Certified Cloud Security Professional CCSP (CCSP) — Questions 376450

504 questions total · 7pages · All types, answers revealed

Page 5

Page 6 of 7

Page 7
376
MCQeasy

A customer relies on this SOC 2 Type II report to assess a cloud provider's controls. What is the primary limitation of this report?

A.The report includes subjective opinions
B.The report does not cover the entire provider's infrastructure
C.The report is biased in favor of the provider
D.The report only covers controls up to Dec 31, 2023
AnswerD

Controls are not tested beyond the audit period.

Why this answer

The report covers controls tested from Jan to Dec 2023, not current. Controls may have changed since. The report is not predictive, but the time lag is the key limitation.

Scope is per provider, unbiased.

377
MCQeasy

A cloud customer experiences a ransomware attack that encrypts data in an object storage bucket. The customer has versioning enabled on the bucket. How can the customer MOST effectively restore the data?

A.Delete the bucket and recreate it
B.Restore the bucket to a previous version using the versioning feature
C.Use the cloud provider's undelete feature for the encrypted objects
D.Decrypt the objects using the ransomware decryption key
AnswerB

Versioning allows recovery of unencrypted versions.

Why this answer

With versioning enabled on the object storage bucket, each object version is preserved. The correct approach is to restore the bucket to a previous, unencrypted version using the versioning feature, which effectively rolls back the data to its state before the ransomware encrypted the current versions. This avoids data loss and does not require decryption keys or bucket deletion.

Exam trap

ISC2 often tests the misconception that 'versioning' is only for preventing accidental deletion, when in fact it also enables recovery from overwrites (including ransomware encryption), and candidates may incorrectly assume that a decryption key or undelete feature is the primary recovery method.

How to eliminate wrong answers

Option A is wrong because deleting and recreating the bucket would permanently remove all object versions, including the unencrypted ones, resulting in total data loss. Option C is wrong because cloud providers do not offer a generic 'undelete' feature for encrypted objects; versioning is the intended mechanism for recovering overwritten or deleted objects, and 'undelete' typically refers to recovering deleted objects, not restoring encrypted ones. Option D is wrong because ransomware decryption keys are controlled by the attacker and are not available to the customer; attempting to decrypt without the key is infeasible and not a recommended recovery strategy.

378
MCQmedium

A security team is reviewing a cloud application's CI/CD pipeline. They want to ensure that only approved open-source libraries are used in production builds. Which approach best addresses this requirement?

A.Segment the build network to limit internet access
B.Perform static code analysis after each build
C.Implement a software composition analysis (SCA) tool in the pipeline
D.Require manual approval for all library updates
AnswerC

SCA identifies and blocks unapproved open-source components.

Why this answer

A Software Composition Analysis (SCA) tool is specifically designed to automatically scan open-source libraries for known vulnerabilities, licensing issues, and version compliance. By integrating SCA into the CI/CD pipeline, the team can enforce a policy that only approved libraries (e.g., those passing a security and license review) are allowed in production builds, blocking unapproved or vulnerable components before deployment.

Exam trap

ISC2 often tests the distinction between SAST (static code analysis), DAST (dynamic analysis), and SCA, expecting candidates to recognize that only SCA directly addresses the management and approval of third-party open-source components and their associated risks.

How to eliminate wrong answers

Option A is wrong because segmenting the build network to limit internet access only restricts network connectivity, but does not prevent developers from introducing unapproved libraries already cached or stored locally; it also breaks legitimate dependency resolution from approved repositories. Option B is wrong because static code analysis (SAST) focuses on source code flaws (e.g., SQL injection, buffer overflows) and does not inspect third-party library metadata, licenses, or known CVEs in dependencies. Option D is wrong because requiring manual approval for all library updates is an operational process that does not scale, lacks automated detection of unapproved libraries, and introduces human error and delay without providing a technical enforcement gate in the pipeline.

379
MCQeasy

After decommissioning a cloud database, a company is concerned about data remanence. They have overwritten all storage blocks with zeros. However, regulatory auditors require proof that the data is unrecoverable. What additional step should the company take?

A.Physically destroy the storage media
B.Shred the hard drives
C.Request a certificate of destruction from the cloud provider
D.Degauss the drives
AnswerC

Certification provides audit evidence of proper sanitization.

Why this answer

Option C is correct because most cloud providers offer a certification of destruction that confirms data has been sanitized according to standards. Option A is wrong because physical destruction is not always possible in cloud. Option B is wrong because degaussing is for magnetic media, not cloud storage.

Option D is wrong because the provider typically does not provide raw disk drives.

380
MCQmedium

A healthcare SaaS company runs containerized microservices on Google Kubernetes Engine (GKE). The security team scans containers with a vulnerability scanner and finds that base images have several critical vulnerabilities. The container build process uses a Dockerfile that pulls the latest Ubuntu image from Docker Hub. The team wants to reduce the attack surface without delaying feature releases. What is the best approach?

A.Place a network security policy to restrict outbound traffic from pods
B.Schedule weekly automated rebuilds with the latest base image
C.Adopt minimal hardened base images and integrate vulnerability scanning into CI/CD
D.Refactor all applications to use scratch as base image
AnswerC

Hardened images minimize vulnerabilities and scanning ensures early detection.

Why this answer

Option D is correct because using minimal hardened images (e.g., distroless) reduces vulnerabilities and attack surface. Option A (weekly patching) leaves windows open. Option B (rebuild from scratch) is time-consuming and error-prone.

Option C (network segmentation) does not address vulnerable images.

381
MCQeasy

Refer to the exhibit. A CloudFormation template defines a security group as shown. What is the security concern with this configuration?

A.It allows SSH access on port 22.
B.It allows HTTP traffic on port 80, not HTTPS.
C.It does not allow outbound traffic.
D.It allows inbound traffic from all IP addresses on port 443, which is overly permissive.
AnswerD

Best practice is to restrict source IPs to known ranges.

Why this answer

Option D is correct because the security group rule allows inbound traffic on port 443 (HTTPS) from 0.0.0.0/0, which means any IP address on the internet can reach the resource. This is overly permissive and violates the principle of least privilege, as it exposes the service to potential attacks from any source without restriction.

Exam trap

ISC2 often tests the misconception that allowing a common protocol like HTTPS on port 443 is always safe, but the trap is that the source IP range (0.0.0.0/0) is the actual vulnerability, not the port or protocol itself.

How to eliminate wrong answers

Option A is wrong because allowing SSH access on port 22 is not inherently a security concern; the issue is the source IP range, not the protocol itself. Option B is wrong because the template allows HTTPS on port 443, not HTTP on port 80, and HTTP traffic is not defined in the exhibit. Option C is wrong because security groups in AWS are stateful by default, meaning that if inbound traffic is allowed, the corresponding outbound return traffic is automatically permitted, so the absence of explicit outbound rules does not block outbound traffic.

382
Multi-Selectmedium

A cloud security team is implementing tokenization for a payment system. Which THREE statements correctly describe tokenization characteristics?

Select 3 answers
A.Tokenization uses encryption algorithms to protect data.
B.The original sensitive data is stored in a secure token vault.
C.The token is a randomly generated string with no mathematical relationship to the original data.
D.Tokens can be used for transactions without exposing the original data.
E.Tokenization is reversible using the token alone.
AnswersB, C, D

Correct: The mapping between token and original data is stored in a vault.

Why this answer

Option B is correct because tokenization replaces sensitive data (e.g., credit card numbers) with a token, and the original data is stored securely in a token vault. This vault is isolated and access-controlled, ensuring that only authorized systems can detokenize the data when needed. The vault is the authoritative source for mapping tokens back to original values, which is fundamental to tokenization's security model.

Exam trap

ISC2 often tests the misconception that tokenization is a form of encryption, but the key distinction is that tokenization uses a lookup table (vault) rather than a mathematical algorithm, making it non-reversible without vault access.

383
MCQeasy

A cloud application uses OAuth 2.0 for authorization. What is the primary purpose of using a refresh token in this flow?

A.To obtain a new access token when the current one expires without user interaction.
B.To grant the same access token indefinitely.
C.To authenticate the user without a password.
D.To store user credentials on the resource server for later use.
AnswerA

Refresh tokens are long-lived and can be used to request new access tokens.

Why this answer

In OAuth 2.0, access tokens are short-lived by design to limit the window of compromise. A refresh token is a long-lived credential that allows the client to obtain a new access token from the authorization server without requiring the user to re-authenticate or re-consent. This enables seamless, ongoing access to protected resources while maintaining security through short-lived access tokens.

Exam trap

ISC2 often tests the misconception that refresh tokens are used for authentication or that they extend the life of the same access token, rather than understanding they are a separate credential used to obtain a new access token.

How to eliminate wrong answers

Option B is wrong because refresh tokens do not grant indefinite access; they can be revoked, have their own expiration, and are used to obtain new access tokens, not to extend the life of the same token. Option C is wrong because refresh tokens are not used for authentication; they are an authorization grant that assumes prior authentication has already occurred. Option D is wrong because refresh tokens are stored on the client (or client's backend), not on the resource server, and they are never used to store user credentials.

384
MCQeasy

A cloud administrator needs to ensure that all data transferred between an on-premises data center and a cloud VPC is encrypted in transit. Which solution should be used?

A.AWS Transit Gateway
B.AWS Route 53 Resolver
C.AWS Site-to-Site VPN
D.AWS Direct Connect
AnswerC

Site-to-Site VPN uses IPSec to encrypt all traffic between the on-premises network and VPC.

Why this answer

AWS Site-to-Site VPN creates an encrypted tunnel between an on-premises data center and a cloud VPC using IPsec (IKEv1/IKEv2) to protect all data in transit. This directly meets the requirement for encryption, as traffic traverses the public internet or a Direct Connect connection with encryption enabled.

Exam trap

The trap here is that candidates often assume Direct Connect inherently encrypts traffic because it is a private connection, but it does not; encryption must be explicitly implemented, and the VPN is the direct solution for encryption in transit.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway is a network transit hub that interconnects VPCs and on-premises networks, but it does not itself provide encryption; it can route traffic through a VPN attachment, but the encryption comes from the VPN, not Transit Gateway. Option B is wrong because AWS Route 53 Resolver is a DNS resolution service that resolves domain names to IP addresses; it has no role in encrypting data in transit. Option D is wrong because AWS Direct Connect provides a private, dedicated network connection that bypasses the public internet, but by default it does not encrypt traffic; encryption must be added separately (e.g., via IPsec over Direct Connect or a VPN).

385
MCQmedium

A company is storing sensitive customer data in an S3 bucket. They need to ensure data is encrypted at rest and that the encryption keys are managed by the cloud provider. Which encryption strategy should they use?

A.SSE-C (Server-Side Encryption with Customer-Provided Keys)
B.Client-side encryption
C.SSE-KMS (Server-Side Encryption with AWS KMS)
D.SSE-S3 (Server-Side Encryption with S3-Managed Keys)
AnswerD

SSE-S3 uses keys managed by AWS, meeting the requirement.

Why this answer

SSE-S3 (Server-Side Encryption with S3-Managed Keys) encrypts data at rest using AES-256, with the encryption keys fully managed by AWS. This meets the requirement for the cloud provider to handle key management without any customer involvement in key generation, storage, or rotation.

Exam trap

ISC2 often tests the distinction between 'managed by the provider' and 'managed by the customer' — candidates confuse SSE-KMS (customer-managed KMS keys) with provider-managed keys, but SSE-KMS still gives the customer control over key lifecycle, making SSE-S3 the only option where the provider fully manages keys.

How to eliminate wrong answers

Option A is wrong because SSE-C requires the customer to provide and manage their own encryption keys, which contradicts the requirement that the cloud provider manages the keys. Option B is wrong because client-side encryption occurs before data is sent to S3, meaning the customer manages the keys and encryption process, not the cloud provider. Option C is wrong because SSE-KMS uses AWS Key Management Service, which gives the customer control over key policies, rotation, and auditing, meaning the customer retains management responsibility even though AWS hosts the keys.

386
MCQmedium

Refer to the exhibit. An IAM policy is attached to a user. Which action is the user allowed to perform?

A.Change the bucket's policy.
B.Read an existing object from the bucket.
C.Upload a new object to the bucket.
D.Delete an object from the bucket.
AnswerB

s3:GetObject is explicitly allowed.

