CCNA Cloud Concepts Design Questions

44 questions · Cloud Concepts Design topic · All types, answers revealed

1
Multi-Selecthard

A cloud architect is designing a multi-cloud strategy to avoid vendor lock-in. Which three design considerations should be included? (Choose three.)

Select 3 answers
A.Implement abstraction layers such as containers or cloud-agnostic APIs
B.Design applications with portability in mind using microservices
C.Choose cloud-agnostic data formats and storage interfaces
D.Standardize on one cloud provider for core services
E.Use provider-specific APIs for optimal performance
AnswersA, B, C

Abstraction layers decouple the application from underlying cloud provider APIs.

Why this answer

Option A is correct because implementing abstraction layers such as containers (e.g., Docker, Kubernetes) or cloud-agnostic APIs (e.g., Terraform, OpenStack) decouples application code from underlying cloud infrastructure. This allows workloads to be migrated between providers without rewriting core logic, directly addressing vendor lock-in by standardizing deployment and orchestration interfaces.

Exam trap

ISC2 often tests the misconception that standardizing on a single provider's core services is part of a multi-cloud strategy, when in fact it increases lock-in, and that provider-specific APIs are acceptable for portability, when they directly undermine the abstraction goal.

2
MCQhard

Refer to the exhibit. An organization has attached this IAM policy to a role used by a backup application to access encrypted objects in an S3 bucket. The application is failing with an access denied error when trying to download objects. What is the most likely cause?

A.The policy uses wildcard resource for KMS, which is not allowed.
B.The policy does not specify the SSE-KMS key ARN in the KMS action.
C.The policy does not grant s3:GetObject on the bucket itself.
D.The policy omits kms:DescribeKey permission.
AnswerB

Correct: To decrypt objects, the policy must include the specific key ARN or the key's policy must grant the role permission.

Why this answer

The policy grants kms:Decrypt using a wildcard resource ("arn:aws:kms:*:*:key/*") instead of specifying the exact KMS key ARN used to encrypt the S3 objects. When an S3 object is encrypted with SSE-KMS, the backup application must have explicit permission to use that specific KMS key. Without the correct key ARN in the KMS action's Resource element, KMS denies the decryption request, causing the access denied error.

Exam trap

ISC2 often tests the nuance that KMS resource ARNs must be explicit for decrypt operations, not wildcarded, even though wildcards are syntactically valid in IAM policies.

How to eliminate wrong answers

Option A is wrong because AWS KMS does allow wildcard resources in IAM policies for KMS actions, though it is not a best practice; the real issue is that the wildcard does not match the specific key ARN required. Option B is correct as explained. Option C is wrong because the policy does grant s3:GetObject on the bucket (the Resource includes "arn:aws:s3:::bucket-name/*"), so the S3 permission is present.

Option D is wrong because kms:DescribeKey is not required for decrypting objects; only kms:Decrypt is needed, and the failure is due to the missing key ARN, not the absence of DescribeKey.

3
MCQmedium

Refer to the exhibit. A security auditor is reviewing the security group configuration for a web server. Which change would improve the security posture without breaking the application functionality?

A.Remove Rule 2 because HTTPS should be restricted to a specific IP range.
B.Remove Rule 1 because SSH should not be open to the internet.
C.Remove Rule 4 because outbound traffic should be restricted.
D.Remove Rule 3 because RDP should be allowed from anywhere.
AnswerB

Correct: Reduces attack surface without affecting web service.

Why this answer

Option B is correct because SSH (port 22) should never be open to the internet (0.0.0.0/0) on a web server. Removing Rule 1 eliminates this unnecessary exposure while the web server's HTTP/HTTPS rules remain intact, preserving application functionality. This aligns with the principle of least privilege and reduces the attack surface.

Exam trap

ISC2 often tests the misconception that all common ports (like HTTPS or outbound traffic) must be restricted to improve security, when in fact the critical mistake is leaving management protocols (SSH, RDP) open to the internet.

How to eliminate wrong answers

Option A is wrong because HTTPS (port 443) is typically required to be open to the internet for a public web server to serve encrypted traffic; restricting it to a specific IP range would break functionality for external users. Option C is wrong because outbound traffic (Rule 4) is necessary for the web server to fetch updates, resolve DNS, or communicate with backend services; removing it would likely break application functionality. Option D is wrong because RDP (port 3389) should never be allowed from anywhere (0.0.0.0/0) due to its high risk of brute-force attacks; the statement suggests allowing it, which worsens security posture.

4
MCQmedium

A healthcare organization is migrating sensitive patient data to a public cloud. The compliance team requires that data be encrypted at rest and in transit, and that the cloud provider cannot access the encryption keys. Which cloud service model should the organization use to maintain sole control over encryption keys?

A.Software as a Service (SaaS)
B.Infrastructure as a Service (IaaS)
C.Hybrid Cloud
D.Platform as a Service (PaaS)
AnswerB

IaaS gives the customer control over the OS, storage, and encryption keys.

Why this answer

IaaS provides the customer with full control over the underlying infrastructure, including virtual machines, storage, and networking. This allows the organization to implement their own encryption mechanisms and manage their own keys using a Hardware Security Module (HSM) or a key management service (KMS) that the cloud provider cannot access. In contrast, SaaS and PaaS typically abstract away the infrastructure, limiting customer control over encryption key management.

Exam trap

ISC2 often tests the distinction between service models (IaaS, PaaS, SaaS) and deployment models (public, private, hybrid), so the trap here is that candidates mistakenly choose Hybrid Cloud (Option C) because they think it allows key control, but it is a deployment model that does not guarantee sole key management in the public cloud component.

How to eliminate wrong answers

Option A is wrong because SaaS delivers a fully managed application where the cloud provider controls the entire stack, including encryption key management, making it impossible for the customer to maintain sole control over keys. Option C is wrong because Hybrid Cloud is a deployment model (not a service model) that combines on-premises and cloud resources; it does not inherently grant sole control over encryption keys in the public cloud portion. Option D is wrong because PaaS abstracts the underlying infrastructure, and while it may offer some encryption options, the provider often retains access to the keys or manages them on behalf of the customer, violating the requirement for sole customer control.

5
MCQhard

Refer to the exhibit. A security engineer is reviewing this S3 bucket policy. The bucket contains sensitive documents that should only be accessible from the internal network (10.0.0.0/24) and only over HTTPS. What is the most likely effect of this policy?

A.The policy allows access from any IP if the request uses HTTPS.
B.The policy allows GetObject from the internal network only when using HTTPS.
C.The policy allows access from any IP in 10.0.0.0/24, but blocks access from the VPC.
D.The policy denies all access to the bucket because of the explicit Deny statement.
AnswerB

The Allow with IP condition permits internal requests, and the Deny on non-SecureTransport blocks HTTP requests, effectively requiring HTTPS.

Why this answer

The policy includes an explicit Deny for any request that does not use HTTPS (i.e., aws:SecureTransport is false), which overrides any Allow. The Allow statement grants s3:GetObject only when the source IP is within 10.0.0.0/24. Therefore, the effective result is that GetObject is allowed only from the internal network and only over HTTPS, making option B correct.

Exam trap

ISC2 often tests the interplay between explicit Deny and Allow statements, where candidates mistakenly think a Deny only applies to the specific action listed, or they overlook that the Deny for non-HTTPS effectively blocks all requests that are not encrypted, even if the IP condition is met.

