Certified Cloud Security Professional CCSP (CCSP) — Questions 451504

504 questions total · 7pages · All types, answers revealed

Page 6

Page 7 of 7

451
MCQeasy

A cloud administrator is configuring log retention for a financial application that must comply with PCI DSS. What is the minimum log retention period required by PCI DSS?

A.At least 90 days.
B.At least six months.
C.At least five years.
D.At least one year with the most recent three months available online.
AnswerD

PCI DSS Requirement 10.7 mandates retention for at least one year, with three months online.

Why this answer

PCI DSS requirement 10.7 mandates that audit trail history must be retained for at least one year, with the most recent three months of logs immediately available for analysis. This ensures that historical data is preserved for forensic investigation while maintaining quick access to recent activity. Option D correctly states this dual requirement.

Exam trap

The trap here is that candidates often confuse the 'immediately available' 90-day requirement with the total retention period, leading them to incorrectly select Option A instead of recognizing the full one-year retention mandate with the three-month online subset.

How to eliminate wrong answers

Option A is wrong because 90 days is only the minimum period for which the most recent logs must be immediately available, not the total retention period. Option B is wrong because six months is not a PCI DSS retention requirement; the standard requires one year total. Option C is wrong because five years exceeds the PCI DSS minimum; that duration is more typical of HIPAA or other regulatory frameworks, not PCI DSS.

452
MCQmedium

A cloud administrator applies the bucket policy shown in the exhibit to an S3 bucket. What is the expected outcome?

A.All objects uploaded must be encrypted using server-side encryption with S3-managed keys (SSE-S3)
B.All upload requests will be denied unless they include encryption metadata
C.All objects must be encrypted with AWS KMS keys
D.All objects uploaded must be client-side encrypted before uploading
AnswerA

The condition requires x-amz-server-side-encryption: AES256, which is SSE-S3.

Why this answer

Option A is correct because the bucket policy explicitly denies uploads unless the `x-amz-server-side-encryption` header is set to `AES256`, which corresponds to SSE-S3. This ensures all objects uploaded to the bucket are encrypted at rest using server-side encryption with S3-managed keys, as the policy condition enforces the presence of that specific encryption header.

Exam trap

The trap here is that candidates often confuse the requirement for any encryption metadata (option B) with the specific requirement for SSE-S3 (AES256), or they mistakenly think the policy enforces KMS (option C) because they overlook the exact header value `AES256` in the condition.

How to eliminate wrong answers

Option B is wrong because the policy does not merely require encryption metadata; it specifically requires the `x-amz-server-side-encryption` header to be set to `AES256`, not just any encryption metadata. Option C is wrong because the policy enforces SSE-S3 (AES256), not AWS KMS keys (which would require `aws:kms` in the header). Option D is wrong because the policy enforces server-side encryption, not client-side encryption; client-side encryption is performed before upload and does not involve the `x-amz-server-side-encryption` header.

453
MCQhard

An enterprise uses a Cloud Access Security Broker (CASB) to monitor cloud application usage. The CASB generates alerts about potential data loss prevention events. What is the primary purpose of the CASB's DLP capabilities?

A.To block all uploads of sensitive data to cloud apps
B.To classify data automatically using machine learning
C.To detect and prevent unauthorized sharing of sensitive data based on policies
D.To encrypt data before it is sent to cloud apps
AnswerC

DLP policies allow controlled sharing while blocking unauthorized transfers.

Why this answer

The primary purpose of a CASB's DLP capabilities is to enforce policies that detect and prevent unauthorized sharing of sensitive data. This is achieved by inspecting content in transit (e.g., via API or proxy) and applying rules such as blocking, quarantining, or alerting on policy violations. Option C correctly captures this core function of policy-based detection and prevention, which goes beyond simple blocking or classification.

Exam trap

ISC2 often tests the misconception that DLP's primary purpose is to block all sensitive data or to classify data, when in fact it is to enforce granular policies that detect and prevent unauthorized sharing based on context (e.g., user, location, device).

How to eliminate wrong answers

Option A is wrong because blocking all uploads of sensitive data is too restrictive and not the primary purpose; CASB DLP uses granular policies to allow legitimate transfers while blocking only unauthorized ones. Option B is wrong because automatic classification using machine learning is a feature of data discovery and classification tools, not the primary DLP purpose; DLP focuses on enforcing policies on already-classified or pattern-matched data. Option D is wrong because encryption is a separate control often handled by key management or tokenization services, not the primary DLP function; CASB DLP may trigger encryption but its core role is policy enforcement, not encryption itself.

454
Multi-Selectmedium

An organization is evaluating techniques to protect data while it is being processed in memory. The goal is to prevent unauthorized access even if the operating system or hypervisor is compromised. Which TWO techniques are suitable for protecting data in use?

Select 2 answers
A.Hashing
B.Data masking
C.Secure enclaves (e.g., Intel SGX)
D.Homomorphic encryption
E.Tokenization
AnswersC, D

Hardware-based isolation for code and data in memory.

Why this answer

Secure enclaves, such as Intel SGX, provide hardware-enforced isolation by creating trusted execution environments (TEEs) that encrypt memory pages in use, protecting data even if the OS or hypervisor is compromised. This makes them suitable for protecting data in use because the CPU itself enforces access controls, preventing any privileged software from reading the enclave's memory.

Exam trap

ISC2 often tests the distinction between 'data at rest' and 'data in use' protections, and candidates mistakenly choose hashing or tokenization because they associate them with security, but neither protects data during active processing in memory.

455
Multi-Selectmedium

A cloud security architect is concerned about potential side-channel attacks against VMs running on a shared hypervisor. Which TWO of the following measures would be most effective in mitigating such attacks?

Select 2 answers
A.Use dedicated (single-tenant) hosts for sensitive workloads.
B.Encrypt all data at rest using AES-256.
C.Disable hyper-threading on the physical hosts.
D.Implement network segmentation using VLANs.
E.Enable multi-factor authentication for all cloud administrative accounts.
AnswersA, C

Dedicated hosts guarantee no other VMs on the same hypervisor, eliminating shared-resource side channels.

Why this answer

Option A is correct because using dedicated (single-tenant) hosts ensures that the physical server is not shared with any other customer's VMs. This eliminates the possibility of a co-resident attacker exploiting shared hardware resources (such as CPU caches, memory buses, or branch predictors) to launch side-channel attacks like Prime+Probe or Flush+Reload. By removing the shared hypervisor layer between tenants, the attack surface for cross-VM side channels is effectively nullified.

Exam trap

ISC2 often tests the distinction between data protection controls (encryption, MFA, network segmentation) and compute-level isolation controls, leading candidates to mistakenly select network or access controls that do not address the shared hardware attack surface.

456
MCQmedium

A healthcare organization is using a cloud-based electronic health record (EHR) system hosted on a PaaS platform. The platform provides a web interface and an API for integration with internal systems. The organization's security policy requires encryption of all data at rest and in transit. They have implemented SSL/TLS for data in transit and enabled server-side encryption for the database. However, during a recent audit, it was discovered that the API returns diagnostic data in clear text when accessed from internal networks. The internal network is considered trusted. The auditor recommends implementing end-to-end encryption. Which of the following is the BEST approach to meet this requirement?

A.Configure the API to require mutual TLS (mTLS) authentication and use TLS 1.2 or higher for all connections from internal systems.
B.Implement client-side encryption on the internal systems before sending data to the API.
C.Set up a VPN connection between the internal network and the cloud PaaS environment to encrypt all traffic.
D.Create a proxy service in the cloud that encrypts the data before forwarding it to the API.
AnswerA

mTLS ensures both parties are authenticated and the communication is encrypted, providing end-to-end encryption.

Why this answer

Option C is correct because implementing mutual TLS (mTLS) ensures that only authenticated clients (internal systems) can communicate with the API and all data is encrypted end-to-end. Option A is wrong because client-side encryption requires key management and does not guarantee encryption in transit between the internal systems and the API. Option B is wrong because using a VPN adds latency and complexity; mTLS is more lightweight and still encrypts the data.

Option D is wrong because sending data through a separate encryption endpoint adds extra components and potential points of failure.

457
MCQhard

An organization wants to ensure that its CSP does not access customer data for any purpose other than providing the service. Which clause should be included?

A.Right to audit
B.Security incident response
C.Data use restriction
D.Non-disclosure agreement
AnswerC

This clause restricts the provider's use of data to specified purposes.

Why this answer

A data use restriction clause explicitly limits the provider's use of customer data to only what is necessary to provide the service. Non-disclosure agreements protect confidentiality but don't restrict use. Right to audit provides oversight, and security incident response addresses breach management.

458
MCQeasy

An organization uses a cloud key management service (KMS) for encryption keys. The security policy requires automatic rotation of keys every 90 days. Which rotation strategy best balances security and operational impact?

A.Retain the original key for decryption and use a new key only for new data.
B.Have administrators manually create new keys every 90 days and update applications.
C.Configure the KMS to automatically generate new key versions and retire old ones with no application changes.
D.Re-encrypt all data with a new master key each rotation to ensure full key separation.
AnswerC

Automatic rotation with versioning is seamless and secure.

