ISC2 CCSP — Certified Cloud Security Professional · Domain 5 · 16% of exam

Cloud Security Operations

Drill 18 practice questions focused entirely on Cloud Security Operations for the ISC2 CCSP exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer18 questions
Question 1 of 18

A cloud operations team runs a customer-facing SaaS platform on autoscaling IaaS. Over three consecutive months, month-end batch processing has caused CPU saturation and degraded response times, even though autoscaling eventually adds capacity. The operations manager wants a repeatable ITIL-aligned process to forecast demand, model future workload growth, and ensure resources are provisioned ahead of predictable spikes rather than reacting to them. Which operational process should the team formalize to address this?

Reviewed for accuracy · Report an issue
Question 2 of 18

A cloud operations engineer discovers that a critical authentication microservice is failing intermittently in production due to an expired configuration certificate. Restoring service requires deploying a corrected configuration immediately, but the organization's ITIL-aligned change management process normally requires that all production changes be reviewed and approved by the Change Advisory Board (CAB), which meets weekly. What is the MOST appropriate way for the engineer to proceed while remaining compliant with the change management process?

Reviewed for accuracy · Report an issue
Question 3 of 18

An investigator at a SaaS customer organization must collect forensic artifacts related to a suspected account compromise. The relevant hypervisor logs, underlying storage snapshots, and network flow data reside entirely within the cloud provider's infrastructure and are not exposed through the customer's tenant console. What is the MOST appropriate first step to lawfully obtain this evidence?

Reviewed for accuracy · Report an issue
Question 4 of 18

A SOC analyst is responding to an active compromise of a running IaaS virtual machine. Management wants to preserve evidence for a potential court case while the incident is ongoing. The VM is still powered on and the attacker appears to have an active session. Following forensic best practice and the order of volatility, what should the analyst prioritize acquiring FIRST?

Reviewed for accuracy · Report an issue
Question 5 of 18

A cloud operations team maintains an approved configuration baseline for all production Linux instances, including required kernel hardening parameters and disabled legacy services. During a routine automated scan, the configuration management database (CMDB) reveals that 12 instances in an auto-scaling group have deviated from the baseline: an outdated SSH cipher suite has been re-enabled and a firewall rule was manually modified. The change is not documented in any change ticket. According to sound configuration management practice, what should the team do FIRST?

Reviewed for accuracy · Report an issue
Question 6 of 18

During an active incident, a cloud SOC analyst confirms that customer PII stored in a multi-tenant SaaS database was accessed by an unauthorized party. The incident response plan is in the containment phase, and regulatory breach-notification clocks may soon start. The analyst wants to alert affected customers immediately via a mass email to demonstrate transparency. According to sound incident management and stakeholder communication practice, what should the analyst do FIRST?

Reviewed for accuracy · Report an issue
Question 7 of 18

A forensic investigator is responding to a confirmed compromise of a cloud-hosted Linux virtual machine that is still running. The investigator has provider cooperation and legal authority to collect all available artifacts. To preserve the most fragile evidence first, in what order should the investigator prioritize collection of the following data sources?

Reviewed for accuracy · Report an issue
Question 8 of 18

A financial services company running its trading platform in a public IaaS environment discovers evidence of a potential insider fraud incident. Legal counsel instructs the cloud security team to preserve all relevant digital evidence for a possible court case. Some critical evidence resides in provider-managed logs (e.g., hypervisor and storage-layer activity) that the customer cannot directly access. What is the MOST appropriate action for the security team to ensure this evidence is admissible and properly preserved?

Reviewed for accuracy · Report an issue
Question 9 of 18

A cloud operations team repeatedly encounters an intermittent authentication timeout affecting a customer-facing SaaS portal. The root cause has been identified as a race condition in a third-party identity library, but the vendor's permanent fix will not be released for several months. In the meantime, restarting the affected pod reliably resolves each occurrence. According to ITIL practices, what is the MOST appropriate action for the operations team to take with this information?

