Certified Cloud Security Professional CCSP (CCSP) — Questions 676750

987 questions total · 14pages · All types, answers revealed

Page 9

Page 10 of 14

Page 11
676
MCQhard

A healthcare organization wants to perform analytics on encrypted patient data without decrypting it first, to maintain privacy. Which cryptographic technique supports this use case?

A.Homomorphic encryption
B.Tokenization
C.Format-preserving encryption (FPE)
D.Cryptographic hashing
AnswerA

Allows computation on encrypted data without decryption.

Why this answer

Homomorphic encryption allows computations to be performed directly on ciphertext, producing an encrypted result that, when decrypted, matches the result of operations performed on the plaintext. This enables the healthcare organization to run analytics on encrypted patient data without ever exposing the underlying sensitive information, thus preserving privacy throughout the processing lifecycle.

Exam trap

ISC2 often tests the distinction between 'processing on encrypted data' and 'protecting data at rest or in transit'—candidates mistakenly choose FPE or tokenization because they see 'encrypted' or 'token' and assume it supports analytics, but neither allows computation without decryption.

How to eliminate wrong answers

Option B (Tokenization) is wrong because it replaces sensitive data with non-sensitive tokens, but the original data must be stored in a separate vault and analytics cannot be performed on the tokens without detokenization, which breaks the 'no decryption' requirement. Option C (Format-preserving encryption) is wrong because it produces ciphertext that retains the original data format (e.g., 16-digit credit card numbers), but all operations require decryption first; it does not support computation on encrypted data. Option D (Cryptographic hashing) is wrong because it is a one-way function that cannot be reversed, and it does not allow any meaningful analytics on the hash values (e.g., you cannot compute an average or sum of hashed patient ages).

677
MCQmedium

A cloud security analyst is troubleshooting an access denied error when an application attempts to read an object from an S3 bucket. The application uses an IAM user that is not associated with the role specified in the policy. Which of the following is the most likely cause of the error?

A.The IAM user is not assuming the role before accessing the bucket.
B.The IAM user is not the specified role and is explicitly denied by the Deny statement.
C.The bucket policy has a conflicting Allow and Deny statement, causing an implicit deny.
D.The bucket policy is missing a condition for region restriction.
AnswerB

The Deny statement explicitly denies all principals that are not the specified role, so any other principal (including this IAM user) is denied access.

Why this answer

Option D is correct because the policy explicitly denies all principals except the specified role. The IAM user is not that role, so the Deny statement blocks access. Option A is irrelevant because the policy does not mention regions.

Option B is incorrect because the policy is syntactically valid and does not cause a conflict; the Deny overrides Allow per IAM evaluation logic. Option C is incorrect because the user is not attempting to assume the role, and the policy does not require it—it simply denies all principals that are not that role.

678
MCQhard

A cloud architect is designing VPC connectivity for a global organization with multiple AWS accounts. They need a central hub for connecting many VPCs together, supporting transitive routing. Which service should they use?

A.Private Link
B.Transit Gateway
C.VPN Connection
D.VPC Peering
AnswerB

Transit Gateway provides a hub-and-spoke architecture with transitive routing.

Why this answer

AWS Transit Gateway acts as a central hub that allows transitive routing between multiple VPCs and on-premises networks.

679
Multi-Selecteasy

A multinational corporation stores customer data in an AWS S3 bucket located in the US. The company's European customers' personal data must comply with GDPR. Which TWO actions should the company take to ensure compliance with GDPR data transfer requirements?

Select 2 answers
A.Implement encryption at rest using AWS KMS with a key stored in the US.
B.Sign Standard Contractual Clauses (SCCs) with the cloud provider.
C.Ensure that the data is only accessed by employees in the EU.
D.Use AWS Direct Connect to route traffic exclusively through EU-based links.
E.Implement a Data Processing Agreement (DPA) with AWS.
AnswersB, E

SCCs are a valid adequacy mechanism for transferring personal data to third countries under GDPR.

Why this answer

Standard Contractual Clauses (SCCs) are a lawful mechanism under GDPR for transferring personal data from the EU to a third country (the US) without an adequacy decision. By signing SCCs with AWS, the company contractually binds the cloud provider to ensure adequate data protection for the European customers' data stored in the US S3 bucket. This directly addresses the GDPR requirement for a valid transfer tool.

Exam trap

Cisco often tests the distinction between security controls (encryption, access restrictions) and legal transfer mechanisms (SCCs, DPA), trapping candidates who think technical measures alone satisfy GDPR transfer requirements.

680
Multi-Selectmedium

A cloud security architect is designing a multi-tenant SaaS application that must ensure strong isolation between tenants. Which TWO mechanisms are most effective for achieving multitenancy isolation?

Select 2 answers
A.Hypervisor-based virtual machine isolation
B.Network micro-segmentation
C.Encryption at rest for all tenant data
D.Database row-level permissions
E.API rate limiting per tenant
AnswersA, B

Hypervisor isolation separates VMs of different tenants.

Why this answer

Network micro-segmentation and hypervisor-level isolation are key for multi-tenant isolation. Encryption at rest protects data but does not isolate compute; database row-level permissions provide logical but not strong isolation; API rate limiting controls usage but not isolation.

681
MCQhard

A cloud service provider (CSP) includes a limitation of liability clause capped at the total fees paid in the past 12 months. A customer suffers a data breach due to provider negligence, losing $2M in business. The customer's annual spend is $500K. What is the customer's likely recovery?

A.The amount of direct damages only
B.Up to $500K, the total fees paid in the past 12 months
C.Full $2M because negligence overrides liability caps
D.Zero because the customer accepted the terms
AnswerB

The explicit cap is based on fees paid.

Why this answer

The clause limits liability to fees paid (12 months = $500K), so the customer can recover up to that amount, not the full $2M loss. Option B correctly states this limitation.

682
MCQmedium

A security engineer is reviewing container image security. Which of the following practices best ensures that a container image has not been tampered with and originates from a trusted source?

A.Scanning the image with Trivy for CVEs
B.Using a minimal base image like Alpine
C.Setting the image tag to :latest
D.Signing the image with Cosign and verifying it at deployment
AnswerD

Image signing ensures authenticity and integrity; verification enforces trust.

Why this answer

Image signing using tools like Cosign provides cryptographic verification of image integrity and authenticity. Scanning for CVEs identifies vulnerabilities but does not verify origin.

683
MCQeasy

During a cloud security audit, it is discovered that a cloud storage bucket is configured to allow access from any IP address. The bucket contains sensitive customer data. What is the BEST immediate action to secure the bucket?

A.Modify the bucket policy to deny access from all IP addresses except trusted ranges.
B.Enable bucket logging to track access attempts.
C.Notify the security team and wait for a formal change request.
D.Enable server-side encryption on the bucket.
AnswerA

This directly removes public access and restricts to trusted IPs.

Why this answer

The immediate risk is that the bucket is publicly accessible from any IP address, exposing sensitive customer data. Modifying the bucket policy to deny access from all IP addresses except trusted ranges directly addresses this exposure by restricting network-level access. This is the most effective first step because it removes the broad, unrestricted access while maintaining necessary access for authorized users.

Exam trap

ISC2 often tests the distinction between access control and other security controls, trapping candidates who confuse encryption or logging with network-level access restriction.

How to eliminate wrong answers

Option B is wrong because enabling bucket logging only records access attempts; it does not prevent unauthorized access, so the data remains exposed. Option C is wrong because waiting for a formal change request delays remediation, leaving the sensitive data vulnerable during the wait period. Option D is wrong because server-side encryption protects data at rest but does not control network access; the bucket remains accessible from any IP address, so encryption alone does not secure the bucket from unauthorized access.

684
MCQeasy

A company wants to enforce data classification in its cloud environment. They need to automatically identify and label sensitive data such as credit card numbers in cloud storage. Which service should they use?

A.Cloud KMS
B.Cloud DLP
C.Cloud Audit Logs
D.Cloud IAM
AnswerB

Cloud DLP is designed to discover, classify, and protect sensitive data in cloud storage.

Why this answer

Cloud DLP (Data Loss Prevention) can scan cloud storage for sensitive data like credit card numbers and apply classification labels or de-identification transforms.

685
MCQhard

A company is migrating a critical application to the cloud and must ensure that its security operations center (SOC) can detect and respond to threats in real time. The application generates high volumes of logs. Which combination of services would provide the MOST efficient and cost-effective solution for centralized logging, analysis, and alerting?

A.Deploy a basic monitoring tool that triggers alerts based on static thresholds.
B.Implement a Security Information and Event Management (SIEM) system with real-time correlation and a log management solution that auto-scales.
C.Use a cloud-native log storage service with long retention and no analysis.
D.Store logs in a centralized log server and have SOC analysts manually review them.
AnswerB

SIEM provides real-time correlation and auto-scaling handles high volumes efficiently.

Why this answer

Option B is correct because a SIEM system with real-time correlation enables the SOC to detect threats as they occur by analyzing log data across multiple sources, while an auto-scaling log management solution ensures cost efficiency by dynamically adjusting resources to handle high log volumes without over-provisioning. This combination provides centralized logging, real-time analysis, and alerting, meeting the requirement for efficient and cost-effective threat detection.

Exam trap

ISC2 often tests the misconception that simple storage or manual review is sufficient for real-time threat detection, but the CCSP emphasizes that centralized logging without analysis and correlation fails to meet SOC operational requirements for real-time response.

