CCNA Ccsp Data Security Questions

26 of 101 questions · Page 2/2 · Ccsp Data Security topic · Answers revealed

76
MCQ · hard

A company is implementing a data loss prevention (DLP) strategy for cloud storage. They need to detect and mask credit card numbers in documents stored in a cloud storage bucket. The DLP service provides de-identification transforms including masking, tokenization, and pseudonymization. Which transform should the company use to irreversibly replace the credit card numbers with a placeholder while maintaining the original format for analytics?

A. Pseudonymisation
B. Bucketing
C. Masking
D. Tokenization
Answer: C

Masking irreversibly obscures data while preserving format.

Why this answer

Masking replaces sensitive data with a masked version, such as showing only the last four digits, preserving format for analytics. Tokenization substitutes with a token that requires a mapping table. Pseudonymization replaces with a consistent pseudonym that can be reversed.

Bucketing groups values into ranges.

77
MCQ · easy

Which of the following is the primary benefit of using client-side encryption for data stored in the cloud?

A. Automatic key rotation
B. Maximum control over encryption keys
C. Simplified key management
D. Reduced latency for data access
Answer: B

Cloud provider never has access to keys or data.

Why this answer

Client-side encryption ensures that the cloud provider never has access to the encryption keys or the plaintext data, giving the customer maximum control.

78
Multi-Select · hard

A company is implementing a DLP strategy to protect PII in cloud storage. They need to discover sensitive data and then apply de-identification transforms. Which THREE de-identification transforms are appropriate for anonymizing PII while maintaining data utility for analytics? (Select THREE.)

Select 3 answers
A. Encryption
B. Bucketing
C. Pseudonymisation
D. Tokenization
E. Masking
Answers: C, D, E

Pseudonymisation replaces with consistent pseudonyms.

Why this answer

Masking, tokenization, and pseudonymisation are de-identification transforms that protect PII while preserving some utility. Masking obscures parts of data (e.g., showing only last four digits). Tokenization replaces with tokens that can be mapped back.

Pseudonymisation replaces values with consistent pseudonyms that are reversible with additional data. Bucketing groups values into ranges, which can be useful but may reduce utility. Encryption is not considered a de-identification transform in the DLP context.

79
MCQ · easy

An organization is moving sensitive customer data to the cloud and must ensure that data is encrypted before being sent to the cloud provider. They want to maintain full control over the encryption keys and not rely on the cloud provider for any key management. Which approach should they use?

A. VPN encryption
B. Server-side encryption with AWS KMS
C. Transparent Data Encryption (TDE)
D. Client-side encryption
Answer: D

Client-side encryption encrypts data before upload, giving the customer full control.

Why this answer

Client-side encryption involves encrypting data on-premises or on the client side before uploading to the cloud. The keys are controlled entirely by the customer, and the cloud provider never has access to the plaintext or keys.

80
Multi-Select · medium

A security architect is designing a key management strategy for a cloud environment. They need to ensure that keys are rotated automatically and that the cloud service cannot access the key without explicit authorization. Which TWO options should they consider? (Choose two.)

Select 2 answers
A. Customer-supplied keys (CSEK) for each operation
B. Bring your own key (BYOK) with rotation configured in cloud KMS
C. Default server-side encryption using provider-managed keys
D. Customer-managed keys (CMEK) with automatic rotation in cloud KMS
E. Hold your own key (HYOK) with on-premises HSM
Answers: B, D

BYOK allows importing keys and managing rotation in cloud KMS.

Why this answer

Customer-managed keys (CMEK) allow the customer to control key lifecycle in cloud KMS, and BYOK enables importing keys from on-premises while still using cloud KMS for rotation.

81
MCQ · medium

A healthcare organization stores patient records in a cloud object storage bucket. The compliance team requires that all files containing Protected Health Information (PHI) be automatically identified and classified. Which service should the organization implement to scan the bucket for PHI and label the data accordingly?

A. Cloud Audit Logs
B. Cloud KMS
C. Cloud DLP API
D. Identity and Access Management (IAM)
Answer: C

Cloud DLP API can discover and classify sensitive data such as PHI.

Why this answer

Cloud DLP (Data Loss Prevention) APIs can scan cloud storage for sensitive data like PHI and perform classification and labeling.

