CCNA Cloud Security Ops Questions

75 of 92 questions · Page 1/2 · Cloud Security Ops topic · Answers revealed

1
MCQmedium

A security analyst is using a cloud security posture management (CSPM) tool that reports a finding of "storage bucket publicly accessible." However, upon manual inspection, the bucket's ACL and bucket policy both restrict access to authorized users only. What is the most likely cause of the false positive?

A.The bucket is in a different region
B.The bucket policy has a syntax error
C.The bucket contains objects with public ACLs
D.The CSPM tool is misconfigured
AnswerC

Object-level ACLs can override bucket-level settings and cause a public access finding.

Why this answer

Option D is correct because individual objects within the bucket might have public ACLs, which CSPM might detect. Option A (CSPM misconfigured) is possible but less likely. Option B (policy syntax error) would cause error, not public access.

Option C (region mismatch) is irrelevant.

2
MCQmedium

Refer to the exhibit. An AWS CloudTrail log entry is shown. Which of the following can be determined from this log entry?

A.The instance launch was performed by user john.doe via the console
B.The instance was terminated immediately after launch
C.The instance was launched in eu-west-2
D.An S3 bucket policy was modified
AnswerA

User identity and user agent indicate console access.

Why this answer

Option C is correct because the log shows the event was initiated by the IAM user john.doe from IP 203.0.113.50 via the AWS Management Console. Option A is wrong because there is no indication of an S3 access. Option B is wrong because the region is us-east-1, not eu-west-2.

Option D is wrong because the event is RunInstances, not TerminateInstances.

3
MCQhard

A cloud security engineer is reviewing incident response procedures for a hybrid cloud environment. During a security incident, the team needs to collect forensic evidence from a compromised virtual machine while preserving its state. Which of the following actions should be taken first?

A.Take a snapshot of the virtual machine's disk
B.Notify the cloud provider
C.Disconnect the virtual machine from the network
D.Install a forensic agent on the virtual machine
AnswerC

Isolation prevents ongoing compromise and preserves evidence.

Why this answer

Option A is correct because isolating the VM (disconnecting it from the network) prevents further damage or data exfiltration, and then a snapshot can be taken. Option B (snapshot) comes after isolation. Option C (install agent) may alter the evidence.

Option D (notify provider) is done in parallel but not first.

4
MCQhard

A multinational corporation runs its critical applications on a cloud platform. The security team has implemented a Security Information and Event Management (SIEM) solution that collects logs from various cloud services, including virtual machines, storage, and databases. The SIEM is configured to generate alerts based on predefined rules. Recently, the team noticed an increase in false positive alerts, causing alert fatigue among the analysts. Additionally, there is a lack of context in the alerts, making it difficult to triage and prioritize incidents. The team wants to improve the efficiency of the SOC without increasing headcount. Which of the following is the BEST course of action to address these issues?

A.Deploy a user and entity behavior analytics (UEBA) tool to baseline normal behavior and generate alerts based on anomalies.
B.Assign more analysts to manually review and tune the alert rules.
C.Implement automated response playbooks for the most common alerts to reduce analyst workload.
D.Increase the threshold levels for all alert rules to reduce the number of alerts generated.
E.Create additional correlation rules to capture more specific attack patterns.
AnswerA

UEBA reduces false positives by focusing on deviations from normal behavior.

Why this answer

UEBA uses machine learning to establish baselines of normal user and entity behavior, then generates alerts only when deviations occur. This directly reduces false positives by filtering out benign anomalies and enriches alerts with behavioral context, enabling analysts to triage and prioritize incidents more efficiently without increasing headcount.

Exam trap

ISC2 often tests the distinction between reducing alert volume (e.g., tuning thresholds) and improving alert quality (e.g., adding context via UEBA), trapping candidates who choose threshold increases or additional rules without recognizing that false positives stem from static, context-free detection logic.

How to eliminate wrong answers

Option B is wrong because manually reviewing and tuning alert rules is labor-intensive, does not scale, and fails to address the root cause of false positives—static rules cannot adapt to evolving normal behavior. Option C is wrong because automated response playbooks reduce analyst workload for confirmed incidents but do not reduce false positive alerts or add context; they may even automate responses to false positives, worsening the problem. Option D is wrong because increasing threshold levels indiscriminately reduces all alerts, including true positives, and does not add context; it is a blunt approach that risks missing real attacks.

Option E is wrong because creating additional correlation rules increases the number of alerts and complexity, likely exacerbating false positives and alert fatigue without providing behavioral context.

5
Multi-Selectmedium

Which TWO of the following are best practices for implementing baseline configuration management in a cloud environment? (Choose two.)

Select 2 answers
A.Allow administrators to manually adjust configurations as needed to maintain flexibility
B.Disable configuration drift detection to reduce alert fatigue
C.Automate the deployment of baseline configurations using orchestration tools
D.Grant all users read/write access to configuration repositories for efficiency
E.Store and manage configuration templates in a version-controlled repository
AnswersC, E

Ensures consistent and repeatable deployments.

Why this answer

Automating the deployment of baseline configurations using orchestration tools (e.g., AWS CloudFormation, Terraform, or Ansible) ensures consistency, reduces human error, and enforces security controls across cloud resources. This aligns with the principle of immutable infrastructure, where configurations are deployed programmatically rather than manually adjusted.

Exam trap

ISC2 often tests the misconception that manual flexibility or disabling detection features are acceptable trade-offs for operational convenience, when in fact they directly violate cloud security operations best practices.

6
MCQhard

A security analyst is conducting a forensic investigation of a compromised virtual machine in a public cloud. The VM is running in a production environment and cannot be stopped. Which of the following techniques is MOST appropriate to acquire volatile memory evidence?

A.Create a snapshot of the VM's disk and then analyze it.
B.Perform a network packet capture to capture memory data.
C.Use the cloud provider's API to take a memory snapshot of the VM.
D.Run `dd if=/dev/mem of=/tmp/mem.dump` from within the VM.
AnswerC

Many cloud providers offer memory acquisition APIs that do not require stopping the instance.

Why this answer

Option C is correct because cloud providers like AWS, Azure, and GCP offer APIs (e.g., AWS EC2 CreateSnapshot with memory flag, Azure Disk Snapshot with memory, or GCP VM memory snapshot) that capture the VM's volatile memory (RAM) without stopping the instance. This is the only technique that preserves the runtime state (processes, network connections, encryption keys) while respecting the production constraint that the VM cannot be stopped.

Exam trap

ISC2 often tests the misconception that `dd if=/dev/mem` is a valid forensic acquisition method in cloud environments, but the trap is that it requires root access, alters the system state, and is not supported in many cloud VM configurations, whereas the cloud provider's API is the only non-disruptive, forensically sound method for volatile memory capture in a production VM that cannot be stopped.

How to eliminate wrong answers

Option A is wrong because a disk snapshot captures only persistent storage (the virtual disk), not volatile memory (RAM), so it cannot acquire evidence like running processes, kernel modules, or active network connections. Option B is wrong because network packet capture collects traffic traversing the network interface, not the contents of system memory; it cannot capture in-memory data such as process memory or cached credentials. Option D is wrong because running `dd if=/dev/mem` from within the VM requires root access and modifies the system state (e.g., writing to /tmp), which can overwrite evidence and trigger anti-forensic mechanisms; moreover, it may not be supported in all cloud VM configurations (e.g., paravirtualized kernels) and violates the principle of minimal interference in a production environment.

7
MCQhard

Refer to the exhibit. A cloud security analyst reviews the bucket policy for example-bucket. Based on the policy, which of the following is true?

A.Requests from IP 192.0.2.10 over HTTPS are allowed.
B.Access is denied because the Principal is set to "*", which is insecure.
C.Requests from IP 192.0.2.10 over HTTP are allowed because the deny statement only applies when SecureTransport is false.
D.Any IP address can perform GetObject requests if they use HTTPS.
AnswerA

The allow statement permits GetObject from that IP range, and the deny does not apply because HTTPS is used.

Why this answer

Option A is correct because the bucket policy includes an explicit Allow statement granting s3:GetObject to all principals (Principal: "*") from the IP address 192.0.2.10, and the condition "Bool": {"aws:SecureTransport": "true"} ensures that only HTTPS requests are allowed. Since the request originates from the specified IP and uses HTTPS, it satisfies both the Allow condition and is not blocked by the Deny statement, which only denies requests when SecureTransport is false (i.e., HTTP). Thus, the request is permitted.

Exam trap

ISC2 often tests the nuance that an explicit Deny overrides an Allow, but here the Deny only applies to HTTP (SecureTransport false), so HTTPS requests from the allowed IP are still permitted, leading candidates to mistakenly think the Deny blocks all requests.

How to eliminate wrong answers

Option B is wrong because setting Principal to "*" is not inherently insecure; AWS S3 bucket policies commonly use "*" to grant public access, and security is enforced through conditions like IP restrictions and SecureTransport requirements. Option C is wrong because the Deny statement applies when SecureTransport is false, but the Allow statement explicitly requires SecureTransport to be true; therefore, a request from IP 192.0.2.10 over HTTP would be denied by the Deny statement (since SecureTransport is false) and also would not satisfy the Allow condition. Option D is wrong because the Allow statement is restricted to the specific IP address 192.0.2.10; any other IP address attempting GetObject over HTTPS would not match the Allow condition and would be implicitly denied (or explicitly denied if another Deny statement exists).

8
MCQhard

An incident response team is investigating a potential breach in a cloud environment. They have collected logs from various sources. Which of the following is the MOST critical factor to ensure the admissibility of digital evidence in court?

A.Maintaining a documented chain of custody for all evidence
B.Encrypting all evidence during collection and transport
C.Using automated tools for log analysis
D.Ensuring logs are in their original format
AnswerA

Chain of custody is crucial for admissibility.

Why this answer

Option A is correct because maintaining the chain of custody ensures evidence integrity and admissibility. Option B is wrong while important for investigation, admissibility depends on custody. Option C is wrong because logs may not be original but certified copies can be used if chain of custody is maintained.

Option D is wrong because encryption does not guarantee authenticity.

9
MCQhard

A cloud security operations team is evaluating SIEM solutions. They need to minimize false positives while ensuring critical security events are not missed. Which of the following is the MOST effective technique to achieve this balance?

A.Implement context-aware correlation and tune rules based on feedback loops
B.Aggregate all security events into a single correlation rule
C.Increase the alert threshold for all event types to reduce noise
D.Rely exclusively on signature-based detection
AnswerA

Balances false positives and detection.

Why this answer

Option D is correct because tuning detection rules based on environmental context and using threat intelligence reduces false positives while maintaining sensitivity. Option A is wrong because increasing threshold reduces alerts but may miss true positives. Option B is wrong because aggregating events increases noise.

Option C is wrong because using only known signatures misses novel attacks.

10
Multi-Selecthard

Which THREE components are essential for establishing a secure baseline configuration for a cloud virtual machine? (Choose three.)

Select 3 answers
A.Running applications as a service account.
B.Removing unnecessary software and services from the OS.
C.Configuring network security groups at the subnet level.
D.Implementing least privilege for local user accounts.
E.Enabling a host-based firewall to restrict inbound and outbound traffic.
AnswersB, D, E

Hardening by disabling unused services reduces attack surface.

