CCNA Cloud Application Security Questions

36 of 111 questions · Page 2/2 · Cloud Application Security · Answers revealed

76
MCQeasy

A cloud security architect is designing a multi-tier application that processes sensitive customer data. To protect data in transit between the web tier and the application tier, which of the following is the MOST appropriate approach?

A.Use standard TLS with server-side certificates only
B.Establish SSH tunnels for all inter-tier communication
C.Use mutual TLS (mTLS) between the tiers
D.Implement IPsec VPN between the tiers
AnswerC

mTLS provides bidirectional authentication and encryption, ideal for service-to-service communication.

Why this answer

Mutual TLS (mTLS) is the most appropriate approach because it provides bidirectional authentication and encryption between the web tier and application tier. In a multi-tier application processing sensitive customer data, mTLS ensures that both the client (web tier) and server (application tier) present valid certificates, preventing man-in-the-middle attacks and unauthorized inter-tier communication. This is critical for protecting data in transit in zero-trust or internal network segments where simple server-side TLS would not verify the identity of the calling service.

Exam trap

ISC2 often tests the misconception that standard TLS (server-side only) is sufficient for internal service-to-service communication, but the trap here is that without mutual authentication, an attacker who compromises the web tier could impersonate it to the application tier, or a rogue service could connect to the application tier undetected.

How to eliminate wrong answers

Option A is wrong because standard TLS with server-side certificates only authenticates the server to the client, but does not authenticate the client (web tier) to the application tier, leaving the application tier vulnerable to unauthorized or spoofed connections. Option B is wrong because SSH tunnels provide point-to-point encryption but are designed for interactive shell access or port forwarding, not for high-throughput, persistent inter-tier service communication; they introduce management overhead and lack the certificate-based identity verification that mTLS offers for service-to-service authentication. Option D is wrong because IPsec VPN operates at the network layer and encrypts all traffic between subnets, but it is overly complex for application-layer communication, adds latency, and does not provide application-level identity verification between specific services; it is more suited for site-to-site connectivity rather than fine-grained inter-tier authentication.

77
MCQeasy

An organization is developing a mobile app that communicates with a cloud API. To ensure secure authentication, which of the following should be used?

A.Session cookies for state management
B.Basic authentication with username and password
C.OAuth 2.0 with OpenID Connect
D.API keys sent in HTTP headers
AnswerC

Provides delegated authorization and authentication for mobile apps.

Why this answer

OAuth 2.0 with OpenID Connect (OIDC) is the correct choice because it provides a delegated authorization framework (OAuth 2.0) combined with an identity layer (OIDC) that enables secure authentication and single sign-on (SSO) for mobile apps communicating with cloud APIs. This combination issues short-lived access tokens and ID tokens (typically JWTs) rather than exposing long-lived credentials, and supports token refresh, scoped permissions, and PKCE (Proof Key for Code Exchange) to prevent authorization code interception on mobile devices.

Exam trap

ISC2 often tests the misconception that API keys or Basic auth are sufficient for mobile-to-cloud authentication, but the trap is that these methods lack the delegation, token lifecycle management, and identity verification that OAuth 2.0 with OpenID Connect provides, which is the industry standard (RFC 6749, RFC 7519) for securing mobile API access.

How to eliminate wrong answers

Option A is wrong because session cookies are designed for server-side web applications with browser-based state management; mobile apps lack a browser context for cookie handling and are vulnerable to CSRF and session hijacking, making cookies unsuitable for native mobile-to-API communication. Option B is wrong because Basic authentication transmits credentials (Base64-encoded username:password) in every request, exposing them to interception and replay attacks; it offers no token expiration, no scoping, and no support for multi-factor authentication, violating cloud security best practices. Option D is wrong because API keys sent in HTTP headers are static, long-lived secrets that are easily leaked in client-side code (e.g., mobile app binaries), provide no user authentication or delegation, and lack built-in revocation mechanisms beyond key rotation.

78
MCQmedium

A cloud application uses customer-managed encryption keys (CMK) stored in a cloud HSM. The application needs to decrypt data on demand. How should the key be accessed?

A.Use the HSM to decrypt without exposing the key
B.Use a key management service with IAM permissions
C.Store the key in application configuration
D.Copy the key to the application's memory
AnswerB

KMS provides secure access to keys with IAM controls, allowing decryption requests without exposing the key material.

Why this answer

Option B is correct because cloud key management services (e.g., AWS KMS, Azure Key Vault) allow you to use customer-managed keys (CMK) stored in a cloud HSM without ever exposing the plaintext key to the application. The application calls the KMS API with IAM permissions to request decryption, and the HSM performs the decryption inside its hardware boundary, returning only the decrypted data. This ensures the key material never leaves the HSM's secure enclave, maintaining the security posture required for CMK usage.

Exam trap

ISC2 often tests the misconception that 'using an HSM directly' is the correct answer, but the trap is that cloud environments require a key management service (KMS) as the intermediary to enforce IAM policies, audit logging, and key lifecycle management—the HSM alone does not provide these access control features.

How to eliminate wrong answers

Option A is wrong because while the HSM can decrypt without exposing the key, the question asks how the application should access the key; directly calling the HSM API is not the standard cloud pattern—a key management service (KMS) abstracts HSM operations and provides IAM-based access control, auditing, and key rotation. Option C is wrong because storing the key in application configuration violates the fundamental principle of CMK security—keys must never be stored in plaintext outside the HSM or KMS, as configuration files are easily exposed via misconfigurations or breaches. Option D is wrong because copying the key to the application's memory exposes the plaintext key material, defeating the purpose of using a hardware security module (HSM) and violating the 'never export the key' rule that CMK policies enforce.

79
MCQmedium

A security team is reviewing a cloud application's CI/CD pipeline. They want to ensure that only approved open-source libraries are used in production builds. Which approach best addresses this requirement?

A.Segment the build network to limit internet access
B.Perform static code analysis after each build
C.Implement a software composition analysis (SCA) tool in the pipeline
D.Require manual approval for all library updates
AnswerC

SCA identifies and blocks unapproved open-source components.

Why this answer

A Software Composition Analysis (SCA) tool is specifically designed to automatically scan open-source libraries for known vulnerabilities, licensing issues, and version compliance. By integrating SCA into the CI/CD pipeline, the team can enforce a policy that only approved libraries (e.g., those passing a security and license review) are allowed in production builds, blocking unapproved or vulnerable components before deployment.

Exam trap

ISC2 often tests the distinction between SAST (static code analysis), DAST (dynamic analysis), and SCA, expecting candidates to recognize that only SCA directly addresses the management and approval of third-party open-source components and their associated risks.

