Certified Cloud Security Professional CCSP (CCSP) — Questions 826900

987 questions total · 14pages · All types, answers revealed

Page 11

Page 12 of 14

Page 13
826
Multi-Selectmedium

Which TWO of the following are key components of a cloud incident response plan that should be tested regularly?

Select 2 answers
A.Encryption key management procedures.
B.Automation playbooks for containment and eradication.
C.Communication channels for alerting stakeholders.
D.Backup and restore procedures.
E.Service level agreements (SLAs) with cloud provider.
AnswersB, C

Automation playbooks must be tested to ensure they execute correctly.

Why this answer

Automation playbooks for containment and eradication (B) are critical because they enable rapid, consistent response to incidents in cloud environments, where manual intervention can be too slow to prevent lateral movement or data exfiltration. Regular testing ensures these playbooks execute correctly against live cloud APIs (e.g., AWS Lambda, Azure Automation) and that they properly isolate compromised resources without disrupting legitimate workloads.

Exam trap

ISC2 often tests the distinction between incident response plan components and broader operational or contractual elements, so candidates mistakenly select backup/restore procedures (D) or SLAs (E) because they seem related to incident handling, but they are not core to the detection, containment, and eradication phases that require regular testing.

827
Multi-Selecteasy

A company is implementing a hybrid cloud architecture. Which two components are essential for establishing a secure connection between on-premises and cloud environments? (Choose two.)

Select 2 answers
A.Direct connect or dedicated interconnect
B.Identity and access management (IAM)
C.Cloud access security broker (CASB)
D.Web application firewall (WAF)
E.Virtual private network (VPN) gateway
AnswersA, E

Direct connect provides a dedicated private network connection for low latency and security.

Why this answer

A Direct Connect or dedicated interconnect provides a private, dedicated network connection from on-premises to the cloud provider, bypassing the public internet for lower latency and more consistent bandwidth. A VPN gateway establishes an encrypted tunnel over the public internet using protocols like IPsec (IKEv2) to secure data in transit. Together, these two components form the essential hybrid connectivity layer: the dedicated circuit for primary, high-throughput traffic and the VPN as a secure backup or for lower-cost, lower-bandwidth needs.

Exam trap

The trap here is that candidates often confuse security controls (IAM, CASB, WAF) with network connectivity components, mistakenly thinking that any security tool is essential for hybrid cloud connectivity, when in fact only dedicated circuits and VPN gateways provide the actual secure link between environments.

828
Multi-Selecthard

Which THREE are key considerations when designing a secure software development lifecycle (SSDLC) for cloud applications?

Select 3 answers
A.Static code analysis during development
B.Threat modeling at design phase
C.Security testing in production
D.Using a single cloud provider
E.Secure coding standards
AnswersA, B, E

Static analysis tools scan code for vulnerabilities without executing it, catching issues early.

Why this answer

Static code analysis (SAST) is a key SSDLC practice because it automatically scans source code for security vulnerabilities (e.g., SQL injection, buffer overflows) during the development phase, enabling early remediation before code is deployed. This aligns with the 'shift left' principle, reducing the cost and effort of fixing flaws later in the lifecycle.

Exam trap

ISC2 often tests the distinction between activities that are part of the secure development lifecycle (design, code, test) versus operational security tasks (production testing), and candidates mistakenly select 'Security testing in production' because they confuse it with runtime security monitoring or penetration testing.

829
MCQmedium

A company has enabled object versioning on its cloud storage bucket to protect against accidental deletion. A ransomware attack encrypts all objects and creates new versions. To recover the data, the company needs to restore the previous unencrypted versions. What is the most efficient recovery method?

A.Delete the current versions or use the previous versions directly
B.Use the object lifecycle policy to delete current versions
C.Request the cloud provider to restore from their backups
D.Restore from a backup stored in a different region
AnswerA

Versioning allows direct access to previous unencrypted versions.

Why this answer

Since versioning is enabled, the company can delete the current (encrypted) versions or use the previous versions directly, effectively reverting to the state before the attack.

830
MCQmedium

A security engineer is reviewing logs and finds repeated failed login attempts to a cloud database instance. The database is accessible only from a specific security group. What is the BEST immediate action to reduce the attack surface?

A.Enable multi-factor authentication for the database user accounts.
B.Review the security group inbound rules and restrict the source IP to only the required application servers.
C.Change the database port to a non-standard port.
D.Delete the database instance and restore from backup.
AnswerB

This limits who can attempt to connect, reducing the attack surface.

Why this answer

Option B is correct because the immediate priority is to restrict network-level access to the database. Since the database is only accessible from a specific security group, reviewing and tightening the inbound rules to allow traffic only from the required application servers' IP addresses directly reduces the attack surface by eliminating unnecessary exposure. This is a fundamental network segmentation principle in cloud security, as it prevents any unauthorized host within the security group from attempting authentication.

Exam trap

ISC2 often tests the distinction between network-layer controls (security groups) and application-layer controls (MFA, port obfuscation) to see if candidates prioritize reducing the attack surface at the lowest possible layer, where the impact is broadest and most immediate.

How to eliminate wrong answers

Option A is wrong because enabling multi-factor authentication (MFA) for database user accounts addresses authentication strength but does not reduce the attack surface from repeated failed login attempts; MFA would still allow attackers to attempt authentication from any IP within the security group, and the logs show the attempts are already reaching the database, meaning network access is the immediate vector. Option C is wrong because changing the database port to a non-standard port is a form of security through obscurity and does not prevent attackers from scanning for the new port or from continuing failed login attempts once the port is discovered; it does not address the root cause of unauthorized network access. Option D is wrong because deleting the database instance and restoring from backup is an overly drastic and disruptive action that does not address the underlying misconfiguration in the security group; it would cause unnecessary downtime and data loss without preventing the same attack from recurring after restoration.

831
Multi-Selectmedium

Which THREE of the following are key components of a data protection impact assessment (DPIA) under GDPR?

Select 3 answers
A.List of all data subjects' names
B.Copy of the encryption algorithm
C.Measures to address risks
D.Description of processing operations
E.Assessment of necessity and proportionality
AnswersC, D, E

Correct. The DPIA must describe measures to mitigate identified risks.

Why this answer

Option C is correct because Article 35 of the GDPR explicitly requires a DPIA to include 'measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.' This is a core component that demonstrates how the controller will mitigate identified privacy risks to an acceptable level.

Exam trap

ISC2 often tests the misconception that a DPIA is a technical audit checklist requiring detailed cryptographic or personal data inventories, when in fact it is a risk management document focused on necessity, proportionality, and risk mitigation measures.

832
Multi-Selectmedium

Which THREE of the following are common challenges in securing serverless applications?

Select 3 answers
A.Lack of control over the underlying kernel and OS
B.Insecure handling of event source inputs
C.Vulnerabilities in third-party libraries and dependencies
D.Increased attack surface due to many small functions
E.Difficulty in applying stateful firewall rules
AnswersB, C, D

Events from various sources may include malicious payloads.

Why this answer

Option B is correct because serverless functions rely on event-driven architectures where inputs from sources like HTTP requests, database changes, or message queues are processed directly. If these inputs are not properly validated and sanitized, attackers can inject malicious payloads (e.g., SQL injection, command injection) that execute within the function's runtime, leading to data breaches or unauthorized actions. This is a primary attack vector unique to serverless, as the function code directly consumes untrusted data without traditional perimeter defenses.

Exam trap

ISC2 often tests the misconception that serverless eliminates all infrastructure security concerns, leading candidates to overlook the critical need for input validation and dependency management, while incorrectly assuming that network controls like firewalls are still applicable.

833
MCQhard

During a forensic investigation of a compromised AWS account, the incident response team needs to determine the exact time an attacker created a new IAM user and what permissions were assigned. Which log source would provide the most reliable evidence?

A.AWS Config configuration history for the IAM user
B.S3 access logs for the bucket containing IAM policy files
C.AWS CloudTrail management events
D.VPC Flow Logs for the management console IP
AnswerC

CloudTrail management events capture all IAM API calls with detailed request parameters.

Why this answer

AWS CloudTrail management events capture all API calls made to the AWS Management Console, SDKs, CLI, and AWS services, including IAM CreateUser and AttachUserPolicy actions. These events record the exact timestamp, source IP, user agent, and the identity of the principal making the call, making them the definitive source for determining when an IAM user was created and what permissions were assigned.

Exam trap

Cisco often tests the distinction between management events (CloudTrail) and data events (S3 access logs, VPC Flow Logs), and the trap here is that candidates confuse network-level logs (VPC Flow Logs) or configuration snapshots (AWS Config) with the API-level audit trail that CloudTrail provides.

How to eliminate wrong answers

Option A is wrong because AWS Config configuration history records the state of resources over time but does not capture the exact API call timestamp or the identity of the caller; it only shows the resulting configuration changes. Option B is wrong because S3 access logs record requests to S3 buckets, not IAM user creation or policy assignment events; they are irrelevant for tracking IAM management actions. Option D is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) but do not log API-level actions like IAM user creation or permission assignments.

834
Multi-Selecteasy

Which TWO of the following are valid methods for securing data at rest in a cloud storage service?