Why this answer

Option B is correct because removing unnecessary software and services from the OS reduces the attack surface by eliminating potential vulnerabilities and backdoors. A secure baseline configuration must minimize the number of running components to only those required for the VM's intended function, following the principle of least functionality.

Exam trap

ISC2 often tests the distinction between OS-level hardening (baseline) and network-level controls (like NSGs), so candidates may mistakenly include subnet-level security groups as part of the VM's baseline configuration.

11
MCQhard

A cloud security architect is designing a forensics capability for a multi-tenant infrastructure-as-a-service (IaaS) environment. Which of the following is the MOST significant challenge when performing forensic acquisition of virtual machine (VM) memory?

A.High performance overhead caused by memory acquisition
B.Inability to access the hypervisor-level memory of other tenants due to isolation
C.Memory content is not available after the VM is powered off
D.Lack of tools that can capture memory from a running VM in the cloud
AnswerB

Multi-tenancy prevents cross-tenant memory access.

Why this answer

Option A is correct because accessing another tenant's VM memory would violate isolation boundaries and is not permitted by the cloud provider. Option B is wrong because VM memory can be imaged using tools like LiME, but the main issue is access. Option C is wrong because memory acquisition does not necessarily cause high performance impact.

Option D is wrong because memory content is volatile but the challenge is obtaining it from a tenant's perspective.

12
MCQeasy

A financial services company uses a hybrid cloud environment with an on-premises data center and AWS. They have deployed a Cloud Access Security Broker (CASB) to enforce data loss prevention (DLP) policies for SaaS applications. Recently, the security team noticed that sensitive customer data is being exfiltrated via encrypted traffic to a sanctioned cloud storage application. The CASB logs show the traffic is identified as HTTPS, but the DLP policy is not blocking it. The team verifies that the CASB is configured with a forward proxy and SSL inspection is enabled. Which action should the security team take to prevent this exfiltration?

A.Block all HTTPS traffic to the cloud storage application
B.Ensure the CASB's SSL certificate is deployed to all endpoint devices
C.Configure the CASB to log only metadata for encrypted traffic
D.Disable HTTPS for the cloud storage application and force HTTP
AnswerB

Without the CASB’s certificate trusted by clients, SSL inspection fails, and DLP cannot inspect encrypted content.

Why this answer

The CASB is configured as a forward proxy with SSL inspection enabled, but for SSL inspection to work, the CASB's certificate must be trusted by the endpoint devices. Without the CASB's certificate deployed to the endpoints, the SSL inspection fails (the CASB cannot decrypt the traffic), so the DLP policy cannot inspect the payload of HTTPS traffic, allowing sensitive data to be exfiltrated. Deploying the CASB's certificate to all endpoint devices ensures that the endpoints trust the CASB's man-in-the-middle decryption, enabling the CASB to decrypt, inspect, and enforce DLP policies on encrypted traffic.

Exam trap

The trap here is that candidates assume SSL inspection is automatically effective once enabled in the CASB configuration, overlooking the critical prerequisite that the CASB's certificate must be trusted by the endpoints for decryption to occur.

How to eliminate wrong answers

Option A is wrong because blocking all HTTPS traffic to the cloud storage application is an overly broad and disruptive measure that would break legitimate business use of the sanctioned application, and it does not address the root cause of the DLP policy not being enforced on encrypted traffic. Option C is wrong because logging only metadata for encrypted traffic would reduce visibility and prevent the CASB from inspecting the payload, making it impossible to enforce DLP policies on the content of the traffic. Option D is wrong because disabling HTTPS and forcing HTTP would expose the data in transit to interception and tampering, violating security best practices and potentially regulatory compliance requirements, and it does not leverage the existing SSL inspection capability of the CASB.

13
MCQeasy

A financial services company is migrating a critical application to the cloud. They must ensure that the cloud provider supports the ability to conduct forensic investigations in case of a security incident. Which of the following is the MOST important requirement to include in the contract?

A.The provider must guarantee 99.999% uptime for all cloud services used.
B.The provider must automatically patch all virtual machines within 24 hours of patch release.
C.The provider must grant the customer access to raw logs and the ability to perform memory captures on virtual instances.
D.The provider must store data only in data centers located within the country of operation.
AnswerC

Access to raw logs and memory captures is critical for forensic analysis.

Why this answer

Option B is correct because access to raw logs is essential for forensic investigations. Option A is wrong because automatic patching is a security measure but not specific to forensics. Option C is wrong because geographic restrictions are about data residency, not forensics.

Option D is wrong because uptime guarantees are about availability, not forensic capability.

14
MCQmedium

Refer to the exhibit. A security analyst is investigating a potential unauthorized key pair creation. The CloudTrail log shows a successful CreateKeyPair event for an admin user. What additional step should the analyst take to determine if this was an authorized action?

A.Immediately revoke all admin privileges for the user.
B.Review the key pair's usage to see if it was used to launch instances.
C.Delete the key pair immediately to prevent any misuse.
D.Check the source IP address against the company's approved IP ranges.
AnswerD

This helps verify if the action came from a trusted location.

Why this answer

Option D is correct because the first step in verifying whether a CreateKeyPair event was authorized is to check the source IP address against the company's approved IP ranges. CloudTrail logs include the sourceIPAddress field, which can be compared to a whitelist of administrative jump hosts or corporate VPN ranges. If the IP is outside those ranges, it strongly indicates unauthorized access, even if the user credentials were valid.

Exam trap

ISC2 often tests the misconception that the immediate response to a suspicious event should be a punitive action (like revoking privileges or deleting resources) rather than a methodical investigative step to confirm authorization.

How to eliminate wrong answers

Option A is wrong because immediately revoking all admin privileges is a drastic, premature action that could disrupt legitimate operations; the analyst must first gather evidence to confirm unauthorized activity. Option B is wrong because reviewing the key pair's usage to see if it was used to launch instances is a later forensic step, not the immediate action to determine authorization; a key pair can be created and used maliciously within seconds, and the creation event itself must be validated first. Option C is wrong because deleting the key pair immediately could destroy forensic evidence and alert an attacker, and it does not address the root cause of potential credential compromise.

15
Multi-Selecthard

A cloud security engineer is investigating a potential data breach in a cloud environment. The organization uses a cloud access security broker (CASB) and has deployed a security information and event management (SIEM) system. Which of the following are likely indicators that the CASB has detected unauthorized data exfiltration? (Choose two.)

Select 2 answers
A.Anomalous spike in outbound traffic to an unknown IP address
B.A change in the configuration of a firewall rule
C.A large number of file downloads by a single user outside of business hours
D.Multiple failed login attempts to a critical application
E.An alert for a known malware signature in an email attachment
AnswersA, C

Unusual outbound traffic patterns can indicate data exfiltration.

Why this answer

CASBs are designed to detect anomalous data movements. An anomalous spike in outbound traffic to an unknown IP (A) and a large number of file downloads by a single user outside business hours (C) are strong indicators of exfiltration. Multiple failed logins (B) indicate brute force attempts, not exfiltration.

Malware in email (D) is a malware indicator, not exfiltration. Firewall rule change (E) is a configuration change, not a direct exfiltration sign.

16
MCQhard

A company runs its production workloads on a cloud infrastructure-as-a-service (IaaS) platform. The security operations team uses a SIEM to monitor security events. Over the past week, they have observed an increasing number of alerts indicating failed login attempts to a critical database server. The source IP addresses are varied and originate from different geographic regions. The team has also noticed that the database server's CPU usage has spiked during non-business hours. The database is not exposed to the internet; it is in a private subnet. The security team suspects that the database credentials have been compromised. Which of the following actions should the security team take FIRST to mitigate the risk?

A.Conduct a forensic investigation to determine how the credentials were compromised
B.Block the source IP ranges identified in the SIEM alerts at the network firewall
C.Enable multi-factor authentication on the database server
D.Rotate the database credentials immediately
AnswerD

Prevents further unauthorized access.

Why this answer

Option C is correct. The first step should be to rotate the database credentials to prevent further unauthorized access. The failed login attempts indicate active exploitation, and credential rotation is the immediate mitigation.

Option A is wrong because blocking IPs is ineffective since they are varied and dynamic. Option B is wrong because while investigating the source is important, it does not stop the ongoing attacks. Option D is wrong because while enabling MFA is good, the immediate priority is to stop access via compromised credentials.

17
MCQeasy

A company has implemented a centralized logging solution for its cloud environment. The security team notices that logs from a critical application are missing for the past hour. What is the MOST likely cause?

A.The log retention policy was set to 0 days
B.Log encryption was enabled causing a delay
C.The security team does not have read permission on the log bucket
D.The logging agent on the application server stopped working
AnswerD

A stopped logging agent would cause missing logs.

Why this answer

Option B is correct because the most common cause of missing logs is a misconfiguration in the logging agent or log forwarder. Option A is wrong because log retention policies affect how long logs are stored, not whether they are generated. Option C is wrong because encryption does not prevent log generation.

Option D is wrong because user permission changes would not cause logs to stop being sent, they would affect access to existing logs.

18
Multi-Selecteasy

A cloud security administrator is reviewing the security controls for a SaaS application. Which of the following are typically the responsibility of the cloud customer (tenant) in a SaaS model? (Choose two.)

Select 2 answers
A.Physical security of data center
B.Managing user access and identity
C.Network infrastructure security
D.Patching the underlying operating system
E.Data classification and encryption at rest
AnswersB, E

Customers control user identities and access permissions.

Why this answer

In a SaaS model, the customer is responsible for managing user access and identity (B) and data classification and encryption at rest (D). The provider handles patching the underlying OS (A), physical security (C), and network infrastructure security (E).

19
Multi-Selectmedium

Which TWO responsibilities are typically shared between the cloud customer and the cloud provider in an IaaS model? (Choose two.)

Select 2 answers
A.Physical security of data centers.
B.Hypervisor security.
C.Management of security group rules.
D.Patching the guest operating system.
E.Configuration of virtual network firewalls.
AnswersC, E

Both customer (defines rules) and provider (enforces them) share this.

Why this answer

In an IaaS model, the cloud customer is responsible for managing security group rules, which act as virtual stateful firewalls controlling inbound and outbound traffic at the instance level. The cloud provider is responsible for the underlying network infrastructure, but the customer must configure these rules to enforce least-privilege access. This shared responsibility is explicitly defined in the AWS Shared Responsibility Model and similar frameworks.

Exam trap

ISC2 often tests the misconception that hypervisor security is a shared responsibility, but in IaaS, the provider alone secures the hypervisor, while the customer is responsible for guest OS and application-level security controls like security groups and virtual firewalls.

20
MCQeasy

A cloud security engineer is troubleshooting a failure in automated backups for a production database. The backup job runs nightly but has failed for the past three nights. The logs show permission denied errors when the backup service attempts to write to the storage bucket. Which action should the engineer take first?

A.Open a support ticket with the cloud provider for incident response.
B.Check the IAM roles and bucket ACLs assigned to the service account.
C.Restart the backup service and retry the job.
D.Rotate the service account keys used for authentication.
AnswerB

The error indicates a permission issue, so this is the correct first step.

Why this answer

The permission denied errors indicate that the service account used by the backup job lacks the necessary permissions to write to the storage bucket. Checking the IAM roles and bucket ACLs is the first logical step to identify and resolve the misconfiguration, as it directly addresses the root cause without introducing unnecessary changes or escalations.