How to eliminate wrong answers

Option A is wrong because a basic monitoring tool with static thresholds cannot perform real-time correlation across diverse log sources, leading to high false positives and missed advanced threats, and it lacks the scalability to handle high-volume logs efficiently. Option C is wrong because a cloud-native log storage service with long retention and no analysis fails to provide the real-time detection and alerting required by the SOC, as it only stores logs without any correlation or threat identification. Option D is wrong because storing logs in a centralized log server with manual review is neither efficient nor real-time, as SOC analysts cannot manually analyze high-volume logs quickly enough to detect and respond to threats promptly, and it does not scale cost-effectively.

686
MCQeasy

A developer is implementing a cloud application that stores sensitive user data. To minimize the risk of data exposure during transit, which security control should be enforced as a baseline requirement?

A.Implement IPsec tunnels between components
B.Use HTTPS without additional controls
C.Require SSH for all connections
D.Enforce TLS for all data in transit
AnswerD

TLS encrypts data in transit, protecting confidentiality and integrity.

Why this answer

TLS (Transport Layer Security) is the industry-standard protocol for encrypting data in transit, providing confidentiality, integrity, and authentication. Enforcing TLS for all communications ensures that sensitive user data is protected from eavesdropping and tampering during transmission, making it a baseline requirement for cloud application security.

Exam trap

ISC2 often tests the misconception that HTTPS alone is sufficient, but the trap here is that 'HTTPS without additional controls' (Option B) is not a baseline requirement because it lacks enforcement of strong TLS versions, certificate validation, and protections like HSTS, making it vulnerable to attacks that TLS enforcement (Option D) explicitly mitigates.

How to eliminate wrong answers

Option A is wrong because IPsec tunnels are typically used for site-to-site VPNs or network-layer encryption between entire subnets, not as a baseline for individual application-level connections; they add complexity and overhead without providing the same granular per-connection authentication and encryption as TLS. Option B is wrong because HTTPS without additional controls (like enforcing TLS 1.2 or higher, proper certificate validation, and HSTS) can still be vulnerable to downgrade attacks, man-in-the-middle attacks, and certificate spoofing, so it is not sufficient as a baseline requirement. Option C is wrong because SSH is designed for secure remote shell access and file transfer, not for general application data transit; it is not suitable for encrypting HTTP-based API calls or database connections between cloud components.

687
Multi-Selecteasy

Which THREE of the following are effective strategies for ensuring data backup integrity and recoverability in the cloud?

Select 3 answers
A.Maintain at least three copies of data across two different locations.
B.Encrypt all backups with a strong algorithm.
C.Perform regular restore tests to validate backup usability.
D.Set backup schedules to run daily for all critical data.
E.Store backups in immutable storage to prevent modification or deletion.
AnswersA, C, E

Multiple copies and geographic diversity improve recoverability.

Why this answer

Option A is correct because the 3-2-1 backup rule (three copies, two different media types, one offsite) is a foundational strategy for data durability and recoverability. In cloud environments, this typically means maintaining a primary copy, a local backup in a different availability zone, and a cross-region copy to protect against region-wide failures. This ensures that even if two copies are compromised, a third remains available for recovery.

Exam trap

ISC2 often tests the distinction between backup security (encryption) and backup integrity/recoverability, leading candidates to mistakenly select encryption as a strategy for recoverability when it only addresses confidentiality.

688
MCQmedium

A company uses a cloud-based identity provider for single sign-on. An application needs to verify the user's identity without storing credentials. Which token type should the application validate?

A.SAML assertion
B.JWT
C.Kerberos ticket
D.OAuth access token
AnswerA

SAML assertions are used in SSO to convey user identity and attributes.

Why this answer

A SAML assertion is the correct choice because it is specifically designed for single sign-on (SSO) scenarios where an identity provider (IdP) authenticates a user and issues a signed XML token containing the user's identity and attributes. The application validates the assertion's signature and trust relationship with the IdP, verifying the user's identity without ever storing or handling credentials. This aligns with the cloud-based identity provider model described in the question.

Exam trap

ISC2 often tests the distinction between authentication tokens (SAML) and authorization tokens (OAuth access tokens), leading candidates to pick OAuth access token because they confuse it with OpenID Connect ID tokens, which are actually JWTs used for identity in modern SSO.

How to eliminate wrong answers

Option B is wrong because a JWT (JSON Web Token) is a compact, self-contained token often used for stateless API authorization, but it is not inherently tied to SSO identity verification; it typically carries claims like user ID and expiration, but the application would still need to validate the JWT's signature and trust the issuer, which is not the standard SSO token format for cloud-based identity providers. Option C is wrong because a Kerberos ticket is a symmetric-key-based authentication token used in on-premises Windows domain environments, not in cloud-based identity provider SSO scenarios; it relies on a Key Distribution Center (KDC) and is not designed for cross-domain or cloud federation. Option D is wrong because an OAuth access token is primarily an authorization token that grants access to resources, not an identity token; it does not carry user identity claims in a standardized way for SSO verification, and the application would need a separate ID token (like OpenID Connect) to verify the user's identity.

689
MCQmedium

A cloud architect is tasked with designing a disaster recovery plan for a critical application. The recovery time objective (RTO) is 1 hour, and the recovery point objective (RPO) is 15 minutes. The application runs on IaaS with data stored in a relational database. Which replication strategy is MOST cost-effective while meeting the objectives?

A.Daily full backups to another region
B.Synchronous database mirroring across regions
C.Multi-region active-active deployment with load balancing
D.Asynchronous storage-level replication with 15-minute snapshots
AnswerD

Asynchronous replication with frequent snapshots meets the RPO cost-effectively.

Why this answer

Option D is correct because asynchronous storage-level replication with 15-minute snapshots meets the RPO of 15 minutes and the RTO of 1 hour, while being more cost-effective than synchronous replication. Asynchronous replication avoids the latency and bandwidth costs of synchronous mirroring across regions, and the 15-minute snapshot schedule ensures data loss is limited to the RPO window. This strategy is suitable for IaaS relational databases where near-real-time consistency is acceptable.

Exam trap

ISC2 often tests the misconception that synchronous replication is always required for low RPOs, but here the RPO is 15 minutes, which asynchronous replication with snapshots can meet at lower cost, and candidates may incorrectly choose synchronous mirroring due to assuming zero data loss is needed.

How to eliminate wrong answers

Option A is wrong because daily full backups to another region cannot achieve an RPO of 15 minutes; the backup interval is 24 hours, leading to potential data loss of up to a day, which far exceeds the 15-minute RPO. Option B is wrong because synchronous database mirroring across regions introduces significant network latency and cost, and while it can achieve near-zero RPO, it is overkill for a 15-minute RPO and may degrade application performance due to synchronous writes. Option C is wrong because multi-region active-active deployment with load balancing is designed for high availability and traffic distribution, not specifically for data replication with a defined RPO; it does not inherently provide point-in-time recovery snapshots and is more expensive than necessary for the stated RPO/RTO.

690
MCQhard

Refer to the exhibit. A security engineer reviews this CloudTrail log entry. The company has a policy that all deletion operations must be approved by the compliance team. What is the most likely compliance issue?

A.The deletion was performed from an internal IP address
B.The deletion was performed by a user who may not have authorization
C.The log entry does not include the object's encryption status
D.The deletion was performed without evidence of compliance team approval
AnswerD

The policy requires approval, but the log shows no approval step.

Why this answer

Option D is correct because the company policy explicitly requires compliance team approval for all deletion operations, and the CloudTrail log entry does not contain any evidence of such approval (e.g., no MFA context, no approval token, no IAM policy condition key indicating approval). CloudTrail logs record API calls but do not inherently capture external approval workflows; the absence of an approval artifact in the log indicates a policy violation.

Exam trap

ISC2 often tests the distinction between 'authorization' (who can perform an action) and 'approval' (a separate governance step), leading candidates to choose Option B when the real issue is the missing compliance approval artifact.

How to eliminate wrong answers

Option A is wrong because the source IP address being internal is irrelevant to the compliance issue; the policy concerns authorization, not network origin. Option B is wrong because the log entry shows the user identity (e.g., user ARN) and the action was performed, but the core issue is not whether the user 'may not have authorization'—the log itself does not indicate unauthorized access; the problem is the missing approval step. Option C is wrong because encryption status of the object is not required in a CloudTrail log for deletion compliance; the policy focuses on approval, not encryption metadata.

691
MCQeasy

A cloud security architect is designing a multi-tier application that processes sensitive customer data. To protect data in transit between the web tier and the application tier, which of the following is the MOST appropriate approach?

A.Use standard TLS with server-side certificates only
B.Establish SSH tunnels for all inter-tier communication
C.Use mutual TLS (mTLS) between the tiers
D.Implement IPsec VPN between the tiers
AnswerC

mTLS provides bidirectional authentication and encryption, ideal for service-to-service communication.

Why this answer

Mutual TLS (mTLS) is the most appropriate approach because it provides bidirectional authentication and encryption between the web tier and application tier. In a multi-tier application processing sensitive customer data, mTLS ensures that both the client (web tier) and server (application tier) present valid certificates, preventing man-in-the-middle attacks and unauthorized inter-tier communication. This is critical for protecting data in transit in zero-trust or internal network segments where simple server-side TLS would not verify the identity of the calling service.

Exam trap

ISC2 often tests the misconception that standard TLS (server-side only) is sufficient for internal service-to-service communication, but the trap here is that without mutual authentication, an attacker who compromises the web tier could impersonate it to the application tier, or a rogue service could connect to the application tier undetected.

