Domain 1 – Section B Review: Architecture & Deployment
This section review tests your ability to apply concepts from the preceding modules to realistic exam scenarios. Work through each question, commit to an answer, then reveal the reasoning. Focus on understanding WHY the correct answer is right and why the distractors are wrong.
Scenario 1
A company uses both AWS (public cloud) and their own on-premises data center with VMware vSphere that meets all NIST cloud characteristics. They transfer workloads between environments. A consultant calls this multi-cloud. Is the consultant correct?
- A) Yes — any use of multiple computing environments is multi-cloud
- B) No — this is simply traditional IT with one cloud provider
- C) No — this is hybrid cloud (combining public and private cloud deployment models), not multi-cloud (which involves multiple public cloud providers)
- D) Yes — multi-cloud includes any combination of cloud and on-premises
Answer & reasoning
Correct: C
Hybrid cloud combines different deployment models (here, public and private). Multi-cloud specifically refers to using multiple public cloud providers. The distinction matters for the exam.
Scenario 2
An SLA guarantees 99.99% availability. The service experiences 2 hours of unplanned downtime in a month. The customer demands compensation for lost revenue. What will the SLA MOST likely provide?
- A) Service credits against future billing — standard cloud SLAs exclude consequential damages like lost revenue
- B) Full compensation for all documented revenue losses
- C) Termination of the contract with a full refund
- D) An upgraded SLA tier with better availability guarantees
Answer & reasoning
Correct: A
Standard cloud SLAs limit remedies to service credits. Consequential damages (lost revenue, reputational harm) are almost always excluded. 99.99% availability allows about 4.3 minutes of downtime per month, so 2 hours is a clear breach, but the remedy is credits, not compensation.
Scenario 3
A security architect reviews a cloud deployment using AES-256 encryption with provider-managed keys. The keys and encrypted data reside in the same cloud account. An attacker gains admin access. What is the encryption's effectiveness?
- A) Partially effective — the attacker can read but not modify the data
- B) Ineffective — the attacker can access both the encrypted data and the decryption keys through the same administrative access, rendering the encryption moot for this attack vector
- C) The encryption fully protects the data regardless of account access
- D) Fully effective — AES-256 cannot be broken even with the keys
Answer & reasoning
Correct: B
When encryption keys are accessible through the same compromised account as the encrypted data, the encryption provides no protection against that attack vector. Key management separation is essential.
Scenario 4
An organization's SLA with their cloud provider does not address data portability or format upon contract termination. The organization decides to switch providers. What challenge will they MOST likely face?
- A) The new provider will refuse to accept the migrated data
- B) Higher costs with the new provider
- C) Difficulty extracting their data — without contractual provisions for data format, timeline, and deletion verification, the organization has limited leverage and may face proprietary formats or extraction barriers
- D) No challenges — cloud data is inherently portable
Answer & reasoning
Correct: C
Data portability and exit strategy must be negotiated before contract signing. Without SLA provisions, the organization may face proprietary data formats, extraction delays, or inability to verify complete data deletion from the former provider.
Scenario 5
A CISO evaluates quantum computing risk for their cloud-stored data. The data includes 25-year trade secrets encrypted with RSA-2048. What is the MOST appropriate immediate action?
- A) No action needed — quantum computing is decades away from threatening RSA-2048
- B) Switch to AES-128 for all data encryption
- C) Begin cryptographic inventory and transition planning for post-quantum algorithms, given that the data's 25-year confidentiality requirement overlaps with projected quantum computing capabilities and harvest-now-decrypt-later threats
- D) Move data from cloud to on-premises to avoid quantum threats
Answer & reasoning
Correct: C
For data with long-term confidentiality requirements, the harvest-now-decrypt-later threat means action is needed now. Adversaries can capture RSA-encrypted data today and decrypt it when quantum computers arrive. Transitioning to post-quantum cryptography (PQC) algorithms is prudent.
Scenario 6
A development team deploys containers using public Docker Hub images without any security scanning. A post-deployment scan reveals 47 critical CVEs across their container fleet. What process failure occurred?
- A) Docker Hub should have removed vulnerable images
- B) The container orchestrator should have blocked vulnerable images automatically
- C) The development team should have built all images from scratch
- D) Container image scanning and validation before deployment was missing — images from public registries should be scanned for vulnerabilities and pulled from trusted, verified sources before production use
Answer & reasoning
Correct: D
The fundamental failure was deploying unscanned images from a public registry. Container image scanning before deployment is a basic security control that catches known vulnerabilities before they reach production.
Scenario 7
A cloud customer wants absolute certainty that their CSP cannot access their data at rest, in transit, or in use. Which combination of controls BEST achieves this?
- A) BYOK encryption with cloud-native processing
- B) VPN connectivity with TLS and provider-managed encryption
- C) Client-side encryption with customer-held keys (HYOK) for data at rest and in transit, combined with confidential computing (hardware enclaves) for data in use
- D) Provider-managed encryption with a strong SLA
Answer & reasoning
Correct: C
HYOK keeps keys entirely outside the cloud, ensuring the CSP cannot decrypt data at rest or in transit. Confidential computing uses hardware enclaves to protect data during processing. This combination addresses all three data states.
Scenario 8
IoT temperature sensors send data to a cloud analytics platform. The sensors have 64 KB of RAM and cannot support standard TLS. The organization sends data unencrypted, arguing the data is not sensitive. A security assessor disagrees. Why?
- A) IoT data only needs encryption if it crosses the internet
- B) Even non-sensitive data streams can be manipulated (integrity risk) or used for reconnaissance. Additionally, unencrypted IoT channels could be exploited to inject malicious data or pivot to cloud infrastructure through authorized connections
- C) The assessor is being overly cautious about low-value data
- D) Temperature data has no security value regardless of context
Answer & reasoning
Correct: B
Even seemingly non-sensitive IoT data creates risks: data manipulation could affect business decisions, communication channels could be exploited for injection attacks, and compromised devices could pivot to attack cloud infrastructure. Lightweight encryption protocols exist for constrained devices.
Scenario 9
A company operates in the EU and uses a US-based cloud provider. The SLA specifies data will be stored in the EU region. During an audit, they discover disaster recovery replicas in a US data center. What is the compliance impact?
- A) The SLA protects the customer since it specifies EU storage
- B) No impact — disaster recovery is exempt from data residency requirements
- C) Only the cloud provider faces regulatory consequences
- D) Potential GDPR violation — EU personal data replicated to the US without proper legal transfer mechanisms (SCCs, adequacy decisions) may violate cross-border transfer restrictions, regardless of the purpose
Answer & reasoning
Correct: D
GDPR restricts cross-border data transfers regardless of purpose. DR replicas in the US without proper legal mechanisms constitute a transfer violation. The SLA's commitment to EU-only storage was not being honored, creating both compliance and contractual issues.
Scenario 10
An organization uses a community cloud shared with three partner organizations. One partner suffers a significant security breach, and their compromised credentials are used to access shared infrastructure. What community cloud risk does this illustrate?
- A) This risk only applies to public cloud, not community cloud
- B) The cloud provider failed to isolate tenants properly
- C) Shared trust dependency — in community cloud, each member's security posture affects all members. A breach at one organization can compromise the shared infrastructure and all participants
- D) Community clouds are inherently insecure and should never be used
Answer & reasoning
Correct: C
Community cloud creates shared security dependencies. Because members share infrastructure based on common trust, a breach at any member can affect all participants. Community cloud governance must include minimum security requirements for all members.