The 7Safe Certified Cloud Security Analyst Exam assesses knowledge of securing cloud environments. It covers cloud architectures, identity and access management, data protection, monitoring, compliance, and incident response in cloud platforms. This certification prepares professionals to analyze and mitigate risks in cloud-based systems.
Typology: Exams
Question 1. Which cloud service model places the greatest security responsibility on the customer for operating system patches and application hardening?
A) IaaS
B) PaaS
C) SaaS
D) FaaS
Answer: A
Explanation: In IaaS the provider manages the physical infrastructure, while the customer is responsible for the OS, middleware, and applications, including patching and hardening.

Question 2. In the shared responsibility model for AWS, who is responsible for securing data stored in an S3 bucket?
A) AWS only
B) Customer only
C) Both AWS and the customer equally
D) Neither; it is managed by a third‑party auditor
Answer: B
Explanation: AWS secures the underlying storage infrastructure, but the customer must configure bucket policies, encryption, and access controls to protect their data.

Question 3. Which deployment model is best suited for an organization that wants to keep sensitive workloads on‑premises while leveraging public cloud resources for burst capacity?
A) Public cloud
B) Private cloud
C) Hybrid cloud
D) Multi‑cloud
Answer: C
Explanation: Hybrid cloud combines on‑premises infrastructure with public cloud services, allowing sensitive workloads to remain private while using public resources for scaling.

Question 4. A hypervisor vulnerability that allows a guest VM to execute code on the host is known as:
A) VM escape
B) Container breakout
C) Side‑channel attack
D) Man‑in‑the‑middle
Answer: A
Explanation: VM escape lets a compromised virtual machine break out of its isolation and affect the host hypervisor.

Question 5. Which IAM policy element defines the actions that are allowed or denied?
A) Effect
B) Action
C) Resource
D) Condition
Answer: B
Explanation: The “Action” element lists the specific API calls or operations the statement applies to.

Question 6. In AWS IAM, which policy condition key would you use to enforce MFA for a user’s API calls?
A) aws:MultiFactorAuthPresent
B) aws:SecureTransport
C) aws:RequestedRegion

B) Route to a NAT Gateway only
C) No routes; use default
D) Route to a VPC peering connection only
Answer: A
Explanation: Public subnets require a route to an IGW to allow inbound traffic from the internet.

Question 10. Which type of security group rule is stateful, meaning return traffic is automatically allowed?
A) Inbound rule only
B) Outbound rule only
C) Both inbound and outbound rules
D) Neither; security groups are stateless
Answer: C
Explanation: Security groups are stateful; if an inbound rule permits traffic, the corresponding outbound response is automatically allowed, and vice versa.

Question 11. A network ACL in AWS is configured as “allow all inbound traffic from 10.0.0.0/8, deny all other inbound traffic”. This ACL is:
A) Stateless, requiring explicit return rules
B) Stateful, automatically allowing return traffic
C) Invalid because CIDR blocks cannot be overlapping
D) Redundant because security groups already cover this
Answer: A
Explanation: Network ACLs are stateless; each direction must be explicitly allowed or denied.
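The stateful/stateless distinction behind Questions 10 and 11 is easiest to see by running a packet exchange through both controls. The following is an added example, not material from the exam or from AWS: a small simulator in which a security group keeps a connection-tracking table while a network ACL evaluates numbered rules with no memory. The addresses, ports and rules (client 10.1.2.3, instance 10.0.0.10, the 10.0.0.0/8 rule from Question 11) are constructed for illustration.

```python
"""Stateful security groups versus stateless network ACLs, simulated.

Added example (not from the exam page): models how the two controls from
Questions 10 and 11 evaluate a TCP exchange. The rule shapes, addresses
and ports are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "in" = toward the instance, "out" = from the instance


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


class SecurityGroup:
    """Allow rules only, plus connection tracking: once a flow is permitted in
    one direction, its replies are allowed without a rule for the other."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound    # list of (cidr, from_port, to_port)
        self.outbound = outbound
        self._tracked = set()     # (peer_ip, peer_port, local_port)

    @staticmethod
    def _match(rules, peer, port):
        return any(_in_cidr(peer, c) and lo <= port <= hi for c, lo, hi in rules)

    def allows(self, p):
        # Flow key from the instance's point of view, identical for both directions.
        key = (p.src, p.sport, p.dport) if p.direction == "in" else (p.dst, p.dport, p.sport)
        if key in self._tracked:
            return True  # reply to a flow that was already permitted
        ok = (self._match(self.inbound, p.src, p.dport) if p.direction == "in"
              else self._match(self.outbound, p.dst, p.dport))
        if ok:
            self._tracked.add(key)
        return ok


class NetworkACL:
    """Numbered rules evaluated lowest-first, first match wins, implicit final
    deny. No connection tracking, so replies need their own rule in the
    opposite direction."""

    def __init__(self, inbound, outbound):
        # each rule: (number, cidr, from_port, to_port, "allow" | "deny")
        self.inbound = sorted(inbound)
        self.outbound = sorted(outbound)

    def allows(self, p):
        rules = self.inbound if p.direction == "in" else self.outbound
        peer = p.src if p.direction == "in" else p.dst
        for _, cidr, lo, hi, action in rules:
            if _in_cidr(peer, cidr) and lo <= p.dport <= hi:
                return action == "allow"
        return False  # the trailing "*" deny rule


def demo():
    """Client 10.1.2.3 opens TCP 443 to instance 10.0.0.10; the instance replies
    from port 443 to the client's ephemeral port 51000."""
    syn = Packet("10.1.2.3", "10.0.0.10", 51000, 443, "in")
    reply = Packet("10.0.0.10", "10.1.2.3", 443, 51000, "out")

    sg = SecurityGroup(inbound=[("10.0.0.0/8", 443, 443)], outbound=[])
    sg_result = (sg.allows(syn), sg.allows(reply))

    # The ACL from Question 11: allow 10.0.0.0/8 inbound, deny everything else,
    # and nothing written for the outbound direction.
    nacl = NetworkACL(inbound=[(100, "10.0.0.0/8", 0, 65535, "allow")], outbound=[])
    nacl_result = (nacl.allows(syn), nacl.allows(reply))

    # What a stateless ACL needs: an outbound rule covering the ephemeral reply ports.
    fixed = NetworkACL(inbound=[(100, "10.0.0.0/8", 0, 65535, "allow")],
                       outbound=[(100, "10.0.0.0/8", 1024, 65535, "allow")])
    fixed_result = (fixed.allows(syn), fixed.allows(reply))
    return sg_result, nacl_result, fixed_result


if __name__ == "__main__":
    print(demo())
```

The security group with no outbound rules still lets the reply out because the inbound SYN was tracked; the ACL from Question 11 accepts the SYN and then drops the reply, which is exactly why real network ACLs need an outbound rule for ports 1024-65535.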
Question 12. Which AWS service provides DDoS protection for Elastic Load Balancers and CloudFront distributions?
A) AWS Shield Standard
B) AWS WAF
C) AWS GuardDuty
D) AWS Config
Answer: A
Explanation: AWS Shield Standard automatically protects ELB, CloudFront, and other services against common network‑ and transport‑layer DDoS attacks at no extra cost.

Question 13. To enforce encryption at rest for all new S3 buckets in an AWS account, which feature should be used?
A) Bucket policy
B) IAM policy with s3:PutEncryptionConfiguration condition
C) Service control policy (SCP) in AWS Organizations
D) S3 Access Points
Answer: C
Explanation: An SCP is the organization‑wide guardrail that no IAM or bucket policy in a member account can override. CreateBucket carries no encryption setting, so the SCP denies the calls that would leave data unencrypted instead: s3:PutObject without the s3:x-amz-server-side-encryption header, and s3:PutEncryptionConfiguration (the permission behind both PutBucketEncryption and DeleteBucketEncryption) so that a bucket's default encryption cannot be weakened or removed. Since January 2023 S3 applies SSE‑S3 to every new bucket and object by default, so the SCP's job is to stop that default from being turned off.

Question 14. In Azure, which storage service provides immutable blobs that cannot be overwritten or deleted for a specified retention period?
A) Azure Files
B) Azure Blob Storage with Immutable Blob storage (WORM)
C) Azure Disk Storage
D) Azure Table Storage
Answer: B
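Questions 5, 6 and 13 all come down to how an IAM policy statement is evaluated: Action decides whether a statement applies, Condition narrows it, and an explicit Deny beats any Allow. The following is an added example, not code from the exam or from AWS: a minimal evaluator that implements that order together with the three condition operators the two sample policies need (Bool, BoolIfExists, Null), then runs an MFA-required identity policy and an encryption-guardrail SCP against constructed request contexts. The policies, ARNs and context values are illustrative; real IAM evaluation has many more operators and layers.

```python
"""Minimal IAM policy evaluation, added as an example (not from the exam page)
to show how the Action element (Question 5), the aws:MultiFactorAuthPresent
condition (Question 6) and an organization SCP guarding S3 encryption
(Question 13) behave together. It models explicit deny / allow / implicit deny
and only the condition operators the two policies use. Policies and request
contexts are constructed.
"""
from fnmatch import fnmatchcase


def _listify(v):
    return v if isinstance(v, list) else [v]


def _action_matches(patterns, action):
    # Action names are matched case-insensitively and may use * wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _listify(patterns))


def _condition_ok(conditions, ctx):
    """All operator blocks must hold; within one key, any listed value matches."""
    for op, keys in conditions.items():
        for key, wanted in keys.items():
            present = key in ctx
            values = [str(w).lower() for w in _listify(wanted)]
            actual = str(ctx.get(key, "")).lower()
            if op == "Null":
                # "true": the key must be absent from the request; "false": present.
                if (not present) != (values[0] == "true"):
                    return False
            elif op == "Bool":
                if not present or actual not in values:
                    return False
            elif op == "BoolIfExists":
                # A missing key counts as a match. That is why Deny + BoolIfExists
                # "false" also catches long-term access keys, which never carry
                # the MFA context key at all.
                if present and actual not in values:
                    return False
            else:
                raise NotImplementedError(f"operator {op} not modelled here")
    return True


def evaluate(policies, action, resource, ctx):
    """Return "Allow" or "Deny": an explicit Deny anywhere wins, then any
    matching Allow, otherwise the implicit deny. SCPs never grant anything,
    they only add Deny statements, so listing them beside the identity policy
    is enough for this model."""
    decision = "Deny"
    for doc in policies:
        for st in _listify(doc["Statement"]):
            if not _action_matches(st["Action"], action):
                continue
            if not any(fnmatchcase(resource, r) for r in _listify(st.get("Resource", "*"))):
                continue
            if not _condition_ok(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# Identity policy: full S3 access, withdrawn by a Deny whenever the call was
# not MFA-authenticated (Question 6).
MFA_REQUIRED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Organization SCP (Question 13). CreateBucket carries no encryption setting,
# so the guardrail denies the calls that would leave data unencrypted: object
# writes without a server-side-encryption header, and any change to a
# bucket's default encryption (s3:PutEncryptionConfiguration is the permission
# behind both the PutBucketEncryption and DeleteBucketEncryption APIs).
ENCRYPTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Effect": "Deny", "Action": "s3:PutEncryptionConfiguration", "Resource": "*"},
    ],
}


def demo():
    policies = [MFA_REQUIRED_POLICY, ENCRYPTION_SCP]
    access_key = {}  # long-term access key: the MFA context key is absent
    mfa_session = {"aws:MultiFactorAuthPresent": "true"}
    return {
        "list_with_access_key": evaluate(policies, "s3:ListBucket", "arn:aws:s3:::data", access_key),
        "list_with_mfa": evaluate(policies, "s3:ListBucket", "arn:aws:s3:::data", mfa_session),
        "put_unencrypted": evaluate(policies, "s3:PutObject", "arn:aws:s3:::data/obj", mfa_session),
        "put_sse_kms": evaluate(policies, "s3:PutObject", "arn:aws:s3:::data/obj",
                                {**mfa_session, "s3:x-amz-server-side-encryption": "aws:kms"}),
        "change_default_encryption": evaluate(policies, "s3:PutEncryptionConfiguration",
                                              "arn:aws:s3:::data", mfa_session),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Two details are worth noticing in the output: the ListBucket call made with a plain access key is denied even though the key is simply missing from the context, which is what BoolIfExists buys over Bool; and the SCP on its own never produces an Allow, because service control policies only bound what identity policies may grant.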
D) Manual ticket generation for each finding
Answer: C
Explanation: CSPM tools that integrate with Config Rules can auto‑remediate violations, such as tightening overly permissive SG rules.

Question 18. When hunting for a credential‑theft incident in Azure logs, which KQL query fragment would best identify suspicious authentication from unknown IP addresses?
A) | where OperationName == "CreateUser"
B) | where Category == "Administrative"
C) | where ResultType == "Success" and IPAddress !in (trustedIPList)
D) | where EventLevel == "Error"
Answer: C
Explanation: Filtering successful authentications from IPs not in the trusted list surfaces the logins that deserve review. Note that the Azure AD SigninLogs table records a success as ResultType "0" and a failure as a numeric AADSTS error code (for example 50126 for a bad username or password), so a query against that table tests ResultType == "0" rather than the literal "Success".

Question 19. In a multi‑cloud strategy, which principle helps ensure consistent security controls across AWS, Azure, and GCP?
A) Vendor‑specific IAM policies only
B) Use of a unified Cloud Security Posture Management (CSPM) platform
C) Relying on each provider’s native tools exclusively
D) Deploying separate firewalls per cloud without coordination
Answer: B
Explanation: A CSPM platform provides a single pane of glass to enforce and monitor security policies across multiple clouds.

Question 20. Which of the following is the most effective way to protect secrets used by serverless functions (e.g., AWS Lambda) from accidental exposure in code repositories?
A) Hard‑code the secret in the function code
B) Store the secret in an environment variable defined in the deployment pipeline
C) Retrieve the secret at runtime from a managed secrets service (e.g., AWS Secrets Manager)
D) Place the secret in a public S3 bucket and reference it in code
Answer: C
Explanation: Fetching secrets at runtime from a dedicated secrets manager keeps them out of code and version control.

Question 21. Which AWS feature allows you to enforce that all traffic to an Amazon RDS instance stays within a VPC, preventing public internet exposure?
A) Publicly accessible flag set to true
B) Use of a DB subnet group with only private subnets
C) Enabling IAM database authentication only
D) Enabling Multi‑AZ deployment
Answer: B
Explanation: Placing RDS in a DB subnet group whose subnets have no route to an internet gateway, with the “Publicly accessible” setting left off, ensures it is not reachable from the internet.

Question 22. In Azure, which service provides a managed, highly available, and scalable key vault for storing cryptographic keys and secrets?
A) Azure Key Vault
B) Azure Sentinel
C) Azure Policy
D) Azure Security Center
Answer: A
Explanation: Azure Key Vault is purpose‑built for secure storage and management of keys, secrets, and certificates.
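The filter in Question 18 is the whole detection; what makes it useful in practice is matching against address ranges rather than single IPs and pairing each unexpected success with the failures that preceded it from the same address. The following is an added example, not part of the exam page: the same check implemented in Python over constructed sign-in records so it can be run offline. Field names follow the Azure AD SigninLogs schema (ResultType "0" is a success); the trusted ranges, users and addresses are assumptions, and the KQL shown in the docstring is the equivalent query for the real table.

```python
"""Successful sign-ins from outside the trusted address ranges: the check that
Question 18 expresses in KQL, run here over sample records. Added example,
not from the exam page. The records are constructed; field names follow the
Azure AD SigninLogs schema, in which ResultType "0" is a success and failures
carry an AADSTS error code (50126 = bad username or password). The trusted
ranges are assumptions.

KQL equivalent, with the trusted addresses held in a let-bound list:
    let trustedIPList = dynamic(["203.0.113.10", "198.51.100.5"]);
    SigninLogs
    | where ResultType == "0" and IPAddress !in (trustedIPList)
    | summarize Logins = count(), Users = make_set(UserPrincipalName) by IPAddress
"""
import ipaddress
import json

TRUSTED_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample sign-in events, one JSON object per line.
SAMPLE_SIGNIN_LOGS = """\
{"TimeGenerated": "2024-05-01T08:01:12Z", "UserPrincipalName": "alice@example.com", "IPAddress": "203.0.113.10", "ResultType": "0", "AppDisplayName": "Azure Portal"}
{"TimeGenerated": "2024-05-01T08:02:40Z", "UserPrincipalName": "alice@example.com", "IPAddress": "192.0.2.77", "ResultType": "50126", "AppDisplayName": "Azure Portal"}
{"TimeGenerated": "2024-05-01T08:03:05Z", "UserPrincipalName": "alice@example.com", "IPAddress": "192.0.2.77", "ResultType": "0", "AppDisplayName": "Azure Portal"}
{"TimeGenerated": "2024-05-01T08:10:00Z", "UserPrincipalName": "bob@example.com", "IPAddress": "198.51.100.5", "ResultType": "0", "AppDisplayName": "Office 365"}
{"TimeGenerated": "2024-05-01T08:11:30Z", "UserPrincipalName": "svc-backup@example.com", "IPAddress": "2001:db8::1", "ResultType": "0", "AppDisplayName": "Graph Explorer"}
"""


def is_trusted(ip):
    """CIDR membership rather than exact-string matching keeps the list short;
    an unparseable address is treated as untrusted so that it gets looked at."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_RANGES)


def parse_signin_logs(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def untrusted_successful_signins(events):
    """Events with ResultType "0" whose source address is outside TRUSTED_RANGES."""
    return [e for e in events
            if e.get("ResultType") == "0" and not is_trusted(e.get("IPAddress", ""))]


def summarize_by_ip(events):
    """Group the hits per source IP and attach the number of failed sign-ins
    seen from that IP: failures followed by a success from an unknown address
    is the guess-then-compromise shape to escalate first."""
    failures = {}
    for e in events:
        if e.get("ResultType") != "0":
            failures[e["IPAddress"]] = failures.get(e["IPAddress"], 0) + 1
    summary = {}
    for e in untrusted_successful_signins(events):
        entry = summary.setdefault(e["IPAddress"], {"logins": 0, "users": set(),
                                                    "failures": failures.get(e["IPAddress"], 0)})
        entry["logins"] += 1
        entry["users"].add(e["UserPrincipalName"])
    return summary


if __name__ == "__main__":
    for ip, info in summarize_by_ip(parse_signin_logs(SAMPLE_SIGNIN_LOGS)).items():
        print(ip, info)
```

On the sample, alice's success from 192.0.2.77 is reported with one prior failure from the same address, and the service account's IPv6 login is reported with none; bob's login from the trusted range is ignored.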
Explanation: CloudTrail records S3 API actions, including PutObject, along with the source IP address. Object‑level calls such as PutObject are S3 data events, which are not logged by default, so the trail must have data event logging enabled for the bucket for this evidence to exist.

Question 26. In a containerized environment, which vulnerability allows a compromised container to gain access to the host kernel?
A) Container image pull‑through cache poisoning
B) Privileged container escape via CAP_SYS_ADMIN
C) Misconfigured service mesh routing
D) Unused volume mounts
Answer: B
Explanation: Containers already share the host kernel; granting CAP_SYS_ADMIN (or running with --privileged) lets a compromised container perform kernel‑level operations such as mounting host filesystems, which is enough to escape its namespace isolation.

Question 27. Which Azure feature can be used to enforce that only specific subnets may access a PaaS service such as Azure SQL Database?
A) Azure Firewall
B) Service Endpoints with subnet restrictions
C) Azure AD Conditional Access
D) Azure Bastion
Answer: B
Explanation: Service Endpoints extend the VNet identity to Azure PaaS services, allowing subnet‑level access controls.

Question 28. When using IAM policies that employ the aws:PrincipalTag condition, what is the primary benefit?
A) Reducing the number of policies needed by leveraging tags on IAM principals for fine‑grained access
B) Enabling MFA enforcement automatically
C) Allowing cross‑account access without trust relationships
D) Encrypting the policy document at rest
Answer: A
Explanation: aws:PrincipalTag lets you base permissions on tags attached to users or roles, simplifying policy management.

Question 29. Which of the following is a recommended practice for securing SSH access to EC2 instances?
A) Allowing SSH from 0.0.0.0/0 on port 22
B) Using key‑pair authentication and restricting source IPs via security groups
C) Storing private keys on the instance’s file system
D) Disabling SSH and using only console access
Answer: B
Explanation: Key‑pair authentication combined with source IP restriction limits who can reach the port at all and removes password guessing as an attack path.

Question 30. A cloud‑native IDS/IPS service that analyzes VPC flow logs in real time and generates alerts is:
A) AWS GuardDuty
B) Azure Monitor
C) Google Cloud Armor
D) AWS Config
Answer: A
Explanation: GuardDuty ingests VPC Flow Logs, DNS logs, and CloudTrail events to detect malicious activity. It raises findings rather than blocking traffic, so any prevention comes from responders or automation acting on those findings.

Question 31. Which AWS feature provides a fully managed, serverless data catalog that can be used to enforce encryption and access policies on data stored in S3?

Question 34. In Google Cloud Platform, which service automatically applies security patches to the underlying OS of Compute Engine VMs when you enable “Automatic Updates”?
A) OS Config Agent
B) Cloud Armor
C) Cloud Scheduler
D) Cloud Identity
Answer: A
Explanation: OS Config Agent can manage OS patching, configuration enforcement, and package installation on VMs.

Question 35. Which AWS feature helps you enforce that all data written to an EBS volume is encrypted at rest?
A) Enabling encryption on the EC2 instance profile
B) Using an encrypted AMI to launch the instance
C) Attaching a non‑encrypted volume and enabling encryption later
D) Configuring a bucket policy for EBS snapshots
Answer: B
Explanation: Launching from an encrypted AMI ensures that the root EBS volume is encrypted. The account‑wide control is EBS “encryption by default”, a per‑Region setting that encrypts every newly created volume and snapshot copy regardless of how the instance is launched; an existing unencrypted volume cannot be encrypted in place, only via an encrypted snapshot copy.

Question 36. A security analyst notices an unusual spike in DNS queries from a Lambda function. Which AWS service can automatically investigate and remediate such behavior?
A) AWS Config
B) AWS GuardDuty (with automated response via CloudWatch Events)
C) AWS IAM Access Analyzer
D) AWS WAF
Answer: B
Explanation: GuardDuty detects anomalous DNS activity, and a CloudWatch Events (now Amazon EventBridge) rule on its findings can trigger automated remediation (e.g., disabling the function).

Question 37. Which of the following is a primary benefit of using a “Zero‑Trust” network model in cloud environments?
A) Eliminating the need for encryption
B) Assuming no implicit trust for any network segment, including internal traffic
C) Relying solely on perimeter firewalls
D) Allowing unrestricted lateral movement for privileged users
Answer: B
Explanation: Zero‑Trust treats every request as untrusted, enforcing strict verification regardless of source location.

Question 38. In Azure, which built‑in role provides read‑only access to all resources across a subscription?
A) Owner
B) Contributor
C) Reader
D) Security Admin
Answer: C
Explanation: The Reader role grants view‑only permissions without the ability to modify resources.

Question 39. Which AWS service can be used to centrally manage and rotate database credentials for RDS, Aurora, and Redshift?
A) AWS Secrets Manager
B) AWS Certificate Manager

B) Cloud Identity
C) Cloud Resource Manager
D) Cloud Endpoints
Answer: B
Explanation: Cloud Identity allows SAML federation, enabling single sign‑on with external IdPs.

Question 43. Which log type should be enabled to capture configuration changes to Azure resources for compliance auditing?
A) Azure Activity Log
B) Azure Diagnostic Logs
C) Azure AD Sign‑in Logs
D) Azure Network Watcher Logs
Answer: A
Explanation: The Activity Log records create, update, and delete operations on Azure resources.

Question 44. A CSPM tool flags that an S3 bucket has “PublicRead” ACL enabled. Which immediate remediation step is most appropriate?
A) Delete the bucket
B) Remove the public ACL and apply a bucket policy that denies anonymous access
C) Enable versioning on the bucket
D) Enable server‑side encryption
Answer: B
Explanation: Removing the public ACL and adding a restrictive bucket policy eliminates the unintended exposure; enabling S3 Block Public Access on the bucket (or the whole account) then prevents a public ACL from being reattached later.

Question 45. Which of the following AWS services provides a managed WAF that can be associated with CloudFront, ALB, and API Gateway?
A) AWS Shield
B) AWS WAF
C) AWS Firewall Manager
D) AWS Inspector
Answer: B
Explanation: AWS WAF offers rule‑based protection for CloudFront, ALB, and API Gateway.

Question 46. In the context of cloud data protection, what does “encryption in use” refer to?
A) Encrypting data at rest only
B) Encrypting data while it is being transmitted
C) Encrypting data while it is being processed by applications (e.g., homomorphic encryption)
D) Encrypting backups only
Answer: C
Explanation: “Encryption in use” protects data during computation, typically via advanced techniques like homomorphic encryption or hardware‑isolated confidential computing enclaves.

Question 47. Which Azure service can automatically discover and remediate misconfigurations in Azure Kubernetes Service (AKS) clusters?
A) Azure Security Center (Defender for Cloud)
B) Azure Monitor
C) Azure DevTest Labs
D) Azure Automation
Answer: A

C) A finding with “IsPublic” set to false
D) A finding indicating “Policy is too restrictive”
Answer: B
Explanation: “AllowedExternalAccess” true signals that the resource policy permits access from external principals.

Question 51. In Azure, which built‑in policy can automatically deny creation of storage accounts that do not enable secure transfer (HTTPS only)?
A) Allowed locations policy
B) Secure transfer required for storage accounts
C) Audit VMs without managed disks
D) Require tag on resources
Answer: B
Explanation: The “secure transfer required” policy enforces HTTPS‑only access for storage accounts.

Question 52. Which AWS feature helps you enforce that specific tags are present on all newly created resources?
A) AWS Config Rules with required-tags managed rule
B) IAM policy with TagResources action only
C) CloudTrail event filtering
D) S3 bucket policy
Answer: A
Explanation: Config is a detective control: the required-tags managed rule evaluates each resource when its configuration is recorded and marks those missing the mandatory tags as non‑compliant for remediation. It does not block creation; a preventive guardrail needs an SCP or IAM policy using the aws:RequestTag condition alongside it.

Question 53. A security engineer wants to detect anomalous lateral movement between EC2 instances. Which data source is most valuable for this detection?
A) S3 Access Logs
B) VPC Flow Logs
C) CloudTrail Management Events only
D) RDS Performance Insights
Answer: B
Explanation: VPC Flow Logs capture IP traffic between instances, revealing unexpected internal connections.

Question 54. Which of the following is the primary function of a “Cloud Access Security Broker” (CASB)?
A) Provide DDoS protection for cloud services
B) Enforce security policies between cloud users and cloud services, offering visibility and data loss prevention
C) Manage DNS routing for multi‑region deployments
D) Automate VM image creation
Answer: B
Explanation: CASBs act as policy enforcement points, delivering visibility, compliance, and data protection across cloud services.

Question 55. In AWS, which service can be used to centrally manage firewall rules across multiple accounts and VPCs?
A) AWS Firewall Manager
B) AWS WAF
C) AWS Shield
D) AWS Config
Answer: A
Explanation: Firewall Manager enables organization‑wide policy enforcement for WAF, Shield Advanced, and security groups.
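Question 53 names VPC Flow Logs as the data source for lateral-movement hunting; turning that into a detection means parsing the records, keeping only accepted east-west flows, and comparing them with what each tier is expected to talk to. The following is an added example, not part of the exam page or an AWS tool: it parses default-format (version 2) flow log records, skips the reply half of each connection (flow logs record both directions), and reports internal connections outside a per-tier baseline. The sample records, the VPC CIDR, the tiers and the baseline are constructed for illustration.

```python
"""Lateral-movement hunting over VPC Flow Logs, the data source Question 53
points to. Added example, not from the exam page: parses default-format
(version 2) records, keeps accepted flows that start and end inside the VPC,
and reports connections that the per-tier baseline does not expect. The
sample records, VPC CIDR and baseline are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Default flow log format, fields in order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumed baseline: for each source subnet, the (destination subnet, port)
# pairs that are normal east-west traffic.
BASELINE = {
    ipaddress.ip_network("10.0.1.0/24"): {("10.0.2.0/24", 5432)},  # web tier -> db tier
    ipaddress.ip_network("10.0.2.0/24"): set(),                    # db tier initiates nothing
}

# Constructed sample: a normal DB connection and its reply, an SSH hop between
# web hosts, a rejected probe, an SMB connection from the DB host, and an
# outbound HTTPS flow to the internet.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 51234 5432 6 20 4000 1714550400 1714550460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.1.10 5432 51234 6 18 3500 1714550400 1714550460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.1.11 51235 22 6 12 2000 1714550410 1714550470 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 51236 22 6 3 180 1714550420 1714550480 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.1.12 49152 445 6 15 3000 1714550430 1714550490 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 93.184.216.34 51237 443 6 40 8000 1714550440 1714550500 ACCEPT OK
"""


def parse_flow_logs(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split()))
        for f in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[f] = int(rec[f])
        records.append(rec)
    return records


def _tier(addr):
    return next((net for net in BASELINE if addr in net), None)


def find_lateral_movement(records):
    """Accepted internal connections outside the baseline, as (src, dst, dport)."""
    findings = []
    for r in records:
        src, dst = ipaddress.ip_address(r["srcaddr"]), ipaddress.ip_address(r["dstaddr"])
        if r["action"] != "ACCEPT" or src not in VPC_CIDR or dst not in VPC_CIDR:
            continue  # rejects and north-south traffic belong to other hunts
        if r["srcport"] < r["dstport"]:
            continue  # heuristic: the lower port is the service, so this is the server's reply
        src_tier, dst_tier = _tier(src), _tier(dst)
        expected = BASELINE.get(src_tier, set())  # unknown source tier -> nothing expected
        if dst_tier is None or (str(dst_tier), r["dstport"]) not in expected:
            findings.append((r["srcaddr"], r["dstaddr"], r["dstport"]))
    return findings


def fan_out(records):
    """Distinct unexpected internal destinations per source host: a host that
    suddenly talks to many peers is the classic scanning signature."""
    peers = defaultdict(set)
    for src, dst, _ in find_lateral_movement(records):
        peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_FLOW_LOGS)
    for finding in find_lateral_movement(recs):
        print("unexpected internal connection:", finding)
    print("fan-out:", fan_out(recs))
```

The reply-direction skip is a heuristic that holds for well-known service ports; a service listening high in the ephemeral range would need the baseline to list it explicitly. In production the baseline would be learned from a quiet period rather than hand-written, and the REJECT records dropped here are worth a separate query, since a burst of rejects from one host is the scan that usually precedes the accepted connection.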