Select 2 answers
A.Disabling encryption to reduce latency.
B.Implementing client-side encryption before uploading data.
C.Using server-side encryption with customer-managed keys.
D.Setting the storage bucket to public read access.
E.Enabling access logging for the storage bucket.
AnswersB, C

Client-side encryption ensures data is encrypted before transmission.

Why this answer

Option B is correct because client-side encryption ensures data is encrypted before it leaves the client environment, so the cloud provider never has access to the plaintext. This is a valid method for securing data at rest in cloud storage, as the encrypted objects are stored in the service and can only be decrypted by the client holding the keys.

Exam trap

ISC2 often tests the distinction between encryption methods (client-side vs. server-side) and security controls (e.g., logging vs. encryption), so the trap here is that candidates may confuse access logging or public access settings with data-at-rest protection mechanisms.

835
MCQhard

During a cloud audit, the auditor finds that the CSP's data deletion process does not meet contractual requirements. The customer's data may still be recoverable after termination. What is the best next step for the customer?

A.Initiate a remediation plan with defined timelines
B.Immediately terminate the contract with the CSP
C.Report the CSP to the regulatory authority
D.Ignore the finding because it is a minor issue
AnswerA

Working with the CSP to correct the process is the appropriate first step.

Why this answer

Option D is correct because the customer should initiate a remediation plan with defined timelines to fix the process. Option A is wrong because terminating the contract may not solve the data issue immediately. Option B is wrong because reporting to the regulator may be premature.

Option C is wrong because ignoring is not acceptable.

836
MCQhard

An Azure application uses a key vault key for client-side encryption of data. The application also communicates with a cloud service over HTTPS. After deploying, the handshake failure occurs. Which of the following is the most likely cause?

A.The application is using the wrong key version
B.The key vault key is not accessible due to network restrictions
C.The client and server do not have a common TLS version or cipher suite
D.The key vault key is not enabled for encryption
AnswerC

Alert 40 indicates handshake failure due to version/cipher mismatch.

Why this answer

The handshake failure occurs at the transport layer (TLS/SSL), which is independent of client-side encryption using a key vault key. The most likely cause is a mismatch in TLS versions or cipher suites between the client and server, as HTTPS relies on a successful TLS handshake. Options A, B, and D relate to the key vault key's availability or configuration, which would not cause a TLS handshake failure.

Exam trap

The trap here is that candidates confuse client-side encryption (using a key vault key) with transport-layer security (TLS), assuming a key-related issue causes the handshake failure, when in fact the handshake is a separate protocol layer.

How to eliminate wrong answers

Option A is wrong because using the wrong key version would cause decryption failures on the client side, not a TLS handshake failure during HTTPS communication. Option B is wrong because network restrictions to the key vault would result in an access denied or timeout error when the application tries to retrieve the key, not a handshake failure in the TLS layer. Option D is wrong because if the key vault key is not enabled for encryption, the application would fail to encrypt data locally, but the HTTPS handshake is a separate process that does not depend on the key's encryption status.

837
MCQmedium

A financial institution is subject to strict regulatory requirements that mandate data residency and physical control over its infrastructure. At the same time, it wants to leverage cloud bursting for peak loads. Which deployment model should the institution adopt?

A.Hybrid cloud
B.Private cloud
C.Community cloud
D.Public cloud
AnswerA

Hybrid cloud allows the institution to keep sensitive data in a private cloud and use public cloud for bursting.

Why this answer

A hybrid cloud combines a private cloud for sensitive workloads with public cloud resources for elasticity, meeting both regulatory and scalability needs.

838
MCQhard

A cloud security team wants to enforce that only signed container images are deployed in their Kubernetes cluster. Which admission controller can validate image signatures at deploy time?

A.HashiCorp Vault
B.Consul
C.Trivy
D.Kyverno
AnswerD

Kyverno is a Kubernetes-native policy engine that can verify image signatures.

Why this answer

Admission controllers like OPA Gatekeeper or Kyverno can enforce policies to only allow images signed by trusted authorities.

839
MCQhard

During a security incident in a multi-tenant cloud environment, the cloud provider's logging system indicates that a virtual machine (VM) on a shared hypervisor has been compromised. The provider wants to assist the customer with forensic analysis while minimizing impact to other tenants. Which approach is most appropriate?

A.Rebuild the VM from a known good image and then run security scans.
B.Provide the customer with a memory snapshot of the compromised VM.
C.Clone the entire hypervisor and give the customer access to the clone.
D.Power off the VM immediately to contain the incident.
AnswerB

Memory snapshot preserves volatile data and allows forensic analysis without impacting other tenants.

Why this answer

Option B is correct because providing a memory snapshot of the compromised VM preserves volatile forensic data (e.g., running processes, network connections, encryption keys) without disrupting the hypervisor or other tenants. This approach adheres to the cloud provider's responsibility to isolate forensic evidence while maintaining multi-tenant isolation, as memory snapshots can be taken via hypervisor-level APIs (e.g., VMware VMotion or libvirt) without powering off the VM or cloning the entire host.

Exam trap

ISC2 often tests the distinction between forensic acquisition (preserving evidence) and incident containment/remediation, where candidates mistakenly choose immediate power-off (Option D) or rebuild (Option A) instead of the correct memory snapshot approach that balances evidence preservation with multi-tenant isolation.

How to eliminate wrong answers

Option A is wrong because rebuilding the VM from a known good image destroys all volatile evidence (e.g., memory-resident malware, active network connections) and is a remediation step, not a forensic acquisition step. Option C is wrong because cloning the entire hypervisor is excessively disruptive, exposes other tenants' data to the customer, and violates the shared responsibility model by breaking tenant isolation at the hypervisor level. Option D is wrong because powering off the VM immediately destroys volatile memory evidence and may trigger anti-forensic mechanisms in malware (e.g., self-deletion on shutdown), while also causing unnecessary downtime for the customer.

840
MCQhard

Which audit report provides the most comprehensive assurance regarding a cloud provider's controls over a period of time, including controls related to security, availability, processing integrity, confidentiality, and privacy?

A.ISO 27001 certification
B.SOC 2 Type I
C.CSA STAR self-assessment
D.SOC 2 Type II
AnswerD

Type II assesses controls over a period and covers the trust criteria.

Why this answer

SOC 2 Type II reports cover controls over a period of time and include the five trust service criteria. SOC 2 Type I is a point-in-time report. ISO 27001 is a certification, not a report.

CSA STAR is a self-assessment.

841
MCQeasy

A healthcare organization is storing patient records in a cloud object storage service. They must encrypt data at rest with keys they control and rotate regularly, but they do not want to manage the encryption process themselves. Which encryption option should they use?

A.Server-side encryption with cloud provider default keys
B.Customer-managed encryption keys (CMEK)
C.Customer-supplied encryption keys (CSEK)
D.Client-side encryption
AnswerB

Correct: customer creates keys in KMS, authorizes cloud service, and retains control.

Why this answer

CMEK allows the customer to create and manage keys in the cloud KMS, while the cloud service performs encryption/decryption using those keys, providing control without operational burden.

842
MCQmedium

A security engineer is reviewing a cloud application that uses AWS S3 buckets. Which vulnerability is most specific to cloud environments and is often exploited to access sensitive data?

A.Buffer overflow
B.SQL injection
C.Exposed S3 buckets with public read access
D.Cross-site scripting (XSS)
AnswerC

Correct. This is a cloud-specific misconfiguration that can expose data.

Why this answer

Exposed S3 buckets with public read access are a cloud-specific misconfiguration vulnerability because they rely on the AWS S3 bucket policy or ACL settings that grant unauthenticated access to objects. Unlike traditional on-premises vulnerabilities, this arises from improper cloud resource configuration, allowing attackers to enumerate and download sensitive data directly via HTTP/HTTPS requests without any authentication.

Exam trap

Cisco often tests the distinction between cloud-specific misconfigurations (like exposed S3 buckets) and traditional application vulnerabilities (like SQL injection or XSS), trapping candidates who confuse general web app flaws with cloud-native risks.

How to eliminate wrong answers

Option A is wrong because buffer overflow is a memory corruption vulnerability in software code, not a cloud-specific misconfiguration; it requires exploiting a programming flaw in an application, not a cloud storage setting. Option B is wrong because SQL injection is a web application vulnerability that targets database queries through user input, not a cloud environment's storage service like S3. Option D is wrong because cross-site scripting (XSS) is a client-side injection attack that executes malicious scripts in a user's browser, unrelated to cloud storage bucket permissions.

843
MCQmedium

In the shared responsibility model for public cloud IaaS, which of the following is typically the responsibility of the cloud customer?

A.Network infrastructure redundancy
B.Managing virtual machine guest OS patches
C.Physical security of data centers
D.Patching the hypervisor
AnswerB

Correct. The customer is responsible for patching the guest OS.

Why this answer

In IaaS, the customer manages the guest OS, applications, data, and network traffic controls. The provider manages the physical infrastructure, hypervisor, and network.

844
Multi-Selectmedium

Which THREE of the following are essential components of a Secure Software Development Lifecycle (SSDLC) in the cloud? (Choose three.)

