Certified Cloud Security Professional CCSP (CCSP) — Questions 751–825

987 questions total · 14 pages · All types, answers revealed

Page 11 of 14
751
MCQ · easy

A company is designing a multi-tier application in the cloud. The web tier must automatically scale based on CPU utilization, while the database tier should remain fixed to maintain data consistency. Which architectural pattern best meets these requirements?

A. Horizontal auto-scaling for the web tier and a fixed database tier
B. Manual scaling for both tiers
C. Vertical scaling of all tiers
D. Single-tier architecture with auto-scaling
Answer: A

This pattern separates stateless and stateful components appropriately.

Why this answer

Option A is correct because it separates the stateless web tier, which can safely scale horizontally using auto-scaling groups triggered by CPU utilization thresholds, from the stateful database tier, which must remain fixed to avoid consistency issues such as split-brain or replication lag. Horizontal scaling adds or removes identical web server instances without affecting session state, while a fixed database tier preserves ACID properties and prevents conflicts from concurrent writes across multiple database nodes.

Exam trap

ISC2 often tests the misconception that auto-scaling should apply uniformly to all tiers, but the trap here is that candidates forget the database tier requires stateful consistency and cannot scale horizontally without introducing eventual consistency or complex distributed transactions.

How to eliminate wrong answers

Option B is wrong because manual scaling for both tiers introduces operational overhead and cannot react dynamically to load changes, defeating the purpose of cloud elasticity. Option C is wrong because vertical scaling of all tiers (increasing instance size) has hard limits (maximum VM size) and does not address the need for the web tier to scale out; it also incorrectly scales the database tier, which should remain fixed. Option D is wrong because a single-tier architecture with auto-scaling collapses web and database functions into one layer, causing data consistency problems when multiple instances write to the same local storage and violating the multi-tier design requirement.

752
Multi-Select · medium

A company uses a cloud key management service (KMS) with automatic key rotation enabled. Which TWO statements about key rotation are true?

Select 2 answers
A. The key ID changes after each rotation.
B. The old key is immediately destroyed after rotation.
C. New key material is generated, and the old key material is retained for decryption.
D. Applications using the key continue to work without modification.
E. All data encrypted with the old key must be re-encrypted.
Answers: C, D

Correct: Automatic rotation creates a new version; the old version is kept for decryption.

Why this answer

Option C is correct because cloud KMS services (e.g., AWS KMS, Azure Key Vault) implement automatic key rotation by generating new cryptographic key material while retaining the old key material. This allows data encrypted with the previous key version to still be decrypted, as the old key material is not destroyed but simply marked as retired for encryption operations.

Exam trap

ISC2 often tests the misconception that key rotation changes the key identifier or requires immediate re-encryption, when in fact the key ID remains stable and old key material is preserved for decryption.

753
MCQ · easy

A security analyst reviews GCP Security Command Center findings and sees a high-severity alert for Event Threat Detection indicating that a service account key was used from an unexpected location. What is the best immediate action to contain the threat?

A. Disable the service account key
B. Create a new service account
C. Delete the service account
D. Rotate the key and monitor
Answer: A

Disabling the key immediately prevents further unauthorized use.

Why this answer

The correct immediate action is to disable the compromised service account key because Event Threat Detection has identified that the key is being used from an unexpected location, indicating potential unauthorized access. Disabling the key stops all further usage without deleting the service account or its other keys, preserving legitimate operations. This aligns with the principle of least privilege and incident response containment, as the key can later be rotated or deleted after investigation.

Exam trap

Cisco often tests the distinction between 'disable' and 'rotate' in key compromise scenarios, where candidates mistakenly choose rotation thinking it invalidates the old key, but rotation only creates a new key without disabling the old one unless explicitly done.

How to eliminate wrong answers

Option B is wrong because creating a new service account does not address the compromised key; the old key remains active and can still be used by the attacker. Option C is wrong because deleting the entire service account would disrupt all applications and resources relying on that account, which is an overly destructive action for a single compromised key. Option D is wrong because rotating the key (generating a new key) does not immediately disable the old compromised key; the old key remains valid until it is explicitly disabled or deleted, allowing continued unauthorized access during the rotation process.

754
MCQ · easy

Which NIST essential characteristic of cloud computing allows the provider to dynamically assign and reassign resources to multiple tenants, often using a multi-tenant model?

A. Resource pooling
B. Rapid elasticity
C. Broad network access
D. Measured service
Answer: A

Correct. Pooling supports multi-tenancy and dynamic assignment.

Why this answer

Resource pooling is the characteristic where the provider's computing resources are pooled to serve multiple consumers, with physical and virtual resources dynamically assigned.

755
MCQ · easy

A company that must comply with SOX is migrating its financial systems to a cloud service. Which of the following IT general controls is most critical for SOX compliance in the cloud?

A. Multi-factor authentication
B. Data encryption at rest
C. Automated backup procedures
D. Change management controls
Answer: D

Change management is a fundamental IT general control for SOX to ensure integrity of financial systems.

Why this answer

SOX requires strong controls over financial data; change management ensures changes to systems are authorized and tested.

756
Multi-Select · medium

Which THREE of the following are valid methods for achieving multitenancy isolation in a public cloud IaaS environment?

Select 3 answers
A. Encrypting data at rest with tenant-specific keys
B. Using a single database schema for all tenants
C. Storage area network (SAN) zoning to separate tenant data
D. Shared memory segments across tenants for performance
E. Hypervisor-level isolation between virtual machines
Answers: A, C, E

Encryption prevents unauthorized access.

Why this answer

Hypervisor isolation, storage network segmentation such as SAN zoning, and data encryption at rest with tenant-specific keys are all valid isolation methods. Shared memory segments and a single database schema for all tenants would break isolation.

757
MCQ · medium

A software-as-a-service (SaaS) provider hosts customer data in a multi-tenant cloud environment. Each customer's data is stored in separate databases but shares a common infrastructure. A customer reports that they can see another customer's data in their application dashboard. The development team investigates and finds no application-level bugs. The security team suspects the issue is related to cloud data isolation. The provider uses a public cloud database service with separate schemas per customer. The database service uses shared compute resources. The provider's compliance team is concerned about data leakage between tenants. Which of the following is the MOST effective way to ensure data isolation in this environment?

A. Implement row-level security (RLS) on the database tables to restrict access based on customer ID.
B. Use application-level encryption with different keys per customer.
C. Enable database auditing and monitor for anomalies.
D. Move each customer to a separate database instance.
Answer: A

RLS provides fine-grained access control at the row level.

Why this answer

Row-level security (RLS) is the most effective because it enforces data isolation directly within the shared database engine, filtering rows based on the customer ID predicate. This prevents any cross-tenant data access even if the application layer is compromised or misconfigured, as the database itself evaluates the security policy on every query. Unlike encryption or auditing, RLS provides a deterministic access control mechanism that operates at the query execution level, ensuring that each tenant sees only their own data.

Exam trap

ISC2 often tests the misconception that encryption alone ensures data isolation, but encryption does not control access to the decrypted data once it is retrieved; the trap here is choosing application-level encryption (Option B) because it sounds security-focused, while RLS directly addresses the access control gap at the database layer.

How to eliminate wrong answers

Option B is wrong because application-level encryption with per-customer keys protects data at rest and in transit but does not prevent a query from returning another customer's encrypted data; the application could still decrypt it if the wrong key is used or if the key management is flawed. Option C is wrong because database auditing only logs access events for after-the-fact review; it does not prevent unauthorized data exposure in real time. Option D is wrong because moving each customer to a separate database instance would achieve isolation but is not the most effective use of shared resources in a multi-tenant SaaS environment; it increases operational complexity and cost, and RLS can achieve the same isolation without requiring separate instances.

758
MCQ · easy

A cloud administrator is rotating encryption keys for a data storage service. The administrator wants to ensure that previously encrypted data remains accessible after the rotation. What is the best practice?

A. Delete the old key after rotation
B. Retain the old key and use envelope encryption so the new key can decrypt the old key
C. Re-encrypt all data with the new key immediately
D. Disable the old key and only use the new key for new writes
Answer: B

Old keys are kept but not active; new wrapped keys allow access.

Why this answer

Envelope encryption allows the new key to decrypt the old key, which in turn decrypts the data. This ensures that previously encrypted data remains accessible without re-encrypting it, as the old key is retained and protected under the new key. This is the best practice for key rotation in cloud storage services like AWS KMS or Azure Key Vault.

Exam trap

ISC2 often tests the misconception that key rotation requires immediate re-encryption of all data, but the correct approach is to retain old keys and use envelope encryption to maintain access without re-encryption.

How to eliminate wrong answers

Option A is wrong because deleting the old key immediately after rotation would render all data encrypted with that key permanently inaccessible, violating the requirement to maintain access. Option C is wrong because re-encrypting all data with the new key immediately is inefficient, resource-intensive, and unnecessary when envelope encryption can provide seamless access. Option D is wrong because disabling the old key without retaining it for decryption would break access to existing encrypted data, as the new key alone cannot decrypt data encrypted with the old key.

759
MCQ · easy

Which tool is specifically designed to scan Infrastructure as Code (IaC) templates for cloud misconfigurations before deployment?

A. Checkov
B. OWASP ZAP
C. Snyk
D. GitGuardian
Answer: A

Checkov specializes in IaC security scanning.

Why this answer

Checkov is an IaC security scanner that checks Terraform, CloudFormation, and Kubernetes manifests for misconfigurations before deployment. The other tools serve different purposes.

760
MCQ · hard

A multinational corporation uses multiple cloud service providers for its critical applications. The board is concerned about concentration risk. Which strategy would best address this risk?

A. Negotiating a longer contract with the primary cloud provider to ensure stability
B. Implementing a hybrid cloud model with on-premises infrastructure only
C. Adopting a multi-cloud strategy that distributes applications across multiple cloud providers
D. Requiring each business unit to use the same cloud provider for consistency
Answer: C

Multi-cloud reduces dependency on a single provider.

Why this answer

Concentration risk refers to over-reliance on a single provider. A multi-cloud strategy reduces this risk by distributing workloads across multiple providers, avoiding a single point of failure.