Why this answer

Option C is correct because cloud KMS services (e.g., AWS KMS, Azure Key Vault, GCP Cloud KMS) support automatic key rotation by creating new key versions while retaining previous versions for decryption of existing data. This approach satisfies the 90-day rotation policy without requiring application changes, as the KMS handles versioning transparently and the encryption context or key ID abstraction allows seamless use of the latest key for encryption.

Exam trap

The trap here is that candidates often confuse key rotation with re-encryption, assuming that rotating a key requires re-encrypting all existing data, when in fact cloud KMS versioning allows old keys to remain available for decryption without re-encrypting the entire dataset.

How to eliminate wrong answers

Option A is wrong because retaining the original key for decryption while using a new key only for new data does not rotate the original key; it merely adds a new key, leaving the original key active indefinitely, which violates the 90-day rotation policy. Option B is wrong because manual key creation every 90 days introduces operational overhead, risk of human error, and requires application updates to reference new keys, which contradicts the goal of minimizing operational impact. Option D is wrong because re-encrypting all data with a new master key each rotation is impractical and resource-intensive; cloud KMS rotation typically uses versioned keys where old versions remain available for decryption without re-encrypting existing ciphertext.

459
MCQhard

An organization is designing a cloud application that must remain available even if an entire AWS availability zone fails. Which architecture pattern should they implement?

A.Single region with multiple AZs active-active
B.Single region with multiple AZs active-standby
C.Active-passive in a single region
D.Multi-region active-active
AnswerA

This pattern distributes workloads across AZs, ensuring continued availability if one AZ fails.

Why this answer

The correct architecture is a single region with multiple Availability Zones (AZs) in an active-active configuration. This ensures that if one AZ fails, the application continues to serve traffic from the remaining AZs without any manual intervention, as all AZs are actively handling requests. AWS Availability Zones are physically separate data centers within a region, and an active-active pattern distributes the workload across them to achieve high availability and fault tolerance.

Exam trap

ISC2 often tests the distinction between surviving an AZ failure versus a region failure, and the trap here is that candidates may overcomplicate the solution by choosing multi-region active-active, not realizing that a single region with multiple AZs is sufficient and more cost-effective for the given requirement.

How to eliminate wrong answers

Option B (Single region with multiple AZs active-standby) is wrong because it introduces a standby component that is not actively serving traffic, leading to potential downtime during failover and resource underutilization; the question requires continuous availability even during an AZ failure, which active-standby does not guarantee without a failover delay. Option C (Active-passive in a single region) is wrong because it typically relies on a single AZ for the active component, making it vulnerable to AZ failure, and the passive component requires manual or automated failover, which introduces downtime. Option D (Multi-region active-active) is wrong because while it provides high availability, it is over-engineered for the requirement of surviving a single AZ failure; it adds unnecessary complexity, latency, and cost, and the question specifically asks for an architecture that remains available if an entire AWS availability zone fails, not a full region failure.

460
MCQhard

An organization experiences a data breach in the cloud. The CSP claims they are not liable because the breach was due to customer misconfiguration. The customer disagrees. What document should be reviewed to determine liability?

A.The CSP's privacy policy
B.The SOC 2 Type II report from the CSP
C.The incident response plan
D.The shared responsibility matrix in the service contract
AnswerD

This matrix explicitly defines responsibilities for security controls.

Why this answer

The shared responsibility matrix (SRM) is the definitive contractual document that delineates which security controls are managed by the cloud service provider (CSP) and which are the customer's obligation. In a breach caused by misconfiguration, the SRM specifies whether the configuration of the affected resource (e.g., an S3 bucket ACL or a security group rule) falls under the customer's responsibility. Without reviewing the SRM, liability cannot be determined because the matrix explicitly maps each control layer (e.g., network, compute, data) to the responsible party.

Exam trap

ISC2 often tests the misconception that a SOC report or privacy policy defines liability, when in fact only the contractual shared responsibility matrix legally allocates responsibility for specific security controls.

How to eliminate wrong answers

Option A is wrong because a privacy policy describes how the CSP handles personal data (e.g., GDPR compliance), not the operational security responsibilities for configuration management. Option B is wrong because a SOC 2 Type II report provides an independent audit of the CSP's controls over a period of time, but it does not define contractual liability boundaries or assign responsibility for specific misconfigurations. Option C is wrong because an incident response plan outlines the steps to detect, contain, and recover from a breach, not the pre-defined allocation of liability between the CSP and the customer.

461
MCQmedium

A company experiences a security breach in its cloud environment, and the security team needs to preserve evidence for legal proceedings. Which of the following is the MOST important step to take first?

A.Disable all logging to prevent the attacker from seeing detection efforts.
B.Isolate the compromised systems from the network to prevent lateral movement.
C.Notify all affected customers of the breach.
D.Contact the legal department to obtain a warrant before any action.
AnswerB

Isolating systems is the first priority to stop the attack and preserve evidence.

Why this answer

Option B is correct because the immediate priority in a cloud security incident is to contain the breach and prevent lateral movement, which preserves the integrity of the evidence by stopping further compromise. Isolating compromised systems (e.g., via network security groups or virtual network segmentation) ensures that volatile data, such as memory contents and active connections, is not altered by ongoing attacker activity. This step aligns with the NIST SP 800-61 incident response framework, which emphasizes containment before evidence collection.

Exam trap

ISC2 often tests the misconception that preserving evidence means immediately collecting logs or notifying stakeholders, when in fact the first step is to contain the incident to prevent evidence from being altered or destroyed by ongoing attacker activity.

How to eliminate wrong answers

Option A is wrong because disabling all logging destroys the very evidence needed for legal proceedings and violates the principle of preserving forensic artifacts; logging should be enabled and protected to capture attacker actions. Option C is wrong because notifying affected customers prematurely can compromise the investigation, alert the attacker, and violate data breach notification laws that require a thorough forensic analysis first. Option D is wrong because obtaining a warrant is not a prerequisite for internal incident response actions; the company owns the cloud environment and can take immediate containment steps without a warrant, and waiting for legal authorization could allow the attacker to destroy evidence.

462
MCQmedium

A cloud architect is designing a data loss prevention (DLP) solution for a SaaS application. The DLP must inspect data in transit between end users and the cloud as well as data at rest. Which combination of controls is most appropriate?

A.Use network segmentation and security groups.
B.Deploy a cloud DLP service for content inspection and enforce encryption at rest.
C.Use encryption at rest and backup retention policies.
D.Implement a web application firewall (WAF) and a VPN.
AnswerB

Cloud DLP inspects data in transit and at rest; encryption protects at rest.

Why this answer

Option B is correct because a cloud DLP service (e.g., AWS Macie, Microsoft Purview) can inspect data in transit by analyzing API calls or traffic patterns, and encryption at rest (e.g., AES-256) protects stored data. This combination directly addresses both inspection of data in transit and protection of data at rest, which is the core requirement of the question.

Exam trap

The trap here is that candidates confuse a WAF (which inspects for attacks) with a DLP service (which inspects for sensitive data content), leading them to choose Option D despite it lacking content inspection for data in transit.

How to eliminate wrong answers

Option A is wrong because network segmentation and security groups control traffic flow and access, but they do not inspect the content of data in transit or protect data at rest. Option C is wrong because encryption at rest protects stored data, but backup retention policies only manage data lifecycle, not inspect data in transit. Option D is wrong because a WAF inspects HTTP traffic for web attacks, not data content for DLP, and a VPN encrypts the tunnel but does not inspect the data payload.

463
MCQhard

Refer to the exhibit. A cloud security administrator is reviewing the following security group configuration associated with a web server instance. What security best practice is being violated?

A.Outbound traffic should be allowed to any destination.
B.Inbound SSH should not be allowed from any source.
C.Inbound HTTPS should be allowed from any source.
D.Security groups should not be used for web servers.
AnswerB

The rule allows SSH from 0.0.0.0/0, violating least privilege and increasing attack surface.

Why this answer

Option B is correct because allowing inbound SSH (TCP port 22) from any source (0.0.0.0/0) violates the security best practice of least privilege. SSH should only be permitted from specific administrative IP ranges or bastion hosts to prevent unauthorized access and brute-force attacks. In a cloud environment like AWS, security groups should restrict SSH to known management networks, not the entire internet.

Exam trap

ISC2 often tests the misconception that allowing inbound HTTPS from any source is a violation, but for a public web server, this is correct; the trap is confusing the need for open HTTPS with the need to restrict administrative protocols like SSH.

How to eliminate wrong answers

Option A is wrong because outbound traffic should be restricted to only necessary destinations (e.g., specific update servers or databases), not allowed to any destination, as unrestricted outbound traffic can facilitate data exfiltration. Option C is wrong because inbound HTTPS (TCP port 443) should be allowed from any source for a public web server; this is a standard requirement for serving web content securely. Option D is wrong because security groups are the primary and recommended mechanism for controlling traffic to cloud instances like web servers; they are stateful and provide granular access control.

