CCSP: Certified Cloud Security Professional (CCSP) Exam Practice Test
The Certified Cloud Security Professional (CCSP) certification, offered by (ISC)², is a globally recognized credential for IT and cybersecurity professionals specializing in cloud security. As organizations increasingly adopt cloud technologies, the demand for experts skilled in securing cloud environments continues to grow. This certification validates your knowledge and expertise in designing, managing, and securing data, applications, and infrastructure in the cloud.
What is the CCSP Certification Exam?
The CCSP exam tests your mastery of critical cloud security concepts aligned with the (ISC)² CCSP Common Body of Knowledge (CBK). It covers a broad range of topics including cloud architecture, data security, platform and infrastructure security, cloud application security, and legal and compliance issues. Passing this exam demonstrates your ability to protect cloud environments effectively and helps advance your career in cybersecurity.
What Will You Learn?
By preparing with Exam Sage’s CCSP practice tests, you will gain deep insights into:
Cloud computing concepts and architecture
Cloud data security strategies including encryption and key management
Securing cloud infrastructure and virtualization environments
Application security in cloud-native and hybrid models
Identity and access management (IAM) in cloud environments
Risk management and compliance considerations in cloud security
Incident response and disaster recovery in cloud contexts
Our practice tests simulate the real exam environment, helping you identify knowledge gaps and reinforcing essential cloud security principles.
Topics Covered
Architectural Concepts and Design Requirements
Cloud Data Security
Cloud Platform and Infrastructure Security
Cloud Application Security
Operations
Legal and Compliance
Why Choose Exam Sage for Your CCSP Exam Preparation?
Exam Sage offers expertly crafted, up-to-date practice questions with detailed explanations designed by cybersecurity professionals. Our tests are optimized for clarity and relevance, enabling you to master the material efficiently.
With Exam Sage, you get:
Realistic exam simulations to build confidence
Detailed answer explanations to enhance understanding
Flexible practice anytime, anywhere on desktop or mobile
Trusted resource for thousands of exam candidates worldwide
Prepare effectively and increase your chances of passing the CCSP exam on your first attempt with Exam Sage.
Sample Questions and Answers
1. Which of the following best describes the primary responsibility of a Cloud Security Architect?
A) Managing cloud service costs
B) Designing and implementing cloud security policies
C) Writing application code for cloud services
D) Monitoring network traffic only
Answer: B
Explanation: The Cloud Security Architect is responsible for designing and implementing security policies, controls, and architectures specific to cloud environments.
2. What type of cloud deployment model involves multiple organizations sharing cloud resources securely?
A) Public Cloud
B) Private Cloud
C) Hybrid Cloud
D) Community Cloud
Answer: D
Explanation: Community Cloud is a cloud infrastructure shared by several organizations with common concerns, allowing them to share resources securely.
3. Which principle ensures that users only get access to the minimum resources needed to perform their job?
A) Separation of duties
B) Least privilege
C) Need to know
D) Defense in depth
Answer: B
Explanation: The principle of least privilege limits user access to only the resources essential for their duties.
4. What is the main function of a Cloud Access Security Broker (CASB)?
A) Providing cloud data backup
B) Enforcing cloud security policies between cloud users and providers
C) Offering cloud-based firewalls
D) Monitoring cloud billing usage
Answer: B
Explanation: CASBs act as security enforcement points between cloud users and cloud service providers to apply security policies.
5. Which type of cloud service model provides customers with virtualized hardware resources?
A) Software as a Service (SaaS)
B) Platform as a Service (PaaS)
C) Infrastructure as a Service (IaaS)
D) Function as a Service (FaaS)
Answer: C
Explanation: IaaS provides virtualized computing resources like servers, storage, and networks.
6. What does encryption “in transit” protect?
A) Data stored in the cloud storage
B) Data being sent between client and cloud service
C) Data backed up offline
D) Data in physical hardware
Answer: B
Explanation: Encryption in transit secures data while it is being transmitted over a network.