Why this answer

The IAM policy grants the `s3:GetObject` action, which allows the user to read (download) an existing object from the specified S3 bucket. The policy explicitly allows this action for the bucket `my-bucket` and its objects, so the user can perform read operations on objects within that bucket.

Exam trap

ISC2 often tests the distinction between read and write permissions in S3 policies, where candidates mistakenly assume that `s3:GetObject` implies the ability to upload or modify objects, but each action (Get, Put, Delete) must be explicitly granted.

How to eliminate wrong answers

Option A is wrong because changing a bucket's policy requires the `s3:PutBucketPolicy` action, which is not included in the attached policy. Option C is wrong because uploading a new object requires the `s3:PutObject` action, which is not granted by the policy. Option D is wrong because deleting an object requires the `s3:DeleteObject` action, which is also absent from the policy.

387
MCQhard

A financial services company is required to maintain audit trails of all user activities in its cloud environment for regulatory compliance. The company uses multiple cloud services and wants a centralized logging solution. The current architecture sends logs to a central storage bucket, but some logs are being lost due to high volume and insufficient throughput. Additionally, the logs must be immutable to prevent tampering. The company needs to ensure that all logs are captured and stored in a tamper-proof manner. Which of the following solutions BEST meets the requirements?

A.Configure the cloud provider's logging service to send logs to a dedicated bucket with versioning and object lock enabled, and set a high throughput.
B.Cache logs locally on each server and have a background job upload them to a bucket.
C.Use multiple log streams with different destinations and aggregate them using a third-party SIEM.
D.Use a message queue to decouple log generation from storage, and store logs in a bucket with immutability settings.
AnswerA

Correct: Versioning and object lock prevent modification; provider logging handles throughput.

Why this answer

Option A is correct because enabling Object Lock with retention modes (Governance or Compliance) on the cloud storage bucket ensures immutability, preventing log tampering. Versioning provides an additional safeguard by preserving all object versions, and configuring a high throughput setting (e.g., increasing the bucket's request rate limits or using a dedicated endpoint) addresses the log loss due to insufficient throughput.

Exam trap

The trap here is that candidates may choose Option D because a message queue addresses throughput, but they overlook that immutability must be enforced at the storage layer, not just by decoupling the pipeline.

How to eliminate wrong answers

Option B is wrong because caching logs locally and uploading via a background job introduces a single point of failure and potential data loss if the server crashes before upload, and it does not guarantee immutability at rest. Option C is wrong because using multiple log streams with different destinations and a third-party SIEM adds complexity and latency but does not inherently solve the throughput bottleneck or provide native immutability for the stored logs. Option D is wrong because while a message queue decouples log generation from storage and can help with throughput, it does not directly ensure immutability of the stored logs unless the storage bucket itself has immutability settings enabled; the question already requires a solution that ensures tamper-proof storage, and the message queue alone does not enforce that.

388
MCQhard

Refer to the exhibit. A Kubernetes pod is configured as shown. Which security enhancement should be added to follow cloud security best practices?

A.Set allowPrivilegeEscalation to true
B.Use a more restrictive runAsUser value like 2000
C.Set readOnlyRootFilesystem to true
D.Use a trusted image from a private registry
AnswerC

Read-only root filesystem prevents unauthorized modifications.

Why this answer

Setting `readOnlyRootFilesystem` to true ensures the container's root filesystem is mounted as read-only, preventing attackers from modifying binaries, libraries, or configuration files at runtime. This is a key container hardening practice that limits the blast radius of a compromise, aligning with the CIS Benchmark for Kubernetes and cloud security best practices.

Exam trap

ISC2 often tests the distinction between runtime hardening (like read-only filesystem) and identity/access controls (like runAsUser or image trust), expecting candidates to recognize that a non-root user alone does not prevent file tampering.

How to eliminate wrong answers

Option A is wrong because setting `allowPrivilegeEscalation` to true allows processes within the container to gain more privileges than their parent (e.g., via setuid binaries), which directly violates the principle of least privilege and increases risk. Option B is wrong because while using a non-root user like 2000 is good practice, the question asks for a security enhancement to add; the pod already specifies `runAsUser: 1000`, which is already non-root, so changing the UID does not address the missing read-only filesystem or other hardening gaps. Option D is wrong because using a trusted image from a private registry is a supply chain security measure, but it does not mitigate runtime attacks that modify the container's filesystem; the pod configuration shown lacks filesystem-level protection, which is the immediate gap.

389
Multi-Selecteasy

Which TWO cloud monitoring tools are used primarily for detecting anomalous behavior that may indicate a security incident? (Choose two.)

Select 2 answers
A.Infrastructure monitoring tool.
B.Intrusion detection system (IDS).
C.Cloud cost management tool.
D.Application performance monitoring (APM).
E.Security information and event management (SIEM) system.
AnswersB, E

IDS monitors network traffic for malicious activity.

Why this answer

An Intrusion Detection System (IDS) is specifically designed to monitor network traffic and system activities for signs of malicious activity or policy violations, making it a primary tool for detecting anomalous behavior indicative of a security incident. A Security Information and Event Management (SIEM) system aggregates and correlates logs from multiple sources, using rules and analytics to identify patterns of suspicious activity that may signal a security breach.

Exam trap

ISC2 often tests the distinction between monitoring for performance (infrastructure/APM tools) versus monitoring for security (IDS/SIEM), and candidates mistakenly choose infrastructure monitoring or APM because they think 'monitoring' broadly covers security, but these tools lack the specific anomaly detection and correlation capabilities required for incident detection.

390
MCQhard

A cloud service provider (CSP) is designing a multi-tenant infrastructure and needs to ensure that a security incident in one tenant's environment does not compromise the confidentiality or integrity of other tenants. The CSP plans to use a combination of network segmentation, hypervisor isolation, and encryption. Which additional control is MOST critical to prevent side-channel attacks that could leak cryptographic keys or other sensitive data across tenants?

A.Ensure cryptographic operations use constant-time algorithms.
B.Implement virtual LANs (VLANs) and firewall rules between tenants.
C.Use hardware security modules (HSMs) for key management.
D.Enforce strict API rate limiting for each tenant.
AnswerA

Constant-time algorithms resist timing and cache-based side-channel attacks.

Why this answer

Side-channel attacks, such as timing attacks, exploit variations in execution time to infer sensitive data like cryptographic keys. Constant-time algorithms ensure that cryptographic operations execute in a fixed duration regardless of input, eliminating timing variations that could be measured across shared physical hardware. This is critical in multi-tenant environments where tenants share CPU caches and memory buses, as it prevents an attacker from extracting key material through precise timing measurements.

Exam trap

ISC2 often tests the distinction between network-level isolation (VLANs, firewalls) and microarchitectural side-channel defenses, leading candidates to choose network controls when the question specifically targets side-channel attacks that bypass network segmentation.

How to eliminate wrong answers

Option B is wrong because VLANs and firewall rules provide network-layer isolation but do not address side-channel attacks that occur at the hardware or microarchitectural level, such as cache timing or branch prediction analysis. Option C is wrong because HSMs secure key storage and operations but do not prevent side-channel leakage from the CPU or memory during cryptographic processing; an attacker can still observe timing or power variations. Option D is wrong because API rate limiting controls request frequency to prevent abuse but has no effect on side-channel attacks that exploit shared processor resources like caches or execution pipelines.

391
MCQhard

An e-commerce company uses a cloud-based web application firewall (WAF) to protect against common web exploits. The security team notices that a specific IP address is sending a high volume of requests that appear to be a DDoS attack. What is the best immediate response to mitigate the attack while minimizing impact on legitimate users?

A.Change the DNS to point to a different IP address.
B.Increase the compute capacity of the web servers.
C.Block the IP address in the WAF.
D.Implement rate limiting on the IP address with a threshold that allows normal traffic.
AnswerD

Rate limiting can distinguish between human users and automated attacks, reducing impact.

Why this answer

Option D is correct because rate limiting at the WAF allows the security team to restrict the volume of requests from the offending IP address without completely blocking it. This approach ensures that legitimate traffic from that IP (e.g., a shared NAT gateway or a user with a dynamic IP) can still pass through, while the DDoS attack traffic is throttled. WAFs typically support granular rate-limiting rules based on IP, session, or URI, making this the most precise and least disruptive immediate response.

Exam trap

ISC2 often tests the misconception that blocking an IP address (Option C) is the safest immediate action, but the trap is that legitimate users can share the same IP via NAT or proxy, making rate limiting a more precise and less harmful control.

How to eliminate wrong answers

Option A is wrong because changing DNS to point to a different IP address does not mitigate the attack; the attacker can simply follow the new IP, and DNS propagation delays (up to 48 hours) leave the original IP exposed. Option B is wrong because increasing compute capacity (horizontal or vertical scaling) does not stop the attack; it only temporarily absorbs more traffic, and the attacker can easily scale up the DDoS volume, leading to resource exhaustion and higher costs. Option C is wrong because blocking the IP address outright in the WAF may inadvertently block legitimate users who share that IP (e.g., users behind a carrier-grade NAT or a corporate proxy), causing a denial of service to valid customers.

392
MCQmedium

An organization uses cloud object storage for backup data and requires that once written, data cannot be modified or deleted for a specified retention period. Which feature should they enable?

A.Bucket versioning
B.Object lock with write-once-read-many (WORM) protection
C.Encryption at rest with customer-managed keys
D.Lifecycle management to expire objects old objects
AnswerB

Ensures immutability during retention period.

Why this answer

Object lock with WORM protection is the correct feature because it enforces a retention policy that prevents any user, including the root account, from modifying or deleting objects until the retention period expires. This is specifically designed for compliance requirements such as SEC 17a-4(f) and ensures data immutability at the object level, which bucket versioning, encryption, or lifecycle rules cannot guarantee.

Exam trap

ISC2 often tests the misconception that bucket versioning alone provides data immutability, but versioning only protects against accidental overwrites by preserving old versions, not against intentional deletion or modification of the current version.

How to eliminate wrong answers

Option A is wrong because bucket versioning preserves multiple versions of an object but does not prevent deletion or overwrite of the current version; it only allows recovery of previous versions, not immutability. Option C is wrong because encryption at rest with customer-managed keys protects data confidentiality but does not enforce any write-once or retention constraints; data can still be modified or deleted by authorized users. Option D is wrong because lifecycle management automates the transition or expiration of objects based on age or rules, but it does not prevent deletion or modification during the retention period; in fact, it can delete objects prematurely if misconfigured.

393
MCQeasy

A company is designing a multi-tier application in the cloud. The web tier must automatically scale based on CPU utilization, while the database tier should remain fixed to maintain data consistency. Which architectural pattern best meets these requirements?

A.Horizontal auto-scaling for the web tier and a fixed database tier
B.Manual scaling for both tiers
C.Vertical scaling of all tiers
D.Single-tier architecture with auto-scaling
AnswerA

This pattern separates stateless and stateful components appropriately.

Why this answer

Option A is correct because it separates the stateless web tier, which can safely scale horizontally using auto-scaling groups triggered by CPU utilization thresholds, from the stateful database tier, which must remain fixed to avoid consistency issues such as split-brain or replication lag. Horizontal scaling adds or removes identical web server instances without affecting session state, while a fixed database tier preserves ACID properties and prevents conflicts from concurrent writes across multiple database nodes.

Exam trap

ISC2 often tests the misconception that auto-scaling should apply uniformly to all tiers, but the trap here is that candidates forget the database tier requires stateful consistency and cannot scale horizontally without introducing eventual consistency or complex distributed transactions.

How to eliminate wrong answers

Option B is wrong because manual scaling for both tiers introduces operational overhead and cannot react dynamically to load changes, defeating the purpose of cloud elasticity. Option C is wrong because vertical scaling of all tiers (increasing instance size) has hard limits (maximum VM size) and does not address the need for the web tier to scale out; it also incorrectly scales the database tier, which should remain fixed. Option D is wrong because a single-tier architecture with auto-scaling collapses web and database functions into one layer, causing data consistency problems when multiple instances write to the same local storage and violating the multi-tier design requirement.

394
Multi-Selectmedium

A company uses a cloud key management service (KMS) with automatic key rotation enabled. Which TWO statements about key rotation are true?