761
MCQ · medium

An organization uses Azure Functions and needs to ensure that the function can securely access a database in a private VNet. What is the recommended approach?

A. Place the function in the same VNet as the database without any additional configuration
B. Use a VPN connection from the function to the database VNet
C. Enable VNet integration for the function app and configure the function to use the private IP of the database
D. Store database credentials in environment variables and use a public endpoint with IP whitelisting
Answer: C

Correct; VNet integration provides private connectivity.

Why this answer

VNet integration allows Azure Functions to access resources in a virtual network without exposing them to the internet, using a private IP.

762
MCQ · easy

A company uses Azure Sentinel as its SIEM. To ingest Azure Activity Logs and correlate with other data sources, which connector should be configured?

A. Office 365 connector
B. Azure Defender connector
C. Azure Activity connector
D. Windows Security Events connector
Answer: C

This connector ingests Activity Logs for analysis in Sentinel.

Why this answer

The Azure Activity connector is specifically designed to ingest Azure Activity Logs, which contain subscription-level events such as resource creation, modification, and deletion. This connector enables Sentinel to correlate these operational logs with other data sources for comprehensive threat detection and incident response.

Exam trap

The trap here is that candidates confuse Azure Activity Logs (subscription-level operations) with Azure Defender alerts (security findings) or Office 365 logs (SaaS application logs), leading them to select a connector that ingests a different log type.

How to eliminate wrong answers

Option A is wrong because the Office 365 connector ingests logs from Microsoft 365 services (e.g., Exchange, SharePoint, Teams), not Azure subscription-level activity logs. Option B is wrong because the Azure Defender connector ingests security alerts from Azure Defender (formerly Azure Security Center), not raw Azure Activity Logs. Option D is wrong because the Windows Security Events connector ingests security event logs from Windows machines (e.g., Event ID 4625 for failed logons), not Azure platform logs.

763
MCQ · medium

A healthcare organization stores patient records in a cloud object storage bucket. The compliance team requires that all files containing Protected Health Information (PHI) be automatically identified and classified. Which service should the organization implement to scan the bucket for PHI and label the data accordingly?

A. Cloud Audit Logs
B. Cloud KMS
C. Cloud DLP API
D. Identity and Access Management (IAM)
Answer: C

Cloud DLP API can discover and classify sensitive data such as PHI.

Why this answer

Cloud DLP (Data Loss Prevention) APIs can scan cloud storage for sensitive data like PHI and perform classification and labeling.

764
MCQ · hard

An administrator notices the log entries in the exhibit from a cloud-hosted server. What is the MOST likely security concern indicated by these logs?

A. A brute-force attack succeeded in logging into the system, and a database password was exposed in the command line
B. Data was exfiltrated from the MySQL database
C. The MySQL database was accessed by an unauthorized user
D. A failed SSH login attempt indicates a misconfigured firewall
Answer: A

Failed then accepted login indicates brute-force success; password in plaintext is a credential exposure.

Why this answer

The log entries show a successful SSH login followed by a MySQL command that includes the database password in plaintext on the command line (e.g., `mysql -u root -pPassword123`). This indicates a brute-force attack succeeded, and the password was exposed in the process list or shell history, which is a critical data security concern.

Exam trap

ISC2 often tests the distinction between a successful brute-force attack and data exfiltration, where candidates confuse a successful login with actual data theft, but the logs here only show the password exposure, not data movement.

How to eliminate wrong answers

Option B is wrong because data exfiltration from MySQL would require evidence of SELECT or export commands (e.g., INTO OUTFILE) transferring data to an external location, which is not present in the logs. Option C is wrong because the logs show a successful SSH login, not direct MySQL access; the MySQL access is subsequent and authorized by the logged-in user, not an unauthorized user. Option D is wrong because a failed SSH login attempt would show authentication failure messages (e.g., 'Failed password'), not a successful login; the logs show a successful login, so a misconfigured firewall is irrelevant.

765
MCQ · easy

A company is considering moving its customer relationship management (CRM) system to the cloud. The CRM is accessed through a web browser and the provider handles all maintenance, security, and infrastructure. Which cloud service model is being used?

A. IaaS
B. FaaS
C. SaaS
D. PaaS
Answer: C

SaaS delivers fully managed software over the internet.

Why this answer

In SaaS, the provider manages everything except user access and data.

766
MCQ · hard

An organization is migrating a legacy application to the cloud and plans to use a cloud access security broker (CASB). Which of the following is the PRIMARY function of a CASB in securing cloud applications?

A. Performing vulnerability scans on cloud infrastructure
B. Encrypting data at rest in cloud storage
C. Protecting against distributed denial-of-service (DDoS) attacks
D. Enforcing security policies across cloud applications and controlling access
Answer: D

CASBs provide visibility, policy enforcement, and threat protection for cloud apps.

Why this answer

The primary function of a CASB is to enforce security policies and control access across cloud applications, acting as an intermediary between users and cloud providers. It provides visibility into cloud usage, applies data loss prevention (DLP) rules, and enforces authentication and authorization policies, which directly addresses the need to secure a legacy application migrated to the cloud.

Exam trap

ISC2 often tests the distinction between a CASB's primary role (policy enforcement and access control) and secondary capabilities (like encryption or DLP), leading candidates to mistake a supporting feature for the core function.

How to eliminate wrong answers

Option A is wrong because vulnerability scanning of cloud infrastructure is typically performed by a cloud security posture management (CSPM) tool or a vulnerability scanner, not a CASB, which focuses on application-level policy enforcement and user access control. Option B is wrong because while a CASB can apply encryption for data in transit or at rest via tokenization or proxy-based encryption, its primary function is not encrypting data at rest; that is a feature of cloud storage services or dedicated encryption tools. Option C is wrong because protecting against DDoS attacks is handled by web application firewalls (WAFs) or DDoS mitigation services, not a CASB, which is designed for visibility, compliance, and access control for cloud applications.

767
MCQ · medium

Refer to the exhibit. A cloud administrator sees this error log from AWS CloudTrail. The user [email protected] is a member of the 'Analysts' group. Which of the following is the most likely cause of the AccessDenied error?

A. The user is trying to access the bucket from a different AWS region.
B. The IAM policy attached to the user or group does not include s3:PutObject for that bucket.
C. The bucket policy explicitly denies access to the 'Analysts' group.
D. The bucket requires server-side encryption and the request did not include encryption headers.
Answer: B

Missing IAM permissions are a common cause of AccessDenied.

Why this answer

The AccessDenied error for an s3:PutObject operation indicates that the IAM policy attached to the user or group does not grant the necessary permissions. Since the user is a member of the 'Analysts' group, the most likely cause is that the group's IAM policy lacks an Allow effect for s3:PutObject on the target bucket. AWS IAM evaluates both identity-based and resource-based policies, and if no explicit Allow is present, the default implicit deny applies.

Exam trap

ISC2 often tests the distinction between an implicit deny (missing Allow) and an explicit deny (Deny statement), and candidates mistakenly assume a bucket policy or encryption requirement is the cause when the error is simply a missing permission in the IAM policy.

How to eliminate wrong answers

Option A is wrong because S3 bucket access is not region-specific; a bucket is a global resource and cross-region access is allowed by default unless explicitly restricted by a bucket policy or VPC endpoint. Option C is wrong because the error log does not indicate an explicit deny; an explicit deny would produce a different error message (e.g., 'AccessDenied' with a reason like 'explicit deny'), and the question states the user is a member of the 'Analysts' group without mentioning a bucket policy that denies them. Option D is wrong because if the bucket required server-side encryption and the request lacked encryption headers, the error would be 'AccessDenied' but with a specific message about encryption requirements (e.g., 'The bucket policy requires encryption headers'), not a generic AccessDenied for s3:PutObject.

768
Multi-Select · hard

Which THREE of the following are key components of an incident response plan specific to cloud environments? (Choose three.)

Select 3 answers
A. Establishing a process for preserving system snapshots and logs as evidence
B. Requiring involvement of the legal department for every incident
C. Defining procedures for contacting the cloud provider's support and security teams
D. Including a detailed data forensic analysis procedure for all incident types
E. Clarifying the shared responsibility model for incident handling
Answers: A, C, E

Key to evidence preservation.

Why this answer

Options A, C, and E are correct. A: Preserving system snapshots and logs ensures evidence is available for investigation. C: Contacting the cloud provider is essential for assistance and evidence preservation. E: Understanding the shared responsibility model clarifies who does what.

Option D is wrong because data forensic analysis is part of the response, not a plan component in itself; the plan should define procedures rather than prescribe a detailed analysis for every incident type. Option B is wrong because the incident response team primarily handles incidents; legal involvement is case-specific and not required for all incidents.

769
MCQ · easy

A cloud administrator is designing a backup strategy for a critical database. Which of the following is the BEST approach to ensure data recoverability in case of a regional outage?

A. Regularly copy backups to a different geographic region.
B. Use tape backups stored in a physical safe in the same building.
C. Perform only daily backups without replication.
D. Store backups in a different availability zone within the same region.
Answer: A

Cross-region replication ensures data survives a regional outage.

Why this answer

Option A is correct because replicating backups to a different geographic region ensures data recoverability even if the entire primary region experiences a catastrophic outage. This approach leverages cross-region replication, which provides independent fault domains and meets the recovery point objective (RPO) and recovery time objective (RTO) requirements for regional disaster scenarios. Cloud providers like AWS, Azure, and GCP offer services such as S3 Cross-Region Replication (CRR) or Azure Geo-Redundant Storage (GRS) to automate this process.

Exam trap

ISC2 often tests the distinction between 'availability zone' and 'region' redundancy, where candidates mistakenly believe that multiple AZs within a single region provide sufficient protection against a regional outage, but they do not—only cross-region replication ensures survivability from a full regional failure.

How to eliminate wrong answers

Option B is wrong because tape backups stored in a physical safe in the same building are vulnerable to the same regional disaster (e.g., earthquake, flood, power grid failure) and do not provide off-site protection; they also introduce latency and manual handling risks. Option C is wrong because performing only daily backups without replication creates a single point of failure; if the primary region fails, the backup data is lost or inaccessible, violating the principle of geographic redundancy. Option D is wrong because storing backups in a different availability zone within the same region does not protect against a regional outage, as the entire region can fail simultaneously (e.g., due to a widespread natural disaster or service provider failure).

