[CCPE] Cloud Security CCPE Certification Exam Guide, Exams of Technology

This certification exam guide focuses on securing cloud platforms and services. Topics include cloud security architecture, identity and access management, encryption, threat detection, compliance frameworks, and incident response. Candidates gain knowledge to design and maintain secure cloud environments under shared responsibility models.

Typology: Exams

2025/2026

Available from 02/12/2026

shilpi-jain-3

[CCPE] Cloud Security CCPE Certification Exam Guide
**Question 1. Which NIST definition best captures the essence of cloud computing?**
A) A set of virtual machines hosted on a single server.
B) On-demand network access to a shared pool of configurable computing resources.
C) A proprietary platform offering only SaaS solutions.
D) A private data center managed internally.
Answer: B
Explanation: NIST SP 800-145 defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources”.
**Question 2. In the shared responsibility model for IaaS, which of the following is typically the provider’s responsibility?**
A) Patch management of the guest operating system.
B) Physical security of the data center.
C) Configuration of application-level firewalls.
D) Encryption of data stored in the customer’s database.
Answer: B
Explanation: For IaaS the provider secures the physical infrastructure (data center, power, cooling) and the virtualization layer, while the customer manages the guest OS, applications, and data.
**Question 3. Which cloud characteristic directly supports rapid scaling of resources during a traffic spike?**
A) Multi-tenancy
B) Measured service
C) Rapid elasticity
D) Resource pooling
Answer: C
Explanation: Rapid elasticity allows resources to be automatically provisioned and released to match demand.
**Question 4. Which deployment model is most appropriate when multiple organizations share a common set of security, compliance, and operational requirements?**
A) Public cloud
B) Private cloud
C) Community cloud
D) Hybrid cloud
Answer: C
Explanation: A community cloud is shared by several organizations with common concerns, such as regulatory compliance.
**Question 5. Which cloud service model gives the consumer the greatest control over the operating system and runtime environment?**
A) SaaS
B) PaaS
C) IaaS
D) FaaS
Answer: C
Explanation: IaaS provides virtualized compute, storage, and networking, allowing the consumer to install and configure the OS and middleware.
**Question 6. Which of the following best describes a hypervisor’s role in virtualization security?**
A) It encrypts data at rest for all VMs.
B) It isolates virtual machines from each other and the host.
**Question 9. Which design principle helps mitigate vendor lock-in for cloud-based applications?**
A) Using proprietary APIs exclusively.
B) Deploying workloads in a single region.
C) Designing for portability across multiple cloud providers.
D) Relying on a single-vendor managed database service.
Answer: C
Explanation: Portability ensures workloads can be moved between providers, reducing dependence on a single vendor’s services.
**Question 10. Which certification specifically addresses cloud-specific security controls for service providers?**
A) ISO/IEC 27001
B) ISO/IEC 27017
C) FIPS 140-2
D) PCI-DSS
Answer: B
Explanation: ISO/IEC 27017 provides guidelines for information security controls applicable to cloud services. It is a code of practice that extends ISO/IEC 27002 for cloud providers and customers and is assessed alongside an ISO/IEC 27001 certification rather than certified on its own.
**Question 11. In the cloud data lifecycle, which phase directly follows “Use”?**
A) Create
B) Share
C) Archive
D) Destroy
Answer: B
Explanation: After data is used, it is often shared with other users or systems before being archived or destroyed (the CSA lifecycle runs Create, Store, Use, Share, Archive, Destroy).
**Question 12. Which storage type is most appropriate for temporary files that do not need persistence after a VM is terminated?**
A) Ephemeral storage
B) Object storage
C) Block storage with snapshots
D) Glacier archival storage
Answer: A
Explanation: Ephemeral storage exists only for the life of the VM and is deleted when the VM terminates.
**Question 13. Which threat is most closely associated with multi-tenant object storage buckets?**
A) Data-at-rest encryption bypass
B) Cross-tenant data leakage via misconfigured ACLs
C) Physical theft of storage devices
D) Hypervisor VM escape
Answer: B
Explanation: Misconfigured access control lists (or bucket policies) can allow one tenant to read or write objects belonging to another tenant.
**Question 14. Which of the following tokenization techniques replaces sensitive data with a reversible token?**
A) Hashing
B) Encryption
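Question 13 turns on exactly the misconfiguration that automated bucket audits look for. The following Python script is an added example, not part of the exam guide, and runs against a constructed S3-style bucket policy and ACL grant list rather than a live account: it flags Allow statements whose principal is anonymous (`*`) and not narrowed by a scoping condition key such as `aws:PrincipalOrgID`, and ACL grants to the `AllUsers` or `AuthenticatedUsers` groups (the latter means any AWS account holder, i.e. any other tenant). The sample policy, the account and organization IDs, and the list of scoping condition keys are assumptions for illustration.

```python
import json

# Constructed sample bucket policy for illustration (not from any real account).
# "PublicRead" is world-readable, "PartnerWrite" is scoped to one account, and
# "OrgOnly" uses a "*" principal that a condition key pins to one organization.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PartnerWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/inbox/*"},
    {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}
  ]
}
""")

# Constructed ACL grants in the shape GetBucketAcl returns. The second grant
# gives READ to every authenticated AWS account, i.e. to every other tenant.
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"},
]

# Condition keys that narrow an otherwise-anonymous "*" principal (an assumed,
# non-exhaustive list for this example).
SCOPING_CONDITION_KEYS = {
    "aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:PrincipalArn",
    "aws:SourceVpc", "aws:SourceVpce",
}


def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def has_scoping_condition(statement):
    """True if any condition key in the statement restricts who the principal can be."""
    for pairs in statement.get("Condition", {}).values():
        if any(key in SCOPING_CONDITION_KEYS for key in pairs):
            return True
    return False


def public_policy_statements(policy):
    """Sids of Allow statements reachable by anyone, not just this tenant."""
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in policy.get("Statement", [])
        if stmt.get("Effect") == "Allow"
        and is_wildcard_principal(stmt.get("Principal"))
        and not has_scoping_condition(stmt)
    ]


def public_acl_grants(grants):
    """(group, permission) pairs for ACL grants to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") == "Group" and uri.endswith(("/AllUsers", "/AuthenticatedUsers")):
            findings.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
    print("cross-tenant ACL grants:", public_acl_grants(SAMPLE_ACL_GRANTS))
```

The `OrgOnly` statement is deliberately left unflagged: a `*` principal under a condition on `aws:PrincipalOrgID` is a common and legitimate pattern, and a scanner that reports it alongside genuinely public grants trains operators to ignore the findings.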
A) Schema analysis
B) Regular expression scanning of object metadata and content
C) SQL query profiling
D) Network traffic sniffing
Answer: B
Explanation: Regular expressions can search object contents and metadata for patterns such as credit-card numbers in unstructured files; pairing the pattern with a validity check (for example the Luhn checksum for card numbers) keeps false positives down.
**Question 18. Which classification label would typically trigger encryption at rest and stricter access controls?**
A) Public
B) Internal
C) Confidential
D) Archived
Answer: C
Explanation: “Confidential” data requires higher protection, including encryption and limited access.
**Question 19. Information Rights Management (IRM) primarily provides which capability?**
A) Automatic key rotation for encrypted storage
B) Persistent protection and usage policies applied to documents
C) Network-level packet inspection
D) Physical security of the data center
Answer: B
Explanation: IRM embeds usage restrictions (view, edit, print) directly into the document, enforcing them wherever the file travels.
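Option B of Question 17 is the technique that discovery and classification tools (the decision in Question 18 depends on it) actually run. As an added example, not from the exam guide, the following Python scanner applies it to constructed object bodies and user metadata: a regular expression picks out 13 to 19 digit candidates with optional space or dash separators, and a Luhn checksum discards the order numbers and typos that a bare regex would report. The object keys, contents and metadata are constructed sample data; 4111 1111 1111 1111 is the well-known Visa test number, not a real card.

```python
import re

# A candidate is 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run (so a 20-digit serial is skipped).
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn (mod 10) checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the Luhn-valid PANs in `text`, separators stripped."""
    found = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


# Constructed object bodies and user metadata (not real data). 4111 1111 1111 1111
# is the well-known Visa test number; 4111111111111112 fails Luhn, and so does the
# 13-digit order ID in the log line, so neither is reported.
SAMPLE_OBJECTS = {
    "exports/orders.csv": "id,card\n1,4111 1111 1111 1111\n2,4111111111111112\n",
    "notes/meeting.txt": "Customer paid with card 4111-1111-1111-1111 on Monday.",
    "logs/app.log": "2024-05-01 order_id=1234567890123 status=ok",
}
SAMPLE_METADATA = {
    "exports/orders.csv": {"x-amz-meta-owner": "finance"},
    "notes/meeting.txt": {"x-amz-meta-ref": "4111111111111111"},
}


def scan_objects(objects, metadata):
    """Map object key -> number of PAN hits, over both content and metadata."""
    hits = {}
    for key, body in objects.items():
        meta_text = " ".join(metadata.get(key, {}).values())
        count = len(find_card_numbers(body)) + len(find_card_numbers(meta_text))
        if count:
            hits[key] = count
    return hits


if __name__ == "__main__":
    for key, count in scan_objects(SAMPLE_OBJECTS, SAMPLE_METADATA).items():
        print(f"{key}: {count} card number(s) found")
```

Scanning metadata separately from content matters in practice: user-defined object metadata is returned on every HEAD request and is rarely covered by the same access reviews as the object body.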
**Question 20. Which legal hold requirement prevents data from being altered or destroyed during e-discovery?**
A) Data retention for 30 days
B) Immutable storage configuration (WORM)
C) Regular backup rotation
D) Deleting logs after 90 days
Answer: B
Explanation: Write-once-read-many (WORM) storage ensures that data cannot be modified or deleted, satisfying legal hold obligations.
**Question 21. Which physical security control is most relevant for protecting a cloud provider’s data center against environmental threats?**
A) Biometric access control for server rooms
B) Fire suppression systems and temperature monitoring
C) Network firewalls
D) Role-based access control for APIs
Answer: B
Explanation: Environmental controls like fire suppression and HVAC protect hardware from physical hazards.
**Question 22. Which network security component inspects HTTP traffic for application-layer attacks such as SQL injection?**
A) IDS/IPS operating at Layer 3
B) Traditional router ACLs
C) Web Application Firewall (WAF)
D) VPN concentrator
C) Hyper-jacking
D) Container breakout
Answer: B
Explanation: VM escape is when code in a guest VM breaks isolation and executes on the underlying hypervisor or host.
**Question 26. In STRIDE threat modeling, which category addresses the risk of unauthorized disclosure of data?**
A) Spoofing
B) Tampering
C) Repudiation
D) Information disclosure
Answer: D
Explanation: “Information disclosure” in STRIDE covers unauthorized data exposure; it is the category that maps to the confidentiality property, just as Tampering maps to integrity and Spoofing to authentication.
**Question 27. Which control is part of the “Identification, Authentication, and Authorization” (IAA) set for cloud workloads?**
A) Data-at-rest encryption
B) Multi-factor authentication for admin accounts
C) Load balancing across regions
D) Automated patching of guest OSes
Answer: B
Explanation: MFA strengthens the authentication component of IAA.
**Question 28. What does the Recovery Point Objective (RPO) define in disaster recovery planning?**
A) The maximum acceptable downtime before service restoration
B) The amount of data loss, measured in time, that an organization can tolerate
C) The order in which services are recovered
D) The geographic location of the backup site
Answer: B
Explanation: RPO specifies the latest point in time to which data must be recoverable, i.e., the allowable data loss; the maximum acceptable downtime (option A) is the Recovery Time Objective (RTO).
**Question 29. Which cloud-specific risk is directly mitigated by implementing network segmentation between tenant workloads?**
A) Hypervisor VM escape
B) Shared-resource side-channel attacks
C) Physical theft of servers
D) Application code injection
Answer: B
Explanation: Segmentation reduces the attack surface for side-channel attacks that exploit shared resources. Note that hardware side channels such as cache-timing attacks do not traverse the network at all, so dedicated hosts or provider-side CPU isolation are needed alongside segmentation to address them fully.
**Question 30. Which of the following is a primary benefit of using a Cloud Access Security Broker (CASB)?**
A) Automating hypervisor updates
B) Providing visibility and control over SaaS usage
C) Managing on-premises firewalls
D) Encrypting all network traffic at the ISP level
Answer: B
Explanation: CASBs monitor and enforce security policies for SaaS applications, giving organizations visibility and control.
Answer: B
Explanation: DAST sends inputs to a running application and observes responses to find vulnerabilities.
**Question 34. Which open-source license is most likely to introduce supply-chain risk if not managed properly?**
A) MIT License
B) Apache 2.0
C) GPL
D) Unlicensed (public domain)
Answer: C
Explanation: GPL-licensed components can impose strict redistribution obligations; failure to track them can cause compliance and security risks.
**Question 35. Which identity federation protocol uses signed XML assertions to convey authentication statements?**
A) OAuth 2.0
B) SAML 2.0
C) OpenID Connect
D) Kerberos
Answer: B
Explanation: SAML transfers authentication data via signed XML assertions between the identity provider (IdP) and the service provider (SP); OAuth 2.0 and OpenID Connect use JSON-based tokens instead.
**Question 36. Which factor is most important when selecting an Identity Provider (IdP) for a multi-cloud environment?**
A) Ability to store large binary files
B) Support for multiple federation standards (SAML, OIDC)
C) Proprietary token format only
D) Requirement for an on-premises hardware appliance
Answer: B
Explanation: Multi-cloud environments often need both SAML and OIDC support to integrate with diverse services.
**Question 37. Which of the following best describes the purpose of a TPM (Trusted Platform Module) in cloud servers?**
A) To provide hardware-based key generation and secure storage
B) To manage virtual network overlays
C) To enforce firewall rules at the hypervisor level
D) To schedule VM migrations automatically
Answer: A
Explanation: TPMs generate and protect cryptographic keys and record boot measurements, enabling hardware-rooted trust and attestation of the platform state.
**Question 38. Which log source is most valuable for detecting compromised privileged credentials in a cloud environment?**
A) DNS query logs
B) Application error logs
C) IAM authentication and role-assumption logs
D) Storage bucket inventory reports
Answer: C
Explanation: IAM logs capture successful and failed authentication attempts and role-assumption events, revealing credential misuse (for example, a console login without MFA, or a privileged role assumed from an unfamiliar network).
**Question 39. Which patch management strategy aligns with the principle of “least disruption” for critical production workloads?**
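The answer to Question 38 is only useful once someone writes the detections. The following Python detector is an added example, not code from the exam guide or from any provider: it runs three rules over constructed, simplified CloudTrail-style records (a console login after a run of failures, a console login without MFA, and a privileged role assumed from outside the assumed corporate network). The event records, the network range, the role-name markers and the failure threshold are assumptions for illustration; the field names `ConsoleLogin`, `MFAUsed`, `AssumeRole` and `roleArn` follow the real CloudTrail record shape.

```python
import ipaddress
from collections import defaultdict

# Assumed "known good" network and privileged-role naming for this example.
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
PRIVILEGED_ROLE_MARKERS = ("Admin", "PowerUser")
FAILURE_THRESHOLD = 3


def _event(time, name, user, ip, **extra):
    """Build a constructed, simplified CloudTrail-style record."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user}, **extra}


# Constructed sample events (no real account or person). alice behaves normally;
# bob logs in after three failures, without MFA, from outside the corporate range,
# then assumes an Admin role.
SAMPLE_EVENTS = [
    _event("2024-05-01T08:00:01Z", "ConsoleLogin", "alice", "203.0.113.10",
           responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _event("2024-05-01T08:01:00Z", "AssumeRole", "alice", "203.0.113.10",
           requestParameters={"roleArn": "arn:aws:iam::123456789012:role/ReadOnlyRole"}),
    _event("2024-05-01T08:05:00Z", "ConsoleLogin", "bob", "198.51.100.7",
           responseElements={"ConsoleLogin": "Failure"}, errorMessage="Failed authentication"),
    _event("2024-05-01T08:05:20Z", "ConsoleLogin", "bob", "198.51.100.7",
           responseElements={"ConsoleLogin": "Failure"}, errorMessage="Failed authentication"),
    _event("2024-05-01T08:05:40Z", "ConsoleLogin", "bob", "198.51.100.7",
           responseElements={"ConsoleLogin": "Failure"}, errorMessage="Failed authentication"),
    _event("2024-05-01T08:06:00Z", "ConsoleLogin", "bob", "198.51.100.7",
           responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _event("2024-05-01T08:07:00Z", "AssumeRole", "bob", "198.51.100.7",
           requestParameters={"roleArn": "arn:aws:iam::123456789012:role/AdminRole"}),
]


def is_corporate(ip):
    """True if the source address falls inside an assumed corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def detect_credential_misuse(events):
    """Return (rule, user, detail) alerts, processing events in time order."""
    alerts = []
    failures = defaultdict(int)   # consecutive ConsoleLogin failures per user
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        user = ev.get("userIdentity", {}).get("userName", "?")
        ip = ev.get("sourceIPAddress", "")
        if ev.get("eventName") == "ConsoleLogin":
            if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
                failures[user] += 1
                continue
            if failures[user] >= FAILURE_THRESHOLD:
                alerts.append(("login-after-failures", user, ip))
            if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                alerts.append(("console-login-without-mfa", user, ip))
            failures[user] = 0
        elif ev.get("eventName") == "AssumeRole":
            role_name = ev.get("requestParameters", {}).get("roleArn", "").rsplit("/", 1)[-1]
            if any(m in role_name for m in PRIVILEGED_ROLE_MARKERS) and not is_corporate(ip):
                alerts.append(("privileged-role-from-unknown-network", user, f"{role_name}@{ip}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect_credential_misuse(SAMPLE_EVENTS):
        print(f"[{rule}] user={user} {detail}")
```

The MFA rule treats a missing `MFAUsed` field the same as `"No"`, so a record that omits the field (or a federated login that reports it differently) surfaces for review rather than passing silently; tune that choice to what your identity provider actually emits.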
**Question 42. Which principle ensures that evidence collected from a cloud instance remains admissible in court?**
A) Encrypting the evidence with a proprietary algorithm
B) Maintaining a documented chain of custody
C) Storing evidence on the same cloud provider’s storage
D) Deleting original logs after collection
Answer: B
Explanation: A clear chain of custody (who collected what, when, and how it was stored and handed over, typically backed by cryptographic hashes of the images) demonstrates that evidence was not tampered with, preserving its admissibility.
**Question 43. Which regulatory framework specifically addresses the protection of health-related information in the United States?**
A) GDPR
B) CCPA
C) HIPAA
D) PCI-DSS
Answer: C
Explanation: HIPAA (Health Insurance Portability and Accountability Act) governs the privacy and security of protected health information (PHI).
**Question 44. Under GDPR, which of the following is considered a “legitimate interest” for processing personal data?**
A) Marketing to individuals without consent
B) Processing employee data for payroll
C) Selling personal data to third parties
D) Publishing personal data publicly
Answer: B
Explanation: Payroll is the only option with a lawful purpose. Strictly, GDPR Article 6(1) covers payroll as processing necessary for the performance of a contract with the data subject (or for compliance with a legal obligation) rather than under the “legitimate interests” basis; the other options have no lawful basis at all.
**Question 45. Which audit report focuses on a service organization’s controls relevant to security, availability, processing integrity, confidentiality, or privacy?**
A) SOC 1
B) SOC 2
C) SOC 3
D) ISO 27001 certification
Answer: B
Explanation: SOC 2 reports assess controls against the Trust Services Criteria, including security and privacy; SOC 1 covers controls relevant to financial reporting, and SOC 3 is a general-use summary of a SOC 2 examination.
**Question 46. In risk management, the term “risk appetite” refers to:**
A) The total amount of risk an organization can tolerate before bankruptcy
B) The level of risk an organization is willing to accept to achieve its objectives
C) The probability of a specific threat occurring
D) The cost of implementing all possible security controls
Answer: B
Explanation: Risk appetite is the amount and type of risk an organization is prepared to pursue, retain, or tolerate.
**Question 47. Which clause in a cloud SLA typically defines the provider’s penalty for failing to meet agreed-upon uptime?**
A) Service Credits
B) Data Residency
**Question 50. Which security control is most effective at preventing “cloud-jack” attacks where attackers gain unauthorized access to a tenant’s management console?**
A) Enforcing MFA for all console logins
B) Disabling all API access
C) Using only static IP allow-lists for console access
D) Encrypting all data at rest
Answer: A
Explanation: MFA adds a second factor, mitigating credential-theft attacks on the management console.
**Question 51. Which cryptographic algorithm is recommended for protecting data in transit over public networks?**
A) MD5
B) SHA-1
C) AES-256 in GCM mode over TLS 1.2+
D) DES
Answer: C
Explanation: AES-256-GCM negotiated under TLS 1.2 or higher provides confidentiality and integrity for data in transit. MD5 and SHA-1 are hash functions (both broken for collision resistance) and provide no confidentiality, and DES with its 56-bit key is obsolete.
**Question 52. Which data classification label typically requires compliance with the “right to be forgotten” under GDPR?**
A) Public
B) Internal
C) Personal Data (PII)
D) Archived
Answer: C
Explanation: Data subjects have the right to request erasure of their personal data under GDPR (Article 17).
**Question 53. Which cloud-native logging service can be integrated with a SIEM to provide centralized security event correlation?**
A) Amazon CloudWatch Logs
B) Azure Active Directory
C) Google Cloud DNS
D) Kubernetes Scheduler
Answer: A
Explanation: CloudWatch Logs aggregates logs from AWS services and can forward them to external SIEMs (for example through subscription filters).
**Question 54. Which of the following is a key benefit of implementing immutable infrastructure in a cloud environment?**
A) Ability to patch running VMs without downtime
B) Reducing configuration drift by replacing instances rather than modifying them
C) Storing logs on mutable disks for faster access
D) Allowing users to edit system files directly on production servers
Answer: B
Explanation: Immutable infrastructure replaces entire instances from a known-good image rather than modifying them in place, ensuring consistency and eliminating drift.
**Question 55. Which of the following best describes a “cold standby” disaster recovery site?**
A) A fully operational replica that receives live traffic
B) A site with pre-installed hardware but no data synchronized
C) A location where only backup tapes are stored