Cloud Security (Sample Question Bank)
4) What business benefit(s) was Amazon attempting to realize when they created their internal cloud computing program? Select all that apply.
a) Faster time to deploy developer resources
b) Build a world-class public cloud computing platform
c) Better match real-time capacity to fluctuating demand
d) Beat Microsoft
6) Cloud computing supports scaling up of required resources, but not scaling down.
a) True
b) False
7) Which of the following appear in both the NIST and ISO/IEC cloud computing definitions? Select all that apply.
a) Network access
b) On-demand
c) Self Service
d) Resource pools
e) Rapid provisioning
8) Click and drag the correct NIST model element to the appropriate category below.
9) Services scaling out and scaling in quickly are an example of which essential characteristic of cloud.
a) Resource Pooling
b) On-Demand Self Service
c) Rapid Elasticity
d) Measured Service
e) Broad Network Access
10) Click and drag the Essential Characteristics to the box below.
13) Software as a Service is always built on top of Platform as a Service which is always built on Infrastructure as a Service.
a) True
b) False
18) Drag the labels to indicate which of the SaaS components are built on IaaS.
19) If an organization uses a Community Cloud Deployment Model, some portion of the physical infrastructure MUST be on-premises with one of the community members.
a) True
b) False
20) If an organization employs the technique of cloud bursting, which cloud deployment model are they utilizing?
a) Proprietary
b) Multi-Tenancy
c) PaaS
d) Hybrid
21) Which element of the logical model describes the cloud management plane?
a) Infostructure
b) Infrastructure
c) Applistructure
d) Metastructure
22) Click and drag the Accessible and Consumed By items on the left to complete the column.
23) In which service model does the cloud consumer have the least amount of control over security?
a) Infrastructure as a Service
b) Platform as a Service
c) Security as a Service
d) Software as a Service
24) In which cloud service model is the cloud consumer responsible for ensuring that the hypervisor is not vulnerable to attack?
a) Software as a Service
b) Infrastructure as a Service
c) Platform as a Service
d) None of the above
25) When should you define the security controls when building a cloud deployment?
a) Before determining the service and deployment models
b) Before selecting the provider
c) After identifying control gaps
d) After identifying requirements
MODULE 2: INFRASTRUCTURE SECURITY FOR CLOUD COMPUTING
3) Click on the components that the cloud consumer is primarily responsible for securing.
4) Which of the following are typically in the underlying infrastructure of a cloud? (click all that apply)
a) Database
b) Message queue
c) API server
d) Hypervisors
e) Identity service
7) Which SDN security capability often replaces the need for a physical or virtual appliance?
a) Default deny
b) Lack of support for packet sniffing
c) Security groups
d) Integrated isolation
8) The most effective way for an attacker to compromise a security group is to compromise the host/virtual machine and then modify the rules.
a) True
b) False
9) Which of the following physical networks is used for Internet to instance traffic?
a) Storage
b) Management
c) Virtual
d) Service
10) Why should cloud providers use multiple underlying physical networks? (select all that apply)
a) Cost management
b) Resiliency
c) Better performance
d) Better isolation
14) Which SDN security capability often replaces the need for a physical or virtual appliance?
a) Default deny
b) Lack of support for packet sniffing
c) Security groups
d) Integrated isolation
15) The most effective way for an attacker to compromise a security group is to compromise the host/virtual machine and then modify the rules.
a) True
b) False
16) Which of the following is the most effective security barrier to contain blast radius?
a) Cloud account/project/subscription
b) Virtual subnet (with or without ACLs)
c) Virtual network
d) Security group
18) Place the following network security tools in the preferred order in most cloud deployments, from 1 (most preferred) to 4.
