Hard CCSP practice questions
Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 16 hard questions available — no sign-up, always free.
A financial services company is designing its BCDR strategy for a customer-facing transaction platform hosted in a single cloud region. Business leaders mandate a Recovery Time Objective (RTO) of under 15 minutes and a Recovery Point Objective (RPO) of near-zero data loss, but they also want to avoid the full cost of duplicating the entire production environment continuously. Which cloud BCDR approach BEST meets these requirements?
A financial services firm must archive customer transaction records for seven years to meet regulatory requirements. The archived data is stored encrypted in a cloud object storage tier and is rarely accessed. During a compliance audit in year four, the security team discovers that some older archives cannot be decrypted because the encryption keys used to protect them were rotated and the previous key versions were destroyed after the standard 90-day key retention window. What is the MOST important consideration the team overlooked when designing the Archive phase of the data lifecycle?
A healthcare analytics team needs to run aggregate statistical queries on a large patient dataset stored in a cloud data warehouse. Regulators require that individual patient identifiers be irreversibly obscured before analysts access the data, and the analysts must still be able to count distinct patients across queries. Which data protection technique best satisfies both the irreversibility requirement AND the need to correlate the same patient across records?
A retail analytics team stores customer purchase records across two cloud databases. To comply with PCI DSS, primary account numbers (PANs) must be removed from the analytics environment, but analysts still need to join transactions belonging to the same card across both databases and count distinct cardholders. The security architect wants to preserve this ability without exposing any actual PAN values. Which data protection approach best meets these requirements?
A cloud security architect is reviewing the virtual network design for a new multi-tier IaaS application. During threat modeling, the team identifies that a compromised tenant VM on a shared virtual subnet could potentially advertise a false gateway address to redirect and intercept traffic from neighboring VMs on the same broadcast domain. Which control most directly mitigates this specific Layer 2 threat within the cloud provider's virtual network?
A US-headquartered company is subject to a US court order requiring production of documents stored by its cloud provider in a data center located in France. Company counsel notes that French blocking statutes and EU data protection law restrict the transfer of the requested personal data outside the EU. What is the MOST appropriate first step for the organization to take when responding to the eDiscovery request?
A data subject in the EU submits a valid GDPR Article 17 (right to erasure) request to an online retailer that operates entirely on a public cloud SaaS platform. The privacy officer confirms the request is legitimate and that no legal exemption to retain the data applies. When the DPO instructs the operations team to comply, the team reports that the customer's personal data also exists in encrypted incremental backups that are retained on a 90-day rolling cycle and cannot be selectively edited without corrupting the backup chain. What is the MOST appropriate way to handle the erasure obligation with respect to these backups?
A media company distributes confidential pre-release films to external review partners using an Information Rights Management (IRM) solution. Executives require that a reviewer's access to a downloaded film be automatically revoked the moment their contract ends, even if the file already resides on the reviewer's laptop. During testing, the security team discovers that some reviewers can still open protected files days after their contract termination date. Which IRM configuration issue is the MOST likely root cause?
A financial services firm is adopting a SaaS analytics platform that encrypts all tenant data at rest. Regulators require that the firm be able to revoke the provider's ability to decrypt its data at any moment, without waiting on the provider's cooperation. Which key management approach best satisfies this requirement?
A financial services company stores encrypted customer records in an IaaS environment. During a compliance review, the auditor notes that while the data is encrypted with a strong algorithm, the cloud provider's administrators technically have the ability to retrieve the encryption keys from the provider-managed key store. The security team must eliminate the risk that provider personnel could decrypt customer data while still using the provider's storage services. Which approach BEST addresses this concern?
A cloud security architect is reviewing the management plane for a large IaaS deployment. During an incident review, the team discovers that a compromised service account's API key was used to programmatically spin up hundreds of compute instances in minutes, driving up costs and creating orphaned resources before anyone noticed. The management plane's authentication was intact, but the abuse still succeeded. Which control would MOST directly limit the impact of this type of orchestration abuse against the management plane?
A cloud security architect for a financial services firm is concerned that administrators are making undocumented manual changes to production virtual machines through the console, causing configuration drift away from the approved hardened baseline. The firm already uses infrastructure-as-code templates to provision resources. Which approach BEST prevents this drift and enforces that all changes flow through the approved change pipeline?
A cloud provider is designing the storage backend for a new high-performance block storage service. The architecture team is debating between a tightly coupled and a loosely coupled storage cluster design. Management requires the design to deliver the highest performance and strongest data consistency for latency-sensitive database workloads, even if this constrains how large the cluster can grow. Which storage cluster architecture best meets these requirements, and what is the primary trade-off the team must accept?
A cloud infrastructure architect is designing a new IaaS zone that will present block storage to hypervisor hosts over an IP-based iSCSI storage network. During testing, throughput to the storage array is far below the array's rated capacity, and packet captures show heavy TCP retransmissions and fragmentation on the storage VLAN, which shares the same physical switches and default MTU as general tenant traffic. Which design change should the architect prioritize to address the root cause?
A cloud provider hosts thousands of tenants on shared physical infrastructure. During a design review, the security architect must ensure that each tenant's virtual network traffic remains logically isolated from other tenants across the same underlying physical switches, even though many tenants reuse overlapping private IP address ranges (e.g., 10.0.0.0/8). Which infrastructure approach BEST achieves this isolation at the network layer?
A retail company must share a copy of its customer transaction database with an external analytics vendor. The dataset includes primary account numbers (PANs) subject to PCI DSS. The analytics team needs to correlate transactions by the same card across time but must never see, and the company must never transmit, the actual PAN values. The company also wants to keep a secure internal ability to reverse the process to the original PAN when a fraud investigation requires it. Which data protection technique best meets these requirements?