Certified Cloud Security Professional (CCSP) — Questions 151-225

504 questions total · 7 pages · All types, answers revealed


Page 3 of 7

151 · MCQ · hard

A financial services company deploys a containerized application on Amazon ECS with Fargate. The application needs to access an encrypted RDS database. The security policy mandates that database credentials must never be stored in the application code or configuration files and must be rotated automatically every 90 days. Which solution should the DevOps team implement to satisfy these requirements?

A. Store credentials in AWS Secrets Manager, grant ECS task role access, and enable automatic rotation
B. Encrypt credentials with AWS KMS and pass them as environment variables during task definition
C. Store credentials in AWS Systems Manager Parameter Store (SecureString) and retrieve them at container startup
D. Use a secrets vault like HashiCorp Vault deployed on EC2 and mount secrets via sidecar container
Answer: A

Secrets Manager supports rotation and integrates with ECS, meeting all requirements.

Why this answer

AWS Secrets Manager is the correct choice because it is designed to securely store, retrieve, and automatically rotate database credentials on a schedule (e.g., every 90 days) without storing them in code or configuration. By granting the ECS task role (via IAM) permission to access the secret, the Fargate task can retrieve the credentials at runtime using the AWS SDK or CLI, ensuring they are never hardcoded. This satisfies both the no-storage-in-code and automatic rotation requirements mandated by the security policy.

Exam trap

ISC2 often tests the distinction between AWS Secrets Manager and Systems Manager Parameter Store, where candidates mistakenly choose Parameter Store because it is cheaper, but they overlook that Secrets Manager provides native automatic rotation for RDS credentials, which is explicitly required by the policy.

How to eliminate wrong answers

Option B is wrong because passing encrypted credentials as environment variables in the task definition still embeds them in the container's environment, which violates the policy of never storing credentials in code or configuration files, and it does not provide automatic rotation. Option C is wrong because AWS Systems Manager Parameter Store (SecureString) can store encrypted secrets but does not natively support automatic rotation of RDS database credentials; it requires custom Lambda functions or additional services to implement rotation, making it less suitable for the 90-day rotation requirement. Option D is wrong because deploying HashiCorp Vault on EC2 adds operational overhead, requires managing the EC2 instances and Vault cluster, and does not integrate natively with ECS Fargate's task role for seamless credential retrieval; it also does not automatically rotate RDS credentials without additional configuration.

152 · MCQ · hard

A financial organization is migrating a critical application to a cloud environment. The application processes sensitive customer data and must comply with PCI DSS. The security architect proposes using serverless functions for the compute layer. Which security control is essential to protect the application from injection attacks?

A. Enable function-level logging for audit trails
B. Use parameterized queries in the functions' database calls
C. Encrypt all data in transit between functions
D. Implement a web application firewall (WAF) in front of the functions
Answer: B

Parameterized queries prevent injection by separating SQL code from user input.

Why this answer

Injection attacks (e.g., SQL injection) exploit untrusted input that is concatenated into database queries. Parameterized queries (prepared statements) separate SQL logic from data, ensuring user input is treated as data only, not executable code. This is the foundational control for preventing injection in serverless functions that interact with databases, as required by PCI DSS Requirement 6.5.1.

Exam trap

ISC2 often tests the misconception that a WAF is a universal injection defense, but in serverless architectures, injection can occur through non-HTTP triggers (e.g., S3 events, DynamoDB Streams) where a WAF has no visibility, making parameterized queries the essential control.

How to eliminate wrong answers

Option A is wrong because function-level logging provides audit trails for compliance and incident response, but does not prevent injection attacks; it only records events after the fact. Option C is wrong because encrypting data in transit (e.g., TLS) protects against eavesdropping and tampering during transmission, but does not address injection vulnerabilities within the application logic itself. Option D is wrong because a WAF can detect and block some injection patterns at the HTTP layer, but serverless functions often receive events from multiple sources (e.g., queues, storage triggers) that bypass the WAF, and WAFs cannot prevent injection in non-HTTP contexts or when input is already inside the function; parameterized queries are the definitive defense.
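The following is an added illustration of the point made in this question, not code from the question bank or from ISC2. It places the vulnerable concatenation pattern beside the parameterized form against a constructed in-memory SQLite table, and wraps the safe form in a stand-in serverless handler whose input could just as well have arrived from a storage or queue event as from an HTTP request. The table, the `handler` function and the event shape are all assumptions made for the example.

```python
import sqlite3


def build_db():
    # Constructed table standing in for the cardholder database.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (owner, balance) VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("carol", 75)],
    )
    return conn


def lookup_concatenated(conn, owner):
    # Vulnerable pattern: untrusted input is spliced into the SQL text, so a
    # value like  x' OR '1'='1  rewrites the WHERE clause and returns every row.
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, owner):
    # Hardened pattern: the SQL text is fixed and the driver binds the value as
    # data, so the same input is simply a (non-matching) owner name.
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def handler(event, conn):
    # Stand-in for a serverless function handler (assumed event shape). The
    # 'owner' field may come from an HTTP body or from a non-HTTP trigger such
    # as an object-storage or stream event that no WAF ever inspects, which is
    # why the control has to live in the database call itself.
    owner = event["owner"]
    return lookup_parameterized(conn, owner)
```

Running both lookups with the same hostile string shows the difference directly: the concatenated query returns the whole table, the parameterized one returns nothing, regardless of which trigger delivered the input.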

153 · MCQ · easy

A team is adopting DevSecOps. Which practice best integrates security into the development lifecycle?

A. Security awareness training
B. Annual penetration testing
C. Automated security testing in CI/CD pipeline
D. Manual code review before release
Answer: C

Automated security testing as part of CI/CD ensures security checks are performed with every build.

Why this answer

Automated security testing in the CI/CD pipeline (Option C) is the correct practice because it embeds security checks—such as static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA)—directly into the build and deployment process. This ensures that vulnerabilities are detected and remediated early, aligning with the DevSecOps principle of 'shifting left' and enabling continuous security validation without slowing down development velocity.

Exam trap

ISC2 often tests the misconception that manual or periodic security activities (like annual pen tests or pre-release code reviews) are sufficient for DevSecOps, when the core requirement is continuous, automated security integration within the CI/CD pipeline itself.

How to eliminate wrong answers

Option A is wrong because security awareness training, while important for culture, is a people-focused activity that does not integrate automated, code-level security checks into the development lifecycle; it lacks the technical enforcement needed for continuous security in CI/CD. Option B is wrong because annual penetration testing is a point-in-time, manual assessment that occurs long after code is deployed, failing to provide the continuous, automated feedback required in a DevSecOps pipeline to catch vulnerabilities during development. Option D is wrong because manual code review before release is a gate-based, human-dependent process that introduces delays and inconsistency, and it does not scale or integrate with automated CI/CD workflows, whereas DevSecOps demands automated, frequent security validation.

154 · MCQ · hard

A cloud architect is designing a disaster recovery (DR) solution for a critical application with a recovery time objective (RTO) of 30 minutes and a recovery point objective (RPO) of 5 minutes. The application runs on virtual machines in a private cloud. The architect is considering using a colocation facility as the DR site. Which replication method will meet the RPO requirement?

A. Synchronous replication
B. Periodic snapshots every 15 minutes
C. Periodic snapshots every 5 minutes
D. Asynchronous replication with a delay of 10 minutes
Answer: C

Correct: Provides RPO of 5 minutes if snapshots are taken every 5 minutes.

Why this answer

Option C is correct because periodic snapshots every 5 minutes align exactly with the RPO of 5 minutes, ensuring that at most 5 minutes of data is lost in a disaster. This method captures the VM state at the required interval without the complexity or latency constraints of synchronous replication, which is often impractical over long distances or limited bandwidth.

Exam trap

ISC2 often tests the misconception that synchronous replication is always the best choice for low RPO, but the trap here is that RPO is not the only constraint—RTO and network latency must also be considered, and periodic snapshots can meet a 5-minute RPO without the performance penalties of synchronous replication over a WAN link.

How to eliminate wrong answers

Option A is wrong because synchronous replication requires the primary and DR sites to have extremely low latency (typically <1-2 ms) and high bandwidth to avoid impacting application performance; over a colocation facility link, this is rarely achievable and would likely violate the RTO by causing application slowdowns. Option B is wrong because periodic snapshots every 15 minutes would allow up to 15 minutes of data loss, exceeding the 5-minute RPO requirement. Option D is wrong because asynchronous replication with a 10-minute delay means the DR site could be up to 10 minutes behind the primary, which exceeds the 5-minute RPO and does not guarantee recovery within the specified data loss window.

155 · MCQ · hard

A financial services company is migrating a critical database to the cloud. The database contains columns with PII that must be encrypted. Performance is the highest priority, and the system must support queries on encrypted data. Which technique should be used?

A. Hashing
B. Application-level encryption
C. Transparent Data Encryption (TDE)
D. Tokenization
Answer: D

Tokenization replaces sensitive data with tokens that preserve format and length, enabling efficient queries without encryption overhead.

Why this answer

Tokenization is correct because it replaces sensitive PII with non-sensitive tokens that retain the format and length of the original data, allowing queries to run on the tokens without exposing the actual values. This approach provides strong security while maintaining high performance, as the token mapping is stored separately and queries are executed against the tokenized data without decryption overhead.

Exam trap

ISC2 often tests the misconception that TDE supports queries on encrypted data, but TDE only encrypts data at rest and decrypts it during access, failing the 'query on encrypted data' requirement without performance degradation.

How to eliminate wrong answers

Option A is wrong because hashing is a one-way function that does not support direct queries on the original data (e.g., range queries, pattern matching) and is not reversible for decryption. Option B is wrong because application-level encryption requires decrypting data in the application layer for each query, introducing significant latency and performance degradation, which conflicts with the performance priority. Option C is wrong because Transparent Data Encryption (TDE) encrypts data at rest but does not support queries on encrypted data; it decrypts data on-the-fly during reads, which adds overhead and still exposes plaintext in memory.
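An added example of the tokenization pattern this explanation describes; it is not code from the question bank or from any vendor. A small constructed token vault issues format-preserving tokens (digits stay digits, separators stay in place) and keeps the token-to-value map separately, while the application table stores only tokens and equality queries run against the token column with no decryption step. The vault class, the customer table and the sample SSNs are all constructed for the example.

```python
import secrets
import sqlite3
import string


class TokenVault:
    """Constructed stand-in for a tokenization service. The token-to-value map
    lives only here, separate from the application database that stores tokens."""

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def _random_token(self, value):
        # Format-preserving: digits map to random digits, letters to random
        # letters, separators are kept, so column types and lengths are unchanged.
        return "".join(
            secrets.choice(string.digits) if ch.isdigit()
            else secrets.choice(string.ascii_uppercase) if ch.isalpha()
            else ch
            for ch in value
        )

    def tokenize(self, value):
        # Same value -> same token, so equality queries on the token column work.
        if value in self._to_token:
            return self._to_token[value]
        token = self._random_token(value)
        while token == value or token in self._to_value:
            token = self._random_token(value)
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def lookup_token(self, value):
        # Read-only lookup used by queries: unknown values get no new token.
        return self._to_token.get(value)

    def detokenize(self, token):
        return self._to_value[token]


def build_customer_db(vault, customers):
    # Constructed customer table: the SSN column holds tokens, never plaintext.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, ssn_token TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [(name, vault.tokenize(ssn)) for name, ssn in customers],
    )
    return conn


def find_by_ssn(conn, vault, ssn):
    # The query runs against tokens: no decryption and no plaintext in the DB.
    token = vault.lookup_token(ssn)
    if token is None:
        return []
    rows = conn.execute("SELECT name FROM customers WHERE ssn_token = ?", (token,))
    return [row[0] for row in rows]


def stored_values(conn):
    return [row[0] for row in conn.execute("SELECT ssn_token FROM customers")]
```

The design choice worth noting is deterministic tokenization (one value, one token): it is what makes equality lookups and joins work on the token column, at the cost that two rows with the same token are known to share the same underlying value. Range queries and pattern matching are still not possible on tokens, which is the same limitation the explanation notes for hashing.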

156 · Multi-Select · medium

Which TWO of the following are best practices for monitoring a cloud environment to detect security incidents?

Select 2 answers
A. Centralize logs from all cloud services into a single analytics platform.
B. Set up automated alerts based on defined thresholds for key security metrics.
C. Enable all available log sources to ensure complete visibility.
D. Monitor only network flow logs to reduce data volume.
E. Conduct manual log reviews on a weekly basis to identify anomalies.
Answers: A, B

Centralization allows correlation across services for better detection.

Why this answer

Centralizing logs from all cloud services into a single analytics platform (e.g., SIEM like Splunk or AWS Security Hub) enables correlation across disparate data sources, which is essential for detecting multi-vector attacks. This practice aligns with the NIST SP 800-92 log management guidelines and the CCSP domain of Cloud Security Operations, as it provides a unified view for threat detection and incident response.

Exam trap

ISC2 often tests the misconception that 'more logs are always better' (Option C) or that manual reviews are sufficient, when in reality, automated correlation and threshold-based alerting are required for effective incident detection in cloud environments.

157 · Multi-Select · medium

Which TWO of the following are considered best practices for securing containerized applications in a cloud environment?

Select 2 answers
A. Run containers with a non-root user.
B. Enable SSH inside the container for remote administration.
C. Use the 'latest' tag for base images to get the newest features.
D. Include debugging tools inside the container for troubleshooting.
E. Use a read-only filesystem for the container.
Answers: A, E

Limits potential damage if container is compromised.

Why this answer

Running containers with a non-root user is a fundamental security best practice because it limits the potential damage from a container breakout. By default, Docker containers run as root, which means if an attacker compromises the container, they have root privileges on the host kernel. Using the USER directive in a Dockerfile or specifying a non-root user at runtime reduces the attack surface and enforces the principle of least privilege.

Exam trap

ISC2 often tests the misconception that SSH or debugging tools are necessary for container management, when in fact they violate the immutable and ephemeral principles of container security; the trap is that candidates confuse traditional server administration with cloud-native container operations.

158 · MCQ · medium

A company uses a Cloud Access Security Broker (CASB) to enforce security policies on SaaS applications. They want to ensure that data uploaded to a file-sharing service does not contain Social Security numbers (SSNs). Which CASB capability is most effective?

A. Contextual access control
B. Inline DLP scanning
C. API-based data discovery
D. Encryption of data in transit
Answer: B

Inline scanning blocks sensitive data in real time.

Why this answer

Inline DLP scanning is the most effective CASB capability for preventing data containing Social Security numbers from being uploaded to a file-sharing service because it inspects the content of files in real time as they are being uploaded. The CASB acts as a proxy, intercepting the HTTP/HTTPS traffic, parsing the file payload, and applying pattern-matching algorithms (e.g., regex for SSN format) to block the upload before it reaches the SaaS application. This proactive, real-time enforcement is essential for data loss prevention (DLP) at the point of upload.

Exam trap

The trap here is that candidates often confuse API-based data discovery (which is excellent for identifying sensitive data at rest) with inline DLP scanning (which is required for real-time prevention), leading them to choose Option C even though it cannot block the upload in progress.

How to eliminate wrong answers

Option A is wrong because contextual access control focuses on who, when, and from where access is attempted (e.g., location, device posture), not on inspecting the content of uploaded files for sensitive data like SSNs. Option C is wrong because API-based data discovery scans data already stored in the SaaS application via its API, which is reactive and cannot prevent the initial upload of SSNs; it can only detect them after the fact. Option D is wrong because encryption of data in transit (e.g., TLS 1.2/1.3) protects data from eavesdropping during transmission but does not inspect or block the content of the data being uploaded.
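An added example of the pattern-matching step the explanation attributes to an inline CASB proxy; it is not code from the question bank or from any CASB product. The regex matches the written SSN form, the plausibility filter applies the Social Security Administration's issuance rules (no area 000, 666 or 900-999, no group 00, no serial 0000) to cut false positives, and `inspect_upload` returns the allow/block decision a proxy would make on the request body before forwarding it. The `inspect_upload` function, its threshold parameter and the sample payloads are constructed for the example.

```python
import re

# Pattern for the standard written SSN form; the word boundaries keep phone
# fragments and longer reference numbers from matching.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area, group, serial):
    # SSA never issues area 000, 666 or 900-999, group 00, or serial 0000.
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def find_ssns(text):
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def inspect_upload(filename, payload, threshold=1):
    """Decision a constructed inline proxy makes on the request body before it
    is forwarded to the SaaS service: block when at least `threshold` SSNs are
    found, otherwise allow."""
    hits = find_ssns(payload.decode("utf-8", errors="replace"))
    action = "block" if len(hits) >= threshold else "allow"
    return {
        "file": filename,
        "action": action,
        "matches": len(hits),
        # Record only a masked sample so the DLP log itself does not leak SSNs.
        "sample": [h[:3] + "-**-****" for h in hits[:3]],
    }
```

The same check run after the fact over files already stored in the SaaS tenant (the API-based discovery path in Option C) would find the same SSNs, but could only report them; the value of the inline path is that the verdict is produced while the upload can still be refused.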

159 · MCQ · medium

An organization uses infrastructure as code (IaC) to deploy cloud resources. The security team wants to prevent misconfigurations such as open security groups from being deployed. Which two practices should be integrated into the IaC pipeline? (Select TWO)

A. Limit access to the cloud management console
B. Perform manual code reviews for every change
C. Segment the network using security groups
D. Implement policy-as-code to enforce security rules
E. Use automated security scanning tools for IaC templates
Answers: D, E

Policy-as-code can block non-compliant templates from being applied.

Why this answer

Policy-as-code (D) allows security rules to be defined in a machine-readable format (e.g., using Open Policy Agent or HashiCorp Sentinel) and automatically evaluated during the IaC pipeline, preventing non-compliant configurations from being deployed. Automated security scanning tools (E) analyze IaC templates (e.g., Terraform, CloudFormation) for known misconfigurations, such as overly permissive security group rules, before they reach production. Together, these practices enforce security guardrails early in the development lifecycle.

Exam trap

ISC2 often tests the distinction between operational controls (like manual reviews or console access) and automated pipeline controls (like policy-as-code and scanning), expecting candidates to recognize that only automated, integrated checks can prevent misconfigurations at the code level before deployment.

How to eliminate wrong answers

Option A is wrong because limiting access to the cloud management console is an administrative control that does not prevent misconfigurations in IaC templates; it only restricts who can manually make changes after deployment. Option B is wrong because manual code reviews are slow, error-prone, and cannot scale to catch all misconfigurations, especially in large IaC codebases; automated checks are required for consistent enforcement. Option C is wrong because segmenting the network using security groups is a network architecture practice, not a pipeline integration; it does not prevent misconfigurations in the IaC templates themselves.

160 · MCQ · medium

A company uses this IAM policy on an S3 bucket containing logs with personally identifiable information (PII). What is the most immediate compliance risk?

A. Data integrity may be compromised
B. Data is not encrypted at rest
C. Anonymous users can read PII
D. Access logging is not enabled
Answer: C

Public access enabled, violates data protection laws.

Why this answer

The policy allows anonymous read access to all objects in the bucket, exposing PII. Unencrypted logs are a secondary concern, missing access logging is not the immediate risk, and data integrity is not directly threatened.
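An added example serving both question 159 (policy-as-code guardrails in the IaC pipeline) and question 160 (a bucket policy that grants anonymous read); it is not code from the question bank, from Open Policy Agent, Sentinel or any scanner. A constructed CloudFormation-style template contains exactly the two misconfigurations those questions describe: a security group with SSH open to 0.0.0.0/0 and a bucket policy statement that allows s3:GetObject to Principal "*". Two small rules evaluate the template and a `gate` function turns the findings into the pass/fail decision the pipeline would act on; a hardened copy of the template shows the corrected form. Resource names, the template contents and the account id in the hardened policy are placeholders.

```python
import ipaddress

# Constructed CloudFormation-style template (placeholder names, not a real
# deployment) carrying one world-open admin port and one anonymous-read policy.
TEMPLATE = {
    "Resources": {
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                ]
            },
        },
        "LogBucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "PolicyDocument": {
                    "Statement": [
                        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                         "Resource": "arn:aws:s3:::example-logs/*"}
                    ]
                }
            },
        },
    }
}

# Same template with the two findings corrected: SSH restricted to a private
# range and the bucket readable only by a named role (placeholder account id).
HARDENED_TEMPLATE = {
    "Resources": {
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"},
                ]
            },
        },
        "LogBucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "PolicyDocument": {
                    "Statement": [
                        {"Effect": "Allow",
                         "Principal": {"AWS": "arn:aws:iam::123456789012:role/LogReader"},
                         "Action": "s3:GetObject",
                         "Resource": "arn:aws:s3:::example-logs/*"}
                    ]
                }
            },
        },
    }
}

# Only these TCP ports may be exposed to the whole internet.
ALLOWED_PUBLIC_PORTS = {80, 443}


def rule_no_open_ingress(name, res):
    findings = []
    for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if not cidr or ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
            continue  # not open to the world, out of scope for this rule
        proto, lo, hi = rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")
        if proto == "tcp" and lo == hi and lo in ALLOWED_PUBLIC_PORTS:
            continue
        findings.append(f"{name}: ingress {proto}/{lo}-{hi} open to {cidr}")
    return findings


def rule_no_anonymous_principal(name, res):
    findings = []
    doc = res.get("Properties", {}).get("PolicyDocument", {})
    for st in doc.get("Statement", []):
        principal = st.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        # An unconditioned Allow to "*" is readable by anyone on the internet.
        if st.get("Effect") == "Allow" and anonymous and not st.get("Condition"):
            findings.append(f"{name}: statement allows {st.get('Action')} to anonymous principal")
    return findings


RULES = {
    "AWS::EC2::SecurityGroup": rule_no_open_ingress,
    "AWS::S3::BucketPolicy": rule_no_anonymous_principal,
}


def evaluate(template):
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = RULES.get(res.get("Type"))
        if check:
            findings.extend(check(name, res))
    return findings


def gate(template):
    """Pipeline decision: any finding fails the build before anything is deployed."""
    findings = evaluate(template)
    return ("fail" if findings else "pass"), findings
```

The shape is what matters: rules are data-driven and keyed by resource type, so the same engine runs on every plan or template before `apply`, which is the preventive, code-level enforcement the explanation contrasts with console restrictions and manual review.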

161 · MCQ · easy

A cloud administrator notices that a storage bucket containing sensitive data is publicly accessible. What is the most likely misconfiguration?

A. The bucket has logging disabled.
B. The bucket's ACLs are too permissive.
C. The bucket is using server-side encryption.
D. The bucket is versioned.
Answer: B

Permissive ACLs often cause unintended public access.

Why this answer

The most likely misconfiguration is that the bucket's ACLs are too permissive, granting public read or write access to the storage bucket. In cloud platforms like AWS S3 or Azure Blob Storage, bucket ACLs or bucket policies can be set to allow public access, which directly exposes sensitive data. Disabling logging, using server-side encryption, or enabling versioning do not inherently make a bucket publicly accessible.

Exam trap

ISC2 often tests the misconception that security features like encryption or logging directly prevent unauthorized access, when in fact access control misconfigurations (like permissive ACLs) are the root cause of public exposure.

How to eliminate wrong answers

Option A is wrong because disabling logging only affects audit trails and does not control access permissions; a bucket can be publicly accessible even with logging enabled. Option C is wrong because server-side encryption protects data at rest but does not affect access control; a publicly accessible bucket with encryption still exposes data to anyone who can read it. Option D is wrong because versioning creates multiple object versions but does not change the bucket's access policy; a publicly accessible bucket remains public regardless of versioning status.

162 · MCQ · easy

Refer to the exhibit. An administrator attaches security group sg-12345 to a web server. Which of the following describes the traffic that will be allowed by the security group?

A. Only SSH traffic from the internal network is allowed inbound.
B. Inbound HTTP and HTTPS from anywhere, and SSH only from the internal network are allowed.
C. The server cannot initiate any outbound connections.
D. All inbound traffic from the internet is allowed.
Answer: B

This matches the rules shown.

Why this answer

Option B is correct. Inbound HTTP and HTTPS from anywhere (0.0.0.0/0) are allowed. SSH is allowed only from the internal network (10.0.0.0/8).

All outbound traffic is allowed. Options A, C, and D are incorrect because they misrepresent the rules.
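The exhibit itself is not reproduced on this page, so the following is an added reconstruction of the rule set exactly as the explanation describes it (HTTP and HTTPS from 0.0.0.0/0, SSH from 10.0.0.0/8, all outbound), with a small evaluator that applies security-group semantics: an allow-list with default deny, where any matching rule permits the flow. The rule representation, the `allowed` and `classify_exhibit` functions and the sample peer addresses are constructed for the example; this is not code from the question bank or from AWS.

```python
import ipaddress

# Constructed rule set matching the explanation's description of sg-12345.
SG_12345 = {
    "inbound": [
        {"proto": "tcp", "port": 80,  "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "port": 443, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "port": 22,  "cidr": "10.0.0.0/8"},
    ],
    "outbound": [
        # "-1" is the all-protocols/all-ports wildcard; port None means any.
        {"proto": "-1", "port": None, "cidr": "0.0.0.0/0"},
    ],
}


def allowed(group, direction, proto, port, peer_ip):
    """Security groups are allow-lists: nothing matches -> denied; any rule
    whose protocol, port and CIDR cover the flow -> allowed."""
    peer = ipaddress.ip_address(peer_ip)
    for rule in group[direction]:
        if rule["proto"] not in ("-1", proto):
            continue
        if rule["port"] is not None and rule["port"] != port:
            continue
        if peer in ipaddress.ip_network(rule["cidr"]):
            return True
    return False


def classify_exhibit(group):
    # Concrete flows that decide between the four option statements.
    return {
        "http_from_internet": allowed(group, "inbound", "tcp", 80, "203.0.113.7"),
        "https_from_internet": allowed(group, "inbound", "tcp", 443, "203.0.113.7"),
        "ssh_from_internal": allowed(group, "inbound", "tcp", 22, "10.20.30.40"),
        "ssh_from_internet": allowed(group, "inbound", "tcp", 22, "203.0.113.7"),
        "rdp_from_internet": allowed(group, "inbound", "tcp", 3389, "203.0.113.7"),
        "outbound_any": allowed(group, "outbound", "tcp", 5432, "198.51.100.9"),
    }
```

Two properties of real security groups are worth keeping in mind when reading the result: there are no explicit deny rules, so Option D (all inbound from the internet) can only be true if a rule like `-1 from 0.0.0.0/0` exists, and the group is stateful, so replies to an allowed inbound connection never depend on the outbound rules.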

163 · MCQ · hard

A cloud customer is subject to the EU General Data Protection Regulation (GDPR) and uses a cloud provider that subcontracts data processing to a third party without notification. Which GDPR requirement is violated?

A. Data protection by design
B. Data breach notification
C. Sub-processor authorization
D. Right to erasure
Answer: C

GDPR Article 28 requires explicit authorization for sub-processors.

Why this answer

GDPR requires that data controllers obtain prior authorization before a processor engages a sub-processor. The customer (controller) was not notified, violating the requirement for sub-processor authorization. Other rights like erasure are unrelated to this scenario.

164 · Multi-Select · medium

A company is moving a legacy application to a public cloud. The application requires low latency and high throughput between two application tiers. Which two cloud design principles should be applied? (Choose two.)

Select 2 answers
A. Use dedicated network connections between tiers.
B. Deploy both tiers in the same region but different availability zones.
C. Use a single large instance for both tiers.
D. Place the tiers in different VPCs with a transit gateway.
E. Deploy both tiers in the same availability zone.
Answers: A, E

Correct: Provides dedicated throughput and reduces contention.

Why this answer

Option A is correct because dedicated network connections, such as AWS Direct Connect or Azure ExpressRoute, provide consistent low latency and high throughput by bypassing the public internet and reducing jitter. This ensures predictable performance for latency-sensitive inter-tier communication, which is critical for legacy applications with strict performance requirements.

Exam trap

ISC2 often tests the misconception that deploying across availability zones always improves performance, but the trap here is that inter-zone latency can harm low-latency requirements, making same-zone deployment (Option E) the correct choice alongside dedicated connections.

165 · MCQ · medium

A company needs to ensure that its cloud-stored data is retained only for a specific period due to legal requirements. Which process should be automated?

A. Data lifecycle management
B. Data classification
C. Data encryption
D. Data backup
Answer: A

DLM policies automate retention and deletion based on rules.

Why this answer

Data lifecycle management (DLM) focuses on managing data throughout its lifecycle, including retention and deletion. Data classification categorizes data, encryption protects it, and backup creates copies, but none directly automate retention periods.

166 · Multi-Select · easy

Which TWO of the following are valid considerations when performing forensic imaging of virtual machines in a public cloud? (Choose two.)

Select 2 answers
A. Time synchronization between the imaging tool and the VM clock is essential
B. The imaging process must be performed from within the same cloud region
C. Images of other tenants' VMs can be accessed through the hypervisor if needed
D. The cloud provider will provide hypervisor memory dumps upon request
E. Volatile data will be lost if the VM is powered off before imaging
Answers: A, E

Ensures accurate timeline.

Why this answer

Options A and E are correct. A: Time synchronization is important for timeline analysis. E: In-memory data is lost when the VM is stopped, so acquire it while the VM is running.

Option D is wrong because the cloud provider typically does not allow direct access to hypervisor memory for forensic purposes. Option C is wrong because hypervisor-level isolation prevents accessing other tenants' images.

167 · MCQ · hard

During a cloud migration, a company discovers that its existing virtual machine images contain embedded credentials and proprietary software that must not be exposed to the cloud provider's administrators. Which of the following is the BEST strategy to protect this sensitive data while maintaining the ability to create new instances?

A. Use a VPN to encrypt data in transit between the on-premises environment and the cloud.
B. Use a cryptographic hash of the image to ensure integrity, and store the image in object storage with access controls.
C. Encrypt the virtual machine images using a customer-provided key (CMK) integrated with the cloud provider's key management service.
D. Tokenize the embedded credentials and replace them with placeholders in the image.
Answer: C

Encryption with a CMK ensures the provider cannot decrypt the image without the key.

Why this answer

Option C is correct because encrypting the virtual machine images with a customer-provided key (CMK) integrated with the cloud provider's key management service ensures that the cloud provider's administrators cannot access the embedded credentials and proprietary software. The encryption is performed client-side or using envelope encryption where the CMK wraps a data encryption key, and only the customer holds the master key material. This allows the customer to create new instances from the encrypted image while maintaining full control over access to the sensitive data.

Exam trap

The trap here is that candidates often confuse integrity controls (hashing) with confidentiality controls (encryption), or assume that network-level protections like VPNs extend to data at rest, leading them to pick Option A or B instead of the correct encryption-based answer.

How to eliminate wrong answers

Option A is wrong because a VPN only protects data in transit between on-premises and the cloud, but does not protect the image at rest in the cloud provider's storage, leaving the embedded credentials and proprietary software exposed to administrators. Option B is wrong because a cryptographic hash ensures integrity (detecting tampering) but does not provide confidentiality; the image remains unencrypted and readable by the cloud provider's administrators. Option D is wrong because tokenization replaces credentials with placeholders, but the proprietary software remains in the clear; additionally, tokenization requires a secure token vault and does not protect the entire image from administrator access.

168 · MCQ · hard

A company uses a cloud-based SIEM to aggregate logs from multiple sources. Recently, the SIEM stopped receiving logs from a critical application server. The server is running and the application is functioning normally. The security team has verified that the log forwarder service is running on the server and the network path to the SIEM is open. Which additional step should the team take to diagnose the issue?

A. Check the server's CPU and memory utilization.
B. Review the firewall rules between the server and the SIEM.
C. Restart the SIEM collector service.
D. Inspect the log forwarder's configuration and recent log files for errors.
Answer: D

This directly addresses the most probable cause of misconfiguration.

Why this answer

Option D is correct because the most likely cause of logs not being received by the SIEM, when the server is running and the network path is open, is a misconfiguration or error within the log forwarder itself. Inspecting the forwarder's configuration (e.g., destination IP, port, protocol) and its local log files (e.g., syslog, Windows Event Forwarding logs) can reveal authentication failures, queue overflows, or parsing errors that prevent log transmission. This step directly addresses the log generation and forwarding pipeline, which is the remaining point of failure after verifying network connectivity and service status.

Exam trap

ISC2 often tests the misconception that network-level checks (firewall, connectivity) are sufficient, when the real issue is often an application-layer misconfiguration within the log forwarder itself, which candidates overlook because they assume a 'running' service is correctly configured.

How to eliminate wrong answers

Option A is wrong because CPU and memory utilization on the application server would not prevent a properly configured and running log forwarder from sending logs; high resource usage might cause delays but not a complete cessation of log forwarding, and the server is functioning normally. Option B is wrong because the security team has already verified that the network path to the SIEM is open, which implicitly includes firewall rules; reviewing them again would be redundant and not address the log forwarder's internal state. Option C is wrong because restarting the SIEM collector service on the cloud-based SIEM side would not fix a problem originating from the log forwarder's configuration or errors; the collector is receiving logs from other sources, indicating it is operational.

169 · MCQ · hard

A multinational corporation operates in a country where data sovereignty laws require that all customer data remain within the country's borders. The company uses a global public cloud provider. Which operational control is MOST critical to ensure compliance?

A. Use a VPN to connect to the cloud provider's network.
B. Implement cloud policy to restrict resource deployment to approved regions.
C. Conduct quarterly audits of data storage locations.
D. Encrypt all data at rest and in transit.
Answer: B

Policy enforcement prevents resources from being created outside allowed regions.

Why this answer

Option B is correct because implementing a cloud policy to restrict resource deployment to approved regions is the most direct and proactive operational control to enforce data sovereignty. By using Azure Policy, AWS Service Control Policies (SCPs), or GCP Organization Policies, the organization can programmatically prevent resources from being provisioned in non-compliant regions, ensuring customer data never leaves the required jurisdiction. This is a preventive control that operates at the infrastructure level, unlike detective or reactive measures.

Exam trap

ISC2 often tests the distinction between preventive and detective controls, and the trap here is that candidates confuse encryption or VPNs (which protect data in transit/at rest) with location enforcement, failing to recognize that data sovereignty is a geographic constraint, not a security one.

How to eliminate wrong answers

Option A is wrong because a VPN only secures the network connection between the organization and the cloud provider; it does not control where the cloud provider physically stores data, so it cannot enforce data sovereignty. Option C is wrong because quarterly audits are a detective control that only identifies non-compliance after it has occurred, rather than preventing it; by the time an audit reveals data in a prohibited region, the violation has already happened. Option D is wrong because encryption protects data confidentiality but does not address data location; encrypted data stored in a non-compliant region still violates data sovereignty laws.

170 · Multi-Select · easy

Which TWO best practices help secure a cloud application's runtime environment?

Select 2 answers
A. Use immutable infrastructure
B. Implement host-based intrusion detection
C. Run applications with least privilege
D. Enable automatic patching of dependencies
E. Use container orchestration platform
Answers: A, C

Immutable infrastructure ensures that runtime environments are not modified after deployment, reducing drift and attack surface.

Why this answer

Immutable infrastructure ensures that once a cloud application's runtime environment is deployed, it is never modified in place. Any change requires building a new image and redeploying, which eliminates configuration drift, reduces the attack surface, and prevents unauthorized modifications from persisting. This directly secures the runtime environment by enforcing a known-good state at all times.

Exam trap

ISC2 often tests the distinction between security controls that are preventive (like immutable infrastructure and least privilege) versus detective or reactive controls (like HIDS), leading candidates to mistakenly select host-based intrusion detection as a runtime security best practice.

171
MCQ · hard

A cloud application uses a service mesh for inter-service communication. The security team wants to enforce mutual TLS (mTLS) between all services and ensure that service identities are verified. What is the most effective way to achieve this?

A. Set up Kerberos authentication between services
B. Configure a VPN between all service subnets
C. Implement IPsec in the network layer
D. Use the service mesh's built-in mTLS and certificate management
Answer: D

Service mesh handles mTLS and identity natively.

Why this answer

The service mesh's built-in mTLS and certificate management is the most effective approach because it provides automatic, transparent mutual TLS encryption and identity verification at the application layer, using X.509 certificates issued by the mesh's certificate authority (e.g., Istio's Citadel or Linkerd's identity controller). This ensures that every inter-service communication is authenticated and encrypted without requiring changes to application code, and it integrates directly with the service mesh's identity model (e.g., Kubernetes service accounts).

Exam trap

ISC2 often tests the misconception that network-layer encryption (IPsec or VPN) is sufficient for service-to-service authentication, but the key requirement here is per-service identity verification at the application layer, which only a service mesh's mTLS with certificate management can provide.

How to eliminate wrong answers

Option A is wrong because Kerberos is a network authentication protocol that requires a centralized Key Distribution Center (KDC) and is not designed for per-request mTLS in a service mesh; it adds complexity and does not provide transport-layer encryption natively. Option B is wrong because a VPN encrypts traffic at the network layer between subnets but does not provide per-service identity verification or mutual authentication at the application layer, and it cannot enforce mTLS between individual services within the same subnet. Option C is wrong because IPsec operates at the network layer (Layer 3) and can encrypt traffic between hosts or subnets, but it lacks the granularity to verify individual service identities and does not integrate with service mesh certificate management for dynamic, short-lived certificates.

172
MCQ · easy

A healthcare organization is migrating patient data to a public cloud. Which legal framework most directly governs the protection of this data?

A. Health Insurance Portability and Accountability Act (HIPAA)
B. Payment Card Industry Data Security Standard (PCI DSS)
C. Sarbanes-Oxley Act (SOX)
D. General Data Protection Regulation (GDPR)
Answer: A

HIPAA sets standards for protecting PHI in the US.

Why this answer

HIPAA applies to protected health information (PHI) in the US, making it the most directly relevant legal framework for healthcare data. GDPR is broader but less specific to US healthcare, and PCI DSS is for payment card data.

173
Multi-Select · easy

Which TWO of the following are best practices for cloud key management?

Select 2 answers
A. Use separate keys for different tenants or applications.
B. Hard-code encryption keys in application source code for simplicity.
C. Store keys in the same geographic region as the data for low latency.
D. Rotate encryption keys on a regular schedule.
E. Use a single master key for all encryption operations.
Answers: A, D

Correct. Isolation reduces impact of a key compromise.

Why this answer

A (separate keys per tenant) and D (rotate keys) are recommended. B (hard-code keys) is bad. C (store keys in the same region) is not a security practice. E (use the same key for all) is poor.

174
MCQ · hard

Refer to the exhibit. A security analyst reviews this CloudTrail log entry. What is the most immediate concern?

A. A user named john.doe is not authorized to modify security groups.
B. An EC2 instance was launched without approval.
C. A security group rule was added that allows unrestricted SSH access.
D. The user john.doe failed to authenticate.
Answer: C

SSH from 0.0.0.0/0 is a major security exposure.

Why this answer

Option C is correct because the CloudTrail log entry shows an AuthorizeSecurityGroupIngress API call that added a rule allowing SSH (port 22) from source 0.0.0.0/0, which grants unrestricted internet access. This is a critical security misconfiguration that exposes the EC2 instance to potential brute-force attacks or unauthorized access, making it the most immediate concern.

Exam trap

ISC2 often tests the distinction between an authorization failure (IAM policy deny) and a successful but dangerous action; the trap here is that candidates see the user name and assume a permission error, but the log shows the action succeeded, making the unrestricted SSH rule the real risk.

How to eliminate wrong answers

Option A is wrong because the log entry shows the API call was successful ("eventType": "AwsApiCall", no error code), indicating john.doe was authorized to modify security groups at the time of the event. Option B is wrong because the log entry records an AuthorizeSecurityGroupIngress action, not a RunInstances action; no EC2 instance was launched in this event. Option D is wrong because the log entry shows a successful API call with "userIdentity" details and no authentication failure (no "errorCode" or "errorMessage" fields indicating a failure), so john.doe authenticated successfully.

175
MCQ · medium

A company has deployed a mission-critical application in the cloud and needs to ensure that it remains available even if an entire cloud region fails. Which architecture pattern should they adopt?

A. Regular backups to a different region
B. Active-passive across regions
C. Vertical scaling within a single region
D. Horizontal scaling within a single availability zone
Answer: B

Active-passive replicates to another region for failover.

Why this answer

Option B is correct because an active-passive across-regions architecture provides disaster recovery for region failure. Option C (vertical scaling) increases capacity in the same region. Option D (horizontal scaling within a single AZ) does not protect against region failure. Option A (backups) is not a high-availability pattern.

176
MCQ · medium

A financial institution uses a cloud data warehouse to store transaction data. The data is classified into three tiers: public, internal, and confidential. The current architecture stores all data in a single dataset with column-level encryption for confidential fields. A recent internal penetration test revealed that an analyst with access to the data warehouse could query aggregated statistics that inadvertently revealed confidential individual transactions. The security team needs to implement a solution that prevents such data leakage while preserving analytical capabilities. Which solution BEST addresses this?

A. Deploy a differential privacy framework that adds noise to query results.
B. Implement row-level security to restrict each analyst to only view data related to their assigned region.
C. Use dynamic data masking to obscure confidential fields based on the user's clearance.
D. Encrypt the entire dataset with a key that is only available to a privileged group.
Answer: A

Preserves aggregate analysis while protecting individual records.

Why this answer

Differential privacy is the correct solution because it directly addresses the core issue: aggregated statistics can be reverse-engineered to infer individual records. By adding calibrated noise to query results, it ensures that the output of any query does not reveal whether a specific individual's data is present, thus preventing leakage from aggregate queries while still allowing analysts to derive meaningful trends and patterns.

Exam trap

ISC2 often tests the distinction between access control mechanisms (row-level security, masking, encryption) and privacy-preserving techniques (differential privacy), trapping candidates who confuse restricting direct data access with preventing inference from aggregated outputs.

How to eliminate wrong answers

Option B is wrong because row-level security restricts access based on region, but it does not prevent an analyst from querying aggregated statistics that could reveal confidential individual transactions within their allowed region. Option C is wrong because dynamic data masking obscures fields at the column level, but it does not protect against inference attacks on aggregated results; an analyst could still compute sums or averages that leak individual values. Option D is wrong because encrypting the entire dataset with a key available only to a privileged group would block all analysts from querying the data, destroying analytical capabilities entirely, which is not the goal.

177
Matching · medium

Match each cloud service model to its primary responsibility area according to the shared responsibility model.


Concepts
Matches

Application security

Platform security

Infrastructure security

Full stack security

Why these pairings

The shared responsibility model delineates security obligations: SaaS offloads most of them to the provider, while on-premises deployment retains all of them with the customer.

178
Matching · medium

Match each compliance framework to its primary jurisdiction or industry.


Concepts
Matches

European Union data protection

US healthcare information privacy

Payment card industry security

US financial reporting controls

Why these pairings

Compliance frameworks are often region- or industry-specific; cloud providers must support customer compliance.

179
MCQ · easy

A cloud security engineer is tasked with automating the response to a detected malware infection on a virtual machine. The engineer wants to isolate the VM from the network immediately upon detection. Which cloud-native feature should be used?

A. Take a snapshot of the VM for forensic analysis.
B. Modify the VM's security group to deny all inbound and outbound traffic.
C. Attach the VM to a different load balancer.
D. Create a site-to-site VPN connection for the VM.
Answer: B

Security groups can be updated programmatically to isolate the VM.

Why this answer

Modifying the VM's security group to deny all inbound and outbound traffic is the correct cloud-native method to immediately isolate the VM from the network. Security groups act as a virtual firewall at the instance level, and by removing all allow rules, you effectively block all traffic to and from the VM, containing the malware without deleting or powering off the instance.

Exam trap

ISC2 often tests the distinction between network isolation (security groups) and forensic preservation (snapshots), trapping candidates who confuse post-incident analysis steps with immediate containment actions.

How to eliminate wrong answers

Option A is wrong because taking a snapshot is a forensic preservation step, not an isolation mechanism; it does not alter the VM's network connectivity and the malware could still communicate. Option C is wrong because attaching the VM to a different load balancer does not isolate it; it merely changes the traffic distribution endpoint and may even expose the VM to new traffic. Option D is wrong because creating a site-to-site VPN connection extends the network to an external site, which is the opposite of isolation and would increase the attack surface.

180
Multi-Select · hard

Which THREE of the following are key characteristics of cloud computing as defined by NIST SP 800-145?

Select 3 answers
A. Broad network access
B. On-demand self-service
C. Location independence
D. Dedicated hardware per tenant
E. Rapid elasticity
Answers: A, B, E

Resources are available over the network and accessed through standard mechanisms.

Why this answer

Option A is correct because NIST SP 800-145 defines broad network access as capabilities being available over the network and accessed through standard mechanisms (e.g., HTTPS, SSH, VPN) that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, workstations). This characteristic ensures that resources are available from any location with internet connectivity, not limited to a single physical network segment.

Exam trap

ISC2 often tests the distinction between 'location independence' (a common misconception) and the actual NIST-defined characteristic of 'resource pooling,' where the consumer generally has no control over the exact physical location of resources but may specify at a higher level of abstraction (e.g., country, region, or availability zone).

181
MCQ · medium

Refer to the exhibit. An organization has this S3 bucket policy for a bucket containing sensitive customer data. What is the primary risk associated with this policy?

A. The policy does not restrict access to specific IP addresses
B. The policy allows anonymous read access to all objects in the bucket
C. Any unencrypted request is denied, which could cause data loss if encryption fails
D. The policy requires server-side encryption, but does not enforce it for all requests
Answer: B

The principal is '*', meaning anyone can read objects if they meet the condition.

Why this answer

The S3 bucket policy includes an Allow effect with a Principal of '*' and a condition that only denies unencrypted requests, but it does not explicitly deny anonymous access. Because the Allow statement grants s3:GetObject to all principals (including anonymous users) when the request is encrypted, any unauthenticated user can read objects in the bucket over HTTPS. This is the primary risk: anonymous read access to all objects, exposing sensitive customer data.

Exam trap

ISC2 often tests the misconception that adding encryption requirements alone secures a bucket, when in fact the policy must also explicitly deny anonymous access by using a Deny statement with a NotPrincipal or by restricting the Principal to specific AWS accounts.

How to eliminate wrong answers

Option A is wrong because restricting access to specific IP addresses is not the primary risk; the policy already allows anonymous access, and IP restriction would not prevent that without an explicit Deny for anonymous principals. Option C is wrong because denying unencrypted requests does not cause data loss if encryption fails; it simply rejects the request, and the data remains intact in the bucket. Option D is wrong because the policy does enforce server-side encryption for all requests via the condition that denies requests without the aws:SecureTransport or s3:x-amz-server-side-encryption header; the issue is that it allows anonymous access when encryption is present.

182
MCQ · hard

During a cloud migration, a company discovers that some sensitive data was inadvertently stored in an object storage bucket with public read access. The security team needs to determine the scope of exposure and remediate. What is the FIRST step they should take?

A. Notify the data protection authority.
B. Change the bucket's permission to private.
C. Immediately delete all objects in the bucket.
D. Review the bucket's access logs to identify any unauthorized access.
Answer: D

Access logs reveal who has accessed the data, which is crucial for scope assessment.

Why this answer

The first step is to review the bucket's access logs (e.g., AWS CloudTrail or S3 server access logs) to identify any unauthorized access. This determines the scope of exposure—who accessed the data, when, and from where—before taking any remediation action. Without this forensic step, the company cannot assess breach notification obligations or legal liability.

Exam trap

ISC2 often tests the principle of 'preserve evidence first'—candidates mistakenly jump to remediation (changing permissions or deleting objects) without first conducting forensic analysis to determine the scope of exposure.

How to eliminate wrong answers

Option A is wrong because notifying the data protection authority is a post-forensic step that should only occur after confirming actual unauthorized access and determining the scope of exposure. Option B is wrong because changing the bucket's permission to private without first reviewing logs could destroy evidence of unauthorized access (e.g., logs may be overwritten or deleted). Option C is wrong because immediately deleting all objects in the bucket would destroy forensic evidence and potentially violate legal hold or e-discovery requirements.

183
MCQ · easy

Which of the following is a key consideration when defining a cloud provider's liability for data breaches?

A. The provider's incident response plan
B. The provider's insurance policy limits
C. The number of previous breaches
D. The limitation of liability clause in the contract
Answer: D

This clause sets the maximum liability the provider accepts.

Why this answer

The limitation of liability clause in the contract defines the maximum liability of the provider in the event of a breach. The provider's insurance, incident response plan, and history of breaches may influence negotiations, but they are not the contractual definition of liability.

184
MCQ · hard

A cloud customer is subject to the Health Insurance Portability and Accountability Act (HIPAA). They are considering using a cloud provider that offers infrastructure as a service (IaaS). Which of the following is the customer's responsibility under the HIPAA shared responsibility model?

A. Encryption of data at rest
B. Patching of the hypervisor
C. Network firewall configuration
D. Physical security of the data center
Answer: A

Correct. The customer must ensure ePHI is encrypted at rest, as they control the data.

Why this answer

Under the HIPAA shared responsibility model for IaaS, the customer retains responsibility for securing the data they store and process, including encryption of data at rest. The cloud provider manages the underlying infrastructure (hypervisor, physical security, network fabric), but the customer must implement and manage encryption mechanisms for their stored data, such as using AES-256 encryption with customer-managed keys via services like AWS KMS or Azure Key Vault.

Exam trap

ISC2 often tests the misconception that network firewall configuration is a customer responsibility in IaaS, but the trap is that the provider manages the physical and hypervisor-level firewalls, while the customer only controls virtual firewalls within their isolated tenant environment.

How to eliminate wrong answers

Option B is wrong because patching the hypervisor is the sole responsibility of the cloud provider, as it is part of the underlying virtualization layer that the customer cannot access or modify. Option C is wrong because network firewall configuration at the hypervisor or physical network level is managed by the provider; the customer is only responsible for virtual firewalls or security groups within their own virtual network. Option D is wrong because physical security of the data center, including access controls, surveillance, and environmental safeguards, is exclusively the provider's responsibility under the IaaS model.

185
MCQ · easy

A security analyst reviews the bucket policy above. What is the primary security concern?

A. The bucket policy allows public read access to all objects
B. The bucket policy uses an outdated version
C. The bucket policy is missing a Condition element
D. The bucket policy allows public write access to all objects
Answer: A

Allowing GetObject to anonymous users makes all objects publicly readable.

Why this answer

Option A is correct because the bucket policy grants public read access to all objects via a Principal set to '*' and an Effect of 'Allow' on the s3:GetObject action. This means any unauthenticated user on the internet can list and download objects in the bucket, leading to potential data exposure. The primary security concern is unauthorized data disclosure, which violates the principle of least privilege.

Exam trap

ISC2 often tests the distinction between read and write permissions in bucket policies, so candidates may mistakenly choose public write access (Option D) when the policy clearly shows read access, or they may overthink the missing Condition element (Option C) as the primary issue rather than the explicit public Principal.

How to eliminate wrong answers

Option B is wrong because the policy version (e.g., '2012-10-17') is the standard AWS IAM policy version and is not outdated; an outdated version would not cause a security concern by itself. Option C is wrong because while a missing Condition element can reduce granularity, it is not inherently a security concern if the policy already allows public access; the absence of a Condition does not create the exposure—the overly permissive Principal and Action do. Option D is wrong because the policy shown allows read access (s3:GetObject), not write access (s3:PutObject); public write access would be a different and equally severe concern, but it is not present in this policy.

186
MCQ · medium

A company is migrating sensitive customer data to the cloud. They need to classify data according to the organization's data classification policy, which includes public, internal, confidential, and restricted categories. Which of the following is the MOST important step to ensure data classification is effective in the cloud?

A. Assign a data custodian to manually tag data objects
B. Implement encryption for all data at rest and in transit
C. Integrate classification labels with DLP and access control policies
D. Store each classification level in separate cloud regions
Answer: C

Automation and integration with DLP enforce policies consistently.

Why this answer

Integrating classification labels with DLP and access control policies ensures that the classification scheme is enforced automatically, not just documented. This allows the cloud infrastructure to apply appropriate protections (e.g., blocking unauthorized access or preventing data exfiltration) based on the label, making classification actionable and effective in a dynamic cloud environment.

Exam trap

ISC2 often tests the misconception that encryption alone is sufficient for data classification, but encryption is a protection mechanism, not a classification or enforcement mechanism; the trap is confusing security controls with data governance processes.

How to eliminate wrong answers

Option A is wrong because manually tagging data objects is error-prone, does not scale in a cloud environment with potentially millions of objects, and lacks automated enforcement; data custodians should define policy, not perform manual tagging. Option B is wrong because encryption protects data confidentiality and integrity but does not classify data or enforce classification-based access controls; it is a security control, not a classification mechanism. Option D is wrong because storing each classification level in separate cloud regions is impractical, costly, and does not inherently enforce access controls; classification should be enforced through policy and labels, not physical or logical separation alone.

187
Multi-Select · hard

Which THREE of the following are required components of a cloud data lifecycle policy?

Select 3 answers
A. Legal hold process
B. Data deletion procedures
C. Data classification
D. Data retention schedule
E. Data encryption algorithm selection
Answers: B, C, D

Correct. Deletion is the final stage of the lifecycle.

Why this answer

Data deletion procedures are a required component of a cloud data lifecycle policy because they define how data is securely and irreversibly removed at the end of its useful life. This includes methods such as cryptographic erasure, overwriting with patterns (e.g., NIST SP 800-88), or degaussing, ensuring compliance with legal and regulatory requirements. Without explicit deletion procedures, data may persist in cloud storage, leading to unauthorized access or retention violations.

Exam trap

ISC2 often tests the distinction between operational security controls (like encryption algorithms) and governance-level lifecycle policy components, leading candidates to mistakenly include technical implementation details as required policy elements.

188
MCQ · easy

A company is implementing a secure software development lifecycle (SSDLC) for its cloud-native applications. Which practice should be automated to detect vulnerabilities early in the development process?

A. Static application security testing (SAST)
B. Penetration testing in production
C. Dynamic application security testing (DAST)
D. Manual code review
Answer: A

SAST scans source code early in development, enabling early vulnerability detection.

Why this answer

Static application security testing (SAST) analyzes source code, bytecode, or binaries without executing the application, making it ideal for early detection of vulnerabilities during the coding phase of the SSDLC. By integrating SAST into the CI/CD pipeline, developers receive immediate feedback on security flaws such as SQL injection or buffer overflows, enabling remediation before the code is built or deployed. This aligns with the 'shift left' principle, catching issues when they are cheapest and easiest to fix.

Exam trap

ISC2 often tests the distinction between SAST (white-box, early) and DAST (black-box, late), and the trap here is that candidates mistakenly choose DAST because they confuse 'dynamic' with 'automated,' forgetting that DAST requires a running application and cannot detect vulnerabilities in source code.

How to eliminate wrong answers

Option B is wrong because penetration testing in production occurs after deployment, not early in development, and can introduce risks to live systems. Option C is wrong because dynamic application security testing (DAST) requires a running application to test, making it a later-stage practice that cannot detect vulnerabilities in code before it is compiled or deployed. Option D is wrong because manual code review is not automated and is slower, less consistent, and more error-prone than automated SAST, failing to meet the requirement for automation to detect vulnerabilities early.

189
Multi-Select · medium

A cloud service provider (CSP) is undergoing a SOC 2 Type II audit. The auditor reviews the CSP's access control policies and identifies that user access reviews are performed quarterly. However, the auditor notes that there is no automated termination of access for terminated employees. Which TWO of the following control objectives are likely to be non-compliant based on this finding?

Select 2 answers
A. Change management procedures
B. Least privilege principle
C. Logical access controls
D. Encryption of data at rest
E. Physical access controls
Answers: B, C

Failure to revoke access violates least privilege.

Why this answer

The lack of automated termination of access for terminated employees directly violates the least privilege principle (B), which requires that users have only the minimum access necessary to perform their job functions. Without automated deprovisioning, terminated employees retain access, creating a persistent risk of unauthorized data access or system compromise. This control objective is non-compliant because the CSP cannot ensure that access rights are promptly revoked when no longer needed.

Exam trap

ISC2 often tests the distinction between logical access controls (which include user account management, authentication, and authorization) and other control domains like change management or physical security, leading candidates to overlook that the finding directly impacts logical access controls (C) and least privilege (B) simultaneously.

190
MCQ · easy

A cloud security architect is implementing a data classification scheme. They need to ensure that data labeled 'confidential' is automatically encrypted when stored in cloud storage. Which approach best achieves this?

A. Use a separate storage bucket for confidential data with default encryption enabled
B. Deploy a data loss prevention (DLP) tool to scan and encrypt on upload
C. Configure cloud storage bucket policies to enforce encryption for objects with a 'confidential' tag
D. Train users to manually encrypt files before uploading
Answer: C

Automated enforcement based on classification labels.

Why this answer

Option C is correct because cloud storage bucket policies can be configured to enforce server-side encryption for objects that carry a specific metadata tag (e.g., 'confidential'). This approach automates encryption at the point of storage without requiring separate buckets or manual intervention, ensuring that all tagged data is encrypted as a condition of the write operation.

Exam trap

ISC2 often tests the misconception that DLP tools can enforce encryption at the point of upload, when in fact DLP is typically a post-storage or in-transit scanning mechanism, not a storage-layer encryption enforcer.

How to eliminate wrong answers

Option A is wrong because using a separate bucket with default encryption does not automatically enforce encryption based on data classification; it only encrypts all objects in that bucket, which may include non-confidential data and does not scale with dynamic tagging. Option B is wrong because DLP tools typically scan data after it is stored or in transit, not at the moment of upload, and they cannot enforce encryption at the storage layer; they may trigger alerts or remediation but do not directly encrypt objects during the write operation. Option D is wrong because training users to manually encrypt files is error-prone, non-scalable, and violates the principle of automated policy enforcement required for consistent data protection in cloud environments.

191
Multi-Select · hard

Which THREE are best practices for implementing secrets management in cloud applications?

Select 3 answers
A. Embed secrets in application logs for debugging
B. Store secrets in version control repositories
C. Use a dedicated secrets management service
D. Rotate secrets regularly
E. Encrypt secrets at rest and in transit
Answers: C, D, E

Dedicated services provide secure storage, access control, and audit.

Why this answer

Option C is correct because dedicated secrets management services (e.g., AWS Secrets Manager, Azure Key Vault, HashiCorp Vault) provide centralized, auditable, and policy-controlled storage for secrets like API keys and database credentials. These services enforce encryption at rest (e.g., using envelope encryption with AWS KMS) and in transit (TLS 1.2+), and support automatic rotation, reducing the risk of exposure compared to ad-hoc methods.

Exam trap

ISC2 often tests the misconception that logging secrets is acceptable for debugging (Option A) or that version control with .gitignore is sufficient to protect secrets (Option B), but the CCSP exam emphasizes that secrets must never be stored in logs or repositories, and must always be managed via dedicated, rotation-capable services.

192
MCQ · easy

A startup provides a cloud-based document collaboration platform. They store user-uploaded documents in a cloud object storage bucket. Compliance with data privacy laws requires that when a user deletes an account, all their documents must be permanently deleted within 30 days. The current process uses object versioning and lifecycle policies to expire objects after 30 days. However, during a recent audit, it was discovered that deleted user documents were still accessible via the bucket's previous versions for months after the deletion. The security team needs to ensure that all traces of a user's data are removed immediately upon account deletion. Which solution should be implemented?

A. Configure bucket policies to deny read access to all objects after the user deletion date.
B. Change the bucket's default encryption to use customer-managed keys and delete the key after 30 days.
C. Enable MFA Delete on the bucket to require additional authentication for deletions.
D. Use a lifecycle policy to permanently delete current and previous object versions immediately after the user deletion request.
Answer: D

Ensures immediate removal of all versions.

Why this answer

Option D is correct because object versioning in cloud storage (e.g., AWS S3) retains both current and previous versions of objects. A lifecycle policy that immediately expires both current and noncurrent versions upon user deletion ensures that all copies of the data are permanently removed, satisfying the 30-day compliance requirement. Without explicitly targeting previous versions, the default lifecycle policy only deletes current versions, leaving older versions accessible indefinitely.

Exam trap

ISC2 often tests the misconception that lifecycle policies automatically delete all object versions, when in fact they require separate rules for current and noncurrent versions, and candidates may overlook the need to explicitly target previous versions.

How to eliminate wrong answers

Option A is wrong because denying read access does not delete the objects; the data remains stored and recoverable, violating the permanent deletion requirement. Option B is wrong because deleting a customer-managed key (CMK) renders the data cryptographically inaccessible but does not remove the encrypted objects from the bucket; they still exist and could be recovered if the key is restored, and this approach does not meet the explicit deletion mandate. Option C is wrong because MFA Delete adds an authentication step for deletions but does not automate the deletion process or address the need to remove previous versions; it only prevents accidental or unauthorized deletions.

193
MCQeasy

A company stores PII in the cloud and needs to ensure compliance with GDPR. What is the first step they should take?

A.Delete all data older than the required retention period
B.Implement encryption for all stored data
C.Sign a Data Processing Agreement with the CSP
D.Perform data classification and mapping
AnswerD

This is the initial step to identify and locate PII.

Why this answer

Option D is correct because data classification and mapping are foundational to understanding what data is subject to GDPR. Option B is wrong because encryption is a security control, not the first step. Option A is wrong because deleting old data may be part of data minimization but is not the first step.

Option C is wrong because a DPA is signed after identifying data processing activities.

194
MCQeasy

A financial services company is migrating sensitive customer data to a cloud environment. The compliance team requires that all data at rest be encrypted using a key managed by the organization, not the cloud provider. Which solution should the company implement?

A.Enforce TLS 1.2 for all data transfers
B.Implement tokenization for all sensitive fields
C.Client-side encryption using a customer-managed key
D.Server-side encryption with AWS S3 managed keys (SSE-S3)
AnswerC

Correct: Data encrypted before upload; keys held by customer.

Why this answer

Option C is correct because client-side encryption ensures that data is encrypted before it leaves the organization's control, and the customer retains sole possession of the encryption key. This satisfies the compliance requirement that the cloud provider never has access to the key, as the provider only stores the encrypted ciphertext. In contrast, server-side encryption options (like SSE-S3) involve the provider managing or having access to the key material.

Exam trap

The trap here is that candidates often assume server-side encryption with customer-provided keys (SSE-C) meets the requirement, but SSE-C still has the cloud provider perform the encryption on its infrastructure (the key is sent with each request), whereas client-side encryption ensures the provider never sees the plaintext or the key.

How to eliminate wrong answers

Option A is wrong because TLS 1.2 protects data in transit, not data at rest, and does not address encryption of stored data or key management. Option B is wrong because tokenization replaces sensitive data with non-sensitive tokens but does not encrypt the original data at rest; the mapping table or vault must still be secured, and it does not inherently use a customer-managed key for encryption. Option D is wrong because SSE-S3 uses AWS-managed keys, meaning the cloud provider controls the key material, which violates the requirement that the organization manages the key.

195
MCQeasy

A developer needs to store session state for a cloud-based web application. Which of the following is the most secure approach?

A.Store session data in an encrypted server-side storage
B.Store session data in a database with SSL
C.Store session data in client-side cookies
D.Store session data in a distributed cache
AnswerA

Server-side storage with encryption protects session data from unauthorized access.

Why this answer

Option A is correct because storing session state in encrypted server-side storage ensures that session data is never exposed to the client, mitigating risks of tampering, replay, or information disclosure. Encryption at rest (e.g., using AES-256) protects against unauthorized access to the storage layer, while server-side control prevents client-side manipulation of session tokens or data. This approach aligns with the principle of least privilege and is recommended by OWASP for secure session management in cloud applications.

Exam trap

ISC2 often tests the misconception that SSL/TLS alone provides sufficient security for session data, but the trap here is that SSL only protects data in transit, not at rest, so candidates who choose 'database with SSL' overlook the need for encryption at rest and server-side control.

How to eliminate wrong answers

Option B is wrong because SSL/TLS only protects data in transit between client and server, not data at rest in the database; an attacker with database access could read session data if it is not encrypted. Option C is wrong because storing session data in client-side cookies exposes it to XSS attacks, cookie theft, and tampering: cookies can be modified by the client, read by injected script when the HttpOnly flag is missing, and intercepted over plain HTTP when the Secure flag is missing. Option D is wrong because a distributed cache (e.g., Redis or Memcached) typically does not provide built-in encryption at rest and may be accessible to other cloud tenants or attackers if misconfigured, making it less secure than dedicated encrypted storage.

196
Multi-Selectmedium

Which THREE of the following are key considerations when designing a key management lifecycle for cloud data encryption?

Select 3 answers
A.Key rotation
B.Key usage monitoring
C.Key escrow
D.Key generation
E.Key storage
AnswersA, D, E

Rotation is a key lifecycle phase.

Why this answer

Key rotation is a critical lifecycle operation that limits the exposure of encrypted data if a key is compromised. By periodically replacing encryption keys with new ones, organizations reduce the window of vulnerability and comply with standards like NIST SP 800-57, which recommends cryptographic key rotation based on the key's usage period and security strength.

Exam trap

ISC2 often tests the distinction between lifecycle phases (generate, store, rotate, destroy) and operational controls (monitoring, escrow), so candidates mistakenly include monitoring or escrow as core design steps when they are actually supporting processes.

197
MCQhard

Based on the CloudTrail log, why did the Decrypt call fail?

A.The encryption algorithm mismatch.
B.The ciphertext was tampered.
C.The key policy denied access.
D.The CMK was disabled.
AnswerC

The error message indicates the user lacks authorization on the key.

Why this answer

The Decrypt call failed because the key policy attached to the AWS KMS CMK explicitly denied the IAM role or user making the request. CloudTrail logs show the error code 'AccessDenied' or 'UnauthorizedOperation', which indicates that the key policy did not grant the necessary kms:Decrypt permission to the principal. Even if the CMK is enabled and the ciphertext is valid, a restrictive key policy will block the operation.

Exam trap

ISC2 often tests the distinction between key policy denials and CMK state issues; the trap here is that candidates confuse 'AccessDenied' errors with 'DisabledException' or 'InvalidCiphertextException', assuming the key is disabled or the ciphertext is corrupted when the real cause is a missing or explicit deny in the key policy.

How to eliminate wrong answers

Option A is wrong because an encryption algorithm mismatch would produce a 'ValidationException' or 'InvalidCiphertextException', not an access-denied error. Option B is wrong because tampered ciphertext would cause an 'InvalidCiphertextException' due to an integrity check failure (AWS KMS uses authenticated encryption with AES-GCM, which detects tampering). Option D is wrong because a disabled CMK would result in a 'DisabledException' or 'KMSInvalidStateException', not an access-denied error.

198
MCQmedium

Refer to the exhibit. An administrator applies this S3 bucket policy. What is the overall effect?

A.Only requests originating from VPC vpc-12345678 are allowed to retrieve objects
B.All requests are denied because the Deny statement overrides the Allow statement
C.All requests are allowed because there is an Allow statement
D.Only requests made with HTTPS are allowed
AnswerA

The policy explicitly allows from that VPC and denies from others.

Why this answer

The S3 bucket policy includes an Allow statement that grants s3:GetObject access only to requests arriving through the VPC endpoint associated with vpc-12345678, using the aws:SourceVpce condition key. This means only requests originating from that specific VPC endpoint are permitted to retrieve objects. The Deny statement that uses a NotPrincipal element is redundant or misconfigured, but the condition on the Allow statement effectively restricts access to the VPC endpoint, making option A correct.

Exam trap

ISC2 often tests the nuance that a Deny statement with NotPrincipal does not automatically deny all requests; candidates mistakenly assume any Deny overrides all Allow statements, but the specific condition in the Allow statement (aws:SourceVpce) is the key to understanding the policy's effect.

How to eliminate wrong answers

Option B is wrong because the Deny statement uses a NotPrincipal element, which does not create a blanket denial; the Allow statement with the VPC condition is the effective control, and the Deny does not override it in this context. Option C is wrong because the Allow statement is not unconditional: it includes a condition that restricts access to requests from vpc-12345678, so not all requests are allowed. Option D is wrong because the policy does not reference HTTPS or any encryption protocol; it only uses the aws:SourceVpce condition key, not aws:SecureTransport.

199
MCQhard

An auditor is reviewing a cloud provider's SOC 2 Type II report. Which aspect of the report is most relevant for assessing the effectiveness of controls over a period?

A.System description
B.Description of tests and results
C.Opinion letter
D.Management's assertion
AnswerB

This section details the tests performed and their outcomes, proving controls operated effectively over the period.

Why this answer

The SOC 2 Type II report evaluates the operational effectiveness of controls over a specified period (typically 6–12 months). The 'Description of tests and results' section provides the auditor's detailed testing procedures and outcomes, directly showing whether controls operated effectively throughout that period. This makes it the most relevant aspect for assessing control effectiveness over time.

Exam trap

ISC2 often tests the distinction between Type I (point-in-time design) and Type II (period-of-time effectiveness), and candidates mistakenly choose the opinion letter or system description because they focus on the report's overall conclusion rather than the detailed test evidence that proves effectiveness over time.

How to eliminate wrong answers

Option A is wrong because the system description merely outlines the system's boundaries and control objectives, not the actual testing or effectiveness over time. Option C is wrong because the opinion letter gives the auditor's overall conclusion but lacks the granular test details needed to assess specific control effectiveness. Option D is wrong because management's assertion is a self-declaration of control design and implementation, not an independent verification of operational effectiveness over the period.

200
Multi-Selecteasy

Which TWO of the following are key components of a secure software development lifecycle (SSDLC) in a cloud environment?

Select 2 answers
A.Automated static application security testing (SAST) during code commit.
B.Conducting code reviews with a security focus.
C.Performing security testing only after deployment to production.
D.Mandatory security awareness training for developers.
E.Integration of unit tests that check for security functionality.
AnswersA, B

Identifies vulnerabilities early in development.

Why this answer

Automated SAST during code commit is a key component of a secure software development lifecycle (SSDLC) in a cloud environment because it enables early detection of vulnerabilities (e.g., injection flaws, buffer overflows) by scanning source code as it is committed to the repository. This shift-left approach integrates security directly into the CI/CD pipeline, preventing flaws from progressing to later stages where remediation is more costly and complex.

Exam trap

ISC2 often tests the distinction between core technical components of the SSDLC (like automated SAST and security-focused code reviews) versus supporting activities (like training or unit tests) that are beneficial but not mandatory for the lifecycle itself.

201
MCQhard

During a cloud migration, a company decides to move a legacy application with no code changes. Which migration strategy are they using?

A.Refactor
B.Repurchase
C.Replatform
D.Rehost (lift and shift)
AnswerD

Rehosting migrates the application as-is, requiring no code changes.

Why this answer

Option D is correct because rehost (lift and shift) moves applications without modification. Options A, B, and C involve changes to the application or purchasing a new solution.

202
MCQmedium

Refer to the exhibit. A security analyst finds this IAM policy attached to an S3 bucket. What is the primary security issue?

A.The policy is missing a condition for encryption.
B.The policy does not specify a source IP.
C.The policy allows all actions.
D.The policy grants public read access to all objects.
AnswerD

Principal '*' with Allow effect makes the bucket publicly readable.

Why this answer

Option D is correct because the IAM policy statement includes `"Principal": "*"` and `"Effect": "Allow"` without any condition restricting access, which grants public read access to all objects in the S3 bucket. This violates the principle of least privilege and exposes sensitive data to anyone on the internet, making it a critical security misconfiguration.

Exam trap

ISC2 often tests the distinction between 'public access' and 'all actions' — candidates mistakenly think 'all actions' is the issue, but the trap is that the policy only grants read access, yet the public principal makes it a severe data exposure risk regardless of the action scope.

How to eliminate wrong answers

Option A is wrong because while encryption conditions are a best practice, the absence of an encryption condition does not directly cause public exposure; the core issue is the lack of access restrictions. Option B is wrong because source IP restrictions are not required for all S3 policies; the primary flaw here is the public principal, not the absence of IP filtering. Option C is wrong because the policy only allows `s3:GetObject` (read access), not all actions; the statement explicitly lists `"Action": "s3:GetObject"`, so it does not permit write, delete, or other administrative actions.

203
Matchingmedium

Match each cloud incident response phase to its primary activity.


Concepts
Matches

Develop incident response plan and tools

Identify potential security incidents

Isolate affected systems and prevent spread

Restore normal operations and verify integrity

Why these pairings

Incident response in cloud requires adaptation to shared responsibility and ephemeral resources.

204
MCQhard

A cloud security engineer is responsible for a SaaS application hosted on a public cloud provider. The application uses a relational database to store customer data. The security team recently conducted a vulnerability assessment and discovered that the database can be accessed over the internet without any network restrictions. Additionally, the database admin user has the same password as the root account, and the password has not been changed in 18 months. The company is subject to GDPR and PCI DSS compliance requirements. The engineer needs to remediate these issues immediately. Which of the following actions should be taken FIRST?

A.Change the database admin password to a complex new password immediately.
B.Upgrade the database to the latest version with all security patches applied.
C.Configure the database security group to allow traffic only from the application server's IP address range.
D.Enable encryption at rest for the database to protect the data if it is stolen.
AnswerC

Restricting network access is the quickest way to eliminate the internet exposure and should be done first to prevent ongoing attacks.

Why this answer

Option C is correct because restricting network access to authorized sources only is the most immediate way to reduce the attack surface and prevent unauthorized access over the internet. Option A is wrong because changing the password is important but should follow the network restriction, so that the database is not exposed during the change. Option D is wrong because, while enabling encryption at rest is a best practice, it does not prevent an attacker from connecting directly.

Option B is wrong because upgrading the database might not be immediately possible and does not address the access issue.

205
MCQhard

A security engineer applies the above bucket policy to an S3 bucket containing sensitive data. Which of the following best describes the effect of this policy?

A.It allows all access to the bucket.
B.It denies access to objects over HTTPS, but allows HTTP.
C.It denies access to objects over HTTP, but allows HTTPS.
D.It denies all access to the bucket.
AnswerC

Correct: The condition denies when SecureTransport is false (HTTP).

Why this answer

The bucket policy uses a `Deny` effect with a `Condition` block that checks `aws:SecureTransport` equals `false`. This condition denies access when the request is made over HTTP (non-secure transport), effectively blocking HTTP requests while allowing HTTPS requests. The policy does not affect HTTPS requests because the condition only triggers when `SecureTransport` is false.

Exam trap

The trap here is that candidates confuse the `Deny` effect with a blanket denial, missing the conditional `aws:SecureTransport` check, or they misinterpret the condition as denying HTTPS instead of HTTP.

How to eliminate wrong answers

Option A is wrong because the policy explicitly denies access under a specific condition (HTTP), not allowing all access. Option B is wrong because the policy denies HTTP access, not HTTPS; it does not deny access over HTTPS. Option D is wrong because the policy does not deny all access; it only denies access when the request uses HTTP (non-secure transport), leaving HTTPS access permitted.

206
MCQeasy

A company is migrating a legacy application to the cloud. The application uses hardcoded database credentials. Which secure development practice should be implemented to address this?

A.Use code signing for all deployments
B.Implement input validation on all user inputs
C.Enable encryption at rest for the database
D.Use a secrets management service
AnswerD

Secrets management securely stores and rotates credentials, eliminating hardcoding.

Why this answer

Hardcoded database credentials in application code create a severe security risk because they are exposed in version control, logs, and static analysis. Using a secrets management service (e.g., AWS Secrets Manager, HashiCorp Vault, Azure Key Vault) allows credentials to be stored securely, rotated automatically, and accessed at runtime via API calls, eliminating the need to embed secrets in code. This aligns with the principle of least privilege and secure credential management in cloud application security.

Exam trap

ISC2 often tests the distinction between 'protecting data at rest' (encryption) and 'protecting access credentials' (secrets management), leading candidates to mistakenly choose encryption at rest when the real issue is credential exposure in code.

How to eliminate wrong answers

Option A is wrong because code signing ensures the integrity and authenticity of the deployed code, but it does not address the problem of hardcoded credentials—it does not remove secrets from the codebase. Option B is wrong because input validation prevents injection attacks (e.g., SQLi, XSS) by sanitizing user-supplied data, but it has no effect on static credentials embedded in the application source code. Option C is wrong because encryption at rest protects data stored in the database (e.g., on disk), but it does not protect the credentials used to access the database—those credentials remain exposed in the code.

207
MCQeasy

A cloud service provider stores customer data in a multi-tenant environment. A customer from the European Union requests that all personal data be encrypted at rest to comply with GDPR. What is the primary reason for this requirement?

A.To ensure data portability
B.To prevent unauthorized access by other tenants
C.To meet data minimization principles
D.To satisfy the right to be forgotten
AnswerB

Correct. Encryption at rest prevents unauthorized access.

Why this answer

Option B is correct because encryption at rest protects against unauthorized access in multi-tenant environments. Option A is about portability, not encryption. Option C is about minimizing the data collected, not encryption.

Option D is about deletion, not encryption.

208
MCQhard

Which type of threat is this log most likely indicating?

A.Account takeover
B.Malware infection
C.Insider threat
D.Data exfiltration
AnswerD

Anomalous large data transfer to an unknown location at unusual time is a classic sign of data exfiltration.

Why this answer

The log shows a large volume of outbound data transfers from a cloud storage bucket to an external IP address, which is characteristic of data exfiltration. In cloud environments, such activity often involves unauthorized copying of sensitive data to an attacker-controlled location, bypassing normal access controls.

Exam trap

ISC2 often tests the distinction between data exfiltration and insider threat by presenting a log of outbound data transfer without user context, leading candidates to incorrectly assume insider intent when the pattern itself defines the threat type.

How to eliminate wrong answers

Option A is wrong because account takeover typically involves anomalous login patterns, failed authentication attempts, or access from unusual locations, not sustained outbound data transfers. Option B is wrong because malware infection usually manifests as unusual process execution, registry changes, or internal lateral movement, not direct bulk data uploads to external IPs. Option C is wrong because insider threat could involve data exfiltration, but the log alone does not indicate the user's intent or authorization level; the pattern of large outbound transfers to an external IP is more specifically indicative of exfiltration regardless of insider or external actor.

209
MCQmedium

An administrator applies the above bucket policy to an S3 bucket containing sensitive data. What is the EFFECT of this policy?

A.Allows public read access
B.Allows access only from specific IP addresses
C.Denies access if the request does not use HTTPS
D.Denies access if the request uses HTTPS
AnswerC

It denies HTTP requests, enforcing HTTPS.

Why this answer

The bucket policy uses a `Deny` effect with a condition `aws:SecureTransport` set to `false`, which means any request that does not use HTTPS (i.e., plain HTTP) is denied. This enforces encryption in transit for all access to the S3 bucket, ensuring sensitive data is not transmitted over an unencrypted channel. Option C correctly identifies that the policy denies access if the request does not use HTTPS.

Exam trap

ISC2 often tests the distinction between `Deny` and `Allow` effects in S3 bucket policies, and the trap here is that candidates misread the condition as denying HTTPS instead of denying non-HTTPS, or they assume the policy grants public access because they overlook the absence of an `Allow` statement.

How to eliminate wrong answers

Option A is wrong because the policy does not contain any `Effect: Allow` statement for public access; it only has a `Deny` statement, so public read access is not granted. Option B is wrong because the policy does not reference the `aws:SourceIp` condition key or any IP address range; it only checks the `aws:SecureTransport` condition. Option D is wrong because the policy denies access when `aws:SecureTransport` is `false`, meaning it denies HTTP, not HTTPS; requests using HTTPS have `aws:SecureTransport` set to `true` and are not denied by this condition.

210
MCQmedium

A company is adopting a serverless architecture using AWS Lambda. The security team is concerned about potential injection attacks via event payloads. Which practice is most effective at mitigating such attacks?

A.Use a web application firewall (WAF) in front of the API Gateway
B.Assign the least privilege IAM role to each Lambda function
C.Validate and sanitize all input data from event sources
D.Encrypt environment variables containing sensitive configuration
AnswerC

Input validation prevents malicious payloads from being processed.

Why this answer

Option C is correct because serverless functions like AWS Lambda are directly invoked by event payloads, and without input validation and sanitization, an attacker can inject malicious code (e.g., SQL, NoSQL, OS commands) that the function executes. This is the most effective mitigation as it addresses the root cause at the application layer, regardless of any perimeter controls.

Exam trap

ISC2 often tests the misconception that perimeter controls (like WAFs) or IAM permissions are sufficient to prevent application-layer attacks, but the trap here is that injection vulnerabilities are code-level flaws that only input validation can directly remediate.

How to eliminate wrong answers

Option A is wrong because a WAF operates at the HTTP/HTTPS layer and cannot inspect or block injection attacks that originate from non-HTTP event sources (e.g., S3 events, DynamoDB Streams, SQS messages) or from payloads that are already inside the trusted network path. Option B is wrong because least privilege IAM roles control what resources the Lambda function can access (e.g., read from a database), but they do not prevent the function from executing malicious input passed in the event payload. Option D is wrong because encrypting environment variables protects sensitive configuration data at rest and in transit, but it has no effect on injection attacks that exploit unsanitized input in the event payload.

211
MCQmedium

A company is adopting DevSecOps and wants to incorporate security testing into their continuous integration pipeline. They have decided to run SAST (static analysis) and SCA (software composition analysis) tools. Which of the following is the PRIMARY reason for including SCA in addition to SAST?

A.To detect insecure runtime behavior
B.To identify known vulnerabilities in third-party libraries and dependencies
C.To reduce false positives identified by SAST
D.To scan for vulnerabilities in custom APIs
AnswerB

SCA specifically scans open source components for known CVEs.

Why this answer

SCA (Software Composition Analysis) is specifically designed to identify known vulnerabilities in third-party libraries and dependencies by comparing their versions against public vulnerability databases such as the National Vulnerability Database (NVD), typically using tools like OWASP Dependency-Check. SAST (Static Application Security Testing) analyzes custom source code for security flaws but cannot inspect external libraries that are often pulled in via package managers (e.g., npm, Maven, pip). Including SCA ensures that the organization addresses supply chain risks, which is a primary goal in DevSecOps pipelines.

Exam trap

ISC2 often tests the distinction between SAST (custom code analysis) and SCA (third-party dependency analysis), and the trap here is that candidates may confuse SCA with DAST or think SCA can reduce SAST false positives, when in reality SCA addresses a completely different attack surface—open-source library vulnerabilities.

How to eliminate wrong answers

Option A is wrong because detecting insecure runtime behavior is the domain of DAST (Dynamic Application Security Testing) or IAST (Interactive Application Security Testing), not SCA, which focuses on static analysis of dependency manifests. Option C is wrong because SCA does not reduce false positives from SAST; false positive reduction is typically achieved by tuning SAST rules, using IAST for verification, or implementing manual triage processes. Option D is wrong because scanning for vulnerabilities in custom APIs is a function of SAST (for code-level flaws) or DAST (for runtime API endpoints), not SCA, which only analyzes third-party components and their known CVEs.

212
Multi-Selecteasy

Which THREE of the following are essential characteristics of cloud computing as defined by NIST SP 800-145?

Select 3 answers
A.Multi-tenancy
B.Resource pooling
C.Virtualization
D.On-demand self-service
E.Measured service
AnswersB, D, E

Correct. Resource pooling is one of the five essential characteristics.

Why this answer

Resource pooling is correct because NIST SP 800-145 defines it as one of the five essential characteristics, where the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with physical and virtual resources dynamically assigned and reassigned according to consumer demand. This enables economies of scale and location independence, as the customer generally has no control or knowledge over the exact location of the provided resources.

Exam trap

ISC2 often tests the distinction between 'multi-tenancy' (a design goal) and 'resource pooling' (the NIST-defined characteristic), and between 'virtualization' (an implementation detail) and the essential characteristics, leading candidates to incorrectly select options that are common in cloud but not in the NIST definition.

213
MCQhard

A company is implementing a serverless application using AWS Lambda. The function processes S3 events and writes to a DynamoDB table. Which of the following is the MOST secure way to grant the necessary permissions?

A.Use resource-based policies on the Lambda function
B.Attach a managed policy that grants full access to S3 and DynamoDB
C.Use the root user credentials of the AWS account
D.Create a custom IAM role with only the required actions on specific resources
AnswerD

Least privilege with scoped actions and resources.

Why this answer

Option D is correct because AWS Lambda functions require an IAM role (execution role) to access other AWS services. By creating a custom IAM role with only the required actions (e.g., s3:GetObject for the specific S3 bucket and dynamodb:PutItem for the specific DynamoDB table), you adhere to the principle of least privilege, minimizing the attack surface and ensuring secure, auditable access.

Exam trap

ISC2 often tests the misconception that resource-based policies on the Lambda function can grant the function permissions to other services, when in fact they only control invocation permissions, not the function's outbound access to resources like S3 or DynamoDB.

How to eliminate wrong answers

Option A is wrong because resource-based policies on a Lambda function control who can invoke the function, not what the function can access; they do not grant the function permissions to S3 or DynamoDB. Option B is wrong because attaching a managed policy that grants full access to S3 and DynamoDB violates least privilege, potentially allowing the function to perform unintended actions (e.g., delete data) and increasing the blast radius of a compromise. Option C is wrong because using root user credentials is a severe security risk—root credentials have unrestricted access, should never be used for programmatic access, and violate AWS best practices and compliance requirements.

214
MCQ · hard

Refer to the exhibit. A security engineer has attached the above IAM policy to a user. What is the effect of this policy?

A. The user can upload objects only to the my-bucket bucket with no restrictions.
B. The user can upload objects only if they use customer-managed KMS keys.
C. The user is denied from uploading objects without encryption.
D. The user can upload objects only if they specify server-side encryption with AES256.
Answer: D

The condition requires s3:x-amz-server-side-encryption to be AES256.

Why this answer

Option D is correct because the IAM policy uses a `Condition` block with `s3:x-amz-server-side-encryption` set to `AES256`. This condition ensures that any `s3:PutObject` request must include the `x-amz-server-side-encryption` header with the value `AES256`. Without this header or with a different encryption value, the request is denied.

The `Deny` effect overrides any `Allow` that might exist, so the user is forced to specify SSE-S3 (AES-256) encryption on every upload.

Exam trap

ISC2 often tests the distinction between SSE-S3 (`AES256`) and SSE-KMS (`aws:kms`), and the trap here is that candidates mistakenly think the policy allows any encryption or that it only blocks unencrypted uploads, when in fact it mandates a specific encryption type.

How to eliminate wrong answers

Option A is wrong because the policy does not grant unrestricted uploads; it explicitly denies uploads that do not meet the encryption condition. Option B is wrong because the condition requires `AES256`, which refers to SSE-S3 (Amazon S3-managed keys), not customer-managed KMS keys (SSE-KMS). Option C is wrong because it understates the policy's effect: the policy does not merely deny unencrypted uploads; it denies any upload that lacks the specific `x-amz-server-side-encryption: AES256` header, so uploads using other encryption types (e.g., SSE-KMS) are denied as well.
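As an added example that is not part of the question bank and is not the missing exhibit, the following Python models the policy described above as a constructed document (the bucket name is a placeholder) and evaluates sample `s3:PutObject` requests under IAM's explicit-deny rule, showing why a request with no encryption header and a request using `aws:kms` are both refused:

```python
# Added example, not the exam's exhibit: a constructed policy reproducing the
# behaviour described above (Deny s3:PutObject unless the request carries
# x-amz-server-side-encryption: AES256) and a minimal evaluator applying
# IAM's "explicit Deny overrides Allow" rule. Bucket name is a placeholder.
import json
import re

POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals":
                   {"s3:x-amz-server-side-encryption": "AES256"}}}
  ]
}
""")


def resource_matches(pattern: str, resource: str) -> bool:
    # IAM wildcard: '*' matches any run of characters.
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), resource) is not None


def condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate the two string operators used here. A StringNotEquals test on a
    key absent from the request context is true, so a PutObject with no
    encryption header at all is caught by the Deny statement."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"operator {operator} not supported")
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """Return 'Allow' or 'Deny' for one request (context = condition keys)."""
    allowed = False
    for stmt in policy["Statement"]:
        if stmt["Action"] != action or not resource_matches(stmt["Resource"], resource):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"      # explicit deny wins regardless of any Allow
        allowed = True
    return "Allow" if allowed else "Deny"   # implicit deny when nothing allows
```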

215
Multi-Select · medium

A cloud architect is evaluating cloud service models for a new application. Which two characteristics are advantages of PaaS over IaaS? (Choose two.)

Select 2 answers
A. Greater control over the underlying OS
B. Lower cost due to shared infrastructure
C. Reduced management of middleware and runtime
D. Higher flexibility to customize networking
E. Built-in scalability and high availability
Answers: C, E

PaaS manages middleware and runtime, reducing customer management overhead.

Why this answer

Option C is correct because PaaS abstracts away middleware, runtime, and OS management, allowing developers to focus on code rather than patching or configuring these layers. This reduces operational overhead compared to IaaS, where you must manage the OS, runtime, and middleware yourself. Option E is correct because PaaS platforms typically include built-in load balancing, auto-scaling, and redundancy features, whereas in IaaS you must architect and implement these capabilities manually.

Exam trap

ISC2 often tests the misconception that PaaS is always cheaper than IaaS due to shared infrastructure, but the real advantage is reduced management of middleware and runtime, not guaranteed cost savings.

216
Drag & Drop · medium

Drag and drop the steps for performing a cloud migration using the 'lift and shift' strategy into the correct order.


Why this order

First assess, then set up target, replicate, transfer data, and finally test and cut over.

217
Matching · medium

Match each NIST SP 800-53 control family to its focus area.

Concepts

Access Control

Audit and Accountability

System and Communications Protection

System and Information Integrity

Physical and Environmental Protection

Why these pairings

NIST SP 800-53 provides security and privacy controls; each family addresses a specific domain.

218
Drag & Drop · medium

Drag and drop the steps for setting up a cloud access security broker (CASB) in a SaaS environment into the correct order.


Why this order

Start with policy definition, then deploy, configure, test, and finally full rollout.

219
Multi-Select · medium

Which TWO data states must be encrypted to meet common compliance requirements for data in the cloud? (Choose two.)

Select 2 answers
A. Data in audit logs
B. Data in backup
C. Data at rest
D. Data in transit
E. Data in use
Answers: C, D

Required by regulations like PCI DSS, HIPAA.

Why this answer

Data at rest (C) must be encrypted because compliance frameworks like PCI DSS, HIPAA, and GDPR require protection of stored data against unauthorized access. Encryption at rest typically uses AES-256 or similar algorithms to secure data on disks, databases, or object storage, ensuring that even if physical media is compromised, the data remains unreadable. Data in transit (D) must likewise be encrypted, typically with TLS, because the same frameworks require protection of data moving over untrusted networks, where it could otherwise be intercepted.

Exam trap

ISC2 often tests the distinction between data states and data locations, so the trap here is that candidates confuse 'data in backup' or 'data in audit logs' as separate states when they are actually subsets of data at rest or in transit.

220
MCQ · hard

A financial services company runs a critical application on a cloud infrastructure. The application consists of a web tier, an application tier, and a database tier, all deployed in a single cloud region. The database is a managed relational database service with automated backups enabled. The company's disaster recovery plan requires a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour. During a recent regional outage, the primary region became unavailable for 6 hours. The company attempted to restore the database from the latest automated backup in a different region, but the restore took 5 hours due to the large database size, exceeding the RTO. Additionally, the backup was 2 hours old at the time of the outage, exceeding the RPO. The security team has also noted that the backup data is encrypted with a cloud-managed key, which may not meet future compliance requirements for customer-managed encryption keys. Which course of action should the company take to meet both the RTO and RPO objectives while also addressing the encryption requirement?

A. Implement cross-region read replicas with synchronous replication and enable encryption with a customer-managed key that is replicated to the disaster recovery region.
B. Store the backup in a different region using cross-region copy and use a cloud HSM to manage the encryption key.
C. Use cross-region asynchronous replication with a separate database instance and encrypt with a cloud-managed key.
D. Increase the frequency of automated backups to every 30 minutes and use faster storage for the database restore process.
Answer: A

Synchronous replicas provide RPO of seconds and failover in minutes; customer-managed keys meet compliance.

Why this answer

Option A is correct because cross-region read replicas with synchronous replication can provide a standby database in another region with an RPO of effectively zero (synchronous replication ensures no data loss) and an RTO measured in minutes (promote the replica to primary), meeting both the 4-hour RTO and 1-hour RPO. Using a customer-managed key (CMK) replicated to the DR region satisfies the compliance requirement for customer-managed encryption keys, as the key can be controlled and audited independently of the cloud provider.

Exam trap

ISC2 often tests the distinction between synchronous and asynchronous replication in the context of RPO/RTO, and the trap here is that candidates assume cross-region backups or asynchronous replication can meet strict RPO/RTO targets, ignoring the inherent latency and restore time penalties.

How to eliminate wrong answers

Option B is wrong because storing backups in a different region via cross-region copy still relies on the backup creation schedule (e.g., 2-hour-old backup) and restore time (5 hours), failing both RPO and RTO; using a cloud HSM does not address the restore speed or backup age. Option C is wrong because asynchronous replication can introduce replication lag (often minutes to hours), potentially exceeding the 1-hour RPO, and encrypting with a cloud-managed key does not meet the customer-managed key compliance requirement. Option D is wrong because increasing backup frequency to 30 minutes only improves RPO (to 30 minutes) but does not reduce the 5-hour restore time (RTO failure) and does not address the encryption key compliance issue.

221
MCQ · easy

A company has a contractual requirement that the CSP must delete all customer data within 30 days of contract termination. Which document should specify this requirement?

A. Business Associate Agreement (BAA)
B. Data Processing Agreement (DPA)
C. Memorandum of Understanding (MOU)
D. Service Level Agreement (SLA)
Answer: B

DPAs include data processing terms, such as deletion upon termination.

Why this answer

The Data Processing Agreement (DPA) outlines data handling obligations, including deletion requirements. SLAs cover performance, BAAs are for HIPAA, and MOUs are high-level.

222
MCQ · medium

An organization wants to assess the security controls of a cloud provider before entering into a contract. What is the most efficient method?

A. Request a penetration test report
B. Conduct an on-site audit
C. Perform vulnerability scanning
D. Review a SOC 2 Type II report
Answer: D

SOC 2 Type II reports provide a thorough, independent evaluation of controls over a period.

Why this answer

Reviewing a SOC 2 Type II report provides an independent assessment of a provider's controls over time. On-site audits are costly and time-consuming. Vulnerability scanning and penetration test reports may not be available or comprehensive.

223
MCQ · medium

A client is negotiating a cloud service agreement and wants to conduct on-site audits of the provider's data centers. The provider argues that on-site audits are unnecessary due to SOC 2 reports. Which is the best approach for the client?

A. Request a right to review SOC 2 reports and conduct limited assessments
B. Insist on on-site audits
C. Terminate negotiations
D. Accept SOC 2 reports as sufficient
Answer: A

Correct. This approach allows the client to gain assurance without being overly intrusive.

Why this answer

The client should request a right to review SOC 2 reports and conduct limited assessments because SOC 2 reports provide a point-in-time snapshot of controls, but they do not cover real-time operational changes, custom configurations, or specific contractual requirements. On-site audits may be impractical due to multi-tenancy and shared infrastructure, so a balanced approach of reviewing SOC 2 reports plus targeted assessments (e.g., reviewing evidence of key controls, interviewing staff, or examining specific systems) gives the client sufficient assurance without disrupting the provider's operations.

Exam trap

The trap here is that candidates assume on-site audits are always necessary for compliance, but the CCSP exam emphasizes that cloud providers typically rely on third-party attestations (like SOC 2, ISO 27001) and that physical audits are often impractical due to multi-tenancy and security risks.

How to eliminate wrong answers

Option B is wrong because insisting on on-site audits ignores the provider's legitimate concerns about security, multi-tenancy, and operational disruption; in cloud environments, on-site audits are often replaced by third-party attestations like SOC 2, and the provider may not allow physical access due to shared infrastructure. Option C is wrong because terminating negotiations is premature and disproportionate; the client can still achieve reasonable assurance through SOC 2 reports and limited assessments without walking away. Option D is wrong because accepting SOC 2 reports as sufficient without any additional verification fails to account for the report's scope limitations (e.g., it may not cover all relevant controls, and it is a snapshot in time), leaving the client exposed to risks not addressed by the report.

224
MCQ · hard

A healthcare organization is migrating its electronic health record (EHR) system to a public cloud. The system stores sensitive patient data subject to HIPAA. The cloud architect has designed a multi-tier architecture with load balancers, web servers, application servers, and a PostgreSQL database. The database contains ePHI. To meet compliance, the architect plans to encrypt the database at rest using AWS RDS encryption with KMS. However, during a security review, the compliance officer notes that the database backups are stored in an S3 bucket that is not encrypted. Additionally, the application logs, which may contain patient data, are sent to CloudWatch Logs without encryption. The compliance officer insists that all data stores containing ePHI must be encrypted at rest. Which action should the architect take to ensure compliance?

A. Enable S3 bucket encryption for backups and enable encryption for CloudWatch Logs using KMS.
B. Disable automated backups and rely on point-in-time recovery.
C. Enable encryption on the RDS instance and use encrypted replicas.
D. Enable encryption on the S3 bucket only, since backups are the main concern.
Answer: A

This ensures all data stores with ePHI are encrypted at rest.

Why this answer

Option A is correct because HIPAA requires encryption of ePHI at rest in all data stores. The S3 bucket containing unencrypted database backups and the CloudWatch Logs that may contain patient data both need encryption enabled via KMS to meet compliance. AWS RDS encryption protects the live database, but backups and logs are separate storage locations that must also be encrypted.

Exam trap

The trap here is that candidates assume encrypting the RDS instance automatically encrypts all associated data stores, such as backups exported to S3 and CloudWatch Logs, when in fact each service requires separate encryption configuration.

How to eliminate wrong answers

Option B is wrong because disabling automated backups does not address the existing unencrypted backups in S3 or the unencrypted CloudWatch Logs, and point-in-time recovery still relies on encrypted storage. Option C is wrong because the RDS instance is already encrypted with RDS encryption; the issue is the backups in S3 and CloudWatch Logs, not the database itself. Option D is wrong because it only addresses the S3 bucket and ignores the CloudWatch Logs, which also contain ePHI and must be encrypted to comply with HIPAA.

225
MCQ · medium

An organization uses a cloud-based DLP solution to monitor outbound traffic. They want to prevent the exfiltration of credit card numbers. Which detection technique is most appropriate for this requirement?

A. Exact data matching against a list of known card numbers
B. Machine learning classification of sensitive data
C. Fingerprinting of known credit card documents
D. Regular expression matching for credit card number patterns
Answer: D

Regex can identify card numbers based on format.

Why this answer

Regular expression matching (option D) is the most appropriate technique because credit card numbers follow well-defined, predictable patterns (e.g., 16 digits, specific starting digits for each issuer like 4 for Visa, 5 for MasterCard, and Luhn algorithm validation). This allows the DLP solution to detect credit card numbers in outbound traffic without requiring a pre-populated list or prior training, making it ideal for real-time monitoring of unknown or new card numbers.

Exam trap

ISC2 often tests the misconception that machine learning (option B) is always the most advanced or accurate technique, but for structured data like credit card numbers, regex is simpler, faster, and more precise.

How to eliminate wrong answers

Option A is wrong because exact data matching requires a pre-compiled list of known credit card numbers, which is impractical for detecting unknown or newly issued cards and does not scale for outbound traffic monitoring. Option B is wrong because machine learning classification is better suited for identifying unstructured or context-dependent sensitive data (e.g., legal documents) and introduces latency and false positives for a well-defined pattern like credit card numbers. Option C is wrong because fingerprinting of known credit card documents is designed to detect specific files (e.g., PDFs or spreadsheets) containing card numbers, not to identify card numbers in arbitrary outbound traffic such as emails or web requests.
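As an added example that is not part of the question bank, the following Python shows the pattern-based detection described above: a regular expression picks out candidate card-number runs in constructed outbound messages, the Luhn check and a coarse leading-digit test (a simplification, not a full issuer table) discard false positives, and each hit is masked before it would be written to an alert.

```python
# Added example (not from the question bank): pattern-based card-number
# detection of the kind a DLP engine applies to outbound text. A regex finds
# candidate digit runs, the Luhn check and a coarse leading-digit test cut
# false positives, and matches are masked before they reach an alert.
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
CARD_PATTERN = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return candidate PANs (digits only) passing format and Luhn checks.
    Leading digits 3-6 cover the major brands; this is a simplification."""
    hits = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and digits[0] in "3456" and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits so an alert never carries the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_outbound(messages: list) -> list:
    """Return (message index, masked PAN) for every confirmed hit."""
    return [(i, mask_pan(p)) for i, msg in enumerate(messages)
            for p in find_card_numbers(msg)]


# Constructed sample traffic; the card numbers are public test numbers.
SAMPLE_MESSAGES = [
    "Invoice paid with card 4111 1111 1111 1111, thanks",
    "Ticket 4111111111111112 escalated to tier 2",
    "Card 5500-0000-0000-0004 kept on file per customer request",
    "Meeting at 10:30, reference 1234567890123",
]

if __name__ == "__main__":
    for idx, masked in scan_outbound(SAMPLE_MESSAGES):
        print(f"message {idx}: possible PAN {masked}")
```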
