CCNA Cloud Application Security Questions

75 of 111 questions · Page 1/2 · Cloud Application Security · Answers revealed

1
Multi-Selectmedium

Which TWO are effective strategies for securing cloud application data at rest?

Select 2 answers
A.Role-based access control
B.Database activity monitoring
C.File-level encryption
D.Transparent data encryption
E.Network segmentation
AnswersC, D

File-level encryption encrypts individual files or directories, protecting data at rest.

Why this answer

File-level encryption (C) encrypts individual files or directories, ensuring that data at rest remains protected even if the underlying storage is compromised. This is a direct data-at-rest security control because it applies cryptographic protection to the data itself, independent of the storage layer. Transparent data encryption (D) encrypts data at the database level, typically at the page or file level, without requiring changes to the application, making it another effective strategy for securing data at rest.

Exam trap

ISC2 often tests the distinction between access control (RBAC) and encryption, where candidates mistakenly think that restricting access is sufficient to secure data at rest, ignoring that encryption is required to protect against physical theft or unauthorized storage-level access.

2
Multi-Selecthard

Which TWO of the following are effective methods to protect against server-side request forgery (SSRF) in a cloud application? (Choose two.)

Select 2 answers
A.Use SSL inspection to check for malicious payloads
B.Whitelist allowed outbound destinations
C.Block all outbound network traffic from the application
D.Disable unused URL schemes such as file:// and dict://
E.Sanitize all user input for URL parameters
AnswersB, D

Whitelisting prevents requests to internal or malicious hosts.

Why this answer

Option B is correct because whitelisting allowed outbound destinations is a primary defense against SSRF. By explicitly permitting only trusted external hosts (e.g., specific API endpoints or internal services), the application cannot be tricked into making requests to arbitrary internal or external targets, even if an attacker controls the URL parameter.

Exam trap

ISC2 often tests the misconception that input sanitization alone is sufficient for SSRF protection, when in reality the attack exploits the server's trust in the destination, not the input format, making whitelisting and scheme restrictions the effective controls.

3
MCQmedium

A cloud application experiences intermittent failures during peak load. Logs show database connection timeouts. Which architecture change would best address this issue?

A.Implement connection pooling
B.Enable auto-scaling on the application tier
C.Use read replicas
D.Increase database instance size
AnswerA

Connection pooling reuses connections, reducing overhead and preventing timeouts under load.

Why this answer

Connection pooling reuses a set of established database connections, avoiding the overhead of repeatedly opening and closing connections during high concurrency. This directly resolves intermittent timeouts caused by connection exhaustion or slow connection establishment under peak load, without requiring additional infrastructure.

Exam trap

ISC2 often tests the misconception that scaling the application tier or database size alone solves connection management issues, when the real bottleneck is connection establishment overhead and pool limits.

How to eliminate wrong answers

Option B is wrong because auto-scaling the application tier adds more compute instances, which increases the number of concurrent database connection requests and can worsen connection exhaustion, not fix it. Option C is wrong because read replicas only offload read queries, not the connection management overhead or write-related timeouts. Option D is wrong because increasing database instance size provides more memory/CPU but does not address the fundamental issue of connection churn or exhaustion; the database may still hit its max_connections limit.

4
MCQeasy

A developer is writing code that will be deployed as a serverless function (e.g., AWS Lambda). The function needs to read data from an Amazon S3 bucket. According to the principle of least privilege, how should the developer grant access?

A.Store the AWS access key and secret key in environment variables in the function
B.Use the root user credentials of the AWS account
C.Set the S3 bucket policy to allow public read access
D.Create an IAM role with an S3 read policy and attach it to the function
AnswerD

This grants only the necessary permissions and follows least privilege.

Why this answer

Option D is correct because AWS Lambda functions should assume an IAM role that grants only the specific permissions needed—in this case, an S3 read policy. This follows the principle of least privilege by avoiding hardcoded credentials and instead using temporary, automatically rotated credentials provided by the AWS Security Token Service (STS) via the IAM role. The role is attached to the Lambda function at deployment, ensuring the function can securely access the S3 bucket without exposing long-term access keys.

Exam trap

ISC2 often tests the misconception that environment variables are a secure way to store credentials in serverless functions, but the trap is that AWS Lambda’s native IAM role integration provides temporary, automatically rotated credentials that are far more secure and align with least privilege, whereas static keys in environment variables introduce long-term exposure risks.

How to eliminate wrong answers

Option A is wrong because storing AWS access key and secret key in environment variables violates the principle of least privilege by introducing long-term, static credentials that must be managed, rotated, and could be exposed in logs or function output; AWS Lambda natively supports IAM roles for temporary credentials. Option B is wrong because using root user credentials grants unrestricted, full administrative access to the entire AWS account, which is a severe security risk and directly contradicts least privilege; root credentials should never be used for programmatic access. Option C is wrong because setting the S3 bucket policy to allow public read access makes the data accessible to anyone on the internet, bypassing authentication and authorization entirely, which is the opposite of least privilege and could lead to data exposure.

5
MCQmedium

A healthcare SaaS provider is deploying a new application that processes protected health information (PHI). The application uses a microservices architecture running on Kubernetes. Each microservice stores its data in a separate database. The compliance team requires that all data at rest be encrypted and that encryption keys be managed by the customer (CMEK). The cloud provider supports KMS with CMEK. However, the development team wants to use a single customer-managed key for all databases to simplify key management. The security architect is concerned about the blast radius if the key is compromised. Which of the following recommendations best balances security and operational efficiency?

A.Use the cloud provider's default encryption keys for all databases
B.Use a separate customer-managed key for each database, with automated key rotation
C.Disable encryption to improve performance and use network segmentation instead
D.Use one customer-managed key for all databases, but enable automatic key rotation
AnswerB

Separate keys limit blast radius and rotation reduces risk.

Why this answer

Option B is correct because it minimizes the blast radius by ensuring that compromise of one key does not expose data in other databases, while automated key rotation reduces the window of vulnerability and operational overhead. This aligns with the principle of least privilege and the compliance requirement for customer-managed encryption keys (CMEK). Using separate keys per database is a standard security best practice for microservices architectures, especially when handling PHI.

Exam trap

ISC2 often tests the tension between operational simplicity and security blast radius, where candidates may choose a single key with rotation (Option D) thinking it balances both, but fail to recognize that rotation does not shrink the blast radius of a compromised key that has already been used to encrypt data.

How to eliminate wrong answers

Option A is wrong because using the cloud provider's default encryption keys violates the compliance requirement that encryption keys be managed by the customer (CMEK), and it does not allow the customer to control key lifecycle or rotation. Option C is wrong because disabling encryption for PHI at rest is a direct violation of compliance mandates (e.g., HIPAA) and security best practices; network segmentation alone does not protect data at rest. Option D is wrong because using a single customer-managed key for all databases creates a single point of failure and a large blast radius—if that key is compromised, all databases are exposed, and automatic rotation does not mitigate the risk of a key already being compromised.

6
MCQmedium

A cloud security engineer is reviewing the authentication mechanism for a web application. The application currently uses API keys transmitted in the URL query string. What is the primary security concern with this approach?

A.API keys in URLs are often logged in plaintext in server logs and browser history.
B.API keys in query strings are not encrypted, even with HTTPS.
C.API keys provide weak authentication because they are not tied to a user session.
D.API keys are not valid for use in query strings; they require a certificate.
AnswerA

Logging exposes the key to anyone with log access.

Why this answer

The primary security concern with transmitting API keys in URL query strings is that URLs are frequently logged in plaintext by web servers, proxies, and browsers. This means the API key can be inadvertently exposed in server access logs, browser history, and referrer headers, making it accessible to anyone with access to those logs. Even with HTTPS encrypting the data in transit, the URL itself is often logged before decryption or after encryption at the termination point, so the key remains visible in log files.

Exam trap

ISC2 often tests the misconception that HTTPS fully protects the URL from all exposure, but the trap here is that while HTTPS encrypts data in transit, it does not prevent logging, caching, or referrer leakage of the URL.

How to eliminate wrong answers

Option B is wrong because HTTPS does encrypt the entire HTTP request, including the query string, during transit; the issue is not lack of encryption on the wire but exposure in logs and history. Option C is wrong because API keys are a valid authentication method and can be tied to a user session or application identity; the weakness here is not about session binding but about exposure in URLs. Option D is wrong because API keys are valid for use in query strings; they do not require a certificate, and certificates are used for TLS mutual authentication, not for API key transmission.

7
Multi-Selecteasy

A security team is reviewing controls for a cloud application that transmits personally identifiable information (PII) over the internet. Which TWO controls are essential for protecting data in transit?

Select 2 answers
A.Use of signed certificates from a trusted CA
B.Regular penetration testing
C.Implementation of IPsec VPNs
D.Use of TLS 1.2 or higher
E.Encryption at rest using AES-256
AnswersA, D

Certificates provide authentication and enable trust in TLS connections.

Why this answer

Signed certificates from a trusted Certificate Authority (CA) are essential for authenticating the server's identity and establishing a chain of trust. Without them, a client cannot verify that it is communicating with the legitimate server, making the connection vulnerable to man-in-the-middle (MITM) attacks. This is a foundational requirement for any secure communication channel over the internet.

Exam trap

ISC2 often tests the distinction between 'essential' controls for data in transit versus 'helpful' or 'related' controls, so candidates mistakenly pick IPsec VPNs (Option C) because they associate VPNs with secure transmission, even though TLS is the standard and essential control for web-based cloud applications.

8
MCQmedium

You are a cloud security engineer for a financial services company. The company has developed a cloud-native application that processes credit card transactions and stores sensitive financial data. The application is deployed on a Kubernetes cluster in a public cloud provider. The compliance team requires that all data at rest be encrypted using a customer-managed key (CMK) with automatic rotation. The application uses a managed database service (e.g., Amazon RDS) and object storage (e.g., Amazon S3) for storing transaction logs. The current configuration uses cloud-provider-managed keys for both services. The development team is concerned that enabling CMK with automatic rotation might cause application downtime due to key rotation latency. Additionally, the security team wants to ensure that access to the keys is auditable. Which course of action BEST addresses the compliance requirement while minimizing risk?

A.Create a CMK with automatic rotation enabled, grant the database and storage service access via IAM roles, and validate the rotation process in a staging environment before production deployment.
B.Continue using cloud-provider-managed keys and implement additional logging to meet audit requirements.
C.Use a CMK with manual rotation to have full control over the rotation schedule and avoid any potential downtime.
D.Implement client-side encryption with a key stored in a secure vault and disable server-side encryption.
AnswerA

This meets compliance using CMK, ensures auditable access via IAM, and mitigates risk by testing rotation in staging.

Why this answer

Option A is correct because it directly satisfies the compliance requirement for customer-managed keys (CMK) with automatic rotation, while mitigating the risk of downtime by validating the rotation process in a staging environment. Using IAM roles to grant the database and storage service access to the CMK ensures that key access is auditable via CloudTrail, meeting the security team's audit requirement. This approach allows the development team to test and confirm that key rotation latency does not cause application downtime before production deployment.

Exam trap

ISC2 often tests the misconception that manual rotation gives more control and avoids downtime, but the requirement explicitly states 'automatic rotation,' and manual rotation introduces operational risk and does not guarantee zero downtime.

How to eliminate wrong answers

Option B is wrong because continuing with cloud-provider-managed keys does not meet the compliance requirement for customer-managed keys (CMK) with automatic rotation, and additional logging does not address the encryption key ownership mandate. Option C is wrong because manual rotation of a CMK introduces operational overhead and risk of human error, and it does not satisfy the 'automatic rotation' requirement; it also does not inherently avoid downtime, as key rotation latency can still occur. Option D is wrong because implementing client-side encryption with a key stored in a secure vault and disabling server-side encryption would require significant application changes, increase complexity, and may not integrate seamlessly with managed services like Amazon RDS and S3, potentially causing more downtime risk than server-side CMK rotation.

9
MCQhard

A SaaS provider uses a customer-managed encryption key (CMEK) model for data-at-rest. The provider's application runs in a multi-tenant cloud environment. Which attack surface is MOST directly mitigated by this approach?

A.Misconfigured storage buckets exposing data
B.Insider threats from cloud provider employees
C.SQL injection vulnerabilities in the application
D.Side-channel attacks on shared physical hardware
AnswerB

CMEK prevents provider access to customer data without the key.

Why this answer

A customer-managed encryption key (CMEK) model gives the customer control over the key used to encrypt data at rest. This directly mitigates the risk of a cloud provider employee accessing the plaintext data, because even if the employee has administrative access to the storage infrastructure, they cannot decrypt the data without the customer's key. The provider holds the encrypted data, but the decryption key is managed and controlled by the customer, creating a logical separation that protects against insider threats from the provider's personnel.

Exam trap

ISC2 often tests the misconception that encryption alone prevents all data exposure, but the trap here is that candidates confuse data-at-rest encryption with access control or application security, failing to recognize that CMEK specifically addresses the insider threat from the cloud provider's staff who might otherwise access raw storage.

