Certified Cloud Security Professional CCSP (CCSP) — Questions 976–987

987 questions total · 14 pages · All types, answers revealed


Page 14 of 14

976
MCQ · hard

A cloud security engineer is configuring an AWS Lambda function that processes messages from an Amazon SQS queue. The function needs to write results to a DynamoDB table. Which of the following is the SECUREST way to manage the function's credentials?

A. Use AWS Secrets Manager to store credentials and retrieve them at runtime
B. Store the database credentials as ciphertext in the Lambda environment variables
C. Attach an IAM execution role to the Lambda function with fine-grained permissions for SQS and DynamoDB
D. Create an IAM user with Access Key and Secret Key and pass them to the function via encrypted environment variables
Answer: C

This follows least privilege and avoids any static credentials.

Why this answer

Option C is correct because AWS Lambda natively supports IAM execution roles, which provide temporary, automatically rotated credentials via the AWS Security Token Service (STS). By attaching an execution role with fine-grained permissions for SQS (e.g., sqs:ReceiveMessage) and DynamoDB (e.g., dynamodb:PutItem), the function never needs to manage long-lived secrets, eliminating the risk of credential leakage or rotation failures.

Exam trap

ISC2 often tests the misconception that storing encrypted credentials in environment variables or using a secrets manager is always the most secure approach, but for AWS-native services, IAM execution roles are the recommended and most secure method because they eliminate the need for any static, long-lived credentials.

How to eliminate wrong answers

Option A is wrong because AWS Secrets Manager is designed for storing secrets like database passwords, but for AWS-native services (SQS, DynamoDB), IAM roles are the securest and simplest approach; using Secrets Manager adds unnecessary complexity and cost without improving security. Option B is wrong because storing credentials as ciphertext in Lambda environment variables still requires the function to have a decryption key (e.g., KMS key) and manage the decryption process, which is less secure than using an IAM role that never exposes static credentials. Option D is wrong because creating an IAM user with long-lived Access Key and Secret Key violates the principle of least privilege and introduces static credentials that must be rotated, encrypted, and managed, whereas an IAM execution role provides temporary credentials that are automatically rotated and scoped to the function's execution.

977
Multi-Select · hard

Which THREE of the following are key considerations when conducting a cloud risk assessment?

Select 3 answers
A. Reviewing legal and regulatory requirements applicable to the organization
B. Analyzing network latency between cloud regions
C. Identifying threats specific to cloud deployment models (IaaS, PaaS, SaaS)
D. Evaluating the CSP's physical security controls in detail
E. Assessing the impact of shared tenancy on data isolation
Answers: A, C, E

Compliance with laws is a key risk consideration.

Why this answer

Option A is correct because legal and regulatory requirements (e.g., GDPR, HIPAA, PCI DSS) directly dictate data residency, privacy controls, and breach notification obligations. A cloud risk assessment must map these requirements to the specific cloud deployment to identify compliance gaps and potential liabilities.

Exam trap

ISC2 often tests the distinction between operational metrics (like latency) and risk assessment inputs, tricking candidates into selecting performance-related options as risk factors.

978
MCQ · medium

In a DevSecOps pipeline for a cloud application, which practice best ensures that only approved open-source components are used?

A. Signing container images
B. Implementing dependency scanning with Snyk
C. Using a private artifact registry with allow-lists
D. Running SAST scans on all source code
Answer: C

A private registry restricts dependencies to those approved.

Why this answer

Option C is correct because a private artifact registry with allow-lists enforces a whitelist of approved open-source components, preventing developers from pulling unvetted dependencies directly from public repositories. This ensures that only components that have passed security and compliance reviews are used in the pipeline, directly addressing the requirement for 'approved' open-source components.

Exam trap

Cisco often tests the distinction between detection tools (like Snyk or SAST) and enforcement controls (like allow-lists), so candidates mistakenly choose a scanning tool that finds vulnerabilities rather than a policy-based mechanism that prevents unapproved components from being used at all.

How to eliminate wrong answers

Option A is wrong because signing container images ensures integrity and authenticity of the image itself, but does not control which open-source components are included inside the image. Option B is wrong because dependency scanning with Snyk identifies known vulnerabilities in open-source components but does not enforce a policy of only using pre-approved components; it detects issues after the component is already included. Option D is wrong because SAST (Static Application Security Testing) scans analyze custom source code for security flaws, not the approval status or provenance of open-source libraries.

979
MCQ · medium

A company is implementing a cloud key management system (KMS) to control encryption keys for sensitive data. Which practice is essential to ensure the security of the keys?