Select 2 answers
A.The key ID changes after each rotation.
B.The old key is immediately destroyed after rotation.
C.New key material is generated, and the old key material is retained for decryption.
D.Applications using the key continue to work without modification.
E.All data encrypted with the old key must be re-encrypted.
AnswersC, D

Correct: Automatic rotation creates a new version; the old version is kept for decryption.

Why this answer

Option C is correct because cloud KMS services (e.g., AWS KMS, Azure Key Vault) implement automatic key rotation by generating new cryptographic key material while retaining the old key material. This allows data encrypted with the previous key version to still be decrypted, as the old key material is not destroyed but simply marked as retired for encryption operations.

Exam trap

ISC2 often tests the misconception that key rotation changes the key identifier or requires immediate re-encryption, when in fact the key ID remains stable and old key material is preserved for decryption.

395
MCQmedium

A software-as-a-service (SaaS) provider hosts customer data in a multi-tenant cloud environment. Each customer's data is stored in separate databases but shares a common infrastructure. A customer reports that they can see another customer's data in their application dashboard. The development team investigates and finds no application-level bugs. The security team suspects the issue is related to cloud data isolation. The provider uses a public cloud database service with separate schemas per customer. The database service uses shared compute resources. The provider's compliance team is concerned about data leakage between tenants. Which of the following is the MOST effective way to ensure data isolation in this environment?

A.Implement row-level security (RLS) on the database tables to restrict access based on customer ID.
B.Use application-level encryption with different keys per customer.
C.Enable database auditing and monitor for anomalies.
D.Move each customer to a separate database instance.
AnswerA

RLS provides fine-grained access control at the row level.

Why this answer

Row-level security (RLS) is the most effective because it enforces data isolation directly within the shared database engine, filtering rows based on the customer ID predicate. This prevents any cross-tenant data access even if the application layer is compromised or misconfigured, as the database itself evaluates the security policy on every query. Unlike encryption or auditing, RLS provides a deterministic access control mechanism that operates at the query execution level, ensuring that each tenant sees only their own data.

Exam trap

ISC2 often tests the misconception that encryption alone ensures data isolation, but encryption does not control access to the decrypted data once it is retrieved; the trap here is choosing application-level encryption (Option B) because it sounds security-focused, while RLS directly addresses the access control gap at the database layer.

How to eliminate wrong answers

Option B is wrong because application-level encryption with per-customer keys protects data at rest and in transit but does not prevent a query from returning another customer's encrypted data; the application could still decrypt it if the wrong key is used or if the key management is flawed. Option C is wrong because database auditing only logs access events for after-the-fact review; it does not prevent unauthorized data exposure in real time. Option D is wrong because moving each customer to a separate database instance would achieve isolation but is not the most effective use of shared resources in a multi-tenant SaaS environment; it increases operational complexity and cost, and RLS can achieve the same isolation without requiring separate instances.

396
MCQeasy

A cloud administrator is rotating encryption keys for a data storage service. The administrator wants to ensure that previously encrypted data remains accessible after the rotation. What is the best practice?

A.Delete the old key after rotation
B.Retain the old key and use envelope encryption so the new key can decrypt the old key
C.Re-encrypt all data with the new key immediately
D.Disable the old key and only use the new key for new writes
AnswerB

Old keys are kept but not active; new wrapped keys allow access.

Why this answer

Envelope encryption allows the new key to decrypt the old key, which in turn decrypts the data. This ensures that previously encrypted data remains accessible without re-encrypting it, as the old key is retained and protected under the new key. This is the best practice for key rotation in cloud storage services like AWS KMS or Azure Key Vault.

Exam trap

ISC2 often tests the misconception that key rotation requires immediate re-encryption of all data, but the correct approach is to retain old keys and use envelope encryption to maintain access without re-encryption.

How to eliminate wrong answers

Option A is wrong because deleting the old key immediately after rotation would render all data encrypted with that key permanently inaccessible, violating the requirement to maintain access. Option C is wrong because re-encrypting all data with the new key immediately is inefficient, resource-intensive, and unnecessary when envelope encryption can provide seamless access. Option D is wrong because disabling the old key without retaining it for decryption would break access to existing encrypted data, as the new key alone cannot decrypt data encrypted with the old key.

397
MCQhard

An administrator notices the log entries in the exhibit from a cloud-hosted server. What is the MOST likely security concern indicated by these logs?

A.A brute-force attack succeeded in logging into the system, and a database password was exposed in the command line
B.Data was exfiltrated from the MySQL database
C.The MySQL database was accessed by an unauthorized user
D.A failed SSH login attempt indicates a misconfigured firewall
AnswerA

Failed then accepted login indicates brute-force success; password in plaintext is a credential exposure.

Why this answer

The log entries show a successful SSH login followed by a MySQL command that includes the database password in plaintext on the command line (e.g., `mysql -u root -pPassword123`). This indicates a brute-force attack succeeded, and the password was exposed in the process list or shell history, which is a critical data security concern.

Exam trap

ISC2 often tests the distinction between a successful brute-force attack and data exfiltration, where candidates confuse a successful login with actual data theft, but the logs here only show the password exposure, not data movement.

How to eliminate wrong answers

Option B is wrong because data exfiltration from MySQL would require evidence of SELECT or export commands (e.g., INTO OUTFILE) transferring data to an external location, which is not present in the logs. Option C is wrong because the logs show a successful SSH login, not direct MySQL access; the MySQL access is subsequent and authorized by the logged-in user, not an unauthorized user. Option D is wrong because a failed SSH login attempt would show authentication failure messages (e.g., 'Failed password'), not a successful login; the logs show a successful login, so a misconfigured firewall is irrelevant.

398
MCQhard

An organization is migrating a legacy application to the cloud and plans to use a cloud access security broker (CASB). Which of the following is the PRIMARY function of a CASB in securing cloud applications?

A.Performing vulnerability scans on cloud infrastructure
B.Encrypting data at rest in cloud storage
C.Protecting against distributed denial-of-service (DDoS) attacks
D.Enforcing security policies across cloud applications and controlling access
AnswerD

CASBs provide visibility, policy enforcement, and threat protection for cloud apps.

Why this answer

The primary function of a CASB is to enforce security policies and control access across cloud applications, acting as an intermediary between users and cloud providers. It provides visibility into cloud usage, applies data loss prevention (DLP) rules, and enforces authentication and authorization policies, which directly addresses the need to secure a legacy application migrated to the cloud.

Exam trap

ISC2 often tests the distinction between a CASB's primary role (policy enforcement and access control) and secondary capabilities (like encryption or DLP), leading candidates to mistake a supporting feature for the core function.

How to eliminate wrong answers

Option A is wrong because vulnerability scanning of cloud infrastructure is typically performed by a cloud security posture management (CSPM) tool or a vulnerability scanner, not a CASB, which focuses on application-level policy enforcement and user access control. Option B is wrong because while a CASB can apply encryption for data in transit or at rest via tokenization or proxy-based encryption, its primary function is not encrypting data at rest; that is a feature of cloud storage services or dedicated encryption tools. Option C is wrong because protecting against DDoS attacks is handled by web application firewalls (WAFs) or DDoS mitigation services, not a CASB, which is designed for visibility, compliance, and access control for cloud applications.

399
MCQmedium

Refer to the exhibit. A cloud administrator sees this error log from AWS CloudTrail. The user [email protected] is a member of the 'Analysts' group. Which of the following is the most likely cause of the AccessDenied error?

A.The user is trying to access the bucket from a different AWS region.
B.The IAM policy attached to the user or group does not include s3:PutObject for that bucket.
C.The bucket policy explicitly denies access to the 'Analysts' group.
D.The bucket requires server-side encryption and the request did not include encryption headers.
AnswerB

Missing IAM permissions are a common cause of AccessDenied.

Why this answer

The AccessDenied error for an s3:PutObject operation indicates that the IAM policy attached to the user or group does not grant the necessary permissions. Since the user is a member of the 'Analysts' group, the most likely cause is that the group's IAM policy lacks an Allow effect for s3:PutObject on the target bucket. AWS IAM evaluates both identity-based and resource-based policies, and if no explicit Allow is present, the default implicit deny applies.

Exam trap

ISC2 often tests the distinction between an implicit deny (missing Allow) and an explicit deny (Deny statement), and candidates mistakenly assume a bucket policy or encryption requirement is the cause when the error is simply a missing permission in the IAM policy.

How to eliminate wrong answers

Option A is wrong because S3 bucket access is not region-specific; a bucket is a global resource and cross-region access is allowed by default unless explicitly restricted by a bucket policy or VPC endpoint. Option C is wrong because the error log does not indicate an explicit deny; an explicit deny would produce a different error message (e.g., 'AccessDenied' with a reason like 'explicit deny'), and the question states the user is a member of the 'Analysts' group without mentioning a bucket policy that denies them. Option D is wrong because if the bucket required server-side encryption and the request lacked encryption headers, the error would be 'AccessDenied' but with a specific message about encryption requirements (e.g., 'The bucket policy requires encryption headers'), not a generic AccessDenied for s3:PutObject.

400
Multi-Selecthard

Which THREE of the following are key components of an incident response plan specific to cloud environments? (Choose three.)

Select 3 answers
A.Establishing a process for preserving system snapshots and logs as evidence
B.Requiring involvement of the legal department for every incident
C.Defining procedures for contacting the cloud provider's support and security teams
D.Including a detailed data forensic analysis procedure for all incident types
E.Clarifying the shared responsibility model for incident handling
AnswersA, C, E

Key to evidence preservation.

Why this answer

Options B, D, and E are correct. B: Contacting the cloud provider is essential for assistance and evidence preservation. D: Understanding the shared responsibility model clarifies who does what.

E: Documenting system baseline configurations helps identify changes. Option A is wrong because data forensic analysis is part of response but not a plan component; more specifically, the plan should include procedures, not just analysis. Option C is wrong because primarily the incident response team handles, but legal involvement is case-specific, not necessarily all incidents.

401
MCQeasy

A cloud administrator is designing a backup strategy for a critical database. Which of the following is the BEST approach to ensure data recoverability in case of a regional outage?

A.Regularly copy backups to a different geographic region.
B.Use tape backups stored in a physical safe in the same building.
C.Perform only daily backups without replication.
D.Store backups in a different availability zone within the same region.
AnswerA

Cross-region replication ensures data survives a regional outage.

Why this answer

Option A is correct because replicating backups to a different geographic region ensures data recoverability even if the entire primary region experiences a catastrophic outage. This approach leverages cross-region replication, which provides independent fault domains and meets the recovery point objective (RPO) and recovery time objective (RTO) requirements for regional disaster scenarios. Cloud providers like AWS, Azure, and GCP offer services such as S3 Cross-Region Replication (CRR) or Azure Geo-Redundant Storage (GRS) to automate this process.

Exam trap

ISC2 often tests the distinction between 'availability zone' and 'region' redundancy, where candidates mistakenly believe that multiple AZs within a single region provide sufficient protection against a regional outage, but they do not—only cross-region replication ensures survivability from a full regional failure.

How to eliminate wrong answers

Option B is wrong because tape backups stored in a physical safe in the same building are vulnerable to the same regional disaster (e.g., earthquake, flood, power grid failure) and do not provide off-site protection; they also introduce latency and manual handling risks. Option C is wrong because performing only daily backups without replication creates a single point of failure; if the primary region fails, the backup data is lost or inaccessible, violating the principle of geographic redundancy. Option D is wrong because storing backups in a different availability zone within the same region does not protect against a regional outage, as the entire region can fail simultaneously (e.g., due to a widespread natural disaster or service provider failure).

402
Multi-Selectmedium

Which TWO measures are effective for securing container images in a cloud environment?

Select 2 answers
A.Store images in a public registry without scanning
B.Sign images to ensure integrity
C.Use latest tags without version pinning
D.Run containers with root privileges
E.Scan images for vulnerabilities before deployment
AnswersB, E

Image signing verifies the image has not been tampered with.

Why this answer

Signing container images (e.g., using Docker Content Trust or Notary) ensures integrity and authenticity by cryptographically verifying that the image has not been tampered with since it was signed. This prevents man-in-the-middle attacks and the deployment of malicious images, which is a critical security measure in cloud environments where images are pulled from remote registries.