How to eliminate wrong answers

Option A is wrong because the Deny statement explicitly blocks any request that does not use HTTPS, regardless of the source IP, so access is not allowed from any IP even with HTTPS unless the IP is also in 10.0.0.0/24. Option C is wrong because the policy does not block access from the VPC; it allows access from the 10.0.0.0/24 IP range, which could include VPC resources, and there is no VPC-specific condition. Option D is wrong because the explicit Deny only applies to requests without HTTPS; requests with HTTPS from the allowed IP range are permitted, so not all access is denied.

6
MCQmedium

A cloud architect is designing a disaster recovery plan for a financial application with RTO of 15 minutes and RPO of 5 minutes. Which recovery strategy is most appropriate?

A.Multi-region active-active
B.Backup and restore
C.Pilot light
D.Warm standby
AnswerA

Multi-region active-active provides continuous replication and instant failover, meeting both RTO and RPO.

Why this answer

Multi-region active-active is the only strategy that can meet both a 15-minute RTO and a 5-minute RPO because it maintains synchronous or near-synchronous replication between two or more regions, allowing traffic to be instantly redirected with zero or minimal data loss. This approach eliminates the recovery time needed to spin up infrastructure or restore data, as the application is already fully operational in multiple regions.

Exam trap

ISC2 often tests the distinction between RTO and RPO by presenting a scenario where candidates confuse warm standby (which can meet a low RTO but not a tight RPO) with active-active, leading them to choose warm standby despite its inability to guarantee the 5-minute RPO.

How to eliminate wrong answers

Option B (Backup and restore) is wrong because restoring from backups typically takes hours, far exceeding the 15-minute RTO, and the RPO of 5 minutes cannot be guaranteed with periodic backups. Option C (Pilot light) is wrong because while it can achieve a low RTO, the RPO is often higher than 5 minutes due to the need to replicate data and start application servers, and the failover process introduces delay. Option D (Warm standby) is wrong because even though it has a reduced recovery time compared to pilot light, the RPO of 5 minutes is difficult to achieve consistently without active-active replication, and the failover still requires time to promote the standby environment.

7
MCQmedium

A cloud architect is designing a cost-optimized architecture for a batch processing job that runs once per day. The job requires high compute capacity for approximately 5 hours. Which cloud service model is most suitable?

A.Reserved instances
B.On-demand instances
C.Spot instances
D.Dedicated hosts
AnswerC

Correct: Cost-effective for fault-tolerant, short-lived workloads.

Why this answer

Spot instances are the most suitable for this batch processing job because they offer significant cost savings (up to 90% compared to on-demand) and are ideal for fault-tolerant, stateless workloads that can handle interruptions. The job runs once per day for only 5 hours, so it can easily be designed to checkpoint progress and resume if a spot instance is reclaimed, making the cost-optimized choice clear.

Exam trap

ISC2 often tests the misconception that spot instances are unreliable and unsuitable for any production workload, but the trap here is that they are perfectly appropriate for fault-tolerant, short-lived batch jobs where cost optimization is the primary goal.

How to eliminate wrong answers

Option A is wrong because Reserved instances require a 1- or 3-year commitment and are designed for steady-state, predictable workloads, not a short 5-hour daily batch job, leading to wasted cost for unused hours. Option B is wrong because On-demand instances provide full pricing flexibility but are the most expensive option, making them suboptimal for a cost-optimized architecture when spot instances can handle the same workload at a fraction of the cost. Option D is wrong because Dedicated hosts are physical servers dedicated to a single tenant, used for compliance or licensing needs, and are the most expensive option, offering no cost benefit for a batch processing job that does not require physical isolation.

8
Drag & Dropmedium

Drag and drop the steps for implementing a data retention policy for cloud storage (e.g., Amazon S3) into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First classify data, then define retention, configure lifecycle, enable immutability, and test.

9
Multi-Selecteasy

An organization wants to ensure compliance with industry regulations by implementing data classification in the cloud. Which two actions should the organization take? (Choose two.)

Select 2 answers
A.Implement auditing of access to sensitive data.
B.Store all data in a single repository for easy management.
C.Define data sensitivity levels and apply labels.
D.Encrypt all data regardless of classification.
E.Automatically tag all data as it is created.
AnswersA, C

Correct: Provides tracking and accountability.

Why this answer

Option A is correct because auditing access to sensitive data is a fundamental compliance requirement under regulations like GDPR, HIPAA, and PCI DSS. It provides a verifiable record of who accessed what data, when, and from where, enabling detection of unauthorized access and supporting forensic investigations. Without auditing, an organization cannot demonstrate compliance with data protection mandates that require monitoring and reporting of access to classified data.

Exam trap

ISC2 often tests the misconception that encryption alone satisfies compliance requirements, but the trap here is that encryption is a control, not a classification mechanism, and without auditing and defined sensitivity levels, compliance cannot be proven.

10
MCQeasy

A company wants to ensure that their cloud deployment has the highest level of isolation between tenants. Which deployment model is most appropriate?

A.Public cloud
B.Hybrid cloud
C.Private cloud
D.Community cloud
AnswerC

Private cloud is dedicated to a single organization, providing maximum isolation.

Why this answer

Private cloud (Option C) is correct because it is a single-tenant environment where the cloud infrastructure is dedicated exclusively to one organization, providing the highest level of isolation between tenants. In a private cloud, network segmentation is achieved through technologies such as VLANs (IEEE 802.1Q), VXLANs (RFC 7348), and dedicated hypervisor-level resource pools, ensuring that no other tenant's workloads share the same physical or virtual resources. This eliminates the multi-tenancy risks inherent in public and community clouds, where isolation relies on shared infrastructure and logical separation mechanisms like hypervisor-enforced memory isolation and network overlays.

Exam trap

ISC2 often tests the misconception that hybrid cloud provides the highest isolation because it includes a private component, but the trap is that hybrid cloud still incorporates a public cloud element, which inherently introduces multi-tenancy and reduces overall isolation compared to a fully private cloud.

How to eliminate wrong answers

Option A is wrong because public cloud deployments rely on multi-tenant architectures where multiple customers share the same physical infrastructure, with isolation achieved through logical controls such as hypervisor memory isolation, network ACLs, and tenant-specific encryption keys; this inherently provides lower isolation compared to a dedicated private cloud. Option B is wrong because hybrid cloud combines private and public cloud resources, and while the private portion offers high isolation, the public cloud component introduces multi-tenancy, reducing the overall isolation level across the deployment. Option D is wrong because community cloud is a multi-tenant model shared among several organizations with common concerns (e.g., regulatory compliance), and while it offers some isolation via policy-based segmentation, it does not achieve the dedicated, single-tenant isolation of a private cloud.

11
MCQeasy

A cloud architect is designing a multi-region application to ensure high availability. The application must automatically fail over to a secondary region if the primary region becomes unavailable. Which strategy best meets this requirement?

A.Active-passive with manual failover
B.Active-passive with automated failover using health checks
C.Active-active with load balancing across regions
D.Read replicas in secondary region
AnswerB

Correct: Health checks trigger automatic failover.

Why this answer

Active-passive with automated failover using health checks is the correct strategy because it ensures that the secondary region automatically takes over when the primary region fails, without manual intervention. Health checks continuously monitor the primary region's endpoints (e.g., via HTTP/HTTPS probes or TCP checks), and upon detecting consecutive failures (e.g., 3 failed health checks), the failover mechanism—such as DNS-based routing with a low TTL (e.g., 60 seconds) or a global load balancer—automatically redirects traffic to the passive secondary region. This meets the high availability requirement by minimizing downtime while keeping the secondary region idle to reduce costs.

