CCNA CCSP Data Security Questions

75 of 101 questions · Page 1/2 · CCSP Data Security topic · Answers revealed

1
Multi-Select · medium

A cloud security team is implementing encryption for data at rest in a cloud storage service. They require that the encryption keys be managed by the customer and that the cloud provider has access to the keys only when authorized by the customer. Which TWO key management options meet these requirements? (Select TWO.)

Select 2 answers
A. Customer-Managed Encryption Keys (CMEK)
B. Cloud Provider Default Encryption
C. Customer-Supplied Encryption Keys (CSEK)
D. Hold Your Own Key (HYOK)
E. Bring Your Own Key (BYOK)
Answers: A, E

Customer creates keys in cloud KMS and controls access.

Why this answer

CMEK (Customer-Managed Encryption Keys) allows the customer to create and manage keys in cloud KMS, and BYOK (Bring Your Own Key) allows importing keys into cloud KMS. In both cases, the provider can access the keys when authorized.

2
MCQ · hard

A multinational corporation must comply with GDPR and store EU customer data only within the European Union. Which cloud storage security measure directly addresses this requirement?

A. Pre-signed URLs
B. Data residency configuration
C. Bucket policies with IAM conditions
D. Cross-region replication
Answer: B

Data residency settings ensure data is stored only in chosen geographic regions.

Why this answer

Data residency policies restrict data storage to specific geographic regions. By selecting cloud regions within the EU, the organization ensures data does not leave the EU, complying with GDPR data localization requirements.

3
MCQ · medium

A company is required to encrypt all data in transit between its on-premises data center and its cloud environment. They have a hybrid cloud setup and need a secure tunnel for all traffic. Which solution should they implement?

A. Client-side encryption
B. Pre-signed URLs
C. VPN connection
D. TLS 1.2+ for all API calls
Answer: C

VPN provides an encrypted tunnel for all hybrid traffic.

Why this answer

A VPN (Virtual Private Network) creates an encrypted tunnel between the on-premises network and the cloud VPC, ensuring all traffic in transit is encrypted.

4
MCQ · medium

A global e-commerce company must store customer payment data in a specific geographic region to comply with local data residency laws. Which cloud configuration ensures that data never leaves the required region?

A. Use a global load balancer to route traffic
B. Enable cross-region replication to a secondary region for disaster recovery
C. Store data in a private cloud on-premises
D. Select a specific cloud region for the storage and disable cross-region replication
Answer: D

Choosing a single region and ensuring no replication to other regions keeps data within that geographic boundary.

Why this answer

Data residency is achieved by selecting a cloud region (e.g., 'EU-West-1') and configuring storage buckets or databases with region-specific policies. Additionally, bucket policies can explicitly deny access from outside the region, and replication features should be disabled or configured to stay within the region.

5
MCQ · easy

Which phase of the cloud data lifecycle involves making data available for processing by applications and users?

A. Archive
B. Store
C. Use
D. Create
Answer: C

Use involves reading, processing, and transforming data.

Why this answer

The cloud data lifecycle consists of Create, Store, Use, Share, Archive, Destroy. The 'Use' phase is when data is accessed and processed.

6
MCQ · hard

A company uses cloud KMS with customer-managed keys (CMEK) to encrypt data in a cloud storage bucket. The security team wants to ensure that if a key is compromised, they can revoke the cloud service's ability to decrypt the data immediately. What should they do?

A. Rotate the key to a new version.
B. Delete the key permanently from the cloud KMS.
C. Regenerate the key material by importing a new key.
D. Disable the key in the cloud KMS or revoke the key's IAM permissions for the cloud service.
Answer: D

Disabling the key or revoking permissions immediately prevents the service from decrypting data.

Why this answer

With CMEK, the customer controls the key and can revoke the cloud service's access by disabling the key or removing the IAM permission that allows the service to use the key. Deleting the key would also work but is irreversible. Disabling the key is reversible and immediate.

7
MCQ · medium

A DevOps team is deploying an application that will store encryption keys in a cloud KMS. The security policy requires that keys be stored in a hardware security module (HSM) and that key material never leaves the HSM boundary. Which key management option should they choose?

A. Customer-managed encryption keys (CMEK) with software-backed storage
B. Cloud KMS with HSM-backed key storage
C. Hold your own key (HYOK) with on-premises HSM
D. Bring your own key (BYOK) with key import to cloud KMS
Answer: B

HSM-backed keys ensure key material is protected by hardware and never leaves the HSM.

Why this answer

Cloud KMS with HSM-backed key storage ensures keys are generated and stored in an HSM. CMEK and BYOK typically use software-backed keys unless HSM is specified. HYOK keeps keys on-premises, not in cloud HSM.

8
MCQ · medium

A security team is setting up a DLP solution to scan cloud storage for credit card numbers. They want to automatically mask the detected credit card numbers so that only the last four digits are visible. Which DLP de-identification transform should they use?

A. Pseudonymization
B. Bucketing
C. Tokenization
D. Masking
Answer: D

Masking partially obscures data, e.g., showing only last four digits.

Why this answer

Masking is a de-identification transform that replaces part of the sensitive data with a placeholder, such as showing only the last four digits of a credit card number.

9
MCQ · hard

A multinational corporation uses a cloud DLP service to scan data stored in cloud storage and BigQuery for personally identifiable information (PII). The DLP scan identifies credit card numbers in a dataset. According to the cloud data lifecycle, at which stage should the DLP scan ideally be performed to minimize exposure?

A. Store
B. Use
C. Create
D. Share
Answer: C

Scanning at creation prevents sensitive data from being stored unprotected.

Why this answer

DLP scanning should ideally occur during the Create stage, as data is being created or ingested, to prevent sensitive data from being stored without proper protections. Scanning at the Store stage may allow unprotected data to persist. Scanning at the Use or Share stages is reactive, and the data may already have been exposed by then.

10
Multi-Select · medium

A cloud architect is designing key management for a multi-tenant SaaS application. The architect must ensure that each customer's encryption keys are isolated and that the cloud provider cannot access the keys. Which TWO key management strategies meet these requirements? (Select TWO.)

Select 2 answers
A. Client-side encryption
B. Customer-managed encryption keys (CMEK)
C. Hold your own key (HYOK)
D. Bring your own key (BYOK)
E. Cloud provider default server-side encryption
Answers: A, C

Data is encrypted before upload; cloud never sees keys.

Why this answer

Client-side encryption ensures data is encrypted before it reaches the cloud, so the cloud provider never sees plaintext or keys. Hold Your Own Key (HYOK) keeps the key on-premises in an HSM, never exposing it to the cloud. Both give the customer exclusive control.

11
MCQ · easy

Which of the following is the correct order of phases in the cloud data lifecycle?

A. Store, Create, Use, Share, Destroy, Archive
B. Create, Store, Use, Share, Archive, Destroy
C. Create, Use, Store, Share, Archive, Destroy
D. Create, Share, Store, Use, Archive, Destroy
Answer: B

This is the standard sequence.

Why this answer

The standard cloud data lifecycle is Create, Store, Use, Share, Archive, Destroy.

12
MCQ · medium

A company is required by a data sovereignty law to ensure that all data generated by its EU customers is stored and processed within the EU. The company uses a cloud provider with data centers in multiple regions. Which cloud storage configuration should they implement?

A. Enable cross-region replication to a region in the same country.
B. Select a cloud region located in the EU and disable cross-region replication.
C. Use client-side encryption for all EU data.
D. Apply data classification labels to all EU data.
Answer: B

Choosing an EU region and disabling replication ensures data stays in the EU.

Why this answer

Data residency is achieved by choosing a specific geographic region (e.g., EU) for storage and processing. Cross-region replication would copy data to other regions, potentially violating sovereignty. Data classification and encryption help protect data but do not restrict location.

13
MCQ · hard

A financial institution must ensure that sensitive data processed in the cloud cannot be decrypted by the cloud provider under any circumstances. They also need low latency for data operations. Which encryption model best meets these requirements?

A. HYOK
B. Client-side encryption
C. Server-side encryption with CMEK
D. Server-side encryption with CSEK
Answer: B

Client-side encryption ensures keys never leave the customer's control, providing maximum security.

Why this answer

Client-side encryption ensures that only the customer holds the decryption keys; the cloud provider never has access to plaintext or keys. This provides maximum control and meets the requirement, though it may introduce some latency if not optimized.

14
MCQ · easy

An organization wants to classify data in the cloud and assign labels such as 'Public', 'Internal', 'Confidential', and 'Restricted'. What is the primary purpose of this classification scheme?

A. To reduce cloud storage costs by moving data to cheaper tiers
B. To enable public sharing of data
C. To comply with data localization laws
D. To apply appropriate security controls based on sensitivity
Answer: D

Classification dictates the level of protection needed (e.g., encryption, access controls).

Why this answer

Data classification helps determine appropriate security controls, such as encryption requirements, access permissions, and handling procedures. It guides policy enforcement.

15
MCQ · hard

An organization is deploying a cloud DLP solution to scan data at rest. They want to automatically classify and tag sensitive data, and then apply access controls based on the tags. Which cloud service capability is most directly used to enforce access decisions based on data classification tags?

A. Bucket policies with Principal ARN
B. Object ACLs with canned ACLs
C. Pre-signed URLs with expiration time
D. IAM policies with tag-based conditions
Answer: D

Tag-based conditions allow access control based on the classification tags applied to resources.

Why this answer

Cloud services often use IAM policies that can conditionally grant access based on resource tags. For example, AWS IAM policies can use Condition blocks to allow access only if the resource has a specific tag (e.g., classification=confidential).

16
MCQ · medium

A multinational corporation must store customer data in specific geographic regions to comply with data sovereignty laws. Which cloud storage feature should they configure to ensure data does not leave a designated region?

A. Signed URLs
B. Cross-region replication
C. Object versioning
D. Region selection for storage buckets
Answer: D

Choosing a specific region and blocking cross-region operations ensures data stays within that region.

Why this answer

Cloud providers allow selecting a specific region for storage resources, and data localization policies can be enforced via bucket location constraints and IAM policies restricting cross-region replication.

17
MCQ · medium

A healthcare organization is migrating electronic health records (EHR) to the cloud and must comply with HIPAA. They want to use cloud-native encryption but retain the ability to immediately revoke access to all encrypted data. Which key management strategy best meets this requirement?

A. Customer-managed encryption keys (CMEK)
B. Hold your own key (HYOK)
C. Bring your own key (BYOK)
D. Cloud provider default server-side encryption
Answer: A

CMEK enables the customer to control key lifecycle and revoke access by disabling the key in KMS.

Why this answer

Customer-managed encryption keys (CMEK) allow the customer to create and manage keys in the cloud KMS. The cloud service is authorized to use the key, but the customer can revoke access at any time by disabling the key, effectively rendering the data inaccessible. This provides control without the complexity of client-side encryption.

18
MCQ · medium

An organization uses cloud object storage with versioning enabled. After a ransomware attack, they discover that many objects were encrypted by the attacker. How does versioning help in this scenario?

A. It allows restoration of the previous unencrypted version of each object
B. It replicates objects to a different region for disaster recovery
C. It prevents any object from being overwritten or deleted
D. It automatically encrypts all objects with customer-managed keys
Answer: A

Previous versions are preserved and can be restored.

Why this answer

Versioning retains previous versions of objects, so if the current version is encrypted or modified, the last unmodified version can be restored, provided the attacker did not delete versions.

19
MCQ · medium

An organization wants to use cloud KMS to manage encryption keys. They require automatic key rotation every 90 days and the ability to define granular access policies for who can use the keys. Which key management model should they choose?

A. Cloud provider default encryption
B. Customer-managed encryption keys (CMEK)
C. Customer-supplied encryption keys (CSEK)
D. Bring your own key (BYOK)
Answer: B

CMEK allows customers to manage keys in KMS, including rotation and access policies.

Why this answer

Customer-managed encryption keys (CMEK) allow the customer to create and manage keys in cloud KMS, enabling automatic rotation and fine-grained access policies.

20
Multi-Select · hard

A financial services company is implementing a data loss prevention (DLP) solution to protect sensitive data in cloud storage. They need to identify and classify data containing personally identifiable information (PII) such as credit card numbers and social security numbers. Which three capabilities should the DLP solution provide? (Choose three.)

Select 3 answers
A. Encryption at rest using AES-256
B. Classification of data based on content
C. De-identification transforms such as masking and tokenization
D. Blocking public access to buckets
E. Automated scanning for sensitive data patterns
Answers: B, C, E

Classification labels data according to sensitivity.

Why this answer

Cloud DLP solutions typically include discovery (scanning for sensitive data), classification (labeling data types), and de-identification transforms (masking, tokenization) to protect data.

21
MCQ · hard

A cloud architect is designing a secure data sharing mechanism for a third-party partner. The partner needs temporary access to download a specific object from a private cloud storage bucket, but should not have broader access to the bucket. Which approach should be used?

A. Make the object publicly readable
B. Use cross-region replication to the partner's account
C. Grant the partner IAM role with read access to the bucket
D. Use a pre-signed URL
Answer: D

A pre-signed URL provides time-limited access to a specific object.

Why this answer

Pre-signed URLs grant time-limited access to a specific object without requiring the partner to have AWS credentials or bucket-level permissions.

22
MCQ · easy

Which phase of the cloud data lifecycle involves the removal of data in a manner that ensures it cannot be reconstructed, typically using techniques like cryptographic erasure or degaussing?

A. Destroy
B. Store
C. Share
D. Archive
Answer: A

Destroy securely eliminates data.

Why this answer

The Destroy phase is when data is securely disposed of, ensuring it cannot be recovered.

23
MCQ · easy

A company is implementing a data classification policy for cloud storage. They want to label objects with tags indicating the sensitivity level (e.g., 'Confidential'). Which benefit does tagging resources with classification labels provide?

A. It provides client-side encryption keys
B. It automatically encrypts data at rest
C. It reduces storage costs by moving data to cheaper tiers
D. It allows enforcement of data handling policies based on sensitivity
Answer: D

Tags enable policy-based controls such as preventing public access or requiring specific encryption for tagged objects.

Why this answer

Tags enable automated enforcement of access controls, encryption requirements, and retention policies. For example, a policy can prevent objects tagged 'Confidential' from being made public. Tags also facilitate auditing and reporting.

24
MCQ · hard

An organization uses a cloud storage service with versioning enabled. They discover that a ransomware attack encrypted all current versions of their files. However, they can still recover the data. Which feature protects them?

A. Pre-signed URLs
B. Versioning
C. Cross-region replication
D. Object lock
Answer: B

Versioning preserves previous object versions, allowing restoration of unencrypted versions.

Why this answer

Versioning retains previous versions of objects, so even if current versions are encrypted, previous unencrypted versions can be restored. This protects against ransomware and accidental deletion.

25
MCQ · easy

A healthcare company stores patient records in a cloud storage bucket. They need to encrypt the data at rest using encryption keys that they manage themselves, but they want to generate the keys within the cloud provider's key management service. Which encryption option should they choose?

A. Client-side encryption
B. Server-side encryption with Amazon S3-managed keys (SSE-S3)
C. Customer-Managed Encryption Keys (CMEK)
D. Customer-Supplied Encryption Keys (CSEK)
Answer: C

CMEK allows customers to create and manage keys in the cloud KMS, meeting the requirement.

Why this answer

CMEK (Customer-Managed Encryption Keys) allows the customer to create and manage keys within the cloud provider's KMS, giving them control over key lifecycle without the operational overhead of generating keys externally.

26
Multi-Select · hard

A cloud architect is implementing data loss prevention (DLP) for a data lake containing PII. They want to automatically detect and transform sensitive data like Social Security numbers and medical record numbers. Which THREE actions should they take? (Choose three.)

Select 3 answers
A. Apply de-identification transforms such as masking or tokenization
B. Enable bucket versioning
C. Use cloud DLP API to scan for sensitive data types
D. Configure automated classification labels based on DLP findings
E. Set up cross-region replication for durability
Answers: A, C, D

Transforms protect sensitive data by obscuring it.

Why this answer

Cloud DLP can scan data, apply de-identification transforms, and categorize data for further protection. These are core DLP capabilities.

27
MCQ · hard

A company is using client-side encryption to encrypt data before uploading to cloud storage. They want to ensure that the cloud provider cannot access the encryption keys. However, they need to allow a cloud-based analytics service to process the data. Which approach should they take?

A. Use client-side encryption but store the key in the cloud provider's key vault
B. Use envelope encryption with a cloud KMS key and store the data key alongside the encrypted data
C. Continue using client-side encryption and provide the analytics service with the encryption key
D. Switch to server-side encryption with CMEK and grant the analytics service access to the KMS key
Answer: D

CMEK allows the customer to control keys and grant granular access to the analytics service via KMS policies.

Why this answer

Client-side encryption typically prevents the cloud provider from accessing keys, but to allow processing, the data must be decrypted. Using customer-managed keys (CMEK) and granting the analytics service access to the keys via KMS policies enables processing while keeping key control with the customer.

28
MCQ · easy

A security engineer needs to provide temporary access to a specific object in a cloud storage bucket for a third-party auditor, without granting them any other permissions. The access should expire automatically after 24 hours. Which method should the engineer use?

A. Create a pre-signed URL for the object with a 24-hour expiration.
B. Configure a bucket policy that allows access from the auditor's IP address.
C. Assign the auditor an IAM role with read-only access to the bucket.
D. Generate an access key pair for the auditor and attach a user policy.
Answer: A

Pre-signed URLs allow time-limited access to a single object.

Why this answer

Pre-signed URLs (signed URLs) grant time-limited access to a specific object without requiring the auditor to have AWS credentials. IAM roles would grant broader permissions. Bucket policies provide blanket access. Access keys would be long-lived and insecure.

29
Multi-Select · easy

A company is planning to implement data classification for its cloud environment. Which TWO components are essential for an effective data classification scheme? (Select TWO.)

Select 2 answers
A. Encryption at rest for all classified data
B. A process to tag resources with the appropriate classification labels
C. Access control policies based on classification
D. Automated DLP scanning to enforce classification
E. A classification scheme with defined labels (e.g., public, internal, confidential, restricted)
Answers: B, E

Tagging ensures resources are labeled correctly.

Why this answer

A classification scheme with defined labels (e.g., public, internal, confidential, restricted) and a process for tagging resources with those labels are essential. Automated DLP scanning can enforce classification but is not essential for the scheme itself. Encryption and access controls are separate security controls.

30
MCQ · easy

A financial services company is migrating sensitive customer data to the cloud. They require that encryption keys be generated and stored on-premises in their own hardware security module (HSM), with the cloud provider never having access to the plaintext keys. Which key management model should they implement?

A. Customer-managed encryption keys (CMEK)
B. Bring your own key (BYOK)
C. Cloud provider default encryption (SSE-S3)
D. Hold your own key (HYOK)
Answer: D

HYOK keeps keys on-premises in the customer's HSM, and the cloud provider does not have access to the plaintext keys.

Why this answer

HYOK (Hold Your Own Key) allows the customer to keep keys on-premises in their own HSM, never exposing them to the cloud provider. This provides maximum control but can introduce latency.

31
Multi-Select · medium

A cloud security team is evaluating DLP techniques to protect sensitive data in a cloud data warehouse. They want to replace sensitive values with realistic but fictitious data for non-production environments while preserving referential integrity. Which TWO de-identification techniques are suitable?

Select 2 answers
A. Pseudonymization
B. Bucketing
C. Masking
D. Tokenization
E. Date shifting
Answers: A, D

Pseudonymization replaces identifiers with consistent pseudonyms, preserving relationships.

Why this answer

Tokenization replaces sensitive data with a token that can be consistent across tables, preserving referential integrity. Pseudonymization replaces identifiers with consistent pseudonyms, also preserving relationships.

32
MCQ · easy

A data governance team is developing a classification scheme for cloud-stored data. They want to label data based on sensitivity, from least to most restrictive. Which of the following is a typical classification category for highly sensitive data that could cause severe damage if disclosed?

A. Internal
B. Confidential
C. Restricted
D. Public
Answer: C

Restricted is the highest sensitivity level, e.g., trade secrets, PII with legal constraints.

Why this answer

In common classification schemes, 'Restricted' is the highest level, used for data that requires strict access control and protection.

33
MCQ · medium

A cloud security engineer needs to protect a storage bucket from accidental deletion and ransomware attacks. Which two features should be enabled together for maximum protection?

A. IAM policies and MFA delete
B. Bucket versioning and object lock
C. Cross-region replication and lifecycle policies
D. Server access logging and bucket policies
Answer: B

Versioning allows recovery of previous versions; object lock prevents deletion/overwrite during retention.

Why this answer

Versioning keeps multiple variants of an object, allowing recovery from accidental deletion or overwrite. Object lock (immutability) prevents objects from being deleted or overwritten for a specified retention period, protecting against ransomware. Combining both provides defense in depth.

34
MCQ · medium

A company is using a cloud provider's key management service (KMS) with HSM-backed keys. They want to ensure that key material is automatically replaced periodically to limit the impact of a potential key compromise. Which KMS feature should they configure?

A. Key export
B. Key revocation
C. Key policies
D. Key rotation
Answer: D

Key rotation automatically updates key material.

Why this answer

Key rotation automatically generates new key material at defined intervals, reducing the risk of key compromise.

35
MCQ · medium

A multinational corporation must ensure that customer data from the European Union is stored and processed only within EU regions to comply with GDPR. They are using a cloud provider with data centers globally. What is the primary mechanism to enforce this requirement?

A. Selecting cloud regions located within the EU for all services
B. Client-side encryption with keys stored in the EU
C. Using a VPN to route all traffic through an EU gateway
D. Configuring IAM policies to restrict access to EU-based administrators
Answer: A

Region selection ensures data is stored and processed in designated geographic areas.

Why this answer

Cloud providers allow customers to select specific geographic regions for resource deployment, ensuring data residency compliance.

36
Multi-Select · medium

A cloud security architect is designing a key management strategy for a multi-cloud environment. They want to ensure that encryption keys are generated and stored on-premises but can be used by cloud services for encryption operations. Which two key management models meet these requirements? (Choose two.)

Select 2 answers
A. Customer-Managed Encryption Key (CMEK)
B. Cloud provider default encryption
C. Hold Your Own Key (HYOK)
D. Bring Your Own Key (BYOK)
E. Client-side encryption
Answers: C, D

HYOK keeps keys on-premises and cloud services use them remotely.

Why this answer

BYOK allows generating keys on-premises and importing them into cloud KMS. HYOK keeps keys on-premises and cloud services call back to the on-premises HSM for operations. Both involve keys originating on-premises.

37
Multi-Select · medium

An organization is implementing a data loss prevention (DLP) solution to protect sensitive data in cloud storage. Which TWO of the following are capabilities of a cloud DLP service? (Select TWO.)

Select 2 answers
A. Automatic encryption key rotation
C. De-identification transforms such as masking and tokenization
D. Inspection of data for sensitive information types
E. Automated backup of sensitive data
Answers: C, D

DLP can apply transforms to obscure sensitive data.

Why this answer

Cloud DLP services can scan data for sensitive patterns (like credit card numbers) and apply de-identification transforms to redact or mask data. They do not manage encryption keys or automate backup.

38
Multi-Select · easy

A company is deploying a cloud application that processes customers' personal data. They need to ensure data in transit is protected. Which THREE of the following are appropriate controls for data in transit? (Select THREE.)

Select 3 answers
A. Establishing a VPN for hybrid connectivity
B. Setting data classification labels on the data
C. Enforcing HTTPS for web application access
D. Encrypting data at rest using AES-256
E. Using TLS 1.2 for all API communications
Answers: A, C, E

A VPN encrypts all traffic between on-premises and cloud.

Why this answer

TLS 1.2+, VPNs, and HTTPS are standard controls for encrypting data in transit. Data classification is a policy, not a technical control. Encryption at rest protects stored data, not in transit.

39
MCQ · medium

A healthcare organization stores patient records in a cloud object storage service. They require that all data be encrypted at rest using keys that they generate and manage on-premises, but they want to minimize operational overhead. Which encryption approach should they choose?

A. BYOK
B. Client-side encryption
C. Server-side encryption with CSEK
D. Server-side encryption with CMEK
Answer: C

CSEK allows the customer to supply their own key for server-side encryption, balancing control and minimal overhead.

Why this answer

CSEK (customer-supplied encryption keys) allows the customer to provide their own encryption key for each operation, giving them full control while the cloud provider handles the encryption/decryption. This minimizes overhead compared to client-side encryption.

40
MCQ · medium

An organization wants to protect its cloud storage data from ransomware attacks that might encrypt or delete objects. The security team decides to enable a feature that maintains previous versions of objects when changes are made. Which feature is being described?

A. Object versioning
B. Access control lists
C. Cross-region replication
D. Bucket locking
Answer: A

Versioning preserves previous versions, enabling recovery from ransomware.

Why this answer

Object versioning keeps multiple variants of an object, allowing restoration to a previous state if data is encrypted or deleted. Cross-region replication is for disaster recovery. Bucket locking prevents deletion but does not maintain versions. Access controls prevent unauthorized access but do not protect against authorized actions.

41
Multi-Select · hard

A global enterprise is designing a cloud storage architecture with cross-region replication for disaster recovery. They must ensure that data replicated to a secondary region is encrypted with keys managed by the customer, and that those keys are stored in the secondary region's KMS. Which THREE capabilities must be enabled?

Select 3 answers
A. Default encryption with provider keys
B. Client-side encryption before upload
C. IAM permission for the replication service to use the secondary region's key
D. Cross-region replication
E. Customer-managed encryption keys (CMEK) in the secondary region
Answers: C, D, E

The replication service must be authorized to use the CMEK key.

Why this answer

To meet the requirements, the customer must use CMEK (customer-managed keys) in the secondary region, enable cross-region replication, and ensure the replication service has permission to use the target region's key via IAM permission.

42
MCQ · medium

A cloud security team is implementing data loss prevention (DLP) for sensitive data in a cloud data warehouse. They need to detect and classify Social Security numbers (SSNs) stored in tables. Which cloud service capability is most appropriate for this task?

A. Object storage bucket policies
B. Cloud DLP API
C. Key management service
D. Identity and access management (IAM)
Answer: B

The DLP API scans for sensitive data patterns and classifies them.

Why this answer

Cloud DLP APIs can scan structured data like BigQuery tables for sensitive patterns (e.g., SSNs) and classify them.

43
MCQ · medium

A healthcare organization is storing protected health information (PHI) in a cloud object storage service. They want to ensure that if a storage bucket is accidentally made public, the data remains unreadable. Which combination of controls best addresses this risk?

A. Enable server-side encryption with AES-256 and block public access
B. Apply data classification labels and enable DLP scanning
C. Enable bucket versioning and cross-region replication
D. Use pre-signed URLs and IAM policies
Answer: A

Blocking public access is the control that stops the exposure; server-side encryption protects the stored bytes, but the service decrypts transparently for any request the bucket allows, so encryption alone does not make a mis-shared object unreadable.

Why this answer

Server-side encryption keeps PHI encrypted at rest, and blocking public access at the bucket level prevents the bucket from being made world-readable in the first place. The caveat a practitioner should know: with provider-managed keys (AES-256 in the SSE-S3 style) the service decrypts for any request the bucket's policy permits, so an anonymous reader of a public bucket would still receive plaintext. Only when objects are encrypted under a customer-managed KMS key (CMEK, SSE-KMS) does a reader additionally need decrypt permission on that key, which anonymous principals never have. The other options do not address exposure: classification labels and DLP scanning (B) find data but do not protect it, versioning and replication (C) address availability, and pre-signed URLs with IAM policies (D) are a sharing mechanism rather than a guard against misconfiguration.

44
MCQmedium

A cloud security team is implementing data loss prevention for a data lake that stores customer support logs. They need to redact credit card numbers from the logs before they are used for analytics. Which DLP de-identification technique should be applied?

A.Date shifting
B.Bucketing
C.Masking
D.Tokenization
AnswerC

Masking obscures parts of the data (e.g., 'XXXX-XXXX-XXXX-1234') and is a common redaction technique.

Why this answer

Masking replaces sensitive data with a placeholder, such as replacing credit card digits with asterisks, while preserving format for analytics. Tokenization replaces data with tokens but requires a token vault. Masking is simpler for one-way redaction.

45
Multi-Selecthard

A company uses a cloud KMS with HSM-backed keys for regulatory compliance. They need to allow a cloud service to use a key for encryption while retaining the ability to revoke access at any time. Which TWO key management models satisfy this? (Choose two.)

Select 2 answers
A.Hold your own key (HYOK)
B.Bring your own key (BYOK)
C.Customer-supplied keys (CSEK)
D.Customer-managed keys (CMEK)
E.Cloud provider-managed keys
AnswersB, D

BYOK keys are managed in cloud KMS and access can be controlled.

Why this answer

BYOK is correct because it allows the customer to import their own key material into the cloud KMS, which is backed by an HSM, and the customer retains full control over the key's lifecycle, including the ability to revoke access at any time by disabling or deleting the key. CMEK is correct because it gives the customer direct management of the key (e.g., rotation, disabling, deletion) within the cloud KMS, while the HSM provides hardware-level protection, and the customer can revoke the cloud service's access by modifying key permissions or disabling the key.

Exam trap

This exam often tests the distinction between BYOK and HYOK. Candidates assume HYOK gives the cloud service normal KMS integration, but HYOK keeps the key in the customer's own HSM, and the cloud service must call out to that HSM (through a connector or proxy) for every cryptographic operation. Revocation under HYOK is immediate, because the customer simply stops serving the key, but latency and availability then depend on the on-premises HSM.

46
MCQmedium

An organization uses a cloud DLP API to scan data in Cloud Storage and BigQuery for sensitive information. They need to replace social security numbers (SSNs) with a non-reversible token that can be used for consistent mapping without exposing the original SSN. Which de-identification technique should they use?

A.Masking
B.Date shifting
C.Tokenization
D.Pseudonymization
AnswerC

Tokenization replaces each SSN with a surrogate that cannot be turned back into the SSN by anyone who lacks the token vault or tokenization key.

Why this answer

Tokenization substitutes a token for the sensitive value. Because the same SSN always yields the same token, records can still be joined and counted on it (referential integrity), but the token itself carries nothing from which the SSN can be recovered; reversal is possible only inside the tokenization system, which holds the vault or key and stays outside the analytics environment. Masking (A) keeps part of the value and loses uniqueness, date shifting (B) applies to dates, and pseudonymization (D) is the broader category into which tokenization falls, whereas the question asks for the specific technique.

47
Multi-Selecthard

A multinational corporation must comply with data residency requirements that mandate certain data must remain within the European Union. Additionally, the company needs to ensure high availability and disaster recovery for this data. Which THREE measures should be implemented? (Select THREE.)

Select 3 answers
A.Configure cross-region replication to another EU region
B.Implement IAM policies with conditions restricting data access to EU regions
C.Use cross-region replication to a region outside the EU
D.Select cloud regions located within the EU
E.Enable public access to the bucket for all users
AnswersA, B, D

Provides DR while keeping data within EU.

Why this answer

Choosing EU regions ensures data stays within the EU. Cross-region replication within the EU provides DR. IAM policies with region conditions enforce access controls.

48
MCQmedium

A financial institution is implementing a data classification scheme for their cloud environment. They have data that, if exposed, could cause severe damage to the organization and is subject to strict regulatory requirements. Which classification level should be applied to this data?

A.Confidential
B.Restricted
C.Public
D.Internal
AnswerB

Restricted is the highest classification, used for data with severe impact if exposed.

Why this answer

Restricted data is the highest classification level, typically used for data that, if compromised, could cause severe damage and is subject to strict regulations.

49
MCQeasy

When data is in transit between an on-premises data center and a cloud service, which of the following is the minimum encryption standard recommended by security best practices?

A.IPsec with 3DES
B.TLS 1.2
C.TLS 1.0
D.SSL 3.0
AnswerB

TLS 1.2 is the minimum recommended version for secure communications.

Why this answer

TLS 1.2 or higher is the minimum standard for encrypting data in transit to protect against eavesdropping and tampering. TLS 1.0 and 1.1 are formally deprecated (RFC 8996) and SSL 3.0 is prohibited (RFC 7568); IPsec with 3DES fails on the cipher rather than the protocol, since 3DES has a 64-bit block and is deprecated by NIST. Prefer TLS 1.3 wherever both ends support it.

50
Multi-Selectmedium

A data governance officer wants to classify all data in a cloud environment using a classification scheme. They need to tag resources automatically and enforce access controls based on the tags. Which THREE steps should they take? (Choose three.)

Select 3 answers
A.Enable cross-region replication for tagged resources
B.Define classification labels (e.g., public, internal, confidential, restricted)
C.Configure signed URLs for public data
D.Use IAM conditions to restrict access based on tags
E.Automatically tag resources based on DLP scanning results
AnswersB, D, E

Labels are the basis for classification.

Why this answer

Creating tags based on classification levels, applying them automatically using DLP or policy, and using IAM conditions to enforce access based on tags are key steps.

51
MCQeasy

A small business uses a cloud provider's default server-side encryption (SSE) to encrypt data at rest in their cloud storage. They are concerned about key management overhead. Which statement best describes the key management responsibility for SSE?

A.The customer and provider share key management responsibilities.
B.Keys are not used; encryption is transparent.
C.The customer generates and manages the keys.
D.The cloud provider manages the keys entirely.
AnswerD

Default SSE is provider-managed key encryption.

Why this answer

With default SSE (e.g., SSE-S3 in AWS), the cloud provider manages the encryption keys entirely. The customer is not involved in key generation, rotation, or storage. CMEK and CSEK require customer involvement.

BYOK involves importing customer keys.

52
Multi-Selectmedium

A security analyst is reviewing a cloud storage bucket that contains archived customer records. The analyst wants to ensure that no object in the bucket can be modified or deleted for 7 years to meet regulatory retention requirements. Which TWO features should be enabled? (Select TWO.)

Select 2 answers
A.Bucket versioning
B.Bucket ACL restricting write access
C.Lifecycle policy to transition to archival storage
D.Object lock with retention period
E.Cross-region replication
AnswersA, D

Object Lock is the control that enforces the 7-year hold; versioning is its prerequisite and keeps every overwrite as a separate, locked version.

Why this answer

Object Lock with a retention period prevents any object version from being overwritten or permanently deleted until the period ends; for a regulatory hold use compliance mode, which no principal, including the account root, can shorten or remove. Versioning must be enabled first (S3 permits Object Lock only on versioned buckets), and it turns an overwrite into a new version rather than a loss. A plain delete on a locked object only adds a delete marker, which hides the object but leaves the retained version intact and restorable. An ACL restricting writes (B) can be changed by an administrator, a lifecycle transition (C) changes storage class rather than mutability, and replication (E) copies changes instead of preventing them.

53
MCQhard

A cloud architect is designing a data lifecycle policy for a SaaS application. According to the cloud data lifecycle, which phase immediately follows the 'Share' phase?

A.Store
B.Archive
C.Use
D.Destroy
AnswerB

Correct order: Create -> Store -> Use -> Share -> Archive -> Destroy.

Why this answer

The cloud data lifecycle is: Create, Store, Use, Share, Archive, Destroy. After sharing, data is typically archived for long-term retention before eventual destruction.

54
MCQmedium

A company wants to use a cloud KMS to encrypt data but requires that the encryption key never leaves their on-premises hardware security module (HSM) due to compliance. Which key management model should they adopt?

A.Customer-Managed Encryption Key (CMEK)
B.Customer-Supplied Encryption Key (CSEK)
C.Hold Your Own Key (HYOK)
D.Bring Your Own Key (BYOK)
AnswerC

HYOK keeps the key in the on-premises HSM, meeting the compliance requirement.

Why this answer

Hold Your Own Key (HYOK) allows the customer to retain the key in their on-premises HSM, and the cloud service must call back to the on-premises HSM for each encryption/decryption operation. This provides maximum control but introduces latency.

55
MCQmedium

A data lifecycle policy requires that data be destroyed after a retention period. In a cloud object storage service, what is the most secure method to ensure that data is irretrievably destroyed?

A.Use a lifecycle policy to expire objects and delete delete markers
B.Overwrite the objects with random data multiple times before deletion
C.Enable MFA delete and then delete the objects
D.Delete the objects and then delete the bucket
AnswerA

A lifecycle rule automates deletion at the end of the retention period, but in a versioned bucket it must cover noncurrent versions and delete markers, not only the current version.

Why this answer

Expiring the current version of an object in a versioned bucket only adds a delete marker; every prior version stays readable. To remove all traces, the lifecycle rule needs an expiration action for current versions, a noncurrent-version expiration that purges older versions once they become noncurrent, and expired-object-delete-marker cleanup for the markers left behind. Overwriting (B) does not work in cloud storage: the customer never controls the physical medium, the provider remaps and garbage-collects blocks, and a versioned bucket would simply keep the old version. MFA delete (C) guards against deletion rather than guaranteeing it, and a bucket cannot be deleted (D) until it is empty. Where destruction must be demonstrable, pair lifecycle deletion with cryptographic erasure: encrypt under a customer-managed key and destroy that key, or the key version, once the retention period has ended.

56
MCQmedium

A healthcare organization is migrating electronic health records to the cloud and must comply with data residency requirements that mandate all patient data remain within the European Union. The cloud provider offers multiple regions globally. Which of the following is the most appropriate action to ensure compliance?

A.Select a cloud region located in the European Union for data storage.
B.Enable cross-region replication to a secondary EU region.
C.Configure object-level access controls to restrict access to EU-based users only.
D.Apply data classification labels to all objects to indicate EU data.
AnswerA

Choosing an EU region ensures data is stored physically within the EU, meeting residency requirements.

Why this answer

Selecting a cloud region located within the EU (for example Frankfurt or Paris) physically stores data in that geography, satisfying the residency requirement; London no longer qualifies, since the United Kingdom is outside the EU. Object-level access controls manage permissions but do not affect where data sits. Data classification is a governance step but does not ensure residency.

Cross-region replication to a secondary EU region (B) is compatible with residency and useful for availability, but it presupposes the primary region choice in A rather than replacing it; replication to any non-EU region would violate the requirement.

57
MCQeasy

Which of the following is the most granular method to grant time-limited access to a specific object in a cloud storage bucket without requiring the requester to have AWS credentials?

A.Bucket ACLs
B.Bucket policies with conditions
C.IAM policies
D.Pre-signed URLs
AnswerD

Pre-signed URLs provide time-limited access to a specific object without requiring the requester to have cloud credentials.

Why this answer

Pre-signed URLs (or signed URLs) grant time-limited access to a specific object, and the requester does not need to be authenticated with cloud credentials.

58
MCQhard

A company needs to encrypt data in transit between its on-premises data center and a cloud virtual private cloud (VPC). They require a dedicated, encrypted tunnel with consistent throughput. Which solution should be used?

A.Cloud VPN (IPsec) connection
B.Client-side encryption before upload
C.TLS 1.2 for all API communication
D.Cloud KMS key for envelope encryption
AnswerA

Site-to-site VPN creates an encrypted tunnel over the internet between on-prem and cloud.

Why this answer

A site-to-site IPsec VPN provides an encrypted tunnel over the public internet between on-premises and the cloud VPC. Throughput over the internet cannot be guaranteed; where consistency matters, a dedicated circuit such as AWS Direct Connect or Azure ExpressRoute is used, with a VPN run over the circuit (or a provider encryption option) because the circuit itself is not encrypted. The question asks for the encrypted tunnel, which is what the VPN provides.

59
MCQmedium

A company uses a cloud KMS to manage encryption keys for its cloud storage buckets. The security team wants to ensure that keys are rotated automatically every 90 days and that access to keys is restricted based on user roles. Which key management feature should they configure?

A.Key versioning and deletion policies
B.Key rotation policy and IAM-based key policies
C.Key import and export policies
D.Key expiration and renewal policies
AnswerB

Key rotation policies automate rotation; IAM policies control access.

Why this answer

Key rotation policies allow automatic generation of new key material on a schedule, and IAM-based key policies restrict access to keys based on roles. Key versions manage the history of rotated keys. Key deletion is a separate operation.

Key import is for BYOK scenarios.

60
MCQhard

An organization is required to use client-side encryption for all data uploaded to a cloud storage service to ensure that the cloud provider has no access to plaintext. However, they also need to allow the cloud provider to perform server-side operations like indexing and search on the encrypted data. Which technology can address this conflict?

A.Format-preserving encryption
B.Searchable encryption
C.Tokenization
D.Homomorphic encryption
AnswerB

Correct: Searchable encryption enables server-side search on encrypted data.

Why this answer

Searchable encryption allows certain operations (e.g., keyword search) on encrypted data without decrypting it, enabling server-side processing while maintaining confidentiality. Practical schemes still leak information to the server, notably the search pattern (which queries repeat) and the access pattern (which records match), so a scheme's leakage profile should be checked against the threat model before relying on it. Homomorphic encryption (D) permits computation on ciphertext in principle but is far too slow for indexing and search at storage scale.

61
MCQhard

A company uses a cloud KMS service with an HSM backing for key storage. The security policy requires that keys be rotated automatically every 90 days and that old keys be retained for at least one year to decrypt archived data. Which key management feature should be configured to meet these requirements?

A.Key hierarchy with root key separation
B.Key versioning with rotation schedule
C.Key policy with conditions for automatic rotation
D.Key import with manual rotation
AnswerB

Key versioning allows automatic rotation and retention of old versions.

Why this answer

Key rotation schedules and key version management allow automatic rotation and retention of old key versions for decryption of older data. Rotation creates a new version and makes it the one new encryptions use; it must not destroy the previous versions, and a version should only be scheduled for destruction once everything encrypted under it has been re-encrypted or has passed its retention period, because destroying a version makes that data unrecoverable.
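The version mechanics behind questions 59 and 61, as an added example that is not code from the page and not any provider's KMS API. Each ciphertext records the key version that wrapped its data key, rotation only changes the version used for new writes, and a version can be disabled or destroyed independently of the others. The cipher inside is a stand-in (HMAC-SHA256 counter keystream plus an HMAC tag) so the file runs with the standard library; a real KMS performs AES-GCM or AES key wrap inside an HSM. Key ids, day counts and data are constructed.

```python
"""Model of a cloud KMS key with versions, scheduled rotation and envelope encryption.

Added example, not a provider's KMS. Stand-in cipher: HMAC-SHA256 counter
keystream + HMAC tag, used only so the file runs with the standard library.
"""
import hashlib
import hmac
import os
import struct


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [_prf(key, nonce + struct.pack(">I", i)) for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separately derived keys: nonce || ciphertext || tag."""
    k_enc, k_mac = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    return nonce + ct + _prf(k_mac, nonce + ct)


def _open(key: bytes, blob: bytes) -> bytes:
    k_enc, k_mac = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(k_mac, nonce + ct)):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


class KmsKey:
    """One logical key; material lives only inside its versions and never leaves."""

    def __init__(self, key_id: str, rotation_period_days: int = 90):
        self.key_id = key_id
        self.rotation_period_days = rotation_period_days
        self.versions = {}      # version number -> {"material", "state", "created"}
        self.primary = 0
        self.rotate(day=0)

    def rotate(self, day: int) -> int:
        """New version becomes primary; older versions stay enabled for decryption."""
        self.primary += 1
        self.versions[self.primary] = {"material": os.urandom(32), "state": "enabled", "created": day}
        return self.primary

    def maybe_rotate(self, day: int):
        """The scheduler's job: rotate once the primary is rotation_period_days old."""
        if day - self.versions[self.primary]["created"] >= self.rotation_period_days:
            return self.rotate(day)
        return None

    def set_state(self, version: int, state: str) -> None:
        if state not in ("enabled", "disabled", "destroyed"):
            raise ValueError(state)
        self.versions[version]["state"] = state
        if state == "destroyed":
            self.versions[version]["material"] = None   # irreversible by design

    def encrypt(self, plaintext: bytes) -> bytes:
        """Always the primary version; its number is stamped on the output."""
        return struct.pack(">I", self.primary) + _seal(self.versions[self.primary]["material"], plaintext)

    def decrypt(self, blob: bytes) -> bytes:
        """Whichever version the blob names, so old data still decrypts after rotation."""
        (version,) = struct.unpack(">I", blob[:4])
        v = self.versions.get(version)
        if v is None or v["state"] != "enabled":
            raise PermissionError(f"{self.key_id}/{version} is {v['state'] if v else 'unknown'}")
        return _open(v["material"], blob[4:])


def envelope_encrypt(kek: KmsKey, data: bytes) -> dict:
    """Storage-service pattern: a fresh data key per object, stored only in wrapped form."""
    dek = os.urandom(32)
    return {"wrapped_dek": kek.encrypt(dek), "ciphertext": _seal(dek, data)}


def envelope_decrypt(kek: KmsKey, obj: dict) -> bytes:
    return _open(kek.decrypt(obj["wrapped_dek"]), obj["ciphertext"])


def wrapping_version(obj: dict) -> int:
    """Which key version an object depends on; what a re-encryption job scans for."""
    return struct.unpack(">I", obj["wrapped_dek"][:4])[0]
```

Encrypting a record, letting the scheduler rotate at day 90 and then encrypting another shows two objects wrapped under different versions that both still decrypt; disabling version 1 makes the older object unreadable until it is re-enabled, and destroying it makes that object unrecoverable, which is the retention requirement in question 61 stated as code. A disabled version is the safe first step before destruction: if anything breaks, it can be switched back on.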

62
MCQmedium

A financial services company uses a cloud DLP API to scan data stored in Cloud Storage and BigQuery. They need to reduce the risk of exposing credit card numbers in reports by replacing the first 12 digits with asterisks while preserving the last four. Which de-identification technique should they apply?

A.Pseudonymization
B.Bucketing
C.Tokenization
D.Masking
AnswerD

Correct: Masking obscures part of the data, e.g., showing only last 4 digits.

Why this answer

Masking allows selective obfuscation of parts of a data value, such as showing only the last four digits of a credit card number.

63
Multi-Selectmedium

A cloud architect is designing a data classification strategy for a multi-cloud environment. The strategy must automatically tag resources with classification labels and enforce access controls based on those labels. Which THREE components are essential for this automated classification and enforcement?

Select 3 answers
A.IAM policies that reference classification tags
B.Tagging resources with classification labels
C.Pre-signed URLs for temporary access
D.Automated DLP scanning to identify sensitive data
E.HSM-backed key generation
AnswersA, B, D

Correct: IAM policies can conditionally allow/deny based on tags.

Why this answer

Automated DLP scanning detects and classifies data, tagging applies labels, and IAM policies enforce access based on those labels.

64
Multi-Selecthard

A financial institution is migrating to the cloud and must comply with regulations requiring that sensitive data be stored only in specific geographic regions and that access to data is logged and monitored. Which THREE controls should be implemented? (Select THREE.)

Select 3 answers
A.Enable server access logs for the storage bucket
B.Use default server-side encryption with cloud-managed keys
C.Enable cross-region replication for disaster recovery
D.Configure bucket policies to deny access from outside the allowed region
E.Implement VPC Service Controls to create a data perimeter
AnswersA, D, E

Logs provide audit trail of all access requests.

Why this answer

Residency is fixed by the region a bucket is created in and kept that way by policies that deny requests, copies and replication to other regions. Server access logging captures every request to the bucket for audit. VPC Service Controls draw a perimeter around cloud resources so data cannot be moved to resources outside it.

Cross-region replication would move data out of the allowed region unless the target is also permitted, and default encryption with cloud-managed keys addresses confidentiality at rest, which this requirement does not ask for.

65
MCQeasy

A financial services company stores customer transaction data in a cloud object storage bucket. The company requires that all data be encrypted at rest using keys that it generates and manages on-premises, with the cloud provider having no access to the keys. Which encryption approach should the company use?

A.Server-side encryption with AES-256
B.Customer-supplied encryption keys (CSEK)
C.Bring your own key (BYOK)
D.Customer-managed encryption keys (CMEK)
AnswerB

With CSEK the customer supplies the key on each request and the provider does not retain it, giving maximum control short of client-side encryption.

Why this answer

With CSEK the customer generates the key on-premises and sends it with every upload and download request; the service uses it in memory for that one operation and stores only a salted hash of the key to validate later requests, never the key itself. The caveat is that the provider does handle the key transiently, so if "no access" must be absolute rather than "not retained", only client-side encryption (data encrypted before upload) satisfies it. BYOK imports the key material into the cloud KMS, where the provider's service can use it; CMEK uses keys created inside the cloud KMS.

Server-side encryption uses provider-managed keys.

66
Multi-Selectmedium

A company stores sensitive data in cloud object storage and wants to protect against ransomware attacks that could encrypt or delete objects. Which TWO measures should they implement? (Choose two.)

Select 2 answers
A.Use cross-region replication
B.Implement immutable storage (e.g., Object Lock)
C.Configure signed URLs for access
D.Enable object versioning
E.Set short object lifetimes using lifecycle policies
AnswersB, D

Immutable storage prevents data from being altered or deleted.

Why this answer

Immutable storage (Object Lock) prevents objects from being deleted or overwritten during a specified retention period, directly thwarting ransomware that attempts to encrypt or delete data. This is a foundational defense because even if an attacker gains write access, they cannot modify or remove locked objects, preserving clean backups.

Exam trap

This exam tests whether candidates confuse availability features with immutability. Cross-region replication (A) is the trap: it faithfully copies the attacker's encrypted objects and delete markers to the replica. Versioning (D) is correct because every overwrite keeps the previous version and a delete only adds a marker, so clean data can be restored; but an attacker with permission to delete specific versions can still destroy them, which is why Object Lock (B) is the control that provides true write-once protection (and S3 requires versioning before Object Lock can be enabled).

67
MCQhard

An organization must implement encryption for data in transit between its on-premises data center and a cloud provider. The data is sensitive and the organization requires a dedicated, encrypted tunnel. Which solution should be used?

A.Client-side encryption before upload
B.TLS 1.2 for API communication
C.VPN connection
D.Cloud KMS for key exchange
AnswerC

VPN creates an encrypted tunnel over the internet for secure connectivity.

Why this answer

A VPN (Virtual Private Network) provides a dedicated, encrypted tunnel for hybrid connectivity between on-premises and cloud.

68
Multi-Selectmedium

A cloud security architect is designing access controls for a cloud storage bucket that contains sensitive customer data. The architect needs to implement a solution that provides granular, time-limited access to specific objects for external auditors. Which TWO methods should the architect consider? (Select TWO.)

Select 2 answers
A.Bucket policies
B.Signed URLs
C.IAM roles
D.Access keys
E.Pre-signed URLs
AnswersB, E

Signed URLs are similar to pre-signed URLs, providing time-limited access.

Why this answer

Pre-signed URLs (AWS terminology) and signed URLs (Google Cloud terminology) both grant time-limited access to a specific object without requiring the user to hold cloud credentials. IAM roles grant standing access to principals, and bucket policies grant access to principals or request patterns rather than to one object for a bounded time.

Access keys are long-lived credentials and should not be handed to external auditors.

69
MCQmedium

A financial services company stores customer transaction data in a cloud object storage service. The security team wants to ensure that if a malicious insider gains access to the storage bucket, they cannot read the data. Which encryption approach provides the highest level of protection against the cloud provider and insiders?

A.Client-side encryption using a customer-managed key
B.Server-side encryption with AES-256 (SSE-S3)
C.Server-side encryption with customer-provided keys (SSE-C)
D.Transport Layer Security (TLS) for data in transit
AnswerA

Client-side encryption ensures data is encrypted before upload; the cloud never sees plaintext, and keys are managed by the customer.

Why this answer

Client-side encryption means data is encrypted before it is uploaded to the cloud. The cloud provider never has access to the encryption keys, and data remains encrypted at rest and in transit (if TLS is also used). This protects against both the cloud provider and insiders with administrative access to the storage service. SSE-C (option C) comes close, but the service still receives the key with each request and decrypts on the provider's side, so a privileged insider could observe plaintext during that operation; client-side encryption never gives the service a decryptable copy.

70
MCQmedium

An organization wants to share a large file from a cloud storage bucket with an external partner for a limited time. They need to ensure that the partner can only access the specific file and that the access expires automatically. Which method should they use?

A.Make the bucket public
B.Create a new IAM user for the partner and attach a policy to the bucket
C.Use cross-region replication
D.Use a pre-signed URL
AnswerD

Pre-signed URLs provide temporary, object-specific access.

Why this answer

Pre-signed URLs (or signed URLs) grant time-limited access to a specific object. The URL contains the signing identity, a timestamp, an expiry and a signature over all of them, so the partner can download the object without AWS credentials. Treat the URL as a bearer credential: anyone who obtains it can use it until it expires, so send it over a protected channel and keep the expiry short. Two further caveats: a URL signed with temporary credentials stops working when those credentials expire, whatever its own expiry says, and access can be cut off early by removing the signing identity's permission on the object, because permissions are evaluated at request time.
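What the URL in questions 57, 68 and 70 actually contains, and how the service checks it, as an added example that is not code from the page and not AWS's own library. It reimplements the published AWS Signature Version 4 query-parameter layout for an S3 GET with the standard library, and then plays the server's role: parse, enforce the expiry window, recompute the signature and compare. Bucket, key, region and clock are constructed; the access key and secret are the placeholder pair AWS uses in its documentation.

```python
"""SigV4 query-string presigning for an S3 GET, plus the server-side verifier.

Added example, not AWS code. Credentials below are documentation placeholders.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlparse

ALGO = "AWS4-HMAC-SHA256"
MAX_EXPIRES = 7 * 24 * 3600   # S3 refuses X-Amz-Expires above seven days
SAMPLE_NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_CREDS = {"AKIAIOSFODNN7EXAMPLE": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    # Derivation chain: the long-lived secret never signs a request directly,
    # and the derived key is only good for one day, region and service.
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _canonical_query(params: dict) -> str:
    # RFC 3986 encoding (only A-Za-z0-9 - _ . ~ left bare), sorted by name.
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _signature(secret, host, path, params, date, region, amz_date) -> str:
    canonical_request = "\n".join([
        "GET",
        quote(path, safe="/-_.~"),
        _canonical_query(params),
        f"host:{host}\n",       # canonical headers, each terminated by a newline
        "host",                 # signed headers: only Host is bound into the URL
        "UNSIGNED-PAYLOAD",     # a GET has no body to bind
    ])
    scope = f"{date}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(
        [ALGO, amz_date, scope, hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(_signing_key(secret, date, region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket, key, access_key, secret, region, now, expires_s) -> str:
    """Return a URL allowing GET on one object until now + expires_s."""
    if not 1 <= expires_s <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires must be between 1 second and 7 days")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + key
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    params = {
        "X-Amz-Algorithm": ALGO,
        "X-Amz-Credential": f"{access_key}/{date}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_s),
        "X-Amz-SignedHeaders": "host",
    }
    # The signature covers everything above and is appended afterwards.
    params["X-Amz-Signature"] = _signature(secret, host, path, params, date, region, amz_date)
    return f"https://{host}{quote(path, safe='/-_.~')}?{_canonical_query(params)}"


def verify_get(url, secret_lookup, now):
    """The service's side: returns (accepted, reason) for a presented URL."""
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}
    try:
        presented = q.pop("X-Amz-Signature")
        access_key, date, region, service, term = q["X-Amz-Credential"].split("/")
        amz_date, expires = q["X-Amz-Date"], int(q["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False, "malformed"
    if (q.get("X-Amz-Algorithm") != ALGO or service != "s3" or term != "aws4_request"
            or date != amz_date[:8] or not 1 <= expires <= MAX_EXPIRES):
        return False, "unsupported"
    signed_at = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if now > signed_at + timedelta(seconds=expires):
        return False, "expired"            # decided before any signature work
    secret = secret_lookup.get(access_key)
    if secret is None:
        return False, "unknown access key"
    expected = _signature(secret, u.hostname, unquote(u.path), q, date, region, amz_date)
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"      # any edit to key, expiry or date lands here
    return True, "ok"
```

Because the expiry is one of the signed query parameters, stretching `X-Amz-Expires` in the URL invalidates the signature rather than extending access, and rotating the secret behind the access key invalidates every URL it signed; both show up as "bad signature" in the verifier.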

71
Multi-Selectmedium

A cloud security architect is designing a data loss prevention (DLP) strategy for a cloud environment that stores sensitive customer data. Which TWO techniques should be implemented to proactively identify and protect sensitive data? (Select TWO.)

Select 2 answers
A.Cross-region replication
B.De-identification transforms
C.Automated DLP scanning for sensitive data
D.Bucket policies blocking all public access
E.Enabling object versioning
AnswersB, C

Transforms protect sensitive data by anonymizing it.

Why this answer

Automated DLP scanning can discover sensitive data, and de-identification transforms can protect data by masking or tokenizing sensitive elements.

72
MCQhard

A multinational corporation is migrating its data to the cloud and needs to ensure that data belonging to EU residents never leaves the EU region due to GDPR data sovereignty requirements. Additionally, the company wants to prevent accidental deletion and protect against ransomware. Which combination of cloud storage features should be implemented to meet these requirements?

A.IAM policies and access logs
B.Cross-region replication and object lock
C.Bucket policy restricting to EU regions and versioning
D.Client-side encryption and signed URLs
AnswerC

Bucket policy enforces region restriction; versioning allows recovery from accidental deletes and ransomware.

Why this answer

A bucket is created in one region, which is where its data physically sits; a bucket policy (together with organization-level policy) then denies requests that would copy or replicate objects to non-EU regions, so residency holds over time. Enabling versioning keeps every previous object version and turns a delete into a delete marker, so accidentally deleted or ransomware-encrypted objects can be restored from their prior versions. Object lock (B) would also help against ransomware, but pairing it with cross-region replication to an unspecified region puts residency at risk; IAM policies with access logs (A) and client-side encryption with signed URLs (D) address neither residency nor recovery.

73
MCQmedium

A cloud security engineer needs to de-identify a dataset containing credit card numbers before sharing it with a third-party analytics team. The engineer wants to replace each credit card number with a unique token that can be used for correlation but cannot be reversed to obtain the original number. Which de-identification technique should be used?

A.Tokenization
B.Pseudonymisation
C.Masking
D.Bucketing
AnswerA

Tokenization substitutes a surrogate value that the third party cannot reverse.

Why this answer

Tokenization replaces each card number with a token; the same input always produces the same token, so the analytics team can correlate records, while reversing a token requires the token vault or tokenization key, which stays with the data owner and is never shared. Masking keeps part of the value and loses uniqueness, bucketing replaces values with ranges, and pseudonymisation is the general category rather than the specific technique asked for.

74
MCQeasy

A company wants to enforce data classification in its cloud environment. They need to automatically identify and label sensitive data such as credit card numbers in cloud storage. Which service should they use?

A.Cloud KMS
B.Cloud DLP
C.Cloud Audit Logs
D.Cloud IAM
AnswerB

Cloud DLP is designed to discover, classify, and protect sensitive data in cloud storage.

Why this answer

Cloud DLP (Data Loss Prevention) can scan cloud storage for sensitive data like credit card numbers and apply classification labels or de-identification transforms.
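The mechanics behind questions 42, 44, 46, 62, 73 and 74 in one place, as an added example that is not code from the page and not the Cloud DLP API: detect card numbers and SSNs by pattern plus checksum, derive a classification label, then either mask (keep the last four digits) or tokenize (deterministic keyed hash, so equal inputs give equal tokens and nothing reverses without the key). The log lines, the classification scheme and the tokenization key are constructed.

```python
"""Detect credit card numbers and SSNs in text, classify it, then mask or tokenize.

Added example, not the Cloud DLP API. Sample lines and key are constructed.
"""
import hashlib
import hmac
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")      # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

SAMPLE_LOG = [   # constructed; 4111... is a standard test PAN, the SSN is a made-up value
    "2024-01-15T12:00:01Z order=1234567890123 card=4111 1111 1111 1111 status=ok",
    "2024-01-15T12:00:02Z ssn=078-05-1120 note=callback requested",
    "2024-01-15T12:00:03Z ref=1234 5678 9012 3456 status=ok",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops order ids and references that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_findings(text: str):
    """Return (info_type, matched_text, start, end) for each likely PAN or SSN."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(("CREDIT_CARD_NUMBER", m.group(), m.start(), m.end()))
    for m in SSN_RE.finditer(text):
        findings.append(("US_SOCIAL_SECURITY_NUMBER", m.group(), m.start(), m.end()))
    return sorted(findings, key=lambda f: f[2])


def mask(value: str, keep_last: int = 4, char: str = "*") -> str:
    """One-way masking: hide every digit except the last keep_last, keep separators."""
    to_mask = sum(c.isdigit() for c in value) - keep_last
    out = []
    for c in value:
        if c.isdigit() and to_mask > 0:
            out.append(char)
            to_mask -= 1
        else:
            out.append(c)
    return "".join(out)


def tokenize(value: str, key: bytes, prefix: str = "tok_") -> str:
    """Deterministic keyed tokenization (HMAC-SHA256, truncated).

    Same value + same key -> same token, so records still join on it. Without
    the key a token cannot be reversed or confirmed by guessing; the key plays
    the role of the token vault and must stay out of the analytics environment."""
    return prefix + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def classify(text: str) -> str:
    """Map findings to a label from a public/internal/confidential/restricted scheme."""
    return "restricted" if find_findings(text) else "internal"


def deidentify(text: str, key: bytes, mode: str = "mask") -> str:
    """Replace findings right-to-left so earlier offsets stay valid after each edit."""
    out = text
    for _info_type, match, start, end in reversed(find_findings(text)):
        if mode == "mask":
            rep = mask(match)
        else:   # normalise separators first so "4111-..." and "4111 ..." share a token
            rep = tokenize(re.sub(r"[ -]", "", match), key)
        out = out[:start] + rep + out[end:]
    return out
```

Run over the sample lines, the first yields one card finding (the 13-digit order number fails Luhn), the second an SSN, and the third nothing, because the evenly spaced 16 digits do not pass the checksum; masking then leaves `**** **** **** 1111` in place for reporting, while tokenizing gives a stable surrogate usable for joins. Real DLP services add context words, likelihood scores and far more info types, but the pipeline shape is the same.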

75
MCQmedium

A cloud storage bucket is configured with versioning enabled. A ransomware attack encrypts all objects in the bucket. How can the organization recover the original data?

A.Use the cloud provider's backup service to restore the bucket
B.Replicate data from the cross-region replica
C.Use the cloud provider's ransomware recovery service
D.Restore from previous versions of the objects
AnswerD

Versioning allows retrieval of previous, unencrypted versions, effectively recovering the data.

Why this answer

Versioning preserves every prior version of an object, so the team can list versions, identify the last one written before the attack, and make it current again (for example by copying it over the encrypted version). This works only if the prior versions still exist: an attacker who also held permission to delete specific versions could have removed them, which is the gap Object Lock or MFA delete closes. A cross-region replica (B) would normally have received the encrypted writes as well, and the backup and "ransomware recovery" services (A, C) are not implied by the scenario.
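The recovery and retention behaviour that questions 52, 55, 66 and 75 depend on, as an added example that is not code from the page and not boto3: an in-memory model of S3-style versioning, delete markers, Object Lock retention and lifecycle purging, so the semantics can be exercised offline before being relied on. Keys, contents and the tick clock are constructed; in production the same steps are `list_object_versions`, `copy_object` and lifecycle rules against a real bucket.

```python
"""In-memory model of S3-style versioning, delete markers and Object Lock.

Added example, not boto3 and not the page's code. Everything here is constructed.
"""
from dataclasses import dataclass
from itertools import count
from typing import Optional


class Locked(Exception):
    """Raised when a retained version would be permanently deleted."""


@dataclass
class Version:
    version_id: str
    body: Optional[bytes]          # None marks a delete marker
    written_at: int                # clock tick of the write
    retain_until: Optional[int]    # Object Lock retention (compliance mode)

    @property
    def is_delete_marker(self) -> bool:
        return self.body is None


class VersionedBucket:
    def __init__(self, default_retention: Optional[int] = None):
        self.versions = {}         # key -> [oldest ... newest]
        self.default_retention = default_retention
        self._ids = count(1)
        self.clock = 0

    def tick(self) -> int:
        self.clock += 1
        return self.clock

    def put(self, key: str, body: bytes) -> str:
        """Every write is a new version; an overwrite never destroys the old one."""
        t = self.tick()
        lock = None if self.default_retention is None else t + self.default_retention
        v = Version(f"v{next(self._ids)}", body, t, lock)
        self.versions.setdefault(key, []).append(v)
        return v.version_id

    def get(self, key: str, version_id: Optional[str] = None) -> Optional[bytes]:
        vs = self.versions.get(key, [])
        if version_id is None:     # a current delete marker hides the object
            return None if not vs or vs[-1].is_delete_marker else vs[-1].body
        return next((v.body for v in vs if v.version_id == version_id), None)

    def delete(self, key: str, version_id: Optional[str] = None) -> None:
        """A simple DELETE only adds a marker; DELETE with a version id is permanent
        and is the call Object Lock refuses while retention lasts."""
        vs = self.versions.setdefault(key, [])
        if version_id is None:
            vs.append(Version(f"v{next(self._ids)}", None, self.tick(), None))
            return
        for i, v in enumerate(vs):
            if v.version_id == version_id:
                if v.retain_until is not None and self.clock < v.retain_until:
                    raise Locked(f"{key}/{version_id} retained until tick {v.retain_until}")
                del vs[i]
                return
        raise KeyError(version_id)

    def restore_before(self, key: str, attack_at: int) -> Optional[str]:
        """Recovery: re-put the last clean version written before the attack, which
        makes it current again while leaving the attacker's versions as evidence."""
        for v in reversed(self.versions.get(key, [])):
            if v.written_at < attack_at and not v.is_delete_marker:
                return self.put(key, v.body)
        return None

    def purge(self, key: str) -> bool:
        """End state of a lifecycle rule expiring current versions, noncurrent versions
        and expired delete markers. True when nothing is left; locked versions stay."""
        kept = [v for v in self.versions.get(key, [])
                if v.retain_until is not None and self.clock < v.retain_until]
        self.versions[key] = kept
        return not kept


def ransomware_drill():
    """Attacker overwrites then deletes; versioning keeps the clean copy."""
    b = VersionedBucket()
    b.put("records/2023.csv", b"clean")
    attack_at = b.clock + 1
    b.put("records/2023.csv", b"ENCRYPTED BY ATTACKER")
    b.delete("records/2023.csv")
    hidden = b.get("records/2023.csv")            # None: a plain GET sees nothing
    b.restore_before("records/2023.csv", attack_at)
    return hidden, b.get("records/2023.csv")


def retention_drill():
    """Seven ticks of retention stand in for a seven-year regulatory hold."""
    b = VersionedBucket(default_retention=7)
    vid = b.put("archive/2017.pdf", b"%PDF")
    try:
        b.delete("archive/2017.pdf", vid)
        blocked = False
    except Locked:
        blocked = True
    b.delete("archive/2017.pdf")                  # marker only; the version survives
    early = b.purge("archive/2017.pdf")           # lifecycle cannot beat the lock
    while b.clock < 8:
        b.tick()
    return blocked, b.get("archive/2017.pdf", vid), early, b.purge("archive/2017.pdf")
```

The ransomware drill ends with the clean body current again and the attacker's version still listed for forensics; the retention drill shows the three things the questions turn on: a version-specific delete is refused while the lock holds, a plain delete still succeeds but only hides the object, and the lifecycle purge removes everything only once retention has expired. The model deliberately omits one real-world gap: a principal with permission to delete versions in an unlocked bucket would succeed where `Locked` is raised here.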
