Certified Cloud Security Professional (CCSP) — Questions 226-300

504 questions total · 7 pages · All types, answers revealed

Page 4 of 7
226
Multi-Select · hard

A cloud security architect is designing a secure CI/CD pipeline for a containerized application deployed on a Kubernetes cluster. The pipeline must ensure that only approved images are deployed. Which TWO of the following controls should be implemented? (Choose two.)

Select 2 answers
A. Implement role-based access control (RBAC) to restrict who can push images to the registry.
B. Configure the Kubernetes admission controller to reject pods that use unsigned images.
C. Use network policies to restrict pod-to-pod communication.
D. Scan all container images for vulnerabilities in the CI pipeline.
E. Sign container images with a private key and verify signatures before deployment.
Answers: B, E

An admission controller can enforce policies at deployment time, rejecting pods that do not meet criteria such as image signature verification.

Why this answer

Option B is correct because Kubernetes admission controllers can enforce policies such as rejecting pods that use unsigned images, ensuring only images with verified signatures are deployed. This directly addresses the requirement to deploy only approved images by validating image integrity at admission time.

Exam trap

ISC2 often tests the distinction between controls that prevent unauthorized images from being deployed (signing and admission control) versus controls that manage access or detect vulnerabilities but do not enforce approval at deployment time.
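To make the admission-time check in the correct answer concrete, here is an added example (it is not from the question bank or from any Kubernetes project) of the decision logic such a controller applies: every container image must be pinned by digest and carry a signature that verifies. The registry name, the pod documents and the signing secret are constructed, and HMAC-SHA256 stands in for the asymmetric signature a real pipeline would use, so the script runs with the Python standard library alone.

```python
"""Added example: simplified admission check enforcing "only signed,
digest-pinned images are deployed".

Assumptions (constructed, not from the question bank):
- images are referenced by immutable digest, repo@sha256:<64 hex>;
- CI produced a detached signature over that reference;
- HMAC-SHA256 with a shared secret stands in for an asymmetric
  signature scheme so the example needs no third-party library.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Constructed signing secret. In a real pipeline the private key stays
# in CI and the admission controller only holds the public key.
SIGNING_SECRET = b"ci-pipeline-signing-key-(constructed)"

DIGEST_RE = re.compile(r"^(?P<repo>[\w./-]+)@sha256:(?P<hex>[0-9a-f]{64})$")


def sign_image(image_ref: str) -> str:
    """CI step: sign an immutable digest reference (tags are refused)."""
    if not DIGEST_RE.match(image_ref):
        raise ValueError("only digest-pinned references are signed")
    return hmac.new(SIGNING_SECRET, image_ref.encode(), hashlib.sha256).hexdigest()


def verify_signature(image_ref: str, signature: str) -> bool:
    """Admission step: recompute and compare in constant time."""
    expected = hmac.new(SIGNING_SECRET, image_ref.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def admit_pod(pod: Dict, signatures: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Init containers are checked too, since
    they run with the same trust as the main containers."""
    reasons: List[str] = []
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    if not containers:
        reasons.append("pod has no containers")
    for c in containers:
        ref = c.get("image", "")
        name = c.get("name", "<unnamed>")
        if not DIGEST_RE.match(ref):
            # A mutable tag such as ':latest' can be repointed after signing.
            reasons.append(f"{name}: image '{ref}' is not pinned by sha256 digest")
            continue
        sig = signatures.get(ref)
        if sig is None:
            reasons.append(f"{name}: no signature found for {ref}")
        elif not verify_signature(ref, sig):
            reasons.append(f"{name}: signature for {ref} does not verify")
    return (len(reasons) == 0, reasons)


# Constructed sample data.
APPROVED = "registry.example.internal/shop/api@sha256:" + "a" * 64
SIGNATURE_STORE = {APPROVED: sign_image(APPROVED)}
GOOD_POD = {"spec": {"containers": [{"name": "api", "image": APPROVED}]}}
TAGGED_POD = {"spec": {"containers": [
    {"name": "api", "image": "registry.example.internal/shop/api:latest"}]}}
UNSIGNED_POD = {"spec": {"containers": [
    {"name": "api", "image": "registry.example.internal/shop/api@sha256:" + "b" * 64}]}}
TAMPERED_STORE = {APPROVED: "0" * 64}  # signature replaced by garbage

if __name__ == "__main__":
    for label, pod, store in [("good", GOOD_POD, SIGNATURE_STORE),
                              ("tagged", TAGGED_POD, SIGNATURE_STORE),
                              ("unsigned", UNSIGNED_POD, SIGNATURE_STORE),
                              ("tampered", GOOD_POD, TAMPERED_STORE)]:
        allowed, why = admit_pod(pod, store)
        print(label, "ADMIT" if allowed else "REJECT", why)
```

Only the first pod is admitted; the tag-only reference is rejected even though it is "the same image", which is the point of pairing signing (E) with admission control (B): the controller verifies a fixed artifact, not a name that can change after scanning.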

227
MCQ · medium

A cloud security engineer is designing a disaster recovery plan for a critical application running on virtual machines. The RTO is 4 hours and RPO is 1 hour. Which approach meets these requirements?

A. Take daily snapshots and restore to a different region.
B. Use synchronous replication to a secondary availability zone.
C. Keep a warm standby in another region with continuous data replication.
D. Use asynchronous replication with a 1-hour lag to a secondary site.
Answer: C

Warm standby with continuous replication meets both RTO and RPO.

Why this answer

Option C meets both the RTO of 4 hours and RPO of 1 hour by maintaining a warm standby in another region with continuous data replication. Continuous replication ensures data is synchronized with minimal lag (well under 1 hour), and the warm standby VM can be activated quickly to meet the 4-hour RTO. This approach balances cost and recovery speed, as a warm standby is partially running and can be promoted to production faster than a cold standby.

Exam trap

ISC2 often tests the distinction between RPO and RTO, and the trap here is that candidates confuse asynchronous replication with a 1-hour lag as meeting both requirements, overlooking that a cold standby without pre-provisioned compute cannot achieve a 4-hour RTO even if the data is available.

How to eliminate wrong answers

Option A is wrong because daily snapshots provide an RPO of up to 24 hours, far exceeding the required 1-hour RPO, and restoring to a different region would likely exceed the 4-hour RTO due to the time needed to transfer and restore large snapshot data. Option B is wrong because synchronous replication to a secondary availability zone within the same region does not protect against a regional disaster; it only covers zone-level failures, and synchronous replication typically requires low-latency links, making it unsuitable for cross-region DR. Option D is wrong because asynchronous replication with a 1-hour lag exactly matches the RPO of 1 hour, but it does not guarantee the RTO of 4 hours; a secondary site with only replication and no pre-provisioned compute (cold standby) would require additional time to provision and start VMs, likely exceeding the RTO.

228
MCQ · easy

A company is migrating to the cloud to reduce capital expenditures. They want to pay only for the resources they consume with no upfront investment. Which financial model does this describe?

A. Amortization
B. Capex
C. Leasing
D. Opex
Answer: D

Opex is the pay-as-you-go model that aligns with variable costs and no upfront investment.

Why this answer

Option D is correct because the operating expenditure (Opex) model allows a company to pay for cloud resources on a consumption basis without any upfront capital investment. This aligns with the goal of reducing capital expenditures (Capex) by shifting costs to variable, pay-as-you-go operational expenses.

Exam trap

ISC2 often tests the distinction between Capex and Opex by presenting a scenario that describes consumption-based pricing, and the trap is that candidates confuse 'leasing' (which still implies a fixed term) with true pay-as-you-go Opex.

How to eliminate wrong answers

Option A is wrong because amortization is an accounting method that spreads the cost of an intangible asset over its useful life, not a financial model for paying for cloud resources as consumed. Option B is wrong because Capex (capital expenditure) involves upfront investment in physical assets like servers, which contradicts the goal of avoiding upfront costs. Option C is wrong because leasing typically involves fixed periodic payments for a defined term, not a consumption-based model where you pay only for what you use.

229
MCQ · medium

Your company, a global e-commerce platform, operates on a multi-cloud environment with workloads in AWS and Azure. You are the lead cloud architect. The platform experiences peak traffic during promotional events, with traffic spikes up to 10x normal. The application is composed of microservices running in containers orchestrated by Kubernetes on both clouds. Each cloud provider's Kubernetes cluster uses cluster autoscaler and horizontal pod autoscaler. Recently, during a flash sale, the AWS cluster failed to scale adequately, causing latency spikes and timeouts. AWS support indicated that the cluster hit a service quota limit for EC2 instances. You need to prevent this from recurring. Which option is the best course of action?

A. Migrate all workloads to Azure to simplify management.
B. Use a global load balancer to route traffic to the cloud with the most available capacity.
C. Implement a multi-region deployment on AWS to distribute load.
D. Pre-warm the AWS environment by requesting a service quota increase and using a pod priority class to ensure critical pods scale first.
Answer: D

Addresses the quota limit directly and uses priority classes to manage scaling of critical services.

Why this answer

Option D is correct because the root cause is a hard AWS service quota for EC2 instances, which prevents the cluster autoscaler from launching new nodes. Requesting a quota increase removes this bottleneck, while pod priority classes ensure that critical microservices are scheduled first when resources are constrained, preventing latency spikes during flash sales.

Exam trap

ISC2 often tests the misconception that scaling issues are always solved by distributing load (e.g., multi-region or global load balancers), when the actual root cause is a hard resource quota that prevents any new compute capacity from being provisioned.

How to eliminate wrong answers

Option A is wrong because migrating all workloads to Azure does not address the underlying scaling issue—it merely shifts the problem to another cloud, which may also have its own quotas. Option B is wrong because a global load balancer can distribute traffic but does not resolve the AWS quota limit; the cluster will still fail to scale if it cannot launch new EC2 instances. Option C is wrong because multi-region deployment on AWS distributes load but does not increase the per-region EC2 instance quota; the cluster autoscaler would still be blocked by the same quota in each region.

230
Drag & Drop · medium

Drag and drop the steps for responding to a security incident involving a compromised cloud VM into the correct order.


Why this order

First isolate, then capture forensics, terminate, analyze, and finally remediate and restore.

231
MCQ · easy

A cloud service provider is designing a new data center. To ensure physical security, which of the following controls is most effective for preventing unauthorized access to the server floor?

A. Implement biometric access controls and two-factor authentication at all entry points.
B. Hire 24/7 security guards to monitor the entrance.
C. Use mantraps at the main entrance to catch tailgating.
D. Install high-definition surveillance cameras covering all entrances and server aisles.
Answer: A

Biometric + 2FA provides strong authentication and prevents unauthorized access.

Why this answer

Option A is correct because biometric access control with two-factor authentication provides strong access control. Option D is wrong because surveillance cameras are detective, not preventive. Option B is wrong because security guards are less reliable and can be bypassed. Option C is wrong because mantrap doors are effective but work best when combined with authentication.

232
Multi-Select · hard

Which TWO of the following are requirements for a cloud service agreement to comply with the European Data Protection Board (EDPB) guidelines on data processing?

Select 2 answers
A. The processor may subcontract processing without notification
B. The processor must only process data on documented instructions from the controller
C. The controller must ensure the processor agrees to audit rights
D. The agreement must specify the duration of processing
E. The processor must retain data indefinitely
Answers: B, D

Correct. The agreement must ensure processing is only on documented instructions.

Why this answer

Option B is correct because the EDPB guidelines mandate that a processor may only process personal data on documented instructions from the controller. This ensures the processor’s actions are strictly controlled and auditable, preventing unauthorized processing that could violate GDPR Article 28(3)(a).

Exam trap

ISC2 often tests the distinction between controller and processor responsibilities, so candidates may mistakenly think the controller must agree to audit rights (Option C) rather than recognizing that the processor must agree to them in the agreement.

233
MCQ · easy

A cloud customer wants to ensure that their data is encrypted during transmission between their on-premises data center and the cloud provider's service. Which protocol should they use?

A. Internet Protocol Security (IPSec)
B. Transport Layer Security (TLS) 1.2
C. Secure Shell (SSH)
D. Remote Desktop Protocol (RDP)
Answer: B

TLS is the standard for encrypting data in transit over networks.

Why this answer

TLS 1.2 is the correct choice because it is specifically designed to secure data in transit over networks, such as between an on-premises data center and a cloud provider. It operates at the transport layer, providing encryption, authentication, and integrity for HTTP-based traffic (HTTPS), which is the most common method for cloud API interactions. IPSec, while also a valid encryption protocol, is typically used for site-to-site VPN tunnels at the network layer, not for securing individual service-to-service transmissions like those to a cloud provider's REST API.

Exam trap

ISC2 often tests the distinction between network-layer encryption (IPSec) and transport-layer encryption (TLS), leading candidates to choose IPSec because it is commonly associated with 'secure transmission' between sites, but the question specifies 'between their on-premises data center and the cloud provider's service,' which implies application-level communication, not a full network tunnel.

How to eliminate wrong answers

Option A is wrong because IPSec operates at the network layer (Layer 3) and is primarily used for establishing VPN tunnels between entire networks, not for encrypting individual application-level data transmissions between a customer's data center and a specific cloud service endpoint. Option C is wrong because SSH is designed for secure remote shell access and command execution, not for encrypting bulk data transmission between data centers and cloud services; it lacks the necessary protocol support for web-based API calls. Option D is wrong because RDP is a proprietary protocol for remote desktop connections to Windows machines, not a general-purpose encryption protocol for data in transit between on-premises and cloud environments.

234
MCQ · easy

A cloud application developer is using a containerized application with Docker. The security team requires that the application runs with the least privilege possible. Which of the following is the BEST practice to ensure the container does not run as root?

A. Use the --no-root flag when starting the container.
B. Include a USER directive in the Dockerfile to specify a non-root user.
C. Set the securityContext.runAsNonRoot parameter in the container manifest.
D. Use the --cap-drop=ALL option when running the container.
Answer: B

This is the standard way to run a container as a non-root user.

Why this answer

The USER directive in a Dockerfile sets the user for any subsequent RUN, CMD, or ENTRYPOINT instructions, ensuring the container process runs as a non-root user by default. This is the most direct and persistent method to enforce least privilege at build time, as it becomes part of the image itself and applies regardless of runtime flags.

Exam trap

ISC2 often tests the distinction between runtime flags (like --user or --cap-drop) and build-time directives (like USER), and candidates mistakenly think dropping capabilities is equivalent to running as a non-root user.

How to eliminate wrong answers

Option A is wrong because Docker does not have a --no-root flag; the correct approach is to use the --user flag at runtime or the USER directive in the Dockerfile. Option C is wrong because securityContext.runAsNonRoot is a Kubernetes pod-level setting, not a Docker-native construct, and it only enforces a policy that the container must not run as root, but does not actually set a non-root user. Option D is wrong because --cap-drop=ALL removes all Linux capabilities but does not change the user identity; the container could still run as root with no capabilities, which violates the least privilege principle for user context.
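As an added illustration (not the question bank's and not Docker's own tooling), the following Python script checks a Dockerfile the way a CI gate would for the build-time control in Option B: it resolves the effective USER, since the last USER directive wins and a missing one means root, and accepts the name, uid, name:group and uid:gid forms. The Dockerfile texts are constructed for the example.

```python
"""Added example: find the user a container image starts as, from the
Dockerfile alone, and report images that default to root.

Rules implemented (Docker semantics):
- no USER directive at all  -> the process runs as root;
- several USER directives   -> the last one wins;
- 'USER name', 'USER uid', 'USER name:group', 'USER uid:gid' are valid;
- 'root' and uid '0' are root.
"""
from typing import List, Tuple

ROOT_IDS = {"root", "0"}


def parse_instructions(dockerfile: str) -> List[Tuple[str, str]]:
    """Split a Dockerfile into (INSTRUCTION, arguments) pairs, joining
    backslash line continuations and skipping comments and blank lines."""
    logical: List[str] = []
    pending = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        logical.append(pending + line)
        pending = ""
    if pending:
        logical.append(pending.rstrip())
    pairs: List[Tuple[str, str]] = []
    for entry in logical:
        head, _, rest = entry.partition(" ")
        pairs.append((head.upper(), rest.strip()))
    return pairs


def effective_user(dockerfile: str) -> str:
    """The account the container process starts as (last USER wins)."""
    user = "root"
    for instr, args in parse_instructions(dockerfile):
        if instr == "USER":
            user = args.split(":", 1)[0].strip()  # drop the optional :group
    return user


def lint(dockerfile: str) -> List[str]:
    """Findings a CI gate would report; an empty list means the image passes."""
    findings: List[str] = []
    instrs = parse_instructions(dockerfile)
    user = effective_user(dockerfile)
    if user in ROOT_IDS:
        if not any(instr == "USER" for instr, _ in instrs):
            findings.append("no USER directive: container defaults to root")
        else:
            findings.append(f"last USER directive resolves to root ({user!r})")
    return findings


# Constructed Dockerfiles.
NO_USER = """\
FROM python:3.12-slim
COPY app /app
CMD ["python", "/app/main.py"]
"""
GOOD = """\
FROM python:3.12-slim
# create an unprivileged account at build time, then switch to it
RUN groupadd --system app && \\
    useradd --system --gid app --no-create-home app
COPY --chown=app:app app /app
USER app:app
CMD ["python", "/app/main.py"]
"""
RESET_TO_ROOT = """\
FROM python:3.12-slim
RUN useradd --system app
USER app
# a later step switched back to root and never switched away again
USER root
CMD ["python", "/app/main.py"]
"""
NUMERIC_UID = "FROM scratch\nUSER 10001:10001\n"
NUMERIC_ZERO = "FROM scratch\nUSER 0\n"

if __name__ == "__main__":
    for label, text in [("no-user", NO_USER), ("good", GOOD),
                        ("reset-to-root", RESET_TO_ROOT),
                        ("numeric", NUMERIC_UID), ("uid-0", NUMERIC_ZERO)]:
        print(f"{label:14} user={effective_user(text)!r:10} {lint(text)}")
```

The RESET_TO_ROOT case is the one a quick visual review misses: a USER directive is present, yet the image still starts as root because a later USER root was never reverted. Pairing this build-time check with the runtime policy from Option C (runAsNonRoot) catches the same mistake from both sides.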

235
MCQ · medium

A software development company is migrating its development and test environments to a public cloud. The security team has identified that many developers have assigned overly permissive IAM roles to the resources they create, such as giving full administrative access to databases and virtual machines. The company wants to enforce least privilege without impeding development agility. The cloud architect suggests using a combination of permission boundaries and service control policies. Which of the following approaches BEST enforces least privilege while maintaining development flexibility?

A. Define permission boundaries that limit the maximum permissions a developer can grant to resources, and allow developers to create IAM roles within those boundaries.
B. Implement an automated system that reviews and removes any privileges not used within 60 days.
C. Attach a service control policy at the organizational level that denies all actions unless explicitly allowed, and have developers create their own IAM policies.
D. Create a permission boundary that restricts all users to read-only access and require subordinates to request access for specific privileges.
Answer: A

Correct: Permission boundaries provide a preventative limit while allowing developers flexibility.

Why this answer

Permission boundaries in AWS IAM (or similar constructs in other clouds) allow an administrator to set the maximum permissions that a developer can grant to any IAM role or resource. By defining a permission boundary, developers retain the flexibility to create and attach policies within that boundary, ensuring they cannot exceed the defined limits. This directly enforces least privilege because even if a developer attaches a permissive policy, the boundary caps the effective permissions, preventing full administrative access to databases or VMs.

Exam trap

ISC2 often tests the distinction between preventive controls (like permission boundaries) and detective/reactive controls (like privilege review), leading candidates to choose an option that sounds proactive but actually only audits after the fact.

How to eliminate wrong answers

Option B is wrong because it is a reactive measure that only removes unused privileges after 60 days, which does not prevent developers from initially assigning overly permissive roles; it also introduces a delay that could leave resources exposed. Option C is wrong because attaching a service control policy (SCP) at the organizational level that denies all actions unless explicitly allowed would require developers to create their own IAM policies, but SCPs alone do not prevent developers from creating overly permissive policies within the allowed actions—they lack the granular per-role cap that permission boundaries provide. Option D is wrong because restricting all users to read-only access and requiring subordinates to request specific privileges would severely impede development agility by forcing manual approval for every action, contradicting the goal of maintaining flexibility while enforcing least privilege.
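An added example, not AWS's policy evaluator and not part of the question bank, that models the rule the explanation relies on: the effective permissions of a role that carries a boundary are the intersection of its identity policy and the boundary, and an explicit Deny in either wins. It handles only Effect and Action with wildcard matching (no Resource, Condition or SCP logic); the two policies and the action list are constructed.

```python
"""Added example: effective permissions under an IAM permission boundary.

Modelled rule: allowed(action) = identity policy allows it AND the
boundary (if attached) allows it; an explicit Deny anywhere wins.
Only Effect/Action are evaluated; Resource, Condition and SCPs are
out of scope for this toy evaluator.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

Policy = Dict  # {"Statement": [{"Effect": "Allow"|"Deny", "Action": str | [str]}]}


def _actions(stmt: Dict) -> List[str]:
    act = stmt.get("Action", [])
    return [act] if isinstance(act, str) else list(act)


def policy_decision(policy: Policy, action: str) -> str:
    """'Deny', 'Allow' or 'ImplicitDeny' for one action under one policy.
    IAM matches action names case-insensitively, so compare lower-cased."""
    decision = "ImplicitDeny"
    for stmt in policy.get("Statement", []):
        for pattern in _actions(stmt):
            if fnmatchcase(action.lower(), pattern.lower()):
                if stmt.get("Effect") == "Deny":
                    return "Deny"          # explicit deny short-circuits
                decision = "Allow"
    return decision


def is_allowed(action: str, identity: Policy, boundary: Optional[Policy]) -> bool:
    """Both the identity policy and the boundary must say Allow."""
    if policy_decision(identity, action) != "Allow":
        return False
    if boundary is None:
        return True
    return policy_decision(boundary, action) == "Allow"


def effective_allowed(actions: List[str], identity: Policy,
                      boundary: Optional[Policy]) -> List[str]:
    return [a for a in actions if is_allowed(a, identity, boundary)]


# Constructed policies. The identity policy is the kind of over-broad
# grant the question describes; the boundary caps what it can reach.
OVERLY_PERMISSIVE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

DEVELOPER_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "logs:*", "rds:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": ["rds:Delete*", "iam:*"], "Resource": "*"}]}

SAMPLE_ACTIONS = ["ec2:RunInstances", "s3:GetObject", "rds:DescribeDBInstances",
                  "rds:DeleteDBInstance", "iam:CreateUser"]

if __name__ == "__main__":
    print("without boundary:", effective_allowed(SAMPLE_ACTIONS, OVERLY_PERMISSIVE, None))
    print("with boundary:   ", effective_allowed(SAMPLE_ACTIONS, OVERLY_PERMISSIVE, DEVELOPER_BOUNDARY))
```

The developer keeps a wildcard identity policy and still cannot delete a database or create IAM users: the boundary, set once by the platform team, caps every role created under it, which is why Option A preserves agility while Option B only discovers the excess after the fact.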

236
Multi-Select · easy

Which TWO of the following are recommended practices for securing cloud storage buckets? (Choose two.)

Select 2 answers
A. Block public read/write access
B. Enable bucket versioning
C. Enable default encryption
D. Delete unused buckets immediately
E. Enable access logging
Answers: A, C

Preventing public access is a fundamental security control.

Why this answer

Blocking public access and enabling default encryption are the key practices. Versioning and access logging are useful but secondary controls. Deleting buckets is not a security practice.

237
MCQ · hard

A multinational corporation uses a cloud CASB to enforce data loss prevention (DLP) policies across SaaS applications. The security team discovers that sensitive data is being exfiltrated via encrypted traffic that the CASB cannot inspect. What is the most effective design change to mitigate this risk?

A. Implement user training to prevent data exfiltration.
B. Block all encrypted traffic at the network perimeter.
C. Deploy a forward proxy with SSL/TLS interception capabilities.
D. Disable TLS/SSL encryption for all sensitive data transfers.
Answer: C

Correct: This enables decryption and inspection of traffic while maintaining end-to-end security.

Why this answer

Option C is correct because a forward proxy with SSL/TLS interception capabilities allows the CASB to decrypt, inspect, and re-encrypt traffic, enabling DLP policy enforcement on data in transit. This design change addresses the root cause—encrypted traffic bypassing inspection—without breaking application functionality or security.

Exam trap

ISC2 often tests the misconception that blocking or disabling encryption is a valid DLP solution, when in fact the correct approach is to use interception that maintains encryption end-to-end while enabling inspection.

How to eliminate wrong answers

Option A is wrong because user training addresses human error but does not provide technical control over encrypted traffic, leaving the exfiltration vector open. Option B is wrong because blocking all encrypted traffic at the network perimeter would break legitimate business applications and is not a viable security design; it also violates the principle of least disruption. Option D is wrong because disabling TLS/SSL encryption for sensitive data transfers would expose data to interception and tampering, directly violating confidentiality and integrity requirements.

238
MCQ · medium

A company uses a cloud-based database that contains personally identifiable information (PII). They need to allow developers to run queries against the database for testing purposes without exposing actual PII. Which technique should they use?

A. Encrypt the PII fields at rest
B. Grant developers direct access to a copy of the production data
C. Apply dynamic data masking to the PII columns
D. Tokenize the PII fields with a one-way hash
Answer: C

Masking provides realistic but fake data.

Why this answer

Option C is correct because dynamic data masking (DDM) allows the database to return masked PII to developers in real time without altering the underlying stored data. This technique applies masking rules at query runtime, so developers can run functional tests against production-like data while sensitive values are obfuscated. It avoids the need for separate sanitized copies and preserves referential integrity for testing.

Exam trap

ISC2 often tests the distinction between dynamic data masking and tokenization, where candidates mistakenly choose tokenization because they think a one-way hash is sufficient for testing, but they overlook that testing requires reversible or format-preserving transformations to maintain data utility.

How to eliminate wrong answers

Option A is wrong because encrypting PII at rest protects data on disk but does not prevent developers from seeing plaintext when they query the database; decryption keys are typically available to authorized users, so the PII would still be exposed in query results. Option B is wrong because granting developers direct access to a copy of production data, even if it is a copy, still exposes actual PII and violates the principle of least privilege and data minimization for testing environments. Option D is wrong because tokenization with a one-way hash is irreversible and would break the ability to run meaningful queries that require relationships or pattern matching; tokenization for testing typically uses reversible tokens or format-preserving encryption, not a one-way hash.
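To show what "masking rules applied at query time" means in practice, here is an added example (not from the question bank and not any vendor's DDM feature) using Python's bundled SQLite driver: a view applies format-preserving masks to the PII columns while the base rows stay intact, and the customer id survives so joins in tests still work. SQLite has no GRANT, so the "developers query the view, not the table" separation is expressed in code; on a server database the view is granted instead of the table, or the engine's native dynamic masking is used. All rows are constructed.

```python
"""Added example: dynamic data masking with a view over PII columns.

The stored rows are never modified; the view rewrites each PII column
at query time, keeping the shape of the value (email keeps its domain,
SSN and phone keep their last four digits) so application code and
test queries behave as they would against real data.
"""
import sqlite3
from typing import List, Tuple

SCHEMA = """
CREATE TABLE customers (
    id        INTEGER PRIMARY KEY,
    full_name TEXT NOT NULL,
    email     TEXT NOT NULL,
    ssn       TEXT NOT NULL,   -- constructed, format-like only
    phone     TEXT NOT NULL
);
CREATE TABLE orders (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id),
    total_cents INTEGER NOT NULL
);
"""

# Masking rules live in the view definition, so changing a rule never
# touches stored data and applies to every query that uses the view.
MASKED_VIEW = """
CREATE VIEW customers_masked AS
SELECT
    id,
    substr(full_name, 1, 1) || '****'                                   AS full_name,
    substr(email, 1, 1) || '****' || substr(email, instr(email, '@'))   AS email,
    'XXX-XX-' || substr(ssn, -4)                                        AS ssn,
    '***-***-' || substr(phone, -4)                                     AS phone
FROM customers;
"""

# Constructed sample rows (not real people).
SAMPLE_CUSTOMERS = [
    (1, "Alice Example", "alice@example.com", "123-45-6789", "555-123-4567"),
    (2, "Bob Sample", "bob.s@example.org", "987-65-4321", "555-987-6543"),
]
SAMPLE_ORDERS = [(10, 1, 2599), (11, 2, 1200), (12, 1, 4500)]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + MASKED_VIEW)
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?)", SAMPLE_CUSTOMERS)
    conn.executemany("INSERT INTO orders VALUES (?,?,?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def stored_rows(conn: sqlite3.Connection) -> List[Tuple]:
    """What the base table holds: unchanged plaintext (privileged path)."""
    return conn.execute("SELECT id, full_name, email, ssn, phone FROM customers ORDER BY id").fetchall()


def masked_rows(conn: sqlite3.Connection) -> List[Tuple]:
    """What a developer sees: the same columns, masked at query time."""
    return conn.execute("SELECT id, full_name, email, ssn, phone FROM customers_masked ORDER BY id").fetchall()


def masked_order_totals(conn: sqlite3.Connection) -> List[Tuple]:
    """Joins still work through the view because the key column is unmasked."""
    return conn.execute("""
        SELECT m.email, SUM(o.total_cents)
        FROM customers_masked m JOIN orders o ON o.customer_id = m.id
        GROUP BY m.id ORDER BY m.id""").fetchall()


if __name__ == "__main__":
    db = build_db()
    print("stored :", stored_rows(db))
    print("masked :", masked_rows(db))
    print("totals :", masked_order_totals(db))
```

The contrast with Option D is visible in the last query: a one-way hash would also hide the email, but the masked value here still looks like an email address and the join key is untouched, so tests that exercise formatting, validation and relationships keep working.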

239
MCQ · medium

A company uses a cloud key management service with automatic annual key rotation. An auditor requires that keys are rotated every 90 days to meet internal policy. What should the cloud security architect do to satisfy this requirement?

A. Create a manual process to rotate keys every 90 days using scripts.
B. Request an exception from the auditor because the default annual rotation is sufficient.
C. Configure the cloud KMS with a custom rotation period of 90 days.
D. Disable automatic rotation and rotate keys manually when needed.
Answer: C

Cloud KMS allows custom rotation policies; the architect should use it.

Why this answer

Option C is correct because cloud KMS services (e.g., AWS KMS, Azure Key Vault, GCP Cloud KMS) allow administrators to define a custom rotation period, overriding the default annual rotation. By configuring a 90-day rotation schedule, the architect directly meets the auditor's policy without manual intervention or exceptions, ensuring automated compliance.

Exam trap

ISC2 often tests the misconception that manual rotation or exception requests are acceptable workarounds, but the correct approach is to leverage the cloud KMS's built-in configuration to automate compliance with the required rotation interval.

How to eliminate wrong answers

Option A is wrong because creating a manual process introduces operational overhead, risk of human error, and potential gaps in compliance, whereas cloud KMS supports automated custom rotation periods. Option B is wrong because requesting an exception ignores the auditor's explicit requirement and does not address the policy gap; default annual rotation is not sufficient per the 90-day mandate. Option D is wrong because disabling automatic rotation and rotating manually reintroduces the same risks as Option A and defeats the purpose of using a managed KMS service, which is designed to automate key lifecycle management.

240
MCQ · medium

A healthcare organization stores patient records in a cloud-based object storage service. To comply with HIPAA, they must ensure that data is encrypted at rest and that encryption keys are managed by the organization itself. Which key management approach should they implement?

A. Use server-side encryption with S3-managed keys (SSE-S3).
B. Use server-side encryption with AWS KMS-managed keys (SSE-KMS).
C. Use client-side encryption with customer-supplied encryption keys (CSEKS).
D. Implement a Bring Your Own Key (BYOK) model with a hardware security module (HSM) in the cloud.
Answer: D

Correct: BYOK allows the organization to control the encryption keys and meet compliance requirements.

Why this answer

Option D is correct because HIPAA requires the organization to maintain control over encryption keys, and a Bring Your Own Key (BYOK) model with a hardware security module (HSM) in the cloud allows the healthcare organization to generate, store, and manage their own keys externally while using them for cloud-based encryption. This approach ensures that the cloud provider cannot access the keys, meeting the regulatory requirement for key management by the organization itself.

Exam trap

ISC2 often tests the distinction between server-side encryption (where the provider manages keys) and client-side or BYOK models (where the customer retains key control), and the trap here is that candidates may assume SSE-KMS (Option B) gives the organization full key control, but KMS still allows the provider to manage the key lifecycle, failing the strict HIPAA requirement for the organization to be the sole manager.

How to eliminate wrong answers

Option A is wrong because server-side encryption with S3-managed keys (SSE-S3) uses keys managed entirely by the cloud provider, which does not satisfy the HIPAA requirement for the organization to manage the keys. Option B is wrong because server-side encryption with AWS KMS-managed keys (SSE-KMS) still delegates key management to the cloud provider's KMS service, even though the customer can control key policies; the provider retains potential access to the keys. Option C is wrong because client-side encryption with customer-supplied encryption keys (CSEKS) involves the organization managing keys on the client side, but it does not integrate with a hardware security module (HSM) for secure key storage and is not a cloud-native key management model; it also does not address the need for a dedicated HSM-based key management infrastructure that BYOK provides.

241
MCQ · easy

Which of the following is a key benefit of using a software composition analysis (SCA) tool in a cloud application security program?

A. Detects known vulnerabilities in open-source libraries
B. Enforces runtime policies
C. Simulates attacks on running applications
D. Identifies vulnerabilities in proprietary code
Answer: A

SCA specifically identifies vulnerabilities in third-party components.

Why this answer

SCA tools automate the identification of open-source components within a codebase and cross-reference them against databases like the National Vulnerability Database (NVD) to detect known vulnerabilities (CVEs). This is a key benefit because cloud applications often heavily rely on open-source libraries, and SCA provides a scalable way to manage that risk without manual auditing.

Exam trap

ISC2 often tests the distinction between SCA (open-source dependency scanning) and SAST (proprietary code scanning), so the trap here is confusing which tool analyzes which type of code, leading candidates to incorrectly select option D.

How to eliminate wrong answers

Option B is wrong because enforcing runtime policies is the function of a Runtime Application Self-Protection (RASP) tool or a cloud workload protection platform (CWPP), not an SCA tool which focuses on static analysis of dependencies. Option C is wrong because simulating attacks on running applications is the purpose of a dynamic application security testing (DAST) tool or a penetration testing framework, not SCA which does not execute code. Option D is wrong because identifying vulnerabilities in proprietary code is the domain of static application security testing (SAST) tools that analyze custom source code, whereas SCA specifically targets open-source and third-party components.

242
MCQ · easy

Refer to the exhibit. A company uses AWS Config to evaluate compliance with a rule that requires S3 buckets to enforce SSL. What should the administrator do next?

A. Enable SSL-only access on the bucket
B. Disable the Config rule
C. Update the rule to allow HTTP
D. Check which bucket is non-compliant
Answer: D

The administrator must identify the non-compliant resource before taking action.

Why this answer

The output shows the rule is non-compliant but does not identify which specific bucket(s). The logical next step is to check which resources are non-compliant. Enabling SSL-only access is a solution but first the administrator must identify the non-compliant bucket.

Disabling the rule or updating it would not resolve the issue.

243
MCQ · hard

A financial services firm uses a hybrid cloud architecture with a VPN connection to AWS. They need to comply with PCI DSS requirements for network segmentation. Which design is best?

A. Use AWS Direct Connect with multiple VLANs to separate traffic.
B. Implement a DMZ with a firewall appliance in a transit VPC.
C. Create separate VPCs for cardholder data and corporate systems, connected via VPC peering.
D. Use a single VPC with security groups to isolate workloads.
Answer: B

A transit VPC with firewall enforces segmentation and inspection, compliant with PCI DSS.

Why this answer

Option B is correct because a DMZ with a firewall appliance in a transit VPC provides a controlled, inspectable boundary between the on-premises network and AWS, enabling network segmentation that meets PCI DSS Requirement 1 (firewall configuration) and Requirement 1.3 (DMZ to isolate cardholder data from untrusted networks). The transit VPC design allows centralized egress/ingress inspection and prevents direct lateral movement between environments, which is critical for compliance.

Exam trap

The trap here is that candidates often confuse VPC peering or security groups as sufficient for network segmentation, but PCI DSS requires a DMZ with a firewall appliance to enforce a clear security boundary, not just logical isolation.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect with multiple VLANs does not inherently provide a DMZ or firewall inspection; it only extends the network, and PCI DSS requires a DMZ with a firewall to isolate cardholder data from untrusted networks, not just VLAN separation. Option C is wrong because VPC peering creates a direct, flat network connection between VPCs without any intermediate firewall or inspection point, violating PCI DSS Requirement 1.3 that mandates a DMZ and controlled traffic inspection. Option D is wrong because a single VPC with security groups alone cannot enforce network segmentation at the perimeter; security groups are stateful host-level filters, not network-layer firewalls, and PCI DSS requires a DMZ with a firewall appliance to separate cardholder data from untrusted networks.

244
MCQ · medium

During a security incident involving a compromised virtual machine (VM) in a public cloud, the incident response team needs to preserve evidence for potential legal action. Which of the following actions should be taken FIRST?

A. Stop the VM and take a snapshot of its disks
B. Delete the VM immediately to prevent further damage
C. Isolate the VM by removing it from the network
D. Create a forensic image of the VM's volumes while it is still running
Answer: D

Captures volatile data and preserves evidence.

Why this answer

Option D is correct because creating a forensic image of the VM's volumes captures volatile and persistent data while preserving the original state. Option B is wrong because deleting the VM destroys evidence. Option A is wrong because stopping the VM may cause loss of volatile data; snapshotting after a stop is acceptable, but the best first step is to create a forensic image before stopping.

Option C is wrong because isolating the network is important but does not preserve the VM state for forensics as effectively as imaging.

245
MCQeasy

Refer to the exhibit. A cloud administrator ran the Azure CLI command to list virtual machines. One VM shows a ProvisioningState of 'Failed'. What is the most likely cause of this state?

A.The VM's resource group has been moved to another subscription.
B.The VM is in a deallocated state.
C.The VM failed to start due to a resource quota limit or configuration error.
D.The VM was deleted by another administrator.
AnswerC

This is the typical reason for a failed provisioning state.

Why this answer

Option C is correct because a 'ProvisioningState' of 'Failed' in Azure indicates that the VM could not be created or started due to a resource quota limit (e.g., vCPU quota exceeded) or a configuration error (e.g., invalid network interface, unsupported VM size). This state is set by the Azure Resource Manager when the deployment or update operation fails, and it persists until the underlying issue is resolved and the VM is redeployed or reconfigured.

Exam trap

ISC2 often tests the distinction between 'ProvisioningState' and 'PowerState' — the trap here is that candidates confuse a 'Failed' provisioning state with a deallocated or stopped VM, but 'ProvisioningState' only reflects the success of the resource creation or update operation, not the runtime status.

How to eliminate wrong answers

Option A is wrong because moving a resource group to another subscription does not change the provisioning state of existing VMs; the VM would remain in its current state (e.g., 'Succeeded') and continue running. Option B is wrong because a deallocated VM shows a 'ProvisioningState' of 'Succeeded' (since it was successfully provisioned) and a 'PowerState' of 'Deallocated'; the 'ProvisioningState' field specifically tracks the success or failure of the provisioning operation, not the power state. Option D is wrong because if a VM is deleted, it no longer appears in the list of VMs; the 'ProvisioningState' field is only relevant for existing resources, and a deleted VM would return a '404 Not Found' error or simply not be listed.

246
MCQmedium

Refer to the exhibit. An administrator is reviewing an AWS S3 bucket policy. Based on the policy, which of the following is true?

A.The policy grants full administrative access to the bucket
B.The policy allows GetObject requests only from the specified IP range
C.The policy denies all access from the specified IP range
D.The bucket is publicly accessible to any IP address
AnswerB

Correct. The condition aws:SourceIp limits the Allow effect to that IP range.

Why this answer

The S3 bucket policy includes a Condition block using the IpAddress condition key to restrict the aws:SourceIp to a specific IP range. The Effect is Allow, and the Action is s3:GetObject, so only GET requests from that IP range are permitted. This makes option B correct because the policy explicitly allows GetObject requests from the specified IP range while implicitly denying all other access.

Exam trap

ISC2 often tests the distinction between an explicit Deny and an implicit Deny — candidates mistakenly think a condition-based Allow is the same as a Deny for non-matching IPs, but the policy only denies implicitly, not explicitly.

How to eliminate wrong answers

Option A is wrong because the policy only grants s3:GetObject permission, not full administrative actions like s3:PutObject, s3:DeleteObject, or s3:* — it is read-only, not full admin. Option C is wrong because the policy uses Allow with an IpAddress condition, not a Deny statement; a Deny would require a separate Deny effect or a NotIpAddress condition to explicitly block the IP range. Option D is wrong because the policy includes a condition that restricts access to a specific IP range, so the bucket is not publicly accessible to any IP address; requests from outside the range are implicitly denied.
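The distinction the explanation draws (condition-based Allow versus explicit Deny, with everything else implicitly denied) is easiest to see by running a request through a small policy evaluator. The following is an added example, not the exhibit from the question or any AWS tooling: the policies are constructed for it, and the evaluator supports only the IpAddress / NotIpAddress operators on aws:SourceIp.

```python
"""Evaluator for the bucket-policy shape discussed above (added example).

Decision order follows IAM: a matching explicit Deny always wins, then any
matching Allow, otherwise the request is implicitly denied.
"""
import fnmatch
import ipaddress

# Constructed policy, not the exhibit: Allow GetObject only from 203.0.113.0/24.
ALLOW_FROM_RANGE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        }
    ],
}

# Same grant plus an explicit Deny for every source outside the range.
ALLOW_PLUS_EXPLICIT_DENY = {
    "Version": "2012-10-17",
    "Statement": ALLOW_FROM_RANGE["Statement"] + [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, source_ip):
    """True when every condition operator in the block is satisfied by source_ip."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator: {operator}")
        nets = [ipaddress.ip_network(c, strict=False)
                for c in _as_list(keys.get("aws:SourceIp", []))]
        in_range = any(ip in net for net in nets)
        if operator == "IpAddress" and not in_range:
            return False
        if operator == "NotIpAddress" and in_range:
            return False
    return True


def evaluate(policy, action, resource, source_ip):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action and Resource use IAM-style '*' wildcards.
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # a matching explicit Deny overrides every Allow
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"
```

With the first policy, a GetObject from inside the range is allowed, a GetObject from outside it and a PutObject from anywhere are only implicitly denied; the second policy turns the out-of-range case into an explicit Deny, which is the difference the exam trap is about.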

247
MCQmedium

What additional security benefit does the VPC endpoint provide?

A.It encrypts data in transit.
B.It ensures data is not traversing the public internet.
C.It provides an additional layer of authentication.
D.It enables cross-region replication.
AnswerB

VPC endpoints route traffic privately, avoiding the public internet.

Why this answer

A VPC endpoint (specifically an interface or gateway endpoint) allows instances within a VPC to privately connect to supported AWS services (like S3 or DynamoDB) without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect. The core security benefit is that all traffic between the VPC and the service stays entirely within the AWS network backbone and never traverses the public internet, eliminating exposure to internet-based threats.

Exam trap

ISC2 often tests the misconception that VPC endpoints provide encryption or authentication, but the real security benefit is purely about keeping traffic off the public internet, not about adding cryptographic or identity-layer controls.

How to eliminate wrong answers

Option A is wrong because VPC endpoints do not inherently encrypt data in transit; encryption (e.g., TLS) is a separate configuration on the client side or service side, not a feature of the endpoint itself. Option C is wrong because VPC endpoints do not provide an additional layer of authentication; they rely on IAM policies and endpoint policies for access control, but the endpoint itself does not authenticate users or services beyond standard AWS authentication. Option D is wrong because VPC endpoints are used for private connectivity within a region or to a specific service, not for cross-region replication; cross-region replication is handled by services like S3 replication or RDS cross-region read replicas, not by VPC endpoints.

248
MCQeasy

A cloud application processes data subject to GDPR. The security team needs to ensure that all personally identifiable information (PII) is encrypted at rest and that access is logged. Which combination of controls should be implemented? (Select THREE)

A.Implement strict least privilege access controls
B.Use TLS for all network connections
C.Configure logging for all data access
D.Enable database encryption at rest
E.Implement a key management system
AnswerA, C, D

Limits who can access PII, reducing unauthorized access.

Why this answer

Option A is correct because strict least privilege access controls ensure that only authorized users or services can access PII, minimizing the risk of unauthorized exposure. This is a fundamental security principle for GDPR compliance, as it directly supports the data minimization and access control requirements. By restricting access to only what is necessary for a role, the organization reduces the attack surface and ensures that any access is intentional and auditable.

Exam trap

ISC2 often tests the distinction between encryption at rest and in transit, so candidates may incorrectly select TLS (Option B) thinking it covers encryption requirements, but the question explicitly specifies 'at rest'.

How to eliminate wrong answers

Option B is wrong because TLS encrypts data in transit, not at rest; the question specifically requires encryption at rest, so TLS does not address that requirement. Option E is wrong because while a key management system is important for managing encryption keys, it is not a direct control for encrypting data at rest or logging access; the question asks for controls that ensure PII is encrypted at rest and access is logged, and key management is a supporting process, not a primary control.

249
Multi-Selecthard

Which THREE statements about cryptographic key lifecycle management are correct?

Select 3 answers
A.Key usage should be logged and audited.
B.Key generation should be performed within a secure cryptographic module.
C.Key destruction should render the key irrecoverable.
D.Key backup must be encrypted and stored separately from the keys they protect.
E.Key rotation policies must ensure all data is re-encrypted with the new key immediately.
AnswersA, B, C

Logging provides accountability and helps detect unauthorized use.

Why this answer

Option A is correct because auditing key usage is a fundamental requirement for accountability and compliance in cryptographic key management. Logging every key operation (e.g., generation, encryption, decryption, signing) allows detection of unauthorized use or policy violations, and is mandated by standards like NIST SP 800-57 Part 1, which states that audit logs must be protected and reviewed regularly.

Exam trap

ISC2 often tests the misconception that key rotation requires immediate re-encryption of all existing data, when in practice it uses lazy re-encryption or key wrapping to avoid performance and availability impacts.

250
MCQmedium

A security analyst is reviewing CloudTrail logs and sees the above event. The analyst suspects that the AMI used may be outdated and vulnerable. Which action should the analyst take to verify the security posture of the launched instance?

A.Verify that the instance is not assigned a public IP address
B.Check the security groups associated with the instance
C.Check the AMI ID for known vulnerabilities using the AWS Systems Manager Patch Manager
D.Look up the AMI in the EC2 console and review its description and security bulletins
AnswerD

Reviewing the AMI details helps determine if it is outdated or has known issues.

Why this answer

Option D is correct because the AMI ID in the CloudTrail log can be used to look up the AMI in the EC2 console, where its description, release notes, and associated security bulletins are available. This allows the analyst to determine if the AMI is outdated or has known vulnerabilities, directly addressing the suspicion about the AMI's security posture.

Exam trap

ISC2 often tests the distinction between checking the AMI itself (via its ID and associated bulletins) versus checking runtime configurations (like security groups or public IPs) or using patching tools that apply to instances, not AMI metadata.

How to eliminate wrong answers

Option A is wrong because verifying the absence of a public IP address checks network exposure, not the security posture of the AMI itself; an instance can be vulnerable regardless of public IP assignment. Option B is wrong because security groups control network traffic rules, not the underlying AMI's software vulnerabilities; they do not reveal if the AMI is outdated. Option C is wrong because AWS Systems Manager Patch Manager is used to patch running instances, not to check an AMI ID for known vulnerabilities; it operates on instances, not on AMI metadata or security bulletins.

251
Multi-Selecthard

Which THREE of the following are valid techniques to protect application programming interfaces (APIs) from abuse?

Select 3 answers
A.Use API gateways to enforce authentication and authorization policies.
B.Use JSON Web Tokens (JWT) without encryption.
C.Use only HTTP GET requests for all API calls.
D.Implement rate limiting and throttling.
E.Require API keys or OAuth tokens for every request.
AnswersA, D, E

Centralizes security controls.

Why this answer

API gateways act as a centralized policy enforcement point, intercepting all API traffic to validate authentication (e.g., OAuth 2.0, SAML) and authorization (e.g., RBAC, ABAC) before requests reach backend services. This prevents unauthorized access and ensures that only authenticated clients with proper permissions can invoke protected endpoints, directly mitigating abuse such as credential stuffing or privilege escalation.

Exam trap

The trap here is that candidates may think JWT without encryption is acceptable because JWTs are often signed (JWS), but the CCSP exam emphasizes that confidentiality is a separate requirement—signing alone does not protect sensitive data in the payload, and encryption (JWE) is mandatory when tokens contain private information.

252
MCQhard

A SaaS provider stores customer data in a multi-tenant database. A new regulation requires that data of former customers be completely erased within 30 days of account closure. Which process should the provider implement?

A.Physically destroy the hard drives containing the data.
B.Mark the data as deleted and exclude it from query results.
C.Overwrite the data with zeros using a secure delete tool.
D.Encrypt each customer's data with a unique key and delete the key upon account closure.
AnswerD

Crypto-shredding ensures data is effectively unrecoverable.

Why this answer

Option D is correct because it implements cryptographic erasure, which renders the data permanently inaccessible by deleting the unique encryption key. This approach satisfies the regulation's requirement for complete erasure within 30 days without physically destroying hardware or risking data remnants, as the encrypted data becomes irrecoverable without the key. In a multi-tenant SaaS environment, this method is efficient, scalable, and avoids service disruption to other tenants sharing the same storage.

Exam trap

ISC2 often tests the distinction between logical deletion (soft delete) and cryptographic erasure, trapping candidates who think marking data as deleted or overwriting with zeros is sufficient in a multi-tenant cloud environment, where shared storage and data redundancy make physical overwrite impractical.

How to eliminate wrong answers

Option A is wrong because physically destroying hard drives is impractical for a multi-tenant database, as it would destroy data for all customers, not just former ones, and violates the principle of shared infrastructure. Option B is wrong because marking data as deleted and excluding it from query results only hides the data logically; the underlying data remains on the storage medium and could be recovered through forensic tools, failing the regulation's requirement for complete erasure. Option C is wrong because overwriting data with zeros using a secure delete tool is not feasible in a multi-tenant database environment where data is stored in shared blocks and may be subject to wear-leveling, snapshots, or copy-on-write mechanisms that prevent guaranteed overwrite of all copies.

253
Drag & Dropmedium

Drag and drop the steps for implementing a secure DevOps (DevSecOps) pipeline in a cloud environment into the correct order.

Why this order

First SAST at commit, then DAST in staging, IaC scanning, policy enforcement, and runtime monitoring.

254
MCQmedium

A cloud application uses a third-party identity provider (IdP) for SSO. The security team notices that tokens are being reused across different applications. Which token binding mechanism should be implemented?

A.Use of bearer tokens without additional protection
B.Short token expiration times
C.Token binding to TLS session
D.Audience restriction
AnswerC

Token binding ties the token to a specific TLS connection.

Why this answer

Token binding cryptographically ties an access token to a specific TLS session, preventing token export and replay across different applications. This directly addresses the reuse of tokens across applications by binding the token to the TLS layer, so even if an attacker intercepts the token, it cannot be used with a different TLS connection. RFC 8471 defines token binding for OAuth 2.0, ensuring the token is only valid when presented over the same TLS channel that was established during issuance.

Exam trap

ISC2 often tests the distinction between token binding and audience restriction, where candidates mistakenly think audience restriction prevents reuse across applications, but audience restriction only limits which application can accept the token, not that the token is bound to a specific TLS session.

How to eliminate wrong answers

Option A is wrong because bearer tokens without additional protection are inherently vulnerable to replay and reuse, which is exactly the problem described in the scenario. Option B is wrong because short token expiration times reduce the window of opportunity but do not prevent token reuse across applications during the token's lifetime; an attacker can still replay the token within that window. Option D is wrong because audience restriction limits which application can accept the token based on the 'aud' claim, but it does not prevent the token from being reused across different applications if the attacker can present it to the intended audience; it controls scope, not binding to a specific session.

255
MCQmedium

A cloud security auditor is assessing a company's data classification policy for their cloud environment. Which finding would be considered a critical deficiency?

A.The data classification policy is reviewed annually.
B.The policy does not specify retention periods for each classification.
C.Employees receive data classification training once during onboarding.
D.The data classification scheme does not include labels for public, internal, confidential, and restricted.
AnswerD

Classes are essential for mapping controls to data sensitivity.

Why this answer

Without data classification labels, it is impossible to enforce appropriate controls, so Option D is the critical deficiency. The other options are important but not as fundamental as missing labels.

256
MCQhard

A company uses a cloud-based file storage service and wants to enable client-side encryption to prevent the cloud provider from accessing plaintext data. Which of the following MUST be implemented?

A.Server-side encryption with customer-provided keys (SSE-C)
B.Envelope encryption with a master key stored on-premises
C.Transport Layer Security (TLS) for all uploads
D.Key management service (KMS) with auto-rotation
AnswerB

Envelope encryption allows client-side encryption; master key on-premises ensures provider cannot access.

Why this answer

Client-side encryption requires that encryption keys are never accessible to the cloud provider. Envelope encryption with a master key stored on-premises ensures the data encryption key (DEK) is encrypted by a master key that remains under the customer's exclusive control, so the cloud service never has the plaintext key or data. This satisfies the requirement of preventing the provider from accessing plaintext data.

Exam trap

ISC2 often tests the distinction between server-side and client-side encryption, where candidates mistakenly think SSE-C or KMS with customer keys qualifies as client-side encryption, but the key differentiator is whether the cloud provider ever has access to the plaintext key or performs any cryptographic operation on the data.

How to eliminate wrong answers

Option A is wrong because server-side encryption with customer-provided keys (SSE-C) still involves the cloud provider performing the encryption/decryption on its servers, meaning the provider temporarily accesses the plaintext key and data during processing. Option C is wrong because Transport Layer Security (TLS) protects data in transit but does not protect data at rest; once the data reaches the cloud provider's servers, it is decrypted and stored in plaintext unless additional encryption is applied. Option D is wrong because a key management service (KMS) with auto-rotation typically stores the master key in the cloud provider's infrastructure, giving the provider potential access to the key material and thus the plaintext data.
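Question 252 (cryptographic erasure of a former tenant's data) and question 256 (envelope encryption with a customer-held master key) describe the same key hierarchy from two angles. The following added example, which is not code from the question bank or from any vendor SDK, shows both: each tenant gets its own data encryption key (DEK), every DEK is wrapped under one master key (KEK) that the customer keeps, and closing an account deletes only the wrapped DEK. The symmetric cipher is a stand-in built from HMAC-SHA256 so the script runs with the standard library alone; a production system would use AES-GCM from a vetted library and hold the KEK in an on-premises HSM or KMS.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    """Derive separate encryption and MAC keys from one secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """PRF in counter mode: block i = HMAC(enc_key, nonce || i)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag (stand-in for AES-GCM)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext altered or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class TenantVault:
    """One DEK per tenant, each wrapped by the customer-held master key (KEK)."""

    def __init__(self, master_key):
        self._kek = master_key      # never leaves the customer; the provider only sees wrapped DEKs
        self._wrapped_deks = {}     # tenant_id -> DEK encrypted under the KEK
        self.store = {}             # tenant_id -> ciphertext records in shared storage

    def onboard(self, tenant_id):
        dek = os.urandom(32)
        self._wrapped_deks[tenant_id] = encrypt(self._kek, dek)
        self.store[tenant_id] = []

    def _dek(self, tenant_id):
        if tenant_id not in self._wrapped_deks:
            raise KeyError(f"no key for tenant {tenant_id!r}: shredded or never onboarded")
        return decrypt(self._kek, self._wrapped_deks[tenant_id])

    def put(self, tenant_id, record):
        self.store[tenant_id].append(encrypt(self._dek(tenant_id), record))

    def get_all(self, tenant_id):
        dek = self._dek(tenant_id)
        return [decrypt(dek, blob) for blob in self.store[tenant_id]]

    def crypto_shred(self, tenant_id):
        """Account closure: destroy only the wrapped DEK. Ciphertext may linger in shared
        blocks, snapshots or replicas, but nothing can decrypt it any more."""
        del self._wrapped_deks[tenant_id]


def roundtrip_ok(message):
    key = os.urandom(32)
    return decrypt(key, encrypt(key, message)) == message


def tamper_detected(message):
    key = os.urandom(32)
    blob = bytearray(encrypt(key, message))
    blob[NONCE_LEN] ^= 0x01            # flip one bit after the nonce
    try:
        decrypt(key, bytes(blob))
        return False
    except ValueError:
        return True


def demo():
    """Two tenants share storage; shredding one leaves the other fully readable."""
    vault = TenantVault(os.urandom(32))
    vault.onboard("acme")
    vault.onboard("globex")
    vault.put("acme", b"acme: customer list")      # constructed sample records
    vault.put("globex", b"globex: invoices")
    vault.crypto_shred("acme")
    try:
        vault.get_all("acme")
        acme_recoverable = True
    except KeyError:
        acme_recoverable = False
    return {"acme_recoverable": acme_recoverable,
            "acme_blobs_still_stored": len(vault.store["acme"]),
            "globex_records": vault.get_all("globex")}
```

The design point is that the provider's storage layer only ever holds ciphertext and wrapped DEKs; the KEK is the single object the customer must protect and, for erasure, the wrapped DEK is the single object that must be destroyed, which is why the 30-day deadline can be met without touching shared disks.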

257
MCQeasy

A company is moving a legacy application to the cloud. The application uses hard-coded passwords for database connections. Which secure development practice should be implemented to address this issue?

A.Multi-factor authentication
B.Input validation
C.Encryption at rest
D.Secrets management
AnswerD

Secrets management securely stores and retrieves credentials, removing the need for hard-coded passwords.

Why this answer

Hard-coded passwords in application code violate the principle of least privilege and create a persistent security risk if the code is exposed. Secrets management (D) addresses this by storing database credentials in a secure, centralized vault (e.g., HashiCorp Vault, AWS Secrets Manager) and retrieving them at runtime via API calls, eliminating the need to embed passwords in source code or configuration files.

Exam trap

ISC2 often tests the distinction between 'encryption at rest' (protecting stored data) and 'secrets management' (protecting credentials used to access that data), leading candidates to confuse data protection with credential protection.

How to eliminate wrong answers

Option A is wrong because multi-factor authentication (MFA) is an identity verification mechanism for user access, not a method to securely store or manage application-level database credentials. Option B is wrong because input validation prevents injection attacks (e.g., SQL injection) by sanitizing user-supplied data, but it does not address the storage or retrieval of hard-coded passwords. Option C is wrong because encryption at rest protects data stored on disk (e.g., database files) from unauthorized access, but it does not prevent the exposure of credentials hard-coded in application code or configuration.

258
MCQmedium

A company wants to enforce that all API calls to its cloud services are authenticated and authorized. Which design pattern should be implemented?

A.Implement OAuth 2.0 with scopes
B.Use API keys with IP whitelisting
C.Allow basic authentication over HTTPS
D.Use shared secrets with HMAC
AnswerA

OAuth 2.0 with scopes enables delegated, scoped access.

Why this answer

OAuth 2.0 with scopes is the correct design pattern because it provides a standardized, token-based authorization framework that allows fine-grained access control to API resources. Scopes define specific permissions (e.g., read, write) and are validated by the resource server, ensuring that each API call is both authenticated (via the access token) and authorized (via the scopes). This aligns with the principle of least privilege and is widely adopted for securing cloud APIs.

Exam trap

The trap here is that candidates often confuse authentication (verifying identity) with authorization (granting permissions) and choose a method like API keys or basic auth that only authenticates, failing to address the authorization requirement explicitly stated in the question.

How to eliminate wrong answers

Option B is wrong because API keys with IP whitelisting only authenticate the client application, not the user or the request context, and IP whitelisting can be bypassed via spoofing or compromised networks; it lacks granular authorization. Option C is wrong because basic authentication over HTTPS sends credentials (username/password) in every request, which is vulnerable to credential leakage if the client or server is compromised, and it does not support scoped authorization. Option D is wrong because shared secrets with HMAC provide message integrity and authentication but do not offer a standardized way to enforce fine-grained authorization scopes; managing shared secrets at scale is also a security risk.

259
MCQhard

A multinational corporation uses a cloud access security broker (CASB) to enforce data protection policies across multiple SaaS applications. They discover that sensitive data tagged with 'Confidential' is being shared externally via a file-sharing application. The CASB currently only logs activities. Which action should the security team take to prevent such data loss in the future?

A.Encrypt all files stored in the file-sharing application.
B.Revoke user access to the file-sharing application for all employees.
C.Train employees on data handling policies.
D.Implement a DLP policy that automatically blocks sharing of documents with the 'Confidential' label.
AnswerD

Directly prevents the identified data loss scenario.

Why this answer

Option D is correct because a CASB with Data Loss Prevention (DLP) capabilities can enforce real-time policies to block sharing of documents tagged with a specific sensitivity label (e.g., 'Confidential'). Since the CASB currently only logs activities, implementing a DLP policy that automatically blocks the sharing action addresses the root cause—preventing the data loss at the point of egress—rather than merely detecting it after the fact.

Exam trap

ISC2 often tests the distinction between detection (logging) and prevention (blocking), and the trap here is that candidates may choose training (Option C) as a 'best practice' without recognizing that the question explicitly asks for a technical action to prevent data loss, which requires an automated enforcement mechanism like DLP.

How to eliminate wrong answers

Option A is wrong because encrypting all files in the file-sharing application does not prevent sharing; encryption protects data at rest but does not control who can access or share the decrypted content. Option B is wrong because revoking access for all employees is an overly drastic measure that disrupts business operations and does not address the need for granular, policy-based control over specific data labels. Option C is wrong because training employees on data handling policies is a preventive administrative control, but it does not provide a technical enforcement mechanism to automatically block sharing of 'Confidential' documents in real time, leaving the organization reliant on human compliance.

260
MCQeasy

A company uses an Infrastructure as a Service (IaaS) provider for critical applications. They need to define a backup retention policy that meets regulatory requirements for keeping financial records for 7 years. Which of the following strategies best meets this requirement while optimizing costs?

A.Perform daily full backups and retain all backups for 7 years.
B.Perform daily backups, keep weekly backups for 3 months, monthly for 1 year, and yearly for 7 years in cold storage.
C.Replicate all backups to a secondary region with snapshots kept for 7 years.
D.Use a grandfather-father-son rotation scheme with weekly, monthly, and yearly backups.
AnswerB

This tiered retention reduces costs while meeting the 7-year requirement.

Why this answer

Option B is correct because it implements a tiered backup retention strategy that aligns with the 7-year regulatory requirement while minimizing storage costs. By transitioning weekly backups to cold storage after 3 months, monthly backups after 1 year, and yearly backups for the full 7 years, the company reduces the cost of storing infrequently accessed data. This approach leverages the IaaS provider's lifecycle management policies (e.g., AWS S3 Lifecycle or Azure Blob Storage access tiers) to automatically move backups to lower-cost storage classes like Glacier or Archive, which are optimized for long-term retention.

Exam trap

ISC2 often tests the misconception that a simple rotation scheme (like grandfather-father-son) alone satisfies both retention and cost optimization, but the trap is that rotation schemes define retention cycles without addressing storage tiering or cold storage, which is essential for cost-effective long-term retention in the cloud.

How to eliminate wrong answers

Option A is wrong because performing daily full backups and retaining all for 7 years incurs excessive storage costs and is operationally inefficient, as it does not leverage incremental or differential backup strategies or tiered storage to reduce expenses. Option C is wrong because replicating all backups to a secondary region with snapshots kept for 7 years provides geographic redundancy but does not inherently optimize costs; it duplicates storage costs across regions without a tiered retention policy, leading to unnecessary expense. Option D is wrong because a grandfather-father-son rotation scheme is a tape-based backup rotation method that defines retention cycles (e.g., daily, weekly, monthly) but does not specify storage tier optimization or cold storage transition, and it may not meet a strict 7-year retention requirement without additional configuration; it is a legacy concept not directly tied to cloud cost optimization.

261
MCQhard

Refer to the exhibit. A data sync job fails with the error shown. The IAM role 'data-sync-role' has the following policy attached: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:*:*:data-bucket-2024/*" } ] } What is the MOST likely cause of the failure?

A.The resource ARN in the policy is incorrectly formatted, causing the action to not be applied.
B.The role 'data-sync-role' is not attached to the sync job.
C.The bucket 'data-bucket-2024' does not exist.
D.There is an explicit Deny policy blocking the action.
AnswerA

The ARN uses wildcards in the wrong positions; S3 object ARNs require bucket name and key without account or region.

Why this answer

Option A is correct. The resource ARN in the policy uses wildcards incorrectly: 'arn:aws:s3:*:*:data-bucket-2024/*' is not a valid S3 object ARN. The correct format is 'arn:aws:s3:::data-bucket-2024/*'.

The malformed ARN means the policy does not actually grant access to the object. Option C is incorrect because the bucket exists. Option B is incorrect because the role is attached.

Option D is incorrect because there is no explicit deny.
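A structural linter catches this class of mistake before a policy is deployed. The following is an added example, not AWS tooling and not code from the question bank; it implements the rule stated above (an S3 ARN is arn:partition:s3:::bucket[/key] with empty region and account fields) and reuses the policy printed in the question.

```python
import re
from dataclasses import dataclass

# DNS-compliant bucket name: 3-63 chars of lowercase letters, digits, dots, hyphens.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


@dataclass
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(arn):
    parts = arn.split(":", 5)          # the resource part may itself contain ':'
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])


def s3_arn_problems(arn):
    """Return a list of problems; an empty list means the ARN is well formed."""
    try:
        a = parse_arn(arn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if a.service != "s3":
        problems.append(f"service is {a.service!r}, expected 's3'")
    if a.region:
        problems.append(f"region field must be empty for S3, got {a.region!r}")
    if a.account:
        problems.append(f"account field must be empty for S3, got {a.account!r}")
    bucket = a.resource.split("/", 1)[0]
    if bucket != "*" and not BUCKET_RE.match(bucket):
        problems.append(f"{bucket!r} is not a valid bucket name")
    return problems


def check_policy(policy):
    """Map each Resource string in the policy to its list of problems."""
    report = {}
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        for r in resources if isinstance(resources, list) else [resources]:
            report[r] = s3_arn_problems(r)
    return report


# The policy from the question, with the ARN exactly as shown there.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:*:*:data-bucket-2024/*"}],
}
CORRECTED_ARN = "arn:aws:s3:::data-bucket-2024/*"
```

Running `check_policy(QUESTION_POLICY)` reports two problems for the question's ARN (non-empty region and account fields), while `CORRECTED_ARN` passes cleanly.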

262
MCQeasy

What is the primary purpose of a Data Processing Agreement (DPA) between a data controller and a cloud service provider?

A.To set data retention periods for processed data
B.To specify encryption algorithms to be used
C.To establish data backup and recovery procedures
D.To define roles and responsibilities for data processing
AnswerD

The DPA clarifies the controller-processor relationship.

Why this answer

A Data Processing Agreement (DPA) is a legally binding contract required under regulations like GDPR. Its primary purpose is to define the roles and responsibilities of the data controller and the data processor (the cloud service provider), ensuring the processor acts only on the controller's documented instructions and meets compliance obligations. Without a DPA, the controller cannot legally transfer data to the processor, as the agreement establishes the lawful basis and accountability for processing activities.

Exam trap

ISC2 often tests the distinction between legal/compliance documents (DPA) and operational/technical documents (SLA, security policies), so the trap here is confusing the DPA's role in defining processing roles with specific technical controls like encryption or backup procedures.

How to eliminate wrong answers

Option A is wrong because data retention periods are typically defined in a separate data retention policy or contract clause, not the DPA; the DPA focuses on processing instructions and compliance, not specific retention schedules. Option B is wrong because encryption algorithms are a technical security measure specified in a Security Addendum or SLA, not the DPA; the DPA addresses legal and contractual roles, not cryptographic implementation details. Option C is wrong because backup and recovery procedures are operational controls documented in a Business Continuity Plan or Disaster Recovery Plan, not the DPA; the DPA governs data processing boundaries and liability, not specific recovery steps.

263
MCQhard

A security engineer is investigating an incident where an attacker exploited a server-side request forgery (SSRF) vulnerability in a cloud application. The application runs on AWS and uses internal metadata endpoints. Which mitigation should be prioritized to prevent future SSRF attacks?

A.Implement input validation to block malicious URLs
B.Restrict outbound network access from the application instances using security groups
C.Deploy a web application firewall (WAF) to inspect outgoing requests
D.Disable the IMDSv1 endpoint and require IMDSv2 tokens
AnswerB

Egress filtering limits where the application can reach, so a forged request cannot be turned into a pivot to other internal services; on AWS the link-local metadata endpoint (169.254.169.254) is not covered by security groups and needs IMDSv2 or a host firewall rule as well.

Why this answer

Option B is correct because restricting outbound traffic from the application instances with security groups (deny-by-default egress that allows only the destinations the application legitimately needs) stops a forged request from reaching other internal services no matter how the attacker spells the URL. It is enforced at the network layer rather than in the application code that has already been shown to be exploitable, and it does not depend on inspecting request content. A practitioner's caveat: security groups and NACLs do not apply to the instance metadata service, which is link-local and answered on the instance itself, so egress filtering must be paired with IMDSv2 (session token required, hop limit 1) or a host-level firewall rule that blocks 169.254.169.254 for the application's user.

Exam trap

ISC2 often tests the misconception that input validation or a WAF is sufficient to stop SSRF, when the more durable mitigation is egress filtering that limits what the application can reach (on AWS, combined with IMDSv2 for the metadata endpoint specifically).

How to eliminate wrong answers

Option A is wrong because URL validation alone is routinely bypassed with alternative encodings of the same target (decimal or hexadecimal IP forms, IPv4-mapped IPv6 addresses, a userinfo prefix, redirects, DNS rebinding) and does not change the fact that the application makes outbound requests to attacker-chosen destinations; it is a useful layer, not the primary control. Option C is wrong because a web application firewall inspects inbound HTTP requests; it does not sit on the path of the outbound requests the application server itself makes, which is where SSRF does its damage. Option D is wrong as the single prioritised control because requiring IMDSv2 hardens only the metadata service: it defeats the classic credential theft via SSRF to 169.254.169.254 but does nothing about forged requests to databases, admin consoles, other instances or external systems. In practice you do both, IMDSv2 for the metadata endpoint and egress restriction for everything else.
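As an added illustration, not part of the original question bank, the following Python shows the application-side check that has to sit alongside egress filtering: it canonicalizes the target of a user-supplied URL, including the decimal, hexadecimal, userinfo and IPv4-mapped spellings mentioned above, resolves hostnames, and refuses link-local and private ranges. The resolver is injectable so the sample runs offline; the hostnames and addresses in the demo are constructed, and the metadata.internal name is hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations a user-supplied URL must never reach. 169.254.0.0/16 contains the
# instance metadata endpoint (169.254.169.254), which is link-local and therefore
# not filtered by security groups or NACLs; it has to be blocked here or on the host.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}


def canonical_ip(host):
    """Return an ip_address if host is an IP literal in any spelling libc accepts
    (dotted, decimal "2852039166", hex "0xa9fea9fe", octal "0251.0376.0251.0376"),
    else None. A naive string comparison against "169.254.169.254" misses all of these."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        # inet_aton accepts the same loose forms as libc/curl, so it turns the
        # attacker's spelling back into the dotted address it really targets.
        return ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))
    except OSError:
        return None


def check_outbound_target(url, resolve=socket.gethostbyname):
    """Decide whether the application may fetch url.

    Returns (allowed, reason, pinned_ip). Callers must connect to pinned_ip rather
    than re-resolving the name; otherwise a DNS-rebinding server can answer with a
    public address during this check and 169.254.169.254 at connect time."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme, None
    host = parts.hostname  # strips userinfo ("user@") and IPv6 brackets
    if not host:
        return False, "no host in URL", None
    ip = canonical_ip(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(resolve(host))
        except (OSError, ValueError) as exc:
            return False, "cannot resolve %s: %s" % (host, exc), None
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:169.254.169.254 hides an IPv4 target
    if mapped is not None:
        ip = mapped
    for net in BLOCKED_NETWORKS:
        if ip in net:
            return False, "%s -> %s is inside blocked range %s" % (host, ip, net), None
    return True, "ok", str(ip)


# Constructed resolver so the demo runs offline; metadata.internal is hypothetical.
FAKE_DNS = {"api.example.org": "203.0.113.10", "metadata.internal": "169.254.169.254"}


def demo():
    urls = [
        "https://api.example.org/v1/orders",
        "http://169.254.169.254/latest/meta-data/",
        "http://2852039166/latest/meta-data/",          # decimal spelling
        "http://0xa9fea9fe/latest/meta-data/",          # hex spelling
        "http://api.example.org@169.254.169.254/",      # userinfo trick
        "http://[::ffff:169.254.169.254]/",             # IPv4-mapped IPv6
        "http://metadata.internal/",                    # name resolving to link-local
        "file:///etc/passwd",
    ]
    return {u: check_outbound_target(u, FAKE_DNS.get) for u in urls}


if __name__ == "__main__":
    for url, (allowed, reason, ip) in demo().items():
        print("%-5s %-45s %s" % ("ALLOW" if allowed else "DENY", url, reason))
```

The check is deliberately a second layer: even with it in place, the instance's egress rules and IMDSv2 remain the controls that hold when the application code is wrong.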

264
MCQhard

An organization uses cloud databases and needs to protect sensitive fields such as credit card numbers. They want to preserve the ability to perform exact match searches and joins on these fields. Which data protection technique best meets these requirements?

A.Tokenization with a secure token vault
B.Format-preserving encryption (FPE)
C.Dynamic data masking
D.Deterministic encryption
AnswerA

Tokens can be designed to preserve format and allow exact match joins.

Why this answer

Tokenization with a secure token vault is correct because it replaces sensitive data (e.g., credit card numbers) with unique, randomly generated tokens that have no mathematical relationship to the original values. The token vault stores the mapping, allowing exact match searches and joins on the tokens while keeping the original data secure, as the tokens are consistent for the same input value.

Exam trap

ISC2 often tests the distinction between tokenization and deterministic encryption. Candidates pick deterministic encryption because it also supports exact-match search, overlooking that tokenization removes the mathematical link between token and original value, so there is no key whose compromise reverses every record. Be precise about what tokenization does not fix: because the same value must always yield the same token for joins to work, consistent tokens leak equality and frequency information exactly as deterministic ciphertext does; the advantage is the absence of a reversible key, not immunity to frequency analysis.

How to eliminate wrong answers

Option B (Format-preserving encryption) is wrong because FPE output is still ciphertext under a key: a key compromise exposes every protected value, and the key lifecycle (generation, rotation, access) has to be managed by the customer in the cloud, whereas tokens have no key to compromise. Option C (Dynamic data masking) is wrong because it only alters what is shown to unauthorized users at query time; the original values remain stored in the database and are fully exposed to anyone who reaches the data through a path the masking rules do not cover. Option D (Deterministic encryption) is wrong because, although it supports exact-match search by always producing the same ciphertext for a given plaintext, the values remain reversible with the key, so a key compromise recovers the full data set; it also leaks equality and frequency information, which consistent tokens leak as well, so that is not what separates the two.
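To make the comparison concrete, here is an added Python example (not from the question bank) that tokenizes a card-number column two ways, with a vault and with a toy deterministic cipher, then runs the same exact-match join over both and compares their frequency profiles. The rows use well-known test PANs and are constructed; the XOR cipher is a stand-in for a real deterministic mode such as AES-SIV and is not secure.

```python
import hashlib
import secrets
from collections import Counter

# Constructed sample rows using well-known test PANs, not real card numbers.
ORDERS = [("o1", "4111111111111111"), ("o2", "5555555555554444"),
          ("o3", "4111111111111111"), ("o4", "4012888888881881")]
CHARGEBACKS = [("c1", "4111111111111111"), ("c2", "4012888888881881")]


class TokenVault:
    """Vault-backed tokenization. Tokens are random digits (here keeping the last
    four, a common format-preserving choice) with no mathematical link to the PAN;
    the only way back is the mapping held inside the vault. The same PAN always
    gets the same token, which is what keeps exact-match search and joins working."""

    def __init__(self, rng=secrets.randbelow):
        self._pan_to_token = {}
        self._token_to_pan = {}
        self._rng = rng

    def tokenize(self, pan):
        token = self._pan_to_token.get(pan)
        if token is None:
            while True:
                token = "%012d%s" % (self._rng(10 ** 12), pan[-4:])
                if token not in self._token_to_pan and token != pan:
                    break
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return token

    def detokenize(self, token):
        return self._token_to_pan[token]


def toy_det_encrypt(key, pan):
    """Toy deterministic, reversible encryption (XOR with a key-derived pad) used
    only to show the equality-preserving property; stand-in for a real
    deterministic mode such as AES-SIV, and not secure in itself."""
    pad = hashlib.sha256(key).digest()
    return bytes(p ^ k for p, k in zip(pan.encode(), pad)).hex()


def toy_det_decrypt(key, ciphertext):
    pad = hashlib.sha256(key).digest()
    return bytes(c ^ k for c, k in zip(bytes.fromhex(ciphertext), pad)).decode()


def protect(rows, fn):
    return [(row_id, fn(pan)) for row_id, pan in rows]


def join_ids(left, right):
    """Exact-match join on the protected column. Works identically for vault tokens
    and deterministic ciphertext, because equal inputs map to equal outputs."""
    index = {}
    for row_id, value in right:
        index.setdefault(value, []).append(row_id)
    return sorted((l_id, r_id) for l_id, value in left for r_id in index.get(value, []))


def frequency_profile(rows):
    """Sorted repeat counts of the protected column. Identical to the plaintext
    profile for both techniques: consistent tokens leak equality and frequency just
    as deterministic encryption does. What the vault removes is key-based reversal."""
    return sorted(Counter(value for _, value in rows).values(), reverse=True)


if __name__ == "__main__":
    vault, key = TokenVault(), b"constructed-demo-key"
    for label, fn in (("vault tokens", vault.tokenize),
                      ("deterministic encryption", lambda pan: toy_det_encrypt(key, pan))):
        left, right = protect(ORDERS, fn), protect(CHARGEBACKS, fn)
        print(label, "join:", join_ids(left, right), "profile:", frequency_profile(left))
    print("plaintext profile:", frequency_profile(ORDERS))
    stolen = protect(ORDERS, lambda pan: toy_det_encrypt(key, pan))[0][1]
    print("key compromise reverses ciphertext:", toy_det_decrypt(key, stolen))
```

Both techniques produce the same join result and the same frequency profile; the difference that matters for the exam answer is the last line, where a stolen key reverses every deterministic ciphertext while a stolen token table without the vault reveals nothing.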

265
Drag & Dropmedium

Drag and drop the steps for conducting a cloud security risk assessment using the NIST CSF framework into the correct order.

Why this order

Start with identification of assets and context, then threat and vulnerability assessment, risk analysis (likelihood and impact), risk treatment, and ongoing monitoring. This is the generic risk assessment flow (as in NIST SP 800-30) that feeds the risk assessment activities under the CSF Identify function.

266
Multi-Selecteasy

Which TWO of the following are examples of data sovereignty laws that directly affect cloud data storage?

Select 2 answers
A.General Data Protection Regulation (GDPR)
B.Sarbanes-Oxley Act (SOX)
C.California Consumer Privacy Act (CCPA)
D.Payment Card Industry Data Security Standard (PCI DSS)
E.Health Insurance Portability and Accountability Act (HIPAA)
AnswersA, C

GDPR restricts where, and under what safeguards, EU residents' personal data may be transferred and stored.

Why this answer

The General Data Protection Regulation (GDPR) is treated as a data sovereignty law because Chapter V restricts transfers of EU residents' personal data outside the EEA: data may be moved only to countries with an adequacy decision or under appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). That directly constrains which cloud regions and which provider entities may hold the data, so cloud customers must verify their provider's storage regions, support locations and transfer mechanisms rather than assuming any region is acceptable.

Exam trap

ISC2 often tests the distinction between data sovereignty (geographic storage restrictions) and data security/privacy regulations (which focus on protection controls but not location), causing candidates to mistakenly select PCI DSS or HIPAA as sovereignty laws when they are actually security and privacy frameworks without territorial mandates.

267
MCQeasy

A company receives an erasure request under GDPR. The cloud provider can delete from active storage within 24 hours but requires 90 days to delete from archives. The company has a contractual obligation to ensure deletion within 30 days. What should the company do?

A.Delete the data from the application layer only and rely on provider for archives.
B.Accept the 90-day timeline and inform the data subject accordingly.
C.Request the provider to delete from archives within 30 days and verify.
D.Reject the request as impractical.
AnswerC

This actively pursues compliance with both the contract and GDPR by expediting deletion.

Why this answer

Option C is correct because the company has a contractual obligation to ensure deletion within 30 days, which overrides the provider's default 90-day archive retention policy. The company must formally request the provider to expedite the deletion from archives and verify compliance, as GDPR Article 17 requires the controller to ensure erasure without undue delay, and the provider as processor must assist. Relying on the provider's standard timeline without action would breach the contract and GDPR accountability requirements.

Exam trap

ISC2 often tests the misconception that a cloud provider's default retention policy absolves the controller of contractual or regulatory deadlines, when in fact the controller must actively manage the processor's actions or employ alternative technical controls like key destruction to meet the timeline.

How to eliminate wrong answers

Option A is wrong because deleting only from the application layer while leaving data in archives violates the GDPR erasure principle, as the data remains accessible and recoverable, and the controller remains responsible for complete deletion. Option B is wrong because accepting the 90-day timeline and merely informing the data subject does not fulfill the contractual obligation of 30-day deletion, and GDPR does not allow the controller to unilaterally extend the erasure deadline based on the processor's limitations. Option D is wrong because rejecting the request as impractical ignores the controller's duty to use contractual leverage or technical measures (e.g., encryption key destruction) to meet the 30-day deadline, and GDPR does not permit refusal solely due to archive retention policies.

268
MCQhard

An AWS S3 bucket policy is configured as shown in the exhibit. The security team wants to ensure that only requests from the corporate IP range (203.0.113.0/24) can read objects in the bucket. However, they notice that a CloudFront distribution configured to serve content from this bucket is returning 403 Forbidden errors. What is the MOST likely cause?

A.The bucket policy has a syntax error in the Condition block.
B.There is an implicit deny that overrides the explicit allow.
C.The bucket policy does not allow the s3:GetObject action.
D.CloudFront requests originate from CloudFront IP addresses, not the end user's IP.
AnswerD

The condition on aws:SourceIp checks the IP of the requestor, which is CloudFront's IP, not the viewer's IP.

Why this answer

D is correct because when CloudFront fetches objects from an S3 origin it connects from its own origin-facing IP addresses, not from the viewer's address. The bucket policy allows only 203.0.113.0/24, CloudFront's addresses fall outside that range, so S3 denies the origin fetch and the viewer sees a 403 Forbidden. The remedy is to stop keying the bucket policy on the viewer IP: grant the CloudFront service principal access through an origin access control (OAC) scoped to the distribution ARN, and enforce the corporate IP restriction at the edge (for example with an AWS WAF IP set on the distribution).

Exam trap

ISC2 often tests the misconception that the end user's IP address is preserved through a CDN or proxy, leading candidates to incorrectly assume the bucket policy's IP restriction will work as intended.

How to eliminate wrong answers

Option A is wrong because the Condition block syntax is valid; the policy uses standard AWS IAM policy language with IpAddress condition key, and there is no syntax error indicated. Option B is wrong because there is no implicit deny overriding the explicit allow; the issue is that the condition does not match CloudFront's source IP, not a deny override. Option C is wrong because the policy explicitly allows the s3:GetObject action for the specified IP range, so the action is permitted when the condition is met.

269
MCQmedium

A medium-sized e-commerce company uses a cloud provider's container orchestration service (e.g., Amazon ECS or Google Kubernetes Engine). They have a security requirement to ensure that all containers run with the least privilege principle. The development team often requests containers to run as root for debugging purposes. The security team wants to enforce a policy that prevents containers from running as root in the production environment. However, the development team still needs the ability to troubleshoot occasionally. The cloud security architect must design a solution that restricts root privilege in production but allows controlled troubleshooting. Which of the following approaches is the most effective?

A.Allow containers to run as root but configure host-based intrusion detection to alert on suspicious activities.
B.Grant developers SSH access to the host nodes for troubleshooting.
C.Use a security context constraint (or PodSecurityPolicy) to deny all containers running as root, and require developers to use a sidecar container for debugging.
D.Create two separate clusters, one for production with root restriction, and one for debugging where root is allowed.
AnswerC

Enforces non-root and provides controlled debugging via sidecar.

Why this answer

Option C is correct because an admission-time policy (OpenShift security context constraints, the Kubernetes Pod Security Admission 'restricted' profile, or a policy engine such as OPA Gatekeeper or Kyverno; PodSecurityPolicy filled this role until its removal in Kubernetes 1.25) rejects any pod whose containers would run as UID 0, which enforces least privilege rather than merely detecting violations after the fact. Troubleshooting then happens in a separate, audited debugging container (a sidecar, or an ephemeral container attached with kubectl debug) that carries only the tooling needed and is itself subject to the same admission policy, so debugging never becomes a standing root exception for the application container.

Exam trap

ISC2 often tests the misconception that allowing root in containers with monitoring (Option A) or using separate clusters (Option D) is acceptable, but the CCSP emphasizes that least privilege must be enforced at the container level, not compensated for by external controls.

How to eliminate wrong answers

Option A is wrong because allowing containers to run as root and relying solely on host-based intrusion detection (HIDS) does not prevent the violation of the least privilege principle; root access in containers can still lead to container breakout or privilege escalation before any alert is triggered. Option B is wrong because granting developers SSH access to host nodes undermines the security boundary, as it exposes the underlying host OS and potentially other containers, violating the principle of isolation and increasing the attack surface. Option D is wrong because maintaining two separate clusters (production and debugging) introduces operational complexity, configuration drift, and does not enforce least privilege in production; developers might still need root access in production for debugging, which the separate cluster does not address without additional controls.
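An added example (not from the question bank) of what the admission check in Option C actually evaluates: a small Python model of the Pod Security Standards 'restricted' checks that bear on the root question, run against a constructed manifest the developers ask for and the hardened manifest production admits, with and without a debug container. The pod manifests, image names and UIDs are constructed; in a real cluster the same enforcement comes from labelling the namespace pod-security.kubernetes.io/enforce=restricted, and this model covers only a subset of that profile.

```python
import copy

# Constructed manifests. ROOT_DEBUG_POD is what the developers request;
# PRODUCTION_POD is what the restricted policy admits.
ROOT_DEBUG_POD = {"apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "shop-api", "namespace": "prod"},
    "spec": {"containers": [{"name": "api", "image": "registry.example.test/shop-api:1.4",
                             "securityContext": {"runAsUser": 0}}]}}

RESTRICTED_SC = {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                 "capabilities": {"drop": ["ALL"]},
                 "seccompProfile": {"type": "RuntimeDefault"}}

PRODUCTION_POD = {"apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "shop-api", "namespace": "prod"},
    "spec": {"securityContext": {"runAsUser": 10001, "runAsGroup": 10001},
             "containers": [{"name": "api", "image": "registry.example.test/shop-api:1.4",
                             "securityContext": dict(RESTRICTED_SC)}]}}


def restricted_violations(pod):
    """Subset of the Pod Security Standards 'restricted' profile relevant here:
    runAsNonRoot, no UID 0, no privilege escalation, no privileged mode, all
    capabilities dropped, a seccomp profile set. Like the real admission
    controller it inspects init and ephemeral (kubectl debug) containers too,
    so a debug container cannot become a back door to root."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    problems = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind, []):
            sc = c.get("securityContext", {})
            where = "%s/%s" % (kind, c.get("name", "?"))
            if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
                problems.append(where + ": runAsNonRoot must be true")
            if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
                problems.append(where + ": runAsUser 0 is forbidden")
            if sc.get("allowPrivilegeEscalation") is not False:
                problems.append(where + ": allowPrivilegeEscalation must be false")
            if sc.get("privileged"):
                problems.append(where + ": privileged is forbidden")
            if "ALL" not in sc.get("capabilities", {}).get("drop", []):
                problems.append(where + ": capabilities.drop must include ALL")
            seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
            if seccomp not in ("RuntimeDefault", "Localhost"):
                problems.append(where + ": seccompProfile must be RuntimeDefault or Localhost")
    return problems


def with_debug_container(pod, image, as_root=False):
    """Return a copy of pod with the ephemeral container kubectl debug would add.
    A root debug container fails the same policy; a hardened one is admitted."""
    out = copy.deepcopy(pod)
    sc = {"runAsUser": 0} if as_root else dict(RESTRICTED_SC, runAsUser=10001)
    out["spec"].setdefault("ephemeralContainers", []).append(
        {"name": "debugger", "image": image, "targetContainerName": "api",
         "command": ["sh"], "stdin": True, "tty": True, "securityContext": sc})
    return out


if __name__ == "__main__":
    cases = [("root request", ROOT_DEBUG_POD), ("production", PRODUCTION_POD),
             ("production + root debug", with_debug_container(PRODUCTION_POD, "busybox", as_root=True)),
             ("production + hardened debug", with_debug_container(PRODUCTION_POD, "busybox"))]
    for label, pod in cases:
        v = restricted_violations(pod)
        print(label, "->", "admitted" if not v else "REJECTED: " + "; ".join(v))
```

The third case is the point of the question: the debugging path is allowed, but only when the debug container satisfies the same non-root policy as the workload it attaches to.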

270
MCQmedium

A cloud customer is migrating a legacy application to a cloud platform. The application currently runs on physical servers and uses local storage. The migration plan involves rehosting the application on virtual machines (VMs) in the cloud. The security team wants to ensure that the VMs are properly hardened before deployment. During the migration testing, the team discovers that the base image used for the VMs contains several unnecessary services and default credentials. The team is concerned that these vulnerabilities could be exploited. The cloud provider offers a shared responsibility model where the customer is responsible for securing the OS. Which of the following is the BEST course of action to address this issue?

A.Deploy the VMs and run vulnerability scans to identify and fix issues after deployment
B.Ask the cloud provider to provide a hardened OS image
C.Create a custom golden image with necessary hardening and approved software only
D.Deploy the VMs and manually apply security patches and remove services after deployment
AnswerC

Ensures consistent and secure base.

Why this answer

Option C is correct because creating a custom golden image allows the customer to enforce a hardened baseline that removes unnecessary services, disables default credentials, and includes only approved software before any VM is deployed. This aligns with the shared responsibility model, where the customer controls OS-level security, and prevents vulnerabilities from ever reaching production. Pre-hardening the image is more secure and efficient than fixing issues post-deployment, as it eliminates the window of exposure during initial boot and configuration.

Exam trap

The trap here is that candidates may choose Option D (manual patching after deployment) because it seems practical, but they overlook that this approach leaves VMs vulnerable during the initial boot and configuration phase, whereas pre-hardening the image eliminates that risk entirely.

How to eliminate wrong answers

Option A is wrong because deploying VMs with known weaknesses and relying on post-deployment scans leaves a window in which the VMs can be compromised before anyone acts on the findings, and it violates secure-by-default. Option B is wrong because, even where a provider or marketplace offers a hardened image, the customer still owns OS security under the shared responsibility model and must verify, customise and maintain that baseline; a generic hardened image will not match the organization's own approved-software list, so it can at most be a starting point for the golden image, not a substitute for it. Option D is wrong because manually patching and removing services after deployment is error-prone, slow, inconsistent across instances, and leaves each VM exposed between launch and remediation, which is especially dangerous when autoscaling launches instances without a human in the loop.

271
MCQhard

A cloud security team needs to implement a logging strategy that captures user activity, API calls, and resource changes across multiple cloud services. The logs must be tamper-proof and retained for at least one year. Which combination of actions best meets these requirements?

A.Stream all logs to a Security Information and Event Management (SIEM) system and retain raw logs for one year on standard storage.
B.Enable logging for all services, encrypt logs at rest, and store them in a centralized log management system.
C.Use separate logging accounts for each cloud service and retain logs in their native format.
D.Centralize logs into a dedicated log archive account with write-once-read-many (WORM) storage and enable anomaly detection alerts.
AnswerD

WORM storage prevents modification or deletion, meeting tamper-proof requirement.

Why this answer

Option D is correct because centralizing logs in a dedicated archive account with WORM (object-lock style) storage means that once a record is written it cannot be modified or deleted for the retention period, even by an administrator of the source account; that is what makes the logs tamper-resistant and satisfies the one-year retention, and anomaly detection alerts add monitoring on top. Option A is wrong because streaming to a SIEM and keeping raw logs on standard storage does nothing to stop deletion or alteration of the retained copy. Option B is wrong because encryption at rest protects confidentiality, not integrity: anyone with write access to the log store can still delete or overwrite logs. Option C is wrong because separate accounts per service create silos and retention gaps without addressing tamper resistance at all.

272
MCQeasy

A cloud operations team is setting up a new virtual network in the cloud. They need to segment traffic between different tiers of an application (web, application, database). Which security control should they implement?

A.Network access control lists and security groups
B.Intrusion detection system
C.Data loss prevention
D.Web application firewall
AnswerA

NACLs and security groups filter traffic based on rules, enabling segmentation.

Why this answer

Option A is correct because network access control lists (NACLs) and security groups filter traffic at the subnet and instance level respectively, which is how the web, application and database tiers are segmented so that, for example, only the application tier can reach the database port. Option B (IDS) detects suspicious traffic but does not control it. Option C (DLP) prevents sensitive data from leaving, not tier-to-tier traffic. Option D (WAF) protects web applications at layer 7 and does not segment tiers.

273
Multi-Selecthard

Which THREE of the following are key components of a cloud data governance framework?

Select 3 answers
A.Data retention policies
B.Data access controls
C.Data masking
D.Data classification
E.Data encryption at rest
AnswersA, B, D

Policies define how long data is kept and when to delete.

Why this answer

Data retention policies are a key component of a cloud data governance framework because they define the lifecycle of data, specifying how long data must be kept and when it should be securely deleted. This ensures compliance with legal, regulatory, and business requirements, such as GDPR or HIPAA, and prevents unnecessary storage costs and security risks from outdated data.

Exam trap

ISC2 often tests the distinction between governance components (policies, roles, processes) and technical security controls (encryption, masking), leading candidates to mistakenly select data masking or encryption as governance framework elements.

274
MCQmedium

A cloud operations team is implementing a logging strategy for their hybrid cloud environment. They need to ensure that logs from on-premises systems are collected and stored in a centralized cloud logging service with low latency. Which configuration is most appropriate?

A.Transfer logs via email attachments
B.Use a VPN connection and forward syslog directly to the cloud endpoint
C.Configure on-premises systems to send logs via syslog over the internet with TLS
D.Use a cloud logging agent on-premises that buffers and sends logs via HTTPS
AnswerB

Forwarding syslog over a site-to-site VPN gives an encrypted, consistently routed path with no intermediate store-and-forward stage.

Why this answer

Option B is correct because forwarding syslog across a site-to-site VPN to the cloud logging endpoint gives a direct, consistently routed and encrypted path, so events arrive as they are generated. Option C (syslog over the public internet with TLS) protects the data in transit but relies on unmanaged internet routing, which the question treats as a latency risk. Option D (a cloud logging agent that buffers locally) favours reliability over immediacy, since buffering adds delay by design. Option A (email attachments) is not a real-time transport at all. One practical note: inside the tunnel, use TCP or TLS syslog rather than UDP so that bursts are not silently dropped.

275
MCQmedium

A company has a disaster recovery (DR) plan that includes failing over to a secondary cloud region. The plan was tested six months ago and worked, but since then significant infrastructure changes have been made. Which of the following should the company do to ensure the DR plan remains effective?

A.Wait until the next annual DR test to verify the changes.
B.Automate the entire failover process to eliminate human error.
C.Update the DR documentation to reflect the changes and assume the plan still works.
D.Conduct a tabletop exercise now, followed by a partial failover test of critical applications.
AnswerD

Tabletop and partial failover identify gaps quickly and are less disruptive.

Why this answer

Option D is correct because a tabletop exercise walks the team through the changed environment quickly and cheaply, and a partial failover of the critical applications then proves that the changed infrastructure actually fails over, without the disruption of a full test. Option A is wrong because waiting for the annual test leaves the plan unverified against significant changes for months. Option B is wrong because automation reduces human error but still has to be validated after the changes; automating an untested plan only makes it fail faster. Option C is wrong because updating documentation without testing is an assumption, not evidence, that the plan still works.

276
Multi-Selectmedium

Which TWO of the following are common risk treatment options in cloud risk management?

Select 2 answers
A.Ignorance
B.Transference
C.Avoidance
D.Deletion
E.Acceptance
AnswersB, C

Transferring risk to a third party (for example through insurance or contract) and avoiding the risky activity altogether are both standard treatment options.

Why this answer

Options B and C are correct: transference (transfer) and avoidance are two of the four standard risk treatment options. Acceptance (Option E) is also a legitimate treatment, so this question has three defensible choices; the key lists transference and avoidance, and 'ignorance' and 'deletion' are not treatment options at all.

Mitigation (reduction) is the fourth standard option but does not appear among the choices.

277
MCQeasy

A cloud customer is decommissioning a storage service that contains sensitive data. The cloud provider offers several data destruction options. Which method provides the HIGHEST assurance that data is irrecoverable?

A.Degaussing the storage media
B.Physical shredding of the storage drives
C.Multiple overwrite passes with zeros and ones
D.Cryptographic erasure of encryption keys
AnswerB

Guarantees data is irrecoverable.

Why this answer

Option B is correct because physical destruction of the media (shredding, disintegration, pulverising) leaves nothing from which data could be reconstructed, whatever the media type. Option D is wrong because cryptographic erasure is only as strong as the key destruction: if any copy of the key survives, or the data was ever stored unencrypted, the data remains recoverable. Option C is wrong because overwriting cannot reach reallocated sectors, over-provisioned areas and wear-levelled blocks on SSDs, so residual data may survive. Option A is wrong because degaussing works on magnetic media only and does nothing to flash storage. One practical caveat for cloud services: a tenant cannot shred a provider's drives, so in the customer's own hands cryptographic erasure with verified key destruction is usually the only method that can be performed and evidenced directly; physical destruction is what the provider performs when media is retired.

278
MCQeasy

A company uses a cloud storage service to store sensitive customer data. They need to ensure that data is encrypted at rest using keys managed by the cloud provider. Which encryption model should they use?

A.Server-Side Encryption with S3-Managed Keys (SSE-S3)
B.Server-Side Encryption with AWS KMS (SSE-KMS)
C.Client-Side Encryption (CSE)
D.Server-Side Encryption with Customer-Provided Keys (SSE-C)
AnswerA

SSE-S3 uses cloud provider-managed keys.

Why this answer

The requirement specifies that the cloud provider manages the encryption keys. SSE-S3 uses keys that are entirely managed by AWS (S3) for encrypting data at rest, with each object encrypted by a unique key that is itself encrypted by a regularly rotated master key. This aligns perfectly with the scenario where the customer does not want to manage keys.

Exam trap

ISC2 often tests the distinction between 'provider-managed keys' (SSE-S3) and 'customer-managed keys' (SSE-KMS or SSE-C), where candidates mistakenly choose SSE-KMS because it offers more control, but the question explicitly requires keys managed solely by the provider.

How to eliminate wrong answers

Option B is wrong because SSE-KMS uses keys held in AWS KMS, either the AWS managed key for S3 or a customer managed KMS key; in both cases the customer takes on key policy, rotation and audit decisions, which is more control than the question asks for, and SSE-S3 is the plain provider-managed option. Option C is wrong because Client-Side Encryption (CSE) requires the customer to encrypt data before uploading, so the customer, not the provider, manages the keys. Option D is wrong because SSE-C requires the customer to supply the key with every request; the provider uses it transiently and does not store it, so full key management responsibility stays with the customer.

279
MCQmedium

During a security audit, a cloud application is found to have numerous container images with critical vulnerabilities. The DevOps team wants to prevent vulnerable images from being deployed to production. Which two controls should be implemented? (Select TWO)

A.Implement image vulnerability scanning in the CI/CD pipeline
B.Regularly update base images
C.Only allow signed images to be pulled from a trusted registry
D.Use network segmentation to isolate production containers
E.Run all containers as non-root users
AnswerA, C

Scanning can fail the build if critical vulnerabilities are found, preventing deployment.

Why this answer

Option A is correct because integrating image vulnerability scanning into the CI/CD pipeline ensures that every container image is automatically checked for known Common Vulnerabilities and Exposures (CVEs) before it can be promoted to production; with a policy that fails the build on critical findings, this shift-left approach blocks vulnerable images at build time. Option C is correct because enforcing signed images from a trusted registry (for example Docker Content Trust/Notary or Sigstore cosign, with the signature verified by an admission controller at deploy time) cryptographically verifies the image's integrity and origin, so only authorized, untampered images that passed the pipeline can run.

Exam trap

ISC2 often tests the distinction between preventive controls (like scanning and signing) that stop vulnerable images from being deployed versus mitigative controls (like network segmentation or non-root users) that reduce the impact after deployment, leading candidates to select the latter as a substitute for prevention.

How to eliminate wrong answers

Option B is wrong because regularly updating base images is a good security hygiene practice but does not prevent already-built vulnerable images from being deployed; it only reduces future vulnerabilities. Option D is wrong because network segmentation isolates production containers at the network layer to limit lateral movement, but it does not prevent a vulnerable image from being deployed in the first place. Option E is wrong because running containers as non-root users reduces the blast radius of a compromise but does not stop a vulnerable image from being deployed to production.

280
MCQeasy

A cloud service provider (CSP) offers a shared responsibility model. According to this model, who is responsible for patching the hypervisor?

A.The customer.
B.The regulatory authority.
C.The cloud service provider.
D.A third-party auditor.
AnswerC

The CSP manages the hypervisor as part of the shared responsibility model.

Why this answer

Option C is correct because the hypervisor is part of the underlying infrastructure that the CSP owns and operates in every service model, so patching it is the provider's responsibility. Option A is wrong because the customer has no access to the hypervisor and cannot patch it. Option B is wrong because a regulatory authority sets requirements; it does not operate or patch systems. Option D is wrong because a third-party auditor assesses controls but is not involved in operating the infrastructure.

281
MCQmedium

A software company develops an API for third-party integrations. They want to ensure that only authorized partners can access the API. Which authentication mechanism is most appropriate?

A.Basic authentication with API keys
B.OAuth 2.0 with client credentials
C.SAML 2.0
D.X.509 certificates
AnswerB

OAuth 2.0 client credentials grant is a standard for machine-to-machine API authentication.

Why this answer

OAuth 2.0 with the client credentials grant is the most appropriate mechanism for machine-to-machine API access because it allows the API to authenticate the third-party application itself (the client) using a client ID and client secret, without involving end-user credentials. This grant type is specifically designed for server-to-server integrations where the client is acting on its own behalf, providing a secure, token-based approach that avoids sharing long-lived secrets directly with each API call.

Exam trap

ISC2 often tests the distinction between authentication mechanisms by presenting SAML 2.0 as a plausible answer for API security, but the trap here is that SAML is designed for browser-based user authentication and federation, not for direct API access from third-party applications, leading candidates to confuse identity federation with API authorization.

How to eliminate wrong answers

Option A is wrong because an API key sent in a Basic Authorization header is a static, long-lived credential: Base64 is an encoding, not encryption, so the only transport protection is TLS, and the same secret is presented on every call with no expiry, no scoping and no straightforward rotation, all of which OAuth 2.0 access tokens provide. Option C is wrong because SAML 2.0 is an XML-based federation protocol built around browser-based single sign-on for human users; it is heavy, not designed for RESTful machine-to-machine calls, and has no equivalent of the client credentials flow. Option D is wrong as the single best answer because X.509 client certificates (mutual TLS) are a strong authentication method but bring certificate issuance, renewal and revocation overhead for every partner; in practice mTLS is often layered under OAuth 2.0 as the client authentication method (RFC 8705) rather than used instead of it.
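An added example, not from the question bank, of the client credentials exchange from both sides: a minimal authorization server that authenticates the partner application against a salted secret hash and issues a short-lived, scoped, audience-bound token, and a resource server that checks signature, expiry and scope before serving. The partner name, secret, scopes and issuer URL are constructed, and the HMAC-signed token is a stand-in for a real JWT signed with the authorization server's private key.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed partner registration. The authorization server stores only a salted
# hash of the client secret; the secret itself is issued to the partner out of band.
PARTNER_SECRET = "constructed-partner-secret-7f3a"
_SALT = b"constructed-salt"


def _hash_secret(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


CLIENTS = {"partner-acme": {"salt": _SALT, "secret_hash": _hash_secret(PARTNER_SECRET, _SALT),
                            "scopes": {"orders:read"}}}
AUDIENCE = "orders-api"
SIGNING_KEY = secrets.token_bytes(32)  # HMAC key shared by AS and RS; stand-in for JWT/JWKS


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_endpoint(form, now=None):
    """Authorization server side of RFC 6749 section 4.4 (client credentials).
    Authenticates the client application itself, not a user; refuses scopes the
    partner was never granted; issues a short-lived, audience-bound, signed token."""
    now = int(time.time()) if now is None else now
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    client = CLIENTS.get(form.get("client_id", ""))
    if client is None:
        return {"error": "invalid_client"}
    presented = _hash_secret(form.get("client_secret", ""), client["salt"])
    if not hmac.compare_digest(presented, client["secret_hash"]):  # constant-time compare
        return {"error": "invalid_client"}
    scopes = set(form.get("scope", "").split())
    if not scopes or not scopes <= client["scopes"]:
        return {"error": "invalid_scope"}
    claims = {"iss": "https://auth.example.test", "sub": form["client_id"], "aud": AUDIENCE,
              "scope": " ".join(sorted(scopes)), "iat": now, "exp": now + 600}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return {"access_token": body + "." + sig, "token_type": "Bearer", "expires_in": 600}


def resource_server(authorization, required_scope, now=None):
    """Resource server side: verify signature, audience, expiry and scope before
    serving. Returns (status, message) like an HTTP response."""
    now = int(time.time()) if now is None else now
    if not authorization.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        body, sig = authorization[len("Bearer "):].split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return 401, "bad signature"
        claims = json.loads(_unb64(body))
    except ValueError:
        return 401, "malformed token"
    if claims.get("aud") != AUDIENCE:
        return 401, "wrong audience"
    if claims.get("exp", 0) <= now:
        return 401, "token expired"
    if required_scope not in claims.get("scope", "").split():
        return 403, "insufficient scope"
    return 200, "ok for " + claims["sub"]


if __name__ == "__main__":
    resp = token_endpoint({"grant_type": "client_credentials", "client_id": "partner-acme",
                           "client_secret": PARTNER_SECRET, "scope": "orders:read"})
    print("token response:", {k: v for k, v in resp.items() if k != "access_token"})
    bearer = "Bearer " + resp["access_token"]
    print("read  :", resource_server(bearer, "orders:read"))
    print("write :", resource_server(bearer, "orders:write"))
    print("later :", resource_server(bearer, "orders:read", now=int(time.time()) + 601))
    print("bad pw:", token_endpoint({"grant_type": "client_credentials", "client_id": "partner-acme",
                                      "client_secret": "guess", "scope": "orders:read"}))
```

The properties the question is really asking about are visible in the resource server: the token expires, carries a scope the API enforces, and is bound to one audience, none of which a static API key in a Basic header gives you.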

282
MCQeasy

What does this bucket policy enforce?

A.The policy denies all uploads unless they use SSE-KMS.
B.All objects must be encrypted with a specific KMS key.
C.Any object uploaded without encryption will be denied.
D.Only objects encrypted with SSE-S3 are allowed.
AnswerA

The Deny effect applies when the encryption is not 'aws:kms'.

Why this answer

The bucket policy's Deny statement uses a StringNotEquals condition on `s3:x-amz-server-side-encryption` with the value `aws:kms`, so a PutObject is denied unless it carries the `x-amz-server-side-encryption: aws:kms` header; a missing header or any other value (for example `AES256` for SSE-S3) triggers the deny. This enforces SSE-KMS but not a particular key: pinning a key requires an additional condition on `s3:x-amz-server-side-encryption-aws-kms-key-id`.

Exam trap

ISC2 often tests the distinction between 'requiring SSE-KMS' and 'requiring a specific KMS key'—candidates mistakenly think that any SSE-KMS condition implies a specific key, but the policy only checks the encryption type, not the key ARN.

How to eliminate wrong answers

Option B is wrong because the policy does not name a KMS key: it conditions only on the encryption type being `aws:kms`, not on a key ARN or ID. Option C is wrong because it describes only part of what the policy does: an upload with no encryption header is indeed denied, but so is an upload encrypted with SSE-S3 or any method other than SSE-KMS, so 'unencrypted uploads are denied' understates the rule, which is 'anything other than SSE-KMS is denied'. Option D is wrong because the policy requires `aws:kms`, not `AES256` (SSE-S3), so SSE-S3 objects are exactly what it rejects.
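To make the two bucket-policy questions (268 above and 282 here) concrete, here is an added Python model of how IAM evaluates the relevant condition operators; it is not from the question bank and is not AWS's evaluation engine. It reproduces only the parts needed here (explicit deny over allow; IpAddress, StringEquals, StringNotEquals and Null, including the rule that a negated operator matches when the key is absent from the request) and skips Principal and Resource matching. The bucket name, distribution ARNs, KMS key ARN, role ARN and the CloudFront address are constructed.

```python
import ipaddress

# Constructed identifiers; none come from the question exhibits.
BUCKET_ARN = "arn:aws:s3:::example-assets"
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDIST"
OTHER_DIST_ARN = "arn:aws:cloudfront::999999999999:distribution/SOMEONEELSE"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
UPLOADER = "arn:aws:iam::111122223333:role/uploader"
CORP_IP = "203.0.113.45"        # inside the corporate range from question 268
CLOUDFRONT_IP = "198.51.100.7"  # stand-in for a CloudFront origin-fetch address


def _values(v):
    return v if isinstance(v, list) else [v]


def condition_matches(operator, expected, actual):
    """Model of the operators used below. A negated operator (StringNotEquals)
    evaluates TRUE when the key is absent from the request context, a positive
    one evaluates FALSE: that is why one Deny/StringNotEquals statement catches
    both a missing SSE header and a wrong one."""
    expected = [str(e) for e in _values(expected)]
    if operator == "StringEquals":
        return actual is not None and actual in expected
    if operator == "StringNotEquals":
        return actual is None or actual not in expected
    if operator == "IpAddress":
        return actual is not None and any(
            ipaddress.ip_address(actual) in ipaddress.ip_network(cidr) for cidr in expected)
    if operator == "Null":
        return (actual is None) == (expected[0].lower() == "true")
    raise ValueError("operator %s not modelled" % operator)


def statement_applies(stmt, action, ctx):
    """Action match plus every condition; Principal/Resource matching is omitted
    because the scenarios here only vary the request context."""
    if action not in _values(stmt["Action"]):
        return False
    return all(condition_matches(op, expected, ctx.get(key))
               for op, keys in stmt.get("Condition", {}).items()
               for key, expected in keys.items())


def evaluate(policy, action, ctx):
    """IAM decision order: an explicit Deny wins, then any matching Allow, else implicit deny."""
    hits = [s for s in policy["Statement"] if statement_applies(s, action, ctx)]
    if any(s["Effect"] == "Deny" for s in hits):
        return "explicit deny"
    if any(s["Effect"] == "Allow" for s in hits):
        return "allow"
    return "implicit deny"


# Question 268: the policy as described, keyed to the viewer's corporate range.
IP_RESTRICTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": BUCKET_ARN + "/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}

# The fix: trust the CloudFront service principal for one distribution (origin
# access control) and move the viewer-IP restriction to CloudFront/WAF.
OAC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*",
     "Condition": {"StringEquals": {"aws:SourceArn": DIST_ARN}}}]}

# Question 282: require SSE-KMS (any key) on every upload.
REQUIRE_SSE_KMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": UPLOADER}, "Action": "s3:PutObject",
     "Resource": BUCKET_ARN + "/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": BUCKET_ARN + "/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]}

# Variant that also pins the key, which the question's policy does not do.
REQUIRE_SPECIFIC_KEY = {"Version": "2012-10-17", "Statement": REQUIRE_SSE_KMS["Statement"] + [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": BUCKET_ARN + "/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}}}]}

SSE = "s3:x-amz-server-side-encryption"
SSE_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"

if __name__ == "__main__":
    cases = [
        ("268 corporate viewer, direct", IP_RESTRICTED, "s3:GetObject", {"aws:SourceIp": CORP_IP}),
        ("268 same object via CloudFront", IP_RESTRICTED, "s3:GetObject", {"aws:SourceIp": CLOUDFRONT_IP}),
        ("268 fixed with OAC", OAC, "s3:GetObject", {"aws:SourceIp": CLOUDFRONT_IP, "aws:SourceArn": DIST_ARN}),
        ("268 OAC, other distribution", OAC, "s3:GetObject", {"aws:SourceIp": CLOUDFRONT_IP, "aws:SourceArn": OTHER_DIST_ARN}),
        ("282 no SSE header", REQUIRE_SSE_KMS, "s3:PutObject", {}),
        ("282 SSE-S3 header", REQUIRE_SSE_KMS, "s3:PutObject", {SSE: "AES256"}),
        ("282 SSE-KMS, any key", REQUIRE_SSE_KMS, "s3:PutObject", {SSE: "aws:kms"}),
        ("282 pinned key, wrong key", REQUIRE_SPECIFIC_KEY, "s3:PutObject", {SSE: "aws:kms", SSE_KEY: "arn:aws:kms:us-east-1:111122223333:key/other"}),
        ("282 pinned key, right key", REQUIRE_SPECIFIC_KEY, "s3:PutObject", {SSE: "aws:kms", SSE_KEY: KEY_ARN}),
    ]
    for label, policy, action, ctx in cases:
        print("%-32s %s" % (label, evaluate(policy, action, ctx)))
```

One caveat before copying the SSE-KMS deny into a real bucket: S3 applies the bucket's default encryption to uploads that carry no header, so check what that default is and what the condition key evaluates to for your clients before assuming a bare PutObject is what you want to block.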

283
MCQmedium

A company is migrating on-premises workloads to IaaS. They need to ensure that virtual machine images are secure and free of malware. Which approach is best practice?

A.Use a golden image from the cloud provider's marketplace.
B.Rely on host-based firewalls to protect instances.
C.Perform vulnerability scanning on running instances only.
D.Create a hardened baseline image and store it in a secure repository.
AnswerD

Creating a hardened baseline ensures images are secure before deployment.

Why this answer

Option D is correct because creating a hardened baseline image ensures that the virtual machine is built from a known, secure configuration with all necessary security patches, minimal services, and no malware. Storing this image in a secure repository (e.g., encrypted and access-controlled) prevents tampering and allows consistent deployment of secure instances. This approach follows the principle of immutable infrastructure and is a foundational practice for secure IaaS migrations.

Exam trap

ISC2 often tests the misconception that using a cloud provider's marketplace image is sufficient for security, but the trap is that these images are not tailored to the organization's specific hardening requirements and may contain default credentials or unnecessary services.

How to eliminate wrong answers

Option A is wrong because cloud provider marketplace images are generic and may not meet the organization's specific security requirements; they can contain unnecessary software, default credentials or default configurations that introduce vulnerabilities, and their provenance still has to be verified. Option B is wrong because a host-based firewall only filters network traffic to and from the instance; it does not detect or remove malware already present in the image, and it is a runtime network control, not a secure image-build practice. Option C is wrong because vulnerability scanning of running instances only identifies issues after deployment, leaving the initial image potentially compromised; it does not prevent a malicious or unhardened image from being deployed in the first place (scanning the image in the build pipeline, before it is published, would complement option D).

284
Multi-Selecthard

Which TWO of the following are required elements of a valid Business Continuity Plan (BCP) in the cloud?

Select 2 answers
A.Communication plan for notifying stakeholders during a disruption.
B.Strategy to avoid vendor lock-in with the CSP.
C.A detailed risk assessment for all cloud services.
D.Network topology diagrams of the cloud environment.
E.Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for critical systems.
AnswersA, E

A communication plan is critical for coordinating response.

Why this answer

Option A is correct because a communication plan is a mandatory component of any BCP under ISO 22301 and NIST SP 800-34. In a cloud context it must specify how to notify stakeholders, including the CSP, internal teams and customers, during a disruption, so that the response is coordinated and SLA obligations are met. Option E is correct because the RPO and RTO for critical systems define the recovery targets the plan exists to meet: they determine which cloud recovery strategy (backup and restore, warm standby, active-active) is acceptable for each system and give the recovery procedures a measurable objective.

Exam trap

ISC2 often tests the distinction between what is required *in* a BCP versus what is required *to create* a BCP, causing candidates to mistakenly include risk assessments or network diagrams as core BCP elements.

285
MCQhard

An architect reviews this S3 bucket policy. What security concern should be raised?

A.The policy grants access to all users from the specified IP range.
B.The policy allows s3:GetObject from any source.
C.The policy allows s3:GetObject only to the specific bucket.
D.The policy does not restrict access to authenticated users.
AnswerA

With Principal set to "*", the policy applies to all users (including anonymous, unauthenticated requests) from that IP range.

Why this answer

Option A is correct because the policy grants s3:GetObject access to all users (Principal: "*") from the specified IP range, which means any unauthenticated user on the internet within that IP range can read objects in the bucket. This violates the principle of least privilege and exposes data to potential unauthorized access, as the policy does not require authentication or additional authorization checks.

Exam trap

ISC2 often tests the misconception that an IP restriction alone ensures security, when in fact it still allows anonymous access from any user within that range, bypassing authentication and IAM controls.

How to eliminate wrong answers

Option B is wrong because the policy restricts access to a specific IP range via the `aws:SourceIp` condition, so it does not allow s3:GetObject from any source. Option C is wrong because scoping s3:GetObject to the specific bucket via the Resource ARN is correct least-privilege practice, not a concern. Option D is wrong because it is a less precise restatement of the same finding: the policy indeed does not limit access to authenticated identities, but the concern an architect should raise is the cause, Principal "*" combined with nothing but an IP condition, which is what option A states; the fix is to name the intended principals (or add an identity-bound condition such as `aws:PrincipalOrgID`) rather than to rely on the IP range.
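Worked example, added here and not part of the question bank: a toy evaluator for the bucket-policy semantics that questions 282 and 285 rely on. The two policies are reconstructed from the explanations (the page does not show the original JSON); `example-bucket`, the account ID, the `ReportReader` role and the 203.0.113.0/24 documentation range are placeholders; and the evaluator models only Principal, Action, Resource and four condition operators, treating a missing condition key as never satisfying a String or IpAddress operator (a simplification, which is also why the SSE-KMS policy carries a separate `Null` statement). It shows that the SSE-KMS policy accepts any KMS key until the key-id header is also constrained, and that Principal "*" plus an IP condition lets an anonymous caller inside the range read objects until the principal is named.

```python
"""Toy evaluator for a subset of S3 bucket-policy semantics (added example,
not from the exam page). Explicit Deny beats Allow; nothing matched is an
implicit deny. Bucket, account, role and IP range are placeholders."""
import ipaddress

BUCKET = "arn:aws:s3:::example-bucket"
SSE_HDR = "s3:x-amz-server-side-encryption"
KEYID_HDR = "s3:x-amz-server-side-encryption-aws-kms-key-id"
READER = "arn:aws:iam::123456789012:role/ReportReader"  # placeholder principal
ANON = "anonymous"                                     # unauthenticated caller
_PUT = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": f"{BUCKET}/*"}

# Q282: require SSE-KMS. Deny for a wrong header value, Deny (Null) for a
# missing header, as in AWS's reference policy, plus an Allow for the uploader.
REQUIRE_SSE_KMS = {"Statement": [
    {**_PUT, "Sid": "DenyWrongEncryptionHeader",
     "Condition": {"StringNotEquals": {SSE_HDR: "aws:kms"}}},
    {**_PUT, "Sid": "DenyMissingEncryptionHeader",
     "Condition": {"Null": {SSE_HDR: "true"}}},
    {**_PUT, "Sid": "AllowUpload", "Effect": "Allow", "Principal": {"AWS": READER}},
]}

# Q285: read access for everyone (Principal "*") from one IP range.
IP_RANGE_READ = {"Statement": [
    {"Sid": "ReadFromOffice", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"{BUCKET}/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(spec, principal):
    if spec == "*":
        return True  # any principal, including anonymous requests
    return isinstance(spec, dict) and principal in _as_list(spec.get("AWS", []))


def _resource_matches(spec, resource):
    return any(resource == p or (p.endswith("*") and resource.startswith(p[:-1]))
               for p in _as_list(spec))


def _condition_matches(operator, key, expected, ctx):
    values = [str(v) for v in _as_list(expected)]
    if operator == "Null":  # "true": key must be absent; "false": key must be present
        return (key in ctx) != (values[0].lower() == "true")
    if key not in ctx:
        # Simplification of this model: a missing key never satisfies a
        # String*/IpAddress operator, hence the separate Null statement above.
        return False
    if operator == "StringEquals":
        return ctx[key] in values
    if operator == "StringNotEquals":
        return ctx[key] not in values
    if operator == "IpAddress":
        ip = ipaddress.ip_address(ctx[key])
        return any(ip in ipaddress.ip_network(c, strict=False) for c in values)
    raise ValueError(f"unsupported operator {operator}")


def _applies(stmt, principal, action, resource, ctx):
    if not _principal_matches(stmt["Principal"], principal):
        return False
    if action not in _as_list(stmt["Action"]) or not _resource_matches(stmt["Resource"], resource):
        return False
    return all(_condition_matches(op, k, v, ctx)
               for op, pairs in stmt.get("Condition", {}).items() for k, v in pairs.items())


def evaluate(policy, principal, action, resource, ctx):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if _applies(stmt, principal, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            decision = "allow"
    return decision


def require_specific_key(policy, key_arn):
    """Q282 caveat: pinning one KMS key needs conditions on the key-id header too."""
    return {"Statement": policy["Statement"] + [
        {**_PUT, "Sid": "DenyWrongKmsKey", "Condition": {"StringNotEquals": {KEYID_HDR: key_arn}}},
        {**_PUT, "Sid": "DenyMissingKmsKey", "Condition": {"Null": {KEYID_HDR: "true"}}},
    ]}


def harden_ip_policy(policy, principal_arn):
    """Q285 fix: name the principal so the IP condition narrows authenticated
    access instead of granting anonymous reads from the whole range."""
    return {"Statement": [{**s, "Principal": {"AWS": principal_arn}} for s in policy["Statement"]]}


if __name__ == "__main__":
    key = f"{BUCKET}/reports/q1.csv"
    print(evaluate(REQUIRE_SSE_KMS, READER, "s3:PutObject", key, {SSE_HDR: "AES256"}))
    print(evaluate(IP_RANGE_READ, ANON, "s3:GetObject", key, {"aws:SourceIp": "203.0.113.7"}))
```

A real request is additionally subject to the caller's identity policy, S3 Block Public Access and any service control policies, none of which this toy models; it isolates only the bucket-policy logic the two questions test.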

286
MCQeasy

A cloud architect needs to protect data in transit between an on-premises data center and a cloud virtual private cloud (VPC). Which solution is MOST appropriate?

A.SSL certificate on web server
B.TLS for each application
C.VPN with IPsec
D.Direct Connect without encryption
AnswerC

IPsec VPN encrypts all traffic between sites.

Why this answer

An IPsec VPN is the most appropriate solution for protecting data in transit between an on-premises data center and a cloud VPC because it provides network-layer encryption and authentication for all IP traffic between the two sites. IPsec operates at Layer 3, securing the whole tunnel without per-application configuration, and is designed specifically for site-to-site connectivity. This gives confidentiality, integrity and replay protection to all data traversing the public internet or a Direct Connect link.

Exam trap

ISC2 often tests the misconception that TLS or SSL is sufficient for every data-in-transit scenario. TLS protects an individual application connection (HTTPS, LDAPS, SMTP with STARTTLS and so on) and has to be configured and maintained per application; it does not create a site-to-site tunnel carrying arbitrary IP traffic between two networks, which is exactly what IPsec at the network layer provides.

How to eliminate wrong answers

Option A is wrong because an SSL certificate on a web server only protects HTTP traffic (Layer 7) and does not secure other protocols or the entire data stream between the data center and VPC. Option B is wrong because implementing TLS for each application is application-specific, requires individual configuration per service, and does not provide a unified, network-level security boundary for all traffic between the two sites. Option D is wrong because Direct Connect without encryption leaves all data in transit unencrypted, exposing it to potential interception or tampering, and does not meet the requirement to protect data in transit.

287
MCQhard

Your organization, a healthcare provider subject to HIPAA, has migrated electronic protected health information (ePHI) to a public cloud IaaS provider. The cloud provider offers default encryption at rest using its managed key service. During a recent audit it was discovered that the encryption keys are generated and stored by the cloud provider without any customer involvement. The auditor states that this arrangement may violate HIPAA requirements because the covered entity does not have exclusive control over the keys. You need to ensure compliance while maintaining cost efficiency. After discussion with the cloud provider, you are weighing the options below. Which option best addresses the compliance requirement while considering the operational impact?

A.Enable client-side encryption using a custom key management system (KMS) on the customer's premises.
B.Disable encryption and rely on access controls and auditing only.
C.Use the provider's default encryption and rely on their BAA that states they will protect the keys.
D.Implement a third-party key management solution that stores keys in the cloud but is controlled by the customer.
AnswerA

Correct. Client-side encryption with customer-controlled keys ensures compliance and maintains security.

Why this answer

Option A is correct because client-side encryption with a customer-controlled KMS gives the covered entity exclusive control over the encryption keys, which is what the auditor identified as missing: data is encrypted before it leaves the customer's premises, so the cloud provider only ever holds ciphertext and never the plaintext keys, and the customer retains full key lifecycle management, including rotation and revocation. Among the options offered it is also the least disruptive to cost, since it reuses existing on-premises key management rather than introducing a new third-party service; the trade-off to plan for is that the provider's native, server-side features can no longer operate on that data.

Exam trap

ISC2 often tests the misconception that a Business Associate Agreement (BAA) alone satisfies HIPAA encryption expectations, when, as the auditor points out here, the covered entity must retain control over the encryption keys to prevent the cloud provider from being able to access ePHI.

How to eliminate wrong answers

Option B is wrong because encryption of ePHI at rest is an addressable implementation specification of the HIPAA Security Rule: an entity that forgoes it must document why and implement an equivalent alternative, and access controls and auditing alone do not provide the confidentiality protection at issue. Option C is wrong because the provider's default encryption with a BAA still leaves key generation and storage with the provider; a BAA allocates responsibility, it does not give the covered entity control of the keys, which is precisely the auditor's finding. Option D is wrong because a third-party KMS running in the cloud, even when administered by the customer, keeps the key material inside the provider's infrastructure, where the provider's hypervisor and storage layers could in principle reach it, and it adds a second vendor and its cost without delivering the exclusive control the auditor requires.

288
MCQhard

A cloud application processes credit card numbers. To reduce PCI DSS scope, the company wants to remove the original PAN from its databases and use a surrogate value that can be reversed only by a privileged application. Which data protection technique should they use?

A.Truncation of the first 6 and last 4 digits
B.Dynamic data masking in the application tier
C.Tokenization using a cloud-based token vault
D.Symmetric encryption with a key stored in the database
AnswerC

Tokenization replaces PAN with a token and the token vault controls detokenization.

Why this answer

Tokenization replaces the original PAN with a randomly generated surrogate value (token) that has no mathematical relationship to the original data. The token can be reversed only by a privileged application that has access to the token vault, which stores the mapping between tokens and actual PANs. This effectively removes the PAN from the application's databases, reducing PCI DSS scope because the tokenized data is not considered sensitive cardholder data.

Exam trap

ISC2 often tests the distinction between tokenization and encryption: candidates choose symmetric encryption (Option D) because they think encryption alone removes data from scope, but PCI DSS requires the decryption key to be stored separately from the encrypted data, and even then encrypted PANs remain cardholder data for any entity that has the means to decrypt them.

How to eliminate wrong answers

Option A is wrong because truncation permanently discards the middle digits, leaving at most the first 6 and last 4; it is irreversible by design, so it cannot provide the surrogate that a privileged application reverses. Option B is wrong because dynamic data masking only hides data at query time from unauthorized users; the original PAN remains stored in the database, so nothing is removed from scope. Option D is wrong because symmetric encryption with the key stored in the same database keeps key and ciphertext co-located, violating key management separation, and the encrypted PANs remain cardholder data under PCI DSS; tokens, by contrast, carry no cryptographic relationship to the PAN at all.
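Worked example, added here and not from the question bank: a minimal token vault of the kind question 288 describes. The vault is an in-memory dictionary standing in for a separate, access-controlled token service; the PANs are the well-known test card numbers, not real cards; and "payment-processor" is a placeholder for the single privileged caller allowed to detokenize. The point it makes beyond the text: a token keeps the last four digits for display, is generated so that it never passes the Luhn check (so it cannot be mistaken for, or used as, a real PAN), and is tied to the PAN only by the vault's lookup table, so there is no key and no arithmetic that could reverse it outside the vault.

```python
"""Minimal PAN token vault (added example, not from the exam page).
In-memory storage and the role name are placeholders; PANs are test numbers."""
import secrets

DETOKENIZE_ROLES = {"payment-processor"}  # placeholder for the privileged app


def luhn_valid(pan: str) -> bool:
    """Luhn check, used to validate input and to make sure tokens fail it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        """Return a surrogate: same length, same last 4 digits, random
        elsewhere, never itself a Luhn-valid number, and bound to the PAN only
        by this vault's table."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a valid PAN")
        if pan in self._token_by_pan:       # stable token so records can be joined
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # reject collisions and any token that would pass as a real PAN
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the privileged application may reverse a token."""
        if caller_role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._pan_by_token[token]


def detokenize_allowed(vault: TokenVault, token: str, caller_role: str) -> bool:
    """Convenience check: does the vault let this role recover the PAN?"""
    try:
        vault.detokenize(token, caller_role)
        return True
    except PermissionError:
        return False


def display(token: str) -> str:
    """What the rest of the application shows: last 4 digits only."""
    return "*" * (len(token) - 4) + token[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111")   # constructed test PAN
    print(tok, display(tok), detokenize_allowed(vault, tok, "reporting"))
```

In production the vault process, its storage and its detokenize endpoint are the parts that stay inside PCI DSS scope; the application databases holding only tokens are what the company is trying to move out of it.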

289
MCQmedium

A company uses cloud storage for sensitive data and wants to ensure that the cloud provider cannot access their encryption keys. Which approach should they implement?

A.Cloud KMS with software keys
B.Cloud KMS with hardware keys
C.Cloud HSM
D.Cloud External Key Manager (EKM)
AnswerD

EKM allows customers to store keys outside the cloud provider, preventing provider access.

Why this answer

Cloud External Key Manager (EKM) allows the customer to manage and store encryption keys outside the cloud provider's infrastructure, typically in an on-premises HSM or a third-party key management system. The cloud service calls out to the external manager over a remote key-access interface (KMIP or a vendor REST API, depending on the provider) to request cryptographic operations, so the key material never leaves the customer-controlled system and the provider never holds the plaintext keys, which is exactly the requirement stated.

Exam trap

ISC2 often tests the distinction between 'cloud-managed' and 'customer-managed' keys, where candidates mistakenly think that using hardware keys (HSM) automatically prevents provider access, but the trap is that provider-managed HSMs still give the provider administrative control over the hardware.

How to eliminate wrong answers

Option A is wrong because Cloud KMS with software keys stores the keys inside the cloud provider's infrastructure, where the provider's own software manages them and could access them. Option B is wrong because Cloud KMS with hardware keys still keeps the keys in the provider's HSM fleet, so the provider operates the key management service and retains logical control over the process even though the material sits in hardware. Option C is wrong because a Cloud HSM, while a dedicated device, is still hosted and physically administered by the provider; the customer has to trust the provider's physical and administrative controls over the device rather than holding the keys outside the provider altogether.

290
MCQhard

An organization uses a multi-cloud architecture with applications running on both AWS and Azure. They need to implement a secrets management solution that works across both platforms and supports automated rotation. Which approach best meets these requirements?

A.Deploy HashiCorp Vault as a centralized secrets manager
B.Store secrets as encrypted environment variables in each environment
C.Use Azure Key Vault with a federation bridge to AWS
D.Use AWS Secrets Manager for all secrets
AnswerA

Vault is cloud-agnostic, supports automated rotation, and integrates with both AWS and Azure.

Why this answer

HashiCorp Vault provides a cloud-agnostic secrets management service with automated rotation and cross-cloud capabilities. AWS Secrets Manager is AWS-specific. Azure Key Vault is Azure-specific.

Encrypted environment variables are not easily rotated and require redeployment.

291
MCQmedium

A healthcare organization uses a cloud-based electronic health record system. Patient data is encrypted at rest using server-side encryption with AWS KMS keys. The security team notices that during a recent security incident, an attacker used compromised credentials to decrypt and exfiltrate a large number of patient records. The attacker performed decryption operations using the KMS API, which was logged in CloudTrail. The organization wants to implement additional controls to prevent such bulk decryption in the future while still allowing authorized access. Which of the following is the BEST course of action?

A.Implement a key vault with an access broker that requires multi-factor authentication for each decryption request.
B.Change the encryption to client-side encryption using keys stored on-premises.
C.Create a KMS key policy that requires a condition for a specific IP range or VPC endpoint.
D.Enable automatic key rotation on the KMS key.
AnswerA

MFA adds strong authentication for each decryption, preventing bulk decryption even with compromised credentials.

Why this answer

A is correct because implementing a key vault with an access broker that requires multi-factor authentication for each decryption request directly addresses the root cause: compromised credentials. By requiring MFA per decryption operation, even if an attacker steals credentials, they cannot perform bulk decryption without also bypassing the MFA challenge for each API call. This control operates at the application layer, independent of the KMS key policy, and provides granular, per-request authorization.

Exam trap

ISC2 often tests the misconception that network-layer controls (like IP restrictions) or key rotation are sufficient to prevent unauthorized decryption, when in fact they do not address the core issue of compromised credentials being used to make legitimate API calls.

How to eliminate wrong answers

Option B is wrong because moving to client-side encryption with on-premises keys does not prevent bulk decryption if the attacker compromises the client application or the key management system; it also introduces key availability and latency issues for a cloud-based EHR system. Option C is wrong because restricting decryption to a specific IP range or VPC endpoint does not stop an attacker who uses compromised credentials from a legitimate IP or VPC; it only limits the network path, not the authorization of the request. Option D is wrong because automatic key rotation does not prevent an attacker from using compromised credentials to decrypt data with the current key; rotation only limits the window of exposure for future data, not the ability to decrypt already-encrypted records.
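Worked example, added here and not from the question bank: the detection side of question 291, which notes that the attacker's Decrypt calls were recorded in CloudTrail. The records below are constructed to carry the CloudTrail fields the detector reads; the key ARN, account ID and principals are placeholders; and the 5-minute window and threshold of 100 are assumptions to be tuned against a real baseline. It sums Decrypt calls per caller over a sliding window so that a credential used for bulk decryption stands out from an application role's normal trickle.

```python
"""Flag bulk KMS Decrypt activity in CloudTrail records (added example, not
from the exam page). Sample events are constructed; ARNs are placeholders."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000001"
COMPROMISED = "arn:aws:iam::123456789012:user/analyst"                   # placeholder
APP_ROLE = "arn:aws:sts::123456789012:assumed-role/ehr-app/i-0abc12345"  # placeholder
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


def _event(name, principal_arn, when):
    """The CloudTrail fields this detector reads, in CloudTrail's layout."""
    return {"eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "eventSource": "kms.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": principal_arn},
            "resources": [{"ARN": KEY_ARN}]}


# Constructed sample: 120 Decrypt calls in three minutes from the stolen
# credentials, a normal trickle from the application role (one every three
# minutes), and one unrelated GenerateDataKey call that must not be counted.
SAMPLE_EVENTS = (
    [_event("Decrypt", COMPROMISED, T0 + timedelta(seconds=1.5 * i)) for i in range(120)]
    + [_event("Decrypt", APP_ROLE, T0 + timedelta(minutes=3 * i)) for i in range(20)]
    + [_event("GenerateDataKey", APP_ROLE, T0 + timedelta(minutes=7))]
)


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def decrypt_times_by_principal(records):
    """Group Decrypt timestamps by caller ARN, ignoring other KMS calls."""
    grouped = defaultdict(list)
    for r in records:
        if r.get("eventSource") == "kms.amazonaws.com" and r.get("eventName") == "Decrypt":
            grouped[r["userIdentity"]["arn"]].append(_parse_time(r["eventTime"]))
    return grouped


def peak_in_window(times, window_seconds):
    """Largest number of calls that fall inside any span of window_seconds."""
    window = timedelta(seconds=window_seconds)
    times = sorted(times)
    peak = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the left edge forward
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def find_bulk_decrypt(records, window_seconds=300, threshold=100):
    """Return {principal_arn: peak_count} for callers whose Decrypt rate in
    any window reaches the threshold."""
    flagged = {}
    for arn, times in decrypt_times_by_principal(records).items():
        peak = peak_in_window(times, window_seconds)
        if peak >= threshold:
            flagged[arn] = peak
    return flagged


if __name__ == "__main__":
    for arn, peak in find_bulk_decrypt(SAMPLE_EVENTS).items():
        print(f"ALERT bulk Decrypt: {arn} made {peak} calls within 5 minutes")
```

This is a detective control, which is why the question's preventive answer still matters: the same per-principal counting can feed an automated response (disable the access key, revoke the session) so the window between first alert and containment is short.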

292
MCQhard

A company's cloud storage bucket policy inadvertently allowed anonymous users to list and read objects. After discovering the exposure, the security team has corrected the policy. Which additional step is critical to prevent recurrence?

A.Enable logging and monitoring to detect similar exposures.
B.Assign a dedicated security team to manually approve all policy changes.
C.Review all existing bucket policies and correct any other misconfigurations.
D.Implement automated policy validation as part of the infrastructure as code deployment process.
AnswerD

Automated checks in CI/CD prevent misconfigured policies from being applied.

Why this answer

Option D is correct because implementing automated policy validation as part of the infrastructure as code (IaC) deployment process ensures that every bucket policy change is checked against security rules before it is applied. This stops a misconfiguration such as anonymous access from reaching production and addresses the root cause instead of reacting after exposure. In AWS, for example, tools such as cfn-nag for CloudFormation templates, Sentinel or OPA for Terraform plans, and IAM Access Analyzer policy validation can enforce these rules programmatically in the pipeline, removing the reliance on a human reviewer spotting the problem.

Exam trap

ISC2 often tests the distinction between detective controls (logging/monitoring) and preventive controls (automated validation in IaC), and the trap here is that candidates choose option A because they think monitoring is sufficient, but the question specifically asks for a step to 'prevent recurrence,' which requires a preventive control.

How to eliminate wrong answers

Option A is wrong because enabling logging and monitoring detects exposures after they occur but does not prevent recurrence; it is a detective control, not a preventive one. Option B is wrong because assigning a dedicated security team to manually approve all policy changes is impractical at scale, introduces delays, and still relies on human review which can miss subtle misconfigurations like a missing condition key in an S3 bucket policy. Option C is wrong because reviewing all existing bucket policies is a one-time remediation step that does not prevent future misconfigurations; it lacks the automated, continuous enforcement needed to stop recurrence.
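Worked example, added here and not from the question bank: the kind of pipeline gate question 292 calls for, written as a small check that a deployment step runs over a bucket policy before applying it. The rule is an assumption of what "public" means: an Allow statement whose Principal is "*" and whose conditions do not tie the grant to a known identity or a private network path. An `aws:SourceIp` condition on its own is deliberately not accepted as narrowing, because anonymous callers inside the range still match (the flaw in question 285). The policies are constructed and the organization ID is a placeholder.

```python
"""Pre-deployment check for public bucket policies (added example, not from
the exam page). Policies are constructed; the org ID is a placeholder."""
import json

# Condition keys that bind a wildcard-principal grant to a known identity or a
# private network path. aws:SourceIp is deliberately absent from this set.
NARROWING_KEYS = {"aws:PrincipalAccount", "aws:PrincipalArn", "aws:PrincipalOrgID",
                  "aws:SourceVpc", "aws:SourceVpce"}

BAD_POLICY = json.dumps({"Statement": [
    {"Sid": "ReadFromOffice", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})

GOOD_POLICY = json.dumps({"Statement": [
    {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _wildcard_principal(spec):
    if spec == "*":
        return True
    return isinstance(spec, dict) and "*" in _as_list(spec.get("AWS", []))


def public_statements(policy):
    """Return (Sid, actions, condition keys) for every statement that grants
    access to anyone. Accepts a parsed policy or its JSON text."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        keys = {k for pairs in stmt.get("Condition", {}).values() for k in pairs}
        if keys & NARROWING_KEYS:
            continue                      # bound to an identity or private path
        findings.append((stmt.get("Sid", "<no Sid>"),
                         sorted(_as_list(stmt.get("Action", []))), sorted(keys)))
    return findings


def gate(policy_json):
    """Pipeline gate: True means the policy may be applied."""
    return not public_statements(policy_json)


if __name__ == "__main__":
    for name, doc in (("bad", BAD_POLICY), ("good", GOOD_POLICY)):
        print(name, "PASS" if gate(doc) else f"FAIL {public_statements(doc)}")
```

The check only looks at Principal and Condition keys; it does not reason about NotPrincipal, resource-level wildcards or the interaction with account-level S3 Block Public Access, so treat it as one gate in the pipeline rather than the whole review.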

293
MCQeasy

A company is conducting a risk assessment for a new cloud service. They identify a vulnerability that could lead to a data breach. The likelihood is low, but the impact is high. According to common risk management frameworks, how should this risk be addressed?

A.Ignore the risk until it materializes.
B.Accept the risk because the likelihood is low.
C.Implement controls to reduce the risk.
D.Transfer the risk to a third party.
AnswerC

Mitigation is appropriate for high-impact risks even if likelihood is low.

Why this answer

Option C is correct because, in risk management frameworks like NIST SP 800-37 or ISO 27005, a risk with high impact must be mitigated regardless of low likelihood. The potential for a data breach from this vulnerability means the organization should implement controls (e.g., encryption, access controls, or patching) to reduce the risk to an acceptable level, as the cost of a breach outweighs the low probability.

Exam trap

ISC2 often tests the misconception that low likelihood alone justifies risk acceptance, but the trap here is that high impact overrides low probability in most compliance-driven frameworks, requiring active mitigation.

How to eliminate wrong answers

Option A is wrong because ignoring a risk with high impact violates the fundamental risk management principle of proactive mitigation; waiting for materialization could lead to catastrophic data loss and regulatory penalties. Option B is wrong because accepting a risk solely due to low likelihood ignores the high impact; risk acceptance requires a formal decision based on risk appetite, not just probability, and low likelihood does not negate the need for controls when impact is severe. Option D is wrong because transferring the risk (e.g., via cyber insurance) does not eliminate the vulnerability; the organization remains liable for the breach and must still implement technical controls to meet compliance requirements like GDPR or HIPAA.

294
MCQeasy

A small business uses a cloud file storage service to share project files with external partners. They have enabled versioning on the bucket, and each partner has a unique folder. The security team discovers that a former employee, who had administrative access, deleted all files in a partner's folder and then deleted the folder. The bucket's versioning allows restoration of the files, but the folder deletion cannot be undone. The business wants to prevent similar incidents in the future while still allowing external partners to upload and download files. Which approach should be taken?

A.Use bucket policies to prevent deletion of objects by anyone except a specific admin group, and use lifecycle policies to manage temporary files.
B.Use object lock with compliance mode to prevent object deletion or overwrites.
C.Enable MFA Delete on the bucket.
D.Disable versioning and implement a backup process.
AnswerB

Compliance mode locks object versions for their retention period, and nobody, not even an administrator, can shorten it.

Why this answer

Option B is correct because Object Lock in compliance mode prevents any object version from being deleted or overwritten by any user, including the root account, until its retention period expires, and the retention cannot be reduced or the lock removed by anyone. Partners can still upload and download: a new upload simply creates a new locked version, and a delete request without a version ID only adds a delete marker, leaving the locked versions in place to be restored. Because 'folders' in object storage are just key prefixes, the folder exists again as soon as an object under that prefix is restored.

Exam trap

ISC2 often tests the distinction between MFA Delete (which only adds an authentication step but does not prevent deletion by authorized users) and Object Lock (which provides immutable protection against deletion or overwrites).

How to eliminate wrong answers

Option A is wrong because bucket policies can restrict deletion but do not prevent a user with administrative access (like the former employee) from modifying the policy or bypassing it, and lifecycle policies manage temporary files but do not prevent deletion. Option C is wrong because MFA Delete only requires multi-factor authentication for delete operations, but a former employee with administrative credentials could still authenticate and delete objects if they have MFA access, and it does not prevent folder deletion. Option D is wrong because disabling versioning and implementing a backup process would remove the ability to restore previous versions and does not prevent deletion; backups are reactive, not preventive.

295
MCQeasy

A cloud security administrator needs to ensure that all API calls to the cloud provider's management plane are logged for audit purposes. Which service should be enabled?

A.Cloud configuration service
B.Cloud threat detection service
C.Cloud audit logging service
D.Cloud monitoring service
AnswerC

Audit logs capture all management plane API calls.

Why this answer

Option C is correct because the cloud audit logging service (e.g., AWS CloudTrail, Azure Activity Log, Google Cloud Audit Logs) records every management-plane API call with the caller, time, source and parameters, which is what an audit trail needs. Option A (configuration service) records the resulting resource configuration and its changes, not each API call that was made. Option B (threat detection) consumes logs to raise findings but is not itself the record of calls.

Option D (monitoring) focuses on performance metrics and health, not on who invoked which API.

296
MCQeasy

A company is migrating its on-premises workloads to a public cloud environment. The security team is concerned about maintaining visibility into network traffic between virtual machines in the same virtual network. Which cloud architecture component should be implemented to address this concern?

A.Security groups
B.Virtual network traffic mirroring
C.Virtual private cloud (VPC) peering
D.Network access control lists (NACLs)
AnswerB

Correct: Enables packet capture for analysis.

Why this answer

Virtual network traffic mirroring (or port mirroring) enables the capture and inspection of all network packets flowing between virtual machines within the same virtual network, including east-west traffic. This provides the security team with the deep packet visibility needed for threat detection, compliance auditing, and troubleshooting without requiring changes to the VM configurations or routing paths.

Exam trap

The trap here is that candidates often confuse security groups or NACLs with visibility tools, mistakenly believing that filtering or logging features (like flow logs) provide the same packet-level capture as traffic mirroring, when in fact flow logs only record metadata (e.g., source/destination IP, port, protocol) and not the full packet payload.

How to eliminate wrong answers

Option A is wrong because security groups act as a stateful virtual firewall that filters traffic based on rules (e.g., source IP, port), but they do not capture or mirror traffic for analysis; they only permit or deny packets. Option C is wrong because VPC peering connects two separate virtual networks, allowing traffic between them, but it does not provide visibility into traffic within a single virtual network. Option D is wrong because network access control lists (NACLs) are stateless packet filters applied at the subnet boundary, not a mechanism for copying or monitoring traffic flows between VMs inside the same subnet.

297
Multi-Selectmedium

A cloud security architect is designing a data loss prevention (DLP) strategy for a multi-cloud environment. Which TWO actions are effective in preventing unauthorized exfiltration of sensitive data?

Select 2 answers
A.Enable detailed logging and monitoring of all data access events
B.Encrypt all data at rest using provider-managed keys
C.Use a cloud access security broker (CASB) to enforce data classification
D.Implement strict Identity and Access Management (IAM) policies with least privilege
E.Deploy DLP tools to inspect outbound traffic for sensitive data patterns
AnswersD, E

Correct: Limits access to sensitive data, reducing exfiltration risk.

Why this answer

Option D is correct because implementing strict IAM policies with least privilege ensures that users and services have only the minimum permissions necessary to perform their functions. This directly limits the attack surface and prevents unauthorized access to sensitive data, which is a foundational control against exfiltration: without least privilege, even with other controls in place, an over-privileged account could be exploited to move or copy data out of the environment. Option E is correct because DLP inspection of outbound traffic acts at the moment of exfiltration: it recognises sensitive patterns (card numbers, health identifiers, classified documents) in data leaving the environment and blocks or quarantines the transfer, including transfers by an authorized but misbehaving user, which least privilege alone cannot stop.

Exam trap

ISC2 often tests the distinction between preventive and detective controls, and the trap here is that candidates confuse monitoring (detective) or encryption (protective but not preventive against exfiltration by authorized users) with direct prevention mechanisms like least privilege and DLP content inspection.

298
Multi-Selecthard

Which THREE controls help protect data in use within a cloud environment? (Choose three.)

Select 3 answers
A.Confidential computing
B.Tokenization
C.Access control lists
D.Secure enclaves (e.g., Intel SGX)
E.Homomorphic encryption
AnswersA, D, E

Encrypts data in use in memory.

Why this answer

Confidential computing protects data in use by executing computations within a hardware-based Trusted Execution Environment (TEE), such as Intel SGX enclaves or AMD SEV-protected virtual machines, which isolates the data and code from the host operating system and hypervisor; even privileged users or cloud administrators cannot read the plaintext while it is processed in memory, and remote attestation lets the data owner verify the enclave before releasing keys to it. Secure enclaves (Option D) are the concrete hardware form of that approach. Homomorphic encryption (Option E) takes the other route: computation is performed directly on ciphertext, so the processing host never sees plaintext at all.

Exam trap

ISC2 often tests the distinction between data-at-rest, data-in-transit and data-in-use controls, and the trap here is that candidates confuse tokenization (which substitutes a surrogate for stored data, so protects data at rest) or access control lists (an authorization control, not a protection for data being processed) with technologies that specifically protect data during active processing in memory.

299
MCQmedium

An enterprise uses a cloud-based relational database service (e.g., AWS RDS) to store customer order data. The database is encrypted at rest using the cloud provider's default encryption. The security team is concerned about the risk of a rogue database administrator (DBA) exfiltrating data by creating unencrypted backups or snapshots and moving them to a different account. Which of the following controls would BEST mitigate this risk while maintaining operational efficiency?

A.Use a customer-managed key (CMK) in KMS and configure the database to use that key for encryption, and restrict the DBA's IAM permissions to prevent using the key on snapshots.
B.Disable the ability for any user to create database snapshots.
C.Implement database activity monitoring (DAM) to alert on snapshot creation.
D.Enable automatic snapshot encryption and ensure that only the database service role can access snapshots.
AnswerA

Ensures snapshots are encrypted and DBA cannot decrypt them without key permission.

Why this answer

Option A is correct because a snapshot of an encrypted RDS instance is always encrypted with the instance's key (an unencrypted snapshot of an encrypted instance cannot be created), so with a customer-managed key the CMK's key policy decides who can use the key. Sharing or copying that snapshot to another account only works if the destination account is granted use of the CMK in the key policy or via a grant, and restoring it requires decrypt rights on the key; if key administration is kept separate from the DBA role and the DBA's IAM permissions exclude key-policy changes and grant creation, the DBA can still create, restore and manage snapshots inside the account for routine operations but cannot move usable data out.

Exam trap

ISC2 often tests the misconception that enabling automatic encryption or monitoring alone is sufficient to prevent data exfiltration by a privileged insider, when in reality only a combination of customer-managed keys with strict key policies and IAM permission boundaries can block the DBA's ability to decrypt or re-encrypt snapshots for exfiltration.

How to eliminate wrong answers

Option B is wrong because completely disabling snapshot creation would break critical operational processes such as automated backups, point-in-time recovery, and disaster recovery, making it an impractical and overly restrictive control. Option C is wrong because database activity monitoring (DAM) only provides alerting after the fact; it does not prevent a rogue DBA from successfully exfiltrating data via unencrypted snapshots, as the DBA could still create and move the snapshot before the alert is acted upon. Option D is wrong because enabling automatic snapshot encryption does not prevent the DBA from creating a snapshot that is encrypted with a key they can access (e.g., the default AWS managed key), and restricting access to only the database service role does not stop a DBA with elevated IAM permissions from assuming that role or using their own permissions to copy the snapshot to another account.
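The control in option A has two halves that are easy to confuse: a key policy on the CMK that carries an explicit Deny for the DBA role, and an audit that confirms every snapshot is actually encrypted under that CMK and not under a key the DBA could reach (such as the provider's default key). The block below is an added example, not taken from this question bank or from any AWS documentation; the account id, key ARN, role ARNs and snapshot records are constructed placeholders, and which KMS actions RDS invokes on the caller's behalf for each snapshot operation (and therefore exactly which routine DBA tasks remain possible) is an assumption to confirm against the provider's documentation for the region in use.

```python
"""Added example: a KMS key policy with an explicit Deny for the DBA role, a
checker for that Deny, and an audit over constructed RDS snapshot records.
All ARNs, ids and snapshot names are made-up placeholders."""
import fnmatch
from typing import Dict, List, Tuple

ACCOUNT_ID = "111122223333"                                           # placeholder account
CMK_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/11111111-2222-3333-4444-555555555555"  # placeholder
DBA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/DatabaseAdministrator"  # placeholder
ADMIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/KeyAdministrator"     # placeholder
RDS_SERVICE = "rds.us-east-1.amazonaws.com"                            # kms:ViaService value


def build_key_policy() -> Dict:
    """Key policy for the CMK. Key administrators manage the key but never use it
    for data; RDS may use it on behalf of account principals (backups, restores);
    the DBA role is explicitly denied the operations that would let it read
    snapshot data or re-share it under a key it controls."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Administration only: no Encrypt/Decrypt in this list.
                "Sid": "KeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": ADMIN_ROLE_ARN},
                "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                           "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                           "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                           "kms:CancelKeyDeletion"],
                "Resource": "*",
            },
            {   # Use of the key is allowed only when the call comes through RDS.
                "Sid": "AllowUseViaRds",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant"],
                "Resource": "*",
                "Condition": {"StringEquals": {"kms:ViaService": RDS_SERVICE}},
            },
            {   # An explicit Deny overrides any Allow the DBA's own IAM policies carry:
                # no decrypt, no re-encrypt to another key, no grants for cross-account use.
                "Sid": "DenyDbaKeyUse",
                "Effect": "Deny",
                "Principal": {"AWS": DBA_ROLE_ARN},
                "Action": ["kms:Decrypt", "kms:ReEncrypt*", "kms:CreateGrant"],
                "Resource": "*",
            },
        ],
    }


def policy_denies(policy: Dict, principal_arn: str, action: str) -> bool:
    """True if some Deny statement names this principal and matches the action
    (wildcards such as kms:ReEncrypt* are honoured)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        principals = stmt["Principal"].get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if principal_arn in principals and any(fnmatch.fnmatchcase(action, a) for a in actions):
            return True
    return False


# Constructed records in the shape of describe-db-snapshots output (fields used here only).
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "orders-2024-05-01", "SnapshotType": "automated",
     "Encrypted": True, "KmsKeyId": CMK_ARN},
    {"DBSnapshotIdentifier": "orders-manual-copy", "SnapshotType": "manual",
     "Encrypted": True, "KmsKeyId": f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/aaaaaaaa-0000-0000-0000-000000000000"},
    {"DBSnapshotIdentifier": "orders-export", "SnapshotType": "manual",
     "Encrypted": False},
]


def audit_snapshots(snapshots: List[Dict], approved_cmk: str) -> List[Tuple[str, str]]:
    """Flag snapshots that are unencrypted or encrypted under any key other than
    the approved CMK; either one is a snapshot the DBA could copy and read."""
    findings = []
    for snap in snapshots:
        if not snap.get("Encrypted"):
            findings.append((snap["DBSnapshotIdentifier"], "unencrypted"))
        elif snap.get("KmsKeyId") != approved_cmk:
            findings.append((snap["DBSnapshotIdentifier"], "encrypted-with-unapproved-key"))
    return findings


if __name__ == "__main__":
    policy = build_key_policy()
    print("DBA denied kms:Decrypt:", policy_denies(policy, DBA_ROLE_ARN, "kms:Decrypt"))
    for ident, reason in audit_snapshots(SAMPLE_SNAPSHOTS, CMK_ARN):
        print(f"finding: {ident}: {reason}")
```

The audit is the piece that catches the failure mode in the "Exam trap" paragraph: a snapshot that is encrypted, but under the default service key rather than the CMK, passes an "is it encrypted?" check yet falls outside the key policy's Deny, so the check is against the specific approved key, not the Encrypted flag alone.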

300
MCQ · medium

A company runs a multi-tier cloud application with a web frontend, an API layer, and a database. The application uses OAuth 2.0 for authentication. Recently, users have been experiencing session hijacking attacks. Upon investigation, the security team finds that session tokens are being intercepted in transit. The application uses HTTPS for all communications, but a developer discovers that the application is also accessible via HTTP due to a misconfiguration. The team wants to implement additional security controls to prevent token theft. Which course of action should be taken first?

A. Use IP address binding for session tokens
B. Implement HTTP Strict Transport Security (HSTS) to enforce HTTPS connections
C. Switch from OAuth to SAML for authentication
D. Shorten the session token expiration time
Answer: B

HSTS forces browsers to use HTTPS only, eliminating HTTP access and reducing token interception risk.

Why this answer

The root cause is that the application is accessible via HTTP due to a misconfiguration, allowing session tokens to be intercepted in transit despite HTTPS being available. Implementing HTTP Strict Transport Security (HSTS) forces the browser to always use HTTPS, preventing any HTTP connections and thus eliminating the interception vector. This directly addresses the misconfiguration before other controls, which would only mitigate but not prevent the theft.

Exam trap

ISC2 often tests the concept that session hijacking prevention must address the root cause (insecure transport) rather than just mitigating the impact of token theft, leading candidates to choose options like shortening expiration or IP binding instead of enforcing HTTPS with HSTS.

How to eliminate wrong answers

Option A is wrong because binding session tokens to an IP address is a server-side check that can help prevent reuse of a token from a different IP, but it does not prevent the initial interception of the token over HTTP; the token can still be stolen in transit. Option C is wrong because switching from OAuth 2.0 to SAML does not change the transport security issue; both protocols can be used over HTTP and are equally vulnerable to interception if HTTPS is not enforced. Option D is wrong because shortening the session token expiration time reduces the window in which an attacker can use a stolen token, but it does not prevent the token from being intercepted in the first place over an HTTP connection.
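HSTS only closes the vector described above if the plaintext listener is also fixed: browsers ignore a Strict-Transport-Security header received over HTTP, so the HTTP side must do nothing but redirect to the HTTPS origin, and the header must be sent on HTTPS responses with a long enough max-age. The block below is an added example and is not code from this question bank; the host names, token value and captured header sets are constructed, and the one-year minimum max-age is the value the HSTS preload list requires.

```python
"""Added example: the server-side pieces that remove the plaintext-HTTP vector.
An HTTP handler that only redirects, an HTTPS response filter that adds HSTS and
marks the session cookie Secure, and a checker for captured response headers.
Host names, tokens and sample headers are constructed placeholders."""
from typing import Dict, List, Tuple

HSTS_MAX_AGE = 31536000                    # one year, the preload-list minimum
ALLOWED_HOSTS = {"shop.example.com", "api.example.com"}   # placeholder hosts


def redirect_http_to_https(method: str, host: str, target: str) -> Tuple[int, Dict[str, str]]:
    """Response for any request that arrived over plaintext HTTP. Nothing is served;
    the client is sent to the same resource on the HTTPS origin. 301 for GET/HEAD,
    308 otherwise so the method and body are preserved. The Host value is checked
    against an allowlist so the redirect cannot be pointed at an attacker's host.
    No HSTS header is set here: browsers ignore it on non-TLS responses."""
    if host not in ALLOWED_HOSTS:
        return 400, {"Content-Length": "0"}
    status = 301 if method.upper() in ("GET", "HEAD") else 308
    return status, {"Location": f"https://{host}{target}", "Content-Length": "0"}


def harden_https_response(headers: Dict[str, str], cookie_name: str, token: str) -> Dict[str, str]:
    """Add HSTS to an HTTPS response and issue the session cookie with the Secure
    flag, so even a future plaintext request would not carry the token."""
    hardened = dict(headers)
    hardened["Strict-Transport-Security"] = f"max-age={HSTS_MAX_AGE}; includeSubDomains"
    hardened["Set-Cookie"] = f"{cookie_name}={token}; Secure; HttpOnly; SameSite=Lax; Path=/"
    return hardened


def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains' into a directive map;
    directive names are case-insensitive per RFC 6797."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers: Dict[str, str], min_age: int = HSTS_MAX_AGE) -> List[str]:
    """Findings for a captured HTTPS response: header missing, max-age too short
    or invalid, includeSubDomains absent. An empty list means the header is sound."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["Strict-Transport-Security header missing"]
    directives = parse_hsts(value)
    findings: List[str] = []
    age = directives.get("max-age")
    if age is None or not age.isdigit():
        findings.append("max-age directive missing or invalid")
    elif int(age) < min_age:
        findings.append(f"max-age {age} below minimum {min_age}")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing")
    return findings


# Constructed header sets, as a scanner might capture them from the two listeners.
CAPTURED_RESPONSES = {
    "https-before-fix": {"Content-Type": "text/html"},
    "https-short-age": {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"},
}

if __name__ == "__main__":
    print(redirect_http_to_https("GET", "shop.example.com", "/orders?id=7"))
    for name, hdrs in CAPTURED_RESPONSES.items():
        print(name, check_hsts(hdrs))
    print(check_hsts(harden_https_response({"Content-Type": "text/html"}, "sid", "constructed-token")))
```

The check function is the defender's side of the exam point: a scan of the HTTPS origin that reports an empty finding list, together with an HTTP listener that returns only redirects, is the evidence that the misconfiguration in the question has actually been closed.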