Exam trap

ISC2 often tests the misconception that 'latest tags are safe because they always point to the most recent version,' but the trap is that 'latest' is a mutable tag that can silently introduce breaking changes or vulnerabilities, whereas version pinning (e.g., using a specific digest or semantic version) ensures deterministic and auditable deployments.

403
MCQhard

A financial institution uses a multi-cloud strategy with AWS and Azure. They must comply with PCI DSS. The security team found that a developer accidentally stored a file with credit card numbers in an S3 bucket that is publicly readable. Which immediate action should be taken to contain the breach?

A.Delete the file immediately.
B.Enable default encryption on the bucket.
C.Remove the public read permission on the bucket.
D.Revoke the developer's IAM credentials.
AnswerC

This stops further exposure while preserving the file for forensic analysis.

Why this answer

Option C is correct because removing the public read permission on the S3 bucket immediately stops unauthorized access to the file containing credit card numbers, containing the breach in accordance with PCI DSS incident response requirements. This action does not destroy evidence (unlike deletion) and directly addresses the root cause—the bucket's misconfigured access control list (ACL) or bucket policy that allowed public read access. It is the fastest way to prevent further data exfiltration while preserving the file for forensic analysis.

Exam trap

ISC2 often tests the misconception that deleting the file or revoking credentials is the fastest containment step, but the trap here is that the root cause is the public permission, not the file's existence or the developer's identity—removing public access stops all anonymous access instantly, which is the correct containment action per incident response best practices.

How to eliminate wrong answers

Option A is wrong because deleting the file destroys potential forensic evidence needed for incident investigation and compliance reporting under PCI DSS Requirement 10 (track and monitor access to cardholder data), and the file may still be cached or accessible via bucket versioning or replication. Option B is wrong because enabling default encryption does not affect existing public read permissions; it only encrypts new objects at rest, leaving the already-exposed file still publicly readable. Option D is wrong because revoking the developer's IAM credentials does not remove the public read permission on the bucket; the file remains accessible to anyone on the internet, so the breach continues.

404
MCQmedium

A company is migrating a legacy monolithic application to a cloud-native microservices architecture. The security architect is concerned about securing inter-service communication. Which of the following should be implemented to ensure mutual authentication and encryption between services?

A.Deploy a service mesh with mutual TLS (mTLS) for all inter-service communication.
B.Use shared API keys embedded in each service's configuration.
C.Implement TLS termination at the load balancer with internal certificates.
D.Place all services in the same Virtual Private Cloud (VPC) and restrict ingress with security groups.
AnswerA

A service mesh like Istio automates mTLS, providing strong encryption and mutual authentication.

Why this answer

A service mesh with mutual TLS (mTLS) provides both encryption and mutual authentication for inter-service communication, ensuring that each service verifies the identity of the other before exchanging data. This is the recommended approach for cloud-native microservices because it offloads security concerns from application code and uses X.509 certificates to establish trust, aligning with zero-trust principles.

Exam trap

ISC2 often tests the misconception that network segmentation (VPC/security groups) alone is sufficient for securing inter-service communication, but the CCSP emphasizes that encryption and mutual authentication are required for data-in-transit security in a zero-trust model.

How to eliminate wrong answers

Option B is wrong because shared API keys embedded in configuration do not provide mutual authentication (only one-way authentication) and are vulnerable to leakage, rotation issues, and replay attacks. Option C is wrong because TLS termination at the load balancer means traffic between services is decrypted and re-encrypted, leaving internal traffic potentially unencrypted and without mutual authentication between services themselves. Option D is wrong because placing services in the same VPC with security groups restricts network access but does not provide encryption or mutual authentication for inter-service communication; it relies on network perimeter controls rather than cryptographic identity.

405
MCQhard

A security auditor is reviewing a cloud application's data encryption strategy. The application stores sensitive data in a cloud database. Which configuration would best ensure data confidentiality in the event of a database dump?

A.Tokenization of sensitive fields with a separate token vault
B.Entire database encryption at rest using cloud provider managed keys
C.Column-level encryption using application-managed keys
D.Transport layer security for all connections
AnswerC

Column-level encryption protects sensitive data at the database level.

Why this answer

Option C is correct because column-level encryption with application-managed keys ensures that even if the entire database is dumped, the sensitive columns remain encrypted and unreadable without the keys held by the application. This approach decouples key management from the cloud provider, preventing the provider from accessing the plaintext data and maintaining confidentiality during a breach or dump.

Exam trap

ISC2 often tests the distinction between encryption at rest and column-level encryption, trapping candidates who assume that full database encryption (Option B) protects against all data exposure scenarios, when in fact it does not protect data during a dump because the database engine decrypts it automatically.

How to eliminate wrong answers

Option A is wrong because tokenization replaces sensitive data with tokens, but if the token vault is compromised or the database dump includes the token mapping, confidentiality can be broken; it does not encrypt the data itself. Option B is wrong because encryption at rest using cloud provider managed keys protects data while stored on disk, but during a database dump (which extracts data in transit or in memory), the data is decrypted by the database engine and exposed in plaintext; the provider also has access to the keys. Option D is wrong because transport layer security (TLS) only protects data in transit between client and server, not data at rest or during a database dump, which occurs after the data has been stored.

406
Multi-Selectmedium

A company is designing a data at rest encryption strategy for their cloud environment. Which TWO of the following are valid approaches? (Choose two.)

Select 2 answers
A.Server-side encryption with customer-provided keys (SSE-C)
B.Hashing data before storage
C.Client-side encryption
D.Tokenization of sensitive fields
E.Server-side encryption with cloud-managed keys (SSE-S3)
AnswersA, C

Customer provides the encryption key, which the cloud uses temporarily.

Why this answer

Server-side encryption with customer-provided keys (SSE-C) is a valid data-at-rest encryption approach because the customer retains control over the encryption keys while the cloud provider performs the encryption/decryption operations. This allows the customer to manage key lifecycle and compliance requirements without exposing plaintext keys to the provider. Client-side encryption is also valid because data is encrypted before being sent to the cloud, ensuring the provider never has access to plaintext data or encryption keys.

Exam trap

ISC2 often tests the distinction between encryption and other data protection methods like hashing or tokenization, and the trap here is that candidates may confuse hashing or tokenization with encryption, or incorrectly assume that server-side encryption with cloud-managed keys is not a valid approach when it actually is, but the question requires selecting exactly two correct answers from the list.

407
MCQhard

A customer discovers the provider added a new sub-processor without notification. Which compliance risk is most directly exposed?

A.Increase in costs due to sub-processor fees
B.Sub-processor might have weaker security controls
C.Service performance degradation due to sub-processor
D.Violation of customer's audit rights under GDPR
AnswerD

Lack of notification prevents customer from objecting, violating contractual and GDPR sub-processor requirements.

Why this answer

The clause requires notification and opportunity to object. Failure to notify breaches the contract and exposes the customer to GDPR non-compliance (sub-processor requirements). Performance impact is secondary.

Encryption and cost change are not the direct risk.

408
MCQmedium

A company identifies a high-risk vulnerability in a cloud application. The cost to remediate is significantly higher than the potential loss from exploitation. Which risk treatment strategy is most appropriate?

A.Acceptance
B.Avoidance
C.Transfer
D.Mitigation
AnswerA

Correct. Risk acceptance is justified when cost of treatment exceeds potential loss.

Why this answer

When the cost to remediate a vulnerability exceeds the potential loss from exploitation, the most appropriate risk treatment strategy is acceptance. This means the organization formally acknowledges the risk and chooses to tolerate it without implementing additional controls, often documented in a risk register. In cloud environments, this is common for low-impact, high-cost vulnerabilities where the business decides the residual risk is within its risk appetite.

Exam trap

ISC2 often tests the distinction between risk acceptance and risk mitigation, where candidates mistakenly choose mitigation because they assume all vulnerabilities must be fixed, ignoring the cost-benefit analysis that justifies acceptance.

How to eliminate wrong answers

Option B (Avoidance) is wrong because avoidance involves eliminating the risk entirely, such as discontinuing the vulnerable cloud service or feature, which would be disproportionate and unnecessary when the potential loss is lower than remediation cost. Option C (Transfer) is wrong because transfer shifts the risk to a third party, typically through cyber insurance or outsourcing, but does not reduce the cost of remediation and may not be feasible for a specific application vulnerability. Option D (Mitigation) is wrong because mitigation involves implementing controls to reduce the risk to an acceptable level, which contradicts the premise that remediation cost is higher than the potential loss; mitigation would still incur that high cost.

409
MCQmedium

A cloud security team is implementing a Web Application Firewall (WAF) for a public-facing web application. The application uses a REST API with JSON payloads. Which of the following is the WAF's primary benefit?

A.Scanning for data loss prevention (DLP) violations
B.Preventing network-layer DDoS attacks
C.Encrypting data in transit between client and server
D.Inspecting HTTP traffic for malicious payloads
AnswerD

WAFs filter application-layer attacks.

Why this answer

A WAF operates at Layer 7 (application layer) and is specifically designed to inspect HTTP/HTTPS traffic for malicious payloads such as SQL injection, cross-site scripting (XSS), and JSON-based attacks. For a REST API using JSON, the WAF can parse and validate the JSON structure, blocking malformed or malicious payloads before they reach the application server. This is the primary benefit because it directly protects the application logic from web-based exploits.

Exam trap

ISC2 often tests the distinction between Layer 7 (application) and Layer 3/4 (network) security controls, so candidates mistakenly choose network-layer DDoS protection (Option B) because they confuse WAF with a general-purpose firewall.

How to eliminate wrong answers

Option A is wrong because DLP scanning is a function of data loss prevention tools, not a WAF; a WAF does not inspect data for policy violations like credit card numbers or PII. Option B is wrong because preventing network-layer DDoS attacks (e.g., SYN floods) is the role of a network firewall or DDoS mitigation appliance, not a WAF which focuses on application-layer attacks. Option C is wrong because encrypting data in transit is the job of TLS/SSL (e.g., HTTPS), not a WAF; a WAF inspects decrypted traffic after TLS termination or uses a reverse proxy model, but it does not perform encryption itself.

410
Matchingmedium

Match each data state to its encryption requirement in cloud environments.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Encryption using AES-256

TLS 1.2+ encryption

Homomorphic or confidential computing

Encryption with separate key management

Why these pairings

Different data states require specific encryption mechanisms; data in use is challenging and requires advanced techniques.

411
MCQeasy

A development team is migrating a legacy application to the cloud. Which security testing approach should be adopted early in the CI/CD pipeline to catch vulnerabilities as code is written?

A.Dynamic application security testing (DAST)
B.Penetration testing
C.Runtime application self-protection (RASP)
D.Static application security testing (SAST)
AnswerD

SAST scans source code early in the pipeline.

Why this answer

Static application security testing (SAST) analyzes source code, bytecode, or binary code without executing the application, making it ideal for integration early in the CI/CD pipeline to catch vulnerabilities like SQL injection, buffer overflows, and XSS as code is written. This 'white-box' approach provides immediate feedback to developers, aligning with the shift-left security principle for cloud-native development.

Exam trap

ISC2 often tests the distinction between SAST (white-box, early pipeline) and DAST (black-box, post-deployment), and candidates mistakenly choose DAST because they think 'dynamic' implies early testing, but DAST requires a running application.

How to eliminate wrong answers

Option A is wrong because DAST tests the running application from the outside (black-box), which requires a deployed environment and cannot catch vulnerabilities at the code-writing stage. Option B is wrong because penetration testing is a manual or automated simulated attack on a live system, performed later in the SDLC, not during development. Option C is wrong because RASP is a runtime protection technology embedded in the application runtime environment that monitors and blocks attacks in production, not a testing tool for the CI/CD pipeline.

412
MCQmedium

The exhibit shows a bucket policy that grants public read access. What is the most effective way to remove this public access?

A.Add an access control list (ACL) that denies public access.
B.Change the bucket policy to deny all access.
C.Enable S3 Block Public Access settings at the bucket or account level.
D.Enable bucket versioning and delete the public objects.
AnswerC

Block Public Access settings explicitly deny public access, overriding any bucket policies.