464
Multi-Selectmedium

Which THREE of the following are commonly required when conducting a cloud vendor risk assessment?

Select 3 answers
A.Security certifications (e.g., ISO 27001)
B.Financial stability of the vendor
C.Vendor's incident response plan
D.Pricing compared to competitors
E.Marketing materials and brand reputation
AnswersA, B, C

Evidence of security posture.

Why this answer

Financial stability, certifications, and incident response plans are standard vendor risk assessment items. Pricing comparison is procurement, not risk; marketing materials are irrelevant.

465
MCQhard

A large healthcare organization runs its electronic health records (EHR) system on a private cloud built with VMware vSphere. They have implemented a hybrid cloud strategy with a public cloud provider for disaster recovery. The EHR application is mission-critical and must maintain high availability with zero data loss. During a routine audit, the security team discovers that the replication between the private cloud and the public cloud uses asynchronous replication with a 15-minute recovery point objective (RPO). However, the application requires an RPO of less than 1 minute. Additionally, the replication data is not encrypted in transit. The compliance officer demands immediate remediation. The cloud architect must propose a solution that meets the RPO requirement and ensures encryption of data in transit. Which of the following actions is the most appropriate first step?

A.Move the entire EHR system to the public cloud and use native replication services.
B.Increase the frequency of asynchronous replication to every 30 seconds and use IPsec VPN for encryption.
C.Switch to synchronous replication between the private cloud and public cloud to achieve near-zero RPO, and enable TLS for replication traffic.
D.Implement a third-party replication tool that uses compression and encryption, and keep asynchronous replication with 15-minute RPO.
AnswerC

Synchronous replication meets RPO and TLS ensures encryption.

Why this answer

Option C is correct because synchronous replication ensures that data is written to both the primary and secondary sites before acknowledging the write, achieving near-zero RPO (typically sub-second). Enabling TLS for replication traffic encrypts data in transit, directly addressing the compliance requirement. This approach meets the application's mission-critical need for zero data loss and encryption without changing the underlying hybrid architecture.

Exam trap

ISC2 often tests the misconception that increasing asynchronous replication frequency can achieve near-zero RPO, but only synchronous replication guarantees zero data loss by ensuring writes are committed at both sites before acknowledgment.

How to eliminate wrong answers

Option A is wrong because moving the entire EHR system to the public cloud does not inherently solve the RPO or encryption issues; it merely shifts the problem and may introduce new latency or compliance concerns without guaranteeing sub-minute RPO. Option B is wrong because increasing asynchronous replication frequency to 30 seconds still does not guarantee zero data loss (RPO is not zero) and IPsec VPN encrypts the tunnel but does not necessarily encrypt the replication stream itself at the application layer, potentially leaving data exposed during transit. Option D is wrong because keeping asynchronous replication with a 15-minute RPO fails to meet the sub-minute RPO requirement, regardless of compression and encryption improvements.

466
MCQeasy

Refer to the exhibit. A cloud administrator discovers this Azure role assignment in the Finance resource group. The role definition ID corresponds to 'Storage Blob Data Contributor'. What is the immediate compliance concern?

A.The principal ID is not a human-readable name
B.The assignment is scoped to a storage account
C.The assignment has no expiration date
D.The assignment provides unconstrained access without any condition
AnswerD

Lack of conditions such as IP restrictions or MFA could lead to unauthorized access.

Why this answer

Option D is correct because the role assignment 'Storage Blob Data Contributor' grants full read, write, and delete permissions on blob data within the scope, without any Azure attribute-based access control (ABAC) conditions. This violates the principle of least privilege, as it allows unconstrained access to all blob containers and blobs in the storage account, which is a compliance concern under frameworks like SOC 2 or ISO 27001 that require fine-grained access controls.

Exam trap

The trap here is that candidates often overlook the absence of conditions (ABAC) and focus on superficial details like the principal ID format or scope, but the core compliance issue is the lack of constrained access, which is a direct violation of least privilege and data governance requirements.

How to eliminate wrong answers

Option A is wrong because the principal ID being a GUID rather than a human-readable name is a normal Azure behavior; the actual identity (user, group, or service principal) is resolved via Azure AD, and this does not inherently create a compliance issue. Option B is wrong because scoping the assignment to a storage account is actually a best practice—it limits the blast radius compared to a subscription or management group scope, so it is not a compliance concern. Option C is wrong because Azure role assignments do not have an expiration date by default; they are permanent until explicitly removed, and the absence of an expiration date is not a compliance violation unless a specific policy requires temporary access, which is not indicated here.

467
MCQmedium

Refer to the exhibit. A security administrator is reviewing an S3 bucket policy. What is the primary security concern with this policy?

A.The policy allows delete access from a trusted IP range without additional controls
B.The policy does not enforce server-side encryption
C.The bucket is publicly accessible from any IP
D.The policy does not require MFA for delete operations
AnswerA

Delete access should be restricted further or require MFA.

Why this answer

Option A is correct because the policy grants s3:DeleteObject permission to a trusted IP range without requiring additional controls like MFA or versioning safeguards. This means an attacker who compromises a machine within that IP range can permanently delete objects without any secondary authentication, leading to potential data loss. The lack of a condition such as 'aws:MultiFactorAuthPresent': true or a Deny for delete operations without MFA is the primary security concern.

Exam trap

ISC2 often tests the distinction between 'publicly accessible' and 'accessible from a trusted IP range'—candidates may mistakenly think any IP-based restriction is sufficient, overlooking that delete operations without MFA or versioning are still a critical risk.

How to eliminate wrong answers

Option B is wrong because the policy does not explicitly enforce server-side encryption, but that is not the primary security concern; the question focuses on the most critical risk, which is unauthorized deletion. Option C is wrong because the policy restricts access to a specific IP range (e.g., 'aws:SourceIp': '192.0.2.0/24'), so the bucket is not publicly accessible from any IP. Option D is wrong because while MFA for delete operations is a best practice, the policy does not require it, but the core issue is that delete access is granted to a trusted IP range without any additional controls—MFA is just one possible control, and the absence of any control is the primary concern.

468
MCQhard

A financial services company uses a CI/CD pipeline to deploy microservices to a Kubernetes cluster. The security team wants to ensure container images are scanned for vulnerabilities before deployment. Which integration point in the pipeline is most effective?

A.Runtime security monitoring
B.Pre-commit hook in source control
C.Post-build image scanning in registry
D.Admission controller in Kubernetes
AnswerC

Scanning images in the registry after build ensures vulnerabilities are detected before deployment.

Why this answer

Post-build image scanning in the registry (Option C) is the most effective integration point because it automatically scans container images after they are built and pushed, catching vulnerabilities before the image is deployed to production. This ensures that only compliant images proceed through the pipeline, aligning with the principle of shift-left security without blocking developer velocity.

Exam trap

ISC2 often tests the distinction between proactive pipeline controls (like post-build scanning) and reactive runtime controls (like admission controllers), leading candidates to choose admission controllers because they seem directly related to Kubernetes security, but they miss the earlier, more effective integration point.

How to eliminate wrong answers

Option A is wrong because runtime security monitoring detects threats during execution, not before deployment, so it cannot prevent vulnerable images from being deployed. Option B is wrong because pre-commit hooks scan source code, not container images, and cannot detect vulnerabilities in base layers or dependencies added during the build process. Option D is wrong because an admission controller in Kubernetes can block deployment based on image policies, but it acts after the image is already built and pushed, making it a reactive control rather than a proactive integration point in the CI/CD pipeline.

469
MCQeasy

A company is migrating sensitive customer data to a public cloud storage service. They want to ensure that even the cloud provider cannot access the plaintext data. Which encryption strategy should they implement?

A.Client-side encryption before uploading data
B.Server-side encryption with cloud-provider-managed keys
C.Tokenization of sensitive fields at the application layer
D.Enforcing role-based access control (RBAC) on the storage bucket
AnswerA

Client-side encryption ensures the provider never sees plaintext.

Why this answer

Client-side encryption ensures that data is encrypted before it leaves the customer's environment, so the cloud provider only ever receives ciphertext. This means the cloud provider cannot access the plaintext data, even if the storage service is compromised or the provider is legally compelled to disclose data. The encryption keys are managed and stored by the customer, not the cloud provider.

Exam trap

ISC2 often tests the distinction between encryption at rest (server-side) and encryption in transit or before upload (client-side), and the trap is that candidates confuse server-side encryption with the ability to prevent provider access, not realizing that the provider still holds the keys.

How to eliminate wrong answers

Option B is wrong because server-side encryption with cloud-provider-managed keys means the cloud provider holds the encryption keys and can decrypt the data on demand, which does not prevent the provider from accessing plaintext. Option C is wrong because tokenization replaces sensitive data with tokens, but the token mapping and original data are typically stored elsewhere and may still be accessible to the provider; it also does not encrypt the entire data payload, leaving other fields in plaintext. Option D is wrong because RBAC controls access to the storage bucket but does not encrypt the data; the cloud provider can still read the plaintext data stored in the bucket.

