Cloud Security MCQ 60 Tests With Answers (2026)
PerfectNotes TeamUpdated: March 2026~15 min practice 60 Questions Β· 3 Levels 60 Questions Β· 3 Levels
Cloud Security MCQ practice questions are essential for preparing for competitive exams, certifications, and technical interviews. This comprehensive MCQ platform provides 60 carefully curated practice questions covering the policies, technologies, and controls deployed to protect cloud-based systems β from the shared responsibility model and IAM through CSPM, encryption strategies, and real-world misconfiguration attacks across AWS, Azure, and GCP.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering service models, shared responsibility, IAM, and encryption fundamentals), Concepts (covering CSPM, CWPP, network segmentation, and container/Kubernetes security), and Advanced (covering zero trust in the cloud, confidential computing, policy-as-code, and DevSecOps pipelines). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers and detailed explanations instantly, or use Exam Mode for timed testing and real-time scoring to simulate AWS Security Specialty, CCSP, CISSP, and CompTIA Cloud+ exam conditions.
Contents
- 1.Basics (20 Questions)Shared responsibility Β· service models Β· IAM Β· encryption at rest/transit
- 2.Concepts (20 Questions)CSPM Β· CWPP Β· network segmentation Β· container/Kubernetes security
- 3.Advanced (20 Questions)Zero trust cloud Β· confidential computing Β· OPA Β· DevSecOps pipelines
- 4.Conclusionsummary Β· next steps Β· study tips
- 5.Key Takeawaysquick-fire bullet recap of essential facts
- 6.Quick Review Summaryconcept Β· definition Β· key fact table
- 7.FAQcommon questions answered
Cloud Security β Basics
1Which foundational cloud security concept dictates that the cloud provider manages the security of the cloud, while the customer manages security in the cloud?
CorrectC: The Shared Responsibility Model
The Shared Responsibility Model defines a clear division: the provider secures the physical infrastructure, hypervisor, and foundational services; the customer is responsible for OS patching, identity management, application security, and data protection within their cloud environment.
IncorrectC: The Shared Responsibility Model
The Shared Responsibility Model defines a clear division: the provider secures the physical infrastructure, hypervisor, and foundational services; the customer is responsible for OS patching, identity management, application security, and data protection within their cloud environment.
2In which cloud service model is the customer solely responsible for managing the application code and user data, while the provider handles the underlying runtime environment, OS, and hardware?
CorrectB: PaaS (Platform as a Service)
In PaaS, the cloud provider manages everything from the physical hardware through the runtime and middleware; the customer only writes and deploys application code and manages the data it produces β making it a significantly reduced but not eliminated security responsibility.
IncorrectB: PaaS (Platform as a Service)
In PaaS, the cloud provider manages everything from the physical hardware through the runtime and middleware; the customer only writes and deploys application code and manages the data it produces β making it a significantly reduced but not eliminated security responsibility.
3If an organization migrates its physical servers to virtual machines hosted in an AWS Virtual Private Cloud (VPC), which service model are they utilizing?
CorrectA: IaaS (Infrastructure as a Service)
IaaS provides raw virtualized compute, networking, and storage. The customer controls the operating system, middleware, and applications on top of the provider's physical infrastructure β AWS EC2 instances inside a VPC is the canonical IaaS example.
IncorrectA: IaaS (Infrastructure as a Service)
IaaS provides raw virtualized compute, networking, and storage. The customer controls the operating system, middleware, and applications on top of the provider's physical infrastructure β AWS EC2 instances inside a VPC is the canonical IaaS example.
4What is the primary security risk associated with "Multi-tenancy" in public cloud environments?
CorrectD: The potential for data leakage or side-channel attacks if logical isolation between different customers' resources fails
Multi-tenancy means multiple customers share the same physical infrastructure. A hypervisor vulnerability or side-channel attack (e.g., Spectre/Meltdown) could allow one tenant to access another's memory β the most serious isolation risk in public cloud.
IncorrectD: The potential for data leakage or side-channel attacks if logical isolation between different customers' resources fails
Multi-tenancy means multiple customers share the same physical infrastructure. A hypervisor vulnerability or side-channel attack (e.g., Spectre/Meltdown) could allow one tenant to access another's memory β the most serious isolation risk in public cloud.
5What is the fundamental difference between a Public Cloud and a Private Cloud?
CorrectC: Public cloud resources are shared over the internet among multiple organizations; private cloud resources are dedicated to a single organization
A public cloud is a multi-tenant, shared infrastructure operated by a third-party provider (e.g., AWS, Azure, GCP); a private cloud is a single-tenant environment dedicated entirely to one organization, running either on-premises or in a dedicated hosted facility.
IncorrectC: Public cloud resources are shared over the internet among multiple organizations; private cloud resources are dedicated to a single organization
A public cloud is a multi-tenant, shared infrastructure operated by a third-party provider (e.g., AWS, Azure, GCP); a private cloud is a single-tenant environment dedicated entirely to one organization, running either on-premises or in a dedicated hosted facility.
6What is the primary function of a Hypervisor in cloud computing?
CorrectA: To abstract physical hardware and allocate resources to multiple isolated Virtual Machines (VMs)
A hypervisor (Type 1: Xen, KVM, Hyper-V; Type 2: VMware Workstation) sits between the hardware and VMs, virtualizing CPU, memory, and I/O. It enforces isolation between VMs β its security is foundational to all cloud security guarantees.
IncorrectA: To abstract physical hardware and allocate resources to multiple isolated Virtual Machines (VMs)
A hypervisor (Type 1: Xen, KVM, Hyper-V; Type 2: VMware Workstation) sits between the hardware and VMs, virtualizing CPU, memory, and I/O. It enforces isolation between VMs β its security is foundational to all cloud security guarantees.
7In cloud environments, "Elasticity" allows resources to scale up and down automatically based on demand. What is a key security consideration of this feature?
CorrectD: Security controls (like firewall rules and monitoring agents) must dynamically scale and attach to new resources the moment they are provisioned
When auto-scaling provisions new instances, those instances must inherit the correct security group rules, have monitoring agents auto-installed, and be registered with IAM roles immediately β otherwise a window of unprotected exposure exists between provisioning and hardening.
IncorrectD: Security controls (like firewall rules and monitoring agents) must dynamically scale and attach to new resources the moment they are provisioned
When auto-scaling provisions new instances, those instances must inherit the correct security group rules, have monitoring agents auto-installed, and be registered with IAM roles immediately β otherwise a window of unprotected exposure exists between provisioning and hardening.
8What is the primary purpose of a Cloud Access Security Broker (CASB)?
CorrectB: To sit between cloud service users and cloud applications, monitoring activity and enforcing corporate security policies
A CASB (e.g., Microsoft Defender for Cloud Apps, Netskope) intercepts cloud traffic to provide visibility into Shadow IT, enforce DLP policies, detect anomalous user behavior, and apply encryption or tokenization to sensitive data flowing into SaaS applications.
