Certified Cloud Security Professional CCSP (CCSP) — Questions 901975

987 questions total · 14pages · All types, answers revealed

Page 12

Page 13 of 14

Page 14
901
MCQmedium

A security analyst notices that an IAM user from a cloud account has logged in from two different countries within a span of 10 minutes. Which type of detection mechanism is most likely to flag this activity as suspicious?

A.A cloud configuration management database (CMDB)
B.A vulnerability scanner
C.An agent-based intrusion detection system (IDS)
D.A correlation rule in a SIEM
AnswerD

SIEM correlation rules can detect impossible travel by analyzing login events.

Why this answer

A correlation rule in a SIEM is designed to aggregate and analyze log data from multiple sources, such as cloud IAM logs, to detect anomalous patterns. The specific scenario of a user logging in from two geographically distant countries within 10 minutes is a classic example of an impossible travel time anomaly, which SIEM correlation rules are built to flag by comparing login timestamps and IP geolocation data.

Exam trap

Cisco often tests the distinction between detection mechanisms that analyze static configurations (CMDB, vulnerability scanners) versus those that analyze dynamic behavioral patterns (SIEM correlation rules), leading candidates to confuse a CMDB's asset inventory function with real-time anomaly detection.

How to eliminate wrong answers

Option A is wrong because a cloud configuration management database (CMDB) is a repository for storing metadata about IT assets and their relationships, not a real-time detection mechanism for user login anomalies. Option B is wrong because a vulnerability scanner is designed to identify security weaknesses in systems (e.g., missing patches, misconfigurations), not to analyze user behavior or login patterns. Option C is wrong because an agent-based intrusion detection system (IDS) monitors network traffic or host-level events for known attack signatures, but it does not typically correlate geolocation data from cloud IAM logs to detect impossible travel scenarios.

902
Multi-Selecthard

A cloud customer is selecting a cloud provider for hosting payment card data and must comply with PCI DSS. Which THREE of the following are valid considerations when assessing the provider's PCI DSS compliance?

Select 3 answers
A.The provider must have a Cloud Provider Responsibility Matrix
B.The provider must sign a Business Associate Agreement
C.The cloud provider can be assessed by a Qualified Security Assessor (QSA)
D.A shared responsibility matrix must define security controls for the CDE
E.The cloud provider must be a Level 1 service provider
AnswersA, C, D

This is required by PCI DSS for cloud environments.

Why this answer

PCI DSS allows cloud providers to be assessed by a QSA. Shared responsibility must be clearly defined. The provider may have a Responsibility Matrix as per Appendix A3.

903
MCQeasy

Which cloud characteristic allows a user to automatically provision computing resources without requiring human interaction with the service provider?

A.Broad network access
B.Rapid elasticity
C.Resource pooling
D.On-demand self-service
AnswerD

This characteristic allows users to provision resources automatically.

Why this answer

On-demand self-service enables automatic provisioning.

904
MCQhard

A financial services company uses a CI/CD pipeline to deploy microservices to a Kubernetes cluster. The security team wants to ensure container images are scanned for vulnerabilities before deployment. Which integration point in the pipeline is most effective?

A.Runtime security monitoring
B.Pre-commit hook in source control
C.Post-build image scanning in registry
D.Admission controller in Kubernetes
AnswerC

Scanning images in the registry after build ensures vulnerabilities are detected before deployment.

Why this answer

Post-build image scanning in the registry (Option C) is the most effective integration point because it automatically scans container images after they are built and pushed, catching vulnerabilities before the image is deployed to production. This ensures that only compliant images proceed through the pipeline, aligning with the principle of shift-left security without blocking developer velocity.

Exam trap

ISC2 often tests the distinction between proactive pipeline controls (like post-build scanning) and reactive runtime controls (like admission controllers), leading candidates to choose admission controllers because they seem directly related to Kubernetes security, but they miss the earlier, more effective integration point.

How to eliminate wrong answers

Option A is wrong because runtime security monitoring detects threats during execution, not before deployment, so it cannot prevent vulnerable images from being deployed. Option B is wrong because pre-commit hooks scan source code, not container images, and cannot detect vulnerabilities in base layers or dependencies added during the build process. Option D is wrong because an admission controller in Kubernetes can block deployment based on image policies, but it acts after the image is already built and pushed, making it a reactive control rather than a proactive integration point in the CI/CD pipeline.

905
MCQmedium

Which of the following is a best practice for managing secrets in cloud-native applications?

A.Hardcode secrets in environment variables
B.Include secrets in container images
C.Use the same secret across all environments
D.Store secrets in a dedicated secrets management service
AnswerD

Secrets managers provide secure storage, access control, and rotation.

Why this answer

Using a cloud secret manager (like AWS Secrets Manager or HashiCorp Vault) to inject secrets at runtime avoids hardcoding and enables rotation. Least privilege IAM and environment variables are also good but using a dedicated service is best.

906
MCQmedium

A data classification scheme for a cloud environment defines labels such as Public, Internal, Confidential, and Restricted. Which label should be applied to data that, if disclosed, would cause severe damage to the organization and is subject to regulatory fines?

A.Restricted
B.Public
C.Confidential
D.Internal
AnswerA

Restricted data is the most sensitive; disclosure causes severe damage and regulatory penalties.

Why this answer

Restricted is the highest classification level, used for data that would cause severe damage if disclosed and is subject to strict regulatory controls.

907
MCQeasy

A company is migrating sensitive customer data to a public cloud storage service. They want to ensure that even the cloud provider cannot access the plaintext data. Which encryption strategy should they implement?

A.Client-side encryption before uploading data
B.Server-side encryption with cloud-provider-managed keys
C.Tokenization of sensitive fields at the application layer
D.Enforcing role-based access control (RBAC) on the storage bucket
AnswerA

Client-side encryption ensures the provider never sees plaintext.

Why this answer

Client-side encryption ensures that data is encrypted before it leaves the customer's environment, so the cloud provider only ever receives ciphertext. This means the cloud provider cannot access the plaintext data, even if the storage service is compromised or the provider is legally compelled to disclose data. The encryption keys are managed and stored by the customer, not the cloud provider.

Exam trap

ISC2 often tests the distinction between encryption at rest (server-side) and encryption in transit or before upload (client-side), and the trap is that candidates confuse server-side encryption with the ability to prevent provider access, not realizing that the provider still holds the keys.

How to eliminate wrong answers

Option B is wrong because server-side encryption with cloud-provider-managed keys means the cloud provider holds the encryption keys and can decrypt the data on demand, which does not prevent the provider from accessing plaintext. Option C is wrong because tokenization replaces sensitive data with tokens, but the token mapping and original data are typically stored elsewhere and may still be accessible to the provider; it also does not encrypt the entire data payload, leaving other fields in plaintext. Option D is wrong because RBAC controls access to the storage bucket but does not encrypt the data; the cloud provider can still read the plaintext data stored in the bucket.

908
MCQmedium

During a code review, a developer identifies that an application uses input from an HTTP request to generate a SQL query string. What is the primary security concern?

A.Buffer overflow
B.Insecure deserialization
C.Cross-site scripting (XSS)
D.SQL injection
AnswerD

User input in SQL queries can lead to injection attacks.

Why this answer

Option D is correct because directly concatenating user-supplied input from an HTTP request into a SQL query string allows an attacker to inject arbitrary SQL commands. This can lead to unauthorized data access, data manipulation, or even complete database compromise. The primary security concern is SQL injection, which violates the confidentiality and integrity of cloud-hosted databases.

Exam trap

ISC2 often tests the distinction between input validation issues (like SQL injection) and output encoding issues (like XSS), so the trap here is confusing a server-side injection attack with a client-side script injection attack.

How to eliminate wrong answers

Option A is wrong because buffer overflow exploits typically target memory corruption in low-level languages like C/C++, not SQL query string generation in application code. Option B is wrong because insecure deserialization involves untrusted data being deserialized into objects, not the direct injection of SQL syntax into a query string. Option C is wrong because cross-site scripting (XSS) involves injecting client-side scripts into web pages viewed by other users, whereas this scenario directly manipulates a server-side SQL query.

909
MCQmedium

A cloud architect is designing a multi-tier application in a public cloud. The web tier must be accessible from the internet, while the application and database tiers must only be reachable from the web tier. The architect needs to ensure that even if the web server is compromised, the attacker cannot directly access the database. Which architecture BEST meets this requirement?

A.Place all tiers in the same subnet and use a single security group to control inbound traffic.
B.Place all tiers in the same VPC but different subnets, and use network ACLs to restrict traffic.
C.Place the web tier in a public subnet with a security group allowing HTTP/HTTPS from 0.0.0.0/0, and place the app and database tiers in private subnets with security groups allowing traffic only from the web tier's security group.
D.Use a VPN to connect the tiers and rely on IPsec policies for segmentation.
AnswerC

This provides proper isolation: private subnets with security group references restrict access to the web tier only.