Select 3 answers
A.Static application security testing (SAST) in CI/CD
B.Dynamic application security testing (DAST) in staging
C.Manual code reviews without automation
D.Threat modeling during design phase
E.Annual penetration testing only
AnswersA, B, D

SAST finds vulnerabilities in source code early.

Why this answer

Option A is correct because SAST tools scan source code, bytecode, or binaries for vulnerabilities like SQL injection or buffer overflows early in the development cycle. Integrating SAST into the CI/CD pipeline enables automated, continuous security checks on every commit or build, which is a core practice of a Secure Software Development Lifecycle (SSDLC) in the cloud. This shift-left approach catches flaws before they reach production, reducing remediation cost and risk.

Exam trap

ISC2 often tests the misconception that manual reviews are a primary or essential component of an SSDLC in the cloud, when in fact automation is critical for speed and consistency, and they also test the trap that annual penetration testing is sufficient for cloud environments, which require continuous security validation.

845
MCQeasy

A security engineer is reviewing container security practices. Which tool is specifically designed to scan container images for Common Vulnerabilities and Exposures (CVEs)?

A.Kubernetes RBAC
B.Trivy
C.Seccomp
D.OPA Gatekeeper
AnswerB

Trivy is a popular image vulnerability scanner.

Why this answer

Trivy is an open-source vulnerability scanner for container images, commonly used in CI/CD pipelines.

846
Multi-Selectmedium

Which TWO of the following are key elements of a cloud service agreement (CSA) for legal compliance?

Select 2 answers
A.Audit rights
B.Encryption key management
C.Data portability tools
D.Service level agreements (SLA) uptime guarantee
E.Data processing terms (DPA)
AnswersA, E

Allows customer to verify compliance, often legally required.

Why this answer

Data processing terms (DPA) and audit rights are standard CSA elements addressing legal compliance. Encryption key management and portability are more about security and operations, but not always considered 'key legal compliance' elements.

847
MCQmedium

A company is negotiating a cloud service agreement and wants to ensure it can verify the provider's security controls independently. Which contractual clause is essential for this purpose?

A.Data deletion clause
B.Right to audit clause
C.Service Level Agreement (SLA) on uptime
D.Data portability clause
AnswerB

This clause grants the customer the right to conduct audits or review third-party audit reports.

Why this answer

A right to audit clause gives the customer the contractual ability to assess the provider's controls, either through on-site audits or review of audit reports.

848
MCQmedium

The security team notices that the request above is from a known malicious IP address. However, the load balancer did not block it. What is the most likely reason?

A.The user-agent indicates it is a legitimate search engine
B.The response code indicates success
C.The load balancer's access control list does not include the IP address
D.The request was encrypted with TLS
AnswerC

If the IP is not in the deny list, the request will be allowed.

Why this answer

C is correct because a load balancer's access control list (ACL) is a stateless or stateful rule set that explicitly defines which source IP addresses are allowed or denied. If the malicious IP address is not listed in the ACL, the load balancer will not block the traffic, regardless of the request's content or encryption status. The security team's observation that the request was from a known malicious IP but was not blocked directly points to a missing or incomplete ACL entry.

Exam trap

ISC2 often tests the misconception that encryption (TLS) or response codes can override access control decisions, but the trap here is that candidates forget ACLs operate at a lower layer and are independent of application-layer details like user-agent or HTTP status codes.

How to eliminate wrong answers

Option A is wrong because the user-agent header is easily spoofed and does not determine the legitimacy of the source IP; a malicious actor can set a user-agent string to mimic a legitimate search engine. Option B is wrong because the response code (e.g., HTTP 200) indicates the request was processed successfully, but it does not imply that the request should have been blocked; blocking decisions are based on pre-configured rules, not on the outcome of the request. Option D is wrong because TLS encryption protects data in transit but does not affect IP-based access control; a load balancer can inspect the source IP before or after TLS termination, and encryption does not bypass ACL rules.

849
MCQhard

An organization uses a cloud-based data analytics platform with data stored in a data warehouse. The security team discovers that some tables contain unencrypted personally identifiable information (PII). They need to automatically scan the data warehouse for PII and apply pseudonymization to protect sensitive columns. Which cloud service should be used?

A.Cloud Storage bucket policies
B.Cloud Access Security Broker (CASB)
C.Cloud Data Loss Prevention (DLP) API
D.Cloud Key Management Service (KMS)
AnswerC

DLP API provides scanning and de-identification transforms for sensitive data.

Why this answer

Cloud DLP (Data Loss Prevention) APIs can scan data stores like BigQuery for sensitive data types (PII, credit card numbers, etc.) and apply de-identification transforms such as pseudonymization, masking, tokenization, etc. This is the intended service for automated discovery and protection.

850
MCQhard

During a security review, a cloud security architect discovers that a PaaS database service has public network access enabled. The application team claims they need it for external integrations. What is the most secure alternative to allow necessary access?

A.Encrypt all data at rest and in transit to the database.
B.Use Azure Private Link or AWS PrivateLink to connect via private IP within the cloud network.
C.Move the database to a VM-hosted instance with a VPN connection.
D.Restrict public access using IP whitelisting to only required external IPs.
AnswerB

Traffic never traverses the public internet, and access is restricted to private endpoints.

Why this answer

Option C is correct because private link creates a private endpoint, eliminating exposure to the public internet. Option A is wrong because firewall rules still allow public IP addresses. Option B is wrong because it changes the service but still may have public exposure.

Option D is wrong because it is not a security control.

851
MCQhard

A company uses AWS CloudTrail with log file validation enabled. An auditor wants to verify that a specific log file has not been tampered with. Which process should the auditor use to confirm the integrity of the CloudTrail log file?

A.Use the AWS CLI command 'aws cloudtrail validate-logs' which automatically verifies the digital signature and hash
B.Check the log file’s last modified timestamp against the CloudTrail delivery timestamp
C.Compare the log file’s SHA-256 hash with the hash stored in AWS Key Management Service (KMS)
D.Review the log file’s integrity using the SHA-256 checksum provided in the S3 object metadata
AnswerA

The validate-logs command performs the verification using the digest files and public key.

Why this answer

CloudTrail log file validation uses SHA-256 hashing and digital signatures. The log file digest file contains the hash of the log file and is signed by a private key. To verify, the auditor uses the public key (from AWS) to verify the signature on the digest, then compares the hash of the log file to the hash in the digest.

852
MCQeasy

In a cloud VPC design, which component acts as a stateful firewall at the instance level, allowing only inbound rules?

A.Security group
B.Network ACL (NACL)
C.Internet gateway
D.Route table
AnswerA

Security groups are instance-level stateful firewalls.

Why this answer

Security groups are stateful firewalls that control traffic to instances; they only support allow rules and are stateful.

853
MCQhard

During a threat modeling session for a cloud-native application, which cloud-specific attack path is most critical to identify?

A.Cross-Site Scripting (XSS) in a web form
B.SQL injection in a legacy database
C.Server-Side Request Forgery (SSRF) to the metadata service
D.Buffer overflow in a compiled binary
AnswerC

SSRF to the metadata endpoint (e.g., 169.254.169.254) can leak cloud IAM credentials.

Why this answer

SSRF targeting cloud metadata endpoints is a critical cloud-specific threat because it can expose IAM credentials, leading to full account compromise. This is a unique cloud attack path not typically present in on-premises environments.

854
MCQmedium

A financial services company is required to keep customer data within a specific geographic boundary due to regulatory requirements. The company is evaluating cloud deployment models. Which model would best ensure data sovereignty while still providing scalability?

A.Hybrid cloud with public cloud bursting
B.Public cloud with multi-region deployment
C.Community cloud hosted in the required geography
D.Private cloud on-premises
AnswerC

Correct. Community cloud meets shared requirements and can be geo-fenced.

Why this answer

A community cloud can be shared by organizations with common compliance needs, such as financial regulations, and can be deployed in a specific region to meet data sovereignty.

855
MCQmedium

A large enterprise is migrating a legacy .NET application to Azure App Service. The application currently stores session state in-memory on the web server. During the migration, the team plans to horizontally scale the application across multiple instances. The security team requires that session data remain confidential and be available even if an instance fails. Which solution should the team implement?

A.Store session data in Azure SQL Database with column-level encryption
B.Use Azure Redis Cache to store session state with encryption enabled
C.Encrypt session data and store it as a client-side cookie
D.Configure Application Gateway with cookie-based affinity (sticky sessions)
AnswerB

Redis provides scalable, encrypted, persistent session storage independent of instances.

Why this answer

Azure Redis Cache with encryption enabled provides a secure, centralized session store that persists data independently of individual web server instances. This ensures session data remains available even if an instance fails, and encryption protects confidentiality in transit and at rest, meeting the security team's requirements for horizontal scaling.

