CCSP · topic practice

Cloud Concepts, Architecture and Design practice questions

Practise Certified Cloud Security Professional CCSP Cloud Concepts, Architecture and Design practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Cloud Concepts, Architecture and Design

What the exam tests

What to know about Cloud Concepts, Architecture and Design

Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

IaaS, PaaS and SaaS responsibilities and examples.

Public, private, hybrid and community cloud deployment models.

On-premises vs cloud trade-offs: cost, control, scalability.

How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.

Watch out for

Common Cloud Concepts, Architecture and Design exam traps

  • IaaS gives you infrastructure control; SaaS gives you only the application.
  • Hybrid cloud combines on-premises and public cloud — not two public clouds.
  • Cloud does not automatically mean cheaper or more secure.
  • Management responsibility shifts with each service model (IaaS → PaaS → SaaS).

Practice set

Cloud Concepts, Architecture and Design questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A healthcare organization is migrating sensitive patient data to a public cloud. The compliance team requires that data be encrypted at rest and in transit, and that the cloud provider cannot access the encryption keys. Which cloud service model should the organization use to maintain sole control over encryption keys?

Question 2 · easy · multiple choice

A company is designing a multi-tier application in the cloud. The web tier must automatically scale based on CPU utilization, while the database tier should remain fixed to maintain data consistency. Which architectural pattern best meets these requirements?

Question 3 · hard · multiple choice

A financial services firm is designing a cloud environment that must comply with PCI DSS. The security architect proposes using a virtual private cloud (VPC) with subnets, security groups, and network ACLs. However, the compliance officer is concerned about the risk of data exposure due to misconfiguration. Which additional control would BEST address this concern?

A cloud architect is tasked with designing a disaster recovery plan for a critical application. The recovery time objective (RTO) is 1 hour, and the recovery point objective (RPO) is 15 minutes. The application runs on IaaS with data stored in a relational database. Which replication strategy is MOST cost-effective while meeting the objectives?

Which THREE of the following are key characteristics of cloud computing as defined by NIST SP 800-145?

Refer to the exhibit. A security engineer is reviewing this S3 bucket policy. The bucket contains sensitive documents that should only be accessible from the internal network (10.0.0.0/24) and only over HTTPS. What is the most likely effect of this policy?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Question 7 · medium · multiple choice

Your company, a global e-commerce platform, operates on a multi-cloud environment with workloads in AWS and Azure. You are the lead cloud architect. The platform experiences peak traffic during promotional events, with traffic spikes up to 10x normal. The application is composed of microservices running in containers orchestrated by Kubernetes on both clouds. Each cloud provider's Kubernetes cluster uses cluster autoscaler and horizontal pod autoscaler. Recently, during a flash sale, the AWS cluster failed to scale adequately, causing latency spikes and timeouts. AWS support indicated that the cluster hit a service quota limit for EC2 instances. You need to prevent this from recurring. You have the following options:

A) Implement a multi-region deployment on AWS to distribute load.
B) Pre-warm the AWS environment by requesting a service quota increase and using a pod priority class to ensure critical pods scale first.
C) Migrate all workloads to Azure to simplify management.
D) Use a global load balancer to route traffic to the cloud with the most available capacity.

Which option is the best course of action?

Drag and drop the steps for performing a cloud migration using the 'lift and shift' strategy into the correct order.

Drag and drop the steps for implementing a data retention policy for cloud storage (e.g., Amazon S3) into the correct order.

Match each NIST SP 800-53 control family to its focus area.

Access Control

Audit and Accountability

System and Communications Protection

System and Information Integrity

Physical and Environmental Protection

Match each cloud auditing term to its definition.

Service organization control report for security

Assessment of cloud provider controls

Analysis of logs for incident investigation

Real-time assessment of security controls

A company is migrating to the cloud to reduce capital expenditures. They want to pay only for the resources they consume with no upfront investment. Which financial model does this describe?

A healthcare provider is subject to HIPAA regulations. They are planning to use a public cloud provider. Which design consideration is most important to ensure compliance?

Question 14 · hard · multiple choice

An organization is designing a cloud application that must remain available even if an entire AWS availability zone fails. Which architecture pattern should they implement?

A company wants to ensure that their cloud deployment has the highest level of isolation between tenants. Which deployment model is most appropriate?

Question 16 · medium · multiple choice

A developer is designing a microservices-based application in the cloud. They need to ensure communication between services is loosely coupled and resilient to failures. Which design pattern should they implement?

An auditor is reviewing a cloud provider's SOC 2 Type II report. Which aspect of the report is most relevant for assessing the effectiveness of controls over a period?

A cloud architect is designing a disaster recovery plan for a financial application with RTO of 15 minutes and RPO of 5 minutes. Which recovery strategy is most appropriate?

A small business wants to use a cloud service but has limited in-house IT expertise. Which cloud service model requires the least customer management responsibility?

During a cloud migration, a company decides to move a legacy application with no code changes. Which migration strategy are they using?

Frequently asked questions

What does the CCSP exam test about Cloud Concepts, Architecture and Design?
Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Cloud Concepts, Architecture and Design questions in a focused session?
Yes — the session launcher on this page draws every question from the Cloud Concepts, Architecture and Design domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CCSP topics?
Use the topic links above to move to related areas, or go back to the CCSP question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CCSP exam covers. They are not copied from any real exam or dump site.