Exam trap

ISC2 often tests the distinction between authentication (who you are) and authorization (what you can do), leading candidates to mistakenly rotate keys or restart services instead of checking permissions.

How to eliminate wrong answers

Option A is wrong because opening a support ticket is premature; the engineer should first investigate and resolve the permission issue internally, as it is likely a configuration problem rather than a provider-side incident. Option C is wrong because restarting the backup service and retrying the job will not fix the underlying permission denial; the same error will recur until the IAM or ACL configuration is corrected. Option D is wrong because rotating service account keys addresses authentication (who you are), not authorization (what you are allowed to do); the error is about permission to write, not about invalid credentials.

21
Multi-Selecthard

Which THREE of the following are key considerations when designing a disaster recovery plan for a cloud-based application?

Select 3 answers
A.Performing manual failover testing only once a year.
B.Eliminating all security controls to speed up recovery.
C.Implementing cross-region replication for critical data.
D.Defining the Recovery Time Objective (RTO) for critical services.
E.Ensuring data consistency and integrity across replicated environments.
AnswersC, D, E

Cross-region replication ensures availability.

Why this answer

Option C is correct because cross-region replication ensures that critical data is asynchronously or synchronously copied to a geographically separate cloud region, providing resilience against regional outages. This design directly supports disaster recovery by enabling failover to a secondary site with minimal data loss, often leveraging cloud-native services like AWS S3 Cross-Region Replication or Azure Geo-Redundant Storage.

Exam trap

ISC2 often tests the misconception that disaster recovery planning can skip security controls or infrequent testing, but the exam emphasizes that DR must maintain security posture and be validated through regular, automated testing to meet compliance and operational requirements.

22
MCQmedium

An organization is designing a cloud storage solution for highly sensitive customer data. The data must be encrypted at rest and the encryption keys must be managed by the customer, not the cloud provider. Additionally, the solution must allow granular access control based on data classification. Which combination of services should the architect recommend?

A.Server-side encryption with customer-managed keys and a storage bucket with bucket-level policies.
B.Server-side encryption with cloud-managed keys and a storage bucket with bucket-level policies.
C.Cloud HSM for key management and a cloud storage service with object-level ACLs.
D.Client-side encryption with a cloud KMS and a storage bucket with bucket-level policies.
AnswerC

Customer-managed keys in HSM and object-level ACLs meet both requirements.

Why this answer

Option C is correct because Cloud HSM provides customer-managed keys for encryption at rest, ensuring the customer retains sole control over the keys. Combined with a cloud storage service that supports object-level ACLs, this allows granular access control based on data classification, meeting both requirements.

Exam trap

ISC2 often tests the distinction between server-side encryption (where the provider performs encryption) and client-side encryption (where the customer encrypts before upload), and the trap here is assuming that server-side encryption with customer-managed keys (Option A) gives the customer full control over key management, when in fact the provider still has access to the keys during encryption/decryption operations.

How to eliminate wrong answers

Option A is wrong because server-side encryption with customer-managed keys still relies on the cloud provider's infrastructure to perform encryption, and bucket-level policies alone do not provide granular object-level access control based on data classification. Option B is wrong because cloud-managed keys mean the provider controls the keys, violating the customer-managed key requirement. Option D is wrong because client-side encryption with a cloud KMS still involves the provider in key management (the KMS is provider-managed), and bucket-level policies lack the granularity of object-level ACLs for data classification.

23
MCQhard

An organization uses a cloud key management service (KMS) to encrypt data at rest. The security policy requires that the encryption keys be rotated every 90 days. The operations team is concerned about the impact of key rotation on encrypted data. Which of the following statements is true regarding KMS key rotation?

A.Key rotation is not supported in cloud KMS
B.Data encrypted before rotation can still be decrypted using the previous key as long as it is available
C.The KMS automatically re-encrypts all data with the new key
D.Existing data encrypted with the previous key must be re-encrypted with the new key
AnswerB

KMS retains previous keys to decrypt older data.

Why this answer

Option B is correct because cloud KMS retains previous key versions after rotation, allowing decryption of data encrypted with older keys. The key rotation creates a new cryptographic key version, but the old version remains active for decryption until it is disabled or deleted. This ensures that data encrypted before rotation remains accessible without re-encryption.

Exam trap

ISC2 often tests the misconception that key rotation forces re-encryption of all existing data, but the correct understanding is that previous key versions remain available for decryption, making re-encryption optional unless the old key is deleted.

How to eliminate wrong answers

Option A is wrong because cloud KMS (e.g., AWS KMS, Azure Key Vault, GCP Cloud KMS) fully supports key rotation, both automatic and manual. Option C is wrong because KMS does not automatically re-encrypt existing data; re-encryption requires an explicit operation by the application or storage service. Option D is wrong because existing data encrypted with the previous key can still be decrypted using the retained previous key version, so re-encryption is not mandatory for access.

24
MCQmedium

An organization has implemented a change management process for its cloud infrastructure. During a routine change, a network security group rule is modified incorrectly, causing a critical application to become inaccessible. What is the most effective way to prevent this issue in future changes?

A.Require all changes to be approved by two managers.
B.Integrate automated configuration validation tests into the change pipeline.
C.Ensure every change has a rollback plan.
D.Implement a peer review process for all change requests.
AnswerB

Automated testing can detect policy violations and misconfigurations before deployment.

Why this answer

Option D is correct because automated testing validations catch misconfigurations before production deployment. Option A is wrong because requiring manager approval does not prevent technical errors. Option B is wrong because peer review helps but is manual and can miss issues.

Option C is wrong because rollback plans are reactive, not preventive.

25
MCQeasy

A security analyst notices that a cloud storage bucket contains objects with public read access. The organization's policy prohibits public access. What is the most efficient way to remediate this issue across all objects in the bucket?

A.Delete the bucket and recreate it
B.Use a third-party tool to scan and fix
C.Apply a bucket policy that denies public access and update the bucket ACL to block public access
D.Manually update each object's ACL
AnswerC

Bucket-level policies and ACLs override object-level permissions, efficiently blocking public access.

Why this answer

Option B is correct because applying a bucket policy that denies public access and updating the bucket ACL to block public access will override any object-level public ACLs. Option A is inefficient as it requires manual object updates. Option C is unnecessarily disruptive.

Option D may not be needed.

26
MCQhard

A multinational corporation uses a hybrid cloud model with on-premises data centers and the AWS cloud. They have implemented a Cloud Access Security Broker (CASB) to enforce security policies. Recently, the security team noticed that users are accessing cloud applications from unusual geographic locations and downloading large volumes of data. The CASB logs show that the users authenticated using single sign-on (SSO) with valid credentials. The company has not enabled multi-factor authentication (MFA) for all users due to a previous pushback from the user community. The security team suspects a credential theft incident. What is the BEST course of action to mitigate the risk and respond to the potential incident?

A.Revoke the suspicious sessions and require all users to re-authenticate with MFA before granting access to cloud applications.
B.Ask the affected users to change their passwords and monitor their accounts for further suspicious activity.
C.Lock all user accounts and require the IT team to manually verify each user's identity before unlocking.
D.Disable SSO immediately and require users to authenticate directly with the cloud applications.
AnswerA

This immediately stops the ongoing threat and enforces a stronger authentication method for future access.

Why this answer

Option C is correct because immediately revoking the suspicious sessions and requiring MFA re-authentication stops the potential attack and enforces stronger security. Option A is wrong because disabling SSO would disrupt business operations and not address the root cause. Option B is wrong while resetting passwords helps, without MFA the new passwords could also be stolen.

Option D is wrong because locking all accounts is too disruptive and assumes all users are compromised, which is not indicated.

27
MCQeasy

A cloud operations team has a process for making changes to production environments. Which change management practice is MOST important for reducing the risk of service disruption?

A.Allowing all changes to be made immediately with no approval process.
B.Testing all changes in a staging environment before production deployment.
C.Notifying the security team after the change is completed.
D.Ensuring a rollback plan is documented after the change is made.
AnswerB

Staging testing catches issues early.

Why this answer

Testing all changes in a staging environment before production deployment is the most important practice because it validates the change's behavior, performance, and compatibility in an isolated replica of production. This directly reduces the risk of service disruption by catching configuration errors, resource conflicts, or software defects that could cause outages. Without staging validation, even well-intentioned changes can introduce silent failures or cascading issues.

Exam trap

ISC2 often tests the misconception that a documented rollback plan is sufficient to reduce risk, but the trap is that a rollback plan is reactive and cannot prevent the initial disruption, whereas staging testing proactively prevents the disruption from occurring in the first place.

How to eliminate wrong answers

Option A is wrong because allowing all changes to be made immediately with no approval process bypasses change advisory board (CAB) review and automated gating, leading to unvalidated modifications that frequently cause production incidents. Option C is wrong because notifying the security team after the change is completed provides no opportunity for pre-deployment security review or compensating controls, leaving vulnerabilities exploitable during the change window. Option D is wrong because ensuring a rollback plan is documented after the change is made defeats its purpose; a rollback plan must be prepared and tested before the change to be effective, as post-change documentation cannot reverse an ongoing disruption.

28
Multi-Selectmedium

Which TWO of the following are best practices for monitoring a cloud environment to detect security incidents?

Select 2 answers
A.Centralize logs from all cloud services into a single analytics platform.
B.Set up automated alerts based on defined thresholds for key security metrics.
C.Enable all available log sources to ensure complete visibility.
D.Monitor only network flow logs to reduce data volume.
E.Conduct manual log reviews on a weekly basis to identify anomalies.
AnswersA, B

Centralization allows correlation across services for better detection.

Why this answer

Centralizing logs from all cloud services into a single analytics platform (e.g., SIEM like Splunk or AWS Security Hub) enables correlation across disparate data sources, which is essential for detecting multi-vector attacks. This practice aligns with the NIST SP 800-92 log management guidelines and the CCSP domain of Cloud Security Operations, as it provides a unified view for threat detection and incident response.

Exam trap

ISC2 often tests the misconception that 'more logs are always better' (Option C) or that manual reviews are sufficient, when in reality, automated correlation and threshold-based alerting are required for effective incident detection in cloud environments.

29
MCQeasy

Refer to the exhibit. An administrator attaches security group sg-12345 to a web server. Which of the following describes the traffic that will be allowed by the security group?

A.Only SSH traffic from the internal network is allowed inbound.
B.Inbound HTTP and HTTPS from anywhere, and SSH only from the internal network are allowed.
C.The server cannot initiate any outbound connections.
D.All inbound traffic from the internet is allowed.
AnswerB

This matches the rules shown.

Why this answer

Option D is correct. Inbound HTTP and HTTPS from anywhere (0.0.0.0/0) are allowed. SSH is allowed only from the internal network (10.0.0.0/8).

Outbound all traffic is allowed. Options A, B, and C are incorrect because they misrepresent the rules.

30
Multi-Selecteasy

Which TWO of the following are valid considerations when performing forensic imaging of virtual machines in a public cloud? (Choose two.)

Select 2 answers
A.Time synchronization between the imaging tool and the VM clock is essential
B.The imaging process must be performed from within the same cloud region
C.Images of other tenants' VMs can be accessed through the hypervisor if needed
D.The cloud provider will provide hypervisor memory dumps upon request
E.Volatile data will be lost if the VM is powered off before imaging
AnswersA, E

Ensures accurate timeline.

Why this answer

Options A and D are correct. A: In-memory data is lost when VM is stopped, so acquire while running. D: Time synchronization is important for timeline analysis.