How to eliminate wrong answers

Option A is wrong because segmenting the build network to limit internet access only restricts network connectivity, but does not prevent developers from introducing unapproved libraries already cached or stored locally; it also breaks legitimate dependency resolution from approved repositories. Option B is wrong because static code analysis (SAST) focuses on source code flaws (e.g., SQL injection, buffer overflows) and does not inspect third-party library metadata, licenses, or known CVEs in dependencies. Option D is wrong because requiring manual approval for all library updates is an operational process that does not scale, lacks automated detection of unapproved libraries, and introduces human error and delay without providing a technical enforcement gate in the pipeline.

80
MCQmedium

A healthcare SaaS company runs containerized microservices on Google Kubernetes Engine (GKE). The security team scans containers with a vulnerability scanner and finds that base images have several critical vulnerabilities. The container build process uses a Dockerfile that pulls the latest Ubuntu image from Docker Hub. The team wants to reduce the attack surface without delaying feature releases. What is the best approach?

A.Place a network security policy to restrict outbound traffic from pods
B.Schedule weekly automated rebuilds with the latest base image
C.Adopt minimal hardened base images and integrate vulnerability scanning into CI/CD
D.Refactor all applications to use scratch as base image
AnswerC

Hardened images minimize vulnerabilities and scanning ensures early detection.

Why this answer

Option D is correct because using minimal hardened images (e.g., distroless) reduces vulnerabilities and attack surface. Option A (weekly patching) leaves windows open. Option B (rebuild from scratch) is time-consuming and error-prone.

Option C (network segmentation) does not address vulnerable images.

81
MCQeasy

A cloud application uses OAuth 2.0 for authorization. What is the primary purpose of using a refresh token in this flow?

A.To obtain a new access token when the current one expires without user interaction.
B.To grant the same access token indefinitely.
C.To authenticate the user without a password.
D.To store user credentials on the resource server for later use.
AnswerA

Refresh tokens are long-lived and can be used to request new access tokens.

Why this answer

In OAuth 2.0, access tokens are short-lived by design to limit the window of compromise. A refresh token is a long-lived credential that allows the client to obtain a new access token from the authorization server without requiring the user to re-authenticate or re-consent. This enables seamless, ongoing access to protected resources while maintaining security through short-lived access tokens.

Exam trap

ISC2 often tests the misconception that refresh tokens are used for authentication or that they extend the life of the same access token, rather than understanding they are a separate credential used to obtain a new access token.

How to eliminate wrong answers

Option B is wrong because refresh tokens do not grant indefinite access; they can be revoked, have their own expiration, and are used to obtain new access tokens, not to extend the life of the same token. Option C is wrong because refresh tokens are not used for authentication; they are an authorization grant that assumes prior authentication has already occurred. Option D is wrong because refresh tokens are stored on the client (or client's backend), not on the resource server, and they are never used to store user credentials.

82
MCQhard

Refer to the exhibit. A Kubernetes pod is configured as shown. Which security enhancement should be added to follow cloud security best practices?

A.Set allowPrivilegeEscalation to true
B.Use a more restrictive runAsUser value like 2000
C.Set readOnlyRootFilesystem to true
D.Use a trusted image from a private registry
AnswerC

Read-only root filesystem prevents unauthorized modifications.

Why this answer

Setting `readOnlyRootFilesystem` to true ensures the container's root filesystem is mounted as read-only, preventing attackers from modifying binaries, libraries, or configuration files at runtime. This is a key container hardening practice that limits the blast radius of a compromise, aligning with the CIS Benchmark for Kubernetes and cloud security best practices.

Exam trap

ISC2 often tests the distinction between runtime hardening (like read-only filesystem) and identity/access controls (like runAsUser or image trust), expecting candidates to recognize that a non-root user alone does not prevent file tampering.

How to eliminate wrong answers

Option A is wrong because setting `allowPrivilegeEscalation` to true allows processes within the container to gain more privileges than their parent (e.g., via setuid binaries), which directly violates the principle of least privilege and increases risk. Option B is wrong because while using a non-root user like 2000 is good practice, the question asks for a security enhancement to add; the pod already specifies `runAsUser: 1000`, which is already non-root, so changing the UID does not address the missing read-only filesystem or other hardening gaps. Option D is wrong because using a trusted image from a private registry is a supply chain security measure, but it does not mitigate runtime attacks that modify the container's filesystem; the pod configuration shown lacks filesystem-level protection, which is the immediate gap.

83
MCQhard

An organization is migrating a legacy application to the cloud and plans to use a cloud access security broker (CASB). Which of the following is the PRIMARY function of a CASB in securing cloud applications?

A.Performing vulnerability scans on cloud infrastructure
B.Encrypting data at rest in cloud storage
C.Protecting against distributed denial-of-service (DDoS) attacks
D.Enforcing security policies across cloud applications and controlling access
AnswerD

CASBs provide visibility, policy enforcement, and threat protection for cloud apps.

Why this answer

The primary function of a CASB is to enforce security policies and control access across cloud applications, acting as an intermediary between users and cloud providers. It provides visibility into cloud usage, applies data loss prevention (DLP) rules, and enforces authentication and authorization policies, which directly addresses the need to secure a legacy application migrated to the cloud.

Exam trap

ISC2 often tests the distinction between a CASB's primary role (policy enforcement and access control) and secondary capabilities (like encryption or DLP), leading candidates to mistake a supporting feature for the core function.

How to eliminate wrong answers

Option A is wrong because vulnerability scanning of cloud infrastructure is typically performed by a cloud security posture management (CSPM) tool or a vulnerability scanner, not a CASB, which focuses on application-level policy enforcement and user access control. Option B is wrong because while a CASB can apply encryption for data in transit or at rest via tokenization or proxy-based encryption, its primary function is not encrypting data at rest; that is a feature of cloud storage services or dedicated encryption tools. Option C is wrong because protecting against DDoS attacks is handled by web application firewalls (WAFs) or DDoS mitigation services, not a CASB, which is designed for visibility, compliance, and access control for cloud applications.

84
Multi-Selectmedium

Which TWO measures are effective for securing container images in a cloud environment?

Select 2 answers
A.Store images in a public registry without scanning
B.Sign images to ensure integrity
C.Use latest tags without version pinning
D.Run containers with root privileges
E.Scan images for vulnerabilities before deployment
AnswersB, E

Image signing verifies the image has not been tampered with.

Why this answer

Signing container images (e.g., using Docker Content Trust or Notary) ensures integrity and authenticity by cryptographically verifying that the image has not been tampered with since it was signed. This prevents man-in-the-middle attacks and the deployment of malicious images, which is a critical security measure in cloud environments where images are pulled from remote registries.

Exam trap

ISC2 often tests the misconception that 'latest tags are safe because they always point to the most recent version,' but the trap is that 'latest' is a mutable tag that can silently introduce breaking changes or vulnerabilities, whereas version pinning (e.g., using a specific digest or semantic version) ensures deterministic and auditable deployments.