Why this answer

Option C is correct because S3 Block Public Access settings provide a definitive, override-capable mechanism to prevent any public access to an S3 bucket, regardless of other policies or ACLs. These settings can be applied at the bucket or account level and will block all public access even if a bucket policy explicitly grants it, making them the most effective and secure method to remove public access.

Exam trap

ISC2 often tests the misconception that modifying the bucket policy or ACLs is sufficient to remove public access, but the trap is that these can be overridden or misconfigured, whereas S3 Block Public Access settings provide a guaranteed, centralized control that cannot be bypassed by other permissions.

How to eliminate wrong answers

Option A is wrong because ACLs are legacy and cannot deny access; they only grant permissions, and adding a deny ACL is not a valid operation. Option B is wrong because changing the bucket policy to deny all access would conflict with the existing grant and could lead to ambiguous evaluation results; S3 evaluates policies with an explicit deny override, but the most effective approach is to use Block Public Access settings which are designed for this purpose. Option D is wrong because enabling versioning and deleting public objects does not remove the bucket policy that grants public read access; the policy would still allow access to any remaining or future objects.

413
MCQmedium

Refer to the exhibit. A developer reports that users are being denied access to a cloud application. The error log shows the above. What is the most likely cause of the denial?

A.The token was issued by an untrusted issuer
B.The token lacks required permissions
C.The token's expiration time has passed
D.The token's signature is invalid
AnswerC

The log explicitly states 'Token expired at 2024-11-20T10:30:00Z', indicating expiration.

Why this answer

The error log indicates that the token's expiration time has passed, which is a standard validation check in OAuth 2.0 and OpenID Connect (OIDC) flows. When a token's `exp` claim is less than the current server time, the authorization server or resource server rejects the request with an 'access denied' or similar error. This is the most direct cause of the denial shown in the exhibit.

Exam trap

ISC2 often tests the distinction between token validation steps (signature, issuer, expiration, permissions) and the specific error messages each step produces, so candidates must match the error log text to the correct validation failure rather than assuming a generic 'access denied' reason.

How to eliminate wrong answers

Option A is wrong because an untrusted issuer would trigger an 'invalid issuer' or 'untrusted issuer' error, not a token expiration error; the issuer is validated via the `iss` claim against a pre-configured trusted issuer list. Option B is wrong because missing permissions would result in a '403 Forbidden' or 'insufficient_scope' error, not a token expiration error; permissions are checked after token validity. Option D is wrong because an invalid signature would cause a 'signature verification failed' or 'invalid token' error, not a token expiration error; signature validation occurs before expiration checks.

414
MCQeasy

A US-based company uses a cloud provider with data centers in the US and Europe. To transfer personal data of EU citizens to the US, which mechanism is most appropriate under GDPR?

A.Explicit consent
B.Standard Contractual Clauses (SCCs)
C.Binding Corporate Rules (BCRs)
D.Adequacy decision
AnswerB

Correct. SCCs are a recognized transfer mechanism for data transfers to third countries.

Why this answer

Standard Contractual Clauses (SCCs) are the most appropriate mechanism because they provide a legally recognized data transfer tool under GDPR Article 46 for transferring personal data from the EU to a third country (the US) without an adequacy decision. SCCs are pre-approved contractual terms that both the data exporter (EU-based) and data importer (US-based) must sign, ensuring adequate safeguards for the data subjects' rights. This mechanism is specifically designed for scenarios where the cloud provider's data centers span jurisdictions without a current adequacy finding, as is the case with the US post-Schrems II.

Exam trap

ISC2 often tests the misconception that an adequacy decision is the default or most straightforward option for US transfers, but the trap is that the US currently lacks an adequacy decision, making SCCs the primary lawful mechanism for such cross-border data flows.

How to eliminate wrong answers

Option A is wrong because explicit consent under GDPR Article 49 is a derogation for specific, occasional transfers and cannot be used as a general or repetitive mechanism for ongoing data flows to a US cloud provider; it also requires a high burden of proof and can be withdrawn at any time. Option C is wrong because Binding Corporate Rules (BCRs) are designed for intra-group transfers within a multinational enterprise, not for transfers between a US-based company and an external cloud provider that is not part of the same corporate group. Option D is wrong because there is currently no adequacy decision in effect for the US under GDPR (the Privacy Shield was invalidated in 2020), so this mechanism is not available for general transfers to the US.

415
MCQmedium

An IAM policy named S3ReadOnlyAccess has DefaultVersionId v3. What does this indicate?

A.The policy is newly created.
B.The policy is currently using version v3 as the default.
C.The policy has three custom versions.
D.The policy cannot be attached to any entity.
AnswerB

DefaultVersionId indicates the active version.

Why this answer

The DefaultVersionId of an IAM policy indicates which version is currently active and enforced when the policy is attached to an IAM user, group, or role. Since the policy is named S3ReadOnlyAccess and has DefaultVersionId v3, version v3 is the default and is being used for access control decisions. This is the standard behavior for IAM policies in AWS, where you can have multiple versions but only one is designated as the default.

Exam trap

ISC2 often tests the misconception that DefaultVersionId indicates the total number of versions or that a policy with a non-v1 default is somehow broken or unattachable, when in fact it simply shows which version is active.

How to eliminate wrong answers

Option A is wrong because a newly created policy would have DefaultVersionId v1, not v3, as the first version is always v1. Option C is wrong because DefaultVersionId v3 does not imply there are exactly three custom versions; there could be more versions (e.g., v1, v2, v3, v4) and only v3 is set as default, or some versions may be non-default. Option D is wrong because a policy with a default version can be attached to any entity; the DefaultVersionId simply indicates which version is active, and the policy remains attachable unless explicitly restricted.

416
MCQmedium

A financial services company uses a cloud-based logging service for audit trails. A regulatory investigation is initiated, and the company is required to preserve all logs from the past 18 months. The cloud provider's default retention policy is 12 months, and logs older than that are automatically deleted. The company did not configure custom retention. What is the most appropriate action to ensure compliance?

A.Accept the data loss and explain to regulators that the provider has a limited retention policy.
B.Export all available logs and store them locally immediately.
C.Request that the provider place a legal hold on all logs and verify implementation.
D.Rely on the provider's backup policy, which may retain data for up to 24 months.
AnswerC

A legal hold overrides retention policies and ensures preservation; verification confirms compliance.

Why this answer

Option C is correct because a legal hold (or litigation hold) is a cloud provider feature that overrides the default retention policy to preserve data indefinitely or for a specified period, preventing automated deletion. This ensures compliance with regulatory requirements without relying on manual exports or backups, and the company must verify implementation through provider tools or APIs to confirm the hold is active.

Exam trap

ISC2 often tests the misconception that exporting logs locally is sufficient for compliance, but the trap is that this fails to preserve logs already deleted and does not meet the requirement for ongoing preservation, whereas a legal hold is the designed mechanism for regulatory holds.

How to eliminate wrong answers

Option A is wrong because accepting data loss and explaining to regulators is not a valid compliance action; regulations typically require preservation, and ignorance of retention limits is not an acceptable excuse. Option B is wrong because exporting all available logs immediately would only capture logs up to the current point, missing logs already deleted beyond 12 months, and does not address ongoing preservation for future regulatory needs. Option D is wrong because relying on the provider's backup policy is speculative and not guaranteed; backups may have shorter retention or be subject to the same deletion policies, and they are not designed for legal compliance holds.

417
MCQmedium

An organization uses a cloud storage service to share files with external partners. They want to ensure that the files are automatically deleted after 30 days. Which data lifecycle control should be implemented?

A.Object lock
B.Lifecycle policy
C.Versioning
D.Access control list
AnswerB

Lifecycle policies automate expiration and deletion.

Why this answer

A lifecycle policy is the correct data lifecycle control because it allows administrators to define rules that automatically expire and delete objects after a specified period, such as 30 days. This is a native feature of cloud storage services like Amazon S3, Azure Blob Storage, and Google Cloud Storage, enabling automated data retention and deletion without manual intervention.

Exam trap

ISC2 often tests the distinction between data protection controls (Object Lock, Versioning) and data lifecycle controls (Lifecycle Policy), leading candidates to confuse retention with deletion.

How to eliminate wrong answers

Option A is wrong because Object Lock is designed to prevent objects from being deleted or overwritten for a fixed retention period or indefinitely (legal hold), which is the opposite of automatic deletion. Option C is wrong because Versioning preserves multiple versions of an object, allowing recovery of deleted or overwritten versions, but does not automatically delete data after a time period. Option D is wrong because Access Control Lists (ACLs) manage permissions for who can read or write objects, not the lifecycle or scheduled deletion of data.

418
MCQeasy

A company is moving its customer database to a public cloud provider. The database contains personally identifiable information (PII) of European Union citizens. Which legal framework imposes requirements on the cloud customer regarding data protection and privacy in this scenario?

A.Sarbanes-Oxley Act (SOX)
B.General Data Protection Regulation (GDPR)
C.Health Insurance Portability and Accountability Act (HIPAA)
D.Payment Card Industry Data Security Standard (PCI DSS)
AnswerB

GDPR governs processing of personal data of EU individuals.

Why this answer

The General Data Protection Regulation (GDPR) is the correct legal framework because it specifically governs the processing of personally identifiable information (PII) of European Union citizens, regardless of where the data is stored or processed. As the cloud customer is moving a customer database containing EU PII to a public cloud provider, GDPR imposes strict requirements on the data controller (the customer) for data protection, consent, breach notification, and cross-border data transfer safeguards.

Exam trap

ISC2 often tests the misconception that any data privacy law applies globally, but the trap here is that candidates may choose HIPAA or PCI DSS because they are familiar with data protection, failing to recognize that GDPR is the only framework specifically designed for EU citizen PII regardless of industry.

How to eliminate wrong answers

Option A is wrong because the Sarbanes-Oxley Act (SOX) applies to financial reporting and internal controls for publicly traded companies in the U.S., not to general PII of EU citizens. Option C is wrong because the Health Insurance Portability and Accountability Act (HIPAA) applies only to protected health information (PHI) held by covered entities in the U.S., not to a general customer database containing EU PII. Option D is wrong because the Payment Card Industry Data Security Standard (PCI DSS) applies to cardholder data and payment card transactions, not to general PII or EU citizen data.

419
MCQmedium

A company's cloud infrastructure is subject to GDPR. The DPO requires that all customer personal data be encrypted at rest and in transit. The cloud provider offers SSE-S3 for object storage and enforces TLS 1.2 for API calls. Which additional control should the company implement to meet GDPR accountability requirements?

A.Implement client-side encryption with a key management service.
B.Enable detailed logging of all access to encrypted data.
C.Automatically delete backups older than 30 days.
D.Apply data masking to all personal data fields before storage.
AnswerB

Logging provides an audit trail to demonstrate compliance with GDPR accountability.

Why this answer

While SSE-S3 and TLS 1.2 address encryption at rest and in transit, GDPR accountability requires the company to demonstrate compliance through audit trails. Enabling detailed logging of all access to encrypted data (Option B) provides the necessary records to prove who accessed personal data, when, and from where, fulfilling the 'demonstrate compliance' principle under Article 5(2) and Article 30 of the GDPR.

Exam trap

The trap here is that candidates confuse encryption controls (Options A and D) or data lifecycle policies (Option C) with accountability, which is a governance and audit requirement, not a technical data protection measure.

How to eliminate wrong answers

Option A is wrong because client-side encryption with a KMS is an additional encryption measure, but encryption is already satisfied by SSE-S3 and TLS 1.2; the gap is accountability, not encryption strength. Option C is wrong because automatically deleting backups older than 30 days is a data retention policy that may violate GDPR's storage limitation principle if not justified, and it does not address the accountability requirement for access logging. Option D is wrong because data masking before storage is a data minimization technique, but it does not create an audit trail; the DPO's requirement is specifically about accountability, not about reducing the sensitivity of stored data.

420
Multi-Selecthard

Which THREE of the following are essential steps in a cloud data discovery process?

Select 3 answers
A.Map data flows between systems
B.Encrypt all discovered data
C.Classify data based on sensitivity
D.Identify where sensitive data resides
E.Create backup copies of data
AnswersA, C, D

Understanding data movement is critical.

