ISC2 CCSP — Certified Cloud Security Professional · Domain 1 · 17% of exam

Cloud Concepts, Architecture and Design

Drill 20 practice questions focused entirely on Cloud Concepts, Architecture and Design for the ISC2 CCSP exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A hospital is evaluating a new cloud-based scheduling application. The CISO requires that clinicians be able to access the application from hospital workstations, personal tablets, and smartphones, using only a standard browser and standard network protocols, without installing any proprietary client software. Which NIST essential cloud characteristic most directly describes this requirement the CISO is emphasizing?

Reviewed for accuracy · Report an issue
Question 2 of 20

A cloud architect is documenting the foundational technologies that allow a provider to pool physical servers and dynamically allocate compute resources to many customers on demand. Which building-block technology most directly enables this abstraction of physical hardware into flexible, shareable resource pools?

Reviewed for accuracy · Report an issue
Question 3 of 20

A retail company runs its e-commerce platform on a private cloud sized for normal traffic. During seasonal sales events, demand spikes to nearly triple the baseline for a few days. Rather than permanently over-provisioning its private infrastructure, the company wants to automatically shift the temporary overflow workload to a public cloud provider only during these peak periods, keeping sensitive customer data on-premises the rest of the time. Which deployment model and technique best describes this approach?

Reviewed for accuracy · Report an issue
Question 4 of 20

A financial services company stores highly sensitive customer records in a public cloud IaaS environment. As part of its data governance program, the security team is mapping controls to each phase of the cloud data lifecycle. They are now focused on the final phase, where information that has reached the end of its retention period must be rendered permanently unrecoverable. Because the underlying storage hardware is owned and multi-tenanted by the cloud provider, physical destruction of the media is not possible for the customer. Which technique is the MOST appropriate for the security team to rely on to securely address this lifecycle phase?

Reviewed for accuracy · Report an issue
Question 5 of 20

A mid-sized retailer wants to consume services from three different SaaS providers but lacks the internal expertise to integrate them, manage identity federation across them, and negotiate consolidated billing. They engage a third party that aggregates these services, adds single sign-on, and presents a unified portal and invoice to the retailer. According to the NIST cloud reference architecture, which role is this third party performing?

Reviewed for accuracy · Report an issue
Question 6 of 20

A large retailer is drafting a governance document to clarify accountability for its cloud initiative. The document must define the entity that periodically reviews cloud service outputs and independently confirms that the provider meets agreed standards and regulatory obligations. Which cloud computing role best matches this responsibility?

Reviewed for accuracy · Report an issue
Question 7 of 20

A cloud security architect is procuring a hardware firewall appliance to protect the perimeter of a new private cloud data center. Corporate policy requires that any security product selected must have been independently evaluated for the trustworthiness of its security functions against a standardized, internationally recognized assurance framework, so the assurance rating can be compared across vendors from different countries. Which certification or standard should the architect require the vendor to provide?

Reviewed for accuracy · Report an issue
Question 8 of 20

Several regional hospitals want to share a common cloud platform to exchange patient records and run shared analytics. They must all comply with the same healthcare privacy regulations and want shared governance and cost-sharing among the participating organizations, but they do not want the platform open to the general public or hosted entirely within a single hospital's data center. Which cloud deployment model best fits these requirements?

Reviewed for accuracy · Report an issue
Question 9 of 20

A financial services company is migrating a payment processing application to a public cloud IaaS provider. Regulatory requirements mandate that the cryptographic modules used to protect and store encryption keys be independently certified to a U.S. government standard for physical and logical security of cryptographic hardware. Which certification should the security architect require the cloud provider's key management hardware to hold?

Reviewed for accuracy · Report an issue
Question 10 of 20

A mid-sized retailer currently runs a self-managed relational database on IaaS virtual machines. The DBA team spends significant time on OS patching, database engine upgrades, backup scripting, and replication configuration. Leadership asks the cloud architect to reduce operational overhead while keeping the same database engine, but they are concerned about losing low-level control. As part of a cost-benefit analysis, which trade-off should the architect present as the PRIMARY consideration when recommending a move to the provider's managed PaaS database service?

