CCSP · topic practice

Cloud Platform and Infrastructure Security practice questions

Practise Certified Cloud Security Professional CCSP Cloud Platform and Infrastructure Security practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Cloud Platform and Infrastructure Security

What the exam tests

What to know about Cloud Platform and Infrastructure Security

Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

IaaS, PaaS and SaaS responsibilities and examples.

Public, private, hybrid and community cloud deployment models.

On-premises vs cloud trade-offs: cost, control, scalability.

How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.

Watch out for

Common Cloud Platform and Infrastructure Security exam traps

  • IaaS gives you infrastructure control; SaaS gives you only the application.
  • Hybrid cloud combines on-premises and public cloud — not two public clouds.
  • Cloud does not automatically mean cheaper or more secure.
  • Management responsibility shifts with each service model (IaaSPaaSSaaS).

Practice set

Cloud Platform and Infrastructure Security questions

20 questions · select your answer, then reveal the explanation

A financial services company is migrating its on-premises data center to a public cloud IaaS environment. During the transition, the security team must ensure that the same network segmentation and firewall rules are maintained. Which of the following is the BEST approach to replicate the on-premises network security controls in the cloud?

A cloud architect is designing a multi-tier application in a public cloud. The web tier must be accessible from the internet, while the application and database tiers must only be reachable from the web tier. The architect needs to ensure that even if the web server is compromised, the attacker cannot directly access the database. Which architecture BEST meets this requirement?

During a cloud migration, a company discovers that its existing virtual machine images contain embedded credentials and proprietary software that must not be exposed to the cloud provider's administrators. Which of the following is the BEST strategy to protect this sensitive data while maintaining the ability to create new instances?

A company's security policy requires that all data stored in the cloud must be encrypted at rest. The cloud provider offers server-side encryption with either cloud-managed keys or customer-managed keys (CMK). Which additional control should the company implement to ensure that the CMK is not compromised and that access is auditable?

A company is deploying a critical application on a public cloud IaaS platform. To ensure high availability and disaster recovery, which TWO of the following strategies should the company implement? (Choose two.)

Question 6hardmultiple choice
Read the full NAT/PAT explanation →

A multinational corporation is deploying a containerized microservices application on a public cloud Kubernetes cluster. The cluster spans three availability zones in a single region. The application consists of a front-end service, a payment service, and a database service. The security team requires that the payment service must not be directly accessible from the internet, but must be accessible from the front-end service. The database must only be accessible from the payment service. Additionally, all inter-service communication must be encrypted, and the cluster must be able to scale up to 500 nodes during peak load. The cloud provider's container orchestration service is used. After deployment, the security team discovers that the payment service is still reachable from the internet via a public load balancer that was configured for testing. The team needs to remediate this issue immediately without disrupting the front-end service. Which of the following actions should the team take FIRST?

A security architect is designing a cloud workload protection platform (CWPP) for a hybrid cloud environment. The architect needs to ensure that security policies are consistently applied across virtual machines running in both on-premises and public cloud environments. Which TWO components are essential for achieving this goal?

A cloud security engineer reviews the IAM policy shown in the exhibit, which is attached to an S3 bucket. The engineer finds that users from outside the 10.0.0.0/8 network can still download objects from the bucket. What is the most likely reason for this behavior?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
Question 9hardmultiple choice
Read the full NAT/PAT explanation →

A large financial institution hosts a critical application in a multi-cloud environment using AWS and Azure. The application processes sensitive customer data and requires low-latency access to a shared database. The database is deployed as a MySQL instance in AWS RDS, and the Azure application instances connect to it over the public internet using SSL. Recently, the security team discovered that the database connection traffic is being routed through an unencrypted proxy, exposing the data in transit. The network architect must redesign the connectivity to ensure encryption end-to-end and minimize latency. The current setup includes an AWS Direct Connect and an Azure ExpressRoute that both terminate at the same on-premises data center. The on-premises network has a firewall that inspects all traffic. The architect proposes using the on-premises data center as an intermediary to route traffic between clouds. Which of the following solutions best addresses the security and latency requirements?

Drag and drop the steps for implementing a disaster recovery plan using cross-region replication in AWS into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Match each key management solution to its characteristic.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Hardware-based key generation and storage

Software-based key lifecycle management

Customer-managed keys in cloud provider HSM

Customer holds and manages own keys

A company wants to enforce that all EC2 instances launched in a specific AWS account are tagged with the key "Environment" and "Owner". What is the most effective way to enforce this policy?

An organization requires that all data at rest in a cloud storage service be encrypted using a key that is managed entirely on-premises and never exposed to the cloud provider. The organization wants to use server-side encryption. Which approach should be used?

A multi-tier web application is deployed across two VPCs connected via VPC peering. The web tier in VPC A must communicate with the database tier in VPC B on port 3306. Security groups are used for instance-level security. Which security group configuration is MOST secure?

A developer accidentally launched an EC2 instance with an overly permissive security group that allows SSH from 0.0.0.0/0. After a security review, the team wants to ensure this cannot happen again. What is the MOST effective preventive control?

A company is using AWS CloudTrail to log API calls. A security analyst needs to be alerted when an IAM user creates a new access key for another user. Which CloudTrail event should be monitored?

An organization has a cloud environment with many accounts. They want to prevent any account from using certain services that are not approved (e.g., outside of a defined list). What is the BEST way to enforce this at the organizational level?

A cloud administrator needs to ensure that all data transferred between an on-premises data center and a cloud VPC is encrypted in transit. Which solution should be used?

A security engineer is reviewing logs and finds repeated failed login attempts to a cloud database instance. The database is accessible only from a specific security group. What is the BEST immediate action to reduce the attack surface?

A company uses AWS Organizations with multiple accounts. A security team wants to ensure that a specific S3 bucket in the production account cannot be deleted by anyone, including the root user of that account. Which control should be implemented?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Cloud Platform and Infrastructure Security sessions

Start a Cloud Platform and Infrastructure Security only practice session

Every question in these sessions is drawn from the Cloud Platform and Infrastructure Security domain — nothing else.

Related practice questions

Related CCSP topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CCSP exam test about Cloud Platform and Infrastructure Security?
Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Cloud Platform and Infrastructure Security questions in a focused session?
Yes — the session launcher on this page draws every question from the Cloud Platform and Infrastructure Security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CCSP topics?
Use the topic links above to move to related areas, or go back to the CCSP question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CCSP exam covers. They are not copied from any real exam or dump site.