Alibaba Cloud Security Ultimate Exam, Exams of Technology

The Alibaba Cloud Security Ultimate Exam focuses on cloud security principles and Alibaba Cloud security technologies. Topics include identity and access management, encryption, threat detection, network security, compliance, risk management, data protection, and secure cloud architecture. This exam preparation resource is ideal for IT professionals seeking expertise in cloud security practices.

Typology: Exams

2025/2026

Available from 05/08/2026

Uploaded by nicky-jone
Alibaba Cloud Security Ultimate Exam
**Question 1. Which RAM policy effect grants the specified permissions without overriding other
attached policies?**
A) Deny
B) Allow
C) NotAction
D) NotResource
Answer: B
Explanation: The **Allow** effect grants permissions while coexisting with other policies; Deny
overrides any Allow, and NotAction/NotResource are used for inverse specifications.
**Question 2. In a RAM policy, which element is used to restrict access based on source IP address?**
A) Action
B) Condition
C) Resource
D) Effect
Answer: B
Explanation: The **Condition** element can include `acs:SourceIp` to limit calls to specific IP ranges.
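An added example (Go; it is not Alibaba Cloud's own evaluation engine and not code from this exam) that makes the combination rule behind Questions 1 and 2 concrete: it evaluates two constructed policies under RAM's semantics, where an explicit Deny beats any Allow, a statement's Condition must hold for the statement to apply, and a request matched by nothing is implicitly denied. The policy contents, bucket names, ARNs and IP ranges are invented, only the IpAddress operator on acs:SourceIp is modelled, and the '*' wildcard handling is this example's own; the same structure extends to the tag and principal condition keys that later questions mention.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
	"strings"
)

// Statement models one RAM policy statement. Only the IpAddress operator on
// acs:SourceIp is represented (SourceIPs); an empty list means no condition.
type Statement struct {
	Effect    string   // "Allow" or "Deny"
	Action    []string // e.g. "oss:GetObject", "ecs:*"
	Resource  []string // e.g. "acs:oss:*:*:prod-logs/*"
	SourceIPs []string // CIDRs from Condition.IpAddress.acs:SourceIp
}

// Request is the (action, resource, caller IP) triple RAM evaluates.
type Request struct {
	Action, Resource, SourceIP string
}

// match implements the '*' wildcard of RAM Action and Resource strings by
// turning the pattern into an anchored regular expression.
func match(pattern, s string) bool {
	re := "^" + strings.ReplaceAll(regexp.QuoteMeta(pattern), `\*`, ".*") + "$"
	ok, _ := regexp.MatchString(re, s)
	return ok
}

func anyMatch(patterns []string, s string) bool {
	for _, p := range patterns {
		if match(p, s) {
			return true
		}
	}
	return false
}

// conditionHolds is true when the statement carries no source-IP condition or
// the caller's address falls inside one of the listed CIDRs.
func conditionHolds(st Statement, ip string) bool {
	if len(st.SourceIPs) == 0 {
		return true
	}
	addr, err := netip.ParseAddr(ip)
	for _, c := range st.SourceIPs {
		if pfx, perr := netip.ParsePrefix(c); err == nil && perr == nil && pfx.Contains(addr) {
			return true
		}
	}
	return false
}

// Evaluate applies RAM's combination rule over every attached policy: a
// matching Deny wins outright, otherwise a matching Allow grants, and a
// request matched by nothing is implicitly denied.
func Evaluate(policies [][]Statement, req Request) string {
	allowed := false
	for _, policy := range policies {
		for _, st := range policy {
			if !anyMatch(st.Action, req.Action) || !anyMatch(st.Resource, req.Resource) || !conditionHolds(st, req.SourceIP) {
				continue
			}
			if st.Effect == "Deny" {
				return "Deny"
			}
			allowed = true
		}
	}
	if allowed {
		return "Allow"
	}
	return "ImplicitDeny"
}

// Constructed sample: the two policies a RAM user might have attached.
var samplePolicies = [][]Statement{
	{{ // custom policy: OSS access to one bucket, only from the office range
		Effect:    "Allow",
		Action:    []string{"oss:Get*", "oss:List*", "oss:DeleteObject"},
		Resource:  []string{"acs:oss:*:*:prod-logs", "acs:oss:*:*:prod-logs/*"},
		SourceIPs: []string{"203.0.113.0/24"},
	}},
	{{ // guardrail policy: log objects are never deleted, whatever else is granted
		Effect:   "Deny",
		Action:   []string{"oss:DeleteObject"},
		Resource: []string{"acs:oss:*:*:prod-logs/*"},
	}},
}

func main() {
	obj := "acs:oss:cn-hangzhou:123456:prod-logs/app.log"
	fmt.Println(Evaluate(samplePolicies, Request{"oss:GetObject", obj, "203.0.113.5"}))    // Allow
	fmt.Println(Evaluate(samplePolicies, Request{"oss:GetObject", obj, "198.51.100.7"}))   // ImplicitDeny
	fmt.Println(Evaluate(samplePolicies, Request{"oss:DeleteObject", obj, "203.0.113.5"})) // Deny
}
```

Running it prints Allow, ImplicitDeny and Deny for the three requests in main: the read from an office address is granted, the same read from outside the office range fails the condition and falls through to the implicit deny, and the delete is blocked by the guardrail policy even though the custom policy would allow it. That last case is exactly why a Deny statement is the right tool for a non-negotiable restriction and an Allow never "overrides" anything.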
**Question 3. What is the primary purpose of a RAM service-linked role?**
A) To enable cross-account access for users
B) To allow a cloud service to access resources on your behalf
C) To replace the root account for daily operations
D) To enforce MFA for all users
Answer: B
Explanation: Service-linked roles are predefined roles that let Alibaba Cloud services act on resources securely without manual permission grants.
**Question 4. Which authentication method provides the highest security for console login?**
A) Password only


B) AccessKey only
C) MFA with password
D) Single sign-on (SSO) without MFA
Answer: C
Explanation: Combining a password with MFA adds a second factor, making the login far more resistant to credential theft than any single-factor method.
**Question 5. How often should AccessKeys be rotated to comply with best practices?**
A) Every 30 days
B) Every 90 days
C) Every 180 days
D) Every 365 days
Answer: B
Explanation: Alibaba Cloud recommends rotating AccessKeys at least every 90 days to reduce exposure risk.
**Question 6. Which SAML 2.0 binding carries authentication assertions from an on-premises identity provider (for example one backed by an LDAP directory) to Alibaba Cloud?**
A) OAuth 2.0
B) OpenID Connect
C) HTTP POST binding
D) SSH
Answer: C
Explanation: SAML 2.0 single sign-on to Alibaba Cloud uses the HTTP POST binding: the IdP returns the signed assertion in an HTML form that the browser posts to the Alibaba Cloud SSO endpoint. OAuth 2.0 and OpenID Connect are separate protocols, not SAML bindings.
**Question 7. In a hub-and-spoke VPC architecture, the hub VPC primarily provides which function?**
A) Direct internet access for all spokes
B) Centralized routing and shared services
C) Isolated data storage for each spoke

Explanation: Cloud Firewall provides intra-VPC (east-west) traffic inspection and filtering, complementing north-south protection at the internet boundary.
**Question 11. Anti-DDoS Pro primarily protects against which layer of attacks?**
A) Layer 2 only
B) Layer 3/4 (network and transport)
C) Layer 7 (application)
D) All layers equally
Answer: B
Explanation: Anti-DDoS Pro focuses on Layer 3/4 volumetric attacks such as UDP/TCP floods, while Anti-DDoS Premium adds Layer 7 protection. Note that in current Alibaba Cloud documentation Anti-DDoS Pro and Anti-DDoS Premium differ mainly by where they are deployed (mainland China versus outside it) and both cover Layer 4 and Layer 7 services; the layer-based split here is the exam's framing.
**Question 12. Which mitigation policy should be used to defend a web (HTTP) service against SYN flood attacks?**
A) Layer 3/4 UDP flood policy
B) Layer 7 HTTP request rate limiting
C) Blackhole routing policy
D) TCP SYN protection policy
Answer: D
Explanation: A SYN flood abuses the TCP handshake, so it is mitigated at the transport layer by TCP SYN protection (SYN cookies, handshake proxying), not by HTTP-level rate limiting, even when the target is a web server.
**Question 13. What triggers a blackhole routing action in Anti-DDoS?**
A) Detection of a known malware signature
B) Exceeding the configured bandwidth threshold for a protected IP
C) Successful login from a new IP address
D) Completion of a scheduled backup
Answer: B
Explanation: Blackhole routing is activated automatically when attack traffic exceeds the defined bandwidth limit; all traffic to the IP is dropped upstream to protect the rest of the network, so the service stays unavailable until the blackhole is lifted.
**Question 14. Which feature of Bastionhost helps with audit compliance?**
A) Automatic password rotation for all users
B) Session recording and playback
C) Real-time DDoS mitigation
D) Integrated WAF rule management
Answer: B
Explanation: Bastionhost records SSH/RDP sessions, allowing administrators to replay and audit privileged operations.
**Question 15. When configuring a VPN Gateway, which encryption protocol is recommended for maximum security?**
A) PPTP
B) L2TP without IPsec
C) IPsec with AES-256
D) SSL VPN with DES
Answer: C
Explanation: IPsec with AES-256 provides strong, industry-standard encryption for VPN tunnels; PPTP, L2TP without IPsec and DES are all broken or obsolete.
**Question 16. In a Cloud Enterprise Network (CEN) topology, what is the role of a CEN instance?**
A) To provide NAT services for all VPCs
B) To interconnect multiple VPCs across regions with encrypted links
C) To replace a VPC router
D) To host serverless functions
Answer: B
Explanation: A CEN instance interconnects VPCs (and VBRs) across regions over Alibaba Cloud's private global backbone rather than the public internet, enabling inter-VPC traffic without per-pair peering.
**Question 17. Which WAF protection rule directly mitigates SQL injection attacks?**
A) XSS filter
B) CSRF token validation

D) To manage RAM roles across accounts
Answer: B
Explanation: The host vulnerability scanner assesses ECS instances for unpatched software and misconfigurations.
**Question 21. Which Security Center feature detects brute-force login attempts on Linux ECS instances?**
A) Web shell detection
B) Intrusion detection system (IDS) rule set for password guessing
C) Data encryption monitoring
D) Cloud monitor alarm
Answer: B
Explanation: The IDS rule set for password guessing monitors login logs and flags repeated failed attempts from one source, the signature of a brute-force attack.
**Question 22. In ACK (Alibaba Cloud Container Service for Kubernetes), which component enforces runtime security policies?**
A) Kube-proxy
B) Container Security Service (CSS)
C) Cloud Monitor
D) Serverless Compute
Answer: B
Explanation: Container Security Service (CSS) integrates with ACK to enforce runtime policies such as privilege escalation prevention.
**Question 23. What is the purpose of image scanning in ACK?**
A) To compress container images for faster deployment
B) To identify vulnerabilities and malicious code before deployment
C) To convert images to a proprietary format
D) To backup images to OSS automatically
Answer: B
Explanation: Image scanning examines container images for known CVEs and malicious components before they are deployed.
**Question 24. Which KMS operation is used to encrypt a data key that will then encrypt large datasets (envelope encryption)?**
A) GenerateDataKey
B) Encrypt
C) CreateKey
D) Decrypt
Answer: A
Explanation: GenerateDataKey returns a plaintext data key together with a copy of that key encrypted under the CMK. The plaintext key encrypts the data locally and is then discarded; only the encrypted copy is stored with the data, and Decrypt is later called to recover it. Bulk data therefore never goes to KMS and the CMK never leaves it.
**Question 25. When a CMK is scheduled for deletion, what is the minimum waiting period before it is permanently removed?**
A) 7 days
B) 30 days
C) 90 days
D) 180 days
Answer: B
Explanation: Alibaba Cloud KMS holds a CMK scheduled for deletion in a pending state, 30 days by default, so the deletion can still be cancelled before the key material is destroyed. Note that the ScheduleKeyDeletion API accepts a shorter pending window, down to 7 days, so the "minimum" in this question is the default setting rather than the API's lower bound.
**Question 26. Which of the following services can directly use KMS to encrypt data at rest without additional configuration?**
A) Elastic Compute Service (ECS) system disks
B) CloudMonitor dashboards
C) Resource Directory metadata
D) RAM policy documents
Answer: A
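As an added illustration of the envelope pattern behind Question 24 (Go; example code, not the Alibaba Cloud SDK or anything from this exam), the block below stands a small in-memory FakeKMS in for the real service. Its GenerateDataKey and Decrypt methods mirror the two KMS calls the pattern needs; AES-256-GCM, the key ID "key-1234" and the payload are this example's own choices. Note what crosses the KMS boundary and what does not: the data never goes to KMS, the CMK never leaves it, only the wrapped data key travels, and the plaintext data key is zeroed as soon as the data has been sealed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// random returns n cryptographically random bytes (fake CMK, data keys, nonces).
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal encrypts with AES-256-GCM; output layout is nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails on any change to ciphertext, tag or AAD.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil || len(sealed) < g.NonceSize() {
		return nil, errors.New("bad key or ciphertext")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// FakeKMS stands in for the KMS service; CMK material never leaves it.
type FakeKMS struct{ cmk map[string][]byte }

// GenerateDataKey mirrors KMS GenerateDataKey: a fresh data key comes back in
// plaintext (use once, then discard) and wrapped under the CMK (key ID as AAD).
func (k *FakeKMS) GenerateDataKey(keyID string) (plain, wrapped []byte, err error) {
	cmk, ok := k.cmk[keyID]
	if !ok {
		return nil, nil, errors.New("unknown CMK " + keyID)
	}
	plain = random(32)
	wrapped, err = seal(cmk, plain, []byte(keyID))
	return plain, wrapped, err
}

// Decrypt mirrors KMS Decrypt: unwrap a data key with the CMK.
func (k *FakeKMS) Decrypt(keyID string, wrapped []byte) ([]byte, error) {
	cmk, ok := k.cmk[keyID]
	if !ok {
		return nil, errors.New("unknown CMK " + keyID)
	}
	return open(cmk, wrapped, []byte(keyID))
}

// Envelope is what is stored next to the data (e.g. as OSS object metadata);
// the wrapped key is useless to anyone who cannot call Decrypt on that CMK.
type Envelope struct{ KeyID string; WrappedKey, Ciphertext []byte }

func EncryptEnvelope(kms *FakeKMS, keyID string, data []byte) (*Envelope, error) {
	dk, wrapped, err := kms.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	ct, err := seal(dk, data, nil)
	for i := range dk { // the plaintext data key is not needed past this point
		dk[i] = 0
	}
	if err != nil {
		return nil, err
	}
	return &Envelope{keyID, wrapped, ct}, nil
}

func DecryptEnvelope(kms *FakeKMS, env *Envelope) ([]byte, error) {
	dk, err := kms.Decrypt(env.KeyID, env.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dk, env.Ciphertext, nil)
}

func main() {
	kms := &FakeKMS{cmk: map[string][]byte{"key-1234": random(32)}} // constructed CMK
	env, _ := EncryptEnvelope(kms, "key-1234", []byte("constructed secret payload"))
	fmt.Println(DecryptEnvelope(kms, env))
}
```

The key ID is bound into the wrapping as associated data, so a wrapped key cannot be silently re-pointed at a different CMK, and because the data key is wrapped with an AEAD any bit flip in the stored envelope fails closed instead of decrypting to garbage. In production the RAM permission to call kms:Decrypt on that CMK is what separates a reader of the bucket from a reader of the data, which is the point of Question 24's option D being a later step rather than the answer.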

**Question 30. Which Alibaba Cloud service provides automated moderation of text, image, and video content?**
A) Content Moderation (CM)
B) Cloud Firewall
C) ActionTrail
D) Log Service (SLS)
Answer: A
Explanation: Content Moderation (CM) uses AI to detect illegal or inappropriate content across multiple media types.
**Question 31. ActionTrail primarily records which type of activity?**
A) Network packet captures
B) API calls and console operations across Alibaba Cloud services
C) Disk I/O metrics for ECS instances
D) Real-time video streaming logs
Answer: B
Explanation: ActionTrail captures API requests and console actions (who did what, when, and from where), enabling audit and forensics; it does not capture packets or performance metrics.
**Question 32. Which Log Service (SLS) feature enables real-time alerting on security log patterns?**
A) Logstore TTL
B) Logtail agent
C) Log alert rule with SQL query
D) Data ingestion pipeline
Answer: C
Explanation: Log alert rules let you define SQL-based conditions that trigger alerts when matching log events occur.
**Question 33. In Config, what does a "Managed Rule" represent?**
A) A user-defined script for resource provisioning
B) A pre-built compliance check provided by Alibaba Cloud
C) A backup policy for OSS buckets
D) A network routing table entry
Answer: B
Explanation: Managed Rules are Alibaba Cloud's built-in compliance templates (e.g., "Ensure RAM users have MFA").
**Question 34. Which component of Incident Response automates remediation when a vulnerability is detected on an ECS instance?**
A) ActionTrail workflow
B) CloudMonitor alarm
C) Security Center auto-remediation playbook
D) RAM policy update
Answer: C
Explanation: Security Center can trigger a predefined playbook to patch or isolate the vulnerable ECS automatically.
**Question 35. When using CloudMonitor to set a custom security threshold, which metric would you most likely monitor for brute-force attacks?**
A) CPUUtilization
B) LoginFailedCount
C) DiskReadOps
D) NetworkIn
Answer: B
Explanation: LoginFailedCount reflects repeated failed authentication attempts, a key indicator of brute-force activity.
**Question 36. Under the Shared Responsibility Model, which security aspect is Alibaba Cloud not responsible for?**
A) Physical data-center security
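An added example (Go; constructed for this page, not Security Center's rule set or CloudMonitor's metric) of the detection logic that Question 21 and Question 35 refer to: it parses sshd authentication lines, keeps a sliding window of failures per source address, raises an alert once a threshold is crossed, and escalates when the same address then logs in successfully. The log format, timestamps and RFC 5737 addresses are invented for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Event is one parsed sshd authentication record.
type Event struct {
	Time    time.Time
	IP      string
	Success bool
}

// Alert is raised per source IP; Kind is "brute_force" or "success_after_brute_force".
type Alert struct {
	IP, Kind string
	Failures int
}

// lineRE matches sshd "Failed/Accepted ... from <ip>" lines; the RFC 3339 prefix is assumed.
var lineRE = regexp.MustCompile(
	`^(\S+) sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?\S+ from (\S+) port \d+`)

// ParseLine extracts an Event; ok is false for lines that are not auth records.
func ParseLine(line string) (Event, bool) {
	m := lineRE.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	ts, err := time.Parse(time.RFC3339, m[1])
	if err != nil {
		return Event{}, false
	}
	return Event{Time: ts, IP: m[3], Success: m[2] == "Accepted"}, true
}

// Detect flags every source IP with at least `threshold` failed logins inside a
// sliding `window` (lines assumed in time order) and escalates on a later success.
func Detect(lines []string, threshold int, window time.Duration) []Alert {
	recent := map[string][]time.Time{} // failure timestamps still inside the window
	peak := map[string]int{}           // highest in-window failure count per flagged IP
	success := map[string]bool{}
	var order []string // flagged IPs, in the order they crossed the threshold
	for _, l := range lines {
		e, ok := ParseLine(l)
		if !ok {
			continue
		}
		r := recent[e.IP]
		cut := e.Time.Add(-window)
		for len(r) > 0 && r[0].Before(cut) { // slide the window forward
			r = r[1:]
		}
		if e.Success {
			if len(r) >= threshold {
				success[e.IP] = true
			}
		} else if r = append(r, e.Time); len(r) >= threshold {
			if _, seen := peak[e.IP]; !seen {
				order = append(order, e.IP)
			}
			if len(r) > peak[e.IP] {
				peak[e.IP] = len(r)
			}
		}
		recent[e.IP] = r
	}
	var alerts []Alert
	for _, ip := range order {
		kind := "brute_force"
		if success[ip] {
			kind = "success_after_brute_force"
		}
		alerts = append(alerts, Alert{IP: ip, Kind: kind, Failures: peak[ip]})
	}
	return alerts
}

// sampleAuthLog is constructed for this example (RFC 5737 documentation addresses).
var sampleAuthLog = []string{
	"2025-01-15T10:00:01Z sshd[1201]: Failed password for root from 198.51.100.23 port 4022 ssh2",
	"2025-01-15T10:00:04Z sshd[1202]: Failed password for invalid user admin from 198.51.100.23 port 4023 ssh2",
	"2025-01-15T10:00:07Z sshd[1203]: Failed password for root from 198.51.100.23 port 4024 ssh2",
	"2025-01-15T10:00:25Z sshd[1204]: Accepted password for root from 198.51.100.23 port 4025 ssh2",
	"2025-01-15T10:01:00Z sshd[1210]: Failed password for invalid user test from 203.0.113.9 port 5010 ssh2",
	"2025-01-15T10:01:02Z sshd[1211]: Failed password for invalid user test from 203.0.113.9 port 5011 ssh2",
	"2025-01-15T10:01:04Z sshd[1212]: Failed password for invalid user oracle from 203.0.113.9 port 5012 ssh2",
	"2025-01-15T10:02:00Z sshd[1300]: Failed password for ops from 192.0.2.44 port 6000 ssh2",
	"2025-01-15T10:04:00Z sshd[1301]: Failed password for ops from 192.0.2.44 port 6001 ssh2",
	"2025-01-15T10:06:00Z sshd[1302]: Failed password for ops from 192.0.2.44 port 6002 ssh2",
	"2025-01-15T10:06:05Z sshd[1303]: Accepted publickey for ops from 192.0.2.44 port 6003 ssh2",
}

func main() {
	for _, a := range Detect(sampleAuthLog, 3, time.Minute) {
		fmt.Printf("%-14s %-26s failures=%d\n", a.IP, a.Kind, a.Failures)
	}
}
```

With a three-failure threshold and a one-minute window the sample yields two alerts: 198.51.100.23 (three failures, then a successful password login, the case that needs an immediate response) and 203.0.113.9 (three failures, no success). 192.0.2.44 also fails three times, but two minutes apart, so it never accumulates three failures inside the window; widening the window to ten minutes flags it as well. That trade-off between window length and noise is the same one a LoginFailedCount-style threshold in CloudMonitor forces you to choose explicitly.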

C) MLPS (Multi-Level Protection Scheme)
D) HIPAA
Answer: C
Explanation: Alibaba Cloud offers MLPS compliance checks tailored to China's regulatory framework.
**Question 40. In a scenario where a VPC peering connection is required between two accounts, which RAM permission must be granted to the accepter account?**
A) vpc:CreateVpcPeeringConnection
B) vpc:AcceptVpcPeeringConnection
C) ram:AssumeRole
D) ecs:CreateInstance
Answer: B
Explanation: The accepter account needs the accept permission to approve a peering request that the requester account created; creating the request and accepting it are separate, separately authorized actions.
**Question 41. Which of the following is a best practice when designing Security Group rules for a web server tier?**
A) Allow all inbound traffic on all ports.
B) Restrict inbound HTTP/HTTPS to source 0.0.0.0/0 and deny all else.
C) Permit inbound SSH from any IP address.
D) Use a single rule that allows all traffic from the VPC CIDR.
Answer: B
Explanation: Exposing only HTTP/HTTPS to the internet while leaving every other port closed (management access goes through Bastionhost or a tightly restricted source CIDR) keeps the attack surface minimal while the service stays reachable.
**Question 42. When configuring a Network ACL to block all inbound traffic from a malicious IP range, what must be true of the deny rule you add?**
A) An explicit allow rule for the same IP range must also exist.
B) The deny rule must have a lower rule number (higher priority) than any allow rule that would match the same traffic.
C) A stateless rule to log the traffic must be added.
D) Nothing further; ACLs are stateful.
Answer: B
Explanation: Network ACL rules are evaluated in rule-number order and the first match wins, so a deny placed after a broader allow never fires. Network ACLs are also stateless: return traffic is not permitted automatically and must be allowed explicitly in the opposite direction.
**Question 43. Which Cloud Firewall feature can be used to prevent data exfiltration from a compromised ECS instance?**
A) Outbound traffic rate limiting
B) East-west traffic inspection only
C) Global IP blacklist
D) Application-level DDoS protection
Answer: A
Explanation: Outbound rate limiting, together with explicit outbound deny rules, restricts what a compromised host can send out, mitigating exfiltration.
**Question 44. In Anti-DDoS Premium, what does the "Scrubbing Center" do?**
A) Generates SSL certificates automatically.
B) Analyzes and cleans malicious traffic before forwarding clean traffic to the origin.
C) Stores encrypted backups of logs.
D) Provides IAM role federation.
Answer: B
Explanation: The Scrubbing Center filters out attack traffic, delivering only legitimate packets to the protected resource.
**Question 45. Which of the following is NOT a valid reason to use a Bastionhost?**
A) Centralized SSH access logging.
B) Direct internet exposure of all internal servers.
C) Enforcing MFA for privileged sessions.
D) Isolating management traffic from production networks.
Answer: B
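As an added example of the ordering rule in Question 42 (Go; a model of first-match evaluation written for this page, not the VPC service's implementation), the block below evaluates packets against network ACL entries sorted by rule number and shows both failure modes a practitioner runs into: a deny numbered behind a broader allow that never fires, and, because the ACL is stateless, reply traffic to ephemeral ports that is dropped unless an outbound entry allows it. Rule numbers, address ranges and the accept/drop action names are assumptions of the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// ACLRule is one entry of a stateless network ACL: lower Priority wins, the
// first matching entry decides, and nothing after it is consulted.
type ACLRule struct {
	Priority         int
	Action           string // "accept" or "drop"
	CIDR             string // remote address range
	Protocol         string // "tcp", "udp", "icmp" or "all"
	PortMin, PortMax int    // destination port range (ignored for icmp/all)
}

// Packet is what the ACL sees: remote address, protocol and destination port
// in the direction the ACL is applied.
type Packet struct {
	Remote   string
	Protocol string
	Port     int
}

func (r ACLRule) matches(p Packet) bool {
	pfx, err := netip.ParsePrefix(r.CIDR)
	addr, err2 := netip.ParseAddr(p.Remote)
	if err != nil || err2 != nil || !pfx.Contains(addr) {
		return false
	}
	if r.Protocol != "all" && r.Protocol != p.Protocol {
		return false
	}
	if r.Protocol == "all" || r.Protocol == "icmp" {
		return true
	}
	return p.Port >= r.PortMin && p.Port <= r.PortMax
}

// EvaluateACL returns the action of the highest-priority matching entry, or
// "drop" when nothing matches (the implicit default).
func EvaluateACL(rules []ACLRule, p Packet) string {
	sorted := append([]ACLRule(nil), rules...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Priority < sorted[j].Priority })
	for _, r := range sorted {
		if r.matches(p) {
			return r.Action
		}
	}
	return "drop"
}

// Inbound ACL of a web subnet, constructed for the example: the block on the
// malicious range is numbered ahead of the general HTTPS allow.
var inboundOrdered = []ACLRule{
	{Priority: 1, Action: "drop", CIDR: "198.51.100.0/24", Protocol: "all"},
	{Priority: 10, Action: "accept", CIDR: "0.0.0.0/0", Protocol: "tcp", PortMin: 443, PortMax: 443},
}

// The same two entries with the numbers swapped: the allow now shadows the block.
var inboundShadowed = []ACLRule{
	{Priority: 20, Action: "drop", CIDR: "198.51.100.0/24", Protocol: "all"},
	{Priority: 10, Action: "accept", CIDR: "0.0.0.0/0", Protocol: "tcp", PortMin: 443, PortMax: 443},
}

// Outbound ACL: the ACL is stateless, so replies to the inbound HTTPS flows
// must be allowed explicitly toward the clients' ephemeral ports.
var outboundWithReturn = []ACLRule{
	{Priority: 10, Action: "accept", CIDR: "0.0.0.0/0", Protocol: "tcp", PortMin: 1024, PortMax: 65535},
}

func main() {
	attacker := Packet{"198.51.100.7", "tcp", 443}
	client := Packet{"203.0.113.9", "tcp", 443}
	reply := Packet{"203.0.113.9", "tcp", 51234} // the server's reply, as seen by the outbound ACL
	fmt.Println(EvaluateACL(inboundOrdered, attacker), EvaluateACL(inboundOrdered, client))
	fmt.Println(EvaluateACL(inboundShadowed, attacker))
	fmt.Println(EvaluateACL(nil, reply), EvaluateACL(outboundWithReturn, reply))
}
```

The first line prints drop and accept, the second prints accept (the misordered deny is dead), and the third prints drop and accept: with no outbound entry the web server's own replies never leave the subnet, which is the stateless behaviour option D in Question 42 gets wrong. Security Groups in the same VPC are stateful, so this second rule is only needed on the ACL.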

**Question 49. In the context of WAF, what does "False Positive" refer to?**
A) Blocking legitimate traffic that matches a rule.
B) Allowing malicious traffic to pass.
C) Misclassifying a DDoS attack as normal traffic.
D) Encrypting traffic incorrectly.
Answer: A
Explanation: A false positive occurs when a security rule incorrectly blocks benign requests; the opposite error, letting an attack through, is a false negative.
**Question 50. Which Security Center feature can automatically isolate an ECS instance suspected of being compromised?**
A) Intrusion Prevention System (IPS)
B) Automated quarantine action in a remediation playbook
C) Log Service retention policy
D) CloudMonitor CPU alarm
Answer: B
Explanation: An automated quarantine step in a playbook can isolate or stop the instance to prevent further damage while the incident is investigated.
**Question 51. What does the "Least Privilege" principle recommend for RAM policies?**
A) Granting all actions to all users for simplicity.
B) Assigning only the permissions required to perform a specific task.
C) Using Deny statements exclusively.
D) Sharing the root account among administrators.
Answer: B
Explanation: Least privilege limits users to the minimal set of actions needed, reducing risk.
**Question 52. Which condition key can be used in a RAM policy to restrict actions to a specific RAM role?**
A) acs:SourceIp
B) acs:PrincipalArn
C) acs:RequestedRegion
D) acs:TagKey
Answer: B
Explanation: acs:PrincipalArn allows policies to target a particular RAM role ARN.
**Question 53. When integrating an external IdP via SAML, which attribute maps the Alibaba Cloud user name?**
A) UserID
B) NameID
C) Email
D) RoleSessionName
Answer: B
Explanation: The NameID element of the SAML assertion is used as the Alibaba Cloud login name.
**Question 54. Which of the following is a recommended practice for AccessKey lifecycle management?**
A) Store AccessKeys in plain text on developer machines.
B) Rotate AccessKeys quarterly and disable old keys promptly.
C) Share a single AccessKey among all services.
D) Never delete AccessKeys once created.
Answer: B
Explanation: Quarterly rotation and immediate disabling of unused keys limit exposure.
**Question 55. In a multi-account environment, which Alibaba Cloud service centralizes RAM role delegation?**
A) Resource Directory
B) ActionTrail
C) Cloud Firewall
D) Anti-DDoS Basic

**Question 59. Which OSS feature allows you to enforce that only encrypted objects can be uploaded?**
A) Bucket versioning
B) Object lock
C) Server-side encryption (SSE) mandatory policy
D) Transfer acceleration
Answer: C
Explanation: A mandatory SSE policy rejects any upload that does not carry the required server-side encryption headers, so unencrypted objects never land in the bucket.
**Question 60. When using Function Compute, how can you ensure that the code package is free of known vulnerabilities?**
A) Enable automatic scaling.
B) Use the built-in image scanning service before deployment.
C) Set a high memory limit.
D) Deploy the function in a private VPC only.
Answer: B
Explanation: Image scanning checks the function's code package for known CVEs prior to execution.
**Question 61. Which of the following statements about ACK network policies is true?**
A) They are enforced by the Linux kernel on each node.
B) They replace Security Groups entirely.
C) They only apply to traffic between pods in the same namespace.
D) They cannot restrict egress traffic.
Answer: A
Explanation: Network policies are programmed by the cluster's network plugin into the kernel packet filter on each node (iptables or eBPF) and control pod-to-pod traffic, ingress and egress alike; Security Groups still govern the nodes themselves.
**Question 62. In the context of Cloud Firewall, what does "East-West traffic" refer to?**
A) Traffic between the internet and the VPC.
B) Traffic within the same VPC or between peered VPCs.
C) Traffic from an on-premises data center to the cloud.
D) Traffic that uses UDP only.
Answer: B
Explanation: East-West describes internal traffic moving laterally within or across VPCs.
**Question 63. Which Anti-DDoS feature automatically switches traffic to a "clean" path when an attack is detected?**
A) Blackhole routing
B) Traffic scrubbing
C) Rate limiting
D) IP whitelisting
Answer: B
Explanation: Traffic scrubbing redirects malicious flows to a cleaning center, delivering only legitimate packets.
**Question 64. What is the purpose of "Tag-Based Access Control" in RAM?**
A) To limit access to resources based on resource tags.
B) To encrypt tags at rest.
C) To create DNS records for tags.
D) To enable multi-factor authentication for tags.
Answer: A
Explanation: Tag-Based Access Control allows policies to grant or deny actions on resources that carry specific tags.
**Question 65. Which of the following is a recommended configuration for a public web application to achieve defense-in-depth?**
A) Only enable WAF.
B) Enable WAF, Anti-DDoS Premium, and Cloud Firewall together.
C) Use a single Security Group with open ports.
D) Disable SSL to reduce overhead.