CCNA Cloud Security Operations Questions

75 of 79 questions · Page 1/2 · Cloud Security Operations

1
Multi-Select · medium

A security analyst is configuring Azure Defender for Cloud to protect a hybrid environment. Which THREE resource types can be protected by enabling Azure Defender plans? (Choose three.)

Select 3 answers
A. Azure SQL databases (Defender for Databases)
B. Azure Key Vault (Defender for Key Vault)
C. Azure AD identities
D. Virtual machines (Defender for Servers)
E. Azure DNS zones
Answers: A, B, D

Defender for Databases covers SQL and other database types.

Why this answer

Azure Defender for Cloud provides integrated security protections for Azure resources. Enabling the 'Defender for Databases' plan specifically protects Azure SQL databases by detecting anomalous activities, SQL injection attempts, and potential vulnerabilities. This plan extends to other database types like Azure SQL Managed Instance and Azure Synapse SQL pools, ensuring comprehensive database security.

Exam trap

Cisco often tests the distinction between Azure Defender plans (which protect specific resource types like VMs, databases, and Key Vault) and other Azure security services (like Azure AD Identity Protection or Azure DNS security features), leading candidates to incorrectly select Azure AD identities or DNS zones as protected resources.

2
MCQ · hard

A cloud security team implements correlation rules in their SIEM to detect 'impossible travel' scenarios. Which combination of log sources is essential for detecting a user logging in from two different countries within a short time frame?

A. Amazon GuardDuty findings and Security Hub
B. AWS Config history and resource inventory
C. CloudTrail management events and AWS CloudTrail authentication events
D. VPC Flow Logs and DNS logs
Answer: C

CloudTrail logs include console login events with source IP; combining with timestamps allows impossible travel detection.

Why this answer

Detecting impossible travel requires authentication logs (who logged in and from where) and timestamps. Cloud provider authentication logs (e.g., AWS CloudTrail for console logins, Azure AD sign-in logs) provide the necessary data.

3
MCQ · medium

A security engineer needs to automate the remediation of any S3 bucket that is publicly accessible. The solution should work within a single AWS account and not require manual intervention. Which combination of services is MOST appropriate?

A. AWS Config rule + AWS Lambda auto-remediation
B. Amazon GuardDuty + AWS Step Functions
C. AWS CloudTrail + Amazon SNS
D. AWS Trusted Advisor + AWS Systems Manager
Answer: A

Config detects, Lambda remediates.

Why this answer

AWS Config can continuously evaluate S3 bucket settings against a custom or managed rule (e.g., s3-bucket-public-read-prohibited). When the rule detects a noncompliant bucket, it triggers an AWS Lambda function via auto-remediation, which can modify the bucket's ACL or policy to remove public access. This combination provides fully automated, event-driven remediation without manual steps.

Exam trap

Cisco often tests the distinction between detection services (GuardDuty, CloudTrail) and configuration enforcement services (AWS Config), leading candidates to choose a monitoring-only solution that lacks remediation capabilities.

How to eliminate wrong answers

Option B is wrong because Amazon GuardDuty is a threat detection service that identifies malicious activity (e.g., unusual API calls), not a configuration compliance tool; it cannot directly enforce S3 bucket policies. Option C is wrong because AWS CloudTrail records API activity but does not evaluate or remediate configurations, and Amazon SNS only sends notifications, not automated fixes. Option D is wrong because AWS Trusted Advisor provides best-practice checks and recommendations, but it does not offer native auto-remediation; AWS Systems Manager can automate actions but requires custom runbooks and is not designed for real-time S3 bucket compliance enforcement.

4
MCQ · medium

A security team is configuring AWS CloudTrail to enable detection of unauthorized API calls. They want to ensure that log files cannot be tampered with after delivery. Which CloudTrail feature should they enable?

A. CloudTrail Insights
B. CloudTrail Log File Validation
C. CloudTrail Multi-Region Trail
D. CloudTrail Event History
Answer: B

This feature creates a signed digest file for each log file, enabling integrity verification.

Why this answer

CloudTrail Log File Validation (option B) uses a SHA-256 hash chain to create a digital signature for each log file, enabling integrity verification. When enabled, CloudTrail delivers digest files that contain hashes of log files, allowing you to confirm that log files were not modified, deleted, or tampered with after delivery. This directly addresses the requirement to detect unauthorized API calls by ensuring the logs themselves are trustworthy.

Exam trap

Cisco often tests the distinction between detection features (like Insights) and integrity features (like Log File Validation), so candidates mistakenly choose Insights because it sounds like it 'detects' tampering, but it only detects unusual patterns, not file integrity.

How to eliminate wrong answers

Option A is wrong because CloudTrail Insights identifies unusual API activity and potential misuse, but it does not provide any mechanism to validate the integrity of log files after delivery. Option C is wrong because a multi-region trail aggregates logs from all AWS regions into a single trail, which improves visibility but does not protect against tampering of delivered log files. Option D is wrong because CloudTrail Event History provides a view of the last 90 days of management events for a region, but it is a read-only record and does not include any file validation or integrity checks.

5
MCQ · hard

A security analyst is investigating a potential breach and needs to verify the integrity of CloudTrail logs stored in S3. Which CloudTrail feature should the analyst rely on to confirm that logs have not been tampered with?

A. AWS KMS encryption of logs
B. CloudTrail log file validation
C. CloudTrail Insights events
D. S3 Object Lock
Answer: B

This feature generates digests that can be used to validate that log files have not been modified.

Why this answer

CloudTrail log file validation provides SHA-256 hashing and RSA digital signing of log files, allowing verification of integrity and authenticity.

6
MCQ · easy

Which AWS service uses machine learning to detect threats such as crypto mining activity on EC2 instances and compromised IAM credentials?

A. AWS Shield
B. AWS WAF
C. AWS Inspector
D. Amazon GuardDuty
Answer: D

GuardDuty uses ML to detect threats like crypto mining and credential compromise.

Why this answer

Amazon GuardDuty is a threat detection service that uses machine learning and anomaly detection to identify malicious activity.

7
MCQ · easy

An organization uses AWS GuardDuty for threat detection. A finding indicates that an EC2 instance is communicating with a known cryptocurrency mining pool. What type of threat does this represent?

A. Reconnaissance port scanning
B. Ransomware activity
C. Compromised IAM credentials exfiltration
D. Crypto mining on EC2
Answer: D

GuardDuty can detect EC2 instances generating traffic to known mining pools.

Why this answer

AWS GuardDuty detects threats by analyzing VPC Flow Logs, DNS logs, and CloudTrail events. A finding of communication with a known cryptocurrency mining pool indicates that the EC2 instance is likely compromised and running crypto mining software, which consumes excessive compute resources and represents a malicious activity type known as crypto mining.

Exam trap

The trap here is that candidates confuse crypto mining with ransomware or credential theft, but the key differentiator is the specific network communication pattern to a mining pool, not data encryption or API abuse.

How to eliminate wrong answers

Option A is wrong because reconnaissance port scanning involves probing for open ports or services, not communication with a known mining pool, which is a specific outbound connection to a malicious IP/domain. Option B is wrong because ransomware activity typically involves encrypting data and demanding payment, not the sustained CPU usage and network traffic to mining pools characteristic of crypto mining. Option C is wrong because compromised IAM credentials exfiltration would manifest as unauthorized API calls or access to sensitive resources, not direct outbound connections to mining infrastructure.

8
MCQ · hard

During a security incident in GCP, a forensic analyst needs to determine the exact timeline of events leading to a credential compromise. Which log source provides the most detailed information about IAM policy changes and authentication events?

A. VPC Flow Logs
B. Cloud Audit Logs
C. Cloud DNS logs
D. Cloud Monitoring metrics
Answer: B

Cloud Audit Logs capture all API calls including IAM modifications and authentication events.

Why this answer

GCP Cloud Audit Logs record all admin activities and data access, including IAM changes and authentication, making them the best source for timeline reconstruction.

9
MCQ · medium

A security engineer needs to scan all container images stored in Amazon Elastic Container Registry (ECR) for vulnerabilities. The scan must be automated whenever a new image is pushed. Which solution meets this requirement?

A. Use Amazon Macie for image scanning.
B. Configure AWS Security Hub to scan images.
C. Use AWS Lambda to invoke Clair on each push.
D. Enable Amazon Inspector continuous scanning for ECR repositories.
Answer: D

Inspector can automatically scan images on push.

Why this answer

Amazon Inspector continuous scanning for Amazon ECR automatically scans container images for software vulnerabilities whenever a new image is pushed to the repository. This feature is natively integrated with ECR, requires no additional infrastructure, and provides findings directly in the Inspector console and via AWS Security Hub. Option D is correct because it is the only AWS-native, automated, and fully managed solution that meets the requirement.

Exam trap

Cisco often tests the misconception that any security service (like Macie or Security Hub) can perform vulnerability scanning, when in fact only Inspector has the native capability to scan ECR images continuously and automatically.

How to eliminate wrong answers

Option A is wrong because Amazon Macie is designed for discovering and protecting sensitive data (e.g., PII, credentials) in S3 buckets, not for scanning container images for vulnerabilities. Option B is wrong because AWS Security Hub is a centralized security findings aggregator and does not perform image scanning itself; it can consume findings from Inspector but cannot initiate scans. Option C is wrong because while AWS Lambda can invoke Clair (an open-source vulnerability scanner), this approach requires custom code, management of the Clair infrastructure, and is not a native AWS managed service; it also does not automatically trigger on every push without additional event wiring (e.g., S3 events or ECR push notifications), making it less reliable and more complex than the native solution.

10
Multi-Select · hard

An organization is implementing automated remediation for common cloud security misconfigurations using AWS Config and Lambda. Which THREE misconfigurations can be automatically remediated using this approach?

Select 3 answers
A. S3 bucket with public read access
B. EBS volume without encryption
C. EC2 instance type not compliant with corporate standard
D. VPC with default security group allowing all traffic
E. Security group allowing SSH from 0.0.0.0/0
Answers: A, B, E

A Lambda function can modify the bucket policy to remove public access.

Why this answer

AWS Config can evaluate S3 bucket public read access against a managed rule (s3-bucket-public-read-prohibited) and trigger a Lambda function to apply a bucket policy that blocks public access. This is a common automated remediation pattern because the fix is deterministic and can be applied via the AWS SDK without manual intervention.

Exam trap

Cisco often tests the distinction between misconfigurations that can be automatically fixed without downtime (like S3 bucket policies or security group rules) versus those that require instance state changes or manual approval (like EC2 instance type or VPC default security group modifications).

11
MCQ · medium

During a cloud security incident, the incident response team needs to contain a compromised EC2 instance. Which action should be taken FIRST to prevent further malicious activity while preserving evidence?

A. Revoke the IAM role associated with the instance.
B. Create a snapshot of the instance volume for forensic analysis.
C. Terminate the EC2 instance immediately.
D. Modify the security group associated with the instance to deny all traffic.
Answer: D

This isolates the instance, stopping further malicious activity.

Why this answer

Option D is correct because modifying the security group to deny all traffic immediately isolates the compromised EC2 instance, preventing further malicious network activity while preserving the instance's state for forensic analysis. This containment step is reversible and does not destroy volatile data or system processes, unlike termination or snapshot creation, which can alter evidence.

Exam trap

Cisco often tests the distinction between containment and preservation, and the trap here is that candidates mistakenly choose snapshot creation (Option B) as the first step, confusing forensic preservation with immediate containment, or choose IAM role revocation (Option A) thinking it stops all activity, when it only affects AWS API calls, not network traffic.

How to eliminate wrong answers

Option A is wrong because revoking the IAM role stops API-level access but does not block network traffic to or from the instance, so ongoing malicious network activity (e.g., data exfiltration or lateral movement) continues unimpeded. Option B is wrong because creating a snapshot is a forensic preservation step that should occur after containment, not first; the snapshot captures the disk state but does not stop active malicious traffic or processes. Option C is wrong because terminating the instance immediately destroys volatile memory, running processes, and network connections, which are critical for forensic analysis and may violate chain-of-custody requirements.

12
MCQ · hard

During incident response in a cloud environment, a team needs to collect evidence from a compromised EC2 instance without altering the system. Which of the following is the best method to obtain a forensic memory dump?

A. Create an AMI of the instance
B. Enable detailed billing reports
C. Use the AWS CLI to run a 'memory-dump' command
D. Take a snapshot of the root EBS volume
Answer: D

This captures the disk state, which is essential for forensic analysis, although it does not capture memory.

Why this answer

While a memory dump is ideal, taking a snapshot of the EBS volume preserves the disk state for forensic analysis, which is part of evidence collection.

13
MCQ · easy

An organization uses Azure Sentinel as its SIEM. Which Azure service provides native integration to stream audit logs into Sentinel?

A. Azure Security Center
B. Azure Monitor
C. Azure Policy
D. Azure Advisor
Answer: B

Azure Monitor collects logs and metrics and can send them to Sentinel.

Why this answer

Azure Monitor Activity Log (and other logs) can be streamed directly to Azure Sentinel via connectors. Sentinel is built on Azure Monitor and integrates natively.

14
MCQ · medium

An organization uses Azure Defender for Cloud to protect their hybrid environment. They want to receive alerts about suspicious activities on their Azure Key Vault. Which Defender plan should they enable?

A. Defender for Databases
B. Defender for Containers
C. Defender for Servers
D. Defender for Key Vault
Answer: D

This plan specifically protects Key Vault.

Why this answer

Defender for Key Vault is the specific plan designed to provide advanced threat protection for Azure Key Vault. It monitors access patterns and operations on the vault to detect suspicious activities such as unauthorized access attempts, credential theft, or anomalous secret retrieval, and generates security alerts accordingly.

Exam trap

Cisco often tests the ability to match Azure Defender plans to their specific protected resources, and the trap here is that candidates might assume a general plan like Defender for Servers covers all Azure services, when in fact each plan is scoped to a particular service category.

How to eliminate wrong answers

Option A is wrong because Defender for Databases protects Azure SQL, SQL Server on VMs, and other database services, not Key Vault. Option B is wrong because Defender for Containers secures containerized environments like AKS, ACR, and Kubernetes workloads, not Key Vault. Option C is wrong because Defender for Servers provides threat detection for virtual machines and on-premises servers, not for Key Vault.

15
MCQ · medium

An incident response playbook for a cloud environment includes containment steps. For a compromised IAM user in AWS, which action is least likely to be effective for containment?

A. Disable the IAM user
B. Change the IAM user's password
C. Attach a DenyAll policy to the user
D. Disable the IAM user's access keys
Answer: B

Changing the password alone does not revoke existing sessions or access keys; the user might still have active sessions.

Why this answer

Changing the IAM user's password does not invalidate existing authenticated sessions or tokens (such as temporary credentials from STS or access keys). An attacker who has already established a session or obtained access keys can continue to use them until they expire or are explicitly revoked. Therefore, password change alone is ineffective for immediate containment.

Exam trap

Cisco often tests the misconception that changing a password is a universal containment action, but in cloud environments with multiple credential types (access keys, STS tokens), password changes alone are insufficient to stop ongoing abuse.

How to eliminate wrong answers

Option A is wrong because disabling the IAM user immediately revokes all permissions and terminates any active sessions, making it a highly effective containment step. Option C is wrong because attaching a DenyAll policy explicitly denies all actions for that user, effectively blocking any further malicious activity even if the user remains enabled. Option D is wrong because disabling the user's access keys prevents any API calls signed with those keys, cutting off a common attack vector for programmatic access.

16
Multi-Select · hard

A cloud security analyst is configuring a SIEM correlation rule to detect mass data exfiltration from an AWS S3 bucket. Which THREE log sources should be ingested to create an effective detection? (Choose three.)

Select 3 answers
A. AWS Config configuration history
B. CloudTrail data events for S3
C. VPC Flow Logs
D. S3 server access logs
E. CloudTrail management events
Answers: B, C, D

CloudTrail data events log S3 object-level operations such as GetObject.

Why this answer

CloudTrail data events for S3 capture object-level API operations such as GetObject, PutObject, and DeleteObject. By monitoring these events, a SIEM can detect anomalous patterns like a sudden spike in read requests from a single IP, which is a strong indicator of mass data exfiltration. This log source provides the granularity needed to identify the specific actions and actors involved in data access.

Exam trap

Cisco often tests the distinction between CloudTrail management events and data events, tricking candidates into selecting management events for data-level monitoring when only data events capture object access.

17
Multi-Select · hard

A cloud security team is designing an incident response playbook for a suspected data exfiltration via an AWS S3 bucket. Which TWO actions should be included for containment and evidence collection? (Choose two.)

Select 2 answers
A. Immediately notify all users to change passwords.
B. Revoke IAM credentials associated with the compromised access.
C. Take a snapshot of the S3 bucket using AWS Backup.
D. Enable VPC Flow Logs for the VPC where the bucket is accessed.
E. Delete the S3 bucket to prevent further access.
Answers: B, D

Revoking the credentials stops further API calls.

Why this answer

For containment, revoking the IAM credentials used by the attacker stops further access. For evidence, enabling VPC Flow Logs (if not already enabled) captures network traffic for analysis.

18
MCQ · medium

A security engineer is evaluating vulnerability management options for cloud workloads and wants to identify vulnerabilities without installing agents on the operating system. Which approach should be used?

A. Network-based vulnerability scanning
B. Agentless scanning using cloud API-based assessment
C. Agent-based scanning using AWS Inspector
D. Container image scanning in a registry
Answer: B

Agentless scanning leverages cloud APIs to assess vulnerabilities without an agent.

Why this answer

Option B is correct because agentless scanning leverages cloud provider APIs (e.g., AWS Systems Manager, Azure Resource Graph, GCP Cloud Asset Inventory) to assess the configuration and patch state of cloud workloads without requiring an OS-level agent. This approach directly meets the requirement of identifying vulnerabilities without installing agents on the operating system, as it reads metadata and configuration snapshots from the cloud control plane.

Exam trap

The trap here is that candidates often confuse 'agentless scanning' with 'network-based scanning,' assuming that any scan without an OS agent must be network-based, but the CCSP exam specifically tests the cloud-native API-driven assessment model as the correct agentless approach for cloud workloads.

How to eliminate wrong answers

Option A is wrong because network-based vulnerability scanning (e.g., Nmap, Nessus) requires network connectivity and often relies on OS fingerprinting or banner grabbing, but it cannot reliably assess internal OS-level vulnerabilities (e.g., missing patches, registry misconfigurations) without agent-based or authenticated access, and it still does not avoid the need for some form of OS interaction. Option C is wrong because agent-based scanning using AWS Inspector explicitly requires installing an agent on the EC2 instance to collect OS-level telemetry, which contradicts the requirement to avoid agents. Option D is wrong because container image scanning in a registry (e.g., Amazon ECR scanning, Trivy) only analyzes static images at rest, not running cloud workloads, and does not address vulnerabilities in the OS of running instances or virtual machines.

19
Multi-Select · hard

During a cloud incident response, the security team needs to eradicate a malicious Lambda function that was created by an attacker. Which THREE steps should be part of the eradication process? (Choose three.)

Select 3 answers
A. Delete the Lambda function
B. Review and remove any CloudWatch Events triggers
C. Revoke any IAM roles associated with the function
D. Disable CloudTrail logging in the affected region
E. Place the function in a quarantine VPC
Answers: A, B, C

Deleting the function removes the malicious code.

Why this answer

Deleting the Lambda function is a direct eradication step because it removes the attacker's malicious code from the AWS environment. Once deleted, the function can no longer be invoked, and any associated execution logs or metrics will cease. This action is irreversible and ensures the attacker's foothold is eliminated.

Exam trap

Cisco often tests the misconception that placing a resource in a quarantine network (like a VPC) is sufficient for containment, but in serverless environments, the function's code and execution permissions remain active, so deletion and role revocation are mandatory.

20
MCQ · easy

A security analyst notices a spike in failed login attempts from an IP address in a country where the company has no operations. Which SIEM correlation rule would be most effective in detecting this type of activity?

A. Root account usage – alert when root user performs any action
B. Impossible travel – login from two geographically distant locations within minutes
C. Mass S3 download – high volume of GetObject requests from a single IP
D. New IAM admin user creation – detection of privileged role assignment
Answer: B

This rule detects anomalous logins that may indicate credential theft or unauthorized access.

Why this answer

An impossible travel rule detects logins from geographically distant locations within a short timeframe, which may indicate compromised credentials. The other rules address different scenarios: mass S3 download for data exfiltration, new IAM admin for privilege escalation, and root account usage for unauthorized access.

21
MCQ · medium

A security team is implementing vulnerability management in a hybrid cloud environment. They need to scan virtual machines without installing an agent. Which approach is most suitable?

A. Deploying a third-party vulnerability scanner on each VM
B. Agentless scanning using cloud APIs
C. Agent-based scanning with AWS Inspector
D. Using container image scanning in a registry
Answer: B

Agentless scanning leverages cloud provider APIs to assess VM vulnerabilities.

Why this answer

Agentless scanning using cloud APIs (Option B) is the correct approach because it allows the security team to scan virtual machines without installing any software on the VMs themselves. This method leverages cloud provider APIs (e.g., AWS EC2 DescribeInstances, Azure VM REST APIs) to query the hypervisor or management plane for VM configurations, patch levels, and vulnerabilities, making it ideal for hybrid cloud environments where agent deployment may be impractical or restricted.

Exam trap

The trap here is that candidates often confuse 'agentless scanning' with 'agent-based scanning' or assume that container image scanning applies to VMs, but Cisco tests the specific requirement of scanning VMs without installing an agent, which only agentless cloud API-based scanning satisfies.

How to eliminate wrong answers

Option A is wrong because deploying a third-party vulnerability scanner on each VM requires installing an agent, which directly contradicts the requirement to scan without installing an agent. Option C is wrong because agent-based scanning with AWS Inspector requires the AWS Systems Manager Agent (SSM Agent) to be installed on each EC2 instance, which is an agent-based approach. Option D is wrong because container image scanning in a registry (e.g., Amazon ECR scanning) is designed for container images, not for virtual machines, and does not address the requirement to scan VMs.

22
MCQ · hard

During a forensic investigation of a suspected data exfiltration incident in AWS, a security team needs to analyze network traffic to identify the destination IP addresses and volume of data transferred. Which data source is most appropriate for this analysis?

A. VPC Flow Logs
B. AWS Config configuration history
C. AWS CloudTrail management events
D. Amazon S3 access logs
Answer: A

VPC Flow Logs provide detailed network traffic information needed for exfiltration analysis.

Why this answer

VPC Flow Logs capture metadata about IP traffic flowing to and from network interfaces in a VPC, including source/destination IP addresses, ports, protocols, and the number of bytes transferred. This makes them the ideal data source for identifying the destination IP addresses and volume of data exfiltrated, as they provide per-flow byte counts and packet-level details without requiring packet capture.

Exam trap

Cisco often tests the distinction between logs that capture API-level activity (CloudTrail) versus network-level metadata (Flow Logs), and candidates mistakenly choose CloudTrail because they think 'management events' includes network traffic, but it only records control plane operations, not data plane flows.

How to eliminate wrong answers

Option B (AWS Config configuration history) is wrong because it records resource configuration changes (e.g., security group rules, instance types) over time, not network traffic or data transfer volumes. Option C (AWS CloudTrail management events) is wrong because it logs API calls that modify AWS resources (e.g., CreateInstance, AuthorizeSecurityGroupIngress), not the actual network packets or byte counts flowing through the VPC. Option D (Amazon S3 access logs) is wrong because they only log requests made to S3 buckets (e.g., GET, PUT, DELETE operations) and do not capture general VPC network traffic or destination IP addresses for exfiltration outside of S3 interactions.

23
MCQ · easy

A cloud security team wants to automatically detect and remediate S3 buckets that are publicly accessible. Which combination of AWS services can achieve this?

A. Amazon Inspector and AWS Security Hub
B. AWS WAF and Amazon Route 53
C. AWS Config and AWS Lambda
D. AWS CloudTrail and Amazon GuardDuty
Answer: C

Config evaluates rules and can invoke Lambda for auto-remediation.

Why this answer

AWS Config continuously evaluates S3 bucket configurations against rules (e.g., s3-bucket-public-read-prohibited) and can trigger an AWS Lambda function via Amazon EventBridge when a non-compliant change is detected. The Lambda function then automatically applies a remediation action, such as removing the public access block or updating the bucket policy, achieving automated detection and remediation without manual intervention.

Exam trap

Cisco often tests the distinction between detection-only services (like Inspector, GuardDuty, CloudTrail) and services that can both detect and trigger automated remediation (Config + Lambda), leading candidates to pick a service that only detects but cannot remediate.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability assessment service for EC2 instances and container workloads, not for S3 bucket configuration monitoring; Security Hub aggregates findings from other services but does not directly detect or remediate S3 public access. Option B is wrong because AWS WAF is a web application firewall that protects against web exploits at the application layer (HTTP/HTTPS), not for S3 bucket-level access controls; Route 53 is a DNS service and has no role in S3 bucket policy evaluation. Option D is wrong because AWS CloudTrail records API activity (e.g., PutBucketPolicy) but does not evaluate current bucket configurations for public access, and Amazon GuardDuty detects threats like suspicious API calls or compromised credentials, not misconfigured bucket permissions.

24
Multi-Select · easy

A cloud security engineer needs to ensure that logs from multiple AWS accounts are centrally stored in a security account for analysis. Which TWO services can be used to aggregate logs across accounts? (Choose two.)

Select 2 answers
A. Amazon CloudWatch Logs with cross-account subscription filters
B. AWS Config
C. AWS Security Hub
D. Amazon S3 with cross-account bucket policies
E. Amazon GuardDuty
Answers: A, D

CloudWatch Logs can forward log events to a central account via subscription filters.

Why this answer

Amazon CloudWatch Logs supports cross-account subscription filters, which allow you to stream log data from log groups in multiple source accounts to a single destination (e.g., a Kinesis stream or Lambda function) in a central security account. This enables real-time aggregation of logs across accounts without requiring agents in each account to send logs directly to a different destination.

Exam trap

Cisco often tests the distinction between services that aggregate raw logs (CloudWatch Logs, S3) versus services that aggregate security findings or metadata (Security Hub, GuardDuty), leading candidates to incorrectly select Security Hub or GuardDuty for log aggregation.

25
MCQ · medium

A security team wants to detect when the root user account is used in AWS. Which service can generate an alert for this activity?

A.AWS CloudTrail
B.AWS Config
C.AWS Security Hub
D.Amazon GuardDuty
AnswerD

GuardDuty has the finding type Policy:IAMUser/RootCredentialUsage and publishes findings to EventBridge, from which an alert can be raised.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior, including the use of the root user account, which it reports as the finding Policy:IAMUser/RootCredentialUsage. Findings are published to Amazon EventBridge (formerly CloudWatch Events), where a rule can notify the team through SNS or invoke AWS Lambda. This makes it the correct choice for detecting root user usage.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's logging capability with alerting, assuming it can directly generate alerts, when in fact it only records events and requires integration with other services for notification.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail is a logging service that records API calls but does not generate alerts on its own; an alert requires another service, for example an EventBridge rule matching CloudTrail events whose userIdentity.type is Root, or a CloudWatch Logs metric filter with an alarm. Option B is wrong because AWS Config is a configuration management and compliance service that evaluates resource configurations against rules, not a threat detection service, and it cannot detect root user login events. Option C is wrong because AWS Security Hub aggregates findings from multiple services (like GuardDuty) and provides a centralized view, but it does not generate its own alerts for root user activity; it relies on other services to produce those findings.

26
MCQhard

During a cloud incident response, a security team needs to collect memory from a compromised EC2 instance for forensic analysis. Which method is most appropriate for acquiring a memory dump?

A.Analyze CloudTrail logs for the instance's API calls.
B.Take a snapshot of the EBS volumes attached to the instance.
C.Review VPC Flow Logs for network traffic.
D.Use AWS Systems Manager to run a memory acquisition script on the instance.
AnswerD

Systems Manager can execute commands to capture memory using tools like LiME.

Why this answer

Memory is volatile, so it can only be acquired from the running instance; none of the other sources contain it. An EBS snapshot captures the volumes at a point in time, including a swap file if one lives on them, but not running processes, open network connections, injected code or keys held in RAM. AWS Systems Manager Run Command lets the responder execute an acquisition tool on the instance through the SSM Agent without opening an interactive SSH or RDP session: on Linux, a kernel module such as LiME or a userland tool such as AVML, with the image written to S3 or to a dedicated evidence volume rather than the instance's own disk. Live acquisition unavoidably changes some state (a module is loaded, the process table changes), so record what was run and when, hash the resulting image, and take the EBS snapshot immediately afterwards.

Systems Manager only works if the SSM Agent is installed and the instance profile allows it to register, so forensic readiness means onboarding instances before an incident, not during one.

How to eliminate wrong answers

Option A is wrong because CloudTrail records the API calls made with the instance's credentials, not the contents of its memory. Option B is wrong because a snapshot preserves disk, not RAM; it is the right next step after memory has been captured, not a substitute for it. Option C is wrong because VPC Flow Logs record network metadata (addresses, ports, byte counts), which helps scope the incident but contains nothing from memory.

27
MCQeasy

Which of the following is a primary purpose of a SOAR (Security Orchestration, Automation and Response) platform in cloud security operations?

A.To automate response to security incidents by executing predefined playbooks.
B.To provide a centralized dashboard for cloud cost management.
C.To scan container images for vulnerabilities.
D.To enforce identity and access management policies.
AnswerA

SOAR automates incident response workflows.

Why this answer

SOAR platforms automate incident response processes, orchestrating actions across multiple tools and reducing manual effort.

28
MCQmedium

A company uses Azure and wants to ensure that all activity log events are retained for seven years to meet compliance requirements. What is the most efficient way to implement this?

A.Export activity logs to an Azure Storage account and apply a lifecycle management policy to delete logs after 7 years.
B.Enable Azure Monitor and configure the activity log to be stored in a Log Analytics workspace with a retention of 7 years.
C.Use Azure Backup to back up activity logs and retain them for 7 years.
D.Configure activity logs to be sent to an Event Hub and then to a third-party archival service.
AnswerA

Storage accounts can hold logs for any duration with lifecycle policies to manage retention.

Why this answer

A diagnostic setting on the activity log can export every event to a storage account. Storage has no retention ceiling, and a lifecycle management rule can move the blobs to the cool or archive tier as they age and delete them only after seven years, which meets the requirement at the lowest cost.

29
MCQhard

A security team is investigating a potential data exfiltration incident where a large volume of data was downloaded from an S3 bucket. Which log source would provide the most granular details about the S3 GET requests, including the requester identity and source IP?

A.VPC Flow Logs
B.S3 server access logs
C.AWS CloudTrail management events
D.Amazon CloudWatch Logs for S3
AnswerB

These logs record detailed information about each request to the bucket.

Why this answer

S3 server access logs record every request to the bucket with the requester, source IP, object key, operation, HTTP status, bytes sent, object size and timing. CloudTrail data events also record S3 object-level operations with the requester identity and source IP, but they do not carry per-request transfer details such as bytes sent, so for reconstructing how much was downloaded the server access logs are the more granular source.
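As an added example (not part of the original question set), the following Python parses S3 server access log lines and totals successful object downloads per requester and source IP, which is the query a responder runs against these logs in an exfiltration case. The log lines are constructed for illustration and follow the documented field order (IDs shortened); the byte threshold is an arbitrary value for the demonstration.

```python
import re
from collections import defaultdict

# Tokeniser for the S3 server access log line format: whitespace-separated fields,
# except that the timestamp is wrapped in [ ] and the request-URI, referer and
# user-agent are wrapped in double quotes (and may themselves contain spaces).
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Field order of the S3 server access log format. AWS appends new fields at the
# end over time, so anything past this list is kept under "extra".
_FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turnaround_time", "referer", "user_agent",
    "version_id", "host_id", "signature_version", "cipher_suite", "auth_type",
    "host_header", "tls_version",
]
_NUMERIC = ("bytes_sent", "object_size", "total_time", "turnaround_time")


def parse_line(line: str) -> dict:
    """Parse one access log line into a dict; numeric "-" fields become 0."""
    tokens = _TOKEN.findall(line)
    rec = dict(zip(_FIELDS, tokens))
    rec["extra"] = tokens[len(_FIELDS):]
    rec["time"] = rec["time"].strip("[]")
    for name in ("request_uri", "referer", "user_agent"):
        rec[name] = rec[name].strip('"')
    for name in _NUMERIC:
        rec[name] = int(rec[name]) if rec[name] != "-" else 0
    return rec


def download_totals(lines, operation: str = "REST.GET.OBJECT") -> dict:
    """Sum successful object downloads per (requester, remote_ip).

    Only 2xx responses count: a 403 or 404 transferred no object data."""
    totals = defaultdict(lambda: {"requests": 0, "bytes": 0, "keys": set()})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["operation"] != operation or not rec["http_status"].startswith("2"):
            continue
        t = totals[(rec["requester"], rec["remote_ip"])]
        t["requests"] += 1
        t["bytes"] += rec["bytes_sent"]
        t["keys"].add(rec["key"])
    return totals


def flag_bulk_downloads(lines, threshold_bytes: int) -> list:
    """Return [(requester, remote_ip, bytes)] for sources at or above the threshold."""
    return sorted(
        (req, ip, t["bytes"])
        for (req, ip), t in download_totals(lines).items()
        if t["bytes"] >= threshold_bytes
    )


# Constructed sample lines (IDs shortened): three downloads by one IAM user from
# one IP, one anonymous request that was denied, and one bucket listing.
SAMPLE_LOG = """\
OWNERID finance-exports [01/May/2024:12:00:01 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/alice REQ1 REST.GET.OBJECT export/part-0001.csv "GET /finance-exports/export/part-0001.csv HTTP/1.1" 200 - 1048576 1048576 70 20 "-" "aws-cli/2.15.0 Python/3.11" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader finance-exports.s3.us-east-1.amazonaws.com TLSv1.2
OWNERID finance-exports [01/May/2024:12:00:02 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/alice REQ2 REST.GET.OBJECT export/part-0002.csv "GET /finance-exports/export/part-0002.csv HTTP/1.1" 200 - 2097152 2097152 90 25 "-" "aws-cli/2.15.0 Python/3.11" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader finance-exports.s3.us-east-1.amazonaws.com TLSv1.2
OWNERID finance-exports [01/May/2024:12:00:03 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/alice REQ3 REST.GET.OBJECT export/part-0003.csv "GET /finance-exports/export/part-0003.csv HTTP/1.1" 200 - 524288 524288 40 10 "-" "aws-cli/2.15.0 Python/3.11" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader finance-exports.s3.us-east-1.amazonaws.com TLSv1.2
OWNERID finance-exports [01/May/2024:12:00:04 +0000] 203.0.113.9 - REQ4 REST.GET.OBJECT export/part-0001.csv "GET /finance-exports/export/part-0001.csv HTTP/1.1" 403 AccessDenied - 1048576 5 - "-" "curl/8.4.0" - HOSTID - - - finance-exports.s3.us-east-1.amazonaws.com -
OWNERID finance-exports [01/May/2024:12:00:05 +0000] 203.0.113.9 arn:aws:iam::123456789012:user/bob REQ5 REST.GET.BUCKET - "GET /finance-exports?list-type=2 HTTP/1.1" 200 - 712 - 12 11 "-" "aws-cli/2.15.0" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader finance-exports.s3.us-east-1.amazonaws.com TLSv1.2
"""

if __name__ == "__main__":
    for requester, ip, total in flag_bulk_downloads(SAMPLE_LOG.splitlines(), 3 * 1024 * 1024):
        print(f"{requester} from {ip} downloaded {total} bytes")
```

The denied anonymous request and the bucket listing are skipped by the status and operation filters, so only the authenticated downloads count towards the per-source total.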

30
MCQmedium

An organization is implementing a cloud SIEM solution to centralize security monitoring across multiple AWS accounts. Which service should be used to aggregate security findings and send them to a third-party SIEM like Splunk?

A.AWS CloudTrail
B.AWS Security Hub
C.AWS GuardDuty
D.AWS Config
AnswerB

Security Hub is designed to aggregate and prioritize security findings from across AWS accounts and services.

Why this answer

AWS Security Hub is the correct service because it is designed to aggregate security findings from multiple AWS services (e.g., GuardDuty, Inspector, Macie) and AWS accounts, and then forward them to third-party SIEM solutions like Splunk via AWS EventBridge or direct integration. This centralizes security alerts into a single dashboard and stream, enabling efficient monitoring across a multi-account environment.

Exam trap

Cisco often tests the distinction between services that generate findings (like GuardDuty) versus services that aggregate and normalize findings (like Security Hub), leading candidates to pick GuardDuty because they confuse detection with centralization.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity logs, not security findings, and it does not aggregate findings across accounts or natively forward to a SIEM. Option C is wrong because Amazon GuardDuty is a threat detection service that generates findings; a delegated administrator can see findings from member accounts, but only GuardDuty's own, not those of Inspector, Macie or partner products, so the multi-service aggregation and SIEM export the question asks for is the role of Security Hub. Option D is wrong because AWS Config tracks resource configuration changes and compliance, not security findings, and it lacks the aggregation and SIEM forwarding capabilities of Security Hub.

31
Multi-Selecthard

An organization is designing an incident response playbook for a compromised AWS IAM user. Which THREE actions should be included in the containment phase? (Choose three.)

Select 3 answers
A.Disable the user's access keys.
B.Take a snapshot of all EC2 instances for forensic analysis.
C.Attach an IAM policy that denies all actions to the user.
D.Terminate any EC2 instances launched by the user.
E.Revoke the user's IAM credentials.
AnswersA, C, E

Disabling access keys prevents further programmatic access.

Why this answer

Containment means cutting off the attacker's access. Disabling or deleting the user's access keys stops further programmatic use of them; revoking the credentials also covers the console password and any keys the attacker may have created; and attaching an explicit deny-all policy (optionally conditioned on aws:TokenIssueTime so that sessions issued before the revocation are rejected) stops use of anything the attacker still holds. Terminating resources is eradication, and taking snapshots is evidence collection.

32
MCQhard

During a cloud security incident, the response team needs to collect evidence from a compromised AWS EC2 instance. Which method is most appropriate for capturing volatile data while preserving forensic integrity?

A.Terminate the instance and launch a replacement
B.Create a memory dump by SSH and save to S3
C.Take an EBS snapshot of the instance's volumes
D.Reboot the instance and collect logs
AnswerC

Snapshots are point-in-time copies that preserve disk data for forensic analysis.

Why this answer

Option C is correct because, among the listed options, an EBS snapshot is the only one that produces a preserved copy of evidence without destroying it: it captures each volume at a point in time, including a swap file or temporary files stored on it, and it is taken through the EC2 API rather than by logging in, so nothing is written to the instance's own disk. A snapshot does not contain RAM; what it preserves is the disk, so that analysis proceeds offline on a copy while the original instance is left untouched.

Exam trap

Cisco often tests the misconception that an ad hoc SSH session is an acceptable way to collect memory: any interactive login writes to the system (authentication logs, shell history, the dump file itself) and alters process and connection tables, so the collection method contaminates the evidence it is meant to preserve.

How to eliminate wrong answers

Option A is wrong because terminating the instance destroys all volatile data (memory, process state, network connections) and, for instance-store or delete-on-termination volumes, the disk as well. Option B is wrong because an interactive SSH session modifies the system state and writes the dump onto the evidence disk; if live memory is needed it should be acquired with a minimal-footprint tool (LiME loaded as a kernel module, or AVML) launched out of band, for example through Systems Manager Run Command, with the image streamed off-host and its hash recorded. Option D is wrong because rebooting the instance clears RAM and resets kernel data structures, losing all volatile evidence such as running processes, network connections, and encryption keys.

33
MCQeasy

What is the primary purpose of cloud security posture management (CSPM) tools such as AWS Security Hub, Azure Secure Score, and GCP Security Command Center?

A.To provide a centralized log storage solution.
B.To detect real-time threats like malware and intrusions.
C.To manage user identities and access permissions.
D.To assess and improve the security configuration of cloud resources against benchmarks.
AnswerD

CSPM focuses on configuration and compliance.

Why this answer

CSPM tools like AWS Security Hub, Azure Secure Score, and GCP Security Command Center are designed to continuously monitor cloud environments, assess configurations against industry benchmarks (e.g., CIS, NIST, PCI DSS), and provide remediation guidance. Their primary purpose is to identify misconfigurations and compliance gaps, not to perform real-time threat detection or centralized logging.

Exam trap

Cisco often tests the distinction between CSPM (configuration assessment) and other security tools (e.g., SIEM, IDS/IPS, IAM), so the trap here is confusing CSPM's proactive compliance monitoring with reactive threat detection or log management.

How to eliminate wrong answers

Option A is wrong because centralized log storage is the function of services like AWS CloudTrail, Azure Monitor, or GCP Cloud Logging, not CSPM tools which focus on configuration assessment. Option B is wrong because real-time threat detection for malware and intrusions is handled by dedicated services like Amazon GuardDuty, Microsoft Defender for Cloud's workload protection plans, or Security Command Center's Event Threat Detection, whereas CSPM tools are configuration-focused and not designed for active threat hunting. Option C is wrong because managing user identities and access permissions is the role of IAM services (e.g., AWS IAM, Microsoft Entra ID, GCP IAM), not CSPM tools which evaluate the security posture of resources but do not directly manage identities or permissions.

34
MCQhard

During a cloud incident response, a security team needs to isolate a compromised EC2 instance to prevent further communication with an external command-and-control server. Which step should be taken first?

A.Take a forensic snapshot of the instance’s EBS volume
B.Revoke the IAM credentials associated with the instance’s role
C.Stop the EC2 instance
D.Modify the security group to deny all outbound traffic
AnswerD

This immediately stops all network communication from the instance.

Why this answer

Changing the instance's security groups is the fastest way to cut communication with the external C2 server without destroying volatile data. Security groups are allow-only, so "deny all outbound" in practice means removing every outbound rule, usually by replacing the instance's groups with a pre-built isolation group that has no inbound or outbound rules. One caveat a responder must know: security groups are stateful, and a connection that is already being tracked can keep flowing after the rule that allowed it is removed, until the flow idles out; if the C2 session has to be cut at once, also apply a network ACL on the subnet that denies all traffic, since NACLs are stateless and take effect immediately. Either way the instance keeps running, so RAM and process state are preserved for later acquisition.

Exam trap

Cisco often tests the distinction between containment (blocking network traffic) and preservation (snapshotting or stopping), and the trap here is that candidates mistakenly choose 'Stop the EC2 instance' thinking it is the most definitive containment action, not realizing it destroys volatile evidence that a security group change leaves intact.

How to eliminate wrong answers

Option A is wrong because taking a forensic snapshot of the EBS volume is a preservation step that should occur after containment, not first; it does not stop active C2 communication. Option B is wrong because denying the instance role's credentials prevents the instance from making API calls to AWS services but does not block network-layer traffic to an external C2 server, which operates at the IP/port level. Option C is wrong because stopping the EC2 instance shuts the operating system down and loses volatile memory (RAM) evidence, and it is a more disruptive action than blocking traffic via security group rules.

35
Multi-Selectmedium

An organization is using GCP and wants to implement cloud security posture management (CSPM) to continuously monitor configurations against the CIS Benchmark. Which TWO GCP services can be used for this purpose? (Choose two.)

Select 2 answers
A.Cloud VPN
B.Cloud Asset Inventory
C.Security Command Center
D.Cloud Audit Logs
E.Cloud Functions
AnswersB, C

Provides a complete view of resources and can be used for compliance checks.

Why this answer

Cloud Asset Inventory provides a complete inventory of GCP resources and IAM policies together with their recent change history, which is what compliance checks against the CIS Benchmark need to evaluate. Security Command Center offers built-in CSPM capabilities, including automated scanning for CIS Benchmark violations and actionable recommendations to remediate misconfigurations.

Exam trap

Cisco often tests the distinction between logging services (Cloud Audit Logs) and active monitoring/compliance services (CSPM), leading candidates to mistakenly choose Cloud Audit Logs for configuration monitoring instead of Security Command Center or Cloud Asset Inventory.

36
MCQeasy

An organization is using GCP and wants to collect audit logs for all API calls made within the project. Which GCP service should be enabled to capture these logs?

A.VPC Flow Logs
B.Cloud Audit Logs
C.Cloud Monitoring
D.Cloud Security Command Center
AnswerB

Cloud Audit Logs record API calls; Admin Activity logs are always on, while Data Access logs must be enabled per service.

Why this answer

GCP Cloud Audit Logs record administrative activities and data access within GCP projects and are the primary source for API call logging. Admin Activity and System Event logs are always written and cannot be disabled; Data Access logs, which can be high volume, must be enabled in the project's audit log configuration for every service except BigQuery, so "collecting all API calls" in practice means turning Data Access logging on. Security Command Center provides security and risk management but does not generate audit logs.

Cloud Monitoring collects metrics and uptime checks. VPC Flow Logs capture network traffic, not API calls.

37
MCQmedium

An organization is using Azure and wants to ensure that all resources are compliant with CIS benchmarks. Which Azure service provides a unified view of compliance posture and recommendations?

A.Azure Sentinel
B.Azure Secure Score
C.Azure Monitor
D.Azure Policy
AnswerB

Secure Score in Microsoft Defender for Cloud gives a score and recommendations based on benchmarks.

Why this answer

Azure Secure Score (now part of Microsoft Defender for Cloud) provides a unified, centralized view of an organization's security posture: the score is computed from the Microsoft cloud security benchmark recommendations, and the regulatory compliance dashboard maps the same resource assessments onto standards including the CIS Microsoft Azure Foundations Benchmark. It aggregates Azure Policy evaluations and other security controls into a single score and actionable guidance, making it the correct service for monitoring compliance against CIS standards.

Exam trap

The trap here is that candidates confuse Azure Policy (which enforces rules) with Azure Secure Score (which provides the unified compliance posture and scoring), or they mistakenly think Azure Monitor or Sentinel can serve as a compliance dashboard when they are designed for monitoring and security operations, respectively.

How to eliminate wrong answers

Option A is wrong because Azure Sentinel is a cloud-native SIEM/SOAR solution focused on threat detection, investigation, and response, not on providing a unified compliance posture view or CIS benchmark recommendations. Option C is wrong because Azure Monitor collects and analyzes telemetry data (metrics, logs) for performance and health monitoring, but it does not natively aggregate compliance posture or provide CIS benchmark-specific recommendations. Option D is wrong because Azure Policy enforces and audits compliance rules (e.g., tagging, allowed locations) but does not present a unified, scored compliance posture view; it is a building block that feeds into Secure Score, not the unified dashboard itself.

38
Multi-Selecteasy

A security engineer is implementing automated incident response for common cloud threats. Which TWO AWS services can be used together to create a serverless orchestration workflow for incident response? (Choose two.)

Select 2 answers
A.AWS Step Functions
B.AWS Lambda
C.AWS CloudFormation
D.Amazon EC2
E.Amazon Inspector
AnswersA, B

Step Functions allows you to coordinate multiple AWS services into workflows.

Why this answer

AWS Step Functions can orchestrate multi-step workflows, and AWS Lambda can execute the remediation actions. Together they form a serverless incident response pipeline.

39
MCQhard

An organization uses GCP and wants to detect container threats such as privilege escalation attempts within Kubernetes Engine. Which GCP service is designed specifically for this purpose?

A.Container Threat Detection
B.Cloud Security Scanner
C.Event Threat Detection
D.Cloud Audit Logs
AnswerA

Container Threat Detection is a built-in service of Security Command Center (Premium tier) that detects runtime attacks on GKE workloads.

Why this answer

Container Threat Detection (CTD) is the Security Command Center service purpose-built to detect runtime attacks on Google Kubernetes Engine (GKE) containers. It collects low-level guest kernel signals from the nodes and evaluates them against detectors for behaviour such as a binary or library being executed that was not part of the container image, a reverse shell, an unexpected child shell, or a malicious script being executed: the patterns that appear during container escape and privilege escalation attempts. This makes it the correct choice for detecting container-specific threats in GKE.

Exam trap

Cisco often tests the distinction between general threat detection services (like Event Threat Detection) and container-specific services (like Container Threat Detection), so candidates may confuse Event Threat Detection as covering all cloud threats, missing that it does not analyze container runtime behavior.

How to eliminate wrong answers

Option B (Cloud Security Scanner) is wrong because it is designed to scan web applications for vulnerabilities like XSS and SQL injection, not to detect runtime container threats or privilege escalation in Kubernetes. Option C (Event Threat Detection) is wrong because it focuses on identifying threats from cloud events such as suspicious IAM activity or compromised service accounts, not container-level runtime threats within GKE. Option D (Cloud Audit Logs) is wrong because it is a logging service that records API calls and administrative actions, not a detection service; it provides raw data but does not analyze or alert on container threats like privilege escalation.

40
MCQmedium

A security analyst is investigating a potential compromise of an AWS EC2 instance. Which step should be taken FIRST to contain the incident and prevent further damage?

A.Terminate the EC2 instance immediately.
B.Take a snapshot of the instance for forensic analysis.
C.Isolate the EC2 instance by updating the security group to deny all traffic.
D.Disable the IAM role attached to the instance.
AnswerC

Modifying the security group effectively isolates the instance.

Why this answer

Option C is correct because the first priority in incident response is containment. Replacing the instance's security groups with an isolation group that has no inbound or outbound rules (security groups cannot express explicit deny rules) cuts the instance off from network communication, preventing lateral movement or data exfiltration while preserving the instance for further investigation; where an established session must be cut immediately, a subnet network ACL denying all traffic complements it, because already-tracked connections can outlive a security group rule change. This aligns with the NIST SP 800-61 incident response framework, which emphasizes containment before eradication or recovery.

Exam trap

Cisco often tests the misconception that immediate termination (Option A) is the fastest containment method, but the trap is that termination destroys forensic evidence and violates the 'preserve evidence' principle of incident response.

How to eliminate wrong answers

Option A is wrong because terminating the instance destroys volatile data (e.g., memory, running processes, network connections) and prevents forensic analysis, which may be critical for understanding the attack vector. Option B is wrong because taking a snapshot is a forensic step that should occur after containment, not before; performing it first could allow the attacker to continue exfiltrating data or spreading to other resources. Option D is wrong because disabling the IAM role does not stop network-level attacks or data exfiltration; the instance could still communicate with external hosts, and the attacker might already have established persistence or backdoor access.

41
MCQeasy

An organization wants to implement a cloud security automation solution that can automatically remediate non-compliant resources in Azure. Which Azure service should be used to create remediation tasks?

A.Azure Policy
B.Azure Security Center
C.Azure Automation
D.Azure Logic Apps
AnswerA

Azure Policy has built-in remediation tasks for automatic fixes.

Why this answer

Azure Policy includes 'remediation tasks' that can automatically fix non-compliant resources, often using managed identities.

42
MCQmedium

An organization ingests AWS CloudTrail logs into a centralized SIEM for correlation. They want to detect an attacker who exfiltrates data by downloading large volumes from an S3 bucket. Which SIEM correlation rule would best detect this?

A.Alert on multiple failed login attempts
B.Alert on high volume of GetObject requests from a single IP
C.Alert on root account usage
D.Alert when a new IAM user is created
AnswerB

High volume of downloads from one source is a classic exfiltration indicator.

Why this answer

Option B is correct because exfiltration of data from S3 typically involves a high volume of GetObject API calls from a single source IP. A SIEM correlation rule that triggers on a threshold of GetObject requests from the same IP address directly detects this anomalous download behavior, which is a key indicator of data exfiltration.

Exam trap

Cisco often tests the distinction between detection of the exfiltration action itself (high volume of GetObject requests) versus precursor or unrelated events (failed logins, root usage, IAM creation), leading candidates to choose a rule that detects a different phase of the attack chain.

How to eliminate wrong answers

Option A is wrong because multiple failed login attempts indicate a brute-force attack on authentication, not data exfiltration from S3. Option C is wrong because root account usage is a security concern for privilege escalation or configuration changes, but it does not specifically detect bulk data downloads from S3. Option D is wrong because creating a new IAM user is an administrative action that could be part of an attack chain, but it does not directly detect the exfiltration event itself.
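As an added example covering this question and question 25 (CloudTrail records the events, but alerting needs a consumer), the following Python implements two correlation rules over a CloudTrail log file: root credential usage, and a burst of S3 GetObject data events from one source IP inside a sliding time window. This is not code from the original page; the records are constructed using the CloudTrail record field names (eventSource, eventName, sourceIPAddress, userIdentity.type, requestParameters.bucketName), and the threshold and window are arbitrary values chosen for the demonstration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _event_time(ts: str) -> datetime:
    # CloudTrail eventTime is ISO 8601 in UTC, e.g. "2024-05-01T12:00:00Z".
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_records(log_file: str) -> list:
    # A delivered CloudTrail log file is one JSON object with a "Records" array.
    return json.loads(log_file)["Records"]


def detect_root_usage(records) -> list:
    """Rule 1: any API call or console login made with the account's root credentials."""
    alerts = []
    for r in records:
        ident = r.get("userIdentity", {})
        if ident.get("type") != "Root":
            continue
        attrs = ident.get("sessionContext", {}).get("attributes", {})
        alerts.append({
            "rule": "root-credential-usage",
            "eventName": r["eventName"],
            "eventTime": r["eventTime"],
            "sourceIPAddress": r.get("sourceIPAddress"),
            "mfaAuthenticated": attrs.get("mfaAuthenticated"),
        })
    return alerts


def detect_getobject_burst(records, threshold: int, window: timedelta) -> list:
    """Rule 2: at least `threshold` S3 GetObject data events from one source IP
    inside any sliding window of length `window`."""
    per_ip = defaultdict(list)
    for r in records:
        if r.get("eventSource") == "s3.amazonaws.com" and r.get("eventName") == "GetObject":
            bucket = (r.get("requestParameters") or {}).get("bucketName")
            per_ip[r["sourceIPAddress"]].append((_event_time(r["eventTime"]), bucket))
    alerts = []
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Advance the left edge until the window spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "rule": "s3-getobject-burst",
                    "sourceIPAddress": ip,
                    "count": end - start + 1,
                    "windowStart": events[start][0].isoformat(),
                    "buckets": sorted({b for _, b in events[start:end + 1] if b}),
                })
                break  # one alert per IP; a SIEM would suppress repeats for the window
    return alerts


def _rec(name, source, ip, when, ident_type="IAMUser", **params):
    """Build a minimal CloudTrail record (constructed sample data, not a real export)."""
    ident = {"type": ident_type, "accountId": "123456789012"}
    if ident_type == "Root":
        ident["sessionContext"] = {"attributes": {"mfaAuthenticated": "false"}}
    return {
        "eventVersion": "1.08",
        "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": source,
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": ident,
        "requestParameters": params or None,
    }


# Constructed log file: one root console login, 25 GetObject calls from one IP within
# two minutes, three spread-out GetObject calls from another IP, and a ListBuckets call.
_T0 = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = (
    [_rec("ConsoleLogin", "signin.amazonaws.com", "203.0.113.9", _T0, "Root")]
    + [_rec("GetObject", "s3.amazonaws.com", "198.51.100.7", _T0 + timedelta(seconds=5 * i),
            bucketName="finance-exports", key=f"export/part-{i:04d}.csv") for i in range(25)]
    + [_rec("GetObject", "s3.amazonaws.com", "203.0.113.9", _T0 + timedelta(minutes=3 * i),
            bucketName="finance-exports", key="readme.txt") for i in range(3)]
    + [_rec("ListBuckets", "s3.amazonaws.com", "203.0.113.9", _T0)]
)
SAMPLE_LOG_FILE = json.dumps({"Records": SAMPLE_RECORDS})

if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG_FILE)
    for alert in detect_root_usage(recs) + detect_getobject_burst(recs, 20, timedelta(minutes=5)):
        print(json.dumps(alert))
```

The burst rule fires as soon as the sliding window first holds the threshold number of events, so the reported count equals the threshold; a production rule would also sum bytes from the S3 server access logs, since CloudTrail data events do not carry transfer sizes.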

43
MCQmedium

A company uses Azure Policy with remediation tasks to automatically fix non-compliant resources. Which scenario can be automatically remediated using a built-in policy?

A.A virtual machine missing the Log Analytics agent
B.A user creating a new Azure subscription
C.A SQL database with advanced data security disabled
D.A storage account with public network access enabled
AnswerA

Built-in policy can deploy the Log Analytics agent extension automatically.

Why this answer

Azure Policy ships built-in DeployIfNotExists definitions for monitoring agents: one deploys the Log Analytics extension to Windows VMs that lack it, and its successors do the same for the Azure Monitor agent that replaced the Log Analytics agent. When assigned with a managed identity, a remediation task installs the extension on existing non-compliant VMs without manual intervention; this is the DeployIfNotExists policy effect at work.

Exam trap

Cisco often tests the distinction between policy effects (Audit, Deny, DeployIfNotExists) and which ones support automatic remediation, leading candidates to assume any non-compliance can be auto-fixed if a policy exists, but only DeployIfNotExists and Modify effects enable remediation tasks.

How to eliminate wrong answers

Option B is wrong because creating a subscription is not a resource operation that a policy assignment evaluates: subscription creation is governed at the tenant and billing level (Microsoft Entra ID and subscription policies), so there is nothing for a remediation task to deploy or modify. Options C and D are wrong in the way the question is framed: a policy assigned with the Audit or Deny effect, which is how these settings are most commonly enforced, can report or block the misconfiguration but cannot change an existing resource; automatic correction requires a DeployIfNotExists or Modify definition assigned with a managed identity that is allowed to change the SQL server or storage account, and the question does not state that one is in place.

44
MCQmedium

A security engineer is investigating a potential data exfiltration incident involving an Amazon S3 bucket. Which set of logs would provide the most relevant information to identify the source IP and API calls made to the bucket?

A.VPC Flow Logs for the subnet where the bucket resides
B.AWS Config configuration history for the S3 bucket
C.AWS CloudTrail data events for the S3 bucket
D.Amazon CloudWatch Logs for the EC2 instance accessing the bucket
AnswerC

CloudTrail data events capture S3 object-level API calls, including source IP and identity.

Why this answer

CloudTrail data events for S3 capture object-level API calls (GetObject, PutObject, DeleteObject) with the caller's IAM identity, source IP, user agent and time, which is exactly what attributing the activity requires. S3 server access logs also record the requester and IP for each request, with transfer details that CloudTrail lacks, but they are not listed here. VPC Flow Logs show network traffic but not API calls.

CloudWatch Logs for the EC2 instance could contain application logs but are not specific to S3 access, and an attacker need not be on that instance at all.

45
MCQmedium

An organization is setting up a centralized logging solution across multiple AWS accounts. The security team requires that logs from all accounts be sent to a single security account, with lifecycle policies to transition logs to cheaper storage after 90 days. Which approach should be used?

A.Enable CloudTrail in each account and manually copy logs daily to the security account.
B.Create a CloudTrail trail in each account and export logs to CloudWatch Logs, then cross-account subscription filter to a central S3 bucket.
C.Use AWS Lambda to copy logs from each account's S3 bucket to the central bucket.
D.Use AWS Organizations and enable a single CloudTrail trail that delivers logs to a central S3 bucket in the management account.
AnswerD

AWS Organizations allows a single trail to be applied to all accounts, delivering to a central bucket.

Why this answer

An organization trail, created from the management account (or a delegated administrator) with AWS Organizations, is applied to every member account automatically, including accounts added later, and delivers all of their logs to one S3 bucket. The bucket itself can live in the security account: its bucket policy has to allow the cloudtrail.amazonaws.com service principal to PutObject under the expected prefix, scoped with an aws:SourceArn condition on the trail. Lifecycle rules on that bucket then transition objects to a lower-cost storage class after 90 days.

46
MCQmedium

A security team needs to implement automated remediation for non-compliant resources in AWS. They want to automatically fix public S3 bucket policies. Which combination of services should be used?

A.AWS CloudTrail and AWS Lambda
B.Amazon GuardDuty and AWS Step Functions
C.AWS Security Hub and Amazon Inspector
D.AWS Config and AWS Lambda
AnswerD

Config evaluates rules and can trigger Lambda for auto-remediation.

Why this answer

AWS Config rules evaluate resources continuously; when a rule reports a resource NON_COMPLIANT, the fix can be automated in two ways: a Config remediation action, which runs a Systems Manager Automation document (the built-in AWS-InvokeLambdaFunction document calls a Lambda function), or an EventBridge rule on the Config compliance-change event that invokes a Lambda function directly.

47
Multi-Selectmedium

A security team is enhancing logging in AWS to capture detailed data events for S3 buckets. Which TWO of the following should be enabled to achieve comprehensive monitoring of S3 data access? (Choose two.)

Select 2 answers
A.S3 server access logs
B.AWS CloudTrail data events for S3
C.AWS Config
D.VPC Flow Logs
E.Amazon GuardDuty
AnswersA, B

S3 access logs provide detailed records of requests made to S3.

Why this answer

S3 server access logs provide detailed records of requests made to an S3 bucket, including the requester, bucket name, request time, action, response status and bytes sent, but they are delivered on a best-effort basis. CloudTrail data events for S3 record the same object-level operations (GET, PUT, DELETE) as API events with the full IAM identity (user, role session, access key) and the source IP, and they are what SIEM correlation rules and EventBridge rules normally consume. Enabling both gives complete coverage: the data events for reliable, identity-rich detection, the server access logs for per-request transfer details.

Exam trap

Cisco often tests the distinction between configuration auditing (AWS Config) and data access logging (S3 server access logs and CloudTrail data events), leading candidates to incorrectly select AWS Config for monitoring data access instead of actual log sources.

48
MCQhard

During a security incident in AWS, the security team suspects that an attacker has tampered with CloudTrail logs to cover their tracks. Which CloudTrail feature would the team use to verify that the log files have not been modified since they were delivered?

A.CloudTrail Insights
B.CloudTrail log file validation
C.S3 server access logs
D.AWS Config rules
AnswerB

Log file validation provides cryptographic verification of log file integrity.

Why this answer

CloudTrail log file validation works through digest files that CloudTrail delivers every hour: each digest lists the log files delivered in that hour with their SHA-256 hashes, carries the SHA-256 hash and the signature of the previous digest (forming a chain), and is itself signed by CloudTrail with RSA (SHA256withRSA) using a key whose public half is available from the ListPublicKeys API. Recomputing a log file's hash and comparing it with the digest, and walking the chain with aws cloudtrail validate-logs, detects any modification or deletion after delivery. This feature is specifically designed to verify the integrity and authenticity of CloudTrail logs.

Exam trap

Cisco often tests the distinction between features that detect suspicious activity (like CloudTrail Insights) and features that provide cryptographic integrity verification (like log file validation), so candidates may confuse the two and select Insights because it sounds like it would detect tampering.

How to eliminate wrong answers

Option A is wrong because CloudTrail Insights is a feature that detects unusual API activity and potential security threats by analyzing management and data events, but it does not provide any mechanism to verify the integrity or detect tampering of log files after delivery. Option C is wrong because S3 server access logs record requests made to an S3 bucket, not CloudTrail logs, and they do not offer a cryptographic validation mechanism to confirm that CloudTrail log files have not been modified. Option D is wrong because AWS Config rules evaluate resource configurations against desired policies and can detect changes to resources, but they cannot validate the cryptographic integrity of CloudTrail log files or confirm that the logs have not been altered after delivery.
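The check described above, written out as an added example rather than AWS's own validator: this Python recomputes the SHA-256 of each delivered log file against the digest that lists it and walks the previous-digest hash chain. The log and digest objects are constructed in memory using the documented digest field names; the RSA signature check on each digest needs the public key from ListPublicKeys and is not performed here, so in practice run `aws cloudtrail validate-logs` or add that step.

```python
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_log_files(digest: dict, objects: dict) -> list:
    """Compare every log file listed in one digest with the object in the bucket.

    `objects` maps "bucket/key" to the object bytes exactly as delivered (still
    gzip-compressed); hashValue in the digest is the SHA-256 of those bytes.
    Returns a list of (problem, path); an empty list means all files are intact."""
    problems = []
    for entry in digest["logFiles"]:
        path = f'{entry["s3Bucket"]}/{entry["s3Object"]}'
        data = objects.get(path)
        if data is None:
            problems.append(("missing", path))
        elif entry["hashAlgorithm"] != "SHA-256" or sha256_hex(data) != entry["hashValue"]:
            problems.append(("hash-mismatch", path))
    return problems


def verify_chain(digests: list) -> list:
    """Walk consecutive digests, given as (decompressed JSON bytes, parsed dict),
    and check that each names the previous one and carries its SHA-256."""
    problems = []
    for (prev_bytes, prev_doc), (_, cur_doc) in zip(digests, digests[1:]):
        if cur_doc["previousDigestS3Object"] != prev_doc["digestS3Object"]:
            problems.append(("chain-gap", cur_doc["digestS3Object"]))
        if cur_doc["previousDigestHashValue"] != sha256_hex(prev_bytes):
            problems.append(("previous-digest-modified", cur_doc["digestS3Object"]))
    return problems


def string_to_sign(digest_bytes: bytes, digest: dict) -> str:
    """The string CloudTrail signs (SHA256withRSA) for a digest file. The signature is
    stored in the digest object's x-amz-meta-signature metadata and the public key comes
    from `aws cloudtrail list-public-keys`; the RSA check needs that key and is not done here."""
    return "\n".join([
        digest["digestEndTime"],
        f'{digest["digestS3Bucket"]}/{digest["digestS3Object"]}',
        sha256_hex(digest_bytes),
        digest["previousDigestSignature"] or "",
    ])


def build_sample() -> dict:
    """Constructed two-hour slice: two gzipped log files and two chained digest files."""
    acct, region, bucket = "123456789012", "us-east-1", "org-cloudtrail-logs"

    def log_obj(hour, records):
        key = (f"AWSLogs/{acct}/CloudTrail/{region}/2024/05/01/"
               f"{acct}_CloudTrail_{region}_20240501T{hour:02d}00Z_abc123.json.gz")
        return key, gzip.compress(json.dumps({"Records": records}).encode(), mtime=0)

    def digest_obj(hour, log_key, log_data, prev=None):
        doc = {
            "awsAccountId": acct,
            "digestStartTime": f"2024-05-01T{hour - 1:02d}:00:00Z",
            "digestEndTime": f"2024-05-01T{hour:02d}:00:00Z",
            "digestS3Bucket": bucket,
            "digestS3Object": (f"AWSLogs/{acct}/CloudTrail-Digest/{region}/2024/05/01/"
                               f"{acct}_CloudTrail-Digest_{region}_20240501T{hour:02d}00Z_def456.json.gz"),
            "digestSignatureAlgorithm": "SHA256withRSA",
            "previousDigestS3Bucket": None,
            "previousDigestS3Object": None,
            "previousDigestHashValue": None,
            "previousDigestHashAlgorithm": None,
            "previousDigestSignature": None,
            "logFiles": [{"s3Bucket": bucket, "s3Object": log_key,
                          "hashValue": sha256_hex(log_data), "hashAlgorithm": "SHA-256"}],
        }
        if prev is not None:
            prev_bytes, prev_doc = prev
            doc.update(previousDigestS3Bucket=bucket,
                       previousDigestS3Object=prev_doc["digestS3Object"],
                       previousDigestHashValue=sha256_hex(prev_bytes),
                       previousDigestHashAlgorithm="SHA-256",
                       previousDigestSignature="constructed-signature-placeholder")
        return json.dumps(doc).encode(), doc

    k1, l1 = log_obj(12, [{"eventName": "ListBuckets"}])
    k2, l2 = log_obj(13, [{"eventName": "GetObject"}])
    d1 = digest_obj(12, k1, l1)
    d2 = digest_obj(13, k2, l2, prev=d1)
    return {"objects": {f"{bucket}/{k1}": l1, f"{bucket}/{k2}": l2}, "digests": [d1, d2]}
```

Replacing a log file after delivery shows up as a hash mismatch in the digest that lists it; replacing or deleting a digest breaks the chain at the next one, and because each digest's signature covers the previous signature, an attacker would also have to re-sign every later digest, which is what the key held by CloudTrail prevents.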

49
Multi-Selectmedium

A company is using Azure and wants to implement cloud security posture management (CSPM) to detect misconfigurations. Which TWO services can provide CSPM capabilities? (Choose two.)

Select 2 answers
A.Azure Key Vault
B.Azure Policy
C.Azure Monitor
D.Azure Sentinel
E.Microsoft Defender for Cloud
AnswersB, E

Azure Policy can enforce and evaluate compliance with security benchmarks, contributing to CSPM.

Why this answer

Azure Policy is correct because it enforces organizational standards and assesses compliance at scale, providing CSPM capabilities by evaluating Azure resources against defined rules to detect misconfigurations. It integrates with Microsoft Defender for Cloud to offer continuous monitoring and remediation of security posture issues.

Exam trap

Cisco often tests the distinction between CSPM (configuration assessment) and SIEM/SOAR (threat detection), so candidates mistakenly choose Azure Sentinel or Azure Monitor because they associate 'security monitoring' with CSPM, but Sentinel focuses on log analysis and incident response, not configuration compliance.

50
MCQmedium

A cloud security team wants to automatically remediate misconfigured S3 buckets that are publicly accessible. Which combination of AWS services can be used to detect and automatically fix this issue?

A.AWS GuardDuty and AWS Lambda
B.AWS CloudTrail and AWS Lambda
C.AWS Config and AWS Lambda
D.AWS Security Hub and AWS CloudTrail
AnswerC

AWS Config rule triggers a Lambda function to remediate non-compliant S3 buckets.

Why this answer

AWS Config evaluates resource configurations against rules, for example the managed rule 's3-bucket-public-read-prohibited'. When a bucket is marked NON_COMPLIANT, the compliance-change event can invoke a Lambda function through an Amazon EventBridge rule (or a Config remediation action backed by an SSM Automation document can apply the fix), and the function turns on the bucket's public access block or rewrites its policy. GuardDuty detects threats but does not remediate.

Security Hub aggregates findings but does not automatically fix issues. CloudTrail logs events but does not evaluate configurations.
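
The detect-and-fix loop above, as an added example that is not part of the original page or of any AWS sample: a Lambda handler that receives the EventBridge "Config Rules Compliance Change" event AWS Config emits, checks that it is a NON_COMPLIANT verdict from one of the public-access rules on an S3 bucket, and remediates by enabling the bucket's public access block. The event is a constructed sample with placeholder bucket and account values, and the S3 client is injectable so the logic runs offline; the RecordingS3 class is a stand-in for boto3, not part of any AWS API.

```python
"""Lambda remediation for a non-compliant S3 bucket, driven by an AWS Config
compliance-change event delivered through EventBridge."""
import json

# Constructed sample of the EventBridge event that AWS Config emits when the
# managed rule s3-bucket-public-read-prohibited marks a bucket NON_COMPLIANT.
# Bucket and account values are placeholders.
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "resourceId": "example-public-assets",
        "resourceType": "AWS::S3::Bucket",
        "awsRegion": "us-east-1",
        "awsAccountId": "123456789012",
        "configRuleName": "s3-bucket-public-read-prohibited",
        "messageType": "ComplianceChangeNotification",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
        "oldEvaluationResult": {"complianceType": "COMPLIANT"},
    },
}

# Only remediate on verdicts from the two public-access rules.
REMEDIATED_RULES = {"s3-bucket-public-read-prohibited",
                    "s3-bucket-public-write-prohibited"}


def bucket_to_remediate(event):
    """Return the bucket name if this event is a NON_COMPLIANT verdict from one
    of the public-access rules on an S3 bucket, otherwise None."""
    if event.get("source") != "aws.config":
        return None
    detail = event.get("detail", {})
    if detail.get("resourceType") != "AWS::S3::Bucket":
        return None
    if detail.get("configRuleName") not in REMEDIATED_RULES:
        return None
    verdict = detail.get("newEvaluationResult", {}).get("complianceType")
    if verdict != "NON_COMPLIANT":
        return None
    return detail.get("resourceId")


def remediate_bucket(s3, bucket):
    """Block all public access on the bucket. PutPublicAccessBlock is safer
    than rewriting the bucket policy: it overrides any public ACL or policy
    statement without having to parse them first."""
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": True,
        },
    )
    return {"bucket": bucket, "action": "PutPublicAccessBlock"}


def handler(event, context=None, s3=None):
    """Lambda entry point. `s3` is injectable so the logic can be exercised
    offline; in Lambda it defaults to a real boto3 client."""
    bucket = bucket_to_remediate(event)
    if bucket is None:
        return {"skipped": True, "reason": "not a remediable finding"}
    if s3 is None:
        import boto3  # lazy import: only needed when running for real
        s3 = boto3.client("s3")
    result = remediate_bucket(s3, bucket)
    print(json.dumps(result))
    return result


class RecordingS3:
    """Stand-in for boto3's S3 client used for the offline run below."""
    def __init__(self):
        self.calls = []

    def put_public_access_block(self, **kwargs):
        self.calls.append(kwargs)


if __name__ == "__main__":
    fake = RecordingS3()
    print(handler(SAMPLE_EVENT, s3=fake))
    print(fake.calls[0]["Bucket"])
```

The Lambda's execution role needs only s3:PutBucketPublicAccessBlock on the buckets it may touch; the EventBridge rule pattern that routes these events is source aws.config with detail-type "Config Rules Compliance Change".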

51
MCQeasy

A security engineer needs to ensure that all API calls made to AWS resources are logged for auditing. Which AWS service should be enabled to capture management and data events?

A.Amazon CloudWatch Logs
B.AWS Config
C.AWS GuardDuty
D.AWS CloudTrail
AnswerD

CloudTrail records API calls and is the correct service for auditing.

Why this answer

AWS CloudTrail is the service designed to log API calls for auditing. It can capture management events (control plane) and data events (data plane) such as S3 object-level operations and Lambda invocations.

52
MCQmedium

A company uses Azure Defender for Cloud to protect its hybrid environment. Which of the following is a feature of Azure Defender that provides vulnerability assessment for virtual machines?

A.Azure Secure Score
B.Azure Policy
C.Defender for Servers
D.Azure Sentinel
AnswerC

Defender for Servers includes vulnerability assessment and threat detection.

Why this answer

Defender for Servers includes integrated vulnerability assessment for VMs, delivered today by Microsoft Defender Vulnerability Management (the earlier Qualys-based integrated scanner has been retired), together with threat detection for both Azure VMs and Arc-connected on-premises machines.

53
MCQmedium

An organization is using Azure and wants to centrally collect activity logs from multiple subscriptions into a single Log Analytics workspace for cross-account analysis and retention management. What is the best approach?

A.Use Azure Monitor Agent on all VMs to collect logs.
B.Enable Azure Sentinel on each subscription and aggregate using cross-workspace queries.
C.Use Azure Policy to deploy Diagnostic Settings on each subscription to stream Activity Logs to a central Log Analytics workspace.
D.Use Azure Storage account with event grid to forward logs to a central location.
AnswerC

Diagnostic settings can stream Activity Logs to a Log Analytics workspace, and Azure Policy can enforce this across subscriptions.

Why this answer

Option C is correct because Azure Policy can enforce the deployment of Diagnostic Settings across all subscriptions, automatically streaming Activity Logs to a central Log Analytics workspace. This ensures centralized collection, cross-account analysis, and retention management without manual configuration per subscription.

Exam trap

Cisco often tests the distinction between Azure Monitor Agent (for VM guest OS logs) and Diagnostic Settings (for Azure platform logs), leading candidates to mistakenly choose agent-based collection for subscription-level Activity Logs.

How to eliminate wrong answers

Option A is wrong because Azure Monitor Agent collects OS-level performance and event logs from VMs, not Azure Activity Logs (which are subscription-level control plane logs). Option B is wrong because Azure Sentinel is a SIEM that can use cross-workspace queries, but it does not natively aggregate Activity Logs from multiple subscriptions into a single workspace; it requires Diagnostic Settings to forward logs first, making it an unnecessary extra layer. Option D is wrong because Azure Storage with Event Grid can forward logs, but it introduces latency, complexity, and lacks the native querying and retention management capabilities of Log Analytics workspaces.

54
Multi-Selectmedium

An organization is implementing a SOAR solution for cloud incident response. Which THREE capabilities are essential for automating incident response workflows? (Choose three.)

Select 3 answers
A.Integration with threat intelligence feeds
B.Automated playbook execution
C.Case management and reporting
D.Manual ticketing system
E.Real-time user activity monitoring
AnswersA, B, C

Enriches alerts with context.

Why this answer

Integration with threat intelligence feeds (A) is essential because SOAR platforms ingest external threat data (e.g., STIX/TAXII feeds, CISA alerts) to enrich alerts and trigger automated responses. This allows the SOAR to correlate cloud events with known indicators of compromise (IOCs) and adjust playbooks dynamically without manual intervention.

Exam trap

Cisco often tests the distinction between SOAR's core capabilities (automation, orchestration, and case management) and adjacent technologies like SIEM or UEBA, leading candidates to mistakenly select monitoring or manual processes as essential SOAR features.

55
Multi-Selectmedium

A company uses GCP and wants to implement agentless vulnerability scanning for their Compute Engine instances. Which TWO services can provide this capability? (Choose two.)

Select 2 answers
A.GCP Web Security Scanner
B.GCP Cloud Armor
C.Rapid7 InsightVM (agentless via API)
D.GCP Security Command Center
E.Qualys Cloud Agent
AnswersC, D

Rapid7 can perform agentless scanning using cloud APIs.

Why this answer

Rapid7 InsightVM can perform agentless vulnerability scanning of GCP Compute Engine instances by leveraging the cloud provider's API to query instance configurations, installed software, and patch levels without requiring an agent on each VM. This is achieved through read-only API integrations that collect system metadata and compare it against vulnerability databases, making it a valid agentless scanning solution for GCP.

Exam trap

The trap here is that candidates confuse 'agentless' with 'cloud-native': Qualys Cloud Agent requires an installed agent, as its name says, while Security Command Center produces its VM findings from hypervisor-level and API-based analysis (and from integrated partner scanners) rather than from software you deploy into each guest.

56
MCQhard

A cloud security architect is designing a log aggregation strategy for a multi-account AWS environment. The security team needs to ensure logs from all accounts are stored centrally and cannot be altered. Which combination of services meets these requirements?

A.CloudTrail with cross-account log delivery to a central S3 bucket and enable log file validation
B.CloudWatch Logs to a centralized log group with IAM policies
C.S3 server access logs delivered to each account's own bucket
D.VPC Flow Logs to CloudWatch Logs in each account
AnswerA

This provides centralized storage and integrity verification.

Why this answer

Option A is correct because AWS CloudTrail supports delivery from every account to a central S3 bucket in a logging account, and enabling log file validation produces hourly digest files signed with a CloudTrail private key, so any modification or deletion of a log file after delivery is detectable. Note that validation provides tamper evidence, not prevention; to make the central bucket itself immutable, add S3 Object Lock or a bucket policy that denies deletion and overwrite of existing keys to everyone except the CloudTrail service principal's PutObject on new keys.

Exam trap

The trap here is that candidates may confuse centralized logging (e.g., CloudWatch Logs cross-account) with integrity protection, overlooking that only CloudTrail's log file validation provides cryptographic tamper evidence for the delivered files.

How to eliminate wrong answers

Option B is wrong because CloudWatch Logs to a centralized log group with IAM policies does not provide cryptographic integrity verification; logs can be altered by anyone with sufficient permissions, and CloudWatch Logs does not offer built-in log file validation like CloudTrail. Option C is wrong because S3 server access logs delivered to each account's own bucket are not centralized; they remain in individual accounts and lack cross-account aggregation, and S3 server access logs do not support log file validation for tamper-proofing. Option D is wrong because VPC Flow Logs to CloudWatch Logs in each account are not stored centrally and have no mechanism to prevent alteration; they are per-account and lack the cryptographic integrity checks required for immutability.

57
MCQmedium

A cloud security architect is evaluating vulnerability management solutions for a hybrid cloud environment. The team needs to scan both on-premises servers and cloud workloads without installing agents on every system. Which approach is most suitable for cloud workloads?

A.Agent-based scanning using Amazon Inspector
B.Network vulnerability scanning from a remote scanner
C.Container image scanning only
D.Agentless scanning via cloud APIs (CSPM)
AnswerD

CSPM tools such as AWS Security Hub and Microsoft Defender for Cloud use the provider's APIs to assess configuration without agents; for package-level vulnerabilities, agentless options also exist (Amazon Inspector's snapshot-based EC2 scanning, Defender for Cloud's agentless machine scanning).

Why this answer

Agentless scanning uses cloud APIs to assess vulnerabilities without requiring an agent on each instance. This is ideal for cloud workloads where agents may not be desired.

58
MCQeasy

An organization wants to detect potential crypto mining activity on their AWS EC2 instances. Which AWS service uses machine learning to identify such threats?

A.AWS WAF
B.Amazon GuardDuty
C.Amazon Inspector
D.AWS Shield
AnswerB

GuardDuty uses ML to detect threats like crypto mining.

Why this answer

Amazon GuardDuty is a threat detection service that uses machine learning, anomaly detection, and integrated threat intelligence to continuously monitor for malicious activity, including cryptocurrency mining (e.g., connections to known mining pools or unusual compute resource spikes). It analyzes AWS CloudTrail logs, VPC Flow Logs, and DNS logs to identify behavioral patterns indicative of crypto mining, such as sustained outbound traffic to mining pool IPs or unusual EC2 instance launches.

Exam trap

The trap here is that candidates often confuse Amazon Inspector (a vulnerability scanner) with GuardDuty (a threat detection service), mistakenly thinking Inspector's agent-based monitoring can detect runtime threats like crypto mining, when in fact Inspector only assesses configuration and software vulnerabilities.

How to eliminate wrong answers

Option A is wrong because AWS WAF is a web application firewall that protects against common web exploits like SQL injection and cross-site scripting, not a service that uses machine learning to detect crypto mining activity on EC2 instances. Option C is wrong because Amazon Inspector is a vulnerability management service that scans for software vulnerabilities and unintended network exposure, not a machine learning-based threat detection service for behavioral anomalies like crypto mining. Option D is wrong because AWS Shield is a managed DDoS protection service that safeguards against distributed denial-of-service attacks, not a service that identifies crypto mining threats via machine learning.

59
MCQeasy

A security analyst reviews GCP Security Command Center findings and sees a high-severity alert for Event Threat Detection indicating that a service account key was used from an unexpected location. What is the best immediate action to contain the threat?

A.Disable the service account key
B.Create a new service account
C.Delete the service account
D.Rotate the key and monitor
AnswerA

Disabling the key immediately prevents further unauthorized use.

Why this answer

The correct immediate action is to disable the compromised service account key because Event Threat Detection has identified that the key is being used from an unexpected location, indicating potential unauthorized access. Disabling the key stops all further use of that credential while leaving the service account and its other keys intact, so legitimate workloads keep running. This is proportionate containment: the key can be rotated or deleted once the investigation confirms what it was used for.

Exam trap

Cisco often tests the distinction between 'disable' and 'rotate' in key compromise scenarios, where candidates mistakenly choose rotation thinking it invalidates the old key, but rotation only creates a new key without disabling the old one unless explicitly done.

How to eliminate wrong answers

Option B is wrong because creating a new service account does not address the compromised key; the old key remains active and can still be used by the attacker. Option C is wrong because deleting the entire service account would disrupt all applications and resources relying on that account, which is an overly destructive action for a single compromised key. Option D is wrong because rotating the key (generating a new key) does not immediately disable the old compromised key; the old key remains valid until it is explicitly disabled or deleted, allowing continued unauthorized access during the rotation process.

60
MCQeasy

A company uses Azure Sentinel as its SIEM. To ingest Azure Activity Logs and correlate with other data sources, which connector should be configured?

A.Office 365 connector
B.Azure Defender connector
C.Azure Activity connector
D.Windows Security Events connector
AnswerC

This connector ingests Activity Logs for analysis in Sentinel.

Why this answer

The Azure Activity connector is specifically designed to ingest Azure Activity Logs, which contain subscription-level events such as resource creation, modification, and deletion. This connector enables Sentinel to correlate these operational logs with other data sources for comprehensive threat detection and incident response.

Exam trap

The trap here is that candidates confuse Azure Activity Logs (subscription-level operations) with Azure Defender alerts (security findings) or Office 365 logs (SaaS application logs), leading them to select a connector that ingests a different log type.

How to eliminate wrong answers

Option A is wrong because the Office 365 connector ingests logs from Microsoft 365 services (e.g., Exchange, SharePoint, Teams), not Azure subscription-level activity logs. Option B is wrong because the Azure Defender connector ingests security alerts from Azure Defender (now Microsoft Defender for Cloud), not raw Azure Activity Logs. Option D is wrong because the Windows Security Events connector ingests security event logs from Windows machines (e.g., Event ID 4625 for failed logons), not Azure platform logs.

61
Multi-Selectmedium

A cloud security analyst is investigating a potential credential compromise in AWS. Which TWO CloudTrail events would be most relevant to establishing a timeline of the compromise?

Select 2 answers
A.DeleteBucket
B.UpdateLoginProfile
C.CreateAccessKey
D.DescribeInstances
E.ConsoleLogin
AnswersC, E

An attacker may create new access keys to maintain persistence.

Why this answer

Option C (CreateAccessKey) is correct because the creation of a new access key pair is a strong indicator of an attacker establishing persistent programmatic access to an AWS account. This event, logged by CloudTrail as 'CreateAccessKey' in the IAM service, provides a precise timestamp for when the attacker may have generated credentials to maintain access outside of the console.

Exam trap

Cisco often tests the distinction between events that mark initial access (ConsoleLogin) or persistence (CreateAccessKey) and events that are merely post-compromise reconnaissance or destruction, leading candidates to select DescribeInstances or DeleteBucket because they look suspicious; those matter for impact assessment but do not fix when the compromise began. In a real investigation, UpdateLoginProfile (a password reset) is also worth pulling as a persistence signal, but the two events listed pin down initial access and persistence most directly.
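
The timeline-building step described above, as an added example that is not part of the original page: a small script that reads CloudTrail records, keeps only ConsoleLogin and CreateAccessKey events for the user under investigation, sorts them by eventTime (log delivery order is not event order), and lists any access key created after a successful console login from the same source IP, which is the persistence pattern the question describes. The records are constructed samples trimmed to the fields used; the account, user and key IDs are placeholders.

```python
"""Build a compromise timeline from CloudTrail records: console logins and
access-key creation, the two events the question singles out."""
from datetime import datetime, timezone

# Constructed CloudTrail records (trimmed to the fields used here); the
# user, IPs and key ID are placeholders. Note they are not in time order.
SAMPLE_TRAIL = {"Records": [
    {"eventTime": "2024-05-01T08:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-05-01T07:55:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T07:58:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE0001",
                                        "status": "Active", "userName": "alice"}}},
    {"eventTime": "2024-05-01T07:40:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
]}

TIMELINE_EVENTS = {"ConsoleLogin", "CreateAccessKey"}


def parse_time(s):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def describe(rec):
    """One-line, analyst-readable summary of a timeline record."""
    name = rec["eventName"]
    if name == "ConsoleLogin":
        outcome = rec.get("responseElements", {}).get("ConsoleLogin", "?")
        mfa = rec.get("additionalEventData", {}).get("MFAUsed", "?")
        return f"ConsoleLogin {outcome} (MFAUsed={mfa})"
    if name == "CreateAccessKey":
        key = rec.get("responseElements", {}).get("accessKey", {})
        return f"CreateAccessKey for {key.get('userName')} -> {key.get('accessKeyId')}"
    return name


def build_timeline(trail, user=None):
    """Return timeline rows (time, user, source IP, summary) for the events
    that establish initial access and persistence, oldest first."""
    rows = []
    for rec in trail["Records"]:
        if rec["eventName"] not in TIMELINE_EVENTS:
            continue
        who = rec.get("userIdentity", {}).get("userName", "unknown")
        if user and who != user:
            continue
        rows.append({"time": parse_time(rec["eventTime"]), "user": who,
                     "ip": rec.get("sourceIPAddress"), "summary": describe(rec)})
    rows.sort(key=lambda r: r["time"])
    return rows


def new_keys_after_login(timeline):
    """Access-key IDs created after a successful console login by the same
    user from the same IP: the persistence pattern worth escalating."""
    suspicious = []
    last_login_ip = {}
    for row in timeline:
        if row["summary"].startswith("ConsoleLogin Success"):
            last_login_ip[row["user"]] = row["ip"]
        elif (row["summary"].startswith("CreateAccessKey")
              and last_login_ip.get(row["user"]) == row["ip"]):
            suspicious.append(row["summary"].split(" -> ")[1])
    return suspicious


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_TRAIL, user="alice")
    for row in timeline:
        print(row["time"].isoformat(), row["user"], row["ip"], row["summary"])
    print("keys to disable:", new_keys_after_login(timeline))
```

On real data the records come from the gzipped objects in the trail's S3 bucket or from a CloudTrail Lake query; the failed login from a different IP just before the successful one is the kind of detail that only surfaces once the events are sorted.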

62
MCQmedium

An organization uses GCP and wants to monitor for threats in real-time, including detecting malicious activity from compromised service accounts. Which GCP service should be used?

A.Cloud Audit Logs
B.Cloud Security Scanner
C.Container Threat Detection
D.Event Threat Detection
AnswerD

It detects threats like compromised credentials and suspicious API calls.

Why this answer

Event Threat Detection is part of GCP Security Command Center and provides real-time threat detection for IAM anomalies, including compromised service accounts.

63
MCQmedium

An organization is using GCP Security Command Center with Event Threat Detection. Which type of event is most likely to generate a finding for 'exfiltration'?

A.A service account creating a new VM
B.A user logging in from a new IP address
C.A firewall rule change allowing all inbound traffic
D.A large number of objects being downloaded from a Cloud Storage bucket
AnswerD

High volume of downloads is a common exfiltration indicator.

Why this answer

Event Threat Detection (ETD) in GCP Security Command Center examines Cloud Audit Logs, including data access logs for storage services, for patterns that indicate data leaving the environment. A large number of object downloads from a single bucket within a short window matches the behavioral signature of bulk extraction and is the kind of activity ETD's exfiltration detectors report; the other options describe provisioning, authentication or configuration events, none of which move data out.

Exam trap

Cisco often tests the distinction between 'exfiltration' (data leaving the environment) and other security events like 'anomalous access' or 'misconfiguration'; the trap here is that candidates confuse a login from a new IP (Option B) with data exfiltration, when in fact exfiltration requires a data transfer action such as downloading objects.

How to eliminate wrong answers

Option A is wrong because creating a new VM is an infrastructure provisioning action, not a data movement event; ETD focuses on data access, credential abuse and network anomalies, not resource creation. Option B is wrong because a login from a new IP address typically triggers an anomalous-access or credential-related finding, not an exfiltration event; exfiltration requires data leaving the environment. Option C is wrong because a firewall rule allowing all inbound traffic is a misconfiguration reported by Security Health Analytics (for example its OPEN_FIREWALL finding), a posture detector, not by ETD, and it is not data theft.

64
MCQmedium

A SOC analyst notices an alert for 'impossible travel' where a user logged in from New York and then from London within 15 minutes. The SIEM correlation rule likely compares which log fields?

A.User agent and browser type
B.Source IP address and timestamp
C.Destination IP and port
D.Volume of data transferred and timestamp
AnswerB

These are the primary fields used to calculate geographic distance and time difference.

Why this answer

Impossible travel detection typically uses sign-in logs (source IP, geolocation) and event timestamps to identify logins from distant locations within a short time.
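
The correlation logic described here and in question 72, written out as an added example that is not part of the original page: sign-in events are sorted by timestamp, each source IP is geolocated, and for consecutive sign-ins of the same user the great-circle distance divided by the elapsed time gives an implied speed; anything above an airline-speed ceiling is an alert. The GeoIP table is a constructed stand-in for a real lookup (MaxMind, or the geolocation the SIEM has already stamped on the event), the IPs are documentation ranges, and the speed and minimum-distance thresholds are assumptions to tune per environment.

```python
"""Impossible-travel check over sign-in events: source IP geolocated, then
speed between consecutive sign-ins of the same user compared to a limit."""
import math
from datetime import datetime, timezone

# Constructed stand-in for a GeoIP lookup. Coordinates are approximate city
# centres; the IPs are documentation ranges.
GEOIP = {
    "198.51.100.7": ("New York", 40.7128, -74.0060),
    "203.0.113.9":  ("London",   51.5074,  -0.1278),
    "192.0.2.44":   ("Boston",   42.3601, -71.0589),
}

# Constructed sign-in events in the shape of CloudTrail ConsoleLogin records
# (only the fields the rule needs). Alice's pair is impossible; Bob's is not.
SIGNINS = [
    {"eventTime": "2024-05-01T09:00:00Z", "user": "alice", "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-01T09:15:00Z", "user": "alice", "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2024-05-01T09:00:00Z", "user": "bob",   "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-01T10:30:00Z", "user": "bob",   "sourceIPAddress": "192.0.2.44"},
]

MAX_SPEED_KMH = 1000.0   # roughly airline speed; assumed threshold
MIN_DISTANCE_KM = 200.0  # ignore hops within a metro area or CDN egress


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points (Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, geoip=GEOIP, max_kmh=MAX_SPEED_KMH, min_km=MIN_DISTANCE_KM):
    """Return one alert per pair of consecutive sign-ins (same user) whose
    implied speed exceeds max_kmh. Events are sorted first because log
    delivery order is not event order."""
    alerts = []
    last_seen = {}  # user -> (time, location, ip)
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        loc = geoip.get(ev["sourceIPAddress"])
        if loc is None:
            continue  # no geolocation: cannot reason about distance
        now = parse_time(ev["eventTime"])
        prev = last_seen.get(ev["user"])
        if prev is not None:
            ptime, ploc, pip = prev
            km = haversine_km(ploc[1], ploc[2], loc[1], loc[2])
            hours = (now - ptime).total_seconds() / 3600
            if km >= min_km:
                speed = km / hours if hours > 0 else math.inf
                if speed > max_kmh:
                    alerts.append({"user": ev["user"],
                                   "from": (pip, ploc[0]),
                                   "to": (ev["sourceIPAddress"], loc[0]),
                                   "km": round(km), "minutes": round(hours * 60),
                                   "kmh": round(speed)})
        last_seen[ev["user"]] = (now, loc, ev["sourceIPAddress"])
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS):
        print(alert)
```

The minimum-distance floor matters in production: corporate VPN egress, mobile carriers and CDN front ends shift geolocation by tens of kilometres between consecutive events, and without the floor a zero-second gap turns into an infinite speed and a false alert.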

65
MCQeasy

Which of the following is a benefit of enabling CloudTrail log file validation?

A.It ensures the integrity of log files by allowing you to confirm that they have not been modified.
B.It automatically deletes old log files based on a retention policy.
C.It encrypts log files at rest.
D.It compresses log files to save storage space.
AnswerA

Log file validation provides integrity verification.

Why this answer

CloudTrail log file validation records the SHA-256 hash of each delivered log file in an hourly digest file that CloudTrail signs with RSA. This lets you verify that log files have not been modified or deleted after delivery, ensuring their integrity for forensic analysis and compliance.

Exam trap

Cisco often tests the distinction between integrity (log file validation) and other security controls like encryption, compression, or lifecycle management, leading candidates to confuse validation with unrelated features.

How to eliminate wrong answers

Option B is wrong because CloudTrail log file validation does not manage retention or deletion; lifecycle policies are configured separately via S3 lifecycle rules. Option C is wrong because encryption at rest is provided by S3 server-side encryption (SSE-S3 or SSE-KMS), not by log file validation. Option D is wrong because compression is not a function of log file validation; CloudTrail log files are always delivered gzip-compressed, with or without validation enabled.

66
MCQmedium

A security analyst is configuring a SIEM solution and wants to ingest security findings from AWS Security Hub into Splunk. What is the most efficient method?

A.Enable Security Hub cross-Region aggregation, then export to a CSV file.
B.Use AWS Lambda to pull findings from Security Hub API and push to Splunk HTTP Event Collector.
C.Configure Security Hub to publish findings to an S3 bucket, then use Splunk to read from S3.
D.Use AWS Glue to catalog Security Hub data and connect to Splunk via JDBC.
AnswerB

Lambda can subscribe to Security Hub via EventBridge or poll the API, and forward to Splunk.

Why this answer

Option B is correct because a Lambda function can receive findings as Security Hub publishes them, by subscribing to the 'Security Hub Findings - Imported' event on Amazon EventBridge (or by polling the GetFindings API), and forward them to Splunk's HTTP Event Collector (HEC) in near real time without intermediate storage or batch processing. This push-based, serverless approach minimizes latency and operational overhead, making it the most efficient method for continuous ingestion.

Exam trap

Cisco often tests the misconception that S3-based export (Option C) is the default or most reliable method, but the trap here is that S3 introduces latency and requires additional polling, whereas a Lambda push is more efficient for real-time security operations.

How to eliminate wrong answers

Option A is wrong because exporting to a CSV file is a manual, batch-oriented process that lacks automation and real-time capabilities, and cross-Region aggregation alone does not provide a direct ingestion pipeline to Splunk. Option C is wrong because publishing findings to an S3 bucket introduces unnecessary storage and latency, requiring Splunk to poll S3 periodically, which is less efficient than a push-based model. Option D is wrong because AWS Glue is designed for ETL and data cataloging, not for real-time streaming; using JDBC would add complexity and latency, and Security Hub does not expose a JDBC interface.
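
The forwarding step in option B, as an added example that is not part of the original page or of any Splunk or AWS add-on: a Lambda handler that takes the EventBridge event Security Hub emits (detail.findings is a list of ASFF documents), wraps each finding in a HEC event envelope whose time is the finding's UpdatedAt rather than the Lambda run time, and POSTs the batch to the collector endpoint. The finding is a constructed sample with placeholder ARNs; the index and sourcetype names are assumptions, the HEC URL and token are read from the environment in production, and FakeHec is an offline stand-in for urllib's opener, not a Splunk component.

```python
"""Lambda that turns Security Hub findings delivered by EventBridge into
Splunk HTTP Event Collector (HEC) events and posts them."""
import json
import os
import urllib.request
from datetime import datetime, timezone

# Constructed EventBridge event in the shape of "Security Hub Findings -
# Imported": detail.findings is a list of ASFF findings. IDs are placeholders.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "SchemaVersion": "2018-10-08",
        "Id": "arn:aws:guardduty:us-east-1:123456789012:detector/abc/finding/xyz",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
        "GeneratorId": "arn:aws:guardduty:us-east-1:123456789012:detector/abc",
        "AwsAccountId": "123456789012",
        "Types": ["TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B!DNS"],
        "CreatedAt": "2024-05-01T09:00:00.000Z",
        "UpdatedAt": "2024-05-01T09:05:00.000Z",
        "Severity": {"Label": "HIGH", "Normalized": 70},
        "Title": "EC2 instance querying a crypto mining domain",
        "Resources": [{"Type": "AwsEc2Instance",
                       "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"}],
        "Workflow": {"Status": "NEW"},
        "RecordState": "ACTIVE",
    }]},
}


def asff_to_hec(finding, index="aws_security", sourcetype="aws:securityhub:finding"):
    """One HEC envelope per finding. `time` is the finding's UpdatedAt so
    Splunk indexes it at the moment Security Hub last changed it, not when
    Lambda ran; the whole ASFF document is kept as the event body."""
    updated = datetime.strptime(finding["UpdatedAt"], "%Y-%m-%dT%H:%M:%S.%fZ")
    updated = updated.replace(tzinfo=timezone.utc)
    return {
        "time": updated.timestamp(),
        "host": finding["AwsAccountId"],
        "source": finding["ProductArn"],
        "sourcetype": sourcetype,
        "index": index,
        "event": finding,
    }


def build_payload(event):
    """HEC accepts several JSON objects concatenated in one POST body, so a
    batch of findings becomes a single request. Returns (body, count)."""
    findings = event.get("detail", {}).get("findings", [])
    return "".join(json.dumps(asff_to_hec(f)) for f in findings), len(findings)


def post_to_hec(body, hec_url, hec_token, opener=urllib.request.urlopen):
    """POST to the collector's /services/collector/event endpoint. `opener`
    is injectable so the packaging logic runs without a Splunk endpoint."""
    req = urllib.request.Request(
        hec_url, data=body.encode(), method="POST",
        headers={"Authorization": f"Splunk {hec_token}",
                 "Content-Type": "application/json"})
    with opener(req, timeout=10) as resp:
        return resp.status


def handler(event, context=None, hec_url=None, hec_token=None,
            opener=urllib.request.urlopen):
    """Lambda entry point. In production the URL and token come from the
    environment (the token ideally via Secrets Manager), never hard-coded."""
    hec_url = hec_url or os.environ.get("HEC_URL")
    hec_token = hec_token or os.environ.get("HEC_TOKEN")
    body, count = build_payload(event)
    if count == 0:
        return {"sent": 0}
    status = post_to_hec(body, hec_url, hec_token, opener=opener)
    return {"sent": count, "status": status}


class FakeHec:
    """Offline stand-in for urllib's opener: records the request and plays
    the role of a response with status 200."""
    def __init__(self):
        self.requests = []
        self.status = 200

    def __call__(self, req, timeout=None):
        self.requests.append(req)
        return self

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


if __name__ == "__main__":
    fake = FakeHec()
    print(handler(SAMPLE_EVENT, hec_url="https://splunk.example/services/collector/event",
                  hec_token="example-token", opener=fake))
    print(fake.requests[0].data.decode()[:120])
```

Subscribe the function with an EventBridge rule on source aws.securityhub and detail-type "Security Hub Findings - Imported"; for high volumes, Kinesis Data Firehose with a Splunk destination replaces the Lambda and handles retries and buffering.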

67
MCQmedium

A company is implementing a SIEM solution and needs to ingest security logs from multiple AWS accounts into a centralized security account. Which AWS service can best aggregate findings from all accounts?

A.Amazon GuardDuty
B.Amazon CloudWatch Logs
C.AWS Security Hub
D.AWS Config
AnswerC

Security Hub aggregates security findings across accounts and integrates with SIEM.

Why this answer

AWS Security Hub can be enabled in multiple accounts and configured to send findings to a central administrator account, enabling cross-account aggregation.

68
MCQhard

During a cloud security incident, a security team needs to isolate a compromised EC2 instance that is performing outbound port scanning. Which containment action should be taken first?

A.Terminate the instance immediately
B.Modify the security group to deny outbound traffic
C.Create an AMI of the instance for analysis
D.Detach the instance from the VPC
AnswerB

This stops the malicious activity while preserving the instance for investigation.

Why this answer

Replacing the instance's security groups with an isolation group that has no outbound (and no inbound) rules is quick and reversible: it stops the scanning while keeping the instance, its memory and its disks available for evidence capture. Terminating the instance (A) destroys volatile evidence, imaging it (C) is the right next step but does not stop the activity, and an instance cannot be detached from its VPC (D).

69
MCQhard

During a forensic investigation of a compromised AWS account, the incident response team needs to determine the exact time an attacker created a new IAM user and what permissions were assigned. Which log source would provide the most reliable evidence?

A.AWS Config configuration history for the IAM user
B.S3 access logs for the bucket containing IAM policy files
C.AWS CloudTrail management events
D.VPC Flow Logs for the management console IP
AnswerC

CloudTrail management events capture all IAM API calls with detailed request parameters.

Why this answer

AWS CloudTrail management events record every control-plane API call, whether made through the AWS Management Console, the SDKs, the CLI or another AWS service, including IAM CreateUser, AttachUserPolicy and PutUserPolicy. Each record carries the exact eventTime, sourceIPAddress, userAgent, the requestParameters (such as the policy ARN or inline policy document) and the identity of the principal making the call, making CloudTrail the definitive source for when an IAM user was created and what permissions were assigned.

Exam trap

Cisco often tests the distinction between management events (CloudTrail) and data events (S3 access logs, VPC Flow Logs), and the trap here is that candidates confuse network-level logs (VPC Flow Logs) or configuration snapshots (AWS Config) with the API-level audit trail that CloudTrail provides.

How to eliminate wrong answers

Option A is wrong because AWS Config configuration history records the state of resources over time but does not capture the exact API call timestamp or the identity of the caller; it only shows the resulting configuration changes. Option B is wrong because S3 access logs record requests to S3 buckets, not IAM user creation or policy assignment events; they are irrelevant for tracking IAM management actions. Option D is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) but do not log API-level actions like IAM user creation or permission assignments.

70
MCQhard

A company uses AWS CloudTrail with log file validation enabled. An auditor wants to verify that a specific log file has not been tampered with. Which process should the auditor use to confirm the integrity of the CloudTrail log file?

A.Use the AWS CLI command 'aws cloudtrail validate-logs' which automatically verifies the digital signature and hash
B.Check the log file’s last modified timestamp against the CloudTrail delivery timestamp
C.Compare the log file’s SHA-256 hash with the hash stored in AWS Key Management Service (KMS)
D.Review the log file’s integrity using the SHA-256 checksum provided in the S3 object metadata
AnswerA

The validate-logs command performs the verification using the digest files and public key.

Why this answer

CloudTrail log file validation uses SHA-256 hashes and RSA digital signatures. Each hourly digest file lists the SHA-256 hash of every log file delivered in that hour and is signed with a CloudTrail private key; the signature is stored as metadata on the digest object. To verify, the auditor runs the CLI, for example 'aws cloudtrail validate-logs --trail-arn <trail-arn> --start-time <timestamp>', which fetches the AWS public key for the signing period, verifies the signature on each digest, and compares the recomputed hash of each log file with the hash recorded in the digest.
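
The hash-chain part of that verification, as an added example that is not part of the original page and not AWS code, serving questions 48, 56, 65 and 70: a function that walks digest files newest to oldest, recomputes the SHA-256 of each log object and compares it with the hashValue in the digest, and checks that the previousDigestHashValue matches the previous digest's bytes. The digest layout (logFiles[], previousDigestS3Object, previousDigestHashValue) follows the documented CloudTrail digest format, but the objects are constructed in memory with placeholder bucket names and the RSA signature check that the real 'validate-logs' command adds on top (signature metadata, AWS public key) is deliberately not implemented here.

```python
"""Offline check of CloudTrail log file integrity using the hash chain that
log file validation writes into hourly digest files. Signature verification
(RSA over the digest, with the CloudTrail public key) is what the real
`aws cloudtrail validate-logs` adds on top and is not done here."""
import gzip
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_log_object(records):
    """CloudTrail delivers log files gzip-compressed; the digest hashes the
    object bytes as delivered, so the sample mirrors that."""
    return gzip.compress(json.dumps({"Records": records}).encode())


# Constructed objects standing in for a central logging bucket (key -> bytes).
BUCKET = {}
BUCKET["logs/hour1.json.gz"] = make_log_object(
    [{"eventName": "ConsoleLogin", "eventTime": "2024-05-01T07:55:40Z"}])
BUCKET["logs/hour2.json.gz"] = make_log_object(
    [{"eventName": "CreateAccessKey", "eventTime": "2024-05-01T08:58:03Z"}])


def make_digest(key, log_keys, previous_key):
    """Build a digest object over the given log objects, chained to the
    previous digest by the SHA-256 of its bytes (previousDigestHashValue).
    Only the fields the validator reads are populated."""
    digest = {
        "digestS3Bucket": "central-trail-logs",
        "digestS3Object": key,
        "previousDigestS3Object": previous_key,
        "previousDigestHashAlgorithm": "SHA-256",
        "previousDigestHashValue": sha256_hex(BUCKET[previous_key]) if previous_key else None,
        "logFiles": [
            {"s3Bucket": "central-trail-logs", "s3Object": k,
             "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(BUCKET[k])}
            for k in log_keys
        ],
    }
    BUCKET[key] = json.dumps(digest).encode()
    return key


D1 = make_digest("digests/d1.json", ["logs/hour1.json.gz"], None)
D2 = make_digest("digests/d2.json", ["logs/hour2.json.gz"], D1)


def validate_chain(bucket, newest_digest_key):
    """Walk digests newest-to-oldest. Returns (ok, problems) where problems
    lists every log file whose hash no longer matches, every missing object,
    and any break in the previous-digest chain."""
    problems = []
    key = newest_digest_key
    while key:
        raw = bucket.get(key)
        if raw is None:
            problems.append(f"missing digest {key}")
            break
        digest = json.loads(raw)
        for lf in digest["logFiles"]:
            data = bucket.get(lf["s3Object"])
            if data is None:
                problems.append(f"missing log file {lf['s3Object']}")
            elif sha256_hex(data) != lf["hashValue"]:
                problems.append(f"hash mismatch for {lf['s3Object']}")
        prev = digest.get("previousDigestS3Object")
        if prev:
            prev_raw = bucket.get(prev)
            if prev_raw is not None and sha256_hex(prev_raw) != digest["previousDigestHashValue"]:
                problems.append(f"chain broken at {prev}")
        key = prev
    return (not problems, problems)


if __name__ == "__main__":
    print(validate_chain(BUCKET, D2))
    tampered = dict(BUCKET)
    tampered["logs/hour1.json.gz"] = make_log_object([])  # attacker rewrites a file
    print(validate_chain(tampered, D2))
```

Without the signature check an attacker who can write to the bucket could rewrite both the log file and the digest; that is exactly why the real digests are RSA-signed and why the digest objects should sit under a bucket policy (or Object Lock) that denies modification even to administrators.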

71
MCQeasy

A cloud security engineer is tasked with ensuring that all API calls made to AWS resources are logged for audit purposes. Which AWS service should be enabled to capture management events such as creating or deleting EC2 instances?

A.AWS Config
B.AWS CloudTrail
C.Amazon GuardDuty
D.AWS Security Hub
AnswerB

CloudTrail records API calls and can be enabled to capture management events.

Why this answer

AWS CloudTrail is the correct service because it is specifically designed to record API activity in an AWS account, including management events such as creating or deleting EC2 instances. It captures the who, what, when, and source IP for every API call, which is essential for audit logging and compliance. AWS Config, by contrast, records resource configuration changes and compliance history, not API call logs.

Exam trap

The trap here is that candidates confuse AWS Config (which tracks configuration history) with CloudTrail (which tracks API calls), leading them to select AWS Config for audit logging of management events.

How to eliminate wrong answers

Option A is wrong because AWS Config records resource configuration changes and evaluates compliance rules, but it does not capture API call logs or management events like creating or deleting EC2 instances. Option C is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events for malicious activity, but it does not itself generate or store API audit logs. Option D is wrong because AWS Security Hub aggregates security findings from multiple services (including CloudTrail) and provides a compliance dashboard, but it is not a logging service and does not capture raw API events.

72
MCQmedium

A security analyst notices that an IAM user from a cloud account has logged in from two different countries within a span of 10 minutes. Which type of detection mechanism is most likely to flag this activity as suspicious?

A.A cloud configuration management database (CMDB)
B.A vulnerability scanner
C.An agent-based intrusion detection system (IDS)
D.A correlation rule in a SIEM
AnswerD

SIEM correlation rules can detect impossible travel by analyzing login events.

Why this answer

A correlation rule in a SIEM is designed to aggregate and analyze log data from multiple sources, such as cloud IAM logs, to detect anomalous patterns. The specific scenario of a user logging in from two geographically distant countries within 10 minutes is a classic example of an impossible travel time anomaly, which SIEM correlation rules are built to flag by comparing login timestamps and IP geolocation data.

Exam trap

Cisco often tests the distinction between detection mechanisms that analyze static configurations (CMDB, vulnerability scanners) versus those that analyze dynamic behavioral patterns (SIEM correlation rules), leading candidates to confuse a CMDB's asset inventory function with real-time anomaly detection.

How to eliminate wrong answers

Option A is wrong because a cloud configuration management database (CMDB) is a repository for storing metadata about IT assets and their relationships, not a real-time detection mechanism for user login anomalies. Option B is wrong because a vulnerability scanner is designed to identify security weaknesses in systems (e.g., missing patches, misconfigurations), not to analyze user behavior or login patterns. Option C is wrong because an agent-based intrusion detection system (IDS) monitors network traffic or host-level events for known attack signatures, but it does not typically correlate geolocation data from cloud IAM logs to detect impossible travel scenarios.

73
Multi-Selecthard

An organization is using GCP and wants to implement automated remediation of security misconfigurations. Which TWO services can be used together to achieve this? (Choose two.)

Select 2 answers
A.Cloud Build
B.Cloud Audit Logs
C.Cloud Storage
D.Cloud Functions
E.Cloud Security Command Center
AnswersD, E

Cloud Functions can execute remediation code when triggered by Security Command Center.

Why this answer

Cloud Functions (D) is correct because it can be triggered by events from Cloud Security Command Center (Cloud SCC) to automatically remediate security misconfigurations. Cloud SCC detects vulnerabilities and misconfigurations, and Cloud Functions can execute remediation logic such as modifying IAM policies, enabling logging, or updating firewall rules. Together, they enable event-driven, automated security response without manual intervention.

Exam trap

Cisco often tests the distinction between services that detect or log issues (like Cloud Audit Logs or Cloud SCC alone) versus services that can execute automated remediation (like Cloud Functions), leading candidates to mistakenly select Cloud Audit Logs or Cloud Storage as capable of performing actions.

74
Multi-Select · medium

A security architect is designing a logging strategy for a multi-cloud environment using AWS and Azure. Which TWO practices should be implemented to ensure log integrity and prevent tampering? (Choose two.)

Select 2 answers
A. Store logs in a publicly readable S3 bucket for transparency
B. Encrypt logs using server-side encryption with AWS KMS
C. Enable CloudTrail log file validation
D. Use S3 Object Lock or Azure Immutable Blob Storage
E. Enable cross-region replication for logs
Answers: C, D

CloudTrail log file validation uses SHA-256 hashing and RSA digital signatures to verify log integrity.

Why this answer

Log file validation (e.g., CloudTrail log file validation) ensures cryptographic verification of log integrity. Write-once-read-many (WORM) storage, such as S3 Object Lock or Azure Immutable Blob Storage, prevents deletion or modification of logs.

75
MCQ · hard

A cloud security engineer needs to implement a solution to detect configuration drift against CIS benchmarks for AWS workloads. Which tool or service is specifically designed for cloud security posture management (CSPM) in AWS?

A. AWS CloudTrail
B. AWS Security Hub
C. AWS Config
D. AWS Inspector
Answer: B

Security Hub performs automated CSPM checks against standards like CIS.

Why this answer

AWS Security Hub is a cloud security posture management (CSPM) service that aggregates security findings from multiple AWS services and third-party tools, and it can continuously monitor AWS workloads against CIS AWS Foundations Benchmarks. It provides automated compliance checks, consolidated dashboards, and remediation guidance specifically designed for detecting configuration drift from benchmark standards.

Exam trap

Cisco often tests the distinction between AWS Config (a configuration recorder and evaluator) and AWS Security Hub (a CSPM aggregator with built-in benchmark compliance), leading candidates to mistakenly choose Config because it can evaluate rules, even though it lacks the centralized benchmark reporting and multi-service integration that Security Hub provides.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail is a governance, compliance, and auditing service that records API activity and user actions, but it does not perform configuration drift detection or CIS benchmark checks. Option C is wrong because AWS Config is a configuration tracking and evaluation service that can assess resource compliance against custom rules or managed rules, but it is not a dedicated CSPM tool and lacks the centralized multi-account, multi-service benchmark aggregation that Security Hub provides. Option D is wrong because AWS Inspector is a vulnerability management service focused on scanning EC2 instances and container images for software vulnerabilities and network exposure, not for detecting configuration drift against CIS benchmarks for cloud workloads.