21) Of the following, which is the most important use case for the Software Defined Perimeter?
a) To secure hybrid networks
b) To encrypt SDN traffic
c) For federated network identity
d) To improve and secure remote access
22) Which of the following are cloud workloads? Select all that apply:
a) Host servers
b) Containers
c) Virtual machines
d) Serverless/function as a service
23) Click on the pipeline component that executes security tests and builds images:
24) Which of the following *most* impacts traditional workload security controls when applied to cloud deployments?
a) Hypervisors
b) Serverless
c) Low resiliency
d) Security groups
e) High volatility/rates of change
26) Select the cloud workload security option that can most improve overall security and reduce attack surface:
a) Select cloud-aware host security agents
b) Use immutable as much as possible
c) Store logs external to instances
d) Leverage existing/traditional vulnerability assessment tools
27) Which of the following is primarily a cloud consumer workload security responsibility?
a) Underlying infrastructure security
b) Hypervisor security
c) Volatile memory security
d) Monitoring and logging
30) Multi factor authentication is the single most important management plane security control.
a) True
b) False
33) Select the best option for management plane monitoring, when it is available:
a) Inherent cloud auditing, since it captures the most activity
b) Inherent cloud auditing, since that offloads responsibility to the cloud provider
c) Proxy-based auditing, since it eliminates the need to trust the cloud provider
d) Proxy-based auditing, since it captures more activity
34) What is the single most important rule for cloud BC/DR?
a) Use object storage for backups
b) Snapshot regularly
c) Use multiple cloud providers
d) Architect for failure
Answer – Metastructure
1) Select the governance tool that is most affected by the transition to cloud computing:
a) Mission statement
b) Compliance reporting
c) Board of director reporting
d) Chart of accounts
2) In terms of cloud computing and security... what is the primary governance role of a contract?
a) Regulatory Requirements
b) Defines how you extend internal controls to the cloud provider
c) Cost management
d) To define the data custodian
3) Does the shared responsibilities model define the contract or the contract define the shared responsibilities model?
a) The shared responsibilities model defines the contract.
b) The contract defines the shared responsibilities model.
4) Select the layer where you evaluate your providers in the diagram:
6) Your risk assessment effort should be equal for all information assets:
a) True
b) False
7) In which service model does the cloud consumer have to rely most on what is in the contract and documented to enforce and manage security?
a) PaaS
b) Hybrid
c) IaaS
d) SaaS
8) Under which conditions is managing risk similar for public and private cloud?
a) No conditions; public cloud is always riskier
b) The risk profiles are always the same
c) When your private cloud is third party hosted and managed
d) When using a major public cloud provider
9) Which do you need to rely more on to manage risks when using public cloud computing?
a) Physical control of assets
b) Testing instead of assessments and attestations
c) Consultants
d) Contracts and SLAs
10) What is critical when evaluating a cloud service within your risk management program?
a) Ensuring the provider's security program supports your existing on-premise tools
b) Accounting for the context of the information assets involved
c) Minimizing regional harm
d) Eliminating all outsourcing risk
11) How can you manage risk if you can't negotiate a contract with the cloud provider?
a) Use compensating controls and your own risk mitigation mechanisms
b) Always choose a different provider
c) Obtain cyber insurance
d) Accept all potential risks
15) Compliance inheritance means that an application built on top of a cloud provider's service that is compliant with a regulation/standard is always guaranteed to be compliant.
a) True
b) False
17) The Australian Privacy Act of 1988 can apply to Australian customers, even if the cloud service provider is based elsewhere:
a) True
b) False
20) The Federal Government in the United States does not directly address issues of data privacy, but instead leaves it up to the states to create laws that address privacy concerns:
a) True
b) False
21) If a business is located outside the European Union it does not have to comply with the privacy laws of the European Union
a) True
b) False
22) In the United States, only entities that collect or process financial data or health data must comply with privacy or security laws
a) True
b) False
25) Cloud consumers are ultimately responsible for understanding the legal implications of using a particular cloud provider and service.
a) True
b) False
26) A contract with a cloud service provider can fulfill all of the following except one
a) Clarify what happens when the service is terminated
b) Clarify whether metadata can be reused for secondary purposes
c) Clarify the price for the service
d) Define the minimum-security measures taken by the cloud provider
e) Prevent a breach of security
27) If you own the data, it is still possible for your CSP to own the metadata:
a) True
b) False
28) Why do cloud providers typically limit their customers’ ability to directly assess and inspect their facilities and services?