How to eliminate wrong answers

Option A is wrong because misconfigured storage buckets expose data through incorrect access control policies (e.g., public read/write ACLs), which encryption does not prevent—encryption protects data at rest but does not enforce access controls. Option C is wrong because SQL injection is an application-layer attack that exploits improper input validation in the application code, and encryption of data at rest does not prevent injection or protect data while it is being processed in memory. Option D is wrong because side-channel attacks on shared physical hardware exploit timing, power consumption, or electromagnetic leaks to infer data; encryption keys managed by the customer do not prevent these physical-layer attacks, which target the compute or memory operations rather than the stored encrypted data.

10
MCQmedium

A security architect is designing access controls for a cloud-based microservices application. Which approach best aligns with the principle of least privilege for service-to-service authentication?

A.Use long-lived bearer tokens
B.Implement mutual TLS with unique certificates per service
C.Assign IAM roles with broad permissions
D.Use a shared API key across all services
AnswerB

Mutual TLS with unique certificates enforces service identity and least privilege.

Why this answer

Mutual TLS (mTLS) with unique certificates per service enforces least privilege by ensuring each microservice authenticates with a distinct identity, and access can be scoped to specific certificates. This prevents a compromised service from impersonating others, as each service has its own private key and certificate, and the TLS handshake requires both sides to present and validate certificates.

Exam trap

ISC2 often tests the misconception that shared secrets or broad IAM roles are acceptable for service-to-service communication, but the trap is that candidates overlook the need for per-service identity and cryptographic proof of identity, which mTLS uniquely provides.

How to eliminate wrong answers

Option A is wrong because long-lived bearer tokens, such as static OAuth2 tokens, increase the risk of token theft and reuse; they lack the per-request cryptographic binding of mTLS and violate least privilege by providing persistent access without rotation. Option C is wrong because assigning IAM roles with broad permissions (e.g., wildcard actions or resources) grants excessive privileges, directly contradicting the principle of least privilege by allowing a service to access more than necessary. Option D is wrong because a shared API key across all services creates a single point of failure and common credential; if the key is compromised, all services are exposed, and there is no way to isolate or revoke access per service.

11
MCQeasy

Refer to the exhibit. A log entry shows a suspected SQL injection attack. Which security control would have prevented this attack?

A.Encrypt the database connection
B.Implement rate limiting on the login endpoint
C.Enforce strong password policies
D.Use parameterized SQL queries
AnswerD

Parameterized queries prevent injection by treating input as data.

Why this answer

Option D is correct because SQL injection attacks exploit unsanitized user input that is concatenated into SQL queries. Parameterized queries (also known as prepared statements) separate SQL logic from data by using placeholders, ensuring that user input is always treated as data, not executable code. This prevents an attacker from injecting malicious SQL commands, regardless of the input content.

Exam trap

ISC2 often tests the distinction between network-layer controls (like encryption) and application-layer controls (like input validation), and the trap here is that candidates confuse encryption of the connection with prevention of injection, thinking encrypted traffic cannot carry malicious payloads.

How to eliminate wrong answers

Option A is wrong because encrypting the database connection (e.g., using TLS/SSL) protects data in transit from eavesdropping but does not prevent the execution of malicious SQL statements; the injection still occurs at the application layer. Option B is wrong because rate limiting on the login endpoint only mitigates brute-force or credential-stuffing attacks by restricting request frequency; it has no effect on the content of a single request that contains SQL injection payload. Option C is wrong because enforcing strong password policies (e.g., complexity, length) reduces the risk of credential compromise but does not address the vulnerability of unsanitized input in SQL queries; an attacker can still inject SQL without needing valid credentials.

12
Multi-Selectmedium

A cloud application uses AWS Lambda functions in a serverless architecture. The security team wants to enforce least privilege access for these functions. Which THREE practices should be implemented?

Select 3 answers
A.Use AWS Parameter Store or Secrets Manager for sensitive data
B.Store secrets in Lambda environment variables encrypted with KMS
C.Assign a dedicated IAM role to each Lambda function
D.Grant permissions based on the principle of minimal necessary access
E.Use a single IAM role for all Lambda functions for simplicity
AnswersA, C, D

External secrets management reduces exposure.

Why this answer

AWS Parameter Store or Secrets Manager are correct because they provide secure, auditable storage for sensitive data like database credentials and API keys. Lambda functions can retrieve these values at runtime via the AWS SDK, avoiding hard-coded secrets in code or environment variables. This aligns with the principle of least privilege by granting the Lambda IAM role only the specific permissions needed to access the secret, not the secret value itself in plaintext.

Exam trap

ISC2 often tests the misconception that encrypting environment variables with KMS is a sufficient substitute for using a dedicated secrets management service, but the trap is that environment variables are still visible in plaintext to anyone with console access or CloudTrail logs of the function configuration.

13
MCQeasy

A developer wants to ensure that sensitive data in a cloud database is protected even if the database backup files are stolen. Which best practice should be implemented?

A.Restrict access to the backup files using IAM roles.
B.Use a virtual private cloud (VPC) to isolate the database from the internet.
C.Enable transparent data encryption (TDE) with customer-managed keys for the database and its backups.
D.Implement data tokenization for all sensitive fields.
AnswerC

Data is encrypted at rest; keys are separate.

Why this answer

Option C is correct because Transparent Data Encryption (TDE) with customer-managed keys encrypts the database at rest and, when properly configured, also encrypts backup files. This ensures that even if backup files are stolen, the data remains unreadable without the decryption keys, providing a strong defense against data breaches involving physical or logical theft of backups.

Exam trap

The trap here is that candidates often confuse network-level controls (VPC isolation) or access controls (IAM) with data-at-rest encryption, failing to recognize that backup files are a separate attack surface requiring encryption specifically applied to the backup media.

How to eliminate wrong answers

Option A is wrong because restricting access with IAM roles protects against unauthorized access to the backup files but does not encrypt the data within them; if the files are stolen (e.g., via physical theft or a compromised storage layer), the data is still readable. Option B is wrong because using a VPC isolates the database from the internet but does not encrypt backup files; a VPC controls network traffic, not data at rest, so stolen backups remain unprotected. Option D is wrong because data tokenization replaces sensitive data with tokens, but it requires an external tokenization service and does not inherently protect backup files; if the token mapping is compromised or the backup contains tokens, the original data may still be exposed, and tokenization is not a direct backup encryption mechanism.

14
MCQeasy

A fintech startup deploys a customer-facing web application on Azure App Service. The application uses OAuth 2.0 with Azure AD for authentication. Recently, users report being logged out unexpectedly during active sessions. Security logs show multiple token refresh attempts failing with 'invalid_grant' errors. The application uses a standard library for token management. What is the most likely cause and recommended action?

A.The Azure AD API is throttling requests; implement exponential backoff
B.The access token and refresh token lifetimes are misconfigured; align token lifetimes
C.The authorization code was reused; implement PKCE to prevent reuse
D.The user consent was revoked; advise users to re-consent
AnswerB

If the access token outlives the refresh token, refresh attempts fail.

Why this answer

The 'invalid_grant' error during token refresh typically indicates that the refresh token has expired or been revoked. In Azure AD, refresh token lifetimes are configurable and, if set too short or misaligned with the access token lifetime, users will be logged out unexpectedly when the refresh token expires before a new access token is requested. The standard library correctly handles the OAuth 2.0 flow, but the token lifetime configuration in the Azure AD app registration is the root cause.

Exam trap

ISC2 often tests the distinction between token refresh errors (invalid_grant) and other OAuth 2.0 errors (e.g., throttling, consent issues), and candidates mistakenly attribute the problem to PKCE or throttling without recognizing that token lifetime misconfiguration is the most common cause of unexpected logouts in Azure AD.

How to eliminate wrong answers

Option A is wrong because Azure AD API throttling would return HTTP 429 (Too Many Requests) or 'temporarily_unavailable' errors, not 'invalid_grant', and exponential backoff would not fix token expiration issues. Option C is wrong because authorization code reuse is prevented by the OAuth 2.0 spec itself (codes are single-use), and PKCE is designed to mitigate authorization code interception attacks, not to fix refresh token expiration; the error occurs during token refresh, not during the initial authorization code exchange. Option D is wrong because consent revocation would cause an 'invalid_grant' error only if the user explicitly revoked consent, but the scenario describes multiple users experiencing the same issue simultaneously, pointing to a configuration problem rather than individual consent changes.

15
MCQmedium

A SaaS application allows users to upload profile pictures. The development team wants to prevent upload of malicious files that could compromise the server. Which control is most effective?

A.Store files in a CDN that only serves static content.
B.Set a maximum file size limit to 2 MB.
C.Implement server-side antivirus scanning on all uploaded files before saving.
D.Restrict file uploads to only image file types by checking the file extension.
AnswerC

Scans for known malware and can block dangerous files.

Why this answer

Option A is correct because scanning files for malware before storage prevents malicious content from reaching the server. Option B is wrong because file extension validation alone is insufficient. Option C is wrong because limiting size does not address malicious content.

Option D is wrong because CDN does not inspect file content.

16
MCQhard

An organization uses a CI/CD pipeline that automatically builds and deploys container images to a Kubernetes cluster. A security scanner flags that the base image contains a critical vulnerability. What is the best course of action to prevent vulnerable images from being deployed?

A.Replace the base image with a minimal image like Alpine.
B.Manually review and patch the base image before each build.
C.Integrate a container image scanning tool into the CI/CD pipeline that blocks builds if critical vulnerabilities are found.
D.Configure the scanner to send alerts after deployment.
AnswerC

Automated prevention at the pipeline stage.

Why this answer

Option C is correct because integrating a container image scanning tool directly into the CI/CD pipeline and configuring it to block the build when critical vulnerabilities are found ensures that vulnerable images never reach the Kubernetes cluster. This shift-left approach enforces security gates automatically, preventing deployment of non-compliant images without relying on manual intervention or post-deployment alerts.

Exam trap

The trap here is that candidates may think replacing the base image with a minimal one (Option A) is sufficient, but ISC2 often tests that security must be automated and enforced as a gate in the pipeline, not just a manual or reactive measure.

How to eliminate wrong answers

Option A is wrong because simply replacing the base image with a minimal image like Alpine does not guarantee the absence of critical vulnerabilities; Alpine images can also contain vulnerabilities, and the approach does not address the need for automated scanning and blocking in the pipeline. Option B is wrong because manually reviewing and patching the base image before each build is not scalable, error-prone, and contradicts the automation principles of CI/CD; it also introduces delays and does not prevent human oversight. Option D is wrong because configuring the scanner to send alerts after deployment allows vulnerable images to be deployed into production, which defeats the purpose of preventing vulnerable images from being deployed; alerts after the fact do not block the deployment.

17
MCQhard

An organization deploys a serverless application using AWS Lambda functions that access an RDS database. Which practice best ensures that the database credentials are protected?

A.Store credentials in the function code
B.Use AWS Systems Manager Parameter Store with KMS encryption and IAM roles
C.Hardcode credentials in environment variables
D.Use database temporary tokens generated on the fly
AnswerB

Parameter Store with KMS and IAM roles provides secure storage and access control.

Why this answer

Option B is correct because AWS Systems Manager Parameter Store, combined with AWS KMS for encryption and IAM roles for access control, provides a secure, auditable, and managed way to store and retrieve database credentials. This approach avoids embedding secrets in code or environment variables, and it integrates natively with AWS Lambda via the IAM execution role, ensuring that only authorized functions can decrypt and access the credentials.

Exam trap

The trap here is that candidates often confuse 'temporary tokens' (Option D) with a secure credential storage method, but the CCSP exam expects you to recognize that managing the initial secret (the token's root of trust) is still required, and Parameter Store with KMS is the definitive best practice for protecting static credentials in serverless architectures.

How to eliminate wrong answers

Option A is wrong because storing credentials directly in the function code exposes them to anyone with read access to the code repository or deployment artifacts, violating the principle of least privilege and making secrets management impossible. Option C is wrong because hardcoding credentials in environment variables is insecure; environment variables can be viewed in the Lambda console, CloudWatch logs, or through AWS CLI, and they are not encrypted by default, leading to potential credential leakage. Option D is wrong because database temporary tokens generated on the fly (e.g., using IAM database authentication for RDS) are a valid security practice for some databases, but the question specifically asks about protecting database credentials; temporary tokens are not credentials themselves but an alternative authentication method, and the option does not specify how the initial secret (e.g., the token generation key) is secured, making it an incomplete or misleading answer in this context.

18
MCQhard

A security analyst reviews the above S3 bucket policy. The bucket stores sensitive application data. What is the primary security issue with this policy?

A.The resource ARN should not include a wildcard
B.The Deny statement will block all access, including from authorized IPs
C.The policy should use a condition with aws:SourceVpc instead of IP
D.The IP address range is too broad
AnswerB

Deny statements override Allow, so the Allow with IP condition is ineffective.

Why this answer

The Deny statement with a NotIpAddress condition denies all requests that do not match the specified IP range. However, because the Deny effect overrides any Allow, this statement will block access from any IP address that is not in the listed range, including authorized IPs that the policy intended to allow. This creates a complete denial of service for legitimate users, making it the primary security issue.

Exam trap

ISC2 often tests the nuance that a Deny statement with a NotIpAddress condition will block all traffic not matching the IP range, including traffic from authorized IPs, because candidates mistakenly think the Allow statement will override the Deny.