7. What is a major risk of multi-tenancy in cloud environments?
A) Lack of physical hardware
B) Resource underutilization
C) Data leakage between tenants
D) Inflexible scalability
Answer: C
Explanation: Multi-tenancy increases the risk of data leakage or unauthorized access between tenants sharing the same cloud resources.
8. Which cloud security framework is developed by the Cloud Security Alliance (CSA)?
A) NIST Cybersecurity Framework
B) ISO 27001
C) Cloud Controls Matrix (CCM)
D) COBIT
Answer: C
Explanation: The Cloud Controls Matrix is a cybersecurity control framework specifically for cloud computing, developed by CSA.
9. What does the Shared Responsibility Model define in cloud security?
A) How cloud providers and customers share security obligations
B) The division of billing responsibilities
C) How users share credentials
D) How cloud providers manage hardware
Answer: A
Explanation: The Shared Responsibility Model clarifies which security tasks are handled by the cloud provider and which remain the customer’s responsibility.
10. What is the key difference between Public and Private Cloud?
A) Public Cloud is free, Private Cloud is paid
B) Public Cloud is owned by a single organization; Private Cloud is shared
C) Public Cloud resources are available to the general public; Private Cloud is restricted
D) Private Cloud always uses physical servers, Public Cloud is virtual
Answer: C
Explanation: Public Clouds are accessible by the general public, while Private Clouds are restricted to a single organization.
11. What is the purpose of identity federation in cloud environments?
A) To manage cloud resources efficiently
B) To enable users to use a single identity across multiple systems
C) To encrypt cloud data
D) To monitor cloud network traffic
Answer: B
Explanation: Identity federation allows users to access multiple systems or cloud services using one set of credentials.
12. Which of the following is NOT a common cloud data storage type?
A) Object storage
B) Block storage
C) File storage
D) Tape storage
Answer: D
Explanation: Tape storage is traditional backup storage, not commonly used directly in cloud architectures.
13. What is the main goal of cloud workload protection platforms (CWPP)?
A) To manage cloud billing
B) To protect cloud workloads from attacks
C) To automate resource allocation
D) To monitor employee activity
Answer: B
Explanation: CWPPs focus on securing cloud workloads (e.g., virtual machines, containers) against threats.
14. Which authentication factor is an example of “something you have”?
A) Password
B) Fingerprint
C) Smart card
D) Security question
Answer: C
Explanation: A smart card is a physical token, representing “something you have” in multi-factor authentication.
15. What is the most secure method of ensuring data confidentiality in cloud storage?
A) Data masking
B) Tokenization
C) Encryption at rest
D) Compression
Answer: C
Explanation: Encryption at rest protects data stored in the cloud from unauthorized access.
16. What is the key benefit of containerization in cloud security?
A) Eliminates the need for firewalls
B) Isolates applications to limit attack surfaces
C) Increases physical server capacity
D) Automatically encrypts data
Answer: B
Explanation: Containers isolate applications, reducing attack surfaces and improving security.
17. In cloud risk management, what does a Risk Acceptance decision imply?
A) The risk is too costly to mitigate, so it is accepted
B) The risk is eliminated entirely
C) The risk is transferred to a third party
D) The risk is ignored
Answer: A
Explanation: Risk acceptance means acknowledging the risk without applying controls, often because mitigation costs outweigh benefits.
18. Which of the following is an example of a cloud governance activity?
A) Setting service level agreements (SLAs)
B) Developing encryption algorithms
C) Building cloud infrastructure
D) Coding web applications
Answer: A
Explanation: Governance involves policies and agreements, such as SLAs, to manage cloud service delivery and compliance.
19. Which standard is often used as a reference for cloud security controls and auditing?
A) ISO/IEC 27017
B) HIPAA
C) PCI DSS
D) SOX
Answer: A
Explanation: ISO/IEC 27017 provides guidelines for information security controls applicable to cloud services.
20. What is a common control to prevent data loss in cloud services?
A) Intrusion Detection System (IDS)
B) Data Loss Prevention (DLP)
C) Firewall
D) VPN
Answer: B
Explanation: DLP systems monitor and prevent unauthorized data transfers, protecting data confidentiality.