IncorrectB: To sit between cloud service users and cloud applications, monitoring activity and enforcing corporate security policies
A CASB (e.g., Microsoft Defender for Cloud Apps, Netskope) intercepts cloud traffic to provide visibility into Shadow IT, enforce DLP policies, detect anomalous user behavior, and apply encryption or tokenization to sensitive data flowing into SaaS applications.
9What does Identity and Access Management (IAM) fundamentally govern in a cloud environment?
CorrectC: The authentication of users/services and the precise authorization of what resources they can interact with
IAM is the backbone of cloud security: it authenticates identities (users, roles, service accounts) and authorizes their actions via policies. Misconfigured IAM β overly permissive roles, unused admin accounts β is the #1 cause of cloud security incidents.
IncorrectC: The authentication of users/services and the precise authorization of what resources they can interact with
IAM is the backbone of cloud security: it authenticates identities (users, roles, service accounts) and authorizes their actions via policies. Misconfigured IAM β overly permissive roles, unused admin accounts β is the #1 cause of cloud security incidents.
10Which of the following best describes "Shadow IT" in the context of cloud security?
CorrectA: The use of unauthorized, unvetted cloud applications or services by employees without the IT department's knowledge or approval
Shadow IT introduces unmanaged attack surface: the applications may lack MFA, store corporate data without DLP controls, and create compliance violations. A CASB is the primary tool used to discover and govern Shadow IT usage.
IncorrectA: The use of unauthorized, unvetted cloud applications or services by employees without the IT department's knowledge or approval
Shadow IT introduces unmanaged attack surface: the applications may lack MFA, store corporate data without DLP controls, and create compliance violations. A CASB is the primary tool used to discover and govern Shadow IT usage.
11Which cryptographic mechanism is utilized to secure "Data in Transit" as it travels from an enterprise network to a cloud provider?
CorrectD: Transport Layer Security (TLS)
TLS (currently TLS 1.3) encrypts data in transit using a hybrid approach β asymmetric cryptography for key exchange and symmetric encryption (AES-GCM) for bulk data transfer β protecting it from interception or tampering on the network path.
IncorrectD: Transport Layer Security (TLS)
TLS (currently TLS 1.3) encrypts data in transit using a hybrid approach β asymmetric cryptography for key exchange and symmetric encryption (AES-GCM) for bulk data transfer β protecting it from interception or tampering on the network path.
12Why is Multi-Factor Authentication (MFA) considered essential for securing Cloud Management Consoles?
CorrectB: Because compromised administrative credentials could allow an attacker to delete entire infrastructure environments or steal massive datasets instantly
A cloud root or admin console compromise via stolen credentials is catastrophic β an attacker can terminate all workloads, exfiltrate all stored data, modify all firewall rules, and create backdoor IAM users within minutes. MFA is the single highest-impact control to prevent this.
IncorrectB: Because compromised administrative credentials could allow an attacker to delete entire infrastructure environments or steal massive datasets instantly
A cloud root or admin console compromise via stolen credentials is catastrophic β an attacker can terminate all workloads, exfiltrate all stored data, modify all firewall rules, and create backdoor IAM users within minutes. MFA is the single highest-impact control to prevent this.
13What is the primary objective of "Vendor Lock-in" avoidance strategies?
CorrectC: To design cloud architectures using open standards so the organization can easily migrate workloads to a different cloud provider if necessary
Vendor lock-in avoidance uses open standards (Kubernetes for containers, Terraform for IaC, S3-compatible APIs) so workloads are portable. This is also a resilience and negotiating strategy β if a provider suffers a prolonged outage or unacceptable price increases, migration remains feasible.
IncorrectC: To design cloud architectures using open standards so the organization can easily migrate workloads to a different cloud provider if necessary
Vendor lock-in avoidance uses open standards (Kubernetes for containers, Terraform for IaC, S3-compatible APIs) so workloads are portable. This is also a resilience and negotiating strategy β if a provider suffers a prolonged outage or unacceptable price increases, migration remains feasible.
14A massive flood of junk HTTP requests targets a cloud-hosted web application, making it inaccessible. What type of attack is this?
CorrectD: Distributed Denial of Service (DDoS)
A DDoS attack overwhelms the target with traffic from many sources (a botnet) to exhaust bandwidth, connection tables, or compute capacity. Cloud providers offer DDoS protection services (AWS Shield, Azure DDoS Protection, GCP Cloud Armor) that absorb volumetric attacks at the network edge.
IncorrectD: Distributed Denial of Service (DDoS)
A DDoS attack overwhelms the target with traffic from many sources (a botnet) to exhaust bandwidth, connection tables, or compute capacity. Cloud providers offer DDoS protection services (AWS Shield, Azure DDoS Protection, GCP Cloud Armor) that absorb volumetric attacks at the network edge.
15What is a Virtual Private Cloud (VPC)?
CorrectA: A logically isolated section of a public cloud where a customer can launch resources within a defined virtual network
A VPC provides network isolation within a public cloud β the customer defines CIDR ranges, subnets, route tables, internet gateways, and security groups, creating a private virtual network overlay on the provider's shared physical fabric.
IncorrectA: A logically isolated section of a public cloud where a customer can launch resources within a defined virtual network
A VPC provides network isolation within a public cloud β the customer defines CIDR ranges, subnets, route tables, internet gateways, and security groups, creating a private virtual network overlay on the provider's shared physical fabric.
16In "Serverless" computing (like AWS Lambda), what security responsibility is entirely shifted away from the customer?
CorrectB: Operating system patching, kernel updates, and underlying infrastructure maintenance
Serverless eliminates infrastructure management entirely: the provider handles OS patching, runtime updates, hardware maintenance, and scaling. The customer retains responsibility for function code security, IAM permissions, secrets management, and input validation.
IncorrectB: Operating system patching, kernel updates, and underlying infrastructure maintenance
Serverless eliminates infrastructure management entirely: the provider handles OS patching, runtime updates, hardware maintenance, and scaling. The customer retains responsibility for function code security, IAM permissions, secrets management, and input validation.
17If a developer accidentally uploads an AWS Access Key to a public GitHub repository, what is the most immediate security risk?
CorrectC: Attackers can use the key to authenticate as that identity, potentially spinning up malicious crypto-mining instances or stealing data
Automated bots continuously scrape GitHub for exposed secrets; a leaked AWS Access Key is typically abused within minutes to launch crypto-mining EC2 instances, exfiltrate S3 data, or establish persistence. Keys must be rotated immediately and the incident investigated.
IncorrectC: Attackers can use the key to authenticate as that identity, potentially spinning up malicious crypto-mining instances or stealing data
Automated bots continuously scrape GitHub for exposed secrets; a leaked AWS Access Key is typically abused within minutes to launch crypto-mining EC2 instances, exfiltrate S3 data, or establish persistence. Keys must be rotated immediately and the incident investigated.
18What is the "Principle of Least Privilege" applied to cloud IAM?