A. Use a single key for all encryption operations to simplify management.
B. Export keys to the cloud provider's hardware security module (HSM).
C. Store encryption keys in the same region as the encrypted data.
D. Periodically rotate the encryption keys.
Answer: D

Key rotation limits the lifetime of exposed keys.

Why this answer

Periodic key rotation is essential because it limits the amount of data encrypted under a single key, reducing the impact of a key compromise and complying with cryptographic best practices (e.g., NIST SP 800-57). In a cloud KMS, rotation can be automated using key versions, where old keys are retained for decryption while new keys are used for encryption, ensuring forward secrecy and operational security.

Exam trap

ISC2 often tests the misconception that key rotation is optional or that storing keys in the same region as data is a security best practice, when in fact rotation is a mandatory control for key hygiene and regional separation is a common architectural pattern for isolation.

How to eliminate wrong answers

Option A is wrong because using a single key for all encryption operations violates the principle of key separation and increases the blast radius of a compromise; it also makes key management and auditing impractical. Option B is wrong because exporting keys to a cloud provider's HSM undermines the security model of a KMS, as keys should remain within the HSM's boundary and never be exported in plaintext; cloud HSMs typically do not allow key export to maintain FIPS 140-2/3 compliance. Option C is wrong because storing encryption keys in the same region as the encrypted data does not inherently improve security; it may actually increase risk if a regional breach occurs, and compliance frameworks often require key separation from data (e.g., storing keys in a different region or account) to provide defense in depth.

980
MCQ · hard

An organization wants to ensure that if they decide to migrate away from their current cloud provider, they can retrieve all data in a usable format and delete it from the provider's systems. Which principle does this best describe?

A. Interoperability
B. Portability
C. Elasticity
D. Reversibility
Answer: D

Correct. Reversibility covers data retrieval and deletion upon exit.

Why this answer

Reversibility is the ability to cleanly exit a cloud service, including data portability and secure deletion of data from the provider's environment.

981
MCQ · hard

A DevOps team is deploying containers in a Kubernetes cluster. They need to ensure that container images are scanned for vulnerabilities before deployment. Which is the most effective approach?

A. Scan images manually after deployment.
B. Use a container registry with integrated vulnerability scanning and enforce admission controls.
C. Rely on the developer's assurance that images are secure.
D. Use a runtime security tool.
Answer: B

Integrated scanning and admission control prevent vulnerable images from being deployed.

Why this answer

Option B is correct because integrating vulnerability scanning into the container registry (e.g., using tools like Trivy, Clair, or Amazon ECR scanning) combined with admission controllers (e.g., OPA/Gatekeeper or Kyverno) allows automated scanning of images at rest and blocks deployments of non-compliant images before they enter the cluster. This shift-left approach ensures that only images passing security policies are admitted, preventing vulnerable images from reaching production.

Exam trap

ISC2 often tests the distinction between pre-deployment controls (image scanning + admission) and runtime controls, so candidates mistakenly choose runtime tools (Option D) thinking they prevent vulnerabilities, when in fact runtime tools only detect active exploits after deployment.

How to eliminate wrong answers

Option A is wrong because scanning images manually after deployment introduces a delay that allows vulnerable containers to run in the cluster, violating the principle of shift-left security and failing to prevent exploitation. Option C is wrong because relying on developer assurance without automated verification is a security anti-pattern; developers may unknowingly introduce vulnerabilities, and this approach lacks auditability and enforcement. Option D is wrong because runtime security tools (e.g., Falco, Sysdig) monitor container behavior during execution but do not prevent vulnerable images from being deployed; they address post-deployment threats, not pre-deployment image integrity.

982
MCQ · medium

A company develops a microservices application and wants to ensure secrets such as API keys and database credentials are not exposed in container images. Which approach best meets this requirement?

A. Hardcode secrets in the application code and obfuscate with encryption.
B. Use a secrets management service such as HashiCorp Vault to inject secrets at runtime.
C. Pass secrets as environment variables during container deployment.
D. Store secrets in a separate configuration file within the image.
Answer: B

Secrets are never stored in the image and are dynamically injected.

Why this answer

Option B is correct because a secrets management service like HashiCorp Vault allows secrets to be dynamically injected into containers at runtime, ensuring they never reside in the image. This approach decouples secrets from the application artifact, adhering to the principle of least privilege and immutable infrastructure. Vault can inject secrets via sidecar containers, init containers, or API calls, preventing exposure in image layers or configuration files.

Exam trap

ISC2 often tests the misconception that environment variables are a secure way to pass secrets because they are not in the image, but the trap is that environment variables are still exposed in the container's runtime environment and orchestration metadata, making them vulnerable to leakage via logs, debugging tools, or misconfigured RBAC.