Exam trap

ISC2 often tests the distinction between availability and affinity, where candidates mistakenly choose sticky sessions (Option D) thinking they solve availability, but sticky sessions actually create a single point of failure by binding a user to one instance.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database with column-level encryption does not provide the low-latency, in-memory performance needed for session state in a horizontally scaled web application, and it introduces unnecessary database overhead and cost. Option C is wrong because storing encrypted session data as a client-side cookie violates the requirement for availability after instance failure, as the data is tied to the client and not centrally managed, and cookies have size limits (typically 4 KB) that cannot accommodate large session states. Option D is wrong because Application Gateway with cookie-based affinity (sticky sessions) pins a client to a specific instance, which prevents true horizontal scaling and does not ensure session data availability if that instance fails, as the session remains in-memory on that single server.

856
MCQhard

A company is designing a multi-cloud strategy to avoid vendor lock-in and ensure portability. They are considering using containers and an open-source orchestration platform. Which of the following is the BEST choice to achieve workload portability across different cloud providers?

A.Kubernetes
B.Azure Functions
C.AWS Lambda
D.VMware vSphere
AnswerA

Kubernetes is open-source and supported by all major cloud providers.

Why this answer

Kubernetes is an open-source container orchestration platform that allows portability across clouds.

857
MCQhard

A cloud security architect is designing a data classification and labeling solution for a multinational corporation with offices in multiple countries. The corporation uses various SaaS applications (Office 365, Salesforce, etc.) and IaaS services. They require automatic classification of documents based on content (e.g., credit card numbers, social security numbers) and enforcement of protection policies (e.g., encryption, access restrictions) based on the classification. The solution must work across all cloud services and provide a unified management console. The corporation also needs to maintain data residency—data must not be stored in a different geographic region than where it was classified. Which cloud security solution BEST meets these requirements?

A.Deploy a cloud access security broker (CASB) with integrated DLP capabilities that can classify and enforce policies across multiple cloud apps.
B.Use each cloud provider's native DLP service (e.g., Microsoft Information Protection, AWS Macie) and manage them individually.
C.Use a third-party encryption gateway that encrypts all data leaving the on-premises network.
D.Implement a custom data classification system running on a virtual machine that inspects data via APIs.
AnswerA

Provides unified management, cross-cloud classification, and policy enforcement.

Why this answer

Option A is correct. A CASB with integrated DLP can classify content across multiple cloud apps and enforce policies from a single console, while also supporting data residency through policy configuration. Option B lacks unified management.

Option C is complex and may not scale. Option D does not provide classification.

858
MCQeasy

The exhibit shows the versioning configuration for an S3 bucket. What effect does enabling MFADelete have on data protection?

A.It automatically encrypts all new object versions
B.It requires MFA to permanently delete an object version
C.It prevents any version of an object from being overwritten
D.It requires MFA for all operations on the bucket
AnswerB

MFADelete adds MFA protection for delete operations.

Why this answer

Enabling MFADelete on an S3 bucket requires multi-factor authentication to permanently delete an object version or to suspend versioning on the bucket. This adds a critical layer of protection against accidental or malicious deletion of object versions, ensuring that even with administrative credentials, a second factor is needed to complete the destructive operation. It does not affect encryption, overwrite prevention, or all operations—only permanent deletion and versioning suspension.

Exam trap

ISC2 often tests the misconception that MFADelete applies to all bucket operations, when in fact it only applies to permanent deletion of object versions and suspension of versioning, not to reads, writes, or other management actions.

How to eliminate wrong answers

Option A is wrong because MFADelete does not automatically encrypt objects; encryption is managed separately via server-side encryption (SSE-S3, SSE-KMS, SSE-C) or client-side encryption. Option C is wrong because MFADelete does not prevent overwriting an object version; it only protects against permanent deletion of a version, while new versions can still be written (overwriting the current version). Option D is wrong because MFADelete does not require MFA for all operations; it only applies to two specific actions: permanently deleting an object version and suspending versioning on the bucket.

859
MCQhard

Which runtime security control monitors application behavior and can block attacks by analyzing application logic and context?

A.Web application firewall (WAF)
B.Intrusion detection system (IDS)
C.Runtime application self-protection (RASP)
D.Static application security testing (SAST)
AnswerC

RASP instruments the application runtime to detect and block attacks based on application logic.

Why this answer

C is correct because Runtime Application Self-Protection (RASP) is a security technology that is integrated into an application's runtime environment, allowing it to monitor actual application behavior and context (e.g., input validation, SQL queries, API calls) in real time. Unlike external controls, RASP can understand the application's logic and data flow, enabling it to block attacks such as SQL injection or command injection by analyzing the specific context of each request.

Exam trap

Cisco often tests the distinction between network-layer controls (WAF) and application-layer controls (RASP), and the trap here is that candidates mistakenly choose WAF because they think it 'analyzes application logic' when in fact WAFs rely on signatures and patterns, not runtime context.

How to eliminate wrong answers

Option A is wrong because a Web Application Firewall (WAF) operates at the network or HTTP layer, inspecting traffic patterns and signatures (e.g., OWASP ModSecurity rules) without understanding the application's internal logic or runtime context. Option B is wrong because an Intrusion Detection System (IDS) passively monitors network or host events for known attack signatures or anomalies, but it cannot block attacks inline or analyze application-specific logic and context. Option D is wrong because Static Application Security Testing (SAST) analyzes source code or binaries at rest, not during runtime, and thus cannot monitor or block live application behavior.

860
MCQhard

A company uses a cloud key management service (KMS) with an HSM-backed key for encrypting sensitive data. They want to ensure that the key is automatically rotated every 90 days and that older key versions are retained for decryption of previously encrypted data. Which KMS feature should be configured?

A.Automatic key rotation with version retention
B.Key aliasing
C.Key destruction schedule
D.Key revocation policy
AnswerA

Automatic rotation creates new key versions; old versions are retained for decryption.

Why this answer

Key rotation in cloud KMS (e.g., AWS KMS, Azure Key Vault, GCP Cloud KMS) can be set to automatic rotation with a specified period. Old key versions are retained so that data encrypted with older keys can still be decrypted. The key material changes, but key ID remains the same.

861
Multi-Selectmedium

Which TWO statements about data classification are correct?

Select 2 answers
A.Data classification is performed once at creation.
B.Data classification must be automated to be effective.
C.Data classification can be based on context and content.
D.Data classification is solely based on regulatory requirements.
E.Data classification labels determine access controls.
AnswersC, E

Classification uses both content inspection and contextual metadata.

Why this answer

Option C is correct because data classification can be based on both context (e.g., source, creator, location) and content (e.g., keywords, patterns, data values). This dual approach allows organizations to apply classification rules that consider the environment and the actual data, enabling more accurate and granular protection. For example, a document containing a credit card number (content) created by the finance department (context) could be classified as 'Confidential'.

Exam trap

ISC2 often tests the misconception that data classification is a static, one-time activity (Option A) or that automation is mandatory (Option B), when in reality classification is a continuous process and can be manual or hybrid.

862
Multi-Selectmedium

Which THREE of the following are benefits of using a hybrid cloud deployment model?

Select 3 answers
A.Elasticity to burst to public cloud during peak demand
B.Simplified SLA management across environments
C.Ability to keep sensitive workloads on-premises while using public cloud for less sensitive ones
D.Consistent security policies can be applied across both environments
E.Eliminates data sovereignty concerns
AnswersA, C, D

Hybrid enables scaling to public cloud.

Why this answer

Hybrid cloud offers flexibility to keep sensitive data on-premises, burst to public cloud for elasticity, and maintain consistent security policies across environments. It does not reduce SLA complexity or eliminate data sovereignty concerns.

863
Multi-Selectmedium

Which THREE of the following are typical responsibilities of a cloud customer under the shared responsibility model?

Select 3 answers
A.Classifying data and managing data encryption.
B.Physical security of data centers.
C.Managing user identities and access permissions.
D.Patching the hypervisor.
E.Patching operating systems on virtual machines.
AnswersA, C, E

Data classification and encryption are customer responsibilities.

Why this answer

Option A is correct because under the shared responsibility model, the cloud customer is responsible for classifying their data and managing encryption (both at rest and in transit) using tools like AWS KMS, Azure Key Vault, or client-side encryption libraries. The provider secures the infrastructure, but the customer controls access to the data itself.

Exam trap

ISC2 often tests the misconception that customers are responsible for patching the hypervisor or physical security, when in fact those are always provider obligations under the shared responsibility model.

864
MCQeasy

A customer requires complete control over encryption keys used to protect data at rest in the cloud. Which cloud service model provides the most direct control?

A.Infrastructure as a Service (IaaS)
B.Anything as a Service (XaaS)
C.Platform as a Service (PaaS)
D.Software as a Service (SaaS)
AnswerA

IaaS provides the most control over the operating system, storage, and encryption keys.

Why this answer

Option A is correct. IaaS gives customers control over the entire infrastructure stack, including encryption key management. PaaS and SaaS abstract away much of that control, limiting customer-managed key options.

865
Multi-Selecteasy

A cloud security team needs to ensure that all data in transit between on-premises systems and the cloud is encrypted. Which TWO options should they consider? (Choose two.)

Select 2 answers
A.Set up a VPN between on-premises and cloud
B.Use signed URLs for access
C.Enable bucket versioning
D.Enable server-side encryption with CMEK
E.Use TLS 1.2+ for all API calls
AnswersA, E

VPN encrypts all traffic between networks.

