Certified Cloud Security Professional (CCSP) — Questions 601–675

987 questions total · 14 pages · All types, answers revealed


Page 9 of 14

601 · Multi-Select · medium

Which TWO of the following are effective strategies for protecting sensitive data in a public cloud environment?

Select 2 answers
A. Using the same encryption key for all data to simplify key management.
B. Storing encryption keys in the same storage bucket as the encrypted data.
C. Consolidating all sensitive data into a single storage bucket for easier management.
D. Data masking to obscure sensitive fields in non-production environments.
E. Tokenization to replace sensitive data with non-sensitive placeholders.
Answers: D, E

Correct. Data masking protects data in development and testing.

Why this answer

D (data masking) and E (tokenization) are both common techniques. B (storing encryption keys with the data) is insecure. C (consolidating all data in one bucket) violates least privilege. A (using the same key for all data) is poor practice.

602 · MCQ · medium

A company wants to encrypt data at rest in a cloud object storage service. They require that the cloud provider has no access to the encryption keys. Which key management approach should they use?

A. Server-side encryption with customer-managed keys stored in a cloud HSM
B. Client-side encryption
C. Server-side encryption with cloud-managed keys
D. Server-side encryption with envelope encryption
Answer: B

Encryption happens on the client side; cloud provider never sees the keys.

Why this answer

Client-side encryption (B) is the correct approach because the data is encrypted before it is sent to the cloud provider, ensuring that the cloud provider never has access to the plaintext data or the encryption keys. With server-side encryption, even if the keys are customer-managed and stored in a cloud HSM (A), the encryption and decryption operations occur on the provider's infrastructure, meaning the provider's software stack could theoretically access the keys or plaintext. Options C and D also involve server-side operations, where the cloud provider manages or processes the keys, violating the requirement that the provider has no access to the keys.

Exam trap

The trap here is that candidates confuse 'customer-managed keys' (CMK) with 'client-side encryption,' assuming that storing keys in a cloud HSM (A) prevents provider access, but the CCSP exam emphasizes that server-side encryption inherently involves the provider's infrastructure in the encryption process, which violates the 'no access' requirement.

How to eliminate wrong answers

Option A is wrong because server-side encryption with customer-managed keys stored in a cloud HSM still requires the cloud provider's infrastructure to perform the encryption/decryption operations, and the provider's HSM service may have administrative access to the keys. Option C is wrong because server-side encryption with cloud-managed keys explicitly gives the cloud provider full control over the keys, directly violating the requirement. Option D is wrong because server-side encryption with envelope encryption still involves the cloud provider managing the key encryption key (KEK) and performing the encryption/decryption on its servers, so the provider retains access to the data encryption key (DEK) during processing.

603 · MCQ · hard

A large enterprise is migrating its data center workloads to a public cloud. The security policy requires that all sensitive data stored in cloud storage services be encrypted with keys managed by the enterprise's on-premises HSM. The cloud storage service offers server-side encryption with customer-provided keys (SSE-C). However, compliance regulations prohibit the transmission of encryption keys over the public internet. The enterprise also has a dedicated network connection to the cloud provider (e.g., AWS Direct Connect). The security team is considering several options. Which solution meets all requirements: (1) data encrypted at rest on the cloud service, (2) keys controlled by the enterprise, (3) keys never transmitted over the internet?

A. Use a cloud-based HSM (e.g., AWS CloudHSM) and keep the key material in the cloud HSM.
B. Use SSE-C with the enterprise's HSM, sending keys over the dedicated connection (Direct Connect) as it is private.
C. Use server-side encryption with KMS using an imported key material protected by the enterprise's HSM, accessed via KMS API over the dedicated connection.
D. Use client-side encryption on-premises before uploading data, using keys from the HSM.
Answer: D

Keys never leave the on-premises HSM; only encrypted data is sent.

Why this answer

Option D is correct because client-side encryption encrypts data on-premises using keys from the enterprise's HSM before the data is ever transmitted to the cloud. This ensures the data is encrypted at rest in the cloud, the enterprise retains full control of the keys, and the keys never traverse any network—public or private—to the cloud provider. The dedicated connection (Direct Connect) is irrelevant for key transmission since the keys never leave the on-premises HSM.

Exam trap

ISC2 often tests the misconception that a private or dedicated network connection (like Direct Connect) satisfies a 'no transmission over the internet' requirement, but the trap here is that the regulation prohibits any network transmission of keys, not just over the public internet, so even a private link is disallowed if keys are sent over it.

How to eliminate wrong answers

Option A is wrong because a cloud-based HSM (e.g., AWS CloudHSM) stores and manages the key material within the cloud provider's environment rather than under the exclusive control of the enterprise's on-premises HSM, violating the requirement that keys be managed by that HSM. Option B is wrong because SSE-C requires the customer to supply the encryption key with each API call (e.g., PUT Object); even though the dedicated connection (Direct Connect) is private, the key is still sent over a network to the provider, which the compliance regulations prohibit (the regulation forbids transmission over any network, not just the public internet). Option C is wrong because KMS with imported key material still requires the key to be transmitted to the KMS service via API calls over the dedicated connection, and KMS, not the enterprise's on-premises HSM, then stores and manages the key; the enterprise loses direct control and the key has crossed the network.

604 · Multi-Select · medium

A cloud application is deployed on Kubernetes and uses an IAM role for service accounts. Which TWO practices should be implemented to ensure least privilege?

Select 2 answers
A. Grant only the specific permissions required for the application
B. Hardcode the role's access key in the application code
C. Grant the role the 'iam:*' wildcard permission
D. Restrict the role to specific resources using ARNs
E. Use a single role for all services in the cluster
Answers: A, D

Specific permissions limit access to only what is needed.

Why this answer

Least privilege for IAM roles means granting only necessary permissions and using specific resource ARNs to limit scope.

605 · Multi-Select · easy

A cloud security team is auditing a cloud environment and needs to ensure compliance with logging requirements. Which TWO actions are essential? (Choose two.)

Select 2 answers
A. Store logs in a publicly accessible bucket.
B. Allow users to modify logs.
C. Encrypt logs at rest.
D. Enable CloudTrail (or equivalent) for all regions.
E. Delete logs after 30 days.
Answers: C, D

Encryption protects log data at rest.

Why this answer

Encrypting logs at rest (Option C) is essential to protect sensitive audit data from unauthorized access if the storage medium is compromised. Cloud providers like AWS offer server-side encryption (SSE-S3 or SSE-KMS) for log buckets, ensuring compliance with standards such as SOC 2, PCI DSS, and ISO 27001. Without encryption, logs could be read by anyone with physical or administrative access to the storage infrastructure.

Exam trap

ISC2 often tests the misconception that deleting logs after a short period is a security best practice, but the trap is that compliance mandates specific retention durations, and premature deletion can lead to audit failures.

606 · Multi-Select · hard

A cloud application exposes an API that allows users to view their own orders. Which TWO vulnerabilities could allow an attacker to view another user's orders?

Select 2 answers
A. Excessive Data Exposure
B. SQL Injection
C. Insecure Direct Object Reference (IDOR)
D. Broken Object Level Authorization (BOLA)
E. Cross-Site Scripting (XSS)
Answers: C, D

IDOR occurs when user input directly references objects without authorization checks.

Why this answer

Broken Object Level Authorization (BOLA) occurs when the API does not verify that the user owns the object, and IDOR (Insecure Direct Object Reference) allows access by manipulating object IDs.
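The defect this question describes, shown as an added example that is not part of the question bank: a minimal "orders" API handler with the BOLA/IDOR flaw beside the hardened version. The users, order IDs and amounts are constructed for the demo; the hardened handler scopes the lookup to the authenticated identity and returns the same "not found" for a missing ID and for another user's ID.

```python
"""Added example (not from the question bank): Broken Object Level Authorization
(BOLA) / IDOR in an "orders" API, showing the vulnerable handler next to a
hardened one. The users, order IDs and amounts are constructed for the demo."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: str
    total_cents: int


# Constructed sample data: two customers, three orders.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", 4999),
    1002: Order(1002, "bob", 12000),
    1003: Order(1003, "alice", 250),
}


class NotFound(Exception):
    """Raised when the object does not exist or is not visible to the caller."""


def get_order_vulnerable(authenticated_user: str, order_id: int) -> Order:
    """GET /orders/{id} with the BOLA defect: the caller is authenticated, but the
    handler never checks that the caller owns the referenced object, so any valid
    session can read any order just by changing the ID in the URL."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def get_order_secure(authenticated_user: str, order_id: int) -> Order:
    """Hardened handler: the lookup is scoped to the server-side identity of the
    caller. An ownership mismatch returns the same 'not found' as a missing ID,
    so the response does not reveal whether someone else's order exists."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != authenticated_user:
        raise NotFound(order_id)
    return order


def list_orders_secure(authenticated_user: str) -> List[Order]:
    """Owner-scoped listing: the predicate is the authenticated identity,
    never a client-supplied user ID."""
    return [o for o in ORDERS.values() if o.owner_id == authenticated_user]


def can_read(handler: Callable[[str, int], Order], user: str, order_id: int) -> bool:
    """Probe used to compare the two handlers: True if the read succeeds."""
    try:
        handler(user, order_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    # bob requesting alice's order 1001: only the vulnerable handler returns it.
    print("vulnerable handler leaks cross-user read:", can_read(get_order_vulnerable, "bob", 1001))
    print("hardened handler blocks cross-user read:", not can_read(get_order_secure, "bob", 1001))
    print("alice's own orders:", [o.order_id for o in list_orders_secure("alice")])
```

The design point is that the ownership predicate lives in the data access path itself, not in a check that a later refactor can forget; the identity comes from the session, and the client-supplied ID is only ever combined with it.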

607 · MCQ · medium

A cloud provider's data center is located in Country A, but the customer's data is subject to litigation in Country B. The court in Country B orders the cloud provider to produce data. The cloud provider refuses, citing Country A's laws that prohibit disclosure. This situation best illustrates which challenge in eDiscovery?

A. Data portability
B. Jurisdiction issues
C. Data preservation
D. Forensic soundness
Answer: B

This demonstrates conflicting legal requirements across jurisdictions.

Why this answer

Jurisdictional issues arise when data is stored in multiple legal jurisdictions, and courts in one country may not have authority over data in another, leading to conflicts of law.

608 · Multi-Select · medium

A development team builds a serverless application using AWS Lambda. The security team wants to prevent hardcoded credentials. Which TWO methods should they enforce for secure secrets management?

Select 2 answers
A. Store secrets in environment variables in plain text
B. Assign an IAM role to the Lambda function and retrieve temporary credentials via the AWS SDK
C. Embed secrets directly in the Lambda function code but encrypt the code
D. Use a third-party secrets manager with a hardcoded API key in the code
E. Use AWS Systems Manager Parameter Store with KMS encryption
Answers: B, E

Correct. IAM roles provide temporary credentials without hardcoding.

Why this answer

Using cloud-native secret managers and IAM roles is a secure way to manage secrets without hardcoding them. AWS Systems Manager Parameter Store (with KMS encryption) acts as a secret manager, and Lambda execution roles eliminate the need for embedded credentials.

609 · MCQ · easy

A company wants to ensure that its cloud infrastructure can automatically add capacity during traffic spikes and remove capacity during low demand. Which cloud characteristic is primarily needed?

A. Broad network access
B. Measured service
C. Rapid elasticity
D. Resource pooling
Answer: C

Correct: Allows automatic scaling of resources.

Why this answer

Rapid elasticity is the cloud characteristic that enables automatic scaling of resources up or down in response to demand, often leveraging orchestration tools like AWS Auto Scaling or Azure VM Scale Sets. This ensures that capacity matches workload spikes and troughs without manual intervention, directly addressing the requirement for dynamic capacity adjustment.

Exam trap

ISC2 often tests the distinction between rapid elasticity and resource pooling, where candidates mistakenly think that sharing resources (pooling) inherently enables scaling, but pooling is about multi-tenancy, not dynamic capacity adjustment.

How to eliminate wrong answers

Option A is wrong because broad network access refers to the ability to access cloud services over standard network protocols (e.g., HTTPS, SSH) from various devices, not the dynamic scaling of resources. Option B is wrong because measured service involves metering and billing based on usage (e.g., per-hour or per-GB charges), not the automatic adjustment of capacity. Option D is wrong because resource pooling describes the multi-tenant model where physical resources are shared among multiple customers using virtualization, not the elasticity to scale resources on demand.

610 · MCQ · medium

A cloud security team is investigating a data breach in their AWS environment. The logs show that an EC2 instance with an attached IAM role was compromised. The attacker used the instance's temporary credentials to access an S3 bucket containing sensitive data. Which design change would BEST prevent this type of attack in the future?

A. Implement a network ACL that denies all outbound traffic from the EC2 instance to the S3 service.
B. Enable IMDSv2 with a hop limit of 1 on the EC2 instance.
C. Restrict S3 bucket access to the EC2 instance's private IP address only.
D. Disable public access on the S3 bucket using a bucket policy.
Answer: B

IMDSv2 with hop limit 1 prevents the attacker from using the instance as a proxy to retrieve credentials.

Why this answer

Option B is correct because enabling IMDSv2 with a hop limit of 1 forces the EC2 instance to use a session-oriented method to retrieve temporary credentials from the Instance Metadata Service (IMDS). This prevents SSRF attacks or other techniques that trick the instance into leaking its IAM role credentials, as the attacker would need to be on the instance itself to obtain the token. By setting the hop limit to 1, the metadata response is not forwarded beyond the instance's network interface, blocking remote access to the credentials.

Exam trap

ISC2 often tests the distinction between IMDSv1 (which is vulnerable to SSRF) and IMDSv2 with hop limit enforcement, and the trap here is that candidates mistakenly choose network-level controls (like NACLs or IP restrictions) instead of addressing the metadata service vulnerability that directly enables credential theft.

How to eliminate wrong answers

Option A is wrong because a network ACL denying all outbound traffic to S3 would block legitimate access from the EC2 instance to S3, breaking functionality, and does not address the root cause of credential theft from the instance metadata service. Option C is wrong because S3 bucket policies cannot restrict access based on the EC2 instance's private IP address; S3 uses source IP conditions, but private IPs are not routable over the internet and this approach would not prevent an attacker from using the stolen credentials from another location. Option D is wrong because disabling public access on the S3 bucket does not prevent an attacker who has valid temporary credentials from accessing the bucket; the attacker is using the instance's IAM role permissions, not public access.

611 · MCQ · hard

An organization has a cloud environment with many accounts. They want to prevent any account from using certain services that are not approved (e.g., outside of a defined list). What is the BEST way to enforce this at the organizational level?

A. Configure each account's IAM policy to deny the services.
B. Enable AWS Config rules to detect and disable non-approved services.
C. Apply a service control policy (SCP) that denies the services.
D. Use resource-based policies on each resource to restrict usage.
Answer: C

SCPs are applied at the OU or account level and cannot be overridden by account admins.

Why this answer

Service Control Policies (SCPs) are the correct mechanism because they operate at the organizational level in AWS Organizations, allowing you to centrally define a whitelist or blacklist of services for all member accounts. Unlike IAM policies, SCPs set a permissions boundary that cannot be overridden by account administrators, ensuring that non-approved services are denied across the entire organization. This provides a preventive control that blocks the use of prohibited services before any action can occur.

Exam trap

The trap here is that candidates confuse detective controls (like AWS Config) with preventive controls (like SCPs), or assume that IAM policies applied per account can achieve the same centralized enforcement, missing the fact that SCPs are the only mechanism that cannot be bypassed by account-level administrators.

How to eliminate wrong answers

Option A is wrong because configuring each account's IAM policy individually is not an organizational-level enforcement; it is decentralized, error-prone, and can be overridden by account administrators with full IAM permissions. Option B is wrong because AWS Config rules are detective controls that can only detect and report non-compliant resources, not prevent their creation or usage; they cannot disable services in real time. Option D is wrong because resource-based policies are attached to individual resources (e.g., S3 buckets, KMS keys) and cannot restrict the use of entire services or apply at the organizational level across all accounts.

612 · Multi-Select · medium

A cloud security team is implementing a data discovery and classification program for their SaaS applications. Which TWO statements accurately describe best practices for data classification in the cloud?

Select 2 answers
A. Manual classification by users is more accurate than automated methods in large-scale cloud environments.
B. Tokenization can replace data classification by eliminating the need to identify sensitive data.
C. Automated tools can scan cloud storage and apply classification labels based on content inspection.
D. Data loss prevention (DLP) policies can enforce classification by monitoring and controlling data in motion and at rest.
E. Data classification labels must be applied by the cloud service provider to ensure consistency.
Answers: C, D

Correct: Automated tools are effective for identifying and labeling sensitive data across cloud environments.

Why this answer

Automated tools can efficiently scan cloud storage for sensitive data, and DLP policies can enforce classification during data usage. Manual classification is not more accurate than automated for large-scale cloud data, classification labels are not solely applied by the provider, and tokenization is a separate technique.

613 · MCQ · medium

A company's security team is investigating an anomalous spike in outbound traffic from a cloud workload. The workload is a web server running in an IaaS environment. The team suspects data exfiltration. Which of the following is the BEST initial step to identify the source and type of traffic?

A. Immediately isolate the workload by blocking all outbound traffic in the security group.
B. Deploy a host-based intrusion detection system (HIDS) agent on the workload.
C. Run a vulnerability scanner against the workload to identify possible entry points.
D. Enable VPC flow logs for the subnet hosting the workload and analyze the logs.
Answer: D

VPC flow logs provide network-level visibility and can quickly show anomalous outbound connections without requiring agent installation.

Why this answer

Option D is correct because VPC flow logs capture metadata about all IP traffic to and from network interfaces in a subnet, including source/destination IPs, ports, protocols, and packet/byte counts. Analyzing these logs allows the security team to identify the external destination IPs and ports involved in the anomalous outbound traffic, which is the fastest way to pinpoint the source workload and characterize the exfiltration pattern without disrupting service or requiring agent deployment.
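The analysis step described above, as an added example that is not part of the question bank: a few VPC flow log records in the default field order are parsed, and accepted egress from the suspected web server to destinations outside the VPC is totalled per destination/port/protocol so the largest external sink stands out. The log lines, the VPC CIDR (10.0.0.0/16), the workload address (10.0.1.25), the ENI and account IDs are all constructed for the demo.

```python
"""Added example (not from the question bank): triage of VPC flow log records to
characterise an outbound spike. The lines below are constructed in the default
AWS flow log field order; the IPs, ENI ID and account ID are hypothetical."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed VPC range (constructed)
WORKLOAD_IP = "10.0.1.25"                       # suspected web server (constructed)

# Default flow log field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_LOG = """\
2 123456789012 eni-0abc 10.0.1.25 203.0.113.77 54321 443 6 900 1200000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc 10.0.1.25 203.0.113.77 54322 443 6 950 1300000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0abc 10.0.1.25 198.51.100.9 54400 80 6 10 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc 10.0.1.25 10.0.2.40 54500 5432 6 300 90000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc 192.0.2.10 10.0.1.25 40000 443 6 20 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc 10.0.1.25 192.0.2.99 54600 22 6 5 600 1700000000 1700000060 REJECT OK
"""

FlowKey = Tuple[str, int, int]  # (destination IP, destination port, IP protocol number)


def parse_flow_records(text: str) -> List[dict]:
    """Parse default-format flow log lines; drop malformed lines and NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK":
            continue
        records.append({
            "src": f[3], "dst": f[4], "srcport": int(f[5]), "dstport": int(f[6]),
            "proto": int(f[7]), "packets": int(f[8]), "bytes": int(f[9]), "action": f[12],
        })
    return records


def egress_by_destination(records: List[dict], source_ip: str,
                          vpc_cidr: ipaddress.IPv4Network) -> Dict[FlowKey, int]:
    """Sum bytes of ACCEPTed flows leaving source_ip for destinations outside the VPC.
    Inbound flows, rejected flows and east-west traffic inside the VPC are excluded."""
    totals: Dict[FlowKey, int] = defaultdict(int)
    for r in records:
        if r["src"] != source_ip or r["action"] != "ACCEPT":
            continue
        if ipaddress.ip_address(r["dst"]) in vpc_cidr:
            continue
        totals[(r["dst"], r["dstport"], r["proto"])] += r["bytes"]
    return dict(totals)


def top_egress_destinations(records: List[dict], source_ip: str,
                            vpc_cidr: ipaddress.IPv4Network,
                            min_bytes: int = 1_000_000) -> List[Tuple[str, int, int, int]]:
    """External destinations that received at least min_bytes, largest first."""
    totals = egress_by_destination(records, source_ip, vpc_cidr)
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(dst, port, proto, b) for (dst, port, proto), b in ranked if b >= min_bytes]


if __name__ == "__main__":
    recs = parse_flow_records(SAMPLE_LOG)
    for dst, port, proto, total in top_egress_destinations(recs, WORKLOAD_IP, VPC_CIDR):
        print(f"{WORKLOAD_IP} -> {dst}:{port}/proto {proto}: {total} bytes")
```

The byte threshold and the "outside the VPC" filter are the two knobs an analyst tunes: lowering the threshold shows the long tail, while removing the CIDR filter brings east-west flows (the 10.0.2.40:5432 database connection here) back into view.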

Exam trap

ISC2 often tests the distinction between investigative actions and reactive containment; the trap here is that candidates may choose immediate isolation (Option A) as a 'best first step' when the question explicitly asks for the step to 'identify the source and type of traffic,' not to stop it.

How to eliminate wrong answers

Option A is wrong because immediately blocking all outbound traffic via security group is a reactive containment step, not an investigative one; it would halt all egress, potentially breaking legitimate services and destroying forensic evidence of the exfiltration path. Option B is wrong because deploying a HIDS agent is a proactive monitoring measure that requires installation time and may not capture the current traffic burst; it also does not provide immediate visibility into the network-level flow details needed to identify the exfiltration destination. Option C is wrong because running a vulnerability scanner identifies potential entry points but does not reveal current outbound traffic patterns or the specific data being exfiltrated; it is a post-incident forensic step, not an initial investigative action.

614 · MCQ · medium

A cloud operations team manages a critical application on AWS that uses EC2 instances behind an Application Load Balancer (ALB). The application experiences occasional high latency and timeout errors. The team has enabled detailed monitoring and CloudWatch Logs. They notice that during peak hours, the CPU utilization on some instances reaches 95%, while others remain around 40%. The security group allows traffic from a wide range of IP addresses. The team needs to improve both performance and security. Which of the following actions would BEST address the performance imbalance and also enhance security posture?

A. Schedule a periodic cron job to launch additional instances during expected peak hours and configure the ALB to use sticky sessions.
B. Create an auto scaling group with a dynamic scaling policy based on average CPU utilization, change the ALB to a Network Load Balancer for lower latency, and restrict the security group rules to the minimal required IP addresses.
C. Increase the instance size to a larger type that can handle peak loads and reduce the security group to allow only known IP ranges.
D. Replace the ALB with a Classic Load Balancer and configure it to use round-robin routing without health checks to balance traffic quickly.
Answer: B

Dynamic auto scaling adjusts capacity based on load, NLB provides lower latency, and restricting security groups enhances security.

Why this answer

Option B is correct because implementing an auto scaling policy based on CPU and swapping the ALB to a Network Load Balancer (NLB) for better performance, combined with tightening security group rules, addresses both issues. Option C is wrong because increasing instance size is not a dynamic solution and does not help with the imbalance. Option A is wrong because scheduling scaling based on time may not align with unpredictable traffic.

Option D is wrong because a Classic Load Balancer is older and less capable; also, round-robin without considering load may not fix the imbalance.

615 · MCQ · medium

A company is designing a data retention policy for cloud storage. Regulatory requirements mandate that certain records be kept for 7 years and then securely destroyed. Which combination of controls should be used?

A. Lifecycle policy and secure deletion
B. Data masking and encryption
C. Versioning and MFA delete
D. Lifecycle policy and object lock
Answer: A

Lifecycle policy automates deletion; cloud providers ensure secure deletion.

Why this answer

A lifecycle policy automates the transition and expiration of objects, allowing you to set a rule to delete objects after 7 years. Secure deletion (e.g., overwriting or cryptographic erasure) ensures the data is irrecoverable, meeting the regulatory requirement for secure destruction. Together, they provide a fully automated, auditable process for retention and destruction.

Exam trap

ISC2 often tests the distinction between 'preventing deletion' (object lock) and 'ensuring secure destruction' (secure deletion), leading candidates to choose object lock because it sounds like it handles retention, but it does not guarantee irrecoverable deletion after the retention period ends.

How to eliminate wrong answers

Option B is wrong because data masking and encryption protect data at rest or in use but do not automate deletion or ensure secure destruction after a retention period. Option C is wrong because versioning preserves multiple versions of an object, which could prevent complete deletion, and MFA delete only adds an extra authentication step to deletion operations, not secure destruction. Option D is wrong because object lock enforces a write-once-read-many (WORM) model that prevents deletion or modification during a retention period, but it does not provide secure deletion (e.g., overwriting or cryptographic erasure) after the lock expires; it only allows normal deletion, which may leave recoverable data.

616 · Matching · medium

Match each cloud security tool to its primary purpose.


Concepts:
Cloud security posture management
Cloud workload protection platform
Cloud access security broker
Security information and event management

Why these pairings

These tools address different aspects of cloud security; CSPM focuses on configuration, CWPP on workloads.

617 · MCQ · medium

A security team is implementing a web application firewall (WAF) for a cloud-based e-commerce application. The application is built on a microservices architecture and uses a RESTful API. Which of the following is the PRIMARY reason to deploy the WAF at the API gateway level rather than at the individual service level?

A. To provide centralized protection against common web exploits before traffic reaches the microservices.
B. To reduce latency by caching responses at the API gateway.
C. To offload authentication from the microservices to the API gateway.
D. To monitor API usage and detect anomalies in traffic patterns.
Answer: A

Centralized WAF at the API gateway ensures consistent policy enforcement and reduces attack surface.

Why this answer

Deploying the WAF at the API gateway provides a centralized security enforcement point that inspects and filters all incoming HTTP/HTTPS traffic before it is routed to any individual microservice. This ensures that common web exploits—such as SQL injection, cross-site scripting (XSS), and OWASP Top 10 attacks—are blocked at the perimeter, reducing the attack surface and preventing malicious payloads from ever reaching the internal services. It also simplifies policy management and avoids the need to configure and maintain separate WAF instances for each microservice, which would introduce operational complexity and potential gaps in coverage.

Exam trap

The trap here is that candidates confuse the WAF's primary security purpose (centralized exploit prevention) with other common API gateway features like caching, authentication offloading, or traffic monitoring, leading them to select a technically valid but non-primary reason for WAF placement.

How to eliminate wrong answers

Option B is wrong because caching responses at the API gateway is a performance optimization, not a primary security reason for deploying a WAF; WAFs do not inherently cache responses, and caching is typically handled by a separate reverse proxy or CDN. Option C is wrong because offloading authentication to the API gateway is an identity and access management function, not a WAF function; while an API gateway can handle authentication, a WAF's primary role is to inspect and filter traffic for malicious content, not to authenticate users. Option D is wrong because monitoring API usage and detecting anomalies in traffic patterns is typically the responsibility of an API management platform or a dedicated security analytics tool, not the core function of a WAF; a WAF focuses on blocking known attack signatures and behavioral anomalies, but its primary deployment reason is centralized threat protection, not monitoring alone.

618 · Multi-Select · medium

Which THREE of the following are recommended practices for securing cloud application APIs? (Select three.)

Select 3 answers
A. Validate and sanitize all user inputs
B. Expose all API endpoints automatically for transparency
C. Allow mass assignment for ease of development
D. Implement rate limiting to prevent abuse
E. Apply least privilege to API keys and roles
Answers: A, D, E

Input validation prevents injection attacks.

Why this answer

Rate limiting, input validation, and least privilege are key API security practices. Mass assignment is a vulnerability to avoid, not a practice, and exposing all endpoints is contrary to security.

619 · MCQ · medium

A healthcare provider is subject to HIPAA regulations. They are planning to use a public cloud provider. Which design consideration is most important to ensure compliance?

A. Containerization
B. Cost optimization
C. Multi-cloud strategy
D. Data residency
Answer: D

Data residency ensures data is stored in approved locations, meeting HIPAA requirements.

Why this answer

Data residency is the most critical design consideration for a healthcare provider subject to HIPAA when using a public cloud, because HIPAA requires that protected health information (PHI) be stored and processed only in jurisdictions where the cloud provider can guarantee compliance with the HIPAA Privacy and Security Rules. If the cloud provider replicates data across regions or countries without explicit control, the organization may violate the HIPAA requirement to ensure that PHI is not exposed to unauthorized access or disclosure, and may also breach the Breach Notification Rule if data crosses borders into regions with weaker protections.

Exam trap

ISC2 often tests the misconception that technical controls like containerization or multi-cloud strategies are primary compliance tools, when in reality, foundational legal and geographic controls like data residency are the first and most critical step for regulated data in the cloud.

How to eliminate wrong answers

Option A is wrong because containerization (e.g., Docker, Kubernetes) is a deployment and isolation technology that does not inherently address data location, access controls, or compliance with HIPAA's administrative, physical, and technical safeguards; it is a means to package applications, not a compliance mechanism. Option B is wrong because cost optimization focuses on reducing cloud spending, which is irrelevant to HIPAA's core requirements for protecting PHI; prioritizing cost over compliance could lead to using cheaper, non-compliant storage or processing regions. Option C is wrong because a multi-cloud strategy involves using multiple cloud providers, which can increase complexity and risk of non-compliance if data residency and data flow across providers are not meticulously controlled; it does not directly ensure that PHI remains in compliant jurisdictions.

620 · Multi-Select · easy

Which TWO of the following are valid data states that must be protected in cloud computing?

Select 2 answers
A. Data encryption
B. Data at rest
C. Data in transit
D. Data integrity
E. Data in database
Answers: B, C

Data at rest is a standard state requiring protection.

Why this answer

In cloud computing, data exists in three primary states: at rest (stored on disk or in memory), in transit (moving across networks), and in use (being processed). The CCSP exam specifically identifies 'data at rest' and 'data in transit' as the two fundamental data states that require protection through encryption, access controls, and integrity mechanisms. Option B is correct because data at rest refers to inactive data stored physically on any digital device, such as databases, backups, or archives, and must be safeguarded against unauthorized access or theft.

Exam trap

ISC2 often tests the distinction between security controls (like encryption or integrity) and the actual data states that must be protected, causing candidates to confuse a protection mechanism with a state classification.

621 · Multi-Select · hard

A company is implementing a cloud risk management program. Which THREE of the following are essential components of a risk assessment according to NIST SP 800-30?

Select 3 answers
A. Control implementation
B. Risk determination
C. Threat identification
D. Impact analysis
E. Vulnerability scanning
Answers: B, C, D

Determining risk level based on likelihood and impact is an essential component.

Why this answer

NIST SP 800-30 risk assessment includes threat identification, impact analysis, and risk determination. Vulnerability scanning is a method used to identify vulnerabilities, not a component of the assessment itself. Control implementation is part of risk mitigation.

622
MCQ · medium

A multinational corporation operates across multiple cloud providers (AWS, Azure, GCP) and uses a variety of data storage services. They have a requirement to enforce a consistent encryption policy across all providers: all data at rest must be encrypted using a centrally managed key that is rotated every 90 days. The cloud security team is evaluating different key management solutions. They want to minimize operational overhead and avoid vendor lock-in. The team has experience with configuring cloud-native key management services (KMS) but is concerned about managing keys across different regions and providers. Which solution best meets the requirements?

A. Deploy a third-party cloud-agnostic key management solution that supports BYOK and integrates with all providers' KMS
B. Use each cloud provider's native KMS and create identical key policies manually
C. Store the key in an internal secrets manager and configure each provider's KMS to use that key as a root key
D. Implement client-side encryption using a single master key stored in the application configuration
Answer: A

Centralized policy management and consistent enforcement, with reduced vendor lock-in.

Why this answer

Option A is correct because a third-party cloud-agnostic key management solution (e.g., HashiCorp Vault, Thales CipherTrust) that supports Bring Your Own Key (BYOK) allows the organization to centrally manage and rotate a single root key every 90 days, while integrating with each provider's native KMS via external key stores (e.g., AWS KMS custom key store, Azure Key Vault managed HSM, GCP Cloud HSM). This minimizes operational overhead by avoiding manual per-provider policy replication and prevents vendor lock-in by decoupling key management from any single cloud provider's proprietary KMS.

Exam trap

ISC2 often tests the misconception that cloud-native KMS services can be centrally managed by simply replicating policies or using an internal secrets manager as a root key, but the trap is that cloud KMS does not allow external key material to be used as a root key for automatic rotation across providers—only a third-party agnostic solution with BYOK can enforce consistent, centrally controlled rotation.

How to eliminate wrong answers

Option B is wrong because manually creating identical key policies across AWS, Azure, and GCP KMS does not centralize key management; each provider's KMS would still use its own independent key material, making consistent rotation every 90 days operationally complex and error-prone. Option C is wrong because storing the key in an internal secrets manager and configuring each provider's KMS to use that key as a root key is technically infeasible—cloud-native KMS services do not accept external keys as root keys; they require keys to be imported as customer-managed keys (CMKs) but still manage them independently, and the secrets manager cannot enforce rotation across all providers' KMS. Option D is wrong because client-side encryption using a single master key stored in application configuration violates the requirement for centrally managed key rotation (the key would be static in config files) and introduces significant security risks, such as key exposure in code repositories or configuration management systems.

623
MCQ · medium

A security team needs to implement automated remediation for non-compliant resources in AWS. They want to automatically fix public S3 bucket policies. Which combination of services should be used?

A. AWS CloudTrail and AWS Lambda
B. Amazon GuardDuty and AWS Step Functions
C. AWS Security Hub and Amazon Inspector
D. AWS Config and AWS Lambda
Answer: D

Config evaluates rules and can trigger Lambda for auto-remediation.

Why this answer

AWS Config rules can evaluate resources, and when a rule is non-compliant, an AWS Config rule can invoke a Lambda function for remediation.

624
MCQ · easy

A DevOps team is building a container image for a cloud-native application. To minimize the attack surface and reduce the number of vulnerabilities, which type of base image should they use?

A. A full distribution image like Ubuntu
B. An Alpine-based image
C. A distroless image
D. The 'latest' tag of any official image
Answer: C

Distroless images contain only the necessary runtime files, reducing attack surface.

Why this answer

Distroless images contain only the application and its runtime dependencies, removing package managers, shells, and other utilities that could be exploited. This reduces the attack surface significantly.

625
MCQ · medium

A cloud security engineer needs to de-identify a dataset containing credit card numbers before sharing it with a third-party analytics team. The engineer wants to replace each credit card number with a unique token that can be used for correlation but cannot be reversed to obtain the original number. Which de-identification technique should be used?

A. Tokenization
B. Pseudonymisation
C. Masking
D. Bucketing
Answer: A

Tokenization provides a non-reversible substitute for the original data.

Why this answer

Tokenization replaces sensitive data with a non-reversible token, preserving the ability to correlate records without exposing the original values.

626
Multi-Select · easy

Which TWO of the following are essential characteristics of cloud computing as defined by NIST SP 800-145?

Select 2 answers
A. Measured service
B. Multitenancy
C. Virtualization
D. Auditability
E. Resource pooling
Answers: A, E

Correct; usage is metered and optimized.

Why this answer

NIST defines five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Measured service and resource pooling are correct; multitenancy and virtualization are enablers, not characteristics.

627
MCQ · hard

A multi-tier web application is deployed across two VPCs connected via VPC peering. The web tier in VPC A must communicate with the database tier in VPC B on port 3306. Security groups are used for instance-level security. Which security group configuration is MOST secure?

A. In the database security group, add an inbound rule allowing TCP/3306 from the security group ID of the web servers.
B. Configure a VPN connection between VPCs and use route tables to direct traffic.
C. In the network ACL for VPC B's subnet, add an inbound rule allowing TCP/3306 from VPC A CIDR.
D. In the database security group, add an inbound rule allowing TCP/3306 from the VPC A CIDR.
Answer: A

Security group referencing ensures only instances in the web security group can connect.

Why this answer

The most secure approach is to allow inbound traffic to the database security group from the web server security group by referencing its ID (security group ID). This ensures that only instances in the web server security group can reach the database, regardless of IP changes. Option D is less secure because any instance in the VPC A CIDR range could connect.

Option A is correct. Options B and C involve routing or network ACLs, which are not instance-level controls.

628
MCQ · medium

A cloud application allows users to upload profile pictures that are stored in Azure Blob Storage. Which vulnerability is most likely if the application does not validate the content type or size of uploaded files?

A. Unrestricted File Upload
B. Server-Side Request Forgery (SSRF)
C. Mass Assignment
D. Broken Object Level Authorization (BOLA)
Answer: A

Unrestricted file upload can lead to remote code execution if dangerous file types are allowed.

Why this answer

Without validation, an attacker could upload a malicious file (e.g., a web shell) that could be executed on the server, leading to remote code execution.

629
Multi-Select · medium

A security team is enhancing logging in AWS to capture detailed data events for S3 buckets. Which TWO of the following should be enabled to achieve comprehensive monitoring of S3 data access? (Choose two.)

Select 2 answers
A. S3 server access logs
B. AWS CloudTrail data events for S3
C. AWS Config
D. VPC Flow Logs
E. Amazon GuardDuty
Answers: A, B

S3 access logs provide detailed records of requests made to S3.

Why this answer

S3 server access logs provide detailed records of requests made to an S3 bucket, including the requester, bucket name, request time, action, and response status. This is essential for auditing all data access events at the object level, such as GET, PUT, and DELETE operations, directly from the S3 service. Option B is correct because CloudTrail data events record object-level API calls (GetObject, PutObject, DeleteObject) together with the calling IAM identity, and they can be delivered to CloudWatch Logs or an S3 bucket for alerting and retention.

Exam trap

Cisco often tests the distinction between configuration auditing (AWS Config) and data access logging (S3 server access logs and CloudTrail data events), leading candidates to incorrectly select AWS Config for monitoring data access instead of actual log sources.
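The parser and detections below are an added example for this question, not code from the page or from AWS: they split constructed S3 server access log records (placeholder owner id, RFC 5737 test addresses) into named fields and flag the two conditions a reviewer of such logs looks for first, anonymous object reads that succeeded and repeated AccessDenied responses from one source.

```python
"""Parser and two detections for S3 server access log records, added as an
example for question 629. The lines below are constructed samples laid out in
the S3 server access log field order (not records from any real bucket);
fields beyond version_id are kept as a raw list rather than named."""
import re
from collections import Counter

# Leading fields of a server access log record, in documented order.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turnaround_time",
    "referer", "user_agent", "version_id",
]

# One token is a [bracketed time], a "quoted string" or a bare word.
_TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

# Constructed sample records (placeholder owner id, RFC 5737 test addresses).
CONSTRUCTED_LINES = [
    # 1: anonymous GET of an object that succeeded, i.e. the object is readable without credentials
    '79a59df9 example-bucket [10/Mar/2024:12:00:01 +0000] 198.51.100.7 - 3E57427F3EXAMPLE REST.GET.OBJECT docs/report.pdf "GET /docs/report.pdf HTTP/1.1" 200 - 524288 524288 45 12 "-" "curl/8.4.0" - - - ECDHE-RSA-AES128-GCM-SHA256 - example-bucket.s3.amazonaws.com TLSv1.2 - -',
    # 2: authenticated upload by an IAM user, nothing unusual
    '79a59df9 example-bucket [10/Mar/2024:12:00:05 +0000] 203.0.113.9 arn:aws:iam::111122223333:user/uploader 7B4A0FABBEXAMPLE REST.PUT.OBJECT docs/new.pdf "PUT /docs/new.pdf HTTP/1.1" 200 - - 10240 30 8 "-" "aws-cli/2.15.0" - - SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.amazonaws.com TLSv1.3 - -',
    # 3-5: anonymous bucket listings denied three times from the same source
    '79a59df9 example-bucket [10/Mar/2024:12:01:10 +0000] 198.51.100.7 - A1B2C3D4EXAMPLE REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 403 AccessDenied 243 - 9 - "-" "python-requests/2.31" - - - ECDHE-RSA-AES128-GCM-SHA256 - example-bucket.s3.amazonaws.com TLSv1.2 - -',
    '79a59df9 example-bucket [10/Mar/2024:12:01:11 +0000] 198.51.100.7 - A1B2C3D5EXAMPLE REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 403 AccessDenied 243 - 9 - "-" "python-requests/2.31" - - - ECDHE-RSA-AES128-GCM-SHA256 - example-bucket.s3.amazonaws.com TLSv1.2 - -',
    '79a59df9 example-bucket [10/Mar/2024:12:01:12 +0000] 198.51.100.7 - A1B2C3D6EXAMPLE REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 403 AccessDenied 243 - 9 - "-" "python-requests/2.31" - - - ECDHE-RSA-AES128-GCM-SHA256 - example-bucket.s3.amazonaws.com TLSv1.2 - -',
]


def parse_record(line: str) -> dict:
    """Split one record into named fields; raises on a truncated line."""
    tokens = _TOKEN.findall(line)
    if len(tokens) < len(FIELDS):
        raise ValueError(f"expected at least {len(FIELDS)} fields, got {len(tokens)}")
    rec = dict(zip(FIELDS, tokens))
    rec["time"] = rec["time"][1:-1]                      # strip the [ ]
    for name in ("request_uri", "referer", "user_agent"):
        rec[name] = rec[name][1:-1]                      # strip the quotes
    rec["http_status"] = int(rec["http_status"])
    rec["extra"] = tokens[len(FIELDS):]                  # host id, auth type, TLS, ...
    return rec


def anonymous_object_reads(records):
    """Successful object reads with no authenticated requester ('-'):
    direct evidence that the object is reachable without credentials."""
    return [r for r in records
            if r["requester"] == "-" and r["operation"] == "REST.GET.OBJECT"
            and 200 <= r["http_status"] < 300]


def access_denied_sources(records, threshold=3):
    """Remote IPs with at least `threshold` AccessDenied responses, a common
    sign of someone probing bucket permissions."""
    hits = Counter(r["remote_ip"] for r in records if r["error_code"] == "AccessDenied")
    return {ip: n for ip, n in hits.items() if n >= threshold}


def analyse(lines):
    """Parse all lines and return a summary of both detections."""
    records = [parse_record(line) for line in lines]
    return {
        "records": len(records),
        "public_reads": [r["key"] for r in anonymous_object_reads(records)],
        "probing": access_denied_sources(records),
    }


if __name__ == "__main__":
    print(analyse(CONSTRUCTED_LINES))
```

Server access logs are delivered on a best-effort basis, which is one reason the question pairs them with CloudTrail data events rather than relying on either source alone.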

630
MCQ · medium

A cloud customer wants to ensure that their data is not accessible to the cloud provider's employees. Which of the following controls would best address this requirement?

A. Enable detailed audit logging of all data access.
B. Implement strict IAM policies for CSP employees.
C. Encrypt data client-side before uploading to the cloud.
D. Enable server-side encryption with customer-provided keys.
Answer: C

Client-side encryption ensures only the customer holds the decryption keys.

Why this answer

Client-side encryption ensures that data is encrypted before it leaves the customer's environment, so the cloud provider never has access to the plaintext or the encryption keys. This means that even if a cloud provider employee gains administrative access to the storage infrastructure, they can only retrieve ciphertext, which is useless without the customer-held keys. This control directly addresses the requirement of preventing the provider's employees from accessing the data.

Exam trap

ISC2 often tests the distinction between client-side encryption and server-side encryption with customer-provided keys (SSE-C), where candidates mistakenly think SSE-C gives the customer full control over key access, but the provider's server still handles the plaintext during encryption/decryption.

How to eliminate wrong answers

Option A is wrong because audit logging only records who accessed data and when, but does not prevent access by cloud provider employees. Option B is wrong because IAM policies for CSP employees are managed by the provider, not the customer, and the customer cannot enforce or verify those policies to guarantee data inaccessibility. Option D is wrong because server-side encryption with customer-provided keys (SSE-C) still involves the cloud provider's server performing the encryption/decryption, meaning the plaintext is exposed to the provider's infrastructure during processing, and the provider's employees could potentially access the data if they have administrative privileges to the key management or storage systems.

631
MCQ · medium

A financial services company is migrating to the cloud and must retain transaction records for seven years for regulatory compliance. They plan to use object storage with lifecycle policies. What is the most secure configuration for long-term data retention?

A. Configure a lifecycle policy to transition to archive storage after seven years
B. Enable object lock with retention mode set to compliance
C. Store objects in write-once-read-many (WORM) storage class
D. Use server-side encryption with KMS key
Answer: B

Compliance lock prevents any deletion or modification until the retention period expires.

Why this answer

Option B is correct because Object Lock with compliance retention mode provides the strongest guarantee against data modification or deletion, even by root users. This mode ensures that once an object is written, it cannot be overwritten or deleted until the retention period expires, which is critical for meeting the seven-year regulatory retention requirement. Unlike other options, compliance mode enforces a legal hold that cannot be removed by any user, including cloud administrators, making it the most secure configuration for immutable long-term retention.

Exam trap

ISC2 often tests the distinction between data protection mechanisms (encryption, lifecycle policies) and data immutability (Object Lock with compliance mode), leading candidates to choose encryption or archive transitions as sufficient for retention requirements.

How to eliminate wrong answers

Option A is wrong because transitioning to archive storage after seven years does not prevent deletion or modification during the retention period; lifecycle policies only move data between tiers but do not enforce immutability, so records could be altered or deleted before the seven-year mark. Option C is wrong because while WORM storage classes (e.g., S3 Glacier Instant Retrieval with Object Lock) can provide immutability, the term 'WORM storage class' is ambiguous and not a specific service; the correct implementation requires Object Lock with a retention mode, not just a storage class. Option D is wrong because server-side encryption with KMS key protects data at rest and in transit but does not prevent deletion or overwriting of objects; encryption alone does not enforce retention or immutability, so records could still be deleted before seven years.

632
Multi-Select · medium

A security team is implementing container image scanning in a CI pipeline. Which TWO of the following actions should be performed? (Select TWO)

Select 2 answers
A. Disable scanning to speed up the pipeline
B. Scan the image before pushing to the registry
C. Scan the image after deployment to production
D. Sign the image to ensure integrity
E. Scan the image only if it is based on a public base image
Answers: B, D

Scanning before push prevents vulnerable images from being stored.

Why this answer

Scanning the image before pushing to a registry prevents vulnerable images from being stored. Signing images ensures integrity and authenticity, preventing tampered images from being deployed.

633
MCQ · medium

A company uses a cloud database that stores customer financial information. To ensure compliance with PCI DSS, which control is required?

A. Encryption of cardholder data stored in the database
B. Network segmentation between the database and other systems
C. Annual external vulnerability scans of the database
D. Multi-factor authentication for database administrators
Answer: A

PCI DSS requires encryption of stored cardholder data.

Why this answer

PCI DSS Requirement 3.4 specifically mandates that stored cardholder data must be rendered unreadable anywhere it is stored, including in cloud databases. Encryption at rest (e.g., AES-256) is the primary control to achieve this, as it directly protects the confidentiality of Primary Account Numbers (PANs) if the storage layer is compromised. Without encryption, the data remains in clear text, violating PCI DSS compliance.

Exam trap

ISC2 often tests the distinction between required controls (e.g., encryption for data at rest) and recommended or supporting controls (e.g., network segmentation, MFA, vulnerability scans), leading candidates to pick a broader security measure that is not the specific PCI DSS mandate for stored data.

How to eliminate wrong answers

Option B is wrong because network segmentation is a recommended security practice (PCI DSS Requirement 1) but is not a required control specifically for stored data; it addresses scope reduction, not the direct protection of cardholder data at rest. Option C is wrong because annual external vulnerability scans (PCI DSS Requirement 11.2) are required for internet-facing systems, but they are a detection control, not a required control for protecting stored data; they do not render data unreadable. Option D is wrong because multi-factor authentication for database administrators (PCI DSS Requirement 8.3) is required for administrative access to systems handling cardholder data, but it is an access control, not a direct requirement for protecting the stored data itself; encryption is the specific mandate for data at rest.

634
MCQ · easy

A cloud security team wants to integrate security testing early in the development lifecycle to reduce vulnerabilities. Which approach best describes this concept?

A. Runtime application self-protection (RASP)
B. Software bill of materials (SBOM)
C. Web application firewall (WAF)
D. Shift-left security
Answer: D

Shift-left security refers to integrating security early in the SDLC, which aligns with the question.

Why this answer

Shift-left security is the practice of integrating security testing and controls early in the software development lifecycle (SDLC), such as during design and coding phases, rather than waiting until deployment. This proactive approach reduces vulnerabilities by catching flaws when they are cheaper and easier to fix, aligning with DevSecOps principles.

Exam trap

Cisco often tests the distinction between runtime controls (RASP, WAF) and lifecycle integration practices (shift-left), so candidates mistakenly choose a runtime tool because they associate 'security testing' with active monitoring rather than early development phases.

How to eliminate wrong answers

Option A is wrong because Runtime Application Self-Protection (RASP) is a runtime security technology that monitors and blocks attacks from within the application during execution, not an early lifecycle integration approach. Option B is wrong because a Software Bill of Materials (SBOM) is a formal inventory of software components and dependencies, used for supply chain risk management and vulnerability tracking, not for shifting security left in the development process. Option C is wrong because a Web Application Firewall (WAF) is a network-level security control that filters HTTP traffic to protect applications in production, operating at runtime rather than early in the SDLC.

635
MCQ · hard

A security architect applies the above bucket policy to an Amazon S3 bucket containing sensitive data. What is the net effect of this policy?

A. It denies all PutObject requests, regardless of encryption.
B. It denies all PutObject requests that do not specify an encryption header, enforcing encryption at rest.
C. It allows only PutObject requests using SSE-KMS (AWS KMS managed keys).
D. It allows PutObject requests only from principals that use an IAM role with encryption permissions.
Answer: B

Correct: The Deny with Null condition blocks requests where the encryption header is null (missing), thus requiring encryption.

Why this answer

The bucket policy uses a condition key `s3:x-amz-server-side-encryption` with a `StringNotEquals` condition to deny `PutObject` requests that do not include the `x-amz-server-side-encryption` header set to `AES256`. This effectively denies any upload that does not specify server-side encryption with S3-Managed Keys (SSE-S3), enforcing encryption at rest for all objects written to the bucket.

Exam trap

ISC2 often tests the distinction between SSE-S3 (`AES256`) and SSE-KMS (`aws:kms`) in bucket policy conditions, leading candidates to confuse the required header value and incorrectly select an option involving KMS.

How to eliminate wrong answers

Option A is wrong because the policy does not deny all PutObject requests; it only denies those that lack the required encryption header, so requests that include the correct encryption header are allowed. Option C is wrong because the policy requires the encryption header value `AES256`, which corresponds to SSE-S3, not SSE-KMS (which would require `aws:kms`). Option D is wrong because the policy does not reference IAM roles or encryption permissions; it only checks for the presence and value of the encryption header, regardless of the principal's IAM role.
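The bucket policy this question refers to is not reproduced on the page. The evaluator below is an added, constructed illustration (not the question's policy and not AWS code) that models the two condition operators the explanations mention, `StringNotEquals` and `Null`, and shows how each treats a missing header, `aws:kms` and `AES256`; the bucket name is a placeholder.

```python
"""Mini evaluator for the S3 bucket-policy pattern described in question 635.

Constructed illustration, not the policy from the question: it models only the
two IAM condition operators that matter here (StringNotEquals and Null) and the
explicit-Deny logic of a bucket policy for a single action.
"""
import json

# Constructed policy matching the 'Why this answer' text: deny PutObject unless
# the request carries x-amz-server-side-encryption: AES256 (SSE-S3).
DENY_UNENCRYPTED_PUT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPutWithoutSSES3",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-bucket/*",  # placeholder bucket name
        "Condition": {
            "StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}
        },
    }],
}

# Variant using the Null operator that the short answer text mentions: it
# denies only when the header is absent, so a wrong value would be accepted.
DENY_MISSING_HEADER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPutWithoutHeader",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-bucket/*",  # placeholder bucket name
        "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
    }],
}


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate a Condition block against the request context keys.

    IAM semantics modelled here:
    * StringNotEquals: a missing key counts as 'not equal', so it matches.
    * Null 'true' matches when the key is absent; 'false' when it is present.
    All operators and keys in the block are ANDed.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringNotEquals":
                if actual is not None and actual == expected:
                    return False
            elif operator == "Null":
                want_absent = str(expected).lower() == "true"
                if (actual is None) != want_absent:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate_put(policy: dict, headers: dict) -> str:
    """Return 'DENY' if any Deny statement on s3:PutObject matches, else 'ALLOW'.

    Only the bucket policy's explicit Deny is modelled; an identity-based Allow
    for PutObject is assumed to exist, so anything not denied is allowed.
    """
    ctx = {}
    sse = headers.get("x-amz-server-side-encryption")
    if sse is not None:                      # header present -> condition key exists
        ctx["s3:x-amz-server-side-encryption"] = sse
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Deny" and "s3:PutObject" in actions:
            if _condition_matches(stmt.get("Condition", {}), ctx):
                return "DENY"
    return "ALLOW"


if __name__ == "__main__":
    for hdrs in ({}, {"x-amz-server-side-encryption": "aws:kms"},
                 {"x-amz-server-side-encryption": "AES256"}):
        print(json.dumps(hdrs), "StringNotEquals ->", evaluate_put(DENY_UNENCRYPTED_PUT, hdrs),
              "| Null ->", evaluate_put(DENY_MISSING_HEADER, hdrs))
```

S3 has applied SSE-S3 to new objects by default since January 2023, but this policy evaluates the request header, so a client that omits it is still denied.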

636
MCQ · medium

A cloud security architect is designing a defense-in-depth strategy for a multi-tenant IaaS environment. Which of the following controls would BEST protect against workload isolation failure due to a hypervisor vulnerability?

A. Perform weekly vulnerability scans of the hypervisor and tenant workloads.
B. Deploy a dedicated virtual firewall instance for each tenant to enforce network segmentation.
C. Apply the latest hypervisor security patches and disable unnecessary services.
D. Use encrypted virtual disks for all tenant virtual machines.
Answer: B

Network segmentation using virtual firewalls provides an additional layer of isolation even if the hypervisor is compromised.

Why this answer

Option B is correct because a dedicated firewall instance for each tenant provides network-level isolation independent of the hypervisor. Option C is wrong because hypervisor hardening is necessary but does not guarantee isolation if a vulnerability exists. Option A is wrong because vulnerability scanning is detective, not preventive. Option D is wrong because, while encryption protects data at rest, it does not prevent a hypervisor escape.

637
MCQ · easy

A cloud application uses a RESTful API that handles payment transactions. The security team identifies that the API is vulnerable to brute-force attacks on the authentication endpoint. Which control should be implemented to mitigate this?

A. Implement rate limiting on the authentication endpoint
B. Require API keys for all requests
C. Use TLS to encrypt the communication channel
D. Add input validation for all parameters
Answer: A

Rate limiting reduces the number of allowed attempts, blocking brute-force attacks.

Why this answer

Rate limiting restricts the number of authentication requests from a single source within a given time window, directly mitigating brute-force attacks by making it infeasible to guess credentials at high speed. This control is specifically designed for authentication endpoints where repeated failed attempts are the primary attack vector, and it is a standard recommendation in OWASP and NIST guidelines for API security.

Exam trap

ISC2 often tests the distinction between authentication-specific controls (rate limiting) and general security measures (encryption, input validation), leading candidates to choose TLS or API keys because they are commonly associated with API security but do not address brute-force frequency.

How to eliminate wrong answers

Option B is wrong because API keys authenticate the client application, not the user, and do not prevent an attacker from repeatedly trying different passwords or tokens against the authentication endpoint. Option C is wrong because TLS encrypts data in transit to prevent eavesdropping and tampering, but it does not limit the number of requests an attacker can send, leaving the endpoint vulnerable to brute-force attempts. Option D is wrong because input validation prevents injection attacks (e.g., SQLi, XSS) but does not restrict the frequency of requests, so an attacker can still submit unlimited login attempts with valid parameter formats.

638
Multi-Select · medium

A cloud security team is developing an incident response plan for a SaaS application hosted on a public cloud. During the preparation phase, which TWO steps are most critical to include?

Select 2 answers
A. Conduct regular tabletop exercises to simulate incident scenarios
B. Conduct a post-mortem analysis of previous incidents
C. Implement automated isolation of compromised instances
D. Define and document communication escalation paths
E. Deploy a security information and event management (SIEM) system
Answers: A, D

Tabletop exercises help validate the plan and train the response team before an incident.

Why this answer

Conducting regular tabletop exercises (Option A) is critical during the preparation phase because it validates the incident response plan's effectiveness, identifies gaps in team coordination, and ensures stakeholders understand their roles without impacting production systems. This proactive simulation aligns with NIST SP 800-61 and CCSP best practices for readiness testing before an actual incident occurs. Defining and documenting communication escalation paths (Option D) is equally a preparation-phase task: responders need to know whom to notify, in what order, and through which channels before an incident starts, since this cannot be worked out reliably in the middle of a response.

Exam trap

ISC2 often tests the distinction between preparation-phase activities (planning, training, documentation) and operational-phase activities (detection, containment, recovery), leading candidates to mistakenly select automated response or monitoring tools as preparation steps.

639
MCQ · hard

A healthcare organization recently migrated a patient records management application from on-premises infrastructure to a cloud environment using Infrastructure as a Service (IaaS). The application was originally designed as a monolithic workload running on bare-metal servers. After migration, the application is deployed on a fleet of virtual machines (VMs) of the same instance type. The organization is using a combination of Reserved Instances for baseline capacity and On-Demand instances to handle spikes. However, two months after the migration, the cloud bill is 40% higher than the estimated on-premises total cost of ownership. Additionally, performance reports indicate that the application experiences inconsistent latency and occasional timeouts during peak hours. The operations team has confirmed that the application code has not changed, and the cloud provider's infrastructure is healthy. There is no issue with network bandwidth or storage I/O. The team is considering several options to address both cost and performance issues. What should the team do first?

A. Migrate the application to serverless compute to eliminate the need to manage VMs.
B. Perform a rightsizing analysis of the current VM usage and adjust instance types accordingly.
C. Consolidate the workload into fewer, larger instances to reduce overhead and licensing costs.
D. Replace On-Demand instances with Spot Instances to reduce costs during spikes.
Answer: B

Rightsizing addresses both cost and performance by matching instance resources to actual workload demands. It is a standard first step in cloud optimization.

Why this answer

Option B is correct. The symptoms (high cost and inconsistent performance) strongly suggest that the instances are not appropriately sized for the workload. Rightsizing based on actual metrics (CPU, memory, I/O) is the most direct and effective first step to reduce waste and improve performance.

Option A is too drastic; moving to serverless would require significant architectural changes and is not a quick fix. Option D (Spot Instances) is unsuitable for baseline capacity because they can be terminated with little notice, which would disrupt a monolithic application. Option C (consolidation into fewer, larger instances) might reduce licensing costs but assumes that the current instances are underutilized; it could exacerbate performance issues if the application is not designed to scale horizontally.

640
MCQ · medium

A cloud customer wants to ensure that when the contract ends, the cloud provider deletes all customer data, including from backups. Which contractual clause is essential?

A. Right to audit clause
B. Data deletion clause
C. Data portability clause
D. Service Level Agreement
Answer: B

This clause mandates the provider to delete all copies of customer data.

Why this answer

A data deletion clause should specify the obligation to delete customer data, including backups, upon termination.

641
MCQ · hard

A cloud security architect is designing a CI/CD pipeline for a serverless application using AWS Lambda. The application processes sensitive user data and requires encryption at rest and in transit. Which of the following is the BEST approach to securely manage database credentials used by the Lambda function?

A. Store the credentials in AWS Systems Manager Parameter Store with a SecureString parameter.
B. Use AWS Secrets Manager to store the credentials and retrieve them at runtime with least-privilege IAM roles.
C. Store the credentials as encrypted environment variables in the Lambda function configuration.
D. Hardcode the credentials in the Lambda function code and encrypt the deployment package.
Answer: B

Secrets Manager provides secure storage, automatic rotation, and fine-grained access control via IAM.

Why this answer

AWS Secrets Manager is the best choice because it is purpose-built for securely storing, rotating, and retrieving secrets such as database credentials. It integrates natively with AWS Lambda via the Secrets Manager API, allowing the function to fetch credentials at runtime using a least-privilege IAM role. This approach avoids embedding secrets in code or configuration and supports automatic rotation, which is critical for compliance with encryption and access control requirements.

Exam trap

ISC2 often tests the distinction between AWS Systems Manager Parameter Store (for configuration) and AWS Secrets Manager (for secrets), trapping candidates who think encryption alone is sufficient without considering rotation and lifecycle management.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store with SecureString provides encryption but lacks native automatic rotation and fine-grained access control for secrets; it is designed for configuration data, not secrets management. Option C is wrong because encrypted environment variables are still stored in the Lambda configuration and can be exposed through logs, error messages, or the AWS Management Console; they also do not support rotation. Option D is wrong because hardcoding credentials in code, even with an encrypted deployment package, violates the principle of not embedding secrets in code and makes rotation impossible without redeployment; the encryption key management also adds unnecessary complexity.

642
MCQ · easy

A developer accidentally launched an EC2 instance with an overly permissive security group that allows SSH from 0.0.0.0/0. After a security review, the team wants to ensure this cannot happen again. What is the MOST effective preventive control?

A. Grant developers full access to EC2 and rely on training.
B. Attach an IAM policy to developer roles that denies the ec2:AuthorizeSecurityGroupIngress action if the CIDR is 0.0.0.0/0.
C. Use AWS Systems Manager to automatically remediate open SSH rules.
D. Enable AWS Config rules to detect and alert on open SSH.
Answer: B

This IAM policy condition prevents the action at the time of request.

Why this answer

Option B is correct because IAM policies can enforce preventive controls by denying the ec2:AuthorizeSecurityGroupIngress action when the CIDR is 0.0.0.0/0, which blocks the action at the API level before any rule is created. This is a preventive control because it stops the insecure configuration from being applied, rather than detecting or remediating it after the fact. By attaching this policy to developer roles, the team ensures that even if a developer attempts to add an overly permissive SSH rule, the request is denied by AWS IAM.

Exam trap

ISC2 often tests the distinction between preventive controls (IAM deny policies) and detective/reactive controls (AWS Config, Systems Manager remediation), and the trap here is that candidates may choose a detective or reactive option because they think 'alerting' or 'auto-remediation' is sufficient, when the question explicitly asks for the 'most effective preventive control.'

How to eliminate wrong answers

Option A is wrong because granting full EC2 access and relying solely on training is not a technical control; it depends on human behavior and does not prevent the action from occurring. Option C is wrong because AWS Systems Manager automation for remediation is a detective/reactive control, not preventive; it only fixes the issue after the insecure rule has already been created. Option D is wrong because AWS Config rules are detective controls that alert on non-compliant resources after they exist, but they do not block the initial creation of the overly permissive security group rule.

643
Multi-Select (medium)

Which TWO practices help protect against insecure deserialization attacks in cloud applications?

Select 2 answers
A.Allow deserialization from untrusted sources
B.Use strong encryption for all serialized data
C.Implement custom deserialization without validation
D.Validate serialized objects before deserialization
E.Restrict deserialization to a whitelist of classes
Answers: D, E

Validation can detect tampered objects.

Why this answer

Option D is correct because validating serialized objects before deserialization ensures that the data conforms to expected schemas and constraints, preventing malicious payloads from triggering arbitrary code execution. This practice is critical in cloud applications where deserialization of user-supplied data (e.g., JSON or XML) can lead to remote code execution (RCE) or denial-of-service (DoS) attacks if not validated.

Exam trap

ISC2 often tests the misconception that encryption alone (Option B) is sufficient to secure serialized data, but encryption only protects data at rest or in transit, not the deserialization process itself, which is where the attack occurs.

644
Multi-Select (easy)

Which TWO of the following are benefits of using tokenization for credit card data?

Select 2 answers
A.Maintains data format for existing systems
B.Reversible without a key vault
C.Reduces PCI DSS compliance scope
D.Eliminates the need for encryption
E.Slows down database queries
Answers: A, C

Tokens can preserve format, aiding integration.

Why this answer

Tokenization replaces sensitive credit card data with a non-sensitive token that retains the same format (e.g., a 16-digit number) and length, allowing existing systems, databases, and applications to process the token without modification. This format-preserving property ensures that legacy systems, such as payment gateways or CRM platforms, can continue to operate without requiring costly re-engineering. By using a token instead of the actual PAN, the organization reduces the scope of PCI DSS compliance because the tokenized data is not considered cardholder data under the PCI DSS standard.

Exam trap

ISC2 often tests the misconception that tokenization eliminates the need for encryption entirely, but the correct understanding is that tokenization reduces PCI DSS scope while encryption (for the vault and transit) remains essential.

645
MCQ (medium)

A cloud security engineer reviews the IAM policy shown in the exhibit, which is attached to an S3 bucket. The engineer finds that users from outside the 10.0.0.0/8 network can still download objects from the bucket. What is the most likely reason for this behavior?

A.The condition key 'aws:SourceIp' does not apply to S3 operations
B.The first statement's condition explicitly denies access to IPs outside 10.0.0.0/8
C.The second Allow statement does not include the IP restriction, allowing any IP to read objects
D.The policy document has a syntax error that causes the first statement to be ignored
Answer: C

The policy grants unrestricted GetObject access via the second statement.

Why this answer

Option C is correct because the second Allow statement in the IAM policy grants s3:GetObject access to all principals without any condition, effectively overriding the IP restriction in the first statement. AWS IAM policy evaluation is explicit deny by default, but when multiple statements apply, an Allow without conditions will permit the action even if another statement restricts it. Since the second statement has no aws:SourceIp condition, any IP address, including those outside 10.0.0.0/8, can download objects.

Exam trap

ISC2 often tests the nuance that an unconditional Allow statement can override a conditional Deny statement in IAM policies, leading candidates to incorrectly assume that the Deny with an IP restriction will block all access from outside the specified range.

How to eliminate wrong answers

Option A is wrong because the aws:SourceIp condition key does apply to S3 operations when used in a bucket policy; it is a valid condition key for controlling access based on the requester's IP address. Option B is wrong because the first statement uses 'Deny' with the condition, which would deny access to IPs outside 10.0.0.0/8, but the second Allow statement without the condition overrides this deny for the allowed action. Option D is wrong because there is no syntax error; the policy is valid and both statements are evaluated, but the Allow statement without the IP restriction permits the access.

646
MCQ (medium)

A company has multiple VPCs in the same region and wants to enable direct IP connectivity between them using private IP addresses. However, they do not need transitive routing across multiple VPCs. Which solution should they use?

A.VPN Gateway
B.VPC Peering
C.Private Link
D.Transit Gateway
Answer: B

VPC peering directly connects two VPCs and is not transitive.

Why this answer

VPC peering provides direct one-to-one connectivity without transitive routing.

647
MCQ (hard)

In a cloud environment using KVM, a security auditor wants to ensure that a tenant VM cannot access the memory of another tenant VM on the same physical host. Which resource isolation mechanism is specifically designed to prevent such memory access?

A.Seccomp profiles
B.CPU pinning
C.Extended Page Tables (EPT)
D.IOMMU
Answer: C

Correct; EPT provides hardware-assisted memory isolation between VMs.

Why this answer

Memory isolation is enforced by the hypervisor using Extended Page Tables (EPT) or similar technologies. EPT ensures that each VM's memory mappings are isolated, preventing one VM from accessing another's memory.

648
MCQ (easy)

Under the CSA STAR program, which tier involves a third-party assessment resulting in a certification based on ISO 27001?

A.Tier 4: Nonexistent
B.Tier 1: Self-assessment
C.Tier 3: Continuous monitoring
D.Tier 2: Third-party assessment
Answer: D

Tier 2 includes STAR Certification (ISO 27001 + cloud controls) and STAR Attestation (SOC 2).

Why this answer

CSA STAR Tier 2 includes STAR Certification, which builds on ISO 27001 certification and includes cloud-specific controls.

649
Multi-Select (medium)

A company is evaluating cloud providers for compliance with the GDPR. Which TWO of the following are mandatory data protection roles under the GDPR?

Select 2 answers
A.Data Processor
B.Data Protection Officer (DPO)
C.Cloud Security Architect
D.Data Controller
E.Data Steward
Answers: A, D

The Data Processor is a mandatory role under GDPR.

Why this answer

The GDPR defines the Data Controller and Data Processor as mandatory roles. The Data Protection Officer (DPO) is required only under certain conditions (e.g., large-scale monitoring). Cloud Security Architect and Data Steward are not GDPR-defined roles.

650
MCQ (hard)

A company uses a cloud key management service (KMS) and wants to ensure that keys can be used only within a specific geographic region. Which of the following should be configured?

A.VPC endpoint for KMS
B.CloudTrail logging
C.Key policy with a condition for allowed regions
D.Key rotation policy
Answer: C

Key policies with conditions can restrict use to specific regions.

Why this answer

Option C is correct because a key policy with a condition using the `kms:CallerRegion` or `aws:RequestRegion` condition key can explicitly restrict the geographic region where the KMS key can be used. This ensures that any cryptographic operation (e.g., Encrypt, Decrypt) attempted from an unauthorized region is denied, enforcing regional data sovereignty requirements.

Exam trap

ISC2 often tests the distinction between network-level controls (like VPC endpoints) and policy-level controls (like key policy conditions), leading candidates to mistakenly choose VPC endpoints for geographic restrictions when only a condition-based policy can enforce regional key usage.

How to eliminate wrong answers

Option A is wrong because a VPC endpoint for KMS only restricts network access to the KMS API via a private IP within a VPC, but does not enforce geographic region restrictions on key usage; the key could still be used from any region if the request reaches the endpoint. Option B is wrong because CloudTrail logging records API calls for auditing but does not enforce any access control or geographic restriction on key usage. Option D is wrong because a key rotation policy controls how often the key material is rotated, not where the key can be used; it has no effect on geographic restrictions.

651
MCQ (hard)

During a security incident in AWS, the security team suspects that an attacker has tampered with CloudTrail logs to cover their tracks. Which CloudTrail feature would the team use to verify that the log files have not been modified since they were delivered?

A.CloudTrail Insights
B.CloudTrail log file validation
C.S3 server access logs
D.AWS Config rules
Answer: B

Log file validation provides cryptographic verification of log file integrity.

Why this answer

CloudTrail log file validation uses a SHA-256 hash chain to create a digital signature for each log file, which is stored in a separate digest file. By computing the hash of a delivered log file and comparing it to the hash in the digest, the team can detect any tampering or modification after delivery. This feature is specifically designed to verify the integrity and authenticity of CloudTrail logs.

Exam trap

Cisco often tests the distinction between features that detect suspicious activity (like CloudTrail Insights) and features that provide cryptographic integrity verification (like log file validation), so candidates may confuse the two and select Insights because it sounds like it would detect tampering.

How to eliminate wrong answers

Option A is wrong because CloudTrail Insights is a feature that detects unusual API activity and potential security threats by analyzing management and data events, but it does not provide any mechanism to verify the integrity or detect tampering of log files after delivery. Option C is wrong because S3 server access logs record requests made to an S3 bucket, not CloudTrail logs, and they do not offer a cryptographic validation mechanism to confirm that CloudTrail log files have not been modified. Option D is wrong because AWS Config rules evaluate resource configurations against desired policies and can detect changes to resources, but they cannot validate the cryptographic integrity of CloudTrail log files or confirm that the logs have not been altered after delivery.

652
Multi-Select (hard)

Which THREE of the following are typical requirements for compliance with eDiscovery in a cloud environment?

Select 3 answers
A.Documentation of chain of custody
B.Search and retrieval capabilities across data sources
C.Ability to place legal hold on data
D.Encryption of data at rest
E.Data minimization principles
Answers: A, B, C

Ensures evidence integrity.

Why this answer

Legal hold preservation, search capabilities, and chain-of-custody documentation are fundamental to eDiscovery. Encryption is about security, not discovery; data minimization is a privacy principle but not specific to eDiscovery.

653
Matching (medium)

Match each cloud auditing term to its definition.


Concepts
Matches

Service organization control report for security

Assessment of cloud provider controls

Analysis of logs for incident investigation

Real-time assessment of security controls

Why these pairings

Auditing in the cloud requires continuous monitoring and third-party attestations such as SOC 2.

654
MCQ (easy)

A company is deploying a cloud application that processes credit card transactions. Which standard must they comply with regarding data security?

A.GDPR
B.PCI DSS
C.HIPAA
D.ISO 27001
Answer: B

PCI DSS applies to credit card data handling.

Why this answer

PCI DSS (Payment Card Industry Data Security Standard) is the mandatory security standard for any organization that handles credit card transactions. It defines strict requirements for protecting cardholder data, including encryption, access control, and network segmentation. Since the application processes credit card transactions, compliance with PCI DSS is legally and contractually required.

Exam trap

ISC2 often tests the distinction between mandatory regulatory standards (like PCI DSS) and voluntary frameworks (like ISO 27001), leading candidates to mistakenly choose ISO 27001 because it is a well-known security standard.

How to eliminate wrong answers

Option A is wrong because GDPR (General Data Protection Regulation) governs the protection of personal data of EU citizens, not specifically credit card transaction security. Option C is wrong because HIPAA (Health Insurance Portability and Accountability Act) applies to protected health information (PHI) in healthcare, not payment card data. Option D is wrong because ISO 27001 is a voluntary international standard for information security management systems (ISMS), not a mandatory compliance requirement for credit card processing.

655
MCQ (medium)

An organization uses a continuous integration/continuous deployment (CI/CD) pipeline to deploy infrastructure as code. The security team wants to ensure that all cloud resources comply with internal security policies before deployment. Which of the following is the MOST effective method to enforce this?

A.Restrict the IAM permissions of developers to only approved roles.
B.Run automated policy compliance checks as part of the CI/CD pipeline.
C.Conduct manual security reviews after each deployment.
D.Deploy resources and then scan for compliance after deployment.
Answer: B

Policy-as-code checks block non-compliant deployments before they go live.

Why this answer

Option B is correct because integrating policy-as-code scanning into the CI/CD pipeline catches non-compliance before deployment. Option C is incorrect because manual reviews are error-prone and slow. Option D is incorrect because post-deployment scanning is reactive.

Option A is incorrect because limiting user permissions alone does not prevent misconfigurations made by authorized users.

656
MCQ (easy)

Which risk assessment method uses subjective scales to assign probabilities and impacts?

A.Semi-quantitative risk assessment
B.Quantitative risk assessment
C.Qualitative risk assessment
D.Bottom-up risk assessment
Answer: C

Uses subjective scales like high/medium/low.

Why this answer

Qualitative risk assessment (option C) is correct because it relies on subjective scales (e.g., high, medium, low) to assign probabilities and impacts, rather than numerical data. This method is commonly used in cloud security to quickly evaluate risks when precise data is unavailable, aligning with the CCSP domain of Legal, Risk and Compliance.

Exam trap

ISC2 often tests the distinction between qualitative and semi-quantitative methods, where candidates confuse subjective scales (qualitative) with ordinal numerical scales (semi-quantitative), leading them to incorrectly select semi-quantitative risk assessment.

How to eliminate wrong answers

Option A is wrong because semi-quantitative risk assessment uses numerical values (e.g., 1-5 scales) to assign probabilities and impacts, not purely subjective scales. Option B is wrong because quantitative risk assessment uses objective numerical data (e.g., monetary values, statistical probabilities) to calculate risk, not subjective scales. Option D is wrong because bottom-up risk assessment is a structural approach that identifies risks from individual components upward, not a method for assigning probabilities and impacts via subjective scales.

657
MCQ (hard)

The exhibit shows a key policy for a customer master key (CMK) in a cloud KMS. An administrator wants to prevent the AppRole from using the key to decrypt data. Which change to the policy would accomplish this?

A.Add a deny statement for AppRole with effect "Deny" for kms:Decrypt.
B.Remove the entire "Allow use of the key" statement.
C.Change the AppRole action list to include only kms:Encrypt.
D.Remove "kms:Decrypt" from the action list in the AppRole statement.
Answer: D

Decrypt is the specific action needed for decryption. Removing it prevents decryption but allows encryption.

Why this answer

Option D is correct because the AppRole's current policy statement explicitly includes 'kms:Decrypt' in the action list, granting it permission to decrypt data. By removing 'kms:Decrypt' from that action list, the AppRole retains its other allowed actions (such as kms:Encrypt) but can no longer perform decryption operations. This is the most precise and least disruptive change, as it only removes the specific permission needed to prevent decryption without affecting other allowed actions.

Exam trap

ISC2 often tests the principle of least privilege and the precise modification of permissions, where candidates may incorrectly choose to add a deny statement (Option A) instead of simply removing the specific action from the allow list, misunderstanding that an explicit deny is not the most efficient or correct way to revoke a permission that was previously granted.

How to eliminate wrong answers

Option A is wrong because adding a deny statement for kms:Decrypt would create an explicit deny, which in IAM policy evaluation logic overrides any allow, but it is unnecessarily complex and could introduce unintended conflicts; the simpler and more direct approach is to remove the permission from the allow statement. Option B is wrong because removing the entire 'Allow use of the key' statement would revoke all permissions for the AppRole, including necessary actions like kms:Encrypt, which is overly broad and not the minimal change required. Option C is wrong because changing the action list to include only kms:Encrypt would also remove kms:Decrypt, but it would also remove any other actions currently allowed (e.g., kms:GenerateDataKey, kms:DescribeKey) that might be needed; the question specifically asks to prevent decryption, so removing only kms:Decrypt is more targeted.

658
MCQ (hard)

Refer to the exhibit. A cloud security analyst is reviewing an S3 bucket policy. The bucket contains sensitive data and must only be accessible over HTTPS from the internal network (10.0.0.0/24). Which of the following correctly describes the behavior of this policy?

A.Requests from 10.0.0.0/24 over HTTPS are allowed; all other requests are denied.
B.Requests from 10.0.0.0/24 over HTTP are allowed because the Allow statement matches.
C.The policy is invalid because it combines Allow and Deny statements.
D.All requests from 10.0.0.0/24 are denied because the Deny statement applies to all actions.
Answer: A

The Allow statement permits GetObject from the internal IP range, and the Deny blocks non-HTTPS requests. Requests from external IPs are implicitly denied.

Why this answer

The policy uses an explicit Deny for any request that is not using HTTPS (i.e., aws:SecureTransport is false) or does not originate from the 10.0.0.0/24 IP range. This Deny overrides the Allow statement, ensuring that only requests meeting both conditions (source IP 10.0.0.0/24 AND HTTPS) are permitted. Requests from 10.0.0.0/24 over HTTPS satisfy the Allow and are not caught by the Deny, so they are allowed; all other requests are denied.

Exam trap

ISC2 often tests the misconception that an Allow statement alone is sufficient to grant access, ignoring that an explicit Deny with broader conditions can override it, or that a policy with both Allow and Deny is automatically invalid.

How to eliminate wrong answers

Option B is wrong because the Deny statement explicitly denies requests over HTTP (when aws:SecureTransport is false), so even if the source IP matches 10.0.0.0/24, the request is blocked. Option C is wrong because combining Allow and Deny statements is valid in AWS IAM policy evaluation; explicit Deny always takes precedence, but the policy is syntactically and logically correct. Option D is wrong because the Deny statement does not apply to all actions from 10.0.0.0/24; it only denies requests that are not using HTTPS (i.e., aws:SecureTransport is false) or that come from outside the 10.0.0.0/24 range, so requests from 10.0.0.0/24 over HTTPS are allowed.

659
MCQ (medium)

A company uses a cloud-based CI/CD pipeline with GitLab. Developers push code to a repository, triggering a build. The security team notices that sensitive API keys are being logged in build output. Which practice best prevents this?

A.Implement a secrets detection tool in the pipeline
B.Use environment variables in the pipeline configuration
C.Use a separate build server
D.Encrypt the Git repository
Answer: A

Automated secrets detection scans for and blocks credentials in build output.

Why this answer

A secrets detection tool (e.g., GitLab Secret Detection, TruffleHog, or Gitleaks) scans code and build output for patterns matching API keys, tokens, or passwords before they are logged or stored. This directly prevents sensitive credentials from appearing in build logs, which is the specific issue described. Unlike other options, it actively identifies and blocks secrets at the point of exposure.

Exam trap

The trap here is that candidates often confuse 'using environment variables' (a secure storage method) with 'preventing secrets from being logged' (a detection and blocking mechanism), leading them to choose Option B even though environment variables do not stop accidental output.

How to eliminate wrong answers

Option B is wrong because environment variables in pipeline configuration (e.g., CI/CD variables in GitLab) are a secure way to pass secrets, but they do not prevent secrets from being accidentally logged in build output if the application or script explicitly prints them. Option C is wrong because using a separate build server does not address the root cause—secrets can still be logged regardless of where the build runs; it only changes the execution environment. Option D is wrong because encrypting the Git repository protects data at rest but does not prevent secrets from being exposed in plaintext during the build process or in logs.

660
Multi-Select (medium)

Which TWO of the following are primary objectives of a cloud application security program?

Select 2 answers
A.Maintaining application availability
B.Performing continuous deployment
C.Implementing a microservices architecture
D.Ensuring data confidentiality and integrity
E.Adopting Agile development practices
Answers: A, D

Availability is a key security objective (CIA triad).

Why this answer

Maintaining application availability is a primary objective of a cloud application security program because it directly supports the security triad of confidentiality, integrity, and availability (CIA). In a cloud environment, availability ensures that authorized users can access applications and data when needed, which is critical for business continuity and is often enforced through SLAs, redundancy, and DDoS protection mechanisms. Without availability, security controls become irrelevant as the service is effectively denied.

Exam trap

ISC2 often tests the distinction between security objectives and operational or architectural practices, trapping candidates who confuse 'continuous deployment' or 'microservices' with security goals because they are commonly discussed in cloud security contexts but are not primary objectives.

661
MCQ (medium)

A cloud security team wants to automatically block malicious requests to a web application before they reach the application servers. Which solution should they implement?

A.Intrusion Detection System (IDS)
B.Runtime Application Self-Protection (RASP)
C.Cloud Web Application Firewall (WAF)
D.Static Application Security Testing (SAST)
Answer: C

A cloud WAF inspects incoming traffic and blocks malicious requests at the network edge.

Why this answer

A Cloud Web Application Firewall (WAF) is the correct solution because it operates at the application layer (Layer 7) to inspect HTTP/HTTPS traffic and block malicious requests—such as SQL injection, cross-site scripting (XSS), and OWASP Top 10 attacks—before they reach the application servers. Unlike an IDS, a WAF can actively block traffic in real time, and it is deployed at the network edge or cloud gateway, providing inline prevention without requiring changes to the application code.

Exam trap

The trap here is that candidates confuse IDS (passive alerting) with IPS (inline blocking), or assume RASP can block traffic before it reaches the application, when in fact RASP operates within the application runtime and cannot prevent initial request arrival at the server boundary.

How to eliminate wrong answers

Option A is wrong because an Intrusion Detection System (IDS) is a passive monitoring tool that only alerts on suspicious activity (e.g., via signature matching or anomaly detection) and cannot automatically block malicious requests; it lacks inline enforcement capabilities. Option B is wrong because Runtime Application Self-Protection (RASP) runs inside the application runtime environment (e.g., integrated into the JVM or .NET CLR) to detect and block attacks from within the application, but it does not operate before requests reach the application servers—it protects the application from the inside, not at the perimeter. Option D is wrong because Static Application Security Testing (SAST) is a development-phase code analysis tool that scans source code for vulnerabilities (e.g., buffer overflows, insecure APIs) but does not provide runtime protection or block live traffic; it is a preventive measure, not a real-time defense.

662
MCQ (hard)

A cloud customer is considering adopting a multi-cloud strategy to avoid vendor lock-in. Which risk is this strategy primarily intended to mitigate?

A.Third-party risk from a specific provider
B.Concentration risk
C.Residual risk after controls
D.Inherent risk of data leaving premises
Answer: B

Multi-cloud spreads workloads across providers to avoid a single point of failure.

Why this answer

Multi-cloud reduces dependency on a single provider, thus mitigating concentration risk.

663
MCQ (hard)

A cloud application uses containers orchestrated by Kubernetes. The security team wants to enforce that containers cannot run as root and that file systems are read-only at runtime. Which Kubernetes security context configuration should be applied?

A.Use a RuntimeClass that disables root capabilities
B.Set the container's user to a non-root user in the Dockerfile
C.Apply a PodSecurityPolicy that blocks privileged containers
D.Configure a SecurityContext with runAsNonRoot: true and readOnlyRootFilesystem: true
Answer: D

Directly sets the required properties in the container specification.

Why this answer

Option D is correct because Kubernetes SecurityContext allows fine-grained control over container permissions at the pod or container level. Setting `runAsNonRoot: true` ensures the container cannot run as UID 0, and `readOnlyRootFilesystem: true` mounts the container's root filesystem as read-only, preventing unauthorized writes at runtime. This directly satisfies the security team's requirements without relying on external policies or image-level configurations.

Exam trap

The trap here is that candidates confuse image-level defaults (like a non-root user in a Dockerfile) with runtime enforcement via SecurityContext, or they think PodSecurityPolicy (a deprecated feature) is the only way to enforce these restrictions, when in fact SecurityContext is the direct and correct mechanism.

How to eliminate wrong answers

Option A is wrong because a RuntimeClass primarily selects a container runtime (e.g., gVisor, Kata Containers) for isolation, not a mechanism to disable root capabilities or enforce read-only filesystems; it does not directly set runAsNonRoot or readOnlyRootFilesystem. Option B is wrong because setting a non-root user in the Dockerfile only affects the image's default user; it can be overridden at runtime (e.g., by specifying `securityContext.runAsUser: 0`), so it does not enforce the restriction. Option C is wrong because PodSecurityPolicy (PSP) is a deprecated, cluster-level admission controller that can block privileged containers but does not directly enforce `runAsNonRoot: true` or `readOnlyRootFilesystem: true`; it requires additional policy rules and is being replaced by Pod Security Standards.

664
MCQ (medium)

A healthcare organization has deployed a cloud-based application that handles protected health information (PHI). The application runs on virtual machines in a virtual private cloud (VPC). The security team has implemented security groups to control traffic to the VMs. Recently, an external penetration test revealed that a web server VM is accessible from the internet on port 22 (SSH) from any IP address (0.0.0.0/0). The security team also discovered that the SSH key pair used for the web server was created with a weak algorithm (1024-bit RSA). The team needs to remediate these issues without causing downtime for the application. Additionally, the application logs must be sent to a centralized logging solution that is encrypted in transit and at rest. Which combination of actions should the security team take?

A.Restrict inbound SSH access to only a bastion host's IP address, generate a new 2048-bit RSA key pair, configure the application to send logs via TLS to a centralized logging service, and enable server-side encryption for the logging bucket.
B.Implement a VPN connection for all administrative access, keep the existing key pair, and use a third-party logging tool with TLS.
C.Change the SSH port to a non-standard port, keep the existing key pair, and enable logging to a cloud storage bucket without encryption.
D.Disable SSH access entirely and use a serial console for administration, keep the existing key pair, and send logs via plaintext syslog to a logging server.
Answer: A

This fully addresses both vulnerabilities and logging requirements.

Why this answer

Option A is correct because it addresses both critical vulnerabilities without downtime: restricting SSH to a bastion host's IP eliminates internet-wide exposure, and generating a new 2048-bit RSA key pair replaces the weak 1024-bit key. For logging, TLS ensures encryption in transit, and server-side encryption for the logging bucket ensures encryption at rest, meeting compliance requirements for PHI.

Exam trap

ISC2 often tests the distinction between security by obscurity (e.g., changing ports) and actual security controls (e.g., restricting IPs and using strong keys), leading candidates to pick options that seem quick but fail compliance requirements.

How to eliminate wrong answers

Option B is wrong because keeping the existing 1024-bit RSA key pair leaves a weak cryptographic algorithm in place, which is a security risk and non-compliant with standards like NIST SP 800-57. Option C is wrong because changing the SSH port to a non-standard port is security by obscurity and does not prevent scanning or brute-force attacks, and sending logs to a bucket without encryption violates encryption-at-rest requirements for PHI. Option D is wrong because disabling SSH entirely and using a serial console is impractical for cloud VMs and often causes downtime, and sending logs via plaintext syslog lacks encryption in transit, violating HIPAA and other regulations.

665
MCQ (easy)

A DevOps engineer runs the above command and gets the error. What is the MOST likely missing permission?

A.storage.buckets.get
B.storage.buckets.list
C.storage.objects.get
D.storage.objects.list
Answer: D

List permission is required to list objects in a bucket.

Why this answer

The command likely involves listing objects within a bucket (e.g., `gsutil ls` or an equivalent `GET /b/{bucket}/o` API call). The error indicates the principal lacks the `storage.objects.list` permission, which is required to enumerate objects in a bucket. Without this permission, the API returns a 403 Forbidden error even if the principal has other storage permissions.

Exam trap

ISC2 often tests the distinction between object-level permissions (like `storage.objects.get`) and bucket-level listing permissions (like `storage.objects.list`), trapping candidates who assume read access to objects implies the ability to list them.

How to eliminate wrong answers

Option A is wrong because `storage.buckets.get` is needed to retrieve bucket metadata (e.g., IAM configuration, location), not to list objects. Option B is wrong because `storage.buckets.list` is required to list all buckets in a project, not objects within a specific bucket. Option C is wrong because `storage.objects.get` is needed to read a specific object's data or metadata, not to list objects in a bucket.

666
MCQmedium

A company uses a cloud provider's managed database service. The security team is concerned about the shared responsibility model for patching the operating system and database engine. According to the shared responsibility model, who is responsible for applying security patches to the database engine?

A.The customer, because they control the database configuration
B.A third-party vendor contracted by the customer
C.The cloud provider, because it is a managed service
D.Both the customer and the cloud provider equally
AnswerC

Managed services include engine patching by the provider.

Why this answer

Option C is correct because for managed services, the cloud provider is responsible for patching the underlying database engine. Option A is wrong because the customer is responsible for the data and access, not the engine. Option B is wrong because a third-party vendor is not a party to the shared responsibility model for a managed service. Option D is wrong because the responsibility is not shared equally: the database engine is part of the managed service, so patching it belongs to the provider.

667
MCQhard

A company is deploying a multi-tier application in a public cloud and needs to restrict traffic between tiers. The web tier must only accept HTTPS from the internet, and the app tier must only accept HTTP from the web tier. Which cloud networking feature should be used to enforce this?

A.Network access control lists (ACLs) attached to the subnets.
B.Security groups applied to each tier’s instances.
C.Internet gateway with appropriate routes.
D.VPC peering connection between tier subnets.
AnswerA

Network ACLs are stateless and can enforce explicit allow rules between subnets.

Why this answer

Network ACLs are stateless, meaning they filter traffic based on source and destination IP addresses, ports, and protocols at the subnet level. By configuring inbound rules on the web tier subnet to allow HTTPS (TCP/443) from the internet and outbound rules to allow HTTP (TCP/80) to the app tier subnet, and inbound rules on the app tier subnet to allow HTTP only from the web tier subnet, you enforce the required traffic restrictions without maintaining session state. This stateless behavior is essential for explicitly controlling traffic between tiers in a multi-tier architecture.

Exam trap

ISC2 often tests the distinction between stateless (network ACLs) and stateful (security groups) filtering, and the trap here is that candidates assume security groups can enforce inter-tier traffic restrictions as effectively as ACLs, overlooking that security groups are stateful and instance-specific, not subnet-wide.

How to eliminate wrong answers

Option B is wrong because security groups are stateful, meaning if you allow inbound HTTPS to the web tier, the return traffic is automatically allowed, but they cannot enforce outbound restrictions from the web tier to the app tier without additional rules; more critically, security groups are applied at the instance level, not the subnet level, making them less suitable for controlling traffic between entire tiers. Option C is wrong because an internet gateway only provides a target for routing traffic to and from the internet; it does not filter or restrict traffic between subnets or tiers. Option D is wrong because VPC peering connects two VPCs for routing, but it does not provide any filtering or access control; it merely establishes a network path, leaving traffic restrictions to ACLs or security groups.

668
MCQhard

A healthcare company, MedSecure, is migrating its critical patient record application to a public cloud IaaS environment. The application processes Protected Health Information (PHI) subject to HIPAA in the US and also includes some patient data from EU residents subject to GDPR. MedSecure has signed Business Associate Agreements (BAAs) with the cloud provider covering US HIPAA compliance. However, the compliance officer is concerned about GDPR requirements for EU patient data. The architecture uses AWS EC2 instances behind an Application Load Balancer, with data stored in Amazon RDS (MySQL) using encryption at rest and TLS for transmission. The company uses AWS CloudTrail for logging but only retains logs for 90 days. The compliance officer has identified that the current logging retention does not meet the GDPR requirement for logs to be retained for a minimum of 12 months for audit purposes. Additionally, the data stored in RDS is in a single AWS region in the US (us-east-1). The company plans to expand to EU customers. The GDPR requires that personal data of EU residents be stored in the EU or have adequate safeguards for transfer. Currently, the company has not implemented any data residency controls. What course of action should MedSecure take to address the most critical compliance gaps?

A.Extend CloudTrail log retention to 12 months by configuring a new trail in a separate account and storing logs in an S3 bucket with a lifecycle policy to delete after 12 months. For data residency, use AWS DMS to replicate the RDS database to a second RDS instance in the eu-west-1 region and enable cross-region replication for continuous sync.
B.Implement AWS Config rules to monitor compliance with both HIPAA and GDPR, and enable AWS CloudTrail Insights to detect unusual activity. For data residency, sign Standard Contractual Clauses (SCCs) with the cloud provider for the existing US-based data.
C.Enable S3 Object Lock for CloudTrail logs to ensure they cannot be deleted before 12 months, and use AWS DMS with CDC to replicate data to the eu-west-1 region. Also, sign a Data Processing Agreement (DPA) with AWS specifically for GDPR coverage.
D.Use AWS Lambda to copy CloudTrail logs from the existing trail to a separate S3 bucket with a retention policy of 12 months. For data residency, configure the RDS instance to have a read replica in eu-west-1 and implement a DPA with AWS for GDPR.
AnswerC

This addresses both gaps: immutable log retention, and EU data replication together with a DPA to cover legal transfer safeguards.

Why this answer

Option C is correct because it directly addresses the two most critical compliance gaps: GDPR log retention (12 months) and data residency for EU patient data. Enabling S3 Object Lock on CloudTrail logs ensures they cannot be deleted or altered before 12 months, meeting GDPR audit requirements. Using AWS DMS with Change Data Capture (CDC) to replicate the RDS database to eu-west-1 provides a continuous, low-latency copy of PHI within the EU, satisfying GDPR data residency.

Signing a Data Processing Agreement (DPA) with AWS specifically for GDPR coverage is essential because the existing BAA only covers HIPAA, and GDPR requires a separate DPA to establish the cloud provider as a data processor under EU law.

Exam trap

ISC2 often tests the distinction between data replication mechanisms (e.g., read replicas vs. DMS with CDC) and the specific legal documents required for different regulations (BAA for HIPAA vs. DPA for GDPR), leading candidates to choose options that mix correct concepts with incorrect implementations.

How to eliminate wrong answers

Option A is wrong because configuring a new trail in a separate account does not prevent premature deletion of logs; a lifecycle policy alone does not enforce immutability, and GDPR requires logs to be retained for 12 months with protection against deletion or alteration. Additionally, using AWS DMS to replicate the RDS database to a second RDS instance with cross-region replication does not inherently provide continuous CDC synchronization for real-time data residency compliance. Option B is wrong because AWS Config rules and CloudTrail Insights are monitoring and detection tools, not mechanisms to enforce log retention or data residency; signing SCCs for existing US-based data does not satisfy the GDPR requirement that EU personal data be stored in the EU or have adequate safeguards for transfer, and SCCs alone do not replace the need for a DPA with the cloud provider.

Option D is wrong because using a Lambda function to copy logs to a separate S3 bucket does not ensure immutability or prevent deletion before 12 months; a read replica in eu-west-1 is read-only and cannot accept writes, so it does not provide a writable copy of the database for EU data residency, and implementing a DPA is correct but the log retention and data residency solutions are insufficient.

669
MCQmedium

A developer receives the above error when trying to create a route in an API Gateway. Which action should the developer take to resolve the issue?

A.Change the endpoint type to private
B.Add an authentication mechanism to the API
C.Verify that the API is deployed to the correct stage
D.Delete the existing route or use a different route key
AnswerD

Removing the duplicate or choosing a unique key resolves the conflict.

Why this answer

The error indicates that a route with the same key already exists in the API Gateway. API Gateway enforces unique route keys within an API; attempting to create a duplicate route key (e.g., the same HTTP method and path combination) will fail. Deleting the existing route or using a different route key resolves the conflict by ensuring each route key is unique.

Exam trap

ISC2 often tests the misconception that deployment stages or authentication mechanisms can resolve configuration conflicts, when in fact the error is a direct result of violating a uniqueness constraint on route keys within the API Gateway resource hierarchy.

How to eliminate wrong answers

Option A is wrong because changing the endpoint type to private does not address a duplicate route key error; endpoint type controls network accessibility, not route uniqueness. Option B is wrong because adding an authentication mechanism (e.g., IAM, Lambda authorizer) does not resolve a conflict where a route key already exists; authentication is unrelated to route key duplication. Option C is wrong because verifying the API deployment stage does not fix a duplicate route key error; deployment stages affect which version of the API is live, not the uniqueness of route keys within the API definition.

670
Multi-Selecteasy

Which TWO of the following are secure coding practices that help prevent injection attacks?

Select 2 answers
A.Printing stack traces in production error messages
B.Using parameterized queries for database calls
C.Using stored procedures exclusively
D.Validating and sanitizing all user inputs
E.Storing user passwords in plaintext
AnswersB, D

Parameterized queries separate SQL logic from data, preventing injection.

Why this answer

Option B is correct because parameterized queries (also known as prepared statements) separate SQL logic from data by using placeholders (e.g., `?` in MySQLi or `:param` in PDO). The database driver treats the user-supplied values strictly as data, never as executable code, which prevents an attacker from injecting malicious SQL commands even if the input contains special characters like `' OR 1=1 --`.

Exam trap

ISC2 often tests the misconception that stored procedures are inherently safe against injection, but the trap is that stored procedures can still be vulnerable if they dynamically construct SQL strings using concatenated input, so parameterization must be applied inside the procedure as well.
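As an added illustration of why option B works (this snippet is not part of the original question bank), the Python code below runs the same username lookup against a constructed in-memory SQLite table in two ways: with string concatenation and with a `?` placeholder. The `' OR 1=1 --` input from the explanation is used as a constructed test value.

```python
import sqlite3

# Constructed sample data for the demonstration: a small users table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable form: the user-supplied value is spliced into the SQL text,
    so a quote character in the input changes the meaning of the statement.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Hardened form: the SQL text is fixed and the value is bound to a
    placeholder, so the driver treats it strictly as data, never as SQL.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run both lookups on the same input and return (vulnerable, hardened)
    result lists, so the difference in behaviour can be checked directly.
    """
    conn = build_db()
    try:
        return (
            lookup_concatenated(conn, username),
            lookup_parameterized(conn, username),
        )
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign username behaves identically in both forms.
    print("alice:", compare("alice"))
    # The injection string from the explanation: the concatenated query
    # returns every row, the parameterized query matches no username.
    print("' OR 1=1 --:", compare("' OR 1=1 --"))
```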

671
MCQeasy

Which characteristic of cloud computing allows a user to provision resources automatically without requiring human interaction with the service provider?

A.Rapid elasticity
B.Broad network access
C.On-demand self-service
D.Resource pooling
AnswerC

Correct. On-demand self-service allows automatic provisioning.

Why this answer

On-demand self-service enables users to provision and manage resources as needed via a web portal or API without manual provider intervention.

672
Multi-Selectmedium

A company is using Azure and wants to implement cloud security posture management (CSPM) to detect misconfigurations. Which TWO services can provide CSPM capabilities? (Choose two.)

Select 2 answers
A.Azure Key Vault
B.Azure Policy
C.Azure Monitor
D.Azure Sentinel
E.Microsoft Defender for Cloud
AnswersB, E

Azure Policy can enforce and evaluate compliance with security benchmarks, contributing to CSPM.

Why this answer

Azure Policy is correct because it enforces organizational standards and assesses compliance at scale, providing CSPM capabilities by evaluating Azure resources against defined rules to detect misconfigurations. It integrates with Microsoft Defender for Cloud to offer continuous monitoring and remediation of security posture issues.

Exam trap

ISC2 often tests the distinction between CSPM (configuration assessment) and SIEM/SOAR (threat detection), so candidates mistakenly choose Azure Sentinel or Azure Monitor because they associate 'security monitoring' with CSPM, but Sentinel focuses on log analysis and incident response, not configuration compliance.

673
MCQmedium

A cloud security team wants to automatically remediate misconfigured S3 buckets that are publicly accessible. Which combination of AWS services can be used to detect and automatically fix this issue?

A.AWS GuardDuty and AWS Lambda
B.AWS CloudTrail and AWS Lambda
C.AWS Config and AWS Lambda
D.AWS Security Hub and AWS CloudTrail
AnswerC

AWS Config rule triggers a Lambda function to remediate non-compliant S3 buckets.

Why this answer

AWS Config evaluates resource configurations against rules (e.g., 's3-bucket-public-read-prohibited'). When a non-compliant resource is detected, AWS Config can trigger a Lambda function via a custom remediation action to modify the bucket policy. GuardDuty detects threats but does not remediate.

Security Hub aggregates findings but does not automatically fix issues. CloudTrail logs events but does not evaluate configurations.

674
Multi-Selectmedium

A company is deploying a critical application on a public cloud IaaS platform. To ensure high availability and disaster recovery, which TWO of the following strategies should the company implement? (Choose two.)

Select 2 answers
A.Deploy the application across multiple availability zones within a region.
B.Use an active-passive configuration with both instances in the same availability zone.
C.Configure the application to run in only one region to simplify management.
D.Implement automated snapshots and replicate data to a different geographic region.
E.Use a single, large virtual machine instance to handle all traffic.
AnswersA, D

This provides high availability within a region.

Why this answer

Deploying across multiple availability zones (AZs) within a region ensures that if one AZ experiences an outage, the application can continue serving traffic from another AZ, providing high availability. This is a fundamental cloud architecture pattern for fault tolerance, as each AZ is an isolated data center with independent power, cooling, and networking.

Exam trap

ISC2 often tests the distinction between high availability (fault tolerance within a region using multiple AZs) and disaster recovery (cross-region data replication and failover), and the trap is that candidates confuse active-passive in the same AZ (which is not HA) with a valid HA strategy.

675
MCQmedium

A multinational corporation uses a SaaS application for customer relationship management (CRM). The CRM application stores customer data including names, email addresses, and purchase history. The company has operations in the EU, California, and Japan. A new regulation in Japan requires that any transfer of personal data outside Japan must have the data subject's consent if the destination country does not have an adequacy decision. The company's cloud provider stores data in the United States. The company currently relies on the provider's data processing agreement that includes standard contractual clauses (SCCs). However, the Japanese regulator has stated that SCCs are not sufficient for transfers from Japan unless supplemented. You are tasked with ensuring compliance for Japanese data subjects. Which option best addresses the compliance requirement while considering the operational impact?

A.Move the data for Japanese subjects to a data center in Japan.
B.Continue using SCCs as they are recognized internationally.
C.Pseudonymize the data before transfer.
D.Obtain explicit consent from each Japanese data subject for data transfer to the US.
AnswerD

Correct. Explicit consent is a valid legal basis under Japanese law when other mechanisms are insufficient.

Why this answer

Option D is correct because the Japanese regulator has explicitly stated that SCCs alone are insufficient for transfers from Japan, and obtaining explicit consent from each data subject directly satisfies the requirement for a valid transfer mechanism under Japanese law. This approach ensures compliance without requiring infrastructure changes, though it may be operationally burdensome. The other options either fail to meet regulatory requirements or introduce unnecessary operational impact.

Exam trap

ISC2 often tests the misconception that pseudonymization or data localization alone can bypass cross-border transfer restrictions, when in fact explicit consent or an approved mechanism is required under the specific regulation.

How to eliminate wrong answers

Option A (moving data to a Japan data center) is wrong because it does not address the transfer to the US for processing; the data would still need to be transferred to the US for the SaaS CRM to function, and the regulation applies to any transfer outside Japan. Option B (continuing with SCCs) is wrong because the Japanese regulator has stated SCCs are not sufficient unless supplemented, so relying on them alone would violate the regulation. Option C (pseudonymization) is wrong because pseudonymization does not eliminate the need for a valid transfer mechanism under Japanese law; the data remains personal data subject to transfer restrictions.
