Certified Cloud Security Professional CCSP (CCSP) — Questions 526-600

987 questions total · 14 pages · All types, answers revealed


Page 8 of 14

526
MCQ · easy

Which cloud-specific attack involves an application making HTTP requests to internal metadata endpoints such as 169.254.169.254 to retrieve cloud instance credentials?

A. Dependency Confusion
B. Server-Side Request Forgery (SSRF)
C. Cross-Site Scripting (XSS)
D. SQL Injection
Answer: B

SSRF tricks the server into making requests to internal endpoints.

Why this answer

The attack described is Server-Side Request Forgery (SSRF), where an attacker exploits a vulnerable application to make HTTP requests to internal metadata endpoints like 169.254.169.254 (the link-local address for cloud instance metadata services). This allows the attacker to retrieve cloud instance credentials (e.g., AWS IAM role temporary credentials) that are normally accessible only from within the instance, leading to privilege escalation and lateral movement.

Exam trap

Cisco often tests SSRF by pairing it with the specific IP 169.254.169.254, and the trap here is that candidates may confuse SSRF with Dependency Confusion (both involve external resources) or think XSS/SQLi can be used to access internal endpoints, but only SSRF exploits server-side request handling to reach cloud metadata.

How to eliminate wrong answers

Option A (Dependency Confusion) is wrong because it involves an attacker uploading a malicious package with the same name as an internal dependency to a public repository, tricking the package manager into installing it; it does not involve HTTP requests to metadata endpoints. Option C (Cross-Site Scripting) is wrong because it injects malicious scripts into web pages viewed by other users, targeting client-side browsers rather than server-side requests to internal IPs. Option D (SQL Injection) is wrong because it manipulates database queries through input fields, not HTTP requests to cloud metadata services.

527
MCQ · easy

What is the primary purpose of a Data Processing Agreement (DPA) between a data controller and a cloud service provider?

A. To set data retention periods for processed data
B. To specify encryption algorithms to be used
C. To establish data backup and recovery procedures
D. To define roles and responsibilities for data processing
Answer: D

The DPA clarifies the controller-processor relationship.

Why this answer

A Data Processing Agreement (DPA) is a legally binding contract required under regulations like GDPR. Its primary purpose is to define the roles and responsibilities of the data controller and the data processor (the cloud service provider), ensuring the processor acts only on the controller's documented instructions and meets compliance obligations. Without a DPA, the controller cannot legally transfer data to the processor, as the agreement establishes the lawful basis and accountability for processing activities.

Exam trap

ISC2 often tests the distinction between legal/compliance documents (DPA) and operational/technical documents (SLA, security policies), so the trap here is confusing the DPA's role in defining processing roles with specific technical controls like encryption or backup procedures.

How to eliminate wrong answers

Option A is wrong because data retention periods are typically defined in a separate data retention policy or contract clause, not the DPA; the DPA focuses on processing instructions and compliance, not specific retention schedules. Option B is wrong because encryption algorithms are a technical security measure specified in a Security Addendum or SLA, not the DPA; the DPA addresses legal and contractual roles, not cryptographic implementation details. Option C is wrong because backup and recovery procedures are operational controls documented in a Business Continuity Plan or Disaster Recovery Plan, not the DPA; the DPA governs data processing boundaries and liability, not specific recovery steps.

528
MCQ · hard

A security engineer is investigating an incident where an attacker exploited a server-side request forgery (SSRF) vulnerability in a cloud application. The application runs on AWS and uses internal metadata endpoints. Which mitigation should be prioritized to prevent future SSRF attacks?

A. Implement input validation to block malicious URLs
B. Restrict outbound network access from the application instances using security groups
C. Deploy a web application firewall (WAF) to inspect outgoing requests
D. Disable the IMDSv1 endpoint and require IMDSv2 tokens
Answer: B

Blocking outbound traffic to the metadata IP (169.254.169.254) and other internal IPs prevents SSRF exploitation.

Why this answer

Option B is correct because restricting outbound network access from application instances using security groups directly prevents the application from reaching the internal metadata endpoint (169.254.169.254) and other internal services. This is a fundamental network-layer control that stops SSRF attacks at the source, regardless of input validation or request inspection, by blocking the outbound traffic that the attacker would exploit.

Exam trap

ISC2 often tests the misconception that input validation or WAFs are sufficient to stop SSRF, when in reality the most effective mitigation is network-layer egress filtering that blocks access to internal metadata endpoints.

How to eliminate wrong answers

Option A is wrong because input validation to block malicious URLs is easily bypassed by attackers using URL encoding, redirects, or alternative representations of the metadata endpoint (e.g., decimal IP, DNS rebinding), and it does not address the root cause of the application making unauthorized outbound requests. Option C is wrong because a web application firewall (WAF) inspects incoming HTTP requests, not outgoing requests from the application; it cannot block the outbound SSRF traffic that originates from the application server itself. Option D is wrong because disabling IMDSv1 and requiring IMDSv2 tokens only protects the metadata service from unauthorized access via token-based authentication, but it does not prevent the application from making SSRF requests to other internal endpoints or external systems; the attacker could still exploit the application to make outbound requests to arbitrary targets.

529
MCQ · hard

An organization uses cloud databases and needs to protect sensitive fields such as credit card numbers. They want to preserve the ability to perform exact match searches and joins on these fields. Which data protection technique best meets these requirements?

A. Tokenization with a secure token vault
B. Format-preserving encryption (FPE)
C. Dynamic data masking
D. Deterministic encryption
Answer: A

Tokens can be designed to preserve format and allow exact match joins.

Why this answer

Tokenization with a secure token vault is correct because it replaces sensitive data (e.g., credit card numbers) with unique, randomly generated tokens that have no mathematical relationship to the original values. The token vault stores the mapping, allowing exact match searches and joins on the tokens while keeping the original data secure, as the tokens are consistent for the same input value.

Exam trap

ISC2 often tests the distinction between tokenization and deterministic encryption, where candidates mistakenly choose deterministic encryption because it also supports exact match searches, but they overlook that tokenization provides stronger security by removing the mathematical link between the token and the original data, making it resistant to key compromise and frequency analysis.

How to eliminate wrong answers

Option B (Format-preserving encryption) is wrong because FPE produces ciphertext that preserves the original format but is still encrypted, meaning it does not eliminate the risk of exposing sensitive data if the encryption key is compromised, and it may not be suitable for all cloud environments where key management is complex. Option C (Dynamic data masking) is wrong because it only hides data from unauthorized users at query time without changing the underlying stored data, so it does not protect the data at rest and cannot prevent access to the original values if the masking rules are bypassed. Option D (Deterministic encryption) is wrong because while it allows exact match searches by always producing the same ciphertext for a given plaintext, it is vulnerable to frequency analysis attacks and does not provide the same level of security as tokenization, as the encrypted values are still mathematically reversible with the key.

530
Multi-Select · easy

Which TWO of the following are examples of data sovereignty laws that directly affect cloud data storage?

Select 2 answers
A. General Data Protection Regulation (GDPR)
B. Sarbanes-Oxley Act (SOX)
C. California Consumer Privacy Act (CCPA)
D. Payment Card Industry Data Security Standard (PCI DSS)
E. Health Insurance Portability and Accountability Act (HIPAA)
Answers: A, C

GDPR applies to personal data of EU residents and includes data sovereignty principles.

Why this answer

The General Data Protection Regulation (GDPR) is a data sovereignty law because it imposes strict requirements on the storage and processing of personal data of EU residents, mandating that data be stored within the EU or in jurisdictions with equivalent protection, directly affecting where cloud providers can host data. It enforces data localization principles through mechanisms such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), requiring cloud customers to ensure their provider's storage regions comply with these territorial restrictions.

Exam trap

ISC2 often tests the distinction between data sovereignty (geographic storage restrictions) and data security/privacy regulations (which focus on protection controls but not location), causing candidates to mistakenly select PCI DSS or HIPAA as sovereignty laws when they are actually security and privacy frameworks without territorial mandates.

531
MCQ · easy

A company receives an erasure request under GDPR. The cloud provider can delete from active storage within 24 hours but requires 90 days to delete from archives. The company has a contractual obligation to ensure deletion within 30 days. What should the company do?

A. Delete the data from the application layer only and rely on the provider for archives.
B. Accept the 90-day timeline and inform the data subject accordingly.
C. Request the provider to delete from archives within 30 days and verify.
D. Reject the request as impractical.
Answer: C

This actively pursues compliance with both the contract and GDPR by expediting deletion.

Why this answer

Option C is correct because the company has a contractual obligation to ensure deletion within 30 days, which overrides the provider's default 90-day archive retention policy. The company must formally request the provider to expedite the deletion from archives and verify compliance, as GDPR Article 17 requires the controller to ensure erasure without undue delay, and the provider as processor must assist. Relying on the provider's standard timeline without action would breach the contract and GDPR accountability requirements.

Exam trap

ISC2 often tests the misconception that a cloud provider's default retention policy absolves the controller of contractual or regulatory deadlines, when in fact the controller must actively manage the processor's actions or employ alternative technical controls like key destruction to meet the timeline.

How to eliminate wrong answers

Option A is wrong because deleting only from the application layer while leaving data in archives violates the GDPR erasure principle, as the data remains accessible and recoverable, and the controller remains responsible for complete deletion. Option B is wrong because accepting the 90-day timeline and merely informing the data subject does not fulfill the contractual obligation of 30-day deletion, and GDPR does not allow the controller to unilaterally extend the erasure deadline based on the processor's limitations. Option D is wrong because rejecting the request as impractical ignores the controller's duty to use contractual leverage or technical measures (e.g., encryption key destruction) to meet the 30-day deadline, and GDPR does not permit refusal solely due to archive retention policies.

532
MCQ · hard

An AWS S3 bucket policy is configured as shown in the exhibit. The security team wants to ensure that only requests from the corporate IP range (203.0.113.0/24) can read objects in the bucket. However, they notice that a CloudFront distribution configured to serve content from this bucket is returning 403 Forbidden errors. What is the MOST likely cause?

A. The bucket policy has a syntax error in the Condition block.
B. There is an implicit deny that overrides the explicit allow.
C. The bucket policy does not allow the s3:GetObject action.
D. CloudFront requests originate from CloudFront IP addresses, not the end user's IP.
Answer: D

The condition on aws:SourceIp checks the IP of the requestor, which is CloudFront's IP, not the viewer's IP.

Why this answer

Option D is correct because when CloudFront fetches objects from an S3 origin, it uses its own IP addresses, not the end user's IP address. The bucket policy restricts access to the corporate IP range (203.0.113.0/24), but CloudFront's requests come from AWS's CloudFront edge IP range, which falls outside that range. This causes S3 to deny the request, resulting in a 403 Forbidden error.

Exam trap

ISC2 often tests the misconception that the end user's IP address is preserved through a CDN or proxy, leading candidates to incorrectly assume the bucket policy's IP restriction will work as intended.

How to eliminate wrong answers

Option A is wrong because the Condition block syntax is valid; the policy uses standard AWS IAM policy language with IpAddress condition key, and there is no syntax error indicated. Option B is wrong because there is no implicit deny overriding the explicit allow; the issue is that the condition does not match CloudFront's source IP, not a deny override. Option C is wrong because the policy explicitly allows the s3:GetObject action for the specified IP range, so the action is permitted when the condition is met.

533
MCQ · medium

A security engineer is implementing container image security. They want to ensure that only signed images from a trusted registry can be deployed in the Kubernetes cluster. Which tool should they use to enforce this at the admission controller level?

A. Clair
B. Trivy
C. Cosign
D. Snyk Container
Answer: C

Cosign supports image signing and verification, and can be used with admission controllers.

Why this answer

Cosign is a tool for signing and verifying container images. It integrates with admission controllers like Kyverno or OPA Gatekeeper to enforce that only signed images are deployed.

534
MCQ · medium

A medium-sized e-commerce company uses a cloud provider's container orchestration service (e.g., Amazon ECS or Google Kubernetes Engine). They have a security requirement to ensure that all containers run with the least privilege principle. The development team often requests containers to run as root for debugging purposes. The security team wants to enforce a policy that prevents containers from running as root in the production environment. However, the development team still needs the ability to troubleshoot occasionally. The cloud security architect must design a solution that restricts root privilege in production but allows controlled troubleshooting. Which of the following approaches is the most effective?

A. Allow containers to run as root but configure host-based intrusion detection to alert on suspicious activities.
B. Grant developers SSH access to the host nodes for troubleshooting.
C. Use a security context constraint (or PodSecurityPolicy) to deny all containers running as root, and require developers to use a sidecar container for debugging.
D. Create two separate clusters, one for production with root restriction, and one for debugging where root is allowed.
Answer: C

Enforces non-root and provides controlled debugging via sidecar.

Why this answer

Option C is correct because it uses a security context constraint (SCC) or PodSecurityPolicy (PSP) to enforce a deny-all policy for root containers in production, which aligns with the least privilege principle. The sidecar container provides a controlled debugging mechanism without granting root access to the main application container, allowing developers to troubleshoot via a separate, privileged sidecar that can be audited and restricted.

Exam trap

ISC2 often tests the misconception that allowing root in containers with monitoring (Option A) or using separate clusters (Option D) is acceptable, but the CCSP emphasizes that least privilege must be enforced at the container level, not compensated for by external controls.

How to eliminate wrong answers

Option A is wrong because allowing containers to run as root and relying solely on host-based intrusion detection (HIDS) does not prevent the violation of the least privilege principle; root access in containers can still lead to container breakout or privilege escalation before any alert is triggered. Option B is wrong because granting developers SSH access to host nodes undermines the security boundary, as it exposes the underlying host OS and potentially other containers, violating the principle of isolation and increasing the attack surface. Option D is wrong because maintaining two separate clusters (production and debugging) introduces operational complexity, configuration drift, and does not enforce least privilege in production; developers might still need root access in production for debugging, which the separate cluster does not address without additional controls.

535
MCQ · hard

An organization is migrating a legacy application to the cloud and wants to minimize vendor lock-in. They plan to use containers orchestrated by Kubernetes. Which design principle is the organization primarily applying?

A. Elasticity
B. Multitenancy isolation
C. Reversibility
D. Portability
Answer: D

Using open standards like Kubernetes and containers enhances workload portability across clouds.

Why this answer

Portability focuses on avoiding vendor lock-in by using open standards and technologies like Kubernetes and Docker that can run across different cloud providers.

536
MCQ · medium

A cloud customer is migrating a legacy application to a cloud platform. The application currently runs on physical servers and uses local storage. The migration plan involves rehosting the application on virtual machines (VMs) in the cloud. The security team wants to ensure that the VMs are properly hardened before deployment. During the migration testing, the team discovers that the base image used for the VMs contains several unnecessary services and default credentials. The team is concerned that these vulnerabilities could be exploited. The cloud provider offers a shared responsibility model where the customer is responsible for securing the OS. Which of the following is the BEST course of action to address this issue?

A. Deploy the VMs and run vulnerability scans to identify and fix issues after deployment
B. Ask the cloud provider to provide a hardened OS image
C. Create a custom golden image with necessary hardening and approved software only
D. Deploy the VMs and manually apply security patches and remove services after deployment
Answer: C

Ensures consistent and secure base.

Why this answer

Option C is correct because creating a custom golden image allows the customer to enforce a hardened baseline that removes unnecessary services, disables default credentials, and includes only approved software before any VM is deployed. This aligns with the shared responsibility model, where the customer controls OS-level security, and prevents vulnerabilities from ever reaching production. Pre-hardening the image is more secure and efficient than fixing issues post-deployment, as it eliminates the window of exposure during initial boot and configuration.

Exam trap

The trap here is that candidates may choose Option D (manual patching after deployment) because it seems practical, but they overlook that this approach leaves VMs vulnerable during the initial boot and configuration phase, whereas pre-hardening the image eliminates that risk entirely.

How to eliminate wrong answers

Option A is wrong because deploying VMs with known vulnerabilities and relying on post-deployment vulnerability scans introduces a window of exposure where the VMs could be compromised before patches are applied, and it violates the principle of secure-by-default. Option B is wrong because the cloud provider is responsible for the hypervisor and infrastructure, not the OS image; asking them to provide a hardened OS image shifts responsibility that the customer must own under the shared responsibility model, and providers typically offer only generic base images. Option D is wrong because manually patching and removing services after deployment is error-prone, time-consuming, and leaves the VMs exposed during the time between deployment and remediation, which is especially risky in automated scaling scenarios.

537
MCQ · easy

Under the General Data Protection Regulation (GDPR), if a cloud service provider (acting as a data processor) suffers a personal data breach, what is the provider's obligation regarding notification?

A. The processor must notify the data controller without undue delay upon becoming aware of the breach.
B. The processor must notify the supervisory authority within 72 hours.
C. The processor does not have any notification obligation under GDPR.
D. The processor must notify the affected data subjects directly within 72 hours.
Answer: A

This is correct per GDPR Article 33(2).

Why this answer

GDPR Article 33 requires the data processor to notify the data controller without undue delay after becoming aware of a breach. The controller then has 72 hours to notify the supervisory authority.

538
MCQ · hard

A company needs to export data from a cloud service in a machine-readable format to comply with a data subject's right to data portability under GDPR. Which format is most appropriate?

A. HTML
B. PDF
C. CSV (Comma-Separated Values)
D. JPEG
Answer: C

CSV is machine-readable and commonly used for data portability.

Why this answer

GDPR requires data to be provided in a structured, commonly used, machine-readable format; CSV is widely accepted.

539
MCQ · hard

An organization must implement encryption for data in transit between its on-premises data center and a cloud provider. The data is sensitive and the organization requires a dedicated, encrypted tunnel. Which solution should be used?

A. Client-side encryption before upload
B. TLS 1.2 for API communication
C. VPN connection
D. Cloud KMS for key exchange
Answer: C

VPN creates an encrypted tunnel over the internet for secure connectivity.

Why this answer

A VPN (Virtual Private Network) provides a dedicated, encrypted tunnel for hybrid connectivity between on-premises and cloud.

540
MCQ · hard

In a Kubernetes environment, a security team wants to enforce that only images signed by a trusted authority can be deployed. Which component can be used to validate image signatures at admission time?

A. Network policies
B. Admission controller (e.g., OPA Gatekeeper)
C. RBAC policies
D. Secrets management with Vault
Answer: B

Admission controllers can enforce policies such as requiring signed images.

Why this answer

Admission controllers like OPA Gatekeeper or Kyverno can verify image signatures before a pod is created. RBAC controls access, not image validity; network policies manage traffic; secrets management handles credentials.

541
MCQ · hard

A cloud security team needs to implement a logging strategy that captures user activity, API calls, and resource changes across multiple cloud services. The logs must be tamper-proof and retained for at least one year. Which combination of actions best meets these requirements?

A. Stream all logs to a Security Information and Event Management (SIEM) system and retain raw logs for one year on standard storage.
B. Enable logging for all services, encrypt logs at rest, and store them in a centralized log management system.
C. Use separate logging accounts for each cloud service and retain logs in their native format.
D. Centralize logs into a dedicated log archive account with write-once-read-many (WORM) storage and enable anomaly detection alerts.
Answer: D

WORM storage prevents modification or deletion, meeting tamper-proof requirement.

Why this answer

Option D is correct because centralizing logs in a dedicated archive account with write-once (WORM) storage ensures tamper-proof retention, and alerting on anomalies provides security monitoring. Option B is wrong because encryption alone does not prevent tampering, and a simple log management system may still allow deletion. Option C is wrong because using separate log accounts for each service creates silos and complexity. Option A is wrong because streaming to a SIEM is good practice, but retention should be in immutable storage rather than standard storage.

542
MCQ · easy

Which cloud service model provides the consumer with the ability to deploy and run custom applications using the provider's programming languages, libraries, and tools, but does not allow management of the underlying infrastructure?

A. PaaS
B. SaaS
C. IaaS
D. CaaS
Answer: A

PaaS allows deployment of custom applications without managing infrastructure.

Why this answer

PaaS provides a platform for customers to develop and run applications without managing the underlying infrastructure. IaaS provides infrastructure, SaaS provides software.

543
MCQ · medium

An organization is setting up a centralized logging solution across multiple AWS accounts. The security team requires that logs from all accounts be sent to a single security account, with lifecycle policies to transition logs to cheaper storage after 90 days. Which approach should be used?

A. Enable CloudTrail in each account and manually copy logs daily to the security account.
B. Create a CloudTrail trail in each account and export logs to CloudWatch Logs, then use a cross-account subscription filter to a central S3 bucket.
C. Use AWS Lambda to copy logs from each account's S3 bucket to the central bucket.
D. Use AWS Organizations and enable a single CloudTrail trail that delivers logs to a central S3 bucket in the management account.
Answer: D

AWS Organizations allows a single trail to be applied to all accounts, delivering to a central bucket.

Why this answer

For cross-account log aggregation, CloudTrail can be configured to deliver logs from multiple accounts to a central S3 bucket in the security account. Lifecycle policies on that bucket can then manage transitions to lower-cost storage classes.

544
MCQ · medium

A company is evaluating the risk of using a single cloud provider for all critical workloads. Which risk is most directly associated with this scenario?

A. Inherent risk of shared infrastructure
B. Third-party risk
C. Concentration risk
D. Control effectiveness risk
Answer: C

Correct. Concentration risk is the risk of relying on a single provider.

Why this answer

Concentration risk refers to the over-reliance on a single provider, leading to high impact if that provider suffers an outage or data loss.

545
MCQ · easy

A cloud operations team is setting up a new virtual network in the cloud. They need to segment traffic between different tiers of an application (web, application, database). Which security control should they implement?

A. Network access control lists and security groups
B. Intrusion detection system
C. Data loss prevention
D. Web application firewall
Answer: A

NACLs and security groups filter traffic based on rules, enabling segmentation.

Why this answer

Option A is correct because network access control lists (NACLs) and security groups provide network segmentation by controlling traffic between tiers. Option B (IDS) detects threats but does not control traffic. Option D (WAF) protects web applications at layer 7. Option C (DLP) prevents data loss, not traffic segmentation.

546
Multi-Select · hard

Which THREE of the following are key components of a cloud data governance framework?

Select 3 answers
A. Data retention policies
B. Data access controls
C. Data masking
D. Data classification
E. Data encryption at rest
Answers: A, B, D

Policies define how long data is kept and when to delete.

Why this answer

Data retention policies are a key component of a cloud data governance framework because they define the lifecycle of data, specifying how long data must be kept and when it should be securely deleted. This ensures compliance with legal, regulatory, and business requirements, such as GDPR or HIPAA, and prevents unnecessary storage costs and security risks from outdated data.

Exam trap

ISC2 often tests the distinction between governance components (policies, roles, processes) and technical security controls (encryption, masking), leading candidates to mistakenly select data masking or encryption as governance framework elements.

547
MCQ · medium

A cloud operations team is implementing a logging strategy for their hybrid cloud environment. They need to ensure that logs from on-premises systems are collected and stored in a centralized cloud logging service with low latency. Which configuration is most appropriate?

A. Transfer logs via email attachments
B. Use a VPN connection and forward syslog directly to the cloud endpoint
C. Configure on-premises systems to send logs via syslog over the internet with TLS
D. Use a cloud logging agent on-premises that buffers and sends logs via HTTPS
Answer: B

A dedicated VPN reduces latency and ensures consistent connectivity.

Why this answer

Option B is correct because using a VPN connection and forwarding syslog directly to the cloud endpoint provides a dedicated, low-latency path. Option C (syslog over the internet with TLS) may introduce latency. Option D (cloud logging agent) may buffer and delay logs. Option A (email) is not suitable for real-time logging.

548
Multi-Select · medium

A cloud security architect is designing access controls for a cloud storage bucket that contains sensitive customer data. The architect needs to implement a solution that provides granular, time-limited access to specific objects for external auditors. Which TWO methods should the architect consider? (Select TWO.)

Select 2 answers
A. Bucket policies
B. Signed URLs
C. IAM roles
D. Access keys
E. Pre-signed URLs
Answers: B, E

Signed URLs are similar to pre-signed URLs, providing time-limited access.

Why this answer

Pre-signed URLs and signed URLs are both used to grant time-limited access to specific objects without requiring the user to have cloud credentials. IAM roles provide broader access. Bucket policies provide blanket access. Access keys are long-lived.

549
MCQ · hard

A security analyst discovers that a container running in a Kubernetes cluster has been compromised. The attacker escalated privileges and accessed the host's kernel. Which of the following misconfigurations most likely allowed this container escape?

A. The container was run with the --privileged flag
B. The container was run with a default Seccomp profile
C. The container was run with a read-only root filesystem
D. The container was run with an AppArmor profile in enforce mode
Answer: A

The --privileged flag gives the container almost unrestricted access to the host kernel, enabling easy escape.

Why this answer

Running a container with the --privileged flag grants all capabilities and disables most security mechanisms, making container escape trivial. Other options like Seccomp or AppArmor would restrict actions, and read-only root filesystem would prevent writes, but the privileged mode is the most direct enabler.

550
MCQ · medium

A company has a disaster recovery (DR) plan that includes failing over to a secondary cloud region. The plan was tested six months ago and worked, but since then significant infrastructure changes have been made. Which of the following should the company do to ensure the DR plan remains effective?

A.Wait until the next annual DR test to verify the changes.
B.Automate the entire failover process to eliminate human error.
C.Update the DR documentation to reflect the changes and assume the plan still works.
D.Conduct a tabletop exercise now, followed by a partial failover test of critical applications.
AnswerD

Tabletop and partial failover identify gaps quickly and are less disruptive.

Why this answer

Option D is correct because a tabletop exercise followed by a partial failover of critical applications validates the changes without full disruption. Option A is wrong because waiting for one annual test is insufficient given the changes. Option C is wrong because documentation updates without testing are risky.

Option B is wrong because automating failover reduces human error, but the automation itself still requires validation.

551
Multi-Selectmedium

Which TWO of the following are common risk treatment options in cloud risk management?

Select 2 answers
A.Ignorance
B.Transference
C.Avoidance
D.Deletion
E.Acceptance
AnswersB, C

Correct. Transferring risk to a third party (e.g., insurance) is a treatment option.

Why this answer

Transference (Option B) is correct because it shifts the financial or operational impact of a risk to a third party, such as purchasing cyber insurance or outsourcing to a cloud provider with contractual liability. In cloud risk management, transference does not eliminate the risk but moves the burden of loss, which is a standard treatment option per NIST SP 800-37 and ISO 31000 frameworks.

Exam trap

Cisco often tests the distinction between 'acceptance' (a valid risk treatment) and 'ignorance' (not a treatment), tricking candidates into selecting acceptance when the question asks for 'common' options—here, transference and avoidance are the intended pair, while acceptance is a distractor that appears correct but is not listed as correct in the answer key.

552
Multi-Selecteasy

A company is adopting a multi-cloud strategy to reduce concentration risk. Which two benefits are directly associated with this approach? (Choose two.)

Select 2 answers
A.Reduced vendor lock-in
B.Increased resilience
C.Simplified compliance management
D.Unified security controls
E.Lower network latency
AnswersA, B

Multiple providers reduce dependency on one vendor.

Why this answer

Multi-cloud reduces dependency on a single provider (concentration risk) and allows flexibility to use best-of-breed services.

553
MCQeasy

A cloud customer is decommissioning a storage service that contains sensitive data. The cloud provider offers several data destruction options. Which method provides the HIGHEST assurance that data is irrecoverable?

A.Degaussing the storage media
B.Physical shredding of the storage drives
C.Multiple overwrite passes with zeros and ones
D.Cryptographic erasure of encryption keys
AnswerB

Guarantees data is irrecoverable.

Why this answer

Option B is correct because physical destruction of the storage media ensures data cannot be recovered by any means. Option D is wrong because cryptographic erasure is effective, but if the key is not properly destroyed, data may still be recoverable. Option C is wrong because overwriting with zeros and ones may leave residual data in some cases.

Option A is wrong because degaussing is effective for magnetic media but not for SSDs, and some drives may still be recoverable.

554
MCQmedium

A cloud security architect needs to allow an application in a VPC to access a cloud database service without traversing the public internet. Which AWS-specific feature should be implemented?

A.VPN Connection
B.Internet Gateway
C.VPC Endpoint (PrivateLink)
D.NAT Gateway
AnswerC

VPC Endpoints provide private connectivity to supported services.

Why this answer

VPC Endpoint (PrivateLink) enables private connectivity to AWS services without internet exposure.

555
MCQmedium

A financial services company stores customer transaction data in a cloud object storage service. The security team wants to ensure that if a malicious insider gains access to the storage bucket, they cannot read the data. Which encryption approach provides the highest level of protection against the cloud provider and insiders?

A.Client-side encryption using a customer-managed key
B.Server-side encryption with AES-256 (SSE-S3)
C.Server-side encryption with customer-provided keys (SSE-C)
D.Transport Layer Security (TLS) for data in transit
AnswerA

Client-side encryption ensures data is encrypted before upload; the cloud never sees plaintext, and keys are managed by the customer.

Why this answer

Client-side encryption means data is encrypted before it is uploaded to the cloud. The cloud provider never has access to the encryption keys, and data remains encrypted at rest and in transit (if TLS is also used). This protects against both the cloud provider and insiders with administrative access to the storage service.

556
MCQmedium

A cloud-native application is deployed on AWS. During a security review, the team discovers that if an attacker can send a crafted request to the application, the application will make an HTTP request to http://169.254.169.254/latest/meta-data/iam/security-credentials/. Which vulnerability is being exploited?

A.SQL injection
B.Cross-site scripting (XSS)
C.Insecure deserialization
D.Server-Side Request Forgery (SSRF)
AnswerD

SSRF allows an attacker to induce the server to make requests to internal resources, such as the cloud metadata endpoint.

Why this answer

Server-Side Request Forgery (SSRF) targeting the cloud metadata endpoint can expose IAM credentials. The IP 169.254.169.254 is the link-local address for cloud metadata services.

557
MCQhard

An attacker publishes a malicious package to a public registry using the same name as an internal package used by a cloud application. This attack is known as:

A.Dependency confusion
B.Supply chain poisoning
C.Man-in-the-middle attack
D.Typosquatting
AnswerA

Dependency confusion exploits package resolution order to install a malicious public package.

Why this answer

Dependency confusion occurs when an attacker publishes a malicious package to a public registry (e.g., npm, PyPI, Maven Central) using the same name as an internal, private package. When a cloud application's build system is configured to fetch dependencies from both public and private registries, the package manager may prioritize the public registry (often due to higher version numbers or default resolution order), causing the malicious package to be installed instead of the legitimate internal one. This exploits the trust in package resolution algorithms and is a specific form of supply chain attack targeting cloud-native CI/CD pipelines.

Exam trap

Cisco often tests the distinction between dependency confusion and typosquatting, so the trap here is that candidates confuse the exact-name-match technique (dependency confusion) with the misspelling-based technique (typosquatting), leading them to incorrectly select typosquatting when the question explicitly states 'same name.'

How to eliminate wrong answers

Option B (Supply chain poisoning) is wrong because it is a broader category encompassing any attack that compromises a component in the software supply chain (e.g., injecting malicious code into a legitimate package, compromising build servers), whereas dependency confusion is a specific technique that relies on name collision and registry priority. Option C (Man-in-the-middle attack) is wrong because it involves intercepting or altering communications between two parties (e.g., between a client and a registry), not exploiting package name resolution logic; dependency confusion does not require network interception. Option D (Typosquatting) is wrong because it relies on registering a package with a name that is a common misspelling or typo of a popular package (e.g., 'requrests' instead of 'requests'), whereas dependency confusion uses the exact same name as an internal package, not a misspelling.

558
MCQeasy

A company uses a cloud storage service to store sensitive customer data. They need to ensure that data is encrypted at rest using keys managed by the cloud provider. Which encryption model should they use?

A.Server-Side Encryption with S3-Managed Keys (SSE-S3)
B.Server-Side Encryption with AWS KMS (SSE-KMS)
C.Client-Side Encryption (CSE)
D.Server-Side Encryption with Customer-Provided Keys (SSE-C)
AnswerA

SSE-S3 uses cloud provider-managed keys.

Why this answer

The requirement specifies that the cloud provider manages the encryption keys. SSE-S3 uses keys that are entirely managed by AWS (S3) for encrypting data at rest, with each object encrypted by a unique key that is itself encrypted by a regularly rotated master key. This aligns perfectly with the scenario where the customer does not want to manage keys.

Exam trap

ISC2 often tests the distinction between 'provider-managed keys' (SSE-S3) and 'customer-managed keys' (SSE-KMS or SSE-C), where candidates mistakenly choose SSE-KMS because it offers more control, but the question explicitly requires keys managed solely by the provider.

How to eliminate wrong answers

Option B is wrong because SSE-KMS uses AWS KMS keys, which are still managed by the cloud provider but offer additional control (e.g., key rotation policies, audit trails) and are not the default 'provider-managed' model; the question explicitly asks for keys managed by the cloud provider, and SSE-S3 is the simplest provider-managed option. Option C is wrong because Client-Side Encryption (CSE) requires the customer to encrypt data before uploading, meaning the customer manages the keys, not the cloud provider. Option D is wrong because SSE-C requires the customer to provide their own encryption keys, which the cloud provider uses temporarily but does not manage or store; the customer retains full key management responsibility.

559
MCQmedium

An organization wants to share a large file from a cloud storage bucket with an external partner for a limited time. They need to ensure that the partner can only access the specific file and that the access expires automatically. Which method should they use?

A.Make the bucket public
B.Create a new IAM user for the partner and attach a policy to the bucket
C.Use cross-region replication
D.Use a pre-signed URL
AnswerD

Pre-signed URLs provide temporary, object-specific access.

Why this answer

Pre-signed URLs (or signed URLs) grant time-limited access to a specific object. The URL contains authentication information and an expiration time, allowing the partner to download the object without needing AWS credentials.

560
MCQmedium

During a security audit, a cloud application is found to have numerous container images with critical vulnerabilities. The DevOps team wants to prevent vulnerable images from being deployed to production. Which two controls should be implemented? (Select TWO)

A.Implement image vulnerability scanning in the CI/CD pipeline
B.Regularly update base images
C.Only allow signed images to be pulled from a trusted registry
D.Use network segmentation to isolate production containers
E.Run all containers as non-root users
AnswersA, C

Scanning can fail the build if critical vulnerabilities are found, preventing deployment.

Why this answer

Option A is correct because integrating image vulnerability scanning into the CI/CD pipeline ensures that every container image is automatically checked for known Common Vulnerabilities and Exposures (CVEs) before it can be promoted to production. This shift-left approach blocks vulnerable images at build time, preventing them from ever reaching the production environment. Option C is correct because enforcing signed images from a trusted registry (e.g., using Docker Content Trust or Notary) cryptographically verifies the image's integrity and origin, ensuring only authorized, non-tampered images are deployed.

Exam trap

ISC2 often tests the distinction between preventive controls (like scanning and signing) that stop vulnerable images from being deployed versus mitigative controls (like network segmentation or non-root users) that reduce the impact after deployment, leading candidates to select the latter as a substitute for prevention.

How to eliminate wrong answers

Option B is wrong because regularly updating base images is a good security hygiene practice but does not prevent already-built vulnerable images from being deployed; it only reduces future vulnerabilities. Option D is wrong because network segmentation isolates production containers at the network layer to limit lateral movement, but it does not prevent a vulnerable image from being deployed in the first place. Option E is wrong because running containers as non-root users reduces the blast radius of a compromise but does not stop a vulnerable image from being deployed to production.

561
MCQeasy

A cloud service provider (CSP) offers a shared responsibility model. According to this model, who is responsible for patching the hypervisor?

A.The customer.
B.The regulatory authority.
C.The cloud service provider.
D.A third-party auditor.
AnswerC

The CSP manages the hypervisor as part of the shared responsibility model.

Why this answer

In a cloud shared responsibility model, the hypervisor is part of the underlying infrastructure that the cloud service provider (CSP) manages. The CSP is responsible for patching the hypervisor because it controls the virtualization layer that separates tenant workloads. Customers are responsible only for securing their guest operating systems and applications, not the hypervisor itself.

Exam trap

Cisco often tests the misconception that customers are responsible for all software patching, but the trap here is that the hypervisor is part of the CSP's infrastructure layer, not the customer's virtual environment.

How to eliminate wrong answers

Option A is wrong because the customer does not have administrative access to the hypervisor; patching it would violate the separation of duties and could compromise multi-tenant isolation. Option B is wrong because regulatory authorities (e.g., GDPR, PCI DSS) set compliance requirements but do not perform patching operations. Option D is wrong because a third-party auditor assesses compliance and security controls but has no operational responsibility for applying patches.

562
MCQmedium

A software company develops an API for third-party integrations. They want to ensure that only authorized partners can access the API. Which authentication mechanism is most appropriate?

A.Basic authentication with API keys
B.OAuth 2.0 with client credentials
C.SAML 2.0
D.X.509 certificates
AnswerB

OAuth 2.0 client credentials grant is a standard for machine-to-machine API authentication.

Why this answer

OAuth 2.0 with the client credentials grant is the most appropriate mechanism for machine-to-machine API access because it allows the API to authenticate the third-party application itself (the client) using a client ID and client secret, without involving end-user credentials. This grant type is specifically designed for server-to-server integrations where the client is acting on its own behalf, providing a secure, token-based approach that avoids sharing long-lived secrets directly with each API call.

Exam trap

ISC2 often tests the distinction between authentication mechanisms by presenting SAML 2.0 as a plausible answer for API security, but the trap here is that SAML is designed for browser-based user authentication and federation, not for direct API access from third-party applications, leading candidates to confuse identity federation with API authorization.

How to eliminate wrong answers

Option A is wrong because Basic authentication with API keys transmits the API key in plaintext (Base64-encoded) with every request, offering no cryptographic protection and requiring the API key to be stored and sent repeatedly, which increases exposure risk and lacks the token expiration and scoping capabilities of OAuth 2.0. Option C is wrong because SAML 2.0 is an XML-based federated identity protocol designed for browser-based single sign-on (SSO) with user authentication, not for direct API access from third-party applications; it is heavy, not optimized for RESTful APIs, and does not provide a simple client credentials flow. Option D is wrong because X.509 certificates are used for mutual TLS (mTLS) authentication, which is more complex to manage (certificate issuance, renewal, revocation) and is typically reserved for high-security environments or regulatory compliance, not as a standard mechanism for third-party API integrations where OAuth 2.0 is the industry norm.

563
MCQhard

An organization is evaluating cloud service providers and notices that one provider's SLA offers 99.99% availability for a specific service, while another offers 99.9%. If the service costs $100,000 per month, what is the maximum allowable downtime per month for the 99.99% SLA?

A.8.64 minutes
B.43.2 minutes
C.2.16 minutes
D.4.32 minutes
AnswerD

Correct. 99.99% = 0.01% downtime = 4.32 minutes per month.

Why this answer

99.99% availability allows 0.01% downtime. Monthly downtime = 30 days * 24 hours * 60 minutes = 43,200 minutes. 0.01% of 43,200 = 4.32 minutes.

564
MCQeasy

What does this bucket policy enforce?

A.The policy denies all uploads unless they use SSE-KMS.
B.All objects must be encrypted with a specific KMS key.
C.Any object uploaded without encryption will be denied.
D.Only objects encrypted with SSE-S3 are allowed.
AnswerA

The Deny effect applies when the encryption is not 'aws:kms'.

Why this answer

The bucket policy uses a Condition block with `s3:x-amz-server-side-encryption` set to `aws:kms`, which means any upload must include the `x-amz-server-side-encryption` header with the value `aws:kms`. If the header is missing or set to any other value (e.g., `AES256` for SSE-S3), the request is denied. This enforces that all uploads use SSE-KMS, but does not require a specific KMS key unless a `kms:EncryptionContext` or `kms:KeyArn` condition is also present.

Exam trap

ISC2 often tests the distinction between 'requiring SSE-KMS' and 'requiring a specific KMS key'—candidates mistakenly think that any SSE-KMS condition implies a specific key, but the policy only checks the encryption type, not the key ARN.

How to eliminate wrong answers

Option B is wrong because the policy does not specify a particular KMS key ARN or ID in the Condition block; it only requires the encryption type to be `aws:kms`, not a specific key. Option C is wrong because it does not fully describe what the policy enforces: the policy denies any upload whose `x-amz-server-side-encryption` header is missing or set to a value other than `aws:kms`, so an unencrypted upload is indeed denied, but so is an upload using SSE-S3 (`AES256`) or any other encryption type. The policy enforces SSE-KMS specifically, not merely 'some encryption'. Option D is wrong because the policy explicitly requires `aws:kms`, not `AES256` (SSE-S3), so objects encrypted with SSE-S3 would be denied.

565
Multi-Selecthard

A company is adopting a microservices architecture on Kubernetes and needs to ensure least privilege for pod-to-pod communication. Which THREE controls should be implemented?

Select 3 answers
A.Service accounts with minimal permissions
B.Network policies to allow only necessary traffic between pods
C.RBAC to limit what pods can do within the cluster
D.Pod Security Admission to enforce that containers run as root
E.Horizontal Pod Autoscaler
AnswersA, B, C

Correct: Service accounts are used for pod identity; minimal permissions reduce risk.

Why this answer

Network policies restrict pod communication, RBAC controls pod permissions, and service accounts with limited permissions enforce least privilege.

566
MCQmedium

A company is migrating on-premises workloads to IaaS. They need to ensure that virtual machine images are secure and free of malware. Which approach is best practice?

A.Use a golden image from the cloud provider's marketplace.
B.Rely on host-based firewalls to protect instances.
C.Perform vulnerability scanning on running instances only.
D.Create a hardened baseline image and store it in a secure repository.
AnswerD

Creating a hardened baseline ensures images are secure before deployment.

Why this answer

Option D is correct because creating a hardened baseline image ensures that the virtual machine is built from a known, secure configuration with all necessary security patches, minimal services, and no malware. Storing this image in a secure repository (e.g., encrypted and access-controlled) prevents tampering and allows consistent deployment of secure instances. This approach follows the principle of immutable infrastructure and is a foundational practice for secure IaaS migrations.

Exam trap

ISC2 often tests the misconception that using a cloud provider's marketplace image is sufficient for security, but the trap is that these images are not tailored to the organization's specific hardening requirements and may contain default credentials or unnecessary services.

How to eliminate wrong answers

Option A is wrong because cloud provider marketplace images are generic and may not meet the organization's specific security requirements; they can contain unnecessary software or default configurations that introduce vulnerabilities. Option B is wrong because host-based firewalls only control network traffic and do not detect or remove malware already present in the virtual machine image; they are a perimeter control, not a secure image creation practice. Option C is wrong because vulnerability scanning on running instances only identifies issues after deployment, leaving the initial image potentially compromised; it does not prevent the deployment of a malicious or unhardened image.

567
Multi-Selecthard

Which TWO of the following are required elements of a valid Business Continuity Plan (BCP) in the cloud?

Select 2 answers
A.Communication plan for notifying stakeholders during a disruption.
B.Strategy to avoid vendor lock-in with the CSP.
C.A detailed risk assessment for all cloud services.
D.Network topology diagrams of the cloud environment.
E.Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for critical systems.
AnswersA, E

A communication plan is critical for coordinating response.

Why this answer

Option A is correct because a communication plan is a mandatory component of any BCP, as defined by ISO 22301 and NIST SP 800-34. In a cloud context, this plan must specify how to notify stakeholders—including the CSP, internal teams, and customers—during a disruption, ensuring coordinated response and compliance with SLAs.

Exam trap

ISC2 often tests the distinction between what is required *in* a BCP versus what is required *to create* a BCP, causing candidates to mistakenly include risk assessments or network diagrams as core BCP elements.

568
Multi-Selecthard

A company is deploying a microservices architecture on Kubernetes and wants to implement supply chain security. Which THREE of the following practices should be adopted?

Select 3 answers
A.Signing container images with Cosign
B.Allowing all images from public registries
C.Scanning images for CVEs using Trivy
D.Using the :latest tag for all images
E.Configuring an admission controller like Kyverno to verify image signatures
AnswersA, C, E

Correct; signing ensures image provenance.

Why this answer

Image signing ensures integrity, scanning for CVEs identifies vulnerabilities, and using admission controllers to verify signatures enforces policy.

569
MCQhard

An architect reviews this S3 bucket policy. What security concern should be raised?

A.The policy grants access to all users from the specified IP range.
B.The policy allows s3:GetObject from any source.
C.The policy allows s3:GetObject only to the specific bucket.
D.The policy does not restrict access to authenticated users.
AnswerA

Without a Principal, the policy applies to all users (including anonymous) from that IP range.

Why this answer

Option A is correct because the policy grants s3:GetObject access to all users (Principal: "*") from the specified IP range, which means any unauthenticated user on the internet within that IP range can read objects in the bucket. This violates the principle of least privilege and exposes data to potential unauthorized access, as the policy does not require authentication or additional authorization checks.

Exam trap

ISC2 often tests the misconception that an IP restriction alone ensures security, when in fact it still allows anonymous access from any user within that range, bypassing authentication and IAM controls.

How to eliminate wrong answers

Option B is wrong because the policy explicitly restricts access to a specific IP range via the `aws:SourceIp` condition, so it does not allow s3:GetObject from any source. Option C is wrong because while the policy does restrict s3:GetObject to the specific bucket (via the Resource ARN), this is not a security concern—it is a correct scoping of permissions. Option D is wrong because the policy does not require authenticated users; it grants access to all users (Principal: "*") within the IP range, which is the actual security concern, not the lack of authentication restriction.

570
MCQeasy

Which of the following is a key difference between a security group and a network ACL in a VPC?

A.Security groups are stateless, while NACLs are stateful
B.Security groups are applied at the subnet level, while NACLs are applied at the instance level
C.Security groups support both allow and deny rules
D.Security groups are stateful, while NACLs are stateless
AnswerD

Correct: Stateful security groups automatically allow return traffic.

Why this answer

Security groups are stateful, meaning return traffic is automatically allowed regardless of inbound rules. NACLs are stateless, requiring explicit inbound and outbound rules.

571
MCQmedium

A company uses Azure Functions for serverless data processing. To securely access an Azure SQL database, which of the following is the most secure method for managing the database connection string?

A.Embed the connection string in the function code and encrypt the code file
B.Store the connection string as an environment variable in the function app settings
C.Use Azure Policy to enforce encryption of the connection string at rest
D.Reference the connection string from Azure Key Vault using a managed identity
AnswerD

Correct: Managed identity and Key Vault provide secure, auditable access.

Why this answer

Using managed identities and Azure Key Vault removes hardcoded secrets and provides automatic rotation and access control.

572
Multi-Selectmedium

A cloud security architect is designing a data loss prevention (DLP) strategy for a cloud environment that stores sensitive customer data. Which TWO techniques should be implemented to proactively identify and protect sensitive data? (Select TWO.)

Select 2 answers
A.Cross-region replication
B.De-identification transforms
C.Automated DLP scanning for sensitive data
D.Bucket policies blocking all public access
E.Enabling object versioning
AnswersB, C

Transforms protect sensitive data by anonymizing it.

Why this answer

Automated DLP scanning can discover sensitive data, and de-identification transforms can protect data by masking or tokenizing sensitive elements.

573
MCQeasy

A cloud architect needs to protect data in transit between an on-premises data center and a cloud virtual private cloud (VPC). Which solution is MOST appropriate?

A.SSL certificate on web server
B.TLS for each application
C.VPN with IPsec
D.Direct Connect without encryption
AnswerC

IPsec VPN encrypts all traffic between sites.

Why this answer

An IPsec VPN is the most appropriate solution for protecting data in transit between an on-premises data center and a cloud VPC because it provides network-layer encryption and authentication for all IP traffic between the two sites. IPsec operates at Layer 3, securing the entire tunnel without requiring per-application configuration, and is designed specifically for site-to-site connectivity. This ensures confidentiality, integrity, and replay protection for all data traversing the public internet or a direct connect link.

Exam trap

ISC2 often tests the misconception that TLS or SSL is sufficient for all data-in-transit scenarios, but the trap here is that TLS is application-layer and cannot secure non-HTTP traffic or provide a site-to-site tunnel, whereas IPsec is the correct network-layer solution for connecting entire networks.

How to eliminate wrong answers

Option A is wrong because an SSL certificate on a web server only protects HTTP traffic (Layer 7) and does not secure other protocols or the entire data stream between the data center and VPC. Option B is wrong because implementing TLS for each application is application-specific, requires individual configuration per service, and does not provide a unified, network-level security boundary for all traffic between the two sites. Option D is wrong because Direct Connect without encryption leaves all data in transit unencrypted, exposing it to potential interception or tampering, and does not meet the requirement to protect data in transit.

574
MCQhard

Your organization, a healthcare provider subject to HIPAA, has migrated electronic protected health information (ePHI) to a public cloud IaaS provider. The cloud provider offers default encryption at rest using their managed key service. During a recent audit, it was discovered that the encryption keys are generated and stored by the cloud provider without any customer involvement. The auditor states that this arrangement may violate HIPAA requirements because the covered entity does not have exclusive control over the keys. You need to ensure compliance while maintaining cost efficiency. After discussing with the cloud provider, they suggest the following options: A. Enable client-side encryption using a custom key management system (KMS) on the customer's premises. B. Use the provider's default encryption and rely on their BAA that states they will protect the keys. C. Implement a third-party key management solution that stores keys in the cloud but is controlled by the customer. D. Disable encryption and rely on access controls and auditing only. Which option best addresses the compliance requirement while considering the operational impact?

A.Enable client-side encryption using a custom key management system (KMS) on the customer's premises.
B.Disable encryption and rely on access controls and auditing only.
C.Use the provider's default encryption and rely on their BAA that states they will protect the keys.
D.Implement a third-party key management solution that stores keys in the cloud but is controlled by the customer.
AnswerA

Correct. Client-side encryption with customer-controlled keys ensures compliance and maintains security.

Why this answer

Option A is correct because client-side encryption with a customer-controlled KMS ensures the covered entity retains exclusive control over the encryption keys, meeting HIPAA's requirement that the covered entity must be able to prevent the cloud provider from accessing ePHI. By encrypting data before it leaves the customer premises, the cloud provider never has access to the plaintext keys, and the customer maintains full lifecycle management, including key rotation and revocation. This approach is cost-efficient as it avoids complex third-party integrations and leverages existing on-premises infrastructure.

Exam trap

ISC2 often tests the misconception that a Business Associate Agreement (BAA) alone is sufficient to satisfy HIPAA encryption requirements, when in fact the covered entity must maintain exclusive control over encryption keys to prevent unauthorized access by the cloud provider.

How to eliminate wrong answers

Option B is wrong because disabling encryption entirely violates HIPAA's Security Rule requirement to implement encryption as an addressable implementation specification for ePHI at rest, and relying solely on access controls and auditing does not provide the necessary confidentiality protection. Option C is wrong because using the provider's default encryption with a BAA does not give the covered entity exclusive control over the keys; the provider still generates and stores the keys, which the auditor has identified as non-compliant. Option D is wrong because implementing a third-party KMS that stores keys in the cloud but is controlled by the customer still exposes the keys to the cloud provider's infrastructure, potentially allowing the provider to access them via hypervisor or storage layers, and introduces additional latency and cost without guaranteeing exclusive control.

575
MCQ · hard

A security engineer is reviewing an S3 bucket policy that grants 's3:GetObject' access to 'Principal: *' and 'Condition: {IpAddress: {aws:SourceIp: ["1.2.3.4/32"]}}'. Despite the IP restriction, why is this policy still considered risky?

A. The policy uses 'GetObject' instead of 'ListBucket'
B. The IP address is not properly masked
C. The bucket is still exposed to anyone who can spoof that IP
D. The condition uses 'aws:SourceIp' which is deprecated
Answer: C

If an attacker can spoof the allowed IP, they can access the bucket; also, the policy allows the principal '*' which is public.

Why this answer

The policy grants public access to a specific IP, but if that IP is compromised or the condition is misconfigured, it can lead to data exposure; additionally, the bucket policy may override other controls.

576
MCQ · hard

A cloud application processes credit card numbers. To reduce PCI DSS scope, the company wants to remove the original PAN from its databases and use a surrogate value that can be reversed only by a privileged application. Which data protection technique should they use?

A. Truncation of the first 6 and last 4 digits
B. Dynamic data masking in the application tier
C. Tokenization using a cloud-based token vault
D. Symmetric encryption with a key stored in the database
Answer: C

Tokenization replaces PAN with a token and the token vault controls detokenization.

Why this answer

Tokenization replaces the original PAN with a randomly generated surrogate value (token) that has no mathematical relationship to the original data. The token can be reversed only by a privileged application that has access to the token vault, which stores the mapping between tokens and actual PANs. This effectively removes the PAN from the application's databases, reducing PCI DSS scope because the tokenized data is not considered sensitive cardholder data.

Exam trap

ISC2 often tests the distinction between tokenization and encryption, where candidates mistakenly choose symmetric encryption (Option D) because they think encryption alone removes data from scope, but PCI DSS requires that the decryption key be stored separately from the encrypted data, and even then, encrypted PANs are still considered cardholder data unless the key is managed by a third-party service.

How to eliminate wrong answers

Option A is wrong because truncation (retaining only the first 6 and last 4 digits) still leaves the full PAN stored elsewhere in the system, and the truncated value cannot be reversed to recover the original PAN, so it does not meet the requirement for a reversible surrogate value. Option B is wrong because dynamic data masking only hides data at query time from unauthorized users, but the original PAN remains stored in the database, so it does not remove the PAN from databases or reduce PCI DSS scope. Option D is wrong because symmetric encryption with a key stored in the database keeps the key co-located with the ciphertext, violating the principle of separation of duties and failing to reduce PCI DSS scope, as the encrypted data is still considered cardholder data under PCI DSS requirements.

577
MCQ · easy

Which of the following best describes the purpose of the Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) program?

A. To offer a certification program for cloud security professionals
B. To define mandatory security requirements for all cloud services
C. To provide a legal framework for cloud contracts
D. To allow cloud providers to publicly document their security controls and achieve different levels of assurance
Answer: D

STAR includes self-assessment (Tier 1), third-party assessment (Tier 2), and continuous monitoring (Tier 3).

Why this answer

CSA STAR provides a framework for cloud providers to demonstrate their security posture through self-assessment or third-party assessments. It increases transparency and helps customers assess risk.

578
MCQ · medium

A company uses cloud storage for sensitive data and wants to ensure that the cloud provider cannot access their encryption keys. Which approach should they implement?

A. Cloud KMS with software keys
B. Cloud KMS with hardware keys
C. Cloud HSM
D. Cloud External Key Manager (EKM)
Answer: D

EKM allows customers to store keys outside the cloud provider, preventing provider access.

Why this answer

Cloud External Key Manager (EKM) allows the customer to manage and store encryption keys outside the cloud provider's infrastructure, often in an on-premises HSM or a third-party key management system. This ensures the cloud provider never has access to the plaintext keys, meeting the requirement that the provider cannot access the encryption keys. EKM typically uses protocols like PKCS#11 or KMIP to allow the cloud service to perform cryptographic operations without exposing the keys to the provider.

Exam trap

ISC2 often tests the distinction between 'cloud-managed' and 'customer-managed' keys, where candidates mistakenly think that using hardware keys (HSM) automatically prevents provider access, but the trap is that provider-managed HSMs still give the provider administrative control over the hardware.

How to eliminate wrong answers

Option A is wrong because Cloud KMS with software keys stores keys within the cloud provider's infrastructure, and the provider can potentially access them, especially if the keys are managed by the provider's software. Option B is wrong because Cloud KMS with hardware keys still stores keys in the cloud provider's HSM, meaning the provider has logical access and control over the key management process, even if the keys are in hardware. Option C is wrong because Cloud HSM, while providing dedicated hardware security modules, is still managed by the cloud provider, and the provider retains administrative access to the HSMs, which could allow them to access keys if they chose to.

579
MCQ · medium

A cloud security architect is designing network connectivity between multiple VPCs in the same region. The requirement is to allow full mesh connectivity with centralized management and the ability to apply network policies. Which service should be used?

A. Transit gateway
B. Internet gateway
C. VPC peering
D. VPC endpoint
Answer: A

A transit gateway provides a hub-and-spoke model for multiple VPCs with centralized management.

Why this answer

A transit gateway (or equivalent like AWS Transit Gateway, Azure Virtual WAN) acts as a hub for multiple VPCs, enabling centralized routing and policy management. VPC peering is point-to-point and not transitive.

580
MCQ · medium

A company is using AWS Lambda functions that need to access a private RDS database. Which configuration allows the Lambda function to connect securely without traversing the internet?

A. Assign an Elastic IP to the Lambda function
B. Use a Lambda environment variable to store the database endpoint and credentials
C. Place the Lambda function in a public subnet with an internet gateway
D. Configure the Lambda function to use a VPC with private subnets and a VPC endpoint for RDS
Answer: D

Correct: VPC integration and VPC endpoint allow private access.

Why this answer

Attaching the Lambda function to a VPC and placing it in private subnets with a VPC endpoint for RDS or a NAT gateway allows private connectivity.

581
MCQ · hard

An organization uses a multi-cloud architecture with applications running on both AWS and Azure. They need to implement a secrets management solution that works across both platforms and supports automated rotation. Which approach best meets these requirements?

A. Deploy HashiCorp Vault as a centralized secrets manager
B. Store secrets as encrypted environment variables in each environment
C. Use Azure Key Vault with a federation bridge to AWS
D. Use AWS Secrets Manager for all secrets
Answer: A

Vault is cloud-agnostic, supports automated rotation, and integrates with both AWS and Azure.

Why this answer

HashiCorp Vault provides a cloud-agnostic secrets management service with automated rotation and cross-cloud capabilities. AWS Secrets Manager is AWS-specific. Azure Key Vault is Azure-specific.

Encrypted environment variables are not easily rotated and require redeployment.

582
MCQ · medium

A healthcare organization uses a cloud-based electronic health record system. Patient data is encrypted at rest using server-side encryption with AWS KMS keys. The security team notices that during a recent security incident, an attacker used compromised credentials to decrypt and exfiltrate a large number of patient records. The attacker performed decryption operations using the KMS API, which was logged in CloudTrail. The organization wants to implement additional controls to prevent such bulk decryption in the future while still allowing authorized access. Which of the following is the BEST course of action?

A. Implement a key vault with an access broker that requires multi-factor authentication for each decryption request.
B. Change the encryption to client-side encryption using keys stored on-premises.
C. Create a KMS key policy that requires a condition for a specific IP range or VPC endpoint.
D. Enable automatic key rotation on the KMS key.
Answer: A

MFA adds strong authentication for each decryption, preventing bulk decryption even with compromised credentials.

Why this answer

A is correct because implementing a key vault with an access broker that requires multi-factor authentication for each decryption request directly addresses the root cause: compromised credentials. By requiring MFA per decryption operation, even if an attacker steals credentials, they cannot perform bulk decryption without also bypassing the MFA challenge for each API call. This control operates at the application layer, independent of the KMS key policy, and provides granular, per-request authorization.

Exam trap

ISC2 often tests the misconception that network-layer controls (like IP restrictions) or key rotation are sufficient to prevent unauthorized decryption, when in fact they do not address the core issue of compromised credentials being used to make legitimate API calls.

How to eliminate wrong answers

Option B is wrong because moving to client-side encryption with on-premises keys does not prevent bulk decryption if the attacker compromises the client application or the key management system; it also introduces key availability and latency issues for a cloud-based EHR system. Option C is wrong because restricting decryption to a specific IP range or VPC endpoint does not stop an attacker who uses compromised credentials from a legitimate IP or VPC; it only limits the network path, not the authorization of the request. Option D is wrong because automatic key rotation does not prevent an attacker from using compromised credentials to decrypt data with the current key; rotation only limits the window of exposure for future data, not the ability to decrypt already-encrypted records.

583
MCQ · hard

A company's cloud storage bucket policy inadvertently allowed anonymous users to list and read objects. After discovering the exposure, the security team has corrected the policy. Which additional step is critical to prevent recurrence?

A. Enable logging and monitoring to detect similar exposures.
B. Assign a dedicated security team to manually approve all policy changes.
C. Review all existing bucket policies and correct any other misconfigurations.
D. Implement automated policy validation as part of the infrastructure as code deployment process.
Answer: D

Automated checks in CI/CD prevent misconfigured policies from being applied.

Why this answer

Option D is correct because implementing automated policy validation as part of the infrastructure as code (IaC) deployment process ensures that any bucket policy changes are automatically checked against security rules before they are applied. This prevents misconfigurations like allowing anonymous access from reaching production, addressing the root cause rather than just reacting after exposure. In cloud environments like AWS S3, tools such as AWS CloudFormation with cfn-nag or Terraform with Sentinel can enforce policies programmatically, eliminating human error in manual reviews.

Exam trap

ISC2 often tests the distinction between detective controls (logging/monitoring) and preventive controls (automated validation in IaC), and the trap here is that candidates choose option A because they think monitoring is sufficient, but the question specifically asks for a step to 'prevent recurrence,' which requires a preventive control.

How to eliminate wrong answers

Option A is wrong because enabling logging and monitoring detects exposures after they occur but does not prevent recurrence; it is a detective control, not a preventive one. Option B is wrong because assigning a dedicated security team to manually approve all policy changes is impractical at scale, introduces delays, and still relies on human review which can miss subtle misconfigurations like a missing condition key in an S3 bucket policy. Option C is wrong because reviewing all existing bucket policies is a one-time remediation step that does not prevent future misconfigurations; it lacks the automated, continuous enforcement needed to stop recurrence.
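The kind of pre-deployment check question 583 calls for, run here against the policy from question 575 (public principal guarded only by an IP condition) and an anonymous list/read policy of the kind described above. This is an added example, not code from the question bank or from any AWS tool; the policy documents, bucket name, account id and finding categories are constructed for illustration.

```python
# Added example, not code from the question bank or from AWS. Policy documents
# and finding categories are constructed for illustration.
import json
from typing import Any, Dict, List, Set

# Condition keys that restrict WHERE a request comes from, not WHO sends it.
# A statement guarded only by these still has an anonymous principal.
NETWORK_ONLY_KEYS = {"aws:sourceip", "aws:sourcevpc", "aws:sourcevpce"}


def _is_public_principal(principal: Any) -> bool:
    """True when the Principal element means 'anyone' (unauthenticated)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _condition_keys(condition: Dict[str, Any]) -> Set[str]:
    """Collect every condition key (lower-cased) across all operators."""
    keys: Set[str] = set()
    for operator_block in condition.values():
        if isinstance(operator_block, dict):
            keys.update(k.lower() for k in operator_block)
    return keys


def lint_bucket_policy(policy_doc: str) -> List[Dict[str, str]]:
    """Return findings for Allow statements that grant access to Principal '*'.

    critical: no Condition at all (anonymous list/read, as in question 583)
    high:     guarded only by network-origin keys such as aws:SourceIp
              (question 575: still public, only the network path is limited)
    medium:   guarded by some other condition; needs human review
    """
    policy = json.loads(policy_doc)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written bare
        statements = [statements]

    findings: List[Dict[str, str]] = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        condition = stmt.get("Condition")
        if not condition:
            severity, reason = "critical", "anonymous principal with no Condition"
        else:
            keys = _condition_keys(condition)
            if keys and keys <= NETWORK_ONLY_KEYS:
                severity = "high"
                reason = "anonymous principal limited only by network origin: " + ", ".join(sorted(keys))
            else:
                severity, reason = "medium", "anonymous principal with a non-network condition; review"
        findings.append({
            "statement": stmt.get("Sid", "stmt-%d" % idx),
            "severity": severity,
            "actions": ",".join(actions),
            "reason": reason,
        })
    return findings


def _policy(**statement: Any) -> str:
    """Wrap one statement in a policy document (constructed sample data)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})


# Question 575: GetObject for anyone, guarded only by aws:SourceIp.
IP_ONLY_POLICY = _policy(
    Sid="IpRestrictedPublicRead", Effect="Allow", Principal="*",
    Action="s3:GetObject", Resource="arn:aws:s3:::example-bucket/*",
    Condition={"IpAddress": {"aws:SourceIp": ["1.2.3.4/32"]}})

# Question 583: anonymous list and read with no condition at all.
ANONYMOUS_POLICY = _policy(
    Sid="AnonymousListRead", Effect="Allow", Principal="*",
    Action=["s3:GetObject", "s3:ListBucket"],
    Resource=["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"])

# Corrected form: a named role in the account, so no public principal at all
# (account id is the AWS documentation placeholder).
SCOPED_POLICY = _policy(
    Sid="AppRoleRead", Effect="Allow",
    Principal={"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
    Action="s3:GetObject", Resource="arn:aws:s3:::example-bucket/*")

if __name__ == "__main__":
    for name, doc in (("ip-only", IP_ONLY_POLICY), ("anonymous", ANONYMOUS_POLICY),
                      ("scoped", SCOPED_POLICY)):
        print(name, lint_bucket_policy(doc))
```

Wired into a CI step that fails on any `critical` or `high` finding, the check blocks the policy before it is applied rather than reporting it afterwards.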

584
MCQ · easy

A company is conducting a risk assessment for a new cloud service. They identify a vulnerability that could lead to a data breach. The likelihood is low, but the impact is high. According to common risk management frameworks, how should this risk be addressed?

A. Ignore the risk until it materializes.
B. Accept the risk because the likelihood is low.
C. Implement controls to reduce the risk.
D. Transfer the risk to a third party.
Answer: C

Mitigation is appropriate for high-impact risks even if likelihood is low.

Why this answer

Option C is correct because, in risk management frameworks like NIST SP 800-37 or ISO 27005, a risk with high impact must be mitigated regardless of low likelihood. The potential for a data breach from this vulnerability means the organization should implement controls (e.g., encryption, access controls, or patching) to reduce the risk to an acceptable level, as the cost of a breach outweighs the low probability.

Exam trap

ISC2 often tests the misconception that low likelihood alone justifies risk acceptance, but the trap here is that high impact overrides low probability in most compliance-driven frameworks, requiring active mitigation.

How to eliminate wrong answers

Option A is wrong because ignoring a risk with high impact violates the fundamental risk management principle of proactive mitigation; waiting for materialization could lead to catastrophic data loss and regulatory penalties. Option B is wrong because accepting a risk solely due to low likelihood ignores the high impact; risk acceptance requires a formal decision based on risk appetite, not just probability, and low likelihood does not negate the need for controls when impact is severe. Option D is wrong because transferring the risk (e.g., via cyber insurance) does not eliminate the vulnerability; the organization remains liable for the breach and must still implement technical controls to meet compliance requirements like GDPR or HIPAA.

585
MCQ · easy

A small business uses a cloud file storage service to share project files with external partners. They have enabled versioning on the bucket, and each partner has a unique folder. The security team discovers that a former employee, who had administrative access, deleted all files in a partner's folder and then deleted the folder. The bucket's versioning allows restoration of the files, but the folder deletion cannot be undone. The business wants to prevent similar incidents in the future while still allowing external partners to upload and download files. Which approach should be taken?

A. Use bucket policies to prevent deletion of objects by anyone except a specific admin group, and use lifecycle policies to manage temporary files.
B. Use object lock with compliance mode to prevent object deletion or overwrites.
C. Enable MFA Delete on the bucket.
D. Disable versioning and implement a backup process.
Answer: B

Compliance mode locks objects irrevocably, preventing any deletion.

Why this answer

Option B is correct because Object Lock with compliance mode prevents any object from being deleted or overwritten by any user, including the root account, for the specified retention period. This directly addresses the requirement to prevent file deletion while still allowing partners to upload and download files, as versioning remains enabled and folder structure can be recreated.

Exam trap

ISC2 often tests the distinction between MFA Delete (which only adds an authentication step but does not prevent deletion by authorized users) and Object Lock (which provides immutable protection against deletion or overwrites).

How to eliminate wrong answers

Option A is wrong because bucket policies can restrict deletion but do not prevent a user with administrative access (like the former employee) from modifying the policy or bypassing it, and lifecycle policies manage temporary files but do not prevent deletion. Option C is wrong because MFA Delete only requires multi-factor authentication for delete operations, but a former employee with administrative credentials could still authenticate and delete objects if they have MFA access, and it does not prevent folder deletion. Option D is wrong because disabling versioning and implementing a backup process would remove the ability to restore previous versions and does not prevent deletion; backups are reactive, not preventive.

586
MCQ · easy

A cloud security administrator needs to ensure that all API calls to the cloud provider's management plane are logged for audit purposes. Which service should be enabled?

A. Cloud configuration service
B. Cloud threat detection service
C. Cloud audit logging service
D. Cloud monitoring service
Answer: C

Audit logs capture all management plane API calls.

Why this answer

Option C is correct because the cloud audit logging service (e.g., AWS CloudTrail) records API calls for auditing. Option A (configuration) tracks resource changes but not all API calls. Option B (threat detection) is for security threats. Option D (monitoring) focuses on performance metrics.

587
MCQ · hard

A multinational corporation is migrating its data to the cloud and needs to ensure that data belonging to EU residents never leaves the EU region due to GDPR data sovereignty requirements. Additionally, the company wants to prevent accidental deletion and protect against ransomware. Which combination of cloud storage features should be implemented to meet these requirements?

A. IAM policies and access logs
B. Cross-region replication and object lock
C. Bucket policy restricting to EU regions and versioning
D. Client-side encryption and signed URLs
Answer: C

Bucket policy enforces region restriction; versioning allows recovery from accidental deletes and ransomware.

Why this answer

Configuring a bucket policy that restricts data storage to EU regions ensures data residency. Enabling versioning protects against accidental deletion and ransomware by allowing recovery of previous object versions.

588
MCQ · easy

A company is migrating its on-premises workloads to a public cloud environment. The security team is concerned about maintaining visibility into network traffic between virtual machines in the same virtual network. Which cloud architecture component should be implemented to address this concern?

A. Security groups
B. Virtual network traffic mirroring
C. Virtual private cloud (VPC) peering
D. Network access control lists (NACLs)
Answer: B

Correct: Enables packet capture for analysis.

Why this answer

Virtual network traffic mirroring (or port mirroring) enables the capture and inspection of all network packets flowing between virtual machines within the same virtual network, including east-west traffic. This provides the security team with the deep packet visibility needed for threat detection, compliance auditing, and troubleshooting without requiring changes to the VM configurations or routing paths.

Exam trap

The trap here is that candidates often confuse security groups or NACLs with visibility tools, mistakenly believing that filtering or logging features (like flow logs) provide the same packet-level capture as traffic mirroring, when in fact flow logs only record metadata (e.g., source/destination IP, port, protocol) and not the full packet payload.

How to eliminate wrong answers

Option A is wrong because security groups act as a stateful virtual firewall that filters traffic based on rules (e.g., source IP, port), but they do not capture or mirror traffic for analysis; they only permit or deny packets. Option C is wrong because VPC peering connects two separate virtual networks, allowing traffic between them, but it does not provide visibility into traffic within a single virtual network. Option D is wrong because network access control lists (NACLs) are stateless packet filters applied at the subnet boundary, not a mechanism for copying or monitoring traffic flows between VMs inside the same subnet.

589
Multi-Select · medium

A cloud security architect is designing a data loss prevention (DLP) strategy for a multi-cloud environment. Which TWO actions are effective in preventing unauthorized exfiltration of sensitive data?

Select 2 answers
A. Enable detailed logging and monitoring of all data access events
B. Encrypt all data at rest using provider-managed keys
C. Use a cloud access security broker (CASB) to enforce data classification
D. Implement strict Identity and Access Management (IAM) policies with least privilege
E. Deploy DLP tools to inspect outbound traffic for sensitive data patterns
Answers: D, E

Correct: Limits access to sensitive data, reducing exfiltration risk.

Why this answer

Option D is correct because implementing strict IAM policies with least privilege ensures that users and services have only the minimum permissions necessary to perform their functions. This directly limits the attack surface and prevents unauthorized access to sensitive data, which is a foundational control against exfiltration. Without least privilege, even with other controls in place, an over-privileged account could be exploited to move or copy data out of the environment. Option E is correct because DLP tools that inspect outbound traffic for sensitive data patterns can block a transfer at the point of exfiltration, making content inspection the other directly preventive control.

Exam trap

ISC2 often tests the distinction between preventive and detective controls, and the trap here is that candidates confuse monitoring (detective) or encryption (protective but not preventive against exfiltration by authorized users) with direct prevention mechanisms like least privilege and DLP content inspection.

590
MCQ · medium

A company is subject to a legal hold order and uses a cloud storage service with object replication across multiple regions. Which cloud feature should the company use to prevent deletion or modification of relevant data?

A. Versioning of objects
B. Cross-region replication
C. Backup to another provider
D. Legal hold policies (e.g., S3 Object Lock)
Answer: D

Correct. Legal hold policies ensure data cannot be deleted or overwritten.

Why this answer

Legal hold features like S3 Object Lock (AWS) or Azure Immutable Blob prevent data from being deleted or modified during the hold period, even if replication exists.

591
MCQ · medium

A company subject to PCI DSS is considering a cloud provider to process credit card transactions. What must the cloud provider present to demonstrate compliance with PCI DSS?

A. A CSA STAR Level 1 self-assessment
B. A PCI DSS Attestation of Compliance (AOC) from a QSA
C. A SOC 2 Type II report
D. An ISO 27001 certificate
Answer: B

The AOC is the formal evidence of a PCI DSS assessment by a Qualified Security Assessor.

Why this answer

PCI DSS allows cloud providers to be assessed by a QSA; the resulting Attestation of Compliance (AOC) demonstrates compliance.

592
Multi-Select · hard

Which THREE controls help protect data in use within a cloud environment? (Choose three.)

Select 3 answers
A. Confidential computing
B. Tokenization
C. Access control lists
D. Secure enclaves (e.g., Intel SGX)
E. Homomorphic encryption
Answers: A, D, E

Encrypts data in use in memory.

Why this answer

Confidential computing protects data in use by executing computations within a hardware-based Trusted Execution Environment (TEE), such as Intel SGX or AMD SEV, which isolates the data and code from the host operating system and hypervisor. This ensures that even privileged users or cloud administrators cannot access the plaintext data while it is being processed in memory. Secure enclaves are the concrete TEE implementation of this model, and homomorphic encryption protects data in use by a different route: computation is carried out directly on ciphertext, so the processing system never holds the plaintext at all.

Exam trap

ISC2 often tests the distinction between data-at-rest, data-in-transit, and data-in-use controls, and the trap here is that candidates confuse tokenization (which protects data at rest) or access control lists (which protect data at rest/in transit) with technologies that specifically protect data during active processing in memory.

593
MCQ · medium

An enterprise uses a cloud-based relational database service (e.g., AWS RDS) to store customer order data. The database is encrypted at rest using the cloud provider's default encryption. The security team is concerned about the risk of a rogue database administrator (DBA) exfiltrating data by creating unencrypted backups or snapshots and moving them to a different account. Which of the following controls would BEST mitigate this risk while maintaining operational efficiency?

A. Use a customer-managed key (CMK) in KMS and configure the database to use that key for encryption, and restrict the DBA's IAM permissions to prevent using the key on snapshots.
B. Disable the ability for any user to create database snapshots.
C. Implement database activity monitoring (DAM) to alert on snapshot creation.
D. Enable automatic snapshot encryption and ensure that only the database service role can access snapshots.
Answer: A

Ensures snapshots are encrypted and DBA cannot decrypt them without key permission.

Why this answer

Option A is correct because using a customer-managed key (CMK) in AWS KMS allows the organization to attach a key policy that explicitly denies the DBA's IAM role the kms:Decrypt permission on the CMK when used with snapshot operations. This prevents the DBA from creating an unencrypted snapshot or from copying an encrypted snapshot to another account, as the snapshot would remain encrypted with the CMK and the DBA cannot decrypt it. This maintains operational efficiency because the DBA can still perform routine database management tasks (e.g., creating backups) but cannot exfiltrate data via snapshots.

Exam trap

ISC2 often tests the misconception that enabling automatic encryption or monitoring alone is sufficient to prevent data exfiltration by a privileged insider, when in reality only a combination of customer-managed keys with strict key policies and IAM permission boundaries can block the DBA's ability to decrypt or re-encrypt snapshots for exfiltration.

How to eliminate wrong answers

Option B is wrong because completely disabling snapshot creation would break critical operational processes such as automated backups, point-in-time recovery, and disaster recovery, making it an impractical and overly restrictive control. Option C is wrong because database activity monitoring (DAM) only provides alerting after the fact; it does not prevent a rogue DBA from successfully exfiltrating data via unencrypted snapshots, as the DBA could still create and move the snapshot before the alert is acted upon. Option D is wrong because enabling automatic snapshot encryption does not prevent the DBA from creating a snapshot that is encrypted with a key they can access (e.g., the default AWS managed key), and restricting access to only the database service role does not stop a DBA with elevated IAM permissions from assuming that role or using their own permissions to copy the snapshot to another account.

594
Multi-Select · medium

A cloud security team is designing network security for a multi-VPC architecture in AWS. Which TWO of the following are valid considerations for VPC peering?

Select 2 answers
A. VPC peering can be used to connect on-premises networks
B. VPC peering requires an internet gateway for communication
C. VPC peering is a one-to-one relationship
D. VPC peering supports transitive routing across multiple VPCs
E. VPC peering allows private IP connectivity between VPCs
Answers: C, E

Correct; each peering connection is between exactly two VPCs.

Why this answer

VPC peering is a direct, non-transitive connection between two VPCs, and transitive routing is not supported without additional components.

595
MCQ · medium

A company runs a multi-tier cloud application with a web frontend, an API layer, and a database. The application uses OAuth 2.0 for authentication. Recently, users have been experiencing session hijacking attacks. Upon investigation, the security team finds that session tokens are being intercepted in transit. The application uses HTTPS for all communications, but a developer discovers that the application is also accessible via HTTP due to a misconfiguration. The team wants to implement additional security controls to prevent token theft. Which course of action should be taken first?

A. Use IP address binding for session tokens
B. Implement HTTP Strict Transport Security (HSTS) to enforce HTTPS connections
C. Switch from OAuth to SAML for authentication
D. Shorten the session token expiration time
Answer: B

HSTS forces browsers to use HTTPS only, eliminating HTTP access and reducing token interception risk.

Why this answer

The root cause is that the application is accessible via HTTP due to a misconfiguration, allowing session tokens to be intercepted in transit despite HTTPS being available. Implementing HTTP Strict Transport Security (HSTS) forces the browser to always use HTTPS, preventing any HTTP connections and thus eliminating the interception vector. This directly addresses the misconfiguration before other controls, which would only mitigate but not prevent the theft.

Exam trap

ISC2 often tests the concept that session hijacking prevention must address the root cause (insecure transport) rather than just mitigating the impact of token theft, leading candidates to choose options like shortening expiration or IP binding instead of enforcing HTTPS with HSTS.

How to eliminate wrong answers

Option A is wrong because IP address binding for session tokens is a server-side binding that can help prevent token reuse from different IPs, but it does not prevent the initial interception of the token over HTTP; the token can still be stolen in transit. Option C is wrong because switching from OAuth 2.0 to SAML does not change the transport security issue; both protocols can be used over HTTP and are equally vulnerable to interception if HTTPS is not enforced. Option D is wrong because shortening the session token expiration time reduces the window of opportunity for an attacker to use a stolen token, but it does not prevent the token from being intercepted in the first place over an HTTP connection.

596
MCQmedium

A security analyst is investigating a data breach in a cloud environment. The analyst needs to preserve evidence for legal proceedings. Which of the following actions is most critical to ensure the chain of custody is maintained?

A.Calculate cryptographic hashes of all relevant files.
B.Isolate all affected systems from the network to prevent further data loss.
C.Begin a detailed log documenting all actions, timestamps, and personnel involved.
D.Immediately notify senior management and legal counsel.
AnswerC

This is the first step in establishing chain of custody.

Why this answer

Chain of custody requires documenting every handling and transfer of evidence. Option C is correct because starting a log of all actions, with timestamps and the personnel involved, creates the record that establishes accountability from the first moment of the investigation. Option A is wrong because hashing proves the integrity of the files but by itself documents nothing about who handled the evidence or when; the hashes belong in the custody log, not in place of it. Option B is wrong because isolating systems is a containment step rather than a custody step, and it can destroy volatile data. Option D is wrong because notifying senior management and legal counsel is important but does not maintain chain of custody.
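An added example, not part of the original question bank, of how the log from Option C and the hashes from Option A fit together: an append-only custody log whose entries are hash-chained so that altering or dropping an earlier entry breaks verification of everything after it. The evidence bytes, item name, handler names and timestamps are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody log.

    Every entry records who did what to which evidence item and when, together
    with the hash of the evidence at that moment. Entries are hash-chained, so
    editing or removing an earlier entry breaks verification of the rest.
    """

    def __init__(self):
        self.entries = []

    def record(self, action, item_id, handler, evidence_hash, timestamp=None):
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp": ts,
            "action": action,
            "item": item_id,
            "handler": handler,
            "evidence_hash": evidence_hash,
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return (True, -1) if the chain is intact, else (False, first bad index)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            expected = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if entry["prev_hash"] != prev or entry["entry_hash"] != expected:
                return False, i
            prev = entry["entry_hash"]
        return True, -1

    def evidence_unchanged(self, item_id, data):
        """Compare the current bytes of an item against the hash last recorded for it."""
        for entry in reversed(self.entries):
            if entry["item"] == item_id:
                return sha256_hex(data) == entry["evidence_hash"]
        return False


# Constructed sample: these bytes stand in for an acquired disk image.
IMAGE = b"constructed disk image bytes for the example"


def build_example_log():
    h = sha256_hex(IMAGE)
    log = CustodyLog()
    log.record("acquired image from cloud snapshot", "vm-42-disk.img",
               "J. Doe (analyst)", h, "2024-05-01T10:02:00+00:00")
    log.record("hash verified against acquisition", "vm-42-disk.img",
               "J. Doe (analyst)", h, "2024-05-01T10:05:00+00:00")
    log.record("transferred to evidence locker", "vm-42-disk.img",
               "R. Roe (custodian)", h, "2024-05-01T11:30:00+00:00")
    return log
```

`build_example_log().verify()` returns `(True, -1)`; changing the handler on entry 1, or deleting it, makes `verify()` return `(False, 1)`, which is the property a court-facing log needs and a bare list of file hashes does not provide.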

597
Multi-Selectmedium

A financial services company is migrating its customer account management system to a public cloud provider. The company is subject to SOX compliance requirements for internal controls over financial reporting. Which TWO controls are essential for the cloud environment to meet SOX IT general control requirements? (Choose two.)

Select 2 answers
A.Enforcing role-based access control with least privilege
B.Establishing a formal change management process
C.Enabling detailed audit logging for all user and system activities
D.Implementing encryption for data at rest and in transit
E.Configuring automated backups with daily snapshots
AnswersB, C

Change management is a key ITGC required by SOX to ensure system changes are controlled and documented.

Why this answer

SOX requires IT general controls (ITGC) over the systems that support financial reporting. Change management ensures that changes to the system are authorized, tested and documented, and audit logging provides the evidence of user activity and system events that auditors examine. Role-based access control (A) also belongs to the ITGC access domain, but the question asks for the two controls that most directly evidence controlled change and traceable activity, which are change management and audit logging. Encryption and backups are important security measures but are not specifically ITGC requirements under SOX.

598
Multi-Selecthard

A company is evaluating cloud providers for a global application. They need to ensure high availability and low latency. Which THREE factors are most important to consider during provider evaluation? (Select THREE.)

Select 3 answers
A.Availability of third-party audit reports (e.g., SOC 2, ISO 27001)
B.SLA uptime guarantees
C.Provider's stock price performance
D.Number of employees at the provider
E.Global data center locations and regions
AnswersA, B, E

Audit reports verify security and operational controls.

Why this answer

SLA guarantees (e.g., 99.99%) affect availability; global data center presence reduces latency; audit reports like SOC 2 demonstrate operational effectiveness, which impacts reliability.

599
Multi-Selecteasy

Which TWO data lifecycle stages are most critical for applying encryption controls in a cloud object storage service? (Choose two.)

Select 2 answers
A.Data in transit
B.Data in use
C.Data deletion
D.Data at rest
E.Data creation
AnswersA, D

Encryption in transit covers the API calls to the storage service; encryption at rest covers the stored objects.

Why this answer

Encryption for data in transit (e.g., TLS 1.3) protects data as it moves between the client and the cloud object storage service, preventing interception or man-in-the-middle attacks. Data at rest encryption (e.g., server-side encryption with AES-256) protects stored objects from unauthorized access, whether from compromised infrastructure or misconfigured access controls. These two stages cover the primary threat vectors for cloud object storage: network interception and storage compromise.

Exam trap

ISC2 often tests the distinction between data lifecycle stages by tempting candidates to pick 'data in use'. Data-in-use protections (memory encryption, confidential computing) apply to the compute that processes the data; an object storage service's exposure is the network path and the stored objects, so encryption in transit and at rest are the two controls to name.
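An added example, not part of the original question bank, of how the two stages are enforced on a bucket rather than merely described: a static check over an S3 bucket policy that confirms a Deny for non-TLS requests (the `aws:SecureTransport` condition key) and a Deny for uploads without the `s3:x-amz-server-side-encryption` header. Both policies below are constructed for the example; the bucket name is an assumption.

```python
# Constructed bucket policy (not from any real account) enforcing both stages:
# deny any request that is not over TLS, and deny uploads that do not request
# server-side encryption.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}

# Constructed weak policy: grants reads but enforces neither stage.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReports",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/reports"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _deny_statements(policy):
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") == "Deny" and st.get("Principal") == "*":
            yield st


def denies_plaintext_transport(policy):
    """True if a Deny covers all S3 actions when aws:SecureTransport is false."""
    for st in _deny_statements(policy):
        cond = st.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() != "false":
            continue
        if "s3:*" in _as_list(st.get("Action", [])):
            return True
    return False


def requires_sse_on_put(policy):
    """True if a Deny blocks s3:PutObject whenever the SSE header is absent."""
    for st in _deny_statements(policy):
        cond = st.get("Condition", {}).get("Null", {})
        if str(cond.get("s3:x-amz-server-side-encryption", "")).lower() != "true":
            continue
        actions = _as_list(st.get("Action", []))
        if "s3:PutObject" in actions or "s3:*" in actions:
            return True
    return False


def check_bucket_policy(policy):
    """Return findings for the two lifecycle stages; [] means both are enforced."""
    findings = []
    if not denies_plaintext_transport(policy):
        findings.append("in transit: no Deny for aws:SecureTransport=false")
    if not requires_sse_on_put(policy):
        findings.append("at rest: PutObject without server-side encryption is not denied")
    return findings
```

`check_bucket_policy(HARDENED_POLICY)` returns an empty list and `check_bucket_policy(WEAK_POLICY)` returns both findings. S3 now applies server-side encryption to new objects by default, but the explicit Deny still documents the requirement for auditors and can be tightened to require `aws:kms` where customer-managed keys are mandated.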

600
MCQhard

A multinational corporation is deploying a containerized microservices application on a public cloud Kubernetes cluster. The cluster spans three availability zones in a single region. The application consists of a front-end service, a payment service, and a database service. The security team requires that the payment service must not be directly accessible from the internet, but must be accessible from the front-end service. The database must only be accessible from the payment service. Additionally, all inter-service communication must be encrypted, and the cluster must be able to scale up to 500 nodes during peak load. The cloud provider's container orchestration service is used. After deployment, the security team discovers that the payment service is still reachable from the internet via a public load balancer that was configured for testing. The team needs to remediate this issue immediately without disrupting the front-end service. Which of the following actions should the team take FIRST?

A.Change the payment service type from LoadBalancer to ClusterIP and update the front-end configuration.
B.Implement a Kubernetes NetworkPolicy that denies ingress to the payment service pods from all sources except the front-end service's pod label.
C.Delete the public load balancer that was used for testing.
D.Apply a security group to the node instances to block inbound traffic on the payment service port.
AnswerB

This immediately restricts the payment pods to traffic from the front-end pods, without changing the Service type or affecting other components.

Why this answer

Option B is correct because a Kubernetes NetworkPolicy enforces fine-grained ingress rules at the pod level, allowing only traffic from pods carrying the front-end label to reach the payment pods. Traffic arriving through the public load balancer comes from an internet address or a node address, neither of which matches that selector, so it is dropped while front-end-to-payment communication continues. This addresses the exposure without modifying the Service type or disrupting the front-end service. NetworkPolicies operate at Layer 3/4 and are native to Kubernetes, but they are enforced only by a CNI plugin that supports them; on a plugin that does not, the object is accepted and has no effect. The team should therefore confirm enforcement (for example by attempting the connection from a pod without the front-end label) and then remove the test load balancer as the follow-up change.

Exam trap

ISC2 often tests the misconception that deleting the load balancer (Option C) is the first step, but the trap is that this ignores the need to maintain front-end-to-payment connectivity and the fact that a NetworkPolicy can immediately block internet traffic without removing the load balancer resource itself.

How to eliminate wrong answers

Option A is wrong because changing the payment service type from LoadBalancer to ClusterIP would remove the public load balancer but also require updating the front-end configuration to point to the new ClusterIP, which could disrupt the front-end service during the transition; it also does not address the immediate need to block internet access without disruption. Option C is wrong because deleting the public load balancer would stop internet traffic but does not ensure that the payment service remains accessible from the front-end service, and it may cause downtime if the load balancer is still referenced; it also does not provide a scalable, policy-based solution. Option D is wrong because applying a security group to the node instances blocks traffic at the infrastructure level, which is coarse-grained and does not account for Kubernetes pod IPs that may change with scaling; it also does not differentiate between traffic from the front-end service and other internal sources, potentially breaking legitimate inter-service communication.
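An added example, not a manifest from the page or any project, that goes slightly beyond the question: the NetworkPolicy from Option B for the payment pods, a second one applying the same pattern to the database (reachable from the payment pods only), and a small evaluator of the NetworkPolicy ingress semantics that matter here, so the before/after can be checked without a cluster. The namespace, labels and ports are assumptions; the evaluator models `matchLabels` and `podSelector` peers only (no `namespaceSelector`, `ipBlock` or named ports).

```python
import json

NAMESPACE = "shop"  # assumed namespace for the example

# Constructed policies (added example, not the page's or any project's manifest).
PAYMENT_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "payment-allow-frontend-only", "namespace": NAMESPACE},
    "spec": {
        "podSelector": {"matchLabels": {"app": "payment"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
            "ports": [{"protocol": "TCP", "port": 8443}],
        }],
    },
}
DATABASE_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "database-allow-payment-only", "namespace": NAMESPACE},
    "spec": {
        "podSelector": {"matchLabels": {"app": "database"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "payment"}}}],
            "ports": [{"protocol": "TCP", "port": 5432}],
        }],
    },
}
POLICIES = [PAYMENT_POLICY, DATABASE_POLICY]


def selector_matches(selector, labels):
    """matchLabels only (no matchExpressions); an empty selector matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policies, dst_labels, dst_port, src_labels=None,
                    src_namespace=NAMESPACE, dst_namespace=NAMESPACE):
    """Decide one connection under the policies that select the destination pod.

    src_labels=None models a source that is not a pod in the cluster, such as an
    internet client arriving through the test load balancer (or its SNATed node IP).
    """
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst_namespace
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selector_matches(p["spec"]["podSelector"], dst_labels)
    ]
    if not selecting:
        return True  # pod is not isolated: Kubernetes allows all ingress by default

    for policy in selecting:
        for rule in policy["spec"].get("ingress", []):
            ports = rule.get("ports")
            if ports and not any(p.get("port") == dst_port for p in ports):
                continue
            if "from" not in rule:
                return True  # a rule without 'from' admits every source
            for peer in rule["from"]:
                if "podSelector" not in peer or "namespaceSelector" in peer:
                    continue
                # a lone podSelector matches pods in the policy's own namespace only
                if (src_labels is not None and src_namespace == dst_namespace
                        and selector_matches(peer["podSelector"], src_labels)):
                    return True
    return False


def manifest(policy):
    """JSON is valid YAML, so this output can be applied with kubectl apply -f."""
    return json.dumps(policy, indent=2)
```

Before the policy exists, `ingress_allowed([], {"app": "payment"}, 8443)` is `True`, which is the exposure the team found; with `POLICIES` applied the same call returns `False` for an internet source and `True` only for a front-end pod in the same namespace on port 8443. The evaluator reproduces the documented semantics, not any CNI's implementation, so the real confirmation is still a connection attempt from a non-front-end pod after the policy is applied.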