Why this answer

TLS 1.2+ encrypts API communications, and VPN establishes an encrypted tunnel for hybrid connectivity. Both protect data in transit.

866
MCQmedium

A company runs its production workloads on a cloud platform. The security team wants to ensure that all compute instances are patched within 30 days of a patch release. Which of the following is the BEST approach to enforce this requirement?

A.Use an automated patch management tool that deploys patches to all instances within 30 days
B.Configure vulnerability scanning to identify unpatched instances and notify administrators
C.Create a change management process that requires approval for all patches
D.Implement a manual patching policy and require each team to submit a patch report monthly
AnswerA

Automation enforces timeline.

Why this answer

Option B is correct because automated patch management with a scheduled deployment ensures compliance with the timeline. Option A is wrong because manual patching is error-prone and may not meet the timeline. Option C is wrong while it helps identify unpatched instances, it does not enforce patching.

Option D is wrong because approval workflow adds delay.

867
MCQhard

A company uses AWS and needs to allow a Lambda function in a VPC to access an S3 bucket without traversing the internet. Which solution meets this requirement securely?

A.Configure a NAT gateway in the VPC and route traffic through it
B.Create a VPC endpoint for S3 and attach it to the Lambda's VPC
C.Use VPC peering to connect to the S3 bucket's VPC
D.Assign a public IP to the Lambda and use an internet gateway
AnswerB

Correct; a VPC endpoint enables private connectivity.

Why this answer

VPC endpoints (Gateway or Interface) allow private access to AWS services without internet traversal. For S3, a Gateway endpoint is commonly used.

868
Multi-Selecthard

An organization is migrating a legacy application to the cloud and requires reversibility. Which THREE of the following should be considered to ensure the application can be migrated away from the cloud provider in the future?

Select 3 answers
A.Using containerization with Kubernetes for workload portability
B.Designing the application to use open standards (e.g., OAuth, REST)
C.Using proprietary APIs for storage and compute
D.Implementing auto-scaling policies
E.Ensuring data can be exported in standard formats (e.g., CSV, JSON)
AnswersA, B, E

Containers and orchestration improve portability.

Why this answer

Reversibility involves using open standards and APIs, ensuring data portability, and avoiding deep integration with proprietary services. Auto-scaling is a benefit but not a requirement for reversibility.

869
MCQeasy

A cloud administrator is configuring log retention for a financial application that must comply with PCI DSS. What is the minimum log retention period required by PCI DSS?

A.At least 90 days.
B.At least six months.
C.At least five years.
D.At least one year with the most recent three months available online.
AnswerD

PCI DSS Requirement 10.7 mandates retention for at least one year, with three months online.

Why this answer

PCI DSS requirement 10.7 mandates that audit trail history must be retained for at least one year, with the most recent three months of logs immediately available for analysis. This ensures that historical data is preserved for forensic investigation while maintaining quick access to recent activity. Option D correctly states this dual requirement.

Exam trap

The trap here is that candidates often confuse the 'immediately available' 90-day requirement with the total retention period, leading them to incorrectly select Option A instead of recognizing the full one-year retention mandate with the three-month online subset.

How to eliminate wrong answers

Option A is wrong because 90 days is only the minimum period for which the most recent logs must be immediately available, not the total retention period. Option B is wrong because six months is not a PCI DSS retention requirement; the standard requires one year total. Option C is wrong because five years exceeds the PCI DSS minimum; that duration is more typical of HIPAA or other regulatory frameworks, not PCI DSS.

870
MCQmedium

A cloud administrator applies the bucket policy shown in the exhibit to an S3 bucket. What is the expected outcome?

A.All objects uploaded must be encrypted using server-side encryption with S3-managed keys (SSE-S3)
B.All upload requests will be denied unless they include encryption metadata
C.All objects must be encrypted with AWS KMS keys
D.All objects uploaded must be client-side encrypted before uploading
AnswerA

The condition requires x-amz-server-side-encryption: AES256, which is SSE-S3.

Why this answer

Option A is correct because the bucket policy explicitly denies uploads unless the `x-amz-server-side-encryption` header is set to `AES256`, which corresponds to SSE-S3. This ensures all objects uploaded to the bucket are encrypted at rest using server-side encryption with S3-managed keys, as the policy condition enforces the presence of that specific encryption header.

Exam trap

The trap here is that candidates often confuse the requirement for any encryption metadata (option B) with the specific requirement for SSE-S3 (AES256), or they mistakenly think the policy enforces KMS (option C) because they overlook the exact header value `AES256` in the condition.

How to eliminate wrong answers

Option B is wrong because the policy does not merely require encryption metadata; it specifically requires the `x-amz-server-side-encryption` header to be set to `AES256`, not just any encryption metadata. Option C is wrong because the policy enforces SSE-S3 (AES256), not AWS KMS keys (which would require `aws:kms` in the header). Option D is wrong because the policy enforces server-side encryption, not client-side encryption; client-side encryption is performed before upload and does not involve the `x-amz-server-side-encryption` header.

871
MCQhard

An enterprise uses a Cloud Access Security Broker (CASB) to monitor cloud application usage. The CASB generates alerts about potential data loss prevention events. What is the primary purpose of the CASB's DLP capabilities?

A.To block all uploads of sensitive data to cloud apps
B.To classify data automatically using machine learning
C.To detect and prevent unauthorized sharing of sensitive data based on policies
D.To encrypt data before it is sent to cloud apps
AnswerC

DLP policies allow controlled sharing while blocking unauthorized transfers.

Why this answer

The primary purpose of a CASB's DLP capabilities is to enforce policies that detect and prevent unauthorized sharing of sensitive data. This is achieved by inspecting content in transit (e.g., via API or proxy) and applying rules such as blocking, quarantining, or alerting on policy violations. Option C correctly captures this core function of policy-based detection and prevention, which goes beyond simple blocking or classification.

Exam trap

ISC2 often tests the misconception that DLP's primary purpose is to block all sensitive data or to classify data, when in fact it is to enforce granular policies that detect and prevent unauthorized sharing based on context (e.g., user, location, device).

How to eliminate wrong answers

Option A is wrong because blocking all uploads of sensitive data is too restrictive and not the primary purpose; CASB DLP uses granular policies to allow legitimate transfers while blocking only unauthorized ones. Option B is wrong because automatic classification using machine learning is a feature of data discovery and classification tools, not the primary DLP purpose; DLP focuses on enforcing policies on already-classified or pattern-matched data. Option D is wrong because encryption is a separate control often handled by key management or tokenization services, not the primary DLP function; CASB DLP may trigger encryption but its core role is policy enforcement, not encryption itself.

872
Multi-Selectmedium

An organization is evaluating techniques to protect data while it is being processed in memory. The goal is to prevent unauthorized access even if the operating system or hypervisor is compromised. Which TWO techniques are suitable for protecting data in use?

Select 2 answers
A.Hashing
B.Data masking
C.Secure enclaves (e.g., Intel SGX)
D.Homomorphic encryption
E.Tokenization
AnswersC, D

Hardware-based isolation for code and data in memory.

Why this answer

Secure enclaves, such as Intel SGX, provide hardware-enforced isolation by creating trusted execution environments (TEEs) that encrypt memory pages in use, protecting data even if the OS or hypervisor is compromised. This makes them suitable for protecting data in use because the CPU itself enforces access controls, preventing any privileged software from reading the enclave's memory.

Exam trap

ISC2 often tests the distinction between 'data at rest' and 'data in use' protections, and candidates mistakenly choose hashing or tokenization because they associate them with security, but neither protects data during active processing in memory.

873
MCQhard

During a security assessment of a Kubernetes cluster, you discover that a container is running as root with privileged mode enabled. Which of the following is the most critical risk associated with this configuration?

A.Network policy bypass allowing unauthorized pod communication
B.Potential for container escape to the host OS
C.Increased memory consumption due to lack of resource limits
D.Inability to mount volumes for persistent storage
AnswerB

Privileged mode and root access significantly increase the risk of container escape.

Why this answer

Running as root with privileged mode grants full host access, making container escape to the host OS highly feasible. Seccomp and AppArmor can mitigate, but the core risk is escape.

874
Multi-Selectmedium

A cloud security architect is concerned about potential side-channel attacks against VMs running on a shared hypervisor. Which TWO of the following measures would be most effective in mitigating such attacks?

Select 2 answers
A.Use dedicated (single-tenant) hosts for sensitive workloads.
B.Encrypt all data at rest using AES-256.
C.Disable hyper-threading on the physical hosts.
D.Implement network segmentation using VLANs.
E.Enable multi-factor authentication for all cloud administrative accounts.
AnswersA, C

Dedicated hosts guarantee no other VMs on the same hypervisor, eliminating shared-resource side channels.

Why this answer

Option A is correct because using dedicated (single-tenant) hosts ensures that the physical server is not shared with any other customer's VMs. This eliminates the possibility of a co-resident attacker exploiting shared hardware resources (such as CPU caches, memory buses, or branch predictors) to launch side-channel attacks like Prime+Probe or Flush+Reload. By removing the shared hypervisor layer between tenants, the attack surface for cross-VM side channels is effectively nullified.

