ISC2 CCSP — Certified Cloud Security Professional · Difficulty

Medium CCSP practice questions

Applied — put a concept to work in a realistic situation. 105 medium questions available — no sign-up, always free.

Question 1 of 25

A development team exposes a REST API for a multi-tenant cloud SaaS. During a security review, a tester finds that by changing the numeric 'accountId' parameter in the URL (e.g., /api/v1/accounts/1042/invoices), they can retrieve invoices belonging to other tenants even though the JWT they present is valid for only their own account. The endpoint authenticates the token correctly but returns data without further checks. Which control best addresses this OWASP API Security Top 10 weakness?

Reviewed for accuracy · Report an issue
Question 2 of 25

A financial services company exposes internal microservices to trusted partner banks through a cloud API gateway. Security requires that both the calling partner service AND the receiving API prove their identities cryptographically before any request payload is processed, preventing spoofed clients even if a partner's API key were leaked. Which control best satisfies this requirement?

Reviewed for accuracy · Report an issue
Question 3 of 25

A cloud operations team runs a customer-facing SaaS platform on autoscaling IaaS. Over three consecutive months, month-end batch processing has caused CPU saturation and degraded response times, even though autoscaling eventually adds capacity. The operations manager wants a repeatable ITIL-aligned process to forecast demand, model future workload growth, and ensure resources are provisioned ahead of predictable spikes rather than reacting to them. Which operational process should the team formalize to address this?

Reviewed for accuracy · Report an issue
Question 4 of 25

A cloud forensics investigator at a financial services firm is collecting log data from a CSP-managed SIEM to support an anticipated fraud lawsuit. To ensure the collected logs will be admissible and defensible in court, which control is MOST critical for the investigator to establish and document throughout the collection and handling process?

Reviewed for accuracy · Report an issue
Question 5 of 25

A cloud operations engineer discovers that a critical authentication microservice is failing intermittently in production due to an expired configuration certificate. Restoring service requires deploying a corrected configuration immediately, but the organization's ITIL-aligned change management process normally requires that all production changes be reviewed and approved by the Change Advisory Board (CAB), which meets weekly. What is the MOST appropriate way for the engineer to proceed while remaining compliant with the change management process?

Reviewed for accuracy · Report an issue
Question 6 of 25

A financial services company is preparing for its annual ISO 27001 certification audit of its cloud-hosted trading platform. The compliance manager wants an internal review conducted first to identify areas where current controls fall short of the standard's requirements before the external certification body arrives, so that remediation can occur in advance. Which audit activity best fits this objective?

Reviewed for accuracy · Report an issue
Question 7 of 25

A financial services firm is negotiating a contract with a large public IaaS provider. The firm's internal audit team insists on including a traditional 'right-to-audit' clause that would allow their auditors physical, on-site access to the provider's data centers to inspect controls whenever needed. The provider refuses this specific demand, citing the multitenant nature of its facilities. As the cloud security advisor, what should you recommend as the most practical way for the firm to obtain the required assurance over the provider's control environment?

Reviewed for accuracy · Report an issue
Question 8 of 25

A financial services firm is being audited against its own controls, many of which now depend on a SaaS provider that hosts customer transaction data. The firm's auditor requests to physically inspect the provider's data centers and run vulnerability scans against the provider's shared infrastructure. The provider refuses both requests, citing multitenancy and its own security policies. What is the MOST appropriate way for the firm to satisfy the auditor's need for assurance over the outsourced controls?

Reviewed for accuracy · Report an issue
Question 9 of 25

A financial services company runs its production trading platform in a single cloud region and has configured asynchronous replication of application data to a second region. The BCDR plan documents a failover procedure to the secondary region, but the plan has never been exercised since it was written 18 months ago. During a recent tabletop review, the security team notes that the DNS failover automation, the promotion of the standby database, and the IAM role trust relationships in the secondary region have all changed as the environment evolved. Which action should the team prioritize to give the greatest assurance that the BCDR plan will actually work when needed?

Reviewed for accuracy · Report an issue
Question 10 of 25

A retail company runs its e-commerce platform on a private cloud sized for normal traffic. During seasonal sales events, demand spikes to nearly triple the baseline for a few days. Rather than permanently over-provisioning its private infrastructure, the company wants to automatically shift the temporary overflow workload to a public cloud provider only during these peak periods, keeping sensitive customer data on-premises the rest of the time. Which deployment model and technique best describes this approach?

Reviewed for accuracy · Report an issue
Question 11 of 25

A financial services firm is negotiating a contract with a SaaS provider for a core analytics platform. During legal review, the risk officer wants to ensure the firm can retrieve all its data in a usable, non-proprietary format and migrate to another provider if the relationship ends. Which contractual provision most directly addresses this concern?

Reviewed for accuracy · Report an issue
Question 12 of 25

A financial services company stores highly sensitive customer records in a public cloud IaaS environment. As part of its data governance program, the security team is mapping controls to each phase of the cloud data lifecycle. They are now focused on the final phase, where information that has reached the end of its retention period must be rendered permanently unrecoverable. Because the underlying storage hardware is owned and multi-tenanted by the cloud provider, physical destruction of the media is not possible for the customer. Which technique is the MOST appropriate for the security team to rely on to securely address this lifecycle phase?