82
MCQ · medium

A financial services company must comply with a regulation that requires encryption keys used for cloud services to be generated and stored on-premises in a Hardware Security Module (HSM). The cloud provider must not have any access to the keys. Which key management approach should the company adopt?

A. Cloud KMS with HSM-backed keys
B. Customer-Managed Encryption Keys (CMEK)
C. Bring Your Own Key (BYOK)
D. Hold Your Own Key (HYOK)
Answer: D

HYOK keeps the key on-premises at all times.

Why this answer

Hold Your Own Key (HYOK) ensures the key never leaves the on-premises HSM, providing the highest level of control and preventing cloud provider access.

83
Multi-Select · easy

A cloud storage administrator wants to ensure that only authorized users can access objects in a bucket, and they need to provide time-limited access to a specific object for an external partner. Which TWO access control methods should they use? (Choose two.)

Select 2 answers
A. Cross-region replication
B. Bucket versioning
C. Pre-signed URLs for the object
D. Object ACLs with public read access
E. Bucket policies using IAM
Answers: C, E

Pre-signed URLs provide temporary, specific access.

Why this answer

Pre-signed URLs (Option C) are the correct method for granting time-limited access to a specific object for an external partner because they embed authentication credentials (e.g., AWS Signature Version 4) directly into the URL, allowing temporary access without requiring the partner to have AWS credentials or IAM permissions. This mechanism enforces a configurable expiration time, ensuring access is revoked automatically after the specified period.

Exam trap

The trap here is that candidates often confuse bucket policies (Option E) with pre-signed URLs, but bucket policies are used for broad, persistent access control across the entire bucket, not for time-limited, object-specific access to an external partner without IAM credentials.

84
MCQ · easy

A cloud security analyst is reviewing access logs and notices that a pre-signed URL for an object was used after its expiration time. What should be the outcome of such an access attempt?

A. The request is redirected to a new URL automatically
B. The request is allowed because the URL was generated with valid credentials
C. The request is denied with an access denied error
D. The request is logged but still granted
Answer: C

Correct: Expired pre-signed URLs return 403 Forbidden.

Why this answer

Pre-signed URLs are time-limited; once expired, the URL is invalid and access is denied.

85
MCQ · hard

A multinational corporation must comply with GDPR and local data residency laws. They are designing a cloud storage architecture that will store customer data in the EU region. However, to improve disaster recovery, they want to replicate data to a secondary region outside the EU. Which approach meets compliance requirements?

A. Use cross-region replication to a non-EU region but apply client-side encryption before upload
B. Use same-region replication within the EU and disable cross-region replication
C. Use cross-region replication to a US region and encrypt data with SSE-S3
D. Use cross-region replication to a non-EU region and rely on a Data Processing Agreement (DPA)
Answer: B

Same-region replication keeps data within the EU, complying with data residency requirements.

Why this answer

To comply with data residency laws, data must stay within the EU. Replicating to a non-EU region violates GDPR. Instead, they should replicate to another EU region or use encryption with customer-managed keys and ensure the key is stored in the EU.

86
MCQ · easy

Which data classification level typically includes information that, if disclosed, could cause serious damage to an organization, such as trade secrets or personally identifiable information (PII)?

A. Internal
B. Confidential
C. Restricted
D. Public
Answer: C

Restricted is the highest classification level, reserved for the most sensitive data.

Why this answer

Restricted data is the highest classification level, covering data that could cause severe damage if disclosed.

87
MCQ · medium

A company uses a cloud object storage service to host a public website. The website content is static and needs to be accessible to anyone on the internet, but the company wants to prevent direct listing of the bucket contents. Which combination of access controls should be configured?

A. IAM policies granting public access to the bucket
B. Enable versioning and cross-region replication
C. Bucket ACLs set to public and block public access disabled
D. Block public access to the bucket and use pre-signed URLs for objects
Answer: D

Prevents listing and provides controlled access.

Why this answer

Blocking public access to the bucket while allowing access via signed URLs provides time-limited access to specific objects without exposing the entire bucket.

88
MCQ · medium

A company has enabled object versioning on its cloud storage bucket to protect against accidental deletion. A ransomware attack encrypts all objects and creates new versions. To recover the data, the company needs to restore the previous unencrypted versions. What is the most efficient recovery method?

A. Delete the current versions or use the previous versions directly
B. Use the object lifecycle policy to delete current versions
C. Request the cloud provider to restore from their backups
D. Restore from a backup stored in a different region
Answer: A

Versioning allows direct access to previous unencrypted versions.

