[DevOpsSEC] Official Certified DevOps Information Security Engineer DevOps SEC Program Cer, Exams of Technology

A specialized exam guide tailored for DevOps security professionals focusing on secure development pipelines, infrastructure security, compliance, vulnerability management, and risk mitigation strategies. The guide delivers in-depth theoretical concepts alongside real-world security scenarios, secure coding practices, threat modeling, and governance frameworks. Includes practice questions with explanations, exam strategies, and practical case studies to help candidates confidently prepare for certification while strengthening security-focused DevOps skills.

Typology: Exams

2025/2026

Available from 02/18/2026

[DevOpsSEC] Official Certified DevOps Information
Security Engineer DevOps SEC Program Certification
Exam Guide
**Question 1.** Which IaC approach declares the desired end-state rather than the steps to achieve it?
A) Imperative scripting
B) Declarative configuration
C) Procedural programming
D) Manual provisioning
Answer: B
Explanation: Declarative IaC describes *what* the infrastructure should look like, letting the tool
compute the steps.
**Question 2.** In Terraform, what is the purpose of a backend configuration?
A) To define variable types
B) To store state remotely
C) To generate modules automatically
D) To enforce naming conventions
Answer: B
Explanation: Backends enable remote state storage, locking, and collaboration.
**Question 3.** Which Terraform command safely updates the state file after applying changes?
A) terraform plan
B) terraform apply
C) terraform refresh
D) terraform state pull
Answer: B
Explanation: `terraform apply` writes the resulting resource IDs into the state file.
**Question 4.** What does Terraform workspace isolation primarily help with?
A) Parallel execution of resources



B) Separating environments like dev and prod
C) Encrypting state files
D) Scaling compute nodes automatically
Answer: B
Explanation: Workspaces allow distinct state files per environment, preventing cross-environment contamination.
**Question 5.** Which version control practice is essential for module versioning in Terraform?
A) Tagging releases in Git
B) Using .gitignore for .tf files
C) Storing modules in a private Docker registry
D) Encrypting module source code
Answer: A
Explanation: Tagging modules in Git provides immutable references for specific versions.
**Question 6.** In Ansible, which module is best suited for enforcing file permissions on a Linux host?
A) yum
B) copy
C) file
D) service
Answer: C
Explanation: The file module can set ownership, mode, and attributes.
**Question 7.** Which Ansible feature enables idempotent OS hardening across hundreds of servers?
A) Ansible Vault
B) Playbook loops
C) Roles with tasks and handlers


**Question 11.** Which workload controller guarantees stable network identity and storage for each pod replica?
A) Deployment
B) DaemonSet
C) StatefulSet
D) Job
Answer: C
Explanation: StatefulSets provide ordered, stable identities and persistent storage.
**Question 12.** In Kubernetes, what does a NetworkPolicy control?
A) Pod CPU limits
B) Ingress/Egress traffic between pods
C) Persistent volume size
D) Node auto-scaling thresholds
Answer: B
Explanation: NetworkPolicies define allowed traffic flows at the pod level.
**Question 13.** Which CSI driver feature enables dynamic provisioning of storage?
A) VolumeAttachment
B) NodePublishVolume
C) CreateVolume
D) ControllerExpandVolume
Answer: C
Explanation: CreateVolume is called to provision a new volume on demand.
**Question 14.** What is the main benefit of using a Service Mesh like Istio?


A) Automatic container image updates
B) Centralized traffic management and observability
C) Server-less function execution
D) Immutable infrastructure snapshots
Answer: B
Explanation: Service Mesh injects sidecars for traffic control, security, and tracing.
**Question 15.** Which protocol does an Ingress controller typically use to route HTTP traffic?
A) TCP
B) UDP
C) gRPC
D) HTTP/HTTPS with path-based rules
Answer: D
Explanation: Ingress resources define HTTP/HTTPS routing based on host/path.
**Question 16.** A VPN connection between on-premises and AWS primarily provides which security property?
A) Data integrity at rest
B) Encryption of data in transit
C) Multi-factor authentication for IAM users
D) Immutable snapshots of EBS volumes
Answer: B
Explanation: VPN tunnels encrypt traffic between the data center and the cloud.
**Question 17.** Which abstraction layer helps manage resources uniformly across AWS, Azure, and GCP?
A) Terraform provider plugins
B) Cloud-init scripts


