Domain 3: Cloud Platform & Infrastructure Security Capstone Review

Domain 3 – Full Cross-Topic Review: Cloud Platform & Infrastructure Security

CCSP Domain 3 — Cloud Platform & Infrastructure Security Capstone Review: 20 Questions

This review integrates:

  • Infrastructure Components
  • Data Center & Risk
  • Controls & Continuity

Expect cross-topic scenarios that blend infrastructure, risk, and control selection.


Question 1

A healthcare company deploys patient data processing on IaaS. The hypervisor on the shared host has not been patched in 90 days. Who is responsible and what should the customer do?

A. The customer should migrate to a different host
B. The CSP is responsible; the customer should verify patching through audit reports
C. The customer should patch the hypervisor immediately
D. Both parties share hypervisor patching responsibility

Answer & reasoning

Correct: B

Hypervisor management is always the CSP’s responsibility. The customer verifies through SOC reports and contractual SLAs.

Question 2

An organization deploys containers for microservices. A kernel exploit is discovered. The security team wants to limit blast radius. What is the BEST immediate action?

A. Migrate all containers to VMs
B. Isolate affected hosts and patch the kernel
C. Restart all containers
D. Disable networking on all container hosts

Answer & reasoning

Correct: B

Since containers share the host kernel, isolating affected hosts and patching limits the blast radius. Migration to VMs is a long-term architectural decision, not an immediate response.

Question 3

A company needs DR for a cloud application. Budget allows only $500/month for DR. RTO is 4 hours and RPO is 1 hour. Which strategy fits?

A. No DR since the budget is too small
B. Pilot light with database replication and on-demand compute
C. Hot standby across three regions
D. Active-active multi-region

Answer & reasoning

Correct: B

Pilot light keeps only the database replicating (low cost), with compute spun up on demand during failover. This can achieve a 4-hour RTO and a 1-hour RPO within budget constraints.

Question 4

A security audit reveals that all cloud resources are managed through a single root account with no MFA. The account password is shared among five administrators. What is the FIRST remediation step?

A. Restrict root account access to the network perimeter
B. Enable MFA on the root account immediately
C. Change the shared password to a longer one
D. Create individual IAM accounts for each administrator

Answer & reasoning

Correct: B

Enabling MFA on the root account is the most urgent action to prevent credential compromise. Individual accounts should follow, but MFA addresses the immediate critical risk.

Question 5

An organization’s cloud storage is publicly accessible due to a misconfiguration. The CSPM tool flagged this three months ago but no action was taken. A breach occurs. What was the root cause?

A. The CSP should have blocked public access automatically
B. The CSPM tool was ineffective
C. Cloud storage cannot be made private
D. The organization failed to act on known findings

Answer & reasoning

Correct: D

Detective controls are only effective if findings are acted upon. The CSPM detected the issue; the organization’s failure to remediate was the root cause.

Question 6

A VPN tunnel between on-premises and cloud uses IPsec. A separate Direct Connect link is also in place but unencrypted. Which connection poses a confidentiality risk?

A. Both connections
B. The IPsec VPN tunnel
C. Neither connection
D. The Direct Connect link

Answer & reasoning

Correct: D

Direct Connect provides dedicated bandwidth but does not encrypt traffic by default. The IPsec VPN is encrypted. Only the Direct Connect link poses a confidentiality risk.

Question 7

A cloud customer needs to verify that their CSP’s fire suppression system uses clean agents rather than water-based systems. How should they verify this?

A. Install temperature sensors at the CSP facility
B. Review the SOC 2 Type II report covering environmental controls
C. Ask the CSP sales representative
D. Visit the data center and inspect fire suppression equipment

Answer & reasoning

Correct: B

SOC 2 Type II reports provide independent verification of environmental controls. CSP facilities are not open for customer inspection.

Question 8

An organization uses federation with SAML for cloud console access. A mobile app also needs cloud API access. What protocol should the mobile app use?

A. OAuth 2.0 with OIDC
B. LDAP
C. SAML 2.0
D. The same SAML token as the console

Answer & reasoning

Correct: A

SAML is designed for browser-based SSO. OAuth 2.0 with OIDC is the appropriate protocol for mobile application API access patterns.

Question 9

Serverless functions processing financial data have administrator-level IAM roles. A dependency vulnerability is exploited. What is the blast radius?

A. Only the function’s input data
B. Only the affected function
C. All functions in the same region
D. The entire cloud account

Answer & reasoning

Correct: D

Administrator-level roles grant unrestricted access. An exploited function with admin privileges can access every resource in the cloud account.

Question 10

A risk assessment identifies vendor lock-in as a high risk. What is the MOST effective mitigation?

A. Design applications using portable, cloud-agnostic technologies where feasible
B. Sign a longer contract for better pricing
C. Ignore the risk since all CSPs have lock-in
D. Use only proprietary CSP services

Answer & reasoning

Correct: A

Using portable technologies (containers, open standards, abstraction layers) reduces dependency on any single provider and mitigates lock-in risk.

Question 11

A data center power outage triggers UPS systems. Diesel generators fail to start. What is the MOST likely cause of this compound failure?