Why this answer

Since versioning is enabled, the company can delete the current (encrypted) versions or use the previous versions directly, effectively reverting to the state before the attack.

89
MCQ · easy

A healthcare organization is storing patient records in a cloud object storage service. They must encrypt data at rest with keys they control and rotate regularly, but they do not want to manage the encryption process themselves. Which encryption option should they use?

A. Server-side encryption with cloud provider default keys
B. Customer-managed encryption keys (CMEK)
C. Customer-supplied encryption keys (CSEK)
D. Client-side encryption
Answer: B

Correct: customer creates keys in KMS, authorizes cloud service, and retains control.

Why this answer

CMEK allows the customer to create and manage keys in the cloud KMS, while the cloud service performs encryption/decryption using those keys, providing control without operational burden.

90
MCQ · hard

An organization uses a cloud-based data analytics platform with data stored in a data warehouse. The security team discovers that some tables contain unencrypted personally identifiable information (PII). They need to automatically scan the data warehouse for PII and apply pseudonymization to protect sensitive columns. Which cloud service should be used?

A. Cloud Storage bucket policies
B. Cloud Access Security Broker (CASB)
C. Cloud Data Loss Prevention (DLP) API
D. Cloud Key Management Service (KMS)
Answer: C

DLP API provides scanning and de-identification transforms for sensitive data.

Why this answer

Cloud DLP (Data Loss Prevention) APIs can scan data stores like BigQuery for sensitive data types (PII, credit card numbers, etc.) and apply de-identification transforms such as pseudonymization, masking, tokenization, etc. This is the intended service for automated discovery and protection.

91
MCQ · hard

A company uses a cloud key management service (KMS) with an HSM-backed key for encrypting sensitive data. They want to ensure that the key is automatically rotated every 90 days and that older key versions are retained for decryption of previously encrypted data. Which KMS feature should be configured?

A. Automatic key rotation with version retention
B. Key aliasing
C. Key destruction schedule
D. Key revocation policy
Answer: A

Automatic rotation creates new key versions; old versions are retained for decryption.

Why this answer

Key rotation in cloud KMS (e.g., AWS KMS, Azure Key Vault, GCP Cloud KMS) can be set to automatic rotation with a specified period. Old key versions are retained so that data encrypted with older keys can still be decrypted. The key material changes, but the key ID remains the same.

92
Multi-Select · easy

A cloud security team needs to ensure that all data in transit between on-premises systems and the cloud is encrypted. Which TWO options should they consider? (Choose two.)

Select 2 answers
A. Set up a VPN between on-premises and cloud
B. Use signed URLs for access
C. Enable bucket versioning
D. Enable server-side encryption with CMEK
E. Use TLS 1.2+ for all API calls
Answers: A, E

VPN encrypts all traffic between networks.

Why this answer

TLS 1.2+ encrypts API communications, and VPN establishes an encrypted tunnel for hybrid connectivity. Both protect data in transit.

93
MCQ · hard

A cloud security architect is designing a key management strategy for a hybrid cloud environment. The organization requires that encryption keys never leave their on-premises hardware security module (HSM) due to strict regulatory mandates, yet cloud services must be able to perform encryption operations on data at rest. Which key management approach meets these requirements?

A. Customer-managed encryption keys (CMEK)
B. Hold Your Own Key (HYOK)
C. Cloud provider default encryption
D. Bring Your Own Key (BYOK)
Answer: B

Correct: HYOK keeps the key in the customer's HSM; cloud service calls back to on-prem for crypto operations.

Why this answer

HYOK (Hold Your Own Key) keeps the key in the customer's on-prem HSM; the cloud service sends data to be encrypted/decrypted on-prem, which can introduce latency but satisfies key location constraints.

94
Multi-Select · medium

An organization is designing a data residency strategy for compliance with data sovereignty laws. They must ensure that customer data remains within specific geographic boundaries. Which three measures should they implement? (Choose three.)

Select 3 answers
A. Use pre-signed URLs for all access
B. Use IAM policies to restrict API calls to specific regions
C. Configure bucket policies to deny storage outside allowed regions
D. Enable cross-region replication for disaster recovery
E. Select cloud regions within the required geographic area
Answers: B, C, E

IAM conditions can limit operations to allowed regions.

