Security
Drill 20 practice questions focused entirely on Security for the CompTIA CV0-004 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A financial services company must retain cloud audit logs for seven years to satisfy regulatory requirements. During a recent compliance audit, investigators raised concerns that a privileged administrator could tamper with or delete logs to hide malicious activity. Which control best ensures the integrity and non-repudiation of the retained audit logs?
A financial services company must retain full control over the cryptographic key material used to encrypt data stored in a cloud provider's managed key service, per regulatory requirements. Auditors require that the company generate the key material on-premises and be able to revoke the provider's ability to use it at any time. Which approach best meets these requirements?
A cloud team manages dozens of public-facing services, each fronted by a TLS certificate that must be renewed annually. Last quarter, an expired certificate caused a customer-facing outage because no one noticed the renewal deadline. The team wants a durable solution that prevents recurrence while minimizing manual effort. Which approach BEST addresses the root cause?
A financial services company must store the root encryption keys for its payment processing platform in the cloud. Regulatory auditors require that the keys never leave a FIPS 140-2 Level 3 validated hardware boundary and that the cloud provider itself has no ability to access or export the key material. Which key management approach should the cloud engineer implement?
During a compliance audit, a security engineer discovers that an object storage bucket containing customer PII is accessible to anyone on the internet because its access control policy grants read permissions to all principals. The organization must remain compliant with data protection regulations while keeping the data available to an internal analytics application running in the same cloud account. Which action BEST remediates the exposure while preserving required functionality?
A security team discovers that after a single compromised application server in the web tier, an attacker was able to reach and pivot to database servers, internal APIs, and a logging service — all within the same subnet. The workloads all reside in one flat network segment. The team wants to limit the blast radius of any future compromise so that a breached workload cannot freely communicate with unrelated workloads. Which approach BEST addresses this requirement?
A DevOps team deploys containerized microservices to a managed Kubernetes cluster. During a recent security review, auditors discovered that several running containers were built from base images containing known critical CVEs. The team wants to prevent vulnerable images from ever reaching production while minimizing manual effort. Which control BEST addresses this requirement?
A security review of a Kubernetes production cluster finds that several application containers run as the root user and can write to the host filesystem through mounted volumes. A recent penetration test showed that a compromised container could escalate to the underlying node. Which control should the security team prioritize to reduce the impact of a container compromise?
A company acquires a partner organization that uses a separate cloud provider account. Developers from the partner need occasional read-only access to a set of resources in the company's account. Security policy prohibits creating long-lived credentials or sharing account root access. Which approach best satisfies these requirements?
A healthcare company stores patient records in a cloud provider's managed object storage. Compliance auditors require that even the cloud provider's own administrators and support staff be technically incapable of decrypting the data, and the company must retain full control over the encryption keys within their on-premises facility. Which approach best satisfies this requirement?
A financial services company stores sensitive customer records in a cloud object storage bucket. A new compliance mandate requires that the organization retain full control over the encryption keys, be able to revoke access to all encrypted data instantly, and enforce automatic annual key rotation. The security team wants to minimize operational overhead while meeting these requirements. Which approach BEST satisfies the mandate?
A financial services company stores customer records across multiple cloud object storage buckets and databases. Auditors found that sensitive PII was being copied into buckets intended for non-sensitive analytics data, and no controls prevented this. The security team wants an automated, scalable way to identify sensitive data as it lands and enforce handling rules that block or quarantine misplaced PII. Which approach best addresses this requirement?
A financial services company runs a microservices application across multiple nodes in a Kubernetes cluster. A recent audit found that traffic between internal services travels unencrypted over the pod network, violating a regulatory requirement that all data in transit be encrypted regardless of network location. The security team needs to enforce encryption for all service-to-service communication with minimal changes to application code. Which solution best meets this requirement?
A financial services company stores customer PII in a managed relational database in the cloud. An auditor requires that even the cloud provider's employees cannot decrypt the stored data, and that the encryption keys are fully under the customer's control and can be revoked instantly to render the data inaccessible. Which approach best satisfies these requirements?
A financial services company allows developers to access a cloud object storage bucket containing sensitive customer records. Security requires that access to this bucket be permitted only when requests originate from the corporate VPN's public IP range, even for users who already hold valid credentials. Which approach best enforces this requirement?
A security audit of a company's managed Kubernetes cluster reveals that application credentials stored as Kubernetes Secrets are readable in plaintext by anyone with direct access to the underlying etcd datastore backups. The security team must ensure these Secrets are protected at rest without requiring developers to change how they consume Secrets in their pods. Which action BEST addresses this finding?
A security audit of your company's cloud environment reveals that an application service account has been granted a broad administrator policy, even though the application only reads objects from a single storage bucket and writes log entries to one logging service. The audit flags this as a violation of least privilege. What is the MOST appropriate remediation?
A cloud security auditor flags that several administrators can log in to the provider's management console using only a username and password. Company policy and a new compliance requirement mandate stronger protection specifically for privileged, interactive human logins to the console, without disrupting automated service-to-service API calls that use short-lived tokens. Which control should the cloud administrator implement first to address the finding?
A security team discovers that a production application stores static database credentials in an environment variable that has not changed in over two years. Compliance requires that database credentials be rotated every 30 days without application downtime, and the application must always retrieve valid credentials at runtime. Which approach best meets these requirements?
A cloud security engineer must block a specific malicious external IP address from reaching any resource within a VPC subnet that hosts multiple EC2 instances. Because security groups only support allow rules and cannot explicitly deny traffic from a single IP, the engineer needs a stateless filtering mechanism applied at the subnet boundary. Which control should be configured to accomplish this?
More CV0-004 practice
Keep going with the other CompTIA Cloud+ (CV0-004) domains, or take a full timed mock exam.
← Back to CV0-004 overview