Why this answer

Option C is correct because it implements defense-in-depth by placing the web tier in a public subnet with a security group that allows inbound HTTP/HTTPS from the internet, while the app and database tiers reside in private subnets with security groups that only permit traffic from the web tier's security group. This ensures that even if the web server is compromised, the attacker cannot directly reach the database because the database security group explicitly denies traffic from any source other than the web tier's security group, and the private subnets have no direct internet route.

Exam trap

The trap here is that candidates often confuse network ACLs (stateless, IP-based) with security groups (stateful, can reference other security groups), leading them to choose Option B because they think ACLs provide sufficient segmentation, but they overlook the need for group-based source references to prevent lateral movement from a compromised host.

How to eliminate wrong answers

Option A is wrong because placing all tiers in the same subnet with a single security group provides no network segmentation; if the web server is compromised, the attacker can directly access the database on the same subnet without any additional controls. Option B is wrong because while different subnets provide network segmentation, network ACLs are stateless and evaluate rules in order, but they do not support source-group-based references (like security group IDs), so they cannot restrict traffic to only the web tier's security group; they can only filter by IP ranges, which is less precise and could allow lateral movement if the web server's IP is spoofed or if multiple instances are used. Option D is wrong because a VPN with IPsec policies connects the tiers over an encrypted tunnel but does not enforce internal segmentation within the VPC; it would still require additional security groups or ACLs to restrict database access, and the VPN itself does not prevent a compromised web server from directly reaching the database if both are on the same network segment.

910
Matchingmedium

Match each key management solution to its characteristic.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Hardware-based key generation and storage

Software-based key lifecycle management

Customer-managed keys in cloud provider HSM

Customer holds and manages own keys

Why these pairings

Key management is critical for data protection; BYOK and KYOK offer different levels of customer control.

911
Multi-Selectmedium

A cloud security architect is designing a multi-tenant SaaS application. Which TWO isolation mechanisms should be implemented to prevent data leakage between tenants?

Select 2 answers
A.API rate limiting
B.Network isolation using virtual networks
C.Storage isolation through separate databases or schemas
D.Data encryption at rest
E.Identity federation
AnswersB, C

Network isolation prevents unauthorized access between tenants.

Why this answer

Network isolation (e.g., VLANs, VPCs) and storage isolation (e.g., separate databases or encryption per tenant) are key. Data encryption at rest protects data but not isolation between tenants. Identity federation and API rate limiting are not isolation mechanisms.

912
MCQmedium

A cloud-native application stores sensitive user files in an Amazon S3 bucket. Which misconfiguration poses the greatest risk of data exposure?

A.Bucket versioning enabled
B.Bucket ACL set to public read
C.Default encryption enabled
D.Bucket policy with a condition for source IP
AnswerB

Public read ACL allows anonymous access to all objects.

Why this answer

Setting the S3 bucket ACL to public read allows anyone on the internet to access files, leading to data exposure.

913
MCQmedium

Which of the following is a cloud-specific threat that should be included in a threat model for a cloud application?

A.Exposed S3 bucket
B.Cross-site scripting (XSS)
C.SQL injection
D.Buffer overflow
AnswerA

Misconfigured S3 buckets are a top cloud-specific threat.

Why this answer

Exposed S3 buckets are a common cloud-specific misconfiguration leading to data breaches. Other options are general security issues not unique to cloud.

914
Multi-Selecthard

A cloud architect is designing a multi-cloud solution that must maintain high availability and disaster recovery across two cloud providers. Which three key considerations should be included in the architecture? (Choose three.)

Select 3 answers
A.Rely on each provider's native high-availability features.
B.Use a single networking interface to simplify connectivity.
C.Use a single DNS provider for failover.
D.Implement consistent identity and access management across providers.
E.Ensure application code is cloud-agnostic.
AnswersA, D, E

Correct: Leverage provider capabilities within each region.

Why this answer

Option A is correct because relying on each provider's native high-availability features (e.g., AWS Auto Scaling and Multi-AZ deployments, Azure Availability Zones) allows the architecture to leverage built-in fault tolerance and automatic failover within each cloud. This avoids reinventing the wheel and ensures that each provider handles its own infrastructure failures, which is a foundational principle for multi-cloud HA/DR design.

Exam trap

ISC2 often tests the misconception that a single DNS provider or single network interface is acceptable for multi-cloud HA, when in reality these create critical single points of failure that violate the redundancy principle.

915
Multi-Selectmedium

A company is negotiating a cloud contract and wants to ensure data ownership and deletion. Which TWO clauses should be included? (Select two.)

Select 2 answers
A.Right to audit clause
B.Non-disclosure agreement
C.Data ownership clause
D.Service level agreement
E.Data deletion clause
AnswersC, E

Correct. This clause confirms the customer retains ownership.

Why this answer

Data ownership clause clarifies that the customer owns the data. Data deletion clause ensures the provider deletes data upon termination, including backups.

916
MCQmedium

An organization is looking for a cloud deployment model that is provisioned for exclusive use by a single organization, but may be owned, managed, and operated by the organization, a third party, or some combination. Which deployment model is this?

A.Hybrid cloud
B.Private cloud
C.Community cloud
D.Public cloud
AnswerB

Private cloud is exclusively for one organization.

Why this answer

Private cloud is defined as provisioned for exclusive use by a single organization. It can be on-premises or hosted, and managed by the organization or a third party.

917
Multi-Selectmedium

Which TWO statements about data masking are correct?

Select 2 answers
A.Data masking is a form of encryption.
B.Data masking is primarily used for production environments.
C.Data masking is reversible.
D.Data masking replaces sensitive data with realistic fictional data.
E.Data masking can be static or dynamic.
AnswersD, E

It produces realistic data for development and testing.

Why this answer

Option D is correct because data masking replaces sensitive data (e.g., credit card numbers, SSNs) with realistic but fictitious data that preserves the original data's format and referential integrity, ensuring that the masked data remains usable for testing or analytics without exposing actual sensitive information. This is distinct from encryption, as masking does not use a key to transform data but rather substitutes it with a non-sensitive equivalent.

Exam trap

The trap here is that candidates often confuse data masking with encryption, assuming both are reversible, or mistakenly think masking is used in production environments, whereas the CCSP emphasizes that masking is for non-production use and is irreversible by design.

918
MCQeasy

Which cloud characteristic refers to the ability to automatically scale resources up or down based on demand?

A.Resource pooling
B.Rapid elasticity
C.Broad network access
D.Measured service
AnswerB

Correct. Rapid elasticity enables automatic scaling.

Why this answer

Rapid elasticity allows resources to be provisioned and released automatically in response to demand, giving the appearance of unlimited capacity.

919
MCQmedium

During a CI/CD pipeline, a developer wants to automatically block builds if Terraform configuration files contain security misconfigurations. Which tool is best suited for this task?

A.Snyk
B.GitGuardian
C.Checkov
D.OWASP ZAP
AnswerC

Checkov scans IaC templates for misconfigurations and integrates into CI/CD pipelines.

Why this answer

Checkov is an open-source IaC scanning tool that checks Terraform, CloudFormation, and Kubernetes configurations for security misconfigurations, making it ideal for blocking builds in CI/CD.

920
MCQhard

A financial services company uses a multi-region cloud deployment for its trading application. The application consists of a web frontend, a REST API, and a relational database. Recently, a penetration test revealed that an attacker could perform a time-based blind SQL injection through the API's search functionality. The injection allows the attacker to enumerate database contents by observing response times. The development team was already aware of the issue but had prioritized other features. The security team now demands immediate remediation. The application is critical and cannot be taken offline. Which of the following is the most effective immediate action to mitigate the risk without modifying the application code?

A.Deploy a Web Application Firewall (WAF) with a rule to block SQL injection patterns
B.Implement rate limiting on the API endpoint
C.Enable DDoS protection on the cloud load balancer
D.Enable transparent data encryption (TDE) on the database
AnswerA

WAF provides virtual patching without code changes.

Why this answer

A WAF can inspect incoming HTTP requests and block those matching SQL injection patterns (e.g., SQL keywords, special characters) without modifying application code. Since the vulnerability is a time-based blind SQL injection, a WAF with a dedicated SQL injection rule set can immediately stop the attack vector by filtering malicious payloads at the edge, providing a virtual patch while the code fix is developed. This is the only option that directly addresses the injection vector without requiring code changes or downtime.

Exam trap

ISC2 often tests the misconception that rate limiting or DDoS protection can mitigate application-layer attacks like SQL injection, but these controls address availability threats, not data exfiltration or injection vulnerabilities.

