The PrepIQ MCSE Certified Cloud Security Engineer Ultimate Exam focuses on securing cloud environments and enterprise workloads. Learners study cloud governance, identity management, encryption strategies, monitoring controls, and secure architecture design principles.
Typology: Exams
Question 1. Which AWS service provides a logically isolated virtual network in which you can configure subnets, route tables, and network ACLs?
A) AWS IAM
B) Amazon VPC
C) AWS Direct Connect
D) Amazon CloudFront
Answer: B
Explanation: Amazon Virtual Private Cloud (VPC) lets you create isolated network environments with customizable subnets, routing, and security controls: network ACLs are stateless filters at the subnet boundary, security groups are stateful filters at the instance (ENI) level.

Question 2. In Azure, which feature enforces micro-segmentation at the NIC level for virtual machines?
A) Azure Policy
B) Network Security Groups (NSG)
C) Azure Front Door
D) Azure Defender for Servers
Answer: B
Explanation: NSGs filter inbound and outbound traffic per NIC or per subnet, enabling fine-grained segmentation. Rules are evaluated in priority order (lowest number first) and the first match decides, so a broad allow rule at a low priority number silently overrides a deny placed behind it.

Question 3. Which protocol is primarily used to secure data in transit between a client and a cloud load balancer?
A) FTP
B) TLS
C) SMTP
D) SNMP
Answer: B
Explanation: Transport Layer Security (TLS) encrypts traffic to protect confidentiality and integrity during transmission. Terminating TLS at the load balancer protects only the client-to-balancer hop; re-encrypt toward the backends if the internal network is not trusted.

Question 4. When establishing a site-to-site VPN between an on-premises data center and AWS, which component terminates the VPN tunnel on the AWS side?
A) AWS Transit Gateway
B) AWS Direct Connect gateway
C) Amazon S3 bucket
D) AWS IAM role
Answer: A
Explanation: On the AWS side a site-to-site VPN terminates on either a Virtual Private Gateway (attached to a single VPC) or a Transit Gateway. Of the options listed, only the Transit Gateway can terminate the tunnel; it then routes the traffic to its attached VPCs.

Question 5. In a Zero Trust model, which principle states that no entity should be trusted by default, even if it resides within the network perimeter?
A) Least Privilege
B) Assume Breach
C) Identity as the Perimeter
D) Defense in Depth
Answer: C
Explanation: The tenet described is "never trust, always verify": network location confers no trust. "Identity as the Perimeter" expresses it by making the authenticated identity (and device posture) the access boundary instead of the network edge. "Assume Breach" is the complementary design posture of building as if the attacker is already inside.

Question 6. Which Azure feature provides just-in-time (JIT) access to privileged virtual machines to reduce exposure of admin ports?
A) Azure Bastion
Question 9. In Azure AD Conditional Access, which condition can be used to require MFA only when users sign in from an untrusted location?
A) Device compliance
B) Sign-in risk level
C) Named location
D) Application access policy
Answer: C
Explanation: Named locations define trusted IP ranges (or countries); a Conditional Access policy can then require MFA for sign-ins that originate outside them. Sign-in risk is a separate, risk-scored signal and does not encode location.

Question 10. Which AWS service records API calls made on your account for audit and compliance purposes?
A) AWS Config
B) AWS CloudTrail
C) Amazon GuardDuty
D) AWS Shield
Answer: B
Explanation: CloudTrail logs management (control-plane) events by default, providing an audit trail of API activity. Data events such as S3 object reads or Lambda invocations must be enabled separately, and the trail's log bucket should be locked down so the identities being audited cannot alter or delete the logs.

Question 11. What is the primary purpose of a Kubernetes Pod Security Policy (PSP)?
A) Define network routes for pods
B) Enforce runtime security constraints on pod specifications
C) Manage storage class selection
D) Automate container image scanning
Answer: B
Explanation: PSPs controlled security-sensitive fields of pod definitions, such as privileged mode, host namespaces, or hostPath volumes. PSP was deprecated in Kubernetes 1.21 and removed in 1.25; the built-in Pod Security Admission controller (enforcing the privileged, baseline, and restricted Pod Security Standards) or an admission policy engine now fills that role.

Question 12. Which Docker command is used to scan an image for known vulnerabilities using the built-in scanning feature?
A) docker build
B) docker run
C) docker scan
D) docker push
Answer: C
Explanation: docker scan integrated Snyk to analyze images for CVEs and other issues. Docker has since retired it in favor of docker scout cves; standalone scanners such as Trivy or Grype are common alternatives in CI pipelines.

Question 13. In Kubernetes RBAC, which resource defines a set of permissions that can be granted to a user or service account?
A) RoleBinding
B) ClusterRole
C) ServiceAccount
D) ConfigMap
Answer: B
Explanation: A ClusterRole lists API verbs and resources and is cluster-scoped; a Role is the namespaced equivalent. Neither grants anything on its own: a RoleBinding or ClusterRoleBinding ties the role to a user, group, or ServiceAccount.

Question 14. Which Kubernetes object stores sensitive information such as passwords and should be accessed via the API server only?
A) ConfigMap
B) Secret
C) PersistentVolumeClaim
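Questions 11 and 13 describe what a Pod Security Policy, and today Pod Security Admission, actually checks. The following is an added example (not code from the exam page or from Kubernetes) that implements those checks as a plain admission validator. It assumes pod manifests arrive as Python dicts in the shape of the Kubernetes Pod API and approximates the "restricted" Pod Security Standard: no privileged containers, no host namespaces or hostPath volumes, no privilege escalation, run as non-root, and all capabilities dropped. The two sample manifests are constructed for the example.

```python
"""Pod admission checks in the spirit of Pod Security Policy / Pod Security Admission.

Added example, not code from the exam page or from Kubernetes. Pod manifests
are plain dicts in the shape of the Kubernetes Pod API; the checks approximate
the 'restricted' Pod Security Standard.
"""

ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}  # the only capability 'restricted' lets you add back


def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def check_pod(pod):
    """Return a list of violation strings; an empty list means the pod is admitted."""
    violations = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            violations.append(f"spec.{key} is true")

    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(f"volume {vol.get('name')!r} mounts hostPath {vol['hostPath'].get('path')!r}")

    for c in _containers(pod):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"container {name!r} is privileged")
        # The API default is true, so it must be set to false explicitly.
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"container {name!r} allows privilege escalation")
        # Container-level settings override pod-level ones.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            violations.append(f"container {name!r} does not set runAsNonRoot: true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            violations.append(f"container {name!r} runs as UID 0")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            violations.append(f"container {name!r} does not drop ALL capabilities")
        extra = set(caps.get("add", [])) - ALLOWED_ADDED_CAPS
        if extra:
            violations.append(f"container {name!r} adds capabilities {sorted(extra)}")
    return violations


# Constructed sample manifests (not taken from any real cluster).
PRIVILEGED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell", "image": "busybox",
            "securityContext": {"privileged": True, "runAsUser": 0},
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app", "image": "registry.example.com/app:1.2",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (PRIVILEGED_POD, HARDENED_POD):
        v = check_pod(pod)
        print(pod["metadata"]["name"], "admitted" if not v else "rejected", *v, sep="\n  ")
```

The same predicates are what a validating admission webhook or a Gatekeeper/Kyverno policy would express; running them in CI against rendered manifests catches the violations before they reach the API server.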
B) Storage Service Encryption (SSE)
C) Azure Information Protection
D) Azure Key Vault Managed HSM
Answer: B
Explanation: SSE is enabled by default for Azure Storage and cannot be turned off; it encrypts blobs, files, queues, and tables at rest with Microsoft-managed keys, or with customer-managed keys held in Key Vault or Managed HSM when configured.

Question 18. Which component of a Cloud KMS is responsible for generating and protecting the cryptographic material in a tamper-resistant environment?
A) Key policy
B) Key ring
C) Hardware Security Module (HSM)
D) IAM role
Answer: C
Explanation: HSMs generate, store, and use keys inside the module; raw key material never leaves it in plaintext, so compromise of the surrounding host does not yield the keys.

Question 19. What is the primary benefit of using client-side encryption for data stored in the cloud?
A) Reduces storage cost
B) Eliminates need for access controls
C) Ensures data is encrypted before it leaves the client environment
D) Improves network latency
Answer: C
Explanation: Client-side encryption encrypts data locally, so the cloud provider never sees plaintext. The trade-off is that key management, rotation, and loss of server-side features such as search or indexing fall to the client; access controls on the ciphertext are still needed.
Question 20. Which AWS feature blocks public access to an S3 bucket unless explicitly allowed?
A) Bucket versioning
B) Block public access settings
C) Object lock
D) S3 Transfer Acceleration
Answer: B
Explanation: Block Public Access provides account-wide or bucket-level controls that override any bucket policy or ACL that would grant public access. Enable it at the account level and carve out exceptions only for buckets that are meant to be public.

Question 21. In Azure, which setting on a storage account prevents anonymous read access to blobs?
A) Secure transfer required
B) Public access level set to "Private"
C) Soft delete enabled
D) Immutable storage policy
Answer: B
Explanation: Setting the container's public access level to Private ensures blobs can only be read with authorized credentials. The stronger control is disabling anonymous blob access at the storage-account level, which blocks anonymous reads regardless of how individual containers are configured.

Question 22. Which attack vector exploits a server that retrieves data from a URL supplied by a user without proper validation?
A) SQL Injection
B) Cross-Site Scripting (XSS)
C) Server-Side Request Forgery (SSRF)
D) Man-in-the-Middle (MITM)
Answer: C
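Question 22 names the vulnerability but the page does not show what "proper validation" of a user-supplied URL looks like. The following is an added example (not code from the exam page) with a vulnerable fetcher beside a hardened validator. The hardened path allows only https to an explicit host allowlist (ALLOWED_HOSTS is an assumption for the example), resolves the hostname itself, and refuses any address that is not a public unicast address, which covers loopback, RFC 1918 ranges and the link-local 169.254.169.254 instance-metadata endpoint. Name resolution is injectable so the constructed cases run offline.

```python
"""SSRF: a vulnerable URL fetcher beside a hardened validator.

Added example, not from the exam page. ALLOWED_HOSTS, the fake DNS table and
the sample URLs are constructed for the example.
"""
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

ALLOWED_HOSTS = {"api.example.com"}            # assumed allowlist
METADATA_IP = ipaddress.ip_address("169.254.169.254")


def fetch_vulnerable(url):
    """Vulnerable: the user-controlled URL goes straight to the HTTP client."""
    return urllib.request.urlopen(url).read()


class SSRFBlocked(ValueError):
    pass


def resolve_safe_target(url, resolver=socket.getaddrinfo):
    """Return (host, port, [public IPs]) for a fetchable URL, or raise SSRFBlocked."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise SSRFBlocked(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise SSRFBlocked("credentials embedded in URL")   # https://allowed@evil/ trick
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise SSRFBlocked(f"host {host!r} not in allowlist")
    port = parts.port or 443
    try:
        infos = resolver(host, port)
    except OSError as exc:
        raise SSRFBlocked(f"cannot resolve {host!r}: {exc}")
    ips = []
    for info in infos:
        ip = ipaddress.ip_address(info[4][0].split("%")[0])
        # is_global is False for private, loopback, link-local, shared and reserved ranges.
        if ip == METADATA_IP or not ip.is_global:
            raise SSRFBlocked(f"{host!r} resolves to non-public address {ip}")
        ips.append(ip)
    if not ips:
        raise SSRFBlocked(f"{host!r} has no addresses")
    return host, port, ips


def _fake_resolver(table):
    """Offline stand-in for socket.getaddrinfo backed by a constructed DNS table."""
    def resolver(host, port):
        if host not in table:
            raise socket.gaierror(f"NXDOMAIN {host}")
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (table[host], port))]
    return resolver


def classify(url, resolver):
    try:
        _, port, ips = resolve_safe_target(url, resolver)
        return f"allowed -> {ips[0]}:{port}"
    except SSRFBlocked as exc:
        return f"blocked: {exc}"


def demo():
    """Constructed cases: one legitimate call, three classic SSRF payloads, one rebinding attempt."""
    normal = _fake_resolver({"api.example.com": "52.0.113.50"})     # constructed public address
    rebound = _fake_resolver({"api.example.com": "10.0.0.5"})       # allowlisted name now points inside the VPC
    return {
        "legit": classify("https://api.example.com/v1/items", normal),
        "plain_http": classify("http://api.example.com/v1/items", normal),
        "metadata": classify("https://169.254.169.254/latest/meta-data/", normal),
        "userinfo_trick": classify("https://api.example.com@127.0.0.1/", normal),
        "dns_rebinding": classify("https://api.example.com/v1/items", rebound),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<15} {result}")
```

The validator returns the resolved addresses for a reason: the HTTP client should connect to one of those addresses (keeping the Host header and TLS SNI set to the hostname) rather than resolving the name a second time, otherwise a DNS answer that changes between check and use bypasses the check. Disabling redirects, or re-validating each redirect target, closes the other common bypass.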
D) Increase the instance type for better performance
Answer: C
Explanation: Isolation prevents further lateral movement while preserving evidence for forensic analysis; swap the security group for one with no inbound or outbound rules rather than stopping the instance, so memory and running state survive.

Question 26. When preserving evidence from a compromised cloud VM, which method ensures data integrity?
A) Copying files via SCP to a local laptop
B) Creating a snapshot and storing it in a separate, immutable bucket
C) Re-imaging the VM with a clean AMI
D) Exporting logs to a public GitHub repository
Answer: B
Explanation: Snapshots capture the exact disk state; storing them in a separate account or bucket with immutability enabled prevents tampering. Record the snapshot's hash and who handled it so the chain of custody can be shown later.

Question 27. Which AWS service helps you discover and remediate misconfigurations in your cloud environment?
A) AWS Trusted Advisor
B) AWS Config
C) AWS CloudFormation
D) AWS WAF
Answer: B
Explanation: AWS Config records resource configurations and configuration history and evaluates them against managed or custom rules, optionally triggering automated remediation.

Question 28. In Azure, which policy effect denies the creation of resources that do not meet specified tagging standards?
A) DeployIfNotExists
B) Modify
C) AuditIfNotExists
D) Deny
Answer: D
Explanation: The Deny effect blocks resource creation or update when the policy condition is not satisfied; Audit effects only record non-compliance, and Modify would add the tag instead of rejecting the request.

Question 29. Which Kubernetes feature provides a network policy to restrict pod-to-pod communication?
A) Service Mesh
B) NetworkPolicy CRD
C) Ingress controller
D) Horizontal Pod Autoscaler
Answer: B
Explanation: NetworkPolicy objects define allowed traffic between pods based on selectors, namespaces, and ports. NetworkPolicy is a built-in API resource (networking.k8s.io/v1) rather than a CRD, and it is only enforced when the cluster's CNI plugin supports it; without any policy selecting a pod, all traffic to and from it is allowed.

Question 30. Which container runtime security tool can detect malicious system calls within a running container?
A) Falco
B) Prometheus
C) Helm
D) Skaffold
Answer: A
Explanation: Falco captures system calls through a kernel module or eBPF probe, evaluates them against rules, and alerts on suspicious behavior inside containers.
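Question 30 says Falco alerts on suspicious system calls but not what a rule looks like. The following is an added example, not Falco's code and not from the exam page, that runs three Falco-style rules over a constructed stream of syscall-derived events. Each event is a dict with fields a probe would populate (evt, proc, parent, container_id, tty, path, flags); the rules loosely follow Falco's default rules "Terminal shell in container", "Write below etc" and "Read sensitive file untrusted", while the field names, allowlists and event shape are this example's own.

```python
"""Runtime detection in the style of Falco rules over constructed syscall events.

Added example: not Falco's code, not from the exam page. Field names,
allowlists and the sample events are this example's own.
"""
from dataclasses import dataclass
from typing import Callable

SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
SENSITIVE_FILES = {"/etc/shadow", "/etc/sudoers", "/root/.ssh/id_rsa"}
PACKAGE_MANAGERS = {"apt", "apt-get", "dpkg", "yum", "rpm", "apk"}
TRUSTED_READERS = {"sshd", "sudo", "su", "login"}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: str
    condition: Callable[[dict], bool]


def in_container(e):
    return e.get("container_id", "host") != "host"


def is_write(e):
    return e["evt"] == "open" and bool(set(e.get("flags", ())) & {"O_WRONLY", "O_RDWR"})


RULES = [
    # An interactive shell (has a controlling tty) inside a container is rarely legitimate.
    Rule("Terminal shell in container", "NOTICE",
         lambda e: e["evt"] == "execve" and e["proc"] in SHELLS
         and in_container(e) and e.get("tty", 0) != 0),
    # Writes under /etc by anything other than a package manager suggest persistence.
    Rule("Write below /etc in container", "ERROR",
         lambda e: is_write(e) and e.get("path", "").startswith("/etc/")
         and in_container(e) and e["proc"] not in PACKAGE_MANAGERS),
    # Reads of credential files by processes that have no business with them.
    Rule("Read sensitive file by untrusted process", "WARNING",
         lambda e: e["evt"] == "open" and e.get("path") in SENSITIVE_FILES
         and e["proc"] not in TRUSTED_READERS),
]


def detect(events, rules=RULES):
    """Return one alert per (event, rule) match, in event order."""
    alerts = []
    for e in events:
        for r in rules:
            if r.condition(e):
                alerts.append({"rule": r.name, "priority": r.priority,
                               "container": e.get("container_id", "host"),
                               "proc": e["proc"], "path": e.get("path")})
    return alerts


# Constructed event stream (not captured from a real system).
SAMPLE_EVENTS = [
    {"evt": "execve", "proc": "bash", "parent": "containerd-shim", "container_id": "3f9c1a", "tty": 34816},
    {"evt": "open", "proc": "cat", "parent": "bash", "container_id": "3f9c1a",
     "path": "/etc/passwd", "flags": ("O_RDONLY",)},
    {"evt": "open", "proc": "sh", "parent": "bash", "container_id": "3f9c1a",
     "path": "/etc/crontab", "flags": ("O_WRONLY", "O_CREAT")},
    {"evt": "open", "proc": "curl", "parent": "bash", "container_id": "3f9c1a",
     "path": "/etc/shadow", "flags": ("O_RDONLY",)},
    {"evt": "open", "proc": "apt-get", "parent": "sh", "container_id": "7b2d44",
     "path": "/etc/apt/sources.list", "flags": ("O_WRONLY", "O_TRUNC")},
    {"evt": "execve", "proc": "bash", "parent": "sshd", "container_id": "host", "tty": 34816},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['priority']:<8} {a['rule']} (container={a['container']} proc={a['proc']} path={a['path']})")
```

The read of /etc/passwd, the package-manager write, and the shell on the host all pass silently; tuning consists of growing those allowlists from observed false positives rather than loosening the conditions.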
Explanation: MFA adds a second factor, and storing keys in a vault reduces exposure.

Question 34. What does the "least privilege" principle recommend when assigning IAM permissions?
A) Grant all permissions to simplify management
B) Assign only the permissions required to perform a specific task
C) Use only AWS-managed policies
D) Allow users to self-assign roles
Answer: B
Explanation: Limiting permissions to the minimum necessary reduces the blast radius of a compromised credential; review access-analyzer or last-accessed data periodically to remove permissions that are no longer used.

Question 35. Which AWS service can automatically rotate secrets such as database passwords without manual intervention?
A) AWS Secrets Manager
B) AWS Parameter Store
C) AWS KMS
D) AWS Certificate Manager
Answer: A
Explanation: Secrets Manager supports scheduled rotation of credentials, natively for supported databases and through a Lambda rotation function for anything else. Parameter Store can hold secrets but has no built-in rotation.

Question 36. In Azure, which capability allows you to enforce that all inbound traffic to a VM must be inspected by Azure Firewall before reaching the VM?
A) Service Endpoints
B) Private Link
C) Forced Tunneling
D) Route Table with a default route to Azure Firewall
Answer: D
Explanation: A user-defined route table with a 0.0.0.0/0 route whose next hop is the firewall's private IP sends the subnet's outbound and cross-VNet traffic through Azure Firewall. Traffic arriving from the internet does not follow that route: publish the VM through the firewall's public IP with DNAT rules, and for traffic from on-premises add a matching route on the GatewaySubnet so the return path stays symmetric. Forced tunneling, by contrast, steers internet-bound traffic to an on-premises device over VPN or ExpressRoute.

Question 37. Which of the following is a characteristic of a well-designed Cloud Incident Response Playbook?
A) Contains only technical steps, no communication plan
B) Is static and never updated
C) Defines clear roles, triggers, and escalation paths
D) Requires manual execution of every task
Answer: C
Explanation: Effective playbooks assign responsibilities, specify detection triggers, outline escalation, and are exercised and revised after each incident.

Question 38. Which AWS service provides a managed, scalable DNS firewall to block malicious domains?
A) Amazon Route 53 Resolver DNS Firewall
B) AWS WAF
C) Amazon CloudFront
D) AWS Shield Advanced
Answer: A
Explanation: Route 53 Resolver DNS Firewall lets you create domain lists to block or allow DNS queries from your VPCs, which also cuts off DNS-based command-and-control and exfiltration.

Question 39. In Kubernetes, which object is used to store non-confidential configuration data that can be consumed as environment variables?
Question 42. What is the primary purpose of an AWS Service Control Policy (SCP) in an organization?
A) Define encryption settings for S3 buckets
B) Restrict the maximum permissions that member accounts can have
C) Manage VPC peering connections
D) Automate EC2 instance patching
Answer: B
Explanation: SCPs act as guardrails, capping the effective permissions that IAM policies can grant within a member account. They grant nothing by themselves, an identity still needs an allowing IAM policy, and they do not apply to the organization's management account.

Question 43. Which Azure security offering automatically patches virtual machines without requiring a reboot?
A) Azure Update Management (via Automation)
B) Azure Disk Encryption
C) Azure Policy
D) Azure Bastion
Answer: A
Explanation: Update Management (now Azure Update Manager) orchestrates patch assessment and installation. Avoiding reboots depends on Hotpatch, which is available only for Windows Server Azure Edition images; for other images most patches still require a restart, which Update Management can schedule.

Question 44. In a hybrid cloud scenario, which AWS service provides a dedicated private connection between an on-premises data center and AWS?
A) AWS VPN CloudHub
B) AWS Direct Connect
C) AWS Snowball Edge
D) AWS Transit Gateway
Answer: B
Explanation: Direct Connect establishes a private, high-throughput link that bypasses the public internet. Private does not mean encrypted: enable MACsec where the connection supports it, or run a VPN over the Direct Connect link, if the data needs confidentiality in transit.

Question 45. Which Kubernetes admission controller can enforce that all container images come from a trusted registry?
A) NamespaceLifecycle
B) ImagePolicyWebhook
C) PersistentVolumeLabel
D) ServiceAccount
Answer: B
Explanation: ImagePolicyWebhook sends the image references to an external service for approval before pods are admitted. In practice an allowed-registry list is more often enforced with a validating admission webhook or policy engine such as OPA Gatekeeper or Kyverno, and image signature verification adds integrity on top of origin.

Question 46. Which AWS feature provides continuous monitoring of EC2 instance configuration drift against a known baseline?
A) Amazon Inspector
B) AWS Config Rules "ec2-instance-no-public-ip"
C) AWS Systems Manager State Manager
D) AWS CloudWatch Alarms
Answer: C
Explanation: State Manager applies a desired configuration (an association) on a schedule and reports drift when instances deviate; Inspector finds vulnerabilities rather than drift, and the Config rule named checks a single attribute.

Question 47. In Azure, which resource type can be used to enforce that all storage accounts have soft delete enabled?
A) Azure Policy
B) Azure Blueprint
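Questions 34 and 42 state the rule (SCPs cap what identity policies can grant; explicit deny always wins) without showing how the two layers combine. The following is an added example, not the AWS policy engine and not code from the exam page, that implements the single-account evaluation order: every SCP in the chain must explicitly allow the action, then the identity policies decide, and an explicit Deny anywhere is final. Policies are dicts in IAM JSON shape; only Effect, Action/NotAction and Resource/NotResource with * and ? wildcards are modelled (no Condition keys, resource policies or permission boundaries). The policies and account ID are constructed for the example.

```python
"""Effective permissions: Service Control Policies intersected with identity policies.

Added example, not the AWS policy engine and not from the exam page. The
policies below are constructed; 111122223333 is the AWS documentation
placeholder account ID.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild_match(patterns, value, case_insensitive):
    patterns = _as_list(patterns)
    if case_insensitive:                       # IAM action names are case-insensitive
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource):
    if "Action" in stmt and not _wild_match(stmt["Action"], action, True):
        return False
    if "NotAction" in stmt and _wild_match(stmt["NotAction"], action, True):
        return False
    if "Resource" in stmt and not _wild_match(stmt["Resource"], resource, False):
        return False
    if "NotResource" in stmt and _wild_match(stmt["NotResource"], resource, False):
        return False
    return True


def evaluate(policy, action, resource):
    """Decision of one policy document: 'Deny', 'Allow' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement", [])):
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                      # explicit deny is final
        decision = "Allow"
    return decision


def effective_decision(scps, identity_policies, action, resource):
    """SCPs at every level (root, OUs, account) must allow; then identity policies decide."""
    for i, scp in enumerate(scps):
        if evaluate(scp, action, resource) != "Allow":
            return f"Deny (SCP #{i})"
    results = [evaluate(p, action, resource) for p in identity_policies]
    if "Deny" in results:
        return "Deny (identity policy)"
    return "Allow" if "Allow" in results else "Deny (no matching Allow)"


# Constructed policies: the default FullAWSAccess SCP, a guardrail SCP, and one developer policy.
FULL_ACCESS_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
GUARDRAIL_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "organizations:LeaveOrganization"]},
]}
DEVELOPER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"]},
    {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"},
]}


def demo():
    cases = {
        "read app data": ("s3:GetObject", "arn:aws:s3:::app-data/reports/q1.csv"),
        "write app data": ("s3:PutObject", "arn:aws:s3:::app-data/reports/q1.csv"),
        "read other bucket": ("s3:GetObject", "arn:aws:s3:::finance/ledger.csv"),
        "describe trails": ("cloudtrail:DescribeTrails", "*"),
        "stop logging": ("cloudtrail:StopLogging",
                         "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"),
    }
    return {name: effective_decision([FULL_ACCESS_SCP, GUARDRAIL_SCP], [DEVELOPER_POLICY], a, r)
            for name, (a, r) in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:<18} {decision}")
```

The "stop logging" case is the point of the guardrail: the developer policy allows cloudtrail:* in the account, yet the SCP's explicit Deny makes that grant unreachable for every identity in the account, including the account's root user.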
Question 50. Which AWS service can automatically quarantine an S3 bucket that is inadvertently made public?
A) Amazon Macie
B) Amazon S3 Block Public Access
C) AWS Config rule "s3-bucket-public-write-prohibited" with remediation
D) AWS Shield
Answer: C
Explanation: Config rules can detect public buckets and trigger a remediation action (typically a Systems Manager Automation document) that re-applies Block Public Access or replaces the offending bucket policy. Block Public Access prevents the exposure up front; the Config rule is the detective control that catches buckets where it was switched off.

Question 51. In Azure, which feature enables you to enforce that all traffic to a web application passes through Azure Front Door before reaching the backend?
A) Private Endpoint
B) WAF policy attached to Front Door
C) Service Endpoint
D) ExpressRoute Global Reach
Answer: A
Explanation: A WAF policy on Front Door only inspects traffic that already arrives through Front Door; it does nothing to stop a client that connects to the origin directly. To enforce the path, the origin must be reachable only from Front Door: with Front Door Premium, connect to the origin over Private Link through a private endpoint and remove its public exposure; on other tiers, restrict the origin to the AzureFrontDoor.Backend service tag and validate the X-Azure-FDID header against your Front Door's ID.

Question 52. Which AWS capability helps you detect compromised AWS access keys by comparing usage patterns against a baseline?
A) AWS IAM Access Analyzer
B) Amazon GuardDuty's "Credential Access" findings
C) AWS CloudTrail Insights
D) AWS Security Hub
Answer: C
Explanation: CloudTrail Insights baselines normal API call volume and error rates for the account and raises an Insights event when activity deviates, a common signal of a compromised key. Amazon GuardDuty's anomaly findings provide a per-identity behavioral baseline as well, so the two complement each other.

Question 53. When using customer-managed keys in Azure Key Vault, which operation must you perform to rotate the key without downtime?
A) Delete the old key and create a new one
B) Create a new version of the key and update dependent resources to use the new version
C) Export the key, rotate locally, and re-import
D) Enable automatic rotation in the vault settings
Answer: B
Explanation: Adding a new key version lets you switch usage gradually while the old version remains enabled for decrypting data that was protected under it. Key Vault can create the new version on a schedule through a rotation policy, but the cutover is still a version change: resources that reference a versionless key URI pick it up automatically, while anything pinned to a specific version must be updated.

Question 54. Which Kubernetes component is responsible for ensuring that the desired number of pod replicas are running?
A) kube-proxy
B) kube-scheduler
C) kube-controller-manager (ReplicaSet controller)
D) etcd
Answer: C
Explanation: The ReplicaSet controller, part of the controller manager, compares the desired replica count with the pods that exist and creates or deletes pods to close the gap; the scheduler only places the pods the controller creates.

Question 55. Which AWS service provides managed detection and response (MDR) for workloads running on Amazon EC2, EKS, and Lambda?
A) Amazon Detective
B) AWS Security Hub
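Questions 10 and 52 describe CloudTrail as the audit source and "usage patterns against a baseline" as the detection, without showing the comparison. The following is an added example, not CloudTrail Insights or GuardDuty code and not from the exam page, that builds a per-access-key baseline from CloudTrail-shaped records and flags three things in a later window: API call volume well above the hourly baseline, a source IP the key has never used, and a burst of AccessDenied errors (typical of enumeration with a stolen key). Both event sets are generated inline and are constructed; the key ID is the AWS documentation placeholder, and the IPs are from the documentation address ranges.

```python
"""Baseline-vs-window detection over constructed CloudTrail-shaped events.

Added example: not CloudTrail Insights or GuardDuty code, not from the exam
page. Thresholds (3x hourly mean, 10 AccessDenied) are this example's own.
"""
import statistics
from collections import Counter, defaultdict

KEY = "AKIAIOSFODNN7EXAMPLE"        # AWS documentation placeholder access key ID


def hour_key(ev):
    return ev["eventTime"][:13]      # "YYYY-MM-DDTHH" from the ISO timestamp


def key_of(ev):
    return ev["userIdentity"].get("accessKeyId", "<none>")


def baseline_profile(events):
    """Per access key: list of hourly call counts and the set of source IPs seen."""
    counts = defaultdict(Counter)
    ips = defaultdict(set)
    for ev in events:
        k = key_of(ev)
        counts[k][hour_key(ev)] += 1
        ips[k].add(ev["sourceIPAddress"])
    return {k: {"hourly": list(counts[k].values()), "ips": ips[k]} for k in counts}


def analyze(baseline_events, recent_events, factor=3.0, denied_threshold=10):
    """Return findings for recent_events measured against the baseline period."""
    profile = baseline_profile(baseline_events)
    by_key = defaultdict(list)
    for ev in recent_events:
        by_key[key_of(ev)].append(ev)

    findings = []
    for k, evs in by_key.items():
        prof = profile.get(k)
        if prof is None:
            findings.append({"type": "UnknownAccessKey", "key": k})
            continue
        mean = statistics.fmean(prof["hourly"])
        for hour, n in sorted(Counter(hour_key(e) for e in evs).items()):
            if n > factor * mean:
                findings.append({"type": "ApiCallVolume", "key": k, "hour": hour,
                                 "observed": n, "baseline_mean": mean})
        for ip in sorted({e["sourceIPAddress"] for e in evs} - prof["ips"]):
            findings.append({"type": "NewSourceIp", "key": k, "ip": ip})
        denied = sum(1 for e in evs if e.get("errorCode") == "AccessDenied")
        if denied >= denied_threshold:
            findings.append({"type": "AccessDeniedBurst", "key": k, "count": denied})
    return findings


def make_event(time, name, source, ip, key=KEY, error=None):
    """Minimal CloudTrail record with only the fields the detector reads."""
    ev = {"eventTime": time, "eventSource": source, "eventName": name,
          "userIdentity": {"type": "IAMUser", "userName": "report-bot", "accessKeyId": key},
          "sourceIPAddress": ip}
    if error:
        ev["errorCode"] = error
    return ev


def constructed_baseline():
    """24 hours of 5 GetObject calls per hour from the usual CI runner address."""
    return [make_event(f"2024-05-01T{h:02d}:{m * 10:02d}:00Z", "GetObject", "s3.amazonaws.com", "203.0.113.10")
            for h in range(24) for m in range(5)]


def constructed_incident():
    """120 calls in one hour from a new address, a quarter of them denied IAM enumeration."""
    evs = []
    for i in range(120):
        denied = i % 4 == 0
        evs.append(make_event(f"2024-05-02T03:{i // 2:02d}:{(i % 2) * 30:02d}Z",
                              "ListUsers" if denied else "ListBuckets",
                              "iam.amazonaws.com" if denied else "s3.amazonaws.com",
                              "198.51.100.77", error="AccessDenied" if denied else None))
    return evs


if __name__ == "__main__":
    for f in analyze(constructed_baseline(), constructed_incident()):
        print(f)
```

In production the baseline would come from a trail delivered to a locked-down bucket or from CloudTrail Lake, and the three findings would be correlated with GuardDuty rather than acted on alone; the key step on a positive hit is to deactivate the access key and review every call it made, not just the anomalous hour.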
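Question 53's answer hinges on versions: the new version takes over for new operations while the old one stays available for material already protected under it. The following is an added example, not Azure Key Vault code and not from the exam page, that models a versioned key the way a KMS does. Signing with HMAC-SHA256 stands in for the encrypt/decrypt or wrap/unwrap operation; each token carries its key version so the verifier can select the right material, rotation only adds a version, and disabling a version is a separate, later step that intentionally invalidates anything still bound to it. The key name and payloads are constructed.

```python
"""Zero-downtime key rotation with versioned keys.

Added example, not Azure Key Vault code and not from the exam page. HMAC
signing stands in for the KMS operation; the key ring, name and payloads are
constructed for the example.
"""
import base64
import hashlib
import hmac
import secrets


def _b64(b):
    return base64.b64encode(b).decode()


def _ub64(s):
    return base64.b64decode(s)


class KeyRing:
    """One named key with numbered versions, as a KMS exposes it."""

    def __init__(self, name):
        if ":" in name:
            raise ValueError("key name must not contain ':'")
        self.name = name
        self.versions = {}        # version number -> key material
        self.current = None       # version used for new sign/encrypt operations
        self.disabled = set()     # versions retired after all consumers moved on

    def rotate(self):
        """Create a new version and make it current; older versions stay usable."""
        v = (self.current or 0) + 1
        self.versions[v] = secrets.token_bytes(32)
        self.current = v
        return v

    def disable(self, version):
        if version == self.current:
            raise ValueError("cannot disable the current version")
        self.disabled.add(version)

    def _mac(self, version, payload):
        # The version is bound into the MAC so a token cannot be replayed under another version.
        msg = f"{self.name}:v{version}:".encode() + payload
        return hmac.new(self.versions[version], msg, hashlib.sha256).digest()

    def sign(self, payload):
        v = self.current
        return ":".join([self.name, f"v{v}", _b64(payload), _b64(self._mac(v, payload))])

    def verify(self, token):
        """Return the payload if the token verifies under an enabled version, else raise."""
        name, vstr, p, m = token.split(":")
        v = int(vstr[1:])
        if name != self.name or v not in self.versions or v in self.disabled:
            raise KeyError(f"key version {name}/v{v} is unknown or disabled")
        payload = _ub64(p)
        if not hmac.compare_digest(self._mac(v, payload), _ub64(m)):
            raise ValueError("bad signature")
        return payload


def rotation_demo():
    """Rotate without downtime, then retire the old version once nothing depends on it."""
    ring = KeyRing("app-token-key")
    ring.rotate()                                 # v1 becomes current
    old = ring.sign(b"session=alice")
    ring.rotate()                                 # v2 becomes current; v1 still enabled
    new = ring.sign(b"session=bob")
    out = {
        "old_version": old.split(":")[1],
        "new_version": new.split(":")[1],
        "old_still_valid": ring.verify(old) == b"session=alice",
        "new_valid": ring.verify(new) == b"session=bob",
    }
    ring.disable(1)                               # retire v1 after consumers have migrated
    try:
        ring.verify(old)
        out["old_after_disable"] = "accepted"
    except KeyError:
        out["old_after_disable"] = "rejected"
    return out


if __name__ == "__main__":
    for k, v in rotation_demo().items():
        print(f"{k:<18} {v}")
```

The ordering is the whole point: rotate, let every consumer start using the new version (or a versionless reference that resolves to it), re-protect or let expire anything bound to the old version, and only then disable it. Disabling first is the "delete the old key" option and causes exactly the outage the question asks you to avoid.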