CorrectD: Identities (users, roles, or services) should be granted only the exact permissions strictly required to perform their authorized tasks, and nothing more
Least privilege limits blast radius: if a service account is compromised, it can only access the specific resources it was permitted. In cloud IAM, this means avoiding wildcard (*) actions in policies and regularly reviewing and revoking unused permissions.
IncorrectD: Identities (users, roles, or services) should be granted only the exact permissions strictly required to perform their authorized tasks, and nothing more
Least privilege limits blast radius: if a service account is compromised, it can only access the specific resources it was permitted. In cloud IAM, this means avoiding wildcard (*) actions in policies and regularly reviewing and revoking unused permissions.
19What is the purpose of reviewing a cloud provider's SOC 2 Type II report?
CorrectA: To verify the operational effectiveness of the provider's security, availability, and confidentiality controls over a specific period of time
Unlike SOC 2 Type I (which only verifies controls exist at a point in time), SOC 2 Type II audits the operational effectiveness of those controls over a 6β12 month period β giving customers confidence that the provider's security practices function as designed continuously.
IncorrectA: To verify the operational effectiveness of the provider's security, availability, and confidentiality controls over a specific period of time
Unlike SOC 2 Type I (which only verifies controls exist at a point in time), SOC 2 Type II audits the operational effectiveness of those controls over a 6β12 month period β giving customers confidence that the provider's security practices function as designed continuously.
20What is the most common root cause of massive cloud data breaches involving object storage (e.g., Amazon S3)?
CorrectB: Simple customer misconfigurations, such as setting the storage bucket's access policy to "Public"
The vast majority of high-profile cloud breaches (Capital One, GoDaddy, Toyota) trace to customer-side misconfiguration β an S3 bucket set to public, an overly permissive IAM role, or an unencrypted database exposed to the internet. CSPM tools exist specifically to catch these issues.
IncorrectB: Simple customer misconfigurations, such as setting the storage bucket's access policy to "Public"
The vast majority of high-profile cloud breaches (Capital One, GoDaddy, Toyota) trace to customer-side misconfiguration β an S3 bucket set to public, an overly permissive IAM role, or an unencrypted database exposed to the internet. CSPM tools exist specifically to catch these issues.
Cloud Security β Concepts
1What is the primary function of a Cloud Workload Protection Platform (CWPP)?
CorrectD: To provide security monitoring, threat detection, and vulnerability management specifically tailored for internal cloud workloads (VMs, containers, serverless)
CWPP focuses on securing running workloads from the inside: agent-based vulnerability scanning, runtime threat detection, application allow-listing, and memory protection for VMs, containers, and serverless functions across multi-cloud environments.
IncorrectD: To provide security monitoring, threat detection, and vulnerability management specifically tailored for internal cloud workloads (VMs, containers, serverless)
CWPP focuses on securing running workloads from the inside: agent-based vulnerability scanning, runtime threat detection, application allow-listing, and memory protection for VMs, containers, and serverless functions across multi-cloud environments.
2How does Cloud Security Posture Management (CSPM) differ from traditional vulnerability scanning?
CorrectC: CSPM continuously monitors the cloud environment's configuration (like open ports, IAM policies, and unencrypted drives) against compliance frameworks and security best practices
CSPM tools (Prisma Cloud, Wiz, Orca) continuously assess cloud configuration state against CIS Benchmarks, NIST, SOC 2, and PCI-DSS β alerting on drifts like publicly accessible databases, MFA disabled on root accounts, or security groups with 0.0.0.0/0 inbound rules.
IncorrectC: CSPM continuously monitors the cloud environment's configuration (like open ports, IAM policies, and unencrypted drives) against compliance frameworks and security best practices
CSPM tools (Prisma Cloud, Wiz, Orca) continuously assess cloud configuration state against CIS Benchmarks, NIST, SOC 2, and PCI-DSS β alerting on drifts like publicly accessible databases, MFA disabled on root accounts, or security groups with 0.0.0.0/0 inbound rules.
3Which term describes a comprehensive platform that converges the capabilities of CSPM, CWPP, and CIEM (Cloud Infrastructure Entitlement Management) into a single solution?
CorrectA: Cloud-Native Application Protection Platform (CNAPP)
CNAPP (coined by Gartner) integrates CSPM for configuration risk, CWPP for runtime workload protection, and CIEM for IAM entitlement governance into a unified platform β providing end-to-end visibility from development to production across multi-cloud environments.
IncorrectA: Cloud-Native Application Protection Platform (CNAPP)
CNAPP (coined by Gartner) integrates CSPM for configuration risk, CWPP for runtime workload protection, and CIEM for IAM entitlement governance into a unified platform β providing end-to-end visibility from development to production across multi-cloud environments.
4In cloud identity federation, what is the role of Security Assertion Markup Language (SAML)?
CorrectB: It allows an Identity Provider (IdP) to securely pass authentication and authorization data to a cloud Service Provider (SP), enabling Single Sign-On (SSO)
SAML 2.0 is an XML-based open standard for SSO federation: the IdP (e.g., Okta, ADFS) authenticates the user and issues a digitally signed XML assertion containing identity and attribute claims, which the Service Provider (e.g., AWS SSO) validates to grant access.
IncorrectB: It allows an Identity Provider (IdP) to securely pass authentication and authorization data to a cloud Service Provider (SP), enabling Single Sign-On (SSO)
SAML 2.0 is an XML-based open standard for SSO federation: the IdP (e.g., Okta, ADFS) authenticates the user and issues a digitally signed XML assertion containing identity and attribute claims, which the Service Provider (e.g., AWS SSO) validates to grant access.
5In cloud network architecture, what is the distinction between the "Control Plane" and the "Data Plane"?
CorrectC: The Control Plane manages the configuration and provisioning of resources (e.g., API calls to create a VM); the Data Plane handles the actual transit of user network traffic
Separating control and data planes is a security principle: the control plane (cloud management APIs, Kubernetes API server) must be hardened with strict authentication and audit logging, while the data plane carries actual workload traffic. A compromise of the control plane grants complete environment control.
IncorrectC: The Control Plane manages the configuration and provisioning of resources (e.g., API calls to create a VM); the Data Plane handles the actual transit of user network traffic
Separating control and data planes is a security principle: the control plane (cloud management APIs, Kubernetes API server) must be hardened with strict authentication and audit logging, while the data plane carries actual workload traffic. A compromise of the control plane grants complete environment control.
6In Kubernetes architecture, what mechanism is used to logically isolate cluster resources between different teams or projects?
CorrectD: Namespaces
Kubernetes Namespaces provide logical isolation of resources (pods, services, secrets) within a cluster. Combined with RBAC (RoleBindings scoped to a namespace) and Network Policies, they enforce multi-team isolation β though they do not provide the same isolation guarantees as separate clusters.
IncorrectD: Namespaces
Kubernetes Namespaces provide logical isolation of resources (pods, services, secrets) within a cluster. Combined with RBAC (RoleBindings scoped to a namespace) and Network Policies, they enforce multi-team isolation β though they do not provide the same isolation guarantees as separate clusters.
