CCNA Cloud Platform Infra Questions

44 questions · Cloud Platform Infra topic · All types, answers revealed

1
MCQ · medium

A company uses a cloud provider's key management service. They want to rotate keys automatically every 90 days. What is the correct way to achieve this?

A. Enable automatic key rotation in the KMS settings.
B. Manually update the key alias each quarter.
C. Create a new key and update all applications to use it.
D. Use a third-party HSM.
Answer: A

Automatic rotation meets the requirement with minimal effort.

Why this answer

Option A is correct because cloud KMS services (e.g., AWS KMS, Azure Key Vault, GCP Cloud KMS) offer a built-in automatic key rotation feature that can be configured to rotate the key material every 90 days without any manual intervention. Enabling this setting ensures that new cryptographic material is generated for the key, while the old key material remains available for decrypting data encrypted with it, maintaining seamless security compliance.

Exam trap

ISC2 often tests the misconception that updating a key alias or creating a new key manually is equivalent to automatic rotation, when in fact automatic rotation is a specific KMS feature that preserves key continuity and requires no application changes.

How to eliminate wrong answers

Option B is wrong because updating a key alias does not change the underlying key material; it only reassigns a friendly name to the same key, so it does not achieve rotation. Option C is wrong because creating a new key and updating all applications to use it is a manual, error-prone process that defeats the purpose of automated rotation and can cause decryption failures if old data is not re-encrypted. Option D is wrong because a third-party HSM (Hardware Security Module) is used for generating and storing keys outside the cloud KMS, but it does not provide automatic key rotation; rotation would still need to be implemented separately.

2
MCQ · hard

Refer to the exhibit. A cloud administrator sees this error when trying to provision an EC2 instance. Which is the best course of action?

A. Launch the instance in a different Availability Zone.
B. Create a new VPC and try again.
C. Wait 24 hours for capacity to become available.
D. Increase the instance size to a larger type.
Answer: A

Different AZs may have available capacity.

Why this answer

The error indicates an 'InsufficientInstanceCapacity' failure, which means the specific Availability Zone lacks enough resources (e.g., CPU, memory, or network capacity) to launch the requested EC2 instance type. The best course of action is to launch the instance in a different Availability Zone within the same region, as capacity constraints are typically zone-specific and not region-wide. This approach avoids unnecessary VPC creation or waiting, and it directly addresses the resource scarcity at the zone level.

Exam trap

ISC2 often tests the misconception that capacity errors are region-wide or can be fixed by modifying the VPC or instance size, when in fact the solution is to change the Availability Zone or instance family to access unused capacity pools.

How to eliminate wrong answers

Option B is wrong because creating a new VPC does not resolve the underlying capacity shortage; the VPC is a logical network container, and the error is a physical resource constraint in the specific Availability Zone. Option C is wrong because waiting 24 hours is not a reliable or recommended practice; capacity may not become available within that timeframe, and AWS does not guarantee replenishment on a fixed schedule. Option D is wrong because increasing the instance size (e.g., from t2.micro to t2.medium) would likely require even more resources, exacerbating the capacity issue rather than solving it, and the error is about the specific instance type requested, not its size.

3
MCQ · easy

A company wants to enforce that all EC2 instances launched in a specific AWS account are tagged with the key "Environment" and "Owner". What is the most effective way to enforce this policy?

A. Use AWS Resource Groups to create a group that filters tagged instances.
B. Enable CloudTrail to monitor instance launches and alert on missing tags.
C. Apply a service control policy (SCP) that requires tags on resource creation.
D. Configure AWS Config rules to automatically tag untagged instances.
Answer: C

SCPs can use condition keys like aws:RequestTag to require tags, preventing creation of untagged resources.

Why this answer

Option C is correct because AWS Organizations Service Control Policies (SCPs) can be applied at the account level to deny the creation of EC2 instances that do not include the required 'Environment' and 'Owner' tags. SCPs are evaluated before the resource is created, providing a preventive control that blocks non-compliant launches at the API level, unlike detective or reactive approaches.

Exam trap

ISC2 often tests the distinction between preventive controls (SCPs) and detective/reactive controls (AWS Config, CloudTrail), and the trap here is that candidates confuse AWS Config's auto-remediation with true enforcement, not realizing that Config only acts after the resource is created.

How to eliminate wrong answers

Option A is wrong because AWS Resource Groups are used to organize and manage resources based on tags, but they do not enforce tagging policies or prevent untagged instances from being launched. Option B is wrong because CloudTrail is an auditing service that logs API calls; it can alert on missing tags after the fact but does not prevent the creation of untagged instances. Option D is wrong because AWS Config rules are detective and can trigger auto-remediation to tag instances after creation, but they do not enforce the policy at the time of launch, leaving a window where untagged instances exist and may be used.

4
MCQ · easy

A financial services company uses a public IaaS provider to host its customer-facing applications. They have strict compliance requirements (e.g., PCI DSS) mandating that all customer data be encrypted at rest and in transit. The cloud provider recently performed a scheduled hypervisor update that required live migration of all customer VMs to different physical hosts to apply security patches. After the migration, the company's security team discovers that temporary files from one of their VMs remained on the original host's local storage and were accessible by another customer's VM that was subsequently provisioned on that host. Although the files did not contain actual customer data because the VM had encrypted its volumes, the security team is concerned about potential data remanence. Which of the following actions would BEST prevent such data remanence in future hypervisor migrations?

A. Request dedicated (single-tenant) hosts for all VMs.
B. Enable full-disk encryption on all VMs.
C. Perform a secure wipe of the original host after each migration.
D. Use encrypted live migration for all VM moves.
Answer: B

Full-disk encryption protects data at rest, making residual data unreadable even if not securely erased.

Why this answer

Option B is correct because full-disk encryption ensures that any residual data left on the original host's local storage after live migration is unreadable without the encryption key. Even if temporary files remain, encryption at rest renders the data inaccessible, directly addressing data remanence concerns without relying on the cloud provider's cleanup processes.

Exam trap

ISC2 often tests the distinction between data remanence prevention (encryption at rest) and data-in-transit protection (encrypted migration), leading candidates to mistakenly choose encrypted live migration when the real issue is residual data left on the source host.

How to eliminate wrong answers

Option A is wrong because dedicated (single-tenant) hosts isolate VMs from other customers but do not prevent data remanence on the host's local storage after migration; residual files can still persist and be accessible to the same tenant's future VMs or during host reuse. Option C is wrong because the customer cannot perform a secure wipe of the original host after each migration; in a public IaaS model, the cloud provider controls the hypervisor and physical host, and customers lack the privileges or access to execute such operations. Option D is wrong because encrypted live migration protects data in transit during the VM move but does not address data at rest left behind on the source host's local storage; it prevents interception of the migration stream, not residual files.

5
Drag & Drop · medium

Drag and drop the steps for implementing a disaster recovery plan using cross-region replication in AWS into the correct order.


Why this order

Start with enabling replication, then IAM roles, automation templates, testing, and documentation.

6
MCQ · easy

A financial services company is migrating its on-premises data center to a public cloud IaaS environment. During the transition, the security team must ensure that the same network segmentation and firewall rules are maintained. Which of the following is the BEST approach to replicate the on-premises network security controls in the cloud?

A. Configure a site-to-site VPN between on-premises and cloud to extend the existing network.
B. Use virtual private clouds (VPCs) with subnets and security groups to enforce segmentation and firewall rules.
C. Implement an intrusion detection and prevention system (IDPS) to monitor traffic.
D. Deploy a software-defined WAN (SD-WAN) to manage network traffic between cloud resources.
Answer: B

VPCs and security groups directly replicate network segmentation and firewall controls.

Why this answer

Option B is correct because VPCs with subnets and security groups provide native, software-defined network segmentation and stateful firewall rules that directly replicate on-premises network segmentation and ACLs. Security groups act as virtual firewalls at the instance level, while network ACLs provide subnet-level stateless filtering, together enabling granular control without extending the on-premises network.

Exam trap

The trap here is that candidates often confuse extending the network via VPN (Option A) with replicating segmentation, not realizing that VPNs merge networks rather than isolating them, while VPCs provide the necessary logical isolation and granular firewall controls.

How to eliminate wrong answers

Option A is wrong because a site-to-site VPN extends the on-premises network into the cloud, which does not replicate segmentation and firewall rules but instead merges the networks, potentially breaking isolation and requiring additional routing and firewall policies. Option C is wrong because an IDPS monitors and alerts on malicious traffic but does not enforce network segmentation or firewall rules; it is a detection control, not a preventive control for segmentation. Option D is wrong because SD-WAN optimizes traffic routing and bandwidth across WAN links but does not provide network segmentation or firewall rule enforcement within the cloud environment.

7
Multi-Select · medium

A cloud security team is designing a defense-in-depth strategy for a web application. Which TWO of the following are effective network-level security controls? (Choose two.)

Select 2 answers
A. CloudTrail
B. Network ACLs
C. IAM policies
D. Web Application Firewall (WAF)
E. Security groups
Answers: B, E

NACLs are stateless firewall rules at the subnet level.

Why this answer

Network ACLs (Option B) are a stateless, subnet-level firewall that filters traffic based on rules evaluating source/destination IP, protocol, and port. They operate at Layer 3/4 of the OSI model, making them an effective network-level security control for defense-in-depth by providing a first line of perimeter defense.

Exam trap

The trap here is confusing application-layer controls (WAF) or identity controls (IAM) with network-layer controls, or mistaking CloudTrail (a logging service) for a network security control.

8
MCQ · easy

A company's security policy requires that all data stored in the cloud must be encrypted at rest. The cloud provider offers server-side encryption with either cloud-managed keys or customer-managed keys (CMK). Which additional control should the company implement to ensure that the CMK is not compromised and that access is auditable?

A. Enable automatic key rotation and configure detailed audit logging for the key management service.
B. Implement a VPN for all management traffic to the cloud provider's API.
C. Enable multi-factor authentication (MFA) for all cloud console users.
D. Use encryption in transit (TLS) for all data transfers to and from the cloud.
Answer: A

Key rotation and audit logs are essential controls for CMK security.

Why this answer

Option A is correct because enabling automatic key rotation reduces the risk of key compromise by limiting the exposure window of any single key, while detailed audit logging for the key management service (e.g., AWS CloudTrail for KMS, Azure Monitor for Key Vault) provides an immutable record of all key usage and administrative actions. This combination ensures that even if a CMK is exposed, the window of vulnerability is minimized, and any unauthorized access or misuse is detectable through logs. Without these controls, the customer-managed key could remain static for long periods, increasing risk, and access events would not be auditable, violating the policy requirement.

Exam trap

ISC2 often tests the distinction between controls that protect the key itself (rotation and auditing) versus controls that protect the channel or user access (VPN, MFA, TLS), leading candidates to confuse network or identity safeguards with key management safeguards.

How to eliminate wrong answers

Option B is wrong because a VPN for management traffic protects data in transit to the cloud provider's API but does not address the security or auditability of the customer-managed key itself; it is a network-level control unrelated to key compromise or auditing. Option C is wrong because multi-factor authentication (MFA) for cloud console users protects against unauthorized account access but does not directly secure the CMK or provide audit logging for key usage; it is an identity control, not a key management control. Option D is wrong because encryption in transit (TLS) protects data during transfer but does not affect the security of the key at rest or provide audit trails for key access; it is a data protection control, not a key management control.

9
MCQ · medium

An organization requires that all data at rest in a cloud storage service be encrypted using a key that is managed entirely on-premises and never exposed to the cloud provider. The organization wants to use server-side encryption. Which approach should be used?

A. Use server-side encryption with a key stored in the cloud provider's key management service (KMS).
B. Use server-side encryption with a customer-provided key (SSE-C).
C. Use server-side encryption with a cloud-managed key (SSE-S3).
D. Use client-side encryption where the application encrypts data before sending it to the cloud.
Answer: B

SSE-C encrypts data at rest using a key that you provide; the cloud does not store the key.

Why this answer

Server-side encryption with customer-provided keys (SSE-C) allows the organization to encrypt data at rest in the cloud while retaining full control of the encryption keys on-premises. With SSE-C, the customer provides the encryption key with each API request, and the cloud service uses it to encrypt/decrypt the data server-side, but the key is never stored by the provider. This meets the requirement of keeping the key entirely on-premises and never exposed to the cloud provider.

Exam trap

ISC2 often tests the distinction between server-side and client-side encryption, and candidates may mistakenly choose client-side encryption (Option D) because it keeps keys on-premises, but the question specifically requires server-side encryption, making SSE-C the only correct option.

How to eliminate wrong answers

Option A is wrong because using a key stored in the cloud provider's KMS means the provider manages and stores the key, which violates the requirement that the key never be exposed to the cloud provider. Option C is wrong because SSE-S3 uses a cloud-managed key that is fully controlled and stored by the provider, again exposing the key to the cloud. Option D is wrong because client-side encryption encrypts data before it is sent to the cloud, which is not server-side encryption; the question explicitly requires server-side encryption.

10
Multi-Select · medium

A security architect is designing network segmentation for a multi-tier application in the cloud. Which TWO configurations help enforce micro-segmentation? (Choose two.)

Select 2 answers
A. Allow all traffic from the internet.
B. Use a bastion host for all administrative access.
C. Use a single network ACL for all subnets.
D. Deploy a virtual firewall between tiers.
E. Implement security groups per application tier.
Answers: D, E

A virtual firewall enforces segmentation and inspection.

Why this answer

Option D is correct because deploying a virtual firewall between tiers (e.g., between web, application, and database tiers) enforces micro-segmentation by inspecting and controlling east-west traffic at the application layer. This allows granular, stateful filtering of traffic based on specific protocols, ports, and even application-level attributes, preventing lateral movement of threats within the cloud environment.

Exam trap

ISC2 often tests the distinction between coarse network controls (like a single ACL) and granular micro-segmentation mechanisms (like virtual firewalls or security groups), trapping candidates who confuse a bastion host or broad ACLs with proper tier isolation.

11
MCQ · easy

A small business recently migrated its file server to a cloud storage service like Amazon S3. They use bucket policies to control access. The IT manager, who is not a security expert, configured the bucket policy to allow all users within the company's AWS account to have read and write access. During an internal audit, it was discovered that the bucket also had a public ACL that allowed 'Everyone' to read objects. The security analyst needs to fix the misconfiguration and prevent future occurrences. Which of the following actions should the analyst take first?

A. Delete the bucket and recreate it with default private settings.
B. Set up a notification to alert when bucket policies change.
C. Remove the public ACL and update the bucket policy to enforce least privilege.
D. Enable bucket versioning to recover from accidental public exposure.
Answer: C

Directly fixes the public exposure and tightens access.

Why this answer

Option C is correct because the immediate priority is to remediate the active vulnerability by removing the public ACL that grants 'Everyone' read access, then updating the bucket policy to enforce least privilege for the company's AWS account. This directly addresses the misconfiguration and aligns with the principle of denying public access by default, which is a core security best practice for cloud storage services like Amazon S3.

Exam trap

ISC2 often tests the misconception that deleting and recreating a resource is the safest or quickest fix, when in reality the proper remediation is to modify the existing access controls without destroying the resource.

How to eliminate wrong answers

Option A is wrong because deleting and recreating the bucket is an unnecessarily destructive and time-consuming approach; the misconfiguration can be fixed by simply removing the public ACL and adjusting the bucket policy, and it does not address the root cause of why the public ACL was allowed in the first place. Option B is wrong because setting up a notification for bucket policy changes is a detective control that would alert on future changes, but it does not fix the current public ACL exposure; the immediate action must be to remediate the existing vulnerability. Option D is wrong because enabling bucket versioning helps recover from accidental deletion or overwrite of objects, but it does not prevent or fix public access; versioning does not affect access control permissions and would not remove the existing public ACL.

12
Multi-Select · hard

An organization is migrating critical workloads to the cloud and must ensure data confidentiality. Which THREE of the following practices help protect data in transit? (Choose three.)

Select 3 answers
A. Implementing IPsec VPNs
B. Using HTTPS for web applications
C. Applying service control policies (SCPs)
D. Enabling server-side encryption (SSE) for data at rest
E. Using SSL/TLS for application traffic
Answers: A, B, E

IPsec encrypts IP packets for site-to-site connectivity.

Why this answer

IPsec VPNs encrypt IP packets at the network layer, providing end-to-end confidentiality and integrity for all traffic between sites or between a remote user and the cloud. This is a standard practice for securing data in transit across untrusted networks like the internet.

Exam trap

ISC2 often tests the distinction between data-in-transit controls (like IPsec, TLS, HTTPS) and data-at-rest controls (like SSE) or policy-based controls (like SCPs), leading candidates to mistakenly select options that protect data at rest or manage permissions instead of securing data during transmission.

13
Multi-Select · easy

A security architect is designing a cloud workload protection platform (CWPP) for a hybrid cloud environment. The architect needs to ensure that security policies are consistently applied across virtual machines running in both on-premises and public cloud environments. Which TWO components are essential for achieving this goal?

Select 2 answers
A. Software-defined perimeter (SDP) architecture
B. Virtual private cloud (VPC) network ACLs
C. Unified agent software installed on each VM
D. Centralized policy management console
E. Infrastructure as code templates
Answers: C, D

A unified agent enforces policies locally on each VM, regardless of the environment it runs in.

Why this answer

Unified agent software installed on each VM is essential because it provides a consistent security monitoring and enforcement layer across heterogeneous environments. The agent communicates with the centralized policy management console to receive and enforce policies locally, ensuring that security controls such as file integrity monitoring, vulnerability scanning, and host-based firewall rules are applied uniformly regardless of whether the VM runs on-premises or in a public cloud.

Exam trap

ISC2 often tests the distinction between network-level controls (SDP, VPC ACLs) and host-level controls (unified agents), leading candidates to mistakenly select network-centric options for workload protection that requires per-VM policy enforcement.

14
MCQ · easy

An organization wants to encrypt data at rest in a cloud object storage service. Which control is appropriate?

A. Implement a web application firewall.
B. Enable server-side encryption with a customer-managed key.
C. Use a VPN for all access.
D. Enable TLS for all API requests.
Answer: B

Server-side encryption encrypts data at rest.

Why this answer

Server-side encryption with a customer-managed key (SSE-C) allows the cloud provider to encrypt data at rest in object storage using a key that the customer controls and manages. This ensures that the encryption process is handled by the service itself, but the customer retains control over key rotation, access, and revocation, which is appropriate for meeting compliance and security requirements for data at rest.

Exam trap

ISC2 often tests the distinction between encryption in transit (TLS, VPN) and encryption at rest (SSE), leading candidates to mistakenly select TLS or VPN when the question explicitly asks about data at rest.

How to eliminate wrong answers

Option A is wrong because a web application firewall (WAF) protects against application-layer attacks (e.g., SQL injection, XSS) and does not provide encryption for data at rest. Option C is wrong because a VPN secures data in transit over the network but does not encrypt data stored in the object storage service. Option D is wrong because TLS encrypts data in transit between the client and the service, not data at rest within the storage infrastructure.

15
MCQ · medium

Refer to the exhibit. A security engineer attaches this bucket policy to an S3 bucket. What does this policy accomplish?

A. It allows only requests from a specific VPC endpoint.
B. It denies all requests to the bucket that are not using HTTPS.
C. It denies requests from IP addresses outside a specific range.
D. It denies all requests to the bucket.
Answer: B

The condition `aws:SecureTransport` = `false` matches requests sent over plain HTTP, so those requests are denied.

Why this answer

The bucket policy uses a `Condition` block with `aws:SecureTransport` set to `false` and an explicit `Deny` effect. This denies any request that does not use HTTPS (i.e., plain HTTP), ensuring all traffic to the bucket is encrypted in transit. The `NotPrincipal` and `NotAction` elements are used to apply the denial broadly, but the core effect is to block non-HTTPS requests.

Exam trap

The trap here is that candidates may confuse `aws:SecureTransport` with IP-based or VPC endpoint conditions, or mistakenly think the policy denies all requests because of the `Deny` effect, without reading the `Condition` block that limits the denial to non-HTTPS traffic.

How to eliminate wrong answers

Option A is wrong because the policy does not reference `aws:SourceVpce` or any VPC endpoint condition; it only checks `aws:SecureTransport`. Option C is wrong because the policy does not use `aws:SourceIp` or any IP address condition; it only checks the transport protocol. Option D is wrong because the policy does not deny all requests; it only denies requests where `aws:SecureTransport` is `false`, so HTTPS requests are still allowed.

16
MCQ · medium

A company is using AWS CloudTrail to log API calls. A security analyst needs to be alerted when an IAM user creates a new access key for another user. Which CloudTrail event should be monitored?

A. CreateAccessKey
B. DeleteAccessKey
C. CreateUser
D. UpdateAccessKey
Answer: A

CreateAccessKey is the correct API event for creating access keys.

Why this answer

The correct event to monitor is 'CreateAccessKey' because this is the CloudTrail event name generated when an IAM user creates a new access key for another user. AWS CloudTrail logs all IAM API calls, and the event name directly corresponds to the API action invoked (CreateAccessKey). Monitoring this event allows the security analyst to detect unauthorized creation of access keys, which is a common privilege escalation or persistence technique.

Exam trap

ISC2 often tests the distinction between API actions that create versus modify versus delete resources, and the trap here is confusing 'CreateAccessKey' with 'UpdateAccessKey' because both involve access keys, but only 'CreateAccessKey' generates a new credential.

How to eliminate wrong answers

Option B (DeleteAccessKey) is wrong because it logs the deletion of an access key, not its creation, and would not alert on the described activity. Option C (CreateUser) is wrong because it logs the creation of a new IAM user, not the creation of an access key for an existing user. Option D (UpdateAccessKey) is wrong because it logs changes to an existing access key's status (e.g., Active/Inactive), not the creation of a new key.

17
MCQ · easy

A cloud administrator notices that a storage bucket containing sensitive data is publicly accessible. What is the most likely misconfiguration?

A. The bucket has logging disabled.
B. The bucket's ACLs are too permissive.
C. The bucket is using server-side encryption.
D. The bucket is versioned.
Answer: B

Permissive ACLs often cause unintended public access.

Why this answer

The most likely misconfiguration is that the bucket's ACLs are too permissive, granting public read or write access to the storage bucket. In cloud platforms like AWS S3 or Azure Blob Storage, bucket ACLs or bucket policies can be set to allow public access, which directly exposes sensitive data. Disabling logging, using server-side encryption, or enabling versioning do not inherently make a bucket publicly accessible.

Exam trap

ISC2 often tests the misconception that security features like encryption or logging directly prevent unauthorized access, when in fact access control misconfigurations (like permissive ACLs) are the root cause of public exposure.

How to eliminate wrong answers

Option A is wrong because disabling logging only affects audit trails and does not control access permissions; a bucket can be publicly accessible even with logging enabled. Option C is wrong because server-side encryption protects data at rest but does not affect access control; a publicly accessible bucket with encryption still exposes data to anyone who can read it. Option D is wrong because versioning creates multiple object versions but does not change the bucket's access policy; a publicly accessible bucket remains public regardless of versioning status.

18
MCQ · hard

During a cloud migration, a company discovers that its existing virtual machine images contain embedded credentials and proprietary software that must not be exposed to the cloud provider's administrators. Which of the following is the BEST strategy to protect this sensitive data while maintaining the ability to create new instances?

A. Use a VPN to encrypt data in transit between the on-premises environment and the cloud.
B. Use a cryptographic hash of the image to ensure integrity, and store the image in object storage with access controls.
C. Encrypt the virtual machine images using a customer-provided key (CMK) integrated with the cloud provider's key management service.
D. Tokenize the embedded credentials and replace them with placeholders in the image.
Answer: C

Encryption with a CMK ensures the provider cannot decrypt the image without the key.

Why this answer

Option C is correct because encrypting the virtual machine images with a customer-provided key (CMK) integrated with the cloud provider's key management service ensures that the cloud provider's administrators cannot access the embedded credentials and proprietary software. The encryption is performed client-side or using envelope encryption where the CMK wraps a data encryption key, and only the customer holds the master key material. This allows the customer to create new instances from the encrypted image while maintaining full control over access to the sensitive data.

Exam trap

The trap here is that candidates often confuse integrity controls (hashing) with confidentiality controls (encryption), or assume that network-level protections like VPNs extend to data at rest, leading them to pick Option A or B instead of the correct encryption-based answer.

How to eliminate wrong answers

Option A is wrong because a VPN only protects data in transit between on-premises and the cloud, but does not protect the image at rest in the cloud provider's storage, leaving the embedded credentials and proprietary software exposed to administrators. Option B is wrong because a cryptographic hash ensures integrity (detecting tampering) but does not provide confidentiality; the image remains unencrypted and readable by the cloud provider's administrators. Option D is wrong because tokenization replaces credentials with placeholders, but the proprietary software remains in the clear; additionally, tokenization requires a secure token vault and does not protect the entire image from administrator access.

19
MCQ · hard

Refer to the exhibit. A security analyst reviews this CloudTrail log entry. What is the most immediate concern?

A. A user named john.doe is not authorized to modify security groups.
B. An EC2 instance was launched without approval.
C. A security group rule was added that allows unrestricted SSH access.
D. The user john.doe failed to authenticate.
Answer: C

SSH from 0.0.0.0/0 is a major security exposure.

Why this answer

Option C is correct because the CloudTrail log entry shows an AuthorizeSecurityGroupIngress API call that added a rule allowing SSH (port 22) from source 0.0.0.0/0, which grants unrestricted internet access. This is a critical security misconfiguration that exposes the EC2 instance to potential brute-force attacks or unauthorized access, making it the most immediate concern.

Exam trap

ISC2 often tests the distinction between an authorization failure (IAM policy deny) and a successful but dangerous action; the trap here is that candidates see the user name and assume a permission error, but the log shows the action succeeded, making the unrestricted SSH rule the real risk.

How to eliminate wrong answers

Option A is wrong because the log entry shows the API call was successful ("eventType": "AwsApiCall", no error code), indicating john.doe was authorized to modify security groups at the time of the event. Option B is wrong because the log entry records an AuthorizeSecurityGroupIngress action, not a RunInstances action; no EC2 instance was launched in this event. Option D is wrong because the log entry shows a successful API call with "userIdentity" details and no authentication failure (no "errorCode" or "errorMessage" fields indicating a failure), so john.doe authenticated successfully.

20
MCQ · medium

Refer to the exhibit. A security analyst finds this IAM policy attached to an S3 bucket. What is the primary security issue?

A. The policy is missing a condition for encryption.
B. The policy does not specify a source IP.
C. The policy allows all actions.
D. The policy grants public read access to all objects.
Answer: D

Principal '*' with Allow effect makes the bucket publicly readable.

Why this answer

Option D is correct because the IAM policy statement includes `"Principal": "*"` and `"Effect": "Allow"` without any condition restricting access, which grants public read access to all objects in the S3 bucket. This violates the principle of least privilege and exposes sensitive data to anyone on the internet, making it a critical security misconfiguration.

Exam trap

ISC2 often tests the distinction between 'public access' and 'all actions': candidates mistakenly think 'all actions' is the issue, but the policy only grants read access, and the public principal alone makes it a severe data exposure risk regardless of the action scope.

How to eliminate wrong answers

Option A is wrong because while encryption conditions are a best practice, the absence of an encryption condition does not directly cause public exposure; the core issue is the lack of access restrictions. Option B is wrong because source IP restrictions are not required for all S3 policies; the primary flaw here is the public principal, not the absence of IP filtering. Option C is wrong because the policy only allows `s3:GetObject` (read access), not all actions; the statement explicitly lists `"Action": "s3:GetObject"`, so it does not permit write, delete, or other administrative actions.

21
MCQ · medium

A cloud security engineer is designing a disaster recovery plan for a critical application running on virtual machines. The RTO is 4 hours and RPO is 1 hour. Which approach meets these requirements?

A. Take daily snapshots and restore to a different region.
B. Use synchronous replication to a secondary availability zone.
C. Keep a warm standby in another region with continuous data replication.
D. Use asynchronous replication with a 1-hour lag to a secondary site.
Answer: C

Warm standby with continuous replication meets both RTO and RPO.

Why this answer

Option C meets both the RTO of 4 hours and RPO of 1 hour by maintaining a warm standby in another region with continuous data replication. Continuous replication ensures data is synchronized with minimal lag (well under 1 hour), and the warm standby VM can be activated quickly to meet the 4-hour RTO. This approach balances cost and recovery speed, as a warm standby is partially running and can be promoted to production faster than a cold standby.

Exam trap

ISC2 often tests the distinction between RPO and RTO, and the trap here is that candidates confuse asynchronous replication with a 1-hour lag as meeting both requirements, overlooking that a cold standby without pre-provisioned compute cannot achieve a 4-hour RTO even if the data is available.

How to eliminate wrong answers

Option A is wrong because daily snapshots provide an RPO of up to 24 hours, far exceeding the required 1-hour RPO, and restoring to a different region would likely exceed the 4-hour RTO due to the time needed to transfer and restore large snapshot data. Option B is wrong because synchronous replication to a secondary availability zone within the same region does not protect against a regional disaster; it only covers zone-level failures, and synchronous replication typically requires low-latency links, making it unsuitable for cross-region DR. Option D is wrong because asynchronous replication with a 1-hour lag exactly matches the RPO of 1 hour, but it does not guarantee the RTO of 4 hours; a secondary site with only replication and no pre-provisioned compute (cold standby) would require additional time to provision and start VMs, likely exceeding the RTO.

22
Multi-Select · easy

Which TWO of the following are recommended practices for securing cloud storage buckets? (Choose two.)

Select 2 answers
A. Block public read/write access
B. Enable bucket versioning
C. Enable default encryption
D. Delete unused buckets immediately
E. Enable access logging
Answers: A, C

Preventing public access is a fundamental security control.

Why this answer

Blocking public access and enabling default encryption are the key practices. Versioning and access logging are useful but secondary. Deleting buckets is not a security practice.

23
MCQ · hard

A financial services firm uses a hybrid cloud architecture with a VPN connection to AWS. They need to comply with PCI DSS requirements for network segmentation. Which design is best?

A. Use AWS Direct Connect with multiple VLANs to separate traffic.
B. Implement a DMZ with a firewall appliance in a transit VPC.
C. Create separate VPCs for cardholder data and corporate systems, connected via VPC peering.
D. Use a single VPC with security groups to isolate workloads.
Answer: B

A transit VPC with a firewall appliance enforces segmentation and traffic inspection, consistent with PCI DSS.

Why this answer

Option B is correct because a DMZ with a firewall appliance in a transit VPC provides a controlled, inspectable boundary between the on-premises network and AWS, enabling network segmentation that meets PCI DSS Requirement 1 (firewall configuration) and Requirement 1.3 (DMZ to isolate cardholder data from untrusted networks). The transit VPC design allows centralized egress/ingress inspection and prevents direct lateral movement between environments, which is critical for compliance.

Exam trap

The trap here is that candidates often confuse VPC peering or security groups as sufficient for network segmentation, but PCI DSS requires a DMZ with a firewall appliance to enforce a clear security boundary, not just logical isolation.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect with multiple VLANs does not inherently provide a DMZ or firewall inspection; it only extends the network, and PCI DSS requires a DMZ with a firewall to isolate cardholder data from untrusted networks, not just VLAN separation. Option C is wrong because VPC peering creates a direct, flat network connection between VPCs without any intermediate firewall or inspection point, violating PCI DSS Requirement 1.3 that mandates a DMZ and controlled traffic inspection. Option D is wrong because a single VPC with security groups alone cannot enforce network segmentation at the perimeter; security groups are stateful host-level filters, not network-layer firewalls, and PCI DSS requires a DMZ with a firewall appliance to separate cardholder data from untrusted networks.

24
MCQ · medium

A medium-sized e-commerce company uses a cloud provider's container orchestration service (e.g., Amazon ECS or Google Kubernetes Engine). They have a security requirement to ensure that all containers run with the least privilege principle. The development team often requests containers to run as root for debugging purposes. The security team wants to enforce a policy that prevents containers from running as root in the production environment. However, the development team still needs the ability to troubleshoot occasionally. The cloud security architect must design a solution that restricts root privilege in production but allows controlled troubleshooting. Which of the following approaches is the most effective?

A. Allow containers to run as root but configure host-based intrusion detection to alert on suspicious activities.
B. Grant developers SSH access to the host nodes for troubleshooting.
C. Use a security context constraint (or PodSecurityPolicy) to deny all containers running as root, and require developers to use a sidecar container for debugging.
D. Create two separate clusters, one for production with root restriction, and one for debugging where root is allowed.
Answer: C

Enforces non-root execution and provides controlled debugging via a sidecar container.

Why this answer

Option C is correct because it uses a security context constraint (SCC) or PodSecurityPolicy (PSP) to enforce a deny-all policy for root containers in production, which aligns with the least privilege principle. The sidecar container provides a controlled debugging mechanism without granting root access to the main application container, allowing developers to troubleshoot via a separate, privileged sidecar that can be audited and restricted.

Exam trap

ISC2 often tests the misconception that allowing root in containers with monitoring (Option A) or using separate clusters (Option D) is acceptable, but the CCSP emphasizes that least privilege must be enforced at the container level, not compensated for by external controls.

How to eliminate wrong answers

Option A is wrong because allowing containers to run as root and relying solely on host-based intrusion detection (HIDS) does not prevent the violation of the least privilege principle; root access in containers can still lead to container breakout or privilege escalation before any alert is triggered. Option B is wrong because granting developers SSH access to host nodes undermines the security boundary, as it exposes the underlying host OS and potentially other containers, violating the principle of isolation and increasing the attack surface. Option D is wrong because maintaining two separate clusters (production and debugging) introduces operational complexity, configuration drift, and does not enforce least privilege in production; developers might still need root access in production for debugging, which the separate cluster does not address without additional controls.

25
MCQ · medium

A company is migrating on-premises workloads to IaaS. They need to ensure that virtual machine images are secure and free of malware. Which approach is best practice?

A. Use a golden image from the cloud provider's marketplace.
B. Rely on host-based firewalls to protect instances.
C. Perform vulnerability scanning on running instances only.
D. Create a hardened baseline image and store it in a secure repository.
Answer: D

Creating a hardened baseline ensures images are secure before deployment.

Why this answer

Option D is correct because creating a hardened baseline image ensures that the virtual machine is built from a known, secure configuration with all necessary security patches, minimal services, and no malware. Storing this image in a secure repository (e.g., encrypted and access-controlled) prevents tampering and allows consistent deployment of secure instances. This approach follows the principle of immutable infrastructure and is a foundational practice for secure IaaS migrations.

Exam trap

ISC2 often tests the misconception that using a cloud provider's marketplace image is sufficient for security, but the trap is that these images are not tailored to the organization's specific hardening requirements and may contain default credentials or unnecessary services.

How to eliminate wrong answers

Option A is wrong because cloud provider marketplace images are generic and may not meet the organization's specific security requirements; they can contain unnecessary software or default configurations that introduce vulnerabilities. Option B is wrong because host-based firewalls only control network traffic and do not detect or remove malware already present in the virtual machine image; they are a perimeter control, not a secure image creation practice. Option C is wrong because vulnerability scanning on running instances only identifies issues after deployment, leaving the initial image potentially compromised; it does not prevent the deployment of a malicious or unhardened image.

26
MCQ · hard

A multinational corporation is deploying a containerized microservices application on a public cloud Kubernetes cluster. The cluster spans three availability zones in a single region. The application consists of a front-end service, a payment service, and a database service. The security team requires that the payment service must not be directly accessible from the internet, but must be accessible from the front-end service. The database must only be accessible from the payment service. Additionally, all inter-service communication must be encrypted, and the cluster must be able to scale up to 500 nodes during peak load. The cloud provider's container orchestration service is used. After deployment, the security team discovers that the payment service is still reachable from the internet via a public load balancer that was configured for testing. The team needs to remediate this issue immediately without disrupting the front-end service. Which of the following actions should the team take FIRST?

A. Change the payment service type from LoadBalancer to ClusterIP and update the front-end configuration.
B. Implement a Kubernetes NetworkPolicy that denies ingress to the payment service pods from all sources except the front-end service's pod label.
C. Delete the public load balancer that was used for testing.
D. Apply a security group to the node instances to block inbound traffic on the payment service port.
Answer: B

This immediately restricts access to only the front-end service, without changing the service type or affecting other components.

Why this answer

Option B is correct because a Kubernetes NetworkPolicy can enforce fine-grained ingress rules at the pod level, allowing only traffic from the front-end service's pod label to reach the payment service pods. This directly addresses the requirement to block internet access while preserving front-end-to-payment communication, without modifying the service type or disrupting the front-end service. NetworkPolicies operate at Layer 3/4 and are native to Kubernetes, making them the immediate and precise remediation.

Exam trap

ISC2 often tests the misconception that deleting the load balancer (Option C) is the first step, but the trap is that this ignores the need to maintain front-end-to-payment connectivity and the fact that a NetworkPolicy can immediately block internet traffic without removing the load balancer resource itself.

How to eliminate wrong answers

Option A is wrong because changing the payment service type from LoadBalancer to ClusterIP would remove the public load balancer but also require updating the front-end configuration to point to the new ClusterIP, which could disrupt the front-end service during the transition; it also does not address the immediate need to block internet access without disruption. Option C is wrong because deleting the public load balancer would stop internet traffic but does not ensure that the payment service remains accessible from the front-end service, and it may cause downtime if the load balancer is still referenced; it also does not provide a scalable, policy-based solution. Option D is wrong because applying a security group to the node instances blocks traffic at the infrastructure level, which is coarse-grained and does not account for Kubernetes pod IPs that may change with scaling; it also does not differentiate between traffic from the front-end service and other internal sources, potentially breaking legitimate inter-service communication.

27
Multi-Select · easy

A cloud security team is auditing a cloud environment and needs to ensure compliance with logging requirements. Which TWO actions are essential? (Choose two.)

Select 2 answers
A. Store logs in a publicly accessible bucket.
B. Allow users to modify logs.
C. Encrypt logs at rest.
D. Enable CloudTrail (or equivalent) for all regions.
E. Delete logs after 30 days.
Answers: C, D

Encryption protects log data at rest.

Why this answer

Encrypting logs at rest (Option C) is essential to protect sensitive audit data from unauthorized access if the storage medium is compromised. Cloud providers like AWS offer server-side encryption (SSE-S3 or SSE-KMS) for log buckets, ensuring compliance with standards such as SOC 2, PCI DSS, and ISO 27001. Without encryption, logs could be read by anyone with physical or administrative access to the storage infrastructure.

Exam trap

ISC2 often tests the misconception that deleting logs after a short period is a security best practice, but the trap is that compliance mandates specific retention durations, and premature deletion can lead to audit failures.

28
MCQ · hard

An organization has a cloud environment with many accounts. They want to prevent any account from using certain services that are not approved (e.g., outside of a defined list). What is the BEST way to enforce this at the organizational level?

A. Configure each account's IAM policy to deny the services.
B. Enable AWS Config rules to detect and disable non-approved services.
C. Apply a service control policy (SCP) that denies the services.
D. Use resource-based policies on each resource to restrict usage.
Answer: C

SCPs are applied at the OU or account level and cannot be overridden by account admins.

Why this answer

Service Control Policies (SCPs) are the correct mechanism because they operate at the organizational level in AWS Organizations, allowing you to centrally define an allow list or deny list of services for all member accounts. Unlike IAM policies, SCPs set a ceiling on the permissions available in an account that cannot be overridden by account administrators, ensuring that non-approved services are denied across the entire organization. This provides a preventive control that blocks the use of prohibited services before any action can occur.

Exam trap

The trap here is that candidates confuse detective controls (like AWS Config) with preventive controls (like SCPs), or assume that IAM policies applied per account can achieve the same centralized enforcement, missing the fact that SCPs are the only mechanism that cannot be bypassed by account-level administrators.

How to eliminate wrong answers

Option A is wrong because configuring each account's IAM policy individually is not an organizational-level enforcement; it is decentralized, error-prone, and can be overridden by account administrators with full IAM permissions. Option B is wrong because AWS Config rules are detective controls that can only detect and report non-compliant resources, not prevent their creation or usage; they cannot disable services in real time. Option D is wrong because resource-based policies are attached to individual resources (e.g., S3 buckets, KMS keys) and cannot restrict the use of entire services or apply at the organizational level across all accounts.

29
MCQ · hard

A multi-tier web application is deployed across two VPCs connected via VPC peering. The web tier in VPC A must communicate with the database tier in VPC B on port 3306. Security groups are used for instance-level security. Which security group configuration is MOST secure?

A. In the database security group, add an inbound rule allowing TCP/3306 from the security group ID of the web servers.
B. Configure a VPN connection between VPCs and use route tables to direct traffic.
C. In the network ACL for VPC B's subnet, add an inbound rule allowing TCP/3306 from VPC A CIDR.
D. In the database security group, add an inbound rule allowing TCP/3306 from the VPC A CIDR.
Answer: A

Security group referencing ensures only instances in the web security group can connect.

Why this answer

The most secure approach is to allow inbound traffic to the database security group from the web server security group by referencing its ID (security group ID). This ensures that only instances in the web server security group can reach the database, regardless of IP changes. Option A is less secure because any instance in the CIDR range could connect.

Option B is correct. Options C and D involve network ACLs or routing, which are not instance-level.

30
MCQ · easy

A developer accidentally launched an EC2 instance with an overly permissive security group that allows SSH from 0.0.0.0/0. After a security review, the team wants to ensure this cannot happen again. What is the MOST effective preventive control?

A. Grant developers full access to EC2 and rely on training.
B. Attach an IAM policy to developer roles that denies the ec2:AuthorizeSecurityGroupIngress action if the CIDR is 0.0.0.0/0.
C. Use AWS Systems Manager to automatically remediate open SSH rules.
D. Enable AWS Config rules to detect and alert on open SSH.
Answer: B

This IAM policy condition prevents the action at the time of request.

Why this answer

Option B is correct because IAM policies can enforce preventive controls by denying the ec2:AuthorizeSecurityGroupIngress action when the CIDR is 0.0.0.0/0, which blocks the action at the API level before any rule is created. This is a preventive control because it stops the insecure configuration from being applied, rather than detecting or remediating it after the fact. By attaching this policy to developer roles, the team ensures that even if a developer attempts to add an overly permissive SSH rule, the request is denied by AWS IAM.

Exam trap

ISC2 often tests the distinction between preventive controls (IAM deny policies) and detective/reactive controls (AWS Config, Systems Manager remediation), and the trap here is that candidates may choose a detective or reactive option because they think 'alerting' or 'auto-remediation' is sufficient, when the question explicitly asks for the 'most effective preventive control.'

How to eliminate wrong answers

Option A is wrong because granting full EC2 access and relying solely on training is not a technical control; it depends on human behavior and does not prevent the action from occurring. Option C is wrong because AWS Systems Manager automation for remediation is a detective/reactive control, not preventive; it only fixes the issue after the insecure rule has already been created. Option D is wrong because AWS Config rules are detective controls that alert on non-compliant resources after they exist, but they do not block the initial creation of the overly permissive security group rule.

31
MCQ · medium

A cloud security engineer reviews the IAM policy shown in the exhibit, which is attached to an S3 bucket. The engineer finds that users from outside the 10.0.0.0/8 network can still download objects from the bucket. What is the most likely reason for this behavior?

A. The condition key 'aws:SourceIp' does not apply to S3 operations
B. The first statement's condition explicitly denies access to IPs outside 10.0.0.0/8
C. The second Allow statement does not include the IP restriction, allowing any IP to read objects
D. The policy document has a syntax error that causes the first statement to be ignored
Answer: C

The policy grants unrestricted GetObject access via the second statement.

Why this answer

Option C is correct because the second Allow statement in the IAM policy grants s3:GetObject access to all principals without any condition, effectively overriding the IP restriction in the first statement. AWS IAM policy evaluation is explicit deny by default, but when multiple statements apply, an Allow without conditions will permit the action even if another statement restricts it. Since the second statement has no aws:SourceIp condition, any IP address, including those outside 10.0.0.0/8, can download objects.

Exam trap

ISC2 often tests the nuance that an unconditional Allow statement can override a conditional Deny statement in IAM policies, leading candidates to incorrectly assume that the Deny with an IP restriction will block all access from outside the specified range.

How to eliminate wrong answers

Option A is wrong because the aws:SourceIp condition key does apply to S3 operations when used in a bucket policy; it is a valid condition key for controlling access based on the requester's IP address. Option B is wrong because the first statement uses 'Deny' with the condition, which would deny access to IPs outside 10.0.0.0/8, but the second Allow statement without the condition overrides this deny for the allowed action. Option D is wrong because there is no syntax error; the policy is valid and both statements are evaluated, but the Allow statement without the IP restriction permits the access.

32
Multi-Select · medium

A company is deploying a critical application on a public cloud IaaS platform. To ensure high availability and disaster recovery, which TWO of the following strategies should the company implement? (Choose two.)

Select 2 answers
A. Deploy the application across multiple availability zones within a region.
B. Use an active-passive configuration with both instances in the same availability zone.
C. Configure the application to run in only one region to simplify management.
D. Implement automated snapshots and replicate data to a different geographic region.
E. Use a single, large virtual machine instance to handle all traffic.
Answers: A, D

This provides high availability within a region.

Why this answer

Deploying across multiple availability zones (AZs) within a region ensures that if one AZ experiences an outage, the application can continue serving traffic from another AZ, providing high availability. This is a fundamental cloud architecture pattern for fault tolerance, as each AZ is an isolated data center with independent power, cooling, and networking.

Exam trap

ISC2 often tests the distinction between high availability (fault tolerance within a region using multiple AZs) and disaster recovery (cross-region data replication and failover), and the trap is that candidates confuse active-passive in the same AZ (which is not HA) with a valid HA strategy.

33
MCQ · easy

Refer to the exhibit. A CloudFormation template defines a security group as shown. What is the security concern with this configuration?

A. It allows SSH access on port 22.
B. It allows HTTP traffic on port 80, not HTTPS.
C. It does not allow outbound traffic.
D. It allows inbound traffic from all IP addresses on port 443, which is overly permissive.
Answer: D

Best practice is to restrict source IPs to known ranges.

Why this answer

Option D is correct because the security group rule allows inbound traffic on port 443 (HTTPS) from 0.0.0.0/0, which means any IP address on the internet can reach the resource. This is overly permissive and violates the principle of least privilege, as it exposes the service to potential attacks from any source without restriction.

Exam trap

ISC2 often tests the misconception that allowing a common protocol like HTTPS on port 443 is always safe, but the trap is that the source IP range (0.0.0.0/0) is the actual vulnerability, not the port or protocol itself.

How to eliminate wrong answers

Option A is wrong because allowing SSH access on port 22 is not inherently a security concern; the issue is the source IP range, not the protocol itself. Option B is wrong because the template allows HTTPS on port 443, not HTTP on port 80, and HTTP traffic is not defined in the exhibit. Option C is wrong because security groups in AWS are stateful by default, meaning that if inbound traffic is allowed, the corresponding outbound return traffic is automatically permitted, so the absence of explicit outbound rules does not block outbound traffic.

34
MCQ · easy

A cloud administrator needs to ensure that all data transferred between an on-premises data center and a cloud VPC is encrypted in transit. Which solution should be used?

A. AWS Transit Gateway
B. AWS Route 53 Resolver
C. AWS Site-to-Site VPN
D. AWS Direct Connect
Answer: C

Site-to-Site VPN uses IPsec to encrypt all traffic between the on-premises network and the VPC.

Why this answer

AWS Site-to-Site VPN creates an encrypted tunnel between an on-premises data center and a cloud VPC using IPsec (IKEv1/IKEv2) to protect all data in transit. This directly meets the requirement for encryption, as traffic traverses the public internet or a Direct Connect connection with encryption enabled.

Exam trap

The trap here is that candidates often assume Direct Connect inherently encrypts traffic because it is a private connection, but it does not; encryption must be explicitly implemented, and the VPN is the direct solution for encryption in transit.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway is a network transit hub that interconnects VPCs and on-premises networks, but it does not itself provide encryption; it can route traffic through a VPN attachment, but the encryption comes from the VPN, not Transit Gateway. Option B is wrong because AWS Route 53 Resolver is a DNS resolution service that resolves domain names to IP addresses; it has no role in encrypting data in transit. Option D is wrong because AWS Direct Connect provides a private, dedicated network connection that bypasses the public internet, but by default it does not encrypt traffic; encryption must be added separately (e.g., via IPsec over Direct Connect or a VPN).

35
MCQ · medium

A security engineer is reviewing logs and finds repeated failed login attempts to a cloud database instance. The database is accessible only from a specific security group. What is the BEST immediate action to reduce the attack surface?

A. Enable multi-factor authentication for the database user accounts.
B. Review the security group inbound rules and restrict the source IP to only the required application servers.
C. Change the database port to a non-standard port.
D. Delete the database instance and restore from backup.
Answer: B

This limits who can attempt to connect, reducing the attack surface.

Why this answer

Option B is correct because the immediate priority is to restrict network-level access to the database. Since the database is only accessible from a specific security group, reviewing and tightening the inbound rules to allow traffic only from the required application servers' IP addresses directly reduces the attack surface by eliminating unnecessary exposure. This is a fundamental network segmentation principle in cloud security, as it prevents any unauthorized host within the security group from attempting authentication.

Exam trap

ISC2 often tests the distinction between network-layer controls (security groups) and application-layer controls (MFA, port obfuscation) to see if candidates prioritize reducing the attack surface at the lowest possible layer, where the impact is broadest and most immediate.

How to eliminate wrong answers

Option A is wrong because enabling multi-factor authentication (MFA) for database user accounts addresses authentication strength but does not reduce the attack surface from repeated failed login attempts; MFA would still allow attackers to attempt authentication from any IP within the security group, and the logs show the attempts are already reaching the database, meaning network access is the immediate vector. Option C is wrong because changing the database port to a non-standard port is a form of security through obscurity and does not prevent attackers from scanning for the new port or from continuing failed login attempts once the port is discovered; it does not address the root cause of unauthorized network access. Option D is wrong because deleting the database instance and restoring from backup is an overly drastic and disruptive action that does not address the underlying misconfiguration in the security group; it would cause unnecessary downtime and data loss without preventing the same attack from recurring after restoration.

36
Multi-Selectmedium

A cloud security architect is concerned about potential side-channel attacks against VMs running on a shared hypervisor. Which TWO of the following measures would be most effective in mitigating such attacks?

Select 2 answers
A.Use dedicated (single-tenant) hosts for sensitive workloads.
B.Encrypt all data at rest using AES-256.
C.Disable hyper-threading on the physical hosts.
D.Implement network segmentation using VLANs.
E.Enable multi-factor authentication for all cloud administrative accounts.
AnswersA, C

Dedicated hosts guarantee that no other tenant's VMs run on the same hypervisor, eliminating shared-resource side channels.

Why this answer

Option A is correct because using dedicated (single-tenant) hosts ensures that the physical server is not shared with any other customer's VMs. This eliminates the possibility of a co-resident attacker exploiting shared hardware resources (such as CPU caches, memory buses, or branch predictors) to launch side-channel attacks like Prime+Probe or Flush+Reload. By removing the shared hypervisor layer between tenants, the attack surface for cross-VM side channels is effectively nullified.

Exam trap

ISC2 often tests the distinction between data protection controls (encryption, MFA, network segmentation) and compute-level isolation controls, leading candidates to mistakenly select network or access controls that do not address the shared hardware attack surface.

37
MCQhard

Refer to the exhibit. A cloud security administrator is reviewing the following security group configuration associated with a web server instance. What security best practice is being violated?

A.Outbound traffic should be allowed to any destination.
B.Inbound SSH should not be allowed from any source.
C.Inbound HTTPS should be allowed from any source.
D.Security groups should not be used for web servers.
AnswerB

The rule allows SSH from 0.0.0.0/0, violating least privilege and increasing attack surface.

Why this answer

Option B is correct because allowing inbound SSH (TCP port 22) from any source (0.0.0.0/0) violates the security best practice of least privilege. SSH should only be permitted from specific administrative IP ranges or bastion hosts to prevent unauthorized access and brute-force attacks. In a cloud environment like AWS, security groups should restrict SSH to known management networks, not the entire internet.

Exam trap

ISC2 often tests the misconception that allowing inbound HTTPS from any source is a violation, but for a public web server, this is correct; the trap is confusing the need for open HTTPS with the need to restrict administrative protocols like SSH.

How to eliminate wrong answers

Option A is wrong because outbound traffic should be restricted to only necessary destinations (e.g., specific update servers or databases), not allowed to any destination, as unrestricted outbound traffic can facilitate data exfiltration. Option C is wrong because inbound HTTPS (TCP port 443) should be allowed from any source for a public web server; this is a standard requirement for serving web content securely. Option D is wrong because security groups are the primary and recommended mechanism for controlling traffic to cloud instances like web servers; they are stateful and provide granular access control.

38
MCQhard

A large healthcare organization runs its electronic health records (EHR) system on a private cloud built with VMware vSphere. They have implemented a hybrid cloud strategy with a public cloud provider for disaster recovery. The EHR application is mission-critical and must maintain high availability with zero data loss. During a routine audit, the security team discovers that the replication between the private cloud and the public cloud uses asynchronous replication with a 15-minute recovery point objective (RPO). However, the application requires an RPO of less than 1 minute. Additionally, the replication data is not encrypted in transit. The compliance officer demands immediate remediation. The cloud architect must propose a solution that meets the RPO requirement and ensures encryption of data in transit. Which of the following actions is the most appropriate first step?

A.Move the entire EHR system to the public cloud and use native replication services.
B.Increase the frequency of asynchronous replication to every 30 seconds and use IPsec VPN for encryption.
C.Switch to synchronous replication between the private cloud and public cloud to achieve near-zero RPO, and enable TLS for replication traffic.
D.Implement a third-party replication tool that uses compression and encryption, and keep asynchronous replication with 15-minute RPO.
AnswerC

Synchronous replication meets RPO and TLS ensures encryption.

Why this answer

Option C is correct because synchronous replication ensures that data is written to both the primary and secondary sites before acknowledging the write, achieving near-zero RPO (typically sub-second). Enabling TLS for replication traffic encrypts data in transit, directly addressing the compliance requirement. This approach meets the application's mission-critical need for zero data loss and encryption without changing the underlying hybrid architecture.

Exam trap

ISC2 often tests the misconception that increasing asynchronous replication frequency can achieve near-zero RPO, but only synchronous replication guarantees zero data loss by ensuring writes are committed at both sites before acknowledgment.

How to eliminate wrong answers

Option A is wrong because moving the entire EHR system to the public cloud does not inherently solve the RPO or encryption issues; it merely shifts the problem and may introduce new latency or compliance concerns without guaranteeing sub-minute RPO. Option B is wrong because increasing asynchronous replication frequency to 30 seconds still does not guarantee zero data loss (RPO is not zero) and IPsec VPN encrypts the tunnel but does not necessarily encrypt the replication stream itself at the application layer, potentially leaving data exposed during transit. Option D is wrong because keeping asynchronous replication with a 15-minute RPO fails to meet the sub-minute RPO requirement, regardless of compression and encryption improvements.

39
MCQmedium

A cloud architect is designing a multi-tier application in a public cloud. The web tier must be accessible from the internet, while the application and database tiers must only be reachable from the web tier. The architect needs to ensure that even if the web server is compromised, the attacker cannot directly access the database. Which architecture BEST meets this requirement?

A.Place all tiers in the same subnet and use a single security group to control inbound traffic.
B.Place all tiers in the same VPC but different subnets, and use network ACLs to restrict traffic.
C.Place the web tier in a public subnet with a security group allowing HTTP/HTTPS from 0.0.0.0/0, and place the app and database tiers in private subnets with security groups allowing traffic only from the web tier's security group.
D.Use a VPN to connect the tiers and rely on IPsec policies for segmentation.
AnswerC

This provides proper isolation: private subnets with security group references restrict access to the web tier only.

Why this answer

Option C is correct because it implements defense-in-depth by placing the web tier in a public subnet with a security group that allows inbound HTTP/HTTPS from the internet, while the app and database tiers reside in private subnets with security groups that only permit traffic from the web tier's security group. This ensures that even if the web server is compromised, the attacker cannot directly reach the database because the database security group explicitly denies traffic from any source other than the web tier's security group, and the private subnets have no direct internet route.

Exam trap

The trap here is that candidates often confuse network ACLs (stateless, IP-based) with security groups (stateful, can reference other security groups), leading them to choose Option B because they think ACLs provide sufficient segmentation, but they overlook the need for group-based source references to prevent lateral movement from a compromised host.

How to eliminate wrong answers

Option A is wrong because placing all tiers in the same subnet with a single security group provides no network segmentation; if the web server is compromised, the attacker can directly access the database on the same subnet without any additional controls. Option B is wrong because while different subnets provide network segmentation, network ACLs are stateless and evaluate rules in order, but they do not support source-group-based references (like security group IDs), so they cannot restrict traffic to only the web tier's security group; they can only filter by IP ranges, which is less precise and could allow lateral movement if the web server's IP is spoofed or if multiple instances are used. Option D is wrong because a VPN with IPsec policies connects the tiers over an encrypted tunnel but does not enforce internal segmentation within the VPC; it would still require additional security groups or ACLs to restrict database access, and the VPN itself does not prevent a compromised web server from directly reaching the database if both are on the same network segment.
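Questions 37 and 39 both turn on how security-group rules are evaluated: an inbound rule with a /0 source exposes a port to the whole internet, and a rule whose source is another security group admits only members of that group, whatever their IP address. The following Python model is an added example (not code from the exam page or any cloud provider's SDK); the group IDs, the bastion range 203.0.113.0/24 and the host addresses are constructed. It runs the question-37 audit check against the violating and the hardened web-tier group, and then evaluates the question-39 database group against a web-tier member and against a non-member on the same subnet.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Administrative ports that should never be reachable from a /0 source.
ADMIN_PORTS = (22, 3389)


@dataclass(frozen=True)
class Rule:
    """One inbound rule. Exactly one of cidr / source_group is set.
    protocol "-1" follows the AWS convention for "all protocols" (ports ignored)."""
    protocol: str
    from_port: int
    to_port: int
    cidr: Optional[str] = None
    source_group: Optional[str] = None


@dataclass
class SecurityGroup:
    group_id: str
    inbound: List[Rule] = field(default_factory=list)


def _port_matches(rule: Rule, protocol: str, port: int) -> bool:
    if rule.protocol == "-1":
        return True
    return rule.protocol == protocol and rule.from_port <= port <= rule.to_port


def find_exposed_admin_ports(sg: SecurityGroup) -> List[Tuple[int, str]]:
    """Audit check for question 37: admin ports open to a /0 source (0.0.0.0/0 or ::/0)."""
    hits = set()
    for rule in sg.inbound:
        if rule.cidr is None or ipaddress.ip_network(rule.cidr).prefixlen != 0:
            continue
        for port in ADMIN_PORTS:
            if _port_matches(rule, "tcp", port):
                hits.add((port, rule.cidr))
    return sorted(hits)


def is_allowed(sg: SecurityGroup, src_ip: str, src_group: Optional[str],
               protocol: str, port: int) -> bool:
    """Security-group semantics: any matching inbound rule permits the connection,
    otherwise the implicit default denies it. A source_group rule matches only when
    the sender is a member of that group, regardless of its IP address."""
    src = ipaddress.ip_address(src_ip)
    for rule in sg.inbound:
        if not _port_matches(rule, protocol, port):
            continue
        if rule.source_group is not None and src_group is not None \
                and rule.source_group == src_group:
            return True
        if rule.cidr is not None and src in ipaddress.ip_network(rule.cidr):
            return True
    return False


# --- Constructed sample groups (assumed IDs and ranges, not from a real account) ---

# Question 37: the violating configuration, SSH open to the world.
WEB_SG_EXPOSED = SecurityGroup("sg-web", [
    Rule("tcp", 443, 443, cidr="0.0.0.0/0"),
    Rule("tcp", 22, 22, cidr="0.0.0.0/0"),
])

# Hardened form: SSH only from the assumed bastion range.
WEB_SG_HARDENED = SecurityGroup("sg-web", [
    Rule("tcp", 443, 443, cidr="0.0.0.0/0"),
    Rule("tcp", 22, 22, cidr="203.0.113.0/24"),
])

# Question 39: the database tier admits MySQL traffic only from members of sg-web.
DB_SG = SecurityGroup("sg-db", [
    Rule("tcp", 3306, 3306, source_group="sg-web"),
])


if __name__ == "__main__":
    print("exposed admin ports:", find_exposed_admin_ports(WEB_SG_EXPOSED))
    print("after hardening:", find_exposed_admin_ports(WEB_SG_HARDENED))
    print("web tier -> db:", is_allowed(DB_SG, "10.0.1.10", "sg-web", "tcp", 3306))
    print("non-member on same subnet -> db:", is_allowed(DB_SG, "10.0.1.10", None, "tcp", 3306))
```

The last two calls use the same source address: only group membership decides the outcome, which is the property a network ACL (IP-based, stateless) cannot express and the reason Option C in question 39 is preferred over Option B.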

40
Matchingmedium

Match each key management solution to its characteristic.

Matches

Hardware-based key generation and storage

Software-based key lifecycle management

Customer-managed keys in cloud provider HSM

Customer holds and manages own keys

Why these pairings

Key management is critical for data protection; BYOK and KYOK offer different levels of customer control.

41
MCQhard

A large financial institution hosts a critical application in a multi-cloud environment using AWS and Azure. The application processes sensitive customer data and requires low-latency access to a shared database. The database is deployed as a MySQL instance in AWS RDS, and the Azure application instances connect to it over the public internet using SSL. Recently, the security team discovered that the database connection traffic is being routed through an unencrypted proxy, exposing the data in transit. The network architect must redesign the connectivity to ensure encryption end-to-end and minimize latency. The current setup includes an AWS Direct Connect and an Azure ExpressRoute that both terminate at the same on-premises data center. The on-premises network has a firewall that inspects all traffic. The architect proposes using the on-premises data center as an intermediary to route traffic between clouds. Which of the following solutions best addresses the security and latency requirements?

A.Create an AWS VPC peering connection to the Azure VNet through the on-premises data center using VPN tunnels, and configure the RDS security group to allow traffic only from the Azure VNet CIDR. Ensure the firewall does not decrypt the traffic.
B.Configure the Azure application to use a TLS termination proxy in the on-premises data center that forwards traffic to RDS over SSL, and allow the firewall to inspect traffic.
C.Use AWS Direct Connect and Azure ExpressRoute to connect directly to each other without going through the on-premises data center by establishing a cross-cloud direct connection.
D.Deploy a third-party SD-WAN appliance in both AWS and Azure to create an encrypted overlay network between the two clouds, bypassing the on-premises data center entirely.
AnswerA

Provides an end-to-end encrypted tunnel and uses the existing connections for low latency.

Why this answer

Option A is correct because it establishes an encrypted VPN tunnel between AWS and Azure through the on-premises data center, leveraging existing Direct Connect and ExpressRoute connections. This ensures end-to-end encryption (SSL from Azure app to RDS is preserved, and the VPN adds an additional layer) while keeping traffic within controlled, low-latency paths. Configuring the RDS security group to allow only the Azure VNet CIDR restricts access, and ensuring the firewall does not decrypt traffic prevents breaking the encryption chain.

Exam trap

The trap here is that candidates may assume Direct Connect and ExpressRoute can directly peer with each other (Option C) or that TLS termination at a proxy is acceptable (Option B), failing to recognize that end-to-end encryption must not be broken and that cloud provider direct interconnects are not available without a third-party service.

How to eliminate wrong answers

Option B is wrong because using a TLS termination proxy in the on-premises data center decrypts traffic for firewall inspection, breaking end-to-end encryption and exposing data in transit within the proxy. Option C is wrong because AWS Direct Connect and Azure ExpressRoute cannot directly interconnect without a third-party provider or intermediary; they terminate at separate on-premises locations and do not support direct cross-cloud peering. Option D is wrong because deploying a third-party SD-WAN appliance bypasses the on-premises data center entirely, which contradicts the architect's proposal to use the on-premises data center as an intermediary and may introduce additional latency or management complexity.

42
Multi-Selecthard

A company is implementing a software-defined perimeter (SDP) for their cloud environment. Which THREE characteristics are typical of an SDP? (Choose three.)

Select 3 answers
A.Static IP whitelisting.
B.Dynamic firewall rules based on user identity.
C.Application-layer access control.
D.Mutual authentication between client and controller.
E.Single-factor authentication.
AnswersB, C, D

SDP adjusts rules dynamically based on user identity.

Why this answer

Option B is correct because software-defined perimeter (SDP) architecture uses dynamic firewall rules that are created on-the-fly based on user identity and device posture, rather than static IP addresses. The SDP controller authenticates the user and then dynamically provisions a firewall rule to allow the user's specific IP address to access the requested application, ensuring zero-trust network access.

Exam trap

The trap here is that candidates confuse SDP's dynamic, identity-based firewall rules with traditional static IP whitelisting (Option A), failing to recognize that SDP eliminates reliance on IP addresses for access control.

43
MCQhard

A company uses AWS Organizations with multiple accounts. A security team wants to ensure that a specific S3 bucket in the production account cannot be deleted by anyone, including the root user of that account. Which control should be implemented?

A.Use S3 event notifications to alert when a delete is attempted.
B.Enable S3 Versioning on the bucket.
C.Enable AWS CloudTrail to log any deletion attempt.
D.Apply a service control policy (SCP) to deny s3:DeleteBucket on the production account.
AnswerD

SCPs apply to all principals including root, and cannot be overridden within the account.

Why this answer

Option D is correct because a service control policy (SCP) is an AWS Organizations policy that can be applied to an account (or OU) to restrict permissions for all IAM users, roles, and even the root user of that account. By attaching an SCP that denies the s3:DeleteBucket action, the security team ensures that no principal in the production account, including the root user, can delete the specified S3 bucket. This provides a preventive control that overrides any allow permissions within the account.

Exam trap

ISC2 often tests the distinction between preventive controls (like SCPs) and detective/reactive controls (like CloudTrail or notifications), and the trap here is that candidates confuse logging or versioning with actual deletion prevention.

How to eliminate wrong answers

Option A is wrong because S3 event notifications are only reactive alerts; they do not prevent the deletion from occurring, so the bucket can still be deleted. Option B is wrong because S3 Versioning protects objects within the bucket from being overwritten or deleted, but it does not prevent the bucket itself from being deleted. Option C is wrong because AWS CloudTrail logs API calls for auditing purposes but does not block the deletion action; it only records it after the fact.

44
MCQhard

A DevOps team is deploying containers in a Kubernetes cluster. They need to ensure that container images are scanned for vulnerabilities before deployment. Which is the most effective approach?

A.Scan images manually after deployment.
B.Use a container registry with integrated vulnerability scanning and enforce admission controls.
C.Rely on the developer's assurance that images are secure.
D.Use a runtime security tool.
AnswerB

Integrated scanning and admission control prevent vulnerable images from being deployed.

Why this answer

Option B is correct because integrating vulnerability scanning into the container registry (e.g., using tools like Trivy, Clair, or Amazon ECR scanning) combined with admission controllers (e.g., OPA/Gatekeeper or Kyverno) allows automated scanning of images at rest and blocks deployments of non-compliant images before they enter the cluster. This shift-left approach ensures that only images passing security policies are admitted, preventing vulnerable images from reaching production.

Exam trap

ISC2 often tests the distinction between pre-deployment controls (image scanning + admission) and runtime controls, so candidates mistakenly choose runtime tools (Option D) thinking they prevent vulnerabilities, when in fact runtime tools only detect active exploits after deployment.

How to eliminate wrong answers

Option A is wrong because scanning images manually after deployment introduces a delay that allows vulnerable containers to run in the cluster, violating the principle of shift-left security and failing to prevent exploitation. Option C is wrong because relying on developer assurance without automated verification is a security anti-pattern; developers may unknowingly introduce vulnerabilities, and this approach lacks auditability and enforcement. Option D is wrong because runtime security tools (e.g., Falco, Sysdig) monitor container behavior during execution but do not prevent vulnerable images from being deployed; they address post-deployment threats, not pre-deployment image integrity.
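The admission-control half of Option B is where the registry scan is actually enforced. The following Python is an added example (not code from the exam page, nor from Kyverno, Gatekeeper or any scanner) of the decision logic such a controller applies to a pod: it rejects images that are not pinned by digest, images the registry has no scan result for, and images whose findings exceed a severity threshold. The registry hostname registry.example, the digests and the finding IDs are constructed placeholders, and the threshold policy is an assumption of this example.

```python
from typing import Dict, List, Optional, Tuple

# Assumed policy: CRITICAL always blocks; HIGH blocks only when a fixed version exists,
# so teams are pushed to patch rather than frozen by unfixable issues; lower severities pass.
ALWAYS_BLOCK = {"CRITICAL"}
BLOCK_IF_FIXABLE = {"HIGH"}


def image_digest(image_ref: str) -> Optional[str]:
    """Digest of a pinned reference (name@sha256:...), or None for a mutable tag."""
    if "@sha256:" in image_ref:
        return image_ref.split("@", 1)[1]
    return None


def evaluate_container(image_ref: str, scan_results: Dict[str, Dict]) -> List[str]:
    """Reasons to reject this container; an empty list means it passes the gate."""
    digest = image_digest(image_ref)
    if digest is None:
        # A tag such as :latest can be re-pointed after the scan ran, so the scan
        # result would not describe what the node actually pulls.
        return [f"{image_ref}: image must be pinned by digest, not a mutable tag"]
    report = scan_results.get(digest)
    if report is None:
        return [f"{image_ref}: no registry scan result for this digest"]
    reasons = []
    for f in report["findings"]:
        sev, fix = f["severity"], f.get("fixed_version")
        if sev in ALWAYS_BLOCK or (sev in BLOCK_IF_FIXABLE and fix):
            reasons.append(f"{image_ref}: {f['id']} ({sev}) in {f['package']} "
                           f"{f['version']}, fix available: {fix or 'none'}")
    return reasons


def admit_pod(containers: List[Dict], scan_results: Dict[str, Dict]) -> Tuple[bool, List[str]]:
    """Admission decision for one pod: admitted only if every container image passes."""
    reasons = []
    for c in containers:
        reasons.extend(evaluate_container(c["image"], scan_results))
    return (not reasons, reasons)


# Constructed scan results keyed by digest (placeholder digests and finding IDs).
DIGEST_A = "sha256:" + "a" * 64
DIGEST_B = "sha256:" + "b" * 64
SCAN_RESULTS = {
    DIGEST_A: {"findings": [
        {"id": "EXAMPLE-0001", "severity": "HIGH", "package": "openssl",
         "version": "1.1.1", "fixed_version": "1.1.1w"},
        {"id": "EXAMPLE-0002", "severity": "LOW", "package": "bash",
         "version": "5.1", "fixed_version": None},
    ]},
    DIGEST_B: {"findings": [
        {"id": "EXAMPLE-0003", "severity": "MEDIUM", "package": "curl",
         "version": "7.88", "fixed_version": "7.89"},
        {"id": "EXAMPLE-0004", "severity": "HIGH", "package": "glibc",
         "version": "2.31", "fixed_version": None},
    ]},
}

if __name__ == "__main__":
    for ref in (f"registry.example/api@{DIGEST_A}",
                f"registry.example/api@{DIGEST_B}",
                "registry.example/api:latest"):
        ok, why = admit_pod([{"image": ref}], SCAN_RESULTS)
        print("ADMIT" if ok else "DENY", ref, why)
```

Running the same gate in the CI pipeline and at admission gives two enforcement points with one policy; the admission side is the one that catches images that bypassed CI, which is exactly the gap Options A and C leave open.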