Exam trap

ISC2 often tests the misconception that active-active architectures inherently provide automatic failover, but they actually require both regions to be active and healthy, and failover is a separate mechanism; the trap is that candidates confuse load balancing with failover, leading them to choose active-active when the requirement explicitly calls for automatic failover from an unavailable primary region.

How to eliminate wrong answers

Option A is wrong because manual failover introduces significant downtime due to human reaction time and operational procedures, which contradicts the requirement for automatic failover. Option C is wrong because active-active with load balancing across regions is designed for distributing traffic and scaling, not for automatic failover from an unavailable primary region; it requires both regions to be active and healthy, and does not inherently provide a failover mechanism when one region fails. Option D is wrong because read replicas in a secondary region only support read operations and cannot serve as a failover target for write traffic; they lack the capability to automatically promote to a primary role without manual intervention or additional configuration.

12
MCQmedium

What is the most likely cause of the failure?

A.Instance type not available in that region
B.Resource exhaustion in the availability zone
C.Incorrect region
D.Insufficient CPU quota
AnswerB

The 'insufficient capacity' error is most commonly due to lack of available resources in that AZ.

Why this answer

The failure is most likely due to resource exhaustion in the availability zone. When launching instances in a specific Availability Zone, the cloud provider may have insufficient capacity to fulfill the request, even if the instance type is available in the region. This is a common transient condition that occurs when demand exceeds available compute resources in that zone.

Exam trap

ISC2 often tests the distinction between resource exhaustion (capacity) and quota limits, where candidates mistakenly select quota errors when the real issue is transient capacity unavailability in a specific Availability Zone.

How to eliminate wrong answers

Option A is wrong because the instance type not being available in the region would typically result in a different error message indicating the instance type is not supported in that region, and the error would occur regardless of the specific Availability Zone selected. Option C is wrong because an incorrect region would cause a different failure, such as the region not being found or the resource not existing, not a capacity-related error. Option D is wrong because insufficient CPU quota would produce a quota exceeded error, which is distinct from a capacity or resource exhaustion error; quota limits are account-level, not zone-level.

13
MCQmedium

A company uses a cloud provider's object storage service for backup data. The security policy requires that data be encrypted at rest using keys managed by the company's on-premises hardware security module (HSM). Which encryption method should be used?

A.Client-side encryption
B.Server-side encryption with customer-provided keys (SSE-C)
C.Server-side encryption with cloud provider-managed keys (SSE-S3)
D.Server-side encryption with customer-managed keys (SSE-KMS)
AnswerA

Correct: Encrypts data on-premises, keys remain on-premises HSM.

Why this answer

Client-side encryption is the only method where the encryption keys are generated and managed entirely within the customer's on-premises HSM, and data is encrypted before it is sent to the cloud provider's object storage. This ensures that the cloud provider never has access to the plaintext data or the encryption keys, fully satisfying the policy requirement that keys be managed by the company's on-premises HSM.

Exam trap

ISC2 often tests the distinction between 'customer-provided keys' (SSE-C) and 'customer-managed keys' (SSE-KMS) versus true client-side encryption, where candidates mistakenly assume that providing or managing keys in the cloud satisfies on-premises HSM control, but the trap is that SSE-C and SSE-KMS still involve the cloud provider's servers performing encryption/decryption, which exposes the key or plaintext to the provider's environment.

How to eliminate wrong answers

Option B (SSE-C) is wrong because while the customer provides the encryption key, the encryption and decryption operations are performed by the cloud provider's server, meaning the key is temporarily exposed to the provider's infrastructure, which violates the requirement that keys be managed solely by the on-premises HSM. Option C (SSE-S3) is wrong because the cloud provider manages the encryption keys entirely, giving the provider full control over key lifecycle and access, which does not meet the policy of customer-managed keys on an on-premises HSM. Option D (SSE-KMS) is wrong because although the customer manages the key through a cloud-based KMS, the key material is stored and used within the cloud provider's environment, not on the customer's on-premises HSM, thus failing the requirement for on-premises key management.

14
MCQhard

A company is deploying a new application that processes sensitive personal data. The cloud provider operates in a specific region that adheres to the EU General Data Protection Regulation (GDPR). The company requires that data never leave the region. Which combination of cloud architecture controls should be implemented?

A.Use a virtual private cloud (VPC) with a route table that only allows egress to the internet through a NAT gateway.
B.Use data sovereignty policies, restrict geographic deployment to the region, and disable cross-region replication.
C.Use encryption at rest and in transit with keys stored in a cloud HSM.
D.Use a cloud provider's CDN service to cache content within the region.
AnswerB

Correct: Policy and configuration ensure data residency.

Why this answer

Option B is correct because data sovereignty policies explicitly enforce that data remains within a specific jurisdiction, restricting geographic deployment to the region ensures all cloud resources are provisioned only in that region, and disabling cross-region replication prevents any automated or manual data transfer to other regions. This combination directly addresses the GDPR requirement that data never leave the designated region, as it controls both resource placement and data movement at the infrastructure level.

Exam trap

ISC2 often tests the misconception that encryption alone ensures data residency, but encryption protects data confidentiality, not its geographic location, so candidates must recognize that data sovereignty requires explicit location-based controls rather than cryptographic measures.

How to eliminate wrong answers

Option A is wrong because a VPC with a NAT gateway only controls outbound internet traffic from private subnets; it does not prevent data from being stored or processed in other regions, nor does it enforce geographic boundaries for data residency. Option C is wrong because encryption at rest and in transit, even with keys in a cloud HSM, protects data confidentiality but does not control where data is stored or processed; data could still be replicated or moved to another region. Option D is wrong because a CDN caches content at edge locations, which are often distributed across multiple regions and countries, potentially causing data to leave the specified region and violating the data residency requirement.

15
MCQeasy

A multinational corporation operates a cloud-based application that stores customer data across multiple regions to comply with local data residency laws. The application is deployed on virtual machines in a Infrastructure as a Service (IaaS) environment. Recently, the compliance team discovered that some user data from the European region was accidentally stored in a storage bucket located in the United States due to a misconfigured storage class. The company needs to immediately ensure that no further data breaches occur and that all future data storage actions comply with regional restrictions. The cloud architect proposes implementing a data loss prevention (DLP) solution, but the compliance team wants a more preventative approach. Which of the following is the BEST course of action to prevent this issue?

A.Configure a network firewall to block traffic to the IP addresses of storage endpoints in unauthorized regions.
B.Apply a tag to all storage resources that must remain in a specific region and enable a tag-based policy to enforce location.
C.Implement a DLP solution that scans all uploads and rejects those not meeting location requirements.
D.Use a service control policy (SCP) to deny access to storage resources outside the approved regions.
AnswerD

Correct: SCPs provide preventative, organization-wide control over resource creation and access.

Why this answer

A service control policy (SCP) can centrally deny access to storage resources in unauthorized regions across the entire organization, providing a preventative control that cannot be overridden by users.

16
MCQhard

A cloud architect is designing a disaster recovery (DR) solution for a critical application with a recovery time objective (RTO) of 30 minutes and a recovery point objective (RPO) of 5 minutes. The application runs on virtual machines in a private cloud. The architect is considering using a colocation facility as the DR site. Which replication method will meet the RPO requirement?

A.Synchronous replication
B.Periodic snapshots every 15 minutes
C.Periodic snapshots every 5 minutes
D.Asynchronous replication with a delay of 10 minutes
AnswerC

Correct: Provides RPO of 5 minutes if snapshots are taken every 5 minutes.