How to eliminate wrong answers

Option A is wrong because standard TLS with server-side certificates only authenticates the server to the client, but does not authenticate the client (web tier) to the application tier, leaving the application tier vulnerable to unauthorized or spoofed connections. Option B is wrong because SSH tunnels provide point-to-point encryption but are designed for interactive shell access or port forwarding, not for high-throughput, persistent inter-tier service communication; they introduce management overhead and lack the certificate-based identity verification that mTLS offers for service-to-service authentication. Option D is wrong because IPsec VPN operates at the network layer and encrypts all traffic between subnets, but it is overly complex for application-layer communication, adds latency, and does not provide application-level identity verification between specific services; it is more suited for site-to-site connectivity rather than fine-grained inter-tier authentication.

692
MCQmedium

A cloud storage bucket is configured with versioning enabled. A ransomware attack encrypts all objects in the bucket. How can the organization recover the original data?

A.Use the cloud provider's backup service to restore the bucket
B.Replicate data from the cross-region replica
C.Use the cloud provider's ransomware recovery service
D.Restore from previous versions of the objects
AnswerD

Versioning allows retrieval of previous, unencrypted versions, effectively recovering the data.

Why this answer

Versioning preserves previous versions of objects. The organization can restore previous unencrypted versions, provided they have not been deleted and the ransomware did not delete versions.

693
MCQmedium

In a public cloud IaaS model, which of the following security controls is the cloud customer primarily responsible for implementing?

A.Hypervisor security
B.Network infrastructure security
C.Physical security of data centers
D.Guest OS patch management
AnswerD

The customer manages the guest OS, including patching.

Why this answer

The customer is responsible for securing the guest OS and applications.

694
MCQhard

A company uses a hybrid cloud architecture with on-premises key management and cloud services. They need to ensure that encryption keys used for cloud data are never exposed to the cloud provider. Which key management approach best meets this requirement?

A.Use the cloud provider's native key management service
B.Store keys in a cloud key vault with access logs
C.Use a BYOK solution with an on-premises HSM and key caching
D.Deploy a cloud-based HSM and store keys only there
AnswerC

BYOK allows key generation and lifetime outside the cloud.

Why this answer

Option C is correct because a Bring Your Own Key (BYOK) solution with an on-premises Hardware Security Module (HSM) allows the company to generate and store encryption keys locally, then securely transfer them to the cloud for use without exposing the raw key material to the cloud provider. Key caching ensures that the cloud service can perform operations without the provider ever having persistent access to the plaintext keys, meeting the requirement that keys are never exposed to the cloud provider.

Exam trap

ISC2 often tests the misconception that a cloud-based HSM (Option D) is equivalent to on-premises key control, but the trap is that any key stored in the cloud provider's infrastructure is still accessible to the provider, whereas BYOK with an on-premises HSM ensures the provider never has access to the plaintext key material.

How to eliminate wrong answers

Option A is wrong because using the cloud provider's native key management service means the provider generates, stores, and manages the keys, giving them full access to the key material and violating the requirement. Option B is wrong because storing keys in a cloud key vault with access logs still places the keys under the cloud provider's control and infrastructure, exposing them to the provider's administrators and potential breaches. Option D is wrong because deploying a cloud-based HSM and storing keys only there still means the keys reside within the cloud provider's environment, subject to their physical and logical access controls, thus exposing the keys to the provider.

695
MCQmedium

A cloud security team is implementing container runtime security. Which of the following measures is most effective at preventing a container from breaking out to the host OS?

A.Setting the container's root filesystem to read-only
B.Applying a Seccomp profile that whitelists only necessary syscalls
C.Using a non-root user inside the container
D.Dropping all Linux capabilities except those required
AnswerB

Seccomp profiles directly limit syscalls, a common vector for escape.

Why this answer

Seccomp profiles restrict system calls available to containers, significantly reducing the attack surface for container escape vulnerabilities. Dropping capabilities and read-only root filesystem are important but not as comprehensive as seccomp.

696
MCQeasy

An organization is developing a mobile app that communicates with a cloud API. To ensure secure authentication, which of the following should be used?

A.Session cookies for state management
B.Basic authentication with username and password
C.OAuth 2.0 with OpenID Connect
D.API keys sent in HTTP headers
AnswerC

Provides delegated authorization and authentication for mobile apps.

Why this answer

OAuth 2.0 with OpenID Connect (OIDC) is the correct choice because it provides a delegated authorization framework (OAuth 2.0) combined with an identity layer (OIDC) that enables secure authentication and single sign-on (SSO) for mobile apps communicating with cloud APIs. This combination issues short-lived access tokens and ID tokens (typically JWTs) rather than exposing long-lived credentials, and supports token refresh, scoped permissions, and PKCE (Proof Key for Code Exchange) to prevent authorization code interception on mobile devices.

Exam trap

ISC2 often tests the misconception that API keys or Basic auth are sufficient for mobile-to-cloud authentication, but the trap is that these methods lack the delegation, token lifecycle management, and identity verification that OAuth 2.0 with OpenID Connect provides, which is the industry standard (RFC 6749, RFC 7519) for securing mobile API access.

How to eliminate wrong answers

Option A is wrong because session cookies are designed for server-side web applications with browser-based state management; mobile apps lack a browser context for cookie handling and are vulnerable to CSRF and session hijacking, making cookies unsuitable for native mobile-to-API communication. Option B is wrong because Basic authentication transmits credentials (Base64-encoded username:password) in every request, exposing them to interception and replay attacks; it offers no token expiration, no scoping, and no support for multi-factor authentication, violating cloud security best practices. Option D is wrong because API keys sent in HTTP headers are static, long-lived secrets that are easily leaked in client-side code (e.g., mobile app binaries), provide no user authentication or delegation, and lack built-in revocation mechanisms beyond key rotation.

697
Multi-Selectmedium

A company is drafting a cloud service contract and wants to ensure it can exit the provider without losing access to its data. Which TWO clauses are most important to include?

Select 2 answers
A.Data deletion clause requiring deletion of all data, including backups, after termination
B.Data portability clause specifying the right to export data in a standard format
C.Service Level Agreement (SLA) for availability
D.Non-disclosure agreement (NDA)
E.Right to audit clause
AnswersA, B

Ensures data is not retained after exit.

Why this answer

Data portability ensures the customer can export data in a usable format. Data deletion ensures the provider deletes all copies of customer data after termination. These clauses are critical for a clean exit.

698
MCQhard

Under GDPR, a cloud data controller must notify the supervisory authority of a personal data breach within what timeframe?

A.24 hours
B.72 hours
C.7 days
D.48 hours
AnswerB

72 hours is the correct timeframe under GDPR.

Why this answer

GDPR Article 33 requires notification within 72 hours of becoming aware of the breach.

699
MCQmedium

A developer is designing a microservices-based application in the cloud. They need to ensure communication between services is loosely coupled and resilient to failures. Which design pattern should they implement?

A.API gateway
B.Event-driven messaging
C.Service mesh
D.Database per service
AnswerB

Event-driven messaging uses asynchronous messages, enabling loose coupling and resilience to failures.

Why this answer

Event-driven messaging (B) is correct because it enables asynchronous, decoupled communication between microservices, allowing them to operate independently and remain resilient to failures. When a service publishes an event, other services consume it at their own pace, preventing cascading failures and ensuring the system can handle partial outages without blocking. This pattern directly supports loose coupling and fault tolerance, which are critical for cloud-based microservices architectures.

Exam trap

ISC2 often tests the distinction between patterns that manage communication (like service mesh) versus patterns that decouple communication (like event-driven messaging), and the trap here is that candidates confuse a service mesh's ability to handle retries and circuit breakers with the fundamental loose coupling provided by asynchronous event-driven architectures.

How to eliminate wrong answers

Option A (API gateway) is wrong because it acts as a single entry point for client requests and typically handles synchronous communication, which can introduce a bottleneck and tight coupling between services, not the loosely coupled, failure-resilient pattern required. Option C (Service mesh) is wrong because it focuses on managing service-to-service communication at the infrastructure layer (e.g., with sidecar proxies like Envoy) and does not inherently provide the asynchronous, event-driven decoupling needed for resilience; it handles traffic management and observability but not failure isolation through loose coupling. Option D (Database per service) is wrong because it is a data management pattern that ensures each microservice has its own database to avoid tight coupling at the data layer, but it does not address communication resilience or asynchronous messaging between services.

700
MCQeasy

A security engineer needs to ensure that all API calls made to AWS resources are logged for auditing. Which AWS service should be enabled to capture management and data events?

A.Amazon CloudWatch Logs
B.AWS Config
C.AWS GuardDuty
D.AWS CloudTrail
AnswerD

CloudTrail records API calls and is the correct service for auditing.

Why this answer

AWS CloudTrail is the service designed to log API calls for auditing. It can capture management events (control plane) and data events (data plane) such as S3 object-level operations and Lambda invocations.

701
MCQeasy

Which characteristic of cloud computing allows a user to provision computing resources automatically without requiring human interaction with the service provider?

A.Rapid elasticity
B.Broad network access
C.On-demand self-service
D.Measured service
AnswerC

This is the ability to provision resources automatically without human provider interaction.

Why this answer

On-demand self-service enables users to provision resources as needed without manual intervention from the provider. This is a fundamental characteristic defined by NIST.

702
MCQmedium

A cloud application uses customer-managed encryption keys (CMK) stored in a cloud HSM. The application needs to decrypt data on demand. How should the key be accessed?

A.Use the HSM to decrypt without exposing the key
B.Use a key management service with IAM permissions
C.Store the key in application configuration
D.Copy the key to the application's memory
AnswerB

KMS provides secure access to keys with IAM controls, allowing decryption requests without exposing the key material.

Why this answer

Option B is correct because cloud key management services (e.g., AWS KMS, Azure Key Vault) allow you to use customer-managed keys (CMK) stored in a cloud HSM without ever exposing the plaintext key to the application. The application calls the KMS API with IAM permissions to request decryption, and the HSM performs the decryption inside its hardware boundary, returning only the decrypted data. This ensures the key material never leaves the HSM's secure enclave, maintaining the security posture required for CMK usage.