Exam trap

ISC2 often tests the distinction between data protection controls (encryption, MFA, network segmentation) and compute-level isolation controls, leading candidates to mistakenly select network or access controls that do not address the shared hardware attack surface.

875
MCQmedium

A healthcare organization is using a cloud-based electronic health record (EHR) system hosted on a PaaS platform. The platform provides a web interface and an API for integration with internal systems. The organization's security policy requires encryption of all data at rest and in transit. They have implemented SSL/TLS for data in transit and enabled server-side encryption for the database. However, during a recent audit, it was discovered that the API returns diagnostic data in clear text when accessed from internal networks. The internal network is considered trusted. The auditor recommends implementing end-to-end encryption. Which of the following is the BEST approach to meet this requirement?

A.Configure the API to require mutual TLS (mTLS) authentication and use TLS 1.2 or higher for all connections from internal systems.
B.Implement client-side encryption on the internal systems before sending data to the API.
C.Set up a VPN connection between the internal network and the cloud PaaS environment to encrypt all traffic.
D.Create a proxy service in the cloud that encrypts the data before forwarding it to the API.
AnswerA

mTLS ensures both parties are authenticated and the communication is encrypted, providing end-to-end encryption.

Why this answer

Option C is correct because implementing mutual TLS (mTLS) ensures that only authenticated clients (internal systems) can communicate with the API and all data is encrypted end-to-end. Option A is wrong because client-side encryption requires key management and does not guarantee encryption in transit between the internal systems and the API. Option B is wrong because using a VPN adds latency and complexity; mTLS is more lightweight and still encrypts the data.

Option D is wrong because sending data through a separate encryption endpoint adds extra components and potential points of failure.

876
MCQhard

An organization wants to ensure that its CSP does not access customer data for any purpose other than providing the service. Which clause should be included?

A.Right to audit
B.Security incident response
C.Data use restriction
D.Non-disclosure agreement
AnswerC

This clause restricts the provider's use of data to specified purposes.

Why this answer

A data use restriction clause explicitly limits the provider's use of customer data to only what is necessary to provide the service. Non-disclosure agreements protect confidentiality but don't restrict use. Right to audit provides oversight, and security incident response addresses breach management.

877
MCQhard

In a cloud environment, a data subject exercises their right to erasure under GDPR. The cloud provider has multiple replicas and backups. What is the primary technical challenge in fulfilling this request?

A.Transferring data to another controller
B.Ensuring deletion from backups and replicas within retention periods
C.Obtaining consent from other data subjects
D.Identifying the data subject's data across all systems
AnswerB

Correct. Backups are often immutable or have retention periods that prevent immediate deletion.

Why this answer

GDPR's right to erasure requires deletion of all copies, including from backups and replicas, which is technically complex due to retention policies and storage architecture.

878
MCQhard

A cloud security architect is designing a key management strategy for a hybrid cloud environment. The organization requires that encryption keys never leave their on-premises hardware security module (HSM) due to strict regulatory mandates, yet cloud services must be able to perform encryption operations on data at rest. Which key management approach meets these requirements?

A.Customer-managed encryption keys (CMEK)
B.Hold Your Own Key (HYOK)
C.Cloud provider default encryption
D.Bring Your Own Key (BYOK)
AnswerB

Correct: HYOK keeps the key in the customer's HSM; cloud service calls back to on-prem for crypto operations.

Why this answer

HYOK (Hold Your Own Key) keeps the key in the customer's on-prem HSM; the cloud service sends data to be encrypted/decrypted on-prem, which can introduce latency but satisfies key location constraints.

879
Multi-Selectmedium

An organization is designing a data residency strategy for compliance with data sovereignty laws. They must ensure that customer data remains within specific geographic boundaries. Which three measures should they implement? (Choose three.)

Select 3 answers
A.Use pre-signed URLs for all access
B.Use IAM policies to restrict API calls to specific regions
C.Configure bucket policies to deny storage outside allowed regions
D.Enable cross-region replication for disaster recovery
E.Select cloud regions within the required geographic area
AnswersB, C, E

IAM conditions can limit operations to allowed regions.

Why this answer

To enforce data residency, organizations should choose cloud regions in the required geography, configure bucket policies to restrict storage location, and use IAM policies to limit access from other regions. Cross-region replication would violate data residency.

880
Multi-Selectmedium

In the context of eDiscovery, a legal hold must be placed on data stored in a cloud environment. Which THREE actions should the cloud customer take to ensure the legal hold is effective?

Select 3 answers
A.Ensure the legal hold prevents both deletion and modification of the data.
B.Delete any non-relevant data to reduce storage costs.
C.Rely solely on the cloud provider's default backup retention policies.
D.Apply the legal hold to all copies of the data, including backups and replicas in different regions.
E.Notify the cloud provider of the legal hold and request technical enforcement such as object lock.
AnswersA, D, E

Modification can alter evidence; hold must prevent both.

Why this answer

A legal hold requires preserving all relevant data, including backups and replicas. It must also prevent modification, not just deletion. Communication with the provider ensures technical enforcement.

881
MCQmedium

A healthcare organization is migrating patient records to a public cloud provider. Which of the following is the most critical consideration regarding shared responsibility when using IaaS?

A.The cloud provider is responsible for all security controls because they own the infrastructure.
B.The customer has no responsibility for network security because the provider manages the hypervisor.
C.The cloud provider automatically encrypts all data at rest and in transit by default.
D.The customer is responsible for securing the operating system, applications, and data they deploy on the IaaS platform.
AnswerD

Correct per shared responsibility model for IaaS.

Why this answer

In IaaS, the customer is responsible for securing the OS, applications, and data, while the provider secures the physical infrastructure. Data encryption and access control are customer responsibilities.

882
MCQmedium

A company wants to migrate a legacy application to the cloud with minimal re-architecture. They need control over the operating system and middleware but do not want to manage physical hardware. Which service model is most suitable?

A.FaaS
B.SaaS
C.IaaS
D.PaaS
AnswerC

Correct. IaaS provides the flexibility to manage OS and middleware.

Why this answer

IaaS provides virtualized computing resources where the customer manages OS, apps, and data, but not the underlying infrastructure.

883
MCQmedium

A multinational corporation with its headquarters in the United States processes personal data of European Union data subjects using a cloud-based customer relationship management (CRM) system hosted in the United States. According to the General Data Protection Regulation (GDPR), which of the following is the company's primary obligation regarding the protection of that data?

A.The company must delete all personal data within 30 days of collection.
B.The company is not subject to GDPR because its headquarters and the cloud server are located outside the EU.
C.The company must appoint a representative in the EU and ensure that any data transfers outside the EU are covered by an adequacy decision, standard contractual clauses, or binding corporate rules.
D.The company must obtain explicit consent from each data subject before processing their data.
AnswerC

This is correct. GDPR requires a representative if the controller is not established in the EU, and transfers must have a legal mechanism.

Why this answer

GDPR applies to any organization processing personal data of EU data subjects, regardless of where the processing occurs. The company is a data controller and must comply with all GDPR requirements, including data subject rights and breach notification.

884
MCQeasy

Which NIST SP 800-145 cloud service model provides the consumer with the ability to deploy applications onto a cloud infrastructure where the consumer does not manage the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment?

A.Platform as a Service (PaaS)
B.Function as a Service (FaaS)
C.Software as a Service (SaaS)
D.Infrastructure as a Service (IaaS)
AnswerA

PaaS provides a platform for deploying applications without managing underlying infrastructure.

Why this answer

This is the definition of Platform as a Service (PaaS) per NIST SP 800-145. The consumer manages applications and data, while the provider manages everything else.

885
Multi-Selecthard

A DevSecOps team is implementing a secure container supply chain. Which THREE practices should they adopt to ensure image integrity and trust from build to deployment?

Select 3 answers
A.Signing container images with Cosign
B.Storing images in a private registry without scanning
C.Using admission controller (e.g., Kyverno) to verify signatures
D.Allowing any image with a :latest tag
E.Scanning images for vulnerabilities using Trivy
AnswersA, C, E

Signing provides cryptographic proof of origin.

Why this answer

Image signing, vulnerability scanning, and using admission controllers to verify signatures ensure integrity and trust.

886
MCQeasy

An organization uses a cloud key management service (KMS) for encryption keys. The security policy requires automatic rotation of keys every 90 days. Which rotation strategy best balances security and operational impact?

A.Retain the original key for decryption and use a new key only for new data.
B.Have administrators manually create new keys every 90 days and update applications.
C.Configure the KMS to automatically generate new key versions and retire old ones with no application changes.
D.Re-encrypt all data with a new master key each rotation to ensure full key separation.
AnswerC

Automatic rotation with versioning is seamless and secure.

Why this answer

Option C is correct because cloud KMS services (e.g., AWS KMS, Azure Key Vault, GCP Cloud KMS) support automatic key rotation by creating new key versions while retaining previous versions for decryption of existing data. This approach satisfies the 90-day rotation policy without requiring application changes, as the KMS handles versioning transparently and the encryption context or key ID abstraction allows seamless use of the latest key for encryption.

