This certification exam guide focuses on securing cloud platforms and services. Topics include cloud security architecture, identity and access management, encryption, threat detection, compliance frameworks, and incident response. Candidates gain knowledge to design and maintain secure cloud environments under shared responsibility models.
Typology: Exams
Question 1. Which NIST definition best captures the essence of cloud computing?
A) A set of virtual machines hosted on a single server.
B) On‑demand network access to a shared pool of configurable computing resources.
C) A proprietary platform offering only SaaS solutions.
D) A private data center managed internally.
Answer: B
Explanation: NIST SP 800‑145 defines cloud computing as “a model for enabling ubiquitous, convenient, on‑demand network access to a shared pool of configurable computing resources”.

Question 2. In the shared responsibility model for IaaS, which of the following is typically the provider’s responsibility?
A) Patch management of the guest operating system.
B) Physical security of the data center.
C) Configuration of application‑level firewalls.
D) Encryption of data stored in the customer’s database.
Answer: B
Explanation: For IaaS the provider secures the physical infrastructure (data center, power, cooling) while the customer manages the OS, applications, and data.

Question 3. Which cloud characteristic directly supports rapid scaling of resources during a traffic spike?
A) Multi‑tenancy
B) Measured service
C) Rapid elasticity
D) Resource pooling
Answer: C
Explanation: Rapid elasticity allows resources to be automatically provisioned and released to match demand.

Question 4. Which deployment model is most appropriate when multiple organizations share a common set of security, compliance, and operational requirements?
A) Public cloud
B) Private cloud
C) Community cloud
D) Hybrid cloud
Answer: C
Explanation: A community cloud is shared by several organizations with common concerns, such as regulatory compliance.

Question 5. Which cloud service model gives the consumer the greatest control over the operating system and runtime environment?
A) SaaS
B) PaaS
C) IaaS
D) FaaS
Answer: C
Explanation: IaaS provides virtualized compute, storage, and networking, allowing the consumer to install and configure the OS and middleware.

Question 6. Which of the following best describes a hypervisor’s role in virtualization security?
A) It encrypts data at rest for all VMs.
B) It isolates virtual machines from each other and the host.
Question 9. Which design principle helps mitigate vendor lock‑in for cloud‑based applications?
A) Using proprietary APIs exclusively.
B) Deploying workloads in a single region.
C) Designing for portability across multiple cloud providers.
D) Relying on a single‑vendor managed database service.
Answer: C
Explanation: Portability ensures workloads can be moved between providers, reducing dependence on a single vendor’s services.

Question 10. Which certification specifically addresses cloud‑specific security controls for service providers?
A) ISO/IEC 27001
B) ISO/IEC 27017
C) FIPS 140‑2
D) PCI‑DSS
Answer: B
Explanation: ISO/IEC 27017 provides guidelines for information security controls applicable to cloud services.

Question 11. In the cloud data lifecycle, which phase directly follows “Use”?
A) Create
B) Share
C) Archive
D) Destroy
Answer: B
Explanation: After data is used, it is often shared with other users or systems before being archived or destroyed.

Question 12. Which storage type is most appropriate for temporary files that do not need persistence after a VM is terminated?
A) Ephemeral storage
B) Object storage
C) Block storage with snapshots
D) Glacier archival storage
Answer: A
Explanation: Ephemeral storage exists only for the life of the VM and is deleted when the VM terminates.

Question 13. Which threat is most closely associated with multi‑tenant object storage buckets?
A) Data at rest encryption bypass
B) Cross‑tenant data leakage via misconfigured ACLs
C) Physical theft of storage devices
D) Hypervisor VM escape
Answer: B
Explanation: Misconfigured access control lists can allow one tenant to read or write objects belonging to another tenant.

Question 14. Which of the following tokenization techniques replaces sensitive data with a reversible token?
A) Hashing
B) Encryption
A) Schema analysis
B) Regular expression scanning of object metadata and content
C) SQL query profiling
D) Network traffic sniffing
Answer: B
Explanation: Regular expressions can search object contents and metadata for patterns such as credit‑card numbers in unstructured files.

Question 18. Which classification label would typically trigger encryption at rest and stricter access controls?
A) Public
B) Internal
C) Confidential
D) Archived
Answer: C
Explanation: “Confidential” data requires higher protection, including encryption and limited access.