7What is "Infrastructure as Code" (IaC) in the context of cloud security?
CorrectA: Managing and provisioning cloud infrastructure through machine-readable definition files (e.g., Terraform, CloudFormation) rather than manual console configuration
IaC (Terraform, AWS CloudFormation, Pulumi) enables version-controlled, auditable, and repeatable infrastructure deployments. Security benefits include drift detection, peer review of infrastructure changes via pull requests, and automated scanning for misconfigurations before provisioning.
IncorrectA: Managing and provisioning cloud infrastructure through machine-readable definition files (e.g., Terraform, CloudFormation) rather than manual console configuration
IaC (Terraform, AWS CloudFormation, Pulumi) enables version-controlled, auditable, and repeatable infrastructure deployments. Security benefits include drift detection, peer review of infrastructure changes via pull requests, and automated scanning for misconfigurations before provisioning.
8Why is it highly recommended to perform security scanning on IaC templates (like Terraform files) before deployment?
CorrectB: To shift security "left," identifying and remediating misconfigurations (like overly permissive firewalls) before the flawed infrastructure is ever provisioned
Shift-left IaC scanning tools (Checkov, tfsec, Snyk IaC) analyze Terraform/CloudFormation before deployment, catching misconfigurations like S3 buckets with public ACLs, security groups allowing 0.0.0.0/0, or unencrypted EBS volumes β at a fraction of the cost of fixing them post-deployment.
IncorrectB: To shift security "left," identifying and remediating misconfigurations (like overly permissive firewalls) before the flawed infrastructure is ever provisioned
Shift-left IaC scanning tools (Checkov, tfsec, Snyk IaC) analyze Terraform/CloudFormation before deployment, catching misconfigurations like S3 buckets with public ACLs, security groups allowing 0.0.0.0/0, or unencrypted EBS volumes β at a fraction of the cost of fixing them post-deployment.
9Applying the "Zero Trust" model to a cloud environment means:
CorrectC: Never trusting any entity (user, device, or workload) by default, regardless of its network location, and enforcing continuous authentication and strict authorization
Zero Trust (NIST SP 800-207) eliminates implicit trust based on network location: every request from any workload, user, or device must be explicitly authenticated and authorized. In cloud, this means mTLS between services, short-lived credentials, and per-request policy evaluation.
IncorrectC: Never trusting any entity (user, device, or workload) by default, regardless of its network location, and enforcing continuous authentication and strict authorization
Zero Trust (NIST SP 800-207) eliminates implicit trust based on network location: every request from any workload, user, or device must be explicitly authenticated and authorized. In cloud, this means mTLS between services, short-lived credentials, and per-request policy evaluation.
10What security challenge is uniquely amplified by the "ephemeral" nature of containers and serverless functions?
CorrectD: Because they spin up and shut down rapidly, traditional forensic investigations are difficult since the compromised workload and its local logs may be gone before an investigation begins
Containers and Lambda functions may live for seconds. Once they terminate, volatile evidence (in-memory state, local logs, network connections) vanishes. This requires shipping logs to an external, immutable system (CloudWatch, Splunk) and using eBPF-based runtime tracing that captures events without relying on the workload's existence.
IncorrectD: Because they spin up and shut down rapidly, traditional forensic investigations are difficult since the compromised workload and its local logs may be gone before an investigation begins
Containers and Lambda functions may live for seconds. Once they terminate, volatile evidence (in-memory state, local logs, network connections) vanishes. This requires shipping logs to an external, immutable system (CloudWatch, Splunk) and using eBPF-based runtime tracing that captures events without relying on the workload's existence.
11What does the concept of "Data Sovereignty" dictate in cloud computing?
CorrectA: Digital data is subject to the laws, regulations, and privacy mandates of the specific country or region in which it is physically stored
Data sovereignty means that data stored in a German AWS region is subject to German/EU law (GDPR), while data in a US region is subject to US law (CLOUD Act). Organizations must carefully select cloud regions and understand how cross-border data transfers affect their legal obligations.
IncorrectA: Digital data is subject to the laws, regulations, and privacy mandates of the specific country or region in which it is physically stored
Data sovereignty means that data stored in a German AWS region is subject to German/EU law (GDPR), while data in a US region is subject to US law (CLOUD Act). Organizations must carefully select cloud regions and understand how cross-border data transfers affect their legal obligations.
12In cloud cryptography, what is the primary function of a Key Management Service (KMS)?
CorrectB: To securely generate, store, rotate, and manage the cryptographic keys used to encrypt data across the cloud environment
AWS KMS, Azure Key Vault, and GCP Cloud KMS provide FIPS 140-2 validated hardware-backed key storage. They enable automatic key rotation, fine-grained access control over key usage, audit logging of every cryptographic operation, and integration with native cloud encryption services.
IncorrectB: To securely generate, store, rotate, and manage the cryptographic keys used to encrypt data across the cloud environment
AWS KMS, Azure Key Vault, and GCP Cloud KMS provide FIPS 140-2 validated hardware-backed key storage. They enable automatic key rotation, fine-grained access control over key usage, audit logging of every cryptographic operation, and integration with native cloud encryption services.
13What is "Envelope Encryption"?
CorrectC: Encrypting plaintext data with a Data Encryption Key (DEK), and then subsequently encrypting that DEK with a highly secured Key Encryption Key (KEK)
Envelope encryption separates data encryption from key protection: the DEK (unique per object, generated locally) encrypts data; the KEK (stored in KMS) encrypts the DEK. Only the small encrypted DEK is stored next to the data β the master KEK never leaves the HSM-backed KMS.
IncorrectC: Encrypting plaintext data with a Data Encryption Key (DEK), and then subsequently encrypting that DEK with a highly secured Key Encryption Key (KEK)
Envelope encryption separates data encryption from key protection: the DEK (unique per object, generated locally) encrypts data; the KEK (stored in KMS) encrypts the DEK. Only the small encrypted DEK is stored next to the data β the master KEK never leaves the HSM-backed KMS.
14Which severe vulnerability occurs when a cloud application is tricked into making an unauthorized HTTP request to an internal, restricted resource (like the cloud metadata service)?
CorrectD: Server-Side Request Forgery (SSRF)
SSRF in cloud environments is particularly dangerous: attacking the Instance Metadata Service (IMDS at 169.254.169.254) retrieves IAM role credentials, allowing complete account takeover. The Capital One breach exploited SSRF to steal over 100 million customer records from S3.
IncorrectD: Server-Side Request Forgery (SSRF)
SSRF in cloud environments is particularly dangerous: attacking the Instance Metadata Service (IMDS at 169.254.169.254) retrieves IAM role credentials, allowing complete account takeover. The Capital One breach exploited SSRF to steal over 100 million customer records from S3.
15What is the primary purpose of Container Image Scanning in a CI/CD pipeline?
