CCNA Cloud Data Security Questions

75 of 120 questions · Page 1/2 · Cloud Data Security topic · Answers revealed

1
MCQ · hard

A multi-national corporation uses a cloud storage service to store files that are subject to data residency requirements. Data must remain within a specific geographic region. Which of the following controls provides the STRONGEST assurance that data does not leave the region?

A. Contractual clauses with the cloud provider
B. Implementing strict IAM policies to limit data access
C. Using the cloud provider's data residency policy with region-restricted storage buckets
D. Client-side encryption with keys managed on-premises
Answer: C

Technical enforcement provides strong assurance.

Why this answer

Option C is correct because using the cloud provider's data residency policy with region-restricted storage buckets enforces data at rest to be physically stored only in the specified geographic region. This is a technical control implemented at the infrastructure layer, ensuring that the cloud provider's storage service will not replicate or move data outside the designated region, providing the strongest assurance against data leaving the region.

Exam trap

ISC2 often tests the distinction between legal/administrative controls (contracts, IAM) and technical controls (region-restricted storage). Candidates mistakenly believe that encryption or access policies can enforce data residency, but only infrastructure-level location restrictions provide the strongest assurance.

How to eliminate wrong answers

Option A is wrong because contractual clauses are legal agreements that rely on trust and enforcement after a breach; they do not provide technical enforcement and cannot prevent accidental or malicious data movement. Option B is wrong because IAM policies control who can access data, not where data is stored or replicated; they do not restrict the geographic location of data. Option D is wrong because client-side encryption protects data confidentiality but does not control the physical storage location; encrypted data can still be stored or replicated in any region the cloud provider supports.

2
MCQ · hard

A financial institution is migrating sensitive transaction data to the cloud. They must comply with a regulation that requires data to be retained for 7 years, but also support immediate legal holds. The cloud storage service offers object lock with governance mode. What is the best practice to ensure compliance?

A. Use object lock in compliance mode with a 7-year retention period
B. Use object lock in governance mode with a 7-year retention period and grant legal hold permissions to authorized users
C. Apply a lifecycle policy to delete objects after 7 years and rely on backups
D. Encrypt all objects with a client-managed key and store deletion timestamps in a database
Answer: B

Governance mode allows users with special permissions to override for legal holds.

Why this answer

Option B is correct because governance mode allows authorized users to override retention settings for legal holds while still enforcing a 7-year minimum retention period. This balances compliance with the need for immediate legal holds, as users with appropriate permissions can place a legal hold on objects without extending the retention period for all data.

Exam trap

ISC2 often tests the distinction between governance mode and compliance mode, trapping candidates who assume compliance mode is always better for regulatory requirements without considering the need for legal hold flexibility.

How to eliminate wrong answers

Option A is wrong because compliance mode locks objects immutably and prevents any user, including cloud administrators, from shortening the retention period or removing legal holds, which would hinder the ability to support immediate legal holds that may require adjustments. Option C is wrong because lifecycle policies only manage deletion based on age and do not provide immutability or legal hold capabilities, risking data modification or deletion before the 7-year retention period ends. Option D is wrong because client-managed keys and deletion timestamps do not enforce retention or prevent data deletion; they only track when data should be deleted, leaving the data vulnerable to accidental or malicious deletion.

3
MCQ · easy

A healthcare organization is migrating to AWS and must protect electronic protected health information (ePHI) stored in S3. They use AWS KMS with a custom key policy that restricts key usage to specific IAM roles. The compliance team discovers that some S3 objects are encrypted with AWS managed keys (SSE-S3) instead of the required SSE-KMS using the custom key. The security architect needs to ensure all future uploads use the customer-managed KMS key. After implementing a bucket policy that denies s3:PutObject if the required encryption is not present, the development team reports that their existing automation scripts fail with access denied errors. The scripts use the AWS SDK and do not explicitly set encryption headers. The security architect must find a solution that enforces encryption with the custom key while minimizing disruption. Which course of action BEST resolves the issue?

A. Modify the bucket policy to use a Deny effect with a condition on the s3:x-amz-server-side-encryption-aws-kms-key-id header being null, and also enable S3 default encryption with the custom KMS key so that objects uploaded without explicit headers are automatically encrypted with the correct key.
B. Implement AWS Config rules to detect non-compliant objects and automatically re-encrypt them with the correct key, while keeping the bucket policy unchanged.
C. Remove the bucket policy and rely solely on S3 default encryption with the custom KMS key, because default encryption applies to all objects.
D. Create a new S3 bucket with the required policy and migrate all data using AWS DataSync, then delete the old bucket.
Answer: A

Correct: Default encryption catches objects without headers, and the bucket policy denies explicit mismatches, enforcing both backward compatibility and compliance.

Why this answer

Option A is correct because it combines a bucket policy that denies s3:PutObject when the s3:x-amz-server-side-encryption-aws-kms-key-id header is null (ensuring the custom KMS key ID is explicitly provided) with S3 default encryption configured to use the same custom KMS key. This dual approach ensures that even if the SDK scripts do not set encryption headers, the default encryption will automatically apply the required KMS key, making the policy condition pass and avoiding access denied errors. The Deny condition on the null header forces explicit encryption headers when they are set, while default encryption handles the case where no headers are provided, thus enforcing compliance without breaking existing automation.

Exam trap

ISC2 often tests the misconception that S3 default encryption alone is sufficient to enforce encryption compliance, but the trap here is that default encryption does not prevent explicit overrides, so a bucket policy with a Deny condition is still needed to block non-compliant uploads.

How to eliminate wrong answers

Option B is wrong because AWS Config rules are reactive and can only detect and remediate non-compliant objects after they are uploaded; they do not prevent the initial upload failure caused by the bucket policy, so the access denied errors would still occur. Option C is wrong because relying solely on S3 default encryption without a bucket policy does not enforce that all uploads use the custom KMS key; a user or script could still override the default encryption by explicitly specifying SSE-S3 or another key, leading to non-compliant objects. Option D is wrong because migrating to a new bucket with AWS DataSync is unnecessarily disruptive, does not address the root cause of the automation scripts not setting encryption headers, and would still require a similar policy and default encryption setup on the new bucket.
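As an added example that is not part of the original question bank, the two controls from the correct answer written as boto3-ready documents (a put_bucket_policy document and a put_bucket_encryption configuration), plus a small evaluator that shows which Deny statement a PutObject request trips. The bucket name, account ID and key ARN are placeholders.

```python
# Added example (not from the question bank). Builds the bucket policy
# and default-encryption configuration from option A and evaluates the
# policy's two Deny conditions against sample PutObject request headers.
import json
from typing import Optional

BUCKET = "example-ephi-bucket"  # placeholder bucket name
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
               "00000000-0000-0000-0000-000000000000")  # placeholder key ARN
KEY_HEADER = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def bucket_policy(bucket: str, key_arn: str) -> dict:
    """Deny s3:PutObject when the KMS key-id header is absent (Null) or
    names a key other than ours (StringNotEquals). Two statements keep
    each condition single-key; keys inside one operator would be ANDed."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyMissingKmsKeyHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"Null": {KEY_HEADER: "true"}},
            },
            {
                "Sid": "DenyWrongKmsKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {KEY_HEADER: key_arn}},
            },
        ],
    }


def default_encryption(key_arn: str) -> dict:
    """ServerSideEncryptionConfiguration for put_bucket_encryption: uploads
    that carry no encryption headers get SSE-KMS with the custom key."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": key_arn,
        },
        "BucketKeyEnabled": True,  # cache data keys, fewer KMS calls
    }]}


def denied_by(policy: dict, request_headers: dict) -> Optional[str]:
    """Return the Sid of the first matching Deny statement, or None.
    Models only the two operators used above, with IAM semantics:
    Null:"true" matches a missing key, and StringNotEquals is true
    when the key is missing or its value differs."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt["Condition"]
        for key, want_missing in cond.get("Null", {}).items():
            if (want_missing == "true") == (key not in request_headers):
                return stmt["Sid"]
        for key, value in cond.get("StringNotEquals", {}).items():
            if request_headers.get(key) != value:
                return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = bucket_policy(BUCKET, KMS_KEY_ARN)
    print(json.dumps(policy, indent=2))
    print(json.dumps(default_encryption(KMS_KEY_ARN), indent=2))
    samples = {
        "no headers (SDK default)": {},
        "wrong key": {KEY_HEADER: KMS_KEY_ARN.replace("0000", "ffff", 1)},
        "custom key": {KEY_HEADER: KMS_KEY_ARN},
    }
    for label, headers in samples.items():
        print(f"{label}: {denied_by(policy, headers) or 'not denied by policy'}")
```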

4
Multi-Select · medium

A company's cloud security policy mandates strict control over encryption keys used for data at rest. Which THREE practices are recommended for secure key management in the cloud?

Select 3 answers
A. Rotate encryption keys on a regular schedule.
B. Use a single master key for all encryption operations.
C. Store keys in the same cloud region as the data to reduce latency.
D. Store keys in a separate account from the data storage.
E. Use a hardware security module (HSM) to generate and protect keys.
Answers: A, D, E

Limits the amount of data exposed if a key is compromised.

Why this answer

Option A is correct because regular key rotation limits the window of exposure if a key is compromised and aligns with cryptographic best practices (e.g., NIST SP 800-57). In cloud environments, automated rotation policies (e.g., AWS KMS automatic yearly rotation or manual rotation for customer-managed keys) ensure that even if an attacker obtains an old key, it cannot decrypt current data.

Exam trap

ISC2 often tests the misconception that storing keys in the same region as data is acceptable for performance, but the CCSP emphasizes that security controls (like geographic separation) override minor latency concerns in key management.

5
Multi-Select · hard

Which THREE of the following are effective data sanitization methods for cloud environments?

Select 3 answers
A. Degaussing magnetic media
B. Truncating database tables
C. Cryptographic erasure
D. Overwriting with multiple patterns
E. Formatting storage volumes
Answers: A, C, D

Degaussing disrupts magnetic fields.

Why this answer

Degaussing (A) is effective because it uses a strong magnetic field to completely randomize the magnetic domains on hard disk drives (HDDs), rendering all stored data unrecoverable even with advanced forensic tools. This method is approved for the highest security classifications (e.g., NSA/CSS Policy Manual 9-12) but physically destroys the media's ability to store data, making it suitable only for end-of-life disposal.

Exam trap

ISC2 often tests the misconception that logical operations like truncation or formatting are sufficient for data sanitization, when in reality they leave data intact at the physical storage layer and require cryptographic erasure or overwriting to meet compliance standards like PCI DSS or HIPAA.
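An added illustration of the point above, not part of the original question bank: a toy block store stands in for a disk whose blocks persist until overwritten, a demo HMAC-SHA256 counter-mode keystream stands in for AES, and the volume key stands in for a KMS-wrapped data encryption key. It shows that a format or truncate leaves the secret on the medium, while overwriting (option D) and cryptographic erasure (option C) do not.

```python
# Added example (not from the question bank). The cipher below is a
# demonstration construction only, not a production cipher.
import hashlib
import hmac
import os
from typing import Dict, Optional


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demo PRF cipher: XOR data with HMAC(key, nonce||counter) blocks.
    The same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + (off // 32).to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


class BlockStore:
    """Toy volume: a directory (name -> block id) plus raw blocks."""
    def __init__(self) -> None:
        self.directory: Dict[str, int] = {}
        self.blocks: Dict[int, bytes] = {}

    def write(self, name: str, data: bytes) -> None:
        self.blocks[len(self.blocks)] = data
        self.directory[name] = len(self.blocks) - 1

    def quick_format(self) -> None:
        """Format / TRUNCATE: the index goes, block contents stay."""
        self.directory.clear()

    def overwrite(self, patterns: bytes = b"\x00\xff\x55") -> None:
        """Option D: overwrite every block with each pattern in turn."""
        for pattern in patterns:
            for block_id, data in self.blocks.items():
                self.blocks[block_id] = bytes([pattern]) * len(data)

    def raw_dump(self) -> bytes:
        """What a forensic read of the medium returns."""
        return b"".join(self.blocks.values())


class EncryptedVolume:
    """Everything written through here is encrypted under one key."""
    def __init__(self) -> None:
        self.store = BlockStore()
        self.key: Optional[bytes] = os.urandom(32)

    def write(self, name: str, plaintext: bytes) -> None:
        if self.key is None:
            raise RuntimeError("volume key destroyed")
        nonce = os.urandom(16)  # fresh per block, stored in front of it
        self.store.write(name, nonce + keystream_xor(self.key, nonce, plaintext))

    def read(self, name: str) -> bytes:
        if self.key is None:
            raise RuntimeError("volume key destroyed")
        raw = self.store.blocks[self.store.directory[name]]
        return keystream_xor(self.key, raw[:16], raw[16:])

    def crypto_erase(self) -> None:
        """Option C: destroy the key; the ciphertext stays but is useless."""
        self.key = None


def secret_survives_format(secret: bytes) -> bool:
    vol = BlockStore()
    vol.write("cards.csv", secret)
    vol.quick_format()
    return secret in vol.raw_dump()  # True: still on the medium


def secret_survives_overwrite(secret: bytes) -> bool:
    vol = BlockStore()
    vol.write("cards.csv", secret)
    vol.overwrite()
    return secret in vol.raw_dump()  # False


def secret_survives_crypto_erase(secret: bytes) -> bool:
    vol = EncryptedVolume()
    vol.write("cards.csv", secret)
    assert vol.read("cards.csv") == secret  # readable while the key exists
    vol.crypto_erase()
    try:
        vol.read("cards.csv")
        via_api = True
    except RuntimeError:
        via_api = False
    return via_api or secret in vol.store.raw_dump()  # False


if __name__ == "__main__":
    sample = b"PAN=4111111111111111;exp=12/29"  # constructed test record
    print("format:      ", secret_survives_format(sample))
    print("overwrite:   ", secret_survives_overwrite(sample))
    print("crypto erase:", secret_survives_crypto_erase(sample))
```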

6
Multi-Select · easy

A cloud architect is designing a data classification scheme for a financial services firm. The data includes public marketing materials, internal emails, customer account numbers, and credit card information. Which two data categories should be classified as 'restricted' under PCI DSS and other regulations?

Select 2 answers
A. Public marketing materials
B. Credit card information
C. Internal emails
D. Customer account numbers
Answers: B, D

Correct: Credit card information is subject to PCI DSS and must be classified as restricted.

Why this answer

Credit card information (Option B) is classified as 'restricted' because PCI DSS explicitly mandates strict controls for cardholder data, including primary account numbers (PANs), expiration dates, and CVV codes. This data requires encryption at rest and in transit, access controls, and regular security audits to comply with the Payment Card Industry Data Security Standard.

Exam trap

ISC2 often tests the misconception that all internal communications (like emails) are automatically 'restricted' under PCI DSS, when in fact only data containing specific regulated elements (e.g., PANs, SAD) qualifies for that classification.

7
MCQ · easy

An analyst receives the above error when trying to download a file from an S3 bucket. The bucket policy and user permissions appear correct. What is the most likely cause?

A. The object is encrypted with SSE-S3, which requires additional grants
B. The bucket is configured to block all public access
C. The bucket policy denies all s3:GetObject actions
D. The user lacks permission to decrypt the object using the KMS key
Answer: D

The error indicates missing KMS decrypt permission.

Why this answer

When an S3 object is encrypted with a customer-managed KMS key (SSE-KMS), the s3:GetObject API call requires the user to have both s3:GetObject permission on the bucket policy and kms:Decrypt permission on the specific KMS key. Even if the bucket policy and user IAM permissions appear correct for S3 actions, the absence of the KMS decrypt grant will cause an access denied error. This is a common misconfiguration because the error message does not explicitly mention KMS, leading analysts to overlook the key permission.

Exam trap

ISC2 often tests the misconception that S3 bucket policies and IAM permissions alone control access to encrypted objects, ignoring the separate KMS permission layer required for SSE-KMS encrypted objects.

How to eliminate wrong answers

Option A is wrong because SSE-S3 (AES-256) uses server-side encryption with Amazon S3-managed keys, which do not require any additional grants or KMS permissions; the error would not occur due to missing grants. Option B is wrong because if the bucket were configured to block all public access, the error would typically be a 403 Access Denied, but the scenario states the bucket policy and user permissions appear correct, implying the bucket is not blocking all access. Option C is wrong because if the bucket policy denied all s3:GetObject actions, the user would consistently fail to download any object, but the analyst would likely see a different error or the policy would be obviously incorrect; the question states the policy 'appears correct,' so a blanket deny is not the most likely cause.

8
MCQ · easy

A company is migrating its customer database to a cloud object storage service. The database contains personally identifiable information (PII). The security team requires that all data be encrypted at rest and that the company retains exclusive control over the encryption keys. Which solution BEST meets these requirements?

A. Use server-side encryption with cloud provider-managed keys (SSE-S3).
B. Use SSL/TLS encryption for data in transit only.
C. Use client-side encryption with customer-managed keys stored on-premises.
D. Use server-side encryption with customer-provided keys (SSE-C).
Answer: C

Keys never leave the company; exclusive control maintained.

Why this answer

Option C is correct because client-side encryption with customer-managed keys stored on-premises ensures that the encryption keys never leave the company's control, and the data is encrypted before it is uploaded to the cloud object storage service. This satisfies both the requirement for encryption at rest and exclusive key control, as the cloud provider never has access to the plaintext keys or the ability to decrypt the data.

Exam trap

The trap here is that candidates often confuse SSE-C with client-side encryption, assuming that providing your own key to the server (SSE-C) gives you exclusive control. In SSE-C the cloud provider still performs the encryption and decryption and may hold the key in memory while doing so, whereas with client-side encryption the provider never sees the key at all.

How to eliminate wrong answers

Option A is wrong because server-side encryption with cloud provider-managed keys (SSE-S3) means the cloud provider generates, manages, and stores the encryption keys, giving the provider potential access to the keys and violating the requirement for exclusive customer control. Option B is wrong because SSL/TLS encryption only protects data in transit between the client and the cloud service; it does not provide encryption at rest for the stored database, so it fails the core requirement. Option D is wrong because server-side encryption with customer-provided keys (SSE-C) still involves the cloud provider performing the encryption and decryption operations using keys supplied by the customer, meaning the provider has temporary access to the keys in memory during operations, which does not meet the requirement for exclusive customer control over the keys.

9
MCQ · hard

A developer receives the above error when trying to encrypt an object using a customer-managed KMS key. What is the MOST likely cause?

A. The KMS key policy does not grant encrypt permission to the user
B. The S3 bucket policy denies KMS actions
C. The user is not in the same region as the key
D. The KMS key is disabled
Answer: A

Key policy controls who can use the key.

Why this answer

The error indicates the user lacks permission to encrypt with the specified KMS key. Since the key is customer-managed, its key policy must explicitly grant the `kms:Encrypt` action to the user or role. Without this permission, AWS KMS denies the request, even if the user has other IAM permissions.

Exam trap

ISC2 often tests the distinction between key policies and IAM policies, trapping candidates who assume IAM permissions alone are sufficient for KMS operations.

How to eliminate wrong answers

Option B is wrong because S3 bucket policies control access to S3 objects, not KMS encryption actions; KMS permissions are governed by key policies and IAM policies, not S3 bucket policies. Option C is wrong because KMS keys are regional resources, but a user can call KMS from any region as long as they specify the correct key ARN and have permissions; the error is not region-related. Option D is wrong because a disabled key would return a `DisabledException` or `KMSInvalidStateException`, not a generic access denied error.

10
MCQ · easy

A cloud security architect is designing a key management strategy for a multi-cloud environment. Which of the following is a BEST practice for key management?

A. Use the same key for all data to simplify rotation
B. Store keys in each cloud provider's native KMS separately
C. Embed keys in application code for simplicity
D. Use a centralized key management system that integrates with all clouds
Answer: D

Centralized management ensures consistency and simplifies compliance.

Why this answer

Option D is correct because a centralized key management system (KMS) that integrates with all cloud providers enables consistent key lifecycle management, reduces the risk of key sprawl, and ensures uniform access control policies across a multi-cloud environment. This approach aligns with the principle of separation of duties and allows for centralized auditing and rotation without vendor lock-in.

Exam trap

ISC2 often tests the misconception that using each cloud provider's native KMS separately is a best practice for multi-cloud, but the trap is that this ignores the need for centralized control, auditability, and cross-cloud interoperability, which are critical for enterprise security.

How to eliminate wrong answers

Option A is wrong because using the same key for all data violates the cryptographic isolation principle; if that single key is compromised, all data is exposed, and rotation becomes a massive operational burden. Option B is wrong because storing keys separately in each cloud provider's native KMS creates fragmented key management, increases complexity for cross-cloud data sharing, and makes consistent policy enforcement nearly impossible. Option C is wrong because embedding keys in application code is a severe security violation; keys can be extracted from code repositories, logs, or decompiled binaries, directly contradicting the NIST SP 800-57 recommendation to never store keys in plaintext or in code.

11
MCQ · medium

An organization uses a cloud database service and needs to protect data at rest. They enable Transparent Data Encryption (TDE) with a customer-managed key stored in the cloud provider's key management service. Which additional control should they implement to ensure the key cannot be used by unauthorized personnel?

A. Enable SSL/TLS for all database connections
B. Enable audit logging on key management operations
C. Implement key rotation with a short rotation interval
D. Disable automatic key rotation and rely on manual rotation
Answer: C

Regular key rotation limits the impact of a compromised key.

Why this answer

Option C is correct because implementing key rotation with a short interval ensures that even if a customer-managed key is compromised or accessed by unauthorized personnel, the window of exposure is minimized. TDE with a customer-managed key in a cloud KMS relies on the key's secrecy; frequent rotation invalidates older key material, reducing the risk of long-term unauthorized decryption of data at rest.

Exam trap

ISC2 often tests the distinction between preventive and detective controls, and candidates mistakenly choose audit logging (Option B) thinking it prevents unauthorized use, when it only records it after the fact.

How to eliminate wrong answers

Option A is wrong because SSL/TLS protects data in transit between clients and the database, not data at rest or the key used for TDE; it does not prevent unauthorized use of the key stored in the KMS. Option B is wrong because audit logging on key management operations is a detective control that records unauthorized access attempts after they occur, but does not prevent the key from being used by unauthorized personnel. Option D is wrong because disabling automatic key rotation and relying on manual rotation increases the risk of human error and delays in key refresh, leaving the key vulnerable for longer periods and failing to ensure it cannot be used by unauthorized personnel.

12
MCQ · medium

A company uses a cloud-based data loss prevention (DLP) tool to monitor data access. They notice that a user is bypassing DLP by accessing data directly via cloud APIs from a non-corporate device. What is the most effective way to prevent this?

A. Deploy a virtual private network (VPN) and require all API traffic to originate from within the VPN
B. Configure the cloud service to require all API requests to go through a proxy that enforces DLP
C. Implement a conditional access policy to block non-corporate devices
D. Use tokenization to replace sensitive data before allowing API access
Answer: B

Forces all API traffic through a proxy that can apply DLP rules.

Why this answer

Option B is correct because routing all API traffic through a proxy that enforces DLP ensures that every API request is inspected for sensitive data before reaching the cloud service. This approach closes the gap where a user bypasses the DLP tool by accessing data directly via cloud APIs from a non-corporate device, as the proxy acts as a mandatory intermediary that can apply content inspection, policy enforcement, and logging regardless of the device or network.

Exam trap

ISC2 often tests the misconception that network-level controls like VPNs or device-based conditional access are sufficient to prevent data exfiltration via APIs, when in fact only content-aware inspection at the API layer can enforce DLP on the actual data being transferred.

How to eliminate wrong answers

Option A is wrong because a VPN only encrypts traffic and provides a corporate IP address; it does not inspect API payloads for sensitive data, so DLP policies are not enforced on the content of API requests. Option C is wrong because blocking non-corporate devices via conditional access does not prevent the user from accessing data from a corporate device that is compromised or from using a different method to bypass DLP; it also does not address the core issue of API-level data exfiltration. Option D is wrong because tokenization replaces sensitive data with tokens, but if the user already has access to the original sensitive data via API calls, tokenization does not prevent them from retrieving the actual data; it is a data masking technique, not a DLP enforcement mechanism for API traffic.

13
MCQ · hard

A multinational financial services company uses a hybrid cloud environment with workloads in AWS and Azure. They recently acquired a smaller firm and must integrate their data while maintaining compliance with GDPR and PCI DSS. The acquired firm stores customer payment data in an on-premises Oracle database and wants to migrate it to the cloud. During the migration, they must ensure that the data is encrypted at all times—at rest, in transit, and during processing. The security team has implemented TLS for data in transit and plans to use cloud-native encryption for at-rest data. However, they are concerned about data being processed in memory or temporary storage. They also need to maintain key separation so that the cloud provider cannot access the encryption keys. The CISO wants to implement a solution that minimizes performance impact while meeting compliance requirements. Which of the following is the BEST course of action?

A. Use the cloud provider's native KMS with automatic key rotation and rely on encryption at rest.
B. Implement a cloud-based HSM (Hardware Security Module) for key management and use confidential computing for processing.
C. Encrypt data with client-side encryption before upload and store keys in the cloud KMS.
D. Use tokenization for all sensitive data and store tokens in a separate cloud database.
Answer: B

HSM provides key separation; confidential computing protects data in use.

Why this answer

Option B is correct because it addresses the requirement for data to be encrypted during processing (in memory) via confidential computing, which uses hardware-based trusted execution environments (TEEs) to protect data in use. A cloud-based HSM ensures key separation by keeping encryption keys under the customer's exclusive control, preventing the cloud provider from accessing them, and minimizes performance impact compared to software-based encryption.

Exam trap

ISC2 often tests the misconception that encryption at rest and in transit is sufficient for compliance, ignoring the requirement for data to be protected during processing, and that cloud KMS alone provides key separation when it does not prevent provider access to keys.

How to eliminate wrong answers

Option A is wrong because relying solely on cloud-native KMS and encryption at rest does not protect data during processing (in memory or temporary storage), and the cloud provider may have access to the keys, violating key separation. Option C is wrong because storing keys in the cloud KMS still gives the provider potential access to the keys, failing key separation, and client-side encryption does not protect data during processing. Option D is wrong because tokenization replaces sensitive data with tokens but does not encrypt the data during processing; the original data must still be processed somewhere, and storing tokens in a separate cloud database does not address in-memory protection or key separation.

14
MCQ · easy

A cloud security team is implementing a key management system for encrypting data in a multi-cloud environment. They need to ensure that keys are available even if one cloud provider experiences an outage. What is the BEST approach?

A. Implement a multi-cloud key management system that replicates keys across providers
B. Use a single cloud provider's key management service
C. Store encryption keys in the same storage as encrypted data
D. Use hardware security modules (HSMs) in one data center
Answer: A

Replication ensures availability.

Why this answer

Option A is correct because a multi-cloud key management system that replicates keys across providers ensures high availability and fault tolerance. If one cloud provider experiences an outage, the keys remain accessible from another provider, preventing data decryption failures. This approach aligns with the principle of avoiding a single point of failure in key distribution, which is critical for maintaining continuous data access in a multi-cloud architecture.

Exam trap

ISC2 often tests the misconception that storing keys with data or using a single provider's KMS is acceptable for availability, but the trap here is that candidates overlook the need for geographic and provider-level redundancy to ensure continuous key access during an outage.

How to eliminate wrong answers

Option B is wrong because using a single cloud provider's key management service creates a single point of failure; if that provider experiences an outage, all keys become unavailable, blocking access to encrypted data. Option C is wrong because storing encryption keys in the same storage as encrypted data violates the fundamental security principle of separation of duties and key management best practices, as an attacker who compromises the storage can access both the ciphertext and the keys. Option D is wrong because using hardware security modules (HSMs) in one data center still presents a single point of failure; if that data center goes offline, keys are inaccessible, and this approach does not address multi-cloud availability requirements.

15
MCQ · medium

A company uses a cloud-based file sharing service and wants to prevent sensitive data from being shared externally. Which cloud data security capability is most appropriate?

A. Inspecting data in use within applications
B. Monitoring network traffic for data exfiltration
C. Scanning data at rest in cloud storage with DLP
D. Encrypting data in transit
Answer: C

DLP scanning identifies sensitive data and can enforce policies to block external sharing.

Why this answer

Option C is correct because Data Loss Prevention (DLP) scanning of data at rest in cloud storage directly identifies and blocks sensitive content (e.g., PII, PCI-DSS data) stored in files before it can be shared externally. This capability is purpose-built for preventing unauthorized sharing by inspecting the actual content of files in the cloud repository, such as Amazon S3 or Azure Blob Storage, using pattern matching and fingerprinting.

Exam trap

ISC2 often tests the distinction between preventive controls (DLP at rest) and detective/monitoring controls (network traffic analysis), leading candidates to choose network monitoring because it sounds like 'data exfiltration prevention' but fails to address the sharing action itself.

How to eliminate wrong answers

Option A is wrong because inspecting data in use within applications (e.g., via runtime application self-protection) focuses on protecting data while it is being processed in memory, not on preventing external sharing of stored files. Option B is wrong because monitoring network traffic for data exfiltration (e.g., via network DLP or IDS/IPS) detects data leaving the network after it has been shared, but does not prevent the initial sharing action at the storage layer. Option D is wrong because encrypting data in transit (e.g., TLS 1.3) protects data during transmission but does not prevent authorized users from sharing encrypted files externally or control access to the stored content.

16
MCQ · easy

A development team is working with production-like data in a non-production cloud environment. To comply with data privacy regulations, sensitive fields must be obscured without being retrievable. Which technique should they apply?

A. Format-preserving encryption
B. Reversible masking
C. Irreversible masking
D. Tokenization
Answer: C

Irreversible masking prevents reconstruction.

Why this answer

Irreversible masking (C) is correct because it transforms sensitive data into a non-reversible format, ensuring that the original values cannot be retrieved. This meets the requirement of obscuring production-like data in a non-production environment while complying with data privacy regulations that prohibit reversible transformations. Unlike encryption or tokenization, irreversible masking does not provide any decryption or mapping mechanism, making it suitable for scenarios where data must be permanently de-identified.

Exam trap

ISC2 often tests the distinction between reversible and irreversible data protection methods, and the trap here is that candidates confuse 'masking' (which can be reversible or irreversible) with 'encryption' or 'tokenization,' assuming any transformation that hides data is sufficient, without recognizing the critical requirement of non-retrievability.

How to eliminate wrong answers

Option A is wrong because format-preserving encryption (FPE) is a reversible cryptographic technique that allows the original data to be recovered with the correct key, which violates the requirement that sensitive fields must be obscured without being retrievable. Option B is wrong because reversible masking, by definition, includes a method to restore the original data (e.g., via a lookup table or deterministic algorithm), which does not satisfy the 'not retrievable' condition. Option D is wrong because tokenization replaces sensitive data with a token that is mapped back to the original value in a secure vault, providing reversibility and thus failing the requirement for irreversible obscuration.

17
MCQhard

A healthcare organization uses a cloud-based electronic health record (EHR) system that stores protected health information (PHI). They recently enabled direct API access for a new mobile application. Shortly after, the security team detected that a large volume of PHI was being exfiltrated through the API by an attacker who obtained valid API keys from a compromised developer workstation. The organization has data loss prevention (DLP) tools but they were not inspecting API traffic. The EHR system supports attribute-based access control (ABAC) and has logging for all API calls. The organization needs to prevent similar incidents while maintaining the functionality of the mobile app. Which course of action should be taken first?

A.Rotate all API keys and implement key management best practices such as regular rotation and short-lived keys
B.Enable DLP on API gateway to inspect outgoing data
C.Restrict API access to specific IP addresses used by the mobile app's backend
D.Implement ABAC policies to limit which data each API key can access
AnswerA

Stops current exfiltration and reduces future risk.

Why this answer

The immediate priority is to revoke the compromised API keys and prevent further unauthorized access. Rotating all keys and implementing key management best practices, such as short-lived keys and regular rotation, directly addresses the root cause—the attacker's possession of valid keys from a compromised workstation. This action stops the exfiltration immediately while preserving the mobile app's functionality, as new keys can be issued to legitimate clients.

Exam trap

The trap here is that candidates often choose a long-term preventive control (like DLP or ABAC) first, failing to recognize that the immediate, critical step is to invalidate the compromised credentials to stop the active breach.

How to eliminate wrong answers

Option B is wrong because enabling DLP on the API gateway is a detective control that would inspect outgoing data but does not stop the ongoing exfiltration using already compromised keys; it also requires time to configure and tune, leaving the attack active. Option C is wrong because restricting API access to specific IP addresses used by the mobile app's backend is ineffective if the attacker can spoof those IPs or if the mobile app communicates directly from user devices with dynamic IPs, and it does not address the compromised key issue. Option D is wrong because implementing ABAC policies to limit data access per API key is a preventive measure that should be applied after key rotation, but it does not revoke the already stolen keys, so the attacker can continue exfiltration until the keys are invalidated.

18
MCQmedium

A security team is implementing Data Loss Prevention (DLP) for a SaaS application that stores customer PII. They want to detect when sensitive data is shared externally via email. Which is the best approach?

A.Implement database DLP to monitor queries to the PII database
B.Install endpoint DLP agents on all user devices
C.Use the SaaS application's API DLP rules to scan email content and attachments
D.Deploy network DLP at the cloud provider's network perimeter
AnswerC

Content-based scanning effectively detects sensitive data.

Why this answer

Option C is correct because content-based DLP scanning of email content and attachments through the SaaS application's API is the standard way to detect sensitive data being shared externally. Option D is wrong because network DLP at the cloud provider's perimeter cannot inspect encrypted email traffic. Option B is wrong because endpoint DLP agents on user devices are not effective for cloud-hosted email. Option A is wrong because database DLP monitors structured data at rest, not email.

19
MCQhard

An organization is migrating a legacy application to the cloud and must comply with PCI DSS. The application currently logs credit card numbers in plaintext. Which data security control should be implemented FIRST?

A.Implement tokenization for credit card numbers
B.Deploy a data loss prevention (DLP) solution
C.Encrypt the database at rest
D.Perform data discovery and classification
AnswerD

First step is to find and classify sensitive data to understand scope.

Why this answer

Before any remediation can be applied, the organization must first perform data discovery and classification to locate where all credit card numbers (PANs) are stored, including logs, databases, and backups. PCI DSS Requirement 3.1 mandates that cardholder data be identified and classified before implementing controls like tokenization or encryption. Without discovery, subsequent controls may miss critical data stores, leaving plaintext PANs exposed.

Exam trap

ISC2 often tests the principle that security controls must be preceded by a discovery and classification phase, trapping candidates who jump to a technical solution like encryption or tokenization without first understanding the full scope of data exposure.

How to eliminate wrong answers

Option A is wrong because tokenization is a remediation step that cannot be correctly applied until the organization knows where all PANs reside; implementing it first risks missing data in logs or other unindexed locations. Option B is wrong because deploying a DLP solution without first discovering and classifying the data would result in poorly tuned policies that may fail to detect PANs in legacy log formats or generate excessive false positives. Option C is wrong because encrypting the database at rest does not address PANs stored in plaintext logs, application memory, or backup files, and PCI DSS requires protection of cardholder data wherever it exists, not just in the database.

20
MCQeasy

A company must ensure that cloud storage data is retained even if authorized users attempt to delete it, to comply with a legal hold. Which configuration is most effective?

A.Implement data classification labels
B.Enable immutable storage (WORM) on the bucket
C.Enable versioning on the storage bucket
D.Encrypt data with customer-managed keys
AnswerB

Immutable storage prevents any deletion or overwrite until hold expires.

Why this answer

Immutable storage (WORM) on a bucket prevents any object from being deleted or overwritten for a specified retention period, even by authorized users or the root account. This directly enforces legal hold requirements by making data tamper-proof and deletion-proof at the storage layer, regardless of user permissions.

Exam trap

ISC2 often tests the misconception that versioning alone provides legal hold protection, but versioning only preserves previous versions and does not block deletion of the current version or all versions via a lifecycle policy.

How to eliminate wrong answers

Option A is wrong because data classification labels only tag data with metadata (e.g., sensitivity level) but do not enforce any retention or deletion prevention; they are a governance tool, not a technical control. Option C is wrong because versioning retains overwritten or deleted object versions but still allows deletion of the current version and does not prevent permanent deletion of all versions; it is not a legal hold mechanism. Option D is wrong because encryption with customer-managed keys protects data confidentiality but does not prevent deletion of the encrypted objects; the storage system can still delete the ciphertext and keys.

21
MCQhard

A financial institution uses a cloud-based data warehouse to store customer transaction records. They must comply with a regulation that requires deletion of data after 7 years. Which approach should they use to ensure data is irrecoverably destroyed?

A.Overwrite the data with multiple patterns of zeros and ones
B.Encrypt the data and then destroy the encryption keys (cryptographic erasure)
C.Tokenize the data and retain the token mapping
D.Delete the data using the cloud provider's API and remove pointers
AnswerB

Cryptographic erasure renders data unreadable without keys.

Why this answer

Cryptographic erasure (Option B) is the correct approach because it renders the encrypted data irrecoverable by securely destroying the encryption keys, making the ciphertext permanently undecipherable. This method is recognized by standards like NIST SP 800-88 as an effective sanitization technique for data at rest, especially in cloud environments where physical access to storage media is unavailable. It ensures compliance with the 7-year deletion requirement without needing to overwrite or physically destroy the underlying cloud storage.

Exam trap

ISC2 often tests the misconception that simply deleting data via the cloud provider's API or overwriting data is sufficient for irrecoverable destruction, but the trap is that cloud storage systems maintain multiple copies, snapshots, and version histories that are not addressed by these methods, making cryptographic erasure the only practical option for compliance.

How to eliminate wrong answers

Option A is wrong because overwriting data with multiple patterns of zeros and ones (e.g., DoD 5220.22-M) is impractical in a cloud data warehouse where data is stored on distributed, shared, and often versioned storage systems; the cloud provider may retain snapshots, replicas, or previous versions that are not overwritten, leaving residual data recoverable. Option C is wrong because tokenization replaces sensitive data with tokens but retains the token mapping, which does not destroy the original data; the mapping can be reversed, and the original data remains stored elsewhere, failing to achieve irrecoverable deletion. Option D is wrong because deleting data via the cloud provider's API and removing pointers only removes logical references; the underlying data blocks remain on physical media and can be recovered through forensic techniques or provider-side snapshots, making it insufficient for compliance with irrecoverable destruction requirements.

22
MCQmedium

An administrator configured the above key policy for a KMS key used to encrypt S3 backup data. The backup role 'BackupRole' is in the same account. However, when the backup service attempts to use the key to decrypt objects, the operation fails. What is the most likely cause?

A.The principal ARN is incorrect because the role name contains uppercase letters
B.The 'kms:ViaService' condition restricts calls to those originating from S3, but the backup service uses direct KMS API
C.The key policy requires a grant token that is not being provided
D.The action list does not include 'kms:Decrypt' for S3
AnswerB

The condition prevents direct KMS calls.

Why this answer

The 'kms:ViaService' condition key restricts KMS API calls to those that originate from a specific AWS service, in this case S3. However, the backup service is likely making direct KMS API calls (e.g., Decrypt) rather than having S3 proxy the request, so the condition fails. The key policy explicitly denies access unless the call comes via S3, which is why decryption fails.

Exam trap

ISC2 often tests the nuance that 'kms:ViaService' only applies when the request is made through the specified service's integration, not when the client calls KMS directly, leading candidates to overlook the direct API call scenario.

How to eliminate wrong answers

Option A is wrong because, although principal ARNs in AWS IAM are case-sensitive, role names may contain uppercase letters; the ARN uses the role name exactly as defined, so uppercase letters are valid and not the cause of the failure. Option C is wrong because grant tokens are used with KMS grants, not with key policies; the key policy here does not require a grant token, and the error is unrelated to grants. Option D is wrong because the action list does include 'kms:Decrypt' for the backup role (as shown in the policy snippet), so a missing action is not the issue.

23
Multi-Selectmedium

Which TWO of the following are valid methods to protect data at rest in a cloud environment?

Select 2 answers
A.Client-side encryption
B.Data loss prevention (DLP) policies
C.Tokenization
D.Server-side encryption
E.Transport Layer Security (TLS)
AnswersA, D

Encrypts data before sending to cloud.

Why this answer

Client-side encryption (A) is a valid method to protect data at rest because the data is encrypted by the client before being transmitted to the cloud provider. This ensures that the cloud provider never has access to the plaintext data or the encryption keys, which remain under the customer's control. It is a strong approach for maintaining data confidentiality and compliance with regulatory requirements.

Exam trap

ISC2 often tests the distinction between data at rest and data in transit, so the trap here is that candidates may incorrectly select TLS (Option E) as a method for protecting data at rest, confusing it with encryption of data in transit.

24
MCQmedium

A healthcare organization stores patient records in a cloud database. They need to ensure that database administrators cannot view sensitive columns like SSN and diagnosis. Which data masking technique should be applied?

A.Dynamic data masking
B.Static data masking
C.Encryption at rest
D.Tokenization
AnswerA

DDM masks data in query results based on user privileges.

Why this answer

Dynamic data masking (DDM) is the correct choice because it allows the healthcare organization to mask sensitive columns (e.g., SSN, diagnosis) in real-time at the database query layer, based on user permissions. DDM does not alter the underlying stored data; it transforms the result set on-the-fly for unauthorized users (like DBAs), ensuring they see masked values while authorized personnel see the actual data. This meets the requirement of preventing database administrators from viewing sensitive columns without changing the data at rest.

Exam trap

ISC2 often tests the distinction between masking at query time (dynamic) and masking at rest (static). Candidates mistakenly choose static masking because they think it 'permanently' protects data, but the key requirement is that DBAs cannot view sensitive columns in the live production database, which only dynamic masking addresses without altering the original data.

How to eliminate wrong answers

Option B (Static data masking) is wrong because it creates a separate, permanently masked copy of the database, which does not prevent DBAs from accessing the original unmasked data in the production database. Option C (Encryption at rest) is wrong because it protects data on disk but does not control visibility at query time; DBAs with database access can still decrypt and view the data when querying. Option D (Tokenization) is wrong because it replaces sensitive data with tokens and stores the mapping in a separate vault, which is overkill for this use case and does not provide real-time, role-based masking within the database itself.

25
MCQeasy

An organization stores archival data in cloud cold storage and requires each customer's data to be encrypted with unique keys managed by the customer. Which encryption approach meets this requirement?

A.Server-side encryption with customer-managed keys (SSE-KMS)
B.Server-side encryption with cloud-provider keys (SSE-S3)
C.Server-side encryption with customer-provided keys (SSE-C)
D.Client-side encryption
AnswerD

Customer encrypts data before upload with their own keys, ensuring uniqueness and control.

Why this answer

Client-side encryption ensures that data is encrypted before it is sent to the cloud, and the customer retains sole control over the encryption keys. This approach meets the requirement for each customer's data to be encrypted with unique keys managed by the customer, as the cloud provider never has access to the keys or the unencrypted data.

Exam trap

ISC2 often tests the distinction between where encryption occurs (client-side vs. server-side) and who manages the keys, leading candidates to mistakenly choose SSE-C because it involves customer-provided keys, even though the encryption still happens on the server side.

How to eliminate wrong answers

Option A is wrong because SSE-KMS uses a key managed by the customer but stored and managed within the cloud provider's KMS service, meaning the provider has potential access to the key material and the decryption process occurs server-side. Option B is wrong because SSE-S3 uses keys managed entirely by the cloud provider, not the customer, violating the requirement for customer-managed keys. Option C is wrong because SSE-C allows the customer to provide their own encryption key, but the encryption operation is performed server-side by the cloud provider, meaning the provider temporarily has access to the key during the encryption/decryption process, which does not meet the strict requirement for customer-managed keys where the provider never has access.

26
Multi-Selecthard

Which THREE statements about tokenization compared to encryption are correct?

Select 3 answers
A.Encryption is always more secure than tokenization.
B.Tokenization is typically used for payment card data.
C.Tokenization preserves data format and length.
D.Tokenization is reversible if the mapping is maintained.
E.Tokenization requires a secure token vault.
AnswersB, D, E

Tokenization is widely used for PCI DSS compliance.

Why this answer

Tokenization is commonly used for payment card data (e.g., PCI DSS compliance) because it replaces sensitive PANs with non-sensitive tokens that have no exploitable value outside the tokenization system. This allows organizations to reduce their compliance scope by not storing actual card numbers, while encryption still leaves ciphertext that could be decrypted if keys are compromised.

Exam trap

ISC2 often tests the misconception that tokenization always preserves format and length, but in reality, format preservation is an optional feature, not a core requirement, and many tokenization systems produce tokens of different lengths or formats.

27
MCQeasy

An enterprise uses a cloud access security broker (CASB) to protect data in cloud applications. They want to prevent users from uploading files containing credit card numbers to a cloud storage service. Which CASB feature should be configured?

A.Encryption in transit settings
B.User activity monitoring
C.Single sign-on (SSO) integration
D.Data loss prevention (DLP) policies
AnswerD

DLP scans content and can block uploads containing sensitive data.

Why this answer

Data loss prevention (DLP) policies are the correct CASB feature because they allow the enterprise to define content inspection rules that scan files for sensitive data patterns, such as credit card numbers (matching Luhn algorithm or regex patterns like those in PCI DSS). When a match is detected, the CASB can block the upload, quarantine the file, or trigger an alert, directly preventing data exfiltration to the cloud storage service.

Exam trap

The trap here is that candidates confuse user activity monitoring (which logs behavior) with DLP (which enforces content-based policies), or they assume encryption alone can prevent data leakage, not realizing encryption protects data in transit but does not inspect or block the data itself.

How to eliminate wrong answers

Option A is wrong because encryption in transit (e.g., TLS 1.2/1.3) protects data during transmission between the user and the cloud service, but it does not inspect or block the content of files being uploaded; it only ensures confidentiality over the network. Option B is wrong because user activity monitoring tracks and logs user actions (e.g., login times, file access) for auditing and anomaly detection, but it lacks the content-aware inspection engine needed to identify and block specific data patterns like credit card numbers. Option C is wrong because single sign-on (SSO) integration (e.g., SAML 2.0 or OIDC) manages authentication and access control, but it does not perform deep packet inspection or content analysis on uploaded files to prevent sensitive data leakage.

28
MCQhard

A large e-commerce company uses a multi-cloud environment with workloads in AWS and Azure. They store customer payment data in an AWS S3 bucket and use Azure SQL Database for transactional data. The company requires that all data at rest be encrypted using keys managed by their on-premises HSM. They have implemented AWS KMS with custom key store (CloudHSM) for S3, and Azure SQL TDE with Azure Key Vault (using BYOK) for the database. Recently, the security team noticed that some S3 objects are not encrypted with the expected key, and there are intermittent access failures to the Azure SQL database. Investigation reveals that the AWS KMS key ID changed after a recent security incident, and the Azure Key Vault key has been disabled due to a misconfigured access policy. What is the most effective course of action to restore encryption compliance and service availability?

A.Re-establish synchronization between on-premises HSM and cloud key stores: update AWS KMS custom key store with correct key and fix Azure Key Vault access policies.
B.Implement client-side encryption for all data, bypassing cloud KMS.
C.Switch S3 to use SSE-S3 and Azure SQL to use service-managed keys.
D.Roll back all encryption to use cloud-provided managed keys to simplify operations.
AnswerA

Correct: This directly resolves the key ID change and access policy issues, restoring compliance and availability.

Why this answer

Option A is correct because the root cause is a loss of synchronization between the on-premises HSM and the cloud key stores. Updating the AWS KMS custom key store (CloudHSM) with the correct key restores S3 encryption compliance, while fixing the Azure Key Vault access policy re-enables the BYOK key for SQL TDE, restoring service availability. This directly addresses the specific failures: the changed KMS key ID and the disabled Key Vault key.

Exam trap

ISC2 often tests the misconception that switching to simpler cloud-managed keys (SSE-S3 or service-managed) is a valid fix, but the trap is that this violates the explicit compliance requirement for on-premises HSM-managed keys, making such options non-compliant.

How to eliminate wrong answers

Option B is wrong because client-side encryption would bypass the required on-premises HSM key management, violating the compliance mandate that all keys be managed by the on-premises HSM. Option C is wrong because switching to SSE-S3 and service-managed keys would replace the customer-managed keys (CMK) with cloud-provided keys, which does not meet the requirement for keys managed by the on-premises HSM. Option D is wrong because rolling back to cloud-provided managed keys abandons the on-premises HSM key control, failing the compliance requirement and not addressing the specific access policy misconfiguration in Azure Key Vault.

29
MCQeasy

An organization is adopting a cloud-based data warehouse and needs to ensure data masking is applied to personally identifiable information (PII) for analysts who should not see actual values. Which technique is most appropriate?

A.Dynamic data masking in the data warehouse.
B.Static data masking on the source database.
C.Encrypt the PII columns and restrict the decryption key.
D.Tokenization of the PII fields.
AnswerA

Dynamic masking applies policies at query runtime without altering stored data.

Why this answer

Dynamic data masking (DDM) is the correct choice because it applies masking rules at query runtime directly within the data warehouse, allowing analysts to see obfuscated PII without altering the underlying stored data. This meets the requirement for on-the-fly masking for specific users while preserving the original values for authorized roles.

Exam trap

The trap here is that candidates confuse dynamic data masking with encryption or tokenization, assuming that any technique that 'hides' data is equivalent, but CCSP emphasizes that DDM is the only method that applies masking at query time without altering the stored data or requiring a separate mapping system.

How to eliminate wrong answers

Option B is wrong because static data masking creates a separate, permanently masked copy of the source database, which introduces data staleness and storage overhead and does not provide real-time masking for analysts querying the live warehouse. Option C is wrong because encrypting PII columns and restricting the decryption keys still exposes the ciphertext to analysts (who cannot decrypt it); encryption does not obfuscate the data format or allow partial masking (e.g., showing only the last four digits), since a user either holds the key and sees the full value or sees only ciphertext, which is not data masking. Option D is wrong because tokenization replaces PII with non-reversible tokens, but it requires a separate token vault and mapping system and permanently transforms the data, making it unsuitable where analysts need to perform pattern-based analysis (e.g., partial display) without seeing the original values.

30
MCQeasy

A cloud consumer uses an IaaS provider for storage of archived financial records. Regulatory requirements mandate that data at rest be encrypted using a key that is under the consumer's sole control. Which encryption approach should the consumer implement?

A.Use client-side encryption with keys stored in the consumer's on-premises HSM
B.Use a TLS tunnel to the storage service
C.Enable server-side encryption with keys managed by the cloud provider
D.Use server-side encryption with customer-provided keys (SSE-C)
AnswerA

Client-side encryption gives the consumer sole control over encryption keys.

Why this answer

Option A is correct because client-side encryption ensures the data is encrypted before it leaves the consumer's environment, and storing the keys in the consumer's on-premises HSM guarantees sole control over the encryption keys, meeting the regulatory requirement for data-at-rest encryption with keys under the consumer's sole control.

Exam trap

ISC2 often tests the distinction between 'customer-provided keys' (SSE-C) and 'client-side encryption': candidates assume SSE-C gives sole control, but the key is still used by the provider's infrastructure, so it is not solely under the consumer's control.

How to eliminate wrong answers

Option B is wrong because TLS protects data in transit, not data at rest; it does not encrypt the stored archived financial records. Option C is wrong because server-side encryption with provider-managed keys means the cloud provider controls the encryption keys, violating the requirement for sole consumer control. Option D is wrong because SSE-C allows the consumer to provide the encryption key, but the key is used by the cloud provider's server-side encryption process, and the provider may retain access to the key material or metadata, potentially compromising sole control.

31
Multi-Selecthard

An organization is implementing data masking to protect sensitive data in non-production environments. Which THREE of the following are common data masking techniques? (Choose three.)

Select 3 answers
A.Shuffling
B.Nulling
C.Perturbation
D.Encryption
E.Substitution
AnswersA, B, E

Randomly reorders values within a column.

Why this answer

Shuffling is a common data masking technique that randomly reorders values within a column to break the link between records while preserving the overall distribution and statistical properties. This ensures that sensitive data, such as names or account numbers, cannot be traced back to the original individuals, making it suitable for non-production environments where referential integrity is not required.

Exam trap

ISC2 often tests the distinction between reversible protections (encryption) and irreversible obfuscation (masking), so candidates mistakenly select encryption because they confuse data masking with data encryption, not realizing masking must prevent reverse engineering of the original values.

32
MCQmedium

The exhibit shows a bucket policy applied to a cloud storage bucket. After applying this policy, the security team notices that objects in the bucket are publicly accessible. Which additional condition should be added to restrict access to only authorized applications?

A.Add a condition that limits access to specific IP addresses or VPC endpoints.
B.Remove the 'Principal': '*' statement to make the bucket private.
C.Change the Action to s3:PutObject to limit exposure.
D.Add a condition to require Multi-Factor Authentication (MFA).
AnswerA

Conditions like 'aws:SourceIp' restrict access to authorized network locations.

Why this answer

Option A is correct because the bucket policy already grants public access via 'Principal': '*', so removing that principal or changing actions won't fix the underlying exposure. By adding a condition that restricts access to specific IP addresses or VPC endpoints, you ensure that only requests originating from authorized network sources can access the bucket, effectively overriding the broad principal wildcard.

Exam trap

ISC2 often tests the misconception that removing the principal wildcard or changing the action alone is sufficient to secure a bucket, when in fact network-level restrictions via conditions are necessary to enforce access control for authorized applications.

How to eliminate wrong answers

Option B is wrong because simply removing the 'Principal': '*' statement would not automatically make the bucket private; the bucket policy might still have other statements granting access, or the bucket's ACLs could allow public access. Option C is wrong because changing the Action to s3:PutObject only restricts the type of operation (e.g., uploads), but the bucket would still be publicly readable if other actions like s3:GetObject are allowed. Option D is wrong because requiring MFA only adds an authentication factor for the request, but if the principal is '*', any unauthenticated user can still access the bucket without MFA; MFA conditions only apply to requests that include a valid session token from AWS STS.

33
MCQeasy

A cloud architect is designing a data classification scheme for a SaaS application. Data must be classified based on sensitivity and regulatory requirements. Which of the following is the PRIMARY reason to classify data?

A.To reduce storage costs by identifying obsolete data
B.To comply with a specific data protection regulation
C.To improve data access speeds for high-priority data
D.To apply appropriate security controls based on data sensitivity
AnswerD

Classification guides security control selection.

Why this answer

The primary reason to classify data in a cloud environment is to enable the application of appropriate security controls based on data sensitivity. Classification drives the selection of encryption standards, access control policies, and data loss prevention (DLP) rules, ensuring that sensitive data receives stronger protection while lower-sensitivity data is handled with less restrictive measures. Without classification, security controls would be applied uniformly, leading to either over-protection of trivial data or under-protection of critical data.

Exam trap

ISC2 often tests the misconception that compliance is the primary reason for classification, but the trap is that compliance is a downstream requirement—classification is the foundational step to identify which data is subject to which regulation, and the primary goal is always to apply appropriate security controls based on sensitivity.

How to eliminate wrong answers

Option A is wrong because reducing storage costs by identifying obsolete data is a secondary benefit of data lifecycle management, not the primary driver for classification; classification focuses on sensitivity and regulatory requirements, not storage optimization. Option B is wrong because while compliance with a specific data protection regulation (e.g., GDPR, HIPAA) is a common use case, it is not the primary reason—classification must occur first to determine which data falls under which regulation, and the core purpose is to map sensitivity to controls, not to comply with a single regulation. Option C is wrong because improving data access speeds for high-priority data is a performance optimization concern, typically addressed through caching, CDN, or storage tiering, not through data classification; classification does not inherently affect access latency.

34
MCQ · hard

A financial services company is migrating a critical database to the cloud. The database contains columns with PII that must be encrypted. Performance is the highest priority, and the system must support queries on encrypted data. Which technique should be used?

A.Hashing
B.Application-level encryption
C.Transparent Data Encryption (TDE)
D.Tokenization
Answer: D

Tokenization replaces sensitive data with tokens that preserve format and length, enabling efficient queries without encryption overhead.

Why this answer

Tokenization is correct because it replaces sensitive PII with non-sensitive tokens that retain the format and length of the original data, allowing queries to run on the tokens without exposing the actual values. This approach provides strong security while maintaining high performance, as the token mapping is stored separately and queries are executed against the tokenized data without decryption overhead.

Exam trap

ISC2 often tests the misconception that TDE supports queries on encrypted data, but TDE only encrypts data at rest and decrypts it during access, failing the 'query on encrypted data' requirement without performance degradation.

How to eliminate wrong answers

Option A is wrong because hashing is a one-way function that does not support direct queries on the original data (e.g., range queries, pattern matching) and is not reversible for decryption. Option B is wrong because application-level encryption requires decrypting data in the application layer for each query, introducing significant latency and performance degradation, which conflicts with the performance priority. Option C is wrong because Transparent Data Encryption (TDE) encrypts data at rest but does not support queries on encrypted data; it decrypts data on-the-fly during reads, which adds overhead and still exposes plaintext in memory.

35
MCQ · medium

A company uses a Cloud Access Security Broker (CASB) to enforce security policies on SaaS applications. They want to ensure that data uploaded to a file-sharing service does not contain Social Security numbers (SSNs). Which CASB capability is most effective?

A.Contextual access control
B.Inline DLP scanning
C.API-based data discovery
D.Encryption of data in transit
Answer: B

Inline scanning blocks sensitive data in real time.

Why this answer

Inline DLP scanning is the most effective CASB capability for preventing data containing Social Security numbers from being uploaded to a file-sharing service because it inspects the content of files in real time as they are being uploaded. The CASB acts as a proxy, intercepting the HTTP/HTTPS traffic, parsing the file payload, and applying pattern-matching algorithms (e.g., regex for SSN format) to block the upload before it reaches the SaaS application. This proactive, real-time enforcement is essential for data loss prevention (DLP) at the point of upload.

Exam trap

The trap here is that candidates often confuse API-based data discovery (which is excellent for identifying sensitive data at rest) with inline DLP scanning (which is required for real-time prevention), leading them to choose Option C even though it cannot block the upload in progress.

How to eliminate wrong answers

Option A is wrong because contextual access control focuses on who, when, and from where access is attempted (e.g., location, device posture), not on inspecting the content of uploaded files for sensitive data like SSNs. Option C is wrong because API-based data discovery scans data already stored in the SaaS application via its API, which is reactive and cannot prevent the initial upload of SSNs; it can only detect them after the fact. Option D is wrong because encryption of data in transit (e.g., TLS 1.2/1.3) protects data from eavesdropping during transmission but does not inspect or block the content of the data being uploaded.

36
Multi-Select · easy

Which TWO of the following are best practices for cloud key management?

Select 2 answers
A.Use separate keys for different tenants or applications.
B.Hard-code encryption keys in application source code for simplicity.
C.Store keys in the same geographic region as the data for low latency.
D.Rotate encryption keys on a regular schedule.
E.Use a single master key for all encryption operations.
Answers: A, D

Correct. Isolation reduces impact of a key compromise.

Why this answer

A (separate keys per tenant or application) and D (rotate keys on a regular schedule) are recommended. B (hard-coded keys in source code) is bad. C (store keys in the same region as the data) is a latency consideration, not a security practice.

E (a single master key for all encryption operations) is poor.

37
MCQ · medium

A financial institution uses a cloud data warehouse to store transaction data. The data is classified into three tiers: public, internal, and confidential. The current architecture stores all data in a single dataset with column-level encryption for confidential fields. A recent internal penetration test revealed that an analyst with access to the data warehouse could query aggregated statistics that inadvertently revealed confidential individual transactions. The security team needs to implement a solution that prevents such data leakage while preserving analytical capabilities. Which solution BEST addresses this?

A.Deploy a differential privacy framework that adds noise to query results.
B.Implement row-level security to restrict each analyst to only view data related to their assigned region.
C.Use dynamic data masking to obscure confidential fields based on the user's clearance.
D.Encrypt the entire dataset with a key that is only available to a privileged group.
Answer: A

Preserves aggregate analysis while protecting individual records.

Why this answer

Differential privacy is the correct solution because it directly addresses the core issue: aggregated statistics can be reverse-engineered to infer individual records. By adding calibrated noise to query results, it ensures that the output of any query does not reveal whether a specific individual's data is present, thus preventing leakage from aggregate queries while still allowing analysts to derive meaningful trends and patterns.

Exam trap

ISC2 often tests the distinction between access control mechanisms (row-level security, masking, encryption) and privacy-preserving techniques (differential privacy), trapping candidates who confuse restricting direct data access with preventing inference from aggregated outputs.

How to eliminate wrong answers

Option B is wrong because row-level security restricts access based on region, but it does not prevent an analyst from querying aggregated statistics that could reveal confidential individual transactions within their allowed region. Option C is wrong because dynamic data masking obscures fields at the column level, but it does not protect against inference attacks on aggregated results; an analyst could still compute sums or averages that leak individual values. Option D is wrong because encrypting the entire dataset with a key available only to a privileged group would block all analysts from querying the data, destroying analytical capabilities entirely, which is not the goal.
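The differencing attack this question describes, and the Laplace mechanism that blunts it, as an added example (not part of the original page). The dataset is constructed, the helper names are my own, and the query is a count with sensitivity 1 so the noise scale is simply 1/epsilon.

```python
import math
import random

# Constructed sample dataset (not real data): customer id -> largest transaction amount.
TRANSACTIONS = {"c1": 120.0, "c2": 45.5, "c3": 9800.0, "c4": 310.0, "c5": 75.0}


def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Laplace mechanism: noise scale b = sensitivity / epsilon."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def sample_laplace(rng: random.Random, scale: float) -> float:
    """Draw from Laplace(0, scale) by inverse CDF (no numpy needed)."""
    u = max(rng.random(), 1e-12) - 0.5          # avoid log(0) at u == -0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def count_over(records: dict, threshold: float) -> int:
    """Raw aggregate: how many customers have an amount above the threshold."""
    return sum(1 for amount in records.values() if amount > threshold)


def private_count_over(records: dict, threshold: float, epsilon: float, rng: random.Random) -> float:
    """A count has sensitivity 1: one person's presence changes it by at most 1."""
    return count_over(records, threshold) + sample_laplace(rng, laplace_scale(1.0, epsilon))


def difference_attack(records, target, threshold, epsilon=None, seed=None):
    """Q(everyone) - Q(everyone except target): the inference the question describes.

    With epsilon=None the raw answers are returned and the difference isolates the
    target exactly; with a finite epsilon both answers carry independent noise.
    """
    others = {k: v for k, v in records.items() if k != target}
    if epsilon is None:
        return count_over(records, threshold) - count_over(others, threshold)
    rng = random.Random(seed)
    return (private_count_over(records, threshold, epsilon, rng)
            - private_count_over(others, threshold, epsilon, rng))


if __name__ == "__main__":
    # Without noise the analyst learns that c3 is the one customer above 5000.
    print(difference_attack(TRANSACTIONS, "c3", 5000.0))
    # With epsilon = 0.5 each answer carries Laplace(0, 2) noise; the difference is inconclusive.
    print(difference_attack(TRANSACTIONS, "c3", 5000.0, epsilon=0.5, seed=7))
```

Each noisy answer spends epsilon of privacy budget and the two answers compose, so a production deployment pairs the mechanism with a budget accountant that refuses further queries once the allotted epsilon for the dataset is exhausted; otherwise an analyst can repeat the same pair of queries and average the noise away.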

38
MCQ · hard

During a cloud migration, a company discovers that some sensitive data was inadvertently stored in an object storage bucket with public read access. The security team needs to determine the scope of exposure and remediate. What is the FIRST step they should take?

A.Notify the data protection authority.
B.Change the bucket's permission to private.
C.Immediately delete all objects in the bucket.
D.Review the bucket's access logs to identify any unauthorized access.
Answer: D

Access logs reveal who has accessed the data, which is crucial for scope assessment.

Why this answer

The first step is to review the bucket's access logs (e.g., AWS CloudTrail or S3 server access logs) to identify any unauthorized access. This determines the scope of exposure—who accessed the data, when, and from where—before taking any remediation action. Without this forensic step, the company cannot assess breach notification obligations or legal liability.

Exam trap

ISC2 often tests the principle of 'preserve evidence first'—candidates mistakenly jump to remediation (changing permissions or deleting objects) without first conducting forensic analysis to determine the scope of exposure.

How to eliminate wrong answers

Option A is wrong because notifying the data protection authority is a post-forensic step that should only occur after confirming actual unauthorized access and determining the scope of exposure. Option B is wrong because changing the bucket's permission to private without first reviewing logs could destroy evidence of unauthorized access (e.g., logs may be overwritten or deleted). Option C is wrong because immediately deleting all objects in the bucket would destroy forensic evidence and potentially violate legal hold or e-discovery requirements.

39
MCQ · medium

A company is migrating sensitive customer data to the cloud. They need to classify data according to the organization's data classification policy, which includes public, internal, confidential, and restricted categories. Which of the following is the MOST important step to ensure data classification is effective in the cloud?

A.Assign a data custodian to manually tag data objects
B.Implement encryption for all data at rest and in transit
C.Integrate classification labels with DLP and access control policies
D.Store each classification level in separate cloud regions
Answer: C

Automation and integration with DLP enforce policies consistently.

Why this answer

Integrating classification labels with DLP and access control policies ensures that the classification scheme is enforced automatically, not just documented. This allows the cloud infrastructure to apply appropriate protections (e.g., blocking unauthorized access or preventing data exfiltration) based on the label, making classification actionable and effective in a dynamic cloud environment.

Exam trap

ISC2 often tests the misconception that encryption alone is sufficient for data classification, but encryption is a protection mechanism, not a classification or enforcement mechanism; the trap is confusing security controls with data governance processes.

How to eliminate wrong answers

Option A is wrong because manually tagging data objects is error-prone, does not scale in a cloud environment with potentially millions of objects, and lacks automated enforcement; data custodians should define policy, not perform manual tagging. Option B is wrong because encryption protects data confidentiality and integrity but does not classify data or enforce classification-based access controls; it is a security control, not a classification mechanism. Option D is wrong because storing each classification level in separate cloud regions is impractical, costly, and does not inherently enforce access controls; classification should be enforced through policy and labels, not physical or logical separation alone.

40
Multi-Select · hard

Which THREE of the following are required components of a cloud data lifecycle policy?

Select 3 answers
A.Legal hold process
B.Data deletion procedures
C.Data classification
D.Data retention schedule
E.Data encryption algorithm selection
Answers: B, C, D

Correct. Deletion is the final stage of the lifecycle.

Why this answer

Data deletion procedures are a required component of a cloud data lifecycle policy because they define how data is securely and irreversibly removed at the end of its useful life. This includes methods such as cryptographic erasure, overwriting with patterns (e.g., NIST SP 800-88), or degaussing, ensuring compliance with legal and regulatory requirements. Without explicit deletion procedures, data may persist in cloud storage, leading to unauthorized access or retention violations.

Exam trap

ISC2 often tests the distinction between operational security controls (like encryption algorithms) and governance-level lifecycle policy components, leading candidates to mistakenly include technical implementation details as required policy elements.

41
MCQ · easy

A cloud security architect is implementing a data classification scheme. They need to ensure that data labeled 'confidential' is automatically encrypted when stored in cloud storage. Which approach best achieves this?

A.Use a separate storage bucket for confidential data with default encryption enabled
B.Deploy a data loss prevention (DLP) tool to scan and encrypt on upload
C.Configure cloud storage bucket policies to enforce encryption for objects with a 'confidential' tag
D.Train users to manually encrypt files before uploading
Answer: C

Automated enforcement based on classification labels.

Why this answer

Option C is correct because cloud storage bucket policies can be configured to enforce server-side encryption for objects that carry a specific metadata tag (e.g., 'confidential'). This approach automates encryption at the point of storage without requiring separate buckets or manual intervention, ensuring that all tagged data is encrypted as a condition of the write operation.

Exam trap

ISC2 often tests the misconception that DLP tools can enforce encryption at the point of upload, when in fact DLP is typically a post-storage or in-transit scanning mechanism, not a storage-layer encryption enforcer.

How to eliminate wrong answers

Option A is wrong because using a separate bucket with default encryption does not automatically enforce encryption based on data classification; it only encrypts all objects in that bucket, which may include non-confidential data and does not scale with dynamic tagging. Option B is wrong because DLP tools typically scan data after it is stored or in transit, not at the moment of upload, and they cannot enforce encryption at the storage layer; they may trigger alerts or remediation but do not directly encrypt objects during the write operation. Option D is wrong because training users to manually encrypt files is error-prone, non-scalable, and violates the principle of automated policy enforcement required for consistent data protection in cloud environments.

42
MCQ · easy

A startup provides a cloud-based document collaboration platform. They store user-uploaded documents in a cloud object storage bucket. Compliance with data privacy laws requires that when a user deletes an account, all their documents must be permanently deleted within 30 days. The current process uses object versioning and lifecycle policies to expire objects after 30 days. However, during a recent audit, it was discovered that deleted user documents were still accessible via the bucket's previous versions for months after the deletion. The security team needs to ensure that all traces of a user's data are removed immediately upon account deletion. Which solution should be implemented?

A.Configure bucket policies to deny read access to all objects after the user deletion date.
B.Change the bucket's default encryption to use customer-managed keys and delete the key after 30 days.
C.Enable MFA Delete on the bucket to require additional authentication for deletions.
D.Use a lifecycle policy to permanently delete current and previous object versions immediately after the user deletion request.
Answer: D

Ensures immediate removal of all versions.

Why this answer

Option D is correct because object versioning in cloud storage (e.g., AWS S3) retains both current and previous versions of objects. A lifecycle policy that immediately expires both current and noncurrent versions upon user deletion ensures that all copies of the data are permanently removed, satisfying the 30-day compliance requirement. Without explicitly targeting previous versions, the default lifecycle policy only deletes current versions, leaving older versions accessible indefinitely.

Exam trap

ISC2 often tests the misconception that lifecycle policies automatically delete all object versions, when in fact they require separate rules for current and noncurrent versions, and candidates may overlook the need to explicitly target previous versions.

How to eliminate wrong answers

Option A is wrong because denying read access does not delete the objects; the data remains stored and recoverable, violating the permanent deletion requirement. Option B is wrong because deleting a customer-managed key (CMK) renders the data cryptographically inaccessible but does not remove the encrypted objects from the bucket; they still exist and could be recovered if the key is restored, and this approach does not meet the explicit deletion mandate. Option C is wrong because MFA Delete adds an authentication step for deletions but does not automate the deletion process or address the need to remove previous versions; it only prevents accidental or unauthorized deletions.
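Why a plain delete leaves the data recoverable in a versioned bucket, and what a purge that targets every version id looks like, as an added example (not code from the page or from any cloud provider SDK). The `VersionedBucket` class is an in-memory model that assumes S3-like versioning semantics; the key prefix and the rule name are placeholders, and the lifecycle rule uses real S3 rule fields but is shown only for its shape.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ObjectVersion:
    version_id: str
    is_delete_marker: bool
    body: Optional[bytes]


class VersionedBucket:
    """Tiny in-memory model of a versioning-enabled bucket (assumed S3-like semantics)."""

    def __init__(self):
        self._versions: Dict[str, List[ObjectVersion]] = {}
        self._ids = itertools.count(1)

    def put_object(self, key: str, body: bytes) -> str:
        vid = f"v{next(self._ids)}"
        self._versions.setdefault(key, []).append(ObjectVersion(vid, False, body))
        return vid

    def delete_object(self, key: str, version_id: Optional[str] = None) -> str:
        """A delete without a version id only adds a delete marker; every prior version stays."""
        if version_id is None:
            vid = f"v{next(self._ids)}"
            self._versions.setdefault(key, []).append(ObjectVersion(vid, True, None))
            return vid
        remaining = [v for v in self._versions.get(key, []) if v.version_id != version_id]
        if remaining:
            self._versions[key] = remaining
        else:
            self._versions.pop(key, None)
        return version_id

    def get_object(self, key: str, version_id: Optional[str] = None) -> Optional[bytes]:
        """Latest version by default; an explicit version id still reads 'deleted' data."""
        versions = self._versions.get(key, [])
        if version_id is None:
            return versions[-1].body if versions else None
        for v in versions:
            if v.version_id == version_id:
                return v.body
        return None

    def list_object_versions(self, prefix: str = ""):
        return [(k, v) for k, vs in self._versions.items() if k.startswith(prefix) for v in vs]


def purge_prefix(bucket: VersionedBucket, prefix: str) -> int:
    """Remove every version and delete marker under prefix; returns the number removed."""
    targets = bucket.list_object_versions(prefix)
    for key, v in targets:
        bucket.delete_object(key, version_id=v.version_id)
    return len(targets)


def lifecycle_rule(prefix: str) -> dict:
    """Lifecycle rule shape that ages out current AND noncurrent versions (expressed in days)."""
    return {
        "ID": "expire-deleted-user-data",          # placeholder rule name
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Expiration": {"Days": 1},
        "NoncurrentVersionExpiration": {"NoncurrentDays": 1},
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 1},
    }


if __name__ == "__main__":
    b = VersionedBucket()
    b.put_object("users/42/contract.pdf", b"draft")
    final_id = b.put_object("users/42/contract.pdf", b"final")
    b.delete_object("users/42/contract.pdf")               # ordinary delete: marker only
    print(len(b.list_object_versions("users/42/")))        # two versions plus the marker
    print(b.get_object("users/42/contract.pdf", final_id))  # old version still readable
    print(purge_prefix(b, "users/42/"))
    print(b.list_object_versions("users/42/"))
```

Lifecycle rules are expressed in whole days and applied by a background sweep, so the account-deletion handler should perform the explicit per-version purge itself and keep the rule as a safety net for anything the handler misses, including the delete markers that an ordinary delete leaves behind.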

43
MCQ · easy

A financial services company is migrating sensitive customer data to a cloud environment. The compliance team requires that all data at rest be encrypted using a key managed by the organization, not the cloud provider. Which solution should the company implement?

A.Enforce TLS 1.2 for all data transfers
B.Implement tokenization for all sensitive fields
C.Client-side encryption using a customer-managed key
D.Server-side encryption with AWS S3 managed keys (SSE-S3)
Answer: C

Correct: Data encrypted before upload; keys held by customer.

Why this answer

Option C is correct because client-side encryption ensures that data is encrypted before it leaves the organization's control, and the customer retains sole possession of the encryption key. This satisfies the compliance requirement that the cloud provider never has access to the key, as the provider only stores the encrypted ciphertext. In contrast, server-side encryption options (like SSE-S3) involve the provider managing or having access to the key material.

Exam trap

The trap here is that candidates often assume server-side encryption with customer-provided keys (SSE-C) meets the requirement, but SSE-C still involves the cloud provider performing the encryption on its infrastructure, whereas client-side encryption ensures the provider never sees the plaintext or the key.

How to eliminate wrong answers

Option A is wrong because TLS 1.2 protects data in transit, not data at rest, and does not address encryption of stored data or key management. Option B is wrong because tokenization replaces sensitive data with non-sensitive tokens but does not encrypt the original data at rest; the mapping table or vault must still be secured, and it does not inherently use a customer-managed key for encryption. Option D is wrong because SSE-S3 uses AWS-managed keys, meaning the cloud provider controls the key material, which violates the requirement that the organization manages the key.

44
Multi-Select · medium

Which THREE of the following are key considerations when designing a key management lifecycle for cloud data encryption?

Select 3 answers
A.Key rotation
B.Key usage monitoring
C.Key escrow
D.Key generation
E.Key storage
Answers: A, D, E

Rotation is a key lifecycle phase.

Why this answer

Key rotation is a critical lifecycle operation that limits the exposure of encrypted data if a key is compromised. By periodically replacing encryption keys with new ones, organizations reduce the window of vulnerability and comply with standards like NIST SP 800-57, which recommends cryptographic key rotation based on the key's usage period and security strength.

Exam trap

ISC2 often tests the distinction between lifecycle phases (generate, store, rotate, destroy) and operational controls (monitoring, escrow), so candidates mistakenly include monitoring or escrow as core design steps when they are actually supporting processes.

45
MCQ · hard

Based on the CloudTrail log, why did the Decrypt call fail?

A.An encryption algorithm mismatch.
B.The ciphertext was tampered with.
C.The key policy denied access.
D.The CMK was disabled.
Answer: C

The error message indicates the user lacks authorization on the key.

Why this answer

The Decrypt call failed because the key policy attached to the AWS KMS CMK explicitly denied the IAM role or user making the request. CloudTrail logs show the error code 'AccessDenied' or 'UnauthorizedOperation', which indicates that the key policy did not grant the necessary kms:Decrypt permission to the principal. Even if the CMK is enabled and the ciphertext is valid, a restrictive key policy will block the operation.

Exam trap

ISC2 often tests the distinction between key policy denials and CMK state issues; the trap here is that candidates confuse 'AccessDenied' errors with 'DisabledException' or 'InvalidCiphertextException', assuming the key is disabled or the ciphertext is corrupted when the real cause is a missing or explicit deny in the key policy.

How to eliminate wrong answers

Option A is wrong because an encryption algorithm mismatch would produce a 'ValidationException' or 'InvalidCiphertextException', not an access-denied error. Option B is wrong because tampered ciphertext would cause an 'InvalidCiphertextException' due to integrity check failure (e.g., AWS KMS uses authenticated encryption with AES-GCM, which detects tampering). Option D is wrong because a disabled CMK would result in a 'DisabledException' or 'KMSInvalidStateException', not an access-denied error.

46
MCQ · medium

Refer to the exhibit. An administrator applies this S3 bucket policy. What is the overall effect?

A.Only requests originating from VPC vpc-12345678 are allowed to retrieve objects
B.All requests are denied because the Deny statement overrides the Allow statement
C.All requests are allowed because there is an Allow statement
D.Only requests made with HTTPS are allowed
Answer: A

The policy explicitly allows from that VPC and denies from others.

Why this answer

The S3 bucket policy includes an Allow statement that grants s3:GetObject access only to the VPC endpoint vpc-12345678, using the aws:SourceVpce condition key. This means only requests originating from that specific VPC endpoint are permitted to retrieve objects. The Deny statement with a NotPrincipal condition is redundant or misconfigured, but the Allow statement's condition effectively restricts access to the VPC endpoint, making option A correct.

Exam trap

ISC2 often tests the nuance that a Deny statement with NotPrincipal does not automatically deny all requests; candidates mistakenly assume any Deny overrides all Allow statements, but the specific condition in the Allow statement (aws:SourceVpce) is the key to understanding the policy's effect.

How to eliminate wrong answers

Option B is wrong because the Deny statement uses a NotPrincipal condition, which does not create a blanket denial; the Allow statement with the VPC condition is the effective control, and the Deny does not override it in this context. Option C is wrong because the Allow statement is not unconditional—it includes a condition that restricts access to requests from vpc-12345678, so not all requests are allowed. Option D is wrong because the policy does not reference HTTPS or any encryption protocol; it only uses the aws:SourceVpce condition key, not aws:SecureTransport.

47
Matching · medium

Match each cloud incident response phase to its primary activity.

Develop incident response plan and tools

Identify potential security incidents

Isolate affected systems and prevent spread

Restore normal operations and verify integrity

Why these pairings

Incident response in cloud requires adaptation to shared responsibility and ephemeral resources.

48
MCQ · hard

A security engineer applies the above bucket policy to an S3 bucket containing sensitive data. Which of the following best describes the effect of this policy?

A.It allows all access to the bucket.
B.It denies access to objects over HTTPS, but allows HTTP.
C.It denies access to objects over HTTP, but allows HTTPS.
D.It denies all access to the bucket.
Answer: C

Correct: The condition denies when SecureTransport is false (HTTP).

Why this answer

The bucket policy uses a `Deny` effect with a `Condition` block that checks `aws:SecureTransport` equals `false`. This condition denies access when the request is made over HTTP (non-secure transport), effectively blocking HTTP requests while allowing HTTPS requests. The policy does not affect HTTPS requests because the condition only triggers when `SecureTransport` is false.

Exam trap

The trap here is that candidates confuse the `Deny` effect with a blanket denial, missing the conditional `aws:SecureTransport` check, or they misinterpret the condition as denying HTTPS instead of HTTP.

How to eliminate wrong answers

Option A is wrong because the policy explicitly denies access under a specific condition (HTTP), not allowing all access. Option B is wrong because the policy denies HTTP access, not HTTPS; it does not deny access over HTTPS. Option D is wrong because the policy does not deny all access; it only denies access when the request uses HTTP (non-secure transport), leaving HTTPS access permitted.

49
MCQ · medium

An administrator applies the above bucket policy to an S3 bucket containing sensitive data. What is the EFFECT of this policy?

A.Allows public read access
B.Allows access only from specific IP addresses
C.Denies access if the request does not use HTTPS
D.Denies access if the request uses HTTPS
Answer: C

It denies HTTP requests, enforcing HTTPS.

Why this answer

The bucket policy uses a `Deny` effect with a condition `aws:SecureTransport` set to `false`, which means any request that does not use HTTPS (i.e., plain HTTP) is denied. This enforces encryption in transit for all access to the S3 bucket, ensuring sensitive data is not transmitted over an unencrypted channel. Option C correctly identifies that the policy denies access if the request does not use HTTPS.

Exam trap

ISC2 often tests the distinction between `Deny` and `Allow` effects in S3 bucket policies, and the trap here is that candidates misread the condition as denying HTTPS instead of denying non-HTTPS, or they assume the policy grants public access because they overlook the absence of an `Allow` statement.

How to eliminate wrong answers

Option A is wrong because the policy does not contain any `Effect: Allow` statement for public access; it only has a `Deny` statement, so public read access is not granted. Option B is wrong because the policy does not reference the `aws:SourceIp` condition key or any IP address range; it only checks the `aws:SecureTransport` condition. Option D is wrong because the policy denies access when `aws:SecureTransport` is `false`, meaning it denies HTTP, not HTTPS; requests using HTTPS have `aws:SecureTransport` set to `true` and are not denied by this condition.
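The exhibit for questions 48 and 49 is not reproduced on this page, so here is a constructed policy of the kind both questions describe (an added example, not the exam's exhibit and not any vendor's code), together with a minimal evaluator that walks the statements the way the explanations above reason about them. The bucket name is a placeholder, and the evaluator models only the `Bool` and `StringEquals` operators and ignores `Principal`.

```python
# Constructed example policy: a single Deny keyed on aws:SecureTransport. No Allow is present,
# so by itself this policy grants nothing; it only removes HTTP access from whatever an IAM
# or other bucket-policy Allow would otherwise permit.
DENY_INSECURE_TRANSPORT = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-bucket",      # placeholder bucket name
                "arn:aws:s3:::example-bucket/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern: str, value: str) -> bool:
    """Only the trailing '*' wildcard that Action and Resource elements commonly use."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Subset of IAM condition operators; a key absent from the request context makes them false."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} is not modelled here")
    return True


def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    """Return 'Deny' (an explicit deny always wins), 'Allow', or 'NoMatch' (policy is silent)."""
    decision = "NoMatch"
    for st in policy["Statement"]:
        if not any(_glob_match(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(st["Resource"])):
            continue
        if "Condition" in st and not _condition_holds(st["Condition"], ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/customers.csv"
    http_ctx = {"aws:SecureTransport": "false"}   # plain HTTP request
    https_ctx = {"aws:SecureTransport": "true"}   # TLS request
    print(evaluate(DENY_INSECURE_TRANSPORT, "s3:GetObject", obj, http_ctx))   # Deny
    print(evaluate(DENY_INSECURE_TRANSPORT, "s3:GetObject", obj, https_ctx))  # NoMatch
```

The `NoMatch` result for the HTTPS request is the point the exam trap above makes: the Deny statement does not grant HTTPS access, it merely stays out of the way, and the request succeeds only if some Allow elsewhere applies.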

50
Multi-Select · medium

Which TWO data states must be encrypted to meet common compliance requirements for data in the cloud? (Choose two.)

Select 2 answers
A.Data in audit logs
B.Data in backup
C.Data at rest
D.Data in transit
E.Data in use
Answers: C, D

Required by regulations like PCI DSS, HIPAA.

Why this answer

Data at rest (C) must be encrypted because compliance frameworks like PCI DSS, HIPAA, and GDPR require protection of stored data against unauthorized access. Encryption at rest typically uses AES-256 or similar algorithms to secure data on disks, databases, or object storage, ensuring that even if physical media is compromised, the data remains unreadable.

Exam trap

ISC2 often tests the distinction between data states and data locations, so the trap here is that candidates confuse 'data in backup' or 'data in audit logs' as separate states when they are actually subsets of data at rest or in transit.

51
MCQ · medium

An organization uses a cloud-based DLP solution to monitor outbound traffic. They want to prevent the exfiltration of credit card numbers. Which detection technique is most appropriate for this requirement?

A.Exact data matching against a list of known card numbers
B.Machine learning classification of sensitive data
C.Fingerprinting of known credit card documents
D.Regular expression matching for credit card number patterns
Answer: D

Regex can identify card numbers based on format.

Why this answer

Regular expression matching (option D) is the most appropriate technique because credit card numbers follow well-defined, predictable patterns (e.g., 16 digits, specific starting digits for each issuer like 4 for Visa, 5 for MasterCard, and Luhn algorithm validation). This allows the DLP solution to detect credit card numbers in outbound traffic without requiring a pre-populated list or prior training, making it ideal for real-time monitoring of unknown or new card numbers.

Exam trap

ISC2 often tests the misconception that machine learning (option B) is always the most advanced or accurate technique, but for structured data like credit card numbers, regex is simpler, faster, and more precise.

How to eliminate wrong answers

Option A is wrong because exact data matching requires a pre-compiled list of known credit card numbers, which is impractical for detecting unknown or newly issued cards and does not scale for outbound traffic monitoring. Option B is wrong because machine learning classification is better suited for identifying unstructured or context-dependent sensitive data (e.g., legal documents) and introduces latency and false positives for a well-defined pattern like credit card numbers. Option C is wrong because fingerprinting of known credit card documents is designed to detect specific files (e.g., PDFs or spreadsheets) containing card numbers, not to identify card numbers in arbitrary outbound traffic such as emails or web requests.
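The pattern-matching step that question 35 (inline SSN scanning) and question 51 (credit-card regex with Luhn validation) both describe, as one added example that serves both questions. This is not code from the page or from any CASB or DLP product; the sample upload body and every number in it are constructed, and the function names are my own.

```python
import re

# Constructed sample upload body (all values are made up for the demo).
SAMPLE_UPLOAD = """\
Quarterly report attached. Desk phone: 555-0142.
Employee SSN on file: 219-09-9999 (placeholder), order ref 123-45-678.
Card on file: 4111 1111 1111 1111, backup card 4111-1111-1111-1112.
"""

# SSN format AAA-GG-SSSS, excluding never-issued area numbers (000, 666, 900-999),
# group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate 16-digit PAN with optional space or dash separators. The regex only
# finds candidates; the Luhn check below discards most non-card digit runs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> list:
    return SSN_RE.findall(text)


def find_card_numbers(text: str) -> list:
    """Return separator-free PANs that match the pattern and pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_upload(text: str):
    """Verdict an inline DLP proxy would return before forwarding the upload."""
    findings = {"ssn": find_ssns(text), "card": find_card_numbers(text)}
    verdict = "BLOCK" if any(findings.values()) else "ALLOW"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = scan_upload(SAMPLE_UPLOAD)
    print(verdict, findings)
```

The second card number in the sample fails the Luhn check and is dropped, which is why regex alone is noisy: a real deployment also extracts text from document formats before matching, and tunes the patterns against the false positives (order numbers, test PANs, phone numbers) seen in its own traffic.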

52
MCQ · easy

A cloud customer wants to ensure that their data is encrypted during transmission between their on-premises data center and the cloud provider's service. Which protocol should they use?

A.Internet Protocol Security (IPSec)
B.Transport Layer Security (TLS) 1.2
C.Secure Shell (SSH)
D.Remote Desktop Protocol (RDP)
Answer: B

TLS is the standard for encrypting data in transit over networks.

Why this answer

TLS 1.2 is the correct choice because it is specifically designed to secure data in transit over networks, such as between an on-premises data center and a cloud provider. It operates at the transport layer, providing encryption, authentication, and integrity for HTTP-based traffic (HTTPS), which is the most common method for cloud API interactions. IPSec, while also a valid encryption protocol, is typically used for site-to-site VPN tunnels at the network layer, not for securing individual service-to-service transmissions like those to a cloud provider's REST API.

Exam trap

ISC2 often tests the distinction between network-layer encryption (IPSec) and transport-layer encryption (TLS), leading candidates to choose IPSec because it is commonly associated with 'secure transmission' between sites, but the question specifies 'between their on-premises data center and the cloud provider's service,' which implies application-level communication, not a full network tunnel.

How to eliminate wrong answers

Option A is wrong because IPSec operates at the network layer (Layer 3) and is primarily used for establishing VPN tunnels between entire networks, not for encrypting individual application-level data transmissions between a customer's data center and a specific cloud service endpoint. Option C is wrong because SSH is designed for secure remote shell access and command execution, not for encrypting bulk data transmission between data centers and cloud services; it lacks the necessary protocol support for web-based API calls. Option D is wrong because RDP is a proprietary protocol for remote desktop connections to Windows machines, not a general-purpose encryption protocol for data in transit between on-premises and cloud environments.

53
MCQ · hard

A multinational corporation uses a cloud CASB to enforce data loss prevention (DLP) policies across SaaS applications. The security team discovers that sensitive data is being exfiltrated via encrypted traffic that the CASB cannot inspect. What is the most effective design change to mitigate this risk?

A. Implement user training to prevent data exfiltration.
B. Block all encrypted traffic at the network perimeter.
C. Deploy a forward proxy with SSL/TLS interception capabilities.
D. Disable TLS/SSL encryption for all sensitive data transfers.
Answer: C

Correct: This enables decryption and inspection of traffic while maintaining end-to-end security.

Why this answer

Option C is correct because a forward proxy with SSL/TLS interception capabilities allows the CASB to decrypt, inspect, and re-encrypt traffic, enabling DLP policy enforcement on data in transit. This design change addresses the root cause—encrypted traffic bypassing inspection—without breaking application functionality or security.

Exam trap

ISC2 often tests the misconception that blocking or disabling encryption is a valid DLP solution, when in fact the correct approach is to use interception that maintains encryption end-to-end while enabling inspection.

How to eliminate wrong answers

Option A is wrong because user training addresses human error but does not provide technical control over encrypted traffic, leaving the exfiltration vector open. Option B is wrong because blocking all encrypted traffic at the network perimeter would break legitimate business applications and is not a viable security design; it also violates the principle of least disruption. Option D is wrong because disabling TLS/SSL encryption for sensitive data transfers would expose data to interception and tampering, directly violating confidentiality and integrity requirements.

54
MCQ · medium

A company uses a cloud-based database that contains personally identifiable information (PII). They need to allow developers to run queries against the database for testing purposes without exposing actual PII. Which technique should they use?

A. Encrypt the PII fields at rest
B. Grant developers direct access to a copy of the production data
C. Apply dynamic data masking to the PII columns
D. Tokenize the PII fields with a one-way hash
Answer: C

Masking provides realistic but fake data.

Why this answer

Option C is correct because dynamic data masking (DDM) allows the database to return masked PII to developers in real time without altering the underlying stored data. This technique applies masking rules at query runtime, so developers can run functional tests against production-like data while sensitive values are obfuscated. It avoids the need for separate sanitized copies and preserves referential integrity for testing.

Exam trap

ISC2 often tests the distinction between dynamic data masking and tokenization, where candidates mistakenly choose tokenization because they think a one-way hash is sufficient for testing, but they overlook that testing requires reversible or format-preserving transformations to maintain data utility.

How to eliminate wrong answers

Option A is wrong because encrypting PII at rest protects data on disk but does not prevent developers from seeing plaintext when they query the database; decryption keys are typically available to authorized users, so the PII would still be exposed in query results. Option B is wrong because granting developers direct access to a copy of production data, even if it is a copy, still exposes actual PII and violates the principle of least privilege and data minimization for testing environments. Option D is wrong because tokenization with a one-way hash is irreversible and would break the ability to run meaningful queries that require relationships or pattern matching; tokenization for testing typically uses reversible tokens or format-preserving encryption, not a one-way hash.

55
MCQ · medium

A healthcare organization stores patient records in a cloud-based object storage service. To comply with HIPAA, they must ensure that data is encrypted at rest and that encryption keys are managed by the organization itself. Which key management approach should they implement?

A. Use server-side encryption with S3-managed keys (SSE-S3).
B. Use server-side encryption with AWS KMS-managed keys (SSE-KMS).
C. Use client-side encryption with customer-supplied encryption keys (CSEKS).
D. Implement a Bring Your Own Key (BYOK) model with a hardware security module (HSM) in the cloud.
Answer: D

Correct: BYOK allows the organization to control the encryption keys and meet compliance requirements.

Why this answer

Option D is correct because HIPAA requires the organization to maintain control over encryption keys, and a Bring Your Own Key (BYOK) model with a hardware security module (HSM) in the cloud allows the healthcare organization to generate, store, and manage their own keys externally while using them for cloud-based encryption. This approach ensures that the cloud provider cannot access the keys, meeting the regulatory requirement for key management by the organization itself.

Exam trap

ISC2 often tests the distinction between server-side encryption (where the provider manages keys) and client-side or BYOK models (where the customer retains key control), and the trap here is that candidates may assume SSE-KMS (Option B) gives the organization full key control, but KMS still allows the provider to manage the key lifecycle, failing the strict HIPAA requirement for the organization to be the sole manager.

How to eliminate wrong answers

Option A is wrong because server-side encryption with S3-managed keys (SSE-S3) uses keys managed entirely by the cloud provider, which does not satisfy the HIPAA requirement for the organization to manage the keys. Option B is wrong because server-side encryption with AWS KMS-managed keys (SSE-KMS) still delegates key management to the cloud provider's KMS service, even though the customer can control key policies; the provider retains potential access to the keys. Option C is wrong because client-side encryption with customer-supplied encryption keys (CSEKS) involves the organization managing keys on the client side, but it does not integrate with a hardware security module (HSM) for secure key storage and is not a cloud-native key management model; it also does not address the need for a dedicated HSM-based key management infrastructure that BYOK provides.

56
MCQ · medium

What additional security benefit does the VPC endpoint provide?

A. It encrypts data in transit.
B. It ensures data is not traversing the public internet.
C. It provides an additional layer of authentication.
D. It enables cross-region replication.
Answer: B

VPC endpoints route traffic privately, avoiding the public internet.

Why this answer

A VPC endpoint (specifically an interface or gateway endpoint) allows instances within a VPC to privately connect to supported AWS services (like S3 or DynamoDB) without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect. The core security benefit is that all traffic between the VPC and the service stays entirely within the AWS network backbone and never traverses the public internet, eliminating exposure to internet-based threats.

Exam trap

ISC2 often tests the misconception that VPC endpoints provide encryption or authentication, but the real security benefit is purely about keeping traffic off the public internet, not about adding cryptographic or identity-layer controls.

How to eliminate wrong answers

Option A is wrong because VPC endpoints do not inherently encrypt data in transit; encryption (e.g., TLS) is a separate configuration on the client side or service side, not a feature of the endpoint itself. Option C is wrong because VPC endpoints do not provide an additional layer of authentication; they rely on IAM policies and endpoint policies for access control, but the endpoint itself does not authenticate users or services beyond standard AWS authentication. Option D is wrong because VPC endpoints are used for private connectivity within a region or to a specific service, not for cross-region replication; cross-region replication is handled by services like S3 replication or RDS cross-region read replicas, not by VPC endpoints.

57
Multi-Select · hard

Which THREE statements about cryptographic key lifecycle management are correct?

Select 3 answers
A. Key usage should be logged and audited.
B. Key generation should be performed within a secure cryptographic module.
C. Key destruction should render the key irrecoverable.
D. Key backup must be encrypted and stored separately from the keys they protect.
E. Key rotation policies must ensure all data is re-encrypted with the new key immediately.
Answers: A, B, C

Logging provides accountability and helps detect unauthorized use.

Why this answer

Option A is correct because auditing key usage is a fundamental requirement for accountability and compliance in cryptographic key management. Logging every key operation (e.g., generation, encryption, decryption, signing) allows detection of unauthorized use or policy violations, and is mandated by standards like NIST SP 800-57 Part 1, which states that audit logs must be protected and reviewed regularly.

Exam trap

ISC2 often tests the misconception that key rotation requires immediate re-encryption of all existing data, when in practice it uses lazy re-encryption or key wrapping to avoid performance and availability impacts.

58
MCQ · hard

A SaaS provider stores customer data in a multi-tenant database. A new regulation requires that data of former customers be completely erased within 30 days of account closure. Which process should the provider implement?

A. Physically destroy the hard drives containing the data.
B. Mark the data as deleted and exclude it from query results.
C. Overwrite the data with zeros using a secure delete tool.
D. Encrypt each customer's data with a unique key and delete the key upon account closure.
Answer: D

Crypto-shredding ensures data is effectively unrecoverable.

Why this answer

Option D is correct because it implements cryptographic erasure, which renders the data permanently inaccessible by deleting the unique encryption key. This approach satisfies the regulation's requirement for complete erasure within 30 days without physically destroying hardware or risking data remnants, as the encrypted data becomes irrecoverable without the key. In a multi-tenant SaaS environment, this method is efficient, scalable, and avoids service disruption to other tenants sharing the same storage.

Exam trap

ISC2 often tests the distinction between logical deletion (soft delete) and cryptographic erasure, trapping candidates who think marking data as deleted or overwriting with zeros is sufficient in a multi-tenant cloud environment, where shared storage and data redundancy make physical overwrite impractical.

How to eliminate wrong answers

Option A is wrong because physically destroying hard drives is impractical for a multi-tenant database, as it would destroy data for all customers, not just former ones, and violates the principle of shared infrastructure. Option B is wrong because marking data as deleted and excluding it from query results only hides the data logically; the underlying data remains on the storage medium and could be recovered through forensic tools, failing the regulation's requirement for complete erasure. Option C is wrong because overwriting data with zeros using a secure delete tool is not feasible in a multi-tenant database environment where data is stored in shared blocks and may be subject to wear-leveling, snapshots, or copy-on-write mechanisms that prevent guaranteed overwrite of all copies.

59
MCQ · medium

A cloud security auditor is assessing a company's data classification policy for their cloud environment. Which finding would be considered a critical deficiency?

A. The data classification policy is reviewed annually.
B. The policy does not specify retention periods for each classification.
C. Employees receive data classification training once during onboarding.
D. The data classification scheme does not include labels for public, internal, confidential, and restricted.
Answer: D

Classes are essential for mapping controls to data sensitivity.

Why this answer

Without data classification labels, it is impossible to map controls to data sensitivity and enforce them consistently, so Option D is the critical deficiency. The other findings describe weaknesses worth noting, but none is as fundamental as a scheme with no labels at all.

60
MCQ · hard

A company uses a cloud-based file storage service and wants to enable client-side encryption to prevent the cloud provider from accessing plaintext data. Which of the following MUST be implemented?

A. Server-side encryption with customer-provided keys (SSE-C)
B. Envelope encryption with a master key stored on-premises
C. Transport Layer Security (TLS) for all uploads
D. Key management service (KMS) with auto-rotation
Answer: B

Envelope encryption allows client-side encryption; master key on-premises ensures provider cannot access.

Why this answer

Client-side encryption requires that encryption keys are never accessible to the cloud provider. Envelope encryption with a master key stored on-premises ensures the data encryption key (DEK) is encrypted by a master key that remains under the customer's exclusive control, so the cloud service never has the plaintext key or data. This satisfies the requirement of preventing the provider from accessing plaintext data.

Exam trap

ISC2 often tests the distinction between server-side and client-side encryption, where candidates mistakenly think SSE-C or KMS with customer keys qualifies as client-side encryption, but the key differentiator is whether the cloud provider ever has access to the plaintext key or performs any cryptographic operation on the data.

How to eliminate wrong answers

Option A is wrong because server-side encryption with customer-provided keys (SSE-C) still involves the cloud provider performing the encryption/decryption on its servers, meaning the provider temporarily accesses the plaintext key and data during processing. Option C is wrong because Transport Layer Security (TLS) protects data in transit but does not protect data at rest; once the data reaches the cloud provider's servers, it is decrypted and stored in plaintext unless additional encryption is applied. Option D is wrong because a key management service (KMS) with auto-rotation typically stores the master key in the cloud provider's infrastructure, giving the provider potential access to the key material and thus the plaintext data.

61
MCQ · hard

A multinational corporation uses a cloud access security broker (CASB) to enforce data protection policies across multiple SaaS applications. They discover that sensitive data tagged with 'Confidential' is being shared externally via a file-sharing application. The CASB currently only logs activities. Which action should the security team take to prevent such data loss in the future?

A. Encrypt all files stored in the file-sharing application.
B. Revoke user access to the file-sharing application for all employees.
C. Train employees on data handling policies.
D. Implement a DLP policy that automatically blocks sharing of documents with the 'Confidential' label.
Answer: D

Directly prevents the identified data loss scenario.

Why this answer

Option D is correct because a CASB with Data Loss Prevention (DLP) capabilities can enforce real-time policies to block sharing of documents tagged with a specific sensitivity label (e.g., 'Confidential'). Since the CASB currently only logs activities, implementing a DLP policy that automatically blocks the sharing action addresses the root cause—preventing the data loss at the point of egress—rather than merely detecting it after the fact.

Exam trap

ISC2 often tests the distinction between detection (logging) and prevention (blocking), and the trap here is that candidates may choose training (Option C) as a 'best practice' without recognizing that the question explicitly asks for a technical action to prevent data loss, which requires an automated enforcement mechanism like DLP.

How to eliminate wrong answers

Option A is wrong because encrypting all files in the file-sharing application does not prevent sharing; encryption protects data at rest but does not control who can access or share the decrypted content. Option B is wrong because revoking access for all employees is an overly drastic measure that disrupts business operations and does not address the need for granular, policy-based control over specific data labels. Option C is wrong because training employees on data handling policies is a preventive administrative control, but it does not provide a technical enforcement mechanism to automatically block sharing of 'Confidential' documents in real time, leaving the organization reliant on human compliance.

62
MCQ · hard

An organization uses cloud databases and needs to protect sensitive fields such as credit card numbers. They want to preserve the ability to perform exact match searches and joins on these fields. Which data protection technique best meets these requirements?

A. Tokenization with a secure token vault
B. Format-preserving encryption (FPE)
C. Dynamic data masking
D. Deterministic encryption
Answer: A

Tokens can be designed to preserve format and allow exact match joins.

Why this answer

Tokenization with a secure token vault is correct because it replaces sensitive data (e.g., credit card numbers) with unique, randomly generated tokens that have no mathematical relationship to the original values. The token vault stores the mapping, allowing exact match searches and joins on the tokens while keeping the original data secure, as the tokens are consistent for the same input value.

Exam trap

ISC2 often tests the distinction between tokenization and deterministic encryption, where candidates mistakenly choose deterministic encryption because it also supports exact match searches, but they overlook that tokenization provides stronger security by removing the mathematical link between the token and the original data, making it resistant to key compromise and frequency analysis.

How to eliminate wrong answers

Option B (Format-preserving encryption) is wrong because FPE produces ciphertext that preserves the original format but is still encrypted, meaning it does not eliminate the risk of exposing sensitive data if the encryption key is compromised, and it may not be suitable for all cloud environments where key management is complex. Option C (Dynamic data masking) is wrong because it only hides data from unauthorized users at query time without changing the underlying stored data, so it does not protect the data at rest and cannot prevent access to the original values if the masking rules are bypassed. Option D (Deterministic encryption) is wrong because while it allows exact match searches by always producing the same ciphertext for a given plaintext, it is vulnerable to frequency analysis attacks and does not provide the same level of security as tokenization, as the encrypted values are still mathematically reversible with the key.

63
Multi-Select · hard

Which THREE of the following are key components of a cloud data governance framework?

Select 3 answers
A. Data retention policies
B. Data access controls
C. Data masking
D. Data classification
E. Data encryption at rest
Answers: A, B, D

Policies define how long data is kept and when to delete.

Why this answer

Data retention policies are a key component of a cloud data governance framework because they define the lifecycle of data, specifying how long data must be kept and when it should be securely deleted. This ensures compliance with legal, regulatory, and business requirements, such as GDPR or HIPAA, and prevents unnecessary storage costs and security risks from outdated data.

Exam trap

ISC2 often tests the distinction between governance components (policies, roles, processes) and technical security controls (encryption, masking), leading candidates to mistakenly select data masking or encryption as governance framework elements.

64
MCQ · easy

A company uses a cloud storage service to store sensitive customer data. They need to ensure that data is encrypted at rest using keys managed by the cloud provider. Which encryption model should they use?

A. Server-Side Encryption with S3-Managed Keys (SSE-S3)
B. Server-Side Encryption with AWS KMS (SSE-KMS)
C. Client-Side Encryption (CSE)
D. Server-Side Encryption with Customer-Provided Keys (SSE-C)
Answer: A

SSE-S3 uses cloud provider-managed keys.

Why this answer

The requirement specifies that the cloud provider manages the encryption keys. SSE-S3 uses keys that are entirely managed by AWS (S3) for encrypting data at rest, with each object encrypted by a unique key that is itself encrypted by a regularly rotated master key. This aligns perfectly with the scenario where the customer does not want to manage keys.

Exam trap

ISC2 often tests the distinction between 'provider-managed keys' (SSE-S3) and 'customer-managed keys' (SSE-KMS or SSE-C), where candidates mistakenly choose SSE-KMS because it offers more control, but the question explicitly requires keys managed solely by the provider.

How to eliminate wrong answers

Option B is wrong because SSE-KMS uses AWS KMS keys, which are still managed by the cloud provider but offer additional control (e.g., key rotation policies, audit trails) and are not the default 'provider-managed' model; the question explicitly asks for keys managed by the cloud provider, and SSE-S3 is the simplest provider-managed option. Option C is wrong because Client-Side Encryption (CSE) requires the customer to encrypt data before uploading, meaning the customer manages the keys, not the cloud provider. Option D is wrong because SSE-C requires the customer to provide their own encryption keys, which the cloud provider uses temporarily but does not manage or store; the customer retains full key management responsibility.

65
MCQ · easy

What does this bucket policy enforce?

A. The policy denies all uploads unless they use SSE-KMS.
B. All objects must be encrypted with a specific KMS key.
C. Any object uploaded without encryption will be denied.
D. Only objects encrypted with SSE-S3 are allowed.
Answer: A

The Deny effect applies when the encryption is not 'aws:kms'.

Why this answer

The bucket policy uses a Condition block with `s3:x-amz-server-side-encryption` set to `aws:kms`, which means any upload must include the `x-amz-server-side-encryption` header with the value `aws:kms`. If the header is missing or set to any other value (e.g., `AES256` for SSE-S3), the request is denied. This enforces that all uploads use SSE-KMS, but does not require a specific KMS key unless a `kms:EncryptionContext` or `kms:KeyArn` condition is also present.

Exam trap

ISC2 often tests the distinction between 'requiring SSE-KMS' and 'requiring a specific KMS key'—candidates mistakenly think that any SSE-KMS condition implies a specific key, but the policy only checks the encryption type, not the key ARN.

How to eliminate wrong answers

Option B is wrong because the policy does not specify a particular KMS key ARN or ID in the Condition block; it only requires the encryption type to be `aws:kms`, not a specific key. Option C is wrong because it describes only part of the policy's effect: an upload with no encryption header is indeed denied, but so is any upload whose `x-amz-server-side-encryption` header carries a value other than `aws:kms` (such as `AES256` for SSE-S3), so the policy enforces SSE-KMS specifically rather than merely rejecting unencrypted objects. Option D is wrong because the policy explicitly requires `aws:kms`, not `AES256` (SSE-S3), so objects encrypted with SSE-S3 would be denied.

66
MCQ · easy

A cloud architect needs to protect data in transit between an on-premises data center and a cloud virtual private cloud (VPC). Which solution is MOST appropriate?

A. SSL certificate on web server
B. TLS for each application
C. VPN with IPsec
D. Direct Connect without encryption
Answer: C

IPsec VPN encrypts all traffic between sites.

Why this answer

An IPsec VPN is the most appropriate solution for protecting data in transit between an on-premises data center and a cloud VPC because it provides network-layer encryption and authentication for all IP traffic between the two sites. IPsec operates at Layer 3, securing the entire tunnel without requiring per-application configuration, and is designed specifically for site-to-site connectivity. This ensures confidentiality, integrity, and replay protection for all data traversing the public internet or a direct connect link.

Exam trap

ISC2 often tests the misconception that TLS or SSL is sufficient for all data-in-transit scenarios, but the trap here is that TLS is application-layer and cannot secure non-HTTP traffic or provide a site-to-site tunnel, whereas IPsec is the correct network-layer solution for connecting entire networks.

How to eliminate wrong answers

Option A is wrong because an SSL certificate on a web server only protects HTTP traffic (Layer 7) and does not secure other protocols or the entire data stream between the data center and VPC. Option B is wrong because implementing TLS for each application is application-specific, requires individual configuration per service, and does not provide a unified, network-level security boundary for all traffic between the two sites. Option D is wrong because Direct Connect without encryption leaves all data in transit unencrypted, exposing it to potential interception or tampering, and does not meet the requirement to protect data in transit.

67
MCQ · hard

A cloud application processes credit card numbers. To reduce PCI DSS scope, the company wants to remove the original PAN from its databases and use a surrogate value that can be reversed only by a privileged application. Which data protection technique should they use?

A. Truncation of the first 6 and last 4 digits
B. Dynamic data masking in the application tier
C. Tokenization using a cloud-based token vault
D. Symmetric encryption with a key stored in the database
Answer: C

Tokenization replaces PAN with a token and the token vault controls detokenization.

Why this answer

Tokenization replaces the original PAN with a randomly generated surrogate value (token) that has no mathematical relationship to the original data. The token can be reversed only by a privileged application that has access to the token vault, which stores the mapping between tokens and actual PANs. This effectively removes the PAN from the application's databases, reducing PCI DSS scope because the tokenized data is not considered sensitive cardholder data.

Exam trap

ISC2 often tests the distinction between tokenization and encryption, where candidates mistakenly choose symmetric encryption (Option D) because they think encryption alone removes data from scope, but PCI DSS requires that the decryption key be stored separately from the encrypted data, and even then, encrypted PANs are still considered cardholder data unless the key is managed by a third-party service.

How to eliminate wrong answers

Option A is wrong because truncation (showing only the last 4 digits) still leaves the full PAN stored elsewhere in the system, and the truncated value cannot be reversed to recover the original PAN, so it does not meet the requirement for a reversible surrogate value. Option B is wrong because dynamic data masking only hides data at query time from unauthorized users, but the original PAN remains stored in the database, so it does not remove the PAN from databases or reduce PCI DSS scope. Option D is wrong because symmetric encryption with a key stored in the database keeps the key co-located with the ciphertext, violating the principle of separation of duties and failing to reduce PCI DSS scope, as the encrypted data is still considered cardholder data under PCI DSS requirements.

68
MCQ · medium

A company uses cloud storage for sensitive data and wants to ensure that the cloud provider cannot access their encryption keys. Which approach should they implement?

A. Cloud KMS with software keys
B. Cloud KMS with hardware keys
C. Cloud HSM
D. Cloud External Key Manager (EKM)
Answer: D

EKM allows customers to store keys outside the cloud provider, preventing provider access.

Why this answer

Cloud External Key Manager (EKM) allows the customer to manage and store encryption keys outside the cloud provider's infrastructure, often in an on-premises HSM or a third-party key management system. This ensures the cloud provider never has access to the plaintext keys, meeting the requirement that the provider cannot access the encryption keys. EKM typically uses protocols like PKCS#11 or KMIP to allow the cloud service to perform cryptographic operations without exposing the keys to the provider.

Exam trap

ISC2 often tests the distinction between 'cloud-managed' and 'customer-managed' keys, where candidates mistakenly think that using hardware keys (HSM) automatically prevents provider access, but the trap is that provider-managed HSMs still give the provider administrative control over the hardware.

How to eliminate wrong answers

Option A is wrong because Cloud KMS with software keys stores keys within the cloud provider's infrastructure, and the provider can potentially access them, especially if the keys are managed by the provider's software. Option B is wrong because Cloud KMS with hardware keys still stores keys in the cloud provider's HSM, meaning the provider has logical access and control over the key management process, even if the keys are in hardware. Option C is wrong because Cloud HSM, while providing dedicated hardware security modules, is still managed by the cloud provider, and the provider retains administrative access to the HSMs, which could allow them to access keys if they chose to.

69
MCQ · medium

A healthcare organization uses a cloud-based electronic health record system. Patient data is encrypted at rest using server-side encryption with AWS KMS keys. The security team notices that during a recent security incident, an attacker used compromised credentials to decrypt and exfiltrate a large number of patient records. The attacker performed decryption operations using the KMS API, which was logged in CloudTrail. The organization wants to implement additional controls to prevent such bulk decryption in the future while still allowing authorized access. Which of the following is the BEST course of action?

A. Implement a key vault with an access broker that requires multi-factor authentication for each decryption request.
B. Change the encryption to client-side encryption using keys stored on-premises.
C. Create a KMS key policy that requires a condition for a specific IP range or VPC endpoint.
D. Enable automatic key rotation on the KMS key.
Answer: A

MFA adds strong authentication for each decryption, preventing bulk decryption even with compromised credentials.

Why this answer

Option A is correct because implementing a key vault with an access broker that requires multi-factor authentication for each decryption request directly addresses the root cause: compromised credentials. By requiring MFA per decryption operation, even if an attacker steals credentials, they cannot perform bulk decryption without also bypassing the MFA challenge for each API call. This control operates at the application layer, independent of the KMS key policy, and provides granular, per-request authorization.

Exam trap

ISC2 often tests the misconception that network-layer controls (like IP restrictions) or key rotation are sufficient to prevent unauthorized decryption, when in fact they do not address the core issue of compromised credentials being used to make legitimate API calls.

How to eliminate wrong answers

Option B is wrong because moving to client-side encryption with on-premises keys does not prevent bulk decryption if the attacker compromises the client application or the key management system; it also introduces key availability and latency issues for a cloud-based EHR system. Option C is wrong because restricting decryption to a specific IP range or VPC endpoint does not stop an attacker who uses compromised credentials from a legitimate IP or VPC; it only limits the network path, not the authorization of the request. Option D is wrong because automatic key rotation does not prevent an attacker from using compromised credentials to decrypt data with the current key; rotation only limits the window of exposure for future data, not the ability to decrypt already-encrypted records.

70
MCQ · hard

A company's cloud storage bucket policy inadvertently allowed anonymous users to list and read objects. After discovering the exposure, the security team has corrected the policy. Which additional step is critical to prevent recurrence?

A. Enable logging and monitoring to detect similar exposures.
B. Assign a dedicated security team to manually approve all policy changes.
C. Review all existing bucket policies and correct any other misconfigurations.
D. Implement automated policy validation as part of the infrastructure as code deployment process.
Answer: D

Automated checks in CI/CD prevent misconfigured policies from being applied.

Why this answer

Option D is correct because implementing automated policy validation as part of the infrastructure as code (IaC) deployment process ensures that any bucket policy changes are automatically checked against security rules before they are applied. This prevents misconfigurations like allowing anonymous access from reaching production, addressing the root cause rather than just reacting after exposure. In cloud environments like AWS S3, tools such as AWS CloudFormation with cfn-nag or Terraform with Sentinel can enforce policies programmatically, eliminating human error in manual reviews.

Exam trap

ISC2 often tests the distinction between detective controls (logging/monitoring) and preventive controls (automated validation in IaC), and the trap here is that candidates choose option A because they think monitoring is sufficient, but the question specifically asks for a step to 'prevent recurrence,' which requires a preventive control.

How to eliminate wrong answers

Option A is wrong because enabling logging and monitoring detects exposures after they occur but does not prevent recurrence; it is a detective control, not a preventive one. Option B is wrong because assigning a dedicated security team to manually approve all policy changes is impractical at scale, introduces delays, and still relies on human review which can miss subtle misconfigurations like a missing condition key in an S3 bucket policy. Option C is wrong because reviewing all existing bucket policies is a one-time remediation step that does not prevent future misconfigurations; it lacks the automated, continuous enforcement needed to stop recurrence.

71
MCQ · easy

A small business uses a cloud file storage service to share project files with external partners. They have enabled versioning on the bucket, and each partner has a unique folder. The security team discovers that a former employee, who had administrative access, deleted all files in a partner's folder and then deleted the folder. The bucket's versioning allows restoration of the files, but the folder deletion cannot be undone. The business wants to prevent similar incidents in the future while still allowing external partners to upload and download files. Which approach should be taken?

A. Use bucket policies to prevent deletion of objects by anyone except a specific admin group, and use lifecycle policies to manage temporary files.
B. Use object lock with compliance mode to prevent object deletion or overwrites.
C. Enable MFA Delete on the bucket.
D. Disable versioning and implement a backup process.
Answer: B

Compliance mode locks objects irrevocably, preventing any deletion.

Why this answer

Option B is correct because Object Lock with compliance mode prevents any object from being deleted or overwritten by any user, including the root account, for the specified retention period. This directly addresses the requirement to prevent file deletion while still allowing partners to upload and download files, as versioning remains enabled and folder structure can be recreated.

Exam trap

ISC2 often tests the distinction between MFA Delete (which only adds an authentication step but does not prevent deletion by authorized users) and Object Lock (which provides immutable protection against deletion or overwrites).

How to eliminate wrong answers

Option A is wrong because bucket policies can restrict deletion but do not prevent a user with administrative access (like the former employee) from modifying the policy or bypassing it, and lifecycle policies manage temporary files but do not prevent deletion. Option C is wrong because MFA Delete only requires multi-factor authentication for delete operations, but a former employee with administrative credentials could still authenticate and delete objects if they have MFA access, and it does not prevent folder deletion. Option D is wrong because disabling versioning and implementing a backup process would remove the ability to restore previous versions and does not prevent deletion; backups are reactive, not preventive.

72
Multi-Select · medium

A cloud security architect is designing a data loss prevention (DLP) strategy for a multi-cloud environment. Which TWO actions are effective in preventing unauthorized exfiltration of sensitive data?

Select 2 answers
A. Enable detailed logging and monitoring of all data access events
B. Encrypt all data at rest using provider-managed keys
C. Use a cloud access security broker (CASB) to enforce data classification
D. Implement strict Identity and Access Management (IAM) policies with least privilege
E. Deploy DLP tools to inspect outbound traffic for sensitive data patterns
Answers: D, E

Least privilege limits access to sensitive data, reducing exfiltration risk.

Why this answer

Option D is correct because implementing strict IAM policies with least privilege ensures that users and services have only the minimum permissions necessary to perform their functions. This directly limits the attack surface and prevents unauthorized access to sensitive data, which is a foundational control against exfiltration. Without least privilege, even with other controls in place, an over-privileged account could be exploited to move or copy data out of the environment.

Exam trap

ISC2 often tests the distinction between preventive and detective controls, and the trap here is that candidates confuse monitoring (detective) or encryption (protective but not preventive against exfiltration by authorized users) with direct prevention mechanisms like least privilege and DLP content inspection.

73
Multi-Select · hard

Which THREE controls help protect data in use within a cloud environment? (Choose three.)

Select 3 answers
A. Confidential computing
B. Tokenization
C. Access control lists
D. Secure enclaves (e.g., Intel SGX)
E. Homomorphic encryption
Answers: A, D, E

Encrypts data in use in memory.

Why this answer

Confidential computing protects data in use by executing computations within a hardware-based Trusted Execution Environment (TEE), such as Intel SGX or AMD SEV, which isolates the data and code from the host operating system and hypervisor. This ensures that even privileged users or cloud administrators cannot access the plaintext data while it is being processed in memory.

Exam trap

ISC2 often tests the distinction between data-at-rest, data-in-transit, and data-in-use controls, and the trap here is that candidates confuse tokenization (which protects data at rest) or access control lists (which protect data at rest/in transit) with technologies that specifically protect data during active processing in memory.

74
MCQ · medium

An enterprise uses a cloud-based relational database service (e.g., AWS RDS) to store customer order data. The database is encrypted at rest using the cloud provider's default encryption. The security team is concerned about the risk of a rogue database administrator (DBA) exfiltrating data by creating unencrypted backups or snapshots and moving them to a different account. Which of the following controls would BEST mitigate this risk while maintaining operational efficiency?

A. Use a customer-managed key (CMK) in KMS and configure the database to use that key for encryption, and restrict the DBA's IAM permissions to prevent using the key on snapshots.
B. Disable the ability for any user to create database snapshots.
C. Implement database activity monitoring (DAM) to alert on snapshot creation.
D. Enable automatic snapshot encryption and ensure that only the database service role can access snapshots.
Answer: A

Ensures snapshots are encrypted and that the DBA cannot decrypt them without permission to use the key.

Why this answer

Option A is correct because using a customer-managed key (CMK) in AWS KMS allows the organization to attach a key policy that explicitly denies the DBA's IAM role the kms:Decrypt permission on the CMK when used with snapshot operations. This prevents the DBA from creating an unencrypted snapshot or from copying an encrypted snapshot to another account, as the snapshot would remain encrypted with the CMK and the DBA cannot decrypt it. This maintains operational efficiency because the DBA can still perform routine database management tasks (e.g., creating backups) but cannot exfiltrate data via snapshots.

Exam trap

ISC2 often tests the misconception that enabling automatic encryption or monitoring alone is sufficient to prevent data exfiltration by a privileged insider, when in reality only a combination of customer-managed keys with strict key policies and IAM permission boundaries can block the DBA's ability to decrypt or re-encrypt snapshots for exfiltration.

How to eliminate wrong answers

Option B is wrong because completely disabling snapshot creation would break critical operational processes such as automated backups, point-in-time recovery, and disaster recovery, making it an impractical and overly restrictive control. Option C is wrong because database activity monitoring (DAM) only provides alerting after the fact; it does not prevent a rogue DBA from successfully exfiltrating data via unencrypted snapshots, as the DBA could still create and move the snapshot before the alert is acted upon. Option D is wrong because enabling automatic snapshot encryption does not prevent the DBA from creating a snapshot that is encrypted with a key they can access (e.g., the default AWS managed key), and restricting access to only the database service role does not stop a DBA with elevated IAM permissions from assuming that role or using their own permissions to copy the snapshot to another account.

75
Multi-Select · easy

Which TWO data lifecycle stages are most critical for applying encryption controls in a cloud object storage service? (Choose two.)

Select 2 answers
A. Data in transit
B. Data in use
C. Data deletion
D. Data at rest
E. Data creation
Answers: A, D

Encryption protects data during API calls.

Why this answer

Data at rest and data in transit are the lifecycle stages where encryption is typically applied in object storage. Encryption of data in use is not fully supported by object storage services. Creation and deletion are events, not states.