770
Multi-Select · medium

Which TWO measures are effective for securing container images in a cloud environment?

Select 2 answers
A. Store images in a public registry without scanning
B. Sign images to ensure integrity
C. Use latest tags without version pinning
D. Run containers with root privileges
E. Scan images for vulnerabilities before deployment
Answers: B, E

Image signing verifies the image has not been tampered with.

Why this answer

Signing container images (e.g., using Docker Content Trust or Notary) ensures integrity and authenticity by cryptographically verifying that the image has not been tampered with since it was signed. This prevents man-in-the-middle attacks and the deployment of malicious images, which is a critical security measure in cloud environments where images are pulled from remote registries.

Exam trap

ISC2 often tests the misconception that 'latest tags are safe because they always point to the most recent version,' but the trap is that 'latest' is a mutable tag that can silently introduce breaking changes or vulnerabilities, whereas version pinning (e.g., using a specific digest or semantic version) ensures deterministic and auditable deployments.

771
MCQ · hard

A financial institution uses a multi-cloud strategy with AWS and Azure. They must comply with PCI DSS. The security team found that a developer accidentally stored a file with credit card numbers in an S3 bucket that is publicly readable. Which immediate action should be taken to contain the breach?

A. Delete the file immediately.
B. Enable default encryption on the bucket.
C. Remove the public read permission on the bucket.
D. Revoke the developer's IAM credentials.
Answer: C

This stops further exposure while preserving the file for forensic analysis.

Why this answer

Option C is correct because removing the public read permission on the S3 bucket immediately stops unauthorized access to the file containing credit card numbers, containing the breach in accordance with PCI DSS incident response requirements. This action does not destroy evidence (unlike deletion) and directly addresses the root cause—the bucket's misconfigured access control list (ACL) or bucket policy that allowed public read access. It is the fastest way to prevent further data exfiltration while preserving the file for forensic analysis.

Exam trap

ISC2 often tests the misconception that deleting the file or revoking credentials is the fastest containment step, but the trap here is that the root cause is the public permission, not the file's existence or the developer's identity—removing public access stops all anonymous access instantly, which is the correct containment action per incident response best practices.

How to eliminate wrong answers

Option A is wrong because deleting the file destroys potential forensic evidence needed for incident investigation and compliance reporting under PCI DSS Requirement 10 (track and monitor access to cardholder data), and the file may still be cached or accessible via bucket versioning or replication. Option B is wrong because enabling default encryption does not affect existing public read permissions; it only encrypts new objects at rest, leaving the already-exposed file still publicly readable. Option D is wrong because revoking the developer's IAM credentials does not remove the public read permission on the bucket; the file remains accessible to anyone on the internet, so the breach continues.

772
Multi-Select · medium

A cloud security analyst is investigating a potential credential compromise in AWS. Which TWO CloudTrail events would be most relevant to establishing a timeline of the compromise?

Select 2 answers
A. DeleteBucket
B. UpdateLoginProfile
C. CreateAccessKey
D. DescribeInstances
E. ConsoleLogin
Answers: C, E

An attacker may create new access keys to maintain persistence.

Why this answer

Option C (CreateAccessKey) is correct because the creation of a new access key pair is a strong indicator of an attacker establishing persistent programmatic access to an AWS account. This event, logged by CloudTrail as 'CreateAccessKey' in the IAM service, provides a precise timestamp for when the attacker may have generated credentials to maintain access outside of the console.

Exam trap

Cisco often tests the distinction between events that indicate the initial compromise (like credential creation) versus events that are merely post-compromise reconnaissance or data destruction, leading candidates to select DescribeInstances or DeleteBucket as they seem suspicious but are not timeline-establishing events.

773
MCQ · hard

A cloud architect is designing a multi-tenant environment. To ensure that a tenant's virtual machine cannot access another tenant's memory, which resource isolation technique should be enforced at the hypervisor level?

A. IOMMU for device isolation
B. Memory isolation via hardware-enforced page tables
C. CPU pinning
D. Network segmentation with VLANs
Answer: B

Hypervisors use hardware support (like EPT) to isolate VM memory.

Why this answer

Memory isolation prevents cross-VM memory access; hypervisors enforce this by allocating dedicated memory pages.

774
MCQ · medium

A company is migrating a legacy monolithic application to a cloud-native microservices architecture. The security architect is concerned about securing inter-service communication. Which of the following should be implemented to ensure mutual authentication and encryption between services?

A. Deploy a service mesh with mutual TLS (mTLS) for all inter-service communication.
B. Use shared API keys embedded in each service's configuration.
C. Implement TLS termination at the load balancer with internal certificates.
D. Place all services in the same Virtual Private Cloud (VPC) and restrict ingress with security groups.
Answer: A

A service mesh like Istio automates mTLS, providing strong encryption and mutual authentication.

Why this answer

A service mesh with mutual TLS (mTLS) provides both encryption and mutual authentication for inter-service communication, ensuring that each service verifies the identity of the other before exchanging data. This is the recommended approach for cloud-native microservices because it offloads security concerns from application code and uses X.509 certificates to establish trust, aligning with zero-trust principles.

Exam trap

ISC2 often tests the misconception that network segmentation (VPC/security groups) alone is sufficient for securing inter-service communication, but the CCSP emphasizes that encryption and mutual authentication are required for data-in-transit security in a zero-trust model.

How to eliminate wrong answers

Option B is wrong because shared API keys embedded in configuration do not provide mutual authentication (only one-way authentication) and are vulnerable to leakage, rotation issues, and replay attacks. Option C is wrong because TLS termination at the load balancer means traffic between services is decrypted and re-encrypted, leaving internal traffic potentially unencrypted and without mutual authentication between services themselves. Option D is wrong because placing services in the same VPC with security groups restricts network access but does not provide encryption or mutual authentication for inter-service communication; it relies on network perimeter controls rather than cryptographic identity.

775
Multi-Select, easy

Which TWO of the following are characteristics of security groups compared to network ACLs in a cloud VPC? (Select two.)

Select 2 answers
A.Operate at the subnet level
B.Stateful – return traffic is automatically allowed
C.Stateless – each packet is evaluated independently
D.Support both allow and deny rules
E.Only allow rules can be specified
Answers: B, E

Security groups track connection state and allow return traffic.

Why this answer

Security groups are stateful (return traffic allowed) and support only allow rules. NACLs are stateless and support both allow and deny rules.

776
MCQ, hard

A security auditor is reviewing a cloud application's data encryption strategy. The application stores sensitive data in a cloud database. Which configuration would best ensure data confidentiality in the event of a database dump?

A.Tokenization of sensitive fields with a separate token vault
B.Entire database encryption at rest using cloud provider managed keys
C.Column-level encryption using application-managed keys
D.Transport layer security for all connections
Answer: C

Column-level encryption protects sensitive data at the database level.

Why this answer

Option C is correct because column-level encryption with application-managed keys ensures that even if the entire database is dumped, the sensitive columns remain encrypted and unreadable without the keys held by the application. This approach decouples key management from the cloud provider, preventing the provider from accessing the plaintext data and maintaining confidentiality during a breach or dump.

Exam trap

ISC2 often tests the distinction between encryption at rest and column-level encryption, trapping candidates who assume that full database encryption (Option B) protects against all data exposure scenarios, when in fact it does not protect data during a dump because the database engine decrypts it automatically.

How to eliminate wrong answers

Option A is wrong because tokenization replaces sensitive data with tokens but does not encrypt the data itself; if the token vault is compromised, or the dump includes the token mapping, confidentiality is broken. Option B is wrong because encryption at rest with cloud provider managed keys protects data only while it sits on disk; a database dump reads the data through the database engine, which decrypts it transparently, so the dump is produced in plaintext, and the provider also has access to the keys. Option D is wrong because transport layer security (TLS) protects data only in transit between client and server, not data at rest or data extracted in a dump after it has been stored.

777
Multi-Select, medium

A DevSecOps team is implementing security scanning in the CI/CD pipeline for a cloud application. Which THREE tools or practices should be included to shift security left?

Select 3 answers
A.Infrastructure-as-Code (IaC) security scanning
B.Static Application Security Testing (SAST)
C.Web Application Firewall (WAF) deployment
D.Runtime Application Self-Protection (RASP)
E.Dependency scanning (e.g., Snyk)
Answers: A, B, E

IaC scanning detects misconfigurations before deployment.

Why this answer

Shift-left security involves integrating security early. SAST scans source code, IaC scanning detects misconfigurations before deployment, and dependency scanning identifies vulnerable libraries.

778
MCQ, hard

A financial institution subject to SOX is migrating its general ledger system to a SaaS provider. Which of the following IT general controls is most critical to ensure the integrity of financial data in the cloud?

A.Annual penetration testing of the SaaS provider's infrastructure
B.Change management procedures for the SaaS application
C.Daily backups of the financial database
D.Implementation of multi-factor authentication for all users
Answer: B

Change management is a key IT general control that directly impacts the reliability of financial data.

Why this answer

SOX requires controls over financial reporting. Change management ensures that modifications to the system are authorized, tested, and documented, which is critical for data integrity.

779
Multi-Select, medium

A company is designing a data at rest encryption strategy for their cloud environment. Which TWO of the following are valid approaches? (Choose two.)

Select 2 answers
A.Server-side encryption with customer-provided keys (SSE-C)
B.Hashing data before storage
C.Client-side encryption
D.Tokenization of sensitive fields
E.Server-side encryption with cloud-managed keys (SSE-S3)
Answers: A, C

Customer provides the encryption key, which the cloud uses temporarily.

Why this answer

Server-side encryption with customer-provided keys (SSE-C) is a valid data-at-rest encryption approach because the customer retains control over the encryption keys while the cloud provider performs the encryption/decryption operations. This allows the customer to manage key lifecycle and compliance requirements without exposing plaintext keys to the provider. Client-side encryption is also valid because data is encrypted before being sent to the cloud, ensuring the provider never has access to plaintext data or encryption keys.