Question 19. Information Rights Management (IRM) primarily provides which capability?
A) Automatic key rotation for encrypted storage
B) Persistent protection and usage policies applied to documents
C) Network‑level packet inspection
D) Physical security of the data center
Answer: B
Explanation: IRM embeds usage restrictions (view, edit, print) directly into the document, enforcing them wherever the file travels.
Question 20. Which legal hold requirement prevents data from being altered or destroyed during e‑discovery?
A) Data retention for 30 days
B) Immutable storage configuration (WORM)
C) Regular backup rotation
D) Deleting logs after 90 days
Answer: B
Explanation: Write‑once‑read‑many (WORM) storage ensures that data cannot be modified or deleted, satisfying legal hold obligations.

Question 21. Which physical security control is most relevant for protecting a cloud provider’s data center against environmental threats?
A) Biometric access control for server rooms
B) Fire suppression systems and temperature monitoring
C) Network firewalls
D) Role‑based access control for APIs
Answer: B
Explanation: Environmental controls like fire suppression and HVAC protect hardware from physical hazards.

Question 22. Which network security component inspects HTTP traffic for application‑layer attacks such as SQL injection?
A) IDS/IPS operating at Layer 3
B) Traditional router ACLs
C) Web Application Firewall (WAF)
D) VPN concentrator
C) Hyper‑jacking
D) Container breakout
Answer: B
Explanation: VM escape is when a guest VM breaks isolation and runs code on the underlying hypervisor.

Question 26. In STRIDE threat modeling, which category addresses the risk of unauthorized disclosure of data?
A) Spoofing
B) Tampering
C) Repudiation
D) Information disclosure
Answer: D
Explanation: “Information disclosure” in STRIDE covers unauthorized data exposure.

Question 27. Which control is part of the “Identification, Authentication, and Authorization” (IAA) set for cloud workloads?
A) Data-at-rest encryption
B) Multi‑factor authentication for admin accounts
C) Load balancing across regions
D) Automated patching of guest OSes
Answer: B
Explanation: MFA strengthens the authentication component of IAA.

Question 28. What does the Recovery Point Objective (RPO) define in disaster recovery planning?
A) The maximum acceptable downtime before service restoration
B) The amount of data loss measured in time that an organization can tolerate
C) The order in which services are recovered
D) The geographic location of the backup site
Answer: B
Explanation: RPO specifies the latest point in time to which data must be recovered, i.e., allowable data loss.

Question 29. Which cloud‑specific risk is directly mitigated by implementing network segmentation between tenant workloads?
A) Hypervisor VM escape
B) Shared‑resource side‑channel attacks
C) Physical theft of servers
D) Application code injection
Answer: B
Explanation: Segmentation reduces the attack surface for side‑channel attacks that exploit shared hardware resources.

Question 30. Which of the following is a primary benefit of using a Cloud Access Security Broker (CASB)?
A) Automating hypervisor updates
B) Providing visibility and control over SaaS usage
C) Managing on‑premises firewalls
D) Encrypting all network traffic at the ISP level
Answer: B
Explanation: CASBs monitor and enforce security policies for SaaS applications, giving organizations visibility and control.
Answer: B
Explanation: DAST sends inputs to a running application and observes responses to find vulnerabilities.

Question 34. Which open‑source license is most likely to introduce supply‑chain risk if not managed properly?
A) MIT License
B) Apache 2.
C) GPLv
D) Unlicensed (public domain)
Answer: C
Explanation: GPL‑licensed components can impose strict redistribution obligations; failure to track them can cause compliance and security risks.

Question 35. Which identity federation protocol uses signed XML assertions to convey authentication statements?
A) OAuth 2.
B) SAML 2.
C) OpenID Connect
D) Kerberos
Answer: B
Explanation: SAML transfers authentication data via signed XML assertions between IdP and SP.

Question 36. Which factor is most important when selecting an Identity Provider (IdP) for a multi‑cloud environment?
A) Ability to store large binary files
B) Support for multiple federation standards (SAML, OIDC)
C) Proprietary token format only
D) Requirement for on‑premises hardware appliance
Answer: B
Explanation: Multi‑cloud environments often need both SAML and OIDC support to integrate with diverse services.

Question 37. Which of the following best describes the purpose of a TPM (Trusted Platform Module) in cloud servers?
A) To provide hardware‑based key generation and secure storage
B) To manage virtual network overlays
C) To enforce firewall rules at the hypervisor level
D) To schedule VM migrations automatically
Answer: A
Explanation: TPMs generate and protect cryptographic keys, enabling hardware‑rooted trust.