Option B is wrong because cloud provider typically does not allow direct access to hypervisor memory for forensic purposes. Option C is wrong because hypervisor-level isolation prevents accessing other tenants' images.

31
MCQhard

A company uses a cloud-based SIEM to aggregate logs from multiple sources. Recently, the SIEM stopped receiving logs from a critical application server. The server is running and the application is functioning normally. The security team has verified that the log forwarder service is running on the server and the network path to the SIEM is open. Which additional step should the team take to diagnose the issue?

A.Check the server's CPU and memory utilization.
B.Review the firewall rules between the server and the SIEM.
C.Restart the SIEM collector service.
D.Inspect the log forwarder's configuration and recent log files for errors.
AnswerD

This directly addresses the most probable cause of misconfiguration.

Why this answer

Option D is correct because the most likely cause of logs not being received by the SIEM, when the server is running and the network path is open, is a misconfiguration or error within the log forwarder itself. Inspecting the forwarder's configuration (e.g., destination IP, port, protocol) and its local log files (e.g., syslog, Windows Event Forwarding logs) can reveal authentication failures, queue overflows, or parsing errors that prevent log transmission. This step directly addresses the log generation and forwarding pipeline, which is the remaining point of failure after verifying network connectivity and service status.

Exam trap

ISC2 often tests the misconception that network-level checks (firewall, connectivity) are sufficient, when the real issue is often an application-layer misconfiguration within the log forwarder itself, which candidates overlook because they assume a 'running' service is correctly configured.

How to eliminate wrong answers

Option A is wrong because CPU and memory utilization on the application server would not prevent a properly configured and running log forwarder from sending logs; high resource usage might cause delays but not a complete cessation of log forwarding, and the server is functioning normally. Option B is wrong because the security team has already verified that the network path to the SIEM is open, which implicitly includes firewall rules; reviewing them again would be redundant and not address the log forwarder's internal state. Option C is wrong because restarting the SIEM collector service on the cloud-based SIEM side would not fix a problem originating from the log forwarder's configuration or errors; the collector is receiving logs from other sources, indicating it is operational.

32
MCQhard

A multinational corporation operates in a country where data sovereignty laws require that all customer data remain within the country's borders. The company uses a global public cloud provider. Which operational control is MOST critical to ensure compliance?

A.Use a VPN to connect to the cloud provider's network.
B.Implement cloud policy to restrict resource deployment to approved regions.
C.Conduct quarterly audits of data storage locations.
D.Encrypt all data at rest and in transit.
AnswerB

Policy enforcement prevents resources from being created outside allowed regions.

Why this answer

Option B is correct because implementing a cloud policy to restrict resource deployment to approved regions is the most direct and proactive operational control to enforce data sovereignty. By using Azure Policy, AWS Service Control Policies (SCPs), or GCP Organization Policies, the organization can programmatically prevent resources from being provisioned in non-compliant regions, ensuring customer data never leaves the required jurisdiction. This is a preventive control that operates at the infrastructure level, unlike detective or reactive measures.

Exam trap

ISC2 often tests the distinction between preventive and detective controls, and the trap here is that candidates confuse encryption or VPNs (which protect data in transit/at rest) with location enforcement, failing to recognize that data sovereignty is a geographic constraint, not a security one.

How to eliminate wrong answers

Option A is wrong because a VPN only secures the network connection between the organization and the cloud provider; it does not control where the cloud provider physically stores data, so it cannot enforce data sovereignty. Option C is wrong because quarterly audits are a detective control that only identifies non-compliance after it has occurred, rather than preventing it; by the time an audit reveals data in a prohibited region, the violation has already happened. Option D is wrong because encryption protects data confidentiality but does not address data location; encrypted data stored in a non-compliant region still violates data sovereignty laws.

33
MCQmedium

A company has deployed a mission-critical application in the cloud and needs to ensure that it remains available even if an entire cloud region fails. Which architecture pattern should they adopt?

A.Regular backups to a different region
B.Active-passive across regions
C.Vertical scaling within a single region
D.Horizontal scaling within a single availability zone
AnswerB

Active-passive replicates to another region for failover.

Why this answer

Option C is correct because an active-passive across-regions architecture provides disaster recovery for region failure. Option A (vertical scaling) increases capacity in the same region. Option B (horizontal scaling within a single AZ) does not protect against region failure.

Option D (backups) is not a high-availability pattern.

34
MCQeasy

A cloud security engineer is tasked with automating the response to a detected malware infection on a virtual machine. The engineer wants to isolate the VM from the network immediately upon detection. Which cloud-native feature should be used?

A.Take a snapshot of the VM for forensic analysis.
B.Modify the VM's security group to deny all inbound and outbound traffic.
C.Attach the VM to a different load balancer.
D.Create a site-to-site VPN connection for the VM.
AnswerB

Security groups can be updated programmatically to isolate the VM.

Why this answer

Modifying the VM's security group to deny all inbound and outbound traffic is the correct cloud-native method to immediately isolate the VM from the network. Security groups act as a virtual firewall at the instance level, and by removing all allow rules, you effectively block all traffic to and from the VM, containing the malware without deleting or powering off the instance.

Exam trap

ISC2 often tests the distinction between network isolation (security groups) and forensic preservation (snapshots), trapping candidates who confuse post-incident analysis steps with immediate containment actions.

How to eliminate wrong answers

Option A is wrong because taking a snapshot is a forensic preservation step, not an isolation mechanism; it does not alter the VM's network connectivity and the malware could still communicate. Option C is wrong because attaching the VM to a different load balancer does not isolate it; it merely changes the traffic distribution endpoint and may even expose the VM to new traffic. Option D is wrong because creating a site-to-site VPN connection extends the network to an external site, which is the opposite of isolation and would increase the attack surface.

35
MCQeasy

A security analyst reviews the bucket policy above. What is the primary security concern?

A.The bucket policy allows public read access to all objects
B.The bucket policy uses an outdated version
C.The bucket policy is missing a Condition element
D.The bucket policy allows public write access to all objects
AnswerA

Allowing GetObject to anonymous users makes all objects publicly readable.

Why this answer

Option A is correct because the bucket policy grants public read access to all objects via a Principal set to '*' and an Effect of 'Allow' on the s3:GetObject action. This means any unauthenticated user on the internet can list and download objects in the bucket, leading to potential data exposure. The primary security concern is unauthorized data disclosure, which violates the principle of least privilege.

Exam trap

ISC2 often tests the distinction between read and write permissions in bucket policies, so candidates may mistakenly choose public write access (Option D) when the policy clearly shows read access, or they may overthink the missing Condition element (Option C) as the primary issue rather than the explicit public Principal.

How to eliminate wrong answers

Option B is wrong because the policy version (e.g., '2012-10-17') is the standard AWS IAM policy version and is not outdated; an outdated version would not cause a security concern by itself. Option C is wrong because while a missing Condition element can reduce granularity, it is not inherently a security concern if the policy already allows public access; the absence of a Condition does not create the exposure—the overly permissive Principal and Action do. Option D is wrong because the policy shown allows read access (s3:GetObject), not write access (s3:PutObject); public write access would be a different and equally severe concern, but it is not present in this policy.

36
MCQhard

A cloud security engineer is responsible for a SaaS application hosted on a public cloud provider. The application uses a relational database to store customer data. The security team recently conducted a vulnerability assessment and discovered that the database can be accessed over the internet without any network restrictions. Additionally, the database admin user has the same password as the root account, and the password has not been changed in 18 months. The company is subject to GDPR and PCI DSS compliance requirements. The engineer needs to remediate these issues immediately. Which of the following actions should be taken FIRST?

A.Change the database admin password to a complex new password immediately.
B.Upgrade the database to the latest version with all security patches applied.
C.Configure the database security group to allow traffic only from the application server's IP address range.
D.Enable encryption at rest for the database to protect the data if it is stolen.
AnswerC

Restricting network access is the quickest way to eliminate the internet exposure and should be done first to prevent ongoing attacks.

Why this answer

Option B is correct because restricting network access to authorized sources only is the most immediate way to reduce the attack surface and prevent unauthorized access over the internet. Option A is wrong because changing the password is important but should follow the network restriction to ensure the database is not exposed during the change. Option C is wrong while enabling encryption is a best practice, it does not prevent an attacker from connecting directly.

Option D is wrong because upgrading the database might not be immediately available and does not address the access issue.

37
MCQhard

Refer to the exhibit. A security engineer has attached the above IAM policy to a user. What is the effect of this policy?

A.The user can upload objects only to the my-bucket bucket with no restrictions.
B.The user can upload objects only if they use customer-managed KMS keys.
C.The user is denied from uploading objects without encryption.
D.The user can upload objects only if they specify server-side encryption with AES256.
AnswerD

The condition requires s3:x-amz-server-side-encryption to be AES256.

Why this answer

Option D is correct because the IAM policy uses a `Condition` block with `s3:x-amz-server-side-encryption` set to `AES256`. This condition ensures that any `s3:PutObject` request must include the `x-amz-server-side-encryption` header with the value `AES256`. Without this header or with a different encryption value, the request is denied.

The `Deny` effect overrides any `Allow` that might exist, so the user is forced to specify SSE-S3 (AES-256) encryption on every upload.

Exam trap

ISC2 often tests the distinction between SSE-S3 (`AES256`) and SSE-KMS (`aws:kms`), and the trap here is that candidates mistakenly think the policy allows any encryption or that it only blocks unencrypted uploads, when in fact it mandates a specific encryption type.

How to eliminate wrong answers

Option A is wrong because the policy does not grant unrestricted uploads; it explicitly denies uploads that do not meet the encryption condition. Option B is wrong because the condition requires `AES256`, which refers to SSE-S3 (Amazon S3-managed keys), not customer-managed KMS keys (SSE-KMS). Option C is wrong because the policy does not deny all unencrypted uploads; it only denies uploads that lack the specific `x-amz-server-side-encryption: AES256` header, meaning uploads with other encryption types (e.g., SSE-KMS) are also denied.

38
MCQhard

A financial services company runs a critical application on a cloud infrastructure. The application consists of a web tier, an application tier, and a database tier, all deployed in a single cloud region. The database is a managed relational database service with automated backups enabled. The company's disaster recovery plan requires a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour. During a recent regional outage, the primary region became unavailable for 6 hours. The company attempted to restore the database from the latest automated backup in a different region, but the restore took 5 hours due to the large database size, exceeding the RTO. Additionally, the backup was 2 hours old at the time of the outage, exceeding the RPO. The security team has also noted that the backup data is encrypted with a cloud-managed key, which may not meet future compliance requirements for customer-managed encryption keys. Which course of action should the company take to meet both the RTO and RPO objectives while also addressing the encryption requirement?

A.Implement cross-region read replicas with synchronous replication and enable encryption with a customer-managed key that is replicated to the disaster recovery region.
B.Store the backup in a different region using cross-region copy and use a cloud HSM to manage the encryption key.
C.Use cross-region asynchronous replication with a separate database instance and encrypt with a cloud-managed key.
D.Increase the frequency of automated backups to every 30 minutes and use faster storage for the database restore process.
AnswerA

Synchronous replicas provide RPO of seconds and failover in minutes; customer-managed keys meet compliance.