Exam trap

ISC2 often tests the distinction between encryption and other data protection methods such as hashing and tokenization. The trap here is twofold: candidates may confuse hashing or tokenization with encryption, or they may wrongly assume that server-side encryption with cloud-managed keys is not a valid approach. It is valid, but the question requires selecting exactly two correct answers from the list.

780
MCQ, hard

A customer discovers the provider added a new sub-processor without notification. Which compliance risk is most directly exposed?

A.Increase in costs due to sub-processor fees
B.Sub-processor might have weaker security controls
C.Service performance degradation due to sub-processor
D.Violation of customer's audit rights under GDPR
Answer: D

Lack of notification prevents the customer from objecting, violating contractual and GDPR sub-processor requirements.

Why this answer

The clause requires notification and an opportunity to object. Failure to notify breaches the contract and exposes the customer to GDPR non-compliance with its sub-processor requirements. Performance impact and cost changes are secondary consequences, not the direct compliance risk.

781
MCQ, medium

A company identifies a high-risk vulnerability in a cloud application. The cost to remediate is significantly higher than the potential loss from exploitation. Which risk treatment strategy is most appropriate?

A.Acceptance
B.Avoidance
C.Transfer
D.Mitigation
Answer: A

Correct. Risk acceptance is justified when cost of treatment exceeds potential loss.

Why this answer

When the cost to remediate a vulnerability exceeds the potential loss from exploitation, the most appropriate risk treatment strategy is acceptance. This means the organization formally acknowledges the risk and chooses to tolerate it without implementing additional controls, often documented in a risk register. In cloud environments, this is common for low-impact, high-cost vulnerabilities where the business decides the residual risk is within its risk appetite.

Exam trap

ISC2 often tests the distinction between risk acceptance and risk mitigation, where candidates mistakenly choose mitigation because they assume all vulnerabilities must be fixed, ignoring the cost-benefit analysis that justifies acceptance.

How to eliminate wrong answers

Option B (Avoidance) is wrong because avoidance involves eliminating the risk entirely, such as discontinuing the vulnerable cloud service or feature, which would be disproportionate and unnecessary when the potential loss is lower than remediation cost. Option C (Transfer) is wrong because transfer shifts the risk to a third party, typically through cyber insurance or outsourcing, but does not reduce the cost of remediation and may not be feasible for a specific application vulnerability. Option D (Mitigation) is wrong because mitigation involves implementing controls to reduce the risk to an acceptable level, which contradicts the premise that remediation cost is higher than the potential loss; mitigation would still incur that high cost.

782
MCQ, medium

A financial services company must comply with a regulation that requires encryption keys used for cloud services to be generated and stored on-premises in a Hardware Security Module (HSM). The cloud provider must not have any access to the keys. Which key management approach should the company adopt?

A.Cloud KMS with HSM-backed keys
B.Customer-Managed Encryption Keys (CMEK)
C.Bring Your Own Key (BYOK)
D.Hold Your Own Key (HYOK)
Answer: D

HYOK keeps the key on-premises at all times.

Why this answer

Hold Your Own Key (HYOK) ensures the key never leaves the on-premises HSM, providing the highest level of control and preventing cloud provider access.

783
MCQ, hard

A covered entity under HIPAA is moving electronic protected health information (ePHI) to a public cloud. What is the primary requirement before the cloud provider hosts ePHI?

A.The cloud provider must be located within the United States
B.The cloud provider must sign a Business Associate Agreement (BAA)
C.The cloud provider must be certified under ISO 27001
D.The covered entity must obtain written authorization from each patient
Answer: B

A BAA is required to establish the cloud provider as a business associate and outline permitted uses of PHI.

Why this answer

HIPAA requires a Business Associate Agreement (BAA) between the covered entity and the cloud provider to ensure PHI is handled appropriately.

784
Multi-Select, easy

A cloud storage administrator wants to ensure that only authorized users can access objects in a bucket, and they need to provide time-limited access to a specific object for an external partner. Which TWO access control methods should they use? (Choose two.)

Select 2 answers
A.Cross-region replication
B.Bucket versioning
C.Pre-signed URLs for the object
D.Object ACLs with public read access
E.Bucket policies using IAM
Answers: C, E

Pre-signed URLs provide temporary, specific access.

Why this answer

Pre-signed URLs (Option C) are the correct method for granting time-limited access to a specific object to an external partner because they embed a signature (e.g., AWS Signature Version 4) derived from the signer's credentials directly into the URL, allowing temporary access without requiring the partner to have AWS credentials or IAM permissions. The signature covers a configurable expiration time, so access is revoked automatically after the specified period.

Exam trap

The trap here is that candidates often confuse bucket policies (Option E) with pre-signed URLs, but bucket policies are used for broad, persistent access control across the entire bucket, not for time-limited, object-specific access to an external partner without IAM credentials.

785
MCQ, medium

A cloud security team is implementing a Web Application Firewall (WAF) for a public-facing web application. The application uses a REST API with JSON payloads. Which of the following is the WAF's primary benefit?

A.Scanning for data loss prevention (DLP) violations
B.Preventing network-layer DDoS attacks
C.Encrypting data in transit between client and server
D.Inspecting HTTP traffic for malicious payloads
Answer: D

WAFs filter application-layer attacks.

Why this answer

A WAF operates at Layer 7 (application layer) and is specifically designed to inspect HTTP/HTTPS traffic for malicious payloads such as SQL injection, cross-site scripting (XSS), and JSON-based attacks. For a REST API using JSON, the WAF can parse and validate the JSON structure, blocking malformed or malicious payloads before they reach the application server. This is the primary benefit because it directly protects the application logic from web-based exploits.

Exam trap

ISC2 often tests the distinction between Layer 7 (application) and Layer 3/4 (network) security controls; candidates mistakenly choose network-layer DDoS protection (Option B) because they confuse a WAF with a general-purpose firewall.

How to eliminate wrong answers

Option A is wrong because DLP scanning is a function of data loss prevention tools, not a WAF; a WAF does not inspect data for policy violations like credit card numbers or PII. Option B is wrong because preventing network-layer DDoS attacks (e.g., SYN floods) is the role of a network firewall or DDoS mitigation appliance, not a WAF which focuses on application-layer attacks. Option C is wrong because encrypting data in transit is the job of TLS/SSL (e.g., HTTPS), not a WAF; a WAF inspects decrypted traffic after TLS termination or uses a reverse proxy model, but it does not perform encryption itself.

786
MCQ, medium

An organization uses GCP and wants to monitor for threats in real-time, including detecting malicious activity from compromised service accounts. Which GCP service should be used?

A.Cloud Audit Logs
B.Cloud Security Scanner
C.Container Threat Detection
D.Event Threat Detection
Answer: D

It detects threats like compromised credentials and suspicious API calls.

Why this answer

Event Threat Detection is part of GCP Security Command Center and provides real-time threat detection for IAM anomalies, including compromised service accounts.

787
MCQ, medium

A security team wants to detect container image vulnerabilities before they are pushed to a registry. Which stage of the CI pipeline should container image scanning occur?

A.After build and before push to registry
B.During runtime in production
C.After deployment to production
D.After push to registry and before deployment
Answer: A

Scanning at this stage prevents vulnerable images from being stored in the registry.

Why this answer

Scanning container images after build but before push ensures vulnerabilities are caught early and not deployed.

788
Matching, medium

Match each data state to its encryption requirement in cloud environments.

Matches

Encryption using AES-256

TLS 1.2+ encryption

Homomorphic or confidential computing

Encryption with separate key management

Why these pairings

Different data states require specific encryption mechanisms; data in use is challenging and requires advanced techniques.

789
MCQ, easy

A cloud security analyst is reviewing access logs and notices that a pre-signed URL for an object was used after its expiration time. What should be the outcome of such an access attempt?

A.The request is redirected to a new URL automatically
B.The request is allowed because the URL was generated with valid credentials
C.The request is denied with an access denied error
D.The request is logged but still granted
Answer: C

Correct: Expired pre-signed URLs return 403 Forbidden.

Why this answer

Pre-signed URLs are time-limited; once expired, the URL is invalid and access is denied.

790
MCQ, medium

An organization is using GCP Security Command Center with Event Threat Detection. Which type of event is most likely to generate a finding for 'exfiltration'?

A.A service account creating a new VM
B.A user logging in from a new IP address
C.A firewall rule change allowing all inbound traffic
D.A large number of objects being downloaded from a Cloud Storage bucket
Answer: D

High volume of downloads is a common exfiltration indicator.

Why this answer

Event Threat Detection (ETD) in GCP Security Command Center monitors Cloud Storage access logs for anomalous data access patterns. A large number of object downloads from a single bucket within a short time window is a strong indicator of data exfiltration, as it matches the behavioral signature of bulk data extraction. ETD uses machine learning models trained on normal access baselines to flag such volume-based anomalies as 'exfiltration' findings.

Exam trap

Cisco often tests the distinction between 'exfiltration' (data leaving the environment) and other security events like 'anomalous access' or 'misconfiguration'; the trap here is that candidates confuse a login from a new IP (Option B) with data exfiltration, when in fact exfiltration requires a data transfer action such as downloading objects.

How to eliminate wrong answers

Option A is wrong because creating a new VM is an infrastructure provisioning action, not a data movement event; ETD focuses on data access and network anomalies, not resource creation. Option B is wrong because a login from a new IP address typically triggers an 'anomalous login' or 'brute force' finding, not an exfiltration event; exfiltration requires data leaving the environment. Option C is wrong because a firewall rule change allowing all inbound traffic is a misconfiguration finding related to network security, not data exfiltration; ETD would flag this under 'open firewall' or 'ingress' rules, not data theft.

791
MCQ, medium

A SOC analyst notices an alert for 'impossible travel' where a user logged in from New York and then from London within 15 minutes. The SIEM correlation rule likely compares which log fields?

A.User agent and browser type
B.Source IP address and timestamp
C.Destination IP and port
D.Volume of data transferred and timestamp
Answer: B

These are the primary fields used to calculate geographic distance and time difference.

