MCSE Certified Cloud Security Engineer Exam, Exams of Technology

This exam validates professional-level expertise in designing and securing cloud environments. Topics include cloud security architecture, identity protection, network security, monitoring, incident response, and compliance. Candidates are assessed on their ability to implement and manage secure, scalable cloud security solutions.

Typology: Exams

2025/2026

Available from 01/24/2026

shilpi-jain-2
MCSE Certified Cloud Security Engineer Exam
**Question 1.** Which AWS component isolates a set of resources within a VPC and provides a
virtual firewall at the instance level?
A) Security Group
B) Network ACL
C) Route Table
D) Internet Gateway
Answer: A
Explanation: Security Groups act as stateful virtual firewalls attached to EC2 instances,
controlling inbound and outbound traffic.
**Question 2.** In Azure, which service provides a dedicated private connection between an
on-premises data center and Azure without traversing the public Internet?
A) Azure VPN Gateway
B) Azure ExpressRoute
C) Azure Virtual Network Peering
D) Azure Front Door
Answer: B
Explanation: ExpressRoute creates a private, high-throughput, low-latency link that bypasses
the public Internet.
**Question 3.** Which principle of Zero Trust states that no user or device is trusted solely
because it resides inside the corporate network?
A) Least Privilege
B) Assume Breach
C) Verify Explicitly
D) Never Trust, Always Verify
Answer: D


Explanation: “Never Trust, Always Verify” means every request must be authenticated and authorized regardless of origin.
**Question 4.** In GCP, which service is used to centrally manage cryptographic keys, including rotation and destruction?
A) Cloud KMS
B) Secret Manager
C) Cloud IAM
D) Cloud HSM
Answer: A
Explanation: Cloud KMS provides lifecycle management for symmetric and asymmetric keys.
**Question 5.** Which Kubernetes object is used to store sensitive data such as passwords, and is automatically mounted into Pods as a volume?
A) ConfigMap
B) Secret
C) ServiceAccount
D) PersistentVolumeClaim
Answer: B
Explanation: Secrets store base64-encoded data and can be injected into containers as files or environment variables.
**Question 6.** What does the “principle of least privilege” require when assigning IAM permissions?
A) Grant all permissions to administrators only
B) Assign the maximum set of permissions a user might need
C) Give each identity only the permissions required for its tasks

B) Run containers as root user
C) Set userns-remap to enable user namespace isolation
D) Disable SELinux
Answer: C
Explanation: userns-remap maps container root to an unprivileged host UID, reducing risk of host compromise.
**Question 10.** Which IAM policy condition key can be used to enforce MFA for AWS console sign-in?
A) aws:MultiFactorAuthPresent
B) aws:RequestedRegion
C) aws:SecureTransport
D) aws:SourceIp
Answer: A
Explanation: The aws:MultiFactorAuthPresent condition ensures MFA is present for the request.
**Question 11.** What is the primary purpose of a Network ACL in a VPC?
A) Provide stateful filtering for individual instances
B) Define routing paths between subnets
C) Enforce stateless inbound and outbound traffic rules at the subnet level
D) Manage DNS resolution inside the VPC
Answer: C
Explanation: NACLs are stateless and apply to all traffic entering or leaving a subnet.
**Question 12.** In Kubernetes RBAC, which resource defines a set of permissions that can be granted to users or service accounts?

A) RoleBinding
B) ClusterRole
C) ServiceAccount
D) Role
Answer: D
Explanation: A Role contains rules that allow actions on resources within a namespace; it is bound via RoleBinding.
**Question 13.** Which GCP feature automatically encrypts data at rest without user intervention?
A) Customer-Managed Encryption Keys (CMEK)
B) Cloud KMS
C) Default Google-managed encryption
D) Cloud HSM
Answer: C
Explanation: All data stored in GCP is encrypted at rest by default using Google-managed keys.
**Question 14.** Which AWS IAM construct allows you to create a temporary set of credentials for a federated user?
A) Access Key
B) IAM Role with AssumeRole
C) IAM Policy
D) Service Control Policy
Answer: B
Explanation: AssumeRole returns temporary security credentials for federated or cross-account access.