Why this answer

Option A is correct because cross-region read replicas with synchronous replication can provide a standby database in another region with an RPO of effectively zero (synchronous replication ensures no data loss) and an RTO measured in minutes (promote the replica to primary), meeting both the 4-hour RTO and 1-hour RPO. Using a customer-managed key (CMK) replicated to the DR region satisfies the compliance requirement for customer-managed encryption keys, as the key can be controlled and audited independently of the cloud provider.

Exam trap

ISC2 often tests the distinction between synchronous and asynchronous replication in the context of RPO/RTO, and the trap here is that candidates assume cross-region backups or asynchronous replication can meet strict RPO/RTO targets, ignoring the inherent latency and restore time penalties.

How to eliminate wrong answers

Option B is wrong because storing backups in a different region via cross-region copy still relies on the backup creation schedule (e.g., 2-hour-old backup) and restore time (5 hours), failing both RPO and RTO; using a cloud HSM does not address the restore speed or backup age. Option C is wrong because asynchronous replication can introduce replication lag (often minutes to hours), potentially exceeding the 1-hour RPO, and encrypting with a cloud-managed key does not meet the customer-managed key compliance requirement. Option D is wrong because increasing backup frequency to 30 minutes only improves RPO (to 30 minutes) but does not reduce the 5-hour restore time (RTO failure) and does not address the encryption key compliance issue.

39
Multi-Selecthard

A cloud security architect is designing a secure CI/CD pipeline for a containerized application deployed on a Kubernetes cluster. The pipeline must ensure that only approved images are deployed. Which TWO of the following controls should be implemented? (Choose two.)

Select 2 answers
A.Implement role-based access control (RBAC) to restrict who can push images to the registry.
B.Configure the Kubernetes admission controller to reject pods that use unsigned images.
C.Use network policies to restrict pod-to-pod communication.
D.Scan all container images for vulnerabilities in the CI pipeline.
E.Sign container images with a private key and verify signatures before deployment.
AnswersB, E

An admission controller can enforce policies at deployment time, rejecting pods that do not meet criteria such as image signature verification.

Why this answer

Option B is correct because Kubernetes admission controllers can enforce policies such as rejecting pods that use unsigned images, ensuring only images with verified signatures are deployed. This directly addresses the requirement to deploy only approved images by validating image integrity at admission time.

Exam trap

ISC2 often tests the distinction between controls that prevent unauthorized images from being deployed (signing and admission control) versus controls that manage access or detect vulnerabilities but do not enforce approval at deployment time.

40
Drag & Dropmedium

Drag and drop the steps for responding to a security incident involving a compromised cloud VM into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First isolate, then capture forensics, terminate, analyze, and finally remediate and restore.

41
MCQeasy

A cloud service provider is designing a new data center. To ensure physical security, which of the following controls is most effective for preventing unauthorized access to the server floor?

A.Implement biometric access controls and two-factor authentication at all entry points.
B.Hire 24/7 security guards to monitor the entrance.
C.Use mantraps at the main entrance to catch tailgating.
D.Install high-definition surveillance cameras covering all entrances and server aisles.
AnswerA

Biometric + 2FA provides strong authentication and prevents unauthorized access.

Why this answer

Option A is correct because biometric access control with two-factor authentication provides strong access control. Option B is wrong because surveillance cameras are detective, not preventive. Option C is wrong because security guards are less reliable and can be bypassed.

Option D is wrong because mantrap doors are effective but best when combined with authentication.

42
MCQmedium

A company uses a cloud key management service with automatic annual key rotation. An auditor requires that keys are rotated every 90 days to meet internal policy. What should the cloud security architect do to satisfy this requirement?

A.Create a manual process to rotate keys every 90 days using scripts.
B.Request an exception from the auditor because the default annual rotation is sufficient.
C.Configure the cloud KMS with a custom rotation period of 90 days.
D.Disable automatic rotation and rotate keys manually when needed.
AnswerC

Cloud KMS allows custom rotation policies; the architect should use it.

Why this answer

Option C is correct because cloud KMS services (e.g., AWS KMS, Azure Key Vault, GCP Cloud KMS) allow administrators to define a custom rotation period, overriding the default annual rotation. By configuring a 90-day rotation schedule, the architect directly meets the auditor's policy without manual intervention or exceptions, ensuring automated compliance.

Exam trap

ISC2 often tests the misconception that manual rotation or exception requests are acceptable workarounds, but the correct approach is to leverage the cloud KMS's built-in configuration to automate compliance with the required rotation interval.

How to eliminate wrong answers

Option A is wrong because creating a manual process introduces operational overhead, risk of human error, and potential gaps in compliance, whereas cloud KMS supports automated custom rotation periods. Option B is wrong because requesting an exception ignores the auditor's explicit requirement and does not address the policy gap; default annual rotation is not sufficient per the 90-day mandate. Option D is wrong because disabling automatic rotation and rotating manually reintroduces the same risks as Option A and defeats the purpose of using a managed KMS service, which is designed to automate key lifecycle management.

43
MCQmedium

During a security incident involving a compromised virtual machine (VM) in a public cloud, the incident response team needs to preserve evidence for potential legal action. Which of the following actions should be taken FIRST?

A.Stop the VM and take a snapshot of its disks
B.Delete the VM immediately to prevent further damage
C.Isolate the VM by removing it from the network
D.Create a forensic image of the VM's volumes while it is still running
AnswerD

Captures volatile data and preserves evidence.

Why this answer

Option D is correct because creating a forensic image of the VM's volumes captures volatile and persistent data while preserving the original state. Option A is wrong because deleting the VM destroys evidence. Option B is wrong because stopping the VM may cause loss of volatile data but snapshotting after stop is acceptable, but the best first step is to create a forensic image before stopping.

Option C is wrong because isolating the network is important but does not preserve the VM state for forensics as effectively as imaging.

44
MCQeasy

Refer to the exhibit. A cloud administrator ran the Azure CLI command to list virtual machines. One VM shows a ProvisioningState of 'Failed'. What is the most likely cause of this state?

A.The VM's resource group has been moved to another subscription.
B.The VM is in a deallocated state.
C.The VM failed to start due to a resource quota limit or configuration error.
D.The VM was deleted by another administrator.
AnswerC

This is the typical reason for a failed provisioning state.

Why this answer

Option C is correct because a 'ProvisioningState' of 'Failed' in Azure indicates that the VM could not be created or started due to a resource quota limit (e.g., vCPU quota exceeded) or a configuration error (e.g., invalid network interface, unsupported VM size). This state is set by the Azure Resource Manager when the deployment or update operation fails, and it persists until the underlying issue is resolved and the VM is redeployed or reconfigured.

Exam trap

ISC2 often tests the distinction between 'ProvisioningState' and 'PowerState' — the trap here is that candidates confuse a 'Failed' provisioning state with a deallocated or stopped VM, but 'ProvisioningState' only reflects the success of the resource creation or update operation, not the runtime status.

How to eliminate wrong answers

Option A is wrong because moving a resource group to another subscription does not change the provisioning state of existing VMs; the VM would remain in its current state (e.g., 'Succeeded') and continue running. Option B is wrong because a deallocated VM shows a 'ProvisioningState' of 'Succeeded' (since it was successfully provisioned) and a 'PowerState' of 'Deallocated'; the 'ProvisioningState' field specifically tracks the success or failure of the provisioning operation, not the power state. Option D is wrong because if a VM is deleted, it no longer appears in the list of VMs; the 'ProvisioningState' field is only relevant for existing resources, and a deleted VM would return a '404 Not Found' error or simply not be listed.

45
Drag & Dropmedium

Drag and drop the steps for implementing a secure DevOps (DevSecOps) pipeline in a cloud environment into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First SAST at commit, then DAST in staging, IaC scanning, policy enforcement, and runtime monitoring.

46
MCQeasy

A company uses an Infrastructure as a Service (IaaS) provider for critical applications. They need to define a backup retention policy that meets regulatory requirements for keeping financial records for 7 years. Which of the following strategies best meets this requirement while optimizing costs?

A.Perform daily full backups and retain all backups for 7 years.
B.Perform daily backups, keep weekly backups for 3 months, monthly for 1 year, and yearly for 7 years in cold storage.
C.Replicate all backups to a secondary region with snapshots kept for 7 years.
D.Use a grandfather-father-son rotation scheme with weekly, monthly, and yearly backups.
AnswerB

This tiered retention reduces costs while meeting the 7-year requirement.

Why this answer

Option B is correct because it implements a tiered backup retention strategy that aligns with the 7-year regulatory requirement while minimizing storage costs. By transitioning weekly backups to cold storage after 3 months, monthly backups after 1 year, and yearly backups for the full 7 years, the company reduces the cost of storing infrequently accessed data. This approach leverages the IaaS provider's lifecycle management policies (e.g., AWS S3 Lifecycle or Azure Blob Storage access tiers) to automatically move backups to lower-cost storage classes like Glacier or Archive, which are optimized for long-term retention.

Exam trap

ISC2 often tests the misconception that a simple rotation scheme (like grandfather-father-son) alone satisfies both retention and cost optimization, but the trap is that rotation schemes define retention cycles without addressing storage tiering or cold storage, which is essential for cost-effective long-term retention in the cloud.

How to eliminate wrong answers

Option A is wrong because performing daily full backups and retaining all for 7 years incurs excessive storage costs and is operationally inefficient, as it does not leverage incremental or differential backup strategies or tiered storage to reduce expenses. Option C is wrong because replicating all backups to a secondary region with snapshots kept for 7 years provides geographic redundancy but does not inherently optimize costs; it duplicates storage costs across regions without a tiered retention policy, leading to unnecessary expense. Option D is wrong because a grandfather-father-son rotation scheme is a tape-based backup rotation method that defines retention cycles (e.g., daily, weekly, monthly) but does not specify storage tier optimization or cold storage transition, and it may not meet a strict 7-year retention requirement without additional configuration; it is a legacy concept not directly tied to cloud cost optimization.

47
MCQhard

Refer to the exhibit. A data sync job fails with the error shown. The IAM role 'data-sync-role' has the following policy attached: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:*:*:data-bucket-2024/*" } ] } What is the MOST likely cause of the failure?

A.The resource ARN in the policy is incorrectly formatted, causing the action to not be applied.
B.The role 'data-sync-role' is not attached to the sync job.
C.The bucket 'data-bucket-2024' does not exist.
D.There is an explicit Deny policy blocking the action.
AnswerA

The ARN uses wildcards in the wrong positions; S3 object ARNs require bucket name and key without account or region.

Why this answer

Option C is correct. The resource ARN in the policy uses wildcards incorrectly: 'arn:aws:s3:*:*:data-bucket-2024/*' is not a valid S3 object ARN. The correct format is 'arn:aws:s3:::data-bucket-2024/*'.

The malformed ARN means the policy does not actually grant access to the object. Option A is incorrect because the bucket exists. Option B is incorrect because the role is attached.

Option D is incorrect because there is no explicit deny.

48
MCQmedium

A cloud customer is migrating a legacy application to a cloud platform. The application currently runs on physical servers and uses local storage. The migration plan involves rehosting the application on virtual machines (VMs) in the cloud. The security team wants to ensure that the VMs are properly hardened before deployment. During the migration testing, the team discovers that the base image used for the VMs contains several unnecessary services and default credentials. The team is concerned that these vulnerabilities could be exploited. The cloud provider offers a shared responsibility model where the customer is responsible for securing the OS. Which of the following is the BEST course of action to address this issue?