How to eliminate wrong answers

Option B is wrong because rate limiting only restricts the number of requests per time window, which does not prevent a single crafted SQL injection payload from executing; it merely slows down enumeration but does not block the injection itself. Option C is wrong because DDoS protection mitigates volumetric attacks aimed at overwhelming resources, not application-layer attacks like SQL injection; it does not inspect payload content. Option D is wrong because transparent data encryption (TDE) protects data at rest in the database, but the SQL injection attack exploits the API to extract data in transit or via response timing, so encryption does not prevent the injection or the data exfiltration.

921
MCQmedium

A security architect is designing a container runtime security strategy. Which of the following controls is most effective at preventing a container from compromising the host kernel?

A.Seccomp profile
B.Read-only root filesystem
C.Resource limits (CPU/memory)
D.Image vulnerability scanning
AnswerA

Correct: Seccomp limits syscalls, directly reducing kernel attack surface.

Why this answer

Seccomp profiles restrict the system calls a container can make, reducing the attack surface against the host kernel.

922
Multi-Selecthard

An organization is using GCP and wants to implement automated remediation of security misconfigurations. Which TWO services can be used together to achieve this? (Choose two.)

Select 2 answers
A.Cloud Build
B.Cloud Audit Logs
C.Cloud Storage
D.Cloud Functions
E.Cloud Security Command Center
AnswersD, E

Cloud Functions can execute remediation code when triggered by Security Command Center.

Why this answer

Cloud Functions (D) is correct because it can be triggered by events from Cloud Security Command Center (Cloud SCC) to automatically remediate security misconfigurations. Cloud SCC detects vulnerabilities and misconfigurations, and Cloud Functions can execute remediation logic such as modifying IAM policies, enabling logging, or updating firewall rules. Together, they enable event-driven, automated security response without manual intervention.

Exam trap

Cisco often tests the distinction between services that detect or log issues (like Cloud Audit Logs or Cloud SCC alone) versus services that can execute automated remediation (like Cloud Functions), leading candidates to mistakenly select Cloud Audit Logs or Cloud Storage as capable of performing actions.

923
MCQeasy

A cloud customer receives a litigation hold notice requiring preservation of data stored in an object storage service. Which service feature should the customer use to ensure data cannot be modified or deleted until the hold is released?

A.Apply a retention policy using Object Lock
B.Set a lifecycle policy to transition to archival storage
C.Enable versioning on the bucket
D.Configure server-side encryption
AnswerA

Object Lock with retention periods prevents object deletion or modification.

Why this answer

Object lock features like S3 Object Lock enable a write-once-read-many (WORM) model to prevent deletion or modification, meeting legal hold requirements.

924
MCQmedium

A security architect is designing a multi-cloud data protection strategy. They need to give a third-party auditor time-limited, read-only access to a specific file in a cloud storage bucket. Which access control method is most appropriate?

A.Cloud VPN connection for the auditor
B.Bucket ACL granting read access to the auditor's cloud account
C.IAM policy granting read access to the auditor's user
D.Pre-signed URL with an expiration time
AnswerD

Pre-signed URLs provide time-limited, object-specific access without requiring the user to have cloud credentials.

Why this answer

Pre-signed URLs (or signed URLs) grant temporary access to a specific object without requiring the auditor to have cloud credentials. They can be configured with expiration times and permissions (e.g., read-only).

925
Multi-Selectmedium

A cloud operations team is implementing a disaster recovery plan. Which of the following are valid strategies for data replication in a cloud environment? (Choose three.)

Select 3 answers
A.Asynchronous replication across regions
B.Synchronous replication within the same region
C.Periodic snapshots to object storage
D.Replication via cloud provider's managed replication service
E.Active-active replication with load balancing
AnswersA, B, D

Asynchronous replication handles geographic distance with eventual consistency.

Why this answer

Asynchronous replication across regions is a valid DR strategy because it allows data to be copied to a geographically distant region without requiring an immediate acknowledgment from the target, which minimizes latency impact on the primary site. This approach is suitable for cloud environments where recovery point objectives (RPOs) of minutes to hours are acceptable, and it leverages the cloud provider's high-latency inter-region network links without stalling write operations.

Exam trap

ISC2 often tests the distinction between replication (continuous data copying) and backup (point-in-time snapshots), so candidates mistakenly select periodic snapshots as a replication strategy when it is actually a backup method.

926
MCQmedium

During a cloud migration, a company discovers that data stored in a specific region must remain there per contract. The cloud provider offers data replication across regions. What is the best practice to ensure compliance?

A.Use data residency controls provided by the cloud provider
B.Negotiate a new contract to allow replication
C.Disable all data replication features
D.Encrypt data before storing it
AnswerA

Technical controls enforce data location at the storage or service level.

Why this answer

Configuring data residency controls (like tagging and policies) ensures data stays within the required region. Disabling replication across regions is too restrictive and may affect availability; contract negotiation is less efficient than technical controls.

927
MCQmedium

A security architect is designing a VPC for a three-tier web application. Which of the following VPC subnet designs provides the most secure isolation for the database tier?

A.Database tier in a private subnet with security group allowing only the application tier
B.Database tier in a separate VPC with VPC peering
C.Database tier in a public subnet with security group allowing only the application tier
D.Database tier in the same subnet as the application tier
AnswerA

Correct; private subnet with no internet gateway and restricted security group provides strong isolation.

Why this answer

Placing the database tier in an isolated private subnet without direct internet access and with strict security group rules minimizes exposure.

928
MCQeasy

A cloud security engineer reviews this Terraform configuration for a security group. Which change is necessary to improve security?

A.Use a broader CIDR for ingress.
B.Restrict egress to specific ports.
C.Change protocol to UDP.
D.Remove the ingress rule.
AnswerB

Restricting egress limits data exfiltration risks.

Why this answer

The default egress rule in Terraform's AWS security group allows all outbound traffic (0.0.0.0/0, all ports, all protocols). This violates the principle of least privilege. Restricting egress to only specific ports and protocols (e.g., TCP/443 for HTTPS) reduces the attack surface and prevents data exfiltration or unintended outbound connections.

Exam trap

Cisco often tests the misconception that security groups only need ingress rules, leading candidates to overlook the critical security risk of overly permissive egress rules.

How to eliminate wrong answers

Option A is wrong because using a broader CIDR (e.g., 0.0.0.0/0) for ingress would increase the attack surface, allowing traffic from any IP address, which is less secure. Option C is wrong because changing the protocol to UDP does not inherently improve security; UDP is connectionless and can be used for attacks like amplification, and the protocol choice should be based on application requirements, not security generalization. Option D is wrong because removing the ingress rule entirely would block all inbound traffic, which may break legitimate application functionality; the issue is with overly permissive egress, not ingress.

929
MCQeasy

What is a Software Bill of Materials (SBOM) primarily used for?

A.Documenting all open-source and third-party components in an application
B.Tracking user access to cloud resources
C.Recording incident response procedures
D.Listing security controls implemented in the cloud environment
AnswerA

SBOM provides an inventory of dependencies for security analysis.

Why this answer

An SBOM lists all components and dependencies in a software product, aiding in vulnerability management and supply chain security.

930
MCQmedium

A security architect is designing a CI/CD pipeline for a cloud-native application. The team wants to automatically scan container images for vulnerabilities before deployment. Which of the following is the most effective approach?

A.Manually review images before each deployment
B.Integrate a container image scanner into the pipeline
C.Perform vulnerability scanning at runtime using a host-based agent
D.Scan the network for open ports on the container hosts
AnswerB

Automated scanning in the pipeline prevents vulnerable images from being deployed.

Why this answer

Integrating a container image scanner into the CI/CD pipeline ensures that vulnerabilities are detected early, before the image is deployed to production. This approach automates security checks as part of the build process, aligning with DevSecOps principles by shifting security left. Tools like Trivy, Clair, or Anchore can be configured to fail the pipeline if critical vulnerabilities are found, preventing insecure images from reaching runtime.

Exam trap

The trap here is that candidates confuse runtime host-based scanning (Option C) with image scanning, but the question specifically asks for scanning before deployment, making pipeline integration the only correct choice that enforces security gates early in the lifecycle.

How to eliminate wrong answers

Option A is wrong because manual review is not scalable, error-prone, and cannot keep pace with the frequency of deployments in a CI/CD pipeline, violating the automation principle of secure DevOps. Option C is wrong because runtime scanning with a host-based agent detects vulnerabilities only after the container is already running, missing the opportunity to block deployment of vulnerable images and potentially exposing the environment to exploitation. Option D is wrong because scanning the network for open ports on container hosts addresses network-level exposure, not the vulnerabilities within the container image itself, and is a reactive measure unrelated to image security.

931
Multi-Selectmedium

According to GDPR, which THREE are data subject rights? (Select three.)

Select 3 answers
A.Right to transfer data to a third country
B.Right to object to processing for direct marketing
C.Right to access
D.Right to erasure
E.Right to portability
AnswersC, D, E

Correct. Article 15 provides the right of access.