Why this answer

Option C is correct because periodic snapshots every 5 minutes align exactly with the RPO of 5 minutes, ensuring that at most 5 minutes of data is lost in a disaster. This method captures the VM state at the required interval without the complexity or latency constraints of synchronous replication, which is often impractical over long distances or limited bandwidth.

Exam trap

ISC2 often tests the misconception that synchronous replication is always the best choice for low RPO, but the trap here is that RPO is not the only constraint—RTO and network latency must also be considered, and periodic snapshots can meet a 5-minute RPO without the performance penalties of synchronous replication over a WAN link.

How to eliminate wrong answers

Option A is wrong because synchronous replication requires the primary and DR sites to have extremely low latency (typically <1-2 ms) and high bandwidth to avoid impacting application performance; over a colocation facility link, this is rarely achievable and would likely violate the RTO by causing application slowdowns. Option B is wrong because periodic snapshots every 15 minutes would allow up to 15 minutes of data loss, exceeding the 5-minute RPO requirement. Option D is wrong because asynchronous replication with a 10-minute delay means the DR site could be up to 10 minutes behind the primary, which exceeds the 5-minute RPO and does not guarantee recovery within the specified data loss window.

17
Multi-Selectmedium

A company is moving a legacy application to a public cloud. The application requires low latency and high throughput between two application tiers. Which two cloud design principles should be applied? (Choose two.)

Select 2 answers
A.Use dedicated network connections between tiers.
B.Deploy both tiers in the same region but different availability zones.
C.Use a single large instance for both tiers.
D.Place the tiers in different VPCs with a transit gateway.
E.Deploy both tiers in the same availability zone.
AnswersA, E

Correct: Provides dedicated throughput and reduces contention.

Why this answer

Option A is correct because dedicated network connections, such as AWS Direct Connect or Azure ExpressRoute, provide consistent low latency and high throughput by bypassing the public internet and reducing jitter. This ensures predictable performance for latency-sensitive inter-tier communication, which is critical for legacy applications with strict performance requirements.

Exam trap

ISC2 often tests the misconception that deploying across availability zones always improves performance, but the trap here is that inter-zone latency can harm low-latency requirements, making same-zone deployment (Option E) the correct choice alongside dedicated connections.

18
Multi-Selecthard

Which THREE of the following are key characteristics of cloud computing as defined by NIST SP 800-145?

Select 3 answers
A.Broad network access
B.On-demand self-service
C.Location independence
D.Dedicated hardware per tenant
E.Rapid elasticity
AnswersA, B, E

Resources are available over the network and accessed through standard mechanisms.

Why this answer

Option A is correct because NIST SP 800-145 defines broad network access as the capability for cloud capabilities to be accessed over the network by standard mechanisms (e.g., HTTPS, SSH, VPN) that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, workstations). This characteristic ensures that resources are available from any location with internet connectivity, not limited to a single physical network segment.

Exam trap

ISC2 often tests the distinction between 'location independence' (a common misconception) and the actual NIST-defined characteristic of 'resource pooling,' where the consumer generally has no control over the exact physical location of resources but may specify at a higher level of abstraction (e.g., country, region, or availability zone).

19
MCQhard

An auditor is reviewing a cloud provider's SOC 2 Type II report. Which aspect of the report is most relevant for assessing the effectiveness of controls over a period?

A.System description
B.Description of tests and results
C.Opinion letter
D.Management's assertion
AnswerB

This section details the tests performed and their outcomes, proving controls operated effectively over the period.

Why this answer

The SOC 2 Type II report evaluates the operational effectiveness of controls over a specified period (typically 6–12 months). The 'Description of tests and results' section provides the auditor's detailed testing procedures and outcomes, directly showing whether controls operated effectively throughout that period. This makes it the most relevant aspect for assessing control effectiveness over time.

Exam trap

ISC2 often tests the distinction between Type I (point-in-time design) and Type II (period-of-time effectiveness), and candidates mistakenly choose the opinion letter or system description because they focus on the report's overall conclusion rather than the detailed test evidence that proves effectiveness over time.

How to eliminate wrong answers

Option A is wrong because the system description merely outlines the system's boundaries and control objectives, not the actual testing or effectiveness over time. Option C is wrong because the opinion letter gives the auditor's overall conclusion but lacks the granular test details needed to assess specific control effectiveness. Option D is wrong because management's assertion is a self-declaration of control design and implementation, not an independent verification of operational effectiveness over the period.

20
MCQhard

During a cloud migration, a company decides to move a legacy application with no code changes. Which migration strategy are they using?

A.Refactor
B.Repurchase
C.Replatform
D.Rehost (lift and shift)
AnswerD

Rehosting migrates the application as-is, requiring no code changes.

Why this answer

Option A is correct because rehost (lift and shift) moves applications without modification. Options B, C, and D involve changes to the application or purchasing a new solution.

21
MCQhard

Which type of threat is this log most likely indicating?

A.Account takeover
B.Malware infection
C.Insider threat
D.Data exfiltration
AnswerD

Anomalous large data transfer to an unknown location at unusual time is a classic sign of data exfiltration.

Why this answer

The log shows a large volume of outbound data transfers from a cloud storage bucket to an external IP address, which is characteristic of data exfiltration. In cloud environments, such activity often involves unauthorized copying of sensitive data to an attacker-controlled location, bypassing normal access controls.

Exam trap

ISC2 often tests the distinction between data exfiltration and insider threat by presenting a log of outbound data transfer without user context, leading candidates to incorrectly assume insider intent when the pattern itself defines the threat type.

How to eliminate wrong answers

Option A is wrong because account takeover typically involves anomalous login patterns, failed authentication attempts, or access from unusual locations, not sustained outbound data transfers. Option B is wrong because malware infection usually manifests as unusual process execution, registry changes, or internal lateral movement, not direct bulk data uploads to external IPs. Option C is wrong because insider threat could involve data exfiltration, but the log alone does not indicate the user's intent or authorization level; the pattern of large outbound transfers to an external IP is more specifically indicative of exfiltration regardless of insider or external actor.

22
Multi-Selecteasy

Which THREE of the following are essential characteristics of cloud computing as defined by NIST SP 800-145?

Select 3 answers
A.Multi-tenancy
B.Resource pooling
C.Virtualization
D.On-demand self-service
E.Measured service
AnswersB, D, E

Correct. Resource pooling is one of the five essential characteristics.

Why this answer

Resource pooling is correct because NIST SP 800-145 defines it as one of the five essential characteristics, where the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with physical and virtual resources dynamically assigned and reassigned according to consumer demand. This enables economies of scale and location independence, as the customer generally has no control or knowledge over the exact location of the provided resources.

Exam trap

ISC2 often tests the distinction between 'multi-tenancy' (a design goal) and 'resource pooling' (the NIST-defined characteristic), and between 'virtualization' (an implementation detail) and the essential characteristics, leading candidates to incorrectly select options that are common in cloud but not in the NIST definition.

23
Multi-Selectmedium

A cloud architect is evaluating cloud service models for a new application. Which two characteristics are advantages of PaaS over IaaS? (Choose two.)

Select 2 answers
A.Greater control over the underlying OS
B.Lower cost due to shared infrastructure
C.Reduced management of middleware and runtime
D.Higher flexibility to customize networking
E.Built-in scalability and high availability
AnswersC, E

PaaS manages middleware and runtime, reducing customer management overhead.

