Text preview & study summary

(ISC)2 CCSP - Certified Cloud Security Professional - Cloud Architecture Data Security Platform Application Operations Legal

A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.

Want to test your knowledge? Launch the Interactive Exam Simulator

Question 1

An organization is evaluating cloud service providers for a new workload. The security team wants to verify that the cloud provider's security controls are independently assessed. Which assessment standard provides the MOST comprehensive and recognized cloud security assurance?

Answer choices

  • A. The cloud provider's self-attestation security questionnaire

  • B. SOC 2 Type II report (covers Security, Availability, Confidentiality, Processing Integrity, and Privacy Trust Service Criteria over a period of time) and ISO 27001 certification, along with cloud-specific standards like CSA STAR certification (Correct)

  • C. The cloud provider's marketing security whitepaper

  • D. A one-time (Type I) SOC 2 report covering a specific point in time

Explanation

Third-party assurance for cloud providers: (1) SOC 2 Type II — independent auditor assessment of controls over a 6-12 month period, covering the five Trust Service Criteria; Type II is more valuable than Type I (point-in-time), (2) ISO 27001 — internationally recognized ISMS standard, (3) CSA STAR (Security Trust Assurance and Risk) — cloud-specific registry with self-assessment (Level 1), third-party assessment (Level 2), and continuous monitoring (Level 3), (4) FedRAMP — US government cloud security authorization, (5) PCI DSS AOC — for payment card processing. Self-attestation (option A) has no independent verification. Type I SOC 2 (option D) doesn't assess whether controls operated effectively over time.

Question 2

A cloud security team is performing a threat model for a serverless application (AWS Lambda). Which threats are UNIQUE or more significant in a serverless architecture compared to traditional VMs?

Answer choices

  • A. Serverless applications have no unique threats — standard web application threats apply

  • B. Function injection attacks (injecting malicious code via event sources), over-privileged IAM roles (blast radius of a compromised function), cold start denial of service, event source injection (malicious messages triggering excessive function invocations), and supply chain attacks through dependencies (Correct)

  • C. DDoS attacks are the primary threat to serverless applications

  • D. Serverless is inherently more secure than VMs because the infrastructure is managed by the provider

Explanation

Serverless security considerations (OWASP Serverless Top 10): (1) Function event-data injection — functions process events from many sources (API, S3, SQS) that could contain malicious payloads, (2) Broken authentication — functions often have complex permission chains, (3) Insecure third-party dependencies — Lambda packages include npm/pip libraries with potential vulnerabilities, (4) Over-privileged functions — functions given broad IAM permissions can become powerful attack pivot points, (5) Inadequate logging — serverless adds new attack surfaces (each invocation needs logging), (6) Application secrets management — hard-coded credentials in function code or environment variables. The managed infrastructure reduces OS-level threats but introduces new cloud-native threat vectors.

Question 3

An organization is transitioning to a cloud-native DevSecOps model. Security testing must be integrated into the CI/CD pipeline without significantly slowing deployment velocity. Which approach BEST achieves this balance?

Answer choices

  • A. Require manual security review of all code before merging — this ensures thorough review

  • B. Implement: SAST (Static Application Security Testing) and SCA (Software Composition Analysis) as automated pre-commit/pull request checks, container image scanning in the build stage, secrets scanning to prevent credential commits, IaC scanning (Terraform/CloudFormation) for misconfigurations, and DAST (Dynamic Application Security Testing) in pre-production — only block deployments for critical/high findings (Correct)

  • C. Conduct quarterly penetration tests instead of integrating security into CI/CD

  • D. Deploy to production first, then scan for vulnerabilities using post-deployment tools

Explanation

DevSecOps security testing integration (Shift Left): (1) Pre-commit — git hooks for secrets scanning (git-secrets, Detect-Secrets), (2) Pull request checks — SAST (Checkmarx, Semgrep, SonarQube) and SCA (Snyk, WhiteSource) scan code and dependencies for vulnerabilities, (3) Build stage — container image scanning (Trivy, Clair, Snyk Container), IaC scanning (Checkov, TFLint), (4) Pre-production — DAST (OWASP ZAP, Burp Suite) and IAST testing against deployed application. Policy: automatically fail the pipeline for critical/high severity findings; report medium/low for tracking. Manual review (option A) creates bottlenecks that development teams work around. Post-deployment scanning (option D) is too late — vulnerabilities are already in production.

Question 4

A multinational organization has cloud workloads in AWS, Azure, and GCP. The security team struggles with visibility across all three platforms. Which approach provides the MOST comprehensive multi-cloud security visibility?

Answer choices

  • A. Use each cloud provider's native security tools independently (AWS Security Hub, Azure Defender, GCP Security Command Center)

  • B. Implement a Cloud Security Posture Management (CSPM) platform that aggregates findings across all cloud providers, normalizes security findings, and provides unified compliance reporting (Correct)

  • C. Standardize on a single cloud provider to eliminate multi-cloud complexity

  • D. Hire dedicated security specialists for each cloud platform

Explanation

CSPM platforms (Prisma Cloud, Wiz, Orca, Lacework, Fugue) address multi-cloud security challenges: (1) Unified visibility — single pane of glass across AWS, Azure, GCP, and other providers, (2) Configuration assessment — continuously checks cloud resources against security benchmarks (CIS, NIST, PCI DSS), (3) Normalized findings — translates provider-specific issues to common format, (4) Compliance reporting — maps controls to regulatory frameworks, (5) Contextual risk — understands cloud resource relationships to prioritize real risks. Native tools (option A) work only in their own ecosystem and require separate workflows. Multi-cloud is a business reality — CSPM is the technical solution.

Question 5

A cloud-hosted application is experiencing intermittent availability issues. Investigation reveals the application auto-scaling group is not scaling fast enough, causing request queuing during traffic spikes. The security team must consider availability as a security concern. Which cloud architecture pattern improves resilience against this issue?

Answer choices

  • A. Increase the maximum instance count in the auto-scaling group — this prevents scaling limitations

  • B. Implement a combination of: pre-warming based on predicted load patterns, queue-based load leveling (SQS/Pub-Sub) to decouple request intake from processing, circuit breakers to prevent cascading failures, and predictive auto-scaling using historical patterns (Correct)

  • C. Migrate to a dedicated server environment to eliminate shared cloud resource contention

  • D. Disable auto-scaling and pre-provision maximum expected capacity at all times

Explanation

Availability is a security concern (part of CIA triad). Resilient cloud architecture patterns: (1) Predictive auto-scaling — scale before load hits based on patterns, not reactively, (2) Queue-based load leveling — requests go to a queue (SQS, etc.) and are processed asynchronously, absorbing traffic spikes without dropping requests, (3) Circuit breakers — prevent cascading failures by failing fast when a dependency is degraded, (4) Multiple availability zones — geographic redundancy. Simply increasing max instances (option A) doesn't help if scaling triggers too slowly. Pre-provisioning maximum capacity (option D) is expensive and inefficient. Queue-based architectures are fundamental cloud-native resilience patterns.