Why this answer

Right to erasure, right to portability, and right to access are explicit rights under GDPR. Right to rectification is also a right, but the options included correct ones.

932
MCQhard

A cloud security engineer reviews the Terraform configuration above. Which of the following is a security best practice that has been violated?

A.The user_data script should not be in plain text
B.The security group does not allow SSH access
C.The security group allows unrestricted inbound traffic on port 80
D.The instance uses a public AMI
AnswerC

Allowing inbound HTTP from anywhere broadens the attack surface.

Why this answer

Option A is correct because the security group allows unrestricted inbound traffic on port 80 from any source (0.0.0.0/0), violating the principle of least privilege. Option B (public AMI) is not necessarily a violation. Option C (plain text user_data) is a minor concern but not a best practice violation per se; secrets should not be in user_data.

Option D (no SSH access) is acceptable if not needed.

933
MCQmedium

A cloud architect is designing a data classification scheme for a SaaS provider. The provider handles customer data that includes public marketing materials, internal policies, and sensitive customer financial records. Which classification level should be assigned to customer financial records to enforce the highest level of protection?

A.Internal
B.Public
C.Restricted
D.Confidential
AnswerC

Restricted is the highest classification, suitable for financial records.

Why this answer

Restricted is the highest classification level, typically used for data that requires the most stringent controls, such as financial records or PII. Public is least sensitive, internal is for company-internal data, confidential is for sensitive but not critical data.

934
MCQhard

A large financial institution hosts a critical application in a multi-cloud environment using AWS and Azure. The application processes sensitive customer data and requires low-latency access to a shared database. The database is deployed as a MySQL instance in AWS RDS, and the Azure application instances connect to it over the public internet using SSL. Recently, the security team discovered that the database connection traffic is being routed through an unencrypted proxy, exposing the data in transit. The network architect must redesign the connectivity to ensure encryption end-to-end and minimize latency. The current setup includes an AWS Direct Connect and an Azure ExpressRoute that both terminate at the same on-premises data center. The on-premises network has a firewall that inspects all traffic. The architect proposes using the on-premises data center as an intermediary to route traffic between clouds. Which of the following solutions best addresses the security and latency requirements?

A.Create an AWS VPC peering connection to the Azure VNet through the on-premises data center using VPN tunnels, and configure the RDS security group to allow traffic only from the Azure VNet CIDR. Ensure the firewall does not decrypt the traffic.
B.Configure the Azure application to use a TLS termination proxy in the on-premises data center that forwards traffic to RDS over SSL, and allow the firewall to inspect traffic.
C.Use AWS Direct Connect and Azure ExpressRoute to connect directly to each other without going through the on-premises data center by establishing a cross-cloud direct connection.
D.Deploy a third-party SD-WAN appliance in both AWS and Azure to create an encrypted overlay network between the two clouds, bypassing the on-premises data center entirely.
AnswerA

Provides encrypted tunnel end-to-end and uses existing connections for low latency.

Why this answer

Option A is correct because it establishes an encrypted VPN tunnel between AWS and Azure through the on-premises data center, leveraging existing Direct Connect and ExpressRoute connections. This ensures end-to-end encryption (SSL from Azure app to RDS is preserved, and the VPN adds an additional layer) while keeping traffic within controlled, low-latency paths. Configuring the RDS security group to allow only the Azure VNet CIDR restricts access, and ensuring the firewall does not decrypt traffic prevents breaking the encryption chain.

Exam trap

The trap here is that candidates may assume Direct Connect and ExpressRoute can directly peer with each other (Option C) or that TLS termination at a proxy is acceptable (Option B), failing to recognize that end-to-end encryption must not be broken and that cloud provider direct interconnects are not available without a third-party service.

How to eliminate wrong answers

Option B is wrong because using a TLS termination proxy in the on-premises data center decrypts traffic for firewall inspection, breaking end-to-end encryption and exposing data in transit within the proxy. Option C is wrong because AWS Direct Connect and Azure ExpressRoute cannot directly interconnect without a third-party provider or intermediary; they terminate at separate on-premises locations and do not support direct cross-cloud peering. Option D is wrong because deploying a third-party SD-WAN appliance bypasses the on-premises data center entirely, which contradicts the architect's proposal to use the on-premises data center as an intermediary and may introduce additional latency or management complexity.

935
MCQhard

A security architect is designing a cloud-native application using microservices. They decide to implement mutual TLS (mTLS) for service-to-service communication in a Kubernetes cluster with hundreds of services. What is the primary challenge in managing mTLS certificates in this dynamic environment?

A.High latency due to encryption overhead
B.Certificate revocation and rotation
C.Incompatibility with HTTP/2
D.Increased complexity in load balancer configuration
AnswerB

Dynamic environments require automated, frequent certificate refreshes and effective revocation.

Why this answer

In a dynamic Kubernetes environment with hundreds of microservices, mTLS certificates must be frequently rotated and revoked to maintain security, especially as services scale up/down and pods are replaced. Manual certificate management is impractical, so automated solutions like SPIFFE/SPIRE or Istio’s Citadel are required to handle the lifecycle at scale. The primary challenge is not the encryption overhead but the operational complexity of ensuring every service has a valid, non-expired certificate and that compromised certificates can be promptly revoked across the mesh.

Exam trap

The trap here is that candidates confuse the operational challenge of certificate lifecycle management with perceived performance issues (latency) or compatibility concerns, when in fact mTLS is designed to work efficiently with modern protocols and the real difficulty is maintaining trust in a rapidly changing service mesh.

How to eliminate wrong answers

Option A is wrong because mTLS encryption overhead is minimal with modern hardware and optimized libraries (e.g., AES-NI, TLS 1.3), and latency is not the primary challenge in a dynamic environment. Option C is wrong because mTLS is fully compatible with HTTP/2; in fact, gRPC (which uses HTTP/2) commonly relies on mTLS for secure service-to-service communication. Option D is wrong because mTLS does not inherently increase load balancer configuration complexity; load balancers can terminate or pass-through mTLS, and the challenge lies in certificate lifecycle management, not load balancer setup.

936
MCQhard

A company uses a cloud-based intrusion detection system (IDS) that generates logs containing IP addresses. The company is headquartered in a country with data localization laws. What is the primary compliance risk?

A.The logs may be tampered with in transit
B.The IDS logs consume too much storage
C.Log data containing personal data may be processed in a different jurisdiction
D.The IDS may miss certain attack patterns
AnswerC

Data localization laws restrict cross-border transfer of personal data.

Why this answer

Logs contain IP addresses (personal data under many laws) and may be transferred abroad if the IDS vendor processes logs in another jurisdiction, violating localization requirements. Encryption does not solve localization.

937
MCQhard

During a security audit, it is discovered that a cloud service provider's infrastructure-as-a-service (IaaS) environment has virtual machines that were provisioned with default firewall rules allowing all inbound traffic from the internet. The organization's cloud security policy requires that all VM firewall rules follow a least-privilege model. What is the most effective approach to enforce this policy going forward?

A.Manually review each VM's firewall rules during deployment
B.Use a configuration management tool to periodically audit and correct firewall rules
C.Implement infrastructure as code templates with built-in security controls that enforce least-privilege firewall rules
D.Use a cloud security posture management (CSPM) tool that continuously monitors and alerts on non-compliant rules
AnswerC

Prevents non-compliant deployments from the start.

Why this answer

Option B is correct because using infrastructure as code (IaC) templates with built-in security controls ensures that all new VM deployments comply with the least-privilege policy, preventing non-compliant deployments. Options A and D are reactive or detective. Option C may miss non-compliant resources if not properly configured.

938
MCQmedium

What is the effective permission for a request coming from IP address 10.1.2.3?

A.Access allowed for all actions
B.Access denied due to explicit deny
C.Access allowed only for GetObject
D.Access denied because no explicit allow
AnswerC

The request IP matches the allow condition, so GetObject is allowed; other actions are implicitly denied.

Why this answer

The effective permission for a request from IP 10.1.2.3 is 'Access allowed only for GetObject' because the bucket policy includes an explicit allow for the s3:GetObject action when the source IP matches 10.1.2.3, and no explicit deny applies to that IP. Since there is no explicit deny for this specific request, the explicit allow grants access only to the GetObject action, not to other actions like PutObject or DeleteObject.

Exam trap

ISC2 often tests the misconception that an explicit allow for one action grants access to all actions, or that the absence of an explicit deny means full access, when in reality the default implicit deny restricts all other actions unless explicitly allowed.

How to eliminate wrong answers

Option A is wrong because an explicit allow for GetObject does not grant access for 'all actions'; AWS S3 bucket policies require explicit allow for each action, and other actions are implicitly denied. Option B is wrong because there is no explicit deny statement in the policy that matches the request from IP 10.1.2.3; explicit deny would override any allow, but it is not present here. Option D is wrong because there is an explicit allow for GetObject for that IP, so access is not denied due to 'no explicit allow'; the request is allowed for that specific action.