85
MCQmedium

A company is migrating a legacy monolithic application to a cloud-native microservices architecture. The security architect is concerned about securing inter-service communication. Which of the following should be implemented to ensure mutual authentication and encryption between services?

A.Deploy a service mesh with mutual TLS (mTLS) for all inter-service communication.
B.Use shared API keys embedded in each service's configuration.
C.Implement TLS termination at the load balancer with internal certificates.
D.Place all services in the same Virtual Private Cloud (VPC) and restrict ingress with security groups.
AnswerA

A service mesh like Istio automates mTLS, providing strong encryption and mutual authentication.

Why this answer

A service mesh with mutual TLS (mTLS) provides both encryption and mutual authentication for inter-service communication, ensuring that each service verifies the identity of the other before exchanging data. This is the recommended approach for cloud-native microservices because it offloads security concerns from application code and uses X.509 certificates to establish trust, aligning with zero-trust principles.

Exam trap

ISC2 often tests the misconception that network segmentation (VPC/security groups) alone is sufficient for securing inter-service communication, but the CCSP emphasizes that encryption and mutual authentication are required for data-in-transit security in a zero-trust model.

How to eliminate wrong answers

Option B is wrong because shared API keys embedded in configuration do not provide mutual authentication (only one-way authentication) and are vulnerable to leakage, rotation issues, and replay attacks. Option C is wrong because TLS termination at the load balancer means traffic between services is decrypted and re-encrypted, leaving internal traffic potentially unencrypted and without mutual authentication between services themselves. Option D is wrong because placing services in the same VPC with security groups restricts network access but does not provide encryption or mutual authentication for inter-service communication; it relies on network perimeter controls rather than cryptographic identity.

86
MCQhard

A security auditor is reviewing a cloud application's data encryption strategy. The application stores sensitive data in a cloud database. Which configuration would best ensure data confidentiality in the event of a database dump?

A.Tokenization of sensitive fields with a separate token vault
B.Entire database encryption at rest using cloud provider managed keys
C.Column-level encryption using application-managed keys
D.Transport layer security for all connections
AnswerC

Column-level encryption protects sensitive data at the database level.

Why this answer

Option C is correct because column-level encryption with application-managed keys ensures that even if the entire database is dumped, the sensitive columns remain encrypted and unreadable without the keys held by the application. This approach decouples key management from the cloud provider, preventing the provider from accessing the plaintext data and maintaining confidentiality during a breach or dump.

Exam trap

ISC2 often tests the distinction between encryption at rest and column-level encryption, trapping candidates who assume that full database encryption (Option B) protects against all data exposure scenarios, when in fact it does not protect data during a dump because the database engine decrypts it automatically.

How to eliminate wrong answers

Option A is wrong because tokenization replaces sensitive data with tokens, but if the token vault is compromised or the database dump includes the token mapping, confidentiality can be broken; it does not encrypt the data itself. Option B is wrong because encryption at rest using cloud provider managed keys protects data while stored on disk, but during a database dump (which extracts data in transit or in memory), the data is decrypted by the database engine and exposed in plaintext; the provider also has access to the keys. Option D is wrong because transport layer security (TLS) only protects data in transit between client and server, not data at rest or during a database dump, which occurs after the data has been stored.

87
MCQmedium

A cloud security team is implementing a Web Application Firewall (WAF) for a public-facing web application. The application uses a REST API with JSON payloads. Which of the following is the WAF's primary benefit?

A.Scanning for data loss prevention (DLP) violations
B.Preventing network-layer DDoS attacks
C.Encrypting data in transit between client and server
D.Inspecting HTTP traffic for malicious payloads
AnswerD

WAFs filter application-layer attacks.

Why this answer

A WAF operates at Layer 7 (application layer) and is specifically designed to inspect HTTP/HTTPS traffic for malicious payloads such as SQL injection, cross-site scripting (XSS), and JSON-based attacks. For a REST API using JSON, the WAF can parse and validate the JSON structure, blocking malformed or malicious payloads before they reach the application server. This is the primary benefit because it directly protects the application logic from web-based exploits.

Exam trap

ISC2 often tests the distinction between Layer 7 (application) and Layer 3/4 (network) security controls, so candidates mistakenly choose network-layer DDoS protection (Option B) because they confuse WAF with a general-purpose firewall.

How to eliminate wrong answers

Option A is wrong because DLP scanning is a function of data loss prevention tools, not a WAF; a WAF does not inspect data for policy violations like credit card numbers or PII. Option B is wrong because preventing network-layer DDoS attacks (e.g., SYN floods) is the role of a network firewall or DDoS mitigation appliance, not a WAF which focuses on application-layer attacks. Option C is wrong because encrypting data in transit is the job of TLS/SSL (e.g., HTTPS), not a WAF; a WAF inspects decrypted traffic after TLS termination or uses a reverse proxy model, but it does not perform encryption itself.

88
MCQeasy

A development team is migrating a legacy application to the cloud. Which security testing approach should be adopted early in the CI/CD pipeline to catch vulnerabilities as code is written?

A.Dynamic application security testing (DAST)
B.Penetration testing
C.Runtime application self-protection (RASP)
D.Static application security testing (SAST)
AnswerD

SAST scans source code early in the pipeline.

Why this answer

Static application security testing (SAST) analyzes source code, bytecode, or binary code without executing the application, making it ideal for integration early in the CI/CD pipeline to catch vulnerabilities like SQL injection, buffer overflows, and XSS as code is written. This 'white-box' approach provides immediate feedback to developers, aligning with the shift-left security principle for cloud-native development.

Exam trap

ISC2 often tests the distinction between SAST (white-box, early pipeline) and DAST (black-box, post-deployment), and candidates mistakenly choose DAST because they think 'dynamic' implies early testing, but DAST requires a running application.

How to eliminate wrong answers

Option A is wrong because DAST tests the running application from the outside (black-box), which requires a deployed environment and cannot catch vulnerabilities at the code-writing stage. Option B is wrong because penetration testing is a manual or automated simulated attack on a live system, performed later in the SDLC, not during development. Option C is wrong because RASP is a runtime protection technology embedded in the application runtime environment that monitors and blocks attacks in production, not a testing tool for the CI/CD pipeline.

89
MCQmedium

Refer to the exhibit. A developer reports that users are being denied access to a cloud application. The error log shows the above. What is the most likely cause of the denial?

A.The token was issued by an untrusted issuer
B.The token lacks required permissions
C.The token's expiration time has passed
D.The token's signature is invalid
AnswerC

The log explicitly states 'Token expired at 2024-11-20T10:30:00Z', indicating expiration.