a) They are worried customers will find vulnerabilities and they will lose business
b) Cost management
c) On-site inspections can be a security risk, and remote assessments are hard to distinguish from real attacks
d) To deter paying out bug bounties
29) Audit scopes for any given standard, like an SSAE16, are always consistent.
a) True
b) False
30) Select all the following sources that are considered artifacts of compliance
a) Activity reports
b) System configuration details
c) Logfiles
d) Change management details
31) Should you assess or review the audits of a cloud provider more or less frequently than traditional outsourcers?
a) More
b) Less
32) Which CSA tool maps cloud security control specifications to architectural relevance?
a) STARWatch
b) Cloud Controls Matrix
c) The Security, Trust and Assurance Registry (STAR)
d) Consensus Assessment Initiative Questionnaire
33) You are a cloud provider struggling to respond to a large number of highly variable customer RFP requests for security controls documentation. Which CSA document could you instead complete and send to customers?
a) Cloud Controls Matrix
b) STARWatch
c) The Security, Trust and Assurance Registry (STAR)
d) Consensus Assessment Initiative Questionnaire
34) Where can cloud providers publish their CAIQ and other security/compliance documents to help cloud prospects and customers assess the provider's current security posture?
a) The Security, Trust and Assurance Registry (STAR)
b) The AWS marketplace
c) The United States Federal Register of Cloud Providers
d) Google
35) Which CSA tool allows you to quickly search a provider's assessment for controls that map to regulations you care about and see the responses to those controls?
a) CCM
b) CAIQ
c) STAR
d) STARWatch
36) The CSA Cloud Controls Matrix v3.0.1 maps control specifications to FedRAMP High Impact Level.
a) True
b) False
37) The CSA Cloud Controls Matrix v3.0.1 contains how many control specifications?
a) 57
b) 16
c) 133
d) 295
MODULE 4: DATA SECURITY FOR CLOUD COMPUTING
1) All cloud data is eventually stored on a physical device, like a hard drive
a) True
b) False
2) Which of the following cloud data storage types can be described as “a database for files":
a) Object storage
b) Database storage
c) Volume storage
d) Platform storage
4) Which security tool can help detect sensitive data migrating to the cloud?
a) Data security proxies (DSP)
b) Firewalls
c) Data Loss Prevention (DLP)
d) IPS
5) Which of the available CASB modes is most cloud-native but often not supported by smaller, especially SaaS, providers:
a) API
b) Inline (cloud)
c) Inline (local)
d) Cloud-integrated
7) How does cloud complicate access controls as compared to traditional data storage?
a) There is no difference; they are not more complicated
b) Cloud storage may offer more options, such as sharing privileges or access to the data's metadata
c) Cloud access controls are less reliable
d) Providers must support the same access controls, which makes the cloud more complex
8) In a Cloud Computing Environment, what is always your most significant security control?
a) Encryption controls
b) Access control
c) Provider-specific controls
d) Management controls
9) In the entitlement matrix below, click the boxes to allow the service administrator to describe and modify volumes but not access logs or object storage:
10) In the entitlement matrix below, select which entitlement allows users to view metadata:
11) Click on the layer in the stack where encryption is best for protecting discrete data throughout the layers, but may be more complex and is less effective for bulk data.
12) Select the 3 components of an encryption system.
a) Protocol
b) Encryption engine
c) Key
d) Data
14) Which of the following options encrypts data before you transfer it to object storage:
a) Externally managed encryption
b) Application encryption
c) Server-side encryption
d) Client-side encryption
15) Select all *potential* options for encrypting data in PaaS, if they are supported by the platform:
a) Database
b) Application level (in your own code)
c) Provider-integrated
d) Volume storage
16) Click on the location that would provide the most secure place to keep encryption keys:
17) When using provider managed encryption you are always sharing the same keys with other tenants.