470
MCQmedium

During a code review, a developer identifies that an application uses input from an HTTP request to generate a SQL query string. What is the primary security concern?

A.Buffer overflow
B.Insecure deserialization
C.Cross-site scripting (XSS)
D.SQL injection
AnswerD

User input in SQL queries can lead to injection attacks.

Why this answer

Option D is correct because directly concatenating user-supplied input from an HTTP request into a SQL query string allows an attacker to inject arbitrary SQL commands. This can lead to unauthorized data access, data manipulation, or even complete database compromise. The primary security concern is SQL injection, which violates the confidentiality and integrity of cloud-hosted databases.

Exam trap

ISC2 often tests the distinction between input validation issues (like SQL injection) and output encoding issues (like XSS), so the trap here is confusing a server-side injection attack with a client-side script injection attack.

How to eliminate wrong answers

Option A is wrong because buffer overflow exploits typically target memory corruption in low-level languages like C/C++, not SQL query string generation in application code. Option B is wrong because insecure deserialization involves untrusted data being deserialized into objects, not the direct injection of SQL syntax into a query string. Option C is wrong because cross-site scripting (XSS) involves injecting client-side scripts into web pages viewed by other users, whereas this scenario directly manipulates a server-side SQL query.

471
MCQmedium

A cloud architect is designing a multi-tier application in a public cloud. The web tier must be accessible from the internet, while the application and database tiers must only be reachable from the web tier. The architect needs to ensure that even if the web server is compromised, the attacker cannot directly access the database. Which architecture BEST meets this requirement?

A.Place all tiers in the same subnet and use a single security group to control inbound traffic.
B.Place all tiers in the same VPC but different subnets, and use network ACLs to restrict traffic.
C.Place the web tier in a public subnet with a security group allowing HTTP/HTTPS from 0.0.0.0/0, and place the app and database tiers in private subnets with security groups allowing traffic only from the web tier's security group.
D.Use a VPN to connect the tiers and rely on IPsec policies for segmentation.
AnswerC

This provides proper isolation: private subnets with security group references restrict access to the web tier only.

Why this answer

Option C is correct because it implements defense-in-depth by placing the web tier in a public subnet with a security group that allows inbound HTTP/HTTPS from the internet, while the app and database tiers reside in private subnets with security groups that only permit traffic from the web tier's security group. This ensures that even if the web server is compromised, the attacker cannot directly reach the database because the database security group explicitly denies traffic from any source other than the web tier's security group, and the private subnets have no direct internet route.

Exam trap

The trap here is that candidates often confuse network ACLs (stateless, IP-based) with security groups (stateful, can reference other security groups), leading them to choose Option B because they think ACLs provide sufficient segmentation, but they overlook the need for group-based source references to prevent lateral movement from a compromised host.

How to eliminate wrong answers

Option A is wrong because placing all tiers in the same subnet with a single security group provides no network segmentation; if the web server is compromised, the attacker can directly access the database on the same subnet without any additional controls. Option B is wrong because while different subnets provide network segmentation, network ACLs are stateless and evaluate rules in order, but they do not support source-group-based references (like security group IDs), so they cannot restrict traffic to only the web tier's security group; they can only filter by IP ranges, which is less precise and could allow lateral movement if the web server's IP is spoofed or if multiple instances are used. Option D is wrong because a VPN with IPsec policies connects the tiers over an encrypted tunnel but does not enforce internal segmentation within the VPC; it would still require additional security groups or ACLs to restrict database access, and the VPN itself does not prevent a compromised web server from directly reaching the database if both are on the same network segment.

472
Matchingmedium

Match each key management solution to its characteristic.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Hardware-based key generation and storage

Software-based key lifecycle management

Customer-managed keys in cloud provider HSM

Customer holds and manages own keys

Why these pairings

Key management is critical for data protection; BYOK and KYOK offer different levels of customer control.

473
Multi-Selecthard

A cloud architect is designing a multi-cloud solution that must maintain high availability and disaster recovery across two cloud providers. Which three key considerations should be included in the architecture? (Choose three.)

Select 3 answers
A.Rely on each provider's native high-availability features.
B.Use a single networking interface to simplify connectivity.
C.Use a single DNS provider for failover.
D.Implement consistent identity and access management across providers.
E.Ensure application code is cloud-agnostic.
AnswersA, D, E

Correct: Leverage provider capabilities within each region.

Why this answer

Option A is correct because relying on each provider's native high-availability features (e.g., AWS Auto Scaling and Multi-AZ deployments, Azure Availability Zones) allows the architecture to leverage built-in fault tolerance and automatic failover within each cloud. This avoids reinventing the wheel and ensures that each provider handles its own infrastructure failures, which is a foundational principle for multi-cloud HA/DR design.

Exam trap

ISC2 often tests the misconception that a single DNS provider or single network interface is acceptable for multi-cloud HA, when in reality these create critical single points of failure that violate the redundancy principle.

474
Multi-Selectmedium

Which TWO statements about data masking are correct?

Select 2 answers
A.Data masking is a form of encryption.
B.Data masking is primarily used for production environments.
C.Data masking is reversible.
D.Data masking replaces sensitive data with realistic fictional data.
E.Data masking can be static or dynamic.
AnswersD, E

It produces realistic data for development and testing.

Why this answer

Option D is correct because data masking replaces sensitive data (e.g., credit card numbers, SSNs) with realistic but fictitious data that preserves the original data's format and referential integrity, ensuring that the masked data remains usable for testing or analytics without exposing actual sensitive information. This is distinct from encryption, as masking does not use a key to transform data but rather substitutes it with a non-sensitive equivalent.

Exam trap

The trap here is that candidates often confuse data masking with encryption, assuming both are reversible, or mistakenly think masking is used in production environments, whereas the CCSP emphasizes that masking is for non-production use and is irreversible by design.

475
MCQhard

A financial services company uses a multi-region cloud deployment for its trading application. The application consists of a web frontend, a REST API, and a relational database. Recently, a penetration test revealed that an attacker could perform a time-based blind SQL injection through the API's search functionality. The injection allows the attacker to enumerate database contents by observing response times. The development team was already aware of the issue but had prioritized other features. The security team now demands immediate remediation. The application is critical and cannot be taken offline. Which of the following is the most effective immediate action to mitigate the risk without modifying the application code?

A.Deploy a Web Application Firewall (WAF) with a rule to block SQL injection patterns
B.Implement rate limiting on the API endpoint
C.Enable DDoS protection on the cloud load balancer
D.Enable transparent data encryption (TDE) on the database
AnswerA

WAF provides virtual patching without code changes.

Why this answer

A WAF can inspect incoming HTTP requests and block those matching SQL injection patterns (e.g., SQL keywords, special characters) without modifying application code. Since the vulnerability is a time-based blind SQL injection, a WAF with a dedicated SQL injection rule set can immediately stop the attack vector by filtering malicious payloads at the edge, providing a virtual patch while the code fix is developed. This is the only option that directly addresses the injection vector without requiring code changes or downtime.

Exam trap

ISC2 often tests the misconception that rate limiting or DDoS protection can mitigate application-layer attacks like SQL injection, but these controls address availability threats, not data exfiltration or injection vulnerabilities.

How to eliminate wrong answers

Option B is wrong because rate limiting only restricts the number of requests per time window, which does not prevent a single crafted SQL injection payload from executing; it merely slows down enumeration but does not block the injection itself. Option C is wrong because DDoS protection mitigates volumetric attacks aimed at overwhelming resources, not application-layer attacks like SQL injection; it does not inspect payload content. Option D is wrong because transparent data encryption (TDE) protects data at rest in the database, but the SQL injection attack exploits the API to extract data in transit or via response timing, so encryption does not prevent the injection or the data exfiltration.

476
Multi-Selectmedium

A cloud operations team is implementing a disaster recovery plan. Which of the following are valid strategies for data replication in a cloud environment? (Choose three.)

Select 3 answers
A.Asynchronous replication across regions
B.Synchronous replication within the same region
C.Periodic snapshots to object storage
D.Replication via cloud provider's managed replication service
E.Active-active replication with load balancing
AnswersA, B, D

Asynchronous replication handles geographic distance with eventual consistency.

Why this answer

Asynchronous replication across regions is a valid DR strategy because it allows data to be copied to a geographically distant region without requiring an immediate acknowledgment from the target, which minimizes latency impact on the primary site. This approach is suitable for cloud environments where recovery point objectives (RPOs) of minutes to hours are acceptable, and it leverages the cloud provider's high-latency inter-region network links without stalling write operations.

Exam trap

ISC2 often tests the distinction between replication (continuous data copying) and backup (point-in-time snapshots), so candidates mistakenly select periodic snapshots as a replication strategy when it is actually a backup method.

477
MCQmedium

During a cloud migration, a company discovers that data stored in a specific region must remain there per contract. The cloud provider offers data replication across regions. What is the best practice to ensure compliance?

A.Use data residency controls provided by the cloud provider
B.Negotiate a new contract to allow replication
C.Disable all data replication features
D.Encrypt data before storing it
AnswerA

Technical controls enforce data location at the storage or service level.