21. How does multi-factor authentication (MFA) improve cloud security?
A) By requiring multiple passwords
B) By requiring two or more independent authentication factors
C) By encrypting user data
D) By blocking all unknown IP addresses
Answer: B
Explanation: MFA adds security by requiring two or more separate authentication factors, reducing the risk of credential compromise.
22. What is a “Cloud Security Posture Management” (CSPM) tool used for?
A) Managing user identities
B) Monitoring and improving cloud security compliance
C) Encrypting cloud data
D) Providing cloud backups
Answer: B
Explanation: CSPM tools continuously monitor cloud environments to identify and remediate security risks and compliance issues.
23. What is “serverless computing”?
A) Cloud computing without physical servers
B) Running code without provisioning or managing servers
C) Using only virtual machines
D) A synonym for IaaS
Answer: B
Explanation: Serverless computing abstracts server management away from developers, who deploy code that runs on demand.
24. What is the primary purpose of a Virtual Private Cloud (VPC)?
A) To provide a dedicated physical server
B) To create an isolated network within a public cloud
C) To run applications without security
D) To back up data offline
Answer: B
Explanation: A VPC creates a logically isolated network environment within a public cloud for greater control and security.
25. Which of the following is a best practice when managing cloud encryption keys?
A) Store keys with the cloud provider by default
B) Use hardware security modules (HSMs) for key management
C) Share keys freely among all users
D) Use the same key for all data
Answer: B
Explanation: HSMs provide secure, tamper-resistant storage and management of encryption keys.
26. Which cloud characteristic allows rapid scaling of resources up or down?
A) Elasticity
B) Multi-tenancy
C) Measured service
D) Broad network access
Answer: A
Explanation: Elasticity is the ability of the cloud to dynamically allocate or release resources based on demand.
27. What is the function of a Cloud Security Policy?
A) Define the responsibilities and rules for securing cloud resources
B) Increase cloud storage capacity
C) Encrypt all cloud data automatically
D) Manage cloud vendor contracts
Answer: A
Explanation: Cloud Security Policies specify security requirements and responsibilities within cloud environments.
28. Which of the following is a legal consideration in cloud security?
A) Cloud provider’s physical location and data sovereignty laws
B) Firewall configuration
C) Use of multi-factor authentication
D) Encryption algorithm strength
Answer: A
Explanation: Data sovereignty laws depend on where data is stored physically, affecting compliance and legal requirements.
29. What is the main threat from “Shadow IT” in cloud environments?
A) Unmonitored cloud usage bypassing IT controls
B) Cloud provider outages
C) Over-provisioning of cloud resources
D) Inefficient billing
Answer: A
Explanation: Shadow IT refers to unauthorized use of cloud services, which can bypass security policies and increase risk.
30. Which compliance framework is specifically related to protecting health information in cloud services?
A) HIPAA
B) GDPR
C) PCI DSS
D) SOX
Answer: A
Explanation: HIPAA regulates the protection of health information and applies to cloud services handling such data.
31. What is the primary goal of data classification in cloud security?
A) Encrypting all cloud data
B) Identifying and categorizing data based on sensitivity and criticality
C) Backing up all data automatically
D) Storing data in multiple regions
Answer: B
Explanation: Data classification helps organizations identify the sensitivity of data to apply appropriate security controls and compliance measures.
32. Which cloud security control is designed to prevent unauthorized API access?
A) Intrusion Detection System (IDS)
B) API Gateway with authentication and authorization
C) Firewalls only
D) Data Loss Prevention (DLP)
Answer: B
Explanation: API Gateways enforce authentication, authorization, and traffic control to prevent unauthorized API calls.
33. What does the term “immutability” refer to in cloud data protection?
A) Data cannot be changed once written
B) Data is encrypted at all times
C) Data is backed up every hour
D) Data can be accessed by all users
Answer: A
Explanation: Immutability means data is write-once-read-many (WORM), protecting it from modification or deletion to ensure integrity.