Why this answer

Option A is correct because mapping data flows between systems is a foundational step in cloud data discovery. It enables organizations to understand how data moves across cloud services, APIs, and storage tiers, which is critical for identifying where sensitive data may be transmitted or stored. Without this mapping, discovery efforts may miss data in transit or in transient storage, leading to incomplete visibility.

Exam trap

ISC2 often tests the distinction between discovery steps and subsequent security controls, so the trap here is that candidates mistakenly treat encryption or backup as part of the discovery process when they are actually post-discovery remediation or protection actions.

421
MCQhard

A financial services firm is designing a cloud environment that must comply with PCI DSS. The security architect proposes using a virtual private cloud (VPC) with subnets, security groups, and network ACLs. However, the compliance officer is concerned about the risk of data exposure due to misconfiguration. Which additional control would BEST address this concern?

A.Use a Web Application Firewall (WAF)
B.Implement a Security Information and Event Management (SIEM) system
C.Integrate Cloud Security Posture Management (CSPM)
D.Deploy Data Loss Prevention (DLP) tools
AnswerC

CSPM automates monitoring and remediation of misconfigurations.

Why this answer

CSPM tools continuously monitor cloud infrastructure configurations against compliance frameworks like PCI DSS, automatically detecting misconfigurations such as overly permissive security group rules or network ACLs that could expose cardholder data. This directly addresses the compliance officer's concern about data exposure due to misconfiguration by providing real-time visibility and remediation guidance, which is more proactive than the other options.

Exam trap

The trap here is that candidates often confuse CSPM with SIEM or DLP, thinking log analysis or data monitoring can catch configuration errors, but CSPM is the only tool specifically designed to audit and enforce cloud infrastructure configurations against compliance standards like PCI DSS.

How to eliminate wrong answers

Option A is wrong because a Web Application Firewall (WAF) protects against application-layer attacks (e.g., SQL injection, XSS) but does not detect or prevent misconfigurations in VPC subnets, security groups, or network ACLs. Option B is wrong because a Security Information and Event Management (SIEM) system aggregates and analyzes logs for threat detection and incident response, but it does not proactively scan cloud infrastructure for compliance misconfigurations or enforce security baselines. Option D is wrong because Data Loss Prevention (DLP) tools monitor and block sensitive data in transit or at rest, but they do not assess the underlying network or access control configurations that could lead to exposure.

422
Multi-Selecthard

Which THREE of the following are essential steps in the incident response process for a cloud security incident?

Select 3 answers
A.Perform a full forensic analysis of all systems before containment.
B.Contain the incident to prevent further damage.
C.Reward the team that discovered the incident to encourage reporting.
D.Eradicate the root cause of the incident.
E.Identify and classify the incident based on severity and impact.
AnswersB, D, E

Containment is critical to limit scope.

Why this answer

Correct answers are A, B, and D. Identification (A), containment (B), and eradication (D) are key phases. Option C is wrong because rewarding staff is not part of incident response.

Option E is wrong because forensics typically occurs after containment, but is not an essential step in the core process (it is part of analysis).

423
MCQhard

A healthcare company uses a cloud-based patient management system. The cloud provider experiences a security incident that may have exposed protected health information (PHI). The provider notifies the company within 72 hours, as required by the service agreement. The company's internal breach response policy requires a legal review of the incident before notifying affected individuals. The legal review typically takes 48 hours. However, the company is required to notify patients within 60 days under HIPAA. With the 72-hour notification from the provider, the company has 60 days to notify patients. What is the most effective approach to meet the 60-day notification requirement while ensuring compliance with internal policy?

A.Notify patients immediately and then perform the legal review.
B.Wait for the legal review to complete before notifying patients.
C.Notify patients immediately based on the provider's notification.
D.Begin the legal review immediately and prepare patient notification in parallel.
AnswerD

Parallel processing allows timely notification while ensuring legal input is incorporated.

Why this answer

Option D is correct because it allows the company to satisfy both the HIPAA 60-day notification requirement and its internal legal review policy by running the legal review and patient notification preparation concurrently. This parallel approach minimizes delay while ensuring that the notification content is legally vetted before release, which is critical for PHI incidents under HIPAA's Breach Notification Rule (45 CFR § 164.404).

Exam trap

ISC2 often tests the misconception that you must choose between compliance and internal policy, when in fact parallel processing of legal review and notification preparation is the correct approach to meet both requirements without violating the 60-day HIPAA deadline.

How to eliminate wrong answers

Option A is wrong because notifying patients immediately without legal review could expose the company to legal liability if the notification contains inaccurate or incomplete information, and it violates the internal policy requiring a legal review first. Option B is wrong because waiting for the legal review to complete before starting notification preparation could consume the entire 60-day window, risking non-compliance with HIPAA's 60-day deadline if the review takes longer than expected. Option C is wrong because notifying patients immediately based solely on the provider's notification bypasses the required legal review and may lead to premature disclosure of unverified PHI details, which could increase legal risk.

424
MCQmedium

A company is migrating to the cloud and must comply with the Health Insurance Portability and Accountability Act (HIPAA). They plan to store electronic protected health information (ePHI) in a cloud database. Which of the following is a mandatory requirement for the cloud service agreement?

A.The CSP must store data in a specific geographic location.
B.The CSP must perform quarterly penetration tests.
C.The CSP must encrypt all data at rest using AES-256.
D.The CSP must sign a Business Associate Agreement (BAA).
AnswerD

A BAA is required to ensure the CSP safeguards ePHI.

Why this answer

Under HIPAA, a covered entity or business associate must have a written Business Associate Agreement (BAA) with any cloud service provider (CSP) that creates, receives, maintains, or transmits electronic protected health information (ePHI) on their behalf. The BAA is a mandatory contractual requirement that establishes the CSP's permitted uses and disclosures of ePHI, as well as its obligations to safeguard the data. Without a signed BAA, the CSP cannot lawfully handle ePHI, making this the only option that is a direct regulatory mandate under HIPAA.

Exam trap

ISC2 often tests the distinction between mandatory (required) and addressable (optional but must be documented if not implemented) specifications under HIPAA, leading candidates to incorrectly select encryption or testing frequency as mandatory requirements.

How to eliminate wrong answers

Option A is wrong because HIPAA does not mandate a specific geographic storage location; data residency requirements may arise from other regulations or organizational policy, but they are not a HIPAA requirement. Option B is wrong because HIPAA does not prescribe a specific frequency for penetration tests; the Security Rule requires periodic assessments of security measures, but quarterly testing is not a mandatory requirement. Option C is wrong because while encryption of ePHI at rest is an addressable implementation specification under the HIPAA Security Rule, AES-256 is not explicitly mandated; the rule allows for equivalent alternatives that meet the standard of protecting data.

425
MCQmedium

A global e-commerce platform uses AWS API Gateway to expose REST APIs to third-party developers. The security team notices that a malicious user is repeatedly sending large payloads to a /submit endpoint, causing high CPU usage on backend Lambda functions. The API uses a simple API key for authentication. Which combination of controls should be implemented to mitigate this attack while preserving legitimate access?

A.Configure API Gateway throttling and request body size validation
B.Subscribe to AWS Shield Advanced for DDoS protection
C.Change authentication to IAM roles with temporary credentials
D.Enable AWS WAF with a rate-based rule and block IP addresses
AnswerA

Throttling limits request rate, and size validation rejects large payloads before reaching Lambda.

Why this answer

Option A is correct because it directly addresses the two attack vectors: large payloads causing CPU exhaustion and excessive request volume. API Gateway request body size validation (up to 10 MB by default, configurable) rejects oversized payloads before they reach the backend Lambda, while throttling (e.g., 10,000 requests per second with a burst limit) prevents a single user from overwhelming the system. Together, these controls preserve legitimate access by only limiting anomalous traffic, not blocking all users.

Exam trap

ISC2 often tests the distinction between network-layer DDoS protection (Shield Advanced) and application-layer controls (throttling, WAF, payload validation), leading candidates to choose Shield Advanced when the attack is clearly at the application layer.

How to eliminate wrong answers

Option B is wrong because AWS Shield Advanced provides protection against volumetric DDoS attacks (e.g., SYN floods, UDP amplification), but it does not filter application-layer attacks like oversized payloads or high-volume requests to a specific endpoint; it also incurs significant cost and is overkill for this scenario. Option C is wrong because switching to IAM roles with temporary credentials (e.g., using AWS Signature Version 4) improves authentication security but does not mitigate the attack—the malicious user could still send large payloads and high request volumes after obtaining valid credentials. Option D is wrong because AWS WAF with a rate-based rule can block IP addresses that exceed a request threshold, but this is a reactive measure that may block legitimate users sharing the same IP (e.g., via NAT) and does not prevent the CPU impact from large payloads; it also requires additional configuration and cost.

426
Matchingmedium

Match each virtualization security concept to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Software that manages virtual machines

Attack breaking out of VM isolation

Virtual machine introspection for monitoring

Moving a running VM between hosts

Why these pairings

Virtualization is foundational to cloud; security concerns include isolation and hypervisor integrity.

427
MCQhard

A company uses a serverless architecture with AWS Lambda to process user-uploaded files. The Lambda function is triggered by an S3 bucket event. While reviewing security, the architect wants to ensure that the Lambda function cannot be invoked by unauthorized S3 buckets or accounts. What is the most secure configuration?

A.Use a condition in the policy that checks the source IP address.
B.Place the Lambda function inside a VPC with a VPC endpoint for S3.
C.Configure the Lambda function's resource-based policy to grant permission only to the specific S3 bucket ARN and its owner account.
D.Attach a resource-based policy that allows any S3 bucket to invoke the function.
AnswerC

Restricts invocation to a known source.

Why this answer

Option C is correct because the most secure way to restrict Lambda invocation to a specific S3 bucket is to use a resource-based policy that explicitly grants the `lambda:InvokeFunction` permission only to the trusted bucket's ARN and the owning AWS account. This ensures that even if another S3 bucket or account attempts to trigger the function, the invocation is denied by the Lambda permission model, which evaluates both the resource-based policy and the caller's identity.

Exam trap

The trap here is that candidates often confuse network-level controls (like VPC placement or IP filtering) with identity-based access controls, failing to realize that S3 event notifications invoke Lambda through AWS's internal service-to-service channel, which bypasses network restrictions and requires explicit resource-based policy conditions.

How to eliminate wrong answers

Option A is wrong because checking the source IP address is ineffective for S3 event notifications, as S3 invokes Lambda via AWS internal services, not from a fixed public IP; the source IP can vary and is not a reliable control for cross-account or cross-bucket invocation. Option B is wrong because placing the Lambda function inside a VPC with a VPC endpoint for S3 controls network traffic but does not restrict which S3 buckets or accounts can invoke the function; invocation permissions are governed by IAM and resource-based policies, not network placement. Option D is wrong because allowing any S3 bucket to invoke the function violates the principle of least privilege and would permit unauthorized buckets or accounts to trigger the Lambda, leading to potential data exfiltration or abuse.

428
MCQeasy

A cloud application is being designed to handle highly sensitive financial data. The security architect wants to ensure that encryption keys are managed outside the application's memory space. Which service model should they use?

A.Cloud Hardware Security Module (CloudHSM)
B.Key Management Service (KMS)
C.Trusted Platform Module (TPM)
D.Hardware Security Module (HSM)
AnswerD

HSM stores keys in tamper-resistant hardware, isolated from application memory.

Why this answer

Option D is correct because a Hardware Security Module (HSM) is a dedicated hardware appliance that manages encryption keys in a physically and logically isolated environment, entirely separate from the application's memory space. For highly sensitive financial data, an HSM provides FIPS 140-2 Level 3 or higher certification, ensuring keys never leave the device and are protected against memory-scraping attacks. This aligns with the requirement to keep key management outside the application's memory.

Exam trap

The trap here is that candidates confuse CloudHSM (a specific vendor service) with the generic HSM model, or they assume KMS provides the same hardware-level isolation, when in fact KMS often relies on software-based key management that may not guarantee keys are kept outside application memory.

How to eliminate wrong answers

Option A is wrong because CloudHSM is a cloud-based HSM service that still operates as a dedicated hardware appliance, but the question asks for the service model itself, not a specific cloud vendor implementation; the generic term 'HSM' is the correct model. Option B is wrong because Key Management Service (KMS) typically uses software-based key storage and may cache keys in memory, failing to guarantee that keys are managed entirely outside the application's memory space. Option C is wrong because Trusted Platform Module (TPM) is a hardware chip integrated into the motherboard for platform integrity and local key storage, but it is not designed for scalable, external key management for cloud applications and does not isolate keys from the application's memory in the same way a dedicated HSM does.