How to eliminate wrong answers

Option A is wrong because using a wildcard in the Resource ARN is acceptable for bucket-level policies when the intent is to apply the policy to all objects in the bucket, and it is not inherently a security issue. Option C is wrong because using aws:SourceVpc is a valid condition for restricting access to a specific VPC, but it is not required here; the IP-based condition is also valid, and the primary issue is the logic error in the Deny statement, not the condition type. Option D is wrong because the IP address range being broad is not the primary issue; the critical flaw is that the Deny statement incorrectly blocks all traffic outside the range, including authorized IPs, rather than the breadth of the range itself.

19
Multi-Selecthard

Which THREE of the following are essential components of a Secure Software Development Lifecycle (SSDLC) for cloud applications?

Select 3 answers
A.Manual penetration testing after every code commit.
B.Security awareness training for all developers.
C.Security regression testing to validate that new code does not reintroduce vulnerabilities.
D.Static application security testing (SAST) integrated into the CI/CD pipeline.
E.Dynamic application security testing (DAST) against staging environments.
AnswersC, D, E

Regression testing ensures that security fixes remain effective over time.

Why this answer

Security regression testing (C) is essential because it ensures that new code changes do not reintroduce previously fixed vulnerabilities, which is critical in the continuous integration/continuous delivery (CI/CD) pipelines typical of cloud applications. This testing validates that security patches remain effective across rapid iterations, directly supporting the 'verify' phase of the SSDLC.

Exam trap

ISC2 often tests the distinction between 'essential SSDLC components' (technical controls integrated into the pipeline) and 'supporting activities' (like training or manual testing), leading candidates to select B or A as they confuse general best practices with mandatory lifecycle components.

20
MCQeasy

A security analyst is reviewing application logs and notices that a large number of requests from a single IP address are attempting to access a REST API endpoint with invalid session tokens. Which cloud-based mitigation is MOST effective at blocking such automated attacks?

A.Rotate API keys more frequently
B.Implement cross-origin resource sharing (CORS) policies
C.Configure a web application firewall (WAF) with rate limiting and IP blacklisting
D.Require encryption of session tokens
AnswerC

WAF can detect and block malicious traffic patterns.

Why this answer

Option C is correct because a Web Application Firewall (WAF) with rate limiting and IP blacklisting directly addresses the described attack: a single IP flooding a REST API with invalid session tokens. Rate limiting throttles the number of requests from that IP, while IP blacklisting blocks it entirely, preventing automated brute-force or credential-stuffing attempts at the cloud edge before they reach the application.

Exam trap

The trap here is that candidates may confuse session token management (e.g., rotation, encryption) with the need for a perimeter defense that controls request volume and source, leading them to pick options that address token validity rather than the automated, high-volume nature of the attack.

How to eliminate wrong answers

Option A is wrong because rotating API keys more frequently does not mitigate automated attacks using invalid session tokens; API keys are typically used for service-to-service authentication, not for user session validation, and rotation does not stop a flood of requests from a single IP. Option B is wrong because CORS policies control which origins (domains) can make cross-origin requests from a browser, but they do not block automated scripts or tools (e.g., cURL, Postman) that ignore CORS headers, nor do they rate-limit or blacklist IPs. Option D is wrong because requiring encryption of session tokens (e.g., via TLS) protects token confidentiality in transit but does not prevent an attacker from sending many requests with invalid tokens; encryption does not address the volume or source of the attack.

21
MCQhard

A media streaming company uses a multi-cloud strategy with AWS and GCP. Their application uses a message queue (Amazon SQS and Google Pub/Sub) for asynchronous processing. The security team discovers that messages contain sensitive user data (e.g., email addresses) that are not encrypted at the broker level. The compliance team mandates encryption of data at rest and in transit for all sensitive data. However, the application already uses TLS for message delivery. What is the most secure and operationally efficient way to meet compliance?

A.Enable server-side encryption with SQS (SSE-SQS) and Pub/Sub (CSEK) and rely on TLS for in transit
B.Separate sensitive and non-sensitive messages into different queues with different retention policies
C.Implement client-side encryption of message payloads before sending to the queue, using a centralized key management service
D.Use a third-party encryption gateway that wraps messages before they reach the queues
AnswerC

Client-side encryption ensures data is encrypted end-to-end, both in transit and at rest in the broker.

Why this answer

Option C is correct because client-side encryption ensures that sensitive data is encrypted before it ever leaves the application, meeting the compliance mandate for encryption at rest and in transit regardless of the broker's native encryption capabilities. Since TLS already protects data in transit, adding client-side encryption with a centralized key management service (e.g., AWS KMS or GCP Cloud KMS) provides end-to-end confidentiality: the message payload is encrypted by the producer, remains encrypted in the queue, and is decrypted only by the authorized consumer. This approach is operationally efficient because it avoids vendor lock-in and works uniformly across AWS SQS and GCP Pub/Sub without relying on broker-specific SSE features that may not cover all states (e.g., broker logs or backups).

Exam trap

ISC2 often tests the misconception that server-side encryption (SSE) alone satisfies 'encryption at rest' requirements, but the trap here is that SSE does not protect data from exposure within the broker's internal processing or logs, and client-side encryption is the only way to guarantee end-to-end confidentiality across heterogeneous multi-cloud environments.

How to eliminate wrong answers

Option A is wrong because server-side encryption (SSE-SQS and CSEK) only protects data at rest within the broker's storage, but the compliance mandate requires encryption at rest and in transit; TLS already covers in transit, but SSE does not protect the data while it is being processed or if the broker's internal logs capture the plaintext payload. Option B is wrong because separating messages into different queues with different retention policies does not encrypt the sensitive data; it merely segregates it, leaving the sensitive payloads still in plaintext within the queue, which fails the encryption requirement. Option D is wrong because a third-party encryption gateway introduces additional latency, operational complexity, and a potential single point of failure; it also does not provide end-to-end encryption if the gateway itself must decrypt and re-encrypt, potentially exposing plaintext in transit between the application and the gateway.

22
MCQhard

A software company develops a mobile application that communicates with a cloud backend using REST APIs. The application uses OAuth 2.0 with the authorization code grant and PKCE for authentication. After a security audit, the team identifies that the backend API accepts both a client secret (from the authorization code grant) and a PKCE code verifier. The security team wants to remove unnecessary attack surface. Which change should be made?

A.Switch to the implicit grant (response_type=token) to avoid client secrets
B.Keep both mechanisms but use short-lived tokens to reduce risk
C.Remove the client_secret parameter from the token endpoint and rely solely on PKCE
D.Require a stronger client secret (e.g., 256-bit) and store it in the app's encrypted storage
AnswerC

PKCE is designed for public clients without a secret, reducing attack surface.

Why this answer

Option C is correct because PKCE (Proof Key for Code Exchange, RFC 7636) was specifically designed to secure the authorization code grant for public clients like mobile apps, where a client secret cannot be reliably kept confidential. By removing the client_secret parameter and relying solely on PKCE, the team eliminates an unnecessary attack surface—since the secret is effectively a static credential that can be extracted from the app binary—while maintaining strong protection against authorization code interception attacks. The backend should enforce PKCE verification using the code_challenge and code_verifier, making the client_secret redundant for public clients.

Exam trap

ISC2 often tests the misconception that removing the client_secret weakens security, when in fact for public clients (mobile apps, SPAs) PKCE makes the secret unnecessary and its removal reduces attack surface; candidates may incorrectly think keeping the secret adds a layer of defense, but it actually introduces a static credential that can be stolen.

How to eliminate wrong answers

Option A is wrong because switching to the implicit grant (response_type=token) would actually increase attack surface by exposing the access token directly in the URL fragment, making it vulnerable to leakage via browser history, referrer headers, and other side channels; it also removes the authorization code exchange step that PKCE protects. Option B is wrong because keeping both mechanisms does not reduce attack surface—it leaves the client_secret as an exploitable static credential that can be extracted from the app, and short-lived tokens do not mitigate the risk of secret theft or replay of the secret at the token endpoint. Option D is wrong because requiring a stronger client secret and storing it in encrypted storage still leaves the secret extractable from the mobile device at runtime (via memory dumps or reverse engineering), and encrypted storage keys are also accessible on the device; the fundamental issue is that public clients cannot securely hold secrets, so any reliance on a client_secret is a design flaw.

23
MCQhard

A company deploys microservices in Kubernetes. Each service communicates via gRPC with mutual TLS. A security assessment reveals that some services use self-signed certificates. What is the primary risk?

A.Inability to revoke certificates
B.Exposure of private keys in the container image
C.Increased latency due to certificate validation
D.Man-in-the-middle (MITM) attacks between services
AnswerD

Without trusted CA validation, MITM is possible.

Why this answer

The primary risk of using self-signed certificates in a gRPC mutual TLS environment is that there is no trusted Certificate Authority (CA) to verify the identity of the communicating services. Without proper CA-signed certificates, an attacker can easily perform a man-in-the-middle (MITM) attack by presenting a forged self-signed certificate, intercepting and modifying gRPC traffic between microservices.

Exam trap

ISC2 often tests the misconception that self-signed certificates are only a problem for revocation or key exposure, when the core issue is the lack of trusted identity verification enabling MITM attacks.

How to eliminate wrong answers

Option A is wrong because self-signed certificates can still be revoked using mechanisms like CRLs or OCSP, though it is more cumbersome; the inability to revoke is not the primary risk. Option B is wrong because private keys are not inherently exposed in the container image; exposure is a separate misconfiguration issue, not a direct consequence of using self-signed certificates. Option C is wrong because certificate validation does not introduce significant latency; the overhead of TLS handshake is negligible compared to the security benefits, and self-signed certificates do not inherently increase validation time.

24
MCQeasy

A developer is tasked with securely storing a session token in a browser-based web application. Which storage mechanism is most secure?

A.HTTP-only cookies with Secure and SameSite flags
B.sessionStorage
C.URL query parameters
D.localStorage
AnswerA

HTTP-only cookies are not accessible via JavaScript and Secure flag ensures HTTPS.

Why this answer

HTTP-only cookies with Secure and SameSite flags are the most secure storage mechanism for session tokens because they prevent client-side script access (mitigating XSS-based token theft), ensure transmission only over HTTPS (mitigating network eavesdropping), and restrict cross-origin request inclusion (mitigating CSRF). This combination aligns with OWASP best practices for session management, as the token is never exposed to JavaScript or sent over unencrypted channels.

Exam trap

ISC2 often tests the misconception that localStorage or sessionStorage is secure because they are 'client-side only,' but the trap is that both are fully accessible via JavaScript and thus vulnerable to XSS, whereas HTTP-only cookies are the only option that prevents script-level access.

How to eliminate wrong answers

Option B is wrong because sessionStorage is accessible via JavaScript, making it vulnerable to XSS attacks where an attacker can read the token directly. Option C is wrong because URL query parameters are logged in server logs, browser history, and referrer headers, exposing the session token to interception and persistent storage. Option D is wrong because localStorage persists data indefinitely and is fully accessible via JavaScript, offering no protection against XSS or CSRF, and lacks built-in expiration or secure transmission controls.

25
Multi-Selecthard

Which THREE of the following are effective controls to secure a RESTful API in the cloud?

Select 3 answers
A.Enabling CORS (Cross-Origin Resource Sharing) for all domains
B.Using HTTP basic authentication over plain HTTP
C.Implementing rate limiting and throttling
D.Enforcing strong authentication and authorization mechanisms
E.Validating and sanitizing all inputs to avoid injection attacks
AnswersC, D, E

Prevents DoS and brute-force attacks.

Why this answer

Rate limiting and throttling are effective controls for RESTful APIs because they prevent abuse by limiting the number of requests a client can make within a specified time window, mitigating denial-of-service (DoS) attacks and brute-force attempts. In cloud environments, these controls are often implemented at the API gateway or load balancer level using token bucket or leaky bucket algorithms, ensuring fair resource usage and protecting backend services from overload.

Exam trap

ISC2 often tests the misconception that CORS is a security control that should be broadly enabled, when in fact it is a relaxation of the same-origin policy and must be tightly scoped to prevent cross-origin attacks.

26
MCQhard

A company is deploying a containerized application on Kubernetes. The security team requires that containers run with the least privilege, and that any attempt to escalate privileges within a container is blocked. Which Kubernetes security context setting should be applied to the pod specification?

A.runAsNonRoot: true
B.capabilities: drop: ['ALL']
C.readOnlyRootFilesystem: true
D.allowPrivilegeEscalation: false
AnswerD

Prevents privilege escalation, which is the exact requirement.

Why this answer

Option D is correct because setting `allowPrivilegeEscalation: false` in the pod's security context directly blocks any attempt by a container process to gain more privileges than its parent process, such as through setuid binaries or syscalls like `setuid()`. This satisfies the requirement to prevent privilege escalation within the container, aligning with the least privilege principle.

Exam trap

ISC2 often tests the distinction between preventing privilege escalation and other security controls like dropping capabilities or running as non-root, leading candidates to confuse capability removal with escalation prevention.

How to eliminate wrong answers

Option A is wrong because `runAsNonRoot: true` only ensures the container runs with a non-root user, but it does not block privilege escalation mechanisms (e.g., a non-root user could still execute a setuid binary to become root). Option B is wrong because dropping all capabilities (`capabilities: drop: ['ALL']`) removes kernel capabilities but does not prevent privilege escalation via other means like setuid binaries or file system capabilities. Option C is wrong because `readOnlyRootFilesystem: true` only makes the container's root filesystem read-only, which does not address privilege escalation at all.