CorrectA: To analyze the static contents of a container image for known vulnerabilities (CVEs), embedded secrets, and malware before it is allowed to run
Image scanning tools (Trivy, Grype, AWS ECR scanning, Snyk) analyze every layer of a container image against CVE databases before it enters production, also detecting hardcoded secrets, dangerous base image versions, and malicious file signatures β a critical shift-left security gate.
IncorrectA: To analyze the static contents of a container image for known vulnerabilities (CVEs), embedded secrets, and malware before it is allowed to run
Image scanning tools (Trivy, Grype, AWS ECR scanning, Snyk) analyze every layer of a container image against CVE databases before it enters production, also detecting hardcoded secrets, dangerous base image versions, and malicious file signatures β a critical shift-left security gate.
16In a microservices architecture using a Service Mesh, what is the "Sidecar" pattern?
CorrectB: Deploying a dedicated network proxy alongside every application container to handle secure communication, mTLS, and observability, decoupling these functions from the application code
In Istio/Linkerd, an Envoy sidecar proxy is auto-injected into every pod. It intercepts all inbound and outbound traffic, enforces mTLS between services without requiring application code changes, applies authorization policies, and emits telemetry for observability.
IncorrectB: Deploying a dedicated network proxy alongside every application container to handle secure communication, mTLS, and observability, decoupling these functions from the application code
In Istio/Linkerd, an Envoy sidecar proxy is auto-injected into every pod. It intercepts all inbound and outbound traffic, enforces mTLS between services without requiring application code changes, applies authorization policies, and emits telemetry for observability.
17How do API Gateways enhance the security of cloud-native applications?
CorrectC: By providing a centralized point to enforce rate limiting, authentication, authorization, and traffic filtering before requests reach backend microservices
API Gateways (AWS API Gateway, Kong, Apigee) act as the front door for all external traffic: validating JWT/OAuth tokens, enforcing rate limits to prevent abuse, blocking malformed requests, applying WAF rules for OWASP Top 10 protections, and routing to the correct backend service.
IncorrectC: By providing a centralized point to enforce rate limiting, authentication, authorization, and traffic filtering before requests reach backend microservices
API Gateways (AWS API Gateway, Kong, Apigee) act as the front door for all external traffic: validating JWT/OAuth tokens, enforcing rate limits to prevent abuse, blocking malformed requests, applying WAF rules for OWASP Top 10 protections, and routing to the correct backend service.
18Which of the following is a critical control for securing a CI/CD (Continuous Integration/Continuous Deployment) pipeline?
CorrectD: Implementing strict role-based access control, requiring code review approvals, and tightly securing the secrets used by the pipeline agents
CI/CD pipelines have broad permissions to deploy to production β making them high-value attack targets. Critical controls include: branch protection rules requiring signed commits and PR approvals, secrets stored in a vault (not in env vars), pipeline agents running with least-privilege roles, and build artifact signing.
IncorrectD: Implementing strict role-based access control, requiring code review approvals, and tightly securing the secrets used by the pipeline agents
CI/CD pipelines have broad permissions to deploy to production β making them high-value attack targets. Critical controls include: branch protection rules requiring signed commits and PR approvals, secrets stored in a vault (not in env vars), pipeline agents running with least-privilege roles, and build artifact signing.
19While OAuth 2.0 is primarily designed for delegated authorization, which protocol is built on top of it to handle user authentication (identity)?
CorrectA: OpenID Connect (OIDC)
OpenID Connect (OIDC) extends OAuth 2.0 by adding an ID Token (a signed JWT) containing user identity claims. It is the modern standard for cloud SSO, used by AWS Cognito, Azure AD, and GCP Identity to federate identity across services and applications.
IncorrectA: OpenID Connect (OIDC)
OpenID Connect (OIDC) extends OAuth 2.0 by adding an ID Token (a signed JWT) containing user identity claims. It is the modern standard for cloud SSO, used by AWS Cognito, Azure AD, and GCP Identity to federate identity across services and applications.
20What is the cloud-native equivalent of a traditional on-premises firewall rule that controls inbound and outbound traffic at the VM or subnet level?
CorrectB: A Security Group or Network Security Group (NSG)
Security Groups (AWS) and NSGs (Azure) are stateful virtual firewalls assigned to individual VMs or subnets, defining allowed inbound and outbound traffic by port, protocol, and source/destination CIDR. They are the primary network access control mechanism in cloud environments.
IncorrectB: A Security Group or Network Security Group (NSG)
Security Groups (AWS) and NSGs (Azure) are stateful virtual firewalls assigned to individual VMs or subnets, defining allowed inbound and outbound traffic by port, protocol, and source/destination CIDR. They are the primary network access control mechanism in cloud environments.
Cloud Security β Advanced
1In AWS, how does the Instance Metadata Service version 2 (IMDSv2) mitigate the risk of Server-Side Request Forgery (SSRF) attacks compared to IMDSv1?
CorrectB: It requires a session-oriented flow where a PUT request must first retrieve a temporary token, which is then passed in a specific header for subsequent GET requests
IMDSv1 was a simple GET request β trivially exploitable via SSRF. IMDSv2 adds a session layer: the attacker must first issue a PUT request (which most SSRF vulnerabilities cannot do) to receive a TTL-limited token, then include it as an X-aws-ec2-metadata-token header. This extra step defeats most SSRF chains.
IncorrectB: It requires a session-oriented flow where a PUT request must first retrieve a temporary token, which is then passed in a specific header for subsequent GET requests
IMDSv1 was a simple GET request β trivially exploitable via SSRF. IMDSv2 adds a session layer: the attacker must first issue a PUT request (which most SSRF vulnerabilities cannot do) to receive a TTL-limited token, then include it as an X-aws-ec2-metadata-token header. This extra step defeats most SSRF chains.
2What is the fundamental technological achievement of "Confidential Computing" (e.g., AWS Nitro Enclaves, Intel SGX)?
CorrectD: Utilizing hardware-based Trusted Execution Environments (TEEs) to isolate and encrypt data in use (in memory) so that even the hypervisor or cloud provider cannot access it
Confidential Computing addresses the "data in use" problem β data must be decrypted to be processed, traditionally exposing it to the provider. TEEs (Intel SGX, AMD SEV, ARM TrustZone) create hardware-encrypted memory enclaves with remote attestation, ensuring even a compromise hypervisor cannot read the data.
IncorrectD: Utilizing hardware-based Trusted Execution Environments (TEEs) to isolate and encrypt data in use (in memory) so that even the hypervisor or cloud provider cannot access it
Confidential Computing addresses the "data in use" problem β data must be decrypted to be processed, traditionally exposing it to the provider. TEEs (Intel SGX, AMD SEV, ARM TrustZone) create hardware-encrypted memory enclaves with remote attestation, ensuring even a compromise hypervisor cannot read the data.
3In advanced cloud-native security, what does eBPF (Extended Berkeley Packet Filter) allow security tools to do?