429
MCQmedium

A company is migrating its on-premises virtualized environment to the Azure cloud. The security team wants to ensure they can detect and respond to security incidents in the cloud. They plan to use Azure Security Center and Azure Sentinel. The on-premises environment uses a SIEM tool and logs from all servers are forwarded to it. In the cloud, they have provisioned virtual machines (VMs) running various workloads. The team needs to ensure that all security events from these VMs are captured and analyzed. Which of the following steps should they take FIRST to achieve comprehensive log collection?

A.Enable Azure Diagnostics extension and install the Log Analytics agent on all VMs to send logs to a Log Analytics workspace.
B.Set up a jump box VM with administrative tools and restrict access to it using just-in-time VM access.
C.Enable Azure Security Center's standard tier and rely on its built-in security events collection.
D.Configure network security group flow logs and send them to a storage account for analysis.
AnswerA

This collects OS-level events and allows Security Center and Sentinel to analyze them.

Why this answer

Option A is correct because enabling Azure Diagnostics and the Log Analytics agent on all VMs sends logs to Azure Monitor and Log Analytics workspace, which is the foundation for Sentinel and Security Center. Option B is wrong because enabling network security group flow logs is important for network data, but not for VM-level logs. Option C is wrong while the Security Center collects security events, it may not cover all custom logs; the agent is needed for full coverage.

Option D is wrong because configuring VDI for administrators does not address general VM logging.

430
Multi-Selectmedium

Which TWO of the following are key components of a cloud incident response plan that should be tested regularly?

Select 2 answers
A.Encryption key management procedures.
B.Automation playbooks for containment and eradication.
C.Communication channels for alerting stakeholders.
D.Backup and restore procedures.
E.Service level agreements (SLAs) with cloud provider.
AnswersB, C

Automation playbooks must be tested to ensure they execute correctly.

Why this answer

Automation playbooks for containment and eradication (B) are critical because they enable rapid, consistent response to incidents in cloud environments, where manual intervention can be too slow to prevent lateral movement or data exfiltration. Regular testing ensures these playbooks execute correctly against live cloud APIs (e.g., AWS Lambda, Azure Automation) and that they properly isolate compromised resources without disrupting legitimate workloads.

Exam trap

ISC2 often tests the distinction between incident response plan components and broader operational or contractual elements, so candidates mistakenly select backup/restore procedures (D) or SLAs (E) because they seem related to incident handling, but they are not core to the detection, containment, and eradication phases that require regular testing.

431
Multi-Selecteasy

A company is implementing a hybrid cloud architecture. Which two components are essential for establishing a secure connection between on-premises and cloud environments? (Choose two.)

Select 2 answers
A.Direct connect or dedicated interconnect
B.Identity and access management (IAM)
C.Cloud access security broker (CASB)
D.Web application firewall (WAF)
E.Virtual private network (VPN) gateway
AnswersA, E

Direct connect provides a dedicated private network connection for low latency and security.

Why this answer

A Direct Connect or dedicated interconnect provides a private, dedicated network connection from on-premises to the cloud provider, bypassing the public internet for lower latency and more consistent bandwidth. A VPN gateway establishes an encrypted tunnel over the public internet using protocols like IPsec (IKEv2) to secure data in transit. Together, these two components form the essential hybrid connectivity layer: the dedicated circuit for primary, high-throughput traffic and the VPN as a secure backup or for lower-cost, lower-bandwidth needs.

Exam trap

The trap here is that candidates often confuse security controls (IAM, CASB, WAF) with network connectivity components, mistakenly thinking that any security tool is essential for hybrid cloud connectivity, when in fact only dedicated circuits and VPN gateways provide the actual secure link between environments.

432
Multi-Selecthard

Which THREE are key considerations when designing a secure software development lifecycle (SSDLC) for cloud applications?

Select 3 answers
A.Static code analysis during development
B.Threat modeling at design phase
C.Security testing in production
D.Using a single cloud provider
E.Secure coding standards
AnswersA, B, E

Static analysis tools scan code for vulnerabilities without executing it, catching issues early.

Why this answer

Static code analysis (SAST) is a key SSDLC practice because it automatically scans source code for security vulnerabilities (e.g., SQL injection, buffer overflows) during the development phase, enabling early remediation before code is deployed. This aligns with the 'shift left' principle, reducing the cost and effort of fixing flaws later in the lifecycle.

Exam trap

ISC2 often tests the distinction between activities that are part of the secure development lifecycle (design, code, test) versus operational security tasks (production testing), and candidates mistakenly select 'Security testing in production' because they confuse it with runtime security monitoring or penetration testing.

433
MCQmedium

A security engineer is reviewing logs and finds repeated failed login attempts to a cloud database instance. The database is accessible only from a specific security group. What is the BEST immediate action to reduce the attack surface?

A.Enable multi-factor authentication for the database user accounts.
B.Review the security group inbound rules and restrict the source IP to only the required application servers.
C.Change the database port to a non-standard port.
D.Delete the database instance and restore from backup.
AnswerB

This limits who can attempt to connect, reducing the attack surface.

Why this answer

Option B is correct because the immediate priority is to restrict network-level access to the database. Since the database is only accessible from a specific security group, reviewing and tightening the inbound rules to allow traffic only from the required application servers' IP addresses directly reduces the attack surface by eliminating unnecessary exposure. This is a fundamental network segmentation principle in cloud security, as it prevents any unauthorized host within the security group from attempting authentication.

Exam trap

ISC2 often tests the distinction between network-layer controls (security groups) and application-layer controls (MFA, port obfuscation) to see if candidates prioritize reducing the attack surface at the lowest possible layer, where the impact is broadest and most immediate.

How to eliminate wrong answers

Option A is wrong because enabling multi-factor authentication (MFA) for database user accounts addresses authentication strength but does not reduce the attack surface from repeated failed login attempts; MFA would still allow attackers to attempt authentication from any IP within the security group, and the logs show the attempts are already reaching the database, meaning network access is the immediate vector. Option C is wrong because changing the database port to a non-standard port is a form of security through obscurity and does not prevent attackers from scanning for the new port or from continuing failed login attempts once the port is discovered; it does not address the root cause of unauthorized network access. Option D is wrong because deleting the database instance and restoring from backup is an overly drastic and disruptive action that does not address the underlying misconfiguration in the security group; it would cause unnecessary downtime and data loss without preventing the same attack from recurring after restoration.

434
Multi-Selectmedium

Which THREE of the following are key components of a data protection impact assessment (DPIA) under GDPR?

Select 3 answers
A.List of all data subjects' names
B.Copy of the encryption algorithm
C.Measures to address risks
D.Description of processing operations
E.Assessment of necessity and proportionality
AnswersC, D, E

Correct. The DPIA must describe measures to mitigate identified risks.

Why this answer

Option C is correct because Article 35 of the GDPR explicitly requires a DPIA to include 'measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.' This is a core component that demonstrates how the controller will mitigate identified privacy risks to an acceptable level.

Exam trap

ISC2 often tests the misconception that a DPIA is a technical audit checklist requiring detailed cryptographic or personal data inventories, when in fact it is a risk management document focused on necessity, proportionality, and risk mitigation measures.

435
Multi-Selectmedium

Which THREE of the following are common challenges in securing serverless applications?

Select 3 answers
A.Lack of control over the underlying kernel and OS
B.Insecure handling of event source inputs
C.Vulnerabilities in third-party libraries and dependencies
D.Increased attack surface due to many small functions
E.Difficulty in applying stateful firewall rules
AnswersB, C, D

Events from various sources may include malicious payloads.

Why this answer

Option B is correct because serverless functions rely on event-driven architectures where inputs from sources like HTTP requests, database changes, or message queues are processed directly. If these inputs are not properly validated and sanitized, attackers can inject malicious payloads (e.g., SQL injection, command injection) that execute within the function's runtime, leading to data breaches or unauthorized actions. This is a primary attack vector unique to serverless, as the function code directly consumes untrusted data without traditional perimeter defenses.

Exam trap

ISC2 often tests the misconception that serverless eliminates all infrastructure security concerns, leading candidates to overlook the critical need for input validation and dependency management, while incorrectly assuming that network controls like firewalls are still applicable.

436
Multi-Selecteasy

Which TWO of the following are valid methods for securing data at rest in a cloud storage service?

Select 2 answers
A.Disabling encryption to reduce latency.
B.Implementing client-side encryption before uploading data.
C.Using server-side encryption with customer-managed keys.
D.Setting the storage bucket to public read access.
E.Enabling access logging for the storage bucket.
AnswersB, C

Client-side encryption ensures data is encrypted before transmission.

Why this answer

Option B is correct because client-side encryption ensures data is encrypted before it leaves the client environment, so the cloud provider never has access to the plaintext. This is a valid method for securing data at rest in cloud storage, as the encrypted objects are stored in the service and can only be decrypted by the client holding the keys.

Exam trap

ISC2 often tests the distinction between encryption methods (client-side vs. server-side) and security controls (e.g., logging vs. encryption), so the trap here is that candidates may confuse access logging or public access settings with data-at-rest protection mechanisms.

437
MCQhard

During a cloud audit, the auditor finds that the CSP's data deletion process does not meet contractual requirements. The customer's data may still be recoverable after termination. What is the best next step for the customer?

A.Initiate a remediation plan with defined timelines
B.Immediately terminate the contract with the CSP
C.Report the CSP to the regulatory authority
D.Ignore the finding because it is a minor issue
AnswerA

Working with the CSP to correct the process is the appropriate first step.

Why this answer

Option D is correct because the customer should initiate a remediation plan with defined timelines to fix the process. Option A is wrong because terminating the contract may not solve the data issue immediately. Option B is wrong because reporting to the regulator may be premature.

Option C is wrong because ignoring is not acceptable.

438
MCQhard

An Azure application uses a key vault key for client-side encryption of data. The application also communicates with a cloud service over HTTPS. After deploying, the handshake failure occurs. Which of the following is the most likely cause?

A.The application is using the wrong key version
B.The key vault key is not accessible due to network restrictions
C.The client and server do not have a common TLS version or cipher suite
D.The key vault key is not enabled for encryption
AnswerC

Alert 40 indicates handshake failure due to version/cipher mismatch.

Why this answer

The handshake failure occurs at the transport layer (TLS/SSL), which is independent of client-side encryption using a key vault key. The most likely cause is a mismatch in TLS versions or cipher suites between the client and server, as HTTPS relies on a successful TLS handshake. Options A, B, and D relate to the key vault key's availability or configuration, which would not cause a TLS handshake failure.

Exam trap

The trap here is that candidates confuse client-side encryption (using a key vault key) with transport-layer security (TLS), assuming a key-related issue causes the handshake failure, when in fact the handshake is a separate protocol layer.

How to eliminate wrong answers

Option A is wrong because using the wrong key version would cause decryption failures on the client side, not a TLS handshake failure during HTTPS communication. Option B is wrong because network restrictions to the key vault would result in an access denied or timeout error when the application tries to retrieve the key, not a handshake failure in the TLS layer. Option D is wrong because if the key vault key is not enabled for encryption, the application would fail to encrypt data locally, but the HTTPS handshake is a separate process that does not depend on the key's encryption status.

439
MCQhard

During a security incident in a multi-tenant cloud environment, the cloud provider's logging system indicates that a virtual machine (VM) on a shared hypervisor has been compromised. The provider wants to assist the customer with forensic analysis while minimizing impact to other tenants. Which approach is most appropriate?

A.Rebuild the VM from a known good image and then run security scans.
B.Provide the customer with a memory snapshot of the compromised VM.
C.Clone the entire hypervisor and give the customer access to the clone.
D.Power off the VM immediately to contain the incident.
AnswerB

Memory snapshot preserves volatile data and allows forensic analysis without impacting other tenants.

Why this answer

Option B is correct because providing a memory snapshot of the compromised VM preserves volatile forensic data (e.g., running processes, network connections, encryption keys) without disrupting the hypervisor or other tenants. This approach adheres to the cloud provider's responsibility to isolate forensic evidence while maintaining multi-tenant isolation, as memory snapshots can be taken via hypervisor-level APIs (e.g., VMware VMotion or libvirt) without powering off the VM or cloning the entire host.