27
MCQhard

During a security audit, it is discovered that a cloud application's API endpoints are vulnerable to injection attacks. Which defense in depth measure would be most effective in preventing such attacks?

A.Web application firewall (WAF)
B.Prepared statements in code
C.Rate limiting
D.Regular expression input validation
AnswerB

Prepared statements ensure user input is never interpreted as code, preventing injection.

Why this answer

Prepared statements (parameterized queries) are the most effective defense against injection attacks because they separate SQL logic from user input, ensuring that input is treated as data only, never as executable code. This prevents attackers from manipulating query syntax, regardless of the input content. In cloud applications, this is a foundational secure coding practice that addresses the root cause of injection vulnerabilities at the application layer.

Exam trap

ISC2 often tests the misconception that a WAF or input validation is sufficient for injection prevention, but the exam emphasizes that only prepared statements (or parameterized queries) address the root cause by enforcing strict separation of code and data at the database layer.

How to eliminate wrong answers

Option A is wrong because a Web Application Firewall (WAF) operates at the network or HTTP layer and can only detect and block known injection patterns via signatures or heuristics; it cannot prevent novel or obfuscated injection payloads that bypass its rules, and it does not fix the underlying insecure code. Option C is wrong because rate limiting controls the frequency of API requests to mitigate denial-of-service or brute-force attacks, but it has no effect on the content of individual requests and cannot prevent injection attacks. Option D is wrong because regular expression input validation is a blacklisting or whitelisting approach that can be bypassed by carefully crafted payloads (e.g., using encoding, comments, or alternative syntax), and it is not a reliable defense against injection; prepared statements are the only option that guarantees separation of code and data.

28
Multi-Selecteasy

Which TWO of the following are common best practices for securing cloud application APIs? (Choose two.)

Select 2 answers
A.Implement rate limiting
B.Validate and sanitize all input
C.Disable HTTPS to reduce latency
D.Return detailed error messages for debugging
E.Allow all origins with CORS
AnswersA, B

Rate limiting prevents DDoS and brute force.

Why this answer

Rate limiting is a critical best practice for securing cloud application APIs because it prevents abuse by limiting the number of requests a client can make within a specific time window. This mitigates brute-force attacks, denial-of-service (DoS) attacks, and resource exhaustion. By enforcing rate limits, the API maintains availability and protects backend services from being overwhelmed.

Exam trap

ISC2 often tests the misconception that disabling HTTPS improves performance for cloud APIs, but the correct priority is always encryption for data in transit, even at the cost of slight latency.

29
Drag & Dropmedium

Drag and drop the steps for implementing a cloud data encryption strategy using a customer-managed key (CMK) in AWS KMS into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

The correct order starts with creating the CMK, then enabling rotation, setting permissions, configuring application integration, and finally monitoring usage.

30
MCQeasy

A DevOps team wants to prevent insecure code from being deployed to production. Which gate should be implemented in the CI/CD pipeline?

A.Automated security scanning with failure conditions
B.Run penetration testing after release
C.Dependency scanning only on weekly basis
D.Manual code review after deployment
AnswerA

Automated scanning can block insecure code from progressing.

Why this answer

Automated security scanning with failure conditions (option A) is the correct gate because it enforces security checks directly within the CI/CD pipeline, preventing any code that fails static application security testing (SAST) or software composition analysis (SCA) from progressing to production. This shift-left approach ensures that vulnerabilities are caught before deployment, aligning with DevSecOps principles and reducing risk.

Exam trap

ISC2 often tests the misconception that any security activity after deployment (like penetration testing or manual review) can serve as a preventive gate, when in fact only automated checks with failure conditions integrated into the pipeline can block insecure code before it reaches production.

How to eliminate wrong answers

Option B is wrong because running penetration testing after release does not prevent insecure code from being deployed; it only identifies vulnerabilities post-deployment, which violates the principle of shifting security left. Option C is wrong because dependency scanning only on a weekly basis introduces a significant delay, allowing vulnerable dependencies to be deployed before they are detected, whereas real-time scanning in the pipeline is needed. Option D is wrong because manual code review after deployment cannot block insecure code from reaching production; it is a reactive measure that does not serve as a pipeline gate.

31
MCQmedium

A financial services company is adopting a cloud-native microservices architecture. They want to ensure that only authorized services can communicate with each other, and that all inter-service communication is encrypted. Which of the following is the BEST approach?

A.Use network security groups to restrict traffic between service subnets
B.Implement a service mesh with mutual TLS (mTLS) and fine-grained access policies
C.Connect services using VPC peering and enable encryption in transit
D.Deploy an API gateway and route all internal traffic through it
AnswerB

Service mesh provides encryption, identity, and policy enforcement at the application layer.

Why this answer

Option C is correct because a service mesh (e.g., Istio) provides sidecar proxies that handle mTLS and access policies transparently. Option A (security groups) operate at network level but do not encrypt nor provide service identity. Option B (API gateways) centralize external traffic but not internal.

Option D (VPC peering) connects networks but does not enforce application-level authorization or encryption per service.

32
MCQhard

A financial services company deploys a containerized application on Amazon ECS with Fargate. The application needs to access an encrypted RDS database. The security policy mandates that database credentials must never be stored in the application code or configuration files and must be rotated automatically every 90 days. Which solution should the DevOps team implement to satisfy these requirements?

A.Store credentials in AWS Secrets Manager, grant ECS task role access, and enable automatic rotation
B.Encrypt credentials with AWS KMS and pass them as environment variables during task definition
C.Store credentials in AWS Systems Manager Parameter Store (SecureString) and retrieve them at container startup
D.Use a secrets vault like Hashicorp Vault deployed on EC2 and mount secrets via sidecar container
AnswerA

Secrets Manager supports rotation and integrates with ECS, meeting all requirements.

Why this answer

AWS Secrets Manager is the correct choice because it is designed to securely store, retrieve, and automatically rotate database credentials on a schedule (e.g., every 90 days) without storing them in code or configuration. By granting the ECS task role (via IAM) permission to access the secret, the Fargate task can retrieve the credentials at runtime using the AWS SDK or CLI, ensuring they are never hardcoded. This satisfies both the no-storage-in-code and automatic rotation requirements mandated by the security policy.

Exam trap

ISC2 often tests the distinction between AWS Secrets Manager and Systems Manager Parameter Store, where candidates mistakenly choose Parameter Store because it is cheaper, but they overlook that Secrets Manager provides native automatic rotation for RDS credentials, which is explicitly required by the policy.

How to eliminate wrong answers

Option B is wrong because passing encrypted credentials as environment variables in the task definition still embeds them in the container's environment, which violates the policy of never storing credentials in code or configuration files, and it does not provide automatic rotation. Option C is wrong because AWS Systems Manager Parameter Store (SecureString) can store encrypted secrets but does not natively support automatic rotation of RDS database credentials; it requires custom Lambda functions or additional services to implement rotation, making it less suitable for the 90-day rotation requirement. Option D is wrong because deploying Hashicorp Vault on EC2 adds operational overhead, requires managing the EC2 instances and Vault cluster, and does not integrate natively with ECS Fargate's task role for seamless credential retrieval; it also does not automatically rotate RDS credentials without additional configuration.

33
MCQhard

A financial organization is migrating a critical application to a cloud environment. The application processes sensitive customer data and must comply with PCI DSS. The security architect proposes using serverless functions for the compute layer. Which security control is essential to protect the application from injection attacks?

A.Enable function-level logging for audit trails
B.Use parameterized queries in the functions' database calls
C.Encrypt all data in transit between functions
D.Implement a web application firewall (WAF) in front of the functions
AnswerB

Parameterized queries prevent injection by separating SQL code from user input.

Why this answer

Injection attacks (e.g., SQL injection) exploit untrusted input that is concatenated into database queries. Parameterized queries (prepared statements) separate SQL logic from data, ensuring user input is treated as data only, not executable code. This is the foundational control for preventing injection in serverless functions that interact with databases, as required by PCI DSS Requirement 6.5.1.

Exam trap

ISC2 often tests the misconception that a WAF is a universal injection defense, but in serverless architectures, injection can occur through non-HTTP triggers (e.g., S3 events, DynamoDB Streams) where a WAF has no visibility, making parameterized queries the essential control.

How to eliminate wrong answers

Option A is wrong because function-level logging provides audit trails for compliance and incident response, but does not prevent injection attacks; it only records events after the fact. Option C is wrong because encrypting data in transit (e.g., TLS) protects against eavesdropping and tampering during transmission, but does not address injection vulnerabilities within the application logic itself. Option D is wrong because a WAF can detect and block some injection patterns at the HTTP layer, but serverless functions often receive events from multiple sources (e.g., queues, storage triggers) that bypass the WAF, and WAFs cannot prevent injection in non-HTTP contexts or when input is already inside the function; parameterized queries are the definitive defense.

34
MCQeasy

A team is adopting DevSecOps. Which practice best integrates security into the development lifecycle?

A.Security awareness training
B.Annual penetration testing
C.Automated security testing in CI/CD pipeline
D.Manual code review before release
AnswerC

Automated security testing as part of CI/CD ensures security checks are performed with every build.

Why this answer

Automated security testing in the CI/CD pipeline (Option C) is the correct practice because it embeds security checks—such as static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA)—directly into the build and deployment process. This ensures that vulnerabilities are detected and remediated early, aligning with the DevSecOps principle of 'shifting left' and enabling continuous security validation without slowing down development velocity.

Exam trap

ISC2 often tests the misconception that manual or periodic security activities (like annual pen tests or pre-release code reviews) are sufficient for DevSecOps, when the core requirement is continuous, automated security integration within the CI/CD pipeline itself.

How to eliminate wrong answers

Option A is wrong because security awareness training, while important for culture, is a people-focused activity that does not integrate automated, code-level security checks into the development lifecycle; it lacks the technical enforcement needed for continuous security in CI/CD. Option B is wrong because annual penetration testing is a point-in-time, manual assessment that occurs long after code is deployed, failing to provide the continuous, automated feedback required in a DevSecOps pipeline to catch vulnerabilities during development. Option D is wrong because manual code review before release is a gate-based, human-dependent process that introduces delays and inconsistency, and it does not scale or integrate with automated CI/CD workflows, whereas DevSecOps demands automated, frequent security validation.

35
Multi-Selectmedium

Which TWO of the following are considered best practices for securing containerized applications in a cloud environment?

Select 2 answers
A.Run containers with a non-root user.
B.Enable SSH inside the container for remote administration.
C.Use the 'latest' tag for base images to get the newest features.
D.Include debugging tools inside the container for troubleshooting.
E.Use a read-only filesystem for the container.
AnswersA, E

Limits potential damage if container is compromised.

Why this answer

Running containers with a non-root user is a fundamental security best practice because it limits the potential damage from a container breakout. By default, Docker containers run as root, which means if an attacker compromises the container, they have root privileges on the host kernel. Using the USER directive in a Dockerfile or specifying a non-root user at runtime reduces the attack surface and enforces the principle of least privilege.

Exam trap

ISC2 often tests the misconception that SSH or debugging tools are necessary for container management, when in fact they violate the immutable and ephemeral principles of container security; the trap is that candidates confuse traditional server administration with cloud-native container operations.

36
MCQmedium

An organization uses infrastructure as code (IaC) to deploy cloud resources. The security team wants to prevent misconfigurations such as open security groups from being deployed. Which two practices should be integrated into the IaC pipeline? (Select TWO)

A.Limit access to the cloud management console
B.Perform manual code reviews for every change
C.Segment the network using security groups
D.Implement policy-as-code to enforce security rules
E.Use automated security scanning tools for IaC templates
AnswerD, E

Policy-as-code can block non-compliant templates from being applied.

Why this answer

Policy-as-code (D) allows security rules to be defined in a machine-readable format (e.g., using Open Policy Agent or HashiCorp Sentinel) and automatically evaluated during the IaC pipeline, preventing non-compliant configurations from being deployed. Automated security scanning tools (E) analyze IaC templates (e.g., Terraform, CloudFormation) for known misconfigurations, such as overly permissive security group rules, before they reach production. Together, these practices enforce security guardrails early in the development lifecycle.

Exam trap

ISC2 often tests the distinction between operational controls (like manual reviews or console access) and automated pipeline controls (like policy-as-code and scanning), expecting candidates to recognize that only automated, integrated checks can prevent misconfigurations at the code level before deployment.

How to eliminate wrong answers

Option A is wrong because limiting access to the cloud management console is an administrative control that does not prevent misconfigurations in IaC templates; it only restricts who can manually make changes after deployment. Option B is wrong because manual code reviews are slow, error-prone, and cannot scale to catch all misconfigurations, especially in large IaC codebases; automated checks are required for consistent enforcement. Option C is wrong because segmenting the network using security groups is a network architecture practice, not a pipeline integration; it does not prevent misconfigurations in the IaC templates themselves.

37
Multi-Selecteasy

Which TWO best practices help secure a cloud application's runtime environment?