Exam trap

ISC2 often tests the misconception that 'using an HSM directly' is the correct answer, but the trap is that cloud environments require a key management service (KMS) as the intermediary to enforce IAM policies, audit logging, and key lifecycle management—the HSM alone does not provide these access control features.

How to eliminate wrong answers

Option A is wrong because while the HSM can decrypt without exposing the key, the question asks how the application should access the key; directly calling the HSM API is not the standard cloud pattern—a key management service (KMS) abstracts HSM operations and provides IAM-based access control, auditing, and key rotation. Option C is wrong because storing the key in application configuration violates the fundamental principle of CMK security—keys must never be stored in plaintext outside the HSM or KMS, as configuration files are easily exposed via misconfigurations or breaches. Option D is wrong because copying the key to the application's memory exposes the plaintext key material, defeating the purpose of using a hardware security module (HSM) and violating the 'never export the key' rule that CMK policies enforce.

703
MCQeasy

A small business wants to use a cloud service but has limited in-house IT expertise. Which cloud service model requires the least customer management responsibility?

A.IaaS
B.SaaS
C.PaaS
D.FaaS
AnswerB

SaaS is fully managed; customer only uses the application.

Why this answer

SaaS (Software as a Service) delivers a complete application managed entirely by the cloud provider, so the customer only needs to use the software without managing underlying infrastructure, platforms, or runtime. For a small business with limited IT expertise, this model minimizes operational overhead because the provider handles maintenance, patching, and availability.

Exam trap

ISC2 often tests the misconception that PaaS requires less management than SaaS because candidates confuse 'platform management' with 'application management,' but PaaS still leaves the customer responsible for application code and its dependencies.

How to eliminate wrong answers

Option A is wrong because IaaS requires the customer to manage virtual machines, storage, and networking, which demands significant IT expertise for OS patching, security groups, and configuration. Option C is wrong because PaaS still requires the customer to manage application code, runtime settings, and sometimes database configurations, though the provider manages the underlying platform. Option D is wrong because FaaS (Function as a Service) involves writing and deploying individual functions, which still requires development skills and management of function triggers, dependencies, and scaling logic.

704
MCQmedium

A cloud customer is concerned about the right to erasure under GDPR because the cloud provider replicates data across multiple regions and keeps backups. What technical challenge does this create for complying with a erasure request?

A.The data must be anonymized instead of deleted.
B.The customer must notify all other users who may have accessed the data.
C.The cloud provider may not be able to delete data from all replicas and backups within the required time frame.
D.The cloud provider must retain the data for audit purposes.
AnswerC

Replication and backups create multiple copies that must all be erased, which can be challenging.

Why this answer

Under GDPR, the right to erasure requires deletion of all copies of the data. In cloud environments, data may be replicated across regions and stored in backups with different retention periods, making it technically difficult to ensure complete deletion from all locations.

705
Multi-Selecteasy

A company needs to ensure that data stored in the cloud is securely deleted when no longer needed. Which TWO of the following are secure deletion methods? (Choose two.)

Select 2 answers
A.Cryptographic erasure (destroying encryption keys)
B.Deleting the file metadata
C.Multiple overwrite of the storage blocks
D.Wiping the swap space
E.Degaussing the storage medium
AnswersA, C

Without key, encrypted data is unrecoverable.

Why this answer

Cryptographic erasure renders data unrecoverable by securely destroying the encryption keys used to encrypt the data at rest. Without the keys, the ciphertext becomes effectively indecipherable, even if the underlying storage blocks remain intact. This method is recognized by NIST SP 800-88 as a valid sanitization technique for cloud environments where physical access to storage is limited.

Exam trap

ISC2 often tests the distinction between logical deletion (e.g., deleting metadata) and secure deletion, and candidates mistakenly choose 'deleting file metadata' because they confuse it with secure file deletion in operating systems, ignoring that cloud storage APIs do not guarantee physical block erasure.

706
MCQmedium

A company is adopting a hybrid cloud model to run sensitive workloads on-premises and less critical applications in the public cloud. Which security consideration is most critical for this environment?

A.Using a single cloud provider for both environments
B.Ensuring high-speed network connectivity
C.Maintaining consistent security policies across both environments
D.Implementing data encryption at rest only
AnswerC

Consistent policies prevent security gaps in hybrid cloud.

Why this answer

Hybrid cloud requires consistent security policies across environments to avoid gaps. Connectivity is important but policy consistency ensures security controls are uniformly applied.

707
MCQhard

A cloud security architect is designing an API gateway for a microservices application. The gateway must authenticate requests, enforce rate limiting, and log all transactions for audit. Which of the following security controls is most critical to protect against API abuse?

A.Implement rate limiting and throttling based on client identity and request volume.
B.Use TLS 1.3 to encrypt all traffic between clients and the gateway.
C.Validate and sanitize all input parameters to prevent injection attacks.
D.Require API keys for all requests and revoke keys of suspicious clients.
AnswerA

Rate limiting directly mitigates abuse by controlling request rates.

Why this answer

Option D is correct because rate limiting and throttling directly prevent abuse by limiting request frequency. Option A is wrong because encryption protects data in transit but not abuse. Option B is wrong because input validation prevents injection but not volume-based attacks.

Option C is wrong because API keys authenticate but do not limit usage.

708
MCQeasy

A customer relies on this SOC 2 Type II report to assess a cloud provider's controls. What is the primary limitation of this report?

A.The report includes subjective opinions
B.The report does not cover the entire provider's infrastructure
C.The report is biased in favor of the provider
D.The report only covers controls up to Dec 31, 2023
AnswerD

Controls are not tested beyond the audit period.

Why this answer

The report covers controls tested from Jan to Dec 2023, not current. Controls may have changed since. The report is not predictive, but the time lag is the key limitation.

Scope is per provider, unbiased.

709
MCQeasy

A cloud customer experiences a ransomware attack that encrypts data in an object storage bucket. The customer has versioning enabled on the bucket. How can the customer MOST effectively restore the data?

A.Delete the bucket and recreate it
B.Restore the bucket to a previous version using the versioning feature
C.Use the cloud provider's undelete feature for the encrypted objects
D.Decrypt the objects using the ransomware decryption key
AnswerB

Versioning allows recovery of unencrypted versions.

Why this answer

With versioning enabled on the object storage bucket, each object version is preserved. The correct approach is to restore the bucket to a previous, unencrypted version using the versioning feature, which effectively rolls back the data to its state before the ransomware encrypted the current versions. This avoids data loss and does not require decryption keys or bucket deletion.

Exam trap

ISC2 often tests the misconception that 'versioning' is only for preventing accidental deletion, when in fact it also enables recovery from overwrites (including ransomware encryption), and candidates may incorrectly assume that a decryption key or undelete feature is the primary recovery method.

How to eliminate wrong answers

Option A is wrong because deleting and recreating the bucket would permanently remove all object versions, including the unencrypted ones, resulting in total data loss. Option C is wrong because cloud providers do not offer a generic 'undelete' feature for encrypted objects; versioning is the intended mechanism for recovering overwritten or deleted objects, and 'undelete' typically refers to recovering deleted objects, not restoring encrypted ones. Option D is wrong because ransomware decryption keys are controlled by the attacker and are not available to the customer; attempting to decrypt without the key is infeasible and not a recommended recovery strategy.

710
MCQmedium

A security team is reviewing a cloud application's CI/CD pipeline. They want to ensure that only approved open-source libraries are used in production builds. Which approach best addresses this requirement?

A.Segment the build network to limit internet access
B.Perform static code analysis after each build
C.Implement a software composition analysis (SCA) tool in the pipeline
D.Require manual approval for all library updates
AnswerC

SCA identifies and blocks unapproved open-source components.

Why this answer

A Software Composition Analysis (SCA) tool is specifically designed to automatically scan open-source libraries for known vulnerabilities, licensing issues, and version compliance. By integrating SCA into the CI/CD pipeline, the team can enforce a policy that only approved libraries (e.g., those passing a security and license review) are allowed in production builds, blocking unapproved or vulnerable components before deployment.

Exam trap

ISC2 often tests the distinction between SAST (static code analysis), DAST (dynamic analysis), and SCA, expecting candidates to recognize that only SCA directly addresses the management and approval of third-party open-source components and their associated risks.

How to eliminate wrong answers

Option A is wrong because segmenting the build network to limit internet access only restricts network connectivity, but does not prevent developers from introducing unapproved libraries already cached or stored locally; it also breaks legitimate dependency resolution from approved repositories. Option B is wrong because static code analysis (SAST) focuses on source code flaws (e.g., SQL injection, buffer overflows) and does not inspect third-party library metadata, licenses, or known CVEs in dependencies. Option D is wrong because requiring manual approval for all library updates is an operational process that does not scale, lacks automated detection of unapproved libraries, and introduces human error and delay without providing a technical enforcement gate in the pipeline.

711
MCQeasy

A cloud security architect is designing a multi-tenant virtualized environment. Which type of hypervisor is considered most secure for cloud deployments due to its reduced attack surface and direct hardware control?

A.Type 1 bare-metal hypervisor
B.Type 2 hosted hypervisor
C.Emulated hypervisor (e.g., QEMU without KVM)
D.Container runtime (e.g., Docker)
AnswerA

Type 1 hypervisors run directly on hardware, providing better isolation and security.

Why this answer

Type 1 (bare-metal) hypervisors run directly on hardware without an underlying OS, reducing attack surface and improving isolation. Type 2 hypervisors run on a host OS, adding complexity and potential vulnerabilities.