Why this answer

Configuring data residency controls (like tagging and policies) ensures data stays within the required region. Disabling replication across regions is too restrictive and may affect availability; contract negotiation is less efficient than technical controls.

478
MCQeasy

A cloud security engineer reviews this Terraform configuration for a security group. Which change is necessary to improve security?

A.Use a broader CIDR for ingress.
B.Restrict egress to specific ports.
C.Change protocol to UDP.
D.Remove the ingress rule.
AnswerB

Restricting egress limits data exfiltration risks.

Why this answer

The egress rule allows all outbound traffic (all ports to any IP). Restricting egress to specific ports reduces the attack surface. The ingress is already restricted to VPC CIDR.

Removing ingress would break functionality. Broader ingress is worse. Changing protocol does not improve security.

479
MCQmedium

A security architect is designing a CI/CD pipeline for a cloud-native application. The team wants to automatically scan container images for vulnerabilities before deployment. Which of the following is the most effective approach?

A.Manually review images before each deployment
B.Integrate a container image scanner into the pipeline
C.Perform vulnerability scanning at runtime using a host-based agent
D.Scan the network for open ports on the container hosts
AnswerB

Automated scanning in the pipeline prevents vulnerable images from being deployed.

Why this answer

Integrating a container image scanner into the CI/CD pipeline ensures that vulnerabilities are detected early, before the image is deployed to production. This approach automates security checks as part of the build process, aligning with DevSecOps principles by shifting security left. Tools like Trivy, Clair, or Anchore can be configured to fail the pipeline if critical vulnerabilities are found, preventing insecure images from reaching runtime.

Exam trap

The trap here is that candidates confuse runtime host-based scanning (Option C) with image scanning, but the question specifically asks for scanning before deployment, making pipeline integration the only correct choice that enforces security gates early in the lifecycle.

How to eliminate wrong answers

Option A is wrong because manual review is not scalable, error-prone, and cannot keep pace with the frequency of deployments in a CI/CD pipeline, violating the automation principle of secure DevOps. Option C is wrong because runtime scanning with a host-based agent detects vulnerabilities only after the container is already running, missing the opportunity to block deployment of vulnerable images and potentially exposing the environment to exploitation. Option D is wrong because scanning the network for open ports on container hosts addresses network-level exposure, not the vulnerabilities within the container image itself, and is a reactive measure unrelated to image security.

480
MCQhard

A cloud security engineer reviews the Terraform configuration above. Which of the following is a security best practice that has been violated?

A.The user_data script should not be in plain text
B.The security group does not allow SSH access
C.The security group allows unrestricted inbound traffic on port 80
D.The instance uses a public AMI
AnswerC

Allowing inbound HTTP from anywhere broadens the attack surface.

Why this answer

Option A is correct because the security group allows unrestricted inbound traffic on port 80 from any source (0.0.0.0/0), violating the principle of least privilege. Option B (public AMI) is not necessarily a violation. Option C (plain text user_data) is a minor concern but not a best practice violation per se; secrets should not be in user_data.

Option D (no SSH access) is acceptable if not needed.

481
MCQhard

A large financial institution hosts a critical application in a multi-cloud environment using AWS and Azure. The application processes sensitive customer data and requires low-latency access to a shared database. The database is deployed as a MySQL instance in AWS RDS, and the Azure application instances connect to it over the public internet using SSL. Recently, the security team discovered that the database connection traffic is being routed through an unencrypted proxy, exposing the data in transit. The network architect must redesign the connectivity to ensure encryption end-to-end and minimize latency. The current setup includes an AWS Direct Connect and an Azure ExpressRoute that both terminate at the same on-premises data center. The on-premises network has a firewall that inspects all traffic. The architect proposes using the on-premises data center as an intermediary to route traffic between clouds. Which of the following solutions best addresses the security and latency requirements?

A.Create an AWS VPC peering connection to the Azure VNet through the on-premises data center using VPN tunnels, and configure the RDS security group to allow traffic only from the Azure VNet CIDR. Ensure the firewall does not decrypt the traffic.
B.Configure the Azure application to use a TLS termination proxy in the on-premises data center that forwards traffic to RDS over SSL, and allow the firewall to inspect traffic.
C.Use AWS Direct Connect and Azure ExpressRoute to connect directly to each other without going through the on-premises data center by establishing a cross-cloud direct connection.
D.Deploy a third-party SD-WAN appliance in both AWS and Azure to create an encrypted overlay network between the two clouds, bypassing the on-premises data center entirely.
AnswerA

Provides encrypted tunnel end-to-end and uses existing connections for low latency.

Why this answer

Option A is correct because it establishes an encrypted VPN tunnel between AWS and Azure through the on-premises data center, leveraging existing Direct Connect and ExpressRoute connections. This ensures end-to-end encryption (SSL from Azure app to RDS is preserved, and the VPN adds an additional layer) while keeping traffic within controlled, low-latency paths. Configuring the RDS security group to allow only the Azure VNet CIDR restricts access, and ensuring the firewall does not decrypt traffic prevents breaking the encryption chain.

Exam trap

The trap here is that candidates may assume Direct Connect and ExpressRoute can directly peer with each other (Option C) or that TLS termination at a proxy is acceptable (Option B), failing to recognize that end-to-end encryption must not be broken and that cloud provider direct interconnects are not available without a third-party service.

How to eliminate wrong answers

Option B is wrong because using a TLS termination proxy in the on-premises data center decrypts traffic for firewall inspection, breaking end-to-end encryption and exposing data in transit within the proxy. Option C is wrong because AWS Direct Connect and Azure ExpressRoute cannot directly interconnect without a third-party provider or intermediary; they terminate at separate on-premises locations and do not support direct cross-cloud peering. Option D is wrong because deploying a third-party SD-WAN appliance bypasses the on-premises data center entirely, which contradicts the architect's proposal to use the on-premises data center as an intermediary and may introduce additional latency or management complexity.

482
MCQhard

A security architect is designing a cloud-native application using microservices. They decide to implement mutual TLS (mTLS) for service-to-service communication in a Kubernetes cluster with hundreds of services. What is the primary challenge in managing mTLS certificates in this dynamic environment?

A.High latency due to encryption overhead
B.Certificate revocation and rotation
C.Incompatibility with HTTP/2
D.Increased complexity in load balancer configuration
AnswerB

Dynamic environments require automated, frequent certificate refreshes and effective revocation.

Why this answer

In a dynamic Kubernetes environment with hundreds of microservices, mTLS certificates must be frequently rotated and revoked to maintain security, especially as services scale up/down and pods are replaced. Manual certificate management is impractical, so automated solutions like SPIFFE/SPIRE or Istio’s Citadel are required to handle the lifecycle at scale. The primary challenge is not the encryption overhead but the operational complexity of ensuring every service has a valid, non-expired certificate and that compromised certificates can be promptly revoked across the mesh.

Exam trap

The trap here is that candidates confuse the operational challenge of certificate lifecycle management with perceived performance issues (latency) or compatibility concerns, when in fact mTLS is designed to work efficiently with modern protocols and the real difficulty is maintaining trust in a rapidly changing service mesh.

How to eliminate wrong answers

Option A is wrong because mTLS encryption overhead is minimal with modern hardware and optimized libraries (e.g., AES-NI, TLS 1.3), and latency is not the primary challenge in a dynamic environment. Option C is wrong because mTLS is fully compatible with HTTP/2; in fact, gRPC (which uses HTTP/2) commonly relies on mTLS for secure service-to-service communication. Option D is wrong because mTLS does not inherently increase load balancer configuration complexity; load balancers can terminate or pass-through mTLS, and the challenge lies in certificate lifecycle management, not load balancer setup.

483
MCQhard

A company uses a cloud-based intrusion detection system (IDS) that generates logs containing IP addresses. The company is headquartered in a country with data localization laws. What is the primary compliance risk?

A.The logs may be tampered with in transit
B.The IDS logs consume too much storage
C.Log data containing personal data may be processed in a different jurisdiction
D.The IDS may miss certain attack patterns
AnswerC

Data localization laws restrict cross-border transfer of personal data.

Why this answer

Logs contain IP addresses (personal data under many laws) and may be transferred abroad if the IDS vendor processes logs in another jurisdiction, violating localization requirements. Encryption does not solve localization.

484
MCQhard

During a security audit, it is discovered that a cloud service provider's infrastructure-as-a-service (IaaS) environment has virtual machines that were provisioned with default firewall rules allowing all inbound traffic from the internet. The organization's cloud security policy requires that all VM firewall rules follow a least-privilege model. What is the most effective approach to enforce this policy going forward?

A.Manually review each VM's firewall rules during deployment
B.Use a configuration management tool to periodically audit and correct firewall rules
C.Implement infrastructure as code templates with built-in security controls that enforce least-privilege firewall rules
D.Use a cloud security posture management (CSPM) tool that continuously monitors and alerts on non-compliant rules
AnswerC

Prevents non-compliant deployments from the start.