Select 2 answers
A.Use immutable infrastructure
B.Implement host-based intrusion detection
C.Run applications with least privilege
D.Enable automatic patching of dependencies
E.Use container orchestration platform
AnswersA, C

Immutable infrastructure ensures that runtime environments are not modified after deployment, reducing drift and attack surface.

Why this answer

Immutable infrastructure ensures that once a cloud application's runtime environment is deployed, it is never modified in place. Any change requires building a new image and redeploying, which eliminates configuration drift, reduces the attack surface, and prevents unauthorized modifications from persisting. This directly secures the runtime environment by enforcing a known-good state at all times.

Exam trap

ISC2 often tests the distinction between security controls that are preventive (like immutable infrastructure and least privilege) versus detective or reactive controls (like HIDS), leading candidates to mistakenly select host-based intrusion detection as a runtime security best practice.

38
MCQhard

A cloud application uses a service mesh for inter-service communication. The security team wants to enforce mutual TLS (mTLS) between all services and ensure that service identities are verified. What is the most effective way to achieve this?

A.Set up Kerberos authentication between services
B.Configure a VPN between all service subnets
C.Implement IPsec in the network layer
D.Use the service mesh's built-in mTLS and certificate management
AnswerD

Service mesh handles mTLS and identity natively.

Why this answer

The service mesh's built-in mTLS and certificate management is the most effective approach because it provides automatic, transparent mutual TLS encryption and identity verification at the application layer, using X.509 certificates issued by the mesh's certificate authority (e.g., Istio's Citadel or Linkerd's identity controller). This ensures that every inter-service communication is authenticated and encrypted without requiring changes to application code, and it integrates directly with the service mesh's identity model (e.g., Kubernetes service accounts).

Exam trap

ISC2 often tests the misconception that network-layer encryption (IPsec or VPN) is sufficient for service-to-service authentication, but the key requirement here is per-service identity verification at the application layer, which only a service mesh's mTLS with certificate management can provide.

How to eliminate wrong answers

Option A is wrong because Kerberos is a network authentication protocol that requires a centralized Key Distribution Center (KDC) and is not designed for per-request mTLS in a service mesh; it adds complexity and does not provide transport-layer encryption natively. Option B is wrong because a VPN encrypts traffic at the network layer between subnets but does not provide per-service identity verification or mutual authentication at the application layer, and it cannot enforce mTLS between individual services within the same subnet. Option C is wrong because IPsec operates at the network layer (Layer 3) and can encrypt traffic between hosts or subnets, but it lacks the granularity to verify individual service identities and does not integrate with service mesh certificate management for dynamic, short-lived certificates.

39
Matchingmedium

Match each cloud service model to its primary responsibility area according to the shared responsibility model.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Application security

Platform security

Infrastructure security

Full stack security

Why these pairings

The shared responsibility model delineates security obligations; SaaS offloads most to provider, on-premises retains all.

40
Matchingmedium

Match each compliance framework to its primary jurisdiction or industry.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

European Union data protection

US healthcare information privacy

Payment card industry security

US financial reporting controls

Why these pairings

Compliance frameworks are often region- or industry-specific; cloud providers must support customer compliance.

41
MCQeasy

A company is implementing a secure software development lifecycle (SSDLC) for its cloud-native applications. Which practice should be automated to detect vulnerabilities early in the development process?

A.Static application security testing (SAST)
B.Penetration testing in production
C.Dynamic application security testing (DAST)
D.Manual code review
AnswerA

SAST scans source code early in development, enabling early vulnerability detection.

Why this answer

Static application security testing (SAST) analyzes source code, bytecode, or binaries without executing the application, making it ideal for early detection of vulnerabilities during the coding phase of the SSDLC. By integrating SAST into the CI/CD pipeline, developers receive immediate feedback on security flaws such as SQL injection or buffer overflows, enabling remediation before the code is built or deployed. This aligns with the 'shift left' principle, catching issues when they are cheapest and easiest to fix.

Exam trap

ISC2 often tests the distinction between SAST (white-box, early) and DAST (black-box, late), and the trap here is that candidates mistakenly choose DAST because they confuse 'dynamic' with 'automated,' forgetting that DAST requires a running application and cannot detect vulnerabilities in source code.

How to eliminate wrong answers

Option B is wrong because penetration testing in production occurs after deployment, not early in development, and can introduce risks to live systems. Option C is wrong because dynamic application security testing (DAST) requires a running application to test, making it a later-stage practice that cannot detect vulnerabilities in code before it is compiled or deployed. Option D is wrong because manual code review is not automated and is slower, less consistent, and more error-prone than automated SAST, failing to meet the requirement for automation to detect vulnerabilities early.

42
Multi-Selecthard

Which THREE are best practices for implementing secrets management in cloud applications?

Select 3 answers
A.Embed secrets in application logs for debugging
B.Store secrets in version control repositories
C.Use a dedicated secrets management service
D.Rotate secrets regularly
E.Encrypt secrets at rest and in transit
AnswersC, D, E

Dedicated services provide secure storage, access control, and audit.

Why this answer

Option C is correct because dedicated secrets management services (e.g., AWS Secrets Manager, Azure Key Vault, HashiCorp Vault) provide centralized, auditable, and policy-controlled storage for secrets like API keys and database credentials. These services enforce encryption at rest (e.g., using envelope encryption with AWS KMS) and in transit (TLS 1.2+), and support automatic rotation, reducing the risk of exposure compared to ad-hoc methods.

Exam trap

ISC2 often tests the misconception that logging secrets is acceptable for debugging (Option A) or that version control with .gitignore is sufficient to protect secrets (Option B), but the CCSP exam emphasizes that secrets must never be stored in logs or repositories, and must always be managed via dedicated, rotation-capable services.

43
MCQeasy

A developer needs to store session state for a cloud-based web application. Which of the following is the most secure approach?

A.Store session data in an encrypted server-side storage
B.Store session data in a database with SSL
C.Store session data in client-side cookies
D.Store session data in a distributed cache
AnswerA

Server-side storage with encryption protects session data from unauthorized access.

Why this answer

Option A is correct because storing session state in encrypted server-side storage ensures that session data is never exposed to the client, mitigating risks of tampering, replay, or information disclosure. Encryption at rest (e.g., using AES-256) protects against unauthorized access to the storage layer, while server-side control prevents client-side manipulation of session tokens or data. This approach aligns with the principle of least privilege and is recommended by OWASP for secure session management in cloud applications.

Exam trap

ISC2 often tests the misconception that SSL/TLS alone provides sufficient security for session data, but the trap here is that SSL only protects data in transit, not at rest, so candidates who choose 'database with SSL' overlook the need for encryption at rest and server-side control.

How to eliminate wrong answers

Option B is wrong because SSL/TLS only protects data in transit between client and server, not data at rest in the database; an attacker with database access could read session data if it is not encrypted. Option C is wrong because storing session data in client-side cookies exposes it to XSS attacks, cookie theft, and tampering, as cookies can be modified by the client or intercepted over HTTP if not properly secured with HttpOnly and Secure flags. Option D is wrong because a distributed cache (e.g., Redis or Memcached) typically does not provide built-in encryption at rest and may be accessible to other cloud tenants or attackers if misconfigured, making it less secure than dedicated encrypted storage.

44
Multi-Selecteasy

Which TWO of the following are key components of a secure software development lifecycle (SSDLC) in a cloud environment?

Select 2 answers
A.Automated static application security testing (SAST) during code commit.
B.Conducting code reviews with a security focus.
C.Performing security testing only after deployment to production.
D.Mandatory security awareness training for developers.
E.Integration of unit tests that check for security functionality.
AnswersA, B

Identifies vulnerabilities early in development.

Why this answer

Automated SAST during code commit is a key component of a secure software development lifecycle (SSDLC) in a cloud environment because it enables early detection of vulnerabilities (e.g., injection flaws, buffer overflows) by scanning source code as it is committed to the repository. This shift-left approach integrates security directly into the CI/CD pipeline, preventing flaws from progressing to later stages where remediation is more costly and complex.

Exam trap

ISC2 often tests the distinction between core technical components of the SSDLC (like automated SAST and security-focused code reviews) versus supporting activities (like training or unit tests) that are beneficial but not mandatory for the lifecycle itself.

45
MCQeasy

A company is migrating a legacy application to the cloud. The application uses hardcoded database credentials. Which secure development practice should be implemented to address this?

A.Use code signing for all deployments
B.Implement input validation on all user inputs
C.Enable encryption at rest for the database
D.Use a secrets management service
AnswerD

Secrets management securely stores and rotates credentials, eliminating hardcoding.

Why this answer

Hardcoded database credentials in application code create a severe security risk because they are exposed in version control, logs, and static analysis. Using a secrets management service (e.g., AWS Secrets Manager, HashiCorp Vault, Azure Key Vault) allows credentials to be stored securely, rotated automatically, and accessed at runtime via API calls, eliminating the need to embed secrets in code. This aligns with the principle of least privilege and secure credential management in cloud application security.

Exam trap

ISC2 often tests the distinction between 'protecting data at rest' (encryption) and 'protecting access credentials' (secrets management), leading candidates to mistakenly choose encryption at rest when the real issue is credential exposure in code.

How to eliminate wrong answers

Option A is wrong because code signing ensures the integrity and authenticity of the deployed code, but it does not address the problem of hardcoded credentials—it does not remove secrets from the codebase. Option B is wrong because input validation prevents injection attacks (e.g., SQLi, XSS) by sanitizing user-supplied data, but it has no effect on static credentials embedded in the application source code. Option C is wrong because encryption at rest protects data stored in the database (e.g., on disk), but it does not protect the credentials used to access the database—those credentials remain exposed in the code.

46
MCQmedium

A company is adopting a serverless architecture using AWS Lambda. The security team is concerned about potential injection attacks via event payloads. Which practice is most effective at mitigating such attacks?

A.Use a web application firewall (WAF) in front of the API Gateway
B.Assign the least privilege IAM role to each Lambda function
C.Validate and sanitize all input data from event sources
D.Encrypt environment variables containing sensitive configuration
AnswerC

Input validation prevents malicious payloads from being processed.

Why this answer

Option C is correct because serverless functions like AWS Lambda are directly invoked by event payloads, and without input validation and sanitization, an attacker can inject malicious code (e.g., SQL, NoSQL, OS commands) that the function executes. This is the most effective mitigation as it addresses the root cause at the application layer, regardless of any perimeter controls.

Exam trap

ISC2 often tests the misconception that perimeter controls (like WAFs) or IAM permissions are sufficient to prevent application-layer attacks, but the trap here is that injection vulnerabilities are code-level flaws that only input validation can directly remediate.

How to eliminate wrong answers

Option A is wrong because a WAF operates at the HTTP/HTTPS layer and cannot inspect or block injection attacks that originate from non-HTTP event sources (e.g., S3 events, DynamoDB Streams, SQS messages) or from payloads that are already inside the trusted network path. Option B is wrong because least privilege IAM roles control what resources the Lambda function can access (e.g., read from a database), but they do not prevent the function from executing malicious input passed in the event payload. Option D is wrong because encrypting environment variables protects sensitive configuration data at rest and in transit, but it has no effect on injection attacks that exploit unsanitized input in the event payload.

47
MCQmedium

A company is adopting DevSecOps and wants to incorporate security testing into their continuous integration pipeline. They have decided to run SAST (static analysis) and SCA (software composition analysis) tools. Which of the following is the PRIMARY reason for including SCA in addition to SAST?

A.To detect insecure runtime behavior
B.To identify known vulnerabilities in third-party libraries and dependencies
C.To reduce false positives identified by SAST
D.To scan for vulnerabilities in custom APIs
AnswerB

SCA specifically scans open source components for known CVEs.

Why this answer

SCA (Software Composition Analysis) is specifically designed to identify known vulnerabilities in third-party libraries and dependencies by comparing their versions against public vulnerability databases like the National Vulnerability Database (NVD) or OWASP Dependency-Check. SAST (Static Application Security Testing) analyzes custom source code for security flaws but cannot inspect external libraries that are often pulled in via package managers (e.g., npm, Maven, pip). Including SCA ensures that the organization addresses supply chain risks, which is a primary goal in DevSecOps pipelines.

Exam trap

ISC2 often tests the distinction between SAST (custom code analysis) and SCA (third-party dependency analysis), and the trap here is that candidates may confuse SCA with DAST or think SCA can reduce SAST false positives, when in reality SCA addresses a completely different attack surface—open-source library vulnerabilities.

How to eliminate wrong answers

Option A is wrong because detecting insecure runtime behavior is the domain of DAST (Dynamic Application Security Testing) or IAST (Interactive Application Security Testing), not SCA, which focuses on static analysis of dependency manifests. Option C is wrong because SCA does not reduce false positives from SAST; false positive reduction is typically achieved by tuning SAST rules, using IAST for verification, or implementing manual triage processes. Option D is wrong because scanning for vulnerabilities in custom APIs is a function of SAST (for code-level flaws) or DAST (for runtime API endpoints), not SCA, which only analyzes third-party components and their known CVEs.

48
MCQhard

A company is implementing a serverless application using AWS Lambda. The function processes S3 events and writes to a DynamoDB table. Which of the following is the MOST secure way to grant the necessary permissions?

A.Use resource-based policies on the Lambda function
B.Attach a managed policy that grants full access to S3 and DynamoDB
C.Use the root user credentials of the AWS account
D.Create a custom IAM role with only the required actions on specific resources
AnswerD

Least privilege with scoped actions and resources.

