CompTIA Cloud+ Cloud Security Controls Questions and Answers

Question 1

A cloud administrator needs to enforce security policies that govern how users interact with multiple SaaS applications. The primary goals are to gain visibility into application usage, prevent sensitive data from being uploaded to unapproved cloud services, and enforce data loss prevention (DLP) policies. Which of the following security controls is BEST suited for these requirements?

Accepted Answer

Cloud Access Security Broker (CASB)

Answer

A Cloud Access Security Broker (CASB) is a security policy enforcement point that sits between cloud service consumers and cloud service providers. It provides visibility, data security, threat protection, and compliance for cloud services. Its core functions include discovering shadow IT, enforcing DLP policies, and monitoring user activity across multiple cloud applications, which directly aligns with the stated requirements.

Question 2

An organization has deployed a containerized application on a Kubernetes cluster in a public cloud. A security audit reveals that many containers are running with unnecessary root privileges, and there are no restrictions on network communication between pods. Which of the following security controls should be implemented to address these specific container security issues?

Accepted Answer

Enforcing role-based access control (RBAC) and network policies

Answer

Role-based access control (RBAC) can be used to enforce the principle of least privilege, preventing containers from running with unnecessary permissions like root. Kubernetes Network Policies allow administrators to control the traffic flow between pods, effectively segmenting the network and preventing unrestricted communication. The other options are valid security controls but do not directly address the specific issues of excessive container privileges and open inter-pod communication.

Question 3

A DevOps team is building a serverless application using function-as-a-service (FaaS). To maintain security, they need to ensure that sensitive information, such as API keys and database credentials, is not hard-coded in the function's source code or stored in environment variables. What is the MOST secure method for managing these secrets?

Accepted Answer

Pass the secrets as encrypted parameters through the API Gateway.

Answer

The most secure and recommended practice for managing secrets in a serverless architecture is to use a dedicated secrets management service. These services, such as AWS Secrets Manager or Azure Key Vault, provide centralized storage, fine-grained access control, auditing, and automatic rotation of secrets, which significantly enhances security and manageability. Storing secrets in code, deployment packages, or environment variables is insecure and violates best practices.

Question 4

A security team wants to automate the detection of misconfigurations and compliance violations across their entire multi-cloud IaaS environment. Their goal is to continuously scan for issues like publicly accessible storage buckets, overly permissive IAM policies, and unused security groups. Which type of tool is specifically designed for this purpose?

Accepted Answer

Cloud Security Posture Management (CSPM)

Answer

Cloud Security Posture Management (CSPM) tools are designed to identify and remediate misconfiguration risks and compliance violations in cloud environments. They work by continuously monitoring the configuration of cloud infrastructure services against a set of security best practices and compliance standards, which is exactly what the security team requires.

Question 5

According to the shared responsibility model for a Platform-as-a-Service (PaaS) offering, which of the following is typically the CUSTOMER'S responsibility to secure?

Accepted Answer

The applications and data deployed on the platform

Answer

In the PaaS model, the cloud provider is responsible for securing the underlying infrastructure, including the physical data center, network, servers, operating systems, and the platform runtime. The customer is responsible for securing the applications they deploy on the platform, the data those applications process, and managing user access.

CompTIA Cloud+ Practice Test

CompTIA Cloud+ Practice Test

CompTIA Cloud+ Cloud Security Controls Questions and Answers