Why this answer

Option B is correct because using infrastructure as code (IaC) templates with built-in security controls ensures that all new VM deployments comply with the least-privilege policy, preventing non-compliant deployments. Options A and D are reactive or detective. Option C may miss non-compliant resources if not properly configured.

485
MCQmedium

What is the effective permission for a request coming from IP address 10.1.2.3?

A.Access allowed for all actions
B.Access denied due to explicit deny
C.Access allowed only for GetObject
D.Access denied because no explicit allow
AnswerC

The request IP matches the allow condition, so GetObject is allowed; other actions are implicitly denied.

Why this answer

The effective permission for a request from IP 10.1.2.3 is 'Access allowed only for GetObject' because the bucket policy includes an explicit allow for the s3:GetObject action when the source IP matches 10.1.2.3, and no explicit deny applies to that IP. Since there is no explicit deny for this specific request, the explicit allow grants access only to the GetObject action, not to other actions like PutObject or DeleteObject.

Exam trap

ISC2 often tests the misconception that an explicit allow for one action grants access to all actions, or that the absence of an explicit deny means full access, when in reality the default implicit deny restricts all other actions unless explicitly allowed.

How to eliminate wrong answers

Option A is wrong because an explicit allow for GetObject does not grant access for 'all actions'; AWS S3 bucket policies require explicit allow for each action, and other actions are implicitly denied. Option B is wrong because there is no explicit deny statement in the policy that matches the request from IP 10.1.2.3; explicit deny would override any allow, but it is not present here. Option D is wrong because there is an explicit allow for GetObject for that IP, so access is not denied due to 'no explicit allow'; the request is allowed for that specific action.

486
MCQhard

Refer to the exhibit. A security analyst reviews the S3 bucket policy shown. Which security issue should be flagged?

A.The policy restricts read access to a specific role, which is too permissive
B.The policy does not enable server-side encryption
C.The policy allows unauthenticated write access to the bucket
D.The policy contains a syntax error in the JSON
AnswerC

The second statement allows any principal to put objects, which is a security risk.

Why this answer

Option C is correct because the S3 bucket policy contains a Principal element set to "*" with an Effect of "Allow" on the s3:PutObject action, which grants unauthenticated write access to the bucket. This means anyone on the internet can upload objects without any authentication, leading to potential data corruption, storage cost abuse, or malware hosting. The policy does not include any condition (e.g., aws:SourceIp or aws:SecureTransport) to restrict the write operation, making it a critical security misconfiguration.

Exam trap

ISC2 often tests the distinction between read and write permissions in S3 bucket policies, and the trap here is that candidates focus on the read access being restricted (Option A) or missing encryption (Option B) while overlooking the glaring unauthenticated write access.

How to eliminate wrong answers

Option A is wrong because restricting read access to a specific role is a security best practice (least privilege), not too permissive; the issue is with write access, not read. Option B is wrong because server-side encryption is not enforced by the bucket policy itself—it is a separate bucket setting or can be enforced via a condition key (e.g., s3:x-amz-server-side-encryption) in the policy, but its absence is not the flagged security issue here. Option D is wrong because the JSON syntax appears valid (no missing commas, brackets, or quotes) based on the exhibit; the policy is syntactically correct but semantically flawed.

487
MCQmedium

An organization stores customer data in a cloud that is subject to GDPR. The organization uses a cloud provider that does not allow audits of its data centers. What is the best way to satisfy GDPR audit requirements?

A.Minimize data stored to reduce risk
B.Request a contractual waiver for audit rights
C.Switch to a provider that allows on-site audits
D.Rely on the provider's SOC 2 Type II report
AnswerD

SOC 2 provides independent audit evidence.

Why this answer

GDPR requires adequate assurances from processors. If direct audits are not possible, the customer can rely on third-party certifications like SOC 2 Type II or ISO 27001, which provide independent assurance. Waivers and data minimization do not meet audit requirements.

488
MCQhard

A cloud security engineer reviews the S3 bucket policy shown in the exhibit. What is the net effect of this policy when a request originates from IP address 203.0.113.10 over HTTPS?

A.Deny access because the request does not meet the SecureTransport condition
B.Allow access because the condition for Deny does not include SecureTransport
C.Deny access because the request is from the specified IP range
D.Allow access because the request uses HTTPS
AnswerC

Correct: Explicit Deny blocks the request.

Why this answer

The S3 bucket policy includes a Deny statement that blocks all requests from the IP range 203.0.113.0/24, which includes 203.0.113.10. The SecureTransport condition is only applied to the Allow statement, not the Deny, so HTTPS is irrelevant to the Deny effect. Since the request matches the IP address in the Deny statement, it is denied regardless of protocol.

Exam trap

ISC2 often tests the principle that an explicit Deny overrides any Allow, and candidates mistakenly think HTTPS or SecureTransport conditions apply globally to all statements in the policy.

How to eliminate wrong answers

Option A is wrong because the SecureTransport condition is only on the Allow statement, not the Deny; the Deny does not require HTTPS, so the request is denied based on IP alone. Option B is wrong because the Deny statement does not need a SecureTransport condition to block the request; the IP match is sufficient for denial. Option D is wrong because even though the request uses HTTPS, the Deny statement explicitly blocks the IP address, overriding any Allow that might apply.

489
Multi-Selecthard

A company is implementing a software-defined perimeter (SDP) for their cloud environment. Which THREE characteristics are typical of an SDP? (Choose three.)

Select 3 answers
A.Static IP whitelisting.
B.Dynamic firewall rules based on user identity.
C.Application-layer access control.
D.Mutual authentication between client and controller.
E.Single-factor authentication.
AnswersB, C, D

SDP adjusts rules dynamically based on user identity.

Why this answer

Option B is correct because software-defined perimeter (SDP) architecture uses dynamic firewall rules that are created on-the-fly based on user identity and device posture, rather than static IP addresses. The SDP controller authenticates the user and then dynamically provisions a firewall rule to allow the user's specific IP address to access the requested application, ensuring zero-trust network access.

Exam trap

The trap here is that candidates confuse SDP's dynamic, identity-based firewall rules with traditional static IP whitelisting (Option A), failing to recognize that SDP eliminates reliance on IP addresses for access control.

490
MCQeasy

A developer accidentally uploaded a file containing API credentials to a public cloud storage bucket. The cloud provider states they cannot guarantee deletion of the object. Which practice could have prevented this incident?

A.Data loss prevention for cloud storage
B.Bucket versioning
C.Access control lists
D.Server-side encryption
AnswerA

DLP can inspect and block uploads containing sensitive data.

Why this answer

Data Loss Prevention (DLP) for cloud storage can automatically scan objects for sensitive content, such as API credentials, before or after upload. When configured with policies to block or quarantine files containing patterns like access keys, DLP prevents the data from ever being stored in a public bucket, eliminating the risk even if the provider cannot guarantee deletion. This proactive control addresses the root cause—sensitive data exposure—rather than relying on post-incident remediation.

Exam trap

ISC2 often tests the distinction between preventive controls (DLP) and detective/reactive controls (versioning, encryption, ACLs), leading candidates to choose bucket versioning because it allows rollback, but versioning does not prevent the initial exposure of sensitive data.

How to eliminate wrong answers

Option B (Bucket versioning) is wrong because versioning retains multiple copies of an object, which would actually increase the exposure by preserving the compromised file even after deletion attempts, and does not prevent the initial upload. Option C (Access control lists) is wrong because ACLs only restrict who can access the bucket after the file is stored; they do not prevent a developer from uploading sensitive content to a publicly accessible bucket. Option D (Server-side encryption) is wrong because encryption protects data at rest from unauthorized access but does not prevent the upload of plaintext credentials; the credentials would still be readable by anyone with access to the bucket.

491
Multi-Selectmedium

Which TWO of the following are required for GDPR compliance when processing personal data in the cloud?

Select 2 answers
A.Appoint a Data Protection Officer (DPO) for all organizations
B.Store data only within the European Union
C.Use only ISO 27001 certified cloud service providers
D.Conduct a Data Protection Impact Assessment (DPIA) when processing is likely to result in high risk
E.Maintain a record of processing activities
AnswersD, E

GDPR requires DPIA for high-risk processing.

Why this answer

Options A and B are correct. DPIA is required for high-risk processing, and records of processing activities are mandatory. Option C is wrong because data can be stored outside EU with adequate safeguards.

Option D is wrong because DPO is only required in certain cases. Option E is wrong because CSP certification is not a legal requirement.

492
Multi-Selectmedium

Which TWO of the following are best practices for securing a cloud-based container orchestration platform?

Select 2 answers
A.Use minimal base images to reduce the attack surface.
B.Store secrets in environment variables for ease of use.
C.Run containers with root privileges by default.
D.Enable audit logging for all administrative actions.
E.Disable TLS certificate validation for internal communications.
AnswersA, D

Minimal images reduce vulnerabilities.

Why this answer

Using minimal base images (e.g., Alpine or distroless images) reduces the number of installed packages and libraries, thereby shrinking the attack surface. This practice limits the potential vectors for privilege escalation or remote code execution within containers, which is a core security principle for containerized workloads in platforms like Kubernetes.

