Certified Cloud Security Professional CCSP (CCSP) — Questions 301375

504 questions total · 7 pages · All types, answers revealed

Page 5 of 7
301 · MCQ · medium

A security analyst is investigating a data breach in a cloud environment. The analyst needs to preserve evidence for legal proceedings. Which of the following actions is most critical to ensure the chain of custody is maintained?

A. Calculate cryptographic hashes of all relevant files.
B. Isolate all affected systems from the network to prevent further data loss.
C. Begin a detailed log documenting all actions, timestamps, and personnel involved.
D. Immediately notify senior management and legal counsel.

Answer: C

This is the first step in establishing chain of custody.

Why this answer

Chain of custody requires documenting every transfer of evidence. Option C is correct because starting a log of all actions with timestamps and personnel ensures accountability. Option D is wrong because notifying management is important but not the most critical step for chain of custody.

Option B is wrong because isolating systems can destroy volatile data. Option A is wrong because, while important, hashing alone does not document custody.
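A worked example of the practice this question tests, added here and not part of the question bank: a custody log that records actor, action, timestamp and the SHA-256 of each evidence item, with the entries hash-chained so that a later edit to the log, or to the evidence file itself, is detectable. The log format, the evidence id `EV-001`, and the sample file contents are constructed for the example; the chaining scheme is an assumption, not a prescribed standard.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Hypothetical custody-log layout (constructed for this example): each entry
# records who did what to which evidence item and when, plus the item's
# SHA-256. entry_hash covers the entry and the previous entry's hash, so the
# log forms a chain that breaks if any earlier entry is altered.


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_digest(entry):
    """Canonical digest of one entry (sorted keys, no whitespace) for chaining."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append_entry(log, actor, action, evidence_id, path, note=""):
    """Append a custody entry for the file at `path` and return it."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "evidence_id": evidence_id,
        "sha256": sha256_file(path),
        "note": note,
        "prev_hash": prev,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify_log(log, current_paths):
    """Return a list of problems: broken chain links, or evidence whose hash changed."""
    problems = []
    prev = "0" * 64
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev_hash"] != prev or entry_digest(body) != e["entry_hash"]:
            problems.append(f"entry {i}: chain broken")
        prev = e["entry_hash"]
    latest = {e["evidence_id"]: e["sha256"] for e in log}  # last recorded hash per item
    for evidence_id, path in current_paths.items():
        if evidence_id in latest and sha256_file(path) != latest[evidence_id]:
            problems.append(f"{evidence_id}: content hash changed since last log entry")
    return problems


def demo():
    """Constructed scenario: acquire, hand over, then detect two kinds of tampering."""
    tmp = Path(tempfile.mkdtemp())
    evidence = tmp / "access.log"
    evidence.write_bytes(b"2024-01-01T00:00:00Z GET /admin 200\n")  # constructed sample
    log = []
    append_entry(log, "analyst1", "acquired", "EV-001", evidence, "copied from bucket snapshot")
    append_entry(log, "analyst1", "transferred to analyst2", "EV-001", evidence)
    results = {"clean": verify_log(log, {"EV-001": evidence})}
    # Edit an earlier entry after the fact: its digest no longer matches.
    log[0]["actor"] = "someone-else"
    results["log_tampered"] = verify_log(log, {"EV-001": evidence})
    log[0]["actor"] = "analyst1"
    # Modify the evidence file: its hash no longer matches the last entry.
    evidence.write_bytes(b"tampered\n")
    results["file_tampered"] = verify_log(log, {"EV-001": evidence})
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hashes (option A) are recorded inside the log rather than instead of it: the log is what shows who held the evidence and when, and the hash lets any later reader confirm that the item they hold is the one the log describes.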

302 · Multi-Select · easy

Which TWO data lifecycle stages are most critical for applying encryption controls in a cloud object storage service? (Choose two.)

Select 2 answers
A. Data in transit
B. Data in use
C. Data deletion
D. Data at rest
E. Data creation

Answers: A, D

Encryption protects data during API calls.

Why this answer

At rest and in transit are the lifecycle stages where encryption is typically applied. In use is not fully supported by object storage. Creation and deletion are events, not states.

303 · MCQ · hard

A multinational corporation is deploying a containerized microservices application on a public cloud Kubernetes cluster. The cluster spans three availability zones in a single region. The application consists of a front-end service, a payment service, and a database service. The security team requires that the payment service must not be directly accessible from the internet, but must be accessible from the front-end service. The database must only be accessible from the payment service. Additionally, all inter-service communication must be encrypted, and the cluster must be able to scale up to 500 nodes during peak load. The cloud provider's container orchestration service is used. After deployment, the security team discovers that the payment service is still reachable from the internet via a public load balancer that was configured for testing. The team needs to remediate this issue immediately without disrupting the front-end service. Which of the following actions should the team take FIRST?

A. Change the payment service type from LoadBalancer to ClusterIP and update the front-end configuration.
B. Implement a Kubernetes NetworkPolicy that denies ingress to the payment service pods from all sources except the front-end service's pod label.
C. Delete the public load balancer that was used for testing.
D. Apply a security group to the node instances to block inbound traffic on the payment service port.

Answer: B

This immediately restricts access to only the front-end service, without changing the service type or affecting other components.

Why this answer

Option B is correct because a Kubernetes NetworkPolicy can enforce fine-grained ingress rules at the pod level, allowing only traffic from the front-end service's pod label to reach the payment service pods. This directly addresses the requirement to block internet access while preserving front-end-to-payment communication, without modifying the service type or disrupting the front-end service. NetworkPolicies operate at Layer 3/4 and are native to Kubernetes, making them the immediate and precise remediation.

Exam trap

ISC2 often tests the misconception that deleting the load balancer (Option C) is the first step, but the trap is that this ignores the need to maintain front-end-to-payment connectivity and the fact that a NetworkPolicy can immediately block internet traffic without removing the load balancer resource itself.

How to eliminate wrong answers

Option A is wrong because changing the payment service type from LoadBalancer to ClusterIP would remove the public load balancer but also require updating the front-end configuration to point to the new ClusterIP, which could disrupt the front-end service during the transition; it also does not address the immediate need to block internet access without disruption. Option C is wrong because deleting the public load balancer would stop internet traffic but does not ensure that the payment service remains accessible from the front-end service, and it may cause downtime if the load balancer is still referenced; it also does not provide a scalable, policy-based solution. Option D is wrong because applying a security group to the node instances blocks traffic at the infrastructure level, which is coarse-grained and does not account for Kubernetes pod IPs that may change with scaling; it also does not differentiate between traffic from the front-end service and other internal sources, potentially breaking legitimate inter-service communication.

304 · Multi-Select · medium

Which TWO of the following are effective strategies for protecting sensitive data in a public cloud environment?

Select 2 answers
A. Using the same encryption key for all data to simplify key management.
B. Storing encryption keys in the same storage bucket as the encrypted data.
C. Consolidating all sensitive data into a single storage bucket for easier management.
D. Data masking to obscure sensitive fields in non-production environments.
E. Tokenization to replace sensitive data with non-sensitive placeholders.

Answers: D, E

Correct. Data masking protects data in development and testing.

Why this answer

D (data masking) and E (tokenization) are both common techniques. B (storing encryption keys with the data) is insecure. C (storing all data in one bucket) violates least privilege. A (using the same key for all data) is poor practice.

305 · MCQ · medium

A company wants to encrypt data at rest in a cloud object storage service. They require that the cloud provider has no access to the encryption keys. Which key management approach should they use?

A. Server-side encryption with customer-managed keys stored in a cloud HSM
B. Client-side encryption
C. Server-side encryption with cloud-managed keys
D. Server-side encryption with envelope encryption

Answer: B

Encryption happens on the client side; cloud provider never sees the keys.

Why this answer

Client-side encryption (B) is the correct approach because the data is encrypted before it is sent to the cloud provider, ensuring that the cloud provider never has access to the plaintext data or the encryption keys. With server-side encryption, even if the keys are customer-managed and stored in a cloud HSM (A), the encryption and decryption operations occur on the provider's infrastructure, meaning the provider's software stack could theoretically access the keys or plaintext. Options C and D also involve server-side operations, where the cloud provider manages or processes the keys, violating the requirement that the provider has no access to the keys.

Exam trap

The trap here is that candidates confuse 'customer-managed keys' (CMK) with 'client-side encryption,' assuming that storing keys in a cloud HSM (A) prevents provider access, but the CCSP exam emphasizes that server-side encryption inherently involves the provider's infrastructure in the encryption process, which violates the 'no access' requirement.

How to eliminate wrong answers

Option A is wrong because server-side encryption with customer-managed keys stored in a cloud HSM still requires the cloud provider's infrastructure to perform the encryption/decryption operations, and the provider's HSM service may have administrative access to the keys. Option C is wrong because server-side encryption with cloud-managed keys explicitly gives the cloud provider full control over the keys, directly violating the requirement. Option D is wrong because server-side encryption with envelope encryption still involves the cloud provider managing the key encryption key (KEK) and performing the encryption/decryption on its servers, so the provider retains access to the data encryption key (DEK) during processing.

306 · MCQ · hard

A large enterprise is migrating its data center workloads to a public cloud. The security policy requires that all sensitive data stored in cloud storage services be encrypted with keys managed by the enterprise's on-premises HSM. The cloud storage service offers server-side encryption with customer-provided keys (SSE-C). However, compliance regulations prohibit the transmission of encryption keys over the public internet. The enterprise also has a dedicated network connection to the cloud provider (e.g., AWS Direct Connect). The security team is considering several options. Which solution meets all requirements: (1) data encrypted at rest on the cloud service, (2) keys controlled by the enterprise, (3) keys never transmitted over the internet?

A. Use a cloud-based HSM (e.g., AWS CloudHSM) and keep the key material in the cloud HSM.
B. Use SSE-C with the enterprise's HSM, sending keys over the dedicated connection (Direct Connect) as it is private.
C. Use server-side encryption with KMS using an imported key material protected by the enterprise's HSM, accessed via KMS API over the dedicated connection.
D. Use client-side encryption on-premises before uploading data, using keys from the HSM.

Answer: D

Keys never leave the on-premises HSM; only encrypted data is sent.

Why this answer

Option D is correct because client-side encryption encrypts data on-premises using keys from the enterprise's HSM before the data is ever transmitted to the cloud. This ensures the data is encrypted at rest in the cloud, the enterprise retains full control of the keys, and the keys never traverse any network—public or private—to the cloud provider. The dedicated connection (Direct Connect) is irrelevant for key transmission since the keys never leave the on-premises HSM.

Exam trap

ISC2 often tests the misconception that a private or dedicated network connection (like Direct Connect) satisfies a 'no transmission over the internet' requirement, but the trap here is that the regulation prohibits any network transmission of keys, not just over the public internet, so even a private link is disallowed if keys are sent over it.

How to eliminate wrong answers

Option A is wrong because using a cloud-based HSM (e.g., AWS CloudHSM) means the key material is stored and managed within the cloud provider's environment, not controlled exclusively by the enterprise's on-premises HSM, violating the requirement that keys be managed by the enterprise's on-premises HSM. Option B is wrong because SSE-C requires the customer to provide the encryption key with each API call (e.g., PUT Object); even though the dedicated connection (Direct Connect) is private, the key is still transmitted over a network, which the compliance regulations prohibit (the regulation forbids transmission over any network, not just the public internet). Option C is wrong because using KMS with imported key material still requires the key to be transmitted to the KMS service via API calls over the dedicated connection, and the KMS service itself stores and manages the key, not the enterprise's on-premises HSM; the enterprise loses direct control and the key is transmitted over the network.

307 · Multi-Select · easy

A cloud security team is auditing a cloud environment and needs to ensure compliance with logging requirements. Which TWO actions are essential? (Choose two.)

Select 2 answers
A. Store logs in a publicly accessible bucket.
B. Allow users to modify logs.
C. Encrypt logs at rest.
D. Enable CloudTrail (or equivalent) for all regions.
E. Delete logs after 30 days.

Answers: C, D

Encryption protects log data at rest.

Why this answer

Encrypting logs at rest (Option C) is essential to protect sensitive audit data from unauthorized access if the storage medium is compromised. Cloud providers like AWS offer server-side encryption (SSE-S3 or SSE-KMS) for log buckets, ensuring compliance with standards such as SOC 2, PCI DSS, and ISO 27001. Without encryption, logs could be read by anyone with physical or administrative access to the storage infrastructure.

Exam trap

ISC2 often tests the misconception that deleting logs after a short period is a security best practice, but the trap is that compliance mandates specific retention durations, and premature deletion can lead to audit failures.

308 · MCQ · easy

A company wants to ensure that its cloud infrastructure can automatically add capacity during traffic spikes and remove capacity during low demand. Which cloud characteristic is primarily needed?

A. Broad network access
B. Measured service
C. Rapid elasticity
D. Resource pooling

Answer: C

Correct: Allows automatic scaling of resources.

Why this answer

Rapid elasticity is the cloud characteristic that enables automatic scaling of resources up or down in response to demand, often leveraging orchestration tools like AWS Auto Scaling or Azure VM Scale Sets. This ensures that capacity matches workload spikes and troughs without manual intervention, directly addressing the requirement for dynamic capacity adjustment.

Exam trap

ISC2 often tests the distinction between rapid elasticity and resource pooling, where candidates mistakenly think that sharing resources (pooling) inherently enables scaling, but pooling is about multi-tenancy, not dynamic capacity adjustment.

How to eliminate wrong answers

Option A is wrong because broad network access refers to the ability to access cloud services over standard network protocols (e.g., HTTPS, SSH) from various devices, not the dynamic scaling of resources. Option B is wrong because measured service involves metering and billing based on usage (e.g., per-hour or per-GB charges), not the automatic adjustment of capacity. Option D is wrong because resource pooling describes the multi-tenant model where physical resources are shared among multiple customers using virtualization, not the elasticity to scale resources on demand.

309 · MCQ · medium

A cloud security team is investigating a data breach in their AWS environment. The logs show that an EC2 instance with an attached IAM role was compromised. The attacker used the instance's temporary credentials to access an S3 bucket containing sensitive data. Which design change would BEST prevent this type of attack in the future?

A. Implement a network ACL that denies all outbound traffic from the EC2 instance to the S3 service.
B. Enable IMDSv2 with a hop limit of 1 on the EC2 instance.
C. Restrict S3 bucket access to the EC2 instance's private IP address only.
D. Disable public access on the S3 bucket using a bucket policy.

Answer: B

IMDSv2 with hop limit 1 prevents the attacker from using the instance as a proxy to retrieve credentials.

Why this answer

Option B is correct because enabling IMDSv2 with a hop limit of 1 forces the EC2 instance to use a session-oriented method to retrieve temporary credentials from the Instance Metadata Service (IMDS). This prevents SSRF attacks or other techniques that trick the instance into leaking its IAM role credentials, as the attacker would need to be on the instance itself to obtain the token. By setting the hop limit to 1, the metadata response is not forwarded beyond the instance's network interface, blocking remote access to the credentials.

Exam trap

ISC2 often tests the distinction between IMDSv1 (which is vulnerable to SSRF) and IMDSv2 with hop limit enforcement, and the trap here is that candidates mistakenly choose network-level controls (like NACLs or IP restrictions) instead of addressing the metadata service vulnerability that directly enables credential theft.

How to eliminate wrong answers

Option A is wrong because a network ACL denying all outbound traffic to S3 would block legitimate access from the EC2 instance to S3, breaking functionality, and does not address the root cause of credential theft from the instance metadata service. Option C is wrong because S3 bucket policies cannot restrict access based on the EC2 instance's private IP address; S3 uses source IP conditions, but private IPs are not routable over the internet and this approach would not prevent an attacker from using the stolen credentials from another location. Option D is wrong because disabling public access on the S3 bucket does not prevent an attacker who has valid temporary credentials from accessing the bucket; the attacker is using the instance's IAM role permissions, not public access.

310 · MCQ · hard

An organization has a cloud environment with many accounts. They want to prevent any account from using certain services that are not approved (e.g., outside of a defined list). What is the BEST way to enforce this at the organizational level?

A. Configure each account's IAM policy to deny the services.
B. Enable AWS Config rules to detect and disable non-approved services.
C. Apply a service control policy (SCP) that denies the services.
D. Use resource-based policies on each resource to restrict usage.

Answer: C

SCPs are applied at the OU or account level and cannot be overridden by account admins.

Why this answer

Service Control Policies (SCPs) are the correct mechanism because they operate at the organizational level in AWS Organizations, allowing you to centrally define a whitelist or blacklist of services for all member accounts. Unlike IAM policies, SCPs set a permissions boundary that cannot be overridden by account administrators, ensuring that non-approved services are denied across the entire organization. This provides a preventive control that blocks the use of prohibited services before any action can occur.

Exam trap

The trap here is that candidates confuse detective controls (like AWS Config) with preventive controls (like SCPs), or assume that IAM policies applied per account can achieve the same centralized enforcement, missing the fact that SCPs are the only mechanism that cannot be bypassed by account-level administrators.

How to eliminate wrong answers

Option A is wrong because configuring each account's IAM policy individually is not an organizational-level enforcement; it is decentralized, error-prone, and can be overridden by account administrators with full IAM permissions. Option B is wrong because AWS Config rules are detective controls that can only detect and report non-compliant resources, not prevent their creation or usage; they cannot disable services in real time. Option D is wrong because resource-based policies are attached to individual resources (e.g., S3 buckets, KMS keys) and cannot restrict the use of entire services or apply at the organizational level across all accounts.

311 · Multi-Select · medium

A cloud security team is implementing a data discovery and classification program for their SaaS applications. Which TWO statements accurately describe best practices for data classification in the cloud?

Select 2 answers
A. Manual classification by users is more accurate than automated methods in large-scale cloud environments.
B. Tokenization can replace data classification by eliminating the need to identify sensitive data.
C. Automated tools can scan cloud storage and apply classification labels based on content inspection.
D. Data loss prevention (DLP) policies can enforce classification by monitoring and controlling data in motion and at rest.
E. Data classification labels must be applied by the cloud service provider to ensure consistency.

Answers: C, D

Correct: Automated tools are effective for identifying and labeling sensitive data across cloud environments.

Why this answer

Automated tools can efficiently scan cloud storage for sensitive data, and DLP policies can enforce classification during data usage. Manual classification is not more accurate than automated for large-scale cloud data, classification labels are not solely applied by the provider, and tokenization is a separate technique.

312 · MCQ · medium

A company's security team is investigating an anomalous spike in outbound traffic from a cloud workload. The workload is a web server running in an IaaS environment. The team suspects data exfiltration. Which of the following is the BEST initial step to identify the source and type of traffic?

A. Immediately isolate the workload by blocking all outbound traffic in the security group.
B. Deploy a host-based intrusion detection system (HIDS) agent on the workload.
C. Run a vulnerability scanner against the workload to identify possible entry points.
D. Enable VPC flow logs for the subnet hosting the workload and analyze the logs.

Answer: D

VPC flow logs provide network-level visibility and can quickly show anomalous outbound connections without requiring agent installation.

Why this answer

Option D is correct because VPC flow logs capture metadata about all IP traffic to and from network interfaces in a subnet, including source/destination IPs, ports, protocols, and packet/byte counts. Analyzing these logs allows the security team to identify the external destination IPs and ports involved in the anomalous outbound traffic, which is the fastest way to pinpoint the source workload and characterize the exfiltration pattern without disrupting service or requiring agent deployment.

Exam trap

ISC2 often tests the distinction between investigative actions and reactive containment; the trap here is that candidates may choose immediate isolation (Option A) as a 'best first step' when the question explicitly asks for the step to 'identify the source and type of traffic,' not to stop it.

How to eliminate wrong answers

Option A is wrong because immediately blocking all outbound traffic via security group is a reactive containment step, not an investigative one; it would halt all egress, potentially breaking legitimate services and destroying forensic evidence of the exfiltration path. Option B is wrong because deploying a HIDS agent is a proactive monitoring measure that requires installation time and may not capture the current traffic burst; it also does not provide immediate visibility into the network-level flow details needed to identify the exfiltration destination. Option C is wrong because running a vulnerability scanner identifies potential entry points but does not reveal current outbound traffic patterns or the specific data being exfiltrated; it is a post-incident forensic step, not an initial investigative action.
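The analysis step the explanation describes, as an added example that is not part of the question bank: parse VPC flow log records in the default field order (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), keep only accepted flows that leave the VPC, and rank external destinations by bytes sent so the exfiltration endpoint stands out. The VPC CIDR `10.0.0.0/16`, the byte threshold, and the sample log lines are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Default VPC flow log fields, in order (space-separated in the raw record).
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]

# Constructed sample records: a web server (10.0.1.25) answering a client on
# port 80, being refused an SSH attempt, and pushing ~14 MB to 203.0.113.7:443.
# The last line is a NODATA record, which carries no addresses.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.7 44321 443 6 5200 7340032 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.7 44322 443 6 4800 6815744 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.25 51000 80 6 40 6200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.4 80 51000 6 38 45000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 192.0.2.9 33000 22 6 12 1200 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Turn raw flow log lines into dicts; skip malformed and NODATA/SKIPDATA lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no address or byte fields to analyse
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def outbound_by_destination(records, vpc_cidr):
    """Sum accepted traffic that originates inside the VPC and ends outside it."""
    net = ipaddress.ip_network(vpc_cidr)
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0, "flows": 0, "sources": set()})
    for r in records:
        if r["action"] != "ACCEPT":
            continue
        src = ipaddress.ip_address(r["srcaddr"])
        dst = ipaddress.ip_address(r["dstaddr"])
        if src in net and dst not in net:
            t = totals[(r["dstaddr"], r["dstport"], r["protocol"])]
            t["bytes"] += r["bytes"]
            t["packets"] += r["packets"]
            t["flows"] += 1
            t["sources"].add(r["srcaddr"])
    return totals


def top_talkers(text, vpc_cidr, min_bytes=1_000_000):
    """External destinations receiving at least min_bytes, largest first.

    Each row is (dstaddr, dstport, protocol, bytes, packets, [internal sources]).
    Protocol numbers follow IANA (6 = TCP, 17 = UDP).
    """
    totals = outbound_by_destination(parse_flow_log(text), vpc_cidr)
    rows = [
        (dst, port, proto, t["bytes"], t["packets"], sorted(t["sources"]))
        for (dst, port, proto), t in totals.items()
        if t["bytes"] >= min_bytes
    ]
    rows.sort(key=lambda row: row[3], reverse=True)
    return rows


if __name__ == "__main__":
    for row in top_talkers(SAMPLE, "10.0.0.0/16"):
        print(row)
```

The threshold is deliberately crude; in practice the same aggregation is compared against a baseline window for the same interface, and the web server's own HTTP responses (the 45 kB flow back to 198.51.100.4 here) are what a normal outbound profile looks like.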

313 · MCQ · medium

A cloud operations team manages a critical application on AWS that uses EC2 instances behind an Application Load Balancer (ALB). The application experiences occasional high latency and timeout errors. The team has enabled detailed monitoring and CloudWatch Logs. They notice that during peak hours, the CPU utilization on some instances reaches 95%, while others remain around 40%. The security group allows traffic from a wide range of IP addresses. The team needs to improve both performance and security. Which of the following actions would BEST address the performance imbalance and also enhance security posture?

A. Schedule a periodic cron job to launch additional instances during expected peak hours and configure the ALB to use sticky sessions.
B. Create an auto scaling group with a dynamic scaling policy based on average CPU utilization, change the ALB to a Network Load Balancer for lower latency, and restrict the security group rules to the minimal required IP addresses.
C. Increase the instance size to a larger type that can handle peak loads and reduce the security group to allow only known IP ranges.
D. Replace the ALB with a Classic Load Balancer and configure it to use round-robin routing without health checks to balance traffic quickly.

Answer: B

Dynamic auto scaling adjusts capacity based on load, NLB provides lower latency, and restricting security groups enhances security.

Why this answer

Option B is correct because implementing an auto scaling policy based on CPU and swapping the ALB for a Network Load Balancer (NLB) for better performance, combined with tightening security group rules, addresses both issues. Option C is wrong because increasing instance size is not a dynamic solution and does not help with the imbalance. Option A is wrong because scheduling scaling based on time may not align with unpredictable traffic.

Option D is wrong because a Classic Load Balancer is older and less capable; also, round-robin without considering load may not fix the imbalance.

314 · MCQ · medium

A company is designing a data retention policy for cloud storage. Regulatory requirements mandate that certain records be kept for 7 years and then securely destroyed. Which combination of controls should be used?

A. Lifecycle policy and secure deletion
B. Data masking and encryption
C. Versioning and MFA delete
D. Lifecycle policy and object lock

Answer: A

Lifecycle policy automates deletion; cloud providers ensure secure deletion.

Why this answer

A lifecycle policy automates the transition and expiration of objects, allowing you to set a rule to delete objects after 7 years. Secure deletion (e.g., overwriting or cryptographic erasure) ensures the data is irrecoverable, meeting the regulatory requirement for secure destruction. Together, they provide a fully automated, auditable process for retention and destruction.

Exam trap

ISC2 often tests the distinction between 'preventing deletion' (object lock) and 'ensuring secure destruction' (secure deletion), leading candidates to choose object lock because it sounds like it handles retention, but it does not guarantee irrecoverable deletion after the retention period ends.

How to eliminate wrong answers

Option B is wrong because data masking and encryption protect data at rest or in use but do not automate deletion or ensure secure destruction after a retention period. Option C is wrong because versioning preserves multiple versions of an object, which could prevent complete deletion, and MFA delete only adds an extra authentication step to deletion operations, not secure destruction. Option D is wrong because object lock enforces a write-once-read-many (WORM) model that prevents deletion or modification during a retention period, but it does not provide secure deletion (e.g., overwriting or cryptographic erasure) after the lock expires; it only allows normal deletion, which may leave recoverable data.

315 · Matching · medium

Match each cloud security tool to its primary purpose.


Concepts
Matches

Cloud security posture management

Cloud workload protection platform

Cloud access security broker

Security information and event management

Why these pairings

These tools address different aspects of cloud security; CSPM focuses on configuration, CWPP on workloads.

316 · MCQ · medium

A security team is implementing a web application firewall (WAF) for a cloud-based e-commerce application. The application is built on a microservices architecture and uses a RESTful API. Which of the following is the PRIMARY reason to deploy the WAF at the API gateway level rather than at the individual service level?

A. To provide centralized protection against common web exploits before traffic reaches the microservices.
B. To reduce latency by caching responses at the API gateway.
C. To offload authentication from the microservices to the API gateway.
D. To monitor API usage and detect anomalies in traffic patterns.

Answer: A

Centralized WAF at the API gateway ensures consistent policy enforcement and reduces attack surface.

Why this answer

Deploying the WAF at the API gateway provides a centralized security enforcement point that inspects and filters all incoming HTTP/HTTPS traffic before it is routed to any individual microservice. This ensures that common web exploits—such as SQL injection, cross-site scripting (XSS), and OWASP Top 10 attacks—are blocked at the perimeter, reducing the attack surface and preventing malicious payloads from ever reaching the internal services. It also simplifies policy management and avoids the need to configure and maintain separate WAF instances for each microservice, which would introduce operational complexity and potential gaps in coverage.

Exam trap

The trap here is that candidates confuse the WAF's primary security purpose (centralized exploit prevention) with other common API gateway features like caching, authentication offloading, or traffic monitoring, leading them to select a technically valid but non-primary reason for WAF placement.

How to eliminate wrong answers

Option B is wrong because caching responses at the API gateway is a performance optimization, not a primary security reason for deploying a WAF; WAFs do not inherently cache responses, and caching is typically handled by a separate reverse proxy or CDN. Option C is wrong because offloading authentication to the API gateway is an identity and access management function, not a WAF function; while an API gateway can handle authentication, a WAF's primary role is to inspect and filter traffic for malicious content, not to authenticate users. Option D is wrong because monitoring API usage and detecting anomalies in traffic patterns is typically the responsibility of an API management platform or a dedicated security analytics tool, not the core function of a WAF; a WAF focuses on blocking known attack signatures and behavioral anomalies, but its primary deployment reason is centralized threat protection, not monitoring alone.

317 · MCQ · medium

A healthcare provider is subject to HIPAA regulations. They are planning to use a public cloud provider. Which design consideration is most important to ensure compliance?

A. Containerization
B. Cost optimization
C. Multi-cloud strategy
D. Data residency

Answer: D

Data residency ensures data is stored in approved locations, meeting HIPAA requirements.

Why this answer

Data residency is the most critical design consideration for a healthcare provider subject to HIPAA when using a public cloud, because HIPAA requires that protected health information (PHI) be stored and processed only in jurisdictions where the cloud provider can guarantee compliance with the HIPAA Privacy and Security Rules. If the cloud provider replicates data across regions or countries without explicit control, the organization may violate the HIPAA requirement to ensure that PHI is not exposed to unauthorized access or disclosure, and may also breach the Breach Notification Rule if data crosses borders into regions with weaker protections.

Exam trap

ISC2 often tests the misconception that technical controls like containerization or multi-cloud strategies are primary compliance tools, when in reality, foundational legal and geographic controls like data residency are the first and most critical step for regulated data in the cloud.

How to eliminate wrong answers

Option A is wrong because containerization (e.g., Docker, Kubernetes) is a deployment and isolation technology that does not inherently address data location, access controls, or compliance with HIPAA's administrative, physical, and technical safeguards; it is a means to package applications, not a compliance mechanism. Option B is wrong because cost optimization focuses on reducing cloud spending, which is irrelevant to HIPAA's core requirements for protecting PHI; prioritizing cost over compliance could lead to using cheaper, non-compliant storage or processing regions. Option C is wrong because a multi-cloud strategy involves using multiple cloud providers, which can increase complexity and risk of non-compliance if data residency and data flow across providers are not meticulously controlled; it does not directly ensure that PHI remains in compliant jurisdictions.

318
Multi-Select · easy

Which TWO of the following are valid data states that must be protected in cloud computing?

Select 2 answers
A. Data encryption
B. Data at rest
C. Data in transit
D. Data integrity
E. Data in database
Answers: B, C

Data at rest is a standard state requiring protection.

Why this answer

In cloud computing, data exists in three primary states: at rest (stored on disk or in memory), in transit (moving across networks), and in use (being processed). The CCSP exam specifically identifies 'data at rest' and 'data in transit' as the two fundamental data states that require protection through encryption, access controls, and integrity mechanisms. Option B is correct because data at rest refers to inactive data stored physically on any digital device, such as databases, backups, or archives, and must be safeguarded against unauthorized access or theft.

Exam trap

ISC2 often tests the distinction between security controls (like encryption or integrity) and the actual data states that must be protected, causing candidates to confuse a protection mechanism with a state classification.

319
Multi-Select · hard

A company is implementing a cloud risk management program. Which THREE of the following are essential components of a risk assessment according to NIST SP 800-30?

Select 3 answers
A. Control implementation
B. Risk determination
C. Threat identification
D. Impact analysis
E. Vulnerability scanning
Answers: B, C, D

Determining risk level based on likelihood and impact is an essential component.

Why this answer

NIST SP 800-30 risk assessment includes threat identification, impact analysis, and risk determination. Vulnerability scanning is a method used to identify vulnerabilities, not a component of the assessment itself. Control implementation is part of risk mitigation.

320
MCQ · medium

A multinational corporation operates across multiple cloud providers (AWS, Azure, GCP) and uses a variety of data storage services. They have a requirement to enforce a consistent encryption policy across all providers: all data at rest must be encrypted using a centrally managed key that is rotated every 90 days. The cloud security team is evaluating different key management solutions. They want to minimize operational overhead and avoid vendor lock-in. The team has experience with configuring cloud-native key management services (KMS) but is concerned about managing keys across different regions and providers. Which solution best meets the requirements?

A. Deploy a third-party cloud-agnostic key management solution that supports BYOK and integrates with all providers' KMS
B. Use each cloud provider's native KMS and create identical key policies manually
C. Store the key in an internal secrets manager and configure each provider's KMS to use that key as a root key
D. Implement client-side encryption using a single master key stored in the application configuration
Answer: A

Centralized policy management, consistent enforcement, and reduced vendor lock-in.

Why this answer

Option A is correct because a third-party cloud-agnostic key management solution (e.g., HashiCorp Vault, Thales CipherTrust) that supports Bring Your Own Key (BYOK) allows the organization to centrally manage and rotate a single root key every 90 days, while integrating with each provider's native KMS via external key stores (e.g., AWS KMS custom key store, Azure Key Vault managed HSM, GCP Cloud HSM). This minimizes operational overhead by avoiding manual per-provider policy replication and prevents vendor lock-in by decoupling key management from any single cloud provider's proprietary KMS.

Exam trap

ISC2 often tests the misconception that cloud-native KMS services can be centrally managed by simply replicating policies or using an internal secrets manager as a root key, but the trap is that cloud KMS does not allow external key material to be used as a root key for automatic rotation across providers—only a third-party agnostic solution with BYOK can enforce consistent, centrally controlled rotation.

How to eliminate wrong answers

Option B is wrong because manually creating identical key policies across AWS, Azure, and GCP KMS does not centralize key management; each provider's KMS would still use its own independent key material, making consistent rotation every 90 days operationally complex and error-prone. Option C is wrong because storing the key in an internal secrets manager and configuring each provider's KMS to use that key as a root key is technically infeasible—cloud-native KMS services do not accept external keys as root keys; they require keys to be imported as customer-managed keys (CMKs) but still manage them independently, and the secrets manager cannot enforce rotation across all providers' KMS. Option D is wrong because client-side encryption using a single master key stored in application configuration violates the requirement for centrally managed key rotation (the key would be static in config files) and introduces significant security risks, such as key exposure in code repositories or configuration management systems.

321
MCQ · hard

A multi-tier web application is deployed across two VPCs connected via VPC peering. The web tier in VPC A must communicate with the database tier in VPC B on port 3306. Security groups are used for instance-level security. Which security group configuration is MOST secure?

A. In the database security group, add an inbound rule allowing TCP/3306 from the security group ID of the web servers.
B. Configure a VPN connection between VPCs and use route tables to direct traffic.
C. In the network ACL for VPC B's subnet, add an inbound rule allowing TCP/3306 from VPC A CIDR.
D. In the database security group, add an inbound rule allowing TCP/3306 from the VPC A CIDR.
Answer: A

Security group referencing ensures only instances in the web security group can connect.

Why this answer

The most secure approach is to allow inbound traffic to the database security group from the web server security group by referencing its ID (security group ID). This ensures that only instances in the web server security group can reach the database, regardless of IP changes. Option A is less secure because any instance in the CIDR range could connect.

Option B is correct. Options C and D involve network ACLs or routing, which are not instance-level.

322
MCQ · medium

A cloud customer wants to ensure that their data is not accessible to the cloud provider's employees. Which of the following controls would best address this requirement?

A. Enable detailed audit logging of all data access.
B. Implement strict IAM policies for CSP employees.
C. Encrypt data client-side before uploading to the cloud.
D. Enable server-side encryption with customer-provided keys.
Answer: C

Client-side encryption ensures only the customer holds the decryption keys.

Why this answer

Client-side encryption ensures that data is encrypted before it leaves the customer's environment, so the cloud provider never has access to the plaintext or the encryption keys. This means that even if a cloud provider employee gains administrative access to the storage infrastructure, they can only retrieve ciphertext, which is useless without the customer-held keys. This control directly addresses the requirement of preventing the provider's employees from accessing the data.

Exam trap

ISC2 often tests the distinction between client-side encryption and server-side encryption with customer-provided keys (SSE-C), where candidates mistakenly think SSE-C gives the customer full control over key access, but the provider's server still handles the plaintext during encryption/decryption.

How to eliminate wrong answers

Option A is wrong because audit logging only records who accessed data and when, but does not prevent access by cloud provider employees. Option B is wrong because IAM policies for CSP employees are managed by the provider, not the customer, and the customer cannot enforce or verify those policies to guarantee data inaccessibility. Option D is wrong because server-side encryption with customer-provided keys (SSE-C) still involves the cloud provider's server performing the encryption/decryption, meaning the plaintext is exposed to the provider's infrastructure during processing, and the provider's employees could potentially access the data if they have administrative privileges to the key management or storage systems.

323
MCQ · medium

A financial services company is migrating to the cloud and must retain transaction records for seven years for regulatory compliance. They plan to use object storage with lifecycle policies. What is the most secure configuration for long-term data retention?

A. Configure a lifecycle policy to transition to archive storage after seven years
B. Enable object lock with retention mode set to compliance
C. Store objects in write-once-read-many (WORM) storage class
D. Use server-side encryption with KMS key
Answer: B

Compliance lock prevents any deletion or modification until the retention period expires.

Why this answer

Option B is correct because Object Lock with compliance retention mode provides the strongest guarantee against data modification or deletion, even by root users. This mode ensures that once an object is written, it cannot be overwritten or deleted until the retention period expires, which is critical for meeting the seven-year regulatory retention requirement. Unlike other options, compliance mode enforces a legal hold that cannot be removed by any user, including cloud administrators, making it the most secure configuration for immutable long-term retention.

Exam trap

ISC2 often tests the distinction between data protection mechanisms (encryption, lifecycle policies) and data immutability (Object Lock with compliance mode), leading candidates to choose encryption or archive transitions as sufficient for retention requirements.

How to eliminate wrong answers

Option A is wrong because transitioning to archive storage after seven years does not prevent deletion or modification during the retention period; lifecycle policies only move data between tiers but do not enforce immutability, so records could be altered or deleted before the seven-year mark. Option C is wrong because while WORM storage classes (e.g., S3 Glacier Instant Retrieval with Object Lock) can provide immutability, the term 'WORM storage class' is ambiguous and not a specific service; the correct implementation requires Object Lock with a retention mode, not just a storage class. Option D is wrong because server-side encryption with KMS key protects data at rest and in transit but does not prevent deletion or overwriting of objects; encryption alone does not enforce retention or immutability, so records could still be deleted before seven years.

324
MCQ · medium

A company uses a cloud database that stores customer financial information. To ensure compliance with PCI DSS, which control is required?

A. Encryption of cardholder data stored in the database
B. Network segmentation between the database and other systems
C. Annual external vulnerability scans of the database
D. Multi-factor authentication for database administrators
Answer: A

PCI DSS requires encryption of stored cardholder data.

Why this answer

PCI DSS Requirement 3.4 specifically mandates that stored cardholder data must be rendered unreadable anywhere it is stored, including in cloud databases. Encryption at rest (e.g., AES-256) is the primary control to achieve this, as it directly protects the confidentiality of Primary Account Numbers (PANs) if the storage layer is compromised. Without encryption, the data remains in clear text, violating PCI DSS compliance.

Exam trap

ISC2 often tests the distinction between required controls (e.g., encryption for data at rest) and recommended or supporting controls (e.g., network segmentation, MFA, vulnerability scans), leading candidates to pick a broader security measure that is not the specific PCI DSS mandate for stored data.

How to eliminate wrong answers

Option B is wrong because network segmentation is a recommended security practice (PCI DSS Requirement 1) but is not a required control specifically for stored data; it addresses scope reduction, not the direct protection of cardholder data at rest. Option C is wrong because annual external vulnerability scans (PCI DSS Requirement 11.2) are required for internet-facing systems, but they are a detection control, not a required control for protecting stored data; they do not render data unreadable. Option D is wrong because multi-factor authentication for database administrators (PCI DSS Requirement 8.3) is required for administrative access to systems handling cardholder data, but it is an access control, not a direct requirement for protecting the stored data itself; encryption is the specific mandate for data at rest.

325
MCQ · hard

A security architect applies the above bucket policy to an Amazon S3 bucket containing sensitive data. What is the net effect of this policy?

A. It denies all PutObject requests, regardless of encryption.
B. It denies all PutObject requests that do not specify an encryption header, enforcing encryption at rest.
C. It allows only PutObject requests using SSE-KMS (AWS KMS managed keys).
D. It allows PutObject requests only from principals that use an IAM role with encryption permissions.
Answer: B

Correct: The Deny with Null condition blocks requests where the encryption header is null (missing), thus requiring encryption.

Why this answer

The bucket policy uses a condition key `s3:x-amz-server-side-encryption` with a `StringNotEquals` condition to deny `PutObject` requests that do not include the `x-amz-server-side-encryption` header set to `AES256`. This effectively denies any upload that does not specify server-side encryption with S3-Managed Keys (SSE-S3), enforcing encryption at rest for all objects written to the bucket.

Exam trap

ISC2 often tests the distinction between SSE-S3 (`AES256`) and SSE-KMS (`aws:kms`) in bucket policy conditions, leading candidates to confuse the required header value and incorrectly select an option involving KMS.

How to eliminate wrong answers

Option A is wrong because the policy does not deny all PutObject requests; it only denies those that lack the required encryption header, so requests that include the correct encryption header are allowed. Option C is wrong because the policy requires the encryption header value `AES256`, which corresponds to SSE-S3, not SSE-KMS (which would require `aws:kms`). Option D is wrong because the policy does not reference IAM roles or encryption permissions; it only checks for the presence and value of the encryption header, regardless of the principal's IAM role.

326
MCQ · medium

A cloud security architect is designing a defense-in-depth strategy for a multi-tenant IaaS environment. Which of the following controls would BEST protect against workload isolation failure due to a hypervisor vulnerability?

A. Perform weekly vulnerability scans of the hypervisor and tenant workloads.
B. Deploy a dedicated virtual firewall instance for each tenant to enforce network segmentation.
C. Apply the latest hypervisor security patches and disable unnecessary services.
D. Use encrypted virtual disks for all tenant virtual machines.
Answer: B

Network segmentation using virtual firewalls provides an additional layer of isolation even if the hypervisor is compromised.

Why this answer

Option D is correct because a dedicated firewall instance for each tenant provides network-level isolation independent of the hypervisor. Option A is wrong because hypervisor hardening is necessary but does not guarantee isolation if a vulnerability exists. Option B is wrong because vulnerability scanning is detective, not preventive.

Option C is wrong because, while encryption protects data at rest, it does not prevent a hypervisor escape.

327
MCQ · easy

A cloud application uses a RESTful API that handles payment transactions. The security team identifies that the API is vulnerable to brute-force attacks on the authentication endpoint. Which control should be implemented to mitigate this?

A. Implement rate limiting on the authentication endpoint
B. Require API keys for all requests
C. Use TLS to encrypt the communication channel
D. Add input validation for all parameters
Answer: A

Rate limiting reduces the number of allowed attempts, blocking brute-force attacks.

Why this answer

Rate limiting restricts the number of authentication requests from a single source within a given time window, directly mitigating brute-force attacks by making it infeasible to guess credentials at high speed. This control is specifically designed for authentication endpoints where repeated failed attempts are the primary attack vector, and it is a standard recommendation in OWASP and NIST guidelines for API security.

Exam trap

ISC2 often tests the distinction between authentication-specific controls (rate limiting) and general security measures (encryption, input validation), leading candidates to choose TLS or API keys because they are commonly associated with API security but do not address brute-force frequency.

How to eliminate wrong answers

Option B is wrong because API keys authenticate the client application, not the user, and do not prevent an attacker from repeatedly trying different passwords or tokens against the authentication endpoint. Option C is wrong because TLS encrypts data in transit to prevent eavesdropping and tampering, but it does not limit the number of requests an attacker can send, leaving the endpoint vulnerable to brute-force attempts. Option D is wrong because input validation prevents injection attacks (e.g., SQLi, XSS) but does not restrict the frequency of requests, so an attacker can still submit unlimited login attempts with valid parameter formats.

328
Multi-Select · medium

A cloud security team is developing an incident response plan for a SaaS application hosted on a public cloud. During the preparation phase, which TWO steps are most critical to include?

Select 2 answers
A. Conduct regular tabletop exercises to simulate incident scenarios
B. Conduct a post-mortem analysis of previous incidents
C. Implement automated isolation of compromised instances
D. Define and document communication escalation paths
E. Deploy a security information and event management (SIEM) system
Answers: A, D

Tabletop exercises help validate the plan and train the response team before an incident.

Why this answer

Conducting regular tabletop exercises (Option A) is critical during the preparation phase because it validates the incident response plan's effectiveness, identifies gaps in team coordination, and ensures stakeholders understand their roles without impacting production systems. This proactive simulation aligns with NIST SP 800-61 and CCSP best practices for readiness testing before an actual incident occurs.

Exam trap

ISC2 often tests the distinction between preparation-phase activities (planning, training, documentation) and operational-phase activities (detection, containment, recovery), leading candidates to mistakenly select automated response or monitoring tools as preparation steps.

329
MCQ · hard

A healthcare organization recently migrated a patient records management application from on-premises infrastructure to a cloud environment using Infrastructure as a Service (IaaS). The application was originally designed as a monolithic workload running on bare-metal servers. After migration, the application is deployed on a fleet of virtual machines (VMs) of the same instance type. The organization is using a combination of Reserved Instances for baseline capacity and On-Demand instances to handle spikes. However, two months after the migration, the cloud bill is 40% higher than the estimated on-premises total cost of ownership. Additionally, performance reports indicate that the application experiences inconsistent latency and occasional timeouts during peak hours. The operations team has confirmed that the application code has not changed, and the cloud provider's infrastructure is healthy. There is no issue with network bandwidth or storage I/O. The team is considering several options to address both cost and performance issues. What should the team do first?

A. Migrate the application to serverless compute to eliminate the need to manage VMs.
B. Perform a rightsizing analysis of the current VM usage and adjust instance types accordingly.
C. Consolidate the workload into fewer, larger instances to reduce overhead and licensing costs.
D. Replace On-Demand instances with Spot Instances to reduce costs during spikes.
Answer: B

Rightsizing addresses both cost and performance by matching instance resources to actual workload demands. It is a standard first step in cloud optimization.

Why this answer

Option B is correct. The symptoms (high cost and inconsistent performance) strongly suggest that the instances are not appropriately sized for the workload. Rightsizing based on actual metrics (CPU, memory, I/O) is the most direct and effective first step to reduce waste and improve performance.

Option A is too drastic; moving to serverless would require significant architectural changes and is not a quick fix. Option C (Spot Instances) is unsuitable for baseline capacity because they can be terminated with little notice, which would disrupt a monolithic application. Option D (consolidation into fewer, larger instances) might reduce licensing costs but assumes that the current instances are underutilized; it could exacerbate performance issues if the application is not designed to scale horizontally.

330
MCQ · hard

A cloud security architect is designing a CI/CD pipeline for a serverless application using AWS Lambda. The application processes sensitive user data and requires encryption at rest and in transit. Which of the following is the BEST approach to securely manage database credentials used by the Lambda function?

A. Store the credentials in AWS Systems Manager Parameter Store with a SecureString parameter.
B. Use AWS Secrets Manager to store the credentials and retrieve them at runtime with least-privilege IAM roles.
C. Store the credentials as encrypted environment variables in the Lambda function configuration.
D. Hardcode the credentials in the Lambda function code and encrypt the deployment package.
Answer: B

Secrets Manager provides secure storage, automatic rotation, and fine-grained access control via IAM.

Why this answer

AWS Secrets Manager is the best choice because it is purpose-built for securely storing, rotating, and retrieving secrets such as database credentials. It integrates natively with AWS Lambda via the Secrets Manager API, allowing the function to fetch credentials at runtime using a least-privilege IAM role. This approach avoids embedding secrets in code or configuration and supports automatic rotation, which is critical for compliance with encryption and access control requirements.

Exam trap

ISC2 often tests the distinction between AWS Systems Manager Parameter Store (for configuration) and AWS Secrets Manager (for secrets), trapping candidates who think encryption alone is sufficient without considering rotation and lifecycle management.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store with SecureString provides encryption but lacks native automatic rotation and fine-grained access control for secrets; it is designed for configuration data, not secrets management. Option C is wrong because encrypted environment variables are still stored in the Lambda configuration and can be exposed through logs, error messages, or the AWS Management Console; they also do not support rotation. Option D is wrong because hardcoding credentials in code, even with an encrypted deployment package, violates the principle of not embedding secrets in code and makes rotation impossible without redeployment; the encryption key management also adds unnecessary complexity.

331
MCQ · easy

A developer accidentally launched an EC2 instance with an overly permissive security group that allows SSH from 0.0.0.0/0. After a security review, the team wants to ensure this cannot happen again. What is the MOST effective preventive control?

A. Grant developers full access to EC2 and rely on training.
B. Attach an IAM policy to developer roles that denies the ec2:AuthorizeSecurityGroupIngress action if the CIDR is 0.0.0.0/0.
C. Use AWS Systems Manager to automatically remediate open SSH rules.
D. Enable AWS Config rules to detect and alert on open SSH.
Answer: B

This IAM policy condition prevents the action at the time of request.

Why this answer

Option B is correct because IAM policies can enforce preventive controls by denying the ec2:AuthorizeSecurityGroupIngress action when the CIDR is 0.0.0.0/0, which blocks the action at the API level before any rule is created. This is a preventive control because it stops the insecure configuration from being applied, rather than detecting or remediating it after the fact. By attaching this policy to developer roles, the team ensures that even if a developer attempts to add an overly permissive SSH rule, the request is denied by AWS IAM.

Exam trap

ISC2 often tests the distinction between preventive controls (IAM deny policies) and detective/reactive controls (AWS Config, Systems Manager remediation), and the trap here is that candidates may choose a detective or reactive option because they think 'alerting' or 'auto-remediation' is sufficient, when the question explicitly asks for the 'most effective preventive control.'

How to eliminate wrong answers

Option A is wrong because granting full EC2 access and relying solely on training is not a technical control; it depends on human behavior and does not prevent the action from occurring. Option C is wrong because AWS Systems Manager automation for remediation is a detective/reactive control, not preventive; it only fixes the issue after the insecure rule has already been created. Option D is wrong because AWS Config rules are detective controls that alert on non-compliant resources after they exist, but they do not block the initial creation of the overly permissive security group rule.

332
Multi-Select · medium

Which TWO practices help protect against insecure deserialization attacks in cloud applications?

Select 2 answers
A. Allow deserialization from untrusted sources
B. Use strong encryption for all serialized data
C. Implement custom deserialization without validation
D. Validate serialized objects before deserialization
E. Restrict deserialization to a whitelist of classes
Answers: D, E

Validation can detect tampered objects.

Why this answer

Option D is correct because validating serialized objects before deserialization ensures that the data conforms to expected schemas and constraints, preventing malicious payloads from triggering arbitrary code execution. This practice is critical in cloud applications where deserialization of user-supplied data (e.g., JSON or XML) can lead to remote code execution (RCE) or denial-of-service (DoS) attacks if not validated.

Exam trap

ISC2 often tests the misconception that encryption alone (Option B) is sufficient to secure serialized data, but encryption only protects data at rest or in transit, not the deserialization process itself, which is where the attack occurs.

333
Multi-Select · easy

Which TWO of the following are benefits of using tokenization for credit card data?

Select 2 answers
A. Maintains data format for existing systems
B. Reversible without a key vault
C. Reduces PCI DSS compliance scope
D. Eliminates the need for encryption
E. Slows down database queries
Answers: A, C

Tokens can preserve format, aiding integration.

Why this answer

Tokenization replaces sensitive credit card data with a non-sensitive token that retains the same format (e.g., a 16-digit number) and length, allowing existing systems, databases, and applications to process the token without modification. This format-preserving property ensures that legacy systems, such as payment gateways or CRM platforms, can continue to operate without requiring costly re-engineering. By using a token instead of the actual PAN, the organization reduces the scope of PCI DSS compliance because the tokenized data is not considered cardholder data under the PCI DSS standard.

Exam trap

ISC2 often tests the misconception that tokenization eliminates the need for encryption entirely, but the correct understanding is that tokenization reduces PCI DSS scope while encryption (for the vault and transit) remains essential.

334
MCQ · medium

A cloud security engineer reviews the IAM policy shown in the exhibit, which is attached to an S3 bucket. The engineer finds that users from outside the 10.0.0.0/8 network can still download objects from the bucket. What is the most likely reason for this behavior?

A. The condition key 'aws:SourceIp' does not apply to S3 operations
B. The first statement's condition explicitly denies access to IPs outside 10.0.0.0/8
C. The second Allow statement does not include the IP restriction, allowing any IP to read objects
D. The policy document has a syntax error that causes the first statement to be ignored
Answer: C

The policy grants unrestricted GetObject access via the second statement.

Why this answer

Option C is correct because the second Allow statement in the IAM policy grants s3:GetObject access to all principals without any condition, effectively overriding the IP restriction in the first statement. AWS IAM policy evaluation is explicit deny by default, but when multiple statements apply, an Allow without conditions will permit the action even if another statement restricts it. Since the second statement has no aws:SourceIp condition, any IP address, including those outside 10.0.0.0/8, can download objects.

Exam trap

ISC2 often tests the nuance that an unconditional Allow statement can override a conditional Deny statement in IAM policies, leading candidates to incorrectly assume that the Deny with an IP restriction will block all access from outside the specified range.

How to eliminate wrong answers

Option A is wrong because the aws:SourceIp condition key does apply to S3 operations when used in a bucket policy; it is a valid condition key for controlling access based on the requester's IP address. Option B is wrong because the first statement uses 'Deny' with the condition, which would deny access to IPs outside 10.0.0.0/8, but the second Allow statement without the condition overrides this deny for the allowed action. Option D is wrong because there is no syntax error; the policy is valid and both statements are evaluated, but the Allow statement without the IP restriction permits the access.

335
Multi-Select · medium

A company is evaluating cloud providers for compliance with the GDPR. Which TWO of the following are mandatory data protection roles under the GDPR?

Select 2 answers
A. Data Processor
B. Data Protection Officer (DPO)
C. Cloud Security Architect
D. Data Controller
E. Data Steward
Answers: A, D

The Data Processor is a mandatory role under GDPR.

Why this answer

The GDPR defines the Data Controller and Data Processor as mandatory roles. The Data Protection Officer (DPO) is required only under certain conditions (e.g., large-scale monitoring). Cloud Security Architect and Data Steward are not GDPR-defined roles.

336
MCQ · hard

A company uses a cloud key management service (KMS) and wants to ensure that keys can be used only within a specific geographic region. Which of the following should be configured?

A. VPC endpoint for KMS
B. CloudTrail logging
C. Key policy with a condition for allowed regions
D. Key rotation policy
Answer: C

Key policies with conditions can restrict use to specific regions.

Why this answer

Option C is correct because a key policy with a condition using the `kms:CallerRegion` or `aws:RequestRegion` condition key can explicitly restrict the geographic region where the KMS key can be used. This ensures that any cryptographic operation (e.g., Encrypt, Decrypt) attempted from an unauthorized region is denied, enforcing regional data sovereignty requirements.

Exam trap

ISC2 often tests the distinction between network-level controls (like VPC endpoints) and policy-level controls (like key policy conditions), leading candidates to mistakenly choose VPC endpoints for geographic restrictions when only a condition-based policy can enforce regional key usage.

How to eliminate wrong answers

Option A is wrong because a VPC endpoint for KMS only changes the network path: the KMS API is reached through a private IP inside the VPC, and a policy can pin requests to it with `aws:SourceVpce`, but that says nothing about which Regions a principal may use keys in. Option B is wrong because CloudTrail records KMS API calls for audit and enforces nothing. Option D is wrong because automatic key rotation changes the key material on a schedule; it has no bearing on where the key can be used.

337
Multi-Selecthard

Which THREE of the following are typical requirements for compliance with eDiscovery in a cloud environment?

Select 3 answers
A.Documentation of chain of custody
B.Search and retrieval capabilities across data sources
C.Ability to place legal hold on data
D.Encryption of data at rest
E.Data minimization principles
AnswersA, B, C

Legal hold, search and retrieval, and chain-of-custody documentation are the eDiscovery controls.

Why this answer

Legal hold preservation, search capabilities, and chain-of-custody documentation are fundamental to eDiscovery. Encryption is a confidentiality control, not a discovery capability, and if the keys for archived data are not retained it can even prevent production; data minimization is a privacy principle, not an eDiscovery requirement.

338
Matchingmedium

Match each cloud auditing term to its definition.


Service organization control report for security

Assessment of cloud provider controls

Analysis of logs for incident investigation

Real-time assessment of security controls

Why these pairings

Auditing in cloud requires continuous monitoring and third-party attestations like SOC 2.

339
MCQeasy

A company is deploying a cloud application that processes credit card transactions. Which standard must they comply with regarding data security?

A.GDPR
B.PCI DSS
C.HIPAA
D.ISO 27001
AnswerB

PCI DSS applies to credit card data handling.

Why this answer

PCI DSS (Payment Card Industry Data Security Standard) is the standard the card brands impose, through merchant and service-provider agreements, on every organization that stores, processes or transmits cardholder data. It sets specific requirements for protecting that data, including strong cryptography, access control, logging and network segmentation of the cardholder data environment. Since the application processes credit card transactions, PCI DSS compliance is contractually required, and in a few jurisdictions it is also written into law.

Exam trap

ISC2 often tests the distinction between mandatory regulatory standards (like PCI DSS) and voluntary frameworks (like ISO 27001), leading candidates to mistakenly choose ISO 27001 because it is a well-known security standard.

How to eliminate wrong answers

Option A is wrong because GDPR (General Data Protection Regulation) governs the protection of personal data of EU citizens, not specifically credit card transaction security. Option C is wrong because HIPAA (Health Insurance Portability and Accountability Act) applies to protected health information (PHI) in healthcare, not payment card data. Option D is wrong because ISO 27001 is a voluntary international standard for information security management systems (ISMS), not a mandatory compliance requirement for credit card processing.

340
MCQmedium

An organization uses a continuous integration/continuous deployment (CI/CD) pipeline to deploy infrastructure as code. The security team wants to ensure that all cloud resources comply with internal security policies before deployment. Which of the following is the MOST effective method to enforce this?

A.Restrict the IAM permissions of developers to only approved roles.
B.Run automated policy compliance checks as part of the CI/CD pipeline.
C.Conduct manual security reviews after each deployment.
D.Deploy resources and then scan for compliance after deployment.
AnswerB

Policy-as-code checks block non-compliant deployments before they go live.

Why this answer

Option B is correct because policy-as-code checks (rules evaluated against the Terraform plan or CloudFormation template in a pipeline stage) fail the build before anything is provisioned. Option A is incorrect because limiting IAM permissions does not stop a fully authorized developer from deploying a misconfigured resource. Option C is incorrect because manual reviews after deployment are slow, error-prone and reactive. Option D is incorrect because post-deployment scanning finds non-compliant resources only after they are live.

341
MCQeasy

Which risk assessment method uses subjective scales to assign probabilities and impacts?

A.Semi-quantitative risk assessment
B.Quantitative risk assessment
C.Qualitative risk assessment
D.Bottom-up risk assessment
AnswerC

Uses subjective scales like high/medium/low.

Why this answer

Qualitative risk assessment (option C) is correct because it relies on subjective scales (e.g., high, medium, low) to assign probabilities and impacts, rather than numerical data. This method is commonly used in cloud security to quickly evaluate risks when precise data is unavailable, aligning with the CCSP domain of Legal, Risk and Compliance.

Exam trap

ISC2 often tests the distinction between qualitative and semi-quantitative methods, where candidates confuse subjective scales (qualitative) with ordinal numerical scales (semi-quantitative), leading them to incorrectly select semi-quantitative risk assessment.

How to eliminate wrong answers

Option A is wrong because semi-quantitative risk assessment uses numerical values (e.g., 1-5 scales) to assign probabilities and impacts, not purely subjective scales. Option B is wrong because quantitative risk assessment uses objective numerical data (e.g., monetary values, statistical probabilities) to calculate risk, not subjective scales. Option D is wrong because bottom-up risk assessment is a structural approach that identifies risks from individual components upward, not a method for assigning probabilities and impacts via subjective scales.

342
MCQhard

The exhibit shows a key policy for a customer master key (CMK) in a cloud KMS. An administrator wants to prevent the AppRole from using the key to decrypt data. Which change to the policy would accomplish this?

A.Add a deny statement for AppRole with effect "Deny" for kms:Decrypt.
B.Remove the entire "Allow use of the key" statement.
C.Change the AppRole action list to include only kms:Encrypt.
D.Remove "kms:Decrypt" from the action list in the AppRole statement.
AnswerD

Decrypt is the specific action needed for decryption. Removing it prevents decryption but allows encryption.

Why this answer

Option D is correct because the AppRole's current policy statement explicitly includes 'kms:Decrypt' in the action list, granting it permission to decrypt data. By removing 'kms:Decrypt' from that action list, the AppRole retains its other allowed actions (such as kms:Encrypt) but can no longer perform decryption operations. This is the most precise and least disruptive change, as it only removes the specific permission needed to prevent decryption without affecting other allowed actions.

Exam trap

ISC2 often tests least privilege together with precise permission changes: candidates reach for an explicit deny (Option A) when the item asks for the minimal edit, which is to remove the specific action from the allow list.

How to eliminate wrong answers

Option A is wrong in the item's framing: an explicit deny does work, and because explicit Deny overrides every Allow it is the stronger choice when AppRole could obtain kms:Decrypt through another path (a grant, or an IAM policy where the key policy delegates to IAM); but it adds a statement instead of removing a permission that should not be there, so it is not the minimal change the question asks for. Option B is wrong because removing the entire 'Allow use of the key' statement revokes all of AppRole's permissions, including kms:Encrypt, which is overly broad. Option C is wrong because rewriting the action list to contain only kms:Encrypt also drops any other actions currently allowed (such as kms:GenerateDataKey or kms:DescribeKey) that the role may need; removing only kms:Decrypt is more targeted.

343
MCQhard

Refer to the exhibit. A cloud security analyst is reviewing an S3 bucket policy. The bucket contains sensitive data and must only be accessible over HTTPS from the internal network (10.0.0.0/24). Which of the following correctly describes the behavior of this policy?

A.Requests from 10.0.0.0/24 over HTTPS are allowed; all other requests are denied.
B.Requests from 10.0.0.0/24 over HTTP are allowed because the Allow statement matches.
C.The policy is invalid because it combines Allow and Deny statements.
D.All requests from 10.0.0.0/24 are denied because the Deny statement applies to all actions.
AnswerA

The Allow statement permits GetObject from the internal range, and the explicit Deny blocks non-HTTPS requests. Requests from external IPs are denied as well, by the Deny and in any case by the absence of a matching Allow.

Why this answer

The policy carries an explicit Deny for any request that is not using HTTPS (aws:SecureTransport is false) or does not originate from 10.0.0.0/24. Because every key inside one Condition block is ANDed, expressing that 'or' takes two Deny statements, one per condition; a single Deny holding both conditions would fire only when both are true and would let a plaintext request from the internal range through. The explicit Deny overrides the Allow, so only requests meeting both conditions (source 10.0.0.0/24 and HTTPS) are permitted; requests from 10.0.0.0/24 over HTTPS satisfy the Allow and are not caught by either Deny, and everything else is denied.

Exam trap

ISC2 often tests the misconception that an Allow statement alone is sufficient to grant access, ignoring that an explicit Deny with broader conditions can override it, or that a policy with both Allow and Deny is automatically invalid.

How to eliminate wrong answers

Option B is wrong because the Deny statement explicitly denies requests over HTTP (when aws:SecureTransport is false), so even if the source IP matches 10.0.0.0/24, the request is blocked. Option C is wrong because combining Allow and Deny statements is valid in AWS IAM policy evaluation; explicit Deny always takes precedence, but the policy is syntactically and logically correct. Option D is wrong because the Deny statement does not apply to all actions from 10.0.0.0/24; it only denies requests that are not using HTTPS (i.e., aws:SecureTransport is false) or that come from outside the 10.0.0.0/24 range, so requests from 10.0.0.0/24 over HTTPS are allowed.
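
The evaluation rules that this item, the region condition in question 336 and the action removal in question 342 all rest on, worked through as an added example (not code from the original page): a small Python evaluator that applies the IAM order of evaluation to constructed policies. The bucket name, account ID, role name, Region list and request contexts are assumptions made up for the example, and principal matching is left out, so every context is read as a request by the principal the statement names.

```python
import copy
import fnmatch
import ipaddress
import json

# Constructed bucket policy for the scenario: GetObject from 10.0.0.0/24, HTTPS only.
# Keys inside one Condition block are ANDed, so "not HTTPS OR not internal"
# needs two separate Deny statements.
BUCKET_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "AllowInternalRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::example-sensitive/*",
  "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/24"}}},
 {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
  "Resource": "arn:aws:s3:::example-sensitive/*",
  "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
 {"Sid": "DenyExternal", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
  "Resource": "arn:aws:s3:::example-sensitive/*",
  "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/24"}}}]}""")

# Constructed KMS key policy (assumed account and role): AppRole may use the key, EU Regions only.
KEY_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "AllowUseOfTheKey", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppRole"},
  "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"],
  "Resource": "*"},
 {"Sid": "DenyOutsideEU", "Effect": "Deny", "Principal": "*", "Action": "kms:*", "Resource": "*",
  "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}}]}""")
OBJECT = "arn:aws:s3:::example-sensitive/report.csv"


def _list(v):
    return v if isinstance(v, list) else [v]


def _in_any(ip, cidrs):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)


def _condition_met(condition, ctx):
    """Every operator/key pair in a Condition block must hold (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected, actual = _list(expected), ctx.get(key)
            if operator == "IpAddress":
                ok = actual is not None and _in_any(actual, expected)
            elif operator == "NotIpAddress":  # a missing key satisfies a negated operator
                ok = actual is None or not _in_any(actual, expected)
            elif operator == "Bool":
                ok = actual is not None and str(actual).lower() == expected[0].lower()
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in expected
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """IAM order of evaluation: explicit Deny, then any matching Allow, else implicit deny."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _list(st["Resource"])):
            continue
        if not _condition_met(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an Allow can never override this
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def remove_action(policy, sid, action):
    """Question 342's fix: drop one action from the named Allow statement."""
    new = copy.deepcopy(policy)
    for st in new["Statement"]:
        if st.get("Sid") == sid:
            st["Action"] = [a for a in _list(st["Action"]) if a != action]
    return new


def s3_decisions():
    cases = {"internal_https": {"aws:SourceIp": "10.0.0.42", "aws:SecureTransport": "true"},
             "internal_http": {"aws:SourceIp": "10.0.0.42", "aws:SecureTransport": "false"},
             "external_https": {"aws:SourceIp": "203.0.113.9", "aws:SecureTransport": "true"}}
    return {n: evaluate(BUCKET_POLICY, "s3:GetObject", OBJECT, c) for n, c in cases.items()}


def combined_deny_pitfall():
    """Both conditions in ONE Deny fire only when both hold, so plaintext from the
    internal range slips through. This is the mistake the two-statement policy avoids."""
    weak = {"Statement": [BUCKET_POLICY["Statement"][0],
            {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::example-sensitive/*",
             "Condition": {"Bool": {"aws:SecureTransport": "false"},
                           "NotIpAddress": {"aws:SourceIp": "10.0.0.0/24"}}}]}
    return evaluate(weak, "s3:GetObject", OBJECT,
                    {"aws:SourceIp": "10.0.0.42", "aws:SecureTransport": "false"})


def kms_decisions():
    eu, us = {"aws:RequestedRegion": "eu-west-1"}, {"aws:RequestedRegion": "us-east-1"}
    trimmed = remove_action(KEY_POLICY, "AllowUseOfTheKey", "kms:Decrypt")
    return {"decrypt_in_eu": evaluate(KEY_POLICY, "kms:Decrypt", "*", eu),
            "decrypt_in_us": evaluate(KEY_POLICY, "kms:Decrypt", "*", us),
            "decrypt_after_removal": evaluate(trimmed, "kms:Decrypt", "*", eu),
            "encrypt_after_removal": evaluate(trimmed, "kms:Encrypt", "*", eu)}
```

Import the file and call s3_decisions(), combined_deny_pitfall() and kms_decisions(): the two-statement bucket policy allows only the internal HTTPS request, the single combined Deny lets a plaintext internal request through, and the key policy denies kms:Decrypt from us-east-1 before the edit and from everywhere after it while kms:Encrypt keeps working.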

344
MCQmedium

A company uses a cloud-based CI/CD pipeline with GitLab. Developers push code to a repository, triggering a build. The security team notices that sensitive API keys are being logged in build output. Which practice best prevents this?

A.Implement a secrets detection tool in the pipeline
B.Use environment variables in the pipeline configuration
C.Use a separate build server
D.Encrypt the Git repository
AnswerA

Automated secrets detection scans for and blocks credentials in build output.

Why this answer

A secrets detection tool (GitLab Secret Detection, TruffleHog or Gitleaks) matches code, configuration and pipeline output against patterns for API keys, tokens and passwords (a known prefix such as AKIA for AWS access key IDs or glpat- for GitLab personal access tokens, or a high-entropy string next to a name like 'secret' or 'token') and fails the job before the output is stored. This directly addresses the issue described, which is credentials appearing in build logs. Two details matter in practice: GitLab's built-in Secret Detection analyzer scans repository content, so scanning the job log itself needs a separate step; and the CI/CD variable holding the key should also be flagged as masked, which makes the runner replace the value with [MASKED] wherever it appears in the job log.

Exam trap

The trap here is that candidates often confuse 'using environment variables' (a secure storage method) with 'preventing secrets from being logged' (a detection and blocking mechanism), leading them to choose Option B even though environment variables do not stop accidental output.

How to eliminate wrong answers

Option B is wrong because CI/CD variables (GitLab's pipeline variables) are a secure way to pass secrets into the job, but the value still lands in the log if a script echoes it; even a masked variable is redacted only where the exact value appears, so an encoded or split value is still exposed. Option C is wrong because a separate build server does not address the root cause; secrets are logged regardless of where the build runs. Option D is wrong because encrypting the Git repository protects data at rest but does not stop secrets from being exposed in plaintext during the build or in its logs.
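
A redaction pass of the kind such a tool runs over job output, as an added example that is not GitLab's, TruffleHog's or Gitleaks' code: the log lines are constructed for the example, the AWS key pair in them is the placeholder pair AWS documentation uses, and the GitLab token and database password are invented. Known values are masked first, the way a masked CI/CD variable is, then prefix patterns and a Shannon-entropy check catch what no list of values anticipated.

```python
import math
import re

# Constructed CI job output. The AWS key pair is the placeholder pair from AWS
# documentation; the GitLab token and the DSN password are made up.
SAMPLE_LOG = """\
$ terraform plan
Initializing provider plugins...
DEBUG: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DEBUG: AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Using token glpat-aB3dE5fG7hI9jK1lM2nO
Exporting DB_DSN=postgres://app:Xk9vQ2mLp8Rt3WzYnB4e@db:5432/app
Plan: 3 to add, 0 to change, 0 to destroy."""

# Known credential formats first (cheap and precise), then a generic
# "<secret-ish name>=<value>" assignment. Order matters: dict order is preserved.
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), "[REDACTED]"),
    "gitlab_pat": (re.compile(r"\bglpat-[0-9A-Za-z_-]{20,}\b"), "[REDACTED]"),
    "secret_assignment": (
        re.compile(r"(?i)((?:secret|token|password|passwd|api[_-]?key)\w*\s*[=:]\s*)((?!\[)\S+)"),
        r"\1[REDACTED]",
    ),
}
ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; random 20-char strings sit above this


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in {ch: s.count(ch) for ch in set(s)}.values())


def redact_line(line, known_values=()):
    """Return (redacted_line, findings) for one line of job output.

    known_values are masked first, verbatim, the way a GitLab masked variable is
    hidden in the job log; pattern and entropy checks then catch everything else."""
    findings = []
    for value in known_values:
        if value and value in line:
            line = line.replace(value, "[MASKED]")
            findings.append("known_value")
    for name, (rx, repl) in PATTERNS.items():
        line, count = rx.subn(repl, line)
        findings.extend([name] * count)
    for tok in ENTROPY_TOKEN.findall(line):
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            line = line.replace(tok, "[REDACTED]")
            findings.append("high_entropy")
    return line, findings


def redact_log(text, known_values=()):
    """Redact a whole log; returns (clean_text, {finding_type: count})."""
    clean, summary = [], {}
    for raw in text.splitlines():
        line, findings = redact_line(raw, known_values)
        clean.append(line)
        for f in findings:
            summary[f] = summary.get(f, 0) + 1
    return "\n".join(clean), summary
```

Calling redact_log(SAMPLE_LOG) scrubs all four credentials: the access key ID and GitLab token by prefix, the secret access key because it follows a name containing 'secret', and the database password, which has no recognizable prefix, by entropy alone. Passing the secret access key in known_values shows the masked-variable path, where the value is replaced before any pattern runs.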

345
Multi-Selectmedium

Which TWO of the following are primary objectives of a cloud application security program?

Select 2 answers
A.Maintaining application availability
B.Performing continuous deployment
C.Implementing a microservices architecture
D.Ensuring data confidentiality and integrity
E.Adopting Agile development practices
AnswersA, D

Availability is a key security objective (CIA triad).

Why this answer

Maintaining application availability is a primary objective of a cloud application security program because it directly supports the security triad of confidentiality, integrity, and availability (CIA). In a cloud environment, availability ensures that authorized users can access applications and data when needed, which is critical for business continuity and is often enforced through SLAs, redundancy, and DDoS protection mechanisms. Without availability, security controls become irrelevant as the service is effectively denied.

Exam trap

ISC2 often tests the distinction between security objectives and operational or architectural practices, trapping candidates who confuse 'continuous deployment' or 'microservices' with security goals because they are commonly discussed in cloud security contexts but are not primary objectives.

346
MCQhard

A cloud application uses containers orchestrated by Kubernetes. The security team wants to enforce that containers cannot run as root and that file systems are read-only at runtime. Which Kubernetes security context configuration should be applied?

A.Use a RuntimeClass that disables root capabilities
B.Set the container's user to a non-root user in the Dockerfile
C.Apply a PodSecurityPolicy that blocks privileged containers
D.Configure a SecurityContext with runAsNonRoot: true and readOnlyRootFilesystem: true
AnswerD

Directly sets the required properties in the container specification.

Why this answer

Option D is correct because Kubernetes SecurityContext allows fine-grained control over container permissions at the pod or container level. Setting `runAsNonRoot: true` ensures the container cannot run as UID 0, and `readOnlyRootFilesystem: true` mounts the container's root filesystem as read-only, preventing unauthorized writes at runtime. This directly satisfies the security team's requirements without relying on external policies or image-level configurations.

Exam trap

The trap here is that candidates confuse image-level defaults (a non-root USER in the Dockerfile) with runtime enforcement through securityContext, or assume PodSecurityPolicy, which was removed in Kubernetes v1.25, is the only way to enforce these restrictions, when securityContext is the direct mechanism.

How to eliminate wrong answers

Option A is wrong because a RuntimeClass selects a container runtime handler (e.g., gVisor, Kata Containers) for stronger isolation; it does not set runAsNonRoot or readOnlyRootFilesystem. Option B is wrong because USER in the Dockerfile only sets the image's default; a pod spec can override it with `securityContext.runAsUser: 0`, whereas `runAsNonRoot: true` makes the kubelet verify at container start that the effective UID is non-zero and refuse to start the container if the image's USER is unset or non-numeric. Option C is wrong because PodSecurityPolicy was removed in Kubernetes v1.25; its replacement, Pod Security Admission enforcing the Pod Security Standards, rejects pods whose securityContext violates the chosen profile, but the settings themselves still live in the pod's securityContext. Note that `readOnlyRootFilesystem: true` usually needs an emptyDir mounted at the paths the process writes to, such as /tmp.
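
An admission-style check over pod manifests, as an added example that is not part of the page and not Pod Security Admission itself: it evaluates the fields the restricted Pod Security Standard requires plus readOnlyRootFilesystem, which is this team's requirement rather than a PSS rule, and separates hard violations from warnings such as a missing runAsUser that the kubelet can only resolve at container start. The manifests and image name are constructed for the example.

```python
import copy

# Constructed manifests as Python dicts (the shape yaml.safe_load returns); no cluster needed.
BAD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
           "spec": {"containers": [{"name": "api", "image": "registry.example/api:1.4"}]}}

GOOD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "api", "image": "registry.example/api:1.4",
                    "securityContext": {"readOnlyRootFilesystem": True,
                                        "allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}},
                    "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}],
    "volumes": [{"name": "tmp", "emptyDir": {}}]}}


def _effective(pod_sc, ctr_sc, key):
    """A container-level securityContext value overrides the pod-level one."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def check_pod(pod):
    """Return the violations (block the pod) and warnings (review) for one manifest."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    violations, warnings = [], []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged") is True:
            violations.append(f"{name}: privileged containers are not allowed")
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        uid = _effective(pod_sc, sc, "runAsUser")
        if uid == 0:
            violations.append(f"{name}: runAsUser 0 contradicts runAsNonRoot")
        elif uid is None:
            warnings.append(f"{name}: no runAsUser; the kubelet only starts the container "
                            "if the image USER is a numeric non-zero UID")
        if sc.get("readOnlyRootFilesystem") is not True:  # container-level key only
            violations.append(f"{name}: readOnlyRootFilesystem must be true")
        elif not c.get("volumeMounts"):
            warnings.append(f"{name}: read-only root with no writable volume; "
                            "mount an emptyDir at paths such as /tmp")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return {"violations": violations, "warnings": warnings}


def compliant(pod):
    return not check_pod(pod)["violations"]


def override_uid(pod, uid):
    """Simulate a deployer setting runAsUser on the container, overriding the pod level."""
    new = copy.deepcopy(pod)
    new["spec"]["containers"][0].setdefault("securityContext", {})["runAsUser"] = uid
    return new
```

check_pod(BAD_POD) returns five violations and one warning; GOOD_POD is clean; override_uid(GOOD_POD, 0) reproduces the Option B failure mode, where a container-level runAsUser: 0 overrides the pod-level intent and must be rejected before the kubelet ever sees it.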

347
MCQmedium

A healthcare organization has deployed a cloud-based application that handles protected health information (PHI). The application runs on virtual machines in a virtual private cloud (VPC). The security team has implemented security groups to control traffic to the VMs. Recently, an external penetration test revealed that a web server VM is accessible from the internet on port 22 (SSH) from any IP address (0.0.0.0/0). The security team also discovered that the SSH key pair used for the web server was created with a weak algorithm (1024-bit RSA). The team needs to remediate these issues without causing downtime for the application. Additionally, the application logs must be sent to a centralized logging solution that is encrypted in transit and at rest. Which combination of actions should the security team take?

A.Restrict inbound SSH access to only a bastion host's IP address, generate a new 2048-bit RSA key pair, configure the application to send logs via TLS to a centralized logging service, and enable server-side encryption for the logging bucket.
B.Implement a VPN connection for all administrative access, keep the existing key pair, and use a third-party logging tool with TLS.
C.Change the SSH port to a non-standard port, keep the existing key pair, and enable logging to a cloud storage bucket without encryption.
D.Disable SSH access entirely and use a serial console for administration, keep the existing key pair, and send logs via plaintext syslog to a logging server.
AnswerA

This fully addresses both vulnerabilities and logging requirements.

Why this answer

Option A is correct because it addresses both critical vulnerabilities without downtime: restricting SSH to a bastion host's IP eliminates internet-wide exposure, and generating a new 2048-bit RSA key pair replaces the weak 1024-bit key. For logging, TLS ensures encryption in transit, and server-side encryption for the logging bucket ensures encryption at rest, meeting compliance requirements for PHI.

Exam trap

ISC2 often tests the distinction between security by obscurity (e.g., changing ports) and actual security controls (e.g., restricting IPs and using strong keys), leading candidates to pick options that seem quick but fail compliance requirements.

How to eliminate wrong answers

Option B is wrong because keeping the 1024-bit RSA key leaves a key size that NIST SP 800-57 rates below the 112-bit security strength required since 2014 (the 2048-bit key in Option A meets it; Ed25519 or RSA 3072 would be the stronger modern choice). Option C is wrong because moving SSH to a non-standard port is security by obscurity; port scanners find it in seconds and brute-force attempts continue, and an unencrypted bucket violates the encryption-at-rest requirement for PHI. Option D is wrong because the cloud serial console is a break-glass recovery path, not an administration model, and plaintext syslog lacks encryption in transit, violating the HIPAA Security Rule's transmission security standard.
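
The check that would have stopped this item's finding from reaching production, and the kind of policy-as-code stage question 340 refers to, as an added example that is not any vendor's tool: a constructed CloudFormation-style template is evaluated by two rules (administrative ports open to the whole internet, and buckets without SSE-KMS) and the gate returns the exit code the pipeline stage would use. The resource names, CIDRs and key alias are assumptions made up for the example.

```python
import copy
import ipaddress

# Constructed CloudFormation-style template as a dict (what yaml.safe_load would return),
# reproducing the pentest finding: SSH open to 0.0.0.0/0 and a log bucket without SSE-KMS.
TEMPLATE = {"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "BastionSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "198.51.100.10/32"}]}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "AuditBucket": {"Type": "AWS::S3::Bucket", "Properties": {"B<br>ucketEncryption": {}}}}}
```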

348
MCQeasy

A DevOps engineer runs the above command and gets the error. What is the MOST likely missing permission?

A.storage.buckets.get
B.storage.buckets.list
C.storage.objects.get
D.storage.objects.list
AnswerD

List permission is required to list objects in a bucket.

Why this answer

The command likely involves listing objects within a bucket (e.g., `gsutil ls` or an equivalent `GET /b/{bucket}/o` API call). The error indicates the principal lacks the `storage.objects.list` permission, which is required to enumerate objects in a bucket. Without this permission, the API returns a 403 Forbidden error even if the principal has other storage permissions.

Exam trap

ISC2 often tests the distinction between object-level permissions (like `storage.objects.get`) and bucket-level listing permissions (like `storage.objects.list`), trapping candidates who assume read access to objects implies the ability to list them.

How to eliminate wrong answers

Option A is wrong because `storage.buckets.get` is needed to retrieve bucket metadata (e.g., IAM configuration, location), not to list objects. Option B is wrong because `storage.buckets.list` is required to list all buckets in a project, not objects within a specific bucket. Option C is wrong because `storage.objects.get` is needed to read a specific object's data or metadata, not to list objects in a bucket.

349
MCQmedium

A company uses a cloud provider's managed database service. The security team is concerned about the shared responsibility model for patching the operating system and database engine. According to the shared responsibility model, who is responsible for applying security patches to the database engine?

A.The customer, because they control the database configuration
B.A third-party vendor contracted by the customer
C.The cloud provider, because it is a managed service
D.Both the customer and the cloud provider equally
AnswerC

Managed services include engine patching by the provider.

Why this answer

Option C is correct because for a managed database service the provider owns the engine and the underlying operating system, including their security patching, while the customer still owns the maintenance window, major-version upgrade decisions, database configuration, access control and the data itself. Option A is wrong because controlling configuration does not make the customer responsible for engine patches. Option B is wrong because no third party is involved; the provider performs the patching as part of the service. Option D is wrong because patching responsibility is not shared equally; the engine sits on the provider's side of the shared responsibility line.

350
MCQhard

A company is deploying a multi-tier application in a public cloud and needs to restrict traffic between tiers. The web tier must only accept HTTPS from the internet, and the app tier must only accept HTTP from the web tier. Which cloud networking feature should be used to enforce this?

A.Network access control lists (ACLs) attached to the subnets.
B.Security groups applied to each tier’s instances.
C.Internet gateway with appropriate routes.
D.VPC peering connection between tier subnets.
AnswerA

Network ACLs are stateless and can enforce explicit allow rules between subnets.

Why this answer

Network ACLs are stateless subnet-level filters that match on source and destination address, port and protocol. Inbound rules on the web subnet allow TCP/443 from 0.0.0.0/0, inbound rules on the app subnet allow TCP/80 only from the web subnet's CIDR, and outbound rules on the web subnet allow TCP/80 only toward the app subnet. Because no connection state is kept, the return legs must be allowed explicitly as well: ephemeral ports (1024-65535) outbound from the web subnet to the internet, and outbound from the app subnet back to the web subnet. Forgetting those rules is the most common reason a network ACL design breaks.

Exam trap

ISC2 often tests the distinction between stateless (network ACL) and stateful (security group) filtering; the cue in this item is subnet-wide enforcement of both directions, which is what network ACLs provide. Do not carry the exam answer into production unchanged: most AWS tier designs enforce tier-to-tier rules with security groups that reference the upstream tier's group as the source, and use network ACLs as a coarse second layer.

How to eliminate wrong answers

Option B is wrong in the item's framing because security groups are stateful and attach to instances (network interfaces) rather than subnets, so they do not provide the subnet-wide, explicit inbound-and-outbound filtering the question describes; a security group on the app tier that allows TCP/80 only from the web tier's security group does enforce the same restriction per instance, which is why it is the usual production choice. Option C is wrong because an internet gateway is only a route target for traffic to and from the internet; it does not filter traffic between subnets. Option D is wrong because VPC peering connects two VPCs at the routing layer and performs no filtering; access control still falls to network ACLs or security groups.

351
MCQhard

A healthcare company, MedSecure, is migrating its critical patient record application to a public cloud IaaS environment. The application processes Protected Health Information (PHI) subject to HIPAA in the US and also includes some patient data from EU residents subject to GDPR. MedSecure has signed Business Associate Agreements (BAAs) with the cloud provider covering US HIPAA compliance. However, the compliance officer is concerned about GDPR requirements for EU patient data. The architecture uses AWS EC2 instances behind an Application Load Balancer, with data stored in Amazon RDS (MySQL) using encryption at rest and TLS for transmission. The company uses AWS CloudTrail for logging but only retains logs for 90 days. The compliance officer has identified that the current logging retention does not meet the GDPR requirement for logs to be retained for a minimum of 12 months for audit purposes. Additionally, the data stored in RDS is in a single AWS region in the US (us-east-1). The company plans to expand to EU customers. The GDPR requires that personal data of EU residents be stored in the EU or have adequate safeguards for transfer. Currently, the company has not implemented any data residency controls. What course of action should MedSecure take to address the most critical compliance gaps?

A.Extend CloudTrail log retention to 12 months by configuring a new trail in a separate account and storing logs in an S3 bucket with a lifecycle policy to delete after 12 months. For data residency, use AWS DMS to replicate the RDS database to a second RDS instance in the eu-west-1 region and enable cross-region replication for continuous sync.
B.Implement AWS Config rules to monitor compliance with both HIPAA and GDPR, and enable AWS CloudTrail Insights to detect unusual activity. For data residency, sign a Standard Contractual Clauses (SCCs) with the cloud provider for the existing US-based data.
C.Enable S3 Object Lock for CloudTrail logs to ensure they cannot be deleted before 12 months, and use AWS DMS with CDC to replicate data to a eu-west-1 region. Also, sign a Data Processing Agreement (DPA) with AWS specifically for GDPR coverage.
D.Use AWS Lambda to copy CloudTrail logs from the existing trail to a separate S3 bucket with a retention policy of 12 months. For data residency, configure the RDS instance to have a read replica in eu-west-1 and implement a DPA with AWS for GDPR.
AnswerC

This comprehensively addresses both gaps: immutable log retention, EU data replication, and a DPA to cover legal transfer safeguards.

Why this answer

Option C is correct because it addresses the two gaps the scenario flags as most critical: log retention and data residency for EU patient data. S3 Object Lock on the CloudTrail bucket (compliance mode with a 12-month retention period) prevents the log objects from being deleted or overwritten before the period ends, meeting the 12-month audit requirement the scenario attributes to GDPR; note that the Regulation itself sets no fixed log retention period, and Art. 5(1)(e) pushes the other way, so in practice the figure comes from the organization's own retention policy. AWS DMS with Change Data Capture (CDC) keeps a continuously updated copy of the RDS data in eu-west-1, satisfying the residency requirement as the item states it.

Signing a Data Processing Agreement (DPA) with AWS for GDPR coverage is essential because the existing BAA covers only HIPAA, and Art. 28 of the GDPR requires a written contract establishing the cloud provider as processor under EU law. (AWS publishes its GDPR Data Processing Addendum as part of its online Service Terms, so in practice it already applies to every customer; the item treats it as an instrument to be put in place.)

Exam trap

ISC2 often tests the distinction between data replication mechanisms (e.g., read replicas vs. DMS with CDC) and the specific legal documents required for different regulations (BAA for HIPAA vs. DPA for GDPR), leading candidates to choose options that mix correct concepts with incorrect implementations.

How to eliminate wrong answers

Option A is wrong because a new trail in a separate account plus a lifecycle policy does not stop a privileged user from deleting the log objects early; the scenario calls for retention with protection against deletion or alteration, which is what Object Lock provides. Its replication half also describes DMS without CDC, so it does not deliver the continuous synchronization the item expects. Option B is wrong because AWS Config rules and CloudTrail Insights monitor and detect; they neither enforce retention nor move data, and within the item's framing SCCs for the existing US copy do not satisfy the stated requirement that EU data be stored in the EU or covered by adequate safeguards. (Outside that framing, Chapter V of the GDPR does permit transfers under SCCs combined with a transfer impact assessment and any supplementary measures; keeping EU data in an EU Region is a design choice that avoids the transfer analysis rather than a strict legal mandate.)

Option D is wrong because using a Lambda function to copy logs to a separate S3 bucket does not ensure immutability or prevent deletion before 12 months; a read replica in eu-west-1 is read-only and cannot accept writes, so it does not provide a writable copy of the database for EU data residency, and implementing a DPA is correct but the log retention and data residency solutions are insufficient.

352
MCQmedium

A developer receives the above error when trying to create a route in an API Gateway. Which action should the developer take to resolve the issue?

A.Change the endpoint type to private
B.Add an authentication mechanism to the API
C.Verify that the API is deployed to the correct stage
D.Delete the existing route or use a different route key
AnswerD

Removing the duplicate or choosing a unique key resolves the conflict.

Why this answer

The error indicates that a route with the same key already exists in the API Gateway. API Gateway enforces unique route keys within an API; attempting to create a duplicate route key (e.g., the same HTTP method and path combination) will fail. Deleting the existing route or using a different route key resolves the conflict by ensuring each route key is unique.

Exam trap

ISC2 often tests the misconception that deployment stages or authentication mechanisms can resolve configuration conflicts, when in fact the error is a direct result of violating a uniqueness constraint on route keys within the API Gateway resource hierarchy.

How to eliminate wrong answers

Option A is wrong because changing the endpoint type to private does not address a duplicate route key error; endpoint type controls network accessibility, not route uniqueness. Option B is wrong because adding an authentication mechanism (e.g., IAM, Lambda authorizer) does not resolve a conflict where a route key already exists; authentication is unrelated to route key duplication. Option C is wrong because verifying the API deployment stage does not fix a duplicate route key error; deployment stages affect which version of the API is live, not the uniqueness of route keys within the API definition.

353
Multi-Selecteasy

Which TWO of the following are secure coding practices that help prevent injection attacks?

Select 2 answers
A.Printing stack traces in production error messages
B.Using parameterized queries for database calls
C.Using stored procedures exclusively
D.Validating and sanitizing all user inputs
E.Storing user passwords in plaintext
AnswersB, D

Parameterized queries separate SQL logic from data, preventing injection.

Why this answer

Option B is correct because parameterized queries (also known as prepared statements) separate SQL logic from data by using placeholders (e.g., `?` in MySQLi or `:param` in PDO). The database driver treats the user-supplied values strictly as data, never as executable code, which prevents an attacker from injecting malicious SQL commands even if the input contains special characters like `' OR 1=1 --`.

Exam trap

ISC2 often tests the misconception that stored procedures are inherently safe against injection, but the trap is that stored procedures can still be vulnerable if they dynamically construct SQL strings using concatenated input, so parameterization must be applied inside the procedure as well.
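
The mechanism behind Option B, shown as an added example rather than code from the page: the same lookup written with string concatenation and with a placeholder, run against a constructed SQLite table with the classic tautology and a UNION payload that reads the schema. Python's sqlite3 module refuses stacked statements (one statement per execute call), so the injection here is limited to altering the one query, which is all an attacker needs. The table, rows and username rule are made up for the example.

```python
import re
import sqlite3


def setup_db():
    """Constructed in-memory table; no database server needed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn, username):
    """Concatenation: the input is parsed as part of the SQL text."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn, username):
    """Placeholder: the value is bound after parsing, so it can only ever be data."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


def find_user_validated(conn, username):
    """Defence in depth: allow-list the input, then still use the placeholder."""
    if not re.fullmatch(r"[a-z0-9_]{1,32}", username):
        raise ValueError("invalid username")
    return find_user_parameterized(conn, username)


def validated_rejects(username):
    """True when the allow-list check refuses the input before any SQL runs."""
    try:
        find_user_validated(setup_db(), username)
    except ValueError:
        return True
    return False


TAUTOLOGY = "' OR 1=1 --"                                   # turns the WHERE into always-true
UNION = "x' UNION SELECT name, sql FROM sqlite_master --"   # appends the schema to the result


def demo():
    conn = setup_db()
    return {
        "vulnerable_tautology": len(find_user_vulnerable(conn, TAUTOLOGY)),
        "vulnerable_union": [r[0] for r in find_user_vulnerable(conn, UNION)],
        "parameterized_tautology": len(find_user_parameterized(conn, TAUTOLOGY)),
        "parameterized_union": len(find_user_parameterized(conn, UNION)),
        "legitimate": find_user_parameterized(conn, "alice"),
    }
```

demo() shows the contrast: the concatenated query returns every row for the tautology and the CREATE TABLE statement for the UNION payload, while the parameterized query treats both payloads as literal usernames that match nothing and still finds alice normally.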

354
Multi-Selectmedium

A company is deploying a critical application on a public cloud IaaS platform. To ensure high availability and disaster recovery, which TWO of the following strategies should the company implement? (Choose two.)

Select 2 answers
A.Deploy the application across multiple availability zones within a region.
B.Use an active-passive configuration with both instances in the same availability zone.
C.Configure the application to run in only one region to simplify management.
D.Implement automated snapshots and replicate data to a different geographic region.
E.Use a single, large virtual machine instance to handle all traffic.
AnswersA, D

This provides high availability within a region.

Why this answer

Deploying across multiple availability zones (AZs) within a region ensures that if one AZ experiences an outage, the application can continue serving traffic from another AZ, providing high availability. This is a fundamental cloud architecture pattern for fault tolerance, as each AZ is an isolated data center with independent power, cooling, and networking.

Exam trap

ISC2 often tests the distinction between high availability (fault tolerance within a region using multiple AZs) and disaster recovery (cross-region data replication and failover), and the trap is that candidates confuse active-passive in the same AZ (which is not HA) with a valid HA strategy.

355
MCQmedium

A multinational corporation uses a SaaS application for customer relationship management (CRM). The CRM application stores customer data including names, email addresses, and purchase history. The company has operations in the EU, California, and Japan. A new regulation in Japan requires that any transfer of personal data outside Japan must have the data subject's consent if the destination country does not have an adequacy decision. The company's cloud provider stores data in the United States. The company currently relies on the provider's data processing agreement that includes standard contractual clauses (SCCs). However, the Japanese regulator has stated that SCCs are not sufficient for transfers from Japan unless supplemented. You are tasked with ensuring compliance for Japanese data subjects. Which option best addresses the compliance requirement while considering the operational impact?

A.Move the data for Japanese subjects to a data center in Japan.
B.Continue using SCCs as they are recognized internationally.
C.Pseudonymize the data before transfer.
D.Obtain explicit consent from each Japanese data subject for data transfer to the US.
AnswerD

Correct. Explicit consent is a valid legal basis under Japanese law when other mechanisms are insufficient.

Why this answer

Option D is correct because the Japanese regulator has explicitly stated that SCCs alone are insufficient for transfers from Japan, and obtaining explicit consent from each data subject directly satisfies the requirement for a valid transfer mechanism under Japanese law. This approach ensures compliance without requiring infrastructure changes, though it may be operationally burdensome. The other options either fail to meet regulatory requirements or introduce unnecessary operational impact.

Exam trap

ISC2 often tests the misconception that pseudonymization or data localization alone can bypass cross-border transfer restrictions, when in fact explicit consent or an approved mechanism is required under the specific regulation.

How to eliminate wrong answers

Option A (moving data to a Japan data center) is wrong because it does not address the transfer to the US for processing; the data would still need to be transferred to the US for the SaaS CRM to function, and the regulation applies to any transfer outside Japan. Option B (continuing with SCCs) is wrong because the Japanese regulator has stated SCCs are not sufficient unless supplemented, so relying on them alone would violate the regulation. Option C (pseudonymization) is wrong because pseudonymization does not eliminate the need for a valid transfer mechanism under Japanese law; the data remains personal data subject to transfer restrictions.

356
MCQhard

A healthcare organization wants to perform analytics on encrypted patient data without decrypting it first, to maintain privacy. Which cryptographic technique supports this use case?

A.Homomorphic encryption
B.Tokenization
C.Format-preserving encryption (FPE)
D.Cryptographic hashing
AnswerA

Allows computation on encrypted data without decryption.

Why this answer

Homomorphic encryption allows computations to be performed directly on ciphertext, producing an encrypted result that, when decrypted, matches the result of operations performed on the plaintext. This enables the healthcare organization to run analytics on encrypted patient data without ever exposing the underlying sensitive information, thus preserving privacy throughout the processing lifecycle.

Exam trap

ISC2 often tests the distinction between 'processing on encrypted data' and 'protecting data at rest or in transit'—candidates mistakenly choose FPE or tokenization because they see 'encrypted' or 'token' and assume it supports analytics, but neither allows computation without decryption.

How to eliminate wrong answers

Option B (Tokenization) is wrong because it replaces sensitive data with non-sensitive tokens, but the original data must be stored in a separate vault and analytics cannot be performed on the tokens without detokenization, which breaks the 'no decryption' requirement. Option C (Format-preserving encryption) is wrong because it produces ciphertext that retains the original data format (e.g., 16-digit credit card numbers), but all operations require decryption first; it does not support computation on encrypted data. Option D (Cryptographic hashing) is wrong because it is a one-way function that cannot be reversed, and it does not allow any meaningful analytics on the hash values (e.g., you cannot compute an average or sum of hashed patient ages).

357
MCQmedium

A cloud security analyst is troubleshooting an access denied error when an application attempts to read an object from an S3 bucket. The application uses an IAM user that is not associated with the role specified in the policy. Which of the following is the most likely cause of the error?

A.The IAM user is not assuming the role before accessing the bucket.
B.The IAM user is not the specified role and is explicitly denied by the Deny statement.
C.The bucket policy has a conflicting Allow and Deny statement, causing an implicit deny.
D.The bucket policy is missing a condition for region restriction.
AnswerB

The Deny statement explicitly denies all principals that are not the specified role, so any other principal (including this IAM user) is denied access.

Why this answer

Option B is correct because the policy explicitly denies all principals except the specified role. The IAM user is not that role, so the Deny statement blocks access. Option D is irrelevant because the policy does not mention regions.

Option C is incorrect because the policy is syntactically valid and does not cause a conflict; the Deny overrides Allow per IAM evaluation logic. Option A is incorrect because the user is not attempting to assume the role, and the policy does not require it—it simply denies all principals that are not that role.
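To make the evaluation order concrete, here is an added example (not from the question bank) of a small policy evaluator in Python run against a constructed bucket policy of the shape the question describes: an Allow plus a Deny whose `StringNotEquals` condition on `aws:PrincipalArn` excludes every principal except one role. The account id, bucket and role ARNs are placeholders. The evaluator is a simplified model: it handles only the two string operators, assumes `Principal: "*"` on every statement, and is not the cloud provider's own logic.

```python
import fnmatch
from typing import Any

# Constructed bucket policy; account id, bucket name and role name are placeholders.
ALLOWED_ROLE_ARN = "arn:aws:iam::111122223333:role/example-reader-role"
BUCKET_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            # Deny everyone whose principal ARN is not the approved role.
            "Sid": "DenyAllButRole",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringNotEquals": {"aws:PrincipalArn": ALLOWED_ROLE_ARN}},
        },
    ],
}


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Evaluate the two string operators used here; any other operator fails loudly
    rather than being silently treated as satisfied."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def evaluate(policy: dict, ctx: dict, action: str, resource: str) -> tuple[str, list]:
    """Simplified model of the evaluation order: a matching explicit Deny wins over any
    Allow; with no matching Allow the result is an implicit deny. Returns the verdict
    and the Sids of the statements that produced it."""
    allows, denies = [], []
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        (denies if st["Effect"] == "Deny" else allows).append(st.get("Sid", "<no Sid>"))
    if denies:
        return "explicit_deny", denies
    if allows:
        return "allow", allows
    return "implicit_deny", []


# Request contexts for the two principals. For a role session, aws:PrincipalArn carries
# the role ARN, which is what lets the role pass the StringNotEquals condition.
IAM_USER_CTX = {"aws:PrincipalArn": "arn:aws:iam::111122223333:user/app-user"}
ROLE_SESSION_CTX = {"aws:PrincipalArn": ALLOWED_ROLE_ARN}
OBJECT_ARN = "arn:aws:s3:::example-bucket/reports/q1.csv"
```

The IAM user matches both statements, and the Deny wins; a session under the approved role fails the `StringNotEquals` condition, so only the Allow matches; an action no statement mentions falls through to the implicit deny. The three outcomes map onto the explanation's three points: the explicit Deny, the role the policy carves out, and evaluation that is not a "conflict" but a defined precedence.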

358
Multi-Selecteasy

A multinational corporation stores customer data in an AWS S3 bucket located in the US. The company's European customers' personal data must comply with GDPR. Which TWO actions should the company take to ensure compliance with GDPR data transfer requirements?

Select 2 answers
A.Implement encryption at rest using AWS KMS with a key stored in the US.
B.Sign Standard Contractual Clauses (SCCs) with the cloud provider.
C.Ensure that the data is only accessed by employees in the EU.
D.Use AWS Direct Connect to route traffic exclusively through EU-based links.
E.Implement a Data Processing Agreement (DPA) with AWS.
AnswersB, E

SCCs are a valid adequacy mechanism for transferring personal data to third countries under GDPR.

Why this answer

Under GDPR, transfers of personal data to third countries require adequate safeguards. Signing Standard Contractual Clauses (SCCs) with the cloud provider and implementing a Data Processing Agreement (DPA) are both recognized mechanisms. Encryption alone (A) does not address transfer legality; access location (C) is irrelevant; and Direct Connect (D) is a network connectivity option, not a legal safeguard.

359
MCQhard

A cloud service provider (CSP) includes a limitation of liability clause capped at the total fees paid in the past 12 months. A customer suffers a data breach due to provider negligence, losing $2M in business. The customer's annual spend is $500K. What is the customer's likely recovery?

A.The amount of direct damages only
B.Up to $500K, the total fees paid in the past 12 months
C.Full $2M because negligence overrides liability caps
D.Zero because the customer accepted the terms
AnswerB

The explicit cap is based on fees paid.

Why this answer

The clause limits liability to fees paid (12 months = $500K), so the customer can recover up to that amount, not the full $2M loss. Option B correctly states this limitation.

360
MCQeasy

During a cloud security audit, it is discovered that a cloud storage bucket is configured to allow access from any IP address. The bucket contains sensitive customer data. What is the BEST immediate action to secure the bucket?

A.Modify the bucket policy to deny access from all IP addresses except trusted ranges.
B.Enable bucket logging to track access attempts.
C.Notify the security team and wait for a formal change request.
D.Enable server-side encryption on the bucket.
AnswerA

This directly removes public access and restricts to trusted IPs.

Why this answer

The immediate risk is that the bucket is publicly accessible from any IP address, exposing sensitive customer data. Modifying the bucket policy to deny access from all IP addresses except trusted ranges directly addresses this exposure by restricting network-level access. This is the most effective first step because it removes the broad, unrestricted access while maintaining necessary access for authorized users.

Exam trap

ISC2 often tests the distinction between access control and other security controls, trapping candidates who confuse encryption or logging with network-level access restriction.

How to eliminate wrong answers

Option B is wrong because enabling bucket logging only records access attempts; it does not prevent unauthorized access, so the data remains exposed. Option C is wrong because waiting for a formal change request delays remediation, leaving the sensitive data vulnerable during the wait period. Option D is wrong because server-side encryption protects data at rest but does not control network access; the bucket remains accessible from any IP address, so encryption alone does not secure the bucket from unauthorized access.

361
MCQhard

A company is migrating a critical application to the cloud and must ensure that its security operations center (SOC) can detect and respond to threats in real time. The application generates high volumes of logs. Which combination of services would provide the MOST efficient and cost-effective solution for centralized logging, analysis, and alerting?

A.Deploy a basic monitoring tool that triggers alerts based on static thresholds.
B.Implement a Security Information and Event Management (SIEM) system with real-time correlation and a log management solution that auto-scales.
C.Use a cloud-native log storage service with long retention and no analysis.
D.Store logs in a centralized log server and have SOC analysts manually review them.
AnswerB

SIEM provides real-time correlation and auto-scaling handles high volumes efficiently.

Why this answer

Option B is correct because a SIEM system with real-time correlation enables the SOC to detect threats as they occur by analyzing log data across multiple sources, while an auto-scaling log management solution ensures cost efficiency by dynamically adjusting resources to handle high log volumes without over-provisioning. This combination provides centralized logging, real-time analysis, and alerting, meeting the requirement for efficient and cost-effective threat detection.

Exam trap

ISC2 often tests the misconception that simple storage or manual review is sufficient for real-time threat detection, but the CCSP emphasizes that centralized logging without analysis and correlation fails to meet SOC operational requirements for real-time response.

How to eliminate wrong answers

Option A is wrong because a basic monitoring tool with static thresholds cannot perform real-time correlation across diverse log sources, leading to high false positives and missed advanced threats, and it lacks the scalability to handle high-volume logs efficiently. Option C is wrong because a cloud-native log storage service with long retention and no analysis fails to provide the real-time detection and alerting required by the SOC, as it only stores logs without any correlation or threat identification. Option D is wrong because storing logs in a centralized log server with manual review is neither efficient nor real-time, as SOC analysts cannot manually analyze high-volume logs quickly enough to detect and respond to threats promptly, and it does not scale cost-effectively.

362
MCQeasy

A developer is implementing a cloud application that stores sensitive user data. To minimize the risk of data exposure during transit, which security control should be enforced as a baseline requirement?

A.Implement IPsec tunnels between components
B.Use HTTPS without additional controls
C.Require SSH for all connections
D.Enforce TLS for all data in transit
AnswerD

TLS encrypts data in transit, protecting confidentiality and integrity.

Why this answer

TLS (Transport Layer Security) is the industry-standard protocol for encrypting data in transit, providing confidentiality, integrity, and authentication. Enforcing TLS for all communications ensures that sensitive user data is protected from eavesdropping and tampering during transmission, making it a baseline requirement for cloud application security.

Exam trap

ISC2 often tests the misconception that HTTPS alone is sufficient, but the trap here is that 'HTTPS without additional controls' (Option B) is not a baseline requirement because it lacks enforcement of strong TLS versions, certificate validation, and protections like HSTS, making it vulnerable to attacks that TLS enforcement (Option D) explicitly mitigates.

How to eliminate wrong answers

Option A is wrong because IPsec tunnels are typically used for site-to-site VPNs or network-layer encryption between entire subnets, not as a baseline for individual application-level connections; they add complexity and overhead without providing the same granular per-connection authentication and encryption as TLS. Option B is wrong because HTTPS without additional controls (like enforcing TLS 1.2 or higher, proper certificate validation, and HSTS) can still be vulnerable to downgrade attacks, man-in-the-middle attacks, and certificate spoofing, so it is not sufficient as a baseline requirement. Option C is wrong because SSH is designed for secure remote shell access and file transfer, not for general application data transit; it is not suitable for encrypting HTTP-based API calls or database connections between cloud components.

363
Multi-Selecteasy

Which THREE of the following are effective strategies for ensuring data backup integrity and recoverability in the cloud?

Select 3 answers
A.Maintain at least three copies of data across two different locations.
B.Encrypt all backups with a strong algorithm.
C.Perform regular restore tests to validate backup usability.
D.Set backup schedules to run daily for all critical data.
E.Store backups in immutable storage to prevent modification or deletion.
AnswersA, C, E

Multiple copies and geographic diversity improve recoverability.

Why this answer

Option A is correct because the 3-2-1 backup rule (three copies, two different media types, one offsite) is a foundational strategy for data durability and recoverability. In cloud environments, this typically means maintaining a primary copy, a local backup in a different availability zone, and a cross-region copy to protect against region-wide failures. This ensures that even if two copies are compromised, a third remains available for recovery.

Exam trap

ISC2 often tests the distinction between backup security (encryption) and backup integrity/recoverability, leading candidates to mistakenly select encryption as a strategy for recoverability when it only addresses confidentiality.

364
MCQmedium

A company uses a cloud-based identity provider for single sign-on. An application needs to verify the user's identity without storing credentials. Which token type should the application validate?

A.SAML assertion
B.JWT
C.Kerberos ticket
D.OAuth access token
AnswerA

SAML assertions are used in SSO to convey user identity and attributes.

Why this answer

A SAML assertion is the correct choice because it is specifically designed for single sign-on (SSO) scenarios where an identity provider (IdP) authenticates a user and issues a signed XML token containing the user's identity and attributes. The application validates the assertion's signature and trust relationship with the IdP, verifying the user's identity without ever storing or handling credentials. This aligns with the cloud-based identity provider model described in the question.

Exam trap

ISC2 often tests the distinction between authentication tokens (SAML) and authorization tokens (OAuth access tokens), leading candidates to pick OAuth access token because they confuse it with OpenID Connect ID tokens, which are actually JWTs used for identity in modern SSO.

How to eliminate wrong answers

Option B is wrong because a JWT (JSON Web Token) is a compact, self-contained token often used for stateless API authorization, but it is not inherently tied to SSO identity verification; it typically carries claims like user ID and expiration, but the application would still need to validate the JWT's signature and trust the issuer, which is not the standard SSO token format for cloud-based identity providers. Option C is wrong because a Kerberos ticket is a symmetric-key-based authentication token used in on-premises Windows domain environments, not in cloud-based identity provider SSO scenarios; it relies on a Key Distribution Center (KDC) and is not designed for cross-domain or cloud federation. Option D is wrong because an OAuth access token is primarily an authorization token that grants access to resources, not an identity token; it does not carry user identity claims in a standardized way for SSO verification, and the application would need a separate ID token (like OpenID Connect) to verify the user's identity.

365
MCQmedium

A cloud architect is tasked with designing a disaster recovery plan for a critical application. The recovery time objective (RTO) is 1 hour, and the recovery point objective (RPO) is 15 minutes. The application runs on IaaS with data stored in a relational database. Which replication strategy is MOST cost-effective while meeting the objectives?

A.Daily full backups to another region
B.Synchronous database mirroring across regions
C.Multi-region active-active deployment with load balancing
D.Asynchronous storage-level replication with 15-minute snapshots
AnswerD

Asynchronous replication with frequent snapshots meets the RPO cost-effectively.

Why this answer

Option D is correct because asynchronous storage-level replication with 15-minute snapshots meets the RPO of 15 minutes and the RTO of 1 hour, while being more cost-effective than synchronous replication. Asynchronous replication avoids the latency and bandwidth costs of synchronous mirroring across regions, and the 15-minute snapshot schedule ensures data loss is limited to the RPO window. This strategy is suitable for IaaS relational databases where near-real-time consistency is acceptable.

Exam trap

ISC2 often tests the misconception that synchronous replication is always required for low RPOs, but here the RPO is 15 minutes, which asynchronous replication with snapshots can meet at lower cost, and candidates may incorrectly choose synchronous mirroring due to assuming zero data loss is needed.

How to eliminate wrong answers

Option A is wrong because daily full backups to another region cannot achieve an RPO of 15 minutes; the backup interval is 24 hours, leading to potential data loss of up to a day, which far exceeds the 15-minute RPO. Option B is wrong because synchronous database mirroring across regions introduces significant network latency and cost, and while it can achieve near-zero RPO, it is overkill for a 15-minute RPO and may degrade application performance due to synchronous writes. Option C is wrong because multi-region active-active deployment with load balancing is designed for high availability and traffic distribution, not specifically for data replication with a defined RPO; it does not inherently provide point-in-time recovery snapshots and is more expensive than necessary for the stated RPO/RTO.

366
MCQhard

Refer to the exhibit. A security engineer reviews this CloudTrail log entry. The company has a policy that all deletion operations must be approved by the compliance team. What is the most likely compliance issue?

A.The deletion was performed from an internal IP address
B.The deletion was performed by a user who may not have authorization
C.The log entry does not include the object's encryption status
D.The deletion was performed without evidence of compliance team approval
AnswerD

The policy requires approval, but the log shows no approval step.

Why this answer

Option D is correct because the company policy explicitly requires compliance team approval for all deletion operations, and the CloudTrail log entry does not contain any evidence of such approval (e.g., no MFA context, no approval token, no IAM policy condition key indicating approval). CloudTrail logs record API calls but do not inherently capture external approval workflows; the absence of an approval artifact in the log indicates a policy violation.

Exam trap

ISC2 often tests the distinction between 'authorization' (who can perform an action) and 'approval' (a separate governance step), leading candidates to choose Option B when the real issue is the missing compliance approval artifact.

How to eliminate wrong answers

Option A is wrong because the source IP address being internal is irrelevant to the compliance issue; the policy concerns authorization, not network origin. Option B is wrong because the log entry shows the user identity (e.g., user ARN) and the action was performed, but the core issue is not whether the user 'may not have authorization'—the log itself does not indicate unauthorized access; the problem is the missing approval step. Option C is wrong because encryption status of the object is not required in a CloudTrail log for deletion compliance; the policy focuses on approval, not encryption metadata.

367
MCQeasy

A cloud security architect is designing a multi-tier application that processes sensitive customer data. To protect data in transit between the web tier and the application tier, which of the following is the MOST appropriate approach?

A.Use standard TLS with server-side certificates only
B.Establish SSH tunnels for all inter-tier communication
C.Use mutual TLS (mTLS) between the tiers
D.Implement IPsec VPN between the tiers
AnswerC

mTLS provides bidirectional authentication and encryption, ideal for service-to-service communication.

Why this answer

Mutual TLS (mTLS) is the most appropriate approach because it provides bidirectional authentication and encryption between the web tier and application tier. In a multi-tier application processing sensitive customer data, mTLS ensures that both the client (web tier) and server (application tier) present valid certificates, preventing man-in-the-middle attacks and unauthorized inter-tier communication. This is critical for protecting data in transit in zero-trust or internal network segments where simple server-side TLS would not verify the identity of the calling service.

Exam trap

ISC2 often tests the misconception that standard TLS (server-side only) is sufficient for internal service-to-service communication, but the trap here is that without mutual authentication, an attacker who compromises the web tier could impersonate it to the application tier, or a rogue service could connect to the application tier undetected.

How to eliminate wrong answers

Option A is wrong because standard TLS with server-side certificates only authenticates the server to the client, but does not authenticate the client (web tier) to the application tier, leaving the application tier vulnerable to unauthorized or spoofed connections. Option B is wrong because SSH tunnels provide point-to-point encryption but are designed for interactive shell access or port forwarding, not for high-throughput, persistent inter-tier service communication; they introduce management overhead and lack the certificate-based identity verification that mTLS offers for service-to-service authentication. Option D is wrong because IPsec VPN operates at the network layer and encrypts all traffic between subnets, but it is overly complex for application-layer communication, adds latency, and does not provide application-level identity verification between specific services; it is more suited for site-to-site connectivity rather than fine-grained inter-tier authentication.
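Questions 362 and 367 turn on the same two settings: which TLS versions a context accepts and whether it demands a certificate from the peer. The following added example (not code from the question bank or any provider) builds a hardened client context, the weakened variant that "HTTPS without additional controls" can degrade into, and an mTLS server context for the application tier, then audits each. The `ca_file` path is a hypothetical parameter the caller supplies, and the one-year `max-age` threshold in the HSTS check is a common recommendation assumed here, not a rule from the page.

```python
import ssl
from typing import Optional


def make_client_context() -> ssl.SSLContext:
    """Client side of 'enforce TLS': system trust store loaded, peer certificate
    required, hostname checked, and nothing below TLS 1.2 negotiated."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_client_context() -> ssl.SSLContext:
    """What an unenforced HTTPS setup can degrade into: verification switched off and
    any protocol version accepted. Built only so the audit below can flag it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def make_mtls_server_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Server side of mutual TLS for the application tier. CERT_REQUIRED is the setting
    that turns one-way TLS into mTLS: the web tier must present a certificate chaining
    to the internal CA in ca_file (hypothetical path supplied by the caller)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    # A real deployment also loads the server's own certificate and key:
    # ctx.load_cert_chain(certfile=..., keyfile=...)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report the settings the exam trap names: minimum version, peer verification,
    hostname checking."""
    return {
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "requires_peer_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


def hsts_ok(header_value: str, min_max_age: int = 31536000) -> bool:
    """Parse a Strict-Transport-Security header value and require a long max-age plus
    includeSubDomains. The one-year default threshold is an assumption for this example."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return False
    return max_age >= min_max_age and "includesubdomains" in directives
```

For the server context `checks_hostname` is expected to be false (the server is the party being named, not the one doing the naming); what distinguishes mTLS from option A's server-side-only TLS is `requires_peer_cert`. The HSTS check is the browser-facing companion control the explanation lists, so a deployment can verify the header its front end actually emits.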

368
MCQhard

A company uses a hybrid cloud architecture with on-premises key management and cloud services. They need to ensure that encryption keys used for cloud data are never exposed to the cloud provider. Which key management approach best meets this requirement?

A.Use the cloud provider's native key management service
B.Store keys in a cloud key vault with access logs
C.Use a BYOK solution with an on-premises HSM and key caching
D.Deploy a cloud-based HSM and store keys only there
AnswerC

BYOK allows keys to be generated, and their lifecycle managed, outside the cloud.

Why this answer

Option C is correct because a Bring Your Own Key (BYOK) solution with an on-premises Hardware Security Module (HSM) allows the company to generate and store encryption keys locally, then securely transfer them to the cloud for use without exposing the raw key material to the cloud provider. Key caching ensures that the cloud service can perform operations without the provider ever having persistent access to the plaintext keys, meeting the requirement that keys are never exposed to the cloud provider.

Exam trap

ISC2 often tests the misconception that a cloud-based HSM (Option D) is equivalent to on-premises key control, but the trap is that any key stored in the cloud provider's infrastructure is still accessible to the provider, whereas BYOK with an on-premises HSM ensures the provider never has access to the plaintext key material.

How to eliminate wrong answers

Option A is wrong because using the cloud provider's native key management service means the provider generates, stores, and manages the keys, giving them full access to the key material and violating the requirement. Option B is wrong because storing keys in a cloud key vault with access logs still places the keys under the cloud provider's control and infrastructure, exposing them to the provider's administrators and potential breaches. Option D is wrong because deploying a cloud-based HSM and storing keys only there still means the keys reside within the cloud provider's environment, subject to their physical and logical access controls, thus exposing the keys to the provider.

369
MCQeasy

An organization is developing a mobile app that communicates with a cloud API. To ensure secure authentication, which of the following should be used?

A.Session cookies for state management
B.Basic authentication with username and password
C.OAuth 2.0 with OpenID Connect
D.API keys sent in HTTP headers
AnswerC

Provides delegated authorization and authentication for mobile apps.

Why this answer

OAuth 2.0 with OpenID Connect (OIDC) is the correct choice because it provides a delegated authorization framework (OAuth 2.0) combined with an identity layer (OIDC) that enables secure authentication and single sign-on (SSO) for mobile apps communicating with cloud APIs. This combination issues short-lived access tokens and ID tokens (typically JWTs) rather than exposing long-lived credentials, and supports token refresh, scoped permissions, and PKCE (Proof Key for Code Exchange) to prevent authorization code interception on mobile devices.

Exam trap

ISC2 often tests the misconception that API keys or Basic auth are sufficient for mobile-to-cloud authentication, but the trap is that these methods lack the delegation, token lifecycle management, and identity verification that OAuth 2.0 with OpenID Connect provides, which is the industry standard (RFC 6749, RFC 7519) for securing mobile API access.

How to eliminate wrong answers

Option A is wrong because session cookies are designed for server-side web applications with browser-based state management; mobile apps lack a browser context for cookie handling and are vulnerable to CSRF and session hijacking, making cookies unsuitable for native mobile-to-API communication. Option B is wrong because Basic authentication transmits credentials (Base64-encoded username:password) in every request, exposing them to interception and replay attacks; it offers no token expiration, no scoping, and no support for multi-factor authentication, violating cloud security best practices. Option D is wrong because API keys sent in HTTP headers are static, long-lived secrets that are easily leaked in client-side code (e.g., mobile app binaries), provide no user authentication or delegation, and lack built-in revocation mechanisms beyond key rotation.
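The explanation names PKCE as the piece that protects a mobile app's authorization code from interception. The following added example (not code from the question bank or any identity provider) implements the RFC 7636 S256 binding on both sides: the client derives a challenge from a high-entropy verifier, and a minimal in-memory authorization server (hypothetical, constructed for the example) refuses to exchange a code unless the presented verifier hashes to the challenge it saw at authorization time.

```python
import base64
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Unreserved characters and the 43..128 length bound from RFC 7636 section 4.1.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Client: a high-entropy verifier kept only in app memory. token_urlsafe(64)
    yields 86 URL-safe characters, inside the 43..128 bound."""
    return secrets.token_urlsafe(64)


def challenge_from_verifier(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


@dataclass
class AuthorizationServer:
    """Minimal in-memory authorization server modelling only the PKCE binding.
    Constructed for this example; not any real provider's implementation."""
    pending: dict = field(default_factory=dict)  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        """Authorization request: remember the challenge under a fresh one-time code."""
        if method != "S256":
            raise ValueError("only S256 accepted; 'plain' gives no interception protection")
        code = secrets.token_urlsafe(32)
        self.pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> Optional[str]:
        """Token request: issue an access token only if the verifier hashes to the
        stored challenge. The code is consumed whether or not the check passes, so a
        stolen code cannot be retried."""
        entry = self.pending.pop(code, None)
        if entry is None or entry[0] != client_id:
            return None
        if not VERIFIER_RE.fullmatch(code_verifier):
            return None
        stored_challenge = entry[1]
        if not hmac.compare_digest(challenge_from_verifier(code_verifier), stored_challenge):
            return None
        return "access-" + secrets.token_urlsafe(16)  # constructed opaque token
```

The first assertion in the test below uses the RFC 7636 Appendix B vector, so the hashing can be checked against the standard. The server side shows why an intercepted code alone is useless to a third party: without the verifier that never left the app, the exchange fails and the code is spent.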

370
MCQmedium

A developer is designing a microservices-based application in the cloud. They need to ensure communication between services is loosely coupled and resilient to failures. Which design pattern should they implement?

A.API gateway
B.Event-driven messaging
C.Service mesh
D.Database per service
AnswerB

Event-driven messaging uses asynchronous messages, enabling loose coupling and resilience to failures.

Why this answer

Event-driven messaging (B) is correct because it enables asynchronous, decoupled communication between microservices, allowing them to operate independently and remain resilient to failures. When a service publishes an event, other services consume it at their own pace, preventing cascading failures and ensuring the system can handle partial outages without blocking. This pattern directly supports loose coupling and fault tolerance, which are critical for cloud-based microservices architectures.

Exam trap

ISC2 often tests the distinction between patterns that manage communication (like service mesh) versus patterns that decouple communication (like event-driven messaging), and the trap here is that candidates confuse a service mesh's ability to handle retries and circuit breakers with the fundamental loose coupling provided by asynchronous event-driven architectures.

How to eliminate wrong answers

Option A (API gateway) is wrong because it acts as a single entry point for client requests and typically handles synchronous communication, which can introduce a bottleneck and tight coupling between services, not the loosely coupled, failure-resilient pattern required. Option C (Service mesh) is wrong because it focuses on managing service-to-service communication at the infrastructure layer (e.g., with sidecar proxies like Envoy) and does not inherently provide the asynchronous, event-driven decoupling needed for resilience; it handles traffic management and observability but not failure isolation through loose coupling. Option D (Database per service) is wrong because it is a data management pattern that ensures each microservice has its own database to avoid tight coupling at the data layer, but it does not address communication resilience or asynchronous messaging between services.

371
Drag & Dropmedium

Drag and drop the steps for setting up a virtual private cloud (VPC) with public and private subnets in AWS into the correct order.

Why this order

Create the VPC first, then the public and private subnets inside it; attach an Internet Gateway to the VPC; create the route tables (the public subnet's table gets a 0.0.0.0/0 route to the Internet Gateway, the private subnet's table does not) and associate them with the subnets; finally launch instances into the subnets.

372
MCQmedium

A cloud application uses customer-managed encryption keys (CMK) stored in a cloud HSM. The application needs to decrypt data on demand. How should the key be accessed?

A.Use the HSM to decrypt without exposing the key
B.Use a key management service with IAM permissions
C.Store the key in application configuration
D.Copy the key to the application's memory
AnswerB

KMS provides secure access to keys with IAM controls, allowing decryption requests without exposing the key material.

Why this answer

Option B is correct because cloud key management services (e.g., AWS KMS, Azure Key Vault) let the application use a customer-managed key (CMK) that is backed by a cloud HSM without ever handling the plaintext key. The application calls the KMS decrypt API under an IAM identity that the key policy permits; the HSM performs the decryption inside its hardware boundary and returns only the plaintext data. Every call is authorized and logged, and the key material never leaves the HSM, which is the property that CMK usage is meant to guarantee.

Exam trap

ISC2 often tests the misconception that 'using an HSM directly' is the correct answer, but the trap is that cloud environments require a key management service (KMS) as the intermediary to enforce IAM policies, audit logging, and key lifecycle management—the HSM alone does not provide these access control features.

How to eliminate wrong answers

Option A is wrong because while the HSM can decrypt without exposing the key, the question asks how the application should access the key; directly calling the HSM API is not the standard cloud pattern—a key management service (KMS) abstracts HSM operations and provides IAM-based access control, auditing, and key rotation. Option C is wrong because storing the key in application configuration violates the fundamental principle of CMK security—keys must never be stored in plaintext outside the HSM or KMS, as configuration files are easily exposed via misconfigurations or breaches. Option D is wrong because copying the key to the application's memory exposes the plaintext key material, defeating the purpose of using a hardware security module (HSM) and violating the 'never export the key' rule that CMK policies enforce.

373
MCQeasy

A small business wants to use a cloud service but has limited in-house IT expertise. Which cloud service model requires the least customer management responsibility?

A.IaaS
B.SaaS
C.PaaS
D.FaaS
AnswerB

SaaS is fully managed; customer only uses the application.

Why this answer

SaaS (Software as a Service) delivers a complete application managed entirely by the cloud provider, so the customer only needs to use the software without managing underlying infrastructure, platforms, or runtime. For a small business with limited IT expertise, this model minimizes operational overhead because the provider handles maintenance, patching, and availability.

Exam trap

ISC2 often tests the misconception that PaaS requires less management than SaaS because candidates confuse 'platform management' with 'application management,' but PaaS still leaves the customer responsible for application code and its dependencies.

How to eliminate wrong answers

Option A is wrong because IaaS requires the customer to manage virtual machines, storage, and networking, which demands significant IT expertise for OS patching, security groups, and configuration. Option C is wrong because PaaS still requires the customer to manage application code, runtime settings, and sometimes database configurations, though the provider manages the underlying platform. Option D is wrong because FaaS (Function as a Service) still requires the customer to write, deploy, and maintain the function code and to configure its triggers, dependencies, and permissions; only the runtime, servers, and scaling are handled by the provider, so it demands development skills that a business with limited IT staff may not have.

374
Multi-Selecteasy

A company needs to ensure that data stored in the cloud is securely deleted when no longer needed. Which TWO of the following are secure deletion methods? (Choose two.)

Select 2 answers
A.Cryptographic erasure (destroying encryption keys)
B.Deleting the file metadata
C.Multiple overwrite of the storage blocks
D.Wiping the swap space
E.Degaussing the storage medium
AnswersA, C

Without the key, the encrypted data is unrecoverable.

Why this answer

Cryptographic erasure renders data unrecoverable by destroying the encryption keys used to protect the data at rest. Without the keys, recovering the plaintext from the ciphertext is computationally infeasible, even though the underlying storage blocks remain intact. NIST SP 800-88 recognizes cryptographic erase as a sanitization technique, which is why it is the preferred method in cloud environments where the customer has no physical access to storage. Overwriting the storage blocks (Option C) is likewise a recognized clearing method, but in a multi-tenant cloud the customer usually cannot address the physical blocks, so it is practical only for storage exposed as raw volumes or for the provider itself. Degaussing (Option E) needs physical access to the media and does not sanitize flash storage, and wiping swap space (Option D) only removes transient copies on a host, not the stored data.

Exam trap

ISC2 often tests the distinction between logical deletion (e.g., deleting metadata) and secure deletion, and candidates mistakenly choose 'deleting file metadata' because they confuse it with secure file deletion in operating systems, ignoring that cloud storage APIs do not guarantee physical block erasure.
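To make the difference between logical deletion and cryptographic erasure concrete, here is an added example that is not from the original page. The object store and key vault are in-memory stand-ins, and the cipher is an HMAC-SHA256 counter-mode keystream chosen only so the demo runs on the standard library; in practice the data would be encrypted with AES-GCM under a KMS-managed key. The sample record and the well-known test card number are constructed. It shows that deleting metadata leaves plaintext readable in the blocks, while destroying the key leaves the blocks in place but useless.

```python
"""Cryptographic erasure versus logical deletion (added example).

Illustrative code, not from the original page. The object store and key
vault are in-memory stand-ins; the cipher is an HMAC-SHA256 counter-mode
keystream used only so the demo runs with the standard library.
"""
import hashlib
import hmac
import os
from typing import Dict

NONCE_LEN = 16


class ObjectStore:
    """Tenant's view of object storage: an index (metadata) over blocks the
    tenant cannot overwrite or physically wipe."""

    def __init__(self) -> None:
        self.index: Dict[str, str] = {}
        self.blocks: Dict[str, bytes] = {}

    def put(self, name: str, data: bytes) -> None:
        block_id = os.urandom(8).hex()
        self.blocks[block_id] = data
        self.index[name] = block_id

    def get(self, name: str) -> bytes:
        return self.blocks[self.index[name]]

    def delete_metadata(self, name: str) -> None:
        """Logical delete: the name goes away, the block stays."""
        del self.index[name]


class KeyVault:
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def create(self, key_id: str) -> None:
        self._keys[key_id] = os.urandom(32)

    def get(self, key_id: str) -> bytes:
        return self._keys[key_id]

    def destroy(self, key_id: str) -> None:
        """Crypto-shredding: zero the key, then drop it. Storage is untouched."""
        self._keys[key_id] = bytes(32)
        del self._keys[key_id]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def blocks_contain(store: ObjectStore, needle: bytes) -> bool:
    """What a later tenant or a forensic read of the raw blocks would find."""
    return any(needle in block for block in store.blocks.values())


def run_demo() -> dict:
    # Constructed sample record; the PAN is a well-known test card number.
    secret = b"card=4111111111111111;exp=12/29"
    pan = b"4111111111111111"

    # Case 1: unencrypted object, "deleted" by removing its metadata.
    plain = ObjectStore()
    plain.put("report.txt", secret)
    plain.delete_metadata("report.txt")

    # Case 2: encrypted under a tenant key, then the key is destroyed.
    vault = KeyVault()
    vault.create("tenant-a")
    enc = ObjectStore()
    enc.put("report.txt", encrypt(vault.get("tenant-a"), secret))
    round_trip_ok = decrypt(vault.get("tenant-a"), enc.get("report.txt")) == secret
    vault.destroy("tenant-a")
    enc.delete_metadata("report.txt")
    try:
        vault.get("tenant-a")
        key_recoverable = True
    except KeyError:
        key_recoverable = False

    return {
        "plain_leaks_after_logical_delete": blocks_contain(plain, pan),
        "round_trip_before_erase": round_trip_ok,
        "ciphertext_blocks_left_behind": len(enc.blocks),
        "ciphertext_leaks_pan": blocks_contain(enc, pan),
        "key_recoverable": key_recoverable,
    }
```

The first store still yields the card number to anyone who reads its blocks after the "delete"; the second store still holds one block, but the block is ciphertext and the only thing that could turn it back into data no longer exists. That is the whole argument for cryptographic erasure when you cannot touch the physical media.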

375
MCQhard

A cloud security architect is designing an API gateway for a microservices application. The gateway must authenticate requests, enforce rate limiting, and log all transactions for audit. Which of the following security controls is most critical to protect against API abuse?

A.Implement rate limiting and throttling based on client identity and request volume.
B.Use TLS 1.3 to encrypt all traffic between clients and the gateway.
C.Validate and sanitize all input parameters to prevent injection attacks.
D.Require API keys for all requests and revoke keys of suspicious clients.
AnswerA

Rate limiting directly mitigates abuse by controlling request rates.

Why this answer

Option A is correct because rate limiting and throttling keyed to client identity directly bound how many requests any one client can make, which is the control that blunts API abuse (credential stuffing, scraping, resource exhaustion). Option B is wrong because TLS 1.3 protects data in transit but does nothing to limit how often an authenticated client calls the API. Option C is wrong because input validation prevents injection, not volume-based abuse.

Option D is wrong because API keys identify the caller but do not by themselves limit usage; revoking keys is reactive and only helps after abuse has already been detected.
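The control in Option A, as an added example that is not part of the original page: a per-client token-bucket limiter behind a gateway handler that returns HTTP 429 with a Retry-After header and writes every decision to an audit log. The client ids, the rate and burst values, and the injected clock are assumptions made for the demo.

```python
"""Per-client token-bucket rate limiting at an API gateway (added example).

Illustrative code, not from the original page. The gateway handler, client
ids and audit log are assumed for the demo; the clock is injected so the
run is deterministic.
"""
import math
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Bucket:
    tokens: float
    last: float


class RateLimiter:
    """Each client identity gets its own bucket of `burst` tokens, refilled at
    `rate` tokens per second, so one abusive client cannot exhaust another's
    allowance."""

    def __init__(self, rate: float, burst: int,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets: Dict[str, Bucket] = {}

    def allow(self, client_id: str) -> Tuple[bool, float]:
        now = self.clock()
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = Bucket(tokens=float(self.burst), last=now)
        # Refill for the elapsed time, capped at the burst size.
        bucket.tokens = min(self.burst, bucket.tokens + (now - bucket.last) * self.rate)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True, 0.0
        return False, (1.0 - bucket.tokens) / self.rate  # seconds until next token


def handle(limiter: RateLimiter, client_id: str, audit: List[dict]) -> Tuple[int, dict]:
    """Gateway front door once authentication has established client_id:
    throttle by identity and log every decision for audit."""
    ok, retry_after = limiter.allow(client_id)
    status = 200 if ok else 429
    audit.append({"client": client_id, "status": status})
    headers = {} if ok else {"Retry-After": str(math.ceil(retry_after))}
    return status, headers


def run_demo() -> dict:
    fake_now = [0.0]
    limiter = RateLimiter(rate=1.0, burst=5, clock=lambda: fake_now[0])
    audit: List[dict] = []

    burst = [handle(limiter, "client-a", audit)[0] for _ in range(7)]
    other = handle(limiter, "client-b", audit)[0]  # unaffected by client-a
    retry_hdr = handle(limiter, "client-a", audit)[1]["Retry-After"]
    fake_now[0] += 3.0                              # client-a earns 3 tokens
    after_refill = [handle(limiter, "client-a", audit)[0] for _ in range(4)]

    return {
        "burst": burst,
        "other_client": other,
        "retry_after": retry_hdr,
        "after_refill": after_refill,
        "throttled": sum(1 for e in audit if e["status"] == 429),
    }


if __name__ == "__main__":
    print(run_demo())
```

With a burst of 5 and a refill of 1 token per second, client-a gets five successes and then 429s, client-b is untouched, the Retry-After header tells the throttled client when to come back, and three seconds later client-a has exactly three more requests before it is throttled again. Keying the bucket on the authenticated identity rather than the source IP is what stops a single abuser behind a shared NAT from consuming everyone's allowance.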