CorrectA: Safely run sandboxed programs within the OS kernel without changing kernel source code, providing deep, high-performance observability and security enforcement for containers and microservices
eBPF revolutionized cloud-native security by enabling runtime hooks into the Linux kernel (syscalls, network events, file operations) without kernel module risk. Tools like Falco, Cilium, and Tetragon use eBPF for zero-overhead threat detection, network policy enforcement, and tracing at unprecedented granularity.
IncorrectA: Safely run sandboxed programs within the OS kernel without changing kernel source code, providing deep, high-performance observability and security enforcement for containers and microservices
eBPF revolutionized cloud-native security by enabling runtime hooks into the Linux kernel (syscalls, network events, file operations) without kernel module risk. Tools like Falco, Cilium, and Tetragon use eBPF for zero-overhead threat detection, network policy enforcement, and tracing at unprecedented granularity.
4What is the modern mechanism used in Kubernetes to enforce pod security configurations (e.g., preventing containers from running as root), replacing the deprecated PodSecurityPolicies (PSP)?
CorrectC: Pod Security Admission (PSA) and Pod Security Standards (PSS)
PSPs were deprecated in Kubernetes 1.21 and removed in 1.25. The replacement is Pod Security Admission with three built-in Pod Security Standards: Privileged (unrestricted), Baseline (minimal restrictions), and Restricted (maximum security) β enforced as admission controller labels on namespaces.
IncorrectC: Pod Security Admission (PSA) and Pod Security Standards (PSS)
PSPs were deprecated in Kubernetes 1.21 and removed in 1.25. The replacement is Pod Security Admission with three built-in Pod Security Standards: Privileged (unrestricted), Baseline (minimal restrictions), and Restricted (maximum security) β enforced as admission controller labels on namespaces.
5What is the "Confused Deputy" problem in cloud IAM architecture?
CorrectB: A vulnerability where an attacker tricks a highly-privileged service (the deputy) into performing an action on the attacker's behalf, utilizing the service's privileges rather than the attacker's
The Confused Deputy is a classic privilege escalation: if Service A (high privileges) trusts anyone calling its API, Attacker B (low privileges) can craft a request causing Service A to perform privileged actions on the attacker's behalf. In AWS, this occurs in cross-account role assumption without ExternalId validation.
IncorrectB: A vulnerability where an attacker tricks a highly-privileged service (the deputy) into performing an action on the attacker's behalf, utilizing the service's privileges rather than the attacker's
The Confused Deputy is a classic privilege escalation: if Service A (high privileges) trusts anyone calling its API, Attacker B (low privileges) can craft a request causing Service A to perform privileged actions on the attacker's behalf. In AWS, this occurs in cross-account role assumption without ExternalId validation.
6In AWS, what specific mechanism is explicitly designed to prevent the "Confused Deputy" problem during cross-account IAM role assumption?
CorrectA: Utilizing the ExternalId condition key in the role's trust policy
The ExternalId is a secret known only to the customer and the trusted service. The role's trust policy requires Condition: {"StringEquals": {"sts:ExternalId": "customer-secret-value"}}. Even if an attacker knows the role ARN, they cannot assume it without the ExternalId β preventing the confused deputy scenario.
IncorrectA: Utilizing the ExternalId condition key in the role's trust policy
The ExternalId is a secret known only to the customer and the trusted service. The role's trust policy requires Condition: {"StringEquals": {"sts:ExternalId": "customer-secret-value"}}. Even if an attacker knows the role ARN, they cannot assume it without the ExternalId β preventing the confused deputy scenario.
7Which of the following configurations presents the highest risk of a "Container Escape," allowing an attacker to break out of the container and compromise the underlying host node?
CorrectD: Running the container with the --privileged flag or overly permissive capabilities (e.g., CAP_SYS_ADMIN)
--privileged grants the container nearly all Linux kernel capabilities, effectively giving it the same access as root on the host. CAP_SYS_ADMIN alone enables namespace escapes, cgroup manipulation, and device mounting. These are the primary vectors in known container escape CVEs (runc CVE-2019-5736, Kubernetes CVE-2022-0492).
IncorrectD: Running the container with the --privileged flag or overly permissive capabilities (e.g., CAP_SYS_ADMIN)
--privileged grants the container nearly all Linux kernel capabilities, effectively giving it the same access as root on the host. CAP_SYS_ADMIN alone enables namespace escapes, cgroup manipulation, and device mounting. These are the primary vectors in known container escape CVEs (runc CVE-2019-5736, Kubernetes CVE-2022-0492).
8If an attacker compromises a Kubernetes worker node, what is a common technique they use to achieve lateral movement across the entire cluster?
CorrectC: Extracting the highly privileged Service Account tokens belonging to the Kubelet or other pods running on that compromised node to query the central API server
Every pod has a Service Account token auto-mounted at /var/run/secrets/kubernetes.io/serviceaccount/token. If a high-privilege pod runs on the compromised node, its token grants API server access to read secrets, escalate privileges, or create pods on other nodes. Disabling auto-mount and using least-privilege RBAC mitigates this.
IncorrectC: Extracting the highly privileged Service Account tokens belonging to the Kubelet or other pods running on that compromised node to query the central API server
Every pod has a Service Account token auto-mounted at /var/run/secrets/kubernetes.io/serviceaccount/token. If a high-privilege pod runs on the compromised node, its token grants API server access to read secrets, escalate privileges, or create pods on other nodes. Disabling auto-mount and using least-privilege RBAC mitigates this.
9What is "Homomorphic Encryption," a cutting-edge concept heavily researched for cloud security?
CorrectB: A form of encryption that allows complex mathematical operations to be performed directly on ciphertext, generating an encrypted result without ever exposing the plaintext
Fully Homomorphic Encryption (FHE) is the theoretical holy grail of cloud privacy: a cloud provider could perform analytics on encrypted customer data and return an encrypted result β without ever seeing the plaintext. Current implementations (Microsoft SEAL, IBM HElib) are orders of magnitude slower than plaintext computation, limiting practical use.
IncorrectB: A form of encryption that allows complex mathematical operations to be performed directly on ciphertext, generating an encrypted result without ever exposing the plaintext
Fully Homomorphic Encryption (FHE) is the theoretical holy grail of cloud privacy: a cloud provider could perform analytics on encrypted customer data and return an encrypted result β without ever seeing the plaintext. Current implementations (Microsoft SEAL, IBM HElib) are orders of magnitude slower than plaintext computation, limiting practical use.
10What is the key distinction between Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) in cloud cryptography?
CorrectA: In BYOK, you generate the key but the cloud provider manages it in their KMS; in HYOK, the key never leaves your on-premises HSM, giving you absolute control but breaking native cloud search/indexing features
BYOK: customer generates the key material, imports it to the cloud KMS β but the provider still manages it. HYOK (used in Microsoft Purview Double Key Encryption): the key never leaves customer premises; decryption requires reaching the customer's on-premises key server. HYOK prevents even Microsoft from accessing the data, at the cost of cloud-native features.