939
Multi-Selectmedium

A cloud security auditor is reviewing container runtime configurations. Which TWO practices help prevent a container from compromising the host operating system?

Select 2 answers
A.Using a read-only root filesystem
B.Disabling SELinux inside the container
C.Running containers in privileged mode
D.Dropping all Linux capabilities
E.Mapping the host's Docker socket into the container
AnswersA, D

A read-only filesystem prevents writing to critical system areas.

Why this answer

Running containers without the --privileged flag and with a read-only root filesystem reduces the risk of host compromise.

940
Multi-Selecthard

Which THREE of the following are key components of a secure cloud SDLC that support shift-left security? (Select THREE)

Select 3 answers
A.Post-deployment penetration testing
B.Infrastructure as Code (IaC) security scanning
C.Annual security awareness training
D.Threat modeling during the design phase
E.Automated SAST and DAST in the CI/CD pipeline
AnswersB, D, E

IaC scanning prevents misconfigurations before provisioning.

Why this answer

Infrastructure as Code (IaC) security scanning is a key component of shift-left security because it allows teams to detect misconfigurations and compliance violations in cloud templates (e.g., Terraform, CloudFormation) before any resources are provisioned. By integrating scanners like Checkov or tfsec into the development pipeline, security issues are identified and remediated during coding, not after deployment, which reduces risk and cost.

Exam trap

Cisco often tests the distinction between 'shift-left' (pre-deployment) and 'shift-right' (post-deployment) activities, so candidates mistakenly select post-deployment penetration testing (A) because they think all security testing is shift-left, but the key is that shift-left specifically means moving security earlier in the lifecycle, not after deployment.

941
Multi-Selecthard

A multinational corporation is implementing a multi-cloud strategy to avoid concentration risk. The risk management team is evaluating the inherent risks of using multiple cloud providers. Which THREE risks are specifically associated with a multi-cloud strategy? (Choose three.)

Select 3 answers
A.Higher likelihood of vendor lock-in due to proprietary services
B.Expanded attack surface due to more entry points and APIs
C.Increased complexity in managing consistent security policies across providers
D.Greater difficulty in meeting data sovereignty requirements across jurisdictions
E.Need for specialized skills and expertise for each cloud platform
AnswersB, C, E

Each provider adds its own set of APIs and interfaces, increasing potential vulnerabilities.

Why this answer

Multi-cloud strategies introduce complexity in managing different security models, increase the attack surface, and require expertise across multiple platforms. Vendor lock-in is reduced, not increased, and data sovereignty issues are not inherently worse than single-cloud.

942
MCQmedium

Which of the following is a key consideration when evaluating a cloud service provider's ability to meet compliance requirements for data sovereignty?

A.The provider's support tier
B.The provider's data center locations and geographic restrictions
C.The provider's penetration testing policy
D.The provider's SOC 2 Type II report
AnswerB

Data sovereignty requires data to reside in specific jurisdictions, so data center locations are critical.

Why this answer

Data sovereignty requires that data is stored and processed in specific geographic locations. Understanding where data centers are located and if they comply with local laws is crucial.

943
MCQmedium

A cloud service provider (CSP) offers a shared infrastructure where multiple customers' virtual machines run on the same physical host but are isolated by the hypervisor. Which cloud deployment model does this represent?

A.Hybrid cloud
B.Private cloud
C.Public cloud
D.Community cloud
AnswerC

Public cloud is characterized by shared, multi-tenant infrastructure with hypervisor isolation.

Why this answer

Public cloud utilizes shared infrastructure with multi-tenancy, where hypervisor isolation separates tenants. Private cloud would be dedicated; community cloud is shared by a specific group; hybrid combines models.

944
MCQmedium

A container image is built and scanned in a CI pipeline. Which practice should be implemented to ensure that the image has not been tampered with before deployment?

A.Using a minimal base image
B.Scanning the image with a vulnerability scanner
C.Signing the image with a private key and verifying the signature
D.Storing the image in a private registry
AnswerC

Image signing ensures authenticity and integrity.

Why this answer

Signing container images provides cryptographic verification of image integrity, ensuring they have not been altered since signing.

945
MCQhard

Refer to the exhibit. A security analyst reviews the S3 bucket policy shown. Which security issue should be flagged?

A.The policy restricts read access to a specific role, which is too permissive
B.The policy does not enable server-side encryption
C.The policy allows unauthenticated write access to the bucket
D.The policy contains a syntax error in the JSON
AnswerC

The second statement allows any principal to put objects, which is a security risk.

Why this answer

Option C is correct because the S3 bucket policy contains a Principal element set to "*" with an Effect of "Allow" on the s3:PutObject action, which grants unauthenticated write access to the bucket. This means anyone on the internet can upload objects without any authentication, leading to potential data corruption, storage cost abuse, or malware hosting. The policy does not include any condition (e.g., aws:SourceIp or aws:SecureTransport) to restrict the write operation, making it a critical security misconfiguration.

Exam trap

ISC2 often tests the distinction between read and write permissions in S3 bucket policies, and the trap here is that candidates focus on the read access being restricted (Option A) or missing encryption (Option B) while overlooking the glaring unauthenticated write access.

How to eliminate wrong answers

Option A is wrong because restricting read access to a specific role is a security best practice (least privilege), not too permissive; the issue is with write access, not read. Option B is wrong because server-side encryption is not enforced by the bucket policy itself—it is a separate bucket setting or can be enforced via a condition key (e.g., s3:x-amz-server-side-encryption) in the policy, but its absence is not the flagged security issue here. Option D is wrong because the JSON syntax appears valid (no missing commas, brackets, or quotes) based on the exhibit; the policy is syntactically correct but semantically flawed.

946
MCQmedium

An organization stores customer data in a cloud that is subject to GDPR. The organization uses a cloud provider that does not allow audits of its data centers. What is the best way to satisfy GDPR audit requirements?

A.Minimize data stored to reduce risk
B.Request a contractual waiver for audit rights
C.Switch to a provider that allows on-site audits
D.Rely on the provider's SOC 2 Type II report
AnswerD

SOC 2 provides independent audit evidence.

Why this answer

GDPR requires adequate assurances from processors. If direct audits are not possible, the customer can rely on third-party certifications like SOC 2 Type II or ISO 27001, which provide independent assurance. Waivers and data minimization do not meet audit requirements.

947
MCQhard

A cloud security engineer reviews the S3 bucket policy shown in the exhibit. What is the net effect of this policy when a request originates from IP address 203.0.113.10 over HTTPS?

A.Deny access because the request does not meet the SecureTransport condition
B.Allow access because the condition for Deny does not include SecureTransport
C.Deny access because the request is from the specified IP range
D.Allow access because the request uses HTTPS
AnswerC

Correct: Explicit Deny blocks the request.

Why this answer

The S3 bucket policy includes a Deny statement that blocks all requests from the IP range 203.0.113.0/24, which includes 203.0.113.10. The SecureTransport condition is only applied to the Allow statement, not the Deny, so HTTPS is irrelevant to the Deny effect. Since the request matches the IP address in the Deny statement, it is denied regardless of protocol.

Exam trap

ISC2 often tests the principle that an explicit Deny overrides any Allow, and candidates mistakenly think HTTPS or SecureTransport conditions apply globally to all statements in the policy.

How to eliminate wrong answers

Option A is wrong because the SecureTransport condition is only on the Allow statement, not the Deny; the Deny does not require HTTPS, so the request is denied based on IP alone. Option B is wrong because the Deny statement does not need a SecureTransport condition to block the request; the IP match is sufficient for denial. Option D is wrong because even though the request uses HTTPS, the Deny statement explicitly blocks the IP address, overriding any Allow that might apply.

948
MCQmedium

A company is using a single cloud provider for all critical services. What is the primary risk this company faces?

A.Data sovereignty risk
B.Compliance risk
C.Insider threat risk
D.Concentration risk
AnswerD

Concentration risk is the risk of relying too heavily on one vendor.

Why this answer

Concentration risk (vendor lock-in) arises from over-reliance on one provider, leading to potential business disruption if the provider fails.

949
MCQmedium

A healthcare provider is planning to migrate its electronic health records (EHR) system to a public cloud infrastructure. The system will store protected health information (PHI). Under HIPAA, what must the healthcare provider obtain from the cloud service provider before beginning the migration?

A.A Business Associate Agreement (BAA) that outlines the permitted uses of PHI and the security safeguards in place
B.A signed letter of attestation that the cloud provider is HIPAA-compliant
C.A Data Processing Agreement (DPA) as defined under GDPR
D.A Service Organization Control (SOC) 2 Type II report
AnswerA

A BAA is mandatory for any business associate handling PHI.

Why this answer

HIPAA requires covered entities to have a Business Associate Agreement (BAA) with any business associate that creates, receives, maintains, or transmits PHI on their behalf. The cloud provider is a business associate.