Exam trap

ISC2 often tests the misconception that environment variables are a safe place for secrets because they are 'not stored on disk,' but in reality they are accessible to any process or user with access to the container's runtime environment.

493
MCQhard

A company uses AWS Organizations with multiple accounts. A security team wants to ensure that a specific S3 bucket in the production account cannot be deleted by anyone, including the root user of that account. Which control should be implemented?

A.Use S3 event notifications to alert when a delete is attempted.
B.Enable S3 Versioning on the bucket.
C.Enable AWS CloudTrail to log any deletion attempt.
D.Apply a service control policy (SCP) to deny s3:DeleteBucket on the production account.
AnswerD

SCPs apply to all principals including root, and cannot be overridden within the account.

Why this answer

Option D is correct because a service control policy (SCP) is an AWS Organizations policy that can be applied to an account (or OU) to restrict permissions for all IAM users, roles, and even the root user of that account. By attaching an SCP that denies the s3:DeleteBucket action, the security team ensures that no principal in the production account, including the root user, can delete the specified S3 bucket. This provides a preventive control that overrides any allow permissions within the account.

Exam trap

ISC2 often tests the distinction between preventive controls (like SCPs) and detective/reactive controls (like CloudTrail or notifications), and the trap here is that candidates confuse logging or versioning with actual deletion prevention.

How to eliminate wrong answers

Option A is wrong because S3 event notifications are only reactive alerts; they do not prevent the deletion from occurring, so the bucket can still be deleted. Option B is wrong because S3 Versioning protects objects within the bucket from being overwritten or deleted, but it does not prevent the bucket itself from being deleted. Option C is wrong because AWS CloudTrail logs API calls for auditing purposes but does not block the deletion action; it only records it after the fact.

494
MCQeasy

Which of the following is the best way to protect a web application from cross-site scripting (XSS) attacks?

A.Encode all output that is rendered in HTML.
B.Implement a Content Security Policy (CSP) as the sole defense.
C.Use a combination of input validation, output encoding, and Content Security Policy.
D.Validate all user input on the server side.
AnswerC

Defense in depth reduces the risk of XSS.

Why this answer

Option C is correct because cross-site scripting (XSS) attacks exploit multiple vectors, and no single defense is sufficient. Input validation prevents malicious payloads from being stored or processed, output encoding ensures that any residual dangerous characters are rendered inert in the HTML context, and Content Security Policy (CSP) provides a robust, browser-enforced layer that can block inline scripts and restrict script sources even if other defenses fail. This defense-in-depth approach aligns with the OWASP XSS prevention cheat sheet and is the recommended strategy for cloud-hosted web applications.

Exam trap

ISC2 often tests the misconception that a single security control (like output encoding or CSP alone) is sufficient, when the correct answer always requires a defense-in-depth combination of input validation, output encoding, and CSP.

How to eliminate wrong answers

Option A is wrong because output encoding alone does not prevent XSS in all contexts (e.g., JavaScript event handlers, CSS, or URL contexts require context-specific encoding) and does not address stored XSS where the payload is executed before encoding is applied. Option B is wrong because implementing CSP as the sole defense is insufficient; CSP can be bypassed if the application has JSONP endpoints, unsafe-inline fallbacks, or misconfigured directives, and it does not remediate existing XSS vulnerabilities in the application code. Option D is wrong because server-side input validation alone cannot stop XSS; it can be bypassed with encoding variations (e.g., double URL encoding, Unicode escapes) and does not protect against reflected or DOM-based XSS where the payload is generated client-side without server validation.

495
MCQhard

A cloud security analyst is investigating a potential data breach. They discover that an employee's credentials were used to access a cloud storage bucket containing sensitive files. The access logs show the employee accessed the bucket from an IP address in a different country during the time of the incident. Which of the following is the MOST likely attack vector?

A.The employee intentionally accessed the data from that country
B.A distributed denial-of-service (DDoS) attack overwhelmed access controls
C.The cloud storage bucket was misconfigured as public
D.The employee's credentials were stolen via a phishing attack
AnswerD

Phishing could compromise credentials used from a foreign IP.

Why this answer

The correct answer is D because the scenario describes a classic credential theft attack: an employee's credentials are used from an anomalous geographic location to access sensitive cloud storage. Phishing is the most common vector for stealing credentials, as it tricks users into revealing their passwords, which are then reused by attackers to authenticate to cloud services like AWS S3 or Azure Blob Storage. The access logs showing a foreign IP address strongly indicate the credentials were compromised and used by an unauthorized party, not the employee.

Exam trap

ISC2 often tests the distinction between credential theft and misconfiguration; the trap here is that candidates see 'different country' and assume a public bucket (option C) because they confuse geographic anomaly with open access, but the logs explicitly show credential usage, ruling out anonymous access.

How to eliminate wrong answers

Option A is wrong because the employee intentionally accessing data from a different country would not constitute a breach unless they were acting maliciously, but the scenario is about investigating a potential breach, and the anomalous IP suggests unauthorized use, not a routine business trip. Option B is wrong because a DDoS attack overwhelms network resources or application availability, not access controls; it does not grant an attacker valid credentials to authenticate to a cloud storage bucket. Option C is wrong because a misconfigured public bucket would allow anonymous access without requiring any credentials, but the logs show the employee's credentials were used, indicating authentication occurred, not anonymous public access.

496
Drag & Dropmedium

Drag and drop the steps for managing identity and access in a multi-cloud environment using a centralized identity provider (IdP) into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First integrate IdP, then create groups/roles, configure mapping, assign users with MFA, and audit.

497
MCQhard

A security engineer reviews the S3 bucket policy shown in the exhibit. Which security concern should be addressed immediately?

A.The principal "*" grants access to all AWS services
B.The second statement allows unrestricted public read access to all objects
C.The policy version is outdated and should be updated
D.The resource ARN does not include the bucket itself, only objects
AnswerB

The second statement has no condition, so it grants s3:GetObject to anyone, overriding the IP restriction.

Why this answer

Option B is correct because the second statement in the S3 bucket policy uses `"Effect": "Allow"` with `"Principal": "*"` and `"Action": "s3:GetObject"` without any condition restricting access (e.g., `IpAddress` or `Referer`). This effectively grants anonymous, unauthenticated read access to every object in the bucket, which is a critical data exposure risk. Such a policy violates the principle of least privilege and should be remediated immediately by removing the statement or adding a condition to restrict access.

Exam trap

ISC2 often tests the misconception that `"Principal": "*"` only applies to AWS services, when in fact it grants access to all principals including anonymous users, and candidates may overlook the missing condition that would otherwise restrict access.

How to eliminate wrong answers

Option A is wrong because `"Principal": "*"` grants access to all AWS users and anonymous users, not just AWS services; the misconception is that `*` limits to services, but it actually means any principal (including unauthenticated users). Option C is wrong because the policy version `"2012-10-17"` is the current and valid version for S3 bucket policies; an outdated version would be `"2008-10-17"`, but that is not a security concern here. Option D is wrong because the resource ARN `"arn:aws:s3:::example-bucket/*"` correctly specifies objects within the bucket; while it does not include the bucket itself, this is intentional for object-level permissions and is not a security issue—the bucket ARN would be needed only for bucket-level actions like `s3:ListBucket`, which is not the concern in this policy.

498
MCQhard

A cloud security engineer needs to ensure that a containerized application running in a Kubernetes cluster securely stores and rotates database credentials. Which is the most appropriate solution?

A.Store credentials as environment variables in the pod manifest
B.Embed credentials in the container image during build
C.Use a secrets management system integrated with Kubernetes, such as HashiCorp Vault with CSI driver
D.Use Kubernetes Secrets without encryption at rest
AnswerC

Vault provides secure storage, dynamic credentials, and rotation.

Why this answer

Option C is correct because HashiCorp Vault integrated with the Kubernetes CSI (Container Storage Interface) driver allows dynamic, short-lived database credentials to be injected into pods as volumes, enabling automatic rotation without application changes. This approach ensures secrets are never stored in the cluster's etcd or exposed in environment variables, aligning with the principle of least privilege and compliance requirements for credential rotation.

Exam trap

ISC2 often tests the misconception that Kubernetes Secrets are inherently secure because they are base64-encoded, but the trap is that base64 is not encryption, and without encryption at rest or an external secrets manager, they are vulnerable to etcd compromise.

How to eliminate wrong answers

Option A is wrong because storing credentials as environment variables in the pod manifest exposes them in plaintext in the cluster's etcd and in any logs or dumps that capture environment variables, violating security best practices for secret management. Option B is wrong because embedding credentials in the container image during build makes them immutable and accessible to anyone with image pull access, preventing rotation without rebuilding and redeploying the image. Option D is wrong because Kubernetes Secrets without encryption at rest store secrets in base64-encoded plaintext in etcd, which is not secure against unauthorized access to the underlying storage, and they lack native rotation capabilities.

499
MCQhard

A cloud security engineer is configuring an AWS Lambda function that processes messages from an Amazon SQS queue. The function needs to write results to a DynamoDB table. Which of the following is the SECUREST way to manage the function's credentials?