Why this answer

Option C is correct because PaaS abstracts away middleware, runtime, and OS management, allowing developers to focus on code rather than patching or configuring these layers. This reduces operational overhead compared to IaaS, where you must manage the OS, runtime, and middleware yourself. Option E is correct because PaaS platforms typically include built-in load balancing, auto-scaling, and redundancy features, whereas in IaaS you must architect and implement these capabilities manually.

Exam trap

ISC2 often tests the misconception that PaaS is always cheaper than IaaS due to shared infrastructure, but the real advantage is reduced management of middleware and runtime, not guaranteed cost savings.

24
Drag & Dropmedium

Drag and drop the steps for performing a cloud migration using the 'lift and shift' strategy into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First assess, then set up target, replicate, transfer data, and finally test and cut over.

25
Matchingmedium

Match each NIST SP 800-53 control family to its focus area.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Access Control

Audit and Accountability

System and Communications Protection

System and Information Integrity

Physical and Environmental Protection

Why these pairings

NIST SP 800-53 provides security and privacy controls; each family addresses a specific domain.

26
MCQeasy

A company is migrating to the cloud to reduce capital expenditures. They want to pay only for the resources they consume with no upfront investment. Which financial model does this describe?

A.Amortization
B.Capex
C.Leasing
D.Opex
AnswerD

Opex is the pay-as-you-go model that aligns with variable costs and no upfront investment.

Why this answer

Option D is correct because the operating expenditure (Opex) model allows a company to pay for cloud resources on a consumption basis without any upfront capital investment. This aligns with the goal of reducing capital expenditures (Capex) by shifting costs to variable, pay-as-you-go operational expenses.

Exam trap

ISC2 often tests the distinction between Capex and Opex by presenting a scenario that describes consumption-based pricing, and the trap is that candidates confuse 'leasing' (which still implies a fixed term) with true pay-as-you-go Opex.

How to eliminate wrong answers

Option A is wrong because amortization is an accounting method that spreads the cost of an intangible asset over its useful life, not a financial model for paying for cloud resources as consumed. Option B is wrong because Capex (capital expenditure) involves upfront investment in physical assets like servers, which contradicts the goal of avoiding upfront costs. Option C is wrong because leasing typically involves fixed periodic payments for a defined term, not a consumption-based model where you pay only for what you use.

27
MCQmedium

Your company, a global e-commerce platform, operates on a multi-cloud environment with workloads in AWS and Azure. You are the lead cloud architect. The platform experiences peak traffic during promotional events, with traffic spikes up to 10x normal. The application is composed of microservices running in containers orchestrated by Kubernetes on both clouds. Each cloud provider's Kubernetes cluster uses cluster autoscaler and horizontal pod autoscaler. Recently, during a flash sale, the AWS cluster failed to scale adequately, causing latency spikes and timeouts. AWS support indicated that the cluster hit a service quota limit for EC2 instances. You need to prevent this from recurring. You have the following options: A) Implement a multi-region deployment on AWS to distribute load. B) Pre-warm the AWS environment by requesting a service quota increase and using a pod priority class to ensure critical pods scale first. C) Migrate all workloads to Azure to simplify management. D) Use a global load balancer to route traffic to the cloud with the most available capacity. Which option is the best course of action?

A.Migrate all workloads to Azure to simplify management.
B.Use a global load balancer to route traffic to the cloud with the most available capacity.
C.Implement a multi-region deployment on AWS to distribute load.
D.Pre-warm the AWS environment by requesting a service quota increase and using a pod priority class to ensure critical pods scale first.
AnswerD

Addresses the quota limit directly and uses priority classes to manage scaling of critical services.

Why this answer

Option D is correct because the root cause is a hard AWS service quota for EC2 instances, which prevents the cluster autoscaler from launching new nodes. Requesting a quota increase removes this bottleneck, while pod priority classes ensure that critical microservices are scheduled first when resources are constrained, preventing latency spikes during flash sales.

Exam trap

ISC2 often tests the misconception that scaling issues are always solved by distributing load (e.g., multi-region or global load balancers), when the actual root cause is a hard resource quota that prevents any new compute capacity from being provisioned.

How to eliminate wrong answers

Option A is wrong because migrating all workloads to Azure does not address the underlying scaling issue—it merely shifts the problem to another cloud, which may also have its own quotas. Option B is wrong because a global load balancer can distribute traffic but does not resolve the AWS quota limit; the cluster will still fail to scale if it cannot launch new EC2 instances. Option C is wrong because multi-region deployment on AWS distributes load but does not increase the per-region EC2 instance quota; the cluster autoscaler would still be blocked by the same quota in each region.

28
MCQmedium

A software development company is migrating its development and test environments to a public cloud. The security team has identified that many developers have assigned overly permissive IAM roles to the resources they create, such as giving full administrative access to databases and virtual machines. The company wants to enforce least privilege without impeding development agility. The cloud architect suggests using a combination of permission boundaries and service control policies. Which of the following approaches BEST enforces least privilege while maintaining development flexibility?

A.Define permission boundaries that limit the maximum permissions a developer can grant to resources, and allow developers to create IAM roles within those boundaries.
B.Implement an automated system that reviews and removes any privileges not used within 60 days.
C.Attach a service control policy at the organizational level that denies all actions unless explicitly allowed, and have developers create their own IAM policies.
D.Create a permission boundary that restricts all users to read-only access and require subordinates to request access for specific privileges.
AnswerA

Correct: Permission boundaries provide a preventative limit while allowing developers flexibility.

Why this answer

Permission boundaries in AWS IAM (or similar constructs in other clouds) allow an administrator to set the maximum permissions that a developer can grant to any IAM role or resource. By defining a permission boundary, developers retain the flexibility to create and attach policies within that boundary, ensuring they cannot exceed the defined limits. This directly enforces least privilege because even if a developer attaches a permissive policy, the boundary caps the effective permissions, preventing full administrative access to databases or VMs.

Exam trap

ISC2 often tests the distinction between preventive controls (like permission boundaries) and detective/reactive controls (like privilege review), leading candidates to choose an option that sounds proactive but actually only audits after the fact.

How to eliminate wrong answers

Option B is wrong because it is a reactive measure that only removes unused privileges after 60 days, which does not prevent developers from initially assigning overly permissive roles; it also introduces a delay that could leave resources exposed. Option C is wrong because attaching a service control policy (SCP) at the organizational level that denies all actions unless explicitly allowed would require developers to create their own IAM policies, but SCPs alone do not prevent developers from creating overly permissive policies within the allowed actions—they lack the granular per-role cap that permission boundaries provide. Option D is wrong because restricting all users to read-only access and requiring subordinates to request specific privileges would severely impede development agility by forcing manual approval for every action, contradicting the goal of maintaining flexibility while enforcing least privilege.

29
MCQeasy

A company is migrating its on-premises workloads to a public cloud environment. The security team is concerned about maintaining visibility into network traffic between virtual machines in the same virtual network. Which cloud architecture component should be implemented to address this concern?

A.Security groups
B.Virtual network traffic mirroring
C.Virtual private cloud (VPC) peering
D.Network access control lists (NACLs)
AnswerB

Correct: Enables packet capture for analysis.

Why this answer

Virtual network traffic mirroring (or port mirroring) enables the capture and inspection of all network packets flowing between virtual machines within the same virtual network, including east-west traffic. This provides the security team with the deep packet visibility needed for threat detection, compliance auditing, and troubleshooting without requiring changes to the VM configurations or routing paths.

Exam trap

The trap here is that candidates often confuse security groups or NACLs with visibility tools, mistakenly believing that filtering or logging features (like flow logs) provide the same packet-level capture as traffic mirroring, when in fact flow logs only record metadata (e.g., source/destination IP, port, protocol) and not the full packet payload.