712
MCQmedium

A cloud application uses IAM roles to grant permissions to compute instances. What is the primary security advantage of this approach over hardcoding credentials?

A.Simplified load balancing
B.Elimination of hardcoded secrets
C.Improved application performance
D.Reduced network latency
AnswerB

IAM roles provide temporary credentials without embedding secrets in code.

Why this answer

Using IAM roles eliminates the need to hardcode credentials (like access keys) in code, reducing the risk of exposure. IAM roles automatically rotate temporary credentials and are managed by the cloud provider.

713
MCQeasy

After decommissioning a cloud database, a company is concerned about data remanence. They have overwritten all storage blocks with zeros. However, regulatory auditors require proof that the data is unrecoverable. What additional step should the company take?

A.Physically destroy the storage media
B.Shred the hard drives
C.Request a certificate of destruction from the cloud provider
D.Degauss the drives
AnswerC

Certification provides audit evidence of proper sanitization.

Why this answer

In a cloud environment, the customer does not have physical access to the underlying storage media. Overwriting with zeros is a software-based sanitization method, but cloud providers typically do not allow customers to perform physical destruction or degaussing. The correct additional step is to request a certificate of destruction from the cloud provider, which serves as auditable proof that the provider has performed its own secure disposal process (e.g., NIST SP 800-88 compliant media sanitization) and that the data is unrecoverable.

Exam trap

The trap here is that candidates mistakenly apply on-premises data destruction methods (physical destruction, shredding, degaussing) to a cloud environment, forgetting that the customer lacks physical access and must rely on the provider's attestation and compliance documentation.

How to eliminate wrong answers

Option A is wrong because physically destroying storage media is not feasible for a cloud customer who lacks physical access to the provider's data centers; such actions would violate the shared responsibility model and the cloud provider's security policies. Option B is wrong because shredding hard drives is a physical destruction method that requires possession of the drives, which the customer does not have in a cloud IaaS/PaaS/SaaS model; the provider handles physical media lifecycle. Option D is wrong because degaussing (using a strong magnetic field to erase data) is only effective on magnetic media (e.g., HDDs) and cannot be performed by the customer on cloud infrastructure; it also does not work on SSDs or flash-based storage, which are common in cloud environments, and the customer lacks physical access to apply degaussing equipment.

714
MCQhard

A company is implementing a data loss prevention (DLP) strategy for cloud storage. They need to detect and mask credit card numbers in documents stored in a cloud storage bucket. The DLP service provides de-identification transforms including masking, tokenization, and pseudonymization. Which transform should the company use to irreversibly replace the credit card numbers with a placeholder while maintaining the original format for analytics?

A.Pseudonymisation
B.Bucketing
C.Masking
D.Tokenization
AnswerC

Masking irreversibly obscures data while preserving format.

Why this answer

Masking replaces sensitive data with a masked version, such as showing only the last four digits, preserving format for analytics. Tokenization substitutes with a token that requires a mapping table. Pseudonymization replaces with a consistent pseudonym that can be reversed.

Bucketing groups values into ranges.

715
MCQmedium

A company uses Azure Defender for Cloud to protect its hybrid environment. Which of the following is a feature of Azure Defender that provides vulnerability assessment for virtual machines?

A.Azure Secure Score
B.Azure Policy
C.Defender for Servers
D.Azure Sentinel
AnswerC

Defender for Servers includes vulnerability assessment and threat detection.

Why this answer

Azure Defender includes integrated vulnerability assessment via Qualys or Microsoft built-in scanner, available for Defender for Servers.

716
MCQeasy

Which of the following is the primary benefit of using client-side encryption for data stored in the cloud?

A.Automatic key rotation
B.Maximum control over encryption keys
C.Simplified key management
D.Reduced latency for data access
AnswerB

Cloud provider never has access to keys or data.

Why this answer

Client-side encryption ensures that the cloud provider never has access to the encryption keys or the plaintext data, giving the customer maximum control.

717
MCQmedium

A healthcare SaaS company runs containerized microservices on Google Kubernetes Engine (GKE). The security team scans containers with a vulnerability scanner and finds that base images have several critical vulnerabilities. The container build process uses a Dockerfile that pulls the latest Ubuntu image from Docker Hub. The team wants to reduce the attack surface without delaying feature releases. What is the best approach?

A.Place a network security policy to restrict outbound traffic from pods
B.Schedule weekly automated rebuilds with the latest base image
C.Adopt minimal hardened base images and integrate vulnerability scanning into CI/CD
D.Refactor all applications to use scratch as base image
AnswerC

Hardened images minimize vulnerabilities and scanning ensures early detection.

Why this answer

Option D is correct because using minimal hardened images (e.g., distroless) reduces vulnerabilities and attack surface. Option A (weekly patching) leaves windows open. Option B (rebuild from scratch) is time-consuming and error-prone.

Option C (network segmentation) does not address vulnerable images.

718
Multi-Selectmedium

A cloud architect is designing a multi-tenant SaaS application. Which TWO design principles are critical for ensuring tenant isolation? (Select TWO.)

Select 2 answers
A.Network isolation between tenants
B.Single shared database for all tenants
C.Using the same OS image for all tenants
D.Data isolation (e.g., schema per tenant or encryption)
E.Resource pooling across tenants
AnswersA, D

Correct. Network isolation prevents cross-tenant traffic.

Why this answer

Multitenancy isolation requires strong network isolation (e.g., virtual networks, security groups) and data isolation (e.g., separate databases or encryption per tenant) to prevent one tenant from accessing another's data.

719
MCQeasy

Refer to the exhibit. A CloudFormation template defines a security group as shown. What is the security concern with this configuration?

A.It allows SSH access on port 22.
B.It allows HTTP traffic on port 80, not HTTPS.
C.It does not allow outbound traffic.
D.It allows inbound traffic from all IP addresses on port 443, which is overly permissive.
AnswerD

Best practice is to restrict source IPs to known ranges.

Why this answer

Option D is correct because the security group rule allows inbound traffic on port 443 (HTTPS) from 0.0.0.0/0, which means any IP address on the internet can reach the resource. This is overly permissive and violates the principle of least privilege, as it exposes the service to potential attacks from any source without restriction.

Exam trap

ISC2 often tests the misconception that allowing a common protocol like HTTPS on port 443 is always safe, but the trap is that the source IP range (0.0.0.0/0) is the actual vulnerability, not the port or protocol itself.

How to eliminate wrong answers

Option A is wrong because allowing SSH access on port 22 is not inherently a security concern; the issue is the source IP range, not the protocol itself. Option B is wrong because the template allows HTTPS on port 443, not HTTP on port 80, and HTTP traffic is not defined in the exhibit. Option C is wrong because security groups in AWS are stateful by default, meaning that if inbound traffic is allowed, the corresponding outbound return traffic is automatically permitted, so the absence of explicit outbound rules does not block outbound traffic.

720
MCQmedium

An organization is using Azure and wants to centrally collect activity logs from multiple subscriptions into a single Log Analytics workspace for cross-account analysis and retention management. What is the best approach?

A.Use Azure Monitor Agent on all VMs to collect logs.
B.Enable Azure Sentinel on each subscription and aggregate using cross-workspace queries.
C.Use Azure Policy to deploy Diagnostic Settings on each subscription to stream Activity Logs to a central Log Analytics workspace.
D.Use Azure Storage account with event grid to forward logs to a central location.
AnswerC

Diagnostic settings can stream Activity Logs to a Log Analytics workspace, and Azure Policy can enforce this across subscriptions.

Why this answer

Option C is correct because Azure Policy can enforce the deployment of Diagnostic Settings across all subscriptions, automatically streaming Activity Logs to a central Log Analytics workspace. This ensures centralized collection, cross-account analysis, and retention management without manual configuration per subscription.

Exam trap

Cisco often tests the distinction between Azure Monitor Agent (for VM guest OS logs) and Diagnostic Settings (for Azure platform logs), leading candidates to mistakenly choose agent-based collection for subscription-level Activity Logs.

How to eliminate wrong answers

Option A is wrong because Azure Monitor Agent collects OS-level performance and event logs from VMs, not Azure Activity Logs (which are subscription-level control plane logs). Option B is wrong because Azure Sentinel is a SIEM that can use cross-workspace queries, but it does not natively aggregate Activity Logs from multiple subscriptions into a single workspace; it requires Diagnostic Settings to forward logs first, making it an unnecessary extra layer. Option D is wrong because Azure Storage with Event Grid can forward logs, but it introduces latency, complexity, and lacks the native querying and retention management capabilities of Log Analytics workspaces.

721
MCQhard

An organization needs to migrate a legacy application to the cloud. The application requires full control over the operating system, middleware, and runtime. The team wants to minimize management overhead while retaining OS-level access. Which cloud service model is most appropriate?

A.IaaS
B.SaaS
C.FaaS
D.PaaS
AnswerA

IaaS allows full OS control while the provider manages physical infrastructure.

Why this answer

IaaS provides virtualized hardware with OS access; PaaS abstracts the OS.

722
Multi-Selectmedium

An organization is implementing a SOAR solution for cloud incident response. Which THREE capabilities are essential for automating incident response workflows? (Choose three.)

Select 3 answers
A.Integration with threat intelligence feeds
B.Automated playbook execution
C.Case management and reporting
D.Manual ticketing system
E.Real-time user activity monitoring
AnswersA, B, C

Enriches alerts with context.

Why this answer

Integration with threat intelligence feeds (A) is essential because SOAR platforms ingest external threat data (e.g., STIX/TAXII feeds, CISA alerts) to enrich alerts and trigger automated responses. This allows the SOAR to correlate cloud events with known indicators of compromise (IOCs) and adjust playbooks dynamically without manual intervention.