Why this answer

The error log indicates that the token's expiration time has passed, which is a standard validation check in OAuth 2.0 and OpenID Connect (OIDC) flows. When a token's `exp` claim is less than the current server time, the authorization server or resource server rejects the request with an 'access denied' or similar error. This is the most direct cause of the denial shown in the exhibit.

Exam trap

ISC2 often tests the distinction between token validation steps (signature, issuer, expiration, permissions) and the specific error messages each step produces, so candidates must match the error log text to the correct validation failure rather than assuming a generic 'access denied' reason.

How to eliminate wrong answers

Option A is wrong because an untrusted issuer would trigger an 'invalid issuer' or 'untrusted issuer' error, not a token expiration error; the issuer is validated via the `iss` claim against a pre-configured trusted issuer list. Option B is wrong because missing permissions would result in a '403 Forbidden' or 'insufficient_scope' error, not a token expiration error; permissions are checked after token validity. Option D is wrong because an invalid signature would cause a 'signature verification failed' or 'invalid token' error, not a token expiration error; signature validation occurs before expiration checks.

90
MCQmedium

An IAM policy named S3ReadOnlyAccess has DefaultVersionId v3. What does this indicate?

A.The policy is newly created.
B.The policy is currently using version v3 as the default.
C.The policy has three custom versions.
D.The policy cannot be attached to any entity.
AnswerB

DefaultVersionId indicates the active version.

Why this answer

The DefaultVersionId of an IAM policy indicates which version is currently active and enforced when the policy is attached to an IAM user, group, or role. Since the policy is named S3ReadOnlyAccess and has DefaultVersionId v3, version v3 is the default and is being used for access control decisions. This is the standard behavior for IAM policies in AWS, where you can have multiple versions but only one is designated as the default.

Exam trap

ISC2 often tests the misconception that DefaultVersionId indicates the total number of versions or that a policy with a non-v1 default is somehow broken or unattachable, when in fact it simply shows which version is active.

How to eliminate wrong answers

Option A is wrong because a newly created policy would have DefaultVersionId v1, not v3, as the first version is always v1. Option C is wrong because DefaultVersionId v3 does not imply there are exactly three custom versions; there could be more versions (e.g., v1, v2, v3, v4) and only v3 is set as default, or some versions may be non-default. Option D is wrong because a policy with a default version can be attached to any entity; the DefaultVersionId simply indicates which version is active, and the policy remains attachable unless explicitly restricted.

91
MCQmedium

A global e-commerce platform uses AWS API Gateway to expose REST APIs to third-party developers. The security team notices that a malicious user is repeatedly sending large payloads to a /submit endpoint, causing high CPU usage on backend Lambda functions. The API uses a simple API key for authentication. Which combination of controls should be implemented to mitigate this attack while preserving legitimate access?

A.Configure API Gateway throttling and request body size validation
B.Subscribe to AWS Shield Advanced for DDoS protection
C.Change authentication to IAM roles with temporary credentials
D.Enable AWS WAF with a rate-based rule and block IP addresses
AnswerA

Throttling limits request rate, and size validation rejects large payloads before reaching Lambda.

Why this answer

Option A is correct because it directly addresses the two attack vectors: large payloads causing CPU exhaustion and excessive request volume. API Gateway request body size validation (up to 10 MB by default, configurable) rejects oversized payloads before they reach the backend Lambda, while throttling (e.g., 10,000 requests per second with a burst limit) prevents a single user from overwhelming the system. Together, these controls preserve legitimate access by only limiting anomalous traffic, not blocking all users.

Exam trap

ISC2 often tests the distinction between network-layer DDoS protection (Shield Advanced) and application-layer controls (throttling, WAF, payload validation), leading candidates to choose Shield Advanced when the attack is clearly at the application layer.

How to eliminate wrong answers

Option B is wrong because AWS Shield Advanced provides protection against volumetric DDoS attacks (e.g., SYN floods, UDP amplification), but it does not filter application-layer attacks like oversized payloads or high-volume requests to a specific endpoint; it also incurs significant cost and is overkill for this scenario. Option C is wrong because switching to IAM roles with temporary credentials (e.g., using AWS Signature Version 4) improves authentication security but does not mitigate the attack—the malicious user could still send large payloads and high request volumes after obtaining valid credentials. Option D is wrong because AWS WAF with a rate-based rule can block IP addresses that exceed a request threshold, but this is a reactive measure that may block legitimate users sharing the same IP (e.g., via NAT) and does not prevent the CPU impact from large payloads; it also requires additional configuration and cost.

92
MCQhard

A company uses a serverless architecture with AWS Lambda to process user-uploaded files. The Lambda function is triggered by an S3 bucket event. While reviewing security, the architect wants to ensure that the Lambda function cannot be invoked by unauthorized S3 buckets or accounts. What is the most secure configuration?

A.Use a condition in the policy that checks the source IP address.
B.Place the Lambda function inside a VPC with a VPC endpoint for S3.
C.Configure the Lambda function's resource-based policy to grant permission only to the specific S3 bucket ARN and its owner account.
D.Attach a resource-based policy that allows any S3 bucket to invoke the function.
AnswerC

Restricts invocation to a known source.

Why this answer

Option C is correct because the most secure way to restrict Lambda invocation to a specific S3 bucket is to use a resource-based policy that explicitly grants the `lambda:InvokeFunction` permission only to the trusted bucket's ARN and the owning AWS account. This ensures that even if another S3 bucket or account attempts to trigger the function, the invocation is denied by the Lambda permission model, which evaluates both the resource-based policy and the caller's identity.

Exam trap

The trap here is that candidates often confuse network-level controls (like VPC placement or IP filtering) with identity-based access controls, failing to realize that S3 event notifications invoke Lambda through AWS's internal service-to-service channel, which bypasses network restrictions and requires explicit resource-based policy conditions.

How to eliminate wrong answers

Option A is wrong because checking the source IP address is ineffective for S3 event notifications, as S3 invokes Lambda via AWS internal services, not from a fixed public IP; the source IP can vary and is not a reliable control for cross-account or cross-bucket invocation. Option B is wrong because placing the Lambda function inside a VPC with a VPC endpoint for S3 controls network traffic but does not restrict which S3 buckets or accounts can invoke the function; invocation permissions are governed by IAM and resource-based policies, not network placement. Option D is wrong because allowing any S3 bucket to invoke the function violates the principle of least privilege and would permit unauthorized buckets or accounts to trigger the Lambda, leading to potential data exfiltration or abuse.

93
MCQeasy

A cloud application is being designed to handle highly sensitive financial data. The security architect wants to ensure that encryption keys are managed outside the application's memory space. Which service model should they use?

A.Cloud Hardware Security Module (CloudHSM)
B.Key Management Service (KMS)
C.Trusted Platform Module (TPM)
D.Hardware Security Module (HSM)
AnswerD

HSM stores keys in tamper-resistant hardware, isolated from application memory.