A. Generators are not designed for data centers
B. Insufficient maintenance and testing of generator systems
C. The power outage was too severe for any backup
D. The UPS batteries were too small

Answer & reasoning

Correct: B

Generator failure during an actual outage typically indicates inadequate maintenance and testing. Regular testing under load is essential for reliability.

Question 12

A cloud security architect must protect AI training data stored across multiple cloud storage services. What is the PRIMARY consideration?

A. Applying the same data classification and encryption controls as any sensitive data
B. Allowing public access for distributed training
C. Storing AI data without encryption for processing speed
D. Using the fastest storage tier available

Answer & reasoning

Correct: A

AI training data requires the same classification, encryption, and access controls as any other sensitive data. Processing speed does not override security requirements.

Question 13

An organization deploys across two AZs. Both AZs are in the same city. A flood affects the entire metropolitan area. What design flaw does this expose?

A. The AZs should have been in different subnets
B. Floods do not affect cloud data centers
C. Two AZs is always sufficient
D. AZs within the same metro may share common disaster risks

Answer & reasoning

Correct: D

AZs within the same metro area may share common environmental risks. Multi-region deployment across geographically diverse areas is needed for resilience against regional disasters.

Question 14

A compensating control assessment is needed because the cloud environment cannot support host-based IPS. What is an acceptable compensating approach?

A. Documenting that IPS is not needed in cloud
B. Deploying a physical IPS appliance at the office
C. Requesting the CSP to install IPS on shared infrastructure
D. Using cloud-native WAF and security group rules with enhanced logging

Answer & reasoning

Correct: D

Cloud-native WAF, security groups, and enhanced logging collectively address the same risk as host-based IPS through different mechanisms.

Question 15

After decommissioning a cloud database containing PII, what is the MOST effective data sanitization method?

A. Three-pass overwrite
B. Formatting the virtual disk
C. Cryptographic erasure
D. Requesting physical disk destruction

Answer & reasoning

Correct: C

Cryptographic erasure destroys encryption keys, rendering distributed cloud data unrecoverable. Physical destruction and overwrite are impractical for shared cloud storage.

Question 16

A security group allows all inbound traffic on all ports. The instance runs a web server that only needs ports 80 and 443. What principle is violated?

A. Separation of duties
B. Data classification
C. Least privilege
D. Defense in depth

Answer & reasoning

Correct: C

Least privilege requires granting only the minimum access necessary. A security group allowing all traffic violates this principle for a web server that only needs HTTP/HTTPS.

Question 17

An organization tests DR with annual tabletop exercises only. During an actual regional outage, the failover process fails due to expired credentials and outdated DNS records. What test type would have caught this?

A. Another tabletop exercise
B. A parallel or full interruption test
C. A risk assessment
D. A compliance audit

Answer & reasoning

Correct: B

Tabletop exercises validate procedures on paper but do not validate technical recovery. Parallel or full interruption tests would have exposed expired credentials and outdated DNS entries.

Question 18

A cloud environment uses RBAC exclusively. A new requirement mandates that users can only access production during business hours from corporate IP ranges. What additional authorization model is needed?

A. Discretionary access control
B. Attribute-based access control (ABAC)
C. No additional model is needed
D. Mandatory access control

Answer & reasoning

Correct: B

ABAC adds contextual attributes (time of day, source IP) to authorization decisions. RBAC alone cannot enforce time-based or location-based access restrictions.

Question 19

A CSP is acquired by a company headquartered in a country with mandatory government data access laws. The customer stores data subject to GDPR. What is the PRIMARY concern?

A. The CSP will automatically relocate data
B. Technical performance will degrade
C. Data sovereignty conflict between GDPR and the acquiring country’s laws
D. Service pricing will increase

Answer & reasoning

Correct: C

A CSP acquisition by a company in a jurisdiction with government data access laws creates a conflict with GDPR data protection requirements, potentially making the customer non-compliant.

Question 20

An organization wants to protect sensitive workloads from a potentially compromised cloud provider hypervisor. What is the BEST technical control?

A. More frequent vulnerability scanning
B. Additional network encryption
C. Confidential computing with hardware-based TEEs
D. Stronger password policies

Answer & reasoning

Correct: C

Confidential computing with TEEs creates hardware-isolated enclaves that protect data even from a compromised hypervisor or malicious provider.


Domain 3 Readiness Checklist

Before moving to Domain 4, confirm you can:

  • Explain the shared responsibility model across IaaS, PaaS, and SaaS
  • Distinguish hypervisor, container, and serverless isolation boundaries
  • Identify when network misconfiguration is the most likely cause of a cloud breach
  • Match data center tier classifications to availability guarantees
  • Select the appropriate risk assessment method based on available data
  • Recognize cloud-specific vulnerability categories (misconfiguration, insecure APIs, broken IAM)
  • Choose the correct control type (preventive, detective, corrective, compensating) for a scenario
  • Differentiate SAML, OAuth, and OIDC use cases
  • Design a DR strategy that matches RTO/RPO requirements to budget
  • Explain why CSP SLA credits do not equal business continuity