Domain 1 – Section C Review: Security Design
This section review tests your ability to apply concepts from the preceding modules to realistic exam scenarios. Work through each question, commit to an answer, then reveal the reasoning. Focus on understanding WHY the correct answer is right and why the distractors are wrong.
Scenario 1
A cloud administrator uses OAuth 2.0 to authenticate users to a web application. Users report they can access the app but the system does not know who they are — it only knows what resources they are authorized to access. What is the root cause?
- A) OAuth 2.0 is an authorization framework, not an authentication protocol. User identity verification requires OpenID Connect (OIDC) which adds an identity layer on top of OAuth
- B) Users need to re-register their accounts
- C) OAuth 2.0 is not compatible with cloud web applications
- D) The OAuth implementation needs additional scopes configured
Answer & reasoning
Correct: A
OAuth 2.0 issues access tokens that express delegated authorization (scopes) for a resource server; nothing in the protocol tells the application who the user is, and an access token is not meant to be parsed by the client at all. OIDC adds an ID token, a signed JWT carrying sub, iss, aud, exp and nonce claims, that asserts who authenticated, when, and for which client. This is one of the most commonly tested distinctions.
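To make the distinction concrete, the following added example (not part of the original review, and not any provider's code) mints a plain OAuth 2.0 access token and an OIDC ID token and then runs the relying-party checks OIDC requires. The HS256 shared key, issuer URL, client_id and audience values are assumptions for the demo; real providers sign with asymmetric keys published at their jwks_uri, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo material (assumptions for this example): a symmetric HS256
# key shared by the identity provider and the app, and hypothetical issuer,
# client_id and API audience values. Production OIDC providers sign with
# asymmetric keys (RS256/ES256) published at the jwks_uri; the claim checks
# below are the same either way.
SHARED_KEY = b"demo-hs256-key-not-a-real-secret"
ISSUER = "https://idp.example"
CLIENT_ID = "webapp-123"
API_AUDIENCE = "https://api.example"
DEMO_NOW = 1_700_000_000  # fixed clock so results are reproducible


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Mint a compact JWS (HS256) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SHARED_KEY) -> dict:
    """Check the HS256 signature and return the claims; raise on any failure."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature check failed")
    return json.loads(_b64url_decode(body))


def mint_oauth_access_token(scopes, now=None) -> str:
    """What plain OAuth 2.0 gives the app: a token that says what the bearer
    may do at the API (scope, aud = resource server), not who the user is."""
    now = DEMO_NOW if now is None else now
    return sign_jwt({"iss": ISSUER, "aud": API_AUDIENCE,
                     "scope": " ".join(scopes), "exp": now + 3600})


def mint_oidc_id_token(subject: str, nonce: str, now=None) -> str:
    """What OIDC adds: an ID token asserting who authenticated, for which
    client (aud = client_id), when, and bound to this login attempt (nonce)."""
    now = DEMO_NOW if now is None else now
    return sign_jwt({"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
                     "iat": now, "auth_time": now, "exp": now + 300,
                     "nonce": nonce})


def authenticated_user(token: str, expected_nonce: str, now=None):
    """Relying-party ID token validation (OIDC Core section 3.1.3.7): signature,
    iss, aud, exp and nonce must all check out. Returns the user's `sub`, or
    None when the token does not establish an identity for this client."""
    now = DEMO_NOW if now is None else now
    try:
        claims = verify_jwt(token)
    except (ValueError, json.JSONDecodeError):
        return None  # tampered, forged, or not a JWT at all
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER:
        return None
    if CLIENT_ID not in audiences:
        return None  # an access token for the API is not an assertion for us
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    if claims.get("nonce") != expected_nonce:
        return None  # replayed from another login attempt
    sub = claims.get("sub")
    return sub if isinstance(sub, str) and sub else None


if __name__ == "__main__":
    access = mint_oauth_access_token(["read:files"])
    print("access token identifies user:", authenticated_user(access, "n1"))  # None
    id_token = mint_oidc_id_token("alice", "n1")
    print("ID token identifies user:", authenticated_user(id_token, "n1"))  # alice
```

The access token fails the audience check and carries no subject, which is exactly the symptom in the scenario: the app can call the API but cannot say who is calling. The nonce check is what binds the ID token to the browser session that started the login; without it, an ID token captured elsewhere could be replayed.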
Scenario 2
A security audit reveals that five cloud administrators share a root account for emergency access. The audit log shows 127 actions last month from this account, but no one can determine which administrator performed which action. What must change?
- A) Eliminate the shared account by creating individual admin accounts with role-based access. Implement break-glass procedures for emergency root access with individual accountability
- B) Increase logging verbosity to capture more detail about each action
- C) Reduce the number of administrators who know the shared password
- D) Add MFA to the shared root account for better security
Answer & reasoning
Correct: A
Shared accounts destroy accountability. No amount of logging detail can attribute actions to individuals using the same credentials. Individual accounts with RBAC cover day-to-day administration, and a break-glass procedure keeps root for genuine emergencies: the credential is vaulted, checked out by a named individual, its use raises an alert, and it is rotated afterwards, so even emergency root actions remain attributable.
Scenario 3
An organization's cloud VPC uses security groups (stateful) for compute instances and network ACLs (stateless) at the subnet level. A new application allows inbound traffic on port 8080 via the security group but does not configure an outbound rule in the network ACL. Users cannot access the application. Why?
- A) Network ACLs are stateless — even though the security group (stateful) automatically allows return traffic, the network ACL requires an explicit outbound rule (to the client's ephemeral port range) for the return traffic to pass
- B) Port 8080 is blocked by the cloud provider by default
- C) Security groups are blocking the outbound traffic
- D) The application needs to listen on port 443 instead
Answer & reasoning
Correct: A
Stateful security groups track connections and automatically allow return traffic. Stateless network ACLs evaluate every packet on its own: the NACL needs an inbound allow for port 8080 and an outbound allow to the ephemeral port range (1024-65535) that clients use as source ports. Without the outbound rule the client's SYN reaches the instance but the SYN-ACK is dropped on the way out. Both layers must be correctly configured. This two-layer model is commonly tested.
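The following added example (not part of the original review, and not modelled on any provider's API) simulates the two layers so the failure can be reproduced. The rule and packet shapes are deliberately simplified inventions for the illustration: rules match on TCP destination port only, and the instance's own outbound rules are left out because only the return half of a client-initiated flow matters here.

```python
from dataclasses import dataclass

# Added example modelling the two filtering layers in the scenario. The rule
# and packet shapes are simplifications invented for this illustration, not a
# provider's API; only TCP destination ports are matched.

EPHEMERAL = (1024, 65535)  # source-port range clients typically use


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" (towards the instance) or "out" (from the instance)


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out"
    port_lo: int    # destination-port range the rule matches
    port_hi: int
    allow: bool = True


class StatelessACL:
    """Subnet network ACL: every packet is judged on its own, in rule order,
    with an implicit deny at the end. It keeps no memory of earlier packets."""

    def __init__(self, rules):
        self.rules = list(rules)

    def permits(self, pkt: Packet) -> bool:
        for r in self.rules:
            if r.direction == pkt.direction and r.port_lo <= pkt.dport <= r.port_hi:
                return r.allow
        return False


class StatefulSecurityGroup:
    """Instance security group: an inbound rule that admits a packet records
    the flow, and the reply packets of a recorded flow pass automatically."""

    def __init__(self, inbound_rules):
        self.inbound = list(inbound_rules)
        self.flows = set()  # (client, client_port, instance, instance_port)

    def permits(self, pkt: Packet) -> bool:
        if pkt.direction == "in":
            for r in self.inbound:
                if r.allow and r.port_lo <= pkt.dport <= r.port_hi:
                    self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                    return True
            return False
        # Outbound here is only the return half of a tracked flow (a real SG
        # also has outbound rules for instance-initiated traffic; omitted).
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def handshake_completes(acl: StatelessACL, sg: StatefulSecurityGroup,
                        client: str, instance: str, port: int,
                        client_port: int = 51234) -> bool:
    """Push a client SYN through NACL then SG, and the instance's SYN-ACK back
    through SG then NACL. Both halves must pass for the connection to work."""
    syn = Packet(client, client_port, instance, port, "in")
    syn_ack = Packet(instance, port, client, client_port, "out")
    if not (acl.permits(syn) and sg.permits(syn)):
        return False
    return sg.permits(syn_ack) and acl.permits(syn_ack)


def scenario_as_described() -> bool:
    """SG allows 8080 in; NACL allows 8080 in but has no outbound rule."""
    acl = StatelessACL([Rule("in", 8080, 8080)])
    sg = StatefulSecurityGroup([Rule("in", 8080, 8080)])
    return handshake_completes(acl, sg, "198.51.100.7", "10.0.1.10", 8080)


def scenario_wrong_fix() -> bool:
    """Tempting but wrong: an outbound NACL rule for 8080. The reply's
    destination port is the client's ephemeral port, so it still drops."""
    acl = StatelessACL([Rule("in", 8080, 8080), Rule("out", 8080, 8080)])
    sg = StatefulSecurityGroup([Rule("in", 8080, 8080)])
    return handshake_completes(acl, sg, "198.51.100.7", "10.0.1.10", 8080)


def scenario_fixed() -> bool:
    """Correct NACL: inbound 8080 plus outbound to the ephemeral range."""
    acl = StatelessACL([Rule("in", 8080, 8080), Rule("out", *EPHEMERAL)])
    sg = StatefulSecurityGroup([Rule("in", 8080, 8080)])
    return handshake_completes(acl, sg, "198.51.100.7", "10.0.1.10", 8080)


if __name__ == "__main__":
    print("as described:", scenario_as_described())  # False
    print("outbound 8080 only:", scenario_wrong_fix())  # False
    print("outbound ephemeral:", scenario_fixed())  # True
```

The second case is the one that trips people up in practice: mirroring the inbound port on the outbound side looks symmetric, but the reply packet's destination port is whatever ephemeral port the client chose, so the outbound rule has to cover that range.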
Scenario 4
During a cloud security assessment, a tester demonstrates that by analyzing CPU cache timing patterns, they can extract partial encryption keys from a VM on the same physical host. What threat is this?
- A) Man-in-the-middle attack on the virtual network
- B) A social engineering attack targeting the VM administrator
- C) Side-channel attack — exploiting shared physical hardware (CPU caches) to extract information from co-located VMs. This is a real multi-tenancy risk mitigated by dedicated hosting or hardware isolation
- D) A brute-force attack against the encryption algorithm
Answer & reasoning
Correct: C
Side-channel attacks exploit shared physical resources rather than weaknesses in the algorithm or the network. CPU cache timing attacks are a documented threat in multi-tenant cloud environments. Mitigation requires dedicated hosts or hardware isolation for sensitive workloads; constant-time cryptographic implementations that avoid key-dependent memory access reduce what a co-tenant can learn but do not remove the shared-hardware risk.
Scenario 5
A company classifies data quarterly. Between reviews, newly collected medical records are stored in the same unencrypted storage as marketing materials. After classification, the records are moved to encrypted storage. What is the risk?
- A) The marketing team may accidentally delete the medical records
- B) No risk — data is eventually classified and protected
- C) Sensitive medical data is unprotected during the gap between collection and classification. Delayed classification creates a window where data may be stored, accessed, or shared with insufficient controls, potentially violating HIPAA
- D) The quarterly schedule is industry standard and acceptable
Answer & reasoning
Correct: C
Classification at creation is a fundamental principle. Delaying classification means sensitive data receives inadequate protection during the gap. For regulated data like medical records, this creates direct compliance violations.
Scenario 6
An organization evaluates a CSP that provides a SOC 2 Type I report from last year. The CISO wants assurance that security controls have been consistently operating effectively. Is the SOC 2 Type I sufficient?
- A) No — the CISO should request a SOC 1 report instead
- B) Yes — as long as the report is less than 2 years old
- C) No — SOC 2 Type I only assesses control design at a point in time. SOC 2 Type II evaluates operating effectiveness over a period (typically 6-12 months) and provides the ongoing assurance the CISO requires
- D) Yes — SOC 2 Type I comprehensively evaluates all security controls
Answer & reasoning
Correct: C
Type I confirms controls were designed and in place on a specific date. Type II confirms they operated effectively over a sustained period. For ongoing assurance, Type II is required.
Scenario 7
A cloud architect designs a system using defense in depth: VPC isolation, security groups, IAM policies, encryption at rest, encryption in transit, DLP, and SIEM monitoring. The CFO questions why so many controls are needed. What is the justification?
- A) More controls always mean better security
- B) No single control is sufficient. Defense in depth ensures that if any one layer fails (e.g., IAM misconfiguration), other layers (encryption, network controls, monitoring) continue to protect the system. This reduces the impact of any single control failure
- C) The architect is over-engineering the solution
- D) Each control addresses a different compliance requirement
Answer & reasoning
Correct: B
Defense in depth is a fundamental security principle. Each layer addresses a different attack vector and provides redundancy. If one layer fails, others maintain protection. The exam treats this as a core architectural requirement.
Scenario 8
A CSP holds ISO 27001 certification but not ISO 27017 or ISO 27018. A customer storing PII from EU data subjects asks if these certifications are sufficient for their needs. What is the BEST assessment?
- A) ISO 27001 certifies an ISMS but lacks cloud-specific controls (27017) and PII protection guidance (27018). For a customer storing EU PII in the cloud, all three certifications (or equivalent controls) would provide more appropriate assurance
- B) Only ISO 27018 matters for PII, and 27001 is irrelevant
- C) ISO 27001 alone is comprehensive and covers all cloud and privacy requirements
- D) No ISO certification is relevant for cloud security evaluation
Answer & reasoning
Correct: A
ISO 27001 provides the certifiable security management foundation. ISO 27017 adds cloud-specific controls and ISO 27018 addresses PII in public clouds; both are codes of practice that providers normally demonstrate as an extension of the scope of their ISO 27001 certification. For EU PII in cloud storage, the customer benefits from assurance across all three domains; none of them by itself establishes GDPR compliance, which still requires a data processing agreement and the controller's own assessment.
Scenario 9
A zero trust architecture implementation treats all access requests as untrusted regardless of origin. A senior executive complains that internal network users should be trusted by default since they passed physical security. Is the executive correct?
- A) Yes — but only for non-sensitive resources
- B) No — but an exception should be made for executives
- C) Yes — employees on the corporate network have been vetted and should be trusted
- D) No — zero trust requires verification of every access request regardless of network location. Internal network position does not establish trustworthiness, especially in cloud environments where traditional network perimeters do not exist
Answer & reasoning
Correct: D
Zero trust is a foundational cloud security principle. Network location does not establish trust. Compromised credentials, insider threats, and lateral movement all originate from 'trusted' networks. Every request must be verified against signals that actually describe the subject, session and device, with access decisions scoped per resource rather than per person or rank.
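The following added example (not part of the original review) sketches a policy decision point in that spirit. The users, roles, resources and freshness thresholds are invented for the illustration; the point to notice is that the source address is captured for the audit trail but never consulted when deciding, and that there is no "executive" carve-out because requirements attach to resources, not people.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Added example of a zero trust policy decision point. Users, roles, resources,
# networks and thresholds are all invented for the illustration.

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Per-resource requirements: the more sensitive the resource, the fresher the
# MFA and the stricter the device posture. There is no "corporate network" key
# because location is not a trust signal.
POLICY = {
    "wiki":       {"roles": {"employee"}, "mfa_max_age": 12 * 3600, "device_compliant": False},
    "payroll-db": {"roles": {"finance"},  "mfa_max_age": 15 * 60,   "device_compliant": True},
}
ROLES = {
    "alice": {"employee", "finance"},
    "bob": {"employee"},
    "ceo": {"employee", "exec"},   # seniority is not a role the policy grants on
}


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    source_ip: str
    identity_verified: bool         # valid, unexpired session from the IdP
    mfa_age_seconds: Optional[int]  # seconds since last MFA; None = never
    device_compliant: bool          # posture attested by the endpoint agent
    resource: str


def is_internal(ip: str) -> bool:
    """Used for the audit record only; deliberately not a policy input."""
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check concerns the subject, session and
    device; unknown resources deny by default; network location is ignored."""
    policy = POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if not req.identity_verified:
        return False, "no verified identity"
    if not (ROLES.get(req.subject, set()) & policy["roles"]):
        return False, "subject lacks an authorized role"
    if req.mfa_age_seconds is None or req.mfa_age_seconds > policy["mfa_max_age"]:
        return False, "MFA missing or stale for this resource"
    if policy["device_compliant"] and not req.device_compliant:
        return False, "device posture not compliant"
    return True, "allow"


def audit_line(req: AccessRequest) -> str:
    """One log line per decision; location is recorded here, nowhere else."""
    allowed, reason = decide(req)
    where = "internal" if is_internal(req.source_ip) else "external"
    return (f"subject={req.subject} resource={req.resource} src={req.source_ip}"
            f" ({where}) decision={'ALLOW' if allowed else 'DENY'} reason={reason!r}")


if __name__ == "__main__":
    # Constructed requests: an on-network user without MFA, an off-network
    # user with fresh MFA and a compliant device, and an executive without
    # the finance role.
    for r in [
        AccessRequest("alice", "10.1.2.3", True, None, True, "payroll-db"),
        AccessRequest("alice", "203.0.113.5", True, 120, True, "payroll-db"),
        AccessRequest("ceo", "10.1.2.3", True, 60, True, "payroll-db"),
    ]:
        print(audit_line(r))
```

Run as written, the on-network request without MFA is denied, the off-network request with fresh MFA and an attested device is allowed, and the executive is denied for lacking the finance role. Swapping the source addresses changes the audit line and nothing else, which is the property the executive in the scenario is asking the organization to give up.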
Scenario 10
A CSP evaluation reveals that the provider uses three sub-processors for data handling, but the contract makes no mention of sub-processors. The provider's SOC 2 Type II covers only their own operations. What supply chain risk exists?
- A) Customer data is handled by entities not covered by the SOC 2 audit, with unknown security controls, in potentially unknown jurisdictions. The contract should require sub-processor disclosure, security requirements, and audit rights
- B) Sub-processors are always covered by the primary provider's certifications
- C) The customer should audit the sub-processors directly without the provider's involvement
- D) No risk — the SOC 2 covers the primary provider, which is sufficient
Answer & reasoning
Correct: A
Sub-processors create supply chain risk outside the audited boundary. The SOC 2 only covers the primary provider. Without contractual provisions, the customer has no visibility into or control over how sub-processors handle their data.