Text preview & study summary
(ISC)2 CCSP - Certified Cloud Security Professional - Cloud Architecture Data Security Platform Application Operations Legal
A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.
Want to test your knowledge? Launch the Interactive Exam Simulator
Question 1
An organization is evaluating cloud service providers for a new workload. The security team wants to verify that the cloud provider's security controls are independently assessed. Which assessment standard provides the MOST comprehensive and recognized cloud security assurance?
Explanation
Third-party assurance for cloud providers: (1) SOC 2 Type II — independent auditor assessment of controls over a 6-12 month period, covering the five Trust Service Criteria; Type II is more valuable than Type I (point-in-time), (2) ISO 27001 — internationally recognized ISMS standard, (3) CSA STAR (Security Trust Assurance and Risk) — cloud-specific registry with self-assessment (Level 1), third-party assessment (Level 2), and continuous monitoring (Level 3), (4) FedRAMP — US government cloud security authorization, (5) PCI DSS AOC — for payment card processing. Self-attestation (option A) has no independent verification. Type I SOC 2 (option D) doesn't assess whether controls operated effectively over time.
Question 2
A cloud security team is performing a threat model for a serverless application (AWS Lambda). Which threats are UNIQUE or more significant in a serverless architecture compared to traditional VMs?
Explanation
Serverless security considerations (OWASP Serverless Top 10): (1) Function event-data injection — functions process events from many sources (API, S3, SQS) that could contain malicious payloads, (2) Broken authentication — functions often have complex permission chains, (3) Insecure third-party dependencies — Lambda packages include npm/pip libraries with potential vulnerabilities, (4) Over-privileged functions — functions given broad IAM permissions can become powerful attack pivot points, (5) Inadequate logging — serverless adds new attack surfaces (each invocation needs logging), (6) Application secrets management — hard-coded credentials in function code or environment variables. The managed infrastructure reduces OS-level threats but introduces new cloud-native threat vectors.
Question 3
An organization is transitioning to a cloud-native DevSecOps model. Security testing must be integrated into the CI/CD pipeline without significantly slowing deployment velocity. Which approach BEST achieves this balance?
Explanation
DevSecOps security testing integration (Shift Left): (1) Pre-commit — git hooks for secrets scanning (git-secrets, Detect-Secrets), (2) Pull request checks — SAST (Checkmarx, Semgrep, SonarQube) and SCA (Snyk, WhiteSource) scan code and dependencies for vulnerabilities, (3) Build stage — container image scanning (Trivy, Clair, Snyk Container), IaC scanning (Checkov, TFLint), (4) Pre-production — DAST (OWASP ZAP, Burp Suite) and IAST testing against deployed application. Policy: automatically fail the pipeline for critical/high severity findings; report medium/low for tracking. Manual review (option A) creates bottlenecks that development teams work around. Post-deployment scanning (option D) is too late — vulnerabilities are already in production.
Question 4
A multinational organization has cloud workloads in AWS, Azure, and GCP. The security team struggles with visibility across all three platforms. Which approach provides the MOST comprehensive multi-cloud security visibility?
Explanation
CSPM platforms (Prisma Cloud, Wiz, Orca, Lacework, Fugue) address multi-cloud security challenges: (1) Unified visibility — single pane of glass across AWS, Azure, GCP, and other providers, (2) Configuration assessment — continuously checks cloud resources against security benchmarks (CIS, NIST, PCI DSS), (3) Normalized findings — translates provider-specific issues to common format, (4) Compliance reporting — maps controls to regulatory frameworks, (5) Contextual risk — understands cloud resource relationships to prioritize real risks. Native tools (option A) work only in their own ecosystem and require separate workflows. Multi-cloud is a business reality — CSPM is the technical solution.
Question 5
A cloud-hosted application is experiencing intermittent availability issues. Investigation reveals the application auto-scaling group is not scaling fast enough, causing request queuing during traffic spikes. The security team must consider availability as a security concern. Which cloud architecture pattern improves resilience against this issue?
Explanation
Availability is a security concern (part of CIA triad). Resilient cloud architecture patterns: (1) Predictive auto-scaling — scale before load hits based on patterns, not reactively, (2) Queue-based load leveling — requests go to a queue (SQS, etc.) and are processed asynchronously, absorbing traffic spikes without dropping requests, (3) Circuit breakers — prevent cascading failures by failing fast when a dependency is degraded, (4) Multiple availability zones — geographic redundancy. Simply increasing max instances (option A) doesn't help if scaling triggers too slowly. Pre-provisioning maximum capacity (option D) is expensive and inefficient. Queue-based architectures are fundamental cloud-native resilience patterns.