Why this answer

Option D is correct because a Hardware Security Module (HSM) is a dedicated hardware appliance that manages encryption keys in a physically and logically isolated environment, entirely separate from the application's memory space. For highly sensitive financial data, an HSM provides FIPS 140-2 Level 3 or higher certification, ensuring keys never leave the device and are protected against memory-scraping attacks. This aligns with the requirement to keep key management outside the application's memory.

Exam trap

The trap here is that candidates confuse CloudHSM (a specific vendor service) with the generic HSM model, or they assume KMS provides the same hardware-level isolation, when in fact KMS often relies on software-based key management that may not guarantee keys are kept outside application memory.

How to eliminate wrong answers

Option A is wrong because CloudHSM is a cloud-based HSM service that still operates as a dedicated hardware appliance, but the question asks for the service model itself, not a specific cloud vendor implementation; the generic term 'HSM' is the correct model. Option B is wrong because Key Management Service (KMS) typically uses software-based key storage and may cache keys in memory, failing to guarantee that keys are managed entirely outside the application's memory space. Option C is wrong because Trusted Platform Module (TPM) is a hardware chip integrated into the motherboard for platform integrity and local key storage, but it is not designed for scalable, external key management for cloud applications and does not isolate keys from the application's memory in the same way a dedicated HSM does.

94
Multi-Selecthard

Which THREE are key considerations when designing a secure software development lifecycle (SSDLC) for cloud applications?

Select 3 answers
A.Static code analysis during development
B.Threat modeling at design phase
C.Security testing in production
D.Using a single cloud provider
E.Secure coding standards
AnswersA, B, E

Static analysis tools scan code for vulnerabilities without executing it, catching issues early.

Why this answer

Static code analysis (SAST) is a key SSDLC practice because it automatically scans source code for security vulnerabilities (e.g., SQL injection, buffer overflows) during the development phase, enabling early remediation before code is deployed. This aligns with the 'shift left' principle, reducing the cost and effort of fixing flaws later in the lifecycle.

Exam trap

ISC2 often tests the distinction between activities that are part of the secure development lifecycle (design, code, test) versus operational security tasks (production testing), and candidates mistakenly select 'Security testing in production' because they confuse it with runtime security monitoring or penetration testing.

95
Multi-Selectmedium

Which THREE of the following are common challenges in securing serverless applications?

Select 3 answers
A.Lack of control over the underlying kernel and OS
B.Insecure handling of event source inputs
C.Vulnerabilities in third-party libraries and dependencies
D.Increased attack surface due to many small functions
E.Difficulty in applying stateful firewall rules
AnswersB, C, D

Events from various sources may include malicious payloads.

Why this answer

Option B is correct because serverless functions rely on event-driven architectures where inputs from sources like HTTP requests, database changes, or message queues are processed directly. If these inputs are not properly validated and sanitized, attackers can inject malicious payloads (e.g., SQL injection, command injection) that execute within the function's runtime, leading to data breaches or unauthorized actions. This is a primary attack vector unique to serverless, as the function code directly consumes untrusted data without traditional perimeter defenses.

Exam trap

ISC2 often tests the misconception that serverless eliminates all infrastructure security concerns, leading candidates to overlook the critical need for input validation and dependency management, while incorrectly assuming that network controls like firewalls are still applicable.

96
Multi-Selectmedium

Which THREE of the following are essential components of a Secure Software Development Lifecycle (SSDLC) in the cloud? (Choose three.)

Select 3 answers
A.Static application security testing (SAST) in CI/CD
B.Dynamic application security testing (DAST) in staging
C.Manual code reviews without automation
D.Threat modeling during design phase
E.Annual penetration testing only
AnswersA, B, D

SAST finds vulnerabilities in source code early.

Why this answer

Option A is correct because SAST tools scan source code, bytecode, or binaries for vulnerabilities like SQL injection or buffer overflows early in the development cycle. Integrating SAST into the CI/CD pipeline enables automated, continuous security checks on every commit or build, which is a core practice of a Secure Software Development Lifecycle (SSDLC) in the cloud. This shift-left approach catches flaws before they reach production, reducing remediation cost and risk.

Exam trap

ISC2 often tests the misconception that manual reviews are a primary or essential component of an SSDLC in the cloud, when in fact automation is critical for speed and consistency, and they also test the trap that annual penetration testing is sufficient for cloud environments, which require continuous security validation.

97
MCQhard

During a security review, a cloud security architect discovers that a PaaS database service has public network access enabled. The application team claims they need it for external integrations. What is the most secure alternative to allow necessary access?

A.Encrypt all data at rest and in transit to the database.
B.Use Azure Private Link or AWS PrivateLink to connect via private IP within the cloud network.
C.Move the database to a VM-hosted instance with a VPN connection.
D.Restrict public access using IP whitelisting to only required external IPs.
AnswerB

Traffic never traverses the public internet, and access is restricted to private endpoints.

Why this answer

Option C is correct because private link creates a private endpoint, eliminating exposure to the public internet. Option A is wrong because firewall rules still allow public IP addresses. Option B is wrong because it changes the service but still may have public exposure.

Option D is wrong because it is not a security control.

98
MCQmedium

A large enterprise is migrating a legacy .NET application to Azure App Service. The application currently stores session state in-memory on the web server. During the migration, the team plans to horizontally scale the application across multiple instances. The security team requires that session data remain confidential and be available even if an instance fails. Which solution should the team implement?

A.Store session data in Azure SQL Database with column-level encryption
B.Use Azure Redis Cache to store session state with encryption enabled
C.Encrypt session data and store it as a client-side cookie
D.Configure Application Gateway with cookie-based affinity (sticky sessions)
AnswerB

Redis provides scalable, encrypted, persistent session storage independent of instances.

Why this answer

Azure Redis Cache with encryption enabled provides a secure, centralized session store that persists data independently of individual web server instances. This ensures session data remains available even if an instance fails, and encryption protects confidentiality in transit and at rest, meeting the security team's requirements for horizontal scaling.

Exam trap

ISC2 often tests the distinction between availability and affinity, where candidates mistakenly choose sticky sessions (Option D) thinking they solve availability, but sticky sessions actually create a single point of failure by binding a user to one instance.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database with column-level encryption does not provide the low-latency, in-memory performance needed for session state in a horizontally scaled web application, and it introduces unnecessary database overhead and cost. Option C is wrong because storing encrypted session data as a client-side cookie violates the requirement for availability after instance failure, as the data is tied to the client and not centrally managed, and cookies have size limits (typically 4 KB) that cannot accommodate large session states. Option D is wrong because Application Gateway with cookie-based affinity (sticky sessions) pins a client to a specific instance, which prevents true horizontal scaling and does not ensure session data availability if that instance fails, as the session remains in-memory on that single server.