Why this answer

Option D is correct because AWS Lambda functions require an IAM role (execution role) to access other AWS services. By creating a custom IAM role with only the required actions (e.g., s3:GetObject for the specific S3 bucket and dynamodb:PutItem for the specific DynamoDB table), you adhere to the principle of least privilege, minimizing the attack surface and ensuring secure, auditable access.

Exam trap

ISC2 often tests the misconception that resource-based policies on the Lambda function can grant the function permissions to other services, when in fact they only control invocation permissions, not the function's outbound access to resources like S3 or DynamoDB.

How to eliminate wrong answers

Option A is wrong because resource-based policies on a Lambda function control who can invoke the function, not what the function can access; they do not grant the function permissions to S3 or DynamoDB. Option B is wrong because attaching a managed policy that grants full access to S3 and DynamoDB violates least privilege, potentially allowing the function to perform unintended actions (e.g., delete data) and increasing the blast radius of a compromise. Option C is wrong because using root user credentials is a severe security risk—root credentials have unrestricted access, should never be used for programmatic access, and violate AWS best practices and compliance requirements.

49
MCQeasy

A cloud application developer is using a containerized application with Docker. The security team requires that the application runs with the least privilege possible. Which of the following is the BEST practice to ensure the container does not run as root?

A.Use the --no-root flag when starting the container.
B.Include a USER directive in the Dockerfile to specify a non-root user.
C.Set the securityContext.runAsNonRoot parameter in the container manifest.
D.Use the --cap-drop=ALL option when running the container.
AnswerB

This is the standard way to run a container as a non-root user.

Why this answer

The USER directive in a Dockerfile sets the user for any subsequent RUN, CMD, or ENTRYPOINT instructions, ensuring the container process runs as a non-root user by default. This is the most direct and persistent method to enforce least privilege at build time, as it becomes part of the image itself and applies regardless of runtime flags.

Exam trap

ISC2 often tests the distinction between runtime flags (like --user or --cap-drop) and build-time directives (like USER), and candidates mistakenly think dropping capabilities is equivalent to running as a non-root user.

How to eliminate wrong answers

Option A is wrong because Docker does not have a --no-root flag; the correct approach is to use the --user flag at runtime or the USER directive in the Dockerfile. Option C is wrong because securityContext.runAsNonRoot is a Kubernetes pod-level setting, not a Docker-native construct, and it only enforces a policy that the container must not run as root, but does not actually set a non-root user. Option D is wrong because --cap-drop=ALL removes all Linux capabilities but does not change the user identity; the container could still run as root with no capabilities, which violates the least privilege principle for user context.

50
MCQeasy

Which of the following is a key benefit of using a software composition analysis (SCA) tool in a cloud application security program?

A.Detects known vulnerabilities in open-source libraries
B.Enforces runtime policies
C.Simulates attacks on running applications
D.Identifies vulnerabilities in proprietary code
AnswerA

SCA specifically identifies vulnerabilities in third-party components.

Why this answer

SCA tools automate the identification of open-source components within a codebase and cross-reference them against databases like the National Vulnerability Database (NVD) to detect known vulnerabilities (CVEs). This is a key benefit because cloud applications often heavily rely on open-source libraries, and SCA provides a scalable way to manage that risk without manual auditing.

Exam trap

ISC2 often tests the distinction between SCA (open-source dependency scanning) and SAST (proprietary code scanning), so the trap here is confusing which tool analyzes which type of code, leading candidates to incorrectly select option D.

How to eliminate wrong answers

Option B is wrong because enforcing runtime policies is the function of a Runtime Application Self-Protection (RASP) tool or a cloud workload protection platform (CWPP), not an SCA tool which focuses on static analysis of dependencies. Option C is wrong because simulating attacks on running applications is the purpose of a dynamic application security testing (DAST) tool or a penetration testing framework, not SCA which does not execute code. Option D is wrong because identifying vulnerabilities in proprietary code is the domain of static application security testing (SAST) tools that analyze custom source code, whereas SCA specifically targets open-source and third-party components.

51
MCQeasy

A cloud application processes data subject to GDPR. The security team needs to ensure that all personally identifiable information (PII) is encrypted at rest and that access is logged. Which combination of controls should be implemented? (Select THREE)

A.Implement strict least privilege access controls
B.Use TLS for all network connections
C.Configure logging for all data access
D.Enable database encryption at rest
E.Implement a key management system
AnswerA, C, D

Limits who can access PII, reducing unauthorized access.

Why this answer

Option A is correct because strict least privilege access controls ensure that only authorized users or services can access PII, minimizing the risk of unauthorized exposure. This is a fundamental security principle for GDPR compliance, as it directly supports the data minimization and access control requirements. By restricting access to only what is necessary for a role, the organization reduces the attack surface and ensures that any access is intentional and auditable.

Exam trap

ISC2 often tests the distinction between encryption at rest and in transit, so candidates may incorrectly select TLS (Option B) thinking it covers encryption requirements, but the question explicitly specifies 'at rest'.

How to eliminate wrong answers

Option B is wrong because TLS encrypts data in transit, not at rest; the question specifically requires encryption at rest, so TLS does not address that requirement. Option E is wrong because while a key management system is important for managing encryption keys, it is not a direct control for encrypting data at rest or logging access; the question asks for controls that ensure PII is encrypted at rest and access is logged, and key management is a supporting process, not a primary control.

52
MCQmedium

A security analyst is reviewing CloudTrail logs and sees the above event. The analyst suspects that the AMI used may be outdated and vulnerable. Which action should the analyst take to verify the security posture of the launched instance?

A.Verify that the instance is not assigned a public IP address
B.Check the security groups associated with the instance
C.Check the AMI ID for known vulnerabilities using the AWS Systems Manager Patch Manager
D.Look up the AMI in the EC2 console and review its description and security bulletins
AnswerD

Reviewing the AMI details helps determine if it is outdated or has known issues.

Why this answer

Option D is correct because the AMI ID in the CloudTrail log can be used to look up the AMI in the EC2 console, where its description, release notes, and associated security bulletins are available. This allows the analyst to determine if the AMI is outdated or has known vulnerabilities, directly addressing the suspicion about the AMI's security posture.

Exam trap

ISC2 often tests the distinction between checking the AMI itself (via its ID and associated bulletins) versus checking runtime configurations (like security groups or public IPs) or using patching tools that apply to instances, not AMI metadata.

How to eliminate wrong answers

Option A is wrong because verifying the absence of a public IP address checks network exposure, not the security posture of the AMI itself; an instance can be vulnerable regardless of public IP assignment. Option B is wrong because security groups control network traffic rules, not the underlying AMI's software vulnerabilities; they do not reveal if the AMI is outdated. Option C is wrong because AWS Systems Manager Patch Manager is used to patch running instances, not to check an AMI ID for known vulnerabilities; it operates on instances, not on AMI metadata or security bulletins.

53
Multi-Selecthard

Which THREE of the following are valid techniques to protect application programming interfaces (APIs) from abuse?

Select 3 answers
A.Use API gateways to enforce authentication and authorization policies.
B.Use JSON Web Tokens (JWT) without encryption.
C.Use only HTTP GET requests for all API calls.
D.Implement rate limiting and throttling.
E.Require API keys or OAuth tokens for every request.
AnswersA, D, E

Centralizes security controls.

Why this answer

API gateways act as a centralized policy enforcement point, intercepting all API traffic to validate authentication (e.g., OAuth 2.0, SAML) and authorization (e.g., RBAC, ABAC) before requests reach backend services. This prevents unauthorized access and ensures that only authenticated clients with proper permissions can invoke protected endpoints, directly mitigating abuse such as credential stuffing or privilege escalation.

Exam trap

The trap here is that candidates may think JWT without encryption is acceptable because JWTs are often signed (JWS), but the CCSP exam emphasizes that confidentiality is a separate requirement—signing alone does not protect sensitive data in the payload, and encryption (JWE) is mandatory when tokens contain private information.

54
MCQmedium

A cloud application uses a third-party identity provider (IdP) for SSO. The security team notices that tokens are being reused across different applications. Which token binding mechanism should be implemented?

A.Use of bearer tokens without additional protection
B.Short token expiration times
C.Token binding to TLS session
D.Audience restriction
AnswerC

Token binding ties the token to a specific TLS connection.

Why this answer

Token binding cryptographically ties an access token to a specific TLS session, preventing token export and replay across different applications. This directly addresses the reuse of tokens across applications by binding the token to the TLS layer, so even if an attacker intercepts the token, it cannot be used with a different TLS connection. RFC 8471 defines token binding for OAuth 2.0, ensuring the token is only valid when presented over the same TLS channel that was established during issuance.

Exam trap

ISC2 often tests the distinction between token binding and audience restriction, where candidates mistakenly think audience restriction prevents reuse across applications, but audience restriction only limits which application can accept the token, not that the token is bound to a specific TLS session.

How to eliminate wrong answers

Option A is wrong because bearer tokens without additional protection are inherently vulnerable to replay and reuse, which is exactly the problem described in the scenario. Option B is wrong because short token expiration times reduce the window of opportunity but do not prevent token reuse across applications during the token's lifetime; an attacker can still replay the token within that window. Option D is wrong because audience restriction limits which application can accept the token based on the 'aud' claim, but it does not prevent the token from being reused across different applications if the attacker can present it to the intended audience; it controls scope, not binding to a specific session.

55
MCQeasy

A company is moving a legacy application to the cloud. The application uses hard-coded passwords for database connections. Which secure development practice should be implemented to address this issue?

A.Multi-factor authentication
B.Input validation
C.Encryption at rest
D.Secrets management
AnswerD

Secrets management securely stores and retrieves credentials, removing the need for hard-coded passwords.

Why this answer

Hard-coded passwords in application code violate the principle of least privilege and create a persistent security risk if the code is exposed. Secrets management (D) addresses this by storing database credentials in a secure, centralized vault (e.g., HashiCorp Vault, AWS Secrets Manager) and retrieving them at runtime via API calls, eliminating the need to embed passwords in source code or configuration files.

Exam trap

ISC2 often tests the distinction between 'encryption at rest' (protecting stored data) and 'secrets management' (protecting credentials used to access that data), leading candidates to confuse data protection with credential protection.

How to eliminate wrong answers

Option A is wrong because multi-factor authentication (MFA) is an identity verification mechanism for user access, not a method to securely store or manage application-level database credentials. Option B is wrong because input validation prevents injection attacks (e.g., SQL injection) by sanitizing user-supplied data, but it does not address the storage or retrieval of hard-coded passwords. Option C is wrong because encryption at rest protects data stored on disk (e.g., database files) from unauthorized access, but it does not prevent the exposure of credentials hard-coded in application code or configuration.

56
MCQmedium

A company wants to enforce that all API calls to its cloud services are authenticated and authorized. Which design pattern should be implemented?

A.Implement OAuth 2.0 with scopes
B.Use API keys with IP whitelisting
C.Allow basic authentication over HTTPS
D.Use shared secrets with HMAC
AnswerA

OAuth 2.0 with scopes enables delegated, scoped access.

Why this answer

OAuth 2.0 with scopes is the correct design pattern because it provides a standardized, token-based authorization framework that allows fine-grained access control to API resources. Scopes define specific permissions (e.g., read, write) and are validated by the resource server, ensuring that each API call is both authenticated (via the access token) and authorized (via the scopes). This aligns with the principle of least privilege and is widely adopted for securing cloud APIs.

Exam trap

The trap here is that candidates often confuse authentication (verifying identity) with authorization (granting permissions) and choose a method like API keys or basic auth that only authenticates, failing to address the authorization requirement explicitly stated in the question.

How to eliminate wrong answers

Option B is wrong because API keys with IP whitelisting only authenticate the client application, not the user or the request context, and IP whitelisting can be bypassed via spoofing or compromised networks; it lacks granular authorization. Option C is wrong because basic authentication over HTTPS sends credentials (username/password) in every request, which is vulnerable to credential leakage if the client or server is compromised, and it does not support scoped authorization. Option D is wrong because shared secrets with HMAC provide message integrity and authentication but do not offer a standardized way to enforce fine-grained authorization scopes; managing shared secrets at scale is also a security risk.

57
MCQhard

A security engineer is investigating an incident where an attacker exploited a server-side request forgery (SSRF) vulnerability in a cloud application. The application runs on AWS and uses internal metadata endpoints. Which mitigation should be prioritized to prevent future SSRF attacks?

A.Implement input validation to block malicious URLs
B.Restrict outbound network access from the application instances using security groups
C.Deploy a web application firewall (WAF) to inspect outgoing requests
D.Disable the IMDSv1 endpoint and require IMDSv2 tokens
AnswerB

Blocking outbound traffic to the metadata IP (169.254.169.254) and other internal IPs prevents SSRF exploitation.

Why this answer

Option B is correct because restricting outbound network access from application instances using security groups directly prevents the application from reaching the internal metadata endpoint (169.254.169.254) and other internal services. This is a fundamental network-layer control that stops SSRF attacks at the source, regardless of input validation or request inspection, by blocking the outbound traffic that the attacker would exploit.