How to eliminate wrong answers

Option A is wrong because security groups act as a stateful virtual firewall that filters traffic based on rules (e.g., source IP, port), but they do not capture or mirror traffic for analysis; they only permit or deny packets. Option C is wrong because VPC peering connects two separate virtual networks, allowing traffic between them, but it does not provide visibility into traffic within a single virtual network. Option D is wrong because network access control lists (NACLs) are stateless packet filters applied at the subnet boundary, not a mechanism for copying or monitoring traffic flows between VMs inside the same subnet.

30
MCQeasy

A company wants to ensure that its cloud infrastructure can automatically add capacity during traffic spikes and remove capacity during low demand. Which cloud characteristic is primarily needed?

A.Broad network access
B.Measured service
C.Rapid elasticity
D.Resource pooling
AnswerC

Correct: Allows automatic scaling of resources.

Why this answer

Rapid elasticity is the cloud characteristic that enables automatic scaling of resources up or down in response to demand, often leveraging orchestration tools like AWS Auto Scaling or Azure VM Scale Sets. This ensures that capacity matches workload spikes and troughs without manual intervention, directly addressing the requirement for dynamic capacity adjustment.

Exam trap

ISC2 often tests the distinction between rapid elasticity and resource pooling, where candidates mistakenly think that sharing resources (pooling) inherently enables scaling, but pooling is about multi-tenancy, not dynamic capacity adjustment.

How to eliminate wrong answers

Option A is wrong because broad network access refers to the ability to access cloud services over standard network protocols (e.g., HTTPS, SSH) from various devices, not the dynamic scaling of resources. Option B is wrong because measured service involves metering and billing based on usage (e.g., per-hour or per-GB charges), not the automatic adjustment of capacity. Option D is wrong because resource pooling describes the multi-tenant model where physical resources are shared among multiple customers using virtualization, not the elasticity to scale resources on demand.

31
MCQmedium

A healthcare provider is subject to HIPAA regulations. They are planning to use a public cloud provider. Which design consideration is most important to ensure compliance?

A.Containerization
B.Cost optimization
C.Multi-cloud strategy
D.Data residency
AnswerD

Data residency ensures data is stored in approved locations, meeting HIPAA requirements.

Why this answer

Data residency is the most critical design consideration for a healthcare provider subject to HIPAA when using a public cloud, because HIPAA requires that protected health information (PHI) be stored and processed only in jurisdictions where the cloud provider can guarantee compliance with the HIPAA Privacy and Security Rules. If the cloud provider replicates data across regions or countries without explicit control, the organization may violate the HIPAA requirement to ensure that PHI is not exposed to unauthorized access or disclosure, and may also breach the Breach Notification Rule if data crosses borders into regions with weaker protections.

Exam trap

ISC2 often tests the misconception that technical controls like containerization or multi-cloud strategies are primary compliance tools, when in reality, foundational legal and geographic controls like data residency are the first and most critical step for regulated data in the cloud.

How to eliminate wrong answers

Option A is wrong because containerization (e.g., Docker, Kubernetes) is a deployment and isolation technology that does not inherently address data location, access controls, or compliance with HIPAA's administrative, physical, and technical safeguards; it is a means to package applications, not a compliance mechanism. Option B is wrong because cost optimization focuses on reducing cloud spending, which is irrelevant to HIPAA's core requirements for protecting PHI; prioritizing cost over compliance could lead to using cheaper, non-compliant storage or processing regions. Option C is wrong because a multi-cloud strategy involves using multiple cloud providers, which can increase complexity and risk of non-compliance if data residency and data flow across providers are not meticulously controlled; it does not directly ensure that PHI remains in compliant jurisdictions.

32
MCQhard

A healthcare organization recently migrated a patient records management application from on-premises infrastructure to a cloud environment using Infrastructure as a Service (IaaS). The application was originally designed as a monolithic workload running on bare-metal servers. After migration, the application is deployed on a fleet of virtual machines (VMs) of the same instance type. The organization is using a combination of Reserved Instances for baseline capacity and On-Demand instances to handle spikes. However, two months after the migration, the cloud bill is 40% higher than the estimated on-premises total cost of ownership. Additionally, performance reports indicate that the application experiences inconsistent latency and occasional timeouts during peak hours. The operations team has confirmed that the application code has not changed, and the cloud provider's infrastructure is healthy. There is no issue with network bandwidth or storage I/O. The team is considering several options to address both cost and performance issues. What should the team do first?

A.Migrate the application to serverless compute to eliminate the need to manage VMs.
B.Perform a rightsizing analysis of the current VM usage and adjust instance types accordingly.
C.Consolidate the workload into fewer, larger instances to reduce overhead and licensing costs.
D.Replace On-Demand instances with Spot Instances to reduce costs during spikes.
AnswerB

Rightsizing addresses both cost and performance by matching instance resources to actual workload demands. It is a standard first step in cloud optimization.

Why this answer

Option B is correct. The symptoms (high cost and inconsistent performance) strongly suggest that the instances are not appropriately sized for the workload. Rightsizing based on actual metrics (CPU, memory, I/O) is the most direct and effective first step to reduce waste and improve performance.

Option A is too drastic; moving to serverless would require significant architectural changes and is not a quick fix. Option C (Spot Instances) is unsuitable for baseline capacity because they can be terminated with little notice, which would disrupt a monolithic application. Option D (consolidation into fewer, larger instances) might reduce licensing costs but assumes that the current instances are underutilized; it could exacerbate performance issues if the application is not designed to scale horizontally.

33
Matchingmedium

Match each cloud auditing term to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Service organization control report for security

Assessment of cloud provider controls

Analysis of logs for incident investigation

Real-time assessment of security controls

Why these pairings

Auditing in cloud requires continuous monitoring and third-party attestations like SOC 2.

34
MCQmedium

A cloud security analyst is troubleshooting an access denied error when an application attempts to read an object from an S3 bucket. The application uses an IAM user that is not associated with the role specified in the policy. Which of the following is the most likely cause of the error?

A.The IAM user is not assuming the role before accessing the bucket.
B.The IAM user is not the specified role and is explicitly denied by the Deny statement.
C.The bucket policy has a conflicting Allow and Deny statement, causing an implicit deny.
D.The bucket policy is missing a condition for region restriction.
AnswerB

The Deny statement explicitly denies all principals that are not the specified role, so any other principal (including this IAM user) is denied access.

Why this answer

Option D is correct because the policy explicitly denies all principals except the specified role. The IAM user is not that role, so the Deny statement blocks access. Option A is irrelevant because the policy does not mention regions.

Option B is incorrect because the policy is syntactically valid and does not cause a conflict; the Deny overrides Allow per IAM evaluation logic. Option C is incorrect because the user is not attempting to assume the role, and the policy does not require it—it simply denies all principals that are not that role.

35
MCQmedium

A cloud architect is tasked with designing a disaster recovery plan for a critical application. The recovery time objective (RTO) is 1 hour, and the recovery point objective (RPO) is 15 minutes. The application runs on IaaS with data stored in a relational database. Which replication strategy is MOST cost-effective while meeting the objectives?

A.Daily full backups to another region
B.Synchronous database mirroring across regions
C.Multi-region active-active deployment with load balancing
D.Asynchronous storage-level replication with 15-minute snapshots
AnswerD

Asynchronous replication with frequent snapshots meets the RPO cost-effectively.