34. Which of the following cloud service models offers the least control to the customer?
A) IaaS
B) PaaS
C) SaaS
D) DaaS
Answer: C
Explanation: SaaS customers use applications managed entirely by the provider with minimal control over infrastructure or platform.
35. What is the primary purpose of cloud penetration testing?
A) To evaluate cloud provider uptime
B) To identify security vulnerabilities before attackers do
C) To increase cloud storage capacity
D) To migrate data securely
Answer: B
Explanation: Penetration testing simulates attacks to uncover and remediate vulnerabilities.
36. How does the principle of “defense in depth” apply to cloud security?
A) Using a single strong firewall
B) Implementing multiple layers of security controls throughout the cloud environment
C) Encrypting all data only
D) Relying on cloud provider’s security
Answer: B
Explanation: Defense in depth uses layered controls (network, application, data, user) to provide redundancy and reduce risk.
37. What cloud computing characteristic enables users to access services from various devices and locations?
A) Resource pooling
B) Broad network access
C) Rapid elasticity
D) Measured service
Answer: B
Explanation: Broad network access means cloud services are accessible over the network via standard mechanisms from multiple device types.
38. What role does Security Information and Event Management (SIEM) play in cloud environments?
A) Data backup
B) Collecting and analyzing security logs to detect threats
C) Encrypting cloud data
D) Controlling user access
Answer: B
Explanation: SIEM systems collect and correlate logs for threat detection and incident response.
39. What does “elasticity” allow cloud customers to do?
A) Use a fixed amount of resources regardless of demand
B) Automatically scale resources up or down based on workload
C) Manage encryption keys
D) Control the physical hardware
Answer: B
Explanation: Elasticity allows resources to be provisioned and released dynamically to meet changing demands.
40. What is the main security concern related to Bring Your Own Device (BYOD) in cloud environments?
A) Increased cloud storage costs
B) Device theft or loss leading to data exposure
C) Lack of cloud provider support
D) Poor internet connectivity
Answer: B
Explanation: BYOD devices can be lost or stolen, potentially exposing sensitive cloud data if not properly secured.
41. In cloud security, what is “tokenization”?
A) Encrypting data with a key
B) Replacing sensitive data with non-sensitive placeholders or tokens
C) Compressing data to save space
D) Authenticating users
Answer: B
Explanation: Tokenization substitutes sensitive data with tokens to reduce exposure and simplify compliance.
42. What is a cloud service level agreement (SLA) primarily used for?
A) Defining security protocols
B) Outlining performance and availability commitments from a cloud provider
C) Listing encryption algorithms
D) Managing user permissions
Answer: B
Explanation: SLAs specify guaranteed uptime, performance metrics, and remedies for service failures.
43. Which of the following is a best practice when decommissioning cloud resources?
A) Leaving data on the resource for backup
B) Securely wiping data and removing all access
C) Turning off the resource without deleting data
D) Exporting data without encryption
Answer: B
Explanation: Proper decommissioning requires data destruction and access removal to prevent data leakage.
44. What is the purpose of “metadata” in cloud storage?
A) Actual data content
B) Data about data, such as size, creation date, and access permissions
C) Encrypted data
D) Backup files
Answer: B
Explanation: Metadata provides context and management information about stored data.
45. What is a common challenge in cloud incident response?
A) Lack of data encryption
B) Shared responsibility and unclear roles between customer and provider
C) Cloud hardware failure
D) Slow internet speeds
Answer: B
Explanation: Incident response in the cloud requires coordination between customer and provider, which can be complex due to shared responsibility.
46. What does “data residency” refer to?
A) The location where data physically resides or is stored
B) Data encryption status
C) User access rights
D) Backup schedules
Answer: A
Explanation: Data residency concerns where data is stored geographically, important for legal and compliance reasons.
47. What is the function of a “key escrow” service in cloud security?
A) Storing backup keys with a trusted third party
B) Encrypting cloud workloads
C) Monitoring network traffic
D) Providing cloud billing reports
Answer: A
Explanation: Key escrow involves storing encryption keys securely with a third party for recovery or legal compliance.