Exam trap

The trap here is that candidates often confuse key rotation with re-encryption, assuming that rotating a key requires re-encrypting all existing data, when in fact cloud KMS versioning allows old keys to remain available for decryption without re-encrypting the entire dataset.

How to eliminate wrong answers

Option A is wrong because retaining the original key for decryption while using a new key only for new data does not rotate the original key; it merely adds a new key, leaving the original key active indefinitely, which violates the 90-day rotation policy. Option B is wrong because manual key creation every 90 days introduces operational overhead, risk of human error, and requires application updates to reference new keys, which contradicts the goal of minimizing operational impact. Option D is wrong because re-encrypting all data with a new master key each rotation is impractical and resource-intensive; cloud KMS rotation typically uses versioned keys where old versions remain available for decryption without re-encrypting existing ciphertext.

887
MCQeasy

A cloud security engineer is tasked with ensuring that all API calls made to AWS resources are logged for audit purposes. Which AWS service should be enabled to capture management events such as creating or deleting EC2 instances?

A.AWS Config
B.AWS CloudTrail
C.Amazon GuardDuty
D.AWS Security Hub
AnswerB

CloudTrail records API calls and can be enabled to capture management events.

Why this answer

AWS CloudTrail is the correct service because it is specifically designed to record API activity in an AWS account, including management events such as creating or deleting EC2 instances. It captures the who, what, when, and source IP for every API call, which is essential for audit logging and compliance. AWS Config, by contrast, records resource configuration changes and compliance history, not API call logs.

Exam trap

The trap here is that candidates confuse AWS Config (which tracks configuration history) with CloudTrail (which tracks API calls), leading them to select AWS Config for audit logging of management events.

How to eliminate wrong answers

Option A is wrong because AWS Config records resource configuration changes and evaluates compliance rules, but it does not capture API call logs or management events like creating or deleting EC2 instances. Option C is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events for malicious activity, but it does not itself generate or store API audit logs. Option D is wrong because AWS Security Hub aggregates security findings from multiple services (including CloudTrail) and provides a compliance dashboard, but it is not a logging service and does not capture raw API events.

888
MCQhard

An organization is designing a cloud application that must remain available even if an entire AWS availability zone fails. Which architecture pattern should they implement?

A.Single region with multiple AZs active-active
B.Single region with multiple AZs active-standby
C.Active-passive in a single region
D.Multi-region active-active
AnswerA

This pattern distributes workloads across AZs, ensuring continued availability if one AZ fails.

Why this answer

The correct architecture is a single region with multiple Availability Zones (AZs) in an active-active configuration. This ensures that if one AZ fails, the application continues to serve traffic from the remaining AZs without any manual intervention, as all AZs are actively handling requests. AWS Availability Zones are physically separate data centers within a region, and an active-active pattern distributes the workload across them to achieve high availability and fault tolerance.

Exam trap

ISC2 often tests the distinction between surviving an AZ failure versus a region failure, and the trap here is that candidates may overcomplicate the solution by choosing multi-region active-active, not realizing that a single region with multiple AZs is sufficient and more cost-effective for the given requirement.

How to eliminate wrong answers

Option B (Single region with multiple AZs active-standby) is wrong because it introduces a standby component that is not actively serving traffic, leading to potential downtime during failover and resource underutilization; the question requires continuous availability even during an AZ failure, which active-standby does not guarantee without a failover delay. Option C (Active-passive in a single region) is wrong because it typically relies on a single AZ for the active component, making it vulnerable to AZ failure, and the passive component requires manual or automated failover, which introduces downtime. Option D (Multi-region active-active) is wrong because while it provides high availability, it is over-engineered for the requirement of surviving a single AZ failure; it adds unnecessary complexity, latency, and cost, and the question specifically asks for an architecture that remains available if an entire AWS availability zone fails, not a full region failure.

889
MCQhard

An organization experiences a data breach in the cloud. The CSP claims they are not liable because the breach was due to customer misconfiguration. The customer disagrees. What document should be reviewed to determine liability?

A.The CSP's privacy policy
B.The SOC 2 Type II report from the CSP
C.The incident response plan
D.The shared responsibility matrix in the service contract
AnswerD

This matrix explicitly defines responsibilities for security controls.

Why this answer

The shared responsibility matrix (SRM) is the definitive contractual document that delineates which security controls are managed by the cloud service provider (CSP) and which are the customer's obligation. In a breach caused by misconfiguration, the SRM specifies whether the configuration of the affected resource (e.g., an S3 bucket ACL or a security group rule) falls under the customer's responsibility. Without reviewing the SRM, liability cannot be determined because the matrix explicitly maps each control layer (e.g., network, compute, data) to the responsible party.

Exam trap

ISC2 often tests the misconception that a SOC report or privacy policy defines liability, when in fact only the contractual shared responsibility matrix legally allocates responsibility for specific security controls.

How to eliminate wrong answers

Option A is wrong because a privacy policy describes how the CSP handles personal data (e.g., GDPR compliance), not the operational security responsibilities for configuration management. Option B is wrong because a SOC 2 Type II report provides an independent audit of the CSP's controls over a period of time, but it does not define contractual liability boundaries or assign responsibility for specific misconfigurations. Option C is wrong because an incident response plan outlines the steps to detect, contain, and recover from a breach, not the pre-defined allocation of liability between the CSP and the customer.

890
MCQeasy

A cloud security professional is evaluating container runtime security. Which Linux capability should be dropped from a container to prevent it from loading kernel modules?

A.CAP_DAC_OVERRIDE
B.CAP_CHOWN
C.CAP_SYS_MODULE
D.CAP_NET_RAW
AnswerC

Correct; dropping CAP_SYS_MODULE prevents kernel module manipulation.

Why this answer

The CAP_SYS_MODULE capability allows loading/unloading kernel modules, which is a common vector for container escape. Dropping it reduces risk.

891
MCQmedium

A company experiences a security breach in its cloud environment, and the security team needs to preserve evidence for legal proceedings. Which of the following is the MOST important step to take first?

A.Disable all logging to prevent the attacker from seeing detection efforts.
B.Isolate the compromised systems from the network to prevent lateral movement.
C.Notify all affected customers of the breach.
D.Contact the legal department to obtain a warrant before any action.
AnswerB

Isolating systems is the first priority to stop the attack and preserve evidence.

Why this answer

Option B is correct because the immediate priority in a cloud security incident is to contain the breach and prevent lateral movement, which preserves the integrity of the evidence by stopping further compromise. Isolating compromised systems (e.g., via network security groups or virtual network segmentation) ensures that volatile data, such as memory contents and active connections, is not altered by ongoing attacker activity. This step aligns with the NIST SP 800-61 incident response framework, which emphasizes containment before evidence collection.

Exam trap

ISC2 often tests the misconception that preserving evidence means immediately collecting logs or notifying stakeholders, when in fact the first step is to contain the incident to prevent evidence from being altered or destroyed by ongoing attacker activity.

How to eliminate wrong answers

Option A is wrong because disabling all logging destroys the very evidence needed for legal proceedings and violates the principle of preserving forensic artifacts; logging should be enabled and protected to capture attacker actions. Option C is wrong because notifying affected customers prematurely can compromise the investigation, alert the attacker, and violate data breach notification laws that require a thorough forensic analysis first. Option D is wrong because obtaining a warrant is not a prerequisite for internal incident response actions; the company owns the cloud environment and can take immediate containment steps without a warrant, and waiting for legal authorization could allow the attacker to destroy evidence.

892
Multi-Selectmedium

A cloud security architect is designing a key management strategy to meet regulatory requirements for key separation and tamper evidence. Which TWO of the following are benefits of using hardware security modules (HSMs) backing a cloud KMS? (Select TWO.)

Select 2 answers
A.Compliance with FIPS 140-2 Level 3 or higher
B.Eliminates the need for customer-managed keys
C.Reduced latency for encryption operations
D.Automatic key rotation without customer intervention
E.Tamper-resistant key storage that prevents key extraction
AnswersA, E

HSMs can meet higher FIPS security levels, aiding regulatory compliance.

Why this answer

HSMs provide tamper-resistant hardware for key generation and storage, ensuring keys are protected against physical tampering. They also provide a root of trust for key management.

893
MCQmedium

A cloud architect is designing a data loss prevention (DLP) solution for a SaaS application. The DLP must inspect data in transit between end users and the cloud as well as data at rest. Which combination of controls is most appropriate?

A.Use network segmentation and security groups.
B.Deploy a cloud DLP service for content inspection and enforce encryption at rest.
C.Use encryption at rest and backup retention policies.
D.Implement a web application firewall (WAF) and a VPN.
AnswerB

Cloud DLP inspects data in transit and at rest; encryption protects at rest.

Why this answer

Option B is correct because a cloud DLP service (e.g., AWS Macie, Microsoft Purview) can inspect data in transit by analyzing API calls or traffic patterns, and encryption at rest (e.g., AES-256) protects stored data. This combination directly addresses both inspection of data in transit and protection of data at rest, which is the core requirement of the question.

