Domain 3: Cloud Platform & Infrastructure Security Review — 37 of 70

Domain 3 – Section C Review: Controls & Continuity

CCSP Domain 3 — Cloud Platform & Infrastructure Security
Section C — Controls & Continuity Review
10 Questions

This section integrates:

  • Security Controls Implementation
  • Identification, Authentication, and Authorization
  • Business Continuity and Disaster Recovery

Question 1

A developer has permanent administrative access to production cloud resources. What is the BEST control to implement?

A. Revoke all access permanently
B. Implement just-in-time access with time-limited elevation and approval workflows
C. Add a second password requirement
D. Require the developer to use a shared admin account

Answer & reasoning

Correct: B

JIT access provides temporary privilege elevation only when needed, enforcing least privilege while maintaining operational capability.

Question 2

An IaC template with a hardcoded API key has been deployed to 30 environments. What is the immediate priority?

A. Rotate the API key across all environments and migrate to a secrets vault
B. Add a comment noting the key should be changed later
C. Delete the IaC template from version control
D. Notify the CSP about the exposure

Answer & reasoning

Correct: A

Exposed credentials require immediate rotation. Moving to a secrets vault prevents recurrence. Deleting the template does not remediate already-deployed credentials.

Question 3

A BIA determines a cloud application requires an RTO of 10 minutes and RPO of 5 minutes. Which DR strategy meets these requirements?

A. Pilot light with manual failover
B. Daily backup and restore
C. Warm standby with hourly snapshots
D. Active-active multi-region deployment

Answer & reasoning

Correct: D

Near-zero RTO and RPO require active-active multi-region deployment. Backup/restore and pilot light strategies have RTOs measured in hours.

Question 4

An organization relies on network security groups as its sole access control mechanism. An insider with valid credentials exfiltrates data. What control was missing?

A. Defense-in-depth including identity-layer controls and DLP
B. Physical access restrictions
C. A stronger firewall
D. Longer password requirements

Answer & reasoning

Correct: A

Network controls alone cannot prevent authorized-credential abuse. Defense-in-depth requires controls at multiple layers including identity, data, and application layers.

Question 5

A root cloud account has a strong password but no MFA. The password is compromised through phishing. What is the impact?

A. Access to one VM only
B. Limited access to billing only
C. The CSP automatically blocks the access
D. Full control of the entire cloud environment

Answer & reasoning

Correct: D

Root accounts without MFA grant unrestricted access when credentials are compromised. MFA is the critical compensating control for credential theft.

Question 6

A DR plan exists on paper but has never been tested. A major CSP outage occurs. The recovery fails. What is the root cause?

A. The DR plan was never validated through actual failover testing
B. The team did not read the plan during the outage
C. The plan was written too long ago
D. The CSP did not honor its SLA

Answer & reasoning

Correct: A

Untested DR plans fail under real conditions. Technical recovery must be validated through actual failover tests, not just tabletop exercises.

Question 7

A mobile app needs to access cloud APIs on behalf of a user. Which protocol is MOST appropriate?

A. SAML 2.0
B. LDAP
C. Kerberos
D. OAuth 2.0 with OIDC

Answer & reasoning

Correct: D

OAuth 2.0 handles delegated authorization for API access, and OIDC adds authentication. SAML is designed for web browser SSO, not mobile API patterns.

Question 8

A CSP SLA guarantees 99.99% availability. During a 6-hour outage, the CSP offers service credits equal to 10% of the monthly bill. The customer lost $500,000 in revenue. What does this demonstrate?

A. The customer should have negotiated a better SLA
B. SLA credits do not compensate for actual business losses
C. The SLA is fraudulent
D. The CSP should pay the full revenue loss

Answer & reasoning

Correct: B

CSP SLA remedies are limited to service credits. The customer must architect their own resilience rather than depending on SLA guarantees.

Question 9

An organization cannot deploy a traditional network IDS in the cloud. What is an appropriate compensating control?

A. Accept the risk since cloud is inherently secure
B. Host-based detection agents combined with cloud-native flow logging
C. Migrate back to on-premises
D. Request the CSP to install the IDS

Answer & reasoning

Correct: B

Compensating controls must address the same risk through different means. Host-based detection plus flow logging provides equivalent visibility to network IDS.

Question 10

A conditional access policy detects a user logging in from an unusual country at 3 AM. What is the BEST automated response?

A. Block the access permanently
B. Require step-up authentication (additional MFA challenge)
C. Reset the user password immediately
D. Allow the access but notify the user

Answer & reasoning

Correct: B

Step-up authentication balances security with usability. It verifies the user’s identity without permanently blocking legitimate access from unusual locations.