Why this answer

Impossible travel detection typically uses sign-in logs (source IP, geolocation) and event timestamps to identify logins from distant locations within a short time.

792
MCQ, easy

A development team is migrating a legacy application to the cloud. Which security testing approach should be adopted early in the CI/CD pipeline to catch vulnerabilities as code is written?

A.Dynamic application security testing (DAST)
B.Penetration testing
C.Runtime application self-protection (RASP)
D.Static application security testing (SAST)
Answer: D

SAST scans source code early in the pipeline.

Why this answer

Static application security testing (SAST) analyzes source code, bytecode, or binary code without executing the application, making it ideal for integration early in the CI/CD pipeline to catch vulnerabilities like SQL injection, buffer overflows, and XSS as code is written. This 'white-box' approach provides immediate feedback to developers, aligning with the shift-left security principle for cloud-native development.

Exam trap

ISC2 often tests the distinction between SAST (white-box, early pipeline) and DAST (black-box, post-deployment), and candidates mistakenly choose DAST because they think 'dynamic' implies early testing, but DAST requires a running application.

How to eliminate wrong answers

Option A is wrong because DAST tests the running application from the outside (black-box), which requires a deployed environment and cannot catch vulnerabilities at the code-writing stage. Option B is wrong because penetration testing is a manual or automated simulated attack on a live system, performed later in the SDLC, not during development. Option C is wrong because RASP is a runtime protection technology embedded in the application runtime environment that monitors and blocks attacks in production, not a testing tool for the CI/CD pipeline.

793
MCQ, medium

The exhibit shows a bucket policy that grants public read access. What is the most effective way to remove this public access?

A.Add an access control list (ACL) that denies public access.
B.Change the bucket policy to deny all access.
C.Enable S3 Block Public Access settings at the bucket or account level.
D.Enable bucket versioning and delete the public objects.
Answer: C

Block Public Access settings explicitly deny public access, overriding any bucket policies.

Why this answer

Option C is correct because S3 Block Public Access settings provide a definitive, override-capable mechanism to prevent any public access to an S3 bucket, regardless of other policies or ACLs. These settings can be applied at the bucket or account level and will block all public access even if a bucket policy explicitly grants it, making them the most effective and secure method to remove public access.

Exam trap

ISC2 often tests the misconception that modifying the bucket policy or ACLs is sufficient to remove public access, but the trap is that these can be overridden or misconfigured, whereas S3 Block Public Access settings provide a guaranteed, centralized control that cannot be bypassed by other permissions.

How to eliminate wrong answers

Option A is wrong because ACLs are legacy and cannot deny access; they only grant permissions, and adding a deny ACL is not a valid operation. Option B is wrong because changing the bucket policy to deny all access would conflict with the existing grant and could lead to ambiguous evaluation results; S3 evaluates policies with an explicit deny override, but the most effective approach is to use Block Public Access settings which are designed for this purpose. Option D is wrong because enabling versioning and deleting public objects does not remove the bucket policy that grants public read access; the policy would still allow access to any remaining or future objects.

794
MCQ, medium

Refer to the exhibit. A developer reports that users are being denied access to a cloud application. The error log shows the above. What is the most likely cause of the denial?

A.The token was issued by an untrusted issuer
B.The token lacks required permissions
C.The token's expiration time has passed
D.The token's signature is invalid
Answer: C

The log explicitly states 'Token expired at 2024-11-20T10:30:00Z', indicating expiration.

Why this answer

The error log indicates that the token's expiration time has passed, which is a standard validation check in OAuth 2.0 and OpenID Connect (OIDC) flows. When a token's `exp` claim is less than the current server time, the authorization server or resource server rejects the request with an 'access denied' or similar error. This is the most direct cause of the denial shown in the exhibit.

Exam trap

ISC2 often tests the distinction between token validation steps (signature, issuer, expiration, permissions) and the specific error messages each step produces, so candidates must match the error log text to the correct validation failure rather than assuming a generic 'access denied' reason.

How to eliminate wrong answers

Option A is wrong because an untrusted issuer would trigger an 'invalid issuer' or 'untrusted issuer' error, not a token expiration error; the issuer is validated via the `iss` claim against a pre-configured trusted issuer list. Option B is wrong because missing permissions would result in a '403 Forbidden' or 'insufficient_scope' error, not a token expiration error; permissions are checked after token validity. Option D is wrong because an invalid signature would cause a 'signature verification failed' or 'invalid token' error, not a token expiration error; signature validation occurs before expiration checks.

795
MCQ, easy

A US-based company uses a cloud provider with data centers in the US and Europe. To transfer personal data of EU citizens to the US, which mechanism is most appropriate under GDPR?

A.Explicit consent
B.Standard Contractual Clauses (SCCs)
C.Binding Corporate Rules (BCRs)
D.Adequacy decision
Answer: B

Correct. SCCs are a recognized transfer mechanism for data transfers to third countries.

Why this answer

Standard Contractual Clauses (SCCs) are the most appropriate mechanism because they provide a legally recognized data transfer tool under GDPR Article 46 for transferring personal data from the EU to a third country (the US) without an adequacy decision. SCCs are pre-approved contractual terms that both the data exporter (EU-based) and data importer (US-based) must sign, ensuring adequate safeguards for the data subjects' rights. This mechanism is specifically designed for scenarios where the cloud provider's data centers span jurisdictions without a current adequacy finding, as is the case with the US post-Schrems II.

Exam trap

ISC2 often tests the misconception that an adequacy decision is the default or most straightforward option for US transfers, but the trap is that the US currently lacks an adequacy decision, making SCCs the primary lawful mechanism for such cross-border data flows.

How to eliminate wrong answers

Option A is wrong because explicit consent under GDPR Article 49 is a derogation for specific, occasional transfers and cannot be used as a general or repetitive mechanism for ongoing data flows to a US cloud provider; it also requires a high burden of proof and can be withdrawn at any time. Option C is wrong because Binding Corporate Rules (BCRs) are designed for intra-group transfers within a multinational enterprise, not for transfers between a US-based company and an external cloud provider that is not part of the same corporate group. Option D is wrong because there is currently no adequacy decision in effect for the US under GDPR (the Privacy Shield was invalidated in 2020), so this mechanism is not available for general transfers to the US.

796
MCQ, easy

Which security testing approach is most effective at identifying vulnerabilities early in the cloud software development lifecycle (SDLC) by analyzing source code without executing the application?

A.Interactive Application Security Testing (IAST)
B.Static Application Security Testing (SAST)
C.Runtime Application Self-Protection (RASP)
D.Dynamic Application Security Testing (DAST)
Answer: B

SAST analyzes source code without execution, fitting the shift-left model.

Why this answer

Static Application Security Testing (SAST) is the correct approach because it analyzes source code, bytecode, or binary code without executing the application, making it ideal for identifying vulnerabilities early in the SDLC (shift-left). Unlike dynamic or runtime tools, SAST scans the codebase statically, catching issues like SQL injection, buffer overflows, and insecure cryptographic implementations before compilation or deployment.

Exam trap

Cisco often tests the distinction between SAST and DAST by framing the question around 'early in the SDLC' and 'without executing the application'—candidates mistakenly choose DAST because it is a common security test, but DAST requires a running application and is performed later in the lifecycle.

How to eliminate wrong answers

Option A is wrong because Interactive Application Security Testing (IAST) requires the application to be running and instrumented, typically within a test environment, to analyze code paths during execution—it does not work on static source code. Option C is wrong because Runtime Application Self-Protection (RASP) is a runtime security control embedded in the application that monitors and blocks attacks during execution, not a testing tool for early SDLC vulnerability detection. Option D is wrong because Dynamic Application Security Testing (DAST) tests the running application from the outside (black-box) by sending HTTP requests and analyzing responses, which requires a deployed instance and cannot analyze source code statically.

797
MCQ, easy

Which CSA STAR tier involves a third-party assessment and results in a certification based on ISO 27001?

A.Tier 4: Auditing
B.Tier 3: Continuous monitoring
C.Tier 2: Third-party assessment
D.Tier 1: Self-assessment
Answer: C

Tier 2 includes STAR Certification (ISO 27001 + CCM) and STAR Attestation (SOC 2).

Why this answer

CSA STAR Tier 2 includes STAR Certification, which is based on ISO 27001 plus cloud-specific controls.

798
MCQ, medium

An IAM policy named S3ReadOnlyAccess has DefaultVersionId v3. What does this indicate?

A.The policy is newly created.
B.The policy is currently using version v3 as the default.
C.The policy has three custom versions.
D.The policy cannot be attached to any entity.
Answer: B

DefaultVersionId indicates the active version.

Why this answer

The DefaultVersionId of an IAM policy indicates which version is currently active and enforced when the policy is attached to an IAM user, group, or role. Since the policy is named S3ReadOnlyAccess and has DefaultVersionId v3, version v3 is the default and is being used for access control decisions. This is the standard behavior for IAM policies in AWS, where you can have multiple versions but only one is designated as the default.

Exam trap

ISC2 often tests the misconception that DefaultVersionId indicates the total number of versions or that a policy with a non-v1 default is somehow broken or unattachable, when in fact it simply shows which version is active.

How to eliminate wrong answers

Option A is wrong because a newly created policy would have DefaultVersionId v1, not v3, as the first version is always v1. Option C is wrong because DefaultVersionId v3 does not imply there are exactly three custom versions; there could be more versions (e.g., v1, v2, v3, v4) and only v3 is set as default, or some versions may be non-default. Option D is wrong because a policy with a default version can be attached to any entity; the DefaultVersionId simply indicates which version is active, and the policy remains attachable unless explicitly restricted.

799
MCQ, medium

A financial services company uses a cloud-based logging service for audit trails. A regulatory investigation is initiated, and the company is required to preserve all logs from the past 18 months. The cloud provider's default retention policy is 12 months, and logs older than that are automatically deleted. The company did not configure custom retention. What is the most appropriate action to ensure compliance?