Explanation: `strategy.type` (e.g., RollingUpdate) defines how pods are replaced.
**Question 21.** In GitOps, what is the role of ArgoCD?
A) Compile source code into binaries
B) Continuously reconcile cluster state with Git repositories
C) Generate Terraform state files
D) Perform static code analysis
Answer: B
Explanation: ArgoCD watches Git and applies the desired manifests to the cluster.
**Question 22.** Which statement best describes the "single source of truth" in GitOps?
A) All configuration lives in a database
B) All infrastructure definitions are stored in a Git repo
C) Secrets are stored in plain text files
D) CI pipelines generate configuration at runtime
Answer: B
Explanation: Git holds the authoritative definition of system state.
**Question 23.** Feature flags primarily help to:
A) Reduce container image size
B) Decouple deployment from feature activation
C) Encrypt network traffic
D) Automate backup schedules
Answer: B
Explanation: Flags allow code to be shipped while toggling features on/off.
**Question 24.** Which tool is commonly used for feature flag management in a cloud-native stack?


A) Prometheus
B) LaunchDarkly
C) Consul
D) Terraform
Answer: B
Explanation: LaunchDarkly provides a SaaS platform for flag evaluation.
**Question 25.** Which of the following is a time-series database used for metrics collection?
A) Elasticsearch
B) Grafana
C) Prometheus
D) Loki
Answer: C
Explanation: Prometheus scrapes and stores metrics as time-series data.
**Question 26.** In the observability triad, which component captures distributed request traces?
A) Metrics
B) Logging
C) Tracing
D) Alerting
Answer: C
Explanation: Tracing follows a request across service boundaries.
**Question 27.** What does an SLI represent?
A) A contractual penalty for downtime
B) A measurable indicator of service performance
C) A security level indicator


**Question 31.** Which service is designed for secret storage and dynamic credential generation?
A) AWS S
B) HashiCorp Vault
C) CloudWatch
D) Kubernetes ConfigMap
Answer: B
Explanation: Vault can generate and rotate secrets on demand.
**Question 32.** What is the primary advantage of dynamic secret rotation?
A) Reduces storage costs
B) Limits the window of exposure if a secret is compromised
C) Improves container startup time
D) Enables faster DNS resolution
Answer: B
Explanation: Frequently rotating credentials reduces risk from leaked secrets.
**Question 33.** Which tool can scan container images for known vulnerabilities during CI?
A) Falco
B) Trivy
C) Prometheus
D) Istio
Answer: B
Explanation: Trivy pulls image layers and matches them against vulnerability databases.
**Question 34.** eBPF-based runtime security monitors which of the following?
A) Network packet headers only


B) System calls and kernel events
C) Application source code quality
D) Cloud provider IAM policies
Answer: B
Explanation: eBPF hooks into the kernel to observe syscalls for anomalous behavior.
**Question 35.** Compliance-as-Code typically uses which language to express policies?
A) Python
B) HCL (HashiCorp Configuration Language)
C) Rego (Open Policy Agent)
D) Bash
Answer: C
Explanation: OPA's Rego language enables declarative policy definitions.
**Question 36.** Which framework is commonly automated for CIS Benchmark compliance on Linux servers?
A) NIST SP 800-53
B) PCI DSS
C) CIS Benchmarks
D) ISO 27001
Answer: C
Explanation: CIS Benchmarks provide prescriptive hardening steps that can be scripted.
**Question 37.** In incident response, the first step after detection is:
A) Root cause analysis
B) Post-mortem documentation
C) Triage and classification


**Question 41.** What does RTO stand for in disaster recovery?
A. Recovery Time Objective
B. Redundant Transfer Operation
C. Remote Transaction Override
D. Resource Throttling Option
Answer: A
Explanation: RTO defines the maximum acceptable downtime.
**Question 42.** Which DR strategy maintains a minimal set of resources running continuously in the cloud?
A. Pilot Light
B. Warm Standby
C. Multi-site Active-Active
D. Cold Backup
Answer: A
Explanation: Pilot Light keeps core services ready, allowing fast scale-up.
**Question 43.** In a blameless post-mortem, the focus is on:
A. Assigning fault to individuals
B. Identifying systemic improvements
C. Reducing documentation overhead
D. Penalizing teams that caused the outage
Answer: B
Explanation: Blameless reviews aim to learn and prevent recurrence without finger-pointing.
**Question 44.** Which Terraform command can be used to migrate state from local to remote backend?