Exam trap

The trap here is that candidates confuse a WAF (which inspects for attacks) with a DLP service (which inspects for sensitive data content), leading them to choose Option D despite it lacking content inspection for data in transit.

How to eliminate wrong answers

Option A is wrong because network segmentation and security groups control traffic flow and access, but they do not inspect the content of data in transit or protect data at rest. Option C is wrong because encryption at rest protects stored data, but backup retention policies only manage data lifecycle, not inspect data in transit. Option D is wrong because a WAF inspects HTTP traffic for web attacks, not data content for DLP, and a VPN encrypts the tunnel but does not inspect the data payload.

894
MCQmedium

A security engineer is concerned about a scenario where a malicious process inside a VM breaks out of the virtualized environment to compromise the hypervisor. What is this attack called and what is the primary mitigation?

A.VM sprawl; use resource limits
B.Side-channel attack; disable hyperthreading
C.Privilege escalation; enable SELinux inside VM
D.VM escape; regularly patch the hypervisor
AnswerD

VM escape is a critical multi-tenancy risk; patching is key.

Why this answer

VM escape occurs when code inside a VM accesses the hypervisor. Patching the hypervisor closes known vulnerabilities.

895
MCQhard

Refer to the exhibit. A cloud security administrator is reviewing the following security group configuration associated with a web server instance. What security best practice is being violated?

A.Outbound traffic should be allowed to any destination.
B.Inbound SSH should not be allowed from any source.
C.Inbound HTTPS should be allowed from any source.
D.Security groups should not be used for web servers.
AnswerB

The rule allows SSH from 0.0.0.0/0, violating least privilege and increasing attack surface.

Why this answer

Option B is correct because allowing inbound SSH (TCP port 22) from any source (0.0.0.0/0) violates the security best practice of least privilege. SSH should only be permitted from specific administrative IP ranges or bastion hosts to prevent unauthorized access and brute-force attacks. In a cloud environment like AWS, security groups should restrict SSH to known management networks, not the entire internet.

Exam trap

ISC2 often tests the misconception that allowing inbound HTTPS from any source is a violation, but for a public web server, this is correct; the trap is confusing the need for open HTTPS with the need to restrict administrative protocols like SSH.

How to eliminate wrong answers

Option A is wrong because outbound traffic should be restricted to only necessary destinations (e.g., specific update servers or databases), not allowed to any destination, as unrestricted outbound traffic can facilitate data exfiltration. Option C is wrong because inbound HTTPS (TCP port 443) should be allowed from any source for a public web server; this is a standard requirement for serving web content securely. Option D is wrong because security groups are the primary and recommended mechanism for controlling traffic to cloud instances like web servers; they are stateful and provide granular access control.

896
Multi-Selectmedium

Which THREE of the following are commonly required when conducting a cloud vendor risk assessment?

Select 3 answers
A.Security certifications (e.g., ISO 27001)
B.Financial stability of the vendor
C.Vendor's incident response plan
D.Pricing compared to competitors
E.Marketing materials and brand reputation
AnswersA, B, C

Evidence of security posture.

Why this answer

Financial stability, certifications, and incident response plans are standard vendor risk assessment items. Pricing comparison is procurement, not risk; marketing materials are irrelevant.

897
MCQhard

A large healthcare organization runs its electronic health records (EHR) system on a private cloud built with VMware vSphere. They have implemented a hybrid cloud strategy with a public cloud provider for disaster recovery. The EHR application is mission-critical and must maintain high availability with zero data loss. During a routine audit, the security team discovers that the replication between the private cloud and the public cloud uses asynchronous replication with a 15-minute recovery point objective (RPO). However, the application requires an RPO of less than 1 minute. Additionally, the replication data is not encrypted in transit. The compliance officer demands immediate remediation. The cloud architect must propose a solution that meets the RPO requirement and ensures encryption of data in transit. Which of the following actions is the most appropriate first step?

A.Move the entire EHR system to the public cloud and use native replication services.
B.Increase the frequency of asynchronous replication to every 30 seconds and use IPsec VPN for encryption.
C.Switch to synchronous replication between the private cloud and public cloud to achieve near-zero RPO, and enable TLS for replication traffic.
D.Implement a third-party replication tool that uses compression and encryption, and keep asynchronous replication with 15-minute RPO.
AnswerC

Synchronous replication meets RPO and TLS ensures encryption.

Why this answer

Option C is correct because synchronous replication ensures that data is written to both the primary and secondary sites before acknowledging the write, achieving near-zero RPO (typically sub-second). Enabling TLS for replication traffic encrypts data in transit, directly addressing the compliance requirement. This approach meets the application's mission-critical need for zero data loss and encryption without changing the underlying hybrid architecture.

Exam trap

ISC2 often tests the misconception that increasing asynchronous replication frequency can achieve near-zero RPO, but only synchronous replication guarantees zero data loss by ensuring writes are committed at both sites before acknowledgment.

How to eliminate wrong answers

Option A is wrong because moving the entire EHR system to the public cloud does not inherently solve the RPO or encryption issues; it merely shifts the problem and may introduce new latency or compliance concerns without guaranteeing sub-minute RPO. Option B is wrong because increasing asynchronous replication frequency to 30 seconds still does not guarantee zero data loss (RPO is not zero) and IPsec VPN encrypts the tunnel but does not necessarily encrypt the replication stream itself at the application layer, potentially leaving data exposed during transit. Option D is wrong because keeping asynchronous replication with a 15-minute RPO fails to meet the sub-minute RPO requirement, regardless of compression and encryption improvements.

898
MCQeasy

Refer to the exhibit. A cloud administrator discovers this Azure role assignment in the Finance resource group. The role definition ID corresponds to 'Storage Blob Data Contributor'. What is the immediate compliance concern?

A.The principal ID is not a human-readable name
B.The assignment is scoped to a storage account
C.The assignment has no expiration date
D.The assignment provides unconstrained access without any condition
AnswerD

Lack of conditions such as IP restrictions or MFA could lead to unauthorized access.

Why this answer

Option D is correct because the role assignment 'Storage Blob Data Contributor' grants full read, write, and delete permissions on blob data within the scope, without any Azure attribute-based access control (ABAC) conditions. This violates the principle of least privilege, as it allows unconstrained access to all blob containers and blobs in the storage account, which is a compliance concern under frameworks like SOC 2 or ISO 27001 that require fine-grained access controls.

Exam trap

The trap here is that candidates often overlook the absence of conditions (ABAC) and focus on superficial details like the principal ID format or scope, but the core compliance issue is the lack of constrained access, which is a direct violation of least privilege and data governance requirements.

How to eliminate wrong answers

Option A is wrong because the principal ID being a GUID rather than a human-readable name is a normal Azure behavior; the actual identity (user, group, or service principal) is resolved via Azure AD, and this does not inherently create a compliance issue. Option B is wrong because scoping the assignment to a storage account is actually a best practice—it limits the blast radius compared to a subscription or management group scope, so it is not a compliance concern. Option C is wrong because Azure role assignments do not have an expiration date by default; they are permanent until explicitly removed, and the absence of an expiration date is not a compliance violation unless a specific policy requires temporary access, which is not indicated here.

899
MCQmedium

Refer to the exhibit. A security administrator is reviewing an S3 bucket policy. What is the primary security concern with this policy?

A.The policy allows delete access from a trusted IP range without additional controls
B.The policy does not enforce server-side encryption
C.The bucket is publicly accessible from any IP
D.The policy does not require MFA for delete operations
AnswerA

Delete access should be restricted further or require MFA.

Why this answer

Option A is correct because the policy grants s3:DeleteObject permission to a trusted IP range without requiring additional controls like MFA or versioning safeguards. This means an attacker who compromises a machine within that IP range can permanently delete objects without any secondary authentication, leading to potential data loss. The lack of a condition such as 'aws:MultiFactorAuthPresent': true or a Deny for delete operations without MFA is the primary security concern.

Exam trap

ISC2 often tests the distinction between 'publicly accessible' and 'accessible from a trusted IP range'—candidates may mistakenly think any IP-based restriction is sufficient, overlooking that delete operations without MFA or versioning are still a critical risk.

How to eliminate wrong answers

Option B is wrong because the policy does not explicitly enforce server-side encryption, but that is not the primary security concern; the question focuses on the most critical risk, which is unauthorized deletion. Option C is wrong because the policy restricts access to a specific IP range (e.g., 'aws:SourceIp': '192.0.2.0/24'), so the bucket is not publicly accessible from any IP. Option D is wrong because while MFA for delete operations is a best practice, the policy does not require it, but the core issue is that delete access is granted to a trusted IP range without any additional controls—MFA is just one possible control, and the absence of any control is the primary concern.

900
MCQhard

In a public cloud IaaS environment, which of the following is the customer responsible for securing, according to the shared responsibility model?

A.Operating system and applications
B.Virtualization hypervisor
C.Network infrastructure
D.Physical security of data centers
AnswerA

The customer manages OS, apps, and data.

Why this answer

The customer is responsible for securing the operating system, applications, and data they deploy. The provider secures the physical infrastructure, network, and hypervisor.

Page 11

Page 12 of 14

Page 13