CCSP · topic practice

Cloud Application Security practice questions

Practise Certified Cloud Security Professional CCSP Cloud Application Security practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Cloud Application Security

What the exam tests

What to know about Cloud Application Security

Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

  • IaaS, PaaS and SaaS responsibilities and examples.
  • Public, private, hybrid and community cloud deployment models.
  • On-premises vs cloud trade-offs: cost, control, scalability.
  • How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.

Watch out for

Common Cloud Application Security exam traps

  • IaaS gives you infrastructure control; SaaS gives you only the application.
  • Hybrid cloud combines on-premises and public cloud — not two public clouds.
  • Cloud does not automatically mean cheaper or more secure.
  • Management responsibility shifts with each service model (IaaS → PaaS → SaaS).

Practice set

Cloud Application Security questions

20 questions · select your answer, then reveal the explanation

A company is migrating a legacy application to the cloud. The application uses hardcoded database credentials. Which secure development practice should be implemented to address this?

Question 2 · medium · multiple choice

A security architect is designing a CI/CD pipeline for a cloud-native application. The team wants to automatically scan container images for vulnerabilities before deployment. Which of the following is the most effective approach?

A SaaS provider uses a customer-managed encryption key (CMEK) model for data-at-rest. The provider's application runs in a multi-tenant cloud environment. Which attack surface is MOST directly mitigated by this approach?

An organization is developing a mobile app that communicates with a cloud API. To ensure secure authentication, which of the following should be used?

A cloud security team is implementing a Web Application Firewall (WAF) for a public-facing web application. The application uses a REST API with JSON payloads. Which of the following is the WAF's primary benefit?

A company deploys microservices in Kubernetes. Each service communicates via gRPC with mutual TLS. A security assessment reveals that some services use self-signed certificates. What is the primary risk?

A developer is tasked with securely storing a session token in a browser-based web application. Which storage mechanism is most secure?

A cloud application uses a third-party identity provider (IdP) for SSO. The security team notices that tokens are being reused across different applications. Which token binding mechanism should be implemented?

A company is implementing a serverless application using AWS Lambda. The function processes S3 events and writes to a DynamoDB table. Which of the following is the MOST secure way to grant the necessary permissions?

Which TWO of the following are common best practices for securing cloud application APIs? (Choose two.)

Which THREE of the following are essential components of a Secure Software Development Lifecycle (SSDLC) in the cloud? (Choose three.)

Which TWO of the following are effective methods to protect against server-side request forgery (SSRF) in a cloud application? (Choose two.)

Refer to the exhibit. A security administrator is reviewing an S3 bucket policy. What is the primary security concern with this policy?

Exhibit


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```

Refer to the exhibit. A Kubernetes pod is configured as shown. Which security enhancement should be added to follow cloud security best practices?

Exhibit


```
apiVersion: v1
kind: Pod
metadata:
  name: web-app
spec:
  containers:
  - name: web
    image: nginx:latest
    securityContext:
      runAsUser: 1000
      runAsGroup: 3000
      allowPrivilegeEscalation: false
    ports:
    - containerPort: 80
```

Refer to the exhibit. A log entry shows a suspected SQL injection attack. Which security control would have prevented this attack?

Exhibit


```
[ERROR] 2025-03-01 12:34:56,789 - myapp - CRITICAL - SQL Injection detected on endpoint /api/login
Input: ' OR '1'='1
```

A financial services company uses a multi-region cloud deployment for its trading application. The application consists of a web frontend, a REST API, and a relational database. Recently, a penetration test revealed that an attacker could perform a time-based blind SQL injection through the API's search functionality. The injection allows the attacker to enumerate database contents by observing response times. The development team was already aware of the issue but had prioritized other features. The security team now demands immediate remediation. The application is critical and cannot be taken offline. Which of the following is the most effective immediate action to mitigate the risk without modifying the application code?

Question 17 · medium · multiple choice

A healthcare SaaS provider is deploying a new application that processes protected health information (PHI). The application uses a microservices architecture running on Kubernetes. Each microservice stores its data in a separate database. The compliance team requires that all data at rest be encrypted and that encryption keys be managed by the customer (CMEK). The cloud provider supports KMS with CMEK. However, the development team wants to use a single customer-managed key for all databases to simplify key management. The security architect is concerned about the blast radius if the key is compromised. Which of the following recommendations best balances security and operational efficiency?

A cloud security architect is designing a CI/CD pipeline for a serverless application using AWS Lambda. The application processes sensitive user data and requires encryption at rest and in transit. Which of the following is the BEST approach to securely manage database credentials used by the Lambda function?

A security team is implementing a web application firewall (WAF) for a cloud-based e-commerce application. The application is built on a microservices architecture and uses a RESTful API. Which of the following is the PRIMARY reason to deploy the WAF at the API gateway level rather than at the individual service level?

A cloud application developer is using a containerized application with Docker. The security team requires that the application runs with the least privilege possible. Which of the following is the BEST practice to ensure the container does not run as root?


Frequently asked questions

What does the CCSP exam test about Cloud Application Security?
Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Cloud Application Security questions in a focused session?
Yes — the session launcher on this page draws every question from the Cloud Application Security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CCSP topics?
Use the topic links above to move to related areas, or go back to the CCSP question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CCSP exam covers. They are not copied from any real exam or dump site.