950
Multi-Selectmedium

A security architect is designing a logging strategy for a multi-cloud environment using AWS and Azure. Which TWO practices should be implemented to ensure log integrity and prevent tampering? (Choose two.)

Select 2 answers
A.Store logs in a publicly readable S3 bucket for transparency
B.Encrypt logs using server-side encryption with AWS KMS
C.Enable CloudTrail log file validation
D.Use S3 Object Lock or Azure Immutable Blob Storage
E.Enable cross-region replication for logs
AnswersC, D

This uses SHA-256 hashing and RSA signatures to verify log integrity.

Why this answer

Log file validation (e.g., CloudTrail log file validation) ensures cryptographic verification of log integrity. Write-once-read-many (WORM) storage, such as S3 Object Lock or Azure Immutable Blob Storage, prevents deletion or modification of logs.

951
Multi-Selecthard

An organization is migrating a legacy application to the cloud and wants to maximize elasticity. Which THREE characteristics should the application support to benefit from cloud elasticity?

Select 3 answers
A.Distributed architecture
B.Monolithic architecture
C.Horizontal scaling support
D.Stateless design
E.Vertical scaling capability
AnswersA, C, D

Distributed components can be scaled independently.

Why this answer

Statelessness allows instances to be added/removed easily. Horizontal scaling (adding more instances) is typical for elasticity. Distributed architecture supports scaling.

Vertical scaling (bigger instances) is limited by instance size, and monolithic design hinders elasticity.

952
MCQeasy

Which security testing technique is most effective at identifying vulnerabilities early in the development lifecycle by analyzing source code without executing it?

A.Runtime Application Self-Protection (RASP)
B.Dynamic Application Security Testing (DAST)
C.Interactive Application Security Testing (IAST)
D.Static Application Security Testing (SAST)
AnswerD

SAST examines source code statically, enabling early detection.

Why this answer

Static Application Security Testing (SAST) analyzes source code at rest, allowing early detection of vulnerabilities before compilation or execution. This aligns with shift-left security principles.

953
Multi-Selecthard

A company is implementing a software-defined perimeter (SDP) for their cloud environment. Which THREE characteristics are typical of an SDP? (Choose three.)

Select 3 answers
A.Static IP whitelisting.
B.Dynamic firewall rules based on user identity.
C.Application-layer access control.
D.Mutual authentication between client and controller.
E.Single-factor authentication.
AnswersB, C, D

SDP adjusts rules dynamically based on user identity.

Why this answer

Option B is correct because software-defined perimeter (SDP) architecture uses dynamic firewall rules that are created on-the-fly based on user identity and device posture, rather than static IP addresses. The SDP controller authenticates the user and then dynamically provisions a firewall rule to allow the user's specific IP address to access the requested application, ensuring zero-trust network access.

Exam trap

The trap here is that candidates confuse SDP's dynamic, identity-based firewall rules with traditional static IP whitelisting (Option A), failing to recognize that SDP eliminates reliance on IP addresses for access control.

954
MCQmedium

Which vulnerability is considered a cloud-specific API security issue?

A.Broken Object Level Authorization (BOLA)
B.SQL Injection
C.Cross-Site Request Forgery (CSRF)
D.Clickjacking
AnswerA

BOLA is a cloud-relevant API vulnerability where object access controls are insufficient.

Why this answer

Broken Object Level Authorization (BOLA or IDOR) is a common API vulnerability where an attacker can access objects by modifying IDs. This is not unique to cloud but is critical in cloud APIs due to shared responsibility.

955
MCQeasy

An organization uses cloud storage and wants to protect against accidental deletion of objects. They also want to be able to recover previous versions of objects in case of unintended modifications. Which feature should they enable?

A.Bucket policies
B.Access logs
C.Versioning
D.Server-side encryption
AnswerC

Versioning retains all object versions for recovery.

Why this answer

Versioning in cloud storage preserves every version of an object, allowing recovery from accidental deletions or overwrites.

956
MCQeasy

A developer accidentally uploaded a file containing API credentials to a public cloud storage bucket. The cloud provider states they cannot guarantee deletion of the object. Which practice could have prevented this incident?

A.Data loss prevention for cloud storage
B.Bucket versioning
C.Access control lists
D.Server-side encryption
AnswerA

DLP can inspect and block uploads containing sensitive data.

Why this answer

Data Loss Prevention (DLP) for cloud storage can automatically scan objects for sensitive content, such as API credentials, before or after upload. When configured with policies to block or quarantine files containing patterns like access keys, DLP prevents the data from ever being stored in a public bucket, eliminating the risk even if the provider cannot guarantee deletion. This proactive control addresses the root cause—sensitive data exposure—rather than relying on post-incident remediation.

Exam trap

ISC2 often tests the distinction between preventive controls (DLP) and detective/reactive controls (versioning, encryption, ACLs), leading candidates to choose bucket versioning because it allows rollback, but versioning does not prevent the initial exposure of sensitive data.

How to eliminate wrong answers

Option B (Bucket versioning) is wrong because versioning retains multiple copies of an object, which would actually increase the exposure by preserving the compromised file even after deletion attempts, and does not prevent the initial upload. Option C (Access control lists) is wrong because ACLs only restrict who can access the bucket after the file is stored; they do not prevent a developer from uploading sensitive content to a publicly accessible bucket. Option D (Server-side encryption) is wrong because encryption protects data at rest from unauthorized access but does not prevent the upload of plaintext credentials; the credentials would still be readable by anyone with access to the bucket.

957
MCQeasy

A company is moving its data to the cloud and must ensure that all data at rest is encrypted using keys that are generated and managed on-premises, with the cloud provider having no access to the keys. Which encryption method should be used?

A.Bring Your Own Key (BYOK)
B.Customer-Managed Encryption Keys (CMEK)
C.AES-256 Server-Side Encryption
D.Customer-Supplied Encryption Keys (CSEK)
AnswerD

CSEK involves the customer supplying their own keys, and the cloud provider does not have access to them.

Why this answer

Customer-supplied encryption keys (CSEK) allow the customer to generate and manage keys outside the cloud, giving the maximum control and ensuring the cloud provider cannot access the keys.

958
MCQhard

A cloud security engineer needs to implement a solution to detect configuration drift against CIS benchmarks for AWS workloads. Which tool or service is specifically designed for cloud security posture management (CSPM) in AWS?

A.AWS CloudTrail
B.AWS Security Hub
C.AWS Config
D.AWS Inspector
AnswerB

Security Hub performs automated CSPM checks against standards like CIS.

Why this answer

AWS Security Hub is a cloud security posture management (CSPM) service that aggregates security findings from multiple AWS services and third-party tools, and it can continuously monitor AWS workloads against CIS AWS Foundations Benchmarks. It provides automated compliance checks, consolidated dashboards, and remediation guidance specifically designed for detecting configuration drift from benchmark standards.

Exam trap

Cisco often tests the distinction between AWS Config (a configuration recorder and evaluator) and AWS Security Hub (a CSPM aggregator with built-in benchmark compliance), leading candidates to mistakenly choose Config because it can evaluate rules, even though it lacks the centralized benchmark reporting and multi-service integration that Security Hub provides.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail is a governance, compliance, and auditing service that records API activity and user actions, but it does not perform configuration drift detection or CIS benchmark checks. Option C is wrong because AWS Config is a configuration tracking and evaluation service that can assess resource compliance against custom rules or managed rules, but it is not a dedicated CSPM tool and lacks the centralized multi-account, multi-service benchmark aggregation that Security Hub provides. Option D is wrong because AWS Inspector is a vulnerability management service focused on scanning EC2 instances and container images for software vulnerabilities and network exposure, not for detecting configuration drift against CIS benchmarks for cloud workloads.

959
MCQmedium

What is the primary purpose of a Software Bill of Materials (SBOM) in cloud application security?

A.To scan infrastructure as code
B.To inventory all dependencies and facilitate vulnerability management
C.To automate deployment of containers
D.To document software licensing
AnswerB

SBOMs enable identification of vulnerable components and support supply chain risk management.

Why this answer

An SBOM lists all components (libraries, dependencies) used in a software application, helping to track vulnerabilities and ensure supply chain security.

960
MCQmedium

During an eDiscovery process, a company needs to preserve data stored in AWS S3 that may be relevant to a lawsuit. Which AWS feature should be used to implement a legal hold?

A.AWS CloudTrail
B.S3 Object Lock
C.S3 Versioning
D.AWS Config
AnswerB

S3 Object Lock enforces a retention policy that can serve as a legal hold.

Why this answer

S3 Object Lock prevents object deletion or modification for a specified period, meeting legal hold requirements.

961
Multi-Selectmedium

Which TWO of the following are required for GDPR compliance when processing personal data in the cloud?