A. terraform init -migrate-state
B. terraform plan -out=state.tfstate
C. terraform apply -auto-approve
D. terraform state push
Answer: A
Explanation: `terraform init -migrate-state` moves the state file to the configured backend.
**Question 45.** What is the effect of setting force_new_resource = true in a Terraform resource?
A. The resource will be recreated on any attribute change
B. The resource will be ignored during apply
C. The resource will be encrypted at rest
D. The resource will be provisioned in a new VPC automatically
Answer: A
Explanation: force_new_resource forces replacement whenever any argument changes.
**Question 46.** Which Ansible feature allows encrypting sensitive variables?
A. Ansible Vault
B. Ansible Galaxy
C. Ansible Pull
D. Ansible Tower
Answer: A
Explanation: Vault encrypts files or variables for secure storage.
**Question 47.** In SaltStack, what does a "pillar" provide?
A. Network topology definitions
B. Secure, targeted data for minions
C. Container orchestration capabilities


Explanation: Mixer originally performed policy checks and telemetry; its functions are now embedded in Envoy proxies.
**Question 51.** When using a multi-cloud abstraction layer, which concept helps avoid vendor-specific lock-in?
A. Single-tenant VPCs
B. Cloud-agnostic APIs like the CNCF's CloudEvents
C. Provider-specific IAM roles
D. Proprietary storage formats
Answer: B
Explanation: Cloud-agnostic standards enable portability across providers.
**Question 52.** In a canary release, traffic shifting is typically controlled by:
A. Changing DNS TTL to zero
B. Updating the Deployment replica count only
C. Using a service mesh or load balancer weight adjustments
D. Rebuilding the container image with a new tag
Answer: C
Explanation: Weighted routing directs a percentage of traffic to the new version.
**Question 53.** Which GitOps tool is known for a pull-based reconciliation model?
A. ArgoCD
B. Flux
C. Jenkins X
D. Spinnaker
Answer: B
Explanation: Flux continuously pulls changes from Git and applies them.


**Question 54.** Feature flags stored in a database need to be refreshed by applications at least every:
A. 1 second
B. 5 minutes (typical)
C. 24 hours
D. 1 year
Answer: B
Explanation: Frequent refresh balances latency and consistency; 5 minutes is common.
**Question 55.** Which Prometheus component performs rule evaluation and alert generation?
A. Alertmanager
B. Pushgateway
C. Remote-write
D. Scrape config
Answer: A
Explanation: Alertmanager receives alerts from Prometheus and handles silencing, grouping, and routing.
**Question 56.** Loki is primarily used for:
A. Metric collection
B. Log aggregation with low indexing overhead
C. Distributed tracing
D. Container image scanning
Answer: B
Explanation: Loki stores logs and indexes only metadata, reducing storage costs.
**Question 57.** In OpenTelemetry, which data type represents a single request's path through services?
A. Span


D. Using a single generic alert for all services
Answer: B
Explanation: Back-off reduces notification volume while still signaling persistent issues.
**Question 61.** Which of the following is a recommended way to store secrets for Kubernetes workloads?
A. ConfigMap
B. Plain text files in the container image
C. HashiCorp Vault integrated via CSI driver
D. Environment variables hard-coded in the deployment manifest
Answer: C
Explanation: Vault CSI injects secrets at pod start without persisting them in etcd.
**Question 62.** Which scanning stage catches vulnerabilities introduced by base image layers?
A. Runtime scanning only
B. Build-time scanning of Dockerfile FROM statement
C. Post-deployment log analysis
D. Network packet inspection
Answer: B
Explanation: Scanning the base image during build reveals known CVEs early.
**Question 63.** Falco primarily detects suspicious activity by:
A. Analyzing container image signatures
B. Monitoring system calls against rule sets
C. Performing static code analysis
D. Encrypting container traffic
Answer: B


Explanation: Falco uses eBPF to watch syscalls and compare them to security policies.
**Question 64.** Which OPA policy would deny a Terraform plan that creates an insecure security group?
A. allow = true
B. deny[msg] { input.resource.type == "aws_security_group" and input.resource.rules == "0.0.0.0/0" }
C. count(input.resource) > 0
D. package main
Answer: B
Explanation: The rule matches insecure SG definitions and produces a denial message.
**Question 65.** Which AWS service can automatically rotate RDS passwords stored in Secrets Manager?
A. AWS Config
B. AWS Systems Manager Parameter Store
C. Secrets Manager rotation Lambda
D. CloudTrail
Answer: C
Explanation: Secrets Manager can invoke a Lambda to rotate database credentials on schedule.
**Question 66.** In a multi-region active-active deployment, data consistency is typically achieved with:
A. Local SSD storage only
B. Global DNS round-robin without replication
C. Distributed databases with eventual consistency (e.g., DynamoDB Global Tables)
D. Manual file copy scripts
Answer: C
Explanation: Distributed databases provide replicated data across regions.