A.Accept the data loss and explain to regulators that the provider has a limited retention policy.
B.Export all available logs and store them locally immediately.
C.Request that the provider place a legal hold on all logs and verify implementation.
D.Rely on the provider's backup policy, which may retain data for up to 24 months.
Answer: C

A legal hold overrides retention policies and ensures preservation; verification confirms compliance.

Why this answer

Option C is correct because a legal hold (or litigation hold) is a cloud provider feature that overrides the default retention policy to preserve data indefinitely or for a specified period, preventing automated deletion. This ensures compliance with regulatory requirements without relying on manual exports or backups, and the company must verify implementation through provider tools or APIs to confirm the hold is active.

Exam trap

ISC2 often tests the misconception that exporting logs locally is sufficient for compliance, but the trap is that this fails to preserve logs already deleted and does not meet the requirement for ongoing preservation, whereas a legal hold is the designed mechanism for regulatory holds.

How to eliminate wrong answers

Option A is wrong because accepting data loss and explaining to regulators is not a valid compliance action; regulations typically require preservation, and ignorance of retention limits is not an acceptable excuse. Option B is wrong because exporting all available logs immediately would only capture logs up to the current point, missing logs already deleted beyond 12 months, and does not address ongoing preservation for future regulatory needs. Option D is wrong because relying on the provider's backup policy is speculative and not guaranteed; backups may have shorter retention or be subject to the same deletion policies, and they are not designed for legal compliance holds.

800
MCQ · hard

A multinational corporation must comply with GDPR and local data residency laws. They are designing a cloud storage architecture that will store customer data in the EU region. However, to improve disaster recovery, they want to replicate data to a secondary region outside the EU. Which approach meets compliance requirements?

A. Use cross-region replication to a non-EU region but apply client-side encryption before upload
B. Use same-region replication within the EU and disable cross-region replication
C. Use cross-region replication to a US region and encrypt data with SSE-S3
D. Use cross-region replication to a non-EU region and rely on a Data Processing Agreement (DPA)
Answer: B

Same-region replication keeps data within the EU, complying with data residency requirements.

Why this answer

To comply with data residency laws, data must stay within the EU. Replicating to a non-EU region violates GDPR. Instead, they should replicate to another EU region or use encryption with customer-managed keys and ensure the key is stored in the EU.

801
MCQ · hard

An organization is evaluating a cloud provider's SLA for a critical application. The provider offers a 99.95% uptime SLA with a 10% service credit for each 30-minute downtime period exceeding the threshold. The organization's business impact analysis requires a maximum downtime of 4.38 hours per year. Does the provider's SLA meet this requirement, and what is the annual allowed downtime based on the SLA?

A. No, because service credits only apply after 30 minutes of downtime, so actual uptime is lower.
B. Yes, because the 10% credit effectively increases the uptime commitment.
C. No, because 99.95% uptime allows 5 hours of downtime per year.
D. Yes, because the SLA guarantees 99.95% uptime, which equals 4.38 hours of downtime per year.
Answer: D

Correct calculation: 0.05% of 8760 hours = 4.38 hours.

Why this answer

99.95% uptime allows 0.05% downtime per year: 0.05% of (365 days × 24 hours) = 0.05% × 8,760 hours = 4.38 hours, which exactly meets the requirement. The service credit mechanism does not change the allowed downtime.

802
Multi-Select · medium

Which TWO of the following are recommended practices for securing container images in a cloud environment? (Select TWO)

Select 2 answers
A. Using the latest tag for all images
B. Scanning images for vulnerabilities in the CI pipeline
C. Running containers as root user
D. Storing images in a public registry for easier access
E. Signing container images with a cryptographic key
Answers: B, E

Vulnerability scanning prevents deployment of insecure images.

Why this answer

Signing container images ensures integrity and prevents tampering, and scanning images in the CI pipeline before deployment catches vulnerabilities early.

803
MCQ · medium

An organization uses a cloud storage service to share files with external partners. They want to ensure that the files are automatically deleted after 30 days. Which data lifecycle control should be implemented?

A. Object lock
B. Lifecycle policy
C. Versioning
D. Access control list
Answer: B

Lifecycle policies automate expiration and deletion.

Why this answer

A lifecycle policy is the correct data lifecycle control because it allows administrators to define rules that automatically expire and delete objects after a specified period, such as 30 days. This is a native feature of cloud storage services like Amazon S3, Azure Blob Storage, and Google Cloud Storage, enabling automated data retention and deletion without manual intervention.

Exam trap

ISC2 often tests the distinction between data protection controls (Object Lock, Versioning) and data lifecycle controls (Lifecycle Policy), leading candidates to confuse retention with deletion.

How to eliminate wrong answers

Option A is wrong because Object Lock is designed to prevent objects from being deleted or overwritten for a fixed retention period or indefinitely (legal hold), which is the opposite of automatic deletion. Option C is wrong because Versioning preserves multiple versions of an object, allowing recovery of deleted or overwritten versions, but does not automatically delete data after a time period. Option D is wrong because Access Control Lists (ACLs) manage permissions for who can read or write objects, not the lifecycle or scheduled deletion of data.

804
MCQ · hard

A financial institution is required to comply with the Sarbanes-Oxley Act (SOX) for its cloud-hosted financial applications. The cloud provider is responsible for the underlying infrastructure. Which of the following controls is most likely the responsibility of the financial institution as part of IT general controls (ITGC)?

A. Physical security of the data center housing the cloud servers
B. Logical access controls to the financial application, including user provisioning and segregation of duties
C. Network intrusion detection at the cloud perimeter
D. Patching of the hypervisor that hosts the virtual machines
Answer: B

The customer controls user access to the application and data, which is a key ITGC area.

Why this answer

SOX requires organizations to maintain ITGCs over systems that support financial reporting. Logical access controls (e.g., user provisioning, authentication) are typically the responsibility of the customer (the financial institution) because they manage who can access the application and data.

805
MCQ · easy

Which of the following is a benefit of enabling CloudTrail log file validation?

A. It ensures the integrity of log files by allowing you to confirm that they have not been modified.
B. It automatically deletes old log files based on a retention policy.
C. It encrypts log files at rest.
D. It compresses log files to save storage space.
Answer: A

Log file validation provides integrity verification.

Why this answer

CloudTrail log file validation uses a hash-based digital signature (SHA-256) to create a digest file for each log file. This allows you to verify that the log files have not been tampered with, deleted, or modified after they were delivered by CloudTrail, ensuring their integrity for forensic analysis and compliance.

Exam trap

Cisco often tests the distinction between integrity (log file validation) and other security controls like encryption, compression, or lifecycle management, leading candidates to confuse validation with unrelated features.

How to eliminate wrong answers

Option B is wrong because CloudTrail log file validation does not manage retention or deletion; lifecycle policies are configured separately via S3 lifecycle rules or CloudTrail console settings. Option C is wrong because encryption at rest is provided by S3 server-side encryption (SSE-S3, SSE-KMS, or SSE-C), not by log file validation. Option D is wrong because compression is not a feature of log file validation; CloudTrail logs can be delivered in gzip format if configured, but validation does not compress them.

806
MCQ · hard

During a security review of a serverless application, you notice that a Lambda function's execution role has permissions to delete all S3 buckets in the account. What is the most appropriate remediation to align with the principle of least privilege?

A. Create a custom IAM role that grants only the necessary actions on a specific S3 bucket
B. Store S3 bucket names in environment variables instead of hardcoding
C. Attach the AWS managed policy 'AmazonS3ReadOnlyAccess'
D. Remove the Lambda function's VPC integration
Answer: A

A custom role with resource-level restrictions follows least privilege.

Why this answer

Creating a custom role with only the specific actions needed (e.g., s3:PutObject for a specific bucket) reduces blast radius. Using managed policies may grant excessive permissions; environment variables and VPC integration are unrelated.

807
MCQ · easy

Which data classification level typically includes information that, if disclosed, could cause serious damage to an organization, such as trade secrets or personally identifiable information (PII)?

A. Internal
B. Confidential
C. Restricted
D. Public
Answer: C

Restricted is the highest classification for most sensitive data.

Why this answer

Restricted data is the highest classification level, covering data that could cause severe damage if disclosed.

808
MCQ · easy

A company is moving its customer database to a public cloud provider. The database contains personally identifiable information (PII) of European Union citizens. Which legal framework imposes requirements on the cloud customer regarding data protection and privacy in this scenario?

A. Sarbanes-Oxley Act (SOX)
B. General Data Protection Regulation (GDPR)
C. Health Insurance Portability and Accountability Act (HIPAA)
D. Payment Card Industry Data Security Standard (PCI DSS)
Answer: B

GDPR governs processing of personal data of EU individuals.

Why this answer

The General Data Protection Regulation (GDPR) is the correct legal framework because it specifically governs the processing of personally identifiable information (PII) of European Union citizens, regardless of where the data is stored or processed. As the cloud customer is moving a customer database containing EU PII to a public cloud provider, GDPR imposes strict requirements on the data controller (the customer) for data protection, consent, breach notification, and cross-border data transfer safeguards.

Exam trap

ISC2 often tests the misconception that any data privacy law applies globally, but the trap here is that candidates may choose HIPAA or PCI DSS because they are familiar with data protection, failing to recognize that GDPR is the only framework specifically designed for EU citizen PII regardless of industry.

How to eliminate wrong answers

Option A is wrong because the Sarbanes-Oxley Act (SOX) applies to financial reporting and internal controls for publicly traded companies in the U.S., not to general PII of EU citizens. Option C is wrong because the Health Insurance Portability and Accountability Act (HIPAA) applies only to protected health information (PHI) held by covered entities in the U.S., not to a general customer database containing EU PII. Option D is wrong because the Payment Card Industry Data Security Standard (PCI DSS) applies to cardholder data and payment card transactions, not to general PII or EU citizen data.

809
MCQ · medium

A company's cloud infrastructure is subject to GDPR. The DPO requires that all customer personal data be encrypted at rest and in transit. The cloud provider offers SSE-S3 for object storage and enforces TLS 1.2 for API calls. Which additional control should the company implement to meet GDPR accountability requirements?