Select 2 answers
A.Appoint a Data Protection Officer (DPO) for all organizations
B.Store data only within the European Union
C.Use only ISO 27001 certified cloud service providers
D.Conduct a Data Protection Impact Assessment (DPIA) when processing is likely to result in high risk
E.Maintain a record of processing activities
AnswersD, E

GDPR requires DPIA for high-risk processing.

Why this answer

Options A and B are correct. DPIA is required for high-risk processing, and records of processing activities are mandatory. Option C is wrong because data can be stored outside EU with adequate safeguards.

Option D is wrong because DPO is only required in certain cases. Option E is wrong because CSP certification is not a legal requirement.

962
Multi-Selectmedium

Which TWO of the following are best practices for securing a cloud-based container orchestration platform?

Select 2 answers
A.Use minimal base images to reduce the attack surface.
B.Store secrets in environment variables for ease of use.
C.Run containers with root privileges by default.
D.Enable audit logging for all administrative actions.
E.Disable TLS certificate validation for internal communications.
AnswersA, D

Minimal images reduce vulnerabilities.

Why this answer

Using minimal base images (e.g., Alpine or distroless images) reduces the number of installed packages and libraries, thereby shrinking the attack surface. This practice limits the potential vectors for privilege escalation or remote code execution within containers, which is a core security principle for containerized workloads in platforms like Kubernetes.

Exam trap

ISC2 often tests the misconception that environment variables are a safe place for secrets because they are 'not stored on disk,' but in reality they are accessible to any process or user with access to the container's runtime environment.

963
MCQmedium

A cloud security engineer is configuring a Data Loss Prevention (DLP) API to scan a cloud storage bucket for personally identifiable information (PII). Which of the following is a de-identification technique that replaces sensitive values with a token that can be mapped back to the original data using a secure lookup table?

A.Tokenization
B.Pseudonymization
C.Bucketing
D.Masking
AnswerA

Tokenization replaces original data with a token that can be mapped back using a secure token vault.

Why this answer

Tokenization replaces sensitive data with a token that can be reversed via a lookup table, preserving referential integrity while protecting the original data.

964
MCQhard

After a security incident involving a compromised IAM key, a security engineer needs to collect forensic evidence from the AWS environment. Which of the following actions would be most useful for determining the timeline of the compromise?

A.Taking a memory dump of the EC2 instance
B.Reviewing CloudTrail events for the compromised key
C.Analyzing VPC Flow Logs for data exfiltration
D.Checking AWS Config for resource changes
AnswerB

CloudTrail logs all actions taken with that key, providing a clear timeline.

Why this answer

CloudTrail logs contain detailed records of all API calls, including the identity, timestamp, and source IP. Analyzing these logs helps establish the timeline of when the key was used.

965
MCQhard

A company uses AWS Organizations with multiple accounts. A security team wants to ensure that a specific S3 bucket in the production account cannot be deleted by anyone, including the root user of that account. Which control should be implemented?

A.Use S3 event notifications to alert when a delete is attempted.
B.Enable S3 Versioning on the bucket.
C.Enable AWS CloudTrail to log any deletion attempt.
D.Apply a service control policy (SCP) to deny s3:DeleteBucket on the production account.
AnswerD

SCPs apply to all principals including root, and cannot be overridden within the account.

Why this answer

Option D is correct because a service control policy (SCP) is an AWS Organizations policy that can be applied to an account (or OU) to restrict permissions for all IAM users, roles, and even the root user of that account. By attaching an SCP that denies the s3:DeleteBucket action, the security team ensures that no principal in the production account, including the root user, can delete the specified S3 bucket. This provides a preventive control that overrides any allow permissions within the account.

Exam trap

ISC2 often tests the distinction between preventive controls (like SCPs) and detective/reactive controls (like CloudTrail or notifications), and the trap here is that candidates confuse logging or versioning with actual deletion prevention.

How to eliminate wrong answers

Option A is wrong because S3 event notifications are only reactive alerts; they do not prevent the deletion from occurring, so the bucket can still be deleted. Option B is wrong because S3 Versioning protects objects within the bucket from being overwritten or deleted, but it does not prevent the bucket itself from being deleted. Option C is wrong because AWS CloudTrail logs API calls for auditing purposes but does not block the deletion action; it only records it after the fact.

966
MCQeasy

Which of the following is the best way to protect a web application from cross-site scripting (XSS) attacks?

A.Encode all output that is rendered in HTML.
B.Implement a Content Security Policy (CSP) as the sole defense.
C.Use a combination of input validation, output encoding, and Content Security Policy.
D.Validate all user input on the server side.
AnswerC

Defense in depth reduces the risk of XSS.

Why this answer

Option C is correct because cross-site scripting (XSS) attacks exploit multiple vectors, and no single defense is sufficient. Input validation prevents malicious payloads from being stored or processed, output encoding ensures that any residual dangerous characters are rendered inert in the HTML context, and Content Security Policy (CSP) provides a robust, browser-enforced layer that can block inline scripts and restrict script sources even if other defenses fail. This defense-in-depth approach aligns with the OWASP XSS prevention cheat sheet and is the recommended strategy for cloud-hosted web applications.

Exam trap

ISC2 often tests the misconception that a single security control (like output encoding or CSP alone) is sufficient, when the correct answer always requires a defense-in-depth combination of input validation, output encoding, and CSP.

How to eliminate wrong answers

Option A is wrong because output encoding alone does not prevent XSS in all contexts (e.g., JavaScript event handlers, CSS, or URL contexts require context-specific encoding) and does not address stored XSS where the payload is executed before encoding is applied. Option B is wrong because implementing CSP as the sole defense is insufficient; CSP can be bypassed if the application has JSONP endpoints, unsafe-inline fallbacks, or misconfigured directives, and it does not remediate existing XSS vulnerabilities in the application code. Option D is wrong because server-side input validation alone cannot stop XSS; it can be bypassed with encoding variations (e.g., double URL encoding, Unicode escapes) and does not protect against reflected or DOM-based XSS where the payload is generated client-side without server validation.

967
Multi-Selectmedium

A cloud security architect is evaluating options for private connectivity to cloud services without traversing the internet. Which TWO services can be used to achieve this? (Select two.)

Select 2 answers
A.VPC peering
B.Security group
C.VPC endpoint
D.Internet gateway
E.NAT gateway
AnswersA, C

VPC peering connects VPCs privately within the same cloud provider.

Why this answer

VPC endpoints (AWS PrivateLink, Azure Private Link, GCP Private Service Connect) and VPC peering provide private connectivity without internet. Internet gateway and NAT gateway use internet; security groups are firewalls.

968
Multi-Selectmedium

An organization wants to prevent secrets from being exposed in source code. Which two practices should they adopt? (Choose TWO.)

Select 2 answers
A.Implement secret scanning in the CI/CD pipeline
B.Encrypt all source code files
C.Use a firewall to block access to code repositories
D.Use a secrets management service to retrieve credentials at runtime
E.Disable git history
AnswersA, D

Secret scanning tools can detect and block commits containing secrets.

Why this answer

Using a secrets manager (like AWS Secrets Manager or Vault) avoids hardcoding credentials. Scanning for secrets in code repositories (e.g., GitGuardian) helps detect and remove any secrets that might have been committed.

969
MCQeasy

A development team is adopting a DevSecOps approach for a cloud-native application. Which practice best exemplifies the shift-left security principle?

A.Reviewing logs for security incidents weekly
B.Scanning Infrastructure as Code (IaC) templates with Checkov before deployment
C.Configuring a cloud WAF after the application is live
D.Performing runtime penetration testing after deployment
AnswerB

Correct. IaC scanning in the CI pipeline identifies misconfigurations early, aligning with shift-left.

Why this answer

Option B is correct because scanning Infrastructure as Code (IaC) templates with Checkov before deployment embodies the shift-left security principle by identifying and remediating misconfigurations early in the development lifecycle. This proactive approach prevents security issues from reaching production, reducing risk and cost compared to post-deployment fixes.

Exam trap

Cisco often tests the misconception that shift-left means any security activity performed early in the lifecycle, but the trap here is that candidates may confuse post-deployment controls (like WAF or pen testing) with true shift-left practices, which must occur before code is deployed or infrastructure is provisioned.

How to eliminate wrong answers

Option A is wrong because reviewing logs for security incidents weekly is a reactive, post-deployment monitoring practice that does not shift security left; it detects issues after they have occurred. Option C is wrong because configuring a cloud WAF after the application is live is a runtime security control applied after deployment, not an early-stage preventive measure. Option D is wrong because performing runtime penetration testing after deployment is a late-stage validation activity that does not catch vulnerabilities during development or build phases.

970
MCQhard

A cloud security analyst is investigating a potential data breach. They discover that an employee's credentials were used to access a cloud storage bucket containing sensitive files. The access logs show the employee accessed the bucket from an IP address in a different country during the time of the incident. Which of the following is the MOST likely attack vector?