Reviewed for accuracy · Report an issue
Question 13 of 25

A U.S. company using a SaaS collaboration platform receives a litigation hold notice requiring it to preserve all relevant emails, chat messages, and shared documents. The legal team is concerned because the data is stored and processed entirely by the cloud provider across multiple regions, and the provider's standard retention policy auto-deletes chat logs after 90 days. What is the MOST important action the company must take to meet its eDiscovery preservation obligations?

Reviewed for accuracy · Report an issue
Question 14 of 25

An investigator at a SaaS customer organization must collect forensic artifacts related to a suspected account compromise. The relevant hypervisor logs, underlying storage snapshots, and network flow data reside entirely within the cloud provider's infrastructure and are not exposed through the customer's tenant console. What is the MOST appropriate first step to lawfully obtain this evidence?

Reviewed for accuracy · Report an issue
Question 15 of 25

A SOC analyst is responding to an active compromise of a running IaaS virtual machine. Management wants to preserve evidence for a potential court case while the incident is ongoing. The VM is still powered on and the attacker appears to have an active session. Following forensic best practice and the order of volatility, what should the analyst prioritize acquiring FIRST?

Reviewed for accuracy · Report an issue
Question 16 of 25

A development team runs a containerized microservice on a managed Kubernetes cluster in a public cloud. The service needs to read objects from a cloud object storage bucket. Currently, developers have embedded a long-lived cloud access key and secret into the container image's environment variables. A security review flags this as a risk. Which approach BEST remediates the finding while following cloud IAM best practices for application identity?

Reviewed for accuracy · Report an issue
Question 17 of 25

A mid-sized retailer wants to consume services from three different SaaS providers but lacks the internal expertise to integrate them, manage identity federation across them, and negotiate consolidated billing. They engage a third party that aggregates these services, adds single sign-on, and presents a unified portal and invoice to the retailer. According to the NIST cloud reference architecture, which role is this third party performing?

Reviewed for accuracy · Report an issue
Question 18 of 25

A large retailer is drafting a governance document to clarify accountability for its cloud initiative. The document must define the entity that periodically reviews cloud service outputs and independently confirms that the provider meets agreed standards and regulatory obligations. Which cloud computing role best matches this responsibility?

Reviewed for accuracy · Report an issue
Question 19 of 25

A financial services firm is completing a vendor risk assessment on a SaaS provider that will process regulated customer data. During the review, the security team discovers the SaaS provider relies on a separate third-party analytics company to enrich data, and that analytics company in turn uses an offshore IaaS provider for compute. The firm's regulator holds it accountable for the full processing chain. Which action best addresses the enterprise risk this arrangement creates?

Reviewed for accuracy · Report an issue
Question 20 of 25

A financial services firm relies on a SaaS trading-analytics platform. During a 14-hour provider outage, the firm lost an estimated $2.3 million in trading opportunities. When the firm reviewed the signed contract to recover damages, it found the SLA guaranteed 99.9% monthly availability with a remedy of 'service credits equal to 10% of the monthly fee for each hour of downtime beyond the commitment.' The firm's risk committee is frustrated that recovery is limited to a few thousand dollars in credits. From an enterprise risk management perspective, what is the MOST important lesson for the firm's future cloud vendor negotiations?

Reviewed for accuracy · Report an issue
Question 21 of 25

A cloud security architect is procuring a hardware firewall appliance to protect the perimeter of a new private cloud data center. Corporate policy requires that any security product selected must have been independently evaluated for the trustworthiness of its security functions against a standardized, internationally recognized assurance framework, so the assurance rating can be compared across vendors from different countries. Which certification or standard should the architect require the vendor to provide?

Reviewed for accuracy · Report an issue
Question 22 of 25

Several regional hospitals want to share a common cloud platform to exchange patient records and run shared analytics. They must all comply with the same healthcare privacy regulations and want shared governance and cost-sharing among the participating organizations, but they do not want the platform open to the general public or hosted entirely within a single hospital's data center. Which cloud deployment model best fits these requirements?

Reviewed for accuracy · Report an issue
Question 23 of 25

A cloud operations team maintains an approved configuration baseline for all production Linux instances, including required kernel hardening parameters and disabled legacy services. During a routine automated scan, the configuration management database (CMDB) reveals that 12 instances in an auto-scaling group have deviated from the baseline: an outdated SSH cipher suite has been re-enabled and a firewall rule was manually modified. The change is not documented in any change ticket. According to sound configuration management practice, what should the team do FIRST?

Reviewed for accuracy · Report an issue
Question 24 of 25

A development team is building a cloud-hosted web application that displays user-submitted comments on a public product page. During a threat modeling review, a security engineer flags that attacker-supplied comment text could be rendered directly into the HTML response, allowing malicious scripts to execute in other users' browsers. Which control most directly mitigates this OWASP-classified vulnerability?

Reviewed for accuracy · Report an issue
Question 25 of 25

A financial services company stores seven years of customer transaction archives in a cloud object storage bucket that is shared across multiple tenants under the provider's control. A customer whose retention period has legally expired requests that their specific archived data be rendered permanently unrecoverable. Because the underlying storage media is multitenant and physical destruction is impossible, which approach BEST guarantees the data is effectively destroyed?

Reviewed for accuracy · Report an issue