Explanation: Secrets Manager securely stores secrets and can automatically rotate them for supported databases.
**Question 18.** What does the “defense-in-depth” strategy recommend for protecting cloud workloads?
A) Rely on a single perimeter firewall
B) Apply multiple overlapping security controls at different layers
C) Use only network-based security controls
D) Disable logging to reduce noise
Answer: B
Explanation: Defense-in-depth uses layered controls (network, host, application, data) to mitigate risk.
**Question 19.** Which Kubernetes admission controller can enforce that all container images come from a trusted registry?
A) NamespaceLifecycle
B) ImagePolicyWebhook
C) PodSecurityPolicy
D) NodeRestriction
Answer: B
Explanation: ImagePolicyWebhook intercepts pod creation requests and validates image sources.
**Question 20.** In Azure, which feature allows you to assign a managed identity to an Azure VM for accessing other Azure services without credentials?
A) Service Principal
B) Azure AD Application
C) System-assigned Managed Identity

D) Azure Key Vault
Answer: C
Explanation: A system-assigned managed identity is automatically created for the VM and can be granted Azure RBAC permissions.
**Question 21.** Which AWS feature protects data in transit between EC2 instances and load balancers using TLS termination?
A) AWS Shield
B) Elastic Load Balancing (ELB) with HTTPS listeners
C) VPC Flow Logs
D) Security Groups
Answer: B
Explanation: HTTPS listeners on ELB terminate TLS, ensuring encrypted communication to the load balancer.
**Question 22.** What is the primary benefit of using a dedicated hardware security module (HSM) in the cloud?
A) Lower cost than software encryption
B) Automatic key rotation without user involvement
C) Secure generation and storage of cryptographic keys isolated from the host OS
D) Simplified key sharing across accounts
Answer: C
Explanation: HSMs provide tamper-resistant hardware for key generation and storage, enhancing security.
**Question 23.** Which AWS Config rule checks whether S3 buckets have public read access blocked?
A) s3-bucket-public-read-prohibited

**Question 26.** What does the term “SSRF” stand for, and why is it a concern in cloud environments?
A) Server-Side Request Forgery; it can cause internal services to be accessed by an attacker
B) Secure Service Routing Framework; it improves network performance
C) Simple Secure Remote File; it's a file transfer protocol
D) System-State Recovery Feature; it restores VM snapshots
Answer: A
Explanation: SSRF tricks a server into sending requests to internal resources, potentially exposing sensitive data.
**Question 27.** Which AWS service can be used to enforce encryption of data stored in DynamoDB tables?
A) AWS KMS integration with DynamoDB encryption at rest
B) AWS S
C) AWS Certificate Manager
D) AWS WAF
Answer: A
Explanation: DynamoDB integrates with KMS to provide server-side encryption for data at rest.
**Question 28.** In GCP, which IAM role provides read-only access to all resources in a project?
A) roles/editor
B) roles/owner
C) roles/viewer
D) roles/browser
Answer: C
Explanation: The Viewer role grants read-only permissions across the project.

**Question 29.** Which container runtime security tool can monitor system calls inside a running container to detect anomalies?
A) Docker Compose
B) Falco
C) Helm
D) kube-proxy
Answer: B
Explanation: Falco uses syscall monitoring to detect suspicious behavior in containers.
**Question 30.** Which Azure feature allows you to lock a resource group to prevent accidental deletion?
A) Azure Policy
B) Resource Locks (Read-Only or Delete)
C) Role-Based Access Control
D) Azure Blueprints
Answer: B
Explanation: Resource locks can be applied to prevent delete or modify operations.
**Question 31.** Which AWS networking construct enables you to connect two VPCs in different accounts using private IP addresses?
A) VPC Peering
B) Transit Gateway
C) VPN CloudHub
D) Direct Connect
Answer: A
Explanation: VPC Peering creates a private route between VPCs, allowing resources to communicate using private IPs.

Explanation: Service accounts are used by workloads to programmatically access GCP services.
**Question 35.** Which Azure storage feature can enforce that data is encrypted with a customer-managed key stored in Azure Key Vault?
A) Azure Storage Service Encryption (SSE) with Microsoft-managed keys
B) Customer-Managed Keys (CMK) for Azure Storage
C) Shared Access Signature (SAS)
D) Azure Disk Encryption
Answer: B
Explanation: CMK allows you to supply your own key from Key Vault for encrypting storage data.
**Question 36.** In AWS, which IAM policy element specifies the actions that are allowed or denied?
A) Effect
B) Action
C) Resource
D) Condition
Answer: B
Explanation: The “Action” element lists the API operations the statement applies to.
**Question 37.** Which Kubernetes security context setting prevents a container from gaining new privileges?
A) runAsUser
B) allowPrivilegeEscalation: false
C) readOnlyRootFilesystem: true
D) capabilities: add
Answer: B