A.Deploy the VMs and run vulnerability scans to identify and fix issues after deployment
B.Ask the cloud provider to provide a hardened OS image
C.Create a custom golden image with necessary hardening and approved software only
D.Deploy the VMs and manually apply security patches and remove services after deployment
AnswerC

Ensures consistent and secure base.

Why this answer

Option C is correct because creating a custom golden image allows the customer to enforce a hardened baseline that removes unnecessary services, disables default credentials, and includes only approved software before any VM is deployed. This aligns with the shared responsibility model, where the customer controls OS-level security, and prevents vulnerabilities from ever reaching production. Pre-hardening the image is more secure and efficient than fixing issues post-deployment, as it eliminates the window of exposure during initial boot and configuration.

Exam trap

The trap here is that candidates may choose Option D (manual patching after deployment) because it seems practical, but they overlook that this approach leaves VMs vulnerable during the initial boot and configuration phase, whereas pre-hardening the image eliminates that risk entirely.

How to eliminate wrong answers

Option A is wrong because deploying VMs with known vulnerabilities and relying on post-deployment vulnerability scans introduces a window of exposure where the VMs could be compromised before patches are applied, and it violates the principle of secure-by-default. Option B is wrong because the cloud provider is responsible for the hypervisor and infrastructure, not the OS image; asking them to provide a hardened OS image shifts responsibility that the customer must own under the shared responsibility model, and providers typically offer only generic base images. Option D is wrong because manually patching and removing services after deployment is error-prone, time-consuming, and leaves the VMs exposed during the time between deployment and remediation, which is especially risky in automated scaling scenarios.

49
MCQhard

A cloud security team needs to implement a logging strategy that captures user activity, API calls, and resource changes across multiple cloud services. The logs must be tamper-proof and retained for at least one year. Which combination of actions best meets these requirements?

A.Stream all logs to a Security Information and Event Management (SIEM) system and retain raw logs for one year on standard storage.
B.Enable logging for all services, encrypt logs at rest, and store them in a centralized log management system.
C.Use separate logging accounts for each cloud service and retain logs in their native format.
D.Centralize logs into a dedicated log archive account with write-once-read-many (WORM) storage and enable anomaly detection alerts.
AnswerD

WORM storage prevents modification or deletion, meeting tamper-proof requirement.

Why this answer

Option C is correct because centralizing logs with write-once storage ensures tamper-proof retention, and alerting on anomalies provides security monitoring. Option A is wrong because encryption alone does not prevent tampering, and simple log management may allow deletion. Option B is wrong because using separate log accounts for each service creates silos and complexity.

Option D is wrong because exporting to SIEM is good but retention should be in immutable storage.

50
MCQeasy

A cloud operations team is setting up a new virtual network in the cloud. They need to segment traffic between different tiers of an application (web, application, database). Which security control should they implement?

A.Network access control lists and security groups
C.Data loss prevention
D.Web application firewall
AnswerA

NACLs and security groups filter traffic based on rules, enabling segmentation.

Why this answer

Option D is correct because network access control lists (NACLs) and security groups provide network segmentation by controlling traffic between tiers. Option A (IDS) detects threats but does not control traffic. Option B (WAF) protects web applications at layer 7.

Option C (DLP) prevents data loss.

51
MCQmedium

A cloud operations team is implementing a logging strategy for their hybrid cloud environment. They need to ensure that logs from on-premises systems are collected and stored in a centralized cloud logging service with low latency. Which configuration is most appropriate?

A.Transfer logs via email attachments
B.Use a VPN connection and forward syslog directly to the cloud endpoint
C.Configure on-premises systems to send logs via syslog over the internet with TLS
D.Use a cloud logging agent on-premises that buffers and sends logs via HTTPS
AnswerB

A dedicated VPN reduces latency and ensures consistent connectivity.

Why this answer

Option A is correct because using a VPN connection and forwarding syslog directly to the cloud endpoint provides a dedicated, low-latency path. Option B (syslog over the internet) may introduce latency. Option C (cloud logging agent) may buffer and delay logs.

Option D (email) is not suitable for real-time logging.

52
MCQmedium

A company has a disaster recovery (DR) plan that includes failing over to a secondary cloud region. The plan was tested six months ago and worked, but since then significant infrastructure changes have been made. Which of the following should the company do to ensure the DR plan remains effective?

A.Wait until the next annual DR test to verify the changes.
B.Automate the entire failover process to eliminate human error.
C.Update the DR documentation to reflect the changes and assume the plan still works.
D.Conduct a tabletop exercise now, followed by a partial failover test of critical applications.
AnswerD

Tabletop and partial failover identify gaps quickly and are less disruptive.

Why this answer

Option B is correct because iterative tabletop exercises and partial failovers validate changes without full disruption. Option A is wrong because one annual test is insufficient given the changes. Option C is wrong because documentation updates without testing are risky.

Option D is wrong because automating fails reduces human error but still requires validation.

53
MCQeasy

A cloud customer is decommissioning a storage service that contains sensitive data. The cloud provider offers several data destruction options. Which method provides the HIGHEST assurance that data is irrecoverable?

A.Degaussing the storage media
B.Physical shredding of the storage drives
C.Multiple overwrite passes with zeros and ones
D.Cryptographic erasure of encryption keys
AnswerB

Guarantees data is irrecoverable.

Why this answer

Option C is correct because physical destruction of the storage media ensures data cannot be recovered by any means. Option A is wrong because cryptographic erasure is effective but if the key is not properly destroyed, data may still be recoverable. Option B is wrong because overwriting with zeros may leave residual data in some cases.

Option D is wrong because degaussing is effective for magnetic media but not for SSDs, and some drives may still be recoverable.

54
MCQeasy

A cloud security administrator needs to ensure that all API calls to the cloud provider's management plane are logged for audit purposes. Which service should be enabled?

A.Cloud configuration service
B.Cloud threat detection service
C.Cloud audit logging service
D.Cloud monitoring service
AnswerC

Audit logs capture all management plane API calls.

Why this answer

Option C is correct because the cloud audit logging service (e.g., AWS CloudTrail) records API calls for auditing. Option A (monitoring) focuses on performance metrics. Option B (configuration) tracks resource changes but not all API calls.

Option D (threat detection) is for security threats.

55
MCQmedium

A security analyst is investigating a data breach in a cloud environment. The analyst needs to preserve evidence for legal proceedings. Which of the following actions is most critical to ensure the chain of custody is maintained?

A.Calculate cryptographic hashes of all relevant files.
B.Isolate all affected systems from the network to prevent further data loss.
C.Begin a detailed log documenting all actions, timestamps, and personnel involved.
D.Immediately notify senior management and legal counsel.
AnswerC

This is the first step in establishing chain of custody.

Why this answer

Chain of custody requires documenting every transfer of evidence. Option B is correct because starting a log of all actions with timestamps and personnel ensures accountability. Option A is wrong because notifying management is important but not the most critical for chain of custody.

Option C is wrong because isolating systems can destroy volatile data. Option D is wrong because while important, unique hashing alone does not document custody.

56
MCQmedium

A cloud security team is investigating a data breach in their AWS environment. The logs show that an EC2 instance with an attached IAM role was compromised. The attacker used the instance's temporary credentials to access an S3 bucket containing sensitive data. Which design change would BEST prevent this type of attack in the future?

A.Implement a network ACL that denies all outbound traffic from the EC2 instance to the S3 service.
B.Enable IMDSv2 with a hop limit of 1 on the EC2 instance.
C.Restrict S3 bucket access to the EC2 instance's private IP address only.
D.Disable public access on the S3 bucket using a bucket policy.
AnswerB

IMDSv2 with hop limit 1 prevents the attacker from using the instance as a proxy to retrieve credentials.

Why this answer

Option B is correct because enabling IMDSv2 with a hop limit of 1 forces the EC2 instance to use a session-oriented method to retrieve temporary credentials from the Instance Metadata Service (IMDS). This prevents SSRF attacks or other techniques that trick the instance into leaking its IAM role credentials, as the attacker would need to be on the instance itself to obtain the token. By setting the hop limit to 1, the metadata response is not forwarded beyond the instance's network interface, blocking remote access to the credentials.

Exam trap

ISC2 often tests the distinction between IMDSv1 (which is vulnerable to SSRF) and IMDSv2 with hop limit enforcement, and the trap here is that candidates mistakenly choose network-level controls (like NACLs or IP restrictions) instead of addressing the metadata service vulnerability that directly enables credential theft.

How to eliminate wrong answers

Option A is wrong because a network ACL denying all outbound traffic to S3 would block legitimate access from the EC2 instance to S3, breaking functionality, and does not address the root cause of credential theft from the instance metadata service. Option C is wrong because S3 bucket policies cannot restrict access based on the EC2 instance's private IP address; S3 uses source IP conditions, but private IPs are not routable over the internet and this approach would not prevent an attacker from using the stolen credentials from another location. Option D is wrong because disabling public access on the S3 bucket does not prevent an attacker who has valid temporary credentials from accessing the bucket; the attacker is using the instance's IAM role permissions, not public access.

57
MCQmedium

A company's security team is investigating an anomalous spike in outbound traffic from a cloud workload. The workload is a web server running in an IaaS environment. The team suspects data exfiltration. Which of the following is the BEST initial step to identify the source and type of traffic?

A.Immediately isolate the workload by blocking all outbound traffic in the security group.
B.Deploy a host-based intrusion detection system (HIDS) agent on the workload.
C.Run a vulnerability scanner against the workload to identify possible entry points.
D.Enable VPC flow logs for the subnet hosting the workload and analyze the logs.
AnswerD

VPC flow logs provide network-level visibility and can quickly show anomalous outbound connections without requiring agent installation.

Why this answer

Option D is correct because VPC flow logs capture metadata about all IP traffic to and from network interfaces in a subnet, including source/destination IPs, ports, protocols, and packet/byte counts. Analyzing these logs allows the security team to identify the external destination IPs and ports involved in the anomalous outbound traffic, which is the fastest way to pinpoint the source workload and characterize the exfiltration pattern without disrupting service or requiring agent deployment.

Exam trap

ISC2 often tests the distinction between investigative actions and reactive containment; the trap here is that candidates may choose immediate isolation (Option A) as a 'best first step' when the question explicitly asks for the step to 'identify the source and type of traffic,' not to stop it.

How to eliminate wrong answers

Option A is wrong because immediately blocking all outbound traffic via security group is a reactive containment step, not an investigative one; it would halt all egress, potentially breaking legitimate services and destroying forensic evidence of the exfiltration path. Option B is wrong because deploying a HIDS agent is a proactive monitoring measure that requires installation time and may not capture the current traffic burst; it also does not provide immediate visibility into the network-level flow details needed to identify the exfiltration destination. Option C is wrong because running a vulnerability scanner identifies potential entry points but does not reveal current outbound traffic patterns or the specific data being exfiltrated; it is a post-incident forensic step, not an initial investigative action.

58
MCQmedium

A cloud operations team manages a critical application on AWS that uses EC2 instances behind an Application Load Balancer (ALB). The application experiences occasional high latency and timeout errors. The team has enabled detailed monitoring and CloudWatch Logs. They notice that during peak hours, the CPU utilization on some instances reaches 95%, while others remain around 40%. The security group allows traffic from a wide range of IP addresses. The team needs to improve both performance and security. Which of the following actions would BEST address the performance imbalance and also enhance security posture?