How to eliminate wrong answers

Option A is wrong because hardcoding secrets in application code, even with obfuscation, is insecure—encryption keys must still be stored somewhere, and obfuscation can be reversed, violating the core security principle of not embedding secrets in code. Option C is wrong because passing secrets as environment variables during deployment, while better than hardcoding, still exposes them in the container's process list, logs, and orchestration metadata, and they can be read from the host or via /proc. Option D is wrong because storing secrets in a separate configuration file within the image means the secrets are baked into the image layers, making them accessible to anyone who can pull the image, and they persist in registries and caches.

983
MCQ · medium

A DevSecOps team is integrating static application security testing (SAST) into their CI/CD pipeline. Which of the following is the PRIMARY benefit of performing SAST during the build phase rather than later in the pipeline?

A. It identifies runtime vulnerabilities such as SQL injection
B. It reduces false positives compared to dynamic analysis
C. It enables early detection of vulnerabilities before deployment
D. It scans running applications to find configuration issues
Answer: C

Early detection in the build phase prevents vulnerable code from reaching production.

Why this answer

Performing SAST during the build phase allows the team to identify security vulnerabilities in the source code before the application is compiled, packaged, or deployed. This early detection reduces the cost and effort of remediation because issues are found at the point of code creation, not after deployment. The primary benefit is shifting security left to catch defects before they reach production.

Exam trap

ISC2 often tests the concept of 'shift left' security, and the trap here is confusing SAST's static analysis capability with runtime detection, leading candidates to incorrectly choose options that describe dynamic or runtime testing benefits.

How to eliminate wrong answers

Option A is wrong because SAST analyzes source code statically and cannot identify runtime vulnerabilities like SQL injection that depend on dynamic input and database interaction; those are better detected by DAST or IAST. Option B is wrong because SAST often produces more false positives than dynamic analysis due to its lack of runtime context, not fewer. Option D is wrong because SAST does not scan running applications; it scans source code or binaries without execution, whereas configuration issues in running apps are found by tools like configuration scanning or DAST.

984
Multi-Select · medium

A company is deploying a SIEM solution in Azure. Which THREE data sources should be ingested to provide comprehensive visibility into the cloud environment?

Select 3 answers
A. Azure Activity Logs
B. Azure Active Directory sign-in logs
C. Azure VNet Flow Logs
D. Azure Monitor Metrics
E. Azure Defender for Cloud alerts
Answers: A, B, E

Captures control plane operations.

Why this answer

Azure Activity Logs are correct because they provide the control-plane audit trail for all Azure resource management operations, including create, update, and delete actions. This is essential for detecting unauthorized configuration changes and meeting compliance requirements in a SIEM.

Exam trap

Cisco often tests the distinction between operational monitoring data (Metrics) and security-relevant audit data (Logs, Alerts), leading candidates to incorrectly select Azure Monitor Metrics as a required SIEM source.

985
MCQ · medium

A cloud security architect is designing a multi-tenant environment using Type 1 hypervisors. Which of the following is the primary security risk associated with this architecture?

A. Insecure VM migration between hosts
B. Insufficient logging of hypervisor events
C. Resource contention leading to denial of service
D. VM escape from guest to hypervisor
Answer: D

VM escape is a major threat in multi-tenant environments as it could allow an attacker to control the hypervisor and access other tenants' VMs.

Why this answer

In multi-tenant cloud environments, VM escape is a critical risk where an attacker compromises a VM and attempts to break out to the hypervisor to access other VMs. Regular patching of the hypervisor mitigates this.

986
MCQ · medium

An organization is using a public cloud IaaS and wants to ensure they understand which security responsibilities fall on them. According to the shared responsibility model, which of the following is the customer responsible for in an IaaS deployment?

A. Hypervisor security
B. Physical security of data centers
C. Security of the guest operating system
D. Network infrastructure hardening
Answer: C

Correct. The customer manages the OS, apps, and data.

Why this answer

In IaaS, the customer is responsible for securing the operating system, applications, and data, while the provider secures the physical infrastructure.

987
MCQ · medium

A cloud security analyst is reviewing the network architecture of a VPC. The security team wants to block all traffic from a known malicious IP address at the subnet level. Which AWS network security component should they use?

A. Network ACL (NACL)
B. Transit gateway
C. Security group
D. VPC peering connection
Answer: A

NACLs are stateless and allow explicit deny rules at the subnet level.

Why this answer

NACLs (Network Access Control Lists) are stateless firewalls that operate at the subnet level and support both allow and deny rules. Security groups are stateful and only support allow rules at the instance level.
