Domain 5: Cloud Security Operations Capstone Review — 62 of 70


CCSP Domain 5 — Cloud Security Operations Capstone Review (30–40 min)
If you can think through this review, you are thinking the way the CCSP expects for cloud security operations. These questions cross all three sections — infrastructure, maintenance, and operational processes.

These scenarios blend:

  • Physical and logical infrastructure
  • Hardware security and access controls
  • Hardening, IaC, and resilience
  • Monitoring and capacity management
  • ITIL and change management
  • Incident response and forensics
  • SOC and SIEM operations

Every question forces you to identify whether the issue is infrastructure, process, monitoring, or forensic — and apply the correct operational discipline.


Scenario questions (20)


Question 1

A cloud customer's security team discovers that their IaaS provider's SOC 2 report has a carve-out for the physical security subcontractor. The customer processes PCI-regulated card data.

What should the customer do?

A. Assume physical security is the provider's problem and ignore the carve-out
B. Accept the SOC 2 report as sufficient
C. Terminate the contract immediately
D. Request separate audit evidence from the physical security subcontractor to verify controls

Answer & reasoning

Correct: D

Carve-outs exclude subcontractor controls from the audit. For PCI-regulated data, physical security verification is essential.


Question 2

An organization deploys all production workloads in a single availability zone. A zone-level failure causes a complete outage lasting 8 hours.

What architectural change prevents recurrence?

A. Deploy larger instances in the same zone
B. Move all workloads to a different zone
C. Distribute workloads across multiple availability zones within the region
D. Increase the instance count in the single zone

Answer & reasoning

Correct: C

Multi-AZ deployment removes the single availability zone as a single point of failure.


Question 3

A cloud engineer deploys a change that modifies IAM policies without going through change management. Two days later, a privilege escalation attack exploits the overly permissive policy.

What was the root cause?

A. The IAM policy was too complex
B. The engineer lacked sufficient training on IAM
C. The change management process was bypassed, allowing an unreviewed security-impacting change to reach production
D. The cloud provider's IAM service has a vulnerability

Answer & reasoning

Correct: C

Bypassing change management allowed a security-impacting change to deploy without review.


Question 4

During an incident, the response team wants to immediately terminate a compromised instance. The forensic team objects.

What is the forensic team's MOST valid concern?

A. The instance should be left running to observe the attacker
B. Termination will trigger alerts that could tip off the attacker
C. Terminating instances is too expensive
D. Volatile evidence (memory, runtime state) will be permanently lost before it can be captured

Answer & reasoning

Correct: D

Cloud instances lose volatile evidence upon termination. Snapshots and memory captures must happen first.


Question 5

An organization's IaC templates deploy security groups that allow SSH from 0.0.0.0/0 to all instances. This misconfiguration appears in every environment.

What is the MOST effective fix?

A. Accept the risk since SSH requires authentication
B. Add compensating controls like host-based firewalls
C. Manually fix each environment's security groups
D. Fix the IaC template and add automated policy enforcement to prevent non-compliant templates from deploying

Answer & reasoning

Correct: D

Fixing the template addresses all environments. Adding policy-as-code gates prevents recurrence.
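The policy-as-code gate this answer describes, as an added example rather than anything from the module: a pipeline check that refuses to deploy a template whose security groups expose SSH to the world. The rule shape, security-group names and CIDRs are constructed, not a real Terraform or CloudFormation schema.

```python
# Policy-as-code gate for the Question 5 scenario (added example, not from the module).
# Rules use a simplified, provider-neutral ingress shape, not a real Terraform/CloudFormation schema.
from dataclasses import dataclass

SSH_PORT = 22
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}     # "anywhere" for IPv4 and IPv6

@dataclass(frozen=True)
class IngressRule:
    protocol: str      # "tcp", "udp", or "-1" meaning all protocols
    from_port: int     # inclusive range; ignored when protocol == "-1"
    to_port: int
    cidr: str

def exposes_ssh_to_world(rule: IngressRule) -> bool:
    """True when the rule lets any Internet host reach TCP/22, including via a
    port range that contains 22 or an all-protocol (-1) rule."""
    if rule.cidr not in WORLD_CIDRS:
        return False
    if rule.protocol == "-1":
        return True
    return rule.protocol.lower() == "tcp" and rule.from_port <= SSH_PORT <= rule.to_port

def evaluate_template(template: dict) -> list:
    """Return one violation string per offending rule; an empty list means the
    template is allowed to deploy. Run this in the pipeline before apply."""
    violations = []
    for sg_name, rules in template.items():
        for r in rules:
            if exposes_ssh_to_world(r):
                violations.append(f"{sg_name}: {r.protocol} {r.from_port}-{r.to_port} from {r.cidr} exposes SSH")
    return violations

# Constructed templates. BAD mirrors the scenario (SSH open to the world plus an
# all-protocol IPv6 rule); FIXED restricts SSH to a constructed bastion subnet.
BAD_TEMPLATE = {
    "web-sg": [IngressRule("tcp", 443, 443, "0.0.0.0/0"), IngressRule("tcp", 22, 22, "0.0.0.0/0")],
    "app-sg": [IngressRule("-1", 0, 0, "::/0")],
}
FIXED_TEMPLATE = {
    "web-sg": [IngressRule("tcp", 443, 443, "0.0.0.0/0"), IngressRule("tcp", 22, 22, "10.0.100.0/24")],
    "app-sg": [IngressRule("tcp", 8080, 8080, "10.0.0.0/16")],
}

if __name__ == "__main__":
    for name, tmpl in (("bad", BAD_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        problems = evaluate_template(tmpl)
        print(name, "BLOCKED" if problems else "ALLOWED", *problems, sep="\n  ")
```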


Question 6

A cloud environment generates API audit logs, but the logs are stored in the same account they monitor. Administrators can delete them.

What is the PRIMARY risk?

A. An attacker who compromises the account can destroy evidence of their activities
B. Compliance reports will be delayed
C. Logs may consume excessive storage
D. Log queries may impact production performance

Answer & reasoning

Correct: A

Co-located, deletable logs allow evidence destruction after compromise.


Question 7

An organization's RTO is 2 hours and RPO is 30 minutes. They use daily backup-and-restore as their DR strategy.

What is the PRIMARY gap?

A. Daily backups cannot meet a 30-minute RPO — up to 24 hours of data would be lost
B. The backup frequency exceeds storage capacity
C. The RTO of 2 hours is too aggressive for any DR strategy
D. Backup-and-restore is never appropriate for cloud environments

Answer & reasoning

Correct: A

Daily backups mean up to 24 hours of data loss, far exceeding the 30-minute RPO.


Question 8

A SOC analyst notices that their cloud SIEM only ingests server syslog. A credential compromise allows the attacker to access cloud storage directly through API calls.

Why was the attack missed?

A. The SIEM lacks cloud-native data sources — API audit logs and storage access logs — needed to detect API-based attacks
B. The syslog configuration was incorrect
C. The attacker used an advanced evasion technique
D. The SIEM vendor has a bug

Answer & reasoning

Correct: A

API-based attacks bypass server-level monitoring. Cloud-native telemetry is required.


Question 9

A cloud environment uses auto-scaling with no maximum limit. During a volumetric DDoS attack, the auto-scaler launches 300 additional instances.

What is the PRIMARY concern?

A. The instances need to be manually configured
B. The auto-scaler is working correctly and no action is needed
C. The additional instances improve application performance
D. Massive uncontrolled cost escalation (Economic Denial of Service) without actually mitigating the attack

Answer & reasoning

Correct: D

Without a maximum instance limit, a DDoS attack drives unbounded scaling costs while doing nothing to stop the attack itself.


Question 10

A cloud security incident reveals that the same vulnerability has caused three incidents in the past year. Each time, the incident team applied a temporary fix.

What process is MISSING?

A. More frequent vulnerability scanning
B. Better incident detection tools
C. Additional SOC analysts
D. Problem management to identify and permanently address the root cause

Answer & reasoning

Correct: D

Recurring incidents indicate a root cause that incident management alone cannot resolve.


Question 11

An organization uses a PaaS platform. The security team creates an OS patching schedule for the platform's underlying servers.

What is WRONG with this approach?

A. PaaS platforms do not need patching
B. The patching schedule should be more frequent
C. The security team should also patch the hypervisor
D. In PaaS, the provider is responsible for OS patching — the customer should focus on application-level security

Answer & reasoning

Correct: D

PaaS shifts OS responsibility to the provider. The customer manages applications, not the underlying OS.


Question 12

A cloud SIEM alert shows impossible travel — a user authenticated from New York at 10:00 AM and from Singapore at 10:05 AM.

What does this indicate?

A. Normal behavior for a traveling executive
B. A SIEM configuration error
C. Likely credential compromise — the account is being used from two distant locations nearly simultaneously
D. The user is using a VPN

Answer & reasoning

Correct: C

Impossible travel is a strong indicator of credential compromise unless confirmed VPN or proxy usage explains it.
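How a SIEM rule for this scenario is typically built, as an added example that is not part of the module: consecutive logins by one user are compared by great-circle distance and elapsed time, with a constructed allowlist of VPN egress addresses standing in for the "confirmed VPN or proxy" exception. All events, coordinates and addresses are constructed.

```python
# Impossible-travel check for the Question 12 scenario (added example, not from the module).
# Events, coordinates and the VPN egress list are constructed; distance is haversine.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed; faster implies two actors
# Corporate VPN/proxy egress addresses (constructed). A login via one of these is
# expected to "jump" geographically, so it is the exception the reasoning mentions.
KNOWN_VPN_EGRESS = {"203.0.113.10"}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def find_impossible_travel(events):
    """Return (user, earlier_ts, later_ts, implied_kmh) for each pair of consecutive
    logins by one user that would require faster-than-aircraft travel."""
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            if prev["ip"] in KNOWN_VPN_EGRESS or cur["ip"] in KNOWN_VPN_EGRESS:
                continue                        # explained by VPN/proxy usage
            t0 = datetime.fromisoformat(prev["ts"])
            t1 = datetime.fromisoformat(cur["ts"])
            hours = max((t1 - t0).total_seconds() / 3600, 1 / 3600)  # floor at 1 s
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append((user, prev["ts"], cur["ts"], round(speed)))
    return alerts

# Constructed login events: alice matches the scenario (New York, then Singapore
# five minutes later); bob's second login arrives via the known VPN egress.
EVENTS = [
    {"user": "alice", "ts": "2024-03-01T10:00:00+00:00", "ip": "198.51.100.7", "lat": 40.71, "lon": -74.01},
    {"user": "alice", "ts": "2024-03-01T10:05:00+00:00", "ip": "192.0.2.44", "lat": 1.35, "lon": 103.82},
    {"user": "bob", "ts": "2024-03-01T09:00:00+00:00", "ip": "198.51.100.9", "lat": 51.51, "lon": -0.13},
    {"user": "bob", "ts": "2024-03-01T09:10:00+00:00", "ip": "203.0.113.10", "lat": 37.77, "lon": -122.42},
]

if __name__ == "__main__":
    for alert in find_impossible_travel(EVENTS):
        print("ALERT impossible travel:", alert)
```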


Question 13

An organization stores encryption keys in a multi-tenant cloud KMS for their most sensitive data. A compliance audit questions the key isolation.

What is the auditor's concern?

A. The audit standard does not cover cloud KMS
B. Multi-tenant KMS shares HSM infrastructure, meaning the customer's keys are not on dedicated hardware
C. Cloud KMS cannot encrypt data
D. Cloud KMS keys cannot be rotated

Answer & reasoning

Correct: B

Multi-tenant KMS shares HSM hardware across customers. For the most sensitive data, a dedicated HSM may be required for compliance.


Question 14

After a cloud service outage, the operations team restores service within the RTO. The security team asks to conduct a root cause analysis and lessons learned session.

What ITIL process does this align with?

A. Change management
B. Problem management — identifying root causes to prevent recurrence
C. Capacity management
D. Availability management

Answer & reasoning

Correct: B

Root cause analysis and lessons learned are problem management activities aimed at preventing recurrence.


Question 15

A cloud environment uses golden images for VM deployment. A scan reveals the golden image has not been updated in 6 months and contains 47 known vulnerabilities.

What is the MOST appropriate action?

A. Deploy compensating controls on all existing instances
B. Apply patches individually to each running instance
C. Wait for the next scheduled maintenance window
D. Update the golden image with current patches and redeploy all instances using immutable infrastructure

Answer & reasoning

Correct: D

The golden image is the source of truth. Updating it and redeploying ensures all instances start from a patched, hardened baseline.


Question 16

A forensic investigation requires evidence from a terminated cloud instance. The instance was terminated 3 hours ago.

What evidence is MOST likely still available?

A. The instance's network connections
B. The instance's memory contents
C. Cloud audit logs and any disk snapshots taken before termination
D. The instance's running processes

Answer & reasoning

Correct: C

Memory and runtime state are lost upon termination. API audit logs and pre-termination snapshots may persist if configured.


Question 17

An organization implements micro-segmentation in their cloud environment. After deployment, several applications stop communicating with their dependencies.

What is the MOST likely cause?

A. The cloud provider blocked the traffic
B. DNS resolution has failed
C. Undocumented application communication patterns were not included in the micro-segmentation policies
D. The micro-segmentation product is defective

Answer & reasoning

Correct: C

Micro-segmentation enforces explicit allow rules. Undocumented dependencies are blocked by default.


Question 18

A change advisory board reviews a proposed IAM policy change that would grant a service account access to production databases. The security reviewer flags a concern.

What is the MOST likely concern?

A. The service account may have overly broad permissions violating least privilege
B. The database does not support service account authentication
C. The change is too simple for CAB review
D. Service accounts cannot access databases

Answer & reasoning

Correct: A

Service account permissions must follow least privilege. Broad production database access is a high-risk configuration.


Question 19

A cloud customer negotiates their contract and includes audit rights, breach notification within 24 hours, and data return in standard formats. They do NOT include a clause about subcontractor changes.

What risk remains?

A. The audit rights clause covers subcontractor risks
B. The provider can change subcontractors without notification, potentially introducing unknown risks
C. The contract is already comprehensive enough
D. Subcontractor clauses are only needed for IaaS

Answer & reasoning

Correct: B

Without subcontractor notification clauses, the provider can change who processes customer data without the customer's knowledge.


Question 20

An organization measures their SOC's MTTD at 72 hours and MTTR at 2 hours. Management wants to improve overall security posture.

Which metric would have the MOST impact if improved?

A. Neither — both metrics are acceptable
B. MTTD — detecting threats faster reduces the attacker's undetected dwell time from 72 hours
C. Focus on reducing false positives instead
D. MTTR — respond even faster

Answer & reasoning

Correct: B

A 72-hour MTTD means attackers operate undetected for 3 days. Reducing detection time has the greatest impact on limiting damage.


Domain 5 readiness checklist

If you struggled with any question, revisit this checklist:

  • Did you match the control to the correct shared responsibility boundary?
  • Did you choose scalable, automated solutions over manual approaches?
  • Did you preserve evidence before recovery?
  • Did you follow structured processes (change, incident, problem)?
  • Did you ensure monitoring covers cloud-native telemetry?
  • Did you express risk in business terms?

If you can do this, you are ready

If you consistently:

  • Apply shared responsibility correctly
  • Choose automation and IaC over manual operations
  • Preserve forensic evidence before acting
  • Follow change management for every modification
  • Monitor APIs, identities, and cloud-native telemetry
  • Drive decisions from business impact, not just technical severity

You are thinking the way the CCSP expects for Domain 5.