48. Which of the following cloud models allows a mix of on-premises infrastructure and cloud resources?
A) Public Cloud
B) Private Cloud
C) Hybrid Cloud
D) Community Cloud
Answer: C
Explanation: Hybrid Cloud combines on-premises and cloud infrastructure for flexibility and optimization.
49. How is “data sovereignty” different from “data residency”?
A) Sovereignty refers to legal jurisdiction over data; residency is physical location
B) They mean the same thing
C) Sovereignty is about encryption; residency is about access
D) Sovereignty only applies to healthcare data
Answer: A
Explanation: Data sovereignty refers to the laws governing data in a location, whereas residency is just the physical location.
50. What is an advantage of using multi-region cloud deployments?
A) Improved application performance and disaster recovery
B) Higher cloud service costs
C) Reduced security controls
D) Simplified user access management
Answer: A
Explanation: Multi-region deployments improve availability, latency, and fault tolerance.
51. Which cloud security threat involves attackers gaining unauthorized access through misconfigured permissions?
A) Phishing
B) Misconfiguration exploitation
C) Malware
D) Denial of Service (DoS)
Answer: B
Explanation: Misconfigured permissions can leave cloud resources exposed, allowing attackers unauthorized access.
52. What is “infrastructure as code” (IaC) in cloud computing?
A) Writing software for cloud applications
B) Managing and provisioning cloud infrastructure through machine-readable scripts
C) Encrypting cloud resources
D) Monitoring cloud network traffic
Answer: B
Explanation: IaC automates cloud infrastructure setup, ensuring consistency and repeatability.
53. How does container orchestration improve cloud security?
A) It removes all vulnerabilities automatically
B) It manages deployment and scaling, allowing better control and patching of containers
C) It encrypts container data
D) It replaces firewalls
Answer: B
Explanation: Container orchestration automates deployment and updates, helping maintain security posture.
54. What is “zero trust” security in cloud environments?
A) Trusting all devices within the network perimeter
B) Never trusting and always verifying users and devices, regardless of location
C) Disabling user authentication
D) Encrypting all cloud data
Answer: B
Explanation: Zero trust requires strict identity verification for every access request, minimizing trust assumptions.
55. What is the main purpose of cloud auditing?
A) Increasing cloud speed
B) Assessing compliance and verifying security controls are effective
C) Encrypting data
D) Backing up data
Answer: B
Explanation: Auditing reviews security and compliance posture through logs, configurations, and policies.
56. Which cloud security technology uses behavior analytics to detect anomalies?
A) Firewall
B) User and Entity Behavior Analytics (UEBA)
C) VPN
D) SSL/TLS
Answer: B
Explanation: UEBA uses machine learning to detect unusual user or system behavior indicative of threats.
57. What does “data exfiltration” mean in cloud security?
A) Encrypting data
B) Unauthorized transfer of data from the cloud environment to an external location
C) Backup of cloud data
D) Migration of data between cloud providers
Answer: B
Explanation: Data exfiltration is the unauthorized theft or movement of sensitive data.
58. Which of the following helps ensure business continuity in cloud computing?
A) Regular penetration testing
B) Disaster Recovery (DR) planning and backups
C) Multi-factor authentication
D) Single sign-on
Answer: B
Explanation: DR planning prepares for outages by ensuring quick recovery of systems and data.
59. What is the biggest challenge when encrypting data in use in cloud environments?
A) Lack of encryption algorithms
B) Data must be decrypted to be processed, exposing it temporarily
C) Key management
D) Compliance regulations
Answer: B
Explanation: Data in use must be processed in plaintext, presenting exposure risks during computation.
60. What is a “cloud broker”?
A) A user of cloud services
B) A third party that helps organizations select, integrate, and manage cloud services
C) A cloud infrastructure provider
D) A security protocol
Answer: B
Explanation: Cloud brokers facilitate cloud adoption by managing multiple providers and optimizing service delivery.