Why this answer

Option D is correct because asynchronous storage-level replication with 15-minute snapshots meets the RPO of 15 minutes and the RTO of 1 hour, while being more cost-effective than synchronous replication. Asynchronous replication avoids the latency and bandwidth costs of synchronous mirroring across regions, and the 15-minute snapshot schedule ensures data loss is limited to the RPO window. This strategy is suitable for IaaS relational databases where near-real-time consistency is acceptable.

Exam trap

ISC2 often tests the misconception that synchronous replication is always required for low RPOs, but here the RPO is 15 minutes, which asynchronous replication with snapshots can meet at lower cost, and candidates may incorrectly choose synchronous mirroring due to assuming zero data loss is needed.

How to eliminate wrong answers

Option A is wrong because daily full backups to another region cannot achieve an RPO of 15 minutes; the backup interval is 24 hours, leading to potential data loss of up to a day, which far exceeds the 15-minute RPO. Option B is wrong because synchronous database mirroring across regions introduces significant network latency and cost, and while it can achieve near-zero RPO, it is overkill for a 15-minute RPO and may degrade application performance due to synchronous writes. Option C is wrong because multi-region active-active deployment with load balancing is designed for high availability and traffic distribution, not specifically for data replication with a defined RPO; it does not inherently provide point-in-time recovery snapshots and is more expensive than necessary for the stated RPO/RTO.

36
MCQmedium

A developer is designing a microservices-based application in the cloud. They need to ensure communication between services is loosely coupled and resilient to failures. Which design pattern should they implement?

A.API gateway
B.Event-driven messaging
C.Service mesh
D.Database per service
AnswerB

Event-driven messaging uses asynchronous messages, enabling loose coupling and resilience to failures.

Why this answer

Event-driven messaging (B) is correct because it enables asynchronous, decoupled communication between microservices, allowing them to operate independently and remain resilient to failures. When a service publishes an event, other services consume it at their own pace, preventing cascading failures and ensuring the system can handle partial outages without blocking. This pattern directly supports loose coupling and fault tolerance, which are critical for cloud-based microservices architectures.

Exam trap

ISC2 often tests the distinction between patterns that manage communication (like service mesh) versus patterns that decouple communication (like event-driven messaging), and the trap here is that candidates confuse a service mesh's ability to handle retries and circuit breakers with the fundamental loose coupling provided by asynchronous event-driven architectures.

How to eliminate wrong answers

Option A (API gateway) is wrong because it acts as a single entry point for client requests and typically handles synchronous communication, which can introduce a bottleneck and tight coupling between services, not the loosely coupled, failure-resilient pattern required. Option C (Service mesh) is wrong because it focuses on managing service-to-service communication at the infrastructure layer (e.g., with sidecar proxies like Envoy) and does not inherently provide the asynchronous, event-driven decoupling needed for resilience; it handles traffic management and observability but not failure isolation through loose coupling. Option D (Database per service) is wrong because it is a data management pattern that ensures each microservice has its own database to avoid tight coupling at the data layer, but it does not address communication resilience or asynchronous messaging between services.

37
MCQeasy

A small business wants to use a cloud service but has limited in-house IT expertise. Which cloud service model requires the least customer management responsibility?

D.FaaS
AnswerB

SaaS is fully managed; customer only uses the application.

Why this answer

SaaS (Software as a Service) delivers a complete application managed entirely by the cloud provider, so the customer only needs to use the software without managing underlying infrastructure, platforms, or runtime. For a small business with limited IT expertise, this model minimizes operational overhead because the provider handles maintenance, patching, and availability.

Exam trap

ISC2 often tests the misconception that PaaS requires less management than SaaS because candidates confuse 'platform management' with 'application management,' but PaaS still leaves the customer responsible for application code and its dependencies.

How to eliminate wrong answers

Option A is wrong because IaaS requires the customer to manage virtual machines, storage, and networking, which demands significant IT expertise for OS patching, security groups, and configuration. Option C is wrong because PaaS still requires the customer to manage application code, runtime settings, and sometimes database configurations, though the provider manages the underlying platform. Option D is wrong because FaaS (Function as a Service) involves writing and deploying individual functions, which still requires development skills and management of function triggers, dependencies, and scaling logic.

38
MCQhard

A financial services company is required to maintain audit trails of all user activities in its cloud environment for regulatory compliance. The company uses multiple cloud services and wants a centralized logging solution. The current architecture sends logs to a central storage bucket, but some logs are being lost due to high volume and insufficient throughput. Additionally, the logs must be immutable to prevent tampering. The company needs to ensure that all logs are captured and stored in a tamper-proof manner. Which of the following solutions BEST meets the requirements?

A.Configure the cloud provider's logging service to send logs to a dedicated bucket with versioning and object lock enabled, and set a high throughput.
B.Cache logs locally on each server and have a background job upload them to a bucket.
C.Use multiple log streams with different destinations and aggregate them using a third-party SIEM.
D.Use a message queue to decouple log generation from storage, and store logs in a bucket with immutability settings.
AnswerA

Correct: Versioning and object lock prevent modification; provider logging handles throughput.

Why this answer

Option A is correct because enabling Object Lock with retention modes (Governance or Compliance) on the cloud storage bucket ensures immutability, preventing log tampering. Versioning provides an additional safeguard by preserving all object versions, and configuring a high throughput setting (e.g., increasing the bucket's request rate limits or using a dedicated endpoint) addresses the log loss due to insufficient throughput.

Exam trap

The trap here is that candidates may choose Option D because a message queue addresses throughput, but they overlook that immutability must be enforced at the storage layer, not just by decoupling the pipeline.

How to eliminate wrong answers

Option B is wrong because caching logs locally and uploading via a background job introduces a single point of failure and potential data loss if the server crashes before upload, and it does not guarantee immutability at rest. Option C is wrong because using multiple log streams with different destinations and a third-party SIEM adds complexity and latency but does not inherently solve the throughput bottleneck or provide native immutability for the stored logs. Option D is wrong because while a message queue decouples log generation from storage and can help with throughput, it does not directly ensure immutability of the stored logs unless the storage bucket itself has immutability settings enabled; the question already requires a solution that ensures tamper-proof storage, and the message queue alone does not enforce that.

39
MCQeasy

A company is designing a multi-tier application in the cloud. The web tier must automatically scale based on CPU utilization, while the database tier should remain fixed to maintain data consistency. Which architectural pattern best meets these requirements?

A.Horizontal auto-scaling for the web tier and a fixed database tier
B.Manual scaling for both tiers
C.Vertical scaling of all tiers
D.Single-tier architecture with auto-scaling
AnswerA

This pattern separates stateless and stateful components appropriately.

Why this answer

Option A is correct because it separates the stateless web tier, which can safely scale horizontally using auto-scaling groups triggered by CPU utilization thresholds, from the stateful database tier, which must remain fixed to avoid consistency issues such as split-brain or replication lag. Horizontal scaling adds or removes identical web server instances without affecting session state, while a fixed database tier preserves ACID properties and prevents conflicts from concurrent writes across multiple database nodes.

Exam trap

ISC2 often tests the misconception that auto-scaling should apply uniformly to all tiers, but the trap here is that candidates forget the database tier requires stateful consistency and cannot scale horizontally without introducing eventual consistency or complex distributed transactions.

