CCNA Cloud Data Security Questions

45 of 120 questions · Page 2/2 · Cloud Data Security · Answers revealed

76 · Multi-Select · medium

Which TWO of the following are effective strategies for protecting sensitive data in a public cloud environment?

Select 2 answers
A. Using the same encryption key for all data to simplify key management.
B. Storing encryption keys in the same storage bucket as the encrypted data.
C. Consolidating all sensitive data into a single storage bucket for easier management.
D. Data masking to obscure sensitive fields in non-production environments.
E. Tokenization to replace sensitive data with non-sensitive placeholders.
Answers: D, E

Correct. Data masking protects data in development and testing.

Why this answer

D (data masking) and E (tokenization) are both common techniques. B (storing encryption keys with the data they protect) is insecure. C (consolidating all sensitive data into one bucket) violates least privilege. A (using the same key for all data) is poor practice.

77 · MCQ · medium

A company wants to encrypt data at rest in a cloud object storage service. They require that the cloud provider has no access to the encryption keys. Which key management approach should they use?

A. Server-side encryption with customer-managed keys stored in a cloud HSM
B. Client-side encryption
C. Server-side encryption with cloud-managed keys
D. Server-side encryption with envelope encryption
Answer: B

Encryption happens on the client side; cloud provider never sees the keys.

Why this answer

Client-side encryption (B) is the correct approach because the data is encrypted before it is sent to the cloud provider, ensuring that the cloud provider never has access to the plaintext data or the encryption keys. With server-side encryption, even if the keys are customer-managed and stored in a cloud HSM (A), the encryption and decryption operations occur on the provider's infrastructure, meaning the provider's software stack could theoretically access the keys or plaintext. Options C and D also involve server-side operations, where the cloud provider manages or processes the keys, violating the requirement that the provider has no access to the keys.

Exam trap

The trap here is that candidates confuse 'customer-managed keys' (CMK) with 'client-side encryption,' assuming that storing keys in a cloud HSM (A) prevents provider access, but the CCSP exam emphasizes that server-side encryption inherently involves the provider's infrastructure in the encryption process, which violates the 'no access' requirement.

How to eliminate wrong answers

Option A is wrong because server-side encryption with customer-managed keys stored in a cloud HSM still requires the cloud provider's infrastructure to perform the encryption/decryption operations, and the provider's HSM service may have administrative access to the keys. Option C is wrong because server-side encryption with cloud-managed keys explicitly gives the cloud provider full control over the keys, directly violating the requirement. Option D is wrong because server-side encryption with envelope encryption still involves the cloud provider managing the key encryption key (KEK) and performing the encryption/decryption on its servers, so the provider retains access to the data encryption key (DEK) during processing.

78 · MCQ · hard

A large enterprise is migrating its data center workloads to a public cloud. The security policy requires that all sensitive data stored in cloud storage services be encrypted with keys managed by the enterprise's on-premises HSM. The cloud storage service offers server-side encryption with customer-provided keys (SSE-C). However, compliance regulations prohibit the transmission of encryption keys over the public internet. The enterprise also has a dedicated network connection to the cloud provider (e.g., AWS Direct Connect). The security team is considering several options. Which solution meets all requirements: (1) data encrypted at rest on the cloud service, (2) keys controlled by the enterprise, (3) keys never transmitted over the internet?

A. Use a cloud-based HSM (e.g., AWS CloudHSM) and keep the key material in the cloud HSM.
B. Use SSE-C with the enterprise's HSM, sending keys over the dedicated connection (Direct Connect) as it is private.
C. Use server-side encryption with KMS using an imported key material protected by the enterprise's HSM, accessed via KMS API over the dedicated connection.
D. Use client-side encryption on-premises before uploading data, using keys from the HSM.
Answer: D

Keys never leave the on-premises HSM; only encrypted data is sent.

Why this answer

Option D is correct because client-side encryption encrypts data on-premises using keys from the enterprise's HSM before the data is ever transmitted to the cloud. This ensures the data is encrypted at rest in the cloud, the enterprise retains full control of the keys, and the keys never traverse any network—public or private—to the cloud provider. The dedicated connection (Direct Connect) is irrelevant for key transmission since the keys never leave the on-premises HSM.

Exam trap

ISC2 often tests the misconception that a private or dedicated network connection (like Direct Connect) satisfies a 'no transmission over the internet' requirement, but the trap here is that the regulation prohibits any network transmission of keys, not just over the public internet, so even a private link is disallowed if keys are sent over it.

How to eliminate wrong answers

Option A is wrong because a cloud-based HSM (e.g., AWS CloudHSM) stores and manages the key material inside the cloud provider's environment rather than in the enterprise's on-premises HSM, violating the requirement that keys be managed by the on-premises HSM. Option B is wrong because SSE-C requires the customer to supply the encryption key with each API call (e.g., PUT Object); even over a private Direct Connect link the key is still transmitted over a network, which the compliance regulation prohibits (it forbids transmission of keys over any network, not just the public internet). Option C is wrong because using KMS with imported key material still requires the key to be sent to the KMS service via API calls over the dedicated connection, after which KMS, not the enterprise's on-premises HSM, stores and manages the key; the enterprise loses direct control and the key has crossed the network.

79 · Multi-Select · medium

A cloud security team is implementing a data discovery and classification program for their SaaS applications. Which TWO statements accurately describe best practices for data classification in the cloud?

Select 2 answers
A. Manual classification by users is more accurate than automated methods in large-scale cloud environments.
B. Tokenization can replace data classification by eliminating the need to identify sensitive data.
C. Automated tools can scan cloud storage and apply classification labels based on content inspection.
D. Data loss prevention (DLP) policies can enforce classification by monitoring and controlling data in motion and at rest.
E. Data classification labels must be applied by the cloud service provider to ensure consistency.
Answers: C, D

Correct: Automated tools are effective for identifying and labeling sensitive data across cloud environments.

Why this answer

Automated tools can efficiently scan cloud storage for sensitive data, and DLP policies can enforce classification during data usage. Manual classification is not more accurate than automated for large-scale cloud data, classification labels are not solely applied by the provider, and tokenization is a separate technique.

80 · MCQ · medium

A company is designing a data retention policy for cloud storage. Regulatory requirements mandate that certain records be kept for 7 years and then securely destroyed. Which combination of controls should be used?

A. Lifecycle policy and secure deletion
B. Data masking and encryption
C. Versioning and MFA delete
D. Lifecycle policy and object lock
Answer: A

Lifecycle policy automates deletion; cloud providers ensure secure deletion.

Why this answer

A lifecycle policy automates the transition and expiration of objects, allowing you to set a rule to delete objects after 7 years. Secure deletion (e.g., overwriting or cryptographic erasure) ensures the data is irrecoverable, meeting the regulatory requirement for secure destruction. Together, they provide a fully automated, auditable process for retention and destruction.

Exam trap

ISC2 often tests the distinction between 'preventing deletion' (object lock) and 'ensuring secure destruction' (secure deletion), leading candidates to choose object lock because it sounds like it handles retention, but it does not guarantee irrecoverable deletion after the retention period ends.

How to eliminate wrong answers

Option B is wrong because data masking and encryption protect data at rest or in use but do not automate deletion or ensure secure destruction after a retention period. Option C is wrong because versioning preserves multiple versions of an object, which could prevent complete deletion, and MFA delete only adds an extra authentication step to deletion operations, not secure destruction. Option D is wrong because object lock enforces a write-once-read-many (WORM) model that prevents deletion or modification during a retention period, but it does not provide secure deletion (e.g., overwriting or cryptographic erasure) after the lock expires; it only allows normal deletion, which may leave recoverable data.

81 · Multi-Select · easy

Which TWO of the following are valid data states that must be protected in cloud computing?

Select 2 answers
A. Data encryption
B. Data at rest
C. Data in transit
D. Data integrity
E. Data in database
Answers: B, C

Data at rest is a standard state requiring protection.

Why this answer

In cloud computing, data exists in three primary states: at rest (stored on disk or in memory), in transit (moving across networks), and in use (being processed). The CCSP exam specifically identifies 'data at rest' and 'data in transit' as the two fundamental data states that require protection through encryption, access controls, and integrity mechanisms. Option B is correct because data at rest refers to inactive data stored physically on any digital device, such as databases, backups, or archives, and must be safeguarded against unauthorized access or theft.

Exam trap

ISC2 often tests the distinction between security controls (like encryption or integrity) and the actual data states that must be protected, causing candidates to confuse a protection mechanism with a state classification.

82 · MCQ · medium

A multinational corporation operates across multiple cloud providers (AWS, Azure, GCP) and uses a variety of data storage services. They have a requirement to enforce a consistent encryption policy across all providers: all data at rest must be encrypted using a centrally managed key that is rotated every 90 days. The cloud security team is evaluating different key management solutions. They want to minimize operational overhead and avoid vendor lock-in. The team has experience with configuring cloud-native key management services (KMS) but is concerned about managing keys across different regions and providers. Which solution best meets the requirements?

A. Deploy a third-party cloud-agnostic key management solution that supports BYOK and integrates with all providers' KMS
B. Use each cloud provider's native KMS and create identical key policies manually
C. Store the key in an internal secrets manager and configure each provider's KMS to use that key as a root key
D. Implement client-side encryption using a single master key stored in the application configuration
Answer: A

Centralized policy management, consistent enforcement, and reduces vendor lock-in.

Why this answer

Option A is correct because a third-party cloud-agnostic key management solution (e.g., HashiCorp Vault, Thales CipherTrust) that supports Bring Your Own Key (BYOK) allows the organization to centrally manage and rotate a single root key every 90 days, while integrating with each provider's native KMS via external key stores (e.g., AWS KMS custom key store, Azure Key Vault managed HSM, GCP Cloud HSM). This minimizes operational overhead by avoiding manual per-provider policy replication and prevents vendor lock-in by decoupling key management from any single cloud provider's proprietary KMS.

Exam trap

ISC2 often tests the misconception that cloud-native KMS services can be centrally managed by simply replicating policies or using an internal secrets manager as a root key, but the trap is that cloud KMS does not allow external key material to be used as a root key for automatic rotation across providers—only a third-party agnostic solution with BYOK can enforce consistent, centrally controlled rotation.

How to eliminate wrong answers

Option B is wrong because manually creating identical key policies across AWS, Azure, and GCP KMS does not centralize key management; each provider's KMS would still use its own independent key material, making consistent rotation every 90 days operationally complex and error-prone. Option C is wrong because storing the key in an internal secrets manager and configuring each provider's KMS to use that key as a root key is technically infeasible—cloud-native KMS services do not accept external keys as root keys; they require keys to be imported as customer-managed keys (CMKs) but still manage them independently, and the secrets manager cannot enforce rotation across all providers' KMS. Option D is wrong because client-side encryption using a single master key stored in application configuration violates the requirement for centrally managed key rotation (the key would be static in config files) and introduces significant security risks, such as key exposure in code repositories or configuration management systems.

83 · MCQ · medium

A financial services company is migrating to the cloud and must retain transaction records for seven years for regulatory compliance. They plan to use object storage with lifecycle policies. What is the most secure configuration for long-term data retention?

A. Configure a lifecycle policy to transition to archive storage after seven years
B. Enable object lock with retention mode set to compliance
C. Store objects in write-once-read-many (WORM) storage class
D. Use server-side encryption with KMS key
Answer: B

Compliance lock prevents any deletion or modification until the retention period expires.

Why this answer

Option B is correct because Object Lock with compliance retention mode provides the strongest guarantee against data modification or deletion, even by root users. This mode ensures that once an object is written, it cannot be overwritten or deleted until the retention period expires, which is critical for meeting the seven-year regulatory retention requirement. Unlike other options, compliance mode enforces a legal hold that cannot be removed by any user, including cloud administrators, making it the most secure configuration for immutable long-term retention.

Exam trap

ISC2 often tests the distinction between data protection mechanisms (encryption, lifecycle policies) and data immutability (Object Lock with compliance mode), leading candidates to choose encryption or archive transitions as sufficient for retention requirements.

How to eliminate wrong answers

Option A is wrong because transitioning to archive storage after seven years does not prevent deletion or modification during the retention period; lifecycle policies only move data between tiers but do not enforce immutability, so records could be altered or deleted before the seven-year mark. Option C is wrong because while WORM storage classes (e.g., S3 Glacier Instant Retrieval with Object Lock) can provide immutability, the term 'WORM storage class' is ambiguous and not a specific service; the correct implementation requires Object Lock with a retention mode, not just a storage class. Option D is wrong because server-side encryption with KMS key protects data at rest and in transit but does not prevent deletion or overwriting of objects; encryption alone does not enforce retention or immutability, so records could still be deleted before seven years.

84 · MCQ · hard

A security architect applies the above bucket policy to an Amazon S3 bucket containing sensitive data. What is the net effect of this policy?

A. It denies all PutObject requests, regardless of encryption.
B. It denies all PutObject requests that do not specify an encryption header, enforcing encryption at rest.
C. It allows only PutObject requests using SSE-KMS (AWS KMS managed keys).
D. It allows PutObject requests only from principals that use an IAM role with encryption permissions.
Answer: B

Correct: The Deny with Null condition blocks requests where the encryption header is null (missing), thus requiring encryption.

Why this answer

The bucket policy uses a condition key `s3:x-amz-server-side-encryption` with a `StringNotEquals` condition to deny `PutObject` requests that do not include the `x-amz-server-side-encryption` header set to `AES256`. This effectively denies any upload that does not specify server-side encryption with S3-Managed Keys (SSE-S3), enforcing encryption at rest for all objects written to the bucket.

Exam trap

ISC2 often tests the distinction between SSE-S3 (`AES256`) and SSE-KMS (`aws:kms`) in bucket policy conditions, leading candidates to confuse the required header value and incorrectly select an option involving KMS.

How to eliminate wrong answers

Option A is wrong because the policy does not deny all PutObject requests; it only denies those that lack the required encryption header, so requests that include the correct encryption header are allowed. Option C is wrong because the policy requires the encryption header value `AES256`, which corresponds to SSE-S3, not SSE-KMS (which would require `aws:kms`). Option D is wrong because the policy does not reference IAM roles or encryption permissions; it only checks for the presence and value of the encryption header, regardless of the principal's IAM role.
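The exhibit for this question is not reproduced on the page, so the following is an added example, not the exhibit: a bucket policy written to match the description above (deny `PutObject` unless `x-amz-server-side-encryption` is `AES256`), paired with a small evaluator for the two condition operators the explanation mentions, `Null` and `StringNotEquals`. The evaluator is not AWS's policy engine; it models only the explicit-deny side of IAM evaluation, and the bucket ARN and sample requests are constructed.

```python
"""Added example: S3 bucket policy enforcing SSE-S3 on uploads, plus a
minimal evaluator for the Null and StringNotEquals condition operators.
Not AWS's policy engine; explicit-deny evaluation only."""

# Placeholder bucket ARN (constructed for this example).
BUCKET_ARN = "arn:aws:s3:::example-sensitive-bucket"

ENFORCE_SSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Null=true matches when the header is absent: block unencrypted uploads.
            "Sid": "DenyMissingEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {
            # StringNotEquals matches any value other than AES256 (e.g. aws:kms).
            "Sid": "DenyWrongEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}
            },
        },
    ],
}


def _condition_matches(operator: str, expected: dict, request_keys: dict) -> bool:
    """Evaluate one condition block against the request's context keys.

    Follows the IAM rules for the two operators used above:
    - Null: "true" matches when the key is absent, "false" when it is present.
    - StringNotEquals: a negated operator, so an absent key also matches.
    """
    results = []
    for key, value in expected.items():
        present = key in request_keys
        if operator == "Null":
            results.append(present != (value == "true"))
        elif operator == "StringNotEquals":
            results.append((not present) or request_keys[key] != value)
        else:
            raise ValueError(f"operator not modelled in this example: {operator}")
    return all(results)


def evaluate_put_object(policy: dict, request_keys: dict) -> str:
    """Return "Deny" if any Deny statement for s3:PutObject matches, else "Allow".

    A real request would additionally need an Allow from IAM or the bucket
    policy; that side of evaluation is deliberately left out here.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, exp, request_keys) for op, exp in conditions.items()):
            return "Deny"
    return "Allow"


# Constructed PutObject requests: no header, an SSE-KMS header, an SSE-S3 header.
SAMPLE_REQUESTS = {
    "unencrypted": {},
    "sse_kms": {"s3:x-amz-server-side-encryption": "aws:kms"},
    "sse_s3": {"s3:x-amz-server-side-encryption": "AES256"},
}


def decisions() -> dict:
    """Policy verdict for each sample request."""
    return {name: evaluate_put_object(ENFORCE_SSE_POLICY, keys)
            for name, keys in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:12s} -> {verdict}")
```

Because `StringNotEquals` is a negated operator, the second statement alone already denies a request with no header at all; the `Null` statement makes that intent explicit, which is why the two formulations in the explanation above have the same net effect. A request carrying `aws:kms` is denied by the second statement, which is the distinction behind ruling out option C.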

85 · Multi-Select · easy

Which TWO of the following are benefits of using tokenization for credit card data?

Select 2 answers
A. Maintains data format for existing systems
B. Reversible without a key vault
C. Reduces PCI DSS compliance scope
D. Eliminates the need for encryption
E. Slows down database queries
Answers: A, C

Tokens can preserve format, aiding integration.

Why this answer

Tokenization replaces sensitive credit card data with a non-sensitive token that retains the same format (e.g., a 16-digit number) and length, allowing existing systems, databases, and applications to process the token without modification. This format-preserving property ensures that legacy systems, such as payment gateways or CRM platforms, can continue to operate without requiring costly re-engineering. By using a token instead of the actual PAN, the organization reduces the scope of PCI DSS compliance because the tokenized data is not considered cardholder data under the PCI DSS standard.

Exam trap

ISC2 often tests the misconception that tokenization eliminates the need for encryption entirely, but the correct understanding is that tokenization reduces PCI DSS scope while encryption (for the vault and transit) remains essential.

86 · MCQ · hard

A company uses a cloud key management service (KMS) and wants to ensure that keys can be used only within a specific geographic region. Which of the following should be configured?

A. VPC endpoint for KMS
B. CloudTrail logging
C. Key policy with a condition for allowed regions
D. Key rotation policy
Answer: C

Key policies with conditions can restrict use to specific regions.

Why this answer

Option C is correct because a key policy with a condition using the `kms:CallerRegion` or `aws:RequestedRegion` condition key can explicitly restrict the geographic region where the KMS key can be used. This ensures that any cryptographic operation (e.g., Encrypt, Decrypt) attempted from an unauthorized region is denied, enforcing regional data sovereignty requirements.

Exam trap

ISC2 often tests the distinction between network-level controls (like VPC endpoints) and policy-level controls (like key policy conditions), leading candidates to mistakenly choose VPC endpoints for geographic restrictions when only a condition-based policy can enforce regional key usage.

How to eliminate wrong answers

Option A is wrong because a VPC endpoint for KMS only restricts network access to the KMS API via a private IP within a VPC, but does not enforce geographic region restrictions on key usage; the key could still be used from any region if the request reaches the endpoint. Option B is wrong because CloudTrail logging records API calls for auditing but does not enforce any access control or geographic restriction on key usage. Option D is wrong because a key rotation policy controls how often the key material is rotated, not where the key can be used; it has no effect on geographic restrictions.

87 · MCQ · easy

A company is deploying a cloud application that processes credit card transactions. Which standard must they comply with regarding data security?

A. GDPR
B. PCI DSS
C. HIPAA
D. ISO 27001
Answer: B

PCI DSS applies to credit card data handling.

Why this answer

PCI DSS (Payment Card Industry Data Security Standard) is the mandatory security standard for any organization that handles credit card transactions. It defines strict requirements for protecting cardholder data, including encryption, access control, and network segmentation. Since the application processes credit card transactions, compliance with PCI DSS is legally and contractually required.

Exam trap

ISC2 often tests the distinction between mandatory regulatory standards (like PCI DSS) and voluntary frameworks (like ISO 27001), leading candidates to mistakenly choose ISO 27001 because it is a well-known security standard.

How to eliminate wrong answers

Option A is wrong because GDPR (General Data Protection Regulation) governs the protection of personal data of EU citizens, not specifically credit card transaction security. Option C is wrong because HIPAA (Health Insurance Portability and Accountability Act) applies to protected health information (PHI) in healthcare, not payment card data. Option D is wrong because ISO 27001 is a voluntary international standard for information security management systems (ISMS), not a mandatory compliance requirement for credit card processing.

88 · MCQ · hard

The exhibit shows a key policy for a customer master key (CMK) in a cloud KMS. An administrator wants to prevent the AppRole from using the key to decrypt data. Which change to the policy would accomplish this?

A. Add a deny statement for AppRole with effect "Deny" for kms:Decrypt.
B. Remove the entire "Allow use of the key" statement.
C. Change the AppRole action list to include only kms:Encrypt.
D. Remove "kms:Decrypt" from the action list in the AppRole statement.
Answer: D

Decrypt is the specific action needed for decryption. Removing it prevents decryption but allows encryption.

Why this answer

Option D is correct because the AppRole's current policy statement explicitly includes 'kms:Decrypt' in the action list, granting it permission to decrypt data. By removing 'kms:Decrypt' from that action list, the AppRole retains its other allowed actions (such as kms:Encrypt) but can no longer perform decryption operations. This is the most precise and least disruptive change, as it only removes the specific permission needed to prevent decryption without affecting other allowed actions.

Exam trap

ISC2 often tests the principle of least privilege and the precise modification of permissions, where candidates may incorrectly choose to add a deny statement (Option A) instead of simply removing the specific action from the allow list, misunderstanding that an explicit deny is not the most efficient or correct way to revoke a permission that was previously granted.

How to eliminate wrong answers

Option A is wrong because adding a deny statement for kms:Decrypt would create an explicit deny, which in IAM policy evaluation logic overrides any allow, but it is unnecessarily complex and could introduce unintended conflicts; the simpler and more direct approach is to remove the permission from the allow statement. Option B is wrong because removing the entire 'Allow use of the key' statement would revoke all permissions for the AppRole, including necessary actions like kms:Encrypt, which is overly broad and not the minimal change required. Option C is wrong because changing the action list to include only kms:Encrypt would also remove kms:Decrypt, but it would also remove any other actions currently allowed (e.g., kms:GenerateDataKey, kms:DescribeKey) that might be needed; the question specifically asks to prevent decryption, so removing only kms:Decrypt is more targeted.

89 · MCQ · easy

A DevOps engineer runs the above command and gets the error. What is the MOST likely missing permission?

A. storage.buckets.get
B. storage.buckets.list
C. storage.objects.get
D. storage.objects.list
Answer: D

List permission is required to list objects in a bucket.

Why this answer

The command likely involves listing objects within a bucket (e.g., `gsutil ls` or an equivalent `GET /b/{bucket}/o` API call). The error indicates the principal lacks the `storage.objects.list` permission, which is required to enumerate objects in a bucket. Without this permission, the API returns a 403 Forbidden error even if the principal has other storage permissions.

Exam trap

ISC2 often tests the distinction between object-level permissions (like `storage.objects.get`) and bucket-level listing permissions (like `storage.objects.list`), trapping candidates who assume read access to objects implies the ability to list them.

How to eliminate wrong answers

Option A is wrong because `storage.buckets.get` is needed to retrieve bucket metadata (e.g., IAM configuration, location), not to list objects. Option B is wrong because `storage.buckets.list` is required to list all buckets in a project, not objects within a specific bucket. Option C is wrong because `storage.objects.get` is needed to read a specific object's data or metadata, not to list objects in a bucket.

90 · MCQ · hard

A healthcare organization wants to perform analytics on encrypted patient data without decrypting it first, to maintain privacy. Which cryptographic technique supports this use case?

A. Homomorphic encryption
B. Tokenization
C. Format-preserving encryption (FPE)
D. Cryptographic hashing
Answer: A

Allows computation on encrypted data without decryption.

Why this answer

Homomorphic encryption allows computations to be performed directly on ciphertext, producing an encrypted result that, when decrypted, matches the result of operations performed on the plaintext. This enables the healthcare organization to run analytics on encrypted patient data without ever exposing the underlying sensitive information, thus preserving privacy throughout the processing lifecycle.

Exam trap

ISC2 often tests the distinction between 'processing on encrypted data' and 'protecting data at rest or in transit'—candidates mistakenly choose FPE or tokenization because they see 'encrypted' or 'token' and assume it supports analytics, but neither allows computation without decryption.

How to eliminate wrong answers

Option B (Tokenization) is wrong because it replaces sensitive data with non-sensitive tokens, but the original data must be stored in a separate vault and analytics cannot be performed on the tokens without detokenization, which breaks the 'no decryption' requirement. Option C (Format-preserving encryption) is wrong because it produces ciphertext that retains the original data format (e.g., 16-digit credit card numbers), but all operations require decryption first; it does not support computation on encrypted data. Option D (Cryptographic hashing) is wrong because it is a one-way function that cannot be reversed, and it does not allow any meaningful analytics on the hash values (e.g., you cannot compute an average or sum of hashed patient ages).

91 · MCQ · hard

A company uses a hybrid cloud architecture with on-premises key management and cloud services. They need to ensure that encryption keys used for cloud data are never exposed to the cloud provider. Which key management approach best meets this requirement?

A. Use the cloud provider's native key management service
B. Store keys in a cloud key vault with access logs
C. Use a BYOK solution with an on-premises HSM and key caching
D. Deploy a cloud-based HSM and store keys only there
Answer: C

BYOK keeps key generation and the key lifecycle outside the cloud.

Why this answer

Option C is correct because a Bring Your Own Key (BYOK) solution with an on-premises Hardware Security Module (HSM) allows the company to generate and store encryption keys locally, then securely transfer them to the cloud for use without exposing the raw key material to the cloud provider. Key caching ensures that the cloud service can perform operations without the provider ever having persistent access to the plaintext keys, meeting the requirement that keys are never exposed to the cloud provider.

Exam trap

ISC2 often tests the misconception that a cloud-based HSM (Option D) is equivalent to on-premises key control, but the trap is that any key stored in the cloud provider's infrastructure is still accessible to the provider, whereas BYOK with an on-premises HSM ensures the provider never has access to the plaintext key material.

How to eliminate wrong answers

Option A is wrong because using the cloud provider's native key management service means the provider generates, stores, and manages the keys, giving them full access to the key material and violating the requirement. Option B is wrong because storing keys in a cloud key vault with access logs still places the keys under the cloud provider's control and infrastructure, exposing them to the provider's administrators and potential breaches. Option D is wrong because deploying a cloud-based HSM and storing keys only there still means the keys reside within the cloud provider's environment, subject to their physical and logical access controls, thus exposing the keys to the provider.

92 · Multi-Select · easy

A company needs to ensure that data stored in the cloud is securely deleted when no longer needed. Which TWO of the following are secure deletion methods? (Choose two.)

Select 2 answers
A. Cryptographic erasure (destroying encryption keys)
B. Deleting the file metadata
C. Multiple overwrite of the storage blocks
D. Wiping the swap space
E. Degaussing the storage medium
Answers: A, C

Without the key, encrypted data is unrecoverable.

Why this answer

Cryptographic erasure renders data unrecoverable by securely destroying the encryption keys used to encrypt the data at rest. Without the keys, the ciphertext becomes effectively indecipherable, even if the underlying storage blocks remain intact. This method is recognized by NIST SP 800-88 as a valid sanitization technique for cloud environments where physical access to storage is limited.

Exam trap

ISC2 often tests the distinction between logical deletion (e.g., deleting metadata) and secure deletion, and candidates mistakenly choose 'deleting file metadata' because they confuse it with secure file deletion in operating systems, ignoring that cloud storage APIs do not guarantee physical block erasure.
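The following added example (not from the page or any provider's SDK) ties together the KEK/DEK envelope model from question 77 and cryptographic erasure from question 92: each object gets its own data encryption key (DEK), every DEK is stored only wrapped under a key encryption key (KEK), and destroying the KEK makes every object unrecoverable even though the ciphertext blocks still exist. The cipher is a stand-in built from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag so the example runs with the standard library only; in practice a vetted AEAD such as AES-GCM should be used, and the KEK would live in a KMS or HSM. Object names and contents are constructed.

```python
"""Added example: envelope encryption (per-object DEK wrapped by a KEK) and
cryptographic erasure by destroying the KEK. The cipher below is a
standard-library stand-in for AES-GCM, not a production construction."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one master key (domain separation)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise ValueError on a wrong key or tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class EnvelopeStore:
    """Object store where each object is sealed under its own DEK and the DEK
    is stored only sealed under the KEK. The KEK stands in for a KMS/HSM key."""

    def __init__(self) -> None:
        self._kek: Optional[bytes] = secrets.token_bytes(32)
        self._objects: Dict[str, bytes] = {}       # name -> sealed object bytes
        self._wrapped_deks: Dict[str, bytes] = {}  # name -> DEK sealed under the KEK

    def put(self, name: str, data: bytes) -> None:
        if self._kek is None:
            raise RuntimeError("KEK destroyed; store is read-only ciphertext")
        dek = secrets.token_bytes(32)               # fresh DEK per object
        self._objects[name] = seal(dek, data)
        self._wrapped_deks[name] = seal(self._kek, dek)

    def get(self, name: str) -> bytes:
        if self._kek is None:
            raise RuntimeError("KEK destroyed: ciphertext is unrecoverable")
        dek = unseal(self._kek, self._wrapped_deks[name])   # unwrap, then decrypt
        return unseal(dek, self._objects[name])

    def crypto_erase(self) -> None:
        """Cryptographic erasure: destroy the KEK. Ciphertext and wrapped DEKs
        may stay on disk indefinitely; without the KEK they are just noise."""
        self._kek = None

    def ciphertext_still_present(self, name: str) -> bool:
        return name in self._objects and name in self._wrapped_deks


if __name__ == "__main__":
    store = EnvelopeStore()
    store.put("record-1", b"constructed sample record")
    print(store.get("record-1"))
    store.crypto_erase()
    print("ciphertext still on disk:", store.ciphertext_still_present("record-1"))
```

This is why NIST SP 800-88 accepts cryptographic erasure where the storage blocks themselves cannot be reached: the control that matters is that the KEK was generated, held and destroyed under the data owner's control, and that no unwrapped DEK was ever persisted elsewhere. Destroying a single DEK instead of the KEK erases one object rather than the whole store.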

93
MCQeasy

After decommissioning a cloud database, a company is concerned about data remanence. They have overwritten all storage blocks with zeros. However, regulatory auditors require proof that the data is unrecoverable. What additional step should the company take?

A. Physically destroy the storage media
B. Shred the hard drives
C. Request a certificate of destruction from the cloud provider
D. Degauss the drives
Answer: C

Certification provides audit evidence of proper sanitization.

Why this answer

Option C is correct because most cloud providers offer a certificate of destruction that confirms data has been sanitized according to standards. Option A is wrong because physical destruction is not always possible in the cloud. Option D is wrong because degaussing is for magnetic media, not cloud storage. Option B is wrong because the provider typically does not provide the customer with raw disk drives to shred.

94
Multi-Select · medium

A cloud security team is implementing tokenization for a payment system. Which THREE statements correctly describe tokenization characteristics?

Select 3 answers
A. Tokenization uses encryption algorithms to protect data.
B. The original sensitive data is stored in a secure token vault.
C. The token is a randomly generated string with no mathematical relationship to the original data.
D. Tokens can be used for transactions without exposing the original data.
E. Tokenization is reversible using the token alone.
Answers: B, C, D

Correct: The mapping between token and original data is stored in a vault.

Why this answer

Option B is correct because tokenization replaces sensitive data (e.g., credit card numbers) with a token, and the original data is stored securely in a token vault. This vault is isolated and access-controlled, ensuring that only authorized systems can detokenize the data when needed. The vault is the authoritative source for mapping tokens back to original values, which is fundamental to tokenization's security model.

Exam trap

ISC2 often tests the misconception that tokenization is a form of encryption, but the key distinction is that tokenization uses a lookup table (vault) rather than a mathematical algorithm, making it non-reversible without vault access.

95
MCQ · medium

A company is storing sensitive customer data in an S3 bucket. They need to ensure data is encrypted at rest and that the encryption keys are managed by the cloud provider. Which encryption strategy should they use?

A. SSE-C (Server-Side Encryption with Customer-Provided Keys)
B. Client-side encryption
C. SSE-KMS (Server-Side Encryption with AWS KMS)
D. SSE-S3 (Server-Side Encryption with S3-Managed Keys)
Answer: D

SSE-S3 uses keys managed by AWS, meeting the requirement.

Why this answer

SSE-S3 (Server-Side Encryption with S3-Managed Keys) encrypts data at rest using AES-256, with the encryption keys fully managed by AWS. This meets the requirement for the cloud provider to handle key management without any customer involvement in key generation, storage, or rotation.

Exam trap

ISC2 often tests the distinction between 'managed by the provider' and 'managed by the customer' — candidates confuse SSE-KMS (customer-managed KMS keys) with provider-managed keys, but SSE-KMS still gives the customer control over key lifecycle, making SSE-S3 the only option where the provider fully manages keys.

How to eliminate wrong answers

Option A is wrong because SSE-C requires the customer to provide and manage their own encryption keys, which contradicts the requirement that the cloud provider manages the keys. Option B is wrong because client-side encryption occurs before data is sent to S3, meaning the customer manages the keys and encryption process, not the cloud provider. Option C is wrong because SSE-KMS uses AWS Key Management Service, which gives the customer control over key policies, rotation, and auditing, meaning the customer retains management responsibility even though AWS hosts the keys.

96
MCQ · medium

An organization uses cloud object storage for backup data and requires that once written, data cannot be modified or deleted for a specified retention period. Which feature should they enable?

A. Bucket versioning
B. Object lock with write-once-read-many (WORM) protection
C. Encryption at rest with customer-managed keys
D. Lifecycle management to expire old objects
Answer: B

Ensures immutability during retention period.

Why this answer

Object lock with WORM protection is the correct feature because it enforces a retention policy that prevents any user, including the root account, from modifying or deleting objects until the retention period expires. This is specifically designed for compliance requirements such as SEC 17a-4(f) and ensures data immutability at the object level, which bucket versioning, encryption, or lifecycle rules cannot guarantee.

Exam trap

ISC2 often tests the misconception that bucket versioning alone provides data immutability, but versioning only protects against accidental overwrites by preserving old versions, not against intentional deletion or modification of the current version.

How to eliminate wrong answers

Option A is wrong because bucket versioning preserves multiple versions of an object but does not prevent deletion or overwrite of the current version; it only allows recovery of previous versions, not immutability. Option C is wrong because encryption at rest with customer-managed keys protects data confidentiality but does not enforce any write-once or retention constraints; data can still be modified or deleted by authorized users. Option D is wrong because lifecycle management automates the transition or expiration of objects based on age or rules, but it does not prevent deletion or modification during the retention period; in fact, it can delete objects prematurely if misconfigured.

97
Multi-Select · medium

A company uses a cloud key management service (KMS) with automatic key rotation enabled. Which TWO statements about key rotation are true?

Select 2 answers
A. The key ID changes after each rotation.
B. The old key is immediately destroyed after rotation.
C. New key material is generated, and the old key material is retained for decryption.
D. Applications using the key continue to work without modification.
E. All data encrypted with the old key must be re-encrypted.
Answers: C, D

Correct: Automatic rotation creates a new version; the old version is kept for decryption.

Why this answer

Option C is correct because cloud KMS services (e.g., AWS KMS, Azure Key Vault) implement automatic key rotation by generating new cryptographic key material while retaining the old key material. This allows data encrypted with the previous key version to still be decrypted, as the old key material is not destroyed but simply marked as retired for encryption operations.

Exam trap

ISC2 often tests the misconception that key rotation changes the key identifier or requires immediate re-encryption, when in fact the key ID remains stable and old key material is preserved for decryption.

98
MCQ · medium

A software-as-a-service (SaaS) provider hosts customer data in a multi-tenant cloud environment. Each customer's data is stored in separate databases but shares a common infrastructure. A customer reports that they can see another customer's data in their application dashboard. The development team investigates and finds no application-level bugs. The security team suspects the issue is related to cloud data isolation. The provider uses a public cloud database service with separate schemas per customer. The database service uses shared compute resources. The provider's compliance team is concerned about data leakage between tenants. Which of the following is the MOST effective way to ensure data isolation in this environment?

A. Implement row-level security (RLS) on the database tables to restrict access based on customer ID.
B. Use application-level encryption with different keys per customer.
C. Enable database auditing and monitor for anomalies.
D. Move each customer to a separate database instance.
Answer: A

RLS provides fine-grained access control at the row level.

Why this answer

Row-level security (RLS) is the most effective because it enforces data isolation directly within the shared database engine, filtering rows based on the customer ID predicate. This prevents any cross-tenant data access even if the application layer is compromised or misconfigured, as the database itself evaluates the security policy on every query. Unlike encryption or auditing, RLS provides a deterministic access control mechanism that operates at the query execution level, ensuring that each tenant sees only their own data.

Exam trap

ISC2 often tests the misconception that encryption alone ensures data isolation, but encryption does not control access to the decrypted data once it is retrieved; the trap here is choosing application-level encryption (Option B) because it sounds security-focused, while RLS directly addresses the access control gap at the database layer.

How to eliminate wrong answers

Option B is wrong because application-level encryption with per-customer keys protects data at rest and in transit but does not prevent a query from returning another customer's encrypted data; the application could still decrypt it if the wrong key is used or if the key management is flawed. Option C is wrong because database auditing only logs access events for after-the-fact review; it does not prevent unauthorized data exposure in real time. Option D is wrong because moving each customer to a separate database instance would achieve isolation but is not the most effective use of shared resources in a multi-tenant SaaS environment; it increases operational complexity and cost, and RLS can achieve the same isolation without requiring separate instances.

99
MCQ · easy

A cloud administrator is rotating encryption keys for a data storage service. The administrator wants to ensure that previously encrypted data remains accessible after the rotation. What is the best practice?

A. Delete the old key after rotation
B. Retain the old key and use envelope encryption so the new key can decrypt the old key
C. Re-encrypt all data with the new key immediately
D. Disable the old key and only use the new key for new writes
Answer: B

Old keys are kept but not active; new wrapped keys allow access.

Why this answer

Envelope encryption allows the new key to decrypt the old key, which in turn decrypts the data. This ensures that previously encrypted data remains accessible without re-encrypting it, as the old key is retained and protected under the new key. This is the best practice for key rotation in cloud storage services like AWS KMS or Azure Key Vault.

Exam trap

ISC2 often tests the misconception that key rotation requires immediate re-encryption of all data, but the correct approach is to retain old keys and use envelope encryption to maintain access without re-encryption.

How to eliminate wrong answers

Option A is wrong because deleting the old key immediately after rotation would render all data encrypted with that key permanently inaccessible, violating the requirement to maintain access. Option C is wrong because re-encrypting all data with the new key immediately is inefficient, resource-intensive, and unnecessary when envelope encryption can provide seamless access. Option D is wrong because disabling the old key without retaining it for decryption would break access to existing encrypted data, as the new key alone cannot decrypt data encrypted with the old key.

100
MCQ · hard

An administrator notices the log entries in the exhibit from a cloud-hosted server. What is the MOST likely security concern indicated by these logs?

A. A brute-force attack succeeded in logging into the system, and a database password was exposed in the command line
B. Data was exfiltrated from the MySQL database
C. The MySQL database was accessed by an unauthorized user
D. A failed SSH login attempt indicates a misconfigured firewall
Answer: A

Failed then accepted login indicates brute-force success; password in plaintext is a credential exposure.

Why this answer

The log entries show a successful SSH login followed by a MySQL command that includes the database password in plaintext on the command line (e.g., `mysql -u root -pPassword123`). This indicates a brute-force attack succeeded, and the password was exposed in the process list or shell history, which is a critical data security concern.

Exam trap

ISC2 often tests the distinction between a successful brute-force attack and data exfiltration, where candidates confuse a successful login with actual data theft, but the logs here only show the password exposure, not data movement.

How to eliminate wrong answers

Option B is wrong because data exfiltration from MySQL would require evidence of SELECT or export commands (e.g., INTO OUTFILE) transferring data to an external location, which is not present in the logs. Option C is wrong because the logs show a successful SSH login, not direct MySQL access; the MySQL access is subsequent and authorized by the logged-in user, not an unauthorized user. Option D is wrong because a failed SSH login attempt would show authentication failure messages (e.g., 'Failed password'), not a successful login; the logs show a successful login, so a misconfigured firewall is irrelevant.

101
Multi-Select · medium

A company is designing a data at rest encryption strategy for their cloud environment. Which TWO of the following are valid approaches? (Choose two.)

Select 2 answers
A. Server-side encryption with customer-provided keys (SSE-C)
B. Hashing data before storage
C. Client-side encryption
D. Tokenization of sensitive fields
E. Server-side encryption with cloud-managed keys (SSE-S3)
Answers: A, C

Customer provides the encryption key, which the cloud uses temporarily.

Why this answer

Server-side encryption with customer-provided keys (SSE-C) is a valid data-at-rest encryption approach because the customer retains control over the encryption keys while the cloud provider performs the encryption/decryption operations. This allows the customer to manage key lifecycle and compliance requirements without exposing plaintext keys to the provider. Client-side encryption is also valid because data is encrypted before being sent to the cloud, ensuring the provider never has access to plaintext data or encryption keys.

Exam trap

ISC2 often tests the distinction between encryption and other data protection methods such as hashing or tokenization. The trap here is that candidates may confuse hashing or tokenization with encryption, or incorrectly assume that server-side encryption with cloud-managed keys is not a valid approach when it actually is; the question, however, requires selecting exactly two answers from the list.

102
MCQ · medium

The exhibit shows a bucket policy that grants public read access. What is the most effective way to remove this public access?

A. Add an access control list (ACL) that denies public access.
B. Change the bucket policy to deny all access.
C. Enable S3 Block Public Access settings at the bucket or account level.
D. Enable bucket versioning and delete the public objects.
Answer: C

Block Public Access settings explicitly deny public access, overriding any bucket policies.

Why this answer

Option C is correct because S3 Block Public Access settings provide a definitive, override-capable mechanism to prevent any public access to an S3 bucket, regardless of other policies or ACLs. These settings can be applied at the bucket or account level and will block all public access even if a bucket policy explicitly grants it, making them the most effective and secure method to remove public access.

Exam trap

ISC2 often tests the misconception that modifying the bucket policy or ACLs is sufficient to remove public access, but the trap is that these can be overridden or misconfigured, whereas S3 Block Public Access settings provide a guaranteed, centralized control that cannot be bypassed by other permissions.

How to eliminate wrong answers

Option A is wrong because ACLs are legacy and cannot deny access; they only grant permissions, and adding a deny ACL is not a valid operation. Option B is wrong because changing the bucket policy to deny all access would conflict with the existing grant and could lead to ambiguous evaluation results; S3 evaluates policies with an explicit deny override, but the most effective approach is to use Block Public Access settings which are designed for this purpose. Option D is wrong because enabling versioning and deleting public objects does not remove the bucket policy that grants public read access; the policy would still allow access to any remaining or future objects.

103
MCQ · medium

An organization uses a cloud storage service to share files with external partners. They want to ensure that the files are automatically deleted after 30 days. Which data lifecycle control should be implemented?

A. Object lock
B. Lifecycle policy
C. Versioning
D. Access control list
Answer: B

Lifecycle policies automate expiration and deletion.

Why this answer

A lifecycle policy is the correct data lifecycle control because it allows administrators to define rules that automatically expire and delete objects after a specified period, such as 30 days. This is a native feature of cloud storage services like Amazon S3, Azure Blob Storage, and Google Cloud Storage, enabling automated data retention and deletion without manual intervention.

Exam trap

ISC2 often tests the distinction between data protection controls (Object Lock, Versioning) and data lifecycle controls (Lifecycle Policy), leading candidates to confuse retention with deletion.

How to eliminate wrong answers

Option A is wrong because Object Lock is designed to prevent objects from being deleted or overwritten for a fixed retention period or indefinitely (legal hold), which is the opposite of automatic deletion. Option C is wrong because Versioning preserves multiple versions of an object, allowing recovery of deleted or overwritten versions, but does not automatically delete data after a time period. Option D is wrong because Access Control Lists (ACLs) manage permissions for who can read or write objects, not the lifecycle or scheduled deletion of data.

104
Multi-Select · hard

Which THREE of the following are essential steps in a cloud data discovery process?

Select 3 answers
A. Map data flows between systems
B. Encrypt all discovered data
C. Classify data based on sensitivity
D. Identify where sensitive data resides
E. Create backup copies of data
Answers: A, C, D

Understanding data movement is critical.

Why this answer

Option A is correct because mapping data flows between systems is a foundational step in cloud data discovery. It enables organizations to understand how data moves across cloud services, APIs, and storage tiers, which is critical for identifying where sensitive data may be transmitted or stored. Without this mapping, discovery efforts may miss data in transit or in transient storage, leading to incomplete visibility.

Exam trap

ISC2 often tests the distinction between discovery steps and subsequent security controls, so the trap here is that candidates mistakenly treat encryption or backup as part of the discovery process when they are actually post-discovery remediation or protection actions.

105
MCQ · hard

An Azure application uses a key vault key for client-side encryption of data. The application also communicates with a cloud service over HTTPS. After deployment, a handshake failure occurs. Which of the following is the most likely cause?

A. The application is using the wrong key version
B. The key vault key is not accessible due to network restrictions
C. The client and server do not have a common TLS version or cipher suite
D. The key vault key is not enabled for encryption
Answer: C

Alert 40 indicates handshake failure due to version/cipher mismatch.

Why this answer

The handshake failure occurs at the transport layer (TLS/SSL), which is independent of client-side encryption using a key vault key. The most likely cause is a mismatch in TLS versions or cipher suites between the client and server, as HTTPS relies on a successful TLS handshake. Options A, B, and D relate to the key vault key's availability or configuration, which would not cause a TLS handshake failure.

Exam trap

The trap here is that candidates confuse client-side encryption (using a key vault key) with transport-layer security (TLS), assuming a key-related issue causes the handshake failure, when in fact the handshake is a separate protocol layer.

How to eliminate wrong answers

Option A is wrong because using the wrong key version would cause decryption failures on the client side, not a TLS handshake failure during HTTPS communication. Option B is wrong because network restrictions to the key vault would result in an access denied or timeout error when the application tries to retrieve the key, not a handshake failure in the TLS layer. Option D is wrong because if the key vault key is not enabled for encryption, the application would fail to encrypt data locally, but the HTTPS handshake is a separate process that does not depend on the key's encryption status.

106
MCQ · hard

A cloud security architect is designing a data classification and labeling solution for a multinational corporation with offices in multiple countries. The corporation uses various SaaS applications (Office 365, Salesforce, etc.) and IaaS services. They require automatic classification of documents based on content (e.g., credit card numbers, social security numbers) and enforcement of protection policies (e.g., encryption, access restrictions) based on the classification. The solution must work across all cloud services and provide a unified management console. The corporation also needs to maintain data residency—data must not be stored in a different geographic region than where it was classified. Which cloud security solution BEST meets these requirements?

A. Deploy a cloud access security broker (CASB) with integrated DLP capabilities that can classify and enforce policies across multiple cloud apps.
B. Use each cloud provider's native DLP service (e.g., Microsoft Information Protection, AWS Macie) and manage them individually.
C. Use a third-party encryption gateway that encrypts all data leaving the on-premises network.
D. Implement a custom data classification system running on a virtual machine that inspects data via APIs.
Answer: A

Provides unified management, cross-cloud classification, and policy enforcement.

Why this answer

Option A is correct. A CASB with integrated DLP can classify content across multiple cloud apps and enforce policies from a single console, while also supporting data residency through policy configuration. Option B lacks unified management. Option C is complex and may not scale. Option D does not provide classification.

107
MCQ · easy

The exhibit shows the versioning configuration for an S3 bucket. What effect does enabling MFADelete have on data protection?

A. It automatically encrypts all new object versions
B. It requires MFA to permanently delete an object version
C. It prevents any version of an object from being overwritten
D. It requires MFA for all operations on the bucket
Answer: B

MFADelete adds MFA protection for delete operations.

Why this answer

Enabling MFADelete on an S3 bucket requires multi-factor authentication to permanently delete an object version or to suspend versioning on the bucket. This adds a critical layer of protection against accidental or malicious deletion of object versions, ensuring that even with administrative credentials, a second factor is needed to complete the destructive operation. It does not affect encryption, overwrite prevention, or all operations—only permanent deletion and versioning suspension.

Exam trap

ISC2 often tests the misconception that MFADelete applies to all bucket operations, when in fact it only applies to permanent deletion of object versions and suspension of versioning, not to reads, writes, or other management actions.

How to eliminate wrong answers

Option A is wrong because MFADelete does not automatically encrypt objects; encryption is managed separately via server-side encryption (SSE-S3, SSE-KMS, SSE-C) or client-side encryption. Option C is wrong because MFADelete does not prevent overwriting an object version; it only protects against permanent deletion of a version, while new versions can still be written (overwriting the current version). Option D is wrong because MFADelete does not require MFA for all operations; it only applies to two specific actions: permanently deleting an object version and suspending versioning on the bucket.

108
Multi-Select · medium

Which TWO statements about data classification are correct?

Select 2 answers
A. Data classification is performed once at creation.
B. Data classification must be automated to be effective.
C. Data classification can be based on context and content.
D. Data classification is solely based on regulatory requirements.
E. Data classification labels determine access controls.
Answers: C, E

Classification uses both content inspection and contextual metadata.

Why this answer

Option C is correct because data classification can be based on both context (e.g., source, creator, location) and content (e.g., keywords, patterns, data values). This dual approach allows organizations to apply classification rules that consider the environment and the actual data, enabling more accurate and granular protection. For example, a document containing a credit card number (content) created by the finance department (context) could be classified as 'Confidential'.

Exam trap

ISC2 often tests the misconception that data classification is a static, one-time activity (Option A) or that automation is mandatory (Option B), when in reality classification is a continuous process and can be manual or hybrid.

109
MCQ · easy

A customer requires complete control over encryption keys used to protect data at rest in the cloud. Which cloud service model provides the most direct control?

A. Infrastructure as a Service (IaaS)
B. Anything as a Service (XaaS)
C. Platform as a Service (PaaS)
D. Software as a Service (SaaS)
Answer: A

IaaS provides the most control over the operating system, storage, and encryption keys.

Why this answer

Option A is correct. IaaS gives customers control over the entire infrastructure stack, including encryption key management. PaaS and SaaS abstract away much of that control, limiting customer-managed key options.

110
MCQ · medium

A cloud administrator applies the bucket policy shown in the exhibit to an S3 bucket. What is the expected outcome?

A. All objects uploaded must be encrypted using server-side encryption with S3-managed keys (SSE-S3)
B. All upload requests will be denied unless they include encryption metadata
C. All objects must be encrypted with AWS KMS keys
D. All objects uploaded must be client-side encrypted before uploading
Answer: A

The condition requires x-amz-server-side-encryption: AES256, which is SSE-S3.

Why this answer

Option A is correct because the bucket policy explicitly denies uploads unless the `x-amz-server-side-encryption` header is set to `AES256`, which corresponds to SSE-S3. This ensures all objects uploaded to the bucket are encrypted at rest using server-side encryption with S3-managed keys, as the policy condition enforces the presence of that specific encryption header.

Exam trap

The trap here is that candidates often confuse the requirement for any encryption metadata (option B) with the specific requirement for SSE-S3 (AES256), or they mistakenly think the policy enforces KMS (option C) because they overlook the exact header value `AES256` in the condition.

How to eliminate wrong answers

Option B is wrong because the policy does not merely require encryption metadata; it specifically requires the `x-amz-server-side-encryption` header to be set to `AES256`, not just any encryption metadata. Option C is wrong because the policy enforces SSE-S3 (AES256), not AWS KMS keys (which would require `aws:kms` in the header). Option D is wrong because the policy enforces server-side encryption, not client-side encryption; client-side encryption is performed before upload and does not involve the `x-amz-server-side-encryption` header.

111
MCQ · hard

An enterprise uses a Cloud Access Security Broker (CASB) to monitor cloud application usage. The CASB generates alerts about potential data loss prevention events. What is the primary purpose of the CASB's DLP capabilities?

A. To block all uploads of sensitive data to cloud apps
B. To classify data automatically using machine learning
C. To detect and prevent unauthorized sharing of sensitive data based on policies
D. To encrypt data before it is sent to cloud apps
Answer: C

DLP policies allow controlled sharing while blocking unauthorized transfers.

Why this answer

The primary purpose of a CASB's DLP capabilities is to enforce policies that detect and prevent unauthorized sharing of sensitive data. This is achieved by inspecting content in transit (e.g., via API or proxy) and applying rules such as blocking, quarantining, or alerting on policy violations. Option C correctly captures this core function of policy-based detection and prevention, which goes beyond simple blocking or classification.

Exam trap

ISC2 often tests the misconception that DLP's primary purpose is to block all sensitive data or to classify data, when in fact it is to enforce granular policies that detect and prevent unauthorized sharing based on context (e.g., user, location, device).

How to eliminate wrong answers

Option A is wrong because blocking all uploads of sensitive data is too restrictive and not the primary purpose; CASB DLP uses granular policies to allow legitimate transfers while blocking only unauthorized ones. Option B is wrong because automatic classification using machine learning is a feature of data discovery and classification tools, not the primary DLP purpose; DLP focuses on enforcing policies on already-classified or pattern-matched data. Option D is wrong because encryption is a separate control often handled by key management or tokenization services, not the primary DLP function; CASB DLP may trigger encryption but its core role is policy enforcement, not encryption itself.

112
Multi-Select · medium

An organization is evaluating techniques to protect data while it is being processed in memory. The goal is to prevent unauthorized access even if the operating system or hypervisor is compromised. Which TWO techniques are suitable for protecting data in use?

Select 2 answers
A. Hashing
B. Data masking
C. Secure enclaves (e.g., Intel SGX)
D. Homomorphic encryption
E. Tokenization
Answers: C, D

Hardware-based isolation for code and data in memory.

Why this answer

Secure enclaves, such as Intel SGX, provide hardware-enforced isolation by creating trusted execution environments (TEEs) that encrypt memory pages in use, protecting data even if the OS or hypervisor is compromised. This makes them suitable for protecting data in use because the CPU itself enforces access controls, preventing any privileged software from reading the enclave's memory.

Exam trap

ISC2 often tests the distinction between 'data at rest' and 'data in use' protections, and candidates mistakenly choose hashing or tokenization because they associate them with security, but neither protects data during active processing in memory.

113
MCQ · medium

A cloud architect is designing a data loss prevention (DLP) solution for a SaaS application. The DLP must inspect data in transit between end users and the cloud as well as data at rest. Which combination of controls is most appropriate?

A. Use network segmentation and security groups.
B. Deploy a cloud DLP service for content inspection and enforce encryption at rest.
C. Use encryption at rest and backup retention policies.
D. Implement a web application firewall (WAF) and a VPN.
Answer: B

Cloud DLP inspects data in transit and at rest; encryption protects at rest.

Why this answer

Option B is correct because a cloud DLP service (e.g., AWS Macie, Microsoft Purview) can inspect data in transit by analyzing API calls or traffic patterns, and encryption at rest (e.g., AES-256) protects stored data. This combination directly addresses both inspection of data in transit and protection of data at rest, which is the core requirement of the question.

Exam trap

The trap here is that candidates confuse a WAF (which inspects for attacks) with a DLP service (which inspects for sensitive data content), leading them to choose Option D despite it lacking content inspection for data in transit.

How to eliminate wrong answers

Option A is wrong because network segmentation and security groups control which traffic may flow and who may connect; they never look at the content of that traffic and do nothing for data at rest. Option C is wrong because encryption at rest protects stored data, but backup retention policies only manage the data lifecycle and inspect nothing. Option D is wrong because a WAF inspects HTTP requests for web attack patterns, not for sensitive data content, and a VPN encrypts the tunnel without inspecting the payload inside it.

114
MCQeasy

A company is migrating sensitive customer data to a public cloud storage service. They want to ensure that even the cloud provider cannot access the plaintext data. Which encryption strategy should they implement?

A.Client-side encryption before uploading data
B.Server-side encryption with cloud-provider-managed keys
C.Tokenization of sensitive fields at the application layer
D.Enforcing role-based access control (RBAC) on the storage bucket
AnswerA

Client-side encryption ensures the provider never sees plaintext.

Why this answer

Client-side encryption ensures that data is encrypted before it leaves the customer's environment, so the cloud provider only ever receives ciphertext. This means the cloud provider cannot access the plaintext data, even if the storage service is compromised or the provider is legally compelled to disclose data. The encryption keys are managed and stored by the customer, not the cloud provider.

Exam trap

ISC2 often tests who holds the keys. Server-side encryption protects data at rest, but the provider performs the encryption and holds, or can use, the keys, so it does not keep the provider out of the plaintext. Candidates confuse "encrypted at rest" with "the provider cannot read it"; only encrypting before upload, with keys that stay in the customer's environment, achieves the latter.

How to eliminate wrong answers

Option B is wrong because with provider-managed keys the cloud provider holds the encryption keys and decrypts on every read, so nothing stops the provider (or anyone who compels it) from accessing plaintext. Option C is wrong because tokenization protects only the fields that are tokenized, leaving the rest of the object in plaintext, and the token vault holding the original values has to live somewhere; if it sits with the same provider the requirement is still not met. Option D is wrong because RBAC restricts which identities may access the bucket but does not change what is stored; the provider can still read plaintext objects it holds.

115
Multi-Selectmedium

Which TWO statements about data masking are correct?

Select 2 answers
A.Data masking is a form of encryption.
B.Data masking is primarily used for production environments.
C.Data masking is reversible.
D.Data masking replaces sensitive data with realistic fictional data.
E.Data masking can be static or dynamic.
AnswersD, E

It produces realistic data for development and testing.

Why this answer

Option D is correct because data masking replaces sensitive values (credit card numbers, SSNs, e-mail addresses) with realistic but fictitious values that preserve the original format and, when done consistently, referential integrity across tables, so the masked data remains usable for testing or analytics without exposing real information. This is distinct from encryption: masking has no key and no decrypt step, it substitutes a non-sensitive equivalent. Option E is correct because masking comes in two forms: static masking produces a permanently masked copy of a data set, typically for development and test environments, while dynamic masking rewrites sensitive values at query time according to the requester's role and leaves the stored data untouched.

Exam trap

The trap here is that candidates confuse data masking with encryption and assume both are reversible, or assume masking is primarily a production control. The CCSP treats static masking as a non-production technique for test and development copies; dynamic masking is the exception that runs in production, but it still never exposes the real values to users who lack a need to see them. Masking is irreversible by design: there is no key that recovers the original values from the masked data.
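The two properties that make masked data useful, format preservation and referential integrity, are easiest to see in code. The Python below is an added example written for this page, not material from the question set. It uses a keyed HMAC so that the same real value always masks to the same fictitious value (static masking, keeping joins across tables intact) while remaining non-reversible, keeps card numbers Luhn-valid so test code that validates input still works, and shows dynamic masking as a role-dependent view over an unchanged record. The masking key and the customer records are constructed for the example.

```python
"""Static and dynamic data masking with format preservation and referential integrity."""
import hashlib
import hmac

# Constructed masking key (assumption). A keyed HMAC makes the mapping deterministic, so the
# same real value masks to the same fake value in every table, yet nothing in the masked
# output lets anyone recover the original: masking has no decrypt step.
MASK_KEY = b"static-mask-key-for-the-test-refresh-2024"


def _digits(key, value, n):
    """Derive n pseudo-random decimal digits from HMAC-SHA256(key, value)."""
    out, counter = "", 0
    while len(out) < n:
        mac = hmac.new(key, f"{counter}:{value}".encode(), hashlib.sha256).digest()
        out += "".join(str(b % 10) for b in mac)
        counter += 1
    return out[:n]


def luhn_ok(d):
    return sum(int(c) if i % 2 == 0 else (int(c) * 2 - 9 if int(c) > 4 else int(c) * 2)
               for i, c in enumerate(reversed(d))) % 10 == 0


def mask_pan(pan, key=MASK_KEY):
    """Keep the card-brand digit, replace the rest, recompute the Luhn check digit so the
    masked PAN still passes input validation in test code."""
    raw = pan.replace(" ", "").replace("-", "")
    body = raw[0] + _digits(key, raw, len(raw) - 2)
    check = next(d for d in "0123456789" if luhn_ok(body + d))
    masked = body + check
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4)) if " " in pan else masked


def mask_ssn(ssn, key=MASK_KEY):
    """Format-preserving SSN: keeps NNN-NN-NNNN and avoids area numbers 000, 666 and 900-999."""
    d = _digits(key, ssn, 9)
    area = 1 + int(d[:3]) % 665        # 001..665
    group = 1 + int(d[3:5]) % 99       # 01..99
    serial = 1 + int(d[5:9]) % 9999    # 0001..9999
    return f"{area:03d}-{group:02d}-{serial:04d}"


def mask_email(email, key=MASK_KEY):
    """Keep the domain (realistic routing in test), replace the person."""
    local, _, domain = email.partition("@")
    tag = hmac.new(key, local.encode(), hashlib.sha256).hexdigest()[:8]
    return f"user-{tag}@{domain}"


def static_mask(records, key=MASK_KEY):
    """Static masking: a masked copy of the data set for non-production use."""
    return [{"id": r["id"], "email": mask_email(r["email"], key),
             "ssn": mask_ssn(r["ssn"], key), "pan": mask_pan(r["pan"], key)}
            for r in records]


def dynamic_mask(record, role):
    """Dynamic masking: the stored record is untouched; what the caller sees depends on role."""
    if role == "fraud-analyst":
        return dict(record)
    pan = record["pan"].replace(" ", "")
    return {**record, "ssn": "***-**-" + record["ssn"][-4:],
            "pan": "**** **** **** " + pan[-4:]}


# Constructed sample records (assumption); 4111 1111 1111 1111 is a well-known test card number.
CUSTOMERS = [
    {"id": 1, "email": "alice@example.com", "ssn": "123-45-6789", "pan": "4111 1111 1111 1111"},
    {"id": 2, "email": "bob@example.com", "ssn": "987-65-4321", "pan": "4111 1111 1111 1111"},
]

if __name__ == "__main__":
    for row in static_mask(CUSTOMERS):
        print(row)
    print(dynamic_mask(CUSTOMERS[0], "support"))
```

Two customers sharing a card get the same masked card, so a join between an orders table and a customers table still works after masking; a support user sees only the last four digits while the fraud analyst role sees the full record. The HMAC key must be protected like any secret, but losing it loses nothing: the masked copy was never meant to be reversed.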

116
MCQhard

A cloud security engineer reviews the S3 bucket policy shown in the exhibit. What is the net effect of this policy when a request originates from IP address 203.0.113.10 over HTTPS?

A.Deny access because the request does not meet the SecureTransport condition
B.Allow access because the condition for Deny does not include SecureTransport
C.Deny access because the request is from the specified IP range
D.Allow access because the request uses HTTPS
AnswerC

Correct: Explicit Deny blocks the request.

Why this answer

The S3 bucket policy includes a Deny statement that blocks all requests from the IP range 203.0.113.0/24, which includes 203.0.113.10. The SecureTransport condition is only applied to the Allow statement, not the Deny, so HTTPS is irrelevant to the Deny effect. Since the request matches the IP address in the Deny statement, it is denied regardless of protocol.

Exam trap

ISC2 often tests the principle that an explicit Deny overrides any Allow, and candidates mistakenly think HTTPS or SecureTransport conditions apply globally to all statements in the policy.

How to eliminate wrong answers

Option A is wrong because the SecureTransport condition is only on the Allow statement, not the Deny; the Deny does not require HTTPS, so the request is denied based on IP alone. Option B is wrong because the Deny statement does not need a SecureTransport condition to block the request; the IP match is sufficient for denial. Option D is wrong because even though the request uses HTTPS, the Deny statement explicitly blocks the IP address, overriding any Allow that might apply.
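The evaluation rule the question turns on (explicit Deny wins, conditions bind only to their own statement, no match means implicit Deny) can be checked mechanically. The following Python is an added example for this page, not code from the question set: it reconstructs a bucket policy with the shape the explanation describes (an Allow gated on aws:SecureTransport and a Deny keyed on the 203.0.113.0/24 source range), since the exhibit itself is not reproduced here, and evaluates the request from 203.0.113.10 over HTTPS against it. The bucket name, statement IDs and object key are assumptions.

```python
"""Evaluates an S3 bucket policy the way IAM does: explicit Deny beats any Allow,
conditions bind only to their own statement, no match means implicit Deny."""
import fnmatch
import ipaddress

# Constructed policy (assumption): reproduces the exhibit as the explanation describes it.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowTlsReads",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        },
        {
            "Sid": "DenyBlockedRange",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, ctx):
    """Supports the two operators the exhibit uses. A missing context key fails the
    condition (the ...IfExists variants, which would pass, are not modelled here)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            values = [str(v) for v in _as_list(expected)]
            if operator == "Bool":
                if str(actual).lower() not in [v.lower() for v in values]:
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                addr = ipaddress.ip_address(actual)
                hit = any(addr in ipaddress.ip_network(v, strict=False) for v in values)
                if hit == (operator == "NotIpAddress"):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def evaluate(policy, action, resource, ctx):
    """Return (decision, Sids of matching statements). Principal matching is assumed
    to succeed because both statements use '*'."""
    allows, denies = [], []
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        (denies if stmt["Effect"] == "Deny" else allows).append(stmt["Sid"])
    if denies:
        return "Deny", denies   # an explicit Deny always wins
    if allows:
        return "Allow", allows
    return "Deny", []           # implicit deny: nothing matched


def get_object_from(ip, https):
    """The request in the question: GetObject on one key, from `ip`, over HTTPS or not."""
    ctx = {"aws:SourceIp": ip, "aws:SecureTransport": "true" if https else "false"}
    return evaluate(BUCKET_POLICY, "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv", ctx)


if __name__ == "__main__":
    print(get_object_from("203.0.113.10", https=True))   # ('Deny', ['DenyBlockedRange'])
    print(get_object_from("198.51.100.7", https=True))   # ('Allow', ['AllowTlsReads'])
    print(get_object_from("198.51.100.7", https=False))  # ('Deny', [])
```

The third call shows the other side of the same rule: a request from an unblocked address over plain HTTP matches neither statement and falls through to the implicit Deny, so the SecureTransport condition does enforce TLS, just not for the address in the question. The real IAM engine also consults identity policies, SCPs and the block-public-access settings; this model covers the bucket policy alone, which is all the question exhibits.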

117
MCQeasy

A developer accidentally uploaded a file containing API credentials to a public cloud storage bucket. The cloud provider states they cannot guarantee deletion of the object. Which practice could have prevented this incident?

A.Data loss prevention for cloud storage
B.Bucket versioning
C.Access control lists
D.Server-side encryption
AnswerA

DLP can inspect and block uploads containing sensitive data.

Why this answer

Data Loss Prevention (DLP) for cloud storage can automatically scan objects for sensitive content, such as API credentials, before or after upload. When configured with policies to block or quarantine files containing patterns like access keys, DLP prevents the data from ever being stored in a public bucket, eliminating the risk even if the provider cannot guarantee deletion. This proactive control addresses the root cause—sensitive data exposure—rather than relying on post-incident remediation.

Exam trap

ISC2 often tests whether a control acts on the content (DLP) or only on the container (versioning, ACLs, encryption). Candidates pick bucket versioning because it allows rollback, but versioning neither prevents the initial upload nor recalls a public object that has already been downloaded; the exposure has happened by the time rollback is considered.

How to eliminate wrong answers

Option B (Bucket versioning) is wrong because versioning retains multiple copies of an object, which would actually increase the exposure by preserving the compromised file even after deletion attempts, and does not prevent the initial upload. Option C (Access control lists) is wrong because ACLs only restrict who can access the bucket after the file is stored; they do not prevent a developer from uploading sensitive content to a publicly accessible bucket. Option D (Server-side encryption) is wrong because encryption protects data at rest from unauthorized access but does not prevent the upload of plaintext credentials; the credentials would still be readable by anyone with access to the bucket.
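Questions 113 and 117 both come down to the same mechanism: inspecting content before it is stored, and blocking or quarantining on what is found. The Python below is an added example for this page, not code from the question set or from any DLP product. It scans an object body for cloud credentials, private keys, payment card numbers (with a Luhn check to suppress order numbers and timestamps) and US SSNs, redacts what it reports so the alert itself does not leak the secret, and returns a block/quarantine/allow decision for a pre-upload hook. The sample objects are constructed; the AWS key pair in them is the placeholder pair from AWS documentation, not a live credential.

```python
"""Content-inspection DLP for object uploads: pattern and checksum matching with a
block/quarantine/allow decision that runs before the object reaches the bucket."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str
    line: int
    redacted: str


# Detectors. Credential patterns are exact-format; card numbers additionally need a valid
# Luhn checksum so that order numbers and timestamps do not trigger the rule.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_KEY = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
PRIVATE_KEY_BLOCK = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----")
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
US_SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

CREDENTIAL_KINDS = {"aws_access_key_id", "aws_secret_access_key", "private_key"}


def luhn_ok(d):
    return sum(int(c) if i % 2 == 0 else (int(c) * 2 - 9 if int(c) > 4 else int(c) * 2)
               for i, c in enumerate(reversed(d))) % 10 == 0


def scan(text):
    """Return findings with the matched value redacted (never echo the secret into alert logs)."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding("aws_access_key_id", no, m.group(0)[:4] + "*" * 16))
        for _ in AWS_SECRET_KEY.finditer(line):
            findings.append(Finding("aws_secret_access_key", no, "*" * 40))
        if PRIVATE_KEY_BLOCK.search(line):
            findings.append(Finding("private_key", no, "-----BEGIN ... PRIVATE KEY-----"))
        for m in CARD_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding("card_number", no, "*" * (len(digits) - 4) + digits[-4:]))
        for m in US_SSN.finditer(line):
            findings.append(Finding("us_ssn", no, "***-**-" + m.group(0)[-4:]))
    return findings


def decide(findings):
    """Policy: credentials are blocked outright; personal data goes to a quarantine bucket
    for review; clean objects pass. Returns (decision, findings)."""
    kinds = {f.kind for f in findings}
    if kinds & CREDENTIAL_KINDS:
        return "block", findings
    if kinds:
        return "quarantine", findings
    return "allow", findings


def upload_hook(object_name, body):
    """Pre-upload gate (assumed integration point: call before the storage PUT).
    Returns the decision; only 'allow' lets the PUT proceed."""
    decision, findings = decide(scan(body))
    for f in findings:
        print(f"{object_name}:{f.line} {f.kind} {f.redacted}")
    return decision


# Constructed sample objects (assumption). The AWS key pair is the placeholder pair from
# AWS documentation, not a live credential.
LEAKED_CONFIG = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""
CUSTOMER_EXPORT = "id,name,card\n1,Alice,4111 1111 1111 1111\n2,Bob,5500 0000 0000 0004\n"
CLEAN_README = "Build with make. Ticket 4111-1111-1111-1112 tracks the rollout (fails Luhn, not a card).\n"

if __name__ == "__main__":
    for name, body in [("config.ini", LEAKED_CONFIG), ("export.csv", CUSTOMER_EXPORT),
                       ("README.md", CLEAN_README)]:
        print(name, "->", upload_hook(name, body))
```

The Luhn check is what keeps a content rule usable: without it, every 16-digit identifier in a CSV would be a "card number". The decision step is separate from the scanner on purpose, so the same findings can drive a hard block for credentials (the case in question 117) and a review queue for personal data, and so the hook can be placed in front of the PUT rather than run as a sweep after the object is already public.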

118
MCQhard

A cloud security analyst is investigating a potential data breach. They discover that an employee's credentials were used to access a cloud storage bucket containing sensitive files. The access logs show the employee accessed the bucket from an IP address in a different country during the time of the incident. Which of the following is the MOST likely attack vector?

A.The employee intentionally accessed the data from that country
B.A distributed denial-of-service (DDoS) attack overwhelmed access controls
C.The cloud storage bucket was misconfigured as public
D.The employee's credentials were stolen via a phishing attack
AnswerD

Phishing could compromise credentials used from a foreign IP.

Why this answer

The correct answer is D because the scenario describes a classic credential theft attack: an employee's credentials are used from an anomalous geographic location to access sensitive cloud storage. Phishing is the most common vector for stealing credentials, as it tricks users into revealing their passwords, which are then reused by attackers to authenticate to cloud services like AWS S3 or Azure Blob Storage. The access logs showing a foreign IP address strongly indicate the credentials were compromised and used by an unauthorized party, not the employee.

Exam trap

ISC2 often tests the distinction between credential theft and misconfiguration; the trap here is that candidates see 'different country' and assume a public bucket (option C) because they confuse geographic anomaly with open access, but the logs explicitly show credential usage, ruling out anonymous access.

How to eliminate wrong answers

Option A is wrong because a legitimate employee working from abroad would not be a breach at all; the question asks for the most likely attack vector behind a potential breach, and access from an unexpected country is the classic indicator that someone other than the employee is using the credentials. An analyst should still confirm that before concluding (travel records, the MFA and device records for the session, what was accessed), but it does not change the most likely answer. Option B is wrong because a DDoS attack degrades availability; it does not bypass authentication or hand an attacker valid credentials. Option C is wrong because a public bucket is reached anonymously, without any credentials, while the logs show the employee's credentials were presented, so authentication took place rather than open access.
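The reasoning in this answer is exactly what a detection rule on the access logs would encode. The following Python is an added example for this page, not code from the question set: it replays constructed access-log events, builds each user's baseline of source countries, and raises an alert when a session arrives from a country outside that baseline or when two countries appear closer together than travel allows, noting the missing MFA as an aggravating factor. The GeoIP table is a stand-in built from documentation address ranges; the events, users and timestamps are constructed.

```python
"""Flags credential misuse from access logs: a source country outside the user's
baseline, and 'impossible travel' between two countries in too short a time."""
import ipaddress
from datetime import datetime, timedelta

# Constructed GeoIP table (assumption): documentation prefixes stand in for real geolocation data.
GEO_TABLE = {"198.51.100.0/24": "US", "203.0.113.0/24": "US", "192.0.2.0/24": "BR"}


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_credential_misuse(events, baseline_days=7, quiet_hours=24, travel_hours=6):
    """events: dicts with time/user/ip/action/mfa, in any order.
    A user's baseline is the set of countries seen between `quiet_hours` and `baseline_days`
    before the event; the quiet gap stops an attacker's first requests from whitelisting the rest."""
    history = {}
    alerts = []
    for e in sorted(events, key=lambda x: x["time"]):
        t, cc = _parse(e["time"]), country_of(e["ip"])
        seen = history.setdefault(e["user"], [])
        baseline = {c for (pt, c) in seen
                    if timedelta(hours=quiet_hours) <= t - pt <= timedelta(days=baseline_days)}
        reasons = []
        if baseline and cc not in baseline:
            reasons.append(f"country {cc} not in baseline {sorted(baseline)}")
        if seen:
            last_t, last_cc = seen[-1]
            if last_cc != cc and t - last_t <= timedelta(hours=travel_hours):
                reasons.append(f"impossible travel {last_cc}->{cc} in {t - last_t}")
        if reasons and not e.get("mfa", False):
            reasons.append("no MFA on session")
        if reasons:
            alerts.append({"time": e["time"], "user": e["user"], "ip": e["ip"],
                           "country": cc, "action": e["action"], "reasons": reasons})
        seen.append((t, cc))
    return alerts


# Constructed access-log events (assumption), shaped like storage data-event records.
EVENTS = [
    {"time": "2024-05-01T09:02:11Z", "user": "jdoe", "ip": "198.51.100.23", "action": "GetObject", "mfa": True},
    {"time": "2024-05-02T08:47:30Z", "user": "jdoe", "ip": "198.51.100.23", "action": "PutObject", "mfa": True},
    {"time": "2024-05-03T10:15:02Z", "user": "jdoe", "ip": "203.0.113.40", "action": "GetObject", "mfa": True},
    {"time": "2024-05-05T23:40:00Z", "user": "jdoe", "ip": "198.51.100.23", "action": "ListObjects", "mfa": True},
    {"time": "2024-05-06T03:15:40Z", "user": "jdoe", "ip": "192.0.2.77", "action": "ListObjects", "mfa": False},
    {"time": "2024-05-06T03:16:02Z", "user": "jdoe", "ip": "192.0.2.77", "action": "GetObject", "mfa": False},
    {"time": "2024-05-06T09:00:00Z", "user": "asmith", "ip": "203.0.113.41", "action": "GetObject", "mfa": True},
]

if __name__ == "__main__":
    for a in detect_credential_misuse(EVENTS):
        print(a["time"], a["user"], a["ip"], a["country"], "; ".join(a["reasons"]))
```

The first foreign event fires on all three signals (new country, impossible travel from the session three and a half hours earlier, no MFA); the second fires on two, because the quiet gap keeps the attacker's own first request out of the baseline. In practice these alerts are the trigger for the investigation the question describes, and for the immediate response it implies: revoke the credential and active sessions, then scope what was read.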

119
Drag & Dropmedium

Drag and drop the steps for managing identity and access in a multi-cloud environment using a centralized identity provider (IdP) into the correct order.

Why this order

First integrate IdP, then create groups/roles, configure mapping, assign users with MFA, and audit.

120
MCQmedium

A company is implementing a cloud key management system (KMS) to control encryption keys for sensitive data. Which practice is essential to ensure the security of the keys?

A.Use a single key for all encryption operations to simplify management.
B.Export keys to the cloud provider's hardware security module (HSM).
C.Store encryption keys in the same region as the encrypted data.
D.Periodically rotate the encryption keys.
AnswerD

Key rotation limits the lifetime of exposed keys.

Why this answer

Periodic key rotation is essential because it bounds how much data any one key version protects and shortens the window in which a leaked key remains useful, in line with the cryptoperiod guidance in NIST SP 800-57. In a cloud KMS, rotation is automated through key versions: new encryption uses the newest version while older versions are retained so existing ciphertext still decrypts. Rotation does not by itself re-encrypt existing data, so rewrapping data keys or re-encrypting old objects is a separate step, and it is not the same property as forward secrecy in key-exchange protocols; its value is limiting blast radius.

Exam trap

ISC2 often tests the misconception that rotation is optional, or that keeping keys in the same region as the data is itself a security control. Rotation is a baseline key-hygiene requirement; where a key lives is a matter of availability, latency and data residency rather than key protection, so Option C describes an architectural choice, not the essential practice the question asks for.

How to eliminate wrong answers

Option A is wrong because using a single key for all encryption operations violates key separation and puts every data set inside the blast radius of one compromise; it also makes auditing and selective revocation impractical. Option B is wrong because keys should be generated inside the HSM boundary (or imported under a wrapping key) and never leave it in plaintext; "exporting" keys is the opposite of what an HSM is for, and FIPS 140-2/3 validated modules release key material, if at all, only wrapped under another key. Option C is wrong because the region a key lives in is an availability, latency and data-residency decision, not a key-protection control: many cloud KMS services are regional, so a key often has to be in the data's region for the service to use it at all, and that placement does nothing to limit the damage of a compromised key. Separating keys from data at the account or project level (a dedicated key-management account) is a common defence-in-depth pattern, but it is about access separation, not geography.
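Questions 114 and 120 describe two halves of one design: keys that stay with the customer (so the provider only ever holds ciphertext) and key versions that rotate without breaking old data. The Python below is an added example for this page, not code from the question set or from any cloud KMS. It implements client-side envelope encryption: a per-object data key is wrapped under a versioned key-encryption key that never leaves the customer's key store, the provider receives only ciphertext plus the wrapped key, rotation creates a new version while old versions remain usable for decryption, and rewrapping migrates an old object to the current version without re-encrypting its body. The cipher inside is a stand-in assembled from the standard library (SHA-256 counter-mode keystream with an HMAC-SHA256 tag) so the file runs offline; in real code that function pair would be AES-256-GCM from a vetted library, and the key-handling logic would not change.

```python
"""Client-side envelope encryption with a customer-held key hierarchy and KEK rotation.
Only ciphertext and wrapped data keys are ever handed to the storage provider."""
import hashlib
import hmac
import secrets
import struct


# ASSUMPTION: _seal/_open are a stand-in AEAD (SHA-256 counter-mode keystream, HMAC-SHA256
# tag, encrypt-then-MAC) so the example runs on the standard library alone. Replace them
# with AES-256-GCM from a vetted library in real code; the key handling below is unchanged.
def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(enc_key + nonce + struct.pack(">I", i)).digest()
                    for i in range(blocks))[:length]


def _seal(key, plaintext, aad=b""):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, struct.pack(">I", len(aad)) + aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key, blob, aad=b""):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(mac_key, struct.pack(">I", len(aad)) + aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CustomerKeyStore:
    """Key-encryption keys (KEKs) live here, on the customer side. Rotation adds a
    version; old versions stay for decryption and are never handed out."""

    def __init__(self):
        self._keks = {}
        self.current = None
        self.rotate()

    def rotate(self):
        self.current = f"v{len(self._keks) + 1}"
        self._keks[self.current] = secrets.token_bytes(32)
        return self.current

    def versions(self):
        return sorted(self._keks)

    def generate_data_key(self):
        """One fresh DEK per object, wrapped under the current KEK. The wrapped copy
        travels with the object; the plaintext DEK is used once and discarded."""
        dek = secrets.token_bytes(32)
        wrapped = _seal(self._keks[self.current], dek, aad=self.current.encode())
        return dek, {"kek_version": self.current, "wrapped_dek": wrapped.hex()}

    def unwrap(self, envelope):
        ver = envelope["kek_version"]
        return _open(self._keks[ver], bytes.fromhex(envelope["wrapped_dek"]), aad=ver.encode())

    def rewrap(self, envelope):
        """After rotation: re-wrap an existing DEK under the current KEK without touching
        the (possibly huge) object ciphertext, so old KEK versions can be retired."""
        dek = self.unwrap(envelope)
        wrapped = _seal(self._keks[self.current], dek, aad=self.current.encode())
        return {"kek_version": self.current, "wrapped_dek": wrapped.hex()}


def encrypt_for_upload(store, plaintext):
    """Everything returned here is safe to hand to the provider: no key, no plaintext."""
    dek, envelope = store.generate_data_key()
    return {"ciphertext": _seal(dek, plaintext).hex(), **envelope}


def decrypt_download(store, obj):
    dek = store.unwrap(obj)
    return _open(dek, bytes.fromhex(obj["ciphertext"]))


def rotation_walkthrough():
    """Encrypt under v1, rotate, encrypt under v2, confirm the v1 object still decrypts,
    then rewrap it so only v2 is needed going forward."""
    store = CustomerKeyStore()
    old = encrypt_for_upload(store, b"customer record #1")
    store.rotate()
    new = encrypt_for_upload(store, b"customer record #2")
    migrated = {**old, **store.rewrap(old)}
    return {"old_version": old["kek_version"], "new_version": new["kek_version"],
            "old_decrypts": decrypt_download(store, old), "new_decrypts": decrypt_download(store, new),
            "migrated_version": migrated["kek_version"],
            "migrated_decrypts": decrypt_download(store, migrated), "versions": store.versions()}


if __name__ == "__main__":
    print(rotation_walkthrough())
```

The object the provider stores carries the KEK version in its metadata, which is what lets a rotated store still decrypt it, and the version string is bound into the wrap as associated data so a wrapped key cannot be silently relabelled. Rewrapping touches only the 32-byte data key, which is why rotation in a cloud KMS is cheap even for large objects; full re-encryption is only needed if the data key itself is suspected of exposure.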
