Cloud Platform and Infrastructure Security
Drill 20 practice questions focused entirely on Cloud Platform and Infrastructure Security for the ISC2 CCSP exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A financial services company is designing its BCDR strategy for a customer-facing transaction platform hosted in a single cloud region. Business leaders mandate a Recovery Time Objective (RTO) of under 15 minutes and a Recovery Point Objective (RPO) of near-zero data loss, but they also want to avoid the full cost of duplicating the entire production environment continuously. Which cloud BCDR approach BEST meets these requirements?
A financial services company runs its production trading platform in a single cloud region and has configured asynchronous replication of application data to a second region. The BCDR plan documents a failover procedure to the secondary region, but the plan has never been exercised since it was written 18 months ago. During a recent tabletop review, the security team notes that the DNS failover automation, the promotion of the standby database, and the IAM role trust relationships in the secondary region have all changed as the environment evolved. Which action should the team prioritize to give the greatest assurance that the BCDR plan will actually work when needed?
A cloud security architect is reviewing the virtual network design for a new multi-tier IaaS application. During threat modeling, the team identifies that a compromised tenant VM on a shared virtual subnet could potentially advertise a false gateway address to redirect and intercept traffic from neighboring VMs on the same broadcast domain. Which control most directly mitigates this specific Layer 2 threat within the cloud provider's virtual network?
A financial services company runs a multi-tier application (web, application, and database tiers) across many virtual machines in a single IaaS virtual network. During a tabletop exercise, the security team notes that if any single web-tier VM is compromised, an attacker could freely reach the database VMs because all internal traffic between VMs is currently unrestricted. Perimeter firewalls only inspect north-south (ingress/egress) traffic. Which control best reduces the risk of lateral (east-west) movement between the tiers?
A cloud provider must apply an urgent security patch to the hypervisor kernel across a cluster of hosts running thousands of tenant VMs. The security team requires that the patch be applied without extended tenant downtime and without exposing running workloads to the unpatched code. Which capability of the underlying virtualization infrastructure BEST enables the provider to meet this requirement?
A cloud provider's security team wants to detect malware and rootkits running inside customer VMs on their Type 1 hypervisor platform without installing any agent inside the guest operating systems, which tenants control. They need a mechanism that observes guest memory and process state from a trusted vantage point outside the VM. Which technology best meets this requirement?
A cloud provider is designing a new multi-tenant IaaS platform and must select a virtualization approach for its compute hosts. The security architect insists that the virtualization layer expose the smallest possible attack surface and not depend on a general-purpose host operating system that could be exploited to compromise all tenant VMs. Which choice best satisfies this requirement?
A cloud security architect is reviewing the management plane for a large IaaS deployment. During an incident review, the team discovers that a compromised service account's API key was used to programmatically spin up hundreds of compute instances in minutes, driving up costs and creating orphaned resources before anyone noticed. The management plane's authentication was intact, but the abuse still succeeded. Which control would MOST directly limit the impact of this type of orchestration abuse against the management plane?
A cloud security architect for a financial services firm is concerned that administrators are making undocumented manual changes to production virtual machines through the console, causing configuration drift away from the approved hardened baseline. The firm already uses infrastructure-as-code templates to provision resources. Which approach BEST prevents this drift and enforces that all changes flow through the approved change pipeline?
A cloud security architect is designing controls for the management plane of an IaaS environment. Administrators currently connect directly to the provider's web console and API endpoints using long-lived static credentials from their laptops, which may be on untrusted networks. Compromise of a single administrator account would allow an attacker to spin up, delete, or reconfigure the entire virtual infrastructure. Which control set most directly reduces the risk of management-plane compromise?
A cloud architect is designing network controls for a three-tier web application hosted in IaaS. The web tier must accept HTTPS from the internet, the application tier should only receive traffic from the web tier, and the database tier should only be reachable from the application tier. The security team also insists on inspecting inbound HTTP payloads for SQL injection and cross-site scripting attempts. Which combination of controls BEST satisfies these requirements?
A financial services firm is designing a private cloud hosted in its own data center to run a payment processing platform that must remain available even during scheduled maintenance of power and cooling systems. The architecture team wants a facility that provides concurrently maintainable power and cooling paths (N+1 redundancy) so any single component can be taken offline for service without disrupting the IT load, but they do not require the cost of fully fault-tolerant (2N) infrastructure. Which Uptime Institute data center tier best matches this requirement?
A cloud architect is provisioning infrastructure in an IaaS environment for a transactional relational database that requires low-latency, high-throughput persistent disk access and the ability to attach volumes directly to individual virtual machine instances as raw block devices. Which cloud storage type best meets these requirements?
A cloud provider is designing the storage backend for a new high-performance block storage service. The architecture team is debating between a tightly coupled and a loosely coupled storage cluster design. Management requires the design to deliver the highest performance and strongest data consistency for latency-sensitive database workloads, even if this constrains how large the cluster can grow. Which storage cluster architecture best meets these requirements, and what is the primary trade-off the team must accept?
A cloud infrastructure architect is designing a new IaaS zone that will present block storage to hypervisor hosts over an IP-based iSCSI storage network. During testing, throughput to the storage array is far below the array's rated capacity, and packet captures show heavy TCP retransmissions and fragmentation on the storage VLAN, which shares the same physical switches and default MTU as general tenant traffic. Which design change should the architect prioritize to address the root cause?
A cloud provider is designing a new data center to host IaaS workloads. During the design review, an architect notes that all storage traffic for a compute cluster routes through a single storage controller with one uplink to the core network. The provider promises tenants 99.99% availability. Which design improvement most directly addresses the identified risk?
A cloud architect is designing at-rest encryption for a large object storage repository holding millions of files. To limit the performance impact of rotating master keys and to avoid re-encrypting every object when a master key changes, the team decides to encrypt each object with its own unique data encryption key, then encrypt those data encryption keys with a centrally managed master key. Which encryption design does this approach describe?
A cloud architect is designing storage for a media company's IaaS platform. Recently uploaded videos are streamed heavily for the first 30 days, after which access drops to near zero but the files must be retained for seven years for licensing compliance. The finance team is pressuring the architect to reduce object storage spend without breaking the compliance requirement or slowing down active content. Which approach best balances cost and access requirements?
A cloud provider hosts thousands of tenants on shared physical infrastructure. During a design review, the security architect must ensure that each tenant's virtual network traffic remains logically isolated from other tenants across the same underlying physical switches, even though many tenants reuse overlapping private IP address ranges (e.g., 10.0.0.0/8). Which infrastructure approach BEST achieves this isolation at the network layer?
During a security review of an IaaS environment, an analyst discovers dozens of running virtual machines that no team claims ownership of. Several are missing from the configuration management database, are running outdated OS images, and have no assigned patching schedule. The security team is concerned about the risk these systems pose. Which infrastructure risk does this situation MOST directly represent, and what is the primary security consequence?
More CCSP practice
Keep going with the other ISC2 CCSP — Certified Cloud Security Professional domains, or take a full timed mock exam.
← Back to CCSP overview