A.Schedule a periodic cron job to launch additional instances during expected peak hours and configure the ALB to use sticky sessions.
B.Create an auto scaling group with a dynamic scaling policy based on average CPU utilization, change the ALB to a Network Load Balancer for lower latency, and restrict the security group rules to the minimal required IP addresses.
C.Increase the instance size to a larger type that can handle peak loads and reduce the security group to allow only known IP ranges.
D.Replace the ALB with a Classic Load Balancer and configure it to use round-robin routing without health checks to balance traffic quickly.
AnswerB

Dynamic auto scaling adjusts capacity based on load, NLB provides lower latency, and restricting security groups enhances security.

Why this answer

Option D is correct because implementing an auto scaling policy based on CPU and swapping the ALB to a Network Load Balancer (NLB) for better performance, combined with tightening security group rules, addresses both issues. Option A is wrong because increasing instance size is not a dynamic solution and does not help with the imbalance. Option B is wrong because scheduling scaling based on time may not align with unpredictable traffic.

Option C is wrong because a Classic Load Balancer is older and less capable; also, round-robin without considering load may not fix the imbalance.

59
MCQmedium

A cloud security architect is designing a defense-in-depth strategy for a multi-tenant IaaS environment. Which of the following controls would BEST protect against workload isolation failure due to a hypervisor vulnerability?

A.Perform weekly vulnerability scans of the hypervisor and tenant workloads.
B.Deploy a dedicated virtual firewall instance for each tenant to enforce network segmentation.
C.Apply the latest hypervisor security patches and disable unnecessary services.
D.Use encrypted virtual disks for all tenant virtual machines.
AnswerB

Network segmentation using virtual firewalls provides an additional layer of isolation even if the hypervisor is compromised.

Why this answer

Option D is correct because a dedicated firewall instance for each tenant provides network-level isolation independent of the hypervisor. Option A is wrong because hypervisor hardening is necessary but does not guarantee isolation if a vulnerability exists. Option B is wrong because vulnerability scanning is detective, not preventive.

Option C is wrong while encryption protects data at rest, it does not prevent a hypervisor escape.

60
Multi-Selectmedium

A cloud security team is developing an incident response plan for a SaaS application hosted on a public cloud. During the preparation phase, which TWO steps are most critical to include?

Select 2 answers
A.Conduct regular tabletop exercises to simulate incident scenarios
B.Conduct a post-mortem analysis of previous incidents
C.Implement automated isolation of compromised instances
D.Define and document communication escalation paths
E.Deploy a security information and event management (SIEM) system
AnswersA, D

Tabletop exercises help validate the plan and train the response team before an incident.

Why this answer

Conducting regular tabletop exercises (Option A) is critical during the preparation phase because it validates the incident response plan's effectiveness, identifies gaps in team coordination, and ensures stakeholders understand their roles without impacting production systems. This proactive simulation aligns with NIST SP 800-61 and CCSP best practices for readiness testing before an actual incident occurs.

Exam trap

ISC2 often tests the distinction between preparation-phase activities (planning, training, documentation) and operational-phase activities (detection, containment, recovery), leading candidates to mistakenly select automated response or monitoring tools as preparation steps.

61
MCQmedium

An organization uses a continuous integration/continuous deployment (CI/CD) pipeline to deploy infrastructure as code. The security team wants to ensure that all cloud resources comply with internal security policies before deployment. Which of the following is the MOST effective method to enforce this?

A.Restrict the IAM permissions of developers to only approved roles.
B.Run automated policy compliance checks as part of the CI/CD pipeline.
C.Conduct manual security reviews after each deployment.
D.Deploy resources and then scan for compliance after deployment.
AnswerB

Policy-as-code checks block non-compliant deployments before they go live.

Why this answer

Option D is correct because integrating policy-as-code scanning into the CI/CD pipeline catches non-compliance before deployment. Option A is incorrect because manual reviews are error-prone and slow. Option B is incorrect because post-deployment scanning is reactive.

Option C is incorrect because only limiting user permissions does not prevent misconfigurations from valid users.

62
MCQhard

Refer to the exhibit. A cloud security analyst is reviewing an S3 bucket policy. The bucket contains sensitive data and must only be accessible over HTTPS from the internal network (10.0.0.0/24). Which of the following correctly describes the behavior of this policy?

A.Requests from 10.0.0.0/24 over HTTPS are allowed; all other requests are denied.
B.Requests from 10.0.0.0/24 over HTTP are allowed because the Allow statement matches.
C.The policy is invalid because it combines Allow and Deny statements.
D.All requests from 10.0.0.0/24 are denied because the Deny statement applies to all actions.
AnswerA

The Allow statement permits GetObject from the internal IP range, and the Deny blocks non-HTTPS requests. Requests from external IPs are implicitly denied.

Why this answer

The policy uses an explicit Deny for any request that is not using HTTPS (i.e., aws:SecureTransport is false) or does not originate from the 10.0.0.0/24 IP range. This Deny overrides the Allow statement, ensuring that only requests meeting both conditions (source IP 10.0.0.0/24 AND HTTPS) are permitted. Requests from 10.0.0.0/24 over HTTPS satisfy the Allow and are not caught by the Deny, so they are allowed; all other requests are denied.

Exam trap

ISC2 often tests the misconception that an Allow statement alone is sufficient to grant access, ignoring that an explicit Deny with broader conditions can override it, or that a policy with both Allow and Deny is automatically invalid.

How to eliminate wrong answers

Option B is wrong because the Deny statement explicitly denies requests over HTTP (when aws:SecureTransport is false), so even if the source IP matches 10.0.0.0/24, the request is blocked. Option C is wrong because combining Allow and Deny statements is valid in AWS IAM policy evaluation; explicit Deny always takes precedence, but the policy is syntactically and logically correct. Option D is wrong because the Deny statement does not apply to all actions from 10.0.0.0/24; it only denies requests that are not using HTTPS (i.e., aws:SecureTransport is false) or that come from outside the 10.0.0.0/24 range, so requests from 10.0.0.0/24 over HTTPS are allowed.

63
MCQmedium

A healthcare organization has deployed a cloud-based application that handles protected health information (PHI). The application runs on virtual machines in a virtual private cloud (VPC). The security team has implemented security groups to control traffic to the VMs. Recently, an external penetration test revealed that a web server VM is accessible from the internet on port 22 (SSH) from any IP address (0.0.0.0/0). The security team also discovered that the SSH key pair used for the web server was created with a weak algorithm (1024-bit RSA). The team needs to remediate these issues without causing downtime for the application. Additionally, the application logs must be sent to a centralized logging solution that is encrypted in transit and at rest. Which combination of actions should the security team take?

A.Restrict inbound SSH access to only a bastion host's IP address, generate a new 2048-bit RSA key pair, configure the application to send logs via TLS to a centralized logging service, and enable server-side encryption for the logging bucket.
B.Implement a VPN connection for all administrative access, keep the existing key pair, and use a third-party logging tool with TLS.
C.Change the SSH port to a non-standard port, keep the existing key pair, and enable logging to a cloud storage bucket without encryption.
D.Disable SSH access entirely and use a serial console for administration, keep the existing key pair, and send logs via plaintext syslog to a logging server.
AnswerA

This fully addresses both vulnerabilities and logging requirements.

Why this answer

Option A is correct because it addresses both critical vulnerabilities without downtime: restricting SSH to a bastion host's IP eliminates internet-wide exposure, and generating a new 2048-bit RSA key pair replaces the weak 1024-bit key. For logging, TLS ensures encryption in transit, and server-side encryption for the logging bucket ensures encryption at rest, meeting compliance requirements for PHI.

Exam trap

ISC2 often tests the distinction between security by obscurity (e.g., changing ports) and actual security controls (e.g., restricting IPs and using strong keys), leading candidates to pick options that seem quick but fail compliance requirements.

How to eliminate wrong answers

Option B is wrong because keeping the existing 1024-bit RSA key pair leaves a weak cryptographic algorithm in place, which is a security risk and non-compliant with standards like NIST SP 800-57. Option C is wrong because changing the SSH port to a non-standard port is security by obscurity and does not prevent scanning or brute-force attacks, and sending logs to a bucket without encryption violates encryption-at-rest requirements for PHI. Option D is wrong because disabling SSH entirely and using a serial console is impractical for cloud VMs and often causes downtime, and sending logs via plaintext syslog lacks encryption in transit, violating HIPAA and other regulations.

64
MCQmedium

A company uses a cloud provider's managed database service. The security team is concerned about the shared responsibility model for patching the operating system and database engine. According to the shared responsibility model, who is responsible for applying security patches to the database engine?

A.The customer, because they control the database configuration
B.A third-party vendor contracted by the customer
C.The cloud provider, because it is a managed service
D.Both the customer and the cloud provider equally
AnswerC

Managed services include engine patching by the provider.

Why this answer

Option C is correct because for managed services, the cloud provider is responsible for patching the underlying database engine. Option A is wrong because the customer is responsible for the data and access, not the engine. Option B is wrong because both parties do not share this responsibility.

Option D is wrong because the database engine is part of the service.

65
MCQhard

A company is deploying a multi-tier application in a public cloud and needs to restrict traffic between tiers. The web tier must only accept HTTPS from the internet, and the app tier must only accept HTTP from the web tier. Which cloud networking feature should be used to enforce this?

A.Network access control lists (ACLs) attached to the subnets.
B.Security groups applied to each tier’s instances.
C.Internet gateway with appropriate routes.
D.VPC peering connection between tier subnets.
AnswerA

Network ACLs are stateless and can enforce explicit allow rules between subnets.

Why this answer

Network ACLs are stateless, meaning they filter traffic based on source and destination IP addresses, ports, and protocols at the subnet level. By configuring inbound rules on the web tier subnet to allow HTTPS (TCP/443) from the internet and outbound rules to allow HTTP (TCP/80) to the app tier subnet, and inbound rules on the app tier subnet to allow HTTP only from the web tier subnet, you enforce the required traffic restrictions without maintaining session state. This stateless behavior is essential for explicitly controlling traffic between tiers in a multi-tier architecture.

Exam trap

ISC2 often tests the distinction between stateless (network ACLs) and stateful (security groups) filtering, and the trap here is that candidates assume security groups can enforce inter-tier traffic restrictions as effectively as ACLs, overlooking that security groups are stateful and instance-specific, not subnet-wide.

How to eliminate wrong answers

Option B is wrong because security groups are stateful, meaning if you allow inbound HTTPS to the web tier, the return traffic is automatically allowed, but they cannot enforce outbound restrictions from the web tier to the app tier without additional rules; more critically, security groups are applied at the instance level, not the subnet level, making them less suitable for controlling traffic between entire tiers. Option C is wrong because an internet gateway only provides a target for routing traffic to and from the internet; it does not filter or restrict traffic between subnets or tiers. Option D is wrong because VPC peering connects two VPCs for routing, but it does not provide any filtering or access control; it merely establishes a network path, leaving traffic restrictions to ACLs or security groups.

66
MCQeasy

During a cloud security audit, it is discovered that a cloud storage bucket is configured to allow access from any IP address. The bucket contains sensitive customer data. What is the BEST immediate action to secure the bucket?

