Domain 4: Cloud Application Security Capstone Review — 48 of 70

Domain 4 – Full Cross-Topic Review: Cloud Application Security

CCSP Domain 4 — Cloud Application Security Capstone Review (20 Questions)

This review integrates:

  • AppSec Awareness & OWASP/SANS Vulnerabilities
  • Secure SDLC, Threat Modeling & Secure Coding
  • Software Assurance & Testing
  • API Security & Supply Chain
  • Architecture Components & IAM

Expect cross-topic scenarios that blend application security, testing, architecture, and identity management.


Question 1

A PaaS application has both SQL injection and an overly permissive IAM role. If exploited together, what is the impact?

A. The attacker gains database access via SQL injection AND cloud account access via the IAM role
B. Only the IAM role is exploitable
C. PaaS prevents SQL injection automatically
D. Only database data is exposed

Answer & reasoning

Correct: A

SQL injection gives the attacker the database contents. If the same foothold lets the attacker act under the application's identity (for example, by reaching the credentials of the role the application runs as), the overly permissive IAM role turns a data breach into a pivot across the cloud account. The two weaknesses compound: the injection provides the entry, the role defines how far it can be taken.

Question 2

A microservices application uses a service mesh with mTLS. A new service is deployed without enrolling it in the mesh. What is the risk?

A. mTLS is only for external traffic
B. The service mesh automatically covers all services
C. No risk since the service is internal
D. The unenrolled service bypasses authentication and authorization controls

Answer & reasoning

Correct: D

A service that is not enrolled in the mesh has no sidecar and therefore no mesh identity: its inbound traffic is not authenticated with mTLS and the mesh's authorization policies are never applied to it, which makes it an unprotected entry point. Unless the mesh enforces strict mTLS, enrolled services will also still accept plaintext calls from it. Enrollment must be mandatory, enforced at deployment time rather than left to each team, for the mesh to provide consistent security.

Question 3

A cloud application uses SCA and finds 50 vulnerable dependencies. The team has capacity to fix 10 this sprint. How should they prioritize?

A. Prioritize by CVSS score and whether the dependency is in an internet-facing component
B. Randomly select 10
C. Fix the oldest vulnerabilities first
D. Fix them alphabetically

Answer & reasoning

Correct: A

Prioritize by severity (CVSS score) and exposure (a vulnerable component reachable from the internet carries more risk than the same flaw in an internal batch job). Where the tooling reports it, whether the vulnerable code path is actually called is a further useful filter. This risk-based approach addresses the most dangerous vulnerabilities first instead of spending the sprint on age or arbitrary order.

Question 4

An SSRF vulnerability in a cloud application allows an attacker to access the instance metadata service. The application runs with an admin IAM role. What is the blast radius?

A. Only the metadata is exposed
B. The entire cloud account because temporary admin credentials from metadata grant full access
C. The CSP management plane
D. Only the application server

Answer & reasoning

Correct: B

SSRF to the instance metadata service lets the attacker read the temporary credentials issued to the instance's IAM role. If that role is an administrator, the credentials grant everything the role can do, in practice the entire cloud account. Two controls limit this: least-privilege roles (so a stolen credential is worth little) and IMDSv2, which requires a session token obtained with a PUT request and a custom header, something a typical GET-based SSRF cannot perform.
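
As an added example (not part of the original review), the following Python function is one way an application can refuse to fetch user-supplied URLs that point at the metadata service or any other non-public address, closing the SSRF path described above. The IPv4 and IPv6 literals in the blocklist are the documented AWS metadata addresses and metadata.google.internal is GCP's hostname; the injectable resolver, the "metadata" short name and the test inputs are assumptions for this illustration. It complements IMDSv2 and a least-privilege role rather than replacing them.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Metadata endpoints rejected by name before any resolution happens.
# 169.254.169.254 and fd00:ec2::254 are the documented AWS IMDS addresses,
# metadata.google.internal is GCP's; the bare "metadata" alias is an assumption.
METADATA_HOSTS = {
    "169.254.169.254",
    "fd00:ec2::254",
    "metadata.google.internal",
    "metadata",
}


def default_resolver(host):
    """Resolve a hostname to a list of IP address strings via the system resolver."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_outbound_url(url, resolver=default_resolver):
    """Allow only http(s) URLs whose resolved destination is a globally routable address.

    Link-local (the metadata range), loopback, private, shared-address and
    multicast destinations are rejected, so a user-supplied URL cannot be turned
    into a request against the instance metadata service. The resolver is
    injectable so the check can run without DNS in tests, and so a hostname that
    resolves to an internal address is caught in the same place as an IP literal.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    if host in METADATA_HOSTS:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]            # IP literal in the URL
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError):
            return False                                # unresolvable: fail closed
    if not addrs:
        return False
    for addr in addrs:
        # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before classifying it.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if not addr.is_global or addr.is_multicast:
            return False
    return True
```

Call is_safe_outbound_url before making the request, and resolve once: the address you checked must be the address you connect to, otherwise a DNS answer that changes between check and use reopens the hole.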

Question 5

A threat model uses STRIDE on a serverless event-driven application. Which threat is MOST relevant to the event trigger mechanism?

A. Social engineering
B. Spoofing of user identity
C. Physical access to servers
D. Tampering with event payloads

Answer & reasoning

Correct: D

Event-driven systems are susceptible to Tampering: an attacker who can write to the queue, topic or webhook endpoint injects or modifies event payloads, and every downstream function trusts what it receives. Each trigger must authenticate the event source and verify payload integrity before acting on the event.
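
One way to give each trigger the integrity check described above, as an added example rather than code from the review: the producer signs the canonical payload together with a timestamp using HMAC-SHA256, and the consumer recomputes the signature, compares it in constant time, and rejects events outside a freshness window so captured events cannot simply be replayed. The key, payloads and time values are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed shared key for the demo; a real deployment fetches this from a secrets manager.
DEMO_KEY = b"demo-event-signing-key-not-for-production"


def canonical_bytes(payload):
    """Serialize the payload deterministically so producer and consumer sign identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_event(payload, issued_at, key=DEMO_KEY):
    """Producer side: attach a timestamp and an HMAC-SHA256 over timestamp + canonical payload."""
    msg = str(issued_at).encode("ascii") + b"." + canonical_bytes(payload)
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"payload": payload, "issued_at": issued_at, "sig": sig}


def verify_event(event, now, key=DEMO_KEY, max_age_seconds=300):
    """Consumer side: return (accepted, reason). Rejects malformed, stale and tampered events."""
    try:
        issued_at = int(event["issued_at"])
        payload = event["payload"]
        sig = event["sig"]
    except (KeyError, TypeError, ValueError):
        return False, "malformed event"
    if not isinstance(sig, str):
        return False, "malformed signature"
    # Freshness window bounds replay of captured events; 60 s allowance for clock skew.
    if issued_at > now + 60 or issued_at < now - max_age_seconds:
        return False, "stale or future-dated event"
    msg = str(issued_at).encode("ascii") + b"." + canonical_bytes(payload)
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the signature byte by byte.
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"
```

The timestamp is bound into the signed message, so an attacker cannot refresh a stale event by editing issued_at; any change to either the payload or the timestamp produces a mismatch.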

Question 6

An organization needs both SAML for enterprise web SSO and OAuth for mobile API access. What is the correct architecture?

A. SAML for web SSO via IdP, OAuth 2.0 with OIDC for mobile and API access
B. Use OAuth for everything
C. Use SAML for everything
D. Create separate user databases for each protocol

Answer & reasoning

Correct: A

SAML is designed for browser-based SSO between an identity provider and web applications. OAuth 2.0 handles delegated authorization for API access, and OpenID Connect adds an authentication layer on top of it, which is what mobile and native clients need. Using the right protocol for each use case, backed by a single identity provider, is the correct architecture; separate user stores would fragment identity and defeat SSO.

Question 7

A WAF blocks a SQL injection attempt against a cloud application. The development team claims the WAF makes input validation unnecessary. Is this correct?

A. No, WAF is a defense-in-depth layer but application-level input validation remains essential
B. WAFs cannot detect SQL injection
C. Yes, WAF eliminates the need for application-level defenses
D. Input validation and WAFs serve identical purposes

Answer & reasoning

Correct: A

A WAF is a perimeter control that matches known attack patterns; it can be bypassed with encoding and comment tricks or by a pattern it has not seen. Parameterized queries (prepared statements) are the authoritative defense against SQL injection because they keep data out of the query grammar regardless of how it is encoded; input validation reduces the attack surface further. The WAF is a defense-in-depth layer on top of both, not a replacement.
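
The bypass and the parameterization point shown in code, as an added example that is not from the review: an in-memory SQLite table with constructed rows, a naive signature rule standing in for a WAF, and the same login query built two ways. The rule catches the textbook tautology but not a comment-obfuscated variant; the string-built query is compromised by that variant, while the parameterized query is unaffected by either. Table contents and the rule are assumptions for the illustration.

```python
import re
import sqlite3


def build_demo_db():
    """In-memory table with constructed rows; plaintext passwords only so the injection result is visible."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    con.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return con


def login_vulnerable(con, username, password):
    """Vulnerable on purpose: untrusted input is spliced into the query text."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in con.execute(sql)]


def login_parameterized(con, username, password):
    """Fixed: placeholders keep the input as data, whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]


# Toy WAF rule for the classic tautology. Real rule sets are far larger, but the gap is the same kind:
# the rule matches one spelling of the attack, the database grammar accepts many.
NAIVE_SIGNATURE = re.compile(r"'\s+or\s+1\s*=\s*1", re.IGNORECASE)


def naive_waf_blocks(value):
    return NAIVE_SIGNATURE.search(value) is not None


CLASSIC_PAYLOAD = "' OR 1=1--"
OBFUSCATED_PAYLOAD = "' OR/**/1=1--"   # an inline SQL comment where the rule expects whitespace
```

With OBFUSCATED_PAYLOAD as the username, login_vulnerable returns every user while naive_waf_blocks reports nothing; login_parameterized returns no rows for the same input because the payload is compared as a literal string.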

Question 8

A container base image from Docker Hub is used in production without scanning. It contains a critical CVE. Whose responsibility is the vulnerability?

A. The original image author
B. The customer for deploying an unscanned image
C. The CSP for not scanning customer containers
D. Docker Hub for hosting the image

Answer & reasoning

Correct: B

Under shared responsibility the customer owns what they deploy, including third-party container base images; the CSP does not inspect the contents of customer workloads, and Docker Hub hosts images as published. Pulling only from a private registry with mandatory image scanning, and admitting only scanned images into production, enforces this.

Question 9

A CI/CD pipeline includes SAST, SCA, and container scanning but no DAST. A runtime authentication bypass reaches production. What was missing?

A. More SAST rules
B. Manual code review of every line
C. DAST testing against a staging environment to catch runtime vulnerabilities
D. Additional container scanning

Answer & reasoning

Correct: C

SAST analyzes source code and SCA analyzes dependencies; neither exercises the deployed application, so flaws in how authentication actually behaves at runtime (misconfigured middleware, a route that skips the auth filter) can slip through. DAST against a staging environment tests the running application the way an attacker would and catches these before production.

Question 10

A CSP holds FedRAMP authorization. A customer application built on this CSP processes federal data. Does the customer still need their own ATO?

A. Yes, the customer application requires separate authorization
B. No, the CSP authorization covers everything
C. Only if the application is classified
D. FedRAMP eliminates all authorization requirements

Answer & reasoning

Correct: A

The CSP's FedRAMP authorization covers the provider's infrastructure and the controls the customer inherits from it. The customer's application is a separate system: the customer must document the controls it implements on top of the platform and obtain its own authorization to operate for the federal data it processes.

Question 11

An API returns full user objects including SSN when clients only need name and email. A data breach exposes all returned fields. What should have been implemented?

A. Full-disk encryption
B. Field-level filtering to return only requested data (API response minimization)
C. Rate limiting
D. Stronger authentication

Answer & reasoning

Correct: B

This is excessive data exposure (OWASP API Security Top 10, API3; folded into Broken Object Property Level Authorization in the 2023 list). The API should return only the fields the client needs, enforced server-side rather than relying on the client to discard extra data; then a breach through the API exposes only the minimized response. Encryption, rate limiting and stronger authentication do not help when the legitimate response already carries the SSN.

Question 12

A prompt injection attack against an AI-powered cloud application extracts sensitive data from the model context. What SDLC phase should have addressed this?

A. Threat modeling during design, identifying prompt injection as a risk for LLM-powered features
B. No SDLC phase can address AI attacks
C. Deployment
D. Maintenance only

Answer & reasoning

Correct: A

Prompt injection should be identified during threat modeling in the design phase for any application incorporating LLMs. This allows appropriate controls to be designed before implementation.

Question 13

An application uses both RBAC and ABAC. RBAC grants base permissions by role. ABAC restricts access based on time-of-day and IP address. What advantage does this combination provide?

A. No advantage over RBAC alone
B. Simpler administration than RBAC alone
C. Redundant authorization that slows performance
D. Fine-grained, context-aware access control that adapts to circumstances

Answer & reasoning

Correct: D

RBAC assigns base permissions by role, which is easy to administer; ABAC evaluates attributes of the request (here time of day and source IP) at decision time. Combined, a user holds an entitlement through their role but can exercise it only when the context is acceptable, for example administrative actions only during business hours from the corporate network.
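
An added example (not from the review) of the two layers combined in a single decision function: roles grant permissions, and constructed attribute rules narrow one of them to business hours and a corporate network range. The role names, permissions and policy values are assumptions for the illustration.

```python
import ipaddress
from datetime import datetime, time

# Constructed role model: a role maps to a set of permissions (RBAC).
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "admin": {"report:read", "report:write", "user:manage"},
}

# Constructed attribute constraints layered on specific permissions (ABAC).
# Permissions without an entry are governed by RBAC alone.
ABAC_POLICY = {
    "user:manage": {
        "hours": (time(8, 0), time(18, 0)),                 # business hours only
        "networks": [ipaddress.ip_network("10.0.0.0/8")],  # corporate range only
    },
}


def rbac_allows(role, permission):
    """Base entitlement: does the role carry the permission at all?"""
    return permission in ROLE_PERMISSIONS.get(role, set())


def abac_allows(permission, request_time, source_ip):
    """Context check: return (allowed, reason) for the attribute rules on this permission."""
    rule = ABAC_POLICY.get(permission)
    if rule is None:
        return True, "no attribute constraints"
    start, end = rule["hours"]
    if not (start <= request_time.time() <= end):
        return False, "outside permitted hours"
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "invalid source address"
    if not any(addr in net for net in rule["networks"]):
        return False, "source address outside permitted networks"
    return True, "ok"


def authorize(role, permission, request_time, source_ip):
    """RBAC grants the base permission; ABAC can only narrow it, never widen it."""
    if not rbac_allows(role, permission):
        return False, "role lacks permission"
    return abac_allows(permission, request_time, source_ip)
```

The ordering matters: ABAC is consulted only after RBAC has granted the permission, so attribute rules cannot accidentally give an analyst administrative rights, and a permission with no attribute rule behaves exactly as it would under plain RBAC.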

Question 14

A development team uses a public npm registry. A typosquatting attack publishes a malicious package with a name similar to a popular library. A developer installs it by mistake. What control prevents this?

A. Using a different programming language
B. Stronger passwords for npm accounts
C. DAST scanning of the production application
D. A private registry with only vetted, approved packages

Answer & reasoning

Correct: D

A private registry that serves only curated, approved packages means the look-alike name is simply not resolvable from the build environment, so a developer's typo cannot pull in a malicious package. It also gives one place to vet every dependency before it enters the build pipeline.

Question 15

A CASB detects that employees are using an unapproved cloud file-sharing service to share sensitive documents. What is the BEST response?

A. Discipline the employees immediately
B. Block all cloud services
C. Investigate why employees use unapproved services and provide a secure approved alternative
D. Ignore it since cloud services are all secure

Answer & reasoning

Correct: C

Shadow IT indicates unmet business needs. Understanding why employees use unapproved services and providing secure alternatives addresses the root cause while maintaining security.

Question 16

A cloud application stores secrets in a vault service. The vault access credentials themselves are hardcoded in the application. What is the flaw?

A. Vault access should use passwords instead of credentials
B. This is the recommended pattern
C. The hardcoded vault credentials create the same exposure risk the vault was meant to prevent
D. Vault services are unnecessary

Answer & reasoning

Correct: C

Hardcoding the vault credentials recreates the exposure the vault was meant to remove: anyone with the source, the image or a memory dump now holds the key to every secret. The application should authenticate to the vault with an identity the platform issues at runtime (an instance role or workload identity), so no long-lived secret is embedded in code or configuration.

Question 17

A cloud application processes data subject to GDPR. A third-party analytics SaaS service receives this data. The SaaS provider is based in a country without EU adequacy. What is the PRIMARY risk?

A. GDPR violation due to unauthorized data transfer to an inadequate jurisdiction
B. No risk if the data is encrypted
C. The SaaS service will be slow
D. Analytics will be inaccurate

Answer & reasoning

Correct: A

GDPR Chapter V restricts transfers of personal data outside the EU/EEA. Where the destination country has no adequacy decision, the transfer is lawful only with an appropriate safeguard in place, such as standard contractual clauses or binding corporate rules, together with an assessment of the destination's legal environment. Sending the data to the analytics provider without such a mechanism is an unauthorized transfer; encrypting it does not by itself make the transfer compliant. Supply chain risk assessment must therefore include where each provider processes data and on what legal basis.

Question 18

A security review reveals that a cloud application RASP solution detected and blocked 50 attacks in production last month. Does this eliminate the need for pre-production security testing?

A. No, RASP is a defense layer but pre-production testing catches vulnerabilities before deployment
B. RASP replaces WAF but not testing
C. 50 blocked attacks means the application is secure
D. Yes, RASP provides complete protection

Answer & reasoning

Correct: A

RASP provides runtime protection and should complement, not replace, pre-production testing. Fifty blocked attacks shows the application is being attacked, not that it is secure: RASP stops the patterns it recognizes, while the flaws behind them remain in the code. Defense in depth requires multiple layers: secure coding, testing, WAF, and RASP.

Question 19

An API gateway handles authentication for 25 microservices. The gateway experiences an outage. What happens to application authentication?

A. Authentication continues normally
B. Each service falls back to its own authentication
C. All 25 services lose their authentication enforcement simultaneously
D. The CSP provides backup authentication

Answer & reasoning

Correct: C

A centralized API gateway is a single point of failure for authentication. If every request must pass through it, an outage stops all 25 services from processing authenticated traffic at once; if the services can be reached directly, the gateway's authentication enforcement is lost for all of them. Either way the blast radius is the whole application. The gateway needs high-availability design (multiple instances across availability zones), and each service should still validate tokens itself as defense in depth rather than assuming that anything reaching it has already been authenticated.

Question 20

A complete SBOM is generated for a cloud application. A zero-day vulnerability is later discovered in a dependency listed in the SBOM. What is the immediate benefit?

A. The SBOM blocks the vulnerability from being exploited
B. The SBOM automatically patches the vulnerability
C. No benefit until the next scheduled assessment
D. The team instantly knows which applications are affected and can prioritize remediation

Answer & reasoning

Correct: D

An SBOM is an inventory of every component in each application, so when a vulnerability is announced the team can query it for the affected component and version range and immediately know which applications ship it and need remediation first. Without the SBOM that answer requires re-scanning or manually inspecting every application. The SBOM itself neither blocks nor patches anything.
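
An added example (not from the review) of the lookup an SBOM makes possible: three constructed CycloneDX-style SBOMs are searched for a hypothetical package, and every application carrying a version below the fixed release is reported. The package URLs, versions and the simplified version comparison are assumptions for the illustration; real tooling applies ecosystem-specific version semantics and walks the dependency graph as well.

```python
import json

# Constructed CycloneDX-style SBOMs for three applications. The package URLs (purls)
# and versions are hypothetical; no real package or vulnerability is implied.
SBOMS = {
    "billing-api": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "example-parser", "version": "1.4.2",
             "purl": "pkg:npm/example-parser@1.4.2"},
            {"type": "library", "name": "example-logger", "version": "3.0.1",
             "purl": "pkg:npm/example-logger@3.0.1"},
        ],
    }),
    "web-frontend": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "example-parser", "version": "1.4.3",
             "purl": "pkg:npm/example-parser@1.4.3"},
        ],
    }),
    "batch-worker": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "example-parser", "version": "1.2.0",
             "purl": "pkg:npm/example-parser@1.2.0?os=linux"},
        ],
    }),
}


def purl_without_version(purl):
    """pkg:npm/example-parser@1.4.2?os=linux -> pkg:npm/example-parser

    Qualifiers (?...) and subpath (#...) are dropped; the version is the part after
    the last '@' of the final path segment, so percent-encoded npm scopes survive.
    """
    base = purl.split("?", 1)[0].split("#", 1)[0]
    last_segment = base.rsplit("/", 1)[-1]
    return base.rsplit("@", 1)[0] if "@" in last_segment else base


def parse_version(version):
    """Simplified dotted-numeric comparison; pre-release and build suffixes are ignored."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) if part.isdigit() else 0 for part in core.split("."))


def affected_applications(sboms, vulnerable_purl, fixed_in):
    """Return {application: [versions]} for every shipped copy of the component below fixed_in."""
    fixed = parse_version(fixed_in)
    hits = {}
    for app, raw_bom in sboms.items():
        bom = json.loads(raw_bom)
        for comp in bom.get("components", []):
            purl = comp.get("purl", "")
            if not purl or purl_without_version(purl) != vulnerable_purl:
                continue
            version = comp.get("version") or purl.split("?", 1)[0].rsplit("@", 1)[-1]
            if parse_version(version) < fixed:
                hits.setdefault(app, []).append(version)
    return hits
```

Running affected_applications(SBOMS, "pkg:npm/example-parser", "1.4.3") names billing-api and batch-worker and leaves out web-frontend, which already ships the fixed version; that is the triage list the review describes, produced without touching any of the three deployments.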


Domain 4 Readiness Checklist

Before moving to Domain 5, confirm you can:

  • Explain application security responsibilities across IaaS, PaaS, and SaaS
  • Identify OWASP Top 10 and cloud-specific vulnerabilities from scenario descriptions
  • Describe when threat modeling, SAST, DAST, SCA, and penetration testing should occur in the SDLC
  • Differentiate verification from validation in software assurance
  • Explain SBOM purpose and supply chain risk management
  • Design API security using gateways, OAuth, rate limiting, and input validation
  • Select the correct IAM protocol (SAML, OAuth, OIDC) for different use cases
  • Compare RBAC, ABAC, and policy-as-code authorization models
  • Describe microservices, serverless, and multi-tenant security patterns
  • Recognize AI-specific application threats (prompt injection, model poisoning)