CCNA Cloud Security Operations Questions

17 of 92 questions · Page 2/2 · Cloud Security Operations · Answers revealed

76. Multi-Select (hard)

Which THREE of the following are essential steps in the incident response process for a cloud security incident?

Select 3 answers
A. Perform a full forensic analysis of all systems before containment.
B. Contain the incident to prevent further damage.
C. Reward the team that discovered the incident to encourage reporting.
D. Eradicate the root cause of the incident.
E. Identify and classify the incident based on severity and impact.
Answers: B, D, E

Containment is critical to limit scope.

Why this answer

Correct answers are B, D, and E. Identification (E), containment (B), and eradication (D) are key phases. Option C is wrong because rewarding staff is not part of incident response.

Option A is wrong because forensics typically occurs after containment and is not an essential step in the core process (it is part of analysis).

77. Matching (medium)

Match each virtualization security concept to its description.


Software that manages virtual machines

Attack breaking out of VM isolation

Virtual machine introspection for monitoring

Moving a running VM between hosts

Why these pairings

Virtualization is foundational to cloud; security concerns include isolation and hypervisor integrity.

78. MCQ (medium)

A company is migrating its on-premises virtualized environment to the Azure cloud. The security team wants to ensure they can detect and respond to security incidents in the cloud. They plan to use Azure Security Center and Azure Sentinel. The on-premises environment uses a SIEM tool and logs from all servers are forwarded to it. In the cloud, they have provisioned virtual machines (VMs) running various workloads. The team needs to ensure that all security events from these VMs are captured and analyzed. Which of the following steps should they take FIRST to achieve comprehensive log collection?

A. Enable Azure Diagnostics extension and install the Log Analytics agent on all VMs to send logs to a Log Analytics workspace.
B. Set up a jump box VM with administrative tools and restrict access to it using just-in-time VM access.
C. Enable Azure Security Center's standard tier and rely on its built-in security events collection.
D. Configure network security group flow logs and send them to a storage account for analysis.
Answer: A

This collects OS-level events and allows Security Center and Sentinel to analyze them.

Why this answer

Option A is correct because enabling Azure Diagnostics and the Log Analytics agent on all VMs sends logs to Azure Monitor and a Log Analytics workspace, which is the foundation for Sentinel and Security Center. Option D is wrong because network security group flow logs are important for network data but do not capture VM-level logs. Option C is wrong because, while Security Center collects security events, it may not cover all custom logs; the agent is needed for full coverage.

Option B is wrong because configuring a jump box for administrators does not address general VM logging.

79. Multi-Select (medium)

Which TWO of the following are key components of a cloud incident response plan that should be tested regularly?

Select 2 answers
A. Encryption key management procedures.
B. Automation playbooks for containment and eradication.
C. Communication channels for alerting stakeholders.
D. Backup and restore procedures.
E. Service level agreements (SLAs) with cloud provider.
Answers: B, C

Automation playbooks must be tested to ensure they execute correctly.

Why this answer

Automation playbooks for containment and eradication (B) are critical because they enable rapid, consistent response to incidents in cloud environments, where manual intervention can be too slow to prevent lateral movement or data exfiltration. Regular testing ensures these playbooks execute correctly against live cloud APIs (e.g., AWS Lambda, Azure Automation) and that they properly isolate compromised resources without disrupting legitimate workloads.

Exam trap

ISC2 often tests the distinction between incident response plan components and broader operational or contractual elements. Candidates mistakenly select backup/restore procedures (D) or SLAs (E) because they seem related to incident handling, but they are not core to the detection, containment, and eradication phases that require regular testing.

80. Multi-Select (easy)

Which TWO of the following are valid methods for securing data at rest in a cloud storage service?

Select 2 answers
A. Disabling encryption to reduce latency.
B. Implementing client-side encryption before uploading data.
C. Using server-side encryption with customer-managed keys.
D. Setting the storage bucket to public read access.
E. Enabling access logging for the storage bucket.
Answers: B, C

Client-side encryption ensures data is encrypted before transmission.

Why this answer

Option B is correct because client-side encryption ensures data is encrypted before it leaves the client environment, so the cloud provider never has access to the plaintext. This is a valid method for securing data at rest in cloud storage, as the encrypted objects are stored in the service and can only be decrypted by the client holding the keys.

Exam trap

ISC2 often tests the distinction between encryption methods (client-side vs. server-side) and security controls (e.g., logging vs. encryption), so the trap here is that candidates may confuse access logging or public access settings with data-at-rest protection mechanisms.

81. MCQ (hard)

During a security incident in a multi-tenant cloud environment, the cloud provider's logging system indicates that a virtual machine (VM) on a shared hypervisor has been compromised. The provider wants to assist the customer with forensic analysis while minimizing impact to other tenants. Which approach is most appropriate?

A. Rebuild the VM from a known good image and then run security scans.
B. Provide the customer with a memory snapshot of the compromised VM.
C. Clone the entire hypervisor and give the customer access to the clone.
D. Power off the VM immediately to contain the incident.
Answer: B

Memory snapshot preserves volatile data and allows forensic analysis without impacting other tenants.

Why this answer

Option B is correct because providing a memory snapshot of the compromised VM preserves volatile forensic data (e.g., running processes, network connections, encryption keys) without disrupting the hypervisor or other tenants. This approach adheres to the cloud provider's responsibility to isolate forensic evidence while maintaining multi-tenant isolation, as memory snapshots can be taken via hypervisor-level APIs (e.g., VMware vMotion or libvirt) without powering off the VM or cloning the entire host.

Exam trap

ISC2 often tests the distinction between forensic acquisition (preserving evidence) and incident containment/remediation, where candidates mistakenly choose immediate power-off (Option D) or rebuild (Option A) instead of the correct memory snapshot approach that balances evidence preservation with multi-tenant isolation.

How to eliminate wrong answers

Option A is wrong because rebuilding the VM from a known good image destroys all volatile evidence (e.g., memory-resident malware, active network connections) and is a remediation step, not a forensic acquisition step. Option C is wrong because cloning the entire hypervisor is excessively disruptive, exposes other tenants' data to the customer, and violates the shared responsibility model by breaking tenant isolation at the hypervisor level. Option D is wrong because powering off the VM immediately destroys volatile memory evidence and may trigger anti-forensic mechanisms in malware (e.g., self-deletion on shutdown), while also causing unnecessary downtime for the customer.

82. MCQ (medium)

The security team notices that the request above is from a known malicious IP address. However, the load balancer did not block it. What is the most likely reason?

A. The user-agent indicates it is a legitimate search engine
B. The response code indicates success
C. The load balancer's access control list does not include the IP address
D. The request was encrypted with TLS
Answer: C

If the IP is not in the deny list, the request will be allowed.

Why this answer

C is correct because a load balancer's access control list (ACL) is a stateless or stateful rule set that explicitly defines which source IP addresses are allowed or denied. If the malicious IP address is not listed in the ACL, the load balancer will not block the traffic, regardless of the request's content or encryption status. The security team's observation that the request was from a known malicious IP but was not blocked directly points to a missing or incomplete ACL entry.

Exam trap

ISC2 often tests the misconception that encryption (TLS) or response codes can override access control decisions, but the trap here is that candidates forget ACLs operate at a lower layer and are independent of application-layer details like user-agent or HTTP status codes.

How to eliminate wrong answers

Option A is wrong because the user-agent header is easily spoofed and does not determine the legitimacy of the source IP; a malicious actor can set a user-agent string to mimic a legitimate search engine. Option B is wrong because the response code (e.g., HTTP 200) indicates the request was processed successfully, but it does not imply that the request should have been blocked; blocking decisions are based on pre-configured rules, not on the outcome of the request. Option D is wrong because TLS encryption protects data in transit but does not affect IP-based access control; a load balancer can inspect the source IP before or after TLS termination, and encryption does not bypass ACL rules.

83. MCQ (medium)

A company runs its production workloads on a cloud platform. The security team wants to ensure that all compute instances are patched within 30 days of a patch release. Which of the following is the BEST approach to enforce this requirement?

A. Use an automated patch management tool that deploys patches to all instances within 30 days
B. Configure vulnerability scanning to identify unpatched instances and notify administrators
C. Create a change management process that requires approval for all patches
D. Implement a manual patching policy and require each team to submit a patch report monthly
Answer: A

Automation enforces timeline.

Why this answer

Option A is correct because automated patch management with a scheduled deployment ensures compliance with the timeline. Option D is wrong because manual patching is error-prone and may not meet the timeline. Option B is wrong because, while it helps identify unpatched instances, it does not enforce patching.

Option C is wrong because an approval workflow adds delay.

84. MCQ (easy)

A cloud administrator is configuring log retention for a financial application that must comply with PCI DSS. What is the minimum log retention period required by PCI DSS?

A. At least 90 days.
B. At least six months.
C. At least five years.
D. At least one year with the most recent three months available online.
Answer: D

PCI DSS Requirement 10.7 mandates retention for at least one year, with three months online.

Why this answer

PCI DSS requirement 10.7 mandates that audit trail history must be retained for at least one year, with the most recent three months of logs immediately available for analysis. This ensures that historical data is preserved for forensic investigation while maintaining quick access to recent activity. Option D correctly states this dual requirement.

Exam trap

The trap here is that candidates often confuse the 'immediately available' 90-day requirement with the total retention period, leading them to incorrectly select Option A instead of recognizing the full one-year retention mandate with the three-month online subset.

How to eliminate wrong answers

Option A is wrong because 90 days is only the minimum period for which the most recent logs must be immediately available, not the total retention period. Option B is wrong because six months is not a PCI DSS retention requirement; the standard requires one year total. Option C is wrong because five years exceeds the PCI DSS minimum; that duration is more typical of HIPAA or other regulatory frameworks, not PCI DSS.

85. MCQ (medium)

A healthcare organization is using a cloud-based electronic health record (EHR) system hosted on a PaaS platform. The platform provides a web interface and an API for integration with internal systems. The organization's security policy requires encryption of all data at rest and in transit. They have implemented SSL/TLS for data in transit and enabled server-side encryption for the database. However, during a recent audit, it was discovered that the API returns diagnostic data in clear text when accessed from internal networks. The internal network is considered trusted. The auditor recommends implementing end-to-end encryption. Which of the following is the BEST approach to meet this requirement?

A. Configure the API to require mutual TLS (mTLS) authentication and use TLS 1.2 or higher for all connections from internal systems.
B. Implement client-side encryption on the internal systems before sending data to the API.
C. Set up a VPN connection between the internal network and the cloud PaaS environment to encrypt all traffic.
D. Create a proxy service in the cloud that encrypts the data before forwarding it to the API.
Answer: A

mTLS ensures both parties are authenticated and the communication is encrypted, providing end-to-end encryption.

Why this answer

Option A is correct because implementing mutual TLS (mTLS) ensures that only authenticated clients (internal systems) can communicate with the API and that all data is encrypted end-to-end. Option B is wrong because client-side encryption requires key management and does not guarantee encryption in transit between the internal systems and the API. Option C is wrong because using a VPN adds latency and complexity; mTLS is more lightweight and still encrypts the data.

Option D is wrong because sending data through a separate encryption endpoint adds extra components and potential points of failure.

86. MCQ (easy)

An organization uses a cloud key management service (KMS) for encryption keys. The security policy requires automatic rotation of keys every 90 days. Which rotation strategy best balances security and operational impact?

A. Retain the original key for decryption and use a new key only for new data.
B. Have administrators manually create new keys every 90 days and update applications.
C. Configure the KMS to automatically generate new key versions and retire old ones with no application changes.
D. Re-encrypt all data with a new master key each rotation to ensure full key separation.
Answer: C

Automatic rotation with versioning is seamless and secure.

Why this answer

Option C is correct because cloud KMS services (e.g., AWS KMS, Azure Key Vault, GCP Cloud KMS) support automatic key rotation by creating new key versions while retaining previous versions for decryption of existing data. This approach satisfies the 90-day rotation policy without requiring application changes, as the KMS handles versioning transparently and the encryption context or key ID abstraction allows seamless use of the latest key for encryption.

Exam trap

The trap here is that candidates often confuse key rotation with re-encryption, assuming that rotating a key requires re-encrypting all existing data, when in fact cloud KMS versioning allows old keys to remain available for decryption without re-encrypting the entire dataset.

How to eliminate wrong answers

Option A is wrong because retaining the original key for decryption while using a new key only for new data does not rotate the original key; it merely adds a new key, leaving the original key active indefinitely, which violates the 90-day rotation policy. Option B is wrong because manual key creation every 90 days introduces operational overhead, risk of human error, and requires application updates to reference new keys, which contradicts the goal of minimizing operational impact. Option D is wrong because re-encrypting all data with a new master key each rotation is impractical and resource-intensive; cloud KMS rotation typically uses versioned keys where old versions remain available for decryption without re-encrypting existing ciphertext.

87. MCQ (medium)

A company experiences a security breach in its cloud environment, and the security team needs to preserve evidence for legal proceedings. Which of the following is the MOST important step to take first?

A. Disable all logging to prevent the attacker from seeing detection efforts.
B. Isolate the compromised systems from the network to prevent lateral movement.
C. Notify all affected customers of the breach.
D. Contact the legal department to obtain a warrant before any action.
Answer: B

Isolating systems is the first priority to stop the attack and preserve evidence.

Why this answer

Option B is correct because the immediate priority in a cloud security incident is to contain the breach and prevent lateral movement, which preserves the integrity of the evidence by stopping further compromise. Isolating compromised systems (e.g., via network security groups or virtual network segmentation) ensures that volatile data, such as memory contents and active connections, is not altered by ongoing attacker activity. This step aligns with the NIST SP 800-61 incident response framework, which emphasizes containment before evidence collection.

Exam trap

ISC2 often tests the misconception that preserving evidence means immediately collecting logs or notifying stakeholders, when in fact the first step is to contain the incident to prevent evidence from being altered or destroyed by ongoing attacker activity.

How to eliminate wrong answers

Option A is wrong because disabling all logging destroys the very evidence needed for legal proceedings and violates the principle of preserving forensic artifacts; logging should be enabled and protected to capture attacker actions. Option C is wrong because notifying affected customers prematurely can compromise the investigation, alert the attacker, and violate data breach notification laws that require a thorough forensic analysis first. Option D is wrong because obtaining a warrant is not a prerequisite for internal incident response actions; the company owns the cloud environment and can take immediate containment steps without a warrant, and waiting for legal authorization could allow the attacker to destroy evidence.

88. Multi-Select (medium)

A cloud operations team is implementing a disaster recovery plan. Which of the following are valid strategies for data replication in a cloud environment? (Choose three.)

Select 3 answers
A. Asynchronous replication across regions
B. Synchronous replication within the same region
C. Periodic snapshots to object storage
D. Replication via cloud provider's managed replication service
E. Active-active replication with load balancing
Answers: A, B, D

Asynchronous replication handles geographic distance with eventual consistency.

Why this answer

Asynchronous replication across regions is a valid DR strategy because it allows data to be copied to a geographically distant region without requiring an immediate acknowledgment from the target, which minimizes latency impact on the primary site. This approach is suitable for cloud environments where recovery point objectives (RPOs) of minutes to hours are acceptable, and it leverages the cloud provider's high-latency inter-region network links without stalling write operations.

Exam trap

ISC2 often tests the distinction between replication (continuous data copying) and backup (point-in-time snapshots), so candidates mistakenly select periodic snapshots as a replication strategy when it is actually a backup method.

89. MCQ (hard)

A cloud security engineer reviews the Terraform configuration above. Which of the following is a security best practice that has been violated?

A. The user_data script should not be in plain text
B. The security group does not allow SSH access
C. The security group allows unrestricted inbound traffic on port 80
D. The instance uses a public AMI
Answer: C

Allowing inbound HTTP from anywhere broadens the attack surface.

Why this answer

Option C is correct because the security group allows unrestricted inbound traffic on port 80 from any source (0.0.0.0/0), violating the principle of least privilege. Option D (public AMI) is not necessarily a violation. Option A (plain-text user_data) is a minor concern but not a best-practice violation per se; secrets should not be placed in user_data.

Option B (no SSH access) is acceptable if SSH is not needed.

90. MCQ (hard)

During a security audit, it is discovered that a cloud service provider's infrastructure-as-a-service (IaaS) environment has virtual machines that were provisioned with default firewall rules allowing all inbound traffic from the internet. The organization's cloud security policy requires that all VM firewall rules follow a least-privilege model. What is the most effective approach to enforce this policy going forward?

A. Manually review each VM's firewall rules during deployment
B. Use a configuration management tool to periodically audit and correct firewall rules
C. Implement infrastructure as code templates with built-in security controls that enforce least-privilege firewall rules
D. Use a cloud security posture management (CSPM) tool that continuously monitors and alerts on non-compliant rules
Answer: C

Prevents non-compliant deployments from the start.

Why this answer

Option C is correct because using infrastructure as code (IaC) templates with built-in security controls ensures that all new VM deployments comply with the least-privilege policy, preventing non-compliant deployments. Options A and D are reactive or detective. Option B may miss non-compliant resources if not properly configured.

91. Multi-Select (medium)

Which TWO of the following are best practices for securing a cloud-based container orchestration platform?

Select 2 answers
A. Use minimal base images to reduce the attack surface.
B. Store secrets in environment variables for ease of use.
C. Run containers with root privileges by default.
D. Enable audit logging for all administrative actions.
E. Disable TLS certificate validation for internal communications.
Answers: A, D

Minimal images reduce vulnerabilities.

Why this answer

Using minimal base images (e.g., Alpine or distroless images) reduces the number of installed packages and libraries, thereby shrinking the attack surface. This practice limits the potential vectors for privilege escalation or remote code execution within containers, which is a core security principle for containerized workloads in platforms like Kubernetes.

Exam trap

ISC2 often tests the misconception that environment variables are a safe place for secrets because they are 'not stored on disk,' but in reality they are accessible to any process or user with access to the container's runtime environment.

92. MCQ (hard)

A security engineer reviews the S3 bucket policy shown in the exhibit. Which security concern should be addressed immediately?

A. The principal "*" grants access to all AWS services
B. The second statement allows unrestricted public read access to all objects
C. The policy version is outdated and should be updated
D. The resource ARN does not include the bucket itself, only objects
Answer: B

The second statement has no condition, so it grants s3:GetObject to anyone, overriding the IP restriction.

Why this answer

Option B is correct because the second statement in the S3 bucket policy uses `"Effect": "Allow"` with `"Principal": "*"` and `"Action": "s3:GetObject"` without any condition restricting access (e.g., `IpAddress` or `Referer`). This effectively grants anonymous, unauthenticated read access to every object in the bucket, which is a critical data exposure risk. Such a policy violates the principle of least privilege and should be remediated immediately by removing the statement or adding a condition to restrict access.

Exam trap

ISC2 often tests the misconception that `"Principal": "*"` only applies to AWS services, when in fact it grants access to all principals including anonymous users, and candidates may overlook the missing condition that would otherwise restrict access.

How to eliminate wrong answers

Option A is wrong because `"Principal": "*"` grants access to all AWS users and anonymous users, not just AWS services; the misconception is that `*` limits to services, but it actually means any principal (including unauthenticated users). Option C is wrong because the policy version `"2012-10-17"` is the current and valid version for S3 bucket policies; an outdated version would be `"2008-10-17"`, but that is not a security concern here. Option D is wrong because the resource ARN `"arn:aws:s3:::example-bucket/*"` correctly specifies objects within the bucket; while it does not include the bucket itself, this is intentional for object-level permissions and is not a security issue—the bucket ARN would be needed only for bucket-level actions like `s3:ListBucket`, which is not the concern in this policy.
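The following is an added example, not part of the original question set: a small Python audit that reproduces the defect described in question 92 by flagging every `Allow` statement with a wildcard principal whose `Condition` does not scope the caller's identity or network source. The bucket policy embedded below is constructed from the explanation above (an IP-restricted first statement and an unscoped second one); the set of "restricting" condition keys is a simplified heuristic, not AWS's own public-access definition.

```python
"""Audit an S3 bucket policy for statements reachable by anonymous callers.

Added example (not from the original page). Flags Allow statements whose
Principal is the wildcard and whose Condition block does not narrow WHO may
call or FROM WHERE, which is the defect described in question 92.
"""
import json

# Condition keys that genuinely narrow the caller or its network source.
# A Condition on anything else (e.g. only aws:SecureTransport) still leaves
# the statement open to anonymous callers. aws:Referer is deliberately left
# out: the header is client-controlled. (Simplified heuristic, an assumption.)
RESTRICTING_KEYS = {
    "aws:sourceip", "aws:sourcevpc", "aws:sourcevpce",
    "aws:principalorgid", "aws:principalarn", "aws:principalaccount",
}

# Constructed policy matching the exhibit described in question 92.
CONSTRUCTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OfficeOnlyRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
        {
            "Sid": "UnscopedRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """True for both `"Principal": "*"` and `"Principal": {"AWS": "*"}`."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def condition_restricts_caller(condition):
    """True if any condition key narrows caller identity or network source."""
    for operator_block in (condition or {}).values():
        for key in operator_block:
            if key.lower() in RESTRICTING_KEYS:
                return True
    return False


def find_anonymous_grants(policy_json):
    """Return (Sid, actions) for each statement usable by anonymous callers."""
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not is_wildcard_principal(stmt.get("Principal")):
            continue
        if condition_restricts_caller(stmt.get("Condition")):
            continue  # e.g. the IpAddress-scoped first statement
        findings.append((stmt.get("Sid", f"statement[{idx}]"),
                         _as_list(stmt.get("Action"))))
    return findings


if __name__ == "__main__":
    for sid, actions in find_anonymous_grants(CONSTRUCTED_POLICY):
        print(f"PUBLIC: {sid} grants {', '.join(actions)} to anyone")
```

Run against the constructed policy, only `UnscopedRead` is reported; the first statement passes because its `aws:SourceIp` condition scopes the source network.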