61. What is a Shared Responsibility Model in cloud security?
A) The cloud provider is responsible for all security
B) The customer is responsible for all security
C) Security responsibilities are divided between cloud provider and customer
D) Third-party vendors manage security
Answer: C
Explanation: Cloud security is a shared responsibility where providers manage security of the cloud infrastructure, and customers manage security in the cloud, such as data and user access.
62. Which type of cloud deployment is operated solely for a single organization and may be on- or off-premises?
A) Public Cloud
B) Private Cloud
C) Community Cloud
D) Hybrid Cloud
Answer: B
Explanation: Private clouds are dedicated to a single organization and provide more control over security and compliance.
63. What does “multi-tenancy” mean in cloud computing?
A) One customer using multiple cloud providers
B) Multiple customers sharing the same physical resources securely
C) Multiple cloud services integrated together
D) A cloud provider leasing only one server
Answer: B
Explanation: Multi-tenancy allows different customers (tenants) to share physical resources while maintaining data isolation.
64. Which encryption method protects data while stored in the cloud?
A) Encryption in transit
B) Encryption at rest
C) Tokenization
D) Hashing
Answer: B
Explanation: Encryption at rest secures data stored on disks or other persistent storage media.
65. What is the primary benefit of using Identity and Access Management (IAM) in cloud environments?
A) Faster data processing
B) Control and manage who has access to cloud resources and what they can do
C) Reducing cloud costs
D) Automating backups
Answer: B
Explanation: IAM helps define user identities and their permissions, improving security.
66. Which of the following best describes Cloud Access Security Broker (CASB)?
A) Cloud storage service
B) Security policy enforcement point between cloud users and cloud services
C) Network firewall appliance
D) Data backup service
Answer: B
Explanation: CASBs enforce security policies such as access control, data protection, and compliance in cloud usage.
67. What is “federated identity” in the cloud?
A) Using separate user accounts for each cloud service
B) Single sign-on across multiple systems or organizations using trust relationships
C) Guest user access only
D) Temporary user accounts
Answer: B
Explanation: Federated identity allows users to authenticate across different domains or cloud services seamlessly.
68. What is the primary challenge of monitoring cloud environments?
A) Static network infrastructure
B) Dynamic and elastic nature of cloud resources complicates tracking and logging
C) Lack of encryption
D) No access to logs
Answer: B
Explanation: Cloud resources are dynamic, making monitoring and correlating logs across services challenging.
69. How does a Cloud Security Posture Management (CSPM) tool help organizations?
A) Encrypts cloud data
B) Continuously assesses cloud security posture and compliance risks
C) Manages cloud billing
D) Performs penetration testing
Answer: B
Explanation: CSPM tools automate risk assessments and compliance checks to detect misconfigurations.
70. What is the purpose of “microsegmentation” in cloud security?
A) Encrypting microservices
B) Dividing cloud networks into small, isolated segments to contain threats
C) Backing up small data chunks
D) Scaling cloud storage
Answer: B
Explanation: Microsegmentation limits lateral movement of attackers by isolating workloads.
71. What is an example of a preventative security control in cloud environments?
A) Security Information and Event Management (SIEM)
B) Multi-factor Authentication (MFA)
C) Intrusion Detection System (IDS)
D) Log Analysis
Answer: B
Explanation: MFA prevents unauthorized access by requiring multiple authentication factors.
72. Which cloud security framework is widely recognized for risk management?
A) COBIT
B) NIST Cybersecurity Framework
C) ITIL
D) Six Sigma
Answer: B
Explanation: The NIST Cybersecurity Framework provides guidelines for managing cybersecurity risk.
73. Which of the following is a form of cloud service orchestration?
A) Managing deployment pipelines and automated scaling of resources
B) Encrypting data
C) Physical server maintenance
D) Firewall configuration
Answer: A
Explanation: Orchestration automates provisioning and management of cloud services.
74. Which of the following describes a key management system (KMS) function?
A) Backing up data
B) Generating, storing, and managing encryption keys
C) Controlling user access
D) Logging network traffic
Answer: B
Explanation: KMS ensures secure handling of cryptographic keys.