Exam trap

Cisco often tests the distinction between SOAR's core capabilities (automation, orchestration, and case management) and adjacent technologies like SIEM or UEBA, leading candidates to mistakenly select monitoring or manual processes as essential SOAR features.

723
Multi-Selectmedium

A cloud security team is implementing tokenization for a payment system. Which THREE statements correctly describe tokenization characteristics?

Select 3 answers
A.Tokenization uses encryption algorithms to protect data.
B.The original sensitive data is stored in a secure token vault.
C.The token is a randomly generated string with no mathematical relationship to the original data.
D.Tokens can be used for transactions without exposing the original data.
E.Tokenization is reversible using the token alone.
AnswersB, C, D

Correct: The mapping between token and original data is stored in a vault.

Why this answer

Option B is correct because tokenization replaces sensitive data (e.g., credit card numbers) with a token, and the original data is stored securely in a token vault. This vault is isolated and access-controlled, ensuring that only authorized systems can detokenize the data when needed. The vault is the authoritative source for mapping tokens back to original values, which is fundamental to tokenization's security model.

Exam trap

ISC2 often tests the misconception that tokenization is a form of encryption, but the key distinction is that tokenization uses a lookup table (vault) rather than a mathematical algorithm, making it non-reversible without vault access.

724
MCQeasy

A cloud application uses OAuth 2.0 for authorization. What is the primary purpose of using a refresh token in this flow?

A.To obtain a new access token when the current one expires without user interaction.
B.To grant the same access token indefinitely.
C.To authenticate the user without a password.
D.To store user credentials on the resource server for later use.
AnswerA

Refresh tokens are long-lived and can be used to request new access tokens.

Why this answer

In OAuth 2.0, access tokens are short-lived by design to limit the window of compromise. A refresh token is a long-lived credential that allows the client to obtain a new access token from the authorization server without requiring the user to re-authenticate or re-consent. This enables seamless, ongoing access to protected resources while maintaining security through short-lived access tokens.

Exam trap

ISC2 often tests the misconception that refresh tokens are used for authentication or that they extend the life of the same access token, rather than understanding they are a separate credential used to obtain a new access token.

How to eliminate wrong answers

Option B is wrong because refresh tokens do not grant indefinite access; they can be revoked, have their own expiration, and are used to obtain new access tokens, not to extend the life of the same token. Option C is wrong because refresh tokens are not used for authentication; they are an authorization grant that assumes prior authentication has already occurred. Option D is wrong because refresh tokens are stored on the client (or client's backend), not on the resource server, and they are never used to store user credentials.

725
MCQmedium

A security analyst is configuring an API Gateway for a cloud application. The application must handle high traffic and prevent abuse from a single client. Which feature should the analyst enable to limit the number of requests from a client within a specified time window?

A.Rate limiting
B.TLS enforcement
C.Web Application Firewall (WAF) integration
D.API key authentication
AnswerA

Rate limiting controls the number of requests per time window from a client.

Why this answer

Rate limiting throttles requests from a client to prevent abuse and ensure fair usage. API keys authenticate but do not limit rate; WAF filters malicious traffic; TLS enforces encryption.

726
MCQeasy

A cloud administrator needs to ensure that all data transferred between an on-premises data center and a cloud VPC is encrypted in transit. Which solution should be used?

A.AWS Transit Gateway
B.AWS Route 53 Resolver
C.AWS Site-to-Site VPN
D.AWS Direct Connect
AnswerC

Site-to-Site VPN uses IPSec to encrypt all traffic between the on-premises network and VPC.

Why this answer

AWS Site-to-Site VPN creates an encrypted tunnel between an on-premises data center and a cloud VPC using IPsec (IKEv1/IKEv2) to protect all data in transit. This directly meets the requirement for encryption, as traffic traverses the public internet or a Direct Connect connection with encryption enabled.

Exam trap

The trap here is that candidates often assume Direct Connect inherently encrypts traffic because it is a private connection, but it does not; encryption must be explicitly implemented, and the VPN is the direct solution for encryption in transit.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway is a network transit hub that interconnects VPCs and on-premises networks, but it does not itself provide encryption; it can route traffic through a VPN attachment, but the encryption comes from the VPN, not Transit Gateway. Option B is wrong because AWS Route 53 Resolver is a DNS resolution service that resolves domain names to IP addresses; it has no role in encrypting data in transit. Option D is wrong because AWS Direct Connect provides a private, dedicated network connection that bypasses the public internet, but by default it does not encrypt traffic; encryption must be added separately (e.g., via IPsec over Direct Connect or a VPN).

727
Multi-Selecthard

A company is implementing a DLP strategy to protect PII in cloud storage. They need to discover sensitive data and then apply de-identification transforms. Which THREE de-identification transforms are appropriate for anonymizing PII while maintaining data utility for analytics? (Select THREE.)

Select 3 answers
A.Encryption
B.Bucketing
C.Pseudonymisation
D.Tokenization
E.Masking
AnswersC, D, E

Pseudonymisation replaces with consistent pseudonyms.

Why this answer

Masking, tokenization, and pseudonymisation are de-identification transforms that protect PII while preserving some utility. Masking obscures parts of data (e.g., showing only last four digits). Tokenization replaces with tokens that can be mapped back.

Pseudonymisation replaces with consistent pseudonyms that are reversible with additional data. Bucketing groups values into ranges, which can be useful but may reduce utility. Encryption is not considered a de-identification transform in DLP context.

728
MCQmedium

A cloud application uses an IAM role with a policy that allows 's3:*' on all buckets. This is an example of which cloud security issue?

A.Exposed S3 bucket
B.Over-permissive IAM
C.Insecure API endpoint
D.Hardcoded credentials
AnswerB

Wildcard permissions like 's3:*' grant too broad access.

Why this answer

Over-permissive IAM roles with wildcard permissions grant excessive privileges, violating least privilege.

729
MCQmedium

A security engineer discovers that a cloud application can access the metadata service endpoint at 169.254.169.254. Which vulnerability is most likely being exploited?

A.Server-Side Request Forgery (SSRF)
B.SQL Injection
C.Cross-Site Scripting (XSS)
D.Insecure Deserialization
AnswerA

SSRF enables an attacker to make requests from the server, potentially accessing internal services like the metadata endpoint.

Why this answer

Server-Side Request Forgery (SSRF) can be used to target the cloud metadata endpoint (169.254.169.254) to retrieve IAM credentials or other sensitive information. This is a cloud-specific vulnerability.

730
Multi-Selectmedium

A company uses GCP and wants to implement agentless vulnerability scanning for their Compute Engine instances. Which TWO services can provide this capability? (Choose two.)

Select 2 answers
A.GCP Web Security Scanner
B.GCP Cloud Armor
C.Rapid7 InsightVM (agentless via API)
D.GCP Security Command Center
E.Qualys Cloud Agent
AnswersC, D

Rapid7 can perform agentless scanning using cloud APIs.

Why this answer

Rapid7 InsightVM can perform agentless vulnerability scanning of GCP Compute Engine instances by leveraging the cloud provider's API to query instance configurations, installed software, and patch levels without requiring an agent on each VM. This is achieved through read-only API integrations that collect system metadata and compare it against vulnerability databases, making it a valid agentless scanning solution for GCP.

Exam trap

The trap here is that candidates often confuse agentless scanning with cloud-native services like Security Command Center (which provides vulnerability findings but relies on agents or API-based scanning partners) or mistakenly think Qualys Cloud Agent can operate agentlessly, when in fact it requires an installed agent.

731
MCQhard

A cloud security architect is designing a log aggregation strategy for a multi-account AWS environment. The security team needs to ensure logs from all accounts are stored centrally and cannot be altered. Which combination of services meets these requirements?

A.CloudTrail with cross-account log delivery to a central S3 bucket and enable log file validation
B.CloudWatch Logs to a centralized log group with IAM policies
C.S3 server access logs delivered to each account's own bucket
D.VPC Flow Logs to CloudWatch Logs in each account
AnswerA

This provides centralized storage and integrity verification.

Why this answer

Option A is correct because AWS CloudTrail supports cross-account log delivery to a central S3 bucket, and enabling log file validation uses a digest file signed with the CloudTrail private key to cryptographically verify that log files have not been modified, deleted, or tampered with since delivery. This combination ensures centralized storage and immutability, meeting the security team's requirements.

Exam trap

The trap here is that candidates may confuse centralized logging (e.g., CloudWatch Logs cross-account) with immutability, overlooking that only CloudTrail's log file validation provides cryptographic proof of non-repudiation and tamper detection.

How to eliminate wrong answers

Option B is wrong because CloudWatch Logs to a centralized log group with IAM policies does not provide cryptographic integrity verification; logs can be altered by anyone with sufficient permissions, and CloudWatch Logs does not offer built-in log file validation like CloudTrail. Option C is wrong because S3 server access logs delivered to each account's own bucket are not centralized; they remain in individual accounts and lack cross-account aggregation, and S3 server access logs do not support log file validation for tamper-proofing. Option D is wrong because VPC Flow Logs to CloudWatch Logs in each account are not stored centrally and have no mechanism to prevent alteration; they are per-account and lack the cryptographic integrity checks required for immutability.

732
MCQmedium

A company is storing sensitive customer data in an S3 bucket. They need to ensure data is encrypted at rest and that the encryption keys are managed by the cloud provider. Which encryption strategy should they use?

A.SSE-C (Server-Side Encryption with Customer-Provided Keys)
B.Client-side encryption
C.SSE-KMS (Server-Side Encryption with AWS KMS)
D.SSE-S3 (Server-Side Encryption with S3-Managed Keys)
AnswerD

SSE-S3 uses keys managed by AWS, meeting the requirement.