Question 38. Which log source is most valuable for detecting compromised privileged credentials in a cloud environment?
A) DNS query logs
B) Application error logs
C) IAM authentication and role‑assumption logs
D) Storage bucket inventory reports
Answer: C
Explanation: IAM logs capture successful and failed authentication attempts and role assumption events, revealing credential misuse.

Question 39. Which patch management strategy aligns with the principle of “least disruption” for critical production workloads?
Question 42. Which principle ensures that evidence collected from a cloud instance remains admissible in court?
A) Encrypting the evidence with a proprietary algorithm
B) Maintaining a documented chain of custody
C) Storing evidence on the same cloud provider’s storage
D) Deleting original logs after collection
Answer: B
Explanation: A clear chain of custody demonstrates that evidence was not tampered with, preserving its admissibility.

Question 43. Which regulatory framework specifically addresses the protection of health‑related information in the United States?
A) GDPR
B) CCPA
C) HIPAA
D) PCI‑DSS
Answer: C
Explanation: HIPAA (Health Insurance Portability and Accountability Act) governs the privacy and security of PHI.

Question 44. Under GDPR, which of the following is considered a “legitimate interest” for processing personal data?
A) Marketing to individuals without consent
B) Processing employee data for payroll
C) Selling personal data to third parties
D) Publishing personal data publicly
Answer: B
Explanation: Payroll processing is a legitimate interest necessary for the performance of a contract with the data subject.

Question 45. Which audit report focuses on a service organization’s controls relevant to security, availability, processing integrity, confidentiality, or privacy?
A) SOC 1
B) SOC 2
C) SOC 3
D) ISO 27001 certification
Answer: B
Explanation: SOC 2 reports assess controls related to the Trust Services Criteria, including security and privacy.

Question 46. In risk management, the term “risk appetite” refers to:
A) The total amount of risk an organization can tolerate before bankruptcy
B) The level of risk an organization is willing to accept to achieve its objectives
C) The probability of a specific threat occurring
D) The cost of implementing all possible security controls
Answer: B
Explanation: Risk appetite is the amount and type of risk an organization is prepared to pursue, retain, or tolerate.

Question 47. Which clause in a cloud SLA typically defines the provider’s penalty for exceeding agreed‑upon uptime?
A) Service Credits
B) Data Residency
Question 50. Which security control is most effective at preventing “cloud‑jack” attacks where attackers gain unauthorized access to a tenant’s management console?
A) Enforcing MFA for all console logins
B) Disabling all API access
C) Using only static IP allow‑lists for console access
D) Encrypting all data at rest
Answer: A
Explanation: MFA adds a second factor, mitigating credential‑theft attacks on the management console.

Question 51. Which cryptographic algorithm is recommended for protecting data in transit over public networks?
A) MD
B) SHA‑1
C) AES‑256 in GCM mode over TLS 1.2+
D) DES
Answer: C
Explanation: AES‑256‑GCM combined with TLS 1.2 or higher provides confidentiality and integrity for data in transit.

Question 52. Which data classification label typically requires compliance with the “right to be forgotten” under GDPR?
A) Public
B) Internal
C) Personal Data (PII)
D) Archived
Answer: C
Explanation: Personal data subjects have the right to request erasure of their personal data under GDPR.

Question 53. Which cloud‑native logging service can be integrated with a SIEM to provide centralized security event correlation?
A) Amazon CloudWatch Logs
B) Azure Active Directory
C) Google Cloud DNS
D) Kubernetes Scheduler
Answer: A
Explanation: CloudWatch Logs aggregates logs from AWS services and can forward them to external SIEMs.

Question 54. Which of the following is a key benefit of implementing immutable infrastructure in a cloud environment?
A) Ability to patch running VMs without downtime
B) Reducing configuration drift by replacing instances rather than modifying them
C) Storing logs on mutable disks for faster access
D) Allowing users to edit system files directly on production servers
Answer: B
Explanation: Immutable infrastructure replaces entire instances, ensuring consistency and eliminating drift.

Question 55. Which of the following best describes a “cold standby” disaster recovery site?
A) A fully operational replica that receives live traffic
B) A site with pre‑installed hardware but no data synchronized
C) A location where only backup tapes are stored