Explanation: Setting allowPrivilegeEscalation to false blocks the container from acquiring additional privileges.
**Question 38.** Which AWS service provides a centralized view of security findings from multiple AWS services?
A) AWS Security Hub
B) AWS Config
C) AWS Inspector
D) AWS CloudTrail
Answer: A
Explanation: Security Hub aggregates findings from GuardDuty, Inspector, Macie, and others.
**Question 39.** In GCP, which feature enables you to enforce organization-wide policies such as “disable public IPs on VM instances”?
A) Cloud Identity
B) Organization Policy Service
C) VPC Service Controls
D) Cloud Armor
Answer: B
Explanation: Organization Policy allows administrators to set constraints across the entire organization.
**Question 40.** Which Azure tool can be used to automatically remediate non-compliant resources based on defined policies?
A) Azure Monitor
B) Azure Policy with remediation tasks
C) Azure Advisor

C) The joint development of APIs between providers and users
D) The allocation of compute resources among tenants
Answer: A
Explanation: The model clarifies which security controls are managed by the provider versus the customer.
**Question 44.** Which AWS IAM feature enables you to require MFA for API calls made with temporary credentials?
A) IAM Access Analyzer
B) IAM Policy with aws:MultiFactorAuthPresent condition
C) AWS Organizations SCP
D) AWS SSO
Answer: B
Explanation: Adding the aws:MultiFactorAuthPresent condition to policies forces MFA even for temporary credentials.
**Question 45.** In Azure, which service provides a managed, highly available PostgreSQL database with built-in encryption at rest?
A) Azure SQL Database
B) Azure Database for PostgreSQL – Flexible Server
C) Azure Cosmos DB
D) Azure Database for MySQL
Answer: B
Explanation: Azure Database for PostgreSQL (Flexible Server) offers encryption at rest and in transit by default.
**Question 46.** Which container image scanning tool can be integrated into CI/CD pipelines to detect known vulnerabilities?

A) Docker Compose
B) Trivy
C) kube-adm
D) Helm
Answer: B
Explanation: Trivy scans container images for CVEs and misconfigurations during build processes.
**Question 47.** Which AWS service can be used to enforce encryption of data in motion for S3 objects accessed via HTTPS?
A) S3 Block Public Access
B) S3 Transfer Acceleration
C) S3 Bucket Policy requiring aws:SecureTransport condition
D) S3 Object Lock
Answer: C
Explanation: The aws:SecureTransport condition forces the use of TLS when accessing S3 objects.
**Question 48.** In GCP, which feature allows you to limit the export of data from a Cloud Storage bucket to specific service accounts?
A) Bucket IAM
B) Uniform bucket-level access with IAM permissions
C) Signed URLs
D) Object Lifecycle Management
Answer: B
Explanation: Uniform bucket-level access centralizes IAM controls, enabling precise permission grants.

Explanation: Mounting a Secret as a volume provides file-based access without exposing values in the environment.
**Question 52.** Which AWS service helps you detect and remediate insecure S3 bucket permissions?
A) AWS GuardDuty
B) Amazon Macie
C) AWS Config
D) AWS Security Hub
Answer: C
Explanation: Config rules can evaluate bucket ACLs and policies for public exposure.
**Question 53.** What is the main security benefit of using a “private endpoint” for Azure Storage?
A) Improves latency
B) Allows access over the public Internet
C) Enables traffic to stay within the Microsoft backbone network, avoiding exposure to the Internet
D) Provides automatic data replication
Answer: C
Explanation: Private Endpoints map the service to a private IP, keeping traffic off the public Internet.
**Question 54.** Which GCP service can automatically detect and classify sensitive data such as PII in Cloud Storage objects?
A) Cloud DLP
B) Cloud Armor
C) Cloud Identity

D) Cloud KMS
Answer: A
Explanation: Cloud Data Loss Prevention (DLP) scans data for sensitive information and can take actions.
**Question 55.** In AWS, which type of IAM policy is attached directly to a user, group, or role?
A) Managed policy
B) Inline policy
C) Permission boundary
D) Service control policy
Answer: B
Explanation: Inline policies are embedded directly into an IAM identity.
**Question 56.** Which Azure security feature can automatically block traffic from known malicious IP addresses?
A) Azure Firewall Threat Intelligence
B) Azure DDoS Protection Standard
C) Azure Network Watcher
D) Azure Front Door
Answer: A
Explanation: Azure Firewall’s threat intelligence feeds block traffic from IPs with known malicious activity.
**Question 57.** In Kubernetes, which command displays the current RBAC permissions for a specific user?
A) kubectl auth can-i --list --as <user>
B) kubectl get roles