A. Implement client-side encryption with a key management service.
B. Enable detailed logging of all access to encrypted data.
C. Automatically delete backups older than 30 days.
D. Apply data masking to all personal data fields before storage.
Answer: B

Logging provides an audit trail to demonstrate compliance with GDPR accountability.

Why this answer

While SSE-S3 and TLS 1.2 address encryption at rest and in transit, GDPR accountability requires the company to demonstrate compliance through audit trails. Enabling detailed logging of all access to encrypted data (Option B) provides the necessary records to prove who accessed personal data, when, and from where, fulfilling the 'demonstrate compliance' principle under Article 5(2) and Article 30 of the GDPR.

Exam trap

The trap here is that candidates confuse encryption controls (Options A and D) or data lifecycle policies (Option C) with accountability, which is a governance and audit requirement, not a technical data protection measure.

How to eliminate wrong answers

Option A is wrong because client-side encryption with a KMS is an additional encryption measure, but encryption is already satisfied by SSE-S3 and TLS 1.2; the gap is accountability, not encryption strength. Option C is wrong because automatically deleting backups older than 30 days is a data retention policy that may violate GDPR's storage limitation principle if not justified, and it does not address the accountability requirement for access logging. Option D is wrong because data masking before storage is a data minimization technique, but it does not create an audit trail; the DPO's requirement is specifically about accountability, not about reducing the sensitivity of stored data.

810
MCQ · medium

A company uses a cloud object storage service to host a public website. The website content is static and needs to be accessible to anyone on the internet, but the company wants to prevent direct listing of the bucket contents. Which combination of access controls should be configured?

A. IAM policies granting public access to the bucket
B. Enable versioning and cross-region replication
C. Bucket ACLs set to public and block public access disabled
D. Block public access to the bucket and use pre-signed URLs for objects
Answer: D

Prevents listing and provides controlled access.

Why this answer

Blocking public access to the bucket while allowing access via signed URLs provides time-limited access to specific objects without exposing the entire bucket.

811
Multi-Select · hard

Which THREE of the following are essential steps in a cloud data discovery process?

Select 3 answers
A. Map data flows between systems
B. Encrypt all discovered data
C. Classify data based on sensitivity
D. Identify where sensitive data resides
E. Create backup copies of data
Answers: A, C, D

Understanding data movement is critical.

Why this answer

Option A is correct because mapping data flows between systems is a foundational step in cloud data discovery. It enables organizations to understand how data moves across cloud services, APIs, and storage tiers, which is critical for identifying where sensitive data may be transmitted or stored. Without this mapping, discovery efforts may miss data in transit or in transient storage, leading to incomplete visibility.

Exam trap

ISC2 often tests the distinction between discovery steps and subsequent security controls, so the trap here is that candidates mistakenly treat encryption or backup as part of the discovery process when they are actually post-discovery remediation or protection actions.

812
MCQ · hard

During a supply chain security review, a team discovers that container images are not being verified at admission time. Which Kubernetes-native tool should be implemented to ensure only signed images are deployed?

A. NetworkPolicy
B. PodSecurityPolicy
C. Admission controller (e.g., Kyverno) with image signature verification
D. ResourceQuota
Answer: C

Correct: Admission controllers can validate image signatures using tools like Cosign.

Why this answer

An admission controller like OPA Gatekeeper or Kyverno can enforce policies that verify image signatures before allowing pod creation.

813
MCQ · hard

A financial services firm is designing a cloud environment that must comply with PCI DSS. The security architect proposes using a virtual private cloud (VPC) with subnets, security groups, and network ACLs. However, the compliance officer is concerned about the risk of data exposure due to misconfiguration. Which additional control would BEST address this concern?

A. Use a Web Application Firewall (WAF)
B. Implement a Security Information and Event Management (SIEM) system
C. Integrate Cloud Security Posture Management (CSPM)
D. Deploy Data Loss Prevention (DLP) tools
Answer: C

CSPM automates monitoring and remediation of misconfigurations.

Why this answer

CSPM tools continuously monitor cloud infrastructure configurations against compliance frameworks like PCI DSS, automatically detecting misconfigurations such as overly permissive security group rules or network ACLs that could expose cardholder data. This directly addresses the compliance officer's concern about data exposure due to misconfiguration by providing real-time visibility and remediation guidance, which is more proactive than the other options.

Exam trap

The trap here is that candidates often confuse CSPM with SIEM or DLP, thinking log analysis or data monitoring can catch configuration errors, but CSPM is the only tool specifically designed to audit and enforce cloud infrastructure configurations against compliance standards like PCI DSS.

How to eliminate wrong answers

Option A is wrong because a Web Application Firewall (WAF) protects against application-layer attacks (e.g., SQL injection, XSS) but does not detect or prevent misconfigurations in VPC subnets, security groups, or network ACLs. Option B is wrong because a Security Information and Event Management (SIEM) system aggregates and analyzes logs for threat detection and incident response, but it does not proactively scan cloud infrastructure for compliance misconfigurations or enforce security baselines. Option D is wrong because Data Loss Prevention (DLP) tools monitor and block sensitive data in transit or at rest, but they do not assess the underlying network or access control configurations that could lead to exposure.

814
Multi-Select · hard

Which THREE of the following are essential steps in the incident response process for a cloud security incident?

Select 3 answers
A. Perform a full forensic analysis of all systems before containment.
B. Contain the incident to prevent further damage.
C. Reward the team that discovered the incident to encourage reporting.
D. Eradicate the root cause of the incident.
E. Identify and classify the incident based on severity and impact.
Answers: B, D, E

Containment is critical to limit scope.

Why this answer

Correct answers are B, D, and E. Identification and classification (E), containment (B), and eradication (D) are key phases. Option C is wrong because rewarding staff is not part of incident response.

Option A is wrong because forensics typically occurs after containment, but it is not an essential step in the core process (it is part of analysis).

815
MCQ · hard

A healthcare company uses a cloud-based patient management system. The cloud provider experiences a security incident that may have exposed protected health information (PHI). The provider notifies the company within 72 hours, as required by the service agreement. The company's internal breach response policy requires a legal review of the incident before notifying affected individuals. The legal review typically takes 48 hours. However, the company is required to notify patients within 60 days under HIPAA. With the 72-hour notification from the provider, the company has 60 days to notify patients. What is the most effective approach to meet the 60-day notification requirement while ensuring compliance with internal policy?

A. Notify patients immediately and then perform the legal review.
B. Wait for the legal review to complete before notifying patients.
C. Notify patients immediately based on the provider's notification.
D. Begin the legal review immediately and prepare patient notification in parallel.
Answer: D

Parallel processing allows timely notification while ensuring legal input is incorporated.

Why this answer

Option D is correct because it allows the company to satisfy both the HIPAA 60-day notification requirement and its internal legal review policy by running the legal review and patient notification preparation concurrently. This parallel approach minimizes delay while ensuring that the notification content is legally vetted before release, which is critical for PHI incidents under HIPAA's Breach Notification Rule (45 CFR § 164.404).

Exam trap

ISC2 often tests the misconception that you must choose between compliance and internal policy, when in fact parallel processing of legal review and notification preparation is the correct approach to meet both requirements without violating the 60-day HIPAA deadline.

How to eliminate wrong answers

Option A is wrong because notifying patients immediately without legal review could expose the company to legal liability if the notification contains inaccurate or incomplete information, and it violates the internal policy requiring a legal review first. Option B is wrong because waiting for the legal review to complete before starting notification preparation could consume the entire 60-day window, risking non-compliance with HIPAA's 60-day deadline if the review takes longer than expected. Option C is wrong because notifying patients immediately based solely on the provider's notification bypasses the required legal review and may lead to premature disclosure of unverified PHI details, which could increase legal risk.

816
MCQ · medium

A security analyst is configuring a SIEM solution and wants to ingest security findings from AWS Security Hub into Splunk. What is the most efficient method?

A. Enable Security Hub cross-Region aggregation, then export to a CSV file.
B. Use AWS Lambda to pull findings from Security Hub API and push to Splunk HTTP Event Collector.
C. Configure Security Hub to publish findings to an S3 bucket, then use Splunk to read from S3.
D. Use AWS Glue to catalog Security Hub data and connect to Splunk via JDBC.
Answer: B

Lambda can subscribe to Security Hub via EventBridge or poll the API, and forward to Splunk.

Why this answer

Option B is correct because AWS Lambda can directly invoke the Security Hub API to retrieve findings and forward them to Splunk's HTTP Event Collector (HEC) in near real-time, avoiding intermediate storage or batch processing. This serverless approach minimizes latency and operational overhead, making it the most efficient method for continuous ingestion.

Exam trap

Cisco often tests the misconception that S3-based export (Option C) is the default or most reliable method, but the trap here is that S3 introduces latency and requires additional polling, whereas a Lambda push is more efficient for real-time security operations.

How to eliminate wrong answers

Option A is wrong because exporting to a CSV file is a manual, batch-oriented process that lacks automation and real-time capabilities, and cross-Region aggregation alone does not provide a direct ingestion pipeline to Splunk. Option C is wrong because publishing findings to an S3 bucket introduces unnecessary storage and latency, requiring Splunk to poll S3 periodically, which is less efficient than a push-based model. Option D is wrong because AWS Glue is designed for ETL and data cataloging, not for real-time streaming; using JDBC would add complexity and latency, and Security Hub does not expose a JDBC interface.

817
MCQ · medium

A company is implementing a SIEM solution and needs to ingest security logs from multiple AWS accounts into a centralized security account. Which AWS service can best aggregate findings from all accounts?

A. Amazon GuardDuty
B. Amazon CloudWatch Logs
C. AWS Security Hub
D. AWS Config
Answer: C

Security Hub aggregates security findings across accounts and integrates with SIEM.

Why this answer

AWS Security Hub can be enabled in multiple accounts and configured to send findings to a central administrator account, enabling cross-account aggregation.

818
MCQ · easy

A cloud customer is concerned about the risk of unauthorized access to data due to the shared infrastructure of a public cloud. What type of risk does this represent?

A. Control risk
B. Detection risk
C. Inherent risk
D. Residual risk
Answer: C

Inherent risk is the natural risk arising from the use of shared cloud infrastructure.