a) True
b) False
18) Proxy-encryption requires you to break any existing secure connection to your cloud provider:
a) True
b) False
19) Which is the most inherently secure key management option, but it may not be viable or even needed depending on your project requirements and platform/provider support:
a) Virtual Appliance
b) Third party service
c) Cloud Provider service
d) HSM/Appliance
20) To be considered Bring Your Own Key (BYOK) the provider must not be able to ever see or manage your keys:
a) False
b) True
21) Which key management option should you select if you are dealing with highly sensitive data that you don't want your provider to potentially access under any circumstances:
a) Virtual appliance
b) BYOK
c) Third party key management service
d) HSM/Appliance
22) Which option allows you to use an existing build for key management without replicating everything in the cloud?
a) Virtual Appliance
b) Third party service
c) Hybrid
d) HSM/Appliance
23) In the diagram below, what area shows the greatest reduction in attack surface?
a) Network attack paths
b) The cloud provider
c) The data center
d) Application logic attacks
26) Logs of some events in a cloud environment may not be available to you depending on your choice of cloud provider.
a) False
b) True
30) What is the primary objective of mapping functions, actors, and locations?
a) To list potential security controls
b) To replace data flow diagrams
c) To determine what’s possible vs. what should be allowed
d) To document information risk
31) What do we use to reduce what is possible to what should be allowed within the context of the lifecycle?
a) Entitlement matrix
b) CASB or DLP
c) Key management
d) Security control
MODULE 5: SECURING CLOUD APPLICATIONS AND USERS
1) When moving to cloud, what now becomes within the scope of application security unlike with traditional infrastructure?
a) Management Plane
b) SAST
c) Source code
d) Architecture
2) Click and drag the phases of the lifecycle to the correct order.
3) STRIDE is a common threat modelling framework. Which of the four categories does a cloud provider typically take more responsibility to manage:
a) Information disclosure
b) Spoofing
c) Denial of service
d) Privilege escalation
4) What is one example of a control that can reduce the potential of spoofing:
a) Encryption
b) Authentication
c) Audit logging
d) Authorization
5) Specific testing techniques are tightly aligned and should only be performed during their designated phase in the secure software development process:
a) True
b) False
6) Which kind of test should be added to static analysis for cloud deployments?
a) Regression tests
b) API resiliency
c) Code completion
d) Scanning for stored cloud credentials
7) Which kind of testing will most likely require permission from your cloud provider before performing?
a) Vulnerability assessment
b) Security unit tests
c) SAST
d) Composition analysis
8) Which vulnerability analysis option will always comply with the terms of service of the cloud provider, but may require paying close attention to network architecture:
a) Penetration testing
b) Traditional network-based
c) Host-based
d) Deployment pipeline testing
9) While there are many definitions of DevOps, one technology/process is typically considered to be central to any DevOps program. Which technology is that?
a) Continuous integration
b) Configuration management
c) Composition management
d) Static analysis
10) Click and drag the version control repository and the continuous integration server to the correct location.
13) Which of the following is not a new concern of secure operations for applications in the cloud?
a) WAF limitations/differences
b) The cloud configuration
c) SAST
d) The management plane
16) Many of the new architectural options for cloud offer security benefits over what is possible in traditional infrastructure
a) True
b) False
20) Which of the following is a discrete type that will have an identity? Examples include users and organizations.
a) Persona
b) Attributes
c) Entity
d) Role
21) What is the biggest difference between IAM in cloud and in traditional environments?
a) IAM Must span at least two organizational boundaries
b) Cloud is more secure
c) They use different standards
d) Cloud is less secure
22) Which IAM standard is best suited for enterprises federating with cloud providers?
a) SAML
b) XACML
c) Kerberos
d) OATH
23) Which of the following is one of the 3 most common identity standards in cloud environments?
a) SCIM
b) OATH
c) Kerberos
d) XACML
24) In the OpenID exchange below, click on the element that represents the enterprise's directory server. Select the correct item below.
