region (a key ARN from another region is simply not found there), but the caller's own location is irrelevant, and a region mismatch would not present as a permission error. Option D is wrong because a disabled key returns DisabledException (a key pending deletion returns KMSInvalidStateException), not a generic access denied error.

20
Multi-Select · hard

Which TWO of the following are effective methods to protect against server-side request forgery (SSRF) in a cloud application? (Choose two.)

Select 2 answers
A. Use SSL inspection to check for malicious payloads
B. Whitelist allowed outbound destinations
C. Block all outbound network traffic from the application
D. Disable unused URL schemes such as file:// and dict://
E. Sanitize all user input for URL parameters
Answers: B, D

Whitelisting prevents requests to internal or malicious hosts.

Why this answer

Option B is correct because an allowlist of permitted outbound destinations is the primary defense against SSRF. The application only ever connects to hosts it has explicitly approved, so an attacker-controlled URL parameter cannot redirect it to internal services or, in a cloud deployment, to the instance metadata endpoint (169.254.169.254), where a single request can yield the instance role's credentials. The allowlist should be enforced on the resolved IP address as well as the hostname, and IMDSv2 (which requires a session token obtained with a PUT request) should be required on the instances so that a plain GET relayed through the application no longer returns credentials. Option D is correct because restricting URL handling to http and https removes schemes such as file:// (local file read) and dict:// (raw interaction with internal services).

Exam trap

ISC2 often tests the misconception that input sanitization alone is sufficient for SSRF protection, when in reality the attack exploits the server's trust in the destination, not the input format, making whitelisting and scheme restrictions the effective controls.
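
A guard that implements both selected controls, added here as a worked example (it is not code from the original page). The allowlisted host names, the permitted port set and the sample URLs are constructed for the demonstration:

```python
"""Outbound-request guard against SSRF: a destination allowlist plus a URL-scheme
allowlist, i.e. the two controls selected in the question. Added example; host
names, allowed ports and sample URLs below are constructed, not real services."""
from urllib.parse import urlsplit

# Constructed allowlist: exact host names the application is permitted to call.
ALLOWED_HOSTS = {"api.payments.example", "reports.internal.example"}
ALLOWED_SCHEMES = {"https"}   # file://, dict://, gopher://, ftp:// are all refused
ALLOWED_PORTS = {443}


def outbound_url_allowed(url: str) -> tuple:
    """Return (allowed, reason); every rejection names the failing check."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:              # e.g. malformed IPv6 brackets
        return False, f"unparseable url: {exc}"

    # 1. Scheme allowlist, checked first so no other handler is ever reached.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"

    # Embedded credentials are refused: "https://api.payments.example@evil/"
    # has hostname "evil", and naive string matching is fooled by the prefix.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in url not allowed"

    host = parts.hostname                  # lower-cased by urlsplit
    if not host:
        return False, "missing host"

    # 2. Destination allowlist on the *parsed* hostname. Exact membership, not a
    # substring test, so "api.payments.example.evil.net" does not pass.
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"

    try:
        port = parts.port if parts.port is not None else 443
    except ValueError:                     # non-numeric or out-of-range port
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"

    return True, "ok"


def check_many(urls):
    """Apply the guard to a batch; returns {url: allowed} for quick review."""
    return {u: outbound_url_allowed(u)[0] for u in urls}


# Constructed sample inputs: one legitimate call and typical SSRF payloads.
SAMPLE_URLS = [
    "https://api.payments.example/v1/charge",
    "file:///etc/passwd",
    "dict://127.0.0.1:11211/stats",
    "http://api.payments.example/v1/charge",            # scheme downgrade
    "https://api.payments.example.evil.net/",          # suffix confusion
    "https://api.payments.example@169.254.169.254/",   # userinfo trick
    "https://169.254.169.254/latest/meta-data/",       # metadata service
    "https://api.payments.example:8443/admin",         # unexpected port
]
```

Two things the guard does not do on its own: it trusts DNS, so an allowlisted name that an attacker can repoint (or that resolves differently a moment later, the DNS-rebinding case) still needs the HTTP client to pin the resolved address; and it must be applied again to every redirect target, which means the client should not follow redirects automatically.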

21
MCQhard

Refer to the exhibit. A security engineer discovers that the S3 bucket policy allows public read access from the entire corporate network (10.0.0.0/16). However, the company wants to restrict access only to the security team's subnet (10.0.1.0/24). What modification should be made to the policy?

A.Add a Deny statement for the 10.0.0.0/16 range.
B.Add a Deny statement for IP addresses outside 10.0.1.0/24.
C.Remove the Condition element to allow access from any IP.
D.Change the Condition value to "aws:SourceIp": "10.0.1.0/24".
AnswerD

This narrows the allowed IP range to the security subnet only.

Why this answer

Option D is correct because modifying the Condition value to "aws:SourceIp": "10.0.1.0/24" directly restricts the S3 bucket policy to allow read access only from the security team's subnet. The original policy uses the aws:SourceIp condition key with the broader 10.0.0.0/16 range, so narrowing it to 10.0.1.0/24 precisely enforces the required access control. This relies on IAM policy evaluation logic: an Allow takes effect only when all of its conditions are satisfied. One check belongs with this change: aws:SourceIp is the address S3 sees, so it is not set for requests that arrive through a VPC endpoint (those carry aws:VpcSourceIp instead), and a policy keyed on aws:SourceIp alone will not admit such traffic.

Exam trap

ISC2 often tests the misconception that adding a Deny statement for the broader range (Option A) is the correct way to narrow access, but candidates fail to realize that Deny would block the intended subnet as well, whereas modifying the Condition value is the proper method to restrict an existing Allow.

How to eliminate wrong answers

Option A is wrong because adding a Deny statement for the 10.0.0.0/16 range would block all traffic from the corporate network, including the security team's subnet (10.0.1.0/24), which is the opposite of the desired outcome. Option B is wrong because, although a Deny with a NotIpAddress condition for everything outside 10.0.1.0/24 would technically take effect (an explicit Deny overrides any Allow), it leaves the over-permissive Allow for 10.0.0.0/16 in place and turns the policy into two statements that must be reasoned about together; blanket source-IP Deny statements are also a well-known way to block AWS services that call S3 on your behalf from AWS-owned addresses. The question asks for the modification to the existing policy, and narrowing the Allow is the direct fix. Option C is wrong because removing the Condition element would allow access from any IP address, which completely violates the security requirement to restrict access to the security team's subnet.

22
MCQeasy

A company wants to enforce that all EC2 instances launched in a specific AWS account are tagged with the key "Environment" and "Owner". What is the most effective way to enforce this policy?

A.Use AWS Resource Groups to create a group that filters tagged instances.
B.Enable CloudTrail to monitor instance launches and alert on missing tags.
C.Apply a service control policy (SCP) that requires tags on resource creation.
D.Configure AWS Config rules to automatically tag untagged instances.
AnswerC

SCPs can use condition keys like aws:RequestTag to require tags, preventing creation of untagged resources.

Why this answer

Option C is correct because AWS Organizations Service Control Policies (SCPs) can be attached to the account (or its OU) to deny ec2:RunInstances when the request does not carry the required 'Environment' and 'Owner' tags, using a Null condition on aws:RequestTag/Environment and aws:RequestTag/Owner. SCPs are evaluated as part of authorizing the API call, so a non-compliant launch is refused before any instance exists; this is a preventive control, unlike detective or reactive approaches. Two details matter in practice: an SCP grants nothing by itself and only caps what IAM policies in the member account may allow, and SCPs do not apply to the organization's management account.

Exam trap

ISC2 often tests the distinction between preventive controls (SCPs) and detective/reactive controls (AWS Config, CloudTrail), and the trap here is that candidates confuse AWS Config's auto-remediation with true enforcement, not realizing that Config only acts after the resource is created.

How to eliminate wrong answers

Option A is wrong because AWS Resource Groups are used to organize and manage resources based on tags, but they do not enforce tagging policies or prevent untagged instances from being launched. Option B is wrong because CloudTrail is an auditing service that logs API calls; it can alert on missing tags after the fact but does not prevent the creation of untagged instances. Option D is wrong because AWS Config rules are detective and can trigger auto-remediation to tag instances after creation, but they do not enforce the policy at the time of launch, leaving a window where untagged instances exist and may be used.

23
MCQhard

Refer to the exhibit. An organization has attached this IAM policy to a role used by a backup application to access encrypted objects in an S3 bucket. The application is failing with an access denied error when trying to download objects. What is the most likely cause?

A.The policy uses wildcard resource for KMS, which is not allowed.
B.The policy does not specify the SSE-KMS key ARN in the KMS action.
C.The policy does not grant s3:GetObject on the bucket itself.
D.The policy omits kms:DescribeKey permission.
AnswerB

Correct: to decrypt the objects, the role must be authorized on the specific key, which the expected fix expresses by naming the key ARN in the IAM policy and by the key's own policy granting the role access (or delegating that decision to IAM).

Why this answer

The policy grants kms:Decrypt on a wildcard resource ("arn:aws:kms:*:*:key/*") rather than on the ARN of the key that encrypted the objects. The wildcard is syntactically valid and pattern-matches any key ARN, so what actually decides the request is whether the specific key authorizes the role: an IAM policy only takes effect for a KMS key when that key's policy delegates to IAM (the default key policy does so for the account's root principal), and an identity-based grant, wildcarded or not, does nothing for a key whose policy lacks that delegation. The expected fix is to name the exact key ARN in the Resource element and confirm that the key policy permits the role; that is also the least-privilege form, since the wildcard would otherwise let the role decrypt under every key whose policy delegates to IAM.

Exam trap

ISC2 often tests the nuance that KMS authorization is decided by the key policy together with the IAM policy; candidates who see a wildcard KMS resource in the IAM policy assume the IAM side is sufficient and overlook that the specific key must authorize the role, so the expected answer scopes the policy to the key ARN.

How to eliminate wrong answers

Option A is wrong because AWS KMS does allow wildcard resources in IAM policies for KMS actions, though it is not a best practice; the policy is not rejected for containing one, so the wildcard's mere presence is not the cause. Option B is correct as explained. Option C is wrong because the policy does grant s3:GetObject on the bucket's objects (the Resource includes "arn:aws:s3:::bucket-name/*"), so the S3 permission is present.

Option D is wrong because kms:DescribeKey is not required for decrypting objects; only kms:Decrypt is needed, and the failure is due to the missing key ARN, not the absence of DescribeKey.

24
MCQmedium

A cloud application experiences intermittent failures during peak load. Logs show database connection timeouts. Which architecture change would best address this issue?

A.Implement connection pooling
B.Enable auto-scaling on the application tier
C.Use read replicas
D.Increase database instance size
AnswerA

Connection pooling reuses connections, reducing overhead and preventing timeouts under load.

Why this answer

Connection pooling reuses a set of established database connections, avoiding the overhead of repeatedly opening and closing connections during high concurrency. This directly resolves intermittent timeouts caused by connection exhaustion or slow connection establishment under peak load, without requiring additional infrastructure.

Exam trap

ISC2 often tests the misconception that scaling the application tier or database size alone solves connection management issues, when the real bottleneck is connection establishment overhead and pool limits.

How to eliminate wrong answers

Option B is wrong because auto-scaling the application tier adds more compute instances, which increases the number of concurrent database connection requests and can worsen connection exhaustion, not fix it. Option C is wrong because read replicas only offload read queries, not the connection management overhead or write-related timeouts. Option D is wrong because increasing database instance size provides more memory/CPU but does not address the fundamental issue of connection churn or exhaustion; the database may still hit its max_connections limit.
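
An added example, not from the original page, of the bounded pool the answer describes. It uses Python's bundled sqlite3 module on a temporary file so it runs offline; the pool size, worker count and query are arbitrary choices for the demonstration:

```python
"""Bounded database connection pool (added example, not from the original page).
Uses the bundled sqlite3 module on a temporary file so it runs offline; pool
size, worker count and query are arbitrary demonstration values."""
import os
import queue
import sqlite3
import tempfile
import threading
from contextlib import contextmanager


class ConnectionPool:
    """At most `size` connections ever exist. A caller that finds the pool empty
    waits up to `timeout` seconds and then fails fast, instead of piling up
    new connections until the database refuses them."""

    def __init__(self, path: str, size: int, timeout: float = 2.0):
        self.path, self.timeout = path, timeout
        self.opened = 0                       # connections ever created
        self._idle = queue.Queue(maxsize=size)
        for _ in range(size):
            self._idle.put(self._connect())   # established once, up front

    def _connect(self):
        self.opened += 1
        # check_same_thread=False lets a pooled connection move between workers.
        return sqlite3.connect(self.path, check_same_thread=False)

    @contextmanager
    def acquire(self):
        try:
            conn = self._idle.get(timeout=self.timeout)
        except queue.Empty:
            raise TimeoutError("connection pool exhausted") from None
        try:
            yield conn
        finally:
            self._idle.put(conn)              # returned for reuse, never closed

    def close(self):
        while not self._idle.empty():
            self._idle.get_nowait().close()


class PeakMeter:
    """Counts connections checked out at once and records the peak."""
    def __init__(self):
        self._lock, self.current, self.peak = threading.Lock(), 0, 0

    def enter(self):
        with self._lock:
            self.current += 1
            self.peak = max(self.peak, self.current)

    def leave(self):
        with self._lock:
            self.current -= 1


def run_load(pool_size=4, workers=20, queries_per_worker=25):
    """Drive the pool from many threads; return (connections_opened, peak_in_use)."""
    path = os.path.join(tempfile.mkdtemp(), "pool_demo.sqlite")
    setup = sqlite3.connect(path)
    setup.execute("CREATE TABLE IF NOT EXISTS t (v INTEGER)")
    setup.commit()
    setup.close()
    pool, meter = ConnectionPool(path, pool_size), PeakMeter()

    def worker():
        for _ in range(queries_per_worker):
            with pool.acquire() as conn:       # blocks while all connections are busy
                meter.enter()
                try:
                    conn.execute("SELECT count(*) FROM t").fetchone()
                finally:
                    meter.leave()

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    pool.close()
    return pool.opened, meter.peak


def exhaustion_is_reported() -> bool:
    """With a pool of one, a second acquire must time out quickly and clearly."""
    path = os.path.join(tempfile.mkdtemp(), "one.sqlite")
    pool = ConnectionPool(path, size=1, timeout=0.05)
    with pool.acquire():
        try:
            with pool.acquire():
                return False
        except TimeoutError:
            return True
```

With 20 workers issuing 500 queries between them, only four connections are ever opened and never more than four are in use at once; the database sees a fixed, predictable connection count instead of a connect storm at peak load. The timeout on acquire is the part that matters operationally: an exhausted pool surfaces as a clear application-side error rather than the opaque database timeout in the question, and it signals that the pool size (not the database) needs tuning.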

25
MCQhard

An organization uses a multi-cloud strategy and wants to perform a risk assessment that accounts for the shared responsibility model. Which approach is most appropriate?

A.Use ISO 27001 controls as the sole basis for assessment
B.Apply the NIST Cybersecurity Framework across all cloud providers
C.Use cloud-specific risk assessment frameworks like CSA STAR
D.Adopt COBIT for risk management alignment
AnswerC

CSA STAR provides cloud-specific controls and aligns with shared responsibility.

Why this answer

Option C is correct because cloud-specific frameworks like CSA STAR incorporate shared responsibility: STAR assessments are built on the CSA Cloud Controls Matrix (CCM), which maps each control to the provider, the customer, or both, so the assessment can state which party is accountable for each risk on each platform. Option A is wrong because ISO 27001 specifies an organization's ISMS and is not cloud-specific. Option B is wrong because NIST CSF is a general framework that does not model the provider/customer split. Option D is wrong because COBIT is for governance and management of IT, not cloud risk assessment.

26
Multi-Selecthard

Which TWO of the following are primary responsibilities of a cloud service customer under the shared responsibility model regarding compliance with regulations such as GDPR?

Select 2 answers
A.Conducting annual penetration tests on the provider's infrastructure
B.Ensuring the cloud provider's physical security controls are adequate
C.Implementing data encryption for sensitive data at rest
D.Verifying the provider's compliance certifications are current
E.Configuring access controls for their own user accounts
AnswersC, E

Data encryption is typically a customer control to protect data.

Why this answer

The customer is responsible for protecting its own data and identities, so implementing encryption for sensitive data at rest (C) and configuring access controls for its own user accounts (E) are its direct obligations. Penetration testing the provider's infrastructure (A) is not something a customer may do, and the provider's physical security (B) is the provider's responsibility; the customer can only review evidence of it. Verifying the provider's certifications (D) is a customer due-diligence task but not a primary responsibility compared to direct data protection measures.

27
MCQhard

A multinational corporation runs its critical applications on a cloud platform. The security team has implemented a Security Information and Event Management (SIEM) solution that collects logs from various cloud services, including virtual machines, storage, and databases. The SIEM is configured to generate alerts based on predefined rules. Recently, the team noticed an increase in false positive alerts, causing alert fatigue among the analysts. Additionally, there is a lack of context in the alerts, making it difficult to triage and prioritize incidents. The team wants to improve the efficiency of the SOC without increasing headcount. Which of the following is the BEST course of action to address these issues?

A.Deploy a user and entity behavior analytics (UEBA) tool to baseline normal behavior and generate alerts based on anomalies.
B.Assign more analysts to manually review and tune the alert rules.
C.Implement automated response playbooks for the most common alerts to reduce analyst workload.
D.Increase the threshold levels for all alert rules to reduce the number of alerts generated.
E.Create additional correlation rules to capture more specific attack patterns.
AnswerA

UEBA reduces false positives by focusing on deviations from normal behavior.

Why this answer

UEBA builds a statistical or machine-learning baseline of normal behaviour for each user and entity and alerts on significant deviations from that baseline rather than on fixed thresholds. This directly reduces false positives, because activity that is normal for a given entity no longer trips a rule written for everyone, and it enriches alerts with behavioural context (what the baseline was, how far the event deviated), so analysts can triage and prioritize incidents more efficiently without increasing headcount.

Exam trap

ISC2 often tests the distinction between reducing alert volume (e.g., tuning thresholds) and improving alert quality (e.g., adding context via UEBA), trapping candidates who choose threshold increases or additional rules without recognizing that false positives stem from static, context-free detection logic.

How to eliminate wrong answers

Option B is wrong because manually reviewing and tuning alert rules is labor-intensive, does not scale, and fails to address the root cause of false positives—static rules cannot adapt to evolving normal behavior. Option C is wrong because automated response playbooks reduce analyst workload for confirmed incidents but do not reduce false positive alerts or add context; they may even automate responses to false positives, worsening the problem. Option D is wrong because increasing threshold levels indiscriminately reduces all alerts, including true positives, and does not add context; it is a blunt approach that risks missing real attacks.

Option E is wrong because creating additional correlation rules increases the number of alerts and complexity, likely exacerbating false positives and alert fatigue without providing behavioral context.
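
To make the static-rule versus baseline distinction concrete, here is an added example (not from the original page) that runs a fixed-threshold rule and a per-user behavioural baseline over the same constructed download log. The users, daily counts and thresholds are invented for the illustration:

```python
"""Static SIEM rule versus per-user behavioural baseline (added example, not from
the original page). The activity log, user names and thresholds are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily activity: (user, day, objects_downloaded). alice is a light
# user who spikes on day 8; bob is a data engineer who is busy every single day.
EVENTS = (
    [("alice", day, n) for day, n in enumerate([12, 9, 14, 11, 10, 13, 12, 95], start=1)]
    + [("bob", day, n) for day, n in enumerate([310, 290, 305, 320, 298, 315, 300, 330], start=1)]
)

STATIC_THRESHOLD = 200   # "alert if any user downloads more than 200 objects in a day"


def static_rule_alerts(events, threshold=STATIC_THRESHOLD):
    """Context-free rule: fires on every day above one fixed count, for everyone."""
    return [(u, d, n) for u, d, n in events if n > threshold]


def build_baselines(events, warmup_days=7):
    """Per-user mean and population standard deviation over the warm-up period."""
    history = defaultdict(list)
    for user, day, count in events:
        if day <= warmup_days:
            history[user].append(count)
    return {u: (mean(c), pstdev(c)) for u, c in history.items()}


def behavioural_alerts(events, baselines, warmup_days=7, z_limit=3.0, min_sigma=1.0):
    """Fire only when a day deviates from that user's own baseline.

    min_sigma floors the standard deviation so a user with very regular activity
    does not alert on a trivial change. The baseline mean and z-score are attached
    to the alert as triage context, which the static rule cannot provide.
    """
    alerts = []
    for user, day, count in events:
        if day <= warmup_days or user not in baselines:
            continue
        mu, sigma = baselines[user]
        z = (count - mu) / max(sigma, min_sigma)
        if z > z_limit:
            alerts.append({"user": user, "day": day, "count": count,
                           "baseline_mean": round(mu, 1), "z": round(z, 1)})
    return alerts


def compare():
    """Return (static_alert_count, behavioural_alerts) for the sample log."""
    static = static_rule_alerts(EVENTS)
    behavioural = behavioural_alerts(EVENTS, build_baselines(EVENTS))
    return len(static), behavioural
```

The static rule raises eight alerts, all for bob and all false positives, and misses alice's day-8 spike entirely because 95 is under the global threshold; the baseline raises one alert, for alice, carrying her mean and the z-score as context. Raising the static threshold (Option D) would silence bob but still never see alice.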

28
Multi-Selectmedium

Which TWO of the following are best practices for implementing baseline configuration management in a cloud environment? (Choose two.)

Select 2 answers
A.Allow administrators to manually adjust configurations as needed to maintain flexibility
B.Disable configuration drift detection to reduce alert fatigue
C.Automate the deployment of baseline configurations using orchestration tools
D.Grant all users read/write access to configuration repositories for efficiency
E.Store and manage configuration templates in a version-controlled repository
AnswersC, E

Ensures consistent and repeatable deployments.

Why this answer

Automating the deployment of baseline configurations using orchestration tools (e.g., AWS CloudFormation, Terraform, or Ansible) ensures consistency, reduces human error, and enforces security controls across cloud resources. This aligns with the principle of immutable infrastructure, where configurations are deployed programmatically rather than manually adjusted. Keeping the templates in a version-controlled repository (E) complements this: every change is reviewed and attributable, the approved baseline can be compared against what is running to detect drift, and a bad change can be rolled back to a known-good revision.

Exam trap

ISC2 often tests the misconception that manual flexibility or disabling detection features are acceptable trade-offs for operational convenience, when in fact they directly violate cloud security operations best practices.

29
MCQmedium

Refer to the exhibit. A security auditor is reviewing the security group configuration for a web server. Which change would improve the security posture without breaking the application functionality?

A.Remove Rule 2 because HTTPS should be restricted to a specific IP range.
B.Remove Rule 1 because SSH should not be open to the internet.
C.Remove Rule 4 because outbound traffic should be restricted.
D.Remove Rule 3 because RDP should be allowed from anywhere.
AnswerB

Correct: Reduces attack surface without affecting web service.

Why this answer

Option B is correct because SSH (port 22) should never be open to the internet (0.0.0.0/0) on a web server. Removing Rule 1 eliminates this unnecessary exposure while the web server's HTTP/HTTPS rules remain intact, preserving application functionality. This aligns with the principle of least privilege and reduces the attack surface.

Exam trap

ISC2 often tests the misconception that all common ports (like HTTPS or outbound traffic) must be restricted to improve security, when in fact the critical mistake is leaving management protocols (SSH, RDP) open to the internet.

How to eliminate wrong answers

Option A is wrong because HTTPS (port 443) is typically required to be open to the internet for a public web server to serve encrypted traffic; restricting it to a specific IP range would break functionality for external users. Option C is wrong because outbound traffic (Rule 4) is necessary for the web server to fetch updates, resolve DNS, or communicate with backend services; removing it would likely break application functionality. Option D is wrong because RDP (port 3389) should never be allowed from anywhere (0.0.0.0/0) due to its high risk of brute-force attacks; the statement suggests allowing it, which worsens security posture.
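
The audit logic behind the answer, as an added example (not from the original page): it flags any inbound rule that exposes a management port to 0.0.0.0/0 or ::/0. The rule list is constructed for the demonstration and only loosely mirrors EC2 security group permission fields; Rule 1 reproduces the defect in the question, and the outbound Rule 4 is omitted because the check is for inbound rules:

```python
"""Security group audit: flag inbound rules that expose management protocols to
the whole internet. Added example, not code from the original page; the rules
below are constructed and only loosely mirror EC2 IpPermission fields."""
from ipaddress import ip_network

# Ports whose internet exposure is the "critical mistake" the question describes.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}

# Constructed inbound rules for a web server; protocol "-1" means all protocols.
RULES = [
    {"id": "Rule 1", "protocol": "tcp", "from_port": 22,   "to_port": 22,    "cidr": "0.0.0.0/0"},
    {"id": "Rule 2", "protocol": "tcp", "from_port": 443,  "to_port": 443,   "cidr": "0.0.0.0/0"},
    {"id": "Rule 3", "protocol": "tcp", "from_port": 3389, "to_port": 3389,  "cidr": "10.0.1.0/24"},
    {"id": "Rule 5", "protocol": "tcp", "from_port": 1024, "to_port": 65535, "cidr": "::/0"},
    {"id": "Rule 6", "protocol": "-1",  "from_port": None, "to_port": None,  "cidr": "203.0.113.0/24"},
]


def is_world_open(cidr: str) -> bool:
    """True for the IPv4 or IPv6 'anywhere' prefix."""
    return ip_network(cidr, strict=False).prefixlen == 0


def port_range(rule):
    """(low, high) covered by the rule; protocol -1 (all) spans every port."""
    if rule["protocol"] == "-1":
        return 0, 65535
    return rule["from_port"], rule["to_port"]


def audit(rules):
    """One finding per world-open rule that covers a management port.

    A wide port range (Rule 5) is caught even though no single port is named,
    which is how RDP and WinRM end up exposed without anyone adding a 3389 rule.
    """
    findings = []
    for rule in rules:
        if not is_world_open(rule["cidr"]):
            continue
        low, high = port_range(rule)
        exposed = {p: name for p, name in MANAGEMENT_PORTS.items() if low <= p <= high}
        if exposed:
            findings.append({"rule": rule["id"], "cidr": rule["cidr"], "exposed": exposed})
    return findings


def rules_to_remove(rules):
    """Rule ids to delete, as the question's answer does with Rule 1."""
    return [f["rule"] for f in audit(rules)]
```

Rule 2 (HTTPS to the world) and Rule 3 (RDP from the security subnet only) pass, matching the reasoning for Options A and D; Rule 1 is flagged for SSH, and the IPv6 any-range Rule 5 is flagged for the management ports hidden inside its port range.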

30
MCQhard

A security analyst is conducting a forensic investigation of a compromised virtual machine in a public cloud. The VM is running in a production environment and cannot be stopped. Which of the following techniques is MOST appropriate to acquire volatile memory evidence?

A.Create a snapshot of the VM's disk and then analyze it.
B.Perform a network packet capture to capture memory data.
C.Use the cloud provider's API to take a memory snapshot of the VM.
D.Run `dd if=/dev/mem of=/tmp/mem.dump` from within the VM.
AnswerC

Acquiring memory from the provider or hypervisor layer preserves volatile state without stopping the instance and without running tools inside the compromised guest.

Why this answer

Option C is correct in the exam's framing because capture through the provider's control plane happens outside the compromised guest: it preserves the runtime state (processes, network connections, keys held in memory) without stopping the instance and without the investigator's own tooling altering the evidence. A practitioner should know the gap between the principle and the products: at the time of writing the public APIs of the major IaaS providers (EC2, Azure VMs, Compute Engine) do not expose a guest-RAM snapshot call, so real engagements rely on provider-supported forensic tooling or on a purpose-built in-guest acquisition tool (LiME or AVML, for example) run under change control with its output written off-box. The question tests the principle of acquiring from outside the guest, not a specific API.

Exam trap

ISC2 often tests the misconception that `dd if=/dev/mem` is a valid forensic acquisition method, but it requires root, changes the system it is meant to preserve, and on modern kernels built with CONFIG_STRICT_DEVMEM can read only the first megabyte of physical memory, so it does not even yield a complete image; a capture taken from the provider side is the non-disruptive, forensically sounder method for a production VM that cannot be stopped.

How to eliminate wrong answers

Option A is wrong because a disk snapshot captures only persistent storage (the virtual disk), not volatile memory (RAM), so it cannot acquire evidence like running processes, loaded kernel modules, or active network connections. Option B is wrong because network packet capture collects traffic traversing the network interface, not the contents of system memory; it cannot capture in-memory data such as process memory or cached credentials. Option D is wrong because running `dd if=/dev/mem` from within the VM requires root access and modifies the system state: a dump the size of RAM written to /tmp overwrites unallocated disk space that may hold evidence and can trigger anti-forensic mechanisms; on kernels with CONFIG_STRICT_DEVMEM (the default on current distributions) /dev/mem exposes only the first megabyte of physical memory, so the dump is incomplete; and it violates the principle of minimal interference in a production environment.

31
MCQeasy

A financial services company uses a public IaaS provider to host its customer-facing applications. They have strict compliance requirements (e.g., PCI DSS) mandating that all customer data be encrypted at rest and in transit. The cloud provider recently performed a scheduled hypervisor update that required live migration of all customer VMs to different physical hosts to apply security patches. After the migration, the company's security team discovers that temporary files from one of their VMs remained on the original host's local storage and were accessible by another customer's VM that was subsequently provisioned on that host. Although the files did not contain actual customer data because the VM had encrypted its volumes, the security team is concerned about potential data remanence. Which of the following actions would BEST prevent such data remanence in future hypervisor migrations?

A.Request dedicated (single-tenant) hosts for all VMs.
B.Enable full-disk encryption on all VMs.
C.Perform a secure wipe of the original host after each migration.
D.Use encrypted live migration for all VM moves.
AnswerB

Full-disk encryption protects data at rest, making residual data unreadable even if not securely erased.

Why this answer

Option B is correct because full-disk encryption ensures that any residual data left on the original host's local storage after live migration is unreadable without the encryption key. Even if temporary files remain, encryption at rest renders the data inaccessible, directly addressing data remanence concerns without relying on the cloud provider's cleanup processes. The check that goes with this answer is coverage: the protection holds only for data the guest writes to encrypted volumes, so swap, temporary directories and any local scratch disk must be on encrypted storage too; anything written outside them is not protected.

Exam trap

ISC2 often tests the distinction between data remanence prevention (encryption at rest) and data-in-transit protection (encrypted migration), leading candidates to mistakenly choose encrypted live migration when the real issue is residual data left on the source host.

How to eliminate wrong answers

Option A is wrong because dedicated (single-tenant) hosts isolate VMs from other customers but do not prevent data remanence on the host's local storage after migration; residual files can still persist and be accessible to the same tenant's future VMs or during host reuse. Option C is wrong because the customer cannot perform a secure wipe of the original host after each migration; in a public IaaS model, the cloud provider controls the hypervisor and physical host, and customers lack the privileges or access to execute such operations. Option D is wrong because encrypted live migration protects data in transit during the VM move but does not address data at rest left behind on the source host's local storage; it prevents interception of the migration stream, not residual files.

32
MCQeasy

A cloud security architect is designing a key management strategy for a multi-cloud environment. Which of the following is a BEST practice for key management?

A.Use the same key for all data to simplify rotation
B.Store keys in each cloud provider's native KMS separately
C.Embed keys in application code for simplicity
D.Use a centralized key management system that integrates with all clouds
AnswerD

Centralized management ensures consistency and simplifies compliance.

Why this answer

Option D is correct because a centralized key management system (KMS) that integrates with all cloud providers enables consistent key lifecycle management, reduces the risk of key sprawl, and ensures uniform access control policies across a multi-cloud environment. This approach aligns with the principle of separation of duties and allows for centralized auditing and rotation without vendor lock-in.

Exam trap

ISC2 often tests the misconception that using each cloud provider's native KMS separately is a best practice for multi-cloud, but the trap is that this ignores the need for centralized control, auditability, and cross-cloud interoperability, which are critical for enterprise security.

How to eliminate wrong answers

Option A is wrong because using the same key for all data violates the cryptographic isolation principle; if that single key is compromised, all data is exposed, and rotation becomes a massive operational burden. Option B is wrong because storing keys separately in each cloud provider's native KMS creates fragmented key management, increases complexity for cross-cloud data sharing, and makes consistent policy enforcement nearly impossible. Option C is wrong because embedding keys in application code is a severe security violation; keys can be extracted from code repositories, logs, or decompiled binaries, directly contradicting the NIST SP 800-57 recommendation to never store keys in plaintext or in code.

33
MCQeasy

A developer is writing code that will be deployed as a serverless function (e.g., AWS Lambda). The function needs to read data from an Amazon S3 bucket. According to the principle of least privilege, how should the developer grant access?

A.Store the AWS access key and secret key in environment variables in the function
B.Use the root user credentials of the AWS account
C.Set the S3 bucket policy to allow public read access
D.Create an IAM role with an S3 read policy and attach it to the function
AnswerD

This grants only the necessary permissions and follows least privilege.

Why this answer

Option D is correct because AWS Lambda functions should assume an IAM role that grants only the specific permissions needed—in this case, an S3 read policy. This follows the principle of least privilege by avoiding hardcoded credentials and instead using temporary, automatically rotated credentials provided by the AWS Security Token Service (STS) via the IAM role. The role is attached to the Lambda function at deployment, ensuring the function can securely access the S3 bucket without exposing long-term access keys.

Exam trap

ISC2 often tests the misconception that environment variables are a secure way to store credentials in serverless functions, but the trap is that AWS Lambda’s native IAM role integration provides temporary, automatically rotated credentials that are far more secure and align with least privilege, whereas static keys in environment variables introduce long-term exposure risks.

How to eliminate wrong answers

Option A is wrong because storing AWS access key and secret key in environment variables violates the principle of least privilege by introducing long-term, static credentials that must be managed, rotated, and could be exposed in logs or function output; AWS Lambda natively supports IAM roles for temporary credentials. Option B is wrong because using root user credentials grants unrestricted, full administrative access to the entire AWS account, which is a severe security risk and directly contradicts least privilege; root credentials should never be used for programmatic access. Option C is wrong because setting the S3 bucket policy to allow public read access makes the data accessible to anyone on the internet, bypassing authentication and authorization entirely, which is the opposite of least privilege and could lead to data exposure.

34
MCQmedium

An organization uses a cloud database service and needs to protect data at rest. They enable Transparent Data Encryption (TDE) with a customer-managed key stored in the cloud provider's key management service. Which additional control should they implement to ensure the key cannot be used by unauthorized personnel?

A.Enable SSL/TLS for all database connections
B.Enable audit logging on key management operations
C.Implement key rotation with a short rotation interval
D.Disable automatic key rotation and rely on manual rotation
AnswerC

Regular key rotation limits the impact of a compromised key.

Why this answer

Option C is correct because implementing key rotation with a short interval bounds how long any single key version remains useful to someone who should not have it: once the data encryption key is re-wrapped under new material, an exposed older version no longer protects what is encrypted from then on. Two caveats a practitioner should keep in mind: many cloud KMS implementations retain older key versions so that existing ciphertext can still be decrypted, so rotation limits exposure going forward rather than revoking what was already decryptable; and the control that actually prevents unauthorized personnel from using the key is a restrictive key policy with matching IAM permissions. Among the four options, rotation is the only one that reduces the key's usefulness to an unauthorized party.

Exam trap

ISC2 often tests the distinction between preventive and detective controls, and candidates mistakenly choose audit logging (Option B) thinking it prevents unauthorized use, when it only records it after the fact.

How to eliminate wrong answers

Option A is wrong because SSL/TLS protects data in transit between clients and the database, not data at rest or the key used for TDE; it does not prevent unauthorized use of the key stored in the KMS. Option B is wrong because audit logging on key management operations is a detective control that records unauthorized access attempts after they occur, but does not prevent the key from being used by unauthorized personnel. Option D is wrong because disabling automatic key rotation and relying on manual rotation increases the risk of human error and delays in key refresh, leaving the key vulnerable for longer periods and failing to ensure it cannot be used by unauthorized personnel.

35
MCQhard

Refer to the exhibit. A cloud security analyst reviews the bucket policy for example-bucket. Based on the policy, which of the following is true?

A.Requests from IP 192.0.2.10 over HTTPS are allowed.
B.Access is denied because the Principal is set to "*", which is insecure.
C.Requests from IP 192.0.2.10 over HTTP are allowed because the deny statement only applies when SecureTransport is false.
D.Any IP address can perform GetObject requests if they use HTTPS.
AnswerA

The allow statement permits GetObject from that IP range, and the deny does not apply because HTTPS is used.

Why this answer

Option A is correct because the bucket policy includes an explicit Allow statement granting s3:GetObject to all principals (Principal: "*") from the IP address 192.0.2.10, and the condition "Bool": {"aws:SecureTransport": "true"} ensures that only HTTPS requests are allowed. Since the request originates from the specified IP and uses HTTPS, it satisfies both the Allow condition and is not blocked by the Deny statement, which only denies requests when SecureTransport is false (i.e., HTTP). Thus, the request is permitted.

Exam trap

ISC2 often tests the nuance that an explicit Deny overrides an Allow, but here the Deny only applies to HTTP (SecureTransport false), so HTTPS requests from the allowed IP are still permitted, leading candidates to mistakenly think the Deny blocks all requests.

How to eliminate wrong answers

Option B is wrong because setting Principal to "*" is not inherently insecure; AWS S3 bucket policies commonly use "*" to grant public access, and security is enforced through conditions like IP restrictions and SecureTransport requirements. Option C is wrong because the Deny statement applies when SecureTransport is false, but the Allow statement explicitly requires SecureTransport to be true; therefore, a request from IP 192.0.2.10 over HTTP would be denied by the Deny statement (since SecureTransport is false) and also would not satisfy the Allow condition. Option D is wrong because the Allow statement is restricted to the specific IP address 192.0.2.10; any other IP address attempting GetObject over HTTPS would not match the Allow condition and would be implicitly denied (or explicitly denied if another Deny statement exists).
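
The evaluation logic that questions 21, 22 and 35 all depend on, as one added worked example (not code from the original page or from AWS): a miniature policy evaluator with explicit-Deny-wins semantics and the IpAddress, Bool and Null condition operators, run against the narrowed subnet policy from question 21, the tag-requiring SCP from question 22 and the TLS-only bucket policy from this question. The bucket name, account ID and addresses are placeholders, and Principal is not modelled:

```python
"""Miniature IAM/S3/SCP policy evaluator (added example; not AWS's engine).
Implements only what the three questions rely on: an explicit Deny overrides
any Allow, an Allow counts only when every condition holds, and anything else
is an implicit Deny. Operators: IpAddress, Bool, Null. Principal is ignored;
bucket, account id and addresses are placeholders."""
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network


def _any_match(patterns, value):
    """Action/Resource may be a string or a list, with * wildcards."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch(value, p) for p in patterns)


def _condition_holds(operator, key, expected, ctx):
    actual = ctx.get(key)
    if operator == "IpAddress":
        return actual is not None and ip_address(actual) in ip_network(expected)
    if operator == "Bool":
        return actual is not None and str(actual).lower() == str(expected).lower()
    if operator == "Null":          # "true" means the key must be absent
        return (actual is None) == (str(expected).lower() == "true")
    raise ValueError(f"unsupported operator {operator}")


def _applies(stmt, action, resource, ctx):
    if not _any_match(stmt["Action"], action):
        return False
    if not _any_match(stmt.get("Resource", "*"), resource):
        return False
    # Every key in every operator block must hold (AND), as in AWS.
    return all(_condition_holds(op, k, v, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for k, v in pairs.items())


def evaluate(policy, action, resource, ctx):
    """Decision for one request: 'Allow' or 'Deny'."""
    hits = [s for s in policy["Statement"] if _applies(s, action, resource, ctx)]
    if any(s["Effect"] == "Deny" for s in hits):
        return "Deny"                         # explicit deny always wins
    if any(s["Effect"] == "Allow" for s in hits):
        return "Allow"
    return "Deny"                             # implicit deny


OBJECTS = "arn:aws:s3:::example-bucket/*"
# Question 21 after the fix: the Allow narrowed to the security team's subnet.
SUBNET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": OBJECTS,
     "Condition": {"IpAddress": {"aws:SourceIp": "10.0.1.0/24"}}}]}
# Question 35: Allow from one address over TLS; explicit Deny for plaintext HTTP.
TLS_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": OBJECTS,
     "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.10/32"},
                   "Bool": {"aws:SecureTransport": "true"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": OBJECTS,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
# Question 22: an SCP. First statement is the default FullAWSAccess Allow. One
# Deny per tag: keys inside a single Null block would be ANDed, so one statement
# naming both tags would only fire when *both* tags were missing.
INSTANCES = "arn:aws:ec2:*:*:instance/*"
TAG_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": INSTANCES,
     "Condition": {"Null": {"aws:RequestTag/Environment": "true"}}},
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": INSTANCES,
     "Condition": {"Null": {"aws:RequestTag/Owner": "true"}}}]}


def demo():
    """Worked requests for the three policies; each policy is evaluated alone
    (in AWS an SCP additionally needs an IAM policy that grants the action)."""
    get, run = "s3:GetObject", "ec2:RunInstances"
    obj = "arn:aws:s3:::example-bucket/reports/q3.csv"
    launch = "arn:aws:ec2:us-east-1:123456789012:instance/*"   # placeholder account
    return {
        "q21_security_subnet": evaluate(SUBNET_POLICY, get, obj, {"aws:SourceIp": "10.0.1.25"}),
        "q21_rest_of_corp_net": evaluate(SUBNET_POLICY, get, obj, {"aws:SourceIp": "10.0.7.25"}),
        "q35_https_allowed_ip": evaluate(TLS_ONLY_POLICY, get, obj,
                                         {"aws:SourceIp": "192.0.2.10", "aws:SecureTransport": "true"}),
        "q35_http_allowed_ip": evaluate(TLS_ONLY_POLICY, get, obj,
                                        {"aws:SourceIp": "192.0.2.10", "aws:SecureTransport": "false"}),
        "q35_https_other_ip": evaluate(TLS_ONLY_POLICY, get, obj,
                                       {"aws:SourceIp": "198.51.100.7", "aws:SecureTransport": "true"}),
        "q22_both_tags": evaluate(TAG_SCP, run, launch,
                                  {"aws:RequestTag/Environment": "prod", "aws:RequestTag/Owner": "alice"}),
        "q22_missing_owner": evaluate(TAG_SCP, run, launch, {"aws:RequestTag/Environment": "prod"}),
    }
```

The HTTP request from 192.0.2.10 is denied twice over, once because the Allow's SecureTransport condition fails and again because the Deny matches, which is the point Option C misses; the HTTPS request from another address hits neither statement and falls to the implicit deny, which is why Option D is wrong. The SCP case shows the one-Deny-per-tag shape the tag requirement needs.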

36
MCQmedium

Refer to the exhibit. A security analyst discovers this bucket policy attached to an S3 bucket containing sensitive customer data. What is the MOST significant security risk posed by this policy?

A.The policy does not require encryption in transit, so data could be intercepted.
B.The Condition block is misconfigured and will allow access from any IP address.
C.The policy allows any AWS user to read objects if they are within the specified IP range.
D.The policy does not include a NotPrincipal element to restrict access further.
AnswerC

This is correct; the combination of Principal: '*' and IP condition means anyone from that IP range can access the data, which is a significant risk if the range includes untrusted networks.

Why this answer

The policy allows any principal, including unauthenticated (anonymous) requests, because Principal is "*", to read objects as long as the request originates from the specified IP range. That is overly permissive: everyone behind that range, including any shared or untrusted networks inside it, can read the data with no identity check at all. The condition itself is correctly applied (B is false), the absence of an in-transit requirement (A) is a lesser issue than the missing authentication, and NotPrincipal (D) is not required.

37
MCQmedium

A company uses a cloud-based data loss prevention (DLP) tool to monitor data access. They notice that a user is bypassing DLP by accessing data directly via cloud APIs from a non-corporate device. What is the most effective way to prevent this?

A.Deploy a virtual private network (VPN) and require all API traffic to originate from within the VPN
B.Configure the cloud service to require all API requests to go through a proxy that enforces DLP
C.Implement a conditional access policy to block non-corporate devices
D.Use tokenization to replace sensitive data before allowing API access
AnswerB

Forces all API traffic through a proxy that can apply DLP rules.

Why this answer

Option B is correct because routing all API traffic through a proxy (such as a CASB in proxy mode) that enforces DLP ensures that every API request is inspected for sensitive data before it reaches the cloud service. This closes the gap where a user bypasses the DLP tool by accessing data directly via cloud APIs from a non-corporate device, since the proxy is a mandatory intermediary that applies content inspection, policy enforcement, and logging regardless of the device or network. The proxy is only mandatory if the cloud service is configured to accept API calls solely from it (for instance by restricting the tenant to the proxy's addresses); without that restriction the user can simply keep going direct.

Exam trap

ISC2 often tests the misconception that network-level controls like VPNs or device-based conditional access are sufficient to prevent data exfiltration via APIs, when in fact only content-aware inspection at the API layer can enforce DLP on the actual data being transferred.

How to eliminate wrong answers

Option A is wrong because a VPN only encrypts traffic and provides a corporate IP address; it does not inspect API payloads for sensitive data, so DLP policies are not enforced on the content of API requests. Option C is wrong because blocking non-corporate devices via conditional access does not prevent the user from accessing data from a corporate device that is compromised or from using a different method to bypass DLP; it also does not address the core issue of API-level data exfiltration. Option D is wrong because tokenization replaces sensitive data with tokens, but if the user already has access to the original sensitive data via API calls, tokenization does not prevent them from retrieving the actual data; it is a data masking technique, not a DLP enforcement mechanism for API traffic.

38
MCQmedium

A healthcare organization is migrating sensitive patient data to a public cloud. The compliance team requires that data be encrypted at rest and in transit, and that the cloud provider cannot access the encryption keys. Which cloud service model should the organization use to maintain sole control over encryption keys?

A.Software as a Service (SaaS)
B.Infrastructure as a Service (IaaS)
C.Hybrid Cloud
D.Platform as a Service (PaaS)
AnswerB

IaaS gives the customer control over the OS, storage, and encryption keys.

Why this answer

IaaS provides the customer with full control over the underlying infrastructure, including virtual machines, storage, and networking. This allows the organization to implement their own encryption mechanisms and manage their own keys using a Hardware Security Module (HSM) or a key management service (KMS) that the cloud provider cannot access. In contrast, SaaS and PaaS typically abstract away the infrastructure, limiting customer control over encryption key management.

Exam trap

ISC2 often tests the distinction between service models (IaaS, PaaS, SaaS) and deployment models (public, private, hybrid), so the trap here is that candidates mistakenly choose Hybrid Cloud (Option C) because they think it allows key control, but it is a deployment model that does not guarantee sole key management in the public cloud component.

How to eliminate wrong answers

Option A is wrong because SaaS delivers a fully managed application where the cloud provider controls the entire stack, including encryption key management, making it impossible for the customer to maintain sole control over keys. Option C is wrong because Hybrid Cloud is a deployment model (not a service model) that combines on-premises and cloud resources; it does not inherently grant sole control over encryption keys in the public cloud portion. Option D is wrong because PaaS abstracts the underlying infrastructure, and while it may offer some encryption options, the provider often retains access to the keys or manages them on behalf of the customer, violating the requirement for sole customer control.

39
MCQhard

A multinational financial services company uses a hybrid cloud environment with workloads in AWS and Azure. They recently acquired a smaller firm and must integrate their data while maintaining compliance with GDPR and PCI DSS. The acquired firm stores customer payment data in an on-premises Oracle database and wants to migrate it to the cloud. During the migration, they must ensure that the data is encrypted at all times—at rest, in transit, and during processing. The security team has implemented TLS for data in transit and plans to use cloud-native encryption for at-rest data. However, they are concerned about data being processed in memory or temporary storage. They also need to maintain key separation so that the cloud provider cannot access the encryption keys. The CISO wants to implement a solution that minimizes performance impact while meeting compliance requirements. Which of the following is the BEST course of action?

A.Use the cloud provider's native KMS with automatic key rotation and rely on encryption at rest.
B.Implement a cloud-based HSM (Hardware Security Module) for key management and use confidential computing for processing.
C.Encrypt data with client-side encryption before upload and store keys in the cloud KMS.
D.Use tokenization for all sensitive data and store tokens in a separate cloud database.
AnswerB

HSM provides key separation; confidential computing protects data in use.

Why this answer

Option B is correct because it addresses the requirement for data to be encrypted during processing (in memory) via confidential computing, which uses hardware-based trusted execution environments (TEEs) to protect data in use. A cloud-based HSM ensures key separation by keeping encryption keys under the customer's exclusive control, preventing the cloud provider from accessing them, and minimizes performance impact compared to software-based encryption.

Exam trap

ISC2 often tests the misconception that encryption at rest and in transit is sufficient for compliance, ignoring the requirement for data to be protected during processing, and that cloud KMS alone provides key separation when it does not prevent provider access to keys.

How to eliminate wrong answers

Option A is wrong because relying solely on cloud-native KMS and encryption at rest does not protect data during processing (in memory or temporary storage), and the cloud provider may have access to the keys, violating key separation. Option C is wrong because storing keys in the cloud KMS still gives the provider potential access to the keys, failing key separation, and client-side encryption does not protect data during processing. Option D is wrong because tokenization replaces sensitive data with tokens but does not encrypt the data during processing; the original data must still be processed somewhere, and storing tokens in a separate cloud database does not address in-memory protection or key separation.

40
MCQeasy

A cloud security team is implementing a key management system for encrypting data in a multi-cloud environment. They need to ensure that keys are available even if one cloud provider experiences an outage. What is the BEST approach?

A.Implement a multi-cloud key management system that replicates keys across providers
B.Use a single cloud provider's key management service
C.Store encryption keys in the same storage as encrypted data
D.Use hardware security modules (HSMs) in one data center
AnswerA

Replication ensures availability.

Why this answer

Option A is correct because a multi-cloud key management system that replicates keys across providers ensures high availability and fault tolerance. If one cloud provider experiences an outage, the keys remain accessible from another provider, preventing data decryption failures. This approach aligns with the principle of avoiding a single point of failure in key distribution, which is critical for maintaining continuous data access in a multi-cloud architecture.

Exam trap

ISC2 often tests the misconception that storing keys with data or using a single provider's KMS is acceptable for availability, but the trap here is that candidates overlook the need for geographic and provider-level redundancy to ensure continuous key access during an outage.

How to eliminate wrong answers

Option B is wrong because using a single cloud provider's key management service creates a single point of failure; if that provider experiences an outage, all keys become unavailable, blocking access to encrypted data. Option C is wrong because storing encryption keys in the same storage as encrypted data violates the fundamental security principle of separation of duties and key management best practices, as an attacker who compromises the storage can access both the ciphertext and the keys. Option D is wrong because using hardware security modules (HSMs) in one data center still presents a single point of failure; if that data center goes offline, keys are inaccessible, and this approach does not address multi-cloud availability requirements.

41
MCQhard

Refer to the exhibit. A security engineer is reviewing this S3 bucket policy. The bucket contains sensitive documents that should only be accessible from the internal network (10.0.0.0/24) and only over HTTPS. What is the most likely effect of this policy?

A.The policy allows access from any IP if the request uses HTTPS.
B.The policy allows GetObject from the internal network only when using HTTPS.
C.The policy allows access from any IP in 10.0.0.0/24, but blocks access from the VPC.
D.The policy denies all access to the bucket because of the explicit Deny statement.
AnswerB

The Allow with IP condition permits internal requests, and the Deny on non-SecureTransport blocks HTTP requests, effectively requiring HTTPS.

Why this answer

The policy includes an explicit Deny for any request that does not use HTTPS (i.e., aws:SecureTransport is false), which overrides any Allow. The Allow statement grants s3:GetObject only when the source IP is within 10.0.0.0/24. Therefore, the effective result is that GetObject is allowed only from the internal network and only over HTTPS, making option B correct.

Exam trap

ISC2 often tests the interplay between explicit Deny and Allow statements, where candidates mistakenly think a Deny only applies to the specific action listed, or they overlook that the Deny for non-HTTPS effectively blocks all requests that are not encrypted, even if the IP condition is met.

How to eliminate wrong answers

Option A is wrong because the Deny statement explicitly blocks any request that does not use HTTPS, regardless of the source IP, so access is not allowed from any IP even with HTTPS unless the IP is also in 10.0.0.0/24. Option C is wrong because the policy does not block access from the VPC; it allows access from the 10.0.0.0/24 IP range, which could include VPC resources, and there is no VPC-specific condition. Option D is wrong because the explicit Deny only applies to requests without HTTPS; requests with HTTPS from the allowed IP range are permitted, so not all access is denied.

42
MCQmedium

A cloud architect is designing a disaster recovery plan for a financial application with RTO of 15 minutes and RPO of 5 minutes. Which recovery strategy is most appropriate?

A.Multi-region active-active
B.Backup and restore
C.Pilot light
D.Warm standby
AnswerA

Multi-region active-active provides continuous replication and instant failover, meeting both RTO and RPO.

Why this answer

Multi-region active-active is the only strategy that can meet both a 15-minute RTO and a 5-minute RPO because it maintains synchronous or near-synchronous replication between two or more regions, allowing traffic to be instantly redirected with zero or minimal data loss. This approach eliminates the recovery time needed to spin up infrastructure or restore data, as the application is already fully operational in multiple regions.

Exam trap

ISC2 often tests the distinction between RTO and RPO by presenting a scenario where candidates confuse warm standby (which can meet a low RTO but not a tight RPO) with active-active, leading them to choose warm standby despite its inability to guarantee the 5-minute RPO.

How to eliminate wrong answers

Option B (Backup and restore) is wrong because restoring from backups typically takes hours, far exceeding the 15-minute RTO, and the RPO of 5 minutes cannot be guaranteed with periodic backups. Option C (Pilot light) is wrong because while it can achieve a low RTO, the RPO is often higher than 5 minutes due to the need to replicate data and start application servers, and the failover process introduces delay. Option D (Warm standby) is wrong because even though it has a reduced recovery time compared to pilot light, the RPO of 5 minutes is difficult to achieve consistently without active-active replication, and the failover still requires time to promote the standby environment.

43
MCQmedium

A healthcare SaaS provider is deploying a new application that processes protected health information (PHI). The application uses a microservices architecture running on Kubernetes. Each microservice stores its data in a separate database. The compliance team requires that all data at rest be encrypted and that encryption keys be managed by the customer (CMEK). The cloud provider supports KMS with CMEK. However, the development team wants to use a single customer-managed key for all databases to simplify key management. The security architect is concerned about the blast radius if the key is compromised. Which of the following recommendations best balances security and operational efficiency?

A.Use the cloud provider's default encryption keys for all databases
B.Use a separate customer-managed key for each database, with automated key rotation
C.Disable encryption to improve performance and use network segmentation instead
D.Use one customer-managed key for all databases, but enable automatic key rotation
AnswerB

Separate keys limit blast radius and rotation reduces risk.

Why this answer

Option B is correct because it minimizes the blast radius by ensuring that compromise of one key does not expose data in other databases, while automated key rotation reduces the window of vulnerability and operational overhead. This aligns with the principle of least privilege and the compliance requirement for customer-managed encryption keys (CMEK). Using separate keys per database is a standard security best practice for microservices architectures, especially when handling PHI.

Exam trap

ISC2 often tests the tension between operational simplicity and security blast radius, where candidates may choose a single key with rotation (Option D) thinking it balances both, but fail to recognize that rotation does not shrink the blast radius of a compromised key that has already been used to encrypt data.

How to eliminate wrong answers

Option A is wrong because using the cloud provider's default encryption keys violates the compliance requirement that encryption keys be managed by the customer (CMEK), and it does not allow the customer to control key lifecycle or rotation. Option C is wrong because disabling encryption for PHI at rest is a direct violation of compliance mandates (e.g., HIPAA) and security best practices; network segmentation alone does not protect data at rest. Option D is wrong because using a single customer-managed key for all databases creates a single point of failure and a large blast radius—if that key is compromised, all databases are exposed, and automatic rotation does not mitigate the risk of a key already being compromised.

44
MCQmedium

A cloud security engineer is reviewing the authentication mechanism for a web application. The application currently uses API keys transmitted in the URL query string. What is the primary security concern with this approach?

A.API keys in URLs are often logged in plaintext in server logs and browser history.
B.API keys in query strings are not encrypted, even with HTTPS.
C.API keys provide weak authentication because they are not tied to a user session.
D.API keys are not valid for use in query strings; they require a certificate.
AnswerA

Logging exposes the key to anyone with log access.

Why this answer

The primary security concern with transmitting API keys in URL query strings is that URLs are frequently logged in plaintext by web servers, proxies, and browsers. This means the API key can be inadvertently exposed in server access logs, browser history, and referrer headers, making it accessible to anyone with access to those logs. Even though HTTPS encrypts the request in transit, the URL is written to logs in plaintext once the request is decrypted at the TLS termination point, so the key remains visible in log files.

Exam trap

ISC2 often tests the misconception that HTTPS fully protects the URL from all exposure, but the trap here is that while HTTPS encrypts data in transit, it does not prevent logging, caching, or referrer leakage of the URL.

How to eliminate wrong answers

Option B is wrong because HTTPS does encrypt the entire HTTP request, including the query string, during transit; the issue is not lack of encryption on the wire but exposure in logs and history. Option C is wrong because API keys are a valid authentication method and can be tied to a user session or application identity; the weakness here is not about session binding but about exposure in URLs. Option D is wrong because API keys are valid for use in query strings; they do not require a certificate, and certificates are used for TLS mutual authentication, not for API key transmission.

45
MCQmedium

A company uses a cloud-based file sharing service and wants to prevent sensitive data from being shared externally. Which cloud data security capability is most appropriate?

A.Inspecting data in use within applications
B.Monitoring network traffic for data exfiltration
C.Scanning data at rest in cloud storage with DLP
D.Encrypting data in transit
AnswerC

DLP scanning identifies sensitive data and can enforce policies to block external sharing.

Why this answer

Option C is correct because Data Loss Prevention (DLP) scanning of data at rest in cloud storage directly identifies and blocks sensitive content (e.g., PII, PCI-DSS data) stored in files before it can be shared externally. This capability is purpose-built for preventing unauthorized sharing by inspecting the actual content of files in the cloud repository, such as Amazon S3 or Azure Blob Storage, using pattern matching and fingerprinting.

Exam trap

ISC2 often tests the distinction between preventive controls (DLP at rest) and detective/monitoring controls (network traffic analysis), leading candidates to choose network monitoring because it sounds like 'data exfiltration prevention' but fails to address the sharing action itself.

How to eliminate wrong answers

Option A is wrong because inspecting data in use within applications (e.g., via runtime application self-protection) focuses on protecting data while it is being processed in memory, not on preventing external sharing of stored files. Option B is wrong because monitoring network traffic for data exfiltration (e.g., via network DLP or IDS/IPS) detects data leaving the network after it has been shared, but does not prevent the initial sharing action at the storage layer. Option D is wrong because encrypting data in transit (e.g., TLS 1.3) protects data during transmission but does not prevent authorized users from sharing encrypted files externally or control access to the stored content.

46
Multi-Selecteasy

A security team is reviewing controls for a cloud application that transmits personally identifiable information (PII) over the internet. Which TWO controls are essential for protecting data in transit?

Select 2 answers
A.Use of signed certificates from a trusted CA
B.Regular penetration testing
C.Implementation of IPsec VPNs
D.Use of TLS 1.2 or higher
E.Encryption at rest using AES-256
AnswersA, D

Certificates provide authentication and enable trust in TLS connections.

Why this answer

Signed certificates from a trusted Certificate Authority (CA) are essential for authenticating the server's identity and establishing a chain of trust. Without them, a client cannot verify that it is communicating with the legitimate server, making the connection vulnerable to man-in-the-middle (MITM) attacks. This is a foundational requirement for any secure communication channel over the internet.

Exam trap

ISC2 often tests the distinction between 'essential' controls for data in transit versus 'helpful' or 'related' controls, so candidates mistakenly pick IPsec VPNs (Option C) because they associate VPNs with secure transmission, even though TLS is the standard and essential control for web-based cloud applications.

47
Drag & Dropmedium

Drag and drop the steps for implementing a disaster recovery plan using cross-region replication in AWS into the correct order.



Why this order

Start with enabling replication, then IAM roles, automation templates, testing, and documentation.

48
MCQhard

An incident response team is investigating a potential breach in a cloud environment. They have collected logs from various sources. Which of the following is the MOST critical factor to ensure the admissibility of digital evidence in court?

A.Maintaining a documented chain of custody for all evidence
B.Encrypting all evidence during collection and transport
C.Using automated tools for log analysis
D.Ensuring logs are in their original format
AnswerA

Chain of custody is crucial for admissibility.

Why this answer

Option A is correct because maintaining a documented chain of custody ensures evidence integrity and admissibility. Option C is wrong because, while automated tools are important for the investigation, admissibility depends on custody. Option D is wrong because logs may not be in their original format, but certified copies can be used if the chain of custody is maintained. Option B is wrong because encryption does not guarantee authenticity.

49
MCQeasy

A company wants to use a cloud service to store financial records. Which compliance framework most likely applies?

A.PCI DSS
B.GDPR
C.HIPAA
D.Sarbanes-Oxley Act (SOX)
AnswerD

SOX mandates controls over financial reporting and records.

Why this answer

SOX applies to financial records of publicly traded companies in the US. GDPR is for EU personal data, HIPAA for healthcare, PCI for payment card data.

50
MCQeasy

A company wants to ensure that its cloud provider's data deletion process is verifiable. Which of the following should the company require in the service level agreement?

A.Service level credits
B.Certificate of destruction
C.Annual penetration testing
D.Right to audit
AnswerB

A certificate of destruction provides verifiable proof that data has been securely deleted.

Why this answer

Option B (Certificate of destruction) is correct because it provides evidence of secure deletion. Option C (Annual penetration testing) is for security testing, not deletion. Option D (Right to audit) is too broad. Option A (Service level credits) is for availability.

51
MCQeasy

A development team is working with production-like data in a non-production cloud environment. To comply with data privacy regulations, sensitive fields must be obscured without being retrievable. Which technique should they apply?

A.Format-preserving encryption
B.Reversible masking
C.Irreversible masking
D.Tokenization
AnswerC

Irreversible masking prevents reconstruction.

Why this answer

Irreversible masking (C) is correct because it transforms sensitive data into a non-reversible format, ensuring that the original values cannot be retrieved. This meets the requirement of obscuring production-like data in a non-production environment while complying with data privacy regulations that prohibit reversible transformations. Unlike encryption or tokenization, irreversible masking does not provide any decryption or mapping mechanism, making it suitable for scenarios where data must be permanently de-identified.

Exam trap

ISC2 often tests the distinction between reversible and irreversible data protection methods, and the trap here is that candidates confuse 'masking' (which can be reversible or irreversible) with 'encryption' or 'tokenization,' assuming any transformation that hides data is sufficient, without recognizing the critical requirement of non-retrievability.

How to eliminate wrong answers

Option A is wrong because format-preserving encryption (FPE) is a reversible cryptographic technique that allows the original data to be recovered with the correct key, which violates the requirement that sensitive fields must be obscured without being retrievable. Option B is wrong because reversible masking, by definition, includes a method to restore the original data (e.g., via a lookup table or deterministic algorithm), which does not satisfy the 'not retrievable' condition. Option D is wrong because tokenization replaces sensitive data with a token that is mapped back to the original value in a secure vault, providing reversibility and thus failing the requirement for irreversible obscuration.

52
MCQhard

A healthcare organization uses a cloud-based electronic health record (EHR) system that stores protected health information (PHI). They recently enabled direct API access for a new mobile application. Shortly after, the security team detected that a large volume of PHI was being exfiltrated through the API by an attacker who obtained valid API keys from a compromised developer workstation. The organization has data loss prevention (DLP) tools but they were not inspecting API traffic. The EHR system supports attribute-based access control (ABAC) and has logging for all API calls. The organization needs to prevent similar incidents while maintaining the functionality of the mobile app. Which course of action should be taken first?

A.Rotate all API keys and implement key management best practices such as regular rotation and short-lived keys
B.Enable DLP on API gateway to inspect outgoing data
C.Restrict API access to specific IP addresses used by the mobile app's backend
D.Implement ABAC policies to limit which data each API key can access
AnswerA

Stops current exfiltration and reduces future risk.

Why this answer

The immediate priority is to revoke the compromised API keys and prevent further unauthorized access. Rotating all keys and implementing key management best practices, such as short-lived keys and regular rotation, directly addresses the root cause—the attacker's possession of valid keys from a compromised workstation. This action stops the exfiltration immediately while preserving the mobile app's functionality, as new keys can be issued to legitimate clients.

Exam trap

The trap here is that candidates often choose a long-term preventive control (like DLP or ABAC) first, failing to recognize that the immediate, critical step is to invalidate the compromised credentials to stop the active breach.

How to eliminate wrong answers

Option B is wrong because enabling DLP on the API gateway is a detective control that would inspect outgoing data but does not stop the ongoing exfiltration using already compromised keys; it also requires time to configure and tune, leaving the attack active. Option C is wrong because restricting API access to specific IP addresses used by the mobile app's backend is ineffective if the attacker can spoof those IPs or if the mobile app communicates directly from user devices with dynamic IPs, and it does not address the compromised key issue. Option D is wrong because implementing ABAC policies to limit data access per API key is a preventive measure that should be applied after key rotation, but it does not revoke the already stolen keys, so the attacker can continue exfiltration until the keys are invalidated.

53
MCQhard

A cloud security operations team is evaluating SIEM solutions. They need to minimize false positives while ensuring critical security events are not missed. Which of the following is the MOST effective technique to achieve this balance?

A.Implement context-aware correlation and tune rules based on feedback loops
B.Aggregate all security events into a single correlation rule
C.Increase the alert threshold for all event types to reduce noise
D.Rely exclusively on signature-based detection
AnswerA

Balances false positives and detection.

Why this answer

Option A is correct because tuning detection rules based on environmental context and feedback loops reduces false positives while maintaining sensitivity. Option C is wrong because increasing the threshold reduces alerts but may miss true positives. Option B is wrong because aggregating all events into a single rule increases noise. Option D is wrong because relying only on known signatures misses novel attacks.

54
MCQmedium

A security team is implementing Data Loss Prevention (DLP) for a SaaS application that stores customer PII. They want to detect when sensitive data is shared externally via email. Which is the best approach?

A.Implement database DLP to monitor queries to the PII database
B.Install endpoint DLP agents on all user devices
C.Use the SaaS application's API DLP rules to scan email content and attachments
D.Deploy network DLP at the cloud provider's network perimeter
AnswerC

Content-based scanning effectively detects sensitive data.

Why this answer

Option C is correct because content-based DLP scanning of email content and attachments through the SaaS application's API is the standard way to detect sensitive data being shared externally. Option D is wrong because network DLP at the cloud perimeter cannot inspect encrypted email traffic. Option B is wrong because endpoint DLP on user devices is not effective for cloud email. Option A is wrong because database DLP is for structured data at rest, not email.

55
MCQmedium

You are a cloud security engineer for a financial services company. The company has developed a cloud-native application that processes credit card transactions and stores sensitive financial data. The application is deployed on a Kubernetes cluster in a public cloud provider. The compliance team requires that all data at rest be encrypted using a customer-managed key (CMK) with automatic rotation. The application uses a managed database service (e.g., Amazon RDS) and object storage (e.g., Amazon S3) for storing transaction logs. The current configuration uses cloud-provider-managed keys for both services. The development team is concerned that enabling CMK with automatic rotation might cause application downtime due to key rotation latency. Additionally, the security team wants to ensure that access to the keys is auditable. Which course of action BEST addresses the compliance requirement while minimizing risk?

A.Create a CMK with automatic rotation enabled, grant the database and storage service access via IAM roles, and validate the rotation process in a staging environment before production deployment.
B.Continue using cloud-provider-managed keys and implement additional logging to meet audit requirements.
C.Use a CMK with manual rotation to have full control over the rotation schedule and avoid any potential downtime.
D.Implement client-side encryption with a key stored in a secure vault and disable server-side encryption.
AnswerA

This meets compliance using CMK, ensures auditable access via IAM, and mitigates risk by testing rotation in staging.

Why this answer

Option A is correct because it directly satisfies the compliance requirement for customer-managed keys (CMK) with automatic rotation, while mitigating the risk of downtime by validating the rotation process in a staging environment. Using IAM roles to grant the database and storage service access to the CMK ensures that key access is auditable via CloudTrail, meeting the security team's audit requirement. This approach allows the development team to test and confirm that key rotation latency does not cause application downtime before production deployment.

Exam trap

ISC2 often tests the misconception that manual rotation gives more control and avoids downtime, but the requirement explicitly states 'automatic rotation,' and manual rotation introduces operational risk and does not guarantee zero downtime.

How to eliminate wrong answers

Option B is wrong because continuing with cloud-provider-managed keys does not meet the compliance requirement for customer-managed keys (CMK) with automatic rotation, and additional logging does not address the encryption key ownership mandate. Option C is wrong because manual rotation of a CMK introduces operational overhead and risk of human error, and it does not satisfy the 'automatic rotation' requirement; it also does not inherently avoid downtime, as key rotation latency can still occur. Option D is wrong because implementing client-side encryption with a key stored in a secure vault and disabling server-side encryption would require significant application changes, increase complexity, and may not integrate seamlessly with managed services like Amazon RDS and S3, potentially causing more downtime risk than server-side CMK rotation.

56
MCQeasy

Which legal concept allows customers to retain ownership of data stored in the cloud regardless of where it is physically stored?

A.Data localization
B.Data portability
C.Data sovereignty
D.Data minimization
AnswerC

Data sovereignty holds that data is subject to the laws of the country where it is collected.

Why this answer

Option C is correct because data sovereignty means data is subject to the laws of the country where it is collected or owned. Option A is wrong because data localization restricts data to a specific location. Option D is wrong because data minimization is about limiting data collection. Option B is wrong because data portability is about transferring data between services.

57
MCQhard

An organization is migrating a legacy application to the cloud and must comply with PCI DSS. The application currently logs credit card numbers in plaintext. Which data security control should be implemented FIRST?

A.Implement tokenization for credit card numbers
B.Deploy a data loss prevention (DLP) solution
C.Encrypt the database at rest
D.Perform data discovery and classification
AnswerD

The first step is to find and classify sensitive data so that the scope of remediation is understood.

Why this answer

Before any remediation can be applied, the organization must first perform data discovery and classification to locate where all credit card numbers (PANs) are stored, including logs, databases, and backups. PCI DSS Requirement 3.1 mandates that cardholder data be identified and classified before implementing controls like tokenization or encryption. Without discovery, subsequent controls may miss critical data stores, leaving plaintext PANs exposed.

Exam trap

ISC2 often tests the principle that security controls must be preceded by a discovery and classification phase, trapping candidates who jump to a technical solution like encryption or tokenization without first understanding the full scope of data exposure.

How to eliminate wrong answers

Option A is wrong because tokenization is a remediation step that cannot be correctly applied until the organization knows where all PANs reside; implementing it first risks missing data in logs or other unindexed locations. Option B is wrong because deploying a DLP solution without first discovering and classifying the data would result in poorly tuned policies that may fail to detect PANs in legacy log formats or generate excessive false positives. Option C is wrong because encrypting the database at rest does not address PANs stored in plaintext logs, application memory, or backup files, and PCI DSS requires protection of cardholder data wherever it exists, not just in the database.

58
MCQeasy

A company must ensure that cloud storage data is retained even if authorized users attempt to delete it, to comply with a legal hold. Which configuration is most effective?

A.Implement data classification labels
B.Enable immutable storage (WORM) on the bucket
C.Enable versioning on the storage bucket
D.Encrypt data with customer-managed keys
AnswerB

Immutable storage prevents any deletion or overwrite until hold expires.

Why this answer

Immutable storage (WORM) on a bucket prevents any object from being deleted or overwritten for a specified retention period, even by authorized users or the root account. This directly enforces legal hold requirements by making data tamper-proof and deletion-proof at the storage layer, regardless of user permissions.

Exam trap

ISC2 often tests the misconception that versioning alone provides legal hold protection, but versioning only preserves previous versions and does not block deletion of the current version or all versions via a lifecycle policy.

How to eliminate wrong answers

Option A is wrong because data classification labels only tag data with metadata (e.g., sensitivity level) but do not enforce any retention or deletion prevention; they are a governance tool, not a technical control. Option C is wrong because versioning retains overwritten or deleted object versions but still allows deletion of the current version and does not prevent permanent deletion of all versions; it is not a legal hold mechanism. Option D is wrong because encryption with customer-managed keys protects data confidentiality but does not prevent deletion of the encrypted objects; the storage system can still delete the ciphertext and keys.

59
MCQmedium

A cloud architect is designing a cost-optimized architecture for a batch processing job that runs once per day. The job requires high compute capacity for approximately 5 hours. Which cloud service model is most suitable?

A.Reserved instances
B.On-demand instances
C.Spot instances
D.Dedicated hosts
AnswerC

Correct: Cost-effective for fault-tolerant, short-lived workloads.

Why this answer

Spot instances are the most suitable for this batch processing job because they offer significant cost savings (up to 90% compared to on-demand) and are ideal for fault-tolerant, stateless workloads that can handle interruptions. The job runs once per day for only 5 hours, so it can easily be designed to checkpoint progress and resume if a spot instance is reclaimed, making the cost-optimized choice clear.

Exam trap

ISC2 often tests the misconception that spot instances are unreliable and unsuitable for any production workload, but the trap here is that they are perfectly appropriate for fault-tolerant, short-lived batch jobs where cost optimization is the primary goal.

How to eliminate wrong answers

Option A is wrong because Reserved instances require a 1- or 3-year commitment and are designed for steady-state, predictable workloads, not a short 5-hour daily batch job, leading to wasted cost for unused hours. Option B is wrong because On-demand instances provide full pricing flexibility but are the most expensive option, making them suboptimal for a cost-optimized architecture when spot instances can handle the same workload at a fraction of the cost. Option D is wrong because Dedicated hosts are physical servers dedicated to a single tenant, used for compliance or licensing needs, and are the most expensive option, offering no cost benefit for a batch processing job that does not require physical isolation.

60
Drag & Dropmedium

Drag and drop the steps for implementing a data retention policy for cloud storage (e.g., Amazon S3) into the correct order.


Why this order

First classify data, then define retention, configure lifecycle, enable immutability, and test.

61
Multi-Selecteasy

An organization wants to ensure compliance with industry regulations by implementing data classification in the cloud. Which two actions should the organization take? (Choose two.)

Select 2 answers
A.Implement auditing of access to sensitive data.
B.Store all data in a single repository for easy management.
C.Define data sensitivity levels and apply labels.
D.Encrypt all data regardless of classification.
E.Automatically tag all data as it is created.
AnswersA, C

Correct: Provides tracking and accountability.

Why this answer

Option A is correct because auditing access to sensitive data is a fundamental compliance requirement under regulations like GDPR, HIPAA, and PCI DSS. It provides a verifiable record of who accessed what data, when, and from where, enabling detection of unauthorized access and supporting forensic investigations. Without auditing, an organization cannot demonstrate compliance with data protection mandates that require monitoring and reporting of access to classified data.

Exam trap

ISC2 often tests the misconception that encryption alone satisfies compliance requirements, but the trap here is that encryption is a control, not a classification mechanism, and without auditing and defined sensitivity levels, compliance cannot be proven.

62
MCQeasy

A company wants to ensure that their cloud deployment has the highest level of isolation between tenants. Which deployment model is most appropriate?

A.Public cloud
B.Hybrid cloud
C.Private cloud
D.Community cloud
AnswerC

Private cloud is dedicated to a single organization, providing maximum isolation.

Why this answer

Private cloud (Option C) is correct because it is a single-tenant environment where the cloud infrastructure is dedicated exclusively to one organization, providing the highest level of isolation between tenants. In a private cloud, network segmentation is achieved through technologies such as VLANs (IEEE 802.1Q), VXLANs (RFC 7348), and dedicated hypervisor-level resource pools, ensuring that no other tenant's workloads share the same physical or virtual resources. This eliminates the multi-tenancy risks inherent in public and community clouds, where isolation relies on shared infrastructure and logical separation mechanisms like hypervisor-enforced memory isolation and network overlays.

Exam trap

ISC2 often tests the misconception that hybrid cloud provides the highest isolation because it includes a private component, but the trap is that hybrid cloud still incorporates a public cloud element, which inherently introduces multi-tenancy and reduces overall isolation compared to a fully private cloud.

How to eliminate wrong answers

Option A is wrong because public cloud deployments rely on multi-tenant architectures where multiple customers share the same physical infrastructure, with isolation achieved through logical controls such as hypervisor memory isolation, network ACLs, and tenant-specific encryption keys; this inherently provides lower isolation compared to a dedicated private cloud. Option B is wrong because hybrid cloud combines private and public cloud resources, and while the private portion offers high isolation, the public cloud component introduces multi-tenancy, reducing the overall isolation level across the deployment. Option D is wrong because community cloud is a multi-tenant model shared among several organizations with common concerns (e.g., regulatory compliance), and while it offers some isolation via policy-based segmentation, it does not achieve the dedicated, single-tenant isolation of a private cloud.

63
Multi-Selecthard

Which THREE components are essential for establishing a secure baseline configuration for a cloud virtual machine? (Choose three.)

Select 3 answers
A.Running applications as a service account.
B.Removing unnecessary software and services from the OS.
C.Configuring network security groups at the subnet level.
D.Implementing least privilege for local user accounts.
E.Enabling a host-based firewall to restrict inbound and outbound traffic.
AnswersB, D, E

Hardening by disabling unused services reduces attack surface.

Why this answer

Option B is correct because removing unnecessary software and services from the OS reduces the attack surface by eliminating potential vulnerabilities and backdoors. A secure baseline configuration must minimize the number of running components to only those required for the VM's intended function, following the principle of least functionality.

Exam trap

ISC2 often tests the distinction between OS-level hardening (baseline) and network-level controls (like NSGs), so candidates may mistakenly include subnet-level security groups as part of the VM's baseline configuration.

64
MCQhard

A SaaS provider uses a customer-managed encryption key (CMEK) model for data-at-rest. The provider's application runs in a multi-tenant cloud environment. Which attack surface is MOST directly mitigated by this approach?

A.Misconfigured storage buckets exposing data
B.Insider threats from cloud provider employees
C.SQL injection vulnerabilities in the application
D.Side-channel attacks on shared physical hardware
AnswerB

CMEK prevents provider access to customer data without the key.

Why this answer

A customer-managed encryption key (CMEK) model gives the customer control over the key used to encrypt data at rest. This directly mitigates the risk of a cloud provider employee accessing the plaintext data, because even if the employee has administrative access to the storage infrastructure, they cannot decrypt the data without the customer's key. The provider holds the encrypted data, but the decryption key is managed and controlled by the customer, creating a logical separation that protects against insider threats from the provider's personnel.

Exam trap

ISC2 often tests the misconception that encryption alone prevents all data exposure, but the trap here is that candidates confuse data-at-rest encryption with access control or application security, failing to recognize that CMEK specifically addresses the insider threat from the cloud provider's staff who might otherwise access raw storage.

How to eliminate wrong answers

Option A is wrong because misconfigured storage buckets expose data through incorrect access control policies (e.g., public read/write ACLs), which encryption does not prevent—encryption protects data at rest but does not enforce access controls. Option C is wrong because SQL injection is an application-layer attack that exploits improper input validation in the application code, and encryption of data at rest does not prevent injection or protect data while it is being processed in memory. Option D is wrong because side-channel attacks on shared physical hardware exploit timing, power consumption, or electromagnetic leaks to infer data; encryption keys managed by the customer do not prevent these physical-layer attacks, which target the compute or memory operations rather than the stored encrypted data.

65
MCQmedium

A cloud customer receives a legal hold notice for pending litigation. The data resides in multi-tenant storage. What is the most appropriate initial action?

A.Do nothing until the provider issues a notice
B.Rely on the provider's backup retention cycle
C.Alert all other tenants about the hold
D.Preserve the relevant data using customer-accessible tools
AnswerD

The customer must preserve its own data; tools like snapshot or legal hold features should be used.

Why this answer

Preserving all relevant data from the customer's tenant is required. Alerting other tenants violates privacy; relying solely on provider backup may be insufficient as backups might not be retained indefinitely; doing nothing is non-compliant.

66
MCQmedium

A security architect is designing access controls for a cloud-based microservices application. Which approach best aligns with the principle of least privilege for service-to-service authentication?

A.Use long-lived bearer tokens
B.Implement mutual TLS with unique certificates per service
C.Assign IAM roles with broad permissions
D.Use a shared API key across all services
AnswerB

Mutual TLS with unique certificates enforces service identity and least privilege.

Why this answer

Mutual TLS (mTLS) with unique certificates per service enforces least privilege by ensuring each microservice authenticates with a distinct identity, and access can be scoped to specific certificates. This prevents a compromised service from impersonating others, as each service has its own private key and certificate, and the TLS handshake requires both sides to present and validate certificates.

Exam trap

ISC2 often tests the misconception that shared secrets or broad IAM roles are acceptable for service-to-service communication, but the trap is that candidates overlook the need for per-service identity and cryptographic proof of identity, which mTLS uniquely provides.

How to eliminate wrong answers

Option A is wrong because long-lived bearer tokens, such as static OAuth2 tokens, increase the risk of token theft and reuse; they lack the per-request cryptographic binding of mTLS and violate least privilege by providing persistent access without rotation. Option C is wrong because assigning IAM roles with broad permissions (e.g., wildcard actions or resources) grants excessive privileges, directly contradicting the principle of least privilege by allowing a service to access more than necessary. Option D is wrong because a shared API key across all services creates a single point of failure and common credential; if the key is compromised, all services are exposed, and there is no way to isolate or revoke access per service.

67
Multi-Selecteasy

Which THREE of the following are typical data privacy principles found in most regulations?

Select 3 answers
A.Data minimization
B.Accountability
C.Data retention
D.Purpose limitation
E.Data monetization
AnswersA, B, D

Data minimization is a core privacy principle requiring collection of only necessary data.

Why this answer

Data minimization, purpose limitation, and accountability are common principles in privacy regulations like GDPR. Data retention is a practice derived from principles, and data monetization is not a privacy principle but a business activity.

68
MCQeasy

A financial services company is migrating its on-premises data center to a public cloud IaaS environment. During the transition, the security team must ensure that the same network segmentation and firewall rules are maintained. Which of the following is the BEST approach to replicate the on-premises network security controls in the cloud?

A.Configure a site-to-site VPN between on-premises and cloud to extend the existing network.
B.Use virtual private clouds (VPCs) with subnets and security groups to enforce segmentation and firewall rules.
C.Implement an intrusion detection and prevention system (IDPS) to monitor traffic.
D.Deploy a software-defined WAN (SD-WAN) to manage network traffic between cloud resources.
AnswerB

VPCs and security groups directly replicate network segmentation and firewall controls.

Why this answer

Option B is correct because VPCs with subnets and security groups provide native, software-defined network segmentation and stateful firewall rules that directly replicate on-premises network segmentation and ACLs. Security groups act as virtual firewalls at the instance level, while network ACLs provide subnet-level stateless filtering, together enabling granular control without extending the on-premises network.

Exam trap

The trap here is that candidates often confuse extending the network via VPN (Option A) with replicating segmentation, not realizing that VPNs merge networks rather than isolating them, while VPCs provide the necessary logical isolation and granular firewall controls.

How to eliminate wrong answers

Option A is wrong because a site-to-site VPN extends the on-premises network into the cloud, which does not replicate segmentation and firewall rules but instead merges the networks, potentially breaking isolation and requiring additional routing and firewall policies. Option C is wrong because an IDPS monitors and alerts on malicious traffic but does not enforce network segmentation or firewall rules; it is a detection control, not a preventive control for segmentation. Option D is wrong because SD-WAN optimizes traffic routing and bandwidth across WAN links but does not provide network segmentation or firewall rule enforcement within the cloud environment.

69
MCQhard

A cloud security architect is designing a forensics capability for a multi-tenant infrastructure-as-a-service (IaaS) environment. Which of the following is the MOST significant challenge when performing forensic acquisition of virtual machine (VM) memory?

A.High performance overhead caused by memory acquisition
B.Inability to access the hypervisor-level memory of other tenants due to isolation
C.Memory content is not available after the VM is powered off
D.Lack of tools that can capture memory from a running VM in the cloud
AnswerB

Multi-tenancy prevents cross-tenant memory access.

Why this answer

Option B is correct because accessing another tenant's VM memory would violate isolation boundaries and is not permitted by the cloud provider. Option D is wrong because VM memory can be imaged using tools like LiME; the main issue is access, not tooling. Option A is wrong because memory acquisition does not necessarily cause a high performance impact. Option C is wrong because, although memory content is volatile, the challenge is obtaining it from a tenant's perspective.

70
MCQhard

A financial institution uses a cloud-based data warehouse to store customer transaction records. They must comply with a regulation that requires deletion of data after 7 years. Which approach should they use to ensure data is irrecoverably destroyed?

A.Overwrite the data with multiple patterns of zeros and ones
B.Encrypt the data and then destroy the encryption keys (cryptographic erasure)
C.Tokenize the data and retain the token mapping
D.Delete the data using the cloud provider's API and remove pointers
AnswerB

Cryptographic erasure renders data unreadable without keys.

Why this answer

Cryptographic erasure (Option B) is the correct approach because it renders the encrypted data irrecoverable by securely destroying the encryption keys, making the ciphertext permanently undecipherable. This method is recognized by standards like NIST SP 800-88 as an effective sanitization technique for data at rest, especially in cloud environments where physical access to storage media is unavailable. It ensures compliance with the 7-year deletion requirement without needing to overwrite or physically destroy the underlying cloud storage.

Exam trap

ISC2 often tests the misconception that simply deleting data via the cloud provider's API or overwriting data is sufficient for irrecoverable destruction, but the trap is that cloud storage systems maintain multiple copies, snapshots, and version histories that are not addressed by these methods, making cryptographic erasure the only practical option for compliance.

How to eliminate wrong answers

Option A is wrong because overwriting data with multiple patterns of zeros and ones (e.g., DoD 5220.22-M) is impractical in a cloud data warehouse where data is stored on distributed, shared, and often versioned storage systems; the cloud provider may retain snapshots, replicas, or previous versions that are not overwritten, leaving residual data recoverable. Option C is wrong because tokenization replaces sensitive data with tokens but retains the token mapping, which does not destroy the original data; the mapping can be reversed, and the original data remains stored elsewhere, failing to achieve irrecoverable deletion. Option D is wrong because deleting data via the cloud provider's API and removing pointers only removes logical references; the underlying data blocks remain on physical media and can be recovered through forensic techniques or provider-side snapshots, making it insufficient for compliance with irrecoverable destruction requirements.

71
MCQeasy

Refer to the exhibit. A log entry shows a suspected SQL injection attack. Which security control would have prevented this attack?

A.Encrypt the database connection
B.Implement rate limiting on the login endpoint
C.Enforce strong password policies
D.Use parameterized SQL queries
AnswerD

Parameterized queries prevent injection by treating input as data.

Why this answer

Option D is correct because SQL injection attacks exploit unsanitized user input that is concatenated into SQL queries. Parameterized queries (also known as prepared statements) separate SQL logic from data by using placeholders, ensuring that user input is always treated as data, not executable code. This prevents an attacker from injecting malicious SQL commands, regardless of the input content.

Exam trap

ISC2 often tests the distinction between network-layer controls (like encryption) and application-layer controls (like input validation), and the trap here is that candidates confuse encryption of the connection with prevention of injection, thinking encrypted traffic cannot carry malicious payloads.

How to eliminate wrong answers

Option A is wrong because encrypting the database connection (e.g., using TLS/SSL) protects data in transit from eavesdropping but does not prevent the execution of malicious SQL statements; the injection still occurs at the application layer. Option B is wrong because rate limiting on the login endpoint only mitigates brute-force or credential-stuffing attacks by restricting request frequency; it has no effect on the content of a single request that contains SQL injection payload. Option C is wrong because enforcing strong password policies (e.g., complexity, length) reduces the risk of credential compromise but does not address the vulnerability of unsanitized input in SQL queries; an attacker can still inject SQL without needing valid credentials.

72
MCQmedium

An administrator configured the above key policy for a KMS key used to encrypt S3 backup data. The backup role 'BackupRole' is in the same account. However, when the backup service attempts to use the key to decrypt objects, the operation fails. What is the most likely cause?

A.The principal ARN is incorrect because the role name contains uppercase letters
B.The 'kms:ViaService' condition restricts calls to those originating from S3, but the backup service uses direct KMS API
C.The key policy requires a grant token that is not being provided
D.The action list does not include 'kms:Decrypt' for S3
AnswerB

The condition prevents direct KMS calls.

Why this answer

The 'kms:ViaService' condition key restricts KMS API calls to those that originate from a specific AWS service, in this case S3. However, the backup service is likely making direct KMS API calls (e.g., Decrypt) rather than having S3 proxy the request, so the condition is not satisfied. The key policy only permits use of the key when the call comes via S3, which is why decryption fails.

Exam trap

ISC2 often tests the nuance that 'kms:ViaService' only applies when the request is made through the specified service's integration, not when the client calls KMS directly, leading candidates to overlook the direct API call scenario.

How to eliminate wrong answers

Option A is wrong because principal ARNs in AWS IAM are case-sensitive but role names can contain uppercase letters; the ARN format uses the role name exactly as defined, so uppercase letters are valid and not the cause of failure. Option C is wrong because grant tokens are used with KMS grants, not key policies; the key policy here does not require a grant token, and the error is unrelated to grants. Option D is wrong because the action list includes 'kms:Decrypt' for the backup role (as shown in the policy snippet), so the missing action is not the issue.
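As an added illustration (not the exhibit referenced by the question, which is not reproduced here), the following is a constructed KMS key policy of the kind the explanation describes: the second statement, on its own, is the failing configuration, because its kms:ViaService condition only matches when S3 makes the KMS call on BackupRole's behalf; the third statement is the correction that also permits BackupRole's direct Decrypt calls. The account ID 111122223333 and the region us-east-1 are placeholders; BackupRole is the role name from the question.

```json
{
  "Version": "2012-10-17",
  "Id": "backup-key-policy-example",
  "Statement": [
    {
      "Sid": "EnableKeyAdministrationByAccountRoot",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowBackupRoleOnlyWhenCalledThroughS3",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/BackupRole" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:ViaService": "s3.us-east-1.amazonaws.com" }
      }
    },
    {
      "Sid": "AllowBackupRoleDirectDecryptForRestore",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/BackupRole" },
      "Action": [ "kms:Decrypt", "kms:DescribeKey" ],
      "Resource": "*"
    }
  ]
}
```

With only the second statement present, a Decrypt request that BackupRole sends directly to KMS carries no kms:ViaService value of s3.us-east-1.amazonaws.com, so no Allow statement matches and KMS returns AccessDeniedException. The third statement grants the direct path explicitly, scoped to the two actions a restore needs, while the S3-proxied path keeps its service-bound condition.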

73
Multi-Selectmedium

A cloud security team is designing a defense-in-depth strategy for a web application. Which TWO of the following are effective network-level security controls? (Choose two.)

Select 2 answers
A.CloudTrail
B.Network ACLs
C.IAM policies
D.Web Application Firewall (WAF)
E.Security groups
AnswersB, E

NACLs are stateless firewall rules at the subnet level.

Why this answer

Network ACLs (Option B) are a stateless, subnet-level firewall that filters traffic based on rules evaluating source/destination IP, protocol, and port. They operate at Layer 3/4 of the OSI model, making them an effective network-level security control for defense-in-depth by providing a first line of perimeter defense.

Exam trap

The trap here is confusing application-layer controls (WAF) or identity controls (IAM) with network-layer controls, or mistaking CloudTrail (a logging service) for a network security control.

74
MCQeasy

A regional bank is migrating its customer data to a cloud provider that offers services in multiple jurisdictions. The bank's legal team is concerned about compliance with data protection regulations, specifically regarding the right to be forgotten. During a review, the bank discovers that the cloud provider's data deletion process takes up to 90 days for archived data. The bank needs to ensure it can comply with customer deletion requests within 30 days as required by GDPR. What should the bank do?

A.Store all customer data on-premises and only use the cloud for non-sensitive data.
B.Accept the 90-day timeline and rely on a contractual clause that shifts liability to the provider.
C.Implement a process to request immediate deletion from the provider and verify completion within 30 days.
D.Negotiate a service level agreement that requires the provider to complete deletion within 30 days for all data.
AnswerC

This directly ensures compliance with the 30-day GDPR requirement through active management and verification.

Why this answer

Option C is correct because the bank must maintain compliance with GDPR's 30-day deletion requirement. By implementing a process to request immediate deletion from the provider and verifying completion within 30 days, the bank ensures it can meet the regulatory deadline regardless of the provider's standard 90-day archival deletion cycle. This approach leverages the provider's ability to perform expedited deletion upon request, which is a common capability in cloud services for compliance purposes.

Exam trap

ISC2 often tests the misconception that an SLA can override technical limitations or regulatory obligations, but the trap here is that candidates may choose D without realizing that SLAs cannot guarantee deletion within 30 days for archived data due to inherent storage architecture constraints, and the bank must instead implement a process to handle expedited deletion requests.

How to eliminate wrong answers

Option A is wrong because storing all customer data on-premises defeats the purpose of cloud migration and does not address the bank's need to use cloud services for customer data while remaining compliant. Option B is wrong because accepting the 90-day timeline and relying on a contractual liability shift does not absolve the bank from its regulatory obligation to delete data within 30 days; GDPR holds the data controller (the bank) ultimately responsible. Option D is wrong because negotiating an SLA for 30-day deletion on all data may not be feasible or enforceable for archived data due to technical constraints like tape-based storage or immutable snapshots, and the provider's standard process may still take 90 days for such data.

75
MCQeasy

A financial services company uses a hybrid cloud environment with an on-premises data center and AWS. They have deployed a Cloud Access Security Broker (CASB) to enforce data loss prevention (DLP) policies for SaaS applications. Recently, the security team noticed that sensitive customer data is being exfiltrated via encrypted traffic to a sanctioned cloud storage application. The CASB logs show the traffic is identified as HTTPS, but the DLP policy is not blocking it. The team verifies that the CASB is configured with a forward proxy and SSL inspection is enabled. Which action should the security team take to prevent this exfiltration?

A.Block all HTTPS traffic to the cloud storage application
B.Ensure the CASB's SSL certificate is deployed to all endpoint devices
C.Configure the CASB to log only metadata for encrypted traffic
D.Disable HTTPS for the cloud storage application and force HTTP
AnswerB

Without the CASB's certificate trusted by clients, SSL inspection fails, and DLP cannot inspect encrypted content.

Why this answer

The CASB is configured as a forward proxy with SSL inspection enabled, but for SSL inspection to work, the CASB's certificate must be trusted by the endpoint devices. Without the CASB's certificate deployed to the endpoints, the SSL inspection fails (the CASB cannot decrypt the traffic), so the DLP policy cannot inspect the payload of HTTPS traffic, allowing sensitive data to be exfiltrated. Deploying the CASB's certificate to all endpoint devices ensures that the endpoints trust the CASB's man-in-the-middle decryption, enabling the CASB to decrypt, inspect, and enforce DLP policies on encrypted traffic.

Exam trap

The trap here is that candidates assume SSL inspection is automatically effective once enabled in the CASB configuration, overlooking the critical prerequisite that the CASB's certificate must be trusted by the endpoints for decryption to occur.

How to eliminate wrong answers

Option A is wrong because blocking all HTTPS traffic to the cloud storage application is an overly broad and disruptive measure that would break legitimate business use of the sanctioned application, and it does not address the root cause of the DLP policy not being enforced on encrypted traffic. Option C is wrong because logging only metadata for encrypted traffic would reduce visibility and prevent the CASB from inspecting the payload, making it impossible to enforce DLP policies on the content of the traffic. Option D is wrong because disabling HTTPS and forcing HTTP would expose the data in transit to interception and tampering, violating security best practices and potentially regulatory compliance requirements, and it does not leverage the existing SSL inspection capability of the CASB.