Why this answer

To enforce data residency, organizations should choose cloud regions in the required geography, configure bucket policies to restrict storage location, and use IAM policies to limit access from other regions. Cross-region replication would violate data residency.

95
Multi-Select · medium

A cloud security architect is designing a key management strategy to meet regulatory requirements for key separation and tamper evidence. Which TWO of the following are benefits of using hardware security modules (HSMs) backing a cloud KMS? (Select TWO.)

Select 2 answers
A. Compliance with FIPS 140-2 Level 3 or higher
B. Eliminates the need for customer-managed keys
C. Reduced latency for encryption operations
D. Automatic key rotation without customer intervention
E. Tamper-resistant key storage that prevents key extraction
Answers: A, E

HSMs can meet higher FIPS security levels, aiding regulatory compliance.

Why this answer

HSMs provide tamper-resistant hardware for key generation and storage, ensuring keys are protected against physical tampering. They also provide a root of trust for key management.

96
MCQ · medium

A data classification scheme for a cloud environment defines labels such as Public, Internal, Confidential, and Restricted. Which label should be applied to data that, if disclosed, would cause severe damage to the organization and is subject to regulatory fines?

A. Restricted
B. Public
C. Confidential
D. Internal
Answer: A

Restricted data is the most sensitive; disclosure causes severe damage and regulatory penalties.

Why this answer

Restricted is the highest classification level, used for data that would cause severe damage if disclosed and is subject to strict regulatory controls.

97
MCQ · medium

A security architect is designing a multi-cloud data protection strategy. They need to give a third-party auditor time-limited, read-only access to a specific file in a cloud storage bucket. Which access control method is most appropriate?

A. Cloud VPN connection for the auditor
B. Bucket ACL granting read access to the auditor's cloud account
C. IAM policy granting read access to the auditor's user
D. Pre-signed URL with an expiration time
Answer: D

Pre-signed URLs provide time-limited, object-specific access without requiring the user to have cloud credentials.

Why this answer

Pre-signed URLs (or signed URLs) grant temporary access to a specific object without requiring the auditor to have cloud credentials. They can be configured with expiration times and permissions (e.g., read-only).

98
MCQ · medium

A cloud architect is designing a data classification scheme for a SaaS provider. The provider handles customer data that includes public marketing materials, internal policies, and sensitive customer financial records. Which classification level should be assigned to customer financial records to enforce the highest level of protection?

A. Internal
B. Public
C. Restricted
D. Confidential
Answer: C

Restricted is the highest classification, suitable for financial records.

Why this answer

Restricted is the highest classification level, typically used for data that requires the most stringent controls, such as financial records or PII. Public is the least sensitive; Internal is for company-internal data; Confidential is for sensitive but not critical data.

99
MCQ · easy

An organization uses cloud storage and wants to protect against accidental deletion of objects. They also want to be able to recover previous versions of objects in case of unintended modifications. Which feature should they enable?

A. Bucket policies
B. Access logs
C. Versioning
D. Server-side encryption
Answer: C

Versioning retains all object versions for recovery.

Why this answer

Versioning in cloud storage preserves every version of an object, allowing recovery from accidental deletions or overwrites.

100
MCQ · easy

A company is moving its data to the cloud and must ensure that all data at rest is encrypted using keys that are generated and managed on-premises, with the cloud provider having no access to the keys. Which encryption method should be used?

A. Bring Your Own Key (BYOK)
B. Customer-Managed Encryption Keys (CMEK)
C. AES-256 Server-Side Encryption
D. Customer-Supplied Encryption Keys (CSEK)
Answer: D

CSEK involves the customer supplying their own keys, and the cloud provider does not have access to them.

Why this answer

Customer-supplied encryption keys (CSEK) allow the customer to generate and manage keys outside the cloud, giving the maximum control and ensuring the cloud provider cannot access the keys.

101
MCQ · medium

A cloud security engineer is configuring a Data Loss Prevention (DLP) API to scan a cloud storage bucket for personally identifiable information (PII). Which of the following is a de-identification technique that replaces sensitive values with a token that can be mapped back to the original data using a secure lookup table?

A. Tokenization
B. Pseudonymization
C. Bucketing
D. Masking
Answer: A

Tokenization replaces original data with a token that can be mapped back using a secure token vault.

Why this answer

Tokenization replaces sensitive data with a token that can be reversed via a lookup table, preserving referential integrity while protecting the original data.
