CCSP · topic practice

Legal, Risk and Compliance practice questions

Practise Certified Cloud Security Professional (CCSP) Legal, Risk and Compliance questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Legal, Risk and Compliance

What the exam tests

What to know about Legal, Risk and Compliance

Legal, Risk and Compliance questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Legal, Risk and Compliance exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Legal, Risk and Compliance questions

20 questions · select your answer, then reveal the explanation

A company's cloud infrastructure is subject to GDPR. The DPO requires that all customer personal data be encrypted at rest and in transit. The cloud provider offers SSE-S3 for object storage and enforces TLS 1.2 for API calls. Which additional control should the company implement to meet GDPR accountability requirements?

A financial institution uses a multi-cloud strategy with AWS and Azure. They must comply with PCI DSS. The security team found that a developer accidentally stored a file with credit card numbers in an S3 bucket that is publicly readable. Which immediate action should be taken to contain the breach?

A cloud service provider (CSP) offers a shared responsibility model. According to this model, who is responsible for patching the hypervisor?

A company is migrating to the cloud and must comply with the Health Insurance Portability and Accountability Act (HIPAA). They plan to store electronic protected health information (ePHI) in a cloud database. Which of the following is a mandatory requirement for the cloud service agreement?

An e-commerce company uses a cloud-based web application firewall (WAF) to protect against common web exploits. The security team notices that a specific IP address is sending a high volume of requests that appear to be a DDoS attack. What is the best immediate response to mitigate the attack while minimizing impact on legitimate users?

A company is conducting a risk assessment for a new cloud service. They identify a vulnerability that could lead to a data breach. The likelihood is low, but the impact is high. According to common risk management frameworks, how should this risk be addressed?

A cloud customer wants to ensure that their data is not accessible to the cloud provider's employees. Which of the following controls would best address this requirement?

Which TWO of the following are required elements of a valid Business Continuity Plan (BCP) in the cloud?

Which THREE of the following are typical responsibilities of a cloud customer under the shared responsibility model?

Which TWO of the following are key components of an Information Security Management System (ISMS) as defined by ISO 27001?

Question 11 · hard · multiple choice

Refer to the exhibit. A security engineer discovers that the S3 bucket policy allows public read access from the entire corporate network (10.0.0.0/16). However, the company wants to restrict access only to the security team's subnet (10.0.1.0/24). What modification should be made to the policy?

Exhibit:
Bucket: my-company-logs
Region: us-east-1
Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-company-logs/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}

Refer to the exhibit. A cloud administrator sees this error log from AWS CloudTrail. The user [email protected] is a member of the 'Analysts' group. Which of the following is the most likely cause of the AccessDenied error?

Exhibit:
Error Log Entry:
Timestamp: 2024-08-15T14:23:10Z
User: [email protected]
Action: PutObject
Resource: s3://finance-reports/quarterly.xlsx
Status: AccessDenied
Source IP: 203.0.113.45
UserAgent: [ConsoleLogin]
Additional: The user does not have permissions to write to this bucket.
Question 13 · hard · multiple choice

A healthcare organization is migrating its electronic health record (EHR) system to a public cloud. The system stores sensitive patient data subject to HIPAA. The cloud architect has designed a multi-tier architecture with load balancers, web servers, application servers, and a PostgreSQL database. The database contains ePHI. To meet compliance, the architect plans to encrypt the database at rest using AWS RDS encryption with KMS. However, during a security review, the compliance officer notes that the database backups are stored in an S3 bucket that is not encrypted. Additionally, the application logs, which may contain patient data, are sent to CloudWatch Logs without encryption. The compliance officer insists that all data stores containing ePHI must be encrypted at rest. Which action should the architect take to ensure compliance?

Question 14 · medium · multiple choice

A multinational corporation is migrating its customer data to a cloud provider that operates data centers in multiple jurisdictions. To comply with the General Data Protection Regulation (GDPR), the company must ensure that customer data remains within the European Economic Area (EEA) unless adequate safeguards are in place. The cloud provider offers data residency options but does not guarantee that data will never be accessed from outside the EEA. What is the BEST course of action for the company?

Question 15 · hard · multiple choice

A cloud service provider (CSP) is designing a multi-tenant infrastructure and needs to ensure that a security incident in one tenant's environment does not compromise the confidentiality or integrity of other tenants. The CSP plans to use a combination of network segmentation, hypervisor isolation, and encryption. Which additional control is MOST critical to prevent side-channel attacks that could leak cryptographic keys or other sensitive data across tenants?

A cloud architect is designing a disaster recovery (DR) plan for a financial services application hosted on a public cloud. The plan must meet a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour. The application uses a relational database and stores files in object storage. Which TWO strategies should the architect recommend to meet these objectives?

A large healthcare organization uses a hybrid cloud environment with on-premises systems and Microsoft Azure. They store protected health information (PHI) in Azure Blob Storage and use Azure SQL Database for transactional data. The organization must comply with HIPAA and has implemented encryption at rest using Azure Storage Service Encryption and Transparent Data Encryption (TDE) for SQL. During a recent audit, the security team discovered that the organization does not have a formal process to identify and respond to security incidents that involve PHI. Additionally, the organization's backup strategy stores encrypted backups in a separate Azure region, but the backup encryption keys are managed by Azure and are not customer-controlled. The compliance officer is concerned about the ability to demonstrate HIPAA compliance in the event of an audit. Which of the following actions should the organization take FIRST to address the most critical gap?

A company is moving its customer database to a public cloud provider. The database contains personally identifiable information (PII) of European Union citizens. Which legal framework imposes requirements on the cloud customer regarding data protection and privacy in this scenario?

Question 19 · medium · multi select

A cloud service provider (CSP) is undergoing a SOC 2 Type II audit. The auditor reviews the CSP's access control policies and identifies that user access reviews are performed quarterly. However, the auditor notes that there is no automated termination of access for terminated employees. Which TWO of the following control objectives are likely to be non-compliant based on this finding?

An administrator applies the S3 bucket policy shown in the exhibit to a bucket named 'data-bucket' that contains sensitive logs. The policy is intended to allow uploads only over HTTPS. After applying it, the administrator finds that uploads made with the AWS CLI without HTTPS still succeed. What is the most likely reason?

Exhibit:

---
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::data-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::data-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
---
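Both exhibits (question 11 and question 20) turn on how a bucket policy's Action and Condition elements are evaluated. The following added example, which is not part of this practice page and not AWS's own code, is a simplified offline evaluator: it applies the explicit-deny, then allow, then implicit-deny order, supports only the IpAddress and Bool operators the exhibits use, assumes Principal and Resource already match, and ignores whether S3 would accept the policy document at all. The two policies are constructed from the exhibits, and restrict_source_ip is a hypothetical helper showing the narrowing question 11 asks for.

```python
import copy
import ipaddress
from fnmatch import fnmatchcase

SOURCE_IP_POLICY = {"Version": "2012-10-17", "Statement": [  # constructed from the question 11 exhibit
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-company-logs/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/16"}}}]}
TLS_POLICY = {"Version": "2012-10-17", "Statement": [  # constructed from the question 20 exhibit
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::data-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::data-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

def as_list(value):  # IAM accepts a single string or a list in most elements
    return value if isinstance(value, list) else [value]

def condition_matches(cond, ctx):
    """Only the operators the exhibits use (IpAddress, Bool); a missing context key never matches."""
    for operator, pairs in cond.items():
        if operator not in ("IpAddress", "Bool"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, value in pairs.items():
            if key not in ctx:
                return False
            if operator == "Bool" and str(ctx[key]).lower() != str(value).lower():
                return False
            if operator == "IpAddress" and not any(
                    ipaddress.ip_address(ctx[key]) in ipaddress.ip_network(n) for n in as_list(value)):
                return False
    return True

def evaluate(policy, action, ctx):
    """Simplified IAM decision: explicit Deny wins, else any matching Allow, else implicit deny.
    Principal and Resource are assumed to match, so only Action and Condition are exercised."""
    decision = "deny"
    for stmt in policy["Statement"]:
        matched = any(fnmatchcase(action, p) for p in as_list(stmt["Action"]))
        if matched and condition_matches(stmt.get("Condition", {}), ctx):
            if stmt["Effect"] == "Deny":
                return "deny"  # an explicit Deny cannot be overridden by any Allow
            decision = "allow"
    return decision

def restrict_source_ip(policy, cidr):
    """Copy of the policy with every aws:SourceIp narrowed to cidr (the change question 11 asks for)."""
    narrowed = copy.deepcopy(policy)
    for stmt in narrowed["Statement"]:
        if "aws:SourceIp" in stmt.get("Condition", {}).get("IpAddress", {}):
            stmt["Condition"]["IpAddress"]["aws:SourceIp"] = cidr
    return narrowed
```

The evaluator reports what the JSON says as written; it does not model a policy S3 rejects on upload, nor IAM permissions granted outside the bucket policy, which is exactly the gap a reviewer has to close when a "deny" on paper does not match observed behaviour.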


Focused Legal, Risk and Compliance sessions

Start a Legal, Risk and Compliance only practice session

Every question in these sessions is drawn from the Legal, Risk and Compliance domain — nothing else.


Frequently asked questions

What does the CCSP exam test about Legal, Risk and Compliance?
Legal, Risk and Compliance questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Legal, Risk and Compliance questions in a focused session?
Yes — the session launcher on this page draws every question from the Legal, Risk and Compliance domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other CCSP topics?
Use the topic links above to move to related areas, or go back to the CCSP question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CCSP exam covers. They are not copied from any real exam or dump site.