Exam trap

ISC2 often tests the misconception that input validation or WAFs are sufficient to stop SSRF, when in reality the most effective mitigation is network-layer egress filtering that blocks access to internal metadata endpoints.

How to eliminate wrong answers

Option A is wrong because input validation to block malicious URLs is easily bypassed by attackers using URL encoding, redirects, or alternative representations of the metadata endpoint (e.g., decimal IP, DNS rebinding), and it does not address the root cause of the application making unauthorized outbound requests. Option C is wrong because a web application firewall (WAF) inspects incoming HTTP requests, not outgoing requests from the application; it cannot block the outbound SSRF traffic that originates from the application server itself. Option D is wrong because disabling IMDSv1 and requiring IMDSv2 tokens only protects the metadata service from unauthorized access via token-based authentication, but it does not prevent the application from making SSRF requests to other internal endpoints or external systems; the attacker could still exploit the application to make outbound requests to arbitrary targets.

58
Drag & Dropmedium

Drag and drop the steps for conducting a cloud security risk assessment using the NIST CSF framework into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Start with identification, then threat/vulnerability assessment, risk analysis, treatment, and monitoring.

59
MCQhard

An AWS S3 bucket policy is configured as shown in the exhibit. The security team wants to ensure that only requests from the corporate IP range (203.0.113.0/24) can read objects in the bucket. However, they notice that a CloudFront distribution configured to serve content from this bucket is returning 403 Forbidden errors. What is the MOST likely cause?

A.The bucket policy has a syntax error in the Condition block.
B.There is an implicit deny that overrides the explicit allow.
C.The bucket policy does not allow the s3:GetObject action.
D.CloudFront requests originate from CloudFront IP addresses, not the end user's IP.
AnswerD

The condition on aws:SourceIp checks the IP of the requestor, which is CloudFront's IP, not the viewer's IP.

Why this answer

D is correct because when CloudFront fetches objects from an S3 origin, it uses its own IP addresses, not the end user's IP address. The bucket policy restricts access to the corporate IP range (203.0.113.0/24), but CloudFront's requests come from AWS's CloudFront edge IP range, which falls outside that range. This causes S3 to deny the request, resulting in a 403 Forbidden error.

Exam trap

ISC2 often tests the misconception that the end user's IP address is preserved through a CDN or proxy, leading candidates to incorrectly assume the bucket policy's IP restriction will work as intended.

How to eliminate wrong answers

Option A is wrong because the Condition block syntax is valid; the policy uses standard AWS IAM policy language with IpAddress condition key, and there is no syntax error indicated. Option B is wrong because there is no implicit deny overriding the explicit allow; the issue is that the condition does not match CloudFront's source IP, not a deny override. Option C is wrong because the policy explicitly allows the s3:GetObject action for the specified IP range, so the action is permitted when the condition is met.

60
MCQmedium

During a security audit, a cloud application is found to have numerous container images with critical vulnerabilities. The DevOps team wants to prevent vulnerable images from being deployed to production. Which two controls should be implemented? (Select TWO)

A.Implement image vulnerability scanning in the CI/CD pipeline
B.Regularly update base images
C.Only allow signed images to be pulled from a trusted registry
D.Use network segmentation to isolate production containers
E.Run all containers as non-root users
AnswerA, C

Scanning can fail the build if critical vulnerabilities are found, preventing deployment.

Why this answer

Option A is correct because integrating image vulnerability scanning into the CI/CD pipeline ensures that every container image is automatically checked for known Common Vulnerabilities and Exposures (CVEs) before it can be promoted to production. This shift-left approach blocks vulnerable images at build time, preventing them from ever reaching the production environment. Option C is correct because enforcing signed images from a trusted registry (e.g., using Docker Content Trust or Notary) cryptographically verifies the image's integrity and origin, ensuring only authorized, non-tampered images are deployed.

Exam trap

ISC2 often tests the distinction between preventive controls (like scanning and signing) that stop vulnerable images from being deployed versus mitigative controls (like network segmentation or non-root users) that reduce the impact after deployment, leading candidates to select the latter as a substitute for prevention.

How to eliminate wrong answers

Option B is wrong because regularly updating base images is a good security hygiene practice but does not prevent already-built vulnerable images from being deployed; it only reduces future vulnerabilities. Option D is wrong because network segmentation isolates production containers at the network layer to limit lateral movement, but it does not prevent a vulnerable image from being deployed in the first place. Option E is wrong because running containers as non-root users reduces the blast radius of a compromise but does not stop a vulnerable image from being deployed to production.

61
MCQmedium

A software company develops an API for third-party integrations. They want to ensure that only authorized partners can access the API. Which authentication mechanism is most appropriate?

A.Basic authentication with API keys
B.OAuth 2.0 with client credentials
C.SAML 2.0
D.X.509 certificates
AnswerB

OAuth 2.0 client credentials grant is a standard for machine-to-machine API authentication.

Why this answer

OAuth 2.0 with the client credentials grant is the most appropriate mechanism for machine-to-machine API access because it allows the API to authenticate the third-party application itself (the client) using a client ID and client secret, without involving end-user credentials. This grant type is specifically designed for server-to-server integrations where the client is acting on its own behalf, providing a secure, token-based approach that avoids sharing long-lived secrets directly with each API call.

Exam trap

ISC2 often tests the distinction between authentication mechanisms by presenting SAML 2.0 as a plausible answer for API security, but the trap here is that SAML is designed for browser-based user authentication and federation, not for direct API access from third-party applications, leading candidates to confuse identity federation with API authorization.

How to eliminate wrong answers

Option A is wrong because Basic authentication with API keys transmits the API key in plaintext (Base64-encoded) with every request, offering no cryptographic protection and requiring the API key to be stored and sent repeatedly, which increases exposure risk and lacks the token expiration and scoping capabilities of OAuth 2.0. Option C is wrong because SAML 2.0 is an XML-based federated identity protocol designed for browser-based single sign-on (SSO) with user authentication, not for direct API access from third-party applications; it is heavy, not optimized for RESTful APIs, and does not provide a simple client credentials flow. Option D is wrong because X.509 certificates are used for mutual TLS (mTLS) authentication, which is more complex to manage (certificate issuance, renewal, revocation) and is typically reserved for high-security environments or regulatory compliance, not as a standard mechanism for third-party API integrations where OAuth 2.0 is the industry norm.

62
MCQhard

An architect reviews this S3 bucket policy. What security concern should be raised?

A.The policy grants access to all users from the specified IP range.
B.The policy allows s3:GetObject from any source.
C.The policy allows s3:GetObject only to the specific bucket.
D.The policy does not restrict access to authenticated users.
AnswerA

Without a Principal, the policy applies to all users (including anonymous) from that IP range.

Why this answer

Option A is correct because the policy grants s3:GetObject access to all users (Principal: "*") from the specified IP range, which means any unauthenticated user on the internet within that IP range can read objects in the bucket. This violates the principle of least privilege and exposes data to potential unauthorized access, as the policy does not require authentication or additional authorization checks.

Exam trap

ISC2 often tests the misconception that an IP restriction alone ensures security, when in fact it still allows anonymous access from any user within that range, bypassing authentication and IAM controls.

How to eliminate wrong answers

Option B is wrong because the policy explicitly restricts access to a specific IP range via the `aws:SourceIp` condition, so it does not allow s3:GetObject from any source. Option C is wrong because while the policy does restrict s3:GetObject to the specific bucket (via the Resource ARN), this is not a security concern—it is a correct scoping of permissions. Option D is wrong because the policy does not require authenticated users; it grants access to all users (Principal: "*") within the IP range, which is the actual security concern, not the lack of authentication restriction.

63
MCQhard

An organization uses a multi-cloud architecture with applications running on both AWS and Azure. They need to implement a secrets management solution that works across both platforms and supports automated rotation. Which approach best meets these requirements?

A.Deploy HashiCorp Vault as a centralized secrets manager
B.Store secrets as encrypted environment variables in each environment
C.Use Azure Key Vault with a federation bridge to AWS
D.Use AWS Secrets Manager for all secrets
AnswerA

Vault is cloud-agnostic, supports automated rotation, and integrates with both AWS and Azure.

Why this answer

HashiCorp Vault provides a cloud-agnostic secrets management service with automated rotation and cross-cloud capabilities. AWS Secrets Manager is AWS-specific. Azure Key Vault is Azure-specific.

Encrypted environment variables are not easily rotated and require redeployment.

64
MCQmedium

A company runs a multi-tier cloud application with a web frontend, an API layer, and a database. The application uses OAuth 2.0 for authentication. Recently, users have been experiencing session hijacking attacks. Upon investigation, the security team finds that session tokens are being intercepted in transit. The application uses HTTPS for all communications, but a developer discovers that the application is also accessible via HTTP due to a misconfiguration. The team wants to implement additional security controls to prevent token theft. Which course of action should be taken first?

A.Use IP address binding for session tokens
B.Implement HTTP Strict Transport Security (HSTS) to enforce HTTPS connections
C.Switch from OAuth to SAML for authentication
D.Shorten the session token expiration time
AnswerB

HSTS forces browsers to use HTTPS only, eliminating HTTP access and reducing token interception risk.

Why this answer

The root cause is that the application is accessible via HTTP due to a misconfiguration, allowing session tokens to be intercepted in transit despite HTTPS being available. Implementing HTTP Strict Transport Security (HSTS) forces the browser to always use HTTPS, preventing any HTTP connections and thus eliminating the interception vector. This directly addresses the misconfiguration before other controls, which would only mitigate but not prevent the theft.

Exam trap

ISC2 often tests the concept that session hijacking prevention must address the root cause (insecure transport) rather than just mitigating the impact of token theft, leading candidates to choose options like shortening expiration or IP binding instead of enforcing HTTPS with HSTS.

How to eliminate wrong answers

Option A is wrong because IP address binding for session tokens is a server-side binding that can help prevent token reuse from different IPs, but it does not prevent the initial interception of the token over HTTP; the token can still be stolen in transit. Option C is wrong because switching from OAuth 2.0 to SAML does not change the transport security issue; both protocols can be used over HTTP and are equally vulnerable to interception if HTTPS is not enforced. Option D is wrong because shortening the session token expiration time reduces the window of opportunity for an attacker to use a stolen token, but it does not prevent the token from being intercepted in the first place over an HTTP connection.

65
MCQmedium

A security team is implementing a web application firewall (WAF) for a cloud-based e-commerce application. The application is built on a microservices architecture and uses a RESTful API. Which of the following is the PRIMARY reason to deploy the WAF at the API gateway level rather than at the individual service level?

A.To provide centralized protection against common web exploits before traffic reaches the microservices.
B.To reduce latency by caching responses at the API gateway.
C.To offload authentication from the microservices to the API gateway.
D.To monitor API usage and detect anomalies in traffic patterns.
AnswerA

Centralized WAF at the API gateway ensures consistent policy enforcement and reduces attack surface.

Why this answer

Deploying the WAF at the API gateway provides a centralized security enforcement point that inspects and filters all incoming HTTP/HTTPS traffic before it is routed to any individual microservice. This ensures that common web exploits—such as SQL injection, cross-site scripting (XSS), and OWASP Top 10 attacks—are blocked at the perimeter, reducing the attack surface and preventing malicious payloads from ever reaching the internal services. It also simplifies policy management and avoids the need to configure and maintain separate WAF instances for each microservice, which would introduce operational complexity and potential gaps in coverage.

Exam trap

The trap here is that candidates confuse the WAF's primary security purpose (centralized exploit prevention) with other common API gateway features like caching, authentication offloading, or traffic monitoring, leading them to select a technically valid but non-primary reason for WAF placement.

How to eliminate wrong answers

Option B is wrong because caching responses at the API gateway is a performance optimization, not a primary security reason for deploying a WAF; WAFs do not inherently cache responses, and caching is typically handled by a separate reverse proxy or CDN. Option C is wrong because offloading authentication to the API gateway is an identity and access management function, not a WAF function; while an API gateway can handle authentication, a WAF's primary role is to inspect and filter traffic for malicious content, not to authenticate users. Option D is wrong because monitoring API usage and detecting anomalies in traffic patterns is typically the responsibility of an API management platform or a dedicated security analytics tool, not the core function of a WAF; a WAF focuses on blocking known attack signatures and behavioral anomalies, but its primary deployment reason is centralized threat protection, not monitoring alone.

66
MCQeasy

A cloud application uses a RESTful API that handles payment transactions. The security team identifies that the API is vulnerable to brute-force attacks on the authentication endpoint. Which control should be implemented to mitigate this?

A.Implement rate limiting on the authentication endpoint
B.Require API keys for all requests
C.Use TLS to encrypt the communication channel
D.Add input validation for all parameters
AnswerA

Rate limiting reduces the number of allowed attempts, blocking brute-force attacks.

Why this answer

Rate limiting restricts the number of authentication requests from a single source within a given time window, directly mitigating brute-force attacks by making it infeasible to guess credentials at high speed. This control is specifically designed for authentication endpoints where repeated failed attempts are the primary attack vector, and it is a standard recommendation in OWASP and NIST guidelines for API security.

Exam trap

ISC2 often tests the distinction between authentication-specific controls (rate limiting) and general security measures (encryption, input validation), leading candidates to choose TLS or API keys because they are commonly associated with API security but do not address brute-force frequency.