Reviewed for accuracy · Report an issue
Question 10 of 18

A cloud operations team runs an ITIL-aligned service management process. Over the past month, the same authentication microservice has failed four separate times, each time restored quickly by restarting the container. Users report the disruptions are increasingly frequent, but no one has determined why the failures keep happening. Which ITIL process should the team engage to address this pattern most effectively?

Reviewed for accuracy · Report an issue
Question 11 of 18

A cloud operations manager at a SaaS provider notices that customers repeatedly complain that agreed response times for their tickets are not being tracked against any documented target, and there is no formal process to review whether operational performance meets what was promised to clients. The manager wants to introduce an ITIL practice that establishes measurable targets, monitors delivery against them, and drives periodic service reviews with customers. Which ITIL practice best addresses this need?

Reviewed for accuracy · Report an issue
Question 12 of 18

A cloud operations team manages a fleet of 400 IaaS virtual machines running a standardized guest OS image. A critical vendor patch has just been released. The team follows ITIL-aligned processes and wants to reduce the risk that the patch destabilizes production workloads while still meeting the emergency remediation window. Which approach best balances operational stability with timely remediation?

Reviewed for accuracy · Report an issue
Question 13 of 18

A cloud operations team follows ITIL practices and is preparing to promote a validated application change from staging into the production Kubernetes cluster. The change has already been approved by the CAB and passed configuration testing. As the release manager finalizes the deployment package, the security lead insists that one specific element must be documented and ready before the deployment window opens. Which element is MOST critical to include in the release package prior to deploying to production?

Reviewed for accuracy · Report an issue
Question 14 of 18

A cloud SOC analyst begins a shift and finds 47 open alerts in the SIEM queue. Among them: (1) an automated alert that a public S3-equivalent bucket containing customer PII was just made world-readable, (2) a failed nightly backup job on a dev workstation, (3) three brute-force login attempts against a decommissioned test account that no longer exists, and (4) a certificate expiration warning for an internal service due in 21 days. Given limited staff and the need to minimize risk, which alert should the analyst investigate and act on FIRST?

Reviewed for accuracy · Report an issue
Question 15 of 18

A cloud SOC team is correlating security events across dozens of virtual machines, containers, and managed PaaS services spread over three regions. During a recent investigation, analysts found that events from different sources appeared out of order, making it impossible to reconstruct an accurate attack timeline. Which foundational control should the SOC implement FIRST to ensure reliable cross-source event correlation?

Reviewed for accuracy · Report an issue
Question 16 of 18

A SOC team at a healthcare company runs workloads across multiple IaaS accounts in a single public cloud provider. They need to centralize security telemetry — control-plane API activity, guest OS logs, and network flow logs — into their SIEM for real-time monitoring. The cloud provider offers a native, fully managed service that streams these log sources to a subscribed destination without requiring software installation on each instance. The SOC lead wants the most operationally reliable approach that minimizes gaps in control-plane and network-layer coverage. Which approach best meets this requirement?

Reviewed for accuracy · Report an issue
Question 17 of 18

A cloud SOC team reports that analysts are missing genuine intrusion alerts because the SIEM generates thousands of low-value notifications per day, mostly from benign automated scaling events and expected health-check traffic. Investigation shows correlation rules were deployed with vendor defaults and never adjusted to the environment. Which action should the SOC manager prioritize to most directly address the underlying problem?

Reviewed for accuracy · Report an issue
Question 18 of 18

A cloud security operations team runs weekly vulnerability scans against a fleet of IaaS Linux instances. The unauthenticated network scans consistently report far fewer findings than expected, and patching teams complain the reports miss known missing OS patches confirmed by their own package inventory. The SOC lead wants scan results that accurately reflect installed software versions and missing patches on each host. Which change to the scanning approach BEST addresses this gap?

Reviewed for accuracy · Report an issue

More CCSP practice

Keep going with the other ISC2 CCSP — Certified Cloud Security Professional domains, or take a full timed mock exam.

← Back to CCSP overview