A.Use AWS Secrets Manager to store credentials and retrieve them at runtime
B.Store the database credentials as ciphertext in the Lambda environment variables
C.Attach an IAM execution role to the Lambda function with fine-grained permissions for SQS and DynamoDB
D.Create an IAM user with Access Key and Secret Key and pass them to the function via encrypted environment variables
AnswerC

This follows least privilege and avoids any static credentials.

Why this answer

Option C is correct because AWS Lambda natively supports IAM execution roles, which provide temporary, automatically rotated credentials via the AWS Security Token Service (STS). By attaching an execution role with fine-grained permissions for SQS (e.g., sqs:ReceiveMessage) and DynamoDB (e.g., dynamodb:PutItem), the function never needs to manage long-lived secrets, eliminating the risk of credential leakage or rotation failures.

Exam trap

ISC2 often tests the misconception that storing encrypted credentials in environment variables or using a secrets manager is always the most secure approach, but for AWS-native services, IAM execution roles are the recommended and most secure method because they eliminate the need for any static, long-lived credentials.

How to eliminate wrong answers

Option A is wrong because AWS Secrets Manager is designed for storing secrets like database passwords, but for AWS-native services (SQS, DynamoDB), IAM roles are the securest and simplest approach; using Secrets Manager adds unnecessary complexity and cost without improving security. Option B is wrong because storing credentials as ciphertext in Lambda environment variables still requires the function to have a decryption key (e.g., KMS key) and manage the decryption process, which is less secure than using an IAM role that never exposes static credentials. Option D is wrong because creating an IAM user with long-lived Access Key and Secret Key violates the principle of least privilege and introduces static credentials that must be rotated, encrypted, and managed, whereas an IAM execution role provides temporary credentials that are automatically rotated and scoped to the function's execution.

500
Multi-Selecthard

Which THREE of the following are key considerations when conducting a cloud risk assessment?

Select 3 answers
A.Reviewing legal and regulatory requirements applicable to the organization
B.Analyzing network latency between cloud regions
C.Identifying threats specific to cloud deployment models (IaaS, PaaS, SaaS)
D.Evaluating the CSP's physical security controls in detail
E.Assessing the impact of shared tenancy on data isolation
AnswersA, C, E

Compliance with laws is a key risk consideration.

Why this answer

Option A is correct because legal and regulatory requirements (e.g., GDPR, HIPAA, PCI DSS) directly dictate data residency, privacy controls, and breach notification obligations. A cloud risk assessment must map these requirements to the specific cloud deployment to identify compliance gaps and potential liabilities.

Exam trap

ISC2 often tests the distinction between operational metrics (like latency) and risk assessment inputs, tricking candidates into selecting performance-related options as risk factors.

501
MCQmedium

A company is implementing a cloud key management system (KMS) to control encryption keys for sensitive data. Which practice is essential to ensure the security of the keys?

A.Use a single key for all encryption operations to simplify management.
B.Export keys to the cloud provider's hardware security module (HSM).
C.Store encryption keys in the same region as the encrypted data.
D.Periodically rotate the encryption keys.
AnswerD

Key rotation limits the lifetime of exposed keys.

Why this answer

Periodic key rotation is essential because it limits the amount of data encrypted under a single key, reducing the impact of a key compromise and complying with cryptographic best practices (e.g., NIST SP 800-57). In a cloud KMS, rotation can be automated using key versions, where old keys are retained for decryption while new keys are used for encryption, ensuring forward secrecy and operational security.

Exam trap

ISC2 often tests the misconception that key rotation is optional or that storing keys in the same region as data is a security best practice, when in fact rotation is a mandatory control for key hygiene and regional separation is a common architectural pattern for isolation.

How to eliminate wrong answers

Option A is wrong because using a single key for all encryption operations violates the principle of key separation and increases the blast radius of a compromise; it also makes key management and auditing impractical. Option B is wrong because exporting keys to a cloud provider's HSM undermines the security model of a KMS, as keys should remain within the HSM's boundary and never be exported in plaintext; cloud HSMs typically do not allow key export to maintain FIPS 140-2/3 compliance. Option C is wrong because storing encryption keys in the same region as the encrypted data does not inherently improve security; it may actually increase risk if a regional breach occurs, and compliance frameworks often require key separation from data (e.g., storing keys in a different region or account) to provide defense in depth.

502
MCQhard

A DevOps team is deploying containers in a Kubernetes cluster. They need to ensure that container images are scanned for vulnerabilities before deployment. Which is the most effective approach?

A.Scan images manually after deployment.
B.Use a container registry with integrated vulnerability scanning and enforce admission controls.
C.Rely on the developer's assurance that images are secure.
D.Use a runtime security tool.
AnswerB

Integrated scanning and admission control prevent vulnerable images from being deployed.

Why this answer

Option B is correct because integrating vulnerability scanning into the container registry (e.g., using tools like Trivy, Clair, or Amazon ECR scanning) combined with admission controllers (e.g., OPA/Gatekeeper or Kyverno) allows automated scanning of images at rest and blocks deployments of non-compliant images before they enter the cluster. This shift-left approach ensures that only images passing security policies are admitted, preventing vulnerable images from reaching production.

Exam trap

ISC2 often tests the distinction between pre-deployment controls (image scanning + admission) and runtime controls, so candidates mistakenly choose runtime tools (Option D) thinking they prevent vulnerabilities, when in fact runtime tools only detect active exploits after deployment.

How to eliminate wrong answers

Option A is wrong because scanning images manually after deployment introduces a delay that allows vulnerable containers to run in the cluster, violating the principle of shift-left security and failing to prevent exploitation. Option C is wrong because relying on developer assurance without automated verification is a security anti-pattern; developers may unknowingly introduce vulnerabilities, and this approach lacks auditability and enforcement. Option D is wrong because runtime security tools (e.g., Falco, Sysdig) monitor container behavior during execution but do not prevent vulnerable images from being deployed; they address post-deployment threats, not pre-deployment image integrity.

503
MCQmedium

A company develops a microservices application and wants to ensure secrets such as API keys and database credentials are not exposed in container images. Which approach best meets this requirement?

A.Hardcode secrets in the application code and obfuscate with encryption.
B.Use a secrets management service such as HashiCorp Vault to inject secrets at runtime.
C.Pass secrets as environment variables during container deployment.
D.Store secrets in a separate configuration file within the image.
AnswerB

Secrets are never stored in the image and are dynamically injected.

Why this answer

Option B is correct because a secrets management service like HashiCorp Vault allows secrets to be dynamically injected into containers at runtime, ensuring they never reside in the image. This approach decouples secrets from the application artifact, adhering to the principle of least privilege and immutable infrastructure. Vault can inject secrets via sidecar containers, init containers, or API calls, preventing exposure in image layers or configuration files.

Exam trap

ISC2 often tests the misconception that environment variables are a secure way to pass secrets because they are not in the image, but the trap is that environment variables are still exposed in the container's runtime environment and orchestration metadata, making them vulnerable to leakage via logs, debugging tools, or misconfigured RBAC.

How to eliminate wrong answers

Option A is wrong because hardcoding secrets in application code, even with obfuscation, is insecure—encryption keys must still be stored somewhere, and obfuscation can be reversed, violating the core security principle of not embedding secrets in code. Option C is wrong because passing secrets as environment variables during deployment, while better than hardcoding, still exposes them in the container's process list, logs, and orchestration metadata, and they can be read from the host or via /proc. Option D is wrong because storing secrets in a separate configuration file within the image means the secrets are baked into the image layers, making them accessible to anyone who can pull the image, and they persist in registries and caches.

504
MCQmedium

A DevSecOps team is integrating static application security testing (SAST) into their CI/CD pipeline. Which of the following is the PRIMARY benefit of performing SAST during the build phase rather than later in the pipeline?

A.It identifies runtime vulnerabilities such as SQL injection
B.It reduces false positives compared to dynamic analysis
C.It enables early detection of vulnerabilities before deployment
D.It scans running applications to find configuration issues
AnswerC

Early detection in the build phase prevents vulnerable code from reaching production.

Why this answer

Performing SAST during the build phase allows the team to identify security vulnerabilities in the source code before the application is compiled, packaged, or deployed. This early detection reduces the cost and effort of remediation because issues are found at the point of code creation, not after deployment. The primary benefit is shifting security left to catch defects before they reach production.

Exam trap

ISC2 often tests the concept of 'shift left' security, and the trap here is confusing SAST's static analysis capability with runtime detection, leading candidates to incorrectly choose options that describe dynamic or runtime testing benefits.

How to eliminate wrong answers

Option A is wrong because SAST analyzes source code statically and cannot identify runtime vulnerabilities like SQL injection that depend on dynamic input and database interaction; those are better detected by DAST or IAST. Option B is wrong because SAST often produces more false positives than dynamic analysis due to its lack of runtime context, not fewer. Option D is wrong because SAST does not scan running applications; it scans source code or binaries without execution, whereas configuration issues in running apps are found by tools like configuration scanning or DAST.

Page 6

Page 7 of 7

All pages