How to eliminate wrong answers

Option B is wrong because API keys authenticate the client application, not the user, and do not prevent an attacker from repeatedly trying different passwords or tokens against the authentication endpoint. Option C is wrong because TLS encrypts data in transit to prevent eavesdropping and tampering, but it does not limit the number of requests an attacker can send, leaving the endpoint vulnerable to brute-force attempts. Option D is wrong because input validation prevents injection attacks (e.g., SQLi, XSS) but does not restrict the frequency of requests, so an attacker can still submit unlimited login attempts with valid parameter formats.

67
MCQhard

A cloud security architect is designing a CI/CD pipeline for a serverless application using AWS Lambda. The application processes sensitive user data and requires encryption at rest and in transit. Which of the following is the BEST approach to securely manage database credentials used by the Lambda function?

A.Store the credentials in AWS Systems Manager Parameter Store with a SecureString parameter.
B.Use AWS Secrets Manager to store the credentials and retrieve them at runtime with least-privilege IAM roles.
C.Store the credentials as encrypted environment variables in the Lambda function configuration.
D.Hardcode the credentials in the Lambda function code and encrypt the deployment package.
AnswerB

Secrets Manager provides secure storage, automatic rotation, and fine-grained access control via IAM.

Why this answer

AWS Secrets Manager is the best choice because it is purpose-built for securely storing, rotating, and retrieving secrets such as database credentials. It integrates natively with AWS Lambda via the Secrets Manager API, allowing the function to fetch credentials at runtime using a least-privilege IAM role. This approach avoids embedding secrets in code or configuration and supports automatic rotation, which is critical for compliance with encryption and access control requirements.

Exam trap

ISC2 often tests the distinction between AWS Systems Manager Parameter Store (for configuration) and AWS Secrets Manager (for secrets), trapping candidates who think encryption alone is sufficient without considering rotation and lifecycle management.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store with SecureString provides encryption but lacks native automatic rotation and fine-grained access control for secrets; it is designed for configuration data, not secrets management. Option C is wrong because encrypted environment variables are still stored in the Lambda configuration and can be exposed through logs, error messages, or the AWS Management Console; they also do not support rotation. Option D is wrong because hardcoding credentials in code, even with an encrypted deployment package, violates the principle of not embedding secrets in code and makes rotation impossible without redeployment; the encryption key management also adds unnecessary complexity.

68
Multi-Selectmedium

Which TWO practices help protect against insecure deserialization attacks in cloud applications?

Select 2 answers
A.Allow deserialization from untrusted sources
B.Use strong encryption for all serialized data
C.Implement custom deserialization without validation
D.Validate serialized objects before deserialization
E.Restrict deserialization to a whitelist of classes
AnswersD, E

Validation can detect tampered objects.

Why this answer

Option D is correct because validating serialized objects before deserialization ensures that the data conforms to expected schemas and constraints, preventing malicious payloads from triggering arbitrary code execution. This practice is critical in cloud applications where deserialization of user-supplied data (e.g., JSON or XML) can lead to remote code execution (RCE) or denial-of-service (DoS) attacks if not validated.

Exam trap

ISC2 often tests the misconception that encryption alone (Option B) is sufficient to secure serialized data, but encryption only protects data at rest or in transit, not the deserialization process itself, which is where the attack occurs.

69
MCQmedium

A company uses a cloud-based CI/CD pipeline with GitLab. Developers push code to a repository, triggering a build. The security team notices that sensitive API keys are being logged in build output. Which practice best prevents this?

A.Implement a secrets detection tool in the pipeline
B.Use environment variables in the pipeline configuration
C.Use a separate build server
D.Encrypt the Git repository
AnswerA

Automated secrets detection scans for and blocks credentials in build output.

Why this answer

A secrets detection tool (e.g., GitLab Secret Detection, TruffleHog, or Gitleaks) scans code and build output for patterns matching API keys, tokens, or passwords before they are logged or stored. This directly prevents sensitive credentials from appearing in build logs, which is the specific issue described. Unlike other options, it actively identifies and blocks secrets at the point of exposure.

Exam trap

The trap here is that candidates often confuse 'using environment variables' (a secure storage method) with 'preventing secrets from being logged' (a detection and blocking mechanism), leading them to choose Option B even though environment variables do not stop accidental output.

How to eliminate wrong answers

Option B is wrong because environment variables in pipeline configuration (e.g., CI/CD variables in GitLab) are a secure way to pass secrets, but they do not prevent secrets from being accidentally logged in build output if the application or script explicitly prints them. Option C is wrong because using a separate build server does not address the root cause—secrets can still be logged regardless of where the build runs; it only changes the execution environment. Option D is wrong because encrypting the Git repository protects data at rest but does not prevent secrets from being exposed in plaintext during the build process or in logs.

70
Multi-Selectmedium

Which TWO of the following are primary objectives of a cloud application security program?

Select 2 answers
A.Maintaining application availability
B.Performing continuous deployment
C.Implementing a microservices architecture
D.Ensuring data confidentiality and integrity
E.Adopting Agile development practices
AnswersA, D

Availability is a key security objective (CIA triad).

Why this answer

Maintaining application availability is a primary objective of a cloud application security program because it directly supports the security triad of confidentiality, integrity, and availability (CIA). In a cloud environment, availability ensures that authorized users can access applications and data when needed, which is critical for business continuity and is often enforced through SLAs, redundancy, and DDoS protection mechanisms. Without availability, security controls become irrelevant as the service is effectively denied.

Exam trap

ISC2 often tests the distinction between security objectives and operational or architectural practices, trapping candidates who confuse 'continuous deployment' or 'microservices' with security goals because they are commonly discussed in cloud security contexts but are not primary objectives.

71
MCQhard

A cloud application uses containers orchestrated by Kubernetes. The security team wants to enforce that containers cannot run as root and that file systems are read-only at runtime. Which Kubernetes security context configuration should be applied?

A.Use a RuntimeClass that disables root capabilities
B.Set the container's user to a non-root user in the Dockerfile
C.Apply a PodSecurityPolicy that blocks privileged containers
D.Configure a SecurityContext with runAsNonRoot: true and readOnlyRootFilesystem: true
AnswerD

Directly sets the required properties in the container specification.

Why this answer

Option D is correct because Kubernetes SecurityContext allows fine-grained control over container permissions at the pod or container level. Setting `runAsNonRoot: true` ensures the container cannot run as UID 0, and `readOnlyRootFilesystem: true` mounts the container's root filesystem as read-only, preventing unauthorized writes at runtime. This directly satisfies the security team's requirements without relying on external policies or image-level configurations.

Exam trap

The trap here is that candidates confuse image-level defaults (like a non-root user in a Dockerfile) with runtime enforcement via SecurityContext, or they think PodSecurityPolicy (a deprecated feature) is the only way to enforce these restrictions, when in fact SecurityContext is the direct and correct mechanism.

How to eliminate wrong answers

Option A is wrong because a RuntimeClass primarily selects a container runtime (e.g., gVisor, Kata Containers) for isolation, not a mechanism to disable root capabilities or enforce read-only filesystems; it does not directly set runAsNonRoot or readOnlyRootFilesystem. Option B is wrong because setting a non-root user in the Dockerfile only affects the image's default user; it can be overridden at runtime (e.g., by specifying `securityContext.runAsUser: 0`), so it does not enforce the restriction. Option C is wrong because PodSecurityPolicy (PSP) is a deprecated, cluster-level admission controller that can block privileged containers but does not directly enforce `runAsNonRoot: true` or `readOnlyRootFilesystem: true`; it requires additional policy rules and is being replaced by Pod Security Standards.

72
MCQmedium

A developer receives the above error when trying to create a route in an API Gateway. Which action should the developer take to resolve the issue?

A.Change the endpoint type to private
B.Add an authentication mechanism to the API
C.Verify that the API is deployed to the correct stage
D.Delete the existing route or use a different route key
AnswerD

Removing the duplicate or choosing a unique key resolves the conflict.

Why this answer

The error indicates that a route with the same key already exists in the API Gateway. API Gateway enforces unique route keys within an API; attempting to create a duplicate route key (e.g., the same HTTP method and path combination) will fail. Deleting the existing route or using a different route key resolves the conflict by ensuring each route key is unique.

Exam trap

ISC2 often tests the misconception that deployment stages or authentication mechanisms can resolve configuration conflicts, when in fact the error is a direct result of violating a uniqueness constraint on route keys within the API Gateway resource hierarchy.

How to eliminate wrong answers

Option A is wrong because changing the endpoint type to private does not address a duplicate route key error; endpoint type controls network accessibility, not route uniqueness. Option B is wrong because adding an authentication mechanism (e.g., IAM, Lambda authorizer) does not resolve a conflict where a route key already exists; authentication is unrelated to route key duplication. Option C is wrong because verifying the API deployment stage does not fix a duplicate route key error; deployment stages affect which version of the API is live, not the uniqueness of route keys within the API definition.

73
Multi-Selecteasy

Which TWO of the following are secure coding practices that help prevent injection attacks?

Select 2 answers
A.Printing stack traces in production error messages
B.Using parameterized queries for database calls
C.Using stored procedures exclusively
D.Validating and sanitizing all user inputs
E.Storing user passwords in plaintext
AnswersB, D

Parameterized queries separate SQL logic from data, preventing injection.

Why this answer

Option B is correct because parameterized queries (also known as prepared statements) separate SQL logic from data by using placeholders (e.g., `?` in MySQLi or `:param` in PDO). The database driver treats the user-supplied values strictly as data, never as executable code, which prevents an attacker from injecting malicious SQL commands even if the input contains special characters like `' OR 1=1 --`.

Exam trap

ISC2 often tests the misconception that stored procedures are inherently safe against injection, but the trap is that stored procedures can still be vulnerable if they dynamically construct SQL strings using concatenated input, so parameterization must be applied inside the procedure as well.

74
MCQeasy

A developer is implementing a cloud application that stores sensitive user data. To minimize the risk of data exposure during transit, which security control should be enforced as a baseline requirement?

A.Implement IPsec tunnels between components
B.Use HTTPS without additional controls
C.Require SSH for all connections
D.Enforce TLS for all data in transit
AnswerD

TLS encrypts data in transit, protecting confidentiality and integrity.

Why this answer

TLS (Transport Layer Security) is the industry-standard protocol for encrypting data in transit, providing confidentiality, integrity, and authentication. Enforcing TLS for all communications ensures that sensitive user data is protected from eavesdropping and tampering during transmission, making it a baseline requirement for cloud application security.

Exam trap

ISC2 often tests the misconception that HTTPS alone is sufficient, but the trap here is that 'HTTPS without additional controls' (Option B) is not a baseline requirement because it lacks enforcement of strong TLS versions, certificate validation, and protections like HSTS, making it vulnerable to attacks that TLS enforcement (Option D) explicitly mitigates.

How to eliminate wrong answers

Option A is wrong because IPsec tunnels are typically used for site-to-site VPNs or network-layer encryption between entire subnets, not as a baseline for individual application-level connections; they add complexity and overhead without providing the same granular per-connection authentication and encryption as TLS. Option B is wrong because HTTPS without additional controls (like enforcing TLS 1.2 or higher, proper certificate validation, and HSTS) can still be vulnerable to downgrade attacks, man-in-the-middle attacks, and certificate spoofing, so it is not sufficient as a baseline requirement. Option C is wrong because SSH is designed for secure remote shell access and file transfer, not for general application data transit; it is not suitable for encrypting HTTP-based API calls or database connections between cloud components.

75
MCQmedium

A company uses a cloud-based identity provider for single sign-on. An application needs to verify the user's identity without storing credentials. Which token type should the application validate?

A.SAML assertion
B.JWT
C.Kerberos ticket
D.OAuth access token
AnswerA

SAML assertions are used in SSO to convey user identity and attributes.

Why this answer

A SAML assertion is the correct choice because it is specifically designed for single sign-on (SSO) scenarios where an identity provider (IdP) authenticates a user and issues a signed XML token containing the user's identity and attributes. The application validates the assertion's signature and trust relationship with the IdP, verifying the user's identity without ever storing or handling credentials. This aligns with the cloud-based identity provider model described in the question.

Exam trap

ISC2 often tests the distinction between authentication tokens (SAML) and authorization tokens (OAuth access tokens), leading candidates to pick OAuth access token because they confuse it with OpenID Connect ID tokens, which are actually JWTs used for identity in modern SSO.

How to eliminate wrong answers

Option B is wrong because a JWT (JSON Web Token) is a compact, self-contained token often used for stateless API authorization, but it is not inherently tied to SSO identity verification; it typically carries claims like user ID and expiration, but the application would still need to validate the JWT's signature and trust the issuer, which is not the standard SSO token format for cloud-based identity providers. Option C is wrong because a Kerberos ticket is a symmetric-key-based authentication token used in on-premises Windows domain environments, not in cloud-based identity provider SSO scenarios; it relies on a Key Distribution Center (KDC) and is not designed for cross-domain or cloud federation. Option D is wrong because an OAuth access token is primarily an authorization token that grants access to resources, not an identity token; it does not carry user identity claims in a standardized way for SSO verification, and the application would need a separate ID token (like OpenID Connect) to verify the user's identity.

Page 1 of 2 · 111 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Cloud Application Security questions.