IncorrectA: In BYOK, you generate the key but the cloud provider manages it in their KMS; in HYOK, the key never leaves your on-premises HSM, giving you absolute control but breaking native cloud search/indexing features
BYOK: customer generates the key material, imports it to the cloud KMS β but the provider still manages it. HYOK (used in Microsoft Purview Double Key Encryption): the key never leaves customer premises; decryption requires reaching the customer's on-premises key server. HYOK prevents even Microsoft from accessing the data, at the cost of cloud-native features.
11Which advanced attack vector involves an attacker manipulating global internet routing tables to redirect a cloud provider's traffic through an attacker-controlled network?
CorrectC: BGP (Border Gateway Protocol) Hijacking
BGP Hijacking occurs when a malicious AS announces more specific routes for IP prefixes it doesn't own, causing other ASes to route traffic through the attacker. Historical examples include the 2010 China Telecom hijack of US military traffic and the 2022 Cloudflare/AWS prefix hijacks, demonstrating the internet routing infrastructure's inherent lack of origin validation.
IncorrectC: BGP (Border Gateway Protocol) Hijacking
BGP Hijacking occurs when a malicious AS announces more specific routes for IP prefixes it doesn't own, causing other ASes to route traffic through the attacker. Historical examples include the 2010 China Telecom hijack of US military traffic and the 2022 Cloudflare/AWS prefix hijacks, demonstrating the internet routing infrastructure's inherent lack of origin validation.
12In Kubernetes Role-Based Access Control (RBAC), what is the functional difference between a RoleBinding and a ClusterRoleBinding?
CorrectD: A RoleBinding grants permissions strictly within a specific namespace; a ClusterRoleBinding grants permissions globally across all namespaces in the cluster
Namespace-scoped RoleBindings are the least-privilege choice for multi-tenant clusters β a developer role bound in namespace "dev" cannot access "prod." ClusterRoleBindings grant cluster-wide permissions including non-namespaced resources (Nodes, PersistentVolumes, ClusterRoles) and should be reserved for platform operators.
IncorrectD: A RoleBinding grants permissions strictly within a specific namespace; a ClusterRoleBinding grants permissions globally across all namespaces in the cluster
Namespace-scoped RoleBindings are the least-privilege choice for multi-tenant clusters β a developer role bound in namespace "dev" cannot access "prod." ClusterRoleBindings grant cluster-wide permissions including non-namespaced resources (Nodes, PersistentVolumes, ClusterRoles) and should be reserved for platform operators.
13What is a critical security risk associated with the "execution environment reuse" (warm starts) of serverless functions?
CorrectB: If a function does not properly sanitize its temporary local storage (/tmp) or global variables before terminating, sensitive data from a previous execution could leak to a subsequent execution
AWS Lambda reuses execution environments ("warm containers") for performance. If a function caches database credentials, PII, or cryptographic material in global variables or /tmp, a subsequent invocation β potentially from a different user β may read that data. Functions must treat global state as potentially contaminated.
IncorrectB: If a function does not properly sanitize its temporary local storage (/tmp) or global variables before terminating, sensitive data from a previous execution could leak to a subsequent execution
AWS Lambda reuses execution environments ("warm containers") for performance. If a function caches database credentials, PII, or cryptographic material in global variables or /tmp, a subsequent invocation β potentially from a different user β may read that data. Functions must treat global state as potentially contaminated.
14In AWS IAM, what is the difference between an Identity-Based Policy and a Resource-Based Policy?
CorrectA: An identity policy is attached to a user or role to define what they can do; a resource policy is attached directly to a resource (like an S3 bucket) to define who can access it
Identity-based policies travel with the principal (user/role) and list allowed/denied actions. Resource-based policies are attached to the resource itself (S3, KMS, SQS) and specify which principals can access it β enabling cross-account access without role assumption by explicitly listing external account ARNs.
IncorrectA: An identity policy is attached to a user or role to define what they can do; a resource policy is attached directly to a resource (like an S3 bucket) to define who can access it
Identity-based policies travel with the principal (user/role) and list allowed/denied actions. Resource-based policies are attached to the resource itself (S3, KMS, SQS) and specify which principals can access it β enabling cross-account access without role assumption by explicitly listing external account ARNs.
15How does a Service Mesh (like Istio) fundamentally implement Mutual TLS (mTLS) between microservices?
CorrectD: By injecting sidecar proxies that automatically intercept traffic, request ephemeral certificates from a central Certificate Authority (CA), and handle the cryptographic handshake transparently to the application
Istio's Citadel (now istiod) acts as an internal CA, auto-issuing short-lived X.509 certificates to every service's Envoy sidecar via the gRPC-based SDS (Secret Discovery Service). The sidecars perform mTLS transparently β the application code never handles certificates, and certificates rotate automatically (default: 24h).
IncorrectD: By injecting sidecar proxies that automatically intercept traffic, request ephemeral certificates from a central Certificate Authority (CA), and handle the cryptographic handshake transparently to the application
Istio's Citadel (now istiod) acts as an internal CA, auto-issuing short-lived X.509 certificates to every service's Envoy sidecar via the gRPC-based SDS (Secret Discovery Service). The sidecars perform mTLS transparently β the application code never handles certificates, and certificates rotate automatically (default: 24h).
16Which of the following represents a high-severity risk unique to cloud environments regarding Environment Variables?
CorrectC: Developers frequently use them to store plaintext secrets (like API keys or database passwords), which can be easily exposed if the application crashes, is debugged, or if Server-Side Request Forgery is achieved
Environment variables in cloud functions/containers are a common secret anti-pattern: they appear in crash dumps, process listings (/proc/self/environ), container inspection outputs, and SSRF exploitation. Best practice is to retrieve secrets at runtime from a secrets manager (AWS Secrets Manager, HashiCorp Vault) rather than injecting them as environment variables.
IncorrectC: Developers frequently use them to store plaintext secrets (like API keys or database passwords), which can be easily exposed if the application crashes, is debugged, or if Server-Side Request Forgery is achieved
Environment variables in cloud functions/containers are a common secret anti-pattern: they appear in crash dumps, process listings (/proc/self/environ), container inspection outputs, and SSRF exploitation. Best practice is to retrieve secrets at runtime from a secrets manager (AWS Secrets Manager, HashiCorp Vault) rather than injecting them as environment variables.
17In a GitOps architecture, what happens if an administrator manually modifies a cloud firewall rule via the web console instead of updating the central Git repository?
CorrectA: The GitOps continuous delivery agent (e.g., ArgoCD) will detect the "drift" and automatically revert the manual change, restoring the infrastructure to match the declared state in Git
GitOps tools (ArgoCD, Flux) continuously reconcile the deployed state against the Git-declared state. Out-of-band changes (console clicks, manual CLI changes) are detected as "drift" and reverted β enforcing immutable infrastructure and providing a complete, auditable change history through Git commits.
IncorrectA: The GitOps continuous delivery agent (e.g., ArgoCD) will detect the "drift" and automatically revert the manual change, restoring the infrastructure to match the declared state in Git
GitOps tools (ArgoCD, Flux) continuously reconcile the deployed state against the Git-declared state. Out-of-band changes (console clicks, manual CLI changes) are detected as "drift" and reverted β enforcing immutable infrastructure and providing a complete, auditable change history through Git commits.