Exam trap

ISC2 often tests the distinction between forensic acquisition (preserving evidence) and incident containment/remediation, where candidates mistakenly choose immediate power-off (Option D) or rebuild (Option A) instead of the correct memory snapshot approach that balances evidence preservation with multi-tenant isolation.

How to eliminate wrong answers

Option A is wrong because rebuilding the VM from a known good image destroys all volatile evidence (e.g., memory-resident malware, active network connections) and is a remediation step, not a forensic acquisition step. Option C is wrong because cloning the entire hypervisor is excessively disruptive, exposes other tenants' data to the customer, and violates the shared responsibility model by breaking tenant isolation at the hypervisor level. Option D is wrong because powering off the VM immediately destroys volatile memory evidence and may trigger anti-forensic mechanisms in malware (e.g., self-deletion on shutdown), while also causing unnecessary downtime for the customer.

440
Multi-Selectmedium

Which THREE of the following are essential components of a Secure Software Development Lifecycle (SSDLC) in the cloud? (Choose three.)

Select 3 answers
A.Static application security testing (SAST) in CI/CD
B.Dynamic application security testing (DAST) in staging
C.Manual code reviews without automation
D.Threat modeling during design phase
E.Annual penetration testing only
AnswersA, B, D

SAST finds vulnerabilities in source code early.

Why this answer

Option A is correct because SAST tools scan source code, bytecode, or binaries for vulnerabilities like SQL injection or buffer overflows early in the development cycle. Integrating SAST into the CI/CD pipeline enables automated, continuous security checks on every commit or build, which is a core practice of a Secure Software Development Lifecycle (SSDLC) in the cloud. This shift-left approach catches flaws before they reach production, reducing remediation cost and risk.

Exam trap

ISC2 often tests the misconception that manual reviews are a primary or essential component of an SSDLC in the cloud, when in fact automation is critical for speed and consistency, and they also test the trap that annual penetration testing is sufficient for cloud environments, which require continuous security validation.

441
Multi-Selectmedium

Which TWO of the following are key elements of a cloud service agreement (CSA) for legal compliance?

Select 2 answers
A.Audit rights
B.Encryption key management
C.Data portability tools
D.Service level agreements (SLA) uptime guarantee
E.Data processing terms (DPA)
AnswersA, E

Allows customer to verify compliance, often legally required.

Why this answer

Data processing terms (DPA) and audit rights are standard CSA elements addressing legal compliance. Encryption key management and portability are more about security and operations, but not always considered 'key legal compliance' elements.

442
MCQmedium

The security team notices that the request above is from a known malicious IP address. However, the load balancer did not block it. What is the most likely reason?

A.The user-agent indicates it is a legitimate search engine
B.The response code indicates success
C.The load balancer's access control list does not include the IP address
D.The request was encrypted with TLS
AnswerC

If the IP is not in the deny list, the request will be allowed.

Why this answer

C is correct because a load balancer's access control list (ACL) is a stateless or stateful rule set that explicitly defines which source IP addresses are allowed or denied. If the malicious IP address is not listed in the ACL, the load balancer will not block the traffic, regardless of the request's content or encryption status. The security team's observation that the request was from a known malicious IP but was not blocked directly points to a missing or incomplete ACL entry.

Exam trap

ISC2 often tests the misconception that encryption (TLS) or response codes can override access control decisions, but the trap here is that candidates forget ACLs operate at a lower layer and are independent of application-layer details like user-agent or HTTP status codes.

How to eliminate wrong answers

Option A is wrong because the user-agent header is easily spoofed and does not determine the legitimacy of the source IP; a malicious actor can set a user-agent string to mimic a legitimate search engine. Option B is wrong because the response code (e.g., HTTP 200) indicates the request was processed successfully, but it does not imply that the request should have been blocked; blocking decisions are based on pre-configured rules, not on the outcome of the request. Option D is wrong because TLS encryption protects data in transit but does not affect IP-based access control; a load balancer can inspect the source IP before or after TLS termination, and encryption does not bypass ACL rules.

443
MCQhard

During a security review, a cloud security architect discovers that a PaaS database service has public network access enabled. The application team claims they need it for external integrations. What is the most secure alternative to allow necessary access?

A.Encrypt all data at rest and in transit to the database.
B.Use Azure Private Link or AWS PrivateLink to connect via private IP within the cloud network.
C.Move the database to a VM-hosted instance with a VPN connection.
D.Restrict public access using IP whitelisting to only required external IPs.
AnswerB

Traffic never traverses the public internet, and access is restricted to private endpoints.

Why this answer

Option C is correct because private link creates a private endpoint, eliminating exposure to the public internet. Option A is wrong because firewall rules still allow public IP addresses. Option B is wrong because it changes the service but still may have public exposure.

Option D is wrong because it is not a security control.

444
MCQmedium

A large enterprise is migrating a legacy .NET application to Azure App Service. The application currently stores session state in-memory on the web server. During the migration, the team plans to horizontally scale the application across multiple instances. The security team requires that session data remain confidential and be available even if an instance fails. Which solution should the team implement?

A.Store session data in Azure SQL Database with column-level encryption
B.Use Azure Redis Cache to store session state with encryption enabled
C.Encrypt session data and store it as a client-side cookie
D.Configure Application Gateway with cookie-based affinity (sticky sessions)
AnswerB

Redis provides scalable, encrypted, persistent session storage independent of instances.

Why this answer

Azure Redis Cache with encryption enabled provides a secure, centralized session store that persists data independently of individual web server instances. This ensures session data remains available even if an instance fails, and encryption protects confidentiality in transit and at rest, meeting the security team's requirements for horizontal scaling.

Exam trap

ISC2 often tests the distinction between availability and affinity, where candidates mistakenly choose sticky sessions (Option D) thinking they solve availability, but sticky sessions actually create a single point of failure by binding a user to one instance.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database with column-level encryption does not provide the low-latency, in-memory performance needed for session state in a horizontally scaled web application, and it introduces unnecessary database overhead and cost. Option C is wrong because storing encrypted session data as a client-side cookie violates the requirement for availability after instance failure, as the data is tied to the client and not centrally managed, and cookies have size limits (typically 4 KB) that cannot accommodate large session states. Option D is wrong because Application Gateway with cookie-based affinity (sticky sessions) pins a client to a specific instance, which prevents true horizontal scaling and does not ensure session data availability if that instance fails, as the session remains in-memory on that single server.

445
MCQhard

A cloud security architect is designing a data classification and labeling solution for a multinational corporation with offices in multiple countries. The corporation uses various SaaS applications (Office 365, Salesforce, etc.) and IaaS services. They require automatic classification of documents based on content (e.g., credit card numbers, social security numbers) and enforcement of protection policies (e.g., encryption, access restrictions) based on the classification. The solution must work across all cloud services and provide a unified management console. The corporation also needs to maintain data residency—data must not be stored in a different geographic region than where it was classified. Which cloud security solution BEST meets these requirements?

A.Deploy a cloud access security broker (CASB) with integrated DLP capabilities that can classify and enforce policies across multiple cloud apps.
B.Use each cloud provider's native DLP service (e.g., Microsoft Information Protection, AWS Macie) and manage them individually.
C.Use a third-party encryption gateway that encrypts all data leaving the on-premises network.
D.Implement a custom data classification system running on a virtual machine that inspects data via APIs.
AnswerA

Provides unified management, cross-cloud classification, and policy enforcement.

Why this answer

Option A is correct. A CASB with integrated DLP can classify content across multiple cloud apps and enforce policies from a single console, while also supporting data residency through policy configuration. Option B lacks unified management.

Option C is complex and may not scale. Option D does not provide classification.

446
MCQeasy

The exhibit shows the versioning configuration for an S3 bucket. What effect does enabling MFADelete have on data protection?

A.It automatically encrypts all new object versions
B.It requires MFA to permanently delete an object version
C.It prevents any version of an object from being overwritten
D.It requires MFA for all operations on the bucket
AnswerB

MFADelete adds MFA protection for delete operations.

Why this answer

Enabling MFADelete on an S3 bucket requires multi-factor authentication to permanently delete an object version or to suspend versioning on the bucket. This adds a critical layer of protection against accidental or malicious deletion of object versions, ensuring that even with administrative credentials, a second factor is needed to complete the destructive operation. It does not affect encryption, overwrite prevention, or all operations—only permanent deletion and versioning suspension.

Exam trap

ISC2 often tests the misconception that MFADelete applies to all bucket operations, when in fact it only applies to permanent deletion of object versions and suspension of versioning, not to reads, writes, or other management actions.

How to eliminate wrong answers

Option A is wrong because MFADelete does not automatically encrypt objects; encryption is managed separately via server-side encryption (SSE-S3, SSE-KMS, SSE-C) or client-side encryption. Option C is wrong because MFADelete does not prevent overwriting an object version; it only protects against permanent deletion of a version, while new versions can still be written (overwriting the current version). Option D is wrong because MFADelete does not require MFA for all operations; it only applies to two specific actions: permanently deleting an object version and suspending versioning on the bucket.

447
Multi-Selectmedium

Which TWO statements about data classification are correct?

Select 2 answers
A.Data classification is performed once at creation.
B.Data classification must be automated to be effective.
C.Data classification can be based on context and content.
D.Data classification is solely based on regulatory requirements.
E.Data classification labels determine access controls.
AnswersC, E

Classification uses both content inspection and contextual metadata.

Why this answer

Option C is correct because data classification can be based on both context (e.g., source, creator, location) and content (e.g., keywords, patterns, data values). This dual approach allows organizations to apply classification rules that consider the environment and the actual data, enabling more accurate and granular protection. For example, a document containing a credit card number (content) created by the finance department (context) could be classified as 'Confidential'.

Exam trap

ISC2 often tests the misconception that data classification is a static, one-time activity (Option A) or that automation is mandatory (Option B), when in reality classification is a continuous process and can be manual or hybrid.

448
Multi-Selectmedium

Which THREE of the following are typical responsibilities of a cloud customer under the shared responsibility model?

Select 3 answers
A.Classifying data and managing data encryption.
B.Physical security of data centers.
C.Managing user identities and access permissions.
D.Patching the hypervisor.
E.Patching operating systems on virtual machines.
AnswersA, C, E

Data classification and encryption are customer responsibilities.

Why this answer

Option A is correct because under the shared responsibility model, the cloud customer is responsible for classifying their data and managing encryption (both at rest and in transit) using tools like AWS KMS, Azure Key Vault, or client-side encryption libraries. The provider secures the infrastructure, but the customer controls access to the data itself.

Exam trap

ISC2 often tests the misconception that customers are responsible for patching the hypervisor or physical security, when in fact those are always provider obligations under the shared responsibility model.

449
MCQeasy

A customer requires complete control over encryption keys used to protect data at rest in the cloud. Which cloud service model provides the most direct control?

A.Infrastructure as a Service (IaaS)
B.Anything as a Service (XaaS)
C.Platform as a Service (PaaS)
D.Software as a Service (SaaS)
AnswerA

IaaS provides the most control over the operating system, storage, and encryption keys.

Why this answer

Option A is correct. IaaS gives customers control over the entire infrastructure stack, including encryption key management. PaaS and SaaS abstract away much of that control, limiting customer-managed key options.

450
MCQmedium

A company runs its production workloads on a cloud platform. The security team wants to ensure that all compute instances are patched within 30 days of a patch release. Which of the following is the BEST approach to enforce this requirement?

A.Use an automated patch management tool that deploys patches to all instances within 30 days
B.Configure vulnerability scanning to identify unpatched instances and notify administrators
C.Create a change management process that requires approval for all patches
D.Implement a manual patching policy and require each team to submit a patch report monthly
AnswerA

Automation enforces timeline.

Why this answer

Option B is correct because automated patch management with a scheduled deployment ensures compliance with the timeline. Option A is wrong because manual patching is error-prone and may not meet the timeline. Option C is wrong while it helps identify unpatched instances, it does not enforce patching.

Option D is wrong because approval workflow adds delay.

Page 5

Page 6 of 7

Page 7

All pages