Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Certified Cloud Security Professional CCSP practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions. Exam code: CCSP. Vendor: ISC2.

Scenario guide

How to approach "refer to the exhibit" practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.

Practice set

Practice scenarios

Question 1 (medium, multiple choice)

Refer to the exhibit. An administrator is reviewing an AWS S3 bucket policy. Based on the policy, which of the following is true?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
```

Question 2 (hard, multiple choice)

Refer to the exhibit. A security analyst reviews the S3 bucket policy shown. Which security issue should be flagged?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/MyAppRole"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/uploads/*"
    }
  ]
}
```

Question 3 (hard, multiple choice)

Refer to the exhibit. A security engineer discovers that the S3 bucket policy allows public read access from the entire corporate network (10.0.0.0/16). However, the company wants to restrict access only to the security team's subnet (10.0.1.0/24). What modification should be made to the policy?

Exhibit

```
Bucket: my-company-logs
Region: us-east-1
Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-company-logs/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}
```

Question 4 (hard, multiple choice)

A cloud security engineer reviews the S3 bucket policy shown in the exhibit. What is the net effect of this policy when a request originates from IP address 203.0.113.10 over HTTPS?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::company-data/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::company-data/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```

Question 5 (medium, multiple choice)

A cloud security engineer reviews the IAM policy shown in the exhibit, which is attached to an S3 bucket. The engineer finds that users from outside the 10.0.0.0/8 network can still download objects from the bucket. What is the most likely reason for this behavior?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```

Question 6 (hard, multiple choice)

Refer to the exhibit. A cloud security analyst is reviewing an S3 bucket policy. The bucket contains sensitive data and must only be accessible over HTTPS from the internal network (10.0.0.0/24). Which of the following correctly describes the behavior of this policy?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Question 7 (hard, multiple choice)

An AWS S3 bucket policy is configured as shown in the exhibit. The security team wants to ensure that only requests from the corporate IP range (203.0.113.0/24) can read objects in the bucket. However, they notice that a CloudFront distribution configured to serve content from this bucket is returning 403 Forbidden errors. What is the MOST likely cause?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-secure-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```

Question 8 (hard, multiple choice)

Refer to the exhibit. A cloud security analyst reviews the bucket policy for example-bucket. Based on the policy, which of the following is true?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Question 9 (hard, multiple choice)

Refer to the exhibit. A Kubernetes pod is configured as shown. Which security enhancement should be added to follow cloud security best practices?

Exhibit

```
apiVersion: v1
kind: Pod
metadata:
  name: web-app
spec:
  containers:
  - name: web
    image: nginx:latest
    securityContext:
      runAsUser: 1000
      runAsGroup: 3000
      allowPrivilegeEscalation: false
    ports:
    - containerPort: 80
```

Question 10 (easy, multiple choice)

Refer to the exhibit. A cloud administrator ran the Azure CLI command to list virtual machines. One VM shows a ProvisioningState of 'Failed'. What is the most likely cause of this state?

Exhibit

```
$ az vm list --output table
Name       ResourceGroup  Location  ProvisioningState
vm-prod-1  rg-prod        eastus    Succeeded
vm-prod-2  rg-prod        eastus    Succeeded
vm-dev-1   rg-dev         eastus    Failed
```

Question 11 (medium, multiple choice)

Refer to the exhibit. A cloud administrator sees this error log from AWS CloudTrail. The user [email protected] is a member of the 'Analysts' group. Which of the following is the most likely cause of the AccessDenied error?

Exhibit

```
Error Log Entry:
Timestamp: 2024-08-15T14:23:10Z
User: [email protected]
Action: PutObject
Resource: s3://finance-reports/quarterly.xlsx
Status: AccessDenied
Source IP: 203.0.113.45
UserAgent: [ConsoleLogin]
Additional: The user does not have permissions to write to this bucket.
```

Question 12 (easy, multiple choice)

Refer to the exhibit. A log entry shows a suspected SQL injection attack. Which security control would have prevented this attack?

Exhibit

```
[ERROR] 2025-03-01 12:34:56,789 - myapp - CRITICAL - SQL Injection detected on endpoint /api/login
Input: ' OR '1'='1
```

Question 13 (medium, multiple choice)

Refer to the exhibit. A security analyst is investigating a potential unauthorized key pair creation. The CloudTrail log shows a successful CreateKeyPair event for an admin user. What additional step should the analyst take to determine if this was an authorized action?

Exhibit

```
$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --query 'Events[?ErrorCode==`nil`]' --output text
Events:
- EventId: abc123
  EventName: CreateKeyPair
  EventTime: 2023-10-01T10:00:00Z
  UserIdentity: {"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/admin"}
  Resources: [{"resourceType":"AWS::EC2::KeyPair","resourceName":"mykey"}]
  SourceIPAddress: 203.0.113.50
  UserAgent: console.amazonaws.com
```

Question 14 (medium, multiple choice)

Refer to the exhibit. A security administrator is reviewing an S3 bucket policy. What is the primary security concern with this policy?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```

Question 15 (hard, multiple choice)

Refer to the exhibit. A security engineer has attached the above IAM policy to a user. What is the effect of this policy?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
```

These CCSP practice questions are part of Courseiva's free ISC2 certification practice question bank. Courseiva provides original exam-style CCSP questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.