Why this answer

SSE-S3 (Server-Side Encryption with S3-Managed Keys) encrypts data at rest using AES-256, with the encryption keys fully managed by AWS. This meets the requirement for the cloud provider to handle key management without any customer involvement in key generation, storage, or rotation.

Exam trap

ISC2 often tests the distinction between 'managed by the provider' and 'managed by the customer' — candidates confuse SSE-KMS (customer-managed KMS keys) with provider-managed keys, but SSE-KMS still gives the customer control over key lifecycle, making SSE-S3 the only option where the provider fully manages keys.

How to eliminate wrong answers

Option A is wrong because SSE-C requires the customer to provide and manage their own encryption keys, which contradicts the requirement that the cloud provider manages the keys. Option B is wrong because client-side encryption occurs before data is sent to S3, meaning the customer manages the keys and encryption process, not the cloud provider. Option C is wrong because SSE-KMS uses AWS Key Management Service, which gives the customer control over key policies, rotation, and auditing, meaning the customer retains management responsibility even though AWS hosts the keys.

733
MCQeasy

An organization is moving sensitive customer data to the cloud and must ensure that data is encrypted before being sent to the cloud provider. They want to maintain full control over the encryption keys and not rely on the cloud provider for any key management. Which approach should they use?

A.VPN encryption
B.Server-side encryption with AWS KMS
C.Transparent Data Encryption (TDE)
D.Client-side encryption
AnswerD

Client-side encryption encrypts data before upload, giving the customer full control.

Why this answer

Client-side encryption involves encrypting data on-premises or on the client side before uploading to the cloud. The keys are controlled entirely by the customer, and the cloud provider never has access to the plaintext or keys.

734
MCQhard

A company is migrating to a hybrid cloud and needs to ensure consistent security policies across both on-premises and cloud environments. Which of the following is the MOST critical consideration?

A.Implementing single sign-on (SSO) for all users
B.Using dedicated private network connections
C.Choosing the same cloud provider for all public cloud workloads
D.Ensuring that security policies are uniformly applied and enforced across all environments
AnswerD

Consistent policy enforcement prevents security gaps between environments.

Why this answer

Consistent security policy enforcement is key in hybrid cloud. While identity management and encryption are important, ensuring the same policies apply across environments is the most critical to avoid gaps.

735
MCQmedium

Refer to the exhibit. An IAM policy is attached to a user. Which action is the user allowed to perform?

A.Change the bucket's policy.
B.Read an existing object from the bucket.
C.Upload a new object to the bucket.
D.Delete an object from the bucket.
AnswerB

s3:GetObject is explicitly allowed.

Why this answer

The IAM policy grants the `s3:GetObject` action, which allows the user to read (download) an existing object from the specified S3 bucket. The policy explicitly allows this action for the bucket `my-bucket` and its objects, so the user can perform read operations on objects within that bucket.

Exam trap

ISC2 often tests the distinction between read and write permissions in S3 policies, where candidates mistakenly assume that `s3:GetObject` implies the ability to upload or modify objects, but each action (Get, Put, Delete) must be explicitly granted.

How to eliminate wrong answers

Option A is wrong because changing a bucket's policy requires the `s3:PutBucketPolicy` action, which is not included in the attached policy. Option C is wrong because uploading a new object requires the `s3:PutObject` action, which is not granted by the policy. Option D is wrong because deleting an object requires the `s3:DeleteObject` action, which is also absent from the policy.

736
MCQhard

A financial services company is required to maintain audit trails of all user activities in its cloud environment for regulatory compliance. The company uses multiple cloud services and wants a centralized logging solution. The current architecture sends logs to a central storage bucket, but some logs are being lost due to high volume and insufficient throughput. Additionally, the logs must be immutable to prevent tampering. The company needs to ensure that all logs are captured and stored in a tamper-proof manner. Which of the following solutions BEST meets the requirements?

A.Configure the cloud provider's logging service to send logs to a dedicated bucket with versioning and object lock enabled, and set a high throughput.
B.Cache logs locally on each server and have a background job upload them to a bucket.
C.Use multiple log streams with different destinations and aggregate them using a third-party SIEM.
D.Use a message queue to decouple log generation from storage, and store logs in a bucket with immutability settings.
AnswerA

Correct: Versioning and object lock prevent modification; provider logging handles throughput.

Why this answer

Option A is correct because enabling Object Lock with retention modes (Governance or Compliance) on the cloud storage bucket ensures immutability, preventing log tampering. Versioning provides an additional safeguard by preserving all object versions, and configuring a high throughput setting (e.g., increasing the bucket's request rate limits or using a dedicated endpoint) addresses the log loss due to insufficient throughput.

Exam trap

The trap here is that candidates may choose Option D because a message queue addresses throughput, but they overlook that immutability must be enforced at the storage layer, not just by decoupling the pipeline.

How to eliminate wrong answers

Option B is wrong because caching logs locally and uploading via a background job introduces a single point of failure and potential data loss if the server crashes before upload, and it does not guarantee immutability at rest. Option C is wrong because using multiple log streams with different destinations and a third-party SIEM adds complexity and latency but does not inherently solve the throughput bottleneck or provide native immutability for the stored logs. Option D is wrong because while a message queue decouples log generation from storage and can help with throughput, it does not directly ensure immutability of the stored logs unless the storage bucket itself has immutability settings enabled; the question already requires a solution that ensures tamper-proof storage, and the message queue alone does not enforce that.

737
Multi-Selectmedium

A cloud security engineer is hardening container runtime environments. Which TWO of the following are effective measures to prevent container escape?

Select 2 answers
A.Using the latest kernel version
B.Mounting the host filesystem as read-only
C.Running containers in privileged mode
D.Dropping all Linux capabilities except those required
E.Applying Seccomp profiles
AnswersD, E

Correct; dropping capabilities reduces escape vectors.

Why this answer

Seccomp profiles restrict system calls, and dropping unnecessary Linux capabilities reduces the attack surface, both of which help prevent container escape.

738
MCQhard

Refer to the exhibit. A Kubernetes pod is configured as shown. Which security enhancement should be added to follow cloud security best practices?

A.Set allowPrivilegeEscalation to true
B.Use a more restrictive runAsUser value like 2000
C.Set readOnlyRootFilesystem to true
D.Use a trusted image from a private registry
AnswerC

Read-only root filesystem prevents unauthorized modifications.

Why this answer

Setting `readOnlyRootFilesystem` to true ensures the container's root filesystem is mounted as read-only, preventing attackers from modifying binaries, libraries, or configuration files at runtime. This is a key container hardening practice that limits the blast radius of a compromise, aligning with the CIS Benchmark for Kubernetes and cloud security best practices.

Exam trap

ISC2 often tests the distinction between runtime hardening (like read-only filesystem) and identity/access controls (like runAsUser or image trust), expecting candidates to recognize that a non-root user alone does not prevent file tampering.

How to eliminate wrong answers

Option A is wrong because setting `allowPrivilegeEscalation` to true allows processes within the container to gain more privileges than their parent (e.g., via setuid binaries), which directly violates the principle of least privilege and increases risk. Option B is wrong because while using a non-root user like 2000 is good practice, the question asks for a security enhancement to add; the pod already specifies `runAsUser: 1000`, which is already non-root, so changing the UID does not address the missing read-only filesystem or other hardening gaps. Option D is wrong because using a trusted image from a private registry is a supply chain security measure, but it does not mitigate runtime attacks that modify the container's filesystem; the pod configuration shown lacks filesystem-level protection, which is the immediate gap.

739
Multi-Selecteasy

Which TWO cloud monitoring tools are used primarily for detecting anomalous behavior that may indicate a security incident? (Choose two.)

Select 2 answers
A.Infrastructure monitoring tool.
B.Intrusion detection system (IDS).
C.Cloud cost management tool.
D.Application performance monitoring (APM).
E.Security information and event management (SIEM) system.
AnswersB, E

IDS monitors network traffic for malicious activity.

Why this answer

An Intrusion Detection System (IDS) is specifically designed to monitor network traffic and system activities for signs of malicious activity or policy violations, making it a primary tool for detecting anomalous behavior indicative of a security incident. A Security Information and Event Management (SIEM) system aggregates and correlates logs from multiple sources, using rules and analytics to identify patterns of suspicious activity that may signal a security breach.

Exam trap

ISC2 often tests the distinction between monitoring for performance (infrastructure/APM tools) versus monitoring for security (IDS/SIEM), and candidates mistakenly choose infrastructure monitoring or APM because they think 'monitoring' broadly covers security, but these tools lack the specific anomaly detection and correlation capabilities required for incident detection.

740
MCQeasy

A cloud security professional is concerned about VM escape attacks. Which mitigation is most effective?

A.Encryption of VM disks
B.Regular patching of the hypervisor
C.Use of Type 2 hypervisors
D.Network segmentation between VMs
AnswerB

Patching fixes known vulnerabilities that could be used for VM escape.

Why this answer

Hypervisor patching is the primary defense against VM escape, as these attacks exploit vulnerabilities in the hypervisor. Network segmentation and encryption do not prevent the attack itself.

741
Multi-Selectmedium

A security architect is designing a key management strategy for a cloud environment. They need to ensure that keys are rotated automatically and that the cloud service cannot access the key without explicit authorization. Which TWO options should they consider? (Choose two.)

Select 2 answers
A.Customer-supplied keys (CSEK) for each operation
B.Bring your own key (BYOK) with rotation configured in cloud KMS
C.Default server-side encryption using provider-managed keys
D.Customer-managed keys (CMEK) with automatic rotation in cloud KMS
E.Hold your own key (HYOK) with on-premises HSM
AnswersB, D

BYOK allows importing keys and managing rotation in cloud KMS.

