CCSP Domain 3: Cloud Platform & Infrastructure Security

Section A Review: Infrastructure Components (10 Questions)

This section integrates:

  • Cloud Infrastructure Components
  • Network and Communications Security
  • Compute and Virtualization Security

CCSP evaluates whether you can map security responsibilities to the correct party and select appropriate controls for each infrastructure layer.


Question 1

An organization deploys VMs on IaaS. A vulnerability scan reveals the hypervisor is running an outdated version. Who is responsible for patching?

A. The customer security team
B. The cloud service provider
C. The customer network team
D. The VM operating system vendor

Answer & reasoning

Correct: B

The hypervisor is part of the provider’s infrastructure. Even in IaaS, the customer never manages the hypervisor. Patching it is the CSP’s responsibility.

Question 2

A cloud architect needs to isolate a sensitive workload from other workloads in the same cloud account. What is the MOST effective approach?

A. Enable verbose logging on all instances
B. Place the workload in a dedicated VPC with restricted security groups
C. Use a different programming language for the workload
D. Deploy the workload on a different continent

Answer & reasoning

Correct: B

VPC isolation with restrictive security groups provides logical network segmentation within the same account. Geography and programming language are irrelevant to logical isolation.

Question 3

A container running on a shared host is compromised through a kernel vulnerability. What is the potential impact?

A. Only the compromised container is affected
B. All containers on the same host could be compromised
C. The container orchestrator automatically quarantines the threat
D. Only containers in the same namespace are affected

Answer & reasoning

Correct: B

Containers share the host kernel. A kernel exploit can break container isolation and affect all containers on the same host, unlike VMs, which have hypervisor-level isolation.

Question 4

An organization uses object storage for sensitive customer data. A security audit finds that default bucket permissions allow public read access. Who is responsible?

A. The CSP for insecure defaults
B. The network team for not blocking internet access
C. The customer for not configuring access controls
D. The auditor for not finding it sooner

Answer & reasoning

Correct: C

In the shared responsibility model, the customer is responsible for configuring access controls on their resources. Most CSPs default to private, but the customer must verify and maintain configurations.

Question 5

A security team implements TLS for all client-to-cloud traffic but discovers internal microservices communicate over unencrypted HTTP. What should they implement?

A. Longer TLS certificate validity periods
B. Additional perimeter firewalls
C. A WAF at the cloud perimeter
D. Mutual TLS between all internal services

Answer & reasoning

Correct: D

East-west traffic between microservices requires its own encryption. Mutual TLS authenticates and encrypts inter-service communication. Perimeter controls do not protect internal traffic.

Question 6

An organization uses a dedicated private connection to their CSP. The security team assumes this eliminates the need for encryption. What is the flaw?

A. Private connections do not provide encryption by default
B. Private connections are slower than internet connections
C. Private connections are shared with other customers
D. Private connections cannot carry TLS traffic

Answer & reasoning

Correct: A

Dedicated private connections like Direct Connect or ExpressRoute provide network isolation and consistent bandwidth but do not encrypt traffic. IPsec or TLS must be layered on top.

Question 7

A serverless function processes sensitive health records. The function has been assigned a role with full administrative access to the cloud account. What is the PRIMARY risk?

A. The CSP will throttle administrative API calls
B. The function will execute too slowly
C. A compromise of the function grants access to the entire cloud environment
D. Serverless functions cannot process health data

Answer & reasoning

Correct: C

Overly permissive roles on serverless functions mean any compromise gives the attacker full access. Least privilege should limit the function to only the resources it needs.

Question 8

An organization wants to protect against a malicious cloud provider accessing their data during processing. Which technology addresses this?

A. Data masking in application logs
B. Encryption at rest with CSP-managed keys
C. TLS 1.3 for data in transit
D. Confidential computing with Trusted Execution Environments

Answer & reasoning

Correct: D

Confidential computing with TEEs protects data in use by creating hardware-isolated enclaves that even the cloud provider cannot access. CSP-managed encryption does not protect against a malicious provider.

Question 9

After terminating cloud storage, the organization needs assurance that data cannot be recovered. What is the BEST approach in cloud?

A. Request physical disk shredding from the CSP
B. Perform multi-pass overwrite on the virtual disk
C. Destroy the encryption keys used to protect the data
D. Wait for the CSP to repurpose the storage hardware

Answer & reasoning

Correct: C

Cryptographic erasure is the standard method in cloud environments. Physical destruction is impractical for shared distributed storage, and multi-pass overwrite is ineffective on SSDs.

Question 10

A lateral movement incident occurs between cloud workloads in the same subnet. All workloads share one permissive security group. What control would have prevented this?

A. Full-disk encryption
B. Micro-segmentation with per-workload security groups
C. Stronger root passwords
D. A perimeter firewall upgrade

Answer & reasoning

Correct: B

Micro-segmentation applies individual security groups to each workload with least-privilege rules, preventing lateral movement even within the same subnet.