25) In a hub and spoke model, which technology mediates between directory servers/identity providers and the service providers/relying parties:
a) Federated identity brokers
b) Attribute services
c) CASB
d) Directory servers
26) Which of the following IAM security incidents is more likely in cloud versus traditional infrastructure and requires a dedicated incident response focus?
a) Account takeover
b) Account abuse
c) Privilege escalation
d) Pass the hash
27) Multifactor authentication is absolutely mandatory for cloud computing due to the higher potential for remote account takeovers.
a) True
b) False
28) Checking to see if a user authenticated with MFA from a corporate IP address to authorize an action is an example of?
a) Multifactor authorization
b) Authentication
c) Role-based access controls
d) Attribute based access controls
1) Why are elasticity and infrastructure templating critical IaaS security capabilities?
a) They improve scalability
b) They optimize performance
c) These are operational capabilities, not security capabilities
d) They enable immutable deployments
3) Frequent audits and assessments are important when looking at a cloud provider due to how rapidly they evolve their services
a) True
b) False
4) Which of the following protocols should a SaaS provider support to help extend an enterprise's existing user management security control and is considered a critical security capability?
a) AuthZ
b) LDAP
c) SAML
d) IPV6
6) Select all of the following characteristics that are required for something to be considered Security as a Service:
a) It has a hosted web interface
b) It meets the NIST essential characteristics
c) It is built on an IaaS provider
d) It is a security product or service delivered as a cloud service
e) It is marketed as SecaaS
7) Which of the following is one of the more unique potential benefits of Security as a Service:
a) Transparency
b) Compliance
c) Customer visibility
d) Intelligence Sharing
9) Using SecaaS removes accountability for the client, but only for the particular security control the service addresses.
a) True
b) False
10) What characteristic would make a Federated Identity Broker be considered SECaaS vs. a traditional tool?
a) It supports SAML
b) It supports multiple cloud providers AND on premise directories
c) It brokers authentication to cloud services
d) It is hosted in the cloud, elastic, and you pay per user
11) What is a potential advantage of a web security gateway SECaaS over an on-premise tool?
a) Supports HTTPS
b) They are always less expensive
c) It will generally catch more malware
d) You can protect mobile users without requiring a VPN to the corporate network
13) Can a cloud-based key management service be integrated with on-premise encryption?
a) No
b) Yes
14) If an attacker compromises one of your virtual machines, and then uses it to attack other clients on the same cloud platform, what is the cloud provider's likely action?
a) The CSP will prioritize defending the rest of your deployment from the attack
b) The CSP will first protect the rest of their broader client base, which may mean disrupting your deployment
c) The CSP will prioritize alerting you and providing information needed for you to respond to the attack
d) The CSP has no responsibility in this situation per the shared responsibilities model
15) Click and drag the incident response phases in the proper order.
16) In which phase would you build a cloud "jump kit" for detection and analysis?
a) Detection and analysis
b) Containment and response
c) Postmortem
d) Preparation
17) In which phase would you snapshot a virtual machine for forensics?
a) Preparation
b) Detection and analysis
c) Postmortem
d) Containment and response
18) Which of the following most helps you quickly build parallel infrastructure, so that you can rapidly restore operations while still having the compromised environment for analysis?
a) Snapshots
b) Infrastructure as code templates
c) PaaS
d) SaaS
19) In a postmortem what would be your highest priority to review and remediate if it was a blocker in your incident response?
a) Operating system vulnerabilities
b) Internal communications
c) Communications with the cloud provider
d) Container Vulnerabilities
21) Big Data is often defined as "high volume, high velocity, and high variety". What does "high velocity" mean?
a) Fast raw storage speeds
b) Storage elasticity
c) Fast transfer speeds
d) The data changes constantly/rapidly
22) Why should you consider relying extensively on the isolation capabilities of cloud to defend a big data deployment?
a) The distributed storage is always isolated by nature
b) Big data platforms tend to have low inherent security
c) Isolation improves encryption
d) To meet compliance requirements
23) While not directly related to cloud, which IoT principle is critical for long-term security?
a) Data encryption
b) The ability to patch/update the "things" (devices)
c) Elasticity
d) Public APIs
24) Which of the following issues on a mobile device can actually create security risks for the cloud deployment?
a) Insecure wireless networks
b) Embedded/static/stored credentials
c) A malicious app
d) Use of an out of date operating system
25) Serverless, used properly, can offer more security benefits than risks.
a) True
b) False