Why this answer

Customer-managed keys (CMEK) allow the customer to control key lifecycle in cloud KMS, and BYOK enables importing keys from on-premises while still using cloud KMS for rotation.

742
MCQhard

A cloud service provider (CSP) is designing a multi-tenant infrastructure and needs to ensure that a security incident in one tenant's environment does not compromise the confidentiality or integrity of other tenants. The CSP plans to use a combination of network segmentation, hypervisor isolation, and encryption. Which additional control is MOST critical to prevent side-channel attacks that could leak cryptographic keys or other sensitive data across tenants?

A.Ensure cryptographic operations use constant-time algorithms.
B.Implement virtual LANs (VLANs) and firewall rules between tenants.
C.Use hardware security modules (HSMs) for key management.
D.Enforce strict API rate limiting for each tenant.
AnswerA

Constant-time algorithms resist timing and cache-based side-channel attacks.

Why this answer

Side-channel attacks, such as timing attacks, exploit variations in execution time to infer sensitive data like cryptographic keys. Constant-time algorithms ensure that cryptographic operations execute in a fixed duration regardless of input, eliminating timing variations that could be measured across shared physical hardware. This is critical in multi-tenant environments where tenants share CPU caches and memory buses, as it prevents an attacker from extracting key material through precise timing measurements.

Exam trap

ISC2 often tests the distinction between network-level isolation (VLANs, firewalls) and microarchitectural side-channel defenses, leading candidates to choose network controls when the question specifically targets side-channel attacks that bypass network segmentation.

How to eliminate wrong answers

Option B is wrong because VLANs and firewall rules provide network-layer isolation but do not address side-channel attacks that occur at the hardware or microarchitectural level, such as cache timing or branch prediction analysis. Option C is wrong because HSMs secure key storage and operations but do not prevent side-channel leakage from the CPU or memory during cryptographic processing; an attacker can still observe timing or power variations. Option D is wrong because API rate limiting controls request frequency to prevent abuse but has no effect on side-channel attacks that exploit shared processor resources like caches or execution pipelines.

743
MCQmedium

A cloud security architect is evaluating vulnerability management solutions for a hybrid cloud environment. The team needs to scan both on-premises servers and cloud workloads without installing agents on every system. Which approach is most suitable for cloud workloads?

A.Agent-based scanning using Amazon Inspector
B.Network vulnerability scanning from a remote scanner
C.Container image scanning only
D.Agentless scanning via cloud APIs (CSPM)
AnswerD

CSPM tools like AWS Security Hub use API-based scanning to check configurations and vulnerabilities without agents.

Why this answer

Agentless scanning uses cloud APIs to assess vulnerabilities without requiring an agent on each instance. This is ideal for cloud workloads where agents may not be desired.

744
MCQhard

An e-commerce company uses a cloud-based web application firewall (WAF) to protect against common web exploits. The security team notices that a specific IP address is sending a high volume of requests that appear to be a DDoS attack. What is the best immediate response to mitigate the attack while minimizing impact on legitimate users?

A.Change the DNS to point to a different IP address.
B.Increase the compute capacity of the web servers.
C.Block the IP address in the WAF.
D.Implement rate limiting on the IP address with a threshold that allows normal traffic.
AnswerD

Rate limiting can distinguish between human users and automated attacks, reducing impact.

Why this answer

Option D is correct because rate limiting at the WAF allows the security team to restrict the volume of requests from the offending IP address without completely blocking it. This approach ensures that legitimate traffic from that IP (e.g., a shared NAT gateway or a user with a dynamic IP) can still pass through, while the DDoS attack traffic is throttled. WAFs typically support granular rate-limiting rules based on IP, session, or URI, making this the most precise and least disruptive immediate response.

Exam trap

ISC2 often tests the misconception that blocking an IP address (Option C) is the safest immediate action, but the trap is that legitimate users can share the same IP via NAT or proxy, making rate limiting a more precise and less harmful control.

How to eliminate wrong answers

Option A is wrong because changing DNS to point to a different IP address does not mitigate the attack; the attacker can simply follow the new IP, and DNS propagation delays (up to 48 hours) leave the original IP exposed. Option B is wrong because increasing compute capacity (horizontal or vertical scaling) does not stop the attack; it only temporarily absorbs more traffic, and the attacker can easily scale up the DDoS volume, leading to resource exhaustion and higher costs. Option C is wrong because blocking the IP address outright in the WAF may inadvertently block legitimate users who share that IP (e.g., users behind a carrier-grade NAT or a corporate proxy), causing a denial of service to valid customers.

745
MCQeasy

An organization wants to detect potential crypto mining activity on their AWS EC2 instances. Which AWS service uses machine learning to identify such threats?

A.AWS WAF
B.Amazon GuardDuty
C.Amazon Inspector
D.AWS Shield
AnswerB

GuardDuty uses ML to detect threats like crypto mining.

Why this answer

Amazon GuardDuty is a threat detection service that uses machine learning, anomaly detection, and integrated threat intelligence to continuously monitor for malicious activity, including cryptocurrency mining (e.g., connections to known mining pools or unusual compute resource spikes). It analyzes AWS CloudTrail logs, VPC Flow Logs, and DNS logs to identify behavioral patterns indicative of crypto mining, such as sustained outbound traffic to mining pool IPs or unusual EC2 instance launches.

Exam trap

The trap here is that candidates often confuse Amazon Inspector (a vulnerability scanner) with GuardDuty (a threat detection service), mistakenly thinking Inspector's agent-based monitoring can detect runtime threats like crypto mining, when in fact Inspector only assesses configuration and software vulnerabilities.

How to eliminate wrong answers

Option A is wrong because AWS WAF is a web application firewall that protects against common web exploits like SQL injection and cross-site scripting, not a service that uses machine learning to detect crypto mining activity on EC2 instances. Option C is wrong because Amazon Inspector is a vulnerability management service that scans for software vulnerabilities and unintended network exposure, not a machine learning-based threat detection service for behavioral anomalies like crypto mining. Option D is wrong because AWS Shield is a managed DDoS protection service that safeguards against distributed denial-of-service attacks, not a service that identifies crypto mining threats via machine learning.

746
MCQmedium

A security auditor is reviewing a cloud provider's controls to ensure that customer data is appropriately isolated. Which design principle is most directly related to this requirement?

A.Multitenancy isolation
B.Reversibility
C.Portability
D.Elasticity
AnswerA

Multitenancy isolation ensures separation between tenants.

Why this answer

Multitenancy isolation ensures that resources (compute, storage, network) of different customers are separated. Elasticity is about scaling, portability about moving, reversibility about exiting.

747
MCQhard

A company plans to deploy a multi-tier application across multiple cloud providers to avoid single points of failure. They need to ensure consistent security policies, including identity federation and network segmentation, across all environments. Which architecture consideration is MOST critical?

A.Using a single cloud provider for all tiers
B.Storing all data in a single provider's data center
C.Using different encryption standards for each provider
D.Implementing a unified security policy management tool
AnswerD

A unified tool ensures consistent policies across providers.

Why this answer

Consistent security policy across environments is critical in hybrid/multi-cloud.

748
MCQmedium

A company is adopting shift-left security. Which action best exemplifies this approach?

A.Running SAST scans during code development
B.Monitoring logs for suspicious activity
C.Performing security reviews after deployment
D.Conducting penetration testing annually
AnswerA

SAST during development catches issues early.

Why this answer

Integrating security testing into the development phase (e.g., SAST, dependency scanning) before code is committed or deployed is the essence of shift-left security.

749
MCQmedium

An organization uses cloud object storage for backup data and requires that once written, data cannot be modified or deleted for a specified retention period. Which feature should they enable?

A.Bucket versioning
B.Object lock with write-once-read-many (WORM) protection
C.Encryption at rest with customer-managed keys
D.Lifecycle management to expire objects old objects
AnswerB

Ensures immutability during retention period.

Why this answer

Object lock with WORM protection is the correct feature because it enforces a retention policy that prevents any user, including the root account, from modifying or deleting objects until the retention period expires. This is specifically designed for compliance requirements such as SEC 17a-4(f) and ensures data immutability at the object level, which bucket versioning, encryption, or lifecycle rules cannot guarantee.

Exam trap

ISC2 often tests the misconception that bucket versioning alone provides data immutability, but versioning only protects against accidental overwrites by preserving old versions, not against intentional deletion or modification of the current version.

How to eliminate wrong answers

Option A is wrong because bucket versioning preserves multiple versions of an object but does not prevent deletion or overwrite of the current version; it only allows recovery of previous versions, not immutability. Option C is wrong because encryption at rest with customer-managed keys protects data confidentiality but does not enforce any write-once or retention constraints; data can still be modified or deleted by authorized users. Option D is wrong because lifecycle management automates the transition or expiration of objects based on age or rules, but it does not prevent deletion or modification during the retention period; in fact, it can delete objects prematurely if misconfigured.

750
Multi-Selecthard

A global enterprise is conducting a cloud risk assessment. Which THREE factors should be considered? (Select three.)

Select 3 answers
A.Color of the provider's logo
B.Inherent risk of data leaving the on-premises environment
C.Provider's stock price
D.Concentration risk from using a single cloud provider
E.Effectiveness of provider controls as evidenced by audit reports
AnswersB, D, E

Correct. Moving data to cloud introduces inherent risks.

Why this answer

Inherent risk relates to data leaving premises. Provider control effectiveness is assessed via audit reports. Concentration risk is the risk of over-reliance on a single provider.

Page 9

Page 10 of 14

Page 11