99
MCQmedium

Refer to the exhibit. A security administrator is reviewing an S3 bucket policy. What is the primary security concern with this policy?

A.The policy allows delete access from a trusted IP range without additional controls
B.The policy does not enforce server-side encryption
C.The bucket is publicly accessible from any IP
D.The policy does not require MFA for delete operations
AnswerA

Delete access should be restricted further or require MFA.

Why this answer

Option A is correct because the policy grants s3:DeleteObject permission to a trusted IP range without requiring additional controls like MFA or versioning safeguards. This means an attacker who compromises a machine within that IP range can permanently delete objects without any secondary authentication, leading to potential data loss. The lack of a condition such as 'aws:MultiFactorAuthPresent': true or a Deny for delete operations without MFA is the primary security concern.

Exam trap

ISC2 often tests the distinction between 'publicly accessible' and 'accessible from a trusted IP range'—candidates may mistakenly think any IP-based restriction is sufficient, overlooking that delete operations without MFA or versioning are still a critical risk.

How to eliminate wrong answers

Option B is wrong because the policy does not explicitly enforce server-side encryption, but that is not the primary security concern; the question focuses on the most critical risk, which is unauthorized deletion. Option C is wrong because the policy restricts access to a specific IP range (e.g., 'aws:SourceIp': '192.0.2.0/24'), so the bucket is not publicly accessible from any IP. Option D is wrong because while MFA for delete operations is a best practice, the policy does not require it, but the core issue is that delete access is granted to a trusted IP range without any additional controls—MFA is just one possible control, and the absence of any control is the primary concern.

100
MCQhard

A financial services company uses a CI/CD pipeline to deploy microservices to a Kubernetes cluster. The security team wants to ensure container images are scanned for vulnerabilities before deployment. Which integration point in the pipeline is most effective?

A.Runtime security monitoring
B.Pre-commit hook in source control
C.Post-build image scanning in registry
D.Admission controller in Kubernetes
AnswerC

Scanning images in the registry after build ensures vulnerabilities are detected before deployment.

Why this answer

Post-build image scanning in the registry (Option C) is the most effective integration point because it automatically scans container images after they are built and pushed, catching vulnerabilities before the image is deployed to production. This ensures that only compliant images proceed through the pipeline, aligning with the principle of shift-left security without blocking developer velocity.

Exam trap

ISC2 often tests the distinction between proactive pipeline controls (like post-build scanning) and reactive runtime controls (like admission controllers), leading candidates to choose admission controllers because they seem directly related to Kubernetes security, but they miss the earlier, more effective integration point.

How to eliminate wrong answers

Option A is wrong because runtime security monitoring detects threats during execution, not before deployment, so it cannot prevent vulnerable images from being deployed. Option B is wrong because pre-commit hooks scan source code, not container images, and cannot detect vulnerabilities in base layers or dependencies added during the build process. Option D is wrong because an admission controller in Kubernetes can block deployment based on image policies, but it acts after the image is already built and pushed, making it a reactive control rather than a proactive integration point in the CI/CD pipeline.

101
MCQmedium

During a code review, a developer identifies that an application uses input from an HTTP request to generate a SQL query string. What is the primary security concern?

A.Buffer overflow
B.Insecure deserialization
C.Cross-site scripting (XSS)
D.SQL injection
AnswerD

User input in SQL queries can lead to injection attacks.

Why this answer

Option D is correct because directly concatenating user-supplied input from an HTTP request into a SQL query string allows an attacker to inject arbitrary SQL commands. This can lead to unauthorized data access, data manipulation, or even complete database compromise. The primary security concern is SQL injection, which violates the confidentiality and integrity of cloud-hosted databases.

Exam trap

ISC2 often tests the distinction between input validation issues (like SQL injection) and output encoding issues (like XSS), so the trap here is confusing a server-side injection attack with a client-side script injection attack.

How to eliminate wrong answers

Option A is wrong because buffer overflow exploits typically target memory corruption in low-level languages like C/C++, not SQL query string generation in application code. Option B is wrong because insecure deserialization involves untrusted data being deserialized into objects, not the direct injection of SQL syntax into a query string. Option C is wrong because cross-site scripting (XSS) involves injecting client-side scripts into web pages viewed by other users, whereas this scenario directly manipulates a server-side SQL query.

102
MCQhard

A financial services company uses a multi-region cloud deployment for its trading application. The application consists of a web frontend, a REST API, and a relational database. Recently, a penetration test revealed that an attacker could perform a time-based blind SQL injection through the API's search functionality. The injection allows the attacker to enumerate database contents by observing response times. The development team was already aware of the issue but had prioritized other features. The security team now demands immediate remediation. The application is critical and cannot be taken offline. Which of the following is the most effective immediate action to mitigate the risk without modifying the application code?

A.Deploy a Web Application Firewall (WAF) with a rule to block SQL injection patterns
B.Implement rate limiting on the API endpoint
C.Enable DDoS protection on the cloud load balancer
D.Enable transparent data encryption (TDE) on the database
AnswerA

WAF provides virtual patching without code changes.

Why this answer

A WAF can inspect incoming HTTP requests and block those matching SQL injection patterns (e.g., SQL keywords, special characters) without modifying application code. Since the vulnerability is a time-based blind SQL injection, a WAF with a dedicated SQL injection rule set can immediately stop the attack vector by filtering malicious payloads at the edge, providing a virtual patch while the code fix is developed. This is the only option that directly addresses the injection vector without requiring code changes or downtime.

Exam trap

ISC2 often tests the misconception that rate limiting or DDoS protection can mitigate application-layer attacks like SQL injection, but these controls address availability threats, not data exfiltration or injection vulnerabilities.

How to eliminate wrong answers

Option B is wrong because rate limiting only restricts the number of requests per time window, which does not prevent a single crafted SQL injection payload from executing; it merely slows down enumeration but does not block the injection itself. Option C is wrong because DDoS protection mitigates volumetric attacks aimed at overwhelming resources, not application-layer attacks like SQL injection; it does not inspect payload content. Option D is wrong because transparent data encryption (TDE) protects data at rest in the database, but the SQL injection attack exploits the API to extract data in transit or via response timing, so encryption does not prevent the injection or the data exfiltration.

103
MCQeasy

A cloud security engineer reviews this Terraform configuration for a security group. Which change is necessary to improve security?

A.Use a broader CIDR for ingress.
B.Restrict egress to specific ports.
C.Change protocol to UDP.
D.Remove the ingress rule.
AnswerB

Restricting egress limits data exfiltration risks.

Why this answer

The egress rule allows all outbound traffic (all ports to any IP). Restricting egress to specific ports reduces the attack surface. The ingress is already restricted to VPC CIDR.

Removing ingress would break functionality. Broader ingress is worse. Changing protocol does not improve security.

