Cloud security applies security principles to cloud-hosted infrastructure, applications, and data. CompTIA Network+ N10-009 tests cloud security concepts including the shared responsibility model, cloud-native security controls, and threats specific to cloud environments. As organizations migrate to cloud, network security skills must extend into cloud networking and security architecture.
Cloud security is shared between the provider and customer. The provider is always responsible for physical infrastructure, network fabric, and hypervisor security. The customer is always responsible for their data, identity and access management, and client-side configurations. The middle ground shifts by service model: IaaS — customer responsible for OS and above. PaaS — customer responsible for application and data. SaaS — customer responsible for data and user access only.
Common customer mistakes: misconfigured S3 buckets (public read access on private data), overprivileged IAM roles, no MFA on root/admin accounts, unencrypted data at rest, open security groups allowing 0.0.0.0/0 on all ports. Most cloud breaches result from customer misconfiguration, not cloud provider failures.
Security groups (virtual firewalls): control inbound and outbound traffic to cloud instances at the instance level. Stateful — return traffic for an allowed connection is permitted automatically, so no separate rule is needed for it. Apply least-privilege: only open specific required ports from specific sources. Never use 0.0.0.0/0 (allow all) for sensitive resources.
Network ACLs (cloud): subnet-level stateless filters in cloud VPCs (e.g., AWS NACL). Unlike security groups, NACLs require both inbound and outbound rules for bidirectional traffic. Applied at the subnet level — affect all instances in the subnet.
Cloud WAF and DDoS protection: cloud providers offer WAF services (AWS WAF, Azure WAF, Cloudflare WAF) and DDoS protection (AWS Shield, Azure DDoS Protection). These cloud-native services integrate directly with cloud load balancers and CDNs without requiring dedicated hardware.
Encryption: encrypt data at rest using cloud KMS (Key Management Service) — provider-managed keys or customer-managed keys (CMK). Encrypt data in transit using TLS. Client-side encryption: encrypt before uploading so even the provider cannot access plaintext.
Common misconception: the cloud provider secures everything in the cloud.
The shared responsibility model clearly defines customer responsibilities. Customers must configure IAM, encryption, security groups, and data protection. Cloud provider breaches are rare — customer misconfiguration is the primary cloud security risk.
These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.
A company hosts an application on IaaS cloud VMs. The cloud provider is responsible for which of the following?
Explanation: In IaaS, the cloud provider is responsible for physical infrastructure, hypervisors, and the underlying network fabric. The customer is responsible for everything above the hypervisor: OS patching, application security, data, and user access management. This is the IaaS shared responsibility boundary.
CSPM (Cloud Security Posture Management) tools continuously scan cloud environments for misconfigurations, compliance violations, and security risks. They identify issues like publicly accessible S3 buckets, overprivileged IAM roles, security groups with excessive access, and unencrypted storage volumes. Examples: Prisma Cloud, AWS Security Hub, Microsoft Defender for Cloud. CSPM provides visibility into the security posture across multi-cloud environments.
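As an added example (not code from the original page or from any CSPM product), the following Python check implements the kind of security-group scan described above: it walks a constructed listing in the shape of AWS describe-security-groups output and flags the 0.0.0.0/0 misconfiguration called out earlier on this page. The group IDs, names and rules are hypothetical sample data.

```python
import ipaddress

# Constructed sample in the shape of an AWS describe-security-groups response.
# Group IDs and names are hypothetical; this is not data from a real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000aaaa", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # public HTTPS: by design
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},        # SSH open to the world
    {"GroupId": "sg-0000bbbb", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},  # all ports
    {"GroupId": "sg-0000cccc", "GroupName": "app",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]},      # scoped to one subnet
]

# Ports where a world-open rule is always a finding (80/443 are public by design).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL",
                   5432: "PostgreSQL", 1433: "MSSQL"}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. any prefix covering the whole address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_groups(groups):
    """Return CSPM-style findings as (group_id, severity, description) tuples."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(is_world_open(c) for c in ranges):
                continue  # rule is scoped to specific sources: acceptable
            if perm["IpProtocol"] == "-1":  # AWS encodes "all traffic" as -1, no ports
                findings.append((g["GroupId"], "CRITICAL",
                                 "all protocols/ports open to 0.0.0.0/0"))
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            hit = [f"{p}/{n}" for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi]
            if hit:
                findings.append((g["GroupId"], "HIGH",
                                 f"{', '.join(hit)} open to 0.0.0.0/0"))
            elif hi > lo:  # a port range open to the world, even without a named port
                findings.append((g["GroupId"], "MEDIUM",
                                 f"ports {lo}-{hi} open to 0.0.0.0/0"))
    return findings
```

Running `check_security_groups(SAMPLE_GROUPS)` yields two findings (SSH on the web group, everything on the db group) and none for the subnet-scoped app group.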