A.The employee intentionally accessed the data from that country
B.A distributed denial-of-service (DDoS) attack overwhelmed access controls
C.The cloud storage bucket was misconfigured as public
D.The employee's credentials were stolen via a phishing attack
AnswerD

Phishing could compromise credentials used from a foreign IP.

Why this answer

The correct answer is D because the scenario describes a classic credential theft attack: an employee's credentials are used from an anomalous geographic location to access sensitive cloud storage. Phishing is the most common vector for stealing credentials, as it tricks users into revealing their passwords, which are then reused by attackers to authenticate to cloud services like AWS S3 or Azure Blob Storage. The access logs showing a foreign IP address strongly indicate the credentials were compromised and used by an unauthorized party, not the employee.

Exam trap

ISC2 often tests the distinction between credential theft and misconfiguration; the trap here is that candidates see 'different country' and assume a public bucket (option C) because they confuse geographic anomaly with open access, but the logs explicitly show credential usage, ruling out anonymous access.

How to eliminate wrong answers

Option A is wrong because the employee intentionally accessing data from a different country would not constitute a breach unless they were acting maliciously, but the scenario is about investigating a potential breach, and the anomalous IP suggests unauthorized use, not a routine business trip. Option B is wrong because a DDoS attack overwhelms network resources or application availability, not access controls; it does not grant an attacker valid credentials to authenticate to a cloud storage bucket. Option C is wrong because a misconfigured public bucket would allow anonymous access without requiring any credentials, but the logs show the employee's credentials were used, indicating authentication occurred, not anonymous public access.

971
MCQhard

A security team is investigating a potential credential compromise in AWS. They have CloudTrail logs showing an IAM user's access key was used to launch instances in a region where the user has never operated. What is the BEST course of action to confirm and contain the incident?

A.Create a new IAM policy to deny all actions for that user.
B.Check CloudTrail for the access key events, then rotate the key in IAM.
C.Immediately delete all EC2 instances launched by that user.
D.Disable the user's console password and delete the access key.
AnswerB

This confirms the usage and revokes the compromised key.

Why this answer

Option B is correct because the first step in confirming a potential credential compromise is to verify that the anomalous activity (instance launches in an unfamiliar region) is indeed associated with the specific access key in CloudTrail logs. Once confirmed, rotating the key (i.e., deactivating the old key and issuing a new one) immediately invalidates the compromised credential, stopping any further unauthorized use while preserving the user's ability to operate with a new key. This aligns with AWS's incident response best practices for IAM credential compromise.

Exam trap

Cisco often tests the distinction between 'containment' (stopping the attack) and 'remediation' (cleaning up resources); the trap here is that candidates may choose to delete resources (Option C) or disable the user entirely (Option D) instead of focusing on the compromised credential itself, which is the root cause of the incident.

How to eliminate wrong answers

Option A is wrong because creating a new IAM policy to deny all actions for that user is overly broad and may disrupt legitimate operations; it also does not directly invalidate the compromised access key, as the key remains active and could still be used if the policy evaluation allows it (e.g., if the user has other policies granting access). Option C is wrong because immediately deleting all EC2 instances launched by that user destroys forensic evidence and may delete instances that were launched legitimately; containment should focus on the credential, not the resources, until the scope is understood. Option D is wrong because disabling the console password does not affect programmatic access via the access key, and deleting the access key without first confirming it is the compromised key in CloudTrail could delete a legitimate key, causing unnecessary disruption; rotation is the preferred containment action.

972
MCQeasy

A security engineer needs to ensure that all API calls made to AWS resources are logged for auditing purposes. Which AWS service should be enabled to capture management events, data events, and provide log file validation?

A.Amazon CloudWatch Logs
B.AWS CloudTrail
C.AWS Config
D.AWS GuardDuty
AnswerB

CloudTrail records API activity across AWS services and supports log file validation.

Why this answer

AWS CloudTrail is the correct service because it is specifically designed to log API calls and actions taken within an AWS account, capturing management events (e.g., creating or deleting resources) and data events (e.g., S3 object-level operations). It also provides log file validation through digital signatures using SHA-256 hashing and RSA, ensuring the integrity and authenticity of the log files after they have been delivered.

Exam trap

Cisco often tests the distinction between services that generate logs (CloudTrail) versus services that store or analyze logs (CloudWatch Logs, GuardDuty), leading candidates to confuse CloudWatch Logs as the primary logging service for API calls.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Logs is a service for monitoring, storing, and accessing log files from various AWS resources (e.g., EC2, Lambda), but it does not natively capture AWS API calls or provide log file validation; it can only ingest CloudTrail logs if configured as a destination. Option C is wrong because AWS Config is a service for evaluating resource configurations against desired policies and tracking configuration changes, not for logging API calls or providing log file validation. Option D is wrong because AWS GuardDuty is a threat detection service that analyzes CloudTrail logs, VPC Flow Logs, and DNS logs for malicious activity, but it does not itself capture or log API calls nor provide log file validation.

973
MCQhard

A security engineer reviews the S3 bucket policy shown in the exhibit. Which security concern should be addressed immediately?

A.The principal "*" grants access to all AWS services
B.The second statement allows unrestricted public read access to all objects
C.The policy version is outdated and should be updated
D.The resource ARN does not include the bucket itself, only objects
AnswerB

The second statement has no condition, so it grants s3:GetObject to anyone, overriding the IP restriction.

Why this answer

Option B is correct because the second statement in the S3 bucket policy uses `"Effect": "Allow"` with `"Principal": "*"` and `"Action": "s3:GetObject"` without any condition restricting access (e.g., `IpAddress` or `Referer`). This effectively grants anonymous, unauthenticated read access to every object in the bucket, which is a critical data exposure risk. Such a policy violates the principle of least privilege and should be remediated immediately by removing the statement or adding a condition to restrict access.

Exam trap

ISC2 often tests the misconception that `"Principal": "*"` only applies to AWS services, when in fact it grants access to all principals including anonymous users, and candidates may overlook the missing condition that would otherwise restrict access.

How to eliminate wrong answers

Option A is wrong because `"Principal": "*"` grants access to all AWS users and anonymous users, not just AWS services; the misconception is that `*` limits to services, but it actually means any principal (including unauthenticated users). Option C is wrong because the policy version `"2012-10-17"` is the current and valid version for S3 bucket policies; an outdated version would be `"2008-10-17"`, but that is not a security concern here. Option D is wrong because the resource ARN `"arn:aws:s3:::example-bucket/*"` correctly specifies objects within the bucket; while it does not include the bucket itself, this is intentional for object-level permissions and is not a security issue—the bucket ARN would be needed only for bucket-level actions like `s3:ListBucket`, which is not the concern in this policy.

974
MCQhard

A cloud security engineer needs to ensure that a containerized application running in a Kubernetes cluster securely stores and rotates database credentials. Which is the most appropriate solution?

A.Store credentials as environment variables in the pod manifest
B.Embed credentials in the container image during build
C.Use a secrets management system integrated with Kubernetes, such as HashiCorp Vault with CSI driver
D.Use Kubernetes Secrets without encryption at rest
AnswerC

Vault provides secure storage, dynamic credentials, and rotation.

Why this answer

Option C is correct because HashiCorp Vault integrated with the Kubernetes CSI (Container Storage Interface) driver allows dynamic, short-lived database credentials to be injected into pods as volumes, enabling automatic rotation without application changes. This approach ensures secrets are never stored in the cluster's etcd or exposed in environment variables, aligning with the principle of least privilege and compliance requirements for credential rotation.

Exam trap

ISC2 often tests the misconception that Kubernetes Secrets are inherently secure because they are base64-encoded, but the trap is that base64 is not encryption, and without encryption at rest or an external secrets manager, they are vulnerable to etcd compromise.

How to eliminate wrong answers

Option A is wrong because storing credentials as environment variables in the pod manifest exposes them in plaintext in the cluster's etcd and in any logs or dumps that capture environment variables, violating security best practices for secret management. Option B is wrong because embedding credentials in the container image during build makes them immutable and accessible to anyone with image pull access, preventing rotation without rebuilding and redeploying the image. Option D is wrong because Kubernetes Secrets without encryption at rest store secrets in base64-encoded plaintext in etcd, which is not secure against unauthorized access to the underlying storage, and they lack native rotation capabilities.

975
MCQmedium

A financial institution requires a cloud environment that is shared by multiple organizations with common regulatory compliance needs, such as PCI DSS. Which deployment model is most appropriate?

A.Private cloud
B.Public cloud
C.Community cloud
D.Hybrid cloud
AnswerC

Correct. Community cloud is shared by organizations with common interests.

Why this answer

A community cloud is designed for organizations with shared concerns like compliance, security, or policy, and is more suitable than public or private cloud for this specific requirement.

Page 12

Page 13 of 14

Page 14