How to eliminate wrong answers

Option B is wrong because manual scaling for both tiers introduces operational overhead and cannot react dynamically to load changes, defeating the purpose of cloud elasticity. Option C is wrong because vertical scaling of all tiers (increasing instance size) has hard limits (maximum VM size) and does not address the need for the web tier to scale out; it also incorrectly scales the database tier, which should remain fixed. Option D is wrong because a single-tier architecture with auto-scaling collapses web and database functions into one layer, causing data consistency problems when multiple instances write to the same local storage and violating the multi-tier design requirement.

40
MCQhard

A financial services firm is designing a cloud environment that must comply with PCI DSS. The security architect proposes using a virtual private cloud (VPC) with subnets, security groups, and network ACLs. However, the compliance officer is concerned about the risk of data exposure due to misconfiguration. Which additional control would BEST address this concern?

A.Use a Web Application Firewall (WAF)
B.Implement a Security Information and Event Management (SIEM) system
C.Integrate Cloud Security Posture Management (CSPM)
D.Deploy Data Loss Prevention (DLP) tools
AnswerC

CSPM automates monitoring and remediation of misconfigurations.

Why this answer

CSPM tools continuously monitor cloud infrastructure configurations against compliance frameworks like PCI DSS, automatically detecting misconfigurations such as overly permissive security group rules or network ACLs that could expose cardholder data. This directly addresses the compliance officer's concern about data exposure due to misconfiguration by providing real-time visibility and remediation guidance, which is more proactive than the other options.

Exam trap

The trap here is that candidates often confuse CSPM with SIEM or DLP, thinking log analysis or data monitoring can catch configuration errors, but CSPM is the only tool specifically designed to audit and enforce cloud infrastructure configurations against compliance standards like PCI DSS.

How to eliminate wrong answers

Option A is wrong because a Web Application Firewall (WAF) protects against application-layer attacks (e.g., SQL injection, XSS) but does not detect or prevent misconfigurations in VPC subnets, security groups, or network ACLs. Option B is wrong because a Security Information and Event Management (SIEM) system aggregates and analyzes logs for threat detection and incident response, but it does not proactively scan cloud infrastructure for compliance misconfigurations or enforce security baselines. Option D is wrong because Data Loss Prevention (DLP) tools monitor and block sensitive data in transit or at rest, but they do not assess the underlying network or access control configurations that could lead to exposure.

41
Multi-Selecteasy

A company is implementing a hybrid cloud architecture. Which two components are essential for establishing a secure connection between on-premises and cloud environments? (Choose two.)

Select 2 answers
A.Direct connect or dedicated interconnect
B.Identity and access management (IAM)
C.Cloud access security broker (CASB)
D.Web application firewall (WAF)
E.Virtual private network (VPN) gateway
AnswersA, E

Direct connect provides a dedicated private network connection for low latency and security.

Why this answer

A Direct Connect or dedicated interconnect provides a private, dedicated network connection from on-premises to the cloud provider, bypassing the public internet for lower latency and more consistent bandwidth. A VPN gateway establishes an encrypted tunnel over the public internet using protocols like IPsec (IKEv2) to secure data in transit. Together, these two components form the essential hybrid connectivity layer: the dedicated circuit for primary, high-throughput traffic and the VPN as a secure backup or for lower-cost, lower-bandwidth needs.

Exam trap

The trap here is that candidates often confuse security controls (IAM, CASB, WAF) with network connectivity components, mistakenly thinking that any security tool is essential for hybrid cloud connectivity, when in fact only dedicated circuits and VPN gateways provide the actual secure link between environments.

42
MCQhard

An organization is designing a cloud application that must remain available even if an entire AWS availability zone fails. Which architecture pattern should they implement?

A.Single region with multiple AZs active-active
B.Single region with multiple AZs active-standby
C.Active-passive in a single region
D.Multi-region active-active
AnswerA

This pattern distributes workloads across AZs, ensuring continued availability if one AZ fails.

Why this answer

The correct architecture is a single region with multiple Availability Zones (AZs) in an active-active configuration. This ensures that if one AZ fails, the application continues to serve traffic from the remaining AZs without any manual intervention, as all AZs are actively handling requests. AWS Availability Zones are physically separate data centers within a region, and an active-active pattern distributes the workload across them to achieve high availability and fault tolerance.

Exam trap

ISC2 often tests the distinction between surviving an AZ failure versus a region failure, and the trap here is that candidates may overcomplicate the solution by choosing multi-region active-active, not realizing that a single region with multiple AZs is sufficient and more cost-effective for the given requirement.

How to eliminate wrong answers

Option B (Single region with multiple AZs active-standby) is wrong because it introduces a standby component that is not actively serving traffic, leading to potential downtime during failover and resource underutilization; the question requires continuous availability even during an AZ failure, which active-standby does not guarantee without a failover delay. Option C (Active-passive in a single region) is wrong because it typically relies on a single AZ for the active component, making it vulnerable to AZ failure, and the passive component requires manual or automated failover, which introduces downtime. Option D (Multi-region active-active) is wrong because while it provides high availability, it is over-engineered for the requirement of surviving a single AZ failure; it adds unnecessary complexity, latency, and cost, and the question specifically asks for an architecture that remains available if an entire AWS availability zone fails, not a full region failure.

43
Multi-Selecthard

A cloud architect is designing a multi-cloud solution that must maintain high availability and disaster recovery across two cloud providers. Which three key considerations should be included in the architecture? (Choose three.)

Select 3 answers
A.Rely on each provider's native high-availability features.
B.Use a single networking interface to simplify connectivity.
C.Use a single DNS provider for failover.
D.Implement consistent identity and access management across providers.
E.Ensure application code is cloud-agnostic.
AnswersA, D, E

Correct: Leverage provider capabilities within each region.

Why this answer

Option A is correct because relying on each provider's native high-availability features (e.g., AWS Auto Scaling and Multi-AZ deployments, Azure Availability Zones) allows the architecture to leverage built-in fault tolerance and automatic failover within each cloud. This avoids reinventing the wheel and ensures that each provider handles its own infrastructure failures, which is a foundational principle for multi-cloud HA/DR design.

Exam trap

ISC2 often tests the misconception that a single DNS provider or single network interface is acceptable for multi-cloud HA, when in reality these create critical single points of failure that violate the redundancy principle.

44
MCQmedium

What is the effective permission for a request coming from IP address 10.1.2.3?

A.Access allowed for all actions
B.Access denied due to explicit deny
C.Access allowed only for GetObject
D.Access denied because no explicit allow
AnswerC

The request IP matches the allow condition, so GetObject is allowed; other actions are implicitly denied.

Why this answer

The effective permission for a request from IP 10.1.2.3 is 'Access allowed only for GetObject' because the bucket policy includes an explicit allow for the s3:GetObject action when the source IP matches 10.1.2.3, and no explicit deny applies to that IP. Since there is no explicit deny for this specific request, the explicit allow grants access only to the GetObject action, not to other actions like PutObject or DeleteObject.

Exam trap

ISC2 often tests the misconception that an explicit allow for one action grants access to all actions, or that the absence of an explicit deny means full access, when in reality the default implicit deny restricts all other actions unless explicitly allowed.

How to eliminate wrong answers

Option A is wrong because an explicit allow for GetObject does not grant access for 'all actions'; AWS S3 bucket policies require explicit allow for each action, and other actions are implicitly denied. Option B is wrong because there is no explicit deny statement in the policy that matches the request from IP 10.1.2.3; explicit deny would override any allow, but it is not present here. Option D is wrong because there is an explicit allow for GetObject for that IP, so access is not denied due to 'no explicit allow'; the request is allowed for that specific action.

Ready to test yourself?

Try a timed practice session using only Cloud Concepts Design questions.