Why this answer

Inherent risk is the risk that exists before any controls are applied; shared infrastructure is a key inherent risk of cloud computing.

819
MCQ · hard

During a cloud security incident, a security team needs to isolate a compromised EC2 instance that is performing outbound port scanning. Which containment action should be taken first?

A. Terminate the instance immediately
B. Modify the security group to deny outbound traffic
C. Create an AMI of the instance for analysis
D. Detach the instance from the VPC
Answer: B

This stops the malicious activity while preserving the instance for investigation.

Why this answer

Modifying the instance's security group to deny all outbound traffic is a quick and reversible containment action that stops the scanning.

820
MCQ · medium

A company is migrating to the cloud and must comply with the Health Insurance Portability and Accountability Act (HIPAA). They plan to store electronic protected health information (ePHI) in a cloud database. Which of the following is a mandatory requirement for the cloud service agreement?

A. The CSP must store data in a specific geographic location.
B. The CSP must perform quarterly penetration tests.
C. The CSP must encrypt all data at rest using AES-256.
D. The CSP must sign a Business Associate Agreement (BAA).
Answer: D

A BAA is required to ensure the CSP safeguards ePHI.

Why this answer

Under HIPAA, a covered entity or business associate must have a written Business Associate Agreement (BAA) with any cloud service provider (CSP) that creates, receives, maintains, or transmits electronic protected health information (ePHI) on their behalf. The BAA is a mandatory contractual requirement that establishes the CSP's permitted uses and disclosures of ePHI, as well as its obligations to safeguard the data. Without a signed BAA, the CSP cannot lawfully handle ePHI, making this the only option that is a direct regulatory mandate under HIPAA.

Exam trap

ISC2 often tests the distinction between mandatory (required) and addressable (optional but must be documented if not implemented) specifications under HIPAA, leading candidates to incorrectly select encryption or testing frequency as mandatory requirements.

How to eliminate wrong answers

Option A is wrong because HIPAA does not mandate a specific geographic storage location; data residency requirements may arise from other regulations or organizational policy, but they are not a HIPAA requirement. Option B is wrong because HIPAA does not prescribe a specific frequency for penetration tests; the Security Rule requires periodic assessments of security measures, but quarterly testing is not a mandatory requirement. Option C is wrong because while encryption of ePHI at rest is an addressable implementation specification under the HIPAA Security Rule, AES-256 is not explicitly mandated; the rule allows for equivalent alternatives that meet the standard of protecting data.

821
MCQ · medium

A global e-commerce platform uses AWS API Gateway to expose REST APIs to third-party developers. The security team notices that a malicious user is repeatedly sending large payloads to a /submit endpoint, causing high CPU usage on backend Lambda functions. The API uses a simple API key for authentication. Which combination of controls should be implemented to mitigate this attack while preserving legitimate access?

A. Configure API Gateway throttling and request body size validation
B. Subscribe to AWS Shield Advanced for DDoS protection
C. Change authentication to IAM roles with temporary credentials
D. Enable AWS WAF with a rate-based rule and block IP addresses
Answer: A

Throttling limits request rate, and size validation rejects large payloads before reaching Lambda.

Why this answer

Option A is correct because it directly addresses the two attack vectors: large payloads causing CPU exhaustion and excessive request volume. API Gateway request body size validation (up to 10 MB by default, configurable) rejects oversized payloads before they reach the backend Lambda, while throttling (e.g., 10,000 requests per second with a burst limit) prevents a single user from overwhelming the system. Together, these controls preserve legitimate access by only limiting anomalous traffic, not blocking all users.

Exam trap

ISC2 often tests the distinction between network-layer DDoS protection (Shield Advanced) and application-layer controls (throttling, WAF, payload validation), leading candidates to choose Shield Advanced when the attack is clearly at the application layer.

How to eliminate wrong answers

Option B is wrong because AWS Shield Advanced provides protection against volumetric DDoS attacks (e.g., SYN floods, UDP amplification), but it does not filter application-layer attacks like oversized payloads or high-volume requests to a specific endpoint; it also incurs significant cost and is overkill for this scenario. Option C is wrong because switching to IAM roles with temporary credentials (e.g., using AWS Signature Version 4) improves authentication security but does not mitigate the attack—the malicious user could still send large payloads and high request volumes after obtaining valid credentials. Option D is wrong because AWS WAF with a rate-based rule can block IP addresses that exceed a request threshold, but this is a reactive measure that may block legitimate users sharing the same IP (e.g., via NAT) and does not prevent the CPU impact from large payloads; it also requires additional configuration and cost.

822
MCQ · easy

A cloud security team is reviewing container security practices. Which of the following is the most effective way to minimize the attack surface of a container image?

A. Using the latest version of a base image
B. Using a minimal base image such as distroless
C. Using the :latest tag to ensure freshness
D. Scanning the image for CVEs after deployment
Answer: B

Correct; distroless images are minimal and reduce attack surface.

Why this answer

Distroless images contain only the application and its runtime dependencies, eliminating unnecessary packages and reducing the attack surface.

823
MCQ · hard

A company uses a serverless architecture with AWS Lambda to process user-uploaded files. The Lambda function is triggered by an S3 bucket event. While reviewing security, the architect wants to ensure that the Lambda function cannot be invoked by unauthorized S3 buckets or accounts. What is the most secure configuration?

A. Use a condition in the policy that checks the source IP address.
B. Place the Lambda function inside a VPC with a VPC endpoint for S3.
C. Configure the Lambda function's resource-based policy to grant permission only to the specific S3 bucket ARN and its owner account.
D. Attach a resource-based policy that allows any S3 bucket to invoke the function.
Answer: C

Restricts invocation to a known source.

Why this answer

Option C is correct because the most secure way to restrict Lambda invocation to a specific S3 bucket is to use a resource-based policy that explicitly grants the `lambda:InvokeFunction` permission only to the trusted bucket's ARN and the owning AWS account. This ensures that even if another S3 bucket or account attempts to trigger the function, the invocation is denied by the Lambda permission model, which evaluates both the resource-based policy and the caller's identity.

Exam trap

The trap here is that candidates often confuse network-level controls (like VPC placement or IP filtering) with identity-based access controls, failing to realize that S3 event notifications invoke Lambda through AWS's internal service-to-service channel, which bypasses network restrictions and requires explicit resource-based policy conditions.

How to eliminate wrong answers

Option A is wrong because checking the source IP address is ineffective for S3 event notifications, as S3 invokes Lambda via AWS internal services, not from a fixed public IP; the source IP can vary and is not a reliable control for cross-account or cross-bucket invocation. Option B is wrong because placing the Lambda function inside a VPC with a VPC endpoint for S3 controls network traffic but does not restrict which S3 buckets or accounts can invoke the function; invocation permissions are governed by IAM and resource-based policies, not network placement. Option D is wrong because allowing any S3 bucket to invoke the function violates the principle of least privilege and would permit unauthorized buckets or accounts to trigger the Lambda, leading to potential data exfiltration or abuse.

824
MCQ · easy

A cloud application is being designed to handle highly sensitive financial data. The security architect wants to ensure that encryption keys are managed outside the application's memory space. Which service model should they use?

A.Cloud Hardware Security Module (CloudHSM)
B.Key Management Service (KMS)
C.Trusted Platform Module (TPM)
D.Hardware Security Module (HSM)
AnswerD

HSM stores keys in tamper-resistant hardware, isolated from application memory.

Why this answer

Option D is correct because a Hardware Security Module (HSM) is a dedicated hardware appliance that manages encryption keys in a physically and logically isolated environment, entirely separate from the application's memory space. For highly sensitive financial data, an HSM provides FIPS 140-2 Level 3 or higher certification, ensuring keys never leave the device and are protected against memory-scraping attacks. This aligns with the requirement to keep key management outside the application's memory.

Exam trap

The trap here is that candidates confuse CloudHSM (a specific vendor service) with the generic HSM model, or they assume KMS provides the same hardware-level isolation, when in fact KMS often relies on software-based key management that may not guarantee keys are kept outside application memory.

How to eliminate wrong answers

Option A is wrong because CloudHSM is a cloud-based HSM service that still operates as a dedicated hardware appliance, but the question asks for the service model itself, not a specific cloud vendor implementation; the generic term 'HSM' is the correct model. Option B is wrong because Key Management Service (KMS) typically uses software-based key storage and may cache keys in memory, failing to guarantee that keys are managed entirely outside the application's memory space. Option C is wrong because Trusted Platform Module (TPM) is a hardware chip integrated into the motherboard for platform integrity and local key storage, but it is not designed for scalable, external key management for cloud applications and does not isolate keys from the application's memory in the same way a dedicated HSM does.

825
MCQmedium

A company is migrating its on-premises virtualized environment to the Azure cloud. The security team wants to ensure they can detect and respond to security incidents in the cloud. They plan to use Azure Security Center and Azure Sentinel. The on-premises environment uses a SIEM tool and logs from all servers are forwarded to it. In the cloud, they have provisioned virtual machines (VMs) running various workloads. The team needs to ensure that all security events from these VMs are captured and analyzed. Which of the following steps should they take FIRST to achieve comprehensive log collection?

A.Enable Azure Diagnostics extension and install the Log Analytics agent on all VMs to send logs to a Log Analytics workspace.
B.Set up a jump box VM with administrative tools and restrict access to it using just-in-time VM access.
C.Enable Azure Security Center's standard tier and rely on its built-in security events collection.
D.Configure network security group flow logs and send them to a storage account for analysis.
AnswerA

This collects OS-level events and allows Security Center and Sentinel to analyze them.

Why this answer

Option A is correct because enabling Azure Diagnostics and installing the Log Analytics agent on all VMs sends OS-level logs to Azure Monitor and a Log Analytics workspace, which is the foundation that both Security Center and Sentinel build on. Option B is wrong because configuring a jump box for administrators does not address general VM logging. Option C is wrong because, while Security Center collects security events, it may not cover all custom logs; the agent is needed for full coverage. Option D is wrong because network security group flow logs are important for network data, but not for VM-level logs.

Certified Cloud Security Professional CCSP CCSP Questions 751–825 | Page 11/14 | Courseiva