18How can an advanced attacker attempt to hide their tracks after compromising a cloud environment?
CorrectB: By tampering with or deleting CloudTrail (AWS) or Cloud Audit Logs (GCP), assuming they have acquired the excessive permissions necessary to do so
CloudTrail/Audit Logs record every API call β the attacker's primary evidence trail. Sophisticated attackers attempt to StopLogging, DeleteTrail, or modify S3 bucket policies to delete log files. Defense: enable CloudTrail log file validation, send logs to an immutable S3 bucket with Object Lock, and alert on any logging-modification API call.
IncorrectB: By tampering with or deleting CloudTrail (AWS) or Cloud Audit Logs (GCP), assuming they have acquired the excessive permissions necessary to do so
CloudTrail/Audit Logs record every API call β the attacker's primary evidence trail. Sophisticated attackers attempt to StopLogging, DeleteTrail, or modify S3 bucket policies to delete log files. Defense: enable CloudTrail log file validation, send logs to an immutable S3 bucket with Object Lock, and alert on any logging-modification API call.
19An attacker intercepts an API request GET /api/user/v1/invoice?id=800 and changes it to id=801, successfully accessing another customer's cloud invoice. What specific cloud API vulnerability is this?
CorrectD: Insecure Direct Object Reference (IDOR) / Broken Object Level Authorization (BOLA)
IDOR/BOLA (OWASP API Security Top 10 #1) occurs when the API grants access based on a user-controlled reference (the invoice ID) without verifying that the authenticated user is authorized to access that specific object. The fix: server-side authorization checks verifying the requesting user owns resource ID 801.
IncorrectD: Insecure Direct Object Reference (IDOR) / Broken Object Level Authorization (BOLA)
IDOR/BOLA (OWASP API Security Top 10 #1) occurs when the API grants access based on a user-controlled reference (the invoice ID) without verifying that the authenticated user is authorized to access that specific object. The fix: server-side authorization checks verifying the requesting user owns resource ID 801.
20What is the Open Policy Agent (OPA) typically used for in cloud-native ecosystems?
CorrectC: To provide a unified, decoupled policy engine that uses the Rego language to enforce granular, context-aware authorization policies across microservices, Kubernetes, and CI/CD pipelines
OPA decouples policy decision logic from service code: services query OPA's REST API with input (user, action, resource) and receive an allow/deny decision based on Rego policies. In Kubernetes, OPA Gatekeeper is used as an admission controller to enforce policies like "no images from unregistered registries" or "all pods must have resource limits."
IncorrectC: To provide a unified, decoupled policy engine that uses the Rego language to enforce granular, context-aware authorization policies across microservices, Kubernetes, and CI/CD pipelines
OPA decouples policy decision logic from service code: services query OPA's REST API with input (user, action, resource) and receive an allow/deny decision based on Rego policies. In Kubernetes, OPA Gatekeeper is used as an admission controller to enforce policies like "no images from unregistered registries" or "all pods must have resource limits."
Conclusion: Securing Your Cloud Strategy
Cloud security is not a single product or tool β it is a continuous discipline spanning architecture, identity governance, and operational hardening. These 60 MCQs span the foundational concepts through practical deployment security to advanced threat models including container security, zero-trust in clouds, and DevSecOps pipelines.
The questions reflect real-world scenarios faced by security teams securing AWS, Azure, and GCP environments β from misconfiguration detection and privilege escalation vectors to lateral movement between cloud services.
Revisit questions you missed, pair this practice test with the full Cloud Security Theory Guide, and use CSPM tools in your own cloud environment to reinforce these concepts.
Key Takeaways β Cloud Security
- Shared Responsibility Model: Provider secures the cloud (infrastructure, hypervisor); customer secures in the cloud (OS, apps, data, IAM).
- Service Model Shifts Responsibility: IaaS customer manages most; PaaS reduces customer burden; SaaS provider handles most security.
- Identity is the New Perimeter: In the cloud, IAM (Identity and Access Management) replaces traditional network firewalls as the primary boundary. Least privilege and MFA are critical.
- Misconfigurations cause most breaches: Public S3 buckets, open security groups, and excessive IAM permissions are the root cause of most cloud incidents. Use CSPM to detect these continuously.
- Encryption is mandatory: Always use encryption at rest (KMS, AES-256) and in transit (TLS, VPN, Direct Connect). Bring Your Own Key (BYOK) gives customers ultimate control over their data.
- Serverless β Security-less: You don't manage the underlying OS, but you must still secure the application code, IAM execution roles, and resource policies.
- Zero Trust Architecture: "Never trust, always verify." Continuous authentication, micro-segmentation, and assuming breach are the core tenets.
Use this table to consolidate cloud security patterns and controls before or after attempting the questions above.
| Cloud Security Concept | Purpose / Risk Mitigated | Key Implementation |
|---|---|---|
| Shared Responsibility Model | Clarifies security accountability | Provider: infrastructure; Customer: apps, data, IAM |
| Identity & Access Management (IAM) | Prevents unauthorized access & privilege escalation | Role-based access control (RBAC), least privilege, MFA |
| Cloud Security Posture Management (CSPM) | Detects misconfigurations at scale | Continuous scanning of S3, security groups, encryption status |
| Cloud Workload Protection Platform (CWPP) | Runtime protection against malware & intrusions | File integrity monitoring, behavior analysis, threat detection |
| Encryption at Rest | Protects data in storage from disclosure | BYOK (bring your own key) with KMS; AES-256 for databases |
| Encryption in Transit | Protects data in flight over networks | TLS/SSL for API calls; mTLS for service-to-service |
| Network Segmentation | Limits lateral movement between cloud resources | Security groups, NACLs, VPC subnets, service mesh (Istio) |
| Cloud Access Security Broker (CASB) | Enforces DLP policies on SaaS applications | Intercept traffic; encrypt sensitive data; anomaly detection |
| OPA (Open Policy Agent) | Enforces fine-grained authorization policies | Kubernetes admission controller; microservice policy engine |
| Zero Trust Architecture | Continuous verification; assume breach | Explicit trust decisions; monitor every request; segment networks |
Frequently Asked Questions
Q. What is the Shared Responsibility Model in cloud security?
Q. What are the key differences between IaaS, PaaS, and SaaS in terms of security responsibility?
Q. What is a Cloud Access Security Broker (CASB) and what security problems does it solve?
Q. What are cloud misconfigurations and why are they a critical security risk?
Q. How does the principle of least privilege apply to cloud IAM?
Q. What is a hypervisor and why is its security foundational to cloud security?
Q. What is the difference between encryption at rest and encryption in transit?
Q. How do cloud security posture management (CSPM) and cloud workload protection platforms (CWPP) differ?
Struggling with some questions? Re-read the full Theory Guide: Cloud Security