104
MCQmedium

A security architect is designing a CI/CD pipeline for a cloud-native application. The team wants to automatically scan container images for vulnerabilities before deployment. Which of the following is the most effective approach?

A.Manually review images before each deployment
B.Integrate a container image scanner into the pipeline
C.Perform vulnerability scanning at runtime using a host-based agent
D.Scan the network for open ports on the container hosts
AnswerB

Automated scanning in the pipeline prevents vulnerable images from being deployed.

Why this answer

Integrating a container image scanner into the CI/CD pipeline ensures that vulnerabilities are detected early, before the image is deployed to production. This approach automates security checks as part of the build process, aligning with DevSecOps principles by shifting security left. Tools like Trivy, Clair, or Anchore can be configured to fail the pipeline if critical vulnerabilities are found, preventing insecure images from reaching runtime.

Exam trap

The trap here is that candidates confuse runtime host-based scanning (Option C) with image scanning, but the question specifically asks for scanning before deployment, making pipeline integration the only correct choice that enforces security gates early in the lifecycle.

How to eliminate wrong answers

Option A is wrong because manual review is not scalable, error-prone, and cannot keep pace with the frequency of deployments in a CI/CD pipeline, violating the automation principle of secure DevOps. Option C is wrong because runtime scanning with a host-based agent detects vulnerabilities only after the container is already running, missing the opportunity to block deployment of vulnerable images and potentially exposing the environment to exploitation. Option D is wrong because scanning the network for open ports on container hosts addresses network-level exposure, not the vulnerabilities within the container image itself, and is a reactive measure unrelated to image security.

105
MCQhard

A security architect is designing a cloud-native application using microservices. They decide to implement mutual TLS (mTLS) for service-to-service communication in a Kubernetes cluster with hundreds of services. What is the primary challenge in managing mTLS certificates in this dynamic environment?

A.High latency due to encryption overhead
B.Certificate revocation and rotation
C.Incompatibility with HTTP/2
D.Increased complexity in load balancer configuration
AnswerB

Dynamic environments require automated, frequent certificate refreshes and effective revocation.

Why this answer

In a dynamic Kubernetes environment with hundreds of microservices, mTLS certificates must be frequently rotated and revoked to maintain security, especially as services scale up/down and pods are replaced. Manual certificate management is impractical, so automated solutions like SPIFFE/SPIRE or Istio’s Citadel are required to handle the lifecycle at scale. The primary challenge is not the encryption overhead but the operational complexity of ensuring every service has a valid, non-expired certificate and that compromised certificates can be promptly revoked across the mesh.

Exam trap

The trap here is that candidates confuse the operational challenge of certificate lifecycle management with perceived performance issues (latency) or compatibility concerns, when in fact mTLS is designed to work efficiently with modern protocols and the real difficulty is maintaining trust in a rapidly changing service mesh.

How to eliminate wrong answers

Option A is wrong because mTLS encryption overhead is minimal with modern hardware and optimized libraries (e.g., AES-NI, TLS 1.3), and latency is not the primary challenge in a dynamic environment. Option C is wrong because mTLS is fully compatible with HTTP/2; in fact, gRPC (which uses HTTP/2) commonly relies on mTLS for secure service-to-service communication. Option D is wrong because mTLS does not inherently increase load balancer configuration complexity; load balancers can terminate or pass-through mTLS, and the challenge lies in certificate lifecycle management, not load balancer setup.

106
MCQhard

Refer to the exhibit. A security analyst reviews the S3 bucket policy shown. Which security issue should be flagged?

A.The policy restricts read access to a specific role, which is too permissive
B.The policy does not enable server-side encryption
C.The policy allows unauthenticated write access to the bucket
D.The policy contains a syntax error in the JSON
AnswerC

The second statement allows any principal to put objects, which is a security risk.

Why this answer

Option C is correct because the S3 bucket policy contains a Principal element set to "*" with an Effect of "Allow" on the s3:PutObject action, which grants unauthenticated write access to the bucket. This means anyone on the internet can upload objects without any authentication, leading to potential data corruption, storage cost abuse, or malware hosting. The policy does not include any condition (e.g., aws:SourceIp or aws:SecureTransport) to restrict the write operation, making it a critical security misconfiguration.

Exam trap

ISC2 often tests the distinction between read and write permissions in S3 bucket policies, and the trap here is that candidates focus on the read access being restricted (Option A) or missing encryption (Option B) while overlooking the glaring unauthenticated write access.

How to eliminate wrong answers

Option A is wrong because restricting read access to a specific role is a security best practice (least privilege), not too permissive; the issue is with write access, not read. Option B is wrong because server-side encryption is not enforced by the bucket policy itself—it is a separate bucket setting or can be enforced via a condition key (e.g., s3:x-amz-server-side-encryption) in the policy, but its absence is not the flagged security issue here. Option D is wrong because the JSON syntax appears valid (no missing commas, brackets, or quotes) based on the exhibit; the policy is syntactically correct but semantically flawed.

107
MCQeasy

Which of the following is the best way to protect a web application from cross-site scripting (XSS) attacks?

A.Encode all output that is rendered in HTML.
B.Implement a Content Security Policy (CSP) as the sole defense.
C.Use a combination of input validation, output encoding, and Content Security Policy.
D.Validate all user input on the server side.
AnswerC

Defense in depth reduces the risk of XSS.

Why this answer

Option C is correct because cross-site scripting (XSS) attacks exploit multiple vectors, and no single defense is sufficient. Input validation prevents malicious payloads from being stored or processed, output encoding ensures that any residual dangerous characters are rendered inert in the HTML context, and Content Security Policy (CSP) provides a robust, browser-enforced layer that can block inline scripts and restrict script sources even if other defenses fail. This defense-in-depth approach aligns with the OWASP XSS prevention cheat sheet and is the recommended strategy for cloud-hosted web applications.

Exam trap

ISC2 often tests the misconception that a single security control (like output encoding or CSP alone) is sufficient, when the correct answer always requires a defense-in-depth combination of input validation, output encoding, and CSP.

How to eliminate wrong answers

Option A is wrong because output encoding alone does not prevent XSS in all contexts (e.g., JavaScript event handlers, CSS, or URL contexts require context-specific encoding) and does not address stored XSS where the payload is executed before encoding is applied. Option B is wrong because implementing CSP as the sole defense is insufficient; CSP can be bypassed if the application has JSONP endpoints, unsafe-inline fallbacks, or misconfigured directives, and it does not remediate existing XSS vulnerabilities in the application code. Option D is wrong because server-side input validation alone cannot stop XSS; it can be bypassed with encoding variations (e.g., double URL encoding, Unicode escapes) and does not protect against reflected or DOM-based XSS where the payload is generated client-side without server validation.