Reviewed for accuracy · Report an issue
Question 11 of 20

A financial analyst reviewing a SaaS collaboration platform notices that the monthly invoice varies based on the exact number of active users, storage consumed in gigabytes, and API calls made during the billing period. The provider's dashboard shows near real-time usage metrics that both parties can audit. Which essential characteristic of cloud computing, as defined by NIST SP 800-145, is most directly demonstrated by this billing arrangement?

Reviewed for accuracy · Report an issue
Question 12 of 20

A financial services company runs its workloads on a public IaaS provider that uses shared physical hosts to serve multiple customers. During a threat-modeling session, the security architect raises concern that a compromised virtual machine belonging to another tenant on the same physical server could potentially access their VM's memory or data. Which cloud building-block technology and associated risk is the architect describing, and what control primarily mitigates it?

Reviewed for accuracy · Report an issue
Question 13 of 20

A software company migrates its customer-facing web application to a Platform as a Service (PaaS) offering. The cloud provider manages the operating system, runtime, middleware, and underlying infrastructure. During a security review, the team discovers a SQL injection vulnerability in the application's input handling. Under the shared responsibility model for PaaS, who is responsible for remediating this vulnerability?

Reviewed for accuracy · Report an issue
Question 14 of 20

A national healthcare agency must deploy a new patient-records platform. Regulations require that all infrastructure be dedicated to the agency, that no other tenants share the underlying physical hosts, and that the agency retains full governance over the physical location and configuration of resources. The agency still wants cloud characteristics such as self-service provisioning and elasticity for its internal departments. Which deployment model best satisfies these requirements?

Reviewed for accuracy · Report an issue
Question 15 of 20

A fast-growing startup with limited capital wants to launch a customer-facing web application quickly. Leadership requires that the company avoid large upfront hardware purchases, pay only for what it consumes, and be able to scale to millions of users during marketing campaigns without owning any data center infrastructure. There are no specific regulatory requirements mandating dedicated hardware. Which cloud deployment model best satisfies these business drivers?

Reviewed for accuracy · Report an issue
Question 16 of 20

A video-streaming startup experiences highly variable traffic: near-idle during weekday mornings but 20x load during evening premieres. Their platform automatically scales compute resources up and down within minutes to match demand, without any human intervention or advance capacity requests. The CFO is impressed that they only ever provision what is needed at any moment. Which essential cloud computing characteristic, as defined by NIST, is MOST directly demonstrated by this automatic scaling behavior?

Reviewed for accuracy · Report an issue
Question 17 of 20

A financial services company is evaluating a public cloud provider. During due diligence, the security architect notes that the provider dynamically assigns and reassigns physical and virtual compute, storage, and network resources across many customers according to demand, and that customers generally have no knowledge or control over the exact physical location of the resources serving them. Which NIST essential characteristic of cloud computing does this description primarily illustrate?

Reviewed for accuracy · Report an issue
Question 18 of 20

A financial services company is negotiating a contract with a SaaS provider for a critical analytics platform. The CISO is concerned that if the relationship ends, the company must be able to retrieve all its data and reconstitute the service elsewhere without excessive cost or dependency on the original provider. Which pair of cloud design concepts most directly addresses this concern?

Reviewed for accuracy · Report an issue
Question 19 of 20

A financial services firm migrates its customer relationship management (CRM) system to a fully managed SaaS platform. The provider manages the application, underlying middleware, operating systems, and physical infrastructure. During a security review, the CISO asks which security responsibility the firm itself still cannot delegate to the SaaS provider under the shared responsibility model. Which responsibility remains with the customer?

Reviewed for accuracy · Report an issue
Question 20 of 20

A global healthcare analytics firm is designing a new SaaS platform. Regulators in the European Union require that personal health data of EU residents never be processed or stored outside the EU, while data for U.S. customers may reside in U.S. regions. The architecture team must ensure the platform can enforce these constraints as it scales. Which secure cloud design approach BEST satisfies these requirements?

Reviewed for accuracy · Report an issue

More CCSP practice

Keep going with the other ISC2 CCSP — Certified Cloud Security Professional domains, or take a full timed mock exam.

← Back to CCSP overview