75. What is the best practice for securing APIs in cloud environments?
A) Open APIs to all users
B) Use strong authentication, authorization, and input validation
C) Disable logging
D) Avoid using encryption
Answer: B
Explanation: Secure APIs require proper authentication and input validation to prevent unauthorized access and injection attacks.
76. Which cloud security tool can detect anomalous user behavior?
A) Firewall
B) User and Entity Behavior Analytics (UEBA)
C) Antivirus software
D) Backup software
Answer: B
Explanation: UEBA uses analytics to identify suspicious or risky user behavior patterns.
77. What is the difference between “cloud backup” and “disaster recovery”?
A) Backup is for data preservation; disaster recovery includes restoring systems and operations
B) Backup is more expensive
C) Disaster recovery is only on-premises
D) They are the same
Answer: A
Explanation: Backup protects data, while disaster recovery involves restoring infrastructure and services after failure.
78. What is the role of encryption key rotation?
A) To generate keys faster
B) To periodically replace encryption keys to reduce risk of compromise
C) To encrypt more data
D) To slow down encryption processes
Answer: B
Explanation: Key rotation limits the exposure time of a key, enhancing security.
79. What is a common cause of cloud security breaches?
A) Strong passwords
B) Misconfigured cloud resources and permissions
C) Multi-factor authentication
D) Regular patching
Answer: B
Explanation: Incorrect configuration leaves resources open to unauthorized access.
80. How does a cloud firewall differ from a traditional firewall?
A) It only protects physical servers
B) It protects cloud workloads and can be integrated into cloud infrastructure dynamically
C) It is slower
D) It only filters emails
Answer: B
Explanation: Cloud firewalls provide scalable, flexible protection tailored to cloud environments.
81. What is the purpose of encryption in transit?
A) Protecting data stored on disks
B) Protecting data as it moves between systems or over the internet
C) Encrypting backup files only
D) Encrypting user credentials only
Answer: B
Explanation: Encryption in transit protects data from interception during transmission.
82. What is the main challenge in cloud identity management?
A) Too many users
B) Managing access consistently across multiple cloud providers and services
C) Lack of user credentials
D) Poor internet connectivity
Answer: B
Explanation: Cross-provider identity management requires unified policies and tools.
83. What is the benefit of using container security tools?
A) Faster deployment
B) Detecting vulnerabilities and enforcing security policies on containerized applications
C) More storage space
D) Encrypting databases
Answer: B
Explanation: Container security tools scan for risks and help enforce compliance in container environments.
84. How does the “principle of least privilege” enhance cloud security?
A) Allows users full access by default
B) Grants users only the minimum permissions needed to perform their tasks
C) Prevents users from accessing any resources
D) Grants admin access to everyone
Answer: B
Explanation: Limiting permissions reduces the potential impact of compromised accounts.
85. What is the function of a Security Operations Center (SOC) in cloud security?
A) Selling cloud services
B) Monitoring, detecting, and responding to security incidents
C) Managing cloud costs
D) Developing cloud applications
Answer: B
Explanation: SOCs provide continuous security monitoring and incident management.
86. What is the risk of “data remanence” in cloud storage?
A) Data not being available quickly
B) Residual data remaining after deletion that could be recovered by attackers
C) Data being corrupted during backup
D) Data being encrypted
Answer: B
Explanation: Data remanence can lead to exposure if storage is not securely wiped.
87. What type of attack exploits vulnerabilities in cloud application interfaces?
A) Distributed Denial of Service (DDoS)
B) Injection attacks
C) Phishing
D) Man-in-the-middle
Answer: B
Explanation: Injection attacks exploit insecure inputs in APIs or web applications.
88. What is the main goal of cloud data governance?
A) Encrypting all cloud data
B) Defining policies and procedures to ensure proper management, security, and compliance of data
C) Speeding up data access
D) Backing up data daily
Answer: B
Explanation: Governance ensures data is handled according to organizational and regulatory requirements.