108
MCQhard

A cloud security engineer needs to ensure that a containerized application running in a Kubernetes cluster securely stores and rotates database credentials. Which is the most appropriate solution?

A.Store credentials as environment variables in the pod manifest
B.Embed credentials in the container image during build
C.Use a secrets management system integrated with Kubernetes, such as HashiCorp Vault with CSI driver
D.Use Kubernetes Secrets without encryption at rest
AnswerC

Vault provides secure storage, dynamic credentials, and rotation.

Why this answer

Option C is correct because HashiCorp Vault integrated with the Kubernetes CSI (Container Storage Interface) driver allows dynamic, short-lived database credentials to be injected into pods as volumes, enabling automatic rotation without application changes. This approach ensures secrets are never stored in the cluster's etcd or exposed in environment variables, aligning with the principle of least privilege and compliance requirements for credential rotation.

Exam trap

ISC2 often tests the misconception that Kubernetes Secrets are inherently secure because they are base64-encoded, but the trap is that base64 is not encryption, and without encryption at rest or an external secrets manager, they are vulnerable to etcd compromise.

How to eliminate wrong answers

Option A is wrong because storing credentials as environment variables in the pod manifest exposes them in plaintext in the cluster's etcd and in any logs or dumps that capture environment variables, violating security best practices for secret management. Option B is wrong because embedding credentials in the container image during build makes them immutable and accessible to anyone with image pull access, preventing rotation without rebuilding and redeploying the image. Option D is wrong because Kubernetes Secrets without encryption at rest store secrets in base64-encoded plaintext in etcd, which is not secure against unauthorized access to the underlying storage, and they lack native rotation capabilities.

109
MCQhard

A cloud security engineer is configuring an AWS Lambda function that processes messages from an Amazon SQS queue. The function needs to write results to a DynamoDB table. Which of the following is the SECUREST way to manage the function's credentials?

A.Use AWS Secrets Manager to store credentials and retrieve them at runtime
B.Store the database credentials as ciphertext in the Lambda environment variables
C.Attach an IAM execution role to the Lambda function with fine-grained permissions for SQS and DynamoDB
D.Create an IAM user with Access Key and Secret Key and pass them to the function via encrypted environment variables
AnswerC

This follows least privilege and avoids any static credentials.

Why this answer

Option C is correct because AWS Lambda natively supports IAM execution roles, which provide temporary, automatically rotated credentials via the AWS Security Token Service (STS). By attaching an execution role with fine-grained permissions for SQS (e.g., sqs:ReceiveMessage) and DynamoDB (e.g., dynamodb:PutItem), the function never needs to manage long-lived secrets, eliminating the risk of credential leakage or rotation failures.

Exam trap

ISC2 often tests the misconception that storing encrypted credentials in environment variables or using a secrets manager is always the most secure approach, but for AWS-native services, IAM execution roles are the recommended and most secure method because they eliminate the need for any static, long-lived credentials.

How to eliminate wrong answers

Option A is wrong because AWS Secrets Manager is designed for storing secrets like database passwords, but for AWS-native services (SQS, DynamoDB), IAM roles are the securest and simplest approach; using Secrets Manager adds unnecessary complexity and cost without improving security. Option B is wrong because storing credentials as ciphertext in Lambda environment variables still requires the function to have a decryption key (e.g., KMS key) and manage the decryption process, which is less secure than using an IAM role that never exposes static credentials. Option D is wrong because creating an IAM user with long-lived Access Key and Secret Key violates the principle of least privilege and introduces static credentials that must be rotated, encrypted, and managed, whereas an IAM execution role provides temporary credentials that are automatically rotated and scoped to the function's execution.

110
MCQmedium

A company develops a microservices application and wants to ensure secrets such as API keys and database credentials are not exposed in container images. Which approach best meets this requirement?

A.Hardcode secrets in the application code and obfuscate with encryption.
B.Use a secrets management service such as HashiCorp Vault to inject secrets at runtime.
C.Pass secrets as environment variables during container deployment.
D.Store secrets in a separate configuration file within the image.
AnswerB

Secrets are never stored in the image and are dynamically injected.

Why this answer

Option B is correct because a secrets management service like HashiCorp Vault allows secrets to be dynamically injected into containers at runtime, ensuring they never reside in the image. This approach decouples secrets from the application artifact, adhering to the principle of least privilege and immutable infrastructure. Vault can inject secrets via sidecar containers, init containers, or API calls, preventing exposure in image layers or configuration files.

Exam trap

ISC2 often tests the misconception that environment variables are a secure way to pass secrets because they are not in the image, but the trap is that environment variables are still exposed in the container's runtime environment and orchestration metadata, making them vulnerable to leakage via logs, debugging tools, or misconfigured RBAC.

How to eliminate wrong answers

Option A is wrong because hardcoding secrets in application code, even with obfuscation, is insecure—encryption keys must still be stored somewhere, and obfuscation can be reversed, violating the core security principle of not embedding secrets in code. Option C is wrong because passing secrets as environment variables during deployment, while better than hardcoding, still exposes them in the container's process list, logs, and orchestration metadata, and they can be read from the host or via /proc. Option D is wrong because storing secrets in a separate configuration file within the image means the secrets are baked into the image layers, making them accessible to anyone who can pull the image, and they persist in registries and caches.

111
MCQmedium

A DevSecOps team is integrating static application security testing (SAST) into their CI/CD pipeline. Which of the following is the PRIMARY benefit of performing SAST during the build phase rather than later in the pipeline?

A.It identifies runtime vulnerabilities such as SQL injection
B.It reduces false positives compared to dynamic analysis
C.It enables early detection of vulnerabilities before deployment
D.It scans running applications to find configuration issues
AnswerC

Early detection in the build phase prevents vulnerable code from reaching production.

Why this answer

Performing SAST during the build phase allows the team to identify security vulnerabilities in the source code before the application is compiled, packaged, or deployed. This early detection reduces the cost and effort of remediation because issues are found at the point of code creation, not after deployment. The primary benefit is shifting security left to catch defects before they reach production.

Exam trap

ISC2 often tests the concept of 'shift left' security, and the trap here is confusing SAST's static analysis capability with runtime detection, leading candidates to incorrectly choose options that describe dynamic or runtime testing benefits.

How to eliminate wrong answers

Option A is wrong because SAST analyzes source code statically and cannot identify runtime vulnerabilities like SQL injection that depend on dynamic input and database interaction; those are better detected by DAST or IAST. Option B is wrong because SAST often produces more false positives than dynamic analysis due to its lack of runtime context, not fewer. Option D is wrong because SAST does not scan running applications; it scans source code or binaries without execution, whereas configuration issues in running apps are found by tools like configuration scanning or DAST.

← PreviousPage 2 of 2 · 111 questions total

Ready to test yourself?

Try a timed practice session using only Cloud Application Security questions.