A.Modify the bucket policy to deny access from all IP addresses except trusted ranges.
B.Enable bucket logging to track access attempts.
C.Notify the security team and wait for a formal change request.
D.Enable server-side encryption on the bucket.
AnswerA

This directly removes public access and restricts to trusted IPs.

Why this answer

The immediate risk is that the bucket is publicly accessible from any IP address, exposing sensitive customer data. Modifying the bucket policy to deny access from all IP addresses except trusted ranges directly addresses this exposure by restricting network-level access. This is the most effective first step because it removes the broad, unrestricted access while maintaining necessary access for authorized users.

Exam trap

ISC2 often tests the distinction between access control and other security controls, trapping candidates who confuse encryption or logging with network-level access restriction.

How to eliminate wrong answers

Option B is wrong because enabling bucket logging only records access attempts; it does not prevent unauthorized access, so the data remains exposed. Option C is wrong because waiting for a formal change request delays remediation, leaving the sensitive data vulnerable during the wait period. Option D is wrong because server-side encryption protects data at rest but does not control network access; the bucket remains accessible from any IP address, so encryption alone does not secure the bucket from unauthorized access.

67
MCQhard

A company is migrating a critical application to the cloud and must ensure that its security operations center (SOC) can detect and respond to threats in real time. The application generates high volumes of logs. Which combination of services would provide the MOST efficient and cost-effective solution for centralized logging, analysis, and alerting?

A.Deploy a basic monitoring tool that triggers alerts based on static thresholds.
B.Implement a Security Information and Event Management (SIEM) system with real-time correlation and a log management solution that auto-scales.
C.Use a cloud-native log storage service with long retention and no analysis.
D.Store logs in a centralized log server and have SOC analysts manually review them.
AnswerB

SIEM provides real-time correlation and auto-scaling handles high volumes efficiently.

Why this answer

Option B is correct because a SIEM system with real-time correlation enables the SOC to detect threats as they occur by analyzing log data across multiple sources, while an auto-scaling log management solution ensures cost efficiency by dynamically adjusting resources to handle high log volumes without over-provisioning. This combination provides centralized logging, real-time analysis, and alerting, meeting the requirement for efficient and cost-effective threat detection.

Exam trap

ISC2 often tests the misconception that simple storage or manual review is sufficient for real-time threat detection, but the CCSP emphasizes that centralized logging without analysis and correlation fails to meet SOC operational requirements for real-time response.

How to eliminate wrong answers

Option A is wrong because a basic monitoring tool with static thresholds cannot perform real-time correlation across diverse log sources, leading to high false positives and missed advanced threats, and it lacks the scalability to handle high-volume logs efficiently. Option C is wrong because a cloud-native log storage service with long retention and no analysis fails to provide the real-time detection and alerting required by the SOC, as it only stores logs without any correlation or threat identification. Option D is wrong because storing logs in a centralized log server with manual review is neither efficient nor real-time, as SOC analysts cannot manually analyze high-volume logs quickly enough to detect and respond to threats promptly, and it does not scale cost-effectively.

68
Multi-Selecteasy

Which THREE of the following are effective strategies for ensuring data backup integrity and recoverability in the cloud?

Select 3 answers
A.Maintain at least three copies of data across two different locations.
B.Encrypt all backups with a strong algorithm.
C.Perform regular restore tests to validate backup usability.
D.Set backup schedules to run daily for all critical data.
E.Store backups in immutable storage to prevent modification or deletion.
AnswersA, C, E

Multiple copies and geographic diversity improve recoverability.

Why this answer

Option A is correct because the 3-2-1 backup rule (three copies, two different media types, one offsite) is a foundational strategy for data durability and recoverability. In cloud environments, this typically means maintaining a primary copy, a local backup in a different availability zone, and a cross-region copy to protect against region-wide failures. This ensures that even if two copies are compromised, a third remains available for recovery.

Exam trap

ISC2 often tests the distinction between backup security (encryption) and backup integrity/recoverability, leading candidates to mistakenly select encryption as a strategy for recoverability when it only addresses confidentiality.

69
MCQhard

A cloud security architect is designing an API gateway for a microservices application. The gateway must authenticate requests, enforce rate limiting, and log all transactions for audit. Which of the following security controls is most critical to protect against API abuse?

A.Implement rate limiting and throttling based on client identity and request volume.
B.Use TLS 1.3 to encrypt all traffic between clients and the gateway.
C.Validate and sanitize all input parameters to prevent injection attacks.
D.Require API keys for all requests and revoke keys of suspicious clients.
AnswerA

Rate limiting directly mitigates abuse by controlling request rates.

Why this answer

Option D is correct because rate limiting and throttling directly prevent abuse by limiting request frequency. Option A is wrong because encryption protects data in transit but not abuse. Option B is wrong because input validation prevents injection but not volume-based attacks.

Option C is wrong because API keys authenticate but do not limit usage.

70
MCQeasy

A cloud customer experiences a ransomware attack that encrypts data in an object storage bucket. The customer has versioning enabled on the bucket. How can the customer MOST effectively restore the data?

A.Delete the bucket and recreate it
B.Restore the bucket to a previous version using the versioning feature
C.Use the cloud provider's undelete feature for the encrypted objects
D.Decrypt the objects using the ransomware decryption key
AnswerB

Versioning allows recovery of unencrypted versions.

Why this answer

With versioning enabled on the object storage bucket, each object version is preserved. The correct approach is to restore the bucket to a previous, unencrypted version using the versioning feature, which effectively rolls back the data to its state before the ransomware encrypted the current versions. This avoids data loss and does not require decryption keys or bucket deletion.

Exam trap

ISC2 often tests the misconception that 'versioning' is only for preventing accidental deletion, when in fact it also enables recovery from overwrites (including ransomware encryption), and candidates may incorrectly assume that a decryption key or undelete feature is the primary recovery method.

How to eliminate wrong answers

Option A is wrong because deleting and recreating the bucket would permanently remove all object versions, including the unencrypted ones, resulting in total data loss. Option C is wrong because cloud providers do not offer a generic 'undelete' feature for encrypted objects; versioning is the intended mechanism for recovering overwritten or deleted objects, and 'undelete' typically refers to recovering deleted objects, not restoring encrypted ones. Option D is wrong because ransomware decryption keys are controlled by the attacker and are not available to the customer; attempting to decrypt without the key is infeasible and not a recommended recovery strategy.

71
MCQmedium

Refer to the exhibit. An IAM policy is attached to a user. Which action is the user allowed to perform?

A.Change the bucket's policy.
B.Read an existing object from the bucket.
C.Upload a new object to the bucket.
D.Delete an object from the bucket.
AnswerB

s3:GetObject is explicitly allowed.

Why this answer

The IAM policy grants the `s3:GetObject` action, which allows the user to read (download) an existing object from the specified S3 bucket. The policy explicitly allows this action for the bucket `my-bucket` and its objects, so the user can perform read operations on objects within that bucket.

Exam trap

ISC2 often tests the distinction between read and write permissions in S3 policies, where candidates mistakenly assume that `s3:GetObject` implies the ability to upload or modify objects, but each action (Get, Put, Delete) must be explicitly granted.

How to eliminate wrong answers

Option A is wrong because changing a bucket's policy requires the `s3:PutBucketPolicy` action, which is not included in the attached policy. Option C is wrong because uploading a new object requires the `s3:PutObject` action, which is not granted by the policy. Option D is wrong because deleting an object requires the `s3:DeleteObject` action, which is also absent from the policy.

72
Multi-Selecteasy

Which TWO cloud monitoring tools are used primarily for detecting anomalous behavior that may indicate a security incident? (Choose two.)

Select 2 answers
A.Infrastructure monitoring tool.
B.Intrusion detection system (IDS).
C.Cloud cost management tool.
D.Application performance monitoring (APM).
E.Security information and event management (SIEM) system.
AnswersB, E

IDS monitors network traffic for malicious activity.

Why this answer

An Intrusion Detection System (IDS) is specifically designed to monitor network traffic and system activities for signs of malicious activity or policy violations, making it a primary tool for detecting anomalous behavior indicative of a security incident. A Security Information and Event Management (SIEM) system aggregates and correlates logs from multiple sources, using rules and analytics to identify patterns of suspicious activity that may signal a security breach.

Exam trap

ISC2 often tests the distinction between monitoring for performance (infrastructure/APM tools) versus monitoring for security (IDS/SIEM), and candidates mistakenly choose infrastructure monitoring or APM because they think 'monitoring' broadly covers security, but these tools lack the specific anomaly detection and correlation capabilities required for incident detection.

73
Multi-Selecthard

Which THREE of the following are key components of an incident response plan specific to cloud environments? (Choose three.)

Select 3 answers
A.Establishing a process for preserving system snapshots and logs as evidence
B.Requiring involvement of the legal department for every incident
C.Defining procedures for contacting the cloud provider's support and security teams
D.Including a detailed data forensic analysis procedure for all incident types
E.Clarifying the shared responsibility model for incident handling
AnswersA, C, E

Key to evidence preservation.

Why this answer

Options B, D, and E are correct. B: Contacting the cloud provider is essential for assistance and evidence preservation. D: Understanding the shared responsibility model clarifies who does what.

E: Documenting system baseline configurations helps identify changes. Option A is wrong because data forensic analysis is part of response but not a plan component; more specifically, the plan should include procedures, not just analysis. Option C is wrong because primarily the incident response team handles, but legal involvement is case-specific, not necessarily all incidents.

74
MCQeasy

A cloud administrator is designing a backup strategy for a critical database. Which of the following is the BEST approach to ensure data recoverability in case of a regional outage?

A.Regularly copy backups to a different geographic region.
B.Use tape backups stored in a physical safe in the same building.
C.Perform only daily backups without replication.
D.Store backups in a different availability zone within the same region.
AnswerA

Cross-region replication ensures data survives a regional outage.

Why this answer

Option A is correct because replicating backups to a different geographic region ensures data recoverability even if the entire primary region experiences a catastrophic outage. This approach leverages cross-region replication, which provides independent fault domains and meets the recovery point objective (RPO) and recovery time objective (RTO) requirements for regional disaster scenarios. Cloud providers like AWS, Azure, and GCP offer services such as S3 Cross-Region Replication (CRR) or Azure Geo-Redundant Storage (GRS) to automate this process.

Exam trap

ISC2 often tests the distinction between 'availability zone' and 'region' redundancy, where candidates mistakenly believe that multiple AZs within a single region provide sufficient protection against a regional outage, but they do not—only cross-region replication ensures survivability from a full regional failure.

How to eliminate wrong answers

Option B is wrong because tape backups stored in a physical safe in the same building are vulnerable to the same regional disaster (e.g., earthquake, flood, power grid failure) and do not provide off-site protection; they also introduce latency and manual handling risks. Option C is wrong because performing only daily backups without replication creates a single point of failure; if the primary region fails, the backup data is lost or inaccessible, violating the principle of geographic redundancy. Option D is wrong because storing backups in a different availability zone within the same region does not protect against a regional outage, as the entire region can fail simultaneously (e.g., due to a widespread natural disaster or service provider failure).

75
Matchingmedium

Match each data state to its encryption requirement in cloud environments.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Encryption using AES-256

TLS 1.2+ encryption

Homomorphic or confidential computing

Encryption with separate key management

Why these pairings

Different data states require specific encryption mechanisms; data in use is challenging and requires advanced techniques.